MIT kerberos vs heimdal

Tomasz Pala gotar at
Fri Feb 20 00:00:43 CET 2015

On Sun, Feb 08, 2015 at 11:41:41 +0100, Jan Rękorajski wrote:

>> problem in having them both on ftp? Client libraries should be
>> compatible (i.e. heimdal client works with MIT server, that's the point
>> of having a 'protocol'). Incompatible parts are kadmin and probably
>> the rest of server stuff - heimdal package is divided accordingly
>> already, krb5 have libkadm5{clnt,srv}_mit and libgssapi_krb5 (suffixed),
>> the only conflicting library I see is itself, but has
>> different SOVER.
> You are mistaking protocol, API and ABI.
> Protocol is the same, Heimdal has no problems at all taking to MIT and
> vice versa. But if you try to run program linked with one in presence of
> a library from other, things may go nasty.

I am aware of problems that might pop up when you mix multiple
ABI-incompatible libraries in single code executed. However I did a
quick research and fortunately the MIT krb5 library has all the symbols
versioned with _MIT suffix:

objdump -TC /usr/lib64/ | grep -v krb5_3_MIT  | grep -v UND
readelf -Ws /usr/lib64/ | grep -v _MIT\$ | grep -v UND

while heimdal implementation uses it's own HEIMDAL_ prefix:

objdump -TC /lib/ | grep -v HEIMDAL_KRB5_2.0  | grep -v UND
readelf -Ws /lib/ | grep -v HEIMDAL_KRB5_2.0\$ | grep -v UND

So (correct me if I'm wrong) one could safely use binary linked with MIT
library and any other library that in turn is linked with heimdal one.

>> What would happen with your heimdal server if we changed heimdal-devel
>> to krb5-devel and rebuild everything? Shouldn't this keep working?
> No. As I said, ABI is different, just look at 'heimdal' patches in repo,
> MIT has some fancy functions Heimdal doesn't.

IMHO in this case you cannot say that ABI is different - in terms of ELF
these are completely different libraries, like libpng and libjpeg.

Tomasz Pala <gotar at>

More information about the pld-devel-en mailing list