diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index ad9f0b2c54a..3586fd0a232 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -208,13 +208,15 @@ self: super: {
 
   # Prevents needing to add security_tool as a build tool to all of x509-system's
   # dependencies.
-  # TODO: use pkgs.darwin.security_tool once we can build it
   x509-system = if pkgs.stdenv.isDarwin && !pkgs.stdenv.cc.nativeLibc
     then let inherit (pkgs.darwin) security_tool;
       in pkgs.lib.overrideDerivation (addBuildDepend super.x509-system security_tool) (drv: {
         patchPhase = (drv.patchPhase or "") + ''
           substituteInPlace System/X509/MacOS.hs --replace security ${security_tool}/bin/security
         '';
+        __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps ++ [
+          "/System/Library/Keychains"
+        ];
       })
     else super.x509-system;
 
diff --git a/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix b/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
index 0d2f2728406..54a6dcfaeaf 100644
--- a/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
@@ -16,6 +16,12 @@ rec {
     "/usr/lib/libpam.2.dylib"
     "/usr/lib/libxar.1.dylib"
   ];
+  GSS = [
+    "/System/Library/Frameworks/GSS.framework"
+  ];
+  Kerberos = [
+    "/System/Library/Frameworks/Kerberos.framework"
+  ];
   CoreServices = [
     "/System/Library/Frameworks/CoreServices.framework"
     "/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/DataDetectorsCore"
@@ -76,6 +82,8 @@ rec {
     "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv"
     "/System/Library/PrivateFrameworks/FaceCore.framework/Versions/A/FaceCore"
     "/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/GenerationalStorage"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/Current"
     "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/A/Heimdal"
     "/System/Library/PrivateFrameworks/IconServices.framework/Versions/A/IconServices"
     "/System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling"
diff --git a/pkgs/os-specific/darwin/security-tool/default.nix b/pkgs/os-specific/darwin/security-tool/default.nix
index e1e51e6a7c9..866d006238d 100644
--- a/pkgs/os-specific/darwin/security-tool/default.nix
+++ b/pkgs/os-specific/darwin/security-tool/default.nix
@@ -1,4 +1,4 @@
-{ CoreServices, Foundation, PCSC, Security, apple_sdk, fetchurl, gnustep-make, libobjc, libsecurity_apple_csp, libsecurity_apple_cspdl, libsecurity_apple_file_dl, libsecurity_apple_x509_cl, libsecurity_apple_x509_tp, libsecurity_asn1, libsecurity_cdsa_client, libsecurity_cdsa_plugin, libsecurity_cdsa_utilities, libsecurity_cdsa_utils, libsecurity_cssm, libsecurity_filedb, libsecurity_keychain, libsecurity_mds, libsecurity_pkcs12, libsecurity_sd_cspdl, libsecurity_utilities, libsecurityd, osx_private_sdk, stdenv }:
+{ CoreServices, Foundation, PCSC, Security, GSS, Kerberos, makeWrapper, apple_sdk, fetchurl, gnustep-make, libobjc, libsecurity_apple_csp, libsecurity_apple_cspdl, libsecurity_apple_file_dl, libsecurity_apple_x509_cl, libsecurity_apple_x509_tp, libsecurity_asn1, libsecurity_cdsa_client, libsecurity_cdsa_plugin, libsecurity_cdsa_utilities, libsecurity_cdsa_utils, libsecurity_cssm, libsecurity_filedb, libsecurity_keychain, libsecurity_mds, libsecurity_pkcs12, libsecurity_sd_cspdl, libsecurity_utilities, libsecurityd, osx_private_sdk, stdenv }:
 
 stdenv.mkDerivation rec {
   version = "55115";
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "security_INSTALL_DIR=\$(out)/bin"
   ];
 
-  propagatedBuildInputs = [ Security PCSC Foundation ];
+  propagatedBuildInputs = [ GSS Kerberos Security PCSC Foundation ];
 
   buildInputs = [
     gnustep-make
@@ -62,6 +62,7 @@ stdenv.mkDerivation rec {
     libsecurity_sd_cspdl
     libsecurity_filedb
     libsecurityd
+    makeWrapper
   ];
 
   NIX_CFLAGS_COMPILE = [
@@ -70,6 +71,10 @@ stdenv.mkDerivation rec {
     "-Wno-deprecated-declarations"
   ];
 
+  postInstall = ''
+    wrapProgram $out/bin/security --set DYLD_INSERT_LIBRARIES /usr/lib/libsqlite3.dylib
+  '';
+
   meta = with stdenv.lib; {
     description = "Command line interface to Mac OS X keychains and Security framework";
     maintainers = with maintainers; [