Without this patch, the kgssapi uses detailed knowledge
of the internals of Heimdal 1.5.2 (and earlier) Kerberos.

This patch adds support for MIT Kerberos, using new upcalls
to the gssd, so that it can call gss_krb5_export_lucid_sec_context()
to acquire the information (session keys, etc) and does not need
to know the internals of MIT's GSSAPI/Kerberos implementation.

When this patch is applied, a gssd binary compiled/linked to
Heimdal 1.5 .h files and libraries will still work.
However, gssd.c needs to be patched (coming as a separate patch)
before it can be recompiled from sources.

A patched system has done interoperability testing
(Kerberized mounts in both directions) with both
a FreeBSD system that predates when MIT was brought
into main, as well as a Linux 6.2 kernel based Debian system.

I do not have access to any other non-FreeBSD NFS systems,
but I think that, since it interoperates with Linux and older
FreeBSD systems, that it should be ok with others.

I was using a Hesiod 1.5.2 KDC, but I will be testing with a
recent MIT KDC soon.

If you are interested in testing the patch, one created with
"diff -u" (so it applies easily) can be found at
https://people.freebsd.org/~rmacklem/kgssapi.patch
To test it, you can use a pre-MIT gssd binary.
Otherwise, for MIT testing you must:
Download https://people.freebsd.org/~rmacklem/gssd.patch
apply it and rebuild the gssd, using MIT installed in /usr/local via

pkg install krb5

The h files and libraries installed in /usr/lib by a recent
buildworld/installworld will not work. (At least not as of
a July 24 snapshot.)