diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index ab74fe1b6..ae5caa556 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -614,7 +614,6 @@ init_auth_restart enctype, ctx->kcred, &cksum, - NULL, &authenticator, KRB5_KU_AP_REQ_AUTH); diff --git a/lib/krb5/build_auth.c b/lib/krb5/build_auth.c index 8bdc2c7a1..a845e0ac3 100644 --- a/lib/krb5/build_auth.c +++ b/lib/krb5/build_auth.c @@ -100,35 +100,30 @@ make_etypelist(krb5_context context, } krb5_error_code KRB5_LIB_FUNCTION -krb5_build_authenticator (krb5_context context, +_krb5_build_authenticator(krb5_context context, krb5_auth_context auth_context, krb5_enctype enctype, krb5_creds *cred, Checksum *cksum, - Authenticator **auth_result, krb5_data *result, krb5_key_usage usage) { - Authenticator *auth; + Authenticator auth; u_char *buf = NULL; size_t buf_size; size_t len; krb5_error_code ret; krb5_crypto crypto; - auth = calloc(1, sizeof(*auth)); - if (auth == NULL) { - krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); - return ENOMEM; - } + memset(&auth, 0, sizeof(auth)); - auth->authenticator_vno = 5; - copy_Realm(&cred->client->realm, &auth->crealm); - copy_PrincipalName(&cred->client->name, &auth->cname); + auth.authenticator_vno = 5; + copy_Realm(&cred->client->realm, &auth.crealm); + copy_PrincipalName(&cred->client->name, &auth.cname); - krb5_us_timeofday (context, &auth->ctime, &auth->cusec); + krb5_us_timeofday (context, &auth.ctime, &auth.cusec); - ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey); + ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey); if(ret) goto fail; 
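Review bot: In lib/gssapi/krb5/init_sec_context.c (init_auth_restart) only the `NULL` argument is removed; the line that names the callee lies above the hunk's context and this commit does not touch it. If that line still calls `krb5_build_authenticator`, the call will no longer resolve, because build_auth.c renames the function to `_krb5_build_authenticator` and the export map drops the old name. The mk_req_ext.c hunk does update its call site, so this one most likely needs the same rename to `_krb5_build_authenticator(context,`.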
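Review bot: In `_krb5_build_authenticator` (lib/krb5/build_auth.c) the results of `copy_Realm()` and `copy_PrincipalName()` are still discarded. If either fails, `auth.crealm` or `auth.cname` would be left empty, and the function would still encode and encrypt an authenticator with no client identity. With `auth` now on the stack and zeroed before any `goto fail`, checking them costs two lines each: `ret = copy_Realm(&cred->client->realm, &auth.crealm);` followed by `if (ret) goto fail;`, and the same for `copy_PrincipalName`. `cred->client` is also dereferenced without a NULL check; whether callers guarantee it is not visible here. The function body continues past this hunk.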
@@ -137,32 +132,32 @@ krb5_build_authenticator (krb5_context context, krb5_generate_seq_number (context, &cred->session, &auth_context->local_seqnumber); - ALLOC(auth->seq_number, 1); - if(auth->seq_number == NULL) { + ALLOC(auth.seq_number, 1); + if(auth.seq_number == NULL) { ret = ENOMEM; goto fail; } - *auth->seq_number = auth_context->local_seqnumber; + *auth.seq_number = auth_context->local_seqnumber; } else - auth->seq_number = NULL; - auth->authorization_data = NULL; + auth.seq_number = NULL; + auth.authorization_data = NULL; if (cksum) { - ALLOC(auth->cksum, 1); - if (auth->cksum == NULL) { + ALLOC(auth.cksum, 1); + if (auth.cksum == NULL) { ret = ENOMEM; goto fail; } - ret = copy_Checksum(cksum, auth->cksum); + ret = copy_Checksum(cksum, auth.cksum); if (ret) goto fail; - if (auth->cksum->cksumtype == CKSUMTYPE_GSSAPI) { + if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) { /* * This is not GSS-API specific, we only enable it for * GSS for now */ - ret = make_etypelist(context, &auth->authorization_data); + ret = make_etypelist(context, &auth.authorization_data); if (ret) goto fail; } @@ -170,10 +165,10 @@ krb5_build_authenticator (krb5_context context, /* XXX - Copy more to auth_context? */ - auth_context->authenticator->ctime = auth->ctime; - auth_context->authenticator->cusec = auth->cusec; + auth_context->authenticator->ctime = auth.ctime; + auth_context->authenticator->cusec = auth.cusec; - ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret); + ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret); if (ret) goto fail; if(buf_size != len) @@ -185,7 +180,7 @@ krb5_build_authenticator (krb5_context context, ret = krb5_encrypt (context, crypto, usage /* KRB5_KU_AP_REQ_AUTH */, - buf + buf_size - len, + buf, len, result); krb5_crypto_destroy(context, crypto); 
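Review bot: In the `krb5_encrypt` call (hunk at -185), passing `buf, len` instead of `buf + buf_size - len, len` is only equivalent when `buf_size == len`. That invariant is enforced by the `if(buf_size != len)` check at the end of the previous hunk, and the statement it guards is outside the visible lines (presumably an abort). A short comment at the call would stop a later reader from removing that check as dead code, for example `/* buf_size == len is enforced above, so the encoding starts at buf */`.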
@@ -193,19 +188,9 @@ krb5_build_authenticator (krb5_context context, if (ret) goto fail; + fail: + free_Authenticator (&auth); free (buf); - if (auth_result) - *auth_result = auth; - else { - /* Don't free the `cksum', it's allocated by the caller */ - free_Authenticator (auth); - free (auth); - } - return ret; - fail: - free_Authenticator (auth); - free (auth); - free (buf); return ret; } diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c index d130272aa..03fc93b02 100644 --- a/lib/krb5/mk_req_ext.c +++ b/lib/krb5/mk_req_ext.c @@ -123,12 +123,11 @@ _krb5_mk_req_internal(krb5_context context, if (ret) goto out; - ret = krb5_build_authenticator (context, + ret = _krb5_build_authenticator(context, ac, ac->keyblock->keytype, in_creds, c_opt, - NULL, &authenticator, encrypt_usage); if (c_opt) diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index bda0bc3f0..8facf14ed 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map @@ -56,7 +56,6 @@ HEIMDAL_KRB5_2.0 { krb5_auth_con_setuserkey; krb5_auth_getremoteseqnumber; krb5_build_ap_req; - krb5_build_authenticator; krb5_build_principal; krb5_build_principal_ext; krb5_build_principal_va; @@ -709,6 +708,7 @@ HEIMDAL_KRB5_2.0 { _krb5_crc_init_table; _krb5_crc_update; _krb5_get_krbtgt; + _krb5_build_authenticator; # V4 compat glue _krb5_krb_tf_setup;
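Review bot: The merged exit path of `_krb5_build_authenticator` releases `buf` with a plain `free (buf)`, but `buf` holds the unencrypted encoding of the authenticator, including the subkey obtained from `krb5_auth_con_getlocalsubkey()` earlier in the function. Wiping it before release keeps that key material out of recycled heap memory, for example `if (buf) SECURE_ZERO(buf, buf_size);` before the `free`. `SECURE_ZERO` is a placeholder for whatever non-elidable wipe the tree provides, since a bare `memset` before `free` may be optimised away. The `if (buf)` guard matters because `buf_size` is only set once the encode macro has run; that the macro leaves `buf` NULL on failure is an assumption to confirm. Separately, the success path now falls through the `fail:` label, so renaming it to `out:` (as `_krb5_mk_req_internal` uses) would read more accurately.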
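Review bot: In lib/krb5/version-script.map, `krb5_build_authenticator` is removed from the existing `HEIMDAL_KRB5_2.0` node, so any program already linked against it will fail to resolve the symbol when it loads the new library. Nothing in this diff introduces a new version node or records the removal. If out-of-tree callers are possible, the ABI break should be noted in the release notes or handled with a library version bump. The added `_krb5_build_authenticator;` entry is also placed after `_krb5_get_krbtgt;`, which breaks the alphabetical order the neighbouring private symbols appear to follow.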