Also things like support for GSS-API pre-authentication mechanisms (so you can use an arbitrary security mechanism such as EAP to authenticate yourself to the KDC), the new SAnon mechanism, pulling in some changes from Apple's fork, replacing built-in crypto with OpenSSL, etc. Lack of release has been typical OSS lack of resources: no one is paid to work on Heimdal full time.
Oh yeah, it's huge.
Also included are experimental:
- httpkadmind (which together with virtual service principal namespaces makes a very nice keytab orchestration system)
- bx509d (an online CA)
- JWT support for the above