Should we continue with Heimdal (was: Re: [PATCH] Some coverity fixes)

Andreas Schneider asn at
Wed May 13 01:00:01 MDT 2015

On Wednesday 13 May 2015 08:23:04 Andrew Bartlett wrote:
> On Tue, 2015-05-12 at 09:41 +0200, Andreas Schneider wrote:
> > The last time I asked for help for development they completely ignored me.
> > So I consider this project dead and will not invest any time in Heimdal.
> > If you still like riding a dead horse instead of going with MIT KRB5 ...
> Andreas,

Hey Andrew,

> I really don't think that one single mail to heimdal-discuss (as far as
> my archives show) is really the best measure to write off an open source
> community, but I would agree that Heimdal isn't in the best of states,
> much like MIT was in a very poor state when we started this effort, so
> many long years ago.

if you look at the archive there is not really happening on the development 

> I know this must sound strange, but I really look forward to the day
> that you get the MIT Krb5 port finished, and we can just use a solid,
> widely distributed system library.  I admire the work done so far, but I
> also fear we are still a very long way off, based on the work that was
> required for Heimdal.  That is, there were just so many small but
> critical details.

I'm sure that Heimdal was the right choice when Samba started to write a DC 
but in the meantime it seems the project is not active anymore.

> The tests I wrote recently should help a lot however, in ensuring
> correctness at least with the KDC protocols.  We need some similar tests
> around the GSSAPI layer, for features like DCE_STYLE authentication and
> some of the auto-skew handling.

The tests are using Heimdal code which is an issue. I guess I could compile 
smbtorture with Heimdal and then run them against the MIT KDC. Maybe I can try 
this next week.

> I think we will continue to have similar challenges when we need small
> but critical changes to the library sooner than a RHEL package might
> allow, but we can both agree that this isn't a new problem in Free Software.
> However, when we get there, when all the internal and windows-integration
> tests pass (and I am confident in your team's abilities that
> we will succeed in this eventually), then I would like to seriously discuss
> if maintaining two alternate solutions here is really worth the costs
> involved, and the risks/benefits of supporting just one, system Kerberos
> library.

We are almost there! I have a handful of tests (~10) which do not work yet. 
Next week at SambaXP I need to investigate if we got something wrong with TLS 
and GSSAPI. After that we either need to change Samba code or MIT.

Remember that FreeIPA is handling trusts with Active Directory. We already did 
some testing in this area using the MIT KDC :)

> While it saddens me that we have to go to so much effort to change horses,
> dead or otherwise, I don't fancy riding two of them at the same time in the
> long term.

I guess we will have MIT Kerberos fully working by the end of the year. Maybe 
earlier if someone joins to polish the last bits (like migrating the KDC tests 

Talk to you next week,

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at
