From f1a83798f0102f7d35295a6c0d4db0580a791579 Mon Sep 17 00:00:00 2001 From: Jo Sutton Date: Wed, 14 Feb 2024 09:37:13 +1300 Subject: [PATCH] third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2) 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Feb 27 02:19:31 UTC 2024 on atb-devel-224 --- third_party/heimdal/appl/gssmask/gssmask.c | 2 +- third_party/heimdal/appl/test/Makefile.am | 22 +- third_party/heimdal/appl/test/auditdns.c | 506 +++++++++++++++++++++ third_party/heimdal/cf/make-proto.pl | 4 +- third_party/heimdal/configure.ac | 37 +- third_party/heimdal/kadmin/kadm_conn.c | 11 +- .../heimdal/kdc/altsecid_gss_preauth_authorizer.c | 7 + third_party/heimdal/kdc/hprop.c | 5 + third_party/heimdal/kdc/kdc-tester.c | 4 +- third_party/heimdal/kdc/kdc.8 | 22 +- third_party/heimdal/kdc/kerberos5.c | 3 +- third_party/heimdal/kuser/Makefile.am | 1 + third_party/heimdal/kuser/kinit.c | 4 +- third_party/heimdal/lib/gssapi/Makefile.am | 5 +- third_party/heimdal/lib/hdb/Makefile.am | 5 + third_party/heimdal/lib/hdb/hdb-mitdb.c | 10 +- third_party/heimdal/lib/hdb/hdb.c | 2 +- third_party/heimdal/lib/hx509/req.c | 2 +- third_party/heimdal/lib/kadm5/init_c.c | 5 + third_party/heimdal/lib/kadm5/ipropd_slave.c | 8 +- third_party/heimdal/lib/kadm5/log.c | 2 +- third_party/heimdal/lib/krb5/addr_families.c | 5 + third_party/heimdal/lib/krb5/expand_hostname.c | 3 +- third_party/heimdal/lib/krb5/get_addrs.c | 8 + third_party/heimdal/lib/krb5/get_cred.c | 10 +- third_party/heimdal/lib/krb5/get_for_creds.c | 11 +- third_party/heimdal/lib/krb5/get_host_realm.c | 8 + third_party/heimdal/lib/krb5/init_creds_pw.c | 28 +- third_party/heimdal/lib/krb5/krb5.conf.5 | 25 + third_party/heimdal/lib/krb5/krbhst.c | 31 +- third_party/heimdal/lib/krb5/send_to_kdc.c | 24 +- third_party/heimdal/lib/krb5/sock_principal.c | 8 + third_party/heimdal/lib/krb5/verify_krb5_conf.c | 6 + third_party/heimdal/lib/roken/roken-common.h | 8 + third_party/heimdal/lib/roken/syslogc.c | 2 +- third_party/heimdal/lib/roken/test-mini_inetd.c | 2 +- third_party/heimdal/lib/roken/version-script.map | 1 + 
third_party/heimdal/tests/bin/setup-env.in | 1 + third_party/heimdal/tests/db/Makefile.am | 2 + third_party/heimdal/tests/db/check-aliases.in | 57 +-- third_party/heimdal/tests/gss/Makefile.am | 18 +- third_party/heimdal/tests/gss/check-basic.in | 32 +- third_party/heimdal/tests/gss/check-context.in | 59 ++- third_party/heimdal/tests/gss/check-gssmask.in | 57 ++- third_party/heimdal/tests/gss/check-negoex.in | 2 - .../tests/gss/{check-basic.in => check-nodns.in} | 39 +- third_party/heimdal/tests/gss/check-ntlm.in | 37 +- third_party/heimdal/tests/gss/check-spnego.in | 37 +- third_party/heimdal/tests/gss/krb5-nodns.conf.in | 55 +++ third_party/heimdal/tests/java/check-kinit.in | 26 +- third_party/heimdal/tests/kdc/Makefile.am | 2 + third_party/heimdal/tests/kdc/check-bx509.in | 9 +- third_party/heimdal/tests/kdc/check-canon.in | 59 +-- third_party/heimdal/tests/kdc/check-cc.in | 30 +- third_party/heimdal/tests/kdc/check-delegation.in | 56 +-- third_party/heimdal/tests/kdc/check-des.in | 42 +- third_party/heimdal/tests/kdc/check-digest.in | 32 +- third_party/heimdal/tests/kdc/check-fast.in | 26 +- third_party/heimdal/tests/kdc/check-hdb-mitdb.in | 12 +- third_party/heimdal/tests/kdc/check-httpkadmind.in | 3 +- third_party/heimdal/tests/kdc/check-iprop.in | 23 +- third_party/heimdal/tests/kdc/check-kadmin.in | 46 +- third_party/heimdal/tests/kdc/check-kdc.in | 331 ++++++-------- third_party/heimdal/tests/kdc/check-keys.in | 14 +- third_party/heimdal/tests/kdc/check-kinit.in | 10 +- third_party/heimdal/tests/kdc/check-kpasswdd.in | 41 +- third_party/heimdal/tests/kdc/check-pkinit.in | 38 +- third_party/heimdal/tests/kdc/check-referral.in | 85 ++-- third_party/heimdal/tests/kdc/check-tester.in | 17 +- third_party/heimdal/tests/kdc/check-uu.in | 26 +- third_party/heimdal/tests/ldap/check-ldap.in | 16 +- third_party/heimdal/tests/plugin/check-pac.in | 9 +- 72 files changed, 1483 insertions(+), 713 deletions(-) create mode 100644 third_party/heimdal/appl/test/auditdns.c 
copy third_party/heimdal/tests/gss/{check-basic.in => check-nodns.in} (88%) create mode 100644 third_party/heimdal/tests/gss/krb5-nodns.conf.in diff --git a/third_party/heimdal/appl/gssmask/gssmask.c b/third_party/heimdal/appl/gssmask/gssmask.c index 86a671301df..c27e885b5a3 100644 --- a/third_party/heimdal/appl/gssmask/gssmask.c +++ b/third_party/heimdal/appl/gssmask/gssmask.c @@ -1117,7 +1117,7 @@ create_client(krb5_socket_t sock, int port, const char *moniker) getnameinfo((struct sockaddr *)&c->sa, c->salen, c->servername, sizeof(c->servername), - NULL, 0, NI_NUMERICHOST); + NULL, 0, NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE); } c->sock = krb5_storage_from_socket(sock); diff --git a/third_party/heimdal/appl/test/Makefile.am b/third_party/heimdal/appl/test/Makefile.am index 15ed68fca8a..7bc9b6f419d 100644 --- a/third_party/heimdal/appl/test/Makefile.am +++ b/third_party/heimdal/appl/test/Makefile.am @@ -5,7 +5,8 @@ include $(top_srcdir)/Makefile.am.common WFLAGS += $(WFLAGS_LITE) noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \ - uu_server uu_client nt_gss_server nt_gss_client http_client + uu_server uu_client nt_gss_server nt_gss_client http_client \ + kinit_auditdns tcp_client_SOURCES = tcp_client.c common.c test_locl.h 
@@ -38,6 +39,25 @@ nt_gss_client_LDADD = $(gssapi_server_LDADD) nt_gss_server_LDADD = $(nt_gss_client_LDADD) +kinit_auditdns_SOURCES = ../../kuser/kinit.c auditdns.c + +kinit_auditdns_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../../lib/krb5 + +# sync with kinit_LDADD in kuser/Makefile.am +if !NO_AFS +afs_lib = $(LIB_kafs) +endif +kinit_auditdns_LDADD = \ + $(afs_lib) \ + $(top_builddir)/lib/krb5/libkrb5.la \ + $(top_builddir)/lib/gssapi/libgssapi.la \ + $(top_builddir)/lib/gss_preauth/libgss_preauth.la \ + $(top_builddir)/lib/ntlm/libheimntlm.la \ + $(LIB_hcrypto) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_libintl) \ + $(LIB_roken) + LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ diff --git a/third_party/heimdal/appl/test/auditdns.c b/third_party/heimdal/appl/test/auditdns.c new file mode 100644 index 00000000000..4f5b1dde5d6 --- /dev/null +++ b/third_party/heimdal/appl/test/auditdns.c 
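Review bot: The kinit_auditdns target documents nothing about how the audit works, and the mechanism is worth a comment because it can silently stop working: the definitions in auditdns.c only catch resolver calls made inside libkrb5, libroken and the other shared objects if the executable's symbols pre-empt libc's, which is the default ELF rule but does not hold under `-Bsymbolic`, a library that reaches libc through a private alias, or macOS's two-level namespace, in which case the test passes without having audited anything. Suggested line above `kinit_auditdns_SOURCES`: `# auditdns.c interposes getaddrinfo/getnameinfo/gethostby*/rk_dns_lookup; relies on the executable's symbols pre-empting the shared libraries' (default ELF resolution).` If `rk_dns_lookup` is bound locally inside libroken by its version script, the override would likewise not reach roken-internal callers; I cannot tell from this hunk whether the version-script.map change in this import addresses that.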
@@ -0,0 +1,506 @@ +/*- + * Copyright (c) 2024 Taylor R. Campbell + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "resolve.h" +#include "roken.h" + +struct rk_dns_reply * +rk_dns_lookup(const char *domain, const char *type_name) +{ + + fprintf(stderr, "DNS leak: %s %s (%s)\n", __func__, domain, type_name); + abort(); +} + +struct hostent * +gethostbyname(const char *name) +{ + + fprintf(stderr, "DNS leak: %s %s\n", __func__, name); + abort(); +} + +#ifdef HAVE_GETHOSTBYNAME2 + +struct hostent * +gethostbyname2(const char *name, int af) +{ + + fprintf(stderr, "DNS leak: %s %s\n", __func__, name); + abort(); +} + +#endif /* HAVE_GETHOSTBYNAME2 */ + +struct hostent * +gethostbyaddr(const void *addr, socklen_t len, int af) +{ + const socklen_t maxlen[] = { + [AF_INET] = sizeof(struct in_addr), + [AF_INET6] = sizeof(struct in6_addr), + }; + char n[INET6_ADDRSTRLEN + 1]; + + if (af < 0 || af >= sizeof(maxlen)/sizeof(maxlen[0]) || + maxlen[af] == 0 || len < maxlen[af] || + inet_ntop(af, addr, n, sizeof n) == NULL) + fprintf(stderr, "Reverse DNS leak: %s\n", __func__); + else + fprintf(stderr, "Reverse DNS leak: %s %s\n", __func__, n); + abort(); +} + +#ifdef HAVE_GETADDRINFO + +void +freeaddrinfo(struct addrinfo *ai) +{ + + free(ai->ai_addr); + free(ai); +} + +int +getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *restrict hints, + struct addrinfo **restrict res) +{ + char *servend; + unsigned long port; + union { + struct sockaddr sa; + struct sockaddr_in sin; + struct sockaddr_in6 sin6; + } *addr = NULL; + int af[2] = {AF_INET, AF_INET6}; + socklen_t addrlen[2] = {sizeof(addr->sin), sizeof(addr->sin6)}; + int socktype[2] = {SOCK_DGRAM, SOCK_STREAM}; + int proto[2] = {IPPROTO_UDP, IPPROTO_TCP}; + size_t i, j, naddr, nproto; + struct addrinfo *ai = NULL; + int error; + + /* + * DNS audit: Abort unless the user specified hints with + * AI_NUMERICHOST, AI_NUMERICSERV, and no AI_CANONNAME. 
+ */ + if (hints == NULL || + (hints->ai_flags & AI_NUMERICHOST) == 0 || + (hints->ai_flags & AI_NUMERICSERV) == 0 || + (hints->ai_flags & AI_CANONNAME) != 0) { + fprintf(stderr, "DNS leak: %s %s:%s\n", + __func__, hostname, servname); + abort(); + } + + /* + * Check hints for address family. If unspecified, use the default + * set of address families: {AF_INET, AF_INET6}. + */ + switch (hints->ai_family) { + case AF_UNSPEC: + naddr = 2; + break; + case AF_INET: + naddr = 1; + af[0] = AF_INET; + addrlen[0] = sizeof(addr->sin); + break; + case AF_INET6: + naddr = 1; + af[0] = AF_INET6; + addrlen[0] = sizeof(addr->sin6); + break; + default: + error = EAI_FAMILY; + goto out; + } + + /* + * Check hints for socket type and protocol. If both are zero, we + * use the default set of socktype/proto pairs. If one is + * specified but not the other, use the default. If both are + * specified, make sure they match. + */ + switch (hints->ai_socktype) { + case 0: + if (hints->ai_protocol == 0) + nproto = sizeof(proto)/sizeof(proto[0]); + else + nproto = 1; + break; + case SOCK_DGRAM: /* datagram <-> UDP */ + if (hints->ai_protocol != 0 && hints->ai_protocol != IPPROTO_UDP) { + error = EAI_SOCKTYPE; + goto out; + } + socktype[0] = SOCK_DGRAM; + proto[0] = IPPROTO_UDP; + nproto = 1; + break; + case SOCK_STREAM: /* stream <-> TCP */ + if (hints->ai_protocol != 0 && hints->ai_protocol != IPPROTO_TCP) { + error = EAI_SOCKTYPE; + goto out; + } + socktype[0] = SOCK_STREAM; + proto[0] = IPPROTO_TCP; + nproto = 1; + break; + default: + error = EAI_SOCKTYPE; + goto out; + } + + /* + * Check whether a service is specified at all. + */ + if (servname == NULL) { + /* + * No service specified. Use the wildcard port 0. + */ + port = 0; + } else { + /* + * Service specified. First verify it is at most 5 decimal + * digits; then parse it as a nonnegative integer in decimal, + * at most 65535. 
(This avoids pathological inputs like + * -18446744073709551493 for which strtoul will succeed and + * return 123 on LP64 platforms.) + */ + if (strlen(servname) > strlen("65535") || + strlen(servname) != strspn(servname, "0123456789")) { + error = EAI_NONAME; + goto out; + } + errno = 0; + port = strtoul(servname, &servend, 10); + if (servend == servname || + *servend != '\0' || + errno != 0 || + port > 65535) { + error = EAI_NONAME; + goto out; + } + } + + /* + * Check whether a hostname is specified at all. + */ + if (hostname == NULL) { + /* + * No hostname. This only makes sense if we're going to bind + * to a socket and receive incoming packets or listen and + * accept incoming connections, i.e., only if AI_PASSIVE is + * set. Otherwise, fail with EAI_NONAME. + */ + if ((hints->ai_flags & AI_PASSIVE) == 0) { + error = EAI_NONAME; + goto out; + } + + /* + * Allocate an array of as many addresses as the hints allow. + */ + if ((addr = calloc(naddr, sizeof(*addr))) == NULL) { + error = EAI_MEMORY; + goto out; + } + + /* + * Fill the addresses with the ANY wildcard address, IPv4 + * 0.0.0.0 or IPv6 `::' (i.e., 0000:0000:....:0000). + */ + switch (hints->ai_family) { + case AF_UNSPEC: + assert(naddr == 2); + addr[0].sin.sin_family = AF_INET; + addr[0].sin.sin_port = htons(port); + addr[0].sin.sin_addr.s_addr = htonl(INADDR_ANY); + addr[1].sin6.sin6_family = AF_INET6; + addr[1].sin6.sin6_port = htons(port); + addr[1].sin6.sin6_addr = in6addr_any; + break; + case AF_INET: + assert(naddr == 1); + addr[0].sin.sin_family = AF_INET; + addr[0].sin.sin_port = htons(port); + addr[0].sin.sin_addr.s_addr = htonl(INADDR_ANY); + break; + case AF_INET6: + assert(naddr == 1); + addr[0].sin6.sin6_family = AF_INET6; + addr[0].sin6.sin6_port = htons(port); + addr[0].sin6.sin6_addr = in6addr_any; + break; + default: + error = EAI_FAIL; /* XXX unreachable */ + goto out; + } + goto have_addr; + } else { + /* + * Allocate a single socket address record. 
Since we have + * AI_NUMERICHOST, the hostname can be parsed as only one + * address and won't be resolved to an array of possibly >1 + * addresses. + */ + naddr = 1; + if ((addr = calloc(naddr, sizeof(*addr))) == NULL) { + error = EAI_MEMORY; + goto out; + } + + /* + * If the hints specify AF_INET, or don't specify anything, try + * to parse it as an IPv4 address. If this fails, it will fall + * through. + */ + if (hints->ai_family == AF_UNSPEC || hints->ai_family == AF_INET) { + switch (inet_pton(AF_INET, hostname, &addr->sin.sin_addr)) { + case -1: /* system error */ + error = EAI_SYSTEM; + goto out; + case 0: /* failure */ + break; + case 1: /* success */ + addr->sin.sin_family = AF_INET; + addr->sin.sin_port = htons(port); + af[0] = AF_INET; + addrlen[0] = sizeof(addr->sin); + goto have_addr; + } + } + + /* + * If the hints specify AF_INET6, or don't specify anything, + * try to parse it as an IPv6 address. If this fails, it will + * fall through. + */ + if (hints->ai_family == AF_UNSPEC || hints->ai_family == AF_INET6) { + /* XXX scope id? */ + switch (inet_pton(AF_INET6, hostname, &addr->sin6.sin6_addr)) { + case -1: /* system error */ + error = EAI_SYSTEM; + goto out; + case 0: /* failure */ + break; + case 1: /* success */ + addr->sin6.sin6_family = AF_INET6; + addr->sin6.sin6_port = htons(port); + af[0] = AF_INET6; + addrlen[0] = sizeof(addr->sin6); + goto have_addr; + } + } + + /* + * Hostname can't be parsed. + */ + error = EAI_NONAME; + goto out; + } + +have_addr: + /* + * We have an address, or multiple possible addresses. Allocate an + * array of addrinfo records to store the result. + */ + if ((ai = calloc(naddr * nproto, sizeof(*ai))) == NULL) { + error = EAI_MEMORY; + goto out; + } + + /* + * Fill in the addrinfo records with the cartesian product of + * matching address families and matching socktype/protocol pairs. + * + * XXX Consider randomizing the output for fun! 
+ */ + for (i = 0; i < naddr; i++) { + for (j = 0; j < nproto; j++) { + ai[i*nproto + j] = (struct addrinfo) { + .ai_flags = 0, /* input flags, unused on output */ + .ai_family = af[i], + .ai_addrlen = addrlen[i], + .ai_addr = &addr[i].sa, + .ai_socktype = socktype[j], + .ai_protocol = proto[j], + .ai_canonname = NULL, + .ai_next = &ai[i*nproto + j + 1], + }; + } + } + addr = NULL; /* reference consumed by ai[...].ai_addr */ + + /* + * Null out the last addrinfo's next pointer. + */ + ai[naddr*nproto - 1].ai_next = NULL; + + /* + * Success! + */ + error = 0; + +out: + /* + * In the event of error, free whatever we've allocated so far. + * Make sure to save and restore errno in case free touches it, + * because EAI_SYSTEM requires errno to report the system error. + */ + if (error) { + int errno_save = errno; + + if (addr) + free(addr); + addr = NULL; + if (ai) + freeaddrinfo(ai); + ai = NULL; + + errno = errno_save; + } + *res = ai; + return error; +} + +#endif /* HAVE_GETADDRINFO */ + +#ifdef HAVE_GETNAMEINFO + +int +getnameinfo(const struct sockaddr *restrict sa, socklen_t salen, + char *restrict node, socklen_t nodelen, + char *restrict service, socklen_t servicelen, + int flags) +{ + char n[INET6_ADDRSTRLEN + 1] = ""; + char s[5 + 1] = ""; /* ceil(log_10(2^16)) + 1 */ + + /* + * Call inet_ntop to format the appropriate member of the + * sockaddr_*. + */ + switch (sa->sa_family) { + case AF_INET: { + struct sockaddr_in sin; + + /* + * Verify the socket address length is at least enough for + * sockaddr_in, and make a copy to avoid strict aliasing + * violation. + */ + if (salen < sizeof sin) + return EAI_FAIL; + memcpy(&sin, sa, sizeof sin); + + /* + * Use inet_ntop to format sin_addr as x.y.z.w, and use + * snprintf to format the port number in decimal. 
+ */ + if (inet_ntop(AF_INET, &sin.sin_addr, n, sizeof n) == NULL) + return EAI_FAIL; + snprintf(s, sizeof s, "%d", (int)sin.sin_port); + break; + } + case AF_INET6: { + struct sockaddr_in6 sin6; + + /* + * Verify the socket address length is at least enough for + * sockaddr_in6, and make a copy to avoid strict aliasing + * violation. + */ + if (salen < sizeof sin6) + return EAI_FAIL; + memcpy(&sin6, sa, sizeof sin6); + + /* + * Use inet_ntop to format sin6_addr as a:b:c:...:h, and use + * snprintf to format the port number in decimal. + */ + if (inet_ntop(AF_INET6, &sin6.sin6_addr, n, sizeof n) == NULL) + return EAI_FAIL; + /* XXX scope id? */ + snprintf(s, sizeof s, "%d", (int)sin6.sin6_port); + break; + } + default: + return EAI_FAMILY; + } + + /* + * DNS audit: Abort unless the user specified flags with + * NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE. We format the + * numeric syntax first so it can be included in the error message + * to give a clue about what might have DNS leaks. + * + * The NI_NUMERICSCOPE test is written in a funny way so that on + * platforms where it simply doesn't exist (like glibc and + * Windows), it doesn't spuriously fail -- scope ids naming is + * probably not a source of network leaks. + */ + if ((flags & NI_NUMERICHOST) == 0 || + (flags & NI_NUMERICSERV) == 0 || + (flags & NI_NUMERICSCOPE) != NI_NUMERICSCOPE) { + fprintf(stderr, "Reverse DNS leak: %s %s %s\n", __func__, n, s); + abort(); + } + + /* + * Verify the (numeric) `names' we determined fit in the buffers + * provided, if any. + */ + if ((node && nodelen > 0 && strlen(n) >= nodelen) || + (service && servicelen > 0 && strlen(s) >= servicelen)) + return EAI_OVERFLOW; + + /* + * Copy out the answers that were requested. + */ + if (node) + strlcpy(node, n, nodelen); + if (service) + strlcpy(service, s, servicelen); + + return 0; +} + +#endif /* HAVE_GETNAMEINFO */ 
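Review bot: In the new getnameinfo the service string is built from the raw network-byte-order `sin_port`/`sin6_port`, so on little-endian hosts both the returned service and the "Reverse DNS leak" diagnostic print a byte-swapped port; use `snprintf(s, sizeof s, "%u", (unsigned)ntohs(sin.sin_port));` in the AF_INET arm and `ntohs(sin6.sin6_port)` in the AF_INET6 arm. A second gap is in getaddrinfo's socket-type switch: the `case 0:` branch with a non-zero `ai_protocol` sets `nproto = 1` but leaves `socktype[0]`/`proto[0]` at their SOCK_DGRAM/IPPROTO_UDP defaults, so hints of `{ai_socktype = 0, ai_protocol = IPPROTO_TCP}` come back as a UDP entry instead of a TCP one (or EAI_SOCKTYPE); the rewritten branch below selects the pair from the protocol, reusing the hunk's existing error convention. Finally, the replacement freeaddrinfo dereferences its argument unconditionally while glibc's accepts NULL, so an error path elsewhere that calls `freeaddrinfo(NULL)` would crash only under the audit build; an early `if (ai == NULL) return;` avoids that.
```c
    switch (hints->ai_socktype) {
    case 0:
        if (hints->ai_protocol == 0) {
            nproto = sizeof(proto)/sizeof(proto[0]);
        } else if (hints->ai_protocol == IPPROTO_UDP) {
            socktype[0] = SOCK_DGRAM;
            proto[0] = IPPROTO_UDP;
            nproto = 1;
        } else if (hints->ai_protocol == IPPROTO_TCP) {
            socktype[0] = SOCK_STREAM;
            proto[0] = IPPROTO_TCP;
            nproto = 1;
        } else {
            error = EAI_SOCKTYPE;
            goto out;
        }
        break;
    /* … unchanged: SOCK_DGRAM and SOCK_STREAM cases, service parsing … */
```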
diff --git a/third_party/heimdal/cf/make-proto.pl b/third_party/heimdal/cf/make-proto.pl index 4af21916b80..21f341c0f76 100644 --- a/third_party/heimdal/cf/make-proto.pl +++ b/third_party/heimdal/cf/make-proto.pl @@ -4,8 +4,6 @@ use Getopt::Std; use File::Compare; -use JSON::PP - my $comment = 0; my $doxygen = 0; my $funcdoc = 0; @@ -67,6 +65,8 @@ if($opt_m) { } if($opt_x) { + require JSON::PP; + my $EXP; local $/; open(EXP, '<', $opt_x) || die "open ${opt_x}"; diff --git a/third_party/heimdal/configure.ac b/third_party/heimdal/configure.ac index cecd030e6f3..650e9224608 100644 --- a/third_party/heimdal/configure.ac +++ b/third_party/heimdal/configure.ac @@ -196,6 +196,24 @@ AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"]) AC_SUBST([CAPNG_CFLAGS]) AC_SUBST([CAPNG_LIBS]) +dnl mitdb +AC_ARG_WITH([mitdb], + AC_HELP_STRING([--with-mitdb], [Path to MIT Kerberos DB include header and shared object]), + [], + [with_mitdb=no]) +if test -n "$with_mitdb" -a -d "$with_mitdb"; then + AC_DEFINE_UNQUOTED([HAVE_MITDB], 1, [Define if building with MIT Kerberos DB driver]) + AC_DEFINE(HAVE_DB1, 1, [define if you have a berkeley db1/2 library]) + mitdb=$with_mitdb +elif test "$with_mitdb" = no; then + with_mitdb= + mitdb= +elif test "$with_mitdb" = yes; then + AC_MSG_ERROR([Need path to MIT Kerberos DB include header and shared object]) +fi +AM_CONDITIONAL([HAVE_MITDB], [test -n "$with_mitdb"]) +AC_SUBST([MITDB], ["$with_mitdb"]) + dnl libmicrohttpd AC_ARG_WITH([microhttpd], AC_HELP_STRING([--with-microhttpd], [use microhttpd to serve KDC REST API @<:@default=check@:>@]), @@ -433,7 +451,6 @@ AC_CHECK_HEADERS([\ signal.h \ strings.h \ stropts.h \ - stdatomic.h \ sys/bitypes.h \ sys/category.h \ sys/file.h \ 
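Review bot: The mitdb option handling has a hole for `--with-mitdb=PATH` where PATH exists but is not a directory (or is a typo): none of the three branches match, so `with_mitdb` keeps the bogus path, `AM_CONDITIONAL([HAVE_MITDB])` becomes true and `-L$(MITDB)/lib` reaches the link line, yet the `AC_DEFINE([HAVE_MITDB])` is skipped and the driver is never compiled. Adding a final branch, `else AC_MSG_ERROR([--with-mitdb: $with_mitdb is not a directory])`, turns that into a configure-time failure instead of a libhdb that advertises a backend it does not contain. The same branch also defines HAVE_DB1 unconditionally; if anything outside hdb-mitdb.c/hdb.c is still guarded by HAVE_DB1, requesting only the MIT driver would re-enable it too, which deserves at least a `dnl` note.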
@@ -464,6 +481,24 @@ AC_CHECK_HEADERS([\ util.h \ ]) +AC_CHECK_HEADERS([stdatomic.h], + [AC_MSG_CHECKING([whether libatomic is required]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[_Atomic(long long) i; atomic_init(&i, (long long) 0);]])], + [AC_MSG_RESULT([no])], + [AC_MSG_RESULT([yes]) + AC_MSG_CHECKING([whether libatomic works]) + save_LIBS="$LIBS" + LIBS="$LIBS -latomic" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[_Atomic(long long) i; atomic_init(&i, (long long) 0);]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no, using fallback]) + LIBS="$save_LIBS" + AC_DEFINE([HEIM_BASE_ATOMICS_FALLBACK], [], [Define if you want fallbacks for atomic operations])] + )] + )], + [] +) + dnl On Solaris 8 there's a compilation warning for term.h because dnl it doesn't define `bool'. AC_CHECK_HEADERS(term.h, , , -) diff --git a/third_party/heimdal/kadmin/kadm_conn.c b/third_party/heimdal/kadmin/kadm_conn.c index 0eeaf508da8..ccd89211d2f 100644 --- a/third_party/heimdal/kadmin/kadm_conn.c +++ b/third_party/heimdal/kadmin/kadm_conn.c @@ -65,7 +65,11 @@ add_kadm_port(krb5_context contextp, const char *service, unsigned int port) static void add_standard_ports (krb5_context contextp) { - add_kadm_port(contextp, "kerberos-adm", 749); + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) + add_kadm_port(contextp, "749", 749); + else + add_kadm_port(contextp, "kerberos-adm", 749); } /* @@ -246,6 +250,11 @@ start_server(krb5_context contextp, const char *port_str) hints.ai_flags = AI_PASSIVE; hints.ai_socktype = SOCK_STREAM; + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) { + hints.ai_flags &= ~AI_CANONNAME; + hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV; + } e = getaddrinfo(NULL, p->port, &hints, &ai); if(e) { snprintf(portstr, sizeof(portstr), "%u", p->def_port); 
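Review bot: Both new `krb5_config_get_bool` calls in kadm_conn.c pass `context`, while the enclosing functions receive the handle as `contextp` and pass `contextp` to add_kadm_port on the very next line; unless `context` is a file-scope global holding the same handle this reads the wrong object, and even if it is, mixing the two in one function invites exactly that confusion. Use the parameter in both hunks: `if (krb5_config_get_bool(contextp, NULL, "libdefaults", "block_dns", NULL))`. In start_server the `hints.ai_flags &= ~AI_CANONNAME;` immediately follows `hints.ai_flags = AI_PASSIVE;` and is a no-op that can be dropped. start_server's body continues outside the hunk.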
diff --git a/third_party/heimdal/kdc/altsecid_gss_preauth_authorizer.c b/third_party/heimdal/kdc/altsecid_gss_preauth_authorizer.c index d48ea584bc8..17d3ee31bfd 100644 --- a/third_party/heimdal/kdc/altsecid_gss_preauth_authorizer.c +++ b/third_party/heimdal/kdc/altsecid_gss_preauth_authorizer.c @@ -167,6 +167,13 @@ ad_connect(krb5_context context, } *s, *servers = NULL; size_t i, num_servers = 0; + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) { + ret = KRB5KDC_ERR_SVC_UNAVAILABLE; + krb5_set_error_message(context, ret, "DNS blocked when finding AD DC"); + return ret; + } + { struct rk_dns_reply *r; struct rk_resource_record *rr; diff --git a/third_party/heimdal/kdc/hprop.c b/third_party/heimdal/kdc/hprop.c index c1db11b978e..d6ff6133a06 100644 --- a/third_party/heimdal/kdc/hprop.c +++ b/third_party/heimdal/kdc/hprop.c @@ -61,6 +61,11 @@ open_socket(krb5_context context, const char *hostname, const char *port) hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) { + hints.ai_flags &= ~AI_CANONNAME; + hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV; + } error = getaddrinfo (hostname, port, &hints, &ai); if (error) { warnx ("%s: %s", hostname, gai_strerror(error)); diff --git a/third_party/heimdal/kdc/kdc-tester.c b/third_party/heimdal/kdc/kdc-tester.c index 8f8073a44e1..86fe9f02b90 100644 --- a/third_party/heimdal/kdc/kdc-tester.c +++ b/third_party/heimdal/kdc/kdc-tester.c 
@@ -267,11 +267,11 @@ eval_kinit(heim_dict_t o) ret = krb5_get_init_creds_opt_set_fast_ccache(kdc_context, opt, fast_cc); if (ret) - krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_set_fast_ccache"); + krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_fast_ccache"); ret = krb5_get_init_creds_opt_set_fast_flags(kdc_context, opt, KRB5_FAST_REQUIRED|KRB5_FAST_KDC_VERIFIED); if (ret) - krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_set_fast_ccache"); + krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_fast_flags"); fast_cc = NULL; } diff --git a/third_party/heimdal/kdc/kdc.8 b/third_party/heimdal/kdc/kdc.8 index 150a3f18a2d..9269d2c569e 100644 --- a/third_party/heimdal/kdc/kdc.8 +++ b/third_party/heimdal/kdc/kdc.8 @@ -89,7 +89,24 @@ Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. .It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec Specifies the set of ports the KDC should listen on. It is given as a -white-space separated list of services or port numbers. +white-space separated list of ports. +A port value of +.Sq + +indicates that the standard ports should be used. +Other values should be service names or port numbers as resolved by +.Xr getservbyname 3 +(e.g., +.Dq kerberos/udp , +.Dq kerberos/tcp , +.Dq 8088/udp , +etc.), or plain numeric port numbers (e.g., +.Dq 9088 +). +Plain numeric port numbers will be used with both UDP and TCP. +See also the +.Dq [kdc] ports +configuration parameter discussion in +.Xr krb5.conf 5 . .It Fl Fl addresses= Ns Ar list of addresses The list of addresses to listen for requests on. By default, the kdc will listen on all the locally configured @@ -214,4 +231,5 @@ There should be a way to specify protocol, port, and address triplets, not just addresses and protocol, port tuples. .Sh SEE ALSO .Xr kinit 1 , -.Xr krb5.conf 5 +.Xr krb5.conf 5, +.Xr getservbyname 3 diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index 5991711a289..d8127e850f9 100644 
--- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -1061,7 +1061,7 @@ pa_enc_ts_decrypt_kvno(astgs_request_t r, krb5_crypto_destroy(r->context, crypto); /* * Since the user might have several keys with the same - * enctype but with diffrent salting, we need to try all + * enctype but with different salting, we need to try all * the keys with the same enctype. */ if (ret) { @@ -1143,7 +1143,6 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) kvno); goto out; } - if (ret == KRB5KDC_ERR_PREAUTH_FAILED) { krb5_error_code ret2; const char *msg = krb5_get_error_message(r->context, ret); diff --git a/third_party/heimdal/kuser/Makefile.am b/third_party/heimdal/kuser/Makefile.am index 96ad36fd29e..561e40e716a 100644 --- a/third_party/heimdal/kuser/Makefile.am +++ b/third_party/heimdal/kuser/Makefile.am @@ -26,6 +26,7 @@ libexec_PROGRAMS = kdigest kimpersonate noinst_PROGRAMS = kverify kdecode_ticket generate-requests +# sync with kinit_auditdns_LDADD in appl/test/Makefile.am kinit_LDADD = \ $(afs_lib) \ $(top_builddir)/lib/krb5/libkrb5.la \ diff --git a/third_party/heimdal/kuser/kinit.c b/third_party/heimdal/kuser/kinit.c index 9a2fac642ad..fe54fd99baf 100644 --- a/third_party/heimdal/kuser/kinit.c +++ b/third_party/heimdal/kuser/kinit.c @@ -986,14 +986,14 @@ get_new_tickets(krb5_context context, ret = krb5_get_init_creds_opt_set_fast_ccache(context, opt, fastid); if (ret) { - krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache"); + krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_ccache"); goto out; } ret = krb5_get_init_creds_opt_set_fast_flags(context, opt, KRB5_FAST_REQUIRED); if (ret) { - krb5_warn(context, ret, "krb5_init_creds_set_fast_flags"); + krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_flags"); goto out; } } diff --git a/third_party/heimdal/lib/gssapi/Makefile.am b/third_party/heimdal/lib/gssapi/Makefile.am index 3cb8437db28..3254866dced 100644 
--- a/third_party/heimdal/lib/gssapi/Makefile.am +++ b/third_party/heimdal/lib/gssapi/Makefile.am @@ -381,7 +381,7 @@ TESTS = test_oid test_names test_cfx test_cfx_SOURCES = krb5/test_cfx.c -check_PROGRAMS = test_acquire_cred $(TESTS) +check_PROGRAMS = test_acquire_cred test_acquire_cred_auditdns $(TESTS) bin_PROGRAMS = gsstool gss-token noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred @@ -389,6 +389,9 @@ noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cre test_context_SOURCES = test_context.c test_common.c test_common.h test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h +test_acquire_cred_auditdns_SOURCES = \ + test_acquire_cred.c test_common.c test_common.h \ + ../../appl/test/auditdns.c test_add_store_cred_SOURCES = test_add_store_cred.c diff --git a/third_party/heimdal/lib/hdb/Makefile.am b/third_party/heimdal/lib/hdb/Makefile.am index 4a559953243..1a6155be40a 100644 --- a/third_party/heimdal/lib/hdb/Makefile.am +++ b/third_party/heimdal/lib/hdb/Makefile.am @@ -84,6 +84,11 @@ if versionscript libhdb_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map endif +if HAVE_MITDB +libhdb_la_LDFLAGS += -L$(MITDB)/lib -Wl,-rpath,$(MITDB)/lib -ldb +AM_CPPFLAGS += -I$(MITDB)/include +endif + # test_hdbkeys and test_mkey are not tests -- they are manual test utils noinst_PROGRAMS = test_dbinfo test_hdbkeys test_mkey test_namespace test_concurrency TESTS = test_dbinfo test_namespace test_concurrency diff --git a/third_party/heimdal/lib/hdb/hdb-mitdb.c b/third_party/heimdal/lib/hdb/hdb-mitdb.c index ae315cd831d..e65869a6675 100644 --- a/third_party/heimdal/lib/hdb/hdb-mitdb.c +++ b/third_party/heimdal/lib/hdb/hdb-mitdb.c 
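Review bot: `-ldb` is placed in `libhdb_la_LDFLAGS`, but libtool expects libraries in `libhdb_la_LIBADD` so they are recorded as dependencies in libhdb.la and ordered after the objects; the `-L$(MITDB)/lib` and rpath flags can stay where they are. The `-Wl,-rpath,$(MITDB)/lib` also bakes a configure-time path into the installed libhdb and into everything that links it (kdc, kadmind, hprop), so whoever can write to that directory controls the libdb those daemons load; that trade-off should be stated in a comment and ideally be opt-out, e.g. `libhdb_la_LIBADD += -ldb` with the rpath line guarded by its own conditional. I cannot see from this hunk whether `AM_CPPFLAGS` is defined unconditionally earlier, which automake requires before a `+=` inside `if HAVE_MITDB`.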
@@ -118,7 +118,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags) #define CHECK(x) do { if ((x)) goto out; } while(0) -#ifdef HAVE_DB1 +#ifdef HAVE_MITDB static krb5_error_code mdb_principal2key(krb5_context context, krb5_const_principal principal, @@ -134,7 +134,7 @@ mdb_principal2key(krb5_context context, key->length = strlen(str) + 1; return 0; } -#endif /* HAVE_DB1 */ +#endif /* HAVE_MITDB */ #define KRB5_KDB_SALTTYPE_NORMAL 0 #define KRB5_KDB_SALTTYPE_V4 1 @@ -675,11 +675,11 @@ mdb_entry2value(krb5_context context, hdb_entry *entry, krb5_data *data) } #endif -#if HAVE_DB1 +#ifdef HAVE_MITDB #if defined(HAVE_DB_185_H) #include -#elif defined(HAVE_DB_H) +#else #include #endif @@ -1154,7 +1154,7 @@ hdb_mitdb_create(krb5_context context, HDB **db, return 0; } -#endif /* HAVE_DB1 */ +#endif /* HAVE_MITDB */ /* can have any number of princ stanzas. diff --git a/third_party/heimdal/lib/hdb/hdb.c b/third_party/heimdal/lib/hdb/hdb.c index 864b4f639da..b02e2f2c96c 100644 --- a/third_party/heimdal/lib/hdb/hdb.c +++ b/third_party/heimdal/lib/hdb/hdb.c @@ -77,7 +77,7 @@ static struct hdb_method methods[] = { #if HAVE_DB3 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "db3:", hdb_db3_create}, #endif -#if HAVE_DB1 +#if HAVE_MITDB { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "mit-db:", hdb_mitdb_create}, #endif #if HAVE_LMDB diff --git a/third_party/heimdal/lib/hx509/req.c b/third_party/heimdal/lib/hx509/req.c index c8be1d452bc..5ac1ea7a380 100644 --- a/third_party/heimdal/lib/hx509/req.c +++ b/third_party/heimdal/lib/hx509/req.c @@ -1670,7 +1670,7 @@ hx509_request_print(hx509_context context, hx509_request req, FILE *f) fprintf(f, " unsupported_critical_extensions_count: %u\n", (unsigned)req->nunsupported_crit); } - if (req->nunsupported_crit) { + if (req->nunsupported_opt) { fprintf(f, " unsupported_optional_extensions_count: %u\n", (unsigned)req->nunsupported_opt); } 
diff --git a/third_party/heimdal/lib/kadm5/init_c.c b/third_party/heimdal/lib/kadm5/init_c.c index ffbb639581c..8cc7cf47607 100644 --- a/third_party/heimdal/lib/kadm5/init_c.c +++ b/third_party/heimdal/lib/kadm5/init_c.c @@ -571,6 +571,11 @@ kadm_connect(kadm5_client_context *ctx) if (slash != NULL) hostname = slash + 1; + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) { + hints.ai_flags &= ~AI_CANONNAME; + hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV; + } error = getaddrinfo(hostname, portstr, &hints, &ai); if (error) { ret = KADM5_BAD_SERVER_NAME; diff --git a/third_party/heimdal/lib/kadm5/ipropd_slave.c b/third_party/heimdal/lib/kadm5/ipropd_slave.c index e572bffa7de..2971e7ce4a6 100644 --- a/third_party/heimdal/lib/kadm5/ipropd_slave.c +++ b/third_party/heimdal/lib/kadm5/ipropd_slave.c @@ -70,6 +70,11 @@ connect_to_master (krb5_context context, const char *master, port_str = port; } + if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", + NULL)) { + hints.ai_flags &= ~AI_CANONNAME; + hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV; + } error = getaddrinfo(master, port_str, &hints, &ai); if (error) { krb5_warnx(context, "Failed to get address of to %s: %s", @@ -80,7 +85,8 @@ connect_to_master (krb5_context context, const char *master, for (a = ai; a != NULL; a = a->ai_next) { char node[NI_MAXHOST]; error = getnameinfo(a->ai_addr, a->ai_addrlen, - node, sizeof(node), NULL, 0, NI_NUMERICHOST); + node, sizeof(node), NULL, 0, + NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE); if (error) strlcpy(node, "[unknown-addr]", sizeof(node)); diff --git a/third_party/heimdal/lib/kadm5/log.c b/third_party/heimdal/lib/kadm5/log.c index 96d063eb90e..cbfde885cab 100644 --- a/third_party/heimdal/lib/kadm5/log.c +++ b/third_party/heimdal/lib/kadm5/log.c 
@@ -2720,7 +2720,7 @@ kadm5_log_signal_socket_info(krb5_context context,
 memset(&hints, 0, sizeof(hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
 if (server_end) hints.ai_flags |= AI_PASSIVE;
 hints.ai_family = AF_INET;
diff --git a/third_party/heimdal/lib/krb5/addr_families.c b/third_party/heimdal/lib/krb5/addr_families.c
index 7d13211a28d..4685d769b8f 100644
--- a/third_party/heimdal/lib/krb5/addr_families.c
+++ b/third_party/heimdal/lib/krb5/addr_families.c
@@ -1210,6 +1210,11 @@ krb5_parse_address(krb5_context context,
 /* if not parsed as numeric address, do a name lookup */
 memset(&hint, 0, sizeof(hint));
 hint.ai_family = AF_UNSPEC;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hint.ai_flags &= ~AI_CANONNAME;
+ hint.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
 error = getaddrinfo (string, NULL, &hint, &ai);
 if (error) {
 krb5_error_code ret2;
diff --git a/third_party/heimdal/lib/krb5/expand_hostname.c b/third_party/heimdal/lib/krb5/expand_hostname.c
index 5023d16773e..1f1824f7685 100644
--- a/third_party/heimdal/lib/krb5/expand_hostname.c
+++ b/third_party/heimdal/lib/krb5/expand_hostname.c
@@ -68,7 +68,8 @@ krb5_expand_hostname (krb5_context context,
 struct addrinfo *ai, *a, hints;
 int error;
- if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0)
+ if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0 ||
+ krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
 return copy_hostname (context, orig_hostname, new_hostname);
 memset (&hints, 0, sizeof(hints));
diff --git a/third_party/heimdal/lib/krb5/get_addrs.c b/third_party/heimdal/lib/krb5/get_addrs.c
index 82465041886..9f14d43c068 100644
--- a/third_party/heimdal/lib/krb5/get_addrs.c
+++ b/third_party/heimdal/lib/krb5/get_addrs.c
@@ -50,6 +50,14 @@ gethostname_fallback (krb5_context context, krb5_addresses *res)
 char hostname[MAXHOSTNAMELEN];
 struct hostent *hostent;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = ENXIO;
+ krb5_set_error_message(context, ret,
+ "DNS blocked in gethostname fallback");
+ return ret;
+ }
+
 if (gethostname (hostname, sizeof(hostname))) {
 ret = errno;
 krb5_set_error_message(context, ret, "gethostname: %s", strerror(ret));
diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c
index ff06325912b..5683d967305 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -719,14 +719,14 @@ get_cred_kdc(krb5_context context,
 memset(&md, 0, sizeof(md));
 if (rep.error.e_data) {
- KERB_ERROR_DATA kerb_error_data;
+ KERB_ERROR_DATA error_data;
- memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+ memset(&error_data, 0, sizeof(error_data));
 /* First try to decode the e-data as KERB-ERROR-DATA. */
 ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
 rep.error.e_data->length,
- &kerb_error_data,
+ &error_data,
 &len);
 if (ret) {
 /* That failed, so try to decode it as METHOD-DATA. */
@@ -740,10 +740,10 @@ get_cred_kdc(krb5_context context,
 }
 } else if (len != rep.error.e_data->length) {
 /* Trailing data — just ignore the error. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
 } else {
 /* OK. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
 }
 }
diff --git a/third_party/heimdal/lib/krb5/get_for_creds.c b/third_party/heimdal/lib/krb5/get_for_creds.c
index 3a6be109006..7524ce8b302 100644
--- a/third_party/heimdal/lib/krb5/get_for_creds.c
+++ b/third_party/heimdal/lib/krb5/get_for_creds.c
@@ -329,7 +329,7 @@ get_addresses(krb5_context context,
 krb5_creds *ticket;
 krb5_const_realm realm;
 krb5_boolean noaddr;
- struct addrinfo *ai;
+ struct addrinfo *ai, hints;
 int eai;
 if (hostname == 0)
@@ -349,8 +349,13 @@ get_addresses(krb5_context context,
 return 0;
 /* Need addresses, get the address of the remote host. */
-
- eai = getaddrinfo (hostname, NULL, NULL, &ai);
+ memset(&hints, 0, sizeof(hints));
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
+ eai = getaddrinfo(hostname, NULL, &hints, &ai);
 if (eai) {
 ret = krb5_eai_to_heim_errno(eai, errno);
 krb5_set_error_message(context, ret,
diff --git a/third_party/heimdal/lib/krb5/get_host_realm.c b/third_party/heimdal/lib/krb5/get_host_realm.c
index 7b58fe9a4f5..4141a8cfe42 100644
--- a/third_party/heimdal/lib/krb5/get_host_realm.c
+++ b/third_party/heimdal/lib/krb5/get_host_realm.c
@@ -116,6 +116,14 @@ dns_find_realm(krb5_context context,
 char **config_labels;
 int i, ret = 0;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = KRB5_KDC_UNREACH;
+ krb5_set_error_message(context, ret,
+ "Realm lookup failed: DNS blocked");
+ return ret;
+ }
+
 config_labels = krb5_config_get_strings(context, NULL, "libdefaults", "dns_lookup_realm_labels", NULL);
 if(config_labels != NULL)
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c
index 4790c7e6339..f0166ee02d7 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
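Review bot: Replacing the NULL hints in get_addresses with a zeroed `hints` changes the non-block_dns path as well: on glibc a NULL hints argument defaults to `AI_V4MAPPED|AI_ADDRCONFIG`, whereas the zeroed struct passes `ai_flags = 0`, so hosts without a configured IPv6 address may now receive AAAA results in the address list built here that they did not get before. If that is unintended, `hints.ai_flags = AI_ADDRCONFIG;` right after the `memset()` restores the previous glibc behaviour for the unblocked case while still letting the block_dns branch force numeric resolution. The rest of get_addresses is outside the hunk, so whether those extra addresses matter downstream cannot be judged from here.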
@@ -579,15 +579,17 @@ get_init_creds_common(krb5_context context,
 else ctx->runflags.change_password_prompt = ctx->prompter != NULL;
- if (options->opt_private->fast_armor_ccache_name) {
- /* Open the caller-supplied FAST ccache and set the caller flags */
- ret = krb5_cc_resolve(context, options->opt_private->fast_armor_ccache_name,
- &ctx->fast_state.armor_ccache);
- if (ret)
- goto out;
- }
+ if (options->opt_private) {
+ if (options->opt_private->fast_armor_ccache_name) {
+ /* Open the caller-supplied FAST ccache and set the caller flags */
+ ret = krb5_cc_resolve(context, options->opt_private->fast_armor_ccache_name,
+ &ctx->fast_state.armor_ccache);
+ if (ret)
+ goto out;
+ }
- ctx->fast_state.flags = options->opt_private->fast_flags;
+ ctx->fast_state.flags = options->opt_private->fast_flags;
+ }
 /*
 * If FAST is required with a real credential cache, then the KDC
@@ -3165,15 +3167,15 @@ init_creds_step(krb5_context context,
 memset(&ctx->md, 0, sizeof(ctx->md));
 if (ctx->error.e_data) {
- KERB_ERROR_DATA kerb_error_data;
+ KERB_ERROR_DATA error_data;
 krb5_error_code ret2;
- memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+ memset(&error_data, 0, sizeof(error_data));
 /* First try to decode the e-data as KERB-ERROR-DATA. */
 ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
 ctx->error.e_data->length,
- &kerb_error_data,
+ &error_data,
 &len);
 if (ret2) {
 /* That failed, so try to decode it as METHOD-DATA. */
@@ -3191,10 +3193,10 @@ init_creds_step(krb5_context context,
 }
 } else if (len != ctx->error.e_data->length) {
 /* Trailing data — just ignore the error. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
 } else {
 /* OK. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
 }
 }
diff --git a/third_party/heimdal/lib/krb5/krb5.conf.5 b/third_party/heimdal/lib/krb5/krb5.conf.5
index a10b572142e..1c065cb4918 100644
--- a/third_party/heimdal/lib/krb5/krb5.conf.5
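Review bot: With the new `if (options->opt_private)` guard in get_init_creds_common, `ctx->fast_state.flags` is no longer assigned at all when `opt_private` is NULL, so its value in that case depends on whether `ctx` was zero-initialised before this point, which is outside the hunk. If it was not, an explicit `else ctx->fast_state.flags = 0;` would make the no-private-options path deterministic rather than inheriting whatever the field held; if it was, a short comment saying so at the guard would save the next reader the same check. The function continues past the end of the hunk.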
+++ b/third_party/heimdal/lib/krb5/krb5.conf.5
@@ -199,6 +199,9 @@ The default is the result of
 .It Li allow_weak_crypto = Va boolean
 are weak crypto algorithms allowed to be used, among others, DES is considered weak.
+.It Li block_dns = Va boolean
+If true, prevent Heimdal from doing any DNS resolution.
+Default is false.
 .It Li clockskew = Va time
 Maximum time differential (in seconds) allowed when comparing times.
@@ -795,6 +798,27 @@ Maximum size of a kdc request.
 If set pre-authentication is required.
 .It Li ports = Va "list of ports"
 List of ports the kdc should listen to.
+The list should be double-quoted if it contains more than one
+port specification, and the ports should be separated by space
+or tab characters.
+A port value of
+.Dq +
+means "all the standard ports" for the service, otherwise
+each port value should be of a form resolvable by
+.Xr getservbyname 3
+such as
+.Dq someservicename/tcp ,
+.Dq 12345/udp ,
+or
+.Dq 12345/tcp .
+If a numeric value is given with the
+.Sq /
+and protocol name are missing then that port will be used on
+both, UDP and TCP.
+For example,
+.Dq + 8088/tcp
+means
+.Dq serve on the standard ports and also on port 8088 with TCP .
 .It Li addresses = Va "list of interfaces"
 List of addresses the kdc should bind to.
 .It Li enable-http = Va BOOL
@@ -1472,4 +1496,5 @@ ones.
 .Xr kinit 1 ,
 .Xr krb5_openlog 3 ,
 .Xr strftime 3 ,
+.Xr getservbyname 3 ,
 .Xr verify_krb5_conf 8
diff --git a/third_party/heimdal/lib/krb5/krbhst.c b/third_party/heimdal/lib/krb5/krbhst.c
index 59a8e77d295..9f0cbe8e26f 100644
--- a/third_party/heimdal/lib/krb5/krbhst.c
+++ b/third_party/heimdal/lib/krb5/krbhst.c
@@ -439,6 +439,11 @@ krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
 snprintf (portstr, sizeof(portstr), "%d", host->port);
 make_hints(&hints, host->proto);
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
 ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
 if (ret) {
 ret = krb5_eai_to_heim_errno(ret, errno);
@@ -559,6 +564,11 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 make_hints(&hints, proto);
 snprintf(portstr, sizeof(portstr), "%d", port);
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
 ret = getaddrinfo(host, portstr, &hints, &ai);
 if (ret) {
 /* no more hosts, so we're done here */
@@ -655,7 +665,7 @@ add_locate(void *ctx, int type, struct sockaddr *addr)
 portnum = socket_get_port(addr);
 ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
- NI_NUMERICHOST|NI_NUMERICSERV);
+ NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
 if (ret != 0) return 0;
@@ -727,6 +737,13 @@ plugin_get_hosts(krb5_context context,
 {
 struct plctx ctx = { type, kd, 0 };
+ /*
+ * XXX Need a way to pass this through -- unsure if any of this is
+ * useful without DNS, though.
+ */
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
+ return;
+
 if (_krb5_homedir_access(context)) ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;
@@ -787,7 +804,9 @@ kdc_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
 srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
 kd->flags |= KD_SITE_SRV_TCP;
@@ -859,7 +878,9 @@ admin_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if((kd->flags & KD_SRV_TCP) == 0) {
 srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
 kd->flags |= KD_SRV_TCP;
@@ -913,7 +934,9 @@ kpasswd_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if((kd->flags & KD_SRV_UDP) == 0) {
 srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
 kd->flags |= KD_SRV_UDP;
diff --git a/third_party/heimdal/lib/krb5/send_to_kdc.c b/third_party/heimdal/lib/krb5/send_to_kdc.c
index bcabdd4a1ce..fdf216cae0f 100644
--- a/third_party/heimdal/lib/krb5/send_to_kdc.c
+++ b/third_party/heimdal/lib/krb5/send_to_kdc.c
@@ -328,6 +328,7 @@ struct host_fun {
 struct host {
 enum host_state { CONNECT, CONNECTING, CONNECTED, WAITING_REPLY, DEAD } state;
 krb5_krbhst_info *hi;
+ struct addrinfo *freeai;
 struct addrinfo *ai;
 rk_socket_t fd;
 const struct host_fun *fun;
@@ -368,7 +369,8 @@ debug_host(krb5_context context, int level, struct host *host, const char *fmt,
 proto = "udp";
 if (getnameinfo(host->ai->ai_addr, host->ai->ai_addrlen,
- name, sizeof(name), port, sizeof(port), NI_NUMERICHOST) != 0)
+ name, sizeof(name), port, sizeof(port),
+ NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE) != 0)
 name[0] = '\0';
 switch (host->state) {
@@ -393,6 +395,9 @@ deallocate_host(void *ptr)
 if (!rk_IS_BAD_SOCKET(host->fd)) rk_closesocket(host->fd);
 krb5_data_free(&host->data);
+ if (host->freeai)
+ freeaddrinfo(host->freeai);
+ host->freeai = NULL;
 host->ai = NULL;
 }
@@ -800,7 +805,7 @@ static krb5_error_code
 submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi)
 {
 unsigned long submitted_host = 0;
- krb5_boolean freeai = FALSE;
+ struct addrinfo *freeai = NULL;
 struct timeval nrstart, nrstop;
 krb5_error_code ret;
 struct addrinfo *ai = NULL, *a;
@@ -853,12 +858,17 @@ submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi)
 nport = init_port(el, htons(80));
 snprintf(portstr, sizeof(portstr), "%d", ntohs(nport));
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
 ret = getaddrinfo(proxy, portstr, &hints, &ai);
 free(proxy2);
 if (ret) return krb5_eai_to_heim_errno(ret, errno);
-
- freeai = TRUE;
+
+ freeai = ai;
 } else {
 ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
@@ -893,13 +903,15 @@ submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi)
 host = heim_alloc(sizeof(*host), "sendto-host", deallocate_host);
 if (host == NULL) {
 if (freeai)
- freeaddrinfo(ai);
+ freeaddrinfo(freeai);
 rk_closesocket(fd);
 return ENOMEM;
 }
 host->hi = hi;
 host->fd = fd;
 host->ai = a;
+ host->freeai = freeai;
+ freeai = NULL;
 /* next version of stid */
 host->tid = ctx->stid = (ctx->stid & 0xffff0000) | ((ctx->stid & 0xffff) + 1);
@@ -946,7 +958,7 @@ submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi)
 }
 if (freeai)
- freeaddrinfo(ai);
+ freeai = NULL;
 if (submitted_host == 0) return KRB5_KDC_UNREACH;
diff --git a/third_party/heimdal/lib/krb5/sock_principal.c b/third_party/heimdal/lib/krb5/sock_principal.c
index a43546de340..aedb0cf465d 100644
--- a/third_party/heimdal/lib/krb5/sock_principal.c
+++ b/third_party/heimdal/lib/krb5/sock_principal.c
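Review bot: The last hunk of submit_request now discards the proxy addrinfo list instead of releasing it: `if (freeai) freeai = NULL;` runs whenever no host took ownership (every `host` is allocated inside the loop, whose body is outside this hunk), so a getaddrinfo() result that yielded no host object leaks where the old code freed it. Because `freeai` is already cleared at `host->freeai = freeai; freeai = NULL;` the moment a host owns the list, `if (freeai) freeaddrinfo(freeai);` keeps the intended fix — not freeing a list that live hosts still point into — without the leak. Separately, only the first host created holds `host->freeai`, while every later host's `host->ai` points into the same list; if hosts can be released in a different order than they were created, deallocate_host freeing the list through the owner leaves its siblings with dangling `ai` pointers, which is worth confirming against the host lifetime handling outside the hunk.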
@@ -46,6 +46,14 @@ krb5_sock_to_principal (krb5_context context,
 socklen_t salen = sizeof(__ss);
 char hostname[NI_MAXHOST];
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = HEIM_EAI_FAIL;
+ krb5_set_error_message (context, ret,
+ "krb5_sock_to_principal: block_dns enabled");
+ return ret;
+ }
+
 if (getsockname (sock, sa, &salen) < 0) {
 ret = errno;
 krb5_set_error_message (context, ret, "getsockname: %s", strerror(ret));
diff --git a/third_party/heimdal/lib/krb5/verify_krb5_conf.c b/third_party/heimdal/lib/krb5/verify_krb5_conf.c
index c258a2bd3b9..ad4a8fb5441 100644
--- a/third_party/heimdal/lib/krb5/verify_krb5_conf.c
+++ b/third_party/heimdal/lib/krb5/verify_krb5_conf.c
@@ -202,6 +202,11 @@ check_host(krb5_context context, const char *path, char *data)
 defport = tmp;
 snprintf(service, sizeof(service), "%u", defport);
 }
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
 ret = getaddrinfo(hostname, service, &hints, &ai);
 if (ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) {
 snprintf(service, sizeof(service), "%u", defport);
@@ -395,6 +400,7 @@ struct entry v4_name_convert_entries[] = {
 struct entry libdefaults_entries[] = {
 { "accept_null_addresses", krb5_config_string, check_boolean, 0 },
 { "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
+ { "block_dns", krb5_config_string, check_boolean, 0 },
 { "capath", krb5_config_list, all_strings, 1 },
 { "ccapi_library", krb5_config_string, NULL, 0 },
 { "check_pac", krb5_config_string, check_boolean, 0 },
diff --git a/third_party/heimdal/lib/roken/roken-common.h b/third_party/heimdal/lib/roken/roken-common.h
index 906b000336c..f3a4c042255 100644
--- a/third_party/heimdal/lib/roken/roken-common.h
+++ b/third_party/heimdal/lib/roken/roken-common.h
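Review bot: In check_host the `EAI_SERVICE` retry right below the added block no longer fires under block_dns: with `AI_NUMERICSERV` forced, getaddrinfo() reports a non-numeric `service` as `EAI_NONAME` (on glibc at least) rather than `EAI_SERVICE`, so a config entry with a numeric host and a symbolic port is reported as unresolvable instead of being retried with `defport`. Either extend the retry condition to `(ret == EAI_SERVICE || ret == EAI_NONAME) && !isdigit(...)` when the numeric flags were set, or convert the service name before the call. Since this tool exists to explain config problems, a hostname that fails only because block_dns is on would also be clearer if the report said so; the reporting code is outside the hunk.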
@@ -252,6 +252,14 @@
 #endif
 /*
+ * NI_NUMERICSCOPE is still missing from glibc as of 2024:
+ * https://sourceware.org/bugzilla/show_bug.cgi?id=14102
+ */
+#ifndef NI_NUMERICSCOPE
+#define NI_NUMERICSCOPE 0
+#endif
+
+/*
 * constants for getnameinfo
 */
diff --git a/third_party/heimdal/lib/roken/syslogc.c b/third_party/heimdal/lib/roken/syslogc.c
index f4fb539a634..9687b126550 100644
--- a/third_party/heimdal/lib/roken/syslogc.c
+++ b/third_party/heimdal/lib/roken/syslogc.c
@@ -50,7 +50,7 @@ static SOCKADDR_IN syslog_hostaddr;
 static SOCKET syslog_socket = INVALID_SOCKET;
 static char local_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ];
-static char syslog_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ] = "localhost";
+static char syslog_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ];
 static unsigned short syslog_port = SYSLOG_PORT;
 static int datagramm_size;
diff --git a/third_party/heimdal/lib/roken/test-mini_inetd.c b/third_party/heimdal/lib/roken/test-mini_inetd.c
index 7ab996ae8b4..d6333e4b883 100644
--- a/third_party/heimdal/lib/roken/test-mini_inetd.c
+++ b/third_party/heimdal/lib/roken/test-mini_inetd.c
@@ -49,7 +49,7 @@ get_address(int flags, struct addrinfo ** ret)
 memset(&ai, 0, sizeof(ai));
- ai.ai_flags = flags | AI_NUMERICHOST;
+ ai.ai_flags = flags | AI_NUMERICHOST | AI_NUMERICSERV;
 ai.ai_family = AF_INET;
 ai.ai_socktype = SOCK_STREAM;
 ai.ai_protocol = PF_UNSPEC;
diff --git a/third_party/heimdal/lib/roken/version-script.map b/third_party/heimdal/lib/roken/version-script.map
index b48e06b9e6a..fd2b891f888 100644
--- a/third_party/heimdal/lib/roken/version-script.map
+++ b/third_party/heimdal/lib/roken/version-script.map
@@ -76,6 +76,7 @@ HEIMDAL_ROKEN_2.0 {
 rk_getipnodebyname;
 rk_getnameinfo;
 rk_getprogname;
+ rk_getpwnam_r;
 rk_glob;
 rk_globfree;
 rk_hex_decode;
diff --git a/third_party/heimdal/tests/bin/setup-env.in b/third_party/heimdal/tests/bin/setup-env.in
index 8efa0e9922b..d94bba3878a 100644
--- a/third_party/heimdal/tests/bin/setup-env.in
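Review bot: Dropping the `"localhost"` initializer in syslogc.c leaves `syslog_hostname` as an all-zero (empty) string, so whatever later resolves or connects with it must treat the empty string as "no host configured"; that code is outside the hunk and the commit gives no hint why the default was removed. A comment on the declaration such as `/* empty until set explicitly; no default host is looked up */` would record the intent, and the consumer should be checked for an explicit empty-string guard. The roken-common.h fallback `#define NI_NUMERICSCOPE 0` above is fine as a no-op on platforms lacking the flag.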
+++ b/third_party/heimdal/tests/bin/setup-env.in
@@ -38,6 +38,7 @@ kdigest="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kdigest"
 kgetcred="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kgetcred"
 kimpersonate="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kimpersonate"
 kinit="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kinit"
+kinit_auditdns="${TESTS_ENVIRONMENT} ${top_builddir}/appl/test/kinit_auditdns"
 klist="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools klist"
 kpasswd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswd"
 kpasswdd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswdd"
diff --git a/third_party/heimdal/tests/db/Makefile.am b/third_party/heimdal/tests/db/Makefile.am
index 9597a0b4411..d1cf761bc3c 100644
--- a/third_party/heimdal/tests/db/Makefile.am
+++ b/third_party/heimdal/tests/db/Makefile.am
@@ -2,6 +2,8 @@
 include $(top_srcdir)/Makefile.am.common
+.NOTPARALLEL:
+
 noinst_DATA = krb5.conf krb5.conf-sqlite krb5.conf-db3 krb5.conf-db1 krb5.conf-lmdb
 noinst_SCRIPTS = have-db
diff --git a/third_party/heimdal/tests/db/check-aliases.in b/third_party/heimdal/tests/db/check-aliases.in
index b5a1069d8d4..fd6131f5269 100644
--- a/third_party/heimdal/tests/db/check-aliases.in
+++ b/third_party/heimdal/tests/db/check-aliases.in
@@ -58,26 +58,21 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -echo "Adding foo" -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} modify --alias=foo-alias1@${R} --alias=foo-alias2@${R} foo@${R} || exit 1 - -echo "Adding bar" -${kadmin} add -p foo --use-defaults bar@${R} || exit 1 -${kadmin} add_alias bar@${R} bar-alias1@${R} bar-alias2@${R} || exit 1 -${kadmin} add_alias bar@${R} bar-alias4@${R} bar-alias3@${R} || exit 1 -${kadmin} get -o principal bar@${R} | grep "Principal:.bar@${R}" >/dev/null || exit 1 -${kadmin} get -o principal bar-alias1@${R} | grep "Principal:.bar@${R}" >/dev/null || exit 1 -${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null || exit 1 -${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null || exit 1 -${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null || exit 1 -${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null || exit 1 +${kadmin} </dev/null +${kadmin} get -o principal bar-alias1@${R} | grep "Principal:.bar@${R}" >/dev/null +${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null +${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null +${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null +${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null echo "Baz does not exists" 
@@ -98,9 +93,11 @@ ${kadmin} delete bar-alias1${R} 2>/dev/null && exit 1 ${kadmin} delete baz-alias1${R} 2>/dev/null && exit 1 echo "Delete aliases with del_alias (must succeed)" -${kadmin} del_alias bar-alias2@${R} bar-alias3@${R} bar-alias4@${R} || exit 1 +${kadmin} </dev/null || exit 1 -${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null || exit 1 +${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null|| exit 1 ${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null && exit 1 ${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null && exit 1 ${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null && exit 1 @@ -111,9 +108,11 @@ ${kadmin} delete bar@${R} 2>/dev/null && exit 1 ${kadmin} delete baz@${R} 2>/dev/null && exit 1 echo "Add alias to deleted name" -${kadmin} modify --alias=bar-alias1@${R} foo@${R} || exit 1 -${kadmin} modify --alias=bar@${R} foo@${R} || exit 1 -${kadmin} modify --alias=bar@${R} --alias=baz@${R} foo@${R} || exit 1 +${kadmin} </dev/null || exit 1 ${kadmin} get -o principal bar@${R} | grep "Principal:.foo@${R}" >/dev/null || exit 1 ${kadmin} get -o principal baz@${R} | grep "Principal:.foo@${R}" >/dev/null || exit 1 @@ -124,9 +123,11 @@ ${kadmin} get bar-alias1@${R} 2>/dev/null && exit 1 echo "Rename over self alias key" ${kadmin} rename foo@${R} foo-alias1@${R} 2>/dev/null && exit 1 -${kadmin} modify --alias= foo@${R} || exit 1 -${kadmin} rename foo@${R} foo-alias1@${R} || exit 1 -${kadmin} modify --alias=foo foo-alias1@${R} || exit 1 +${kadmin} < check-nodns.tmp && \ + chmod +x check-nodns.tmp && \ + mv check-nodns.tmp check-nodns + check-ntlm: check-ntlm.in Makefile $(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \ chmod +x check-ntlm.tmp && \ 
@@ -59,6 +66,10 @@ krb5.conf: krb5.conf.in Makefile $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \ mv krb5.conf.tmp krb5.conf +krb5-nodns.conf: krb5-nodns.conf.in Makefile + $(do_subst) < $(srcdir)/krb5-nodns.conf.in > krb5-nodns.conf.tmp && \ + mv krb5-nodns.conf.tmp krb5-nodns.conf + new_clients_k5.conf: new_clients_k5.conf.in Makefile $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \ mv new_clients_k5.conf.tmp new_clients_k5.conf @@ -75,12 +86,14 @@ CLEANFILES= \ krb5ccfile-ds \ server.keytab \ krb5.conf \ + krb5-nodns.conf \ new_clients_k5.conf \ mech \ current-db* \ *.log \ tempfile \ check-basic.tmp \ + check-nodns.tmp \ check-gss.tmp \ check-gssmask.tmp \ check-spnego.tmp \ @@ -90,6 +103,7 @@ CLEANFILES= \ EXTRA_DIST = \ NTMakefile \ check-basic.in \ + check-nodns.in \ check-gss.in \ check-gssmask.in \ check-spnego.in \ diff --git a/third_party/heimdal/tests/gss/check-basic.in b/third_party/heimdal/tests/gss/check-basic.in index c5151c4c94f..8904310ab22 100644 --- a/third_party/heimdal/tests/gss/check-basic.in +++ b/third_party/heimdal/tests/gss/check-basic.in 
@@ -76,28 +76,30 @@ rm -f mkey.file* > messages.log -echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - echo upw > ${objdir}/foopassword -${kadmin} add -p upw --use-defaults user@${R} || exit 1 -${kadmin} add -p upw --use-defaults another@${R} || exit 1 -${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +echo Creating database +${kadmin} < messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - # add both lucid and lucid.test.h5l.se to simulate aliases -${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1 - -${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1 -${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1 - - -${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1 -${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1 # XXX ext should ext aliases too -${kadmin} ext -k ${keytab} host/short@${R} || exit 1 +${kadmin} < tempfile || exit 1 -${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \ - aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1 -${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1 +${kadmin} < tempfile || exit 1 echo u1 > ${objdir}/foopassword 
@@ -118,7 +110,14 @@ echo Starting kdc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} 2>/dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM testfailed="echo test failed; cat messages.log; exit 1" diff --git a/third_party/heimdal/tests/gss/check-gssmask.in b/third_party/heimdal/tests/gss/check-gssmask.in index 539e2e94e52..e88e5bc5702 100644 --- a/third_party/heimdal/tests/gss/check-gssmask.in +++ b/third_party/heimdal/tests/gss/check-gssmask.in @@ -70,34 +70,34 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - # Test virtual principals, why not -${kadmin} add_ns --key-rotation-epoch=now \ - --key-rotation-period=15m \ - --max-ticket-life=10d \ - --max-renewable-life=20d \ - --attributes= \ - "_/test.h5l.se@${R}" || exit 1 -${kadmin} ext -k ${keytab} host/n1.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/n2.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/n3.test.h5l.se@${R} || exit 1 - -${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} </dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM echo Starting kdc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT - exitcode=0 echo "Starting client 1" 
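Review bot: The new `cleanup` handler always ends in `exit 1` and is installed for `EXIT`, so a run that finishes normally is still reported as failed unless every success path first resets the trap (as check-gssmask.in does with `trap "" EXIT` before its final exit); the tail of this script is outside the hunk, so it is worth confirming each script that gains this handler does the same. The identical function is added in check-gssmask.in, in the `@@ -110,7 +102,14 @@` and `@@ -109,7 +101,14 @@` hunks further down, and in java/check-kinit.in, but only some copies silence `kill -9 ${kdcpid}` with `2>/dev/null`, so a kdc that already exited prints a stray "No such process" in the others. Making the copies identical, or defining `cleanup` once in setup-env.in and sourcing it, keeps them from drifting.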
@@ -111,20 +111,19 @@ echo "Starting client 2" ${gssmaskn2} --moniker=n2 & n2pid=$! -echo "Starting client 3" -${gssmaskn3} --moniker=n3 & -n3pid=$! - -trap "kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null; echo signal killing kdc and maskar; exit 1;" EXIT +#echo "Starting client 3" +#${gssmaskn3} --moniker=n3 & +#n3pid=$! sleep 10 -# --wrap-ext +# XXX Make --wrap-ext work (seems to fail) +# +# Add --slaves=localhost:8891 if re-enabling client 3 ${gssmaestro} \ --slaves=localhost:8889 \ --slaves=localhost:8890 \ - --slaves=localhost:8891 \ --principals=user1@${R}:u1 || exitcode=1 trap "" EXIT diff --git a/third_party/heimdal/tests/gss/check-negoex.in b/third_party/heimdal/tests/gss/check-negoex.in index 063e0c1139a..e44e26cbf41 100644 --- a/third_party/heimdal/tests/gss/check-negoex.in +++ b/third_party/heimdal/tests/gss/check-negoex.in @@ -273,6 +273,4 @@ for mech in spnego spnegoiov; do done -trap "" EXIT - exit $exitcode diff --git a/third_party/heimdal/tests/gss/check-basic.in b/third_party/heimdal/tests/gss/check-nodns.in similarity index 88% copy from third_party/heimdal/tests/gss/check-basic.in copy to third_party/heimdal/tests/gss/check-nodns.in index c5151c4c94f..9718fd76748 100644 --- a/third_party/heimdal/tests/gss/check-basic.in +++ b/third_party/heimdal/tests/gss/check-nodns.in @@ -55,13 +55,13 @@ cache2="FILE:krb5ccfile2" nocache="FILE:no-such-cache" kadmin="${kadmin} -l -r $R" -kdc="${kdc} --addresses=localhost -P $port" +kdc="${kdc} --addresses=127.0.0.1 -P $port" -acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred" +acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred_auditdns" test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred" test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred" -KRB5_CONFIG="${objdir}/krb5.conf" +KRB5_CONFIG="${objdir}/krb5-nodns.conf" export KRB5_CONFIG KRB5_KTNAME="${keytab}" 
@@ -77,32 +77,33 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - echo upw > ${objdir}/foopassword - -${kadmin} add -p upw --use-defaults user@${R} || exit 1 -${kadmin} add -p upw --use-defaults another@${R} || exit 1 -${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 - -${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 - -${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1 -${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1 - -${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword echo ds > ${objdir}/barpassword @@ -110,7 +102,14 @@ echo Starting kdc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM exitcode=0 diff --git a/third_party/heimdal/tests/gss/check-spnego.in b/third_party/heimdal/tests/gss/check-spnego.in index d6e4d833152..69f28200b8f 100644 --- a/third_party/heimdal/tests/gss/check-spnego.in +++ b/third_party/heimdal/tests/gss/check-spnego.in 
@@ -83,24 +83,16 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1 -${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1 - -${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 - -${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1 -${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1 - -${kadmin} add -p u1 --use-defaults user1@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword echo ds > ${objdir}/barpassword @@ -109,7 +101,14 @@ echo Starting kdc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM exitcode=0 diff --git a/third_party/heimdal/tests/gss/krb5-nodns.conf.in b/third_party/heimdal/tests/gss/krb5-nodns.conf.in new file mode 100644 index 00000000000..99fb5449036 --- /dev/null +++ b/third_party/heimdal/tests/gss/krb5-nodns.conf.in 
@@ -0,0 +1,55 @@ +include @srcdirabs@/include-krb5.conf + +[libdefaults] + default_keytab_name = @objdir@/server.keytab + enable-kx509 = yes + kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem + default_realm = TEST.H5L.SE + kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login + kuserok = USER-K5LOGIN + kuserok = SIMPLE + block_dns = yes + +[realms] + TEST.H5L.SE = { + kdc = 127.0.0.1:@port@ + auth_to_local_names = { + user1 = mapped_user1 + } + } + +[kdc] + enable-digest = true + allow-anonymous = true + digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2 + strict-nametypes = true + synthetic_clients = true + enable_gss_preauth = true + gss_mechanisms_allowed = sanon-x25519 + enable-pkinit = true + pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key + pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt + pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt +# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl + pkinit_mappings_file = @srcdir@/pki-mapping + pkinit_allow_proxy_certificate = true + + database = { + dbname = @objdir@/current-db + realm = TEST.H5L.SE + mkey_file = @objdir@/mkey.file + log_file = @objdir@/current.log + } + +[hdb] + db-dir = @objdir@ + enable_virtual_hostbased_princs = true + virtual_hostbased_princ_mindots = 1 + virtual_hostbased_princ_maxdots = 3 + same_realm_aliases_are_soft = true + +[logging] + kdc = 0-/FILE:@objdir@/messages.log + default = 0-/FILE:@objdir@/messages.log + +include @srcdirabs@/missing-krb5.conf diff --git a/third_party/heimdal/tests/java/check-kinit.in b/third_party/heimdal/tests/java/check-kinit.in index 82033447409..a04bd932e9d 100644 --- a/third_party/heimdal/tests/java/check-kinit.in +++ b/third_party/heimdal/tests/java/check-kinit.in 
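Review bot: `kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem` is the only path in this new file that is not under `@objdir@` or `@srcdir@`; a fixed, predictable name in the shared /tmp lets another local user pre-create or symlink the file the test writes its certificate and key into, and parallel runs under the same uid collide on it. Presumably this is copied from the existing krb5.conf.in, but a new file is the right place to switch to `kx509_store = PEM-FILE:@objdir@/cert_%{euid}.pem`. The `[kdc]` section also enables a broad digest and mechanism set (`chap-md5`, `ntlm-v1`, ...) that the no-DNS scenario presumably does not need on its own; a one-line comment at the top stating that the file mirrors krb5.conf.in apart from `block_dns = yes` would tell the next reader what is intentional.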
@@ -78,22 +78,26 @@ javac -d "${objdir}" "${srcdir}/../../appl/test/jgssapi_server.java" || \ echo foo > ${objdir}/foopassword echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults lha@${R} || exit 1 -${kadmin} modify --attributes=+requires-pre-auth lha@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 +${kadmin} </dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM # csr_grant ext-type value grantee_principal csr_grant() { diff --git a/third_party/heimdal/tests/kdc/check-canon.in b/third_party/heimdal/tests/kdc/check-canon.in index 18b83a9b7a6..ea66badc261 100644 --- a/third_party/heimdal/tests/kdc/check-canon.in +++ b/third_party/heimdal/tests/kdc/check-canon.in 
@@ -68,33 +68,29 @@ rm -f mkey.file* echo "Creating database" initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month" -${kadmin} ${initflags} ${R1} || exit 1 -${kadmin} ${initflags} ${R2} || exit 1 -${kadmin} ${initflags} ${R3} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R1} || exit 1 - -${kadmin} add -p cross1 --use-defaults krbtgt/${R1}@${R2} || exit 1 -${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R1} || exit 1 -${kadmin} add -p cross3 --use-defaults krbtgt/${R3}@${R1} || exit 1 -${kadmin} add -p cross4 --use-defaults krbtgt/${R1}@${R3} || exit 1 -${kadmin} add -p cross5 --use-defaults krbtgt/${R3}@${R2} || exit 1 -${kadmin} add -p cross6 --use-defaults krbtgt/${R2}@${R3} || exit 1 - -${kadmin} add -p foo --use-defaults host/t1@${R1} || exit 1 -${kadmin} add -p foo --use-defaults host/t2@${R2} || exit 1 -${kadmin} add -p foo --use-defaults host/t3@${R3} || exit 1 -${kadmin} add -p foo --use-defaults host/t11.test1.h5l.se@${R1} || exit 1 -${kadmin} add -p foo --use-defaults host/t12.test1.h5l.se@${R2} || exit 1 -${kadmin} add -p foo --use-defaults host/t22.test2.h5l.se@${R2} || exit 1 -${kadmin} add -p foo --use-defaults host/t23.test2.h5l.se@${R3} || exit 1 -${kadmin} add -p foo --use-defaults host/t33.test3.h5l.se@${R3} || exit 1 - - -echo "Doing database check" -${kadmin} check ${R1} || exit 1 -${kadmin} check ${R2} || exit 1 -${kadmin} check ${R3} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -102,7 +98,14 @@ echo "Starting kdc" ; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-cc.in b/third_party/heimdal/tests/kdc/check-cc.in index 46e846a10ea..d6d6a91a6e3 100644 
--- a/third_party/heimdal/tests/kdc/check-cc.in +++ b/third_party/heimdal/tests/kdc/check-cc.in @@ -69,19 +69,14 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p foo --use-defaults bar@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -96,7 +91,14 @@ kcmpid=`getpid kcm` HEIM_IPC_DIR=${objdir} export HEIM_IPC_DIR -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-delegation.in b/third_party/heimdal/tests/kdc/check-delegation.in index fdff0f6a0f0..de35f6d537d 100644 --- a/third_party/heimdal/tests/kdc/check-delegation.in +++ b/third_party/heimdal/tests/kdc/check-delegation.in 
@@ -72,32 +72,27 @@ rm -f mkey.file* echo Creating database initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month" -${kadmin} ${initflags} ${R} || exit 1 -${kadmin} ${initflags} ${R2} || exit 1 -${kadmin} ${initflags} ${R3} || exit 1 -${kadmin} ${initflags} ${R4} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 - -${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 -${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R2} || exit 1 -${kadmin} add -p cross3 --use-defaults krbtgt/${R4}@${R3} || exit 1 - -${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R2}@${R} || exit 1 -${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R3}@${R2} || exit 1 - -${kadmin} add -p foo --use-defaults host/server.test3.h5l.se@${R3} || exit 1 -${kadmin} modify --attributes=+ok-as-delegate host/server.test3.h5l.se@${R3} || exit 1 -${kadmin} add -p foo --use-defaults host/noserver.test3.h5l.se@${R3} || exit 1 - -${kadmin} add -p foo --use-defaults host/server.test4.h5l.se@${R4} || exit 1 -${kadmin} modify --attributes=+ok-as-delegate host/server.test4.h5l.se@${R4} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 -${kadmin} check ${R2} || exit 1 -${kadmin} check ${R3} || exit 1 -${kadmin} check ${R4} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -105,7 +100,14 @@ echo Starting kdc; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-des.in b/third_party/heimdal/tests/kdc/check-des.in index 144613df4f9..f36f0c9ca16 100644 --- a/third_party/heimdal/tests/kdc/check-des.in +++ b/third_party/heimdal/tests/kdc/check-des.in 
@@ -70,28 +70,17 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R2} || exit 1 - -${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${afsserver}@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${hostserver}@${R} || exit 1 -${kadmin} add_enctype -r ${afsserver}@${R} des-cbc-crc || exit 1 -${kadmin} add_enctype -r ${hostserver}@${R} des-cbc-crc || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -99,7 +88,14 @@ echo Starting kdc; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-digest.in b/third_party/heimdal/tests/kdc/check-digest.in index d934f4e2898..4bf46259278 100644 --- a/third_party/heimdal/tests/kdc/check-digest.in +++ b/third_party/heimdal/tests/kdc/check-digest.in 
@@ -76,20 +76,15 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1 -${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1 -${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1 -${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -98,7 +93,14 @@ env ${HEIM_MALLOC_DEBUG} ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM exitcode=0 diff --git a/third_party/heimdal/tests/kdc/check-fast.in b/third_party/heimdal/tests/kdc/check-fast.in index d1683f2e750..0cbc146508f 100644 --- a/third_party/heimdal/tests/kdc/check-fast.in +++ b/third_party/heimdal/tests/kdc/check-fast.in @@ -71,17 +71,12 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword echo bar > ${objdir}/barpassword 
@@ -91,7 +86,14 @@ env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 Malloc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-hdb-mitdb.in b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in index a241aeb4a8f..4ab4089364c 100644 --- a/third_party/heimdal/tests/kdc/check-hdb-mitdb.in +++ b/third_party/heimdal/tests/kdc/check-hdb-mitdb.in @@ -44,7 +44,8 @@ testfailed="echo test failed; cat messages.log; exit 1" # If there is no ldap support compiled in, disable test if ${kdc} --builtin-hdb | grep mit-db > /dev/null ; then - : + echo "Testing MIT KDB support" + ${kdc} --builtin-hdb else echo "no MIT KDB support" exit 77 @@ -88,7 +89,14 @@ env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 Malloc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-httpkadmind.in b/third_party/heimdal/tests/kdc/check-httpkadmind.in index 9707fc14b55..16d4402b249 100644 --- a/third_party/heimdal/tests/kdc/check-httpkadmind.in +++ b/third_party/heimdal/tests/kdc/check-httpkadmind.in @@ -224,8 +224,9 @@ cleanup() { { echo signal killing kadmind; kill -9 "$kadmindpid"; } test -n "$kadmind2pid" && { echo signal killing kadmind; kill -9 "$kadmind2pid"; } + trap '' EXIT INT TERM } -trap cleanup EXIT +trap cleanup EXIT INT TERM rm -f extracted_keytab 
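Review bot: check-httpkadmind's `cleanup()` has no `exit` after the kills (the closing `}` follows the added `trap ''` line directly), so with `trap cleanup EXIT INT TERM` a SIGINT or SIGTERM now kills the daemons and then lets the script carry on into the remaining tests against dead daemons instead of terminating; every other cleanup in this commit ends with `exit 1`. Unless the end of the script clears the EXIT trap (not visible here), keeping EXIT separate avoids altering the normal exit status: `trap cleanup EXIT` followed by `trap 'cleanup; exit 1' INT TERM`. The start of `cleanup()` is outside the hunk, so an earlier `exit` cannot be ruled out, but it would make the visible kill lines unreachable. The check-hdb-mitdb hunk on this line re-runs `${kdc} --builtin-hdb` purely to print the list the preceding `grep` already consumed; harmless, and a short comment saying its status is intentionally ignored would keep it from being "fixed" later.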
diff --git a/third_party/heimdal/tests/kdc/check-iprop.in b/third_party/heimdal/tests/kdc/check-iprop.in index 524379393fa..639146f39d7 100644 --- a/third_party/heimdal/tests/kdc/check-iprop.in +++ b/third_party/heimdal/tests/kdc/check-iprop.in @@ -225,18 +225,14 @@ rm -f messages.log messages.log > messages.log2 echo Creating database -${kadmin} -l \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} -l add -p foo --use-defaults user@${R} || exit 1 - -${kadmin} -l add --random-key --use-defaults iprop/localhost@${R} || exit 1 -${kadmin} -l ext -k ${keytab} iprop/localhost@${R} || exit 1 -${kadmin} -l add --random-key --use-defaults iprop/slave.test.h5l.se@${R} || exit 1 -${kadmin} -l ext -k ${keytab} iprop/slave.test.h5l.se@${R} || exit 1 +${kadmin} -l < ${objdir}/foopassword @@ -307,11 +303,12 @@ cleanup() { test -n "$ipds" && kill -9 $ipds >/dev/null 2>/dev/null test -n "$ipds2" && kill -9 $ipds2 >/dev/null 2>/dev/null test -n "$kdcpid" && kill -9 $kdcpid >/dev/null 2>/dev/null + trap '' EXIT INT TERM tail messages.log tail iprop-stats exit 1 } -trap cleanup EXIT +trap cleanup EXIT INT TERM echo Starting kdc ; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } diff --git a/third_party/heimdal/tests/kdc/check-kadmin.in b/third_party/heimdal/tests/kdc/check-kadmin.in index 339868bfb8f..077b9df3ef6 100644 --- a/third_party/heimdal/tests/kdc/check-kadmin.in +++ b/third_party/heimdal/tests/kdc/check-kadmin.in 
@@ -73,26 +73,23 @@ rm -f messages.log > messages.log echo Creating database -${kadmin} -l \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} -l add -p "$foopassword" --use-defaults foo/admin@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults bar@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults baz@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults bez@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults fez@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults hasalias@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults pkinit@${R} || exit 1 -${kadmin} -l modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults prune@${R} || exit 1 -${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1 -${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1 -${kadmin} -l add -p "$foopassword" --use-defaults pruneall@${R} || exit 1 -${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1 -${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1 +${kadmin} -l < ${objdir}/foopassword @@ -105,7 +102,14 @@ ${kadmind} --detach --list-chunk-size=1 \ || { echo "kadmind failed to start"; cat messages.log; exit 1; } kadmpid=`getpid kadmind` -trap "kill -9 ${kdcpid} ${kadmpid}" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} ${kadmpid} 2>/dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM #---------------------------------- echo "kinit (no admin); test mod --alias authorization" diff --git a/third_party/heimdal/tests/kdc/check-kdc.in b/third_party/heimdal/tests/kdc/check-kdc.in index 307312e1fbc..595b5b2195e 100644 --- a/third_party/heimdal/tests/kdc/check-kdc.in +++ b/third_party/heimdal/tests/kdc/check-kdc.in 
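Review bot: The old check-kadmin trap was `kill -9 ${kdcpid} ${kadmpid}` with no `exit`, i.e. it also served as the normal-exit shutdown and left the script's status untouched; the new `cleanup()` ends with `exit 1` and dumps messages.log. If check-kadmin.in does not clear the trap (`trap "" EXIT`) and kill the daemons itself before its final exit, which lies outside this hunk, every run will now end with status 1 and a log dump. check-kpasswdd has the same shift, from `exit \$ec` to `exit 1`, so its tail needs the same check.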
@@ -113,218 +113,143 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R2} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R3} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R4} || exit 1 - -${kadmin5} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R5} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R6} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R7} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R8} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${H1} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${H2} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${H3} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${H4} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${RH} || exit 1 - -${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 -${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 -${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 -${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R2} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 -${kadmin} add -p foo 
--use-defaults foo@${R4} || exit 1 -${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R6} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R7} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R8} || exit 1 -${kadmin} add -p foo --use-defaults foo@${H1} || exit 1 -${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1 -${kadmin} add -p foo --use-defaults foo@${H2} || exit 1 -${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1 -${kadmin} add -p foo --use-defaults foo@${H3} || exit 1 -${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1 -${kadmin} add -p foo --use-defaults foo@${H4} || exit 1 -${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1 -${kadmin} add -p bar --use-defaults bar@${R} || exit 1 -${kadmin} add -p foo --use-defaults remove@${R} || exit 1 -${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1 -${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1 -${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 -${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 -${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1 -${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1 -${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1 - -${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1 -${kadmin} add -p foo --use-defaults ${ps} || exit 1 -${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 -${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 -${kadmin} ext -k ${keytab} ${ps} || exit 1 +${kadmin} < tempfile || exit 1 
@@ -378,8 +303,14 @@ env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach || { echo "kpasswdd failed to start"; exit 1; } kpasswddpid=`getpid kpasswdd` - -trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} ${kpasswddpid} 2>/dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-keys.in b/third_party/heimdal/tests/kdc/check-keys.in index 6784bb51efa..78cc70b3d61 100644 --- a/third_party/heimdal/tests/kdc/check-keys.in +++ b/third_party/heimdal/tests/kdc/check-keys.in @@ -65,15 +65,11 @@ sed -e 's/@keys@/v5/' \ ${sedvars} < ${CIN} > ${COUT} echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults ${principal} || exit 1 - -${kadmin} cpw -p foo ${principal} || exit 1 +${kadmin} < ${COUT} diff --git a/third_party/heimdal/tests/kdc/check-kinit.in b/third_party/heimdal/tests/kdc/check-kinit.in index c6cb23ff6f8..c85701c040f 100644 --- a/third_party/heimdal/tests/kdc/check-kinit.in +++ b/third_party/heimdal/tests/kdc/check-kinit.in @@ -75,6 +75,14 @@ kinit_out=${objdir}/out-kinit-torture-kinit parent_shell_proc=$$ +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} + if (($# == 0)); then echo "This is a MANUAL test." @@ -110,7 +118,7 @@ if (($# == 0)); then ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` - trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + trap cleanup EXIT INT TERM ec=0 else diff --git a/third_party/heimdal/tests/kdc/check-kpasswdd.in b/third_party/heimdal/tests/kdc/check-kpasswdd.in index 39f12e1be8c..2640000dfd4 100644 --- a/third_party/heimdal/tests/kdc/check-kpasswdd.in +++ b/third_party/heimdal/tests/kdc/check-kpasswdd.in 
@@ -76,28 +76,16 @@ rm -f mkey.file* > messages.log echo "Creating database for $R" -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 - -echo "Creating database for ${R2}" -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R2} || exit 1 - -${kadmin} add -p foo --use-defaults bar@${R2} || exit 1 - -echo "Doing database check for ${R} ${R2}" -${kadmin} check ${R} || exit 1 -${kadmin} check ${R2} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -111,7 +99,14 @@ env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach || { echo "kpasswdd failed to start"; exit 1; } kpasswddpid=`getpid kpasswdd` -trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc; exit \$ec;" EXIT +cleanup() { + echo signal killing kdc and kpasswdd + kill -9 ${kdcpid} ${kpasswddpid} 2>/dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-pkinit.in b/third_party/heimdal/tests/kdc/check-pkinit.in index 571a64e9c15..066d8e372b4 100644 --- a/third_party/heimdal/tests/kdc/check-pkinit.in +++ b/third_party/heimdal/tests/kdc/check-pkinit.in 
@@ -96,24 +96,18 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} modify --max-ticket-life=5d krbtgt/${R}@${R} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add -p bar --use-defaults bar@${R} || exit 1 -${kadmin} add -p baz --use-defaults baz@${R} || exit 1 -${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1 +${kadmin} < messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R2} || exit 1 - -${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1 -${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1 - # User 'foo' gets two aliases in the same realm, and one in the other -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} add_alias foo@${R} foo@${R2} alias1 alias2 || exit 1 -${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1 -${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1 -${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1 - # service1 is an alias of service2, in different realms -${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1 -${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1 -${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1 - # service3 and service4 get soft aliases in each other's realms -${kadmin} add -p foo --use-defaults ${service3}@${R} || exit 1 -${kadmin} add -p foo --use-defaults ${service4}@${R2} || exit 1 -${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R} || exit 1 -${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2} || exit 1 - # service6 is a hard alias of service5 -${kadmin} add -p foo 
--use-defaults ${service5}@${R} || exit 1 -${kadmin} add_alias ${service5}@${R} ${service6}@${R2} || exit 1 - # service8 is a hard alias of service7, but in the opposite direction -${kadmin} add -p foo --use-defaults ${service7}@${R2} || exit 1 -${kadmin} add_alias ${service5}@${R} ${service8}@${R} || exit 1 - -${kadmin} add -p foo --use-defaults bar@${R} || exit 1 -${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1 - -${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 -${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 - -${kadmin} ext -k ${keytab} krbtgt/${R}@${R} || exit 1 +${kadmin} </dev/null || exit 1 +${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1 +${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1 +${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1 echo foo > ${objdir}/foopassword @@ -148,7 +132,14 @@ echo Starting kdc ; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/kdc/check-tester.in b/third_party/heimdal/tests/kdc/check-tester.in index 83b48baf27f..fa5ef006b67 100644 --- a/third_party/heimdal/tests/kdc/check-tester.in +++ b/third_party/heimdal/tests/kdc/check-tester.in @@ -86,16 +86,13 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1 -${kadmin} add -p foo --use-defaults foo@${R} || exit 1 -${kadmin} ext -k ${keytab} foo@${R} || exit 1 -${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 +${kadmin} < out-log 2>&1 || exit 1 
diff --git a/third_party/heimdal/tests/kdc/check-uu.in b/third_party/heimdal/tests/kdc/check-uu.in index ef831ca4d94..781715682b6 100644 --- a/third_party/heimdal/tests/kdc/check-uu.in +++ b/third_party/heimdal/tests/kdc/check-uu.in @@ -71,17 +71,12 @@ rm -f mkey.file* > messages.log echo Creating database -${kadmin} \ - init \ - --realm-max-ticket-life=1day \ - --realm-max-renewable-life=1month \ - ${R} || exit 1 - -${kadmin} add -p foo --use-defaults user1@${R} || exit 1 -${kadmin} add -p foo --use-defaults user2@${R} || exit 1 - -echo "Doing database check" -${kadmin} check ${R} || exit 1 +${kadmin} < ${objdir}/foopassword @@ -89,7 +84,14 @@ echo Starting kdc ; > messages.log ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill -9 ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT +cleanup() { + echo signal killing kdc + kill -9 ${kdcpid} ${uuspid} 2>/dev/null + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM ec=0 diff --git a/third_party/heimdal/tests/ldap/check-ldap.in b/third_party/heimdal/tests/ldap/check-ldap.in index f73eb6e1b88..0f092c1cbc0 100644 --- a/third_party/heimdal/tests/ldap/check-ldap.in +++ b/third_party/heimdal/tests/ldap/check-ldap.in @@ -91,7 +91,19 @@ done sh ${objdir}/slapd-init || exit 1 -trap "sh ${srcdir}/slapd-stop ; exit 1;" EXIT +kdcpid= +cleanup() { + if test -n "$kdcpid"; then + echo signal killing kdc + kill -9 ${kdcpid} 2>/dev/null + fi + echo Stopping slapd + sh ${srcdir}/slapd-stop + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM rm -f current-db* @@ -123,8 +135,6 @@ echo Starting kdc ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } kdcpid=`getpid kdc` -trap "kill ${kdcpid}; echo signal killing kdc; sh ${srcdir}/slapd-stop ; exit 1;" EXIT - ec=0 echo "Getting client initial tickets"; 
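Review bot: `trap '' EXIT INT TERM` in the new check-ldap `cleanup()` is armed only after `kill -9` and `sh ${srcdir}/slapd-stop` have run, so a second SIGINT arriving while slapd-stop is still running re-enters `cleanup()` and stops slapd twice before the first invocation reaches `exit 1`; making the reset the first statement of the function (`cleanup() {` followed by `trap '' EXIT INT TERM` as its opening line) closes that window. Initialising `kdcpid=` and guarding the kill with `test -n "$kdcpid"` here is the pattern the other scripts in this commit should copy. The check-uu hunk earlier on this line, and every other cleanup in the commit, has the same late reset, though there the window is only the kill itself.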
diff --git a/third_party/heimdal/tests/plugin/check-pac.in b/third_party/heimdal/tests/plugin/check-pac.in
index 85bf8cd9a98..595d70e1ca2 100644
--- a/third_party/heimdal/tests/plugin/check-pac.in
+++ b/third_party/heimdal/tests/plugin/check-pac.in
@@ -111,7 +111,14 @@ echo Starting kdc
 ${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
 kdcpid=`getpid kdc`
-trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
 ec=0
-- 2.11.4.GIT