--- openldap-2.4.25.orig/debian/patches/smbk5pwd-makefile	2011-08-11 19:37:05.000000000 +0200
+++ openldap-2.4.25/debian/patches/smbk5pwd-makefile	2011-08-11 19:39:37.000000000 +0200
@@ -10,7 +10,7 @@
  CC=gcc
  
  # Omit DO_KRB5 or DO_SAMBA if you don't want to support it.
- DEFS=-DDO_KRB5 -DDO_SAMBA
+ DEFS=-DSUPPORT_K5KEY_SCHEME # -DDO_KRB5 -DDO_SAMBA
  
 -HEIMDAL_INC=-I/usr/heimdal/include
 +HEIMDAL_INC=-I/usr/include
diff -Nuar openldap-2.4.25.orig/contrib/slapd-modules/smbk5pwd/Makefile openldap-2.4.25/contrib/slapd-modules/smbk5pwd/Makefile
--- openldap-2.4.25.orig/contrib/slapd-modules/smbk5pwd/Makefile	2011-01-05 00:49:36.000000000 +0100
+++ openldap-2.4.25/contrib/slapd-modules/smbk5pwd/Makefile	2011-08-11 19:39:55.000000000 +0200
@@ -17,7 +17,7 @@
 CC=gcc
 
 # Omit DO_KRB5 or DO_SAMBA if you don't want to support it.
-DEFS=-DDO_KRB5 -DDO_SAMBA
+DEFS=-DSUPPORT_K5KEY_SCHEME # -DDO_KRB5 -DDO_SAMBA
 
 HEIMDAL_INC=-I/usr/heimdal/include
 SSL_INC=
diff -Nuar openldap-2.4.25.orig/contrib/slapd-modules/smbk5pwd/smbk5pwd.c openldap-2.4.25/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
--- openldap-2.4.25.orig/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2011-01-05 00:49:36.000000000 +0100
+++ openldap-2.4.25/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2011-08-11 19:34:18.000000000 +0200
@@ -34,6 +34,10 @@
 #include "config.h"
 
 #ifdef DO_KRB5
+#define SUPPORT_K5KEY_SCHEME
+#endif
+
+#ifdef SUPPORT_K5KEY_SCHEME
 #include <lber.h>
 #include <lber_pvt.h>
 #include <lutil.h>
@@ -86,9 +90,11 @@
 	unsigned	mode;
 #define	SMBK5PWD_F_KRB5		(0x1U)
 #define	SMBK5PWD_F_SAMBA	(0x2U)
+#define	SMBK5PWD_F_K5KEY	(0x4U)
 
 #define SMBK5PWD_DO_KRB5(pi)	((pi)->mode & SMBK5PWD_F_KRB5)
 #define SMBK5PWD_DO_SAMBA(pi)	((pi)->mode & SMBK5PWD_F_SAMBA)
+#define SMBK5PWD_SUPPORT_K5KEY_SCHEME(pi)	((pi)->mode & SMBK5PWD_F_K5KEY)
 
 #ifdef DO_KRB5
 	/* nothing yet */
@@ -110,6 +116,9 @@
 #ifdef DO_SAMBA
 	| SMBK5PWD_F_SAMBA
 #endif
+#ifdef SUPPORT_K5KEY_SCHEME
+	| SMBK5PWD_F_K5KEY
+#endif
 ;
 
 static int smbk5pwd_modules_init( smbk5pwd_t *pi );
@@ -243,7 +252,7 @@
 }
 #endif /* DO_SAMBA */
 
-#ifdef DO_KRB5
+#ifdef SUPPORT_K5KEY_SCHEME
 
 static int smbk5pwd_op_cleanup(
 	Operation *op,
@@ -389,7 +398,7 @@
 	ber_dupbv( hash, (struct berval *)&k5key_scheme );
 	return LUTIL_PASSWD_OK;
 }
-#endif /* DO_KRB5 */
+#endif /* SUPPORT_K5KEY_SCHEME */
 
 static int smbk5pwd_exop_passwd(
 	Operation *op,
@@ -889,7 +898,7 @@
 		const char		*name;
 		AttributeDescription	**adp;
 	}
-#ifdef DO_KRB5
+#ifdef SUPPORT_K5KEY_SCHEME
 	krb5_ad[] = {
 		{ "krb5Key",			&ad_krb5Key },
 		{ "krb5KeyVersionNumber",	&ad_krb5KeyVersionNumber },
@@ -897,7 +906,7 @@
 		{ "krb5ValidEnd",		&ad_krb5ValidEnd },
 		{ NULL }
 	},
-#endif /* DO_KRB5 */
+#endif /* SUPPORT_K5KEY_SCHEME */
 #ifdef DO_SAMBA
 	samba_ad[] = {
 		{ "sambaLMPassword",		&ad_sambaLMPassword },
@@ -913,8 +922,8 @@
 	/* this is to silence the unused var warning */
 	dummy_ad.name = NULL;
 
-#ifdef DO_KRB5
-	if ( SMBK5PWD_DO_KRB5( pi ) && oc_krb5KDCEntry == NULL ) {
+#ifdef SUPPORT_K5KEY_SCHEME
+	if ( (SMBK5PWD_SUPPORT_K5KEY_SCHEME( pi ) || SMBK5PWD_DO_KRB5( pi )) && oc_krb5KDCEntry == NULL ) {
 		krb5_error_code	ret;
 		extern HDB 	*_kadm5_s_get_db(void *);
 
@@ -976,7 +985,7 @@
 
 		db = _kadm5_s_get_db( kadm_context );
 	}
-#endif /* DO_KRB5 */
+#endif /* SUPPORT_K5KEY_SCHEME */
 
 #ifdef DO_SAMBA
 	if ( SMBK5PWD_DO_SAMBA( pi ) && oc_sambaSamAccount == NULL ) {
@@ -1071,7 +1080,7 @@
 
 	smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
     
-#ifdef DO_KRB5
+#ifdef SUPPORT_K5KEY_SCHEME
 	smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
 
 	lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );