How to Force a Kerb 4 Request

Alexandra Ellwood lxs at MIT.EDU
Sat Nov 27 11:47:22 EST 2004

Mac OS X's kinit does not support the -4 option because it is 
incompatible with the way the Kerberos Login Library manipulates 
tickets.  In particular, the KLL defines the concept of a valid ticket 
cache as one which contains valid TGTs for all versions of Kerberos 
defined by the machine's Kerberos configuration (aka 
  If we gave users the option of getting only v4 tickets for a realm 
which supports both v4 and v5, other applications would display this 
ticket cache as invalid and confuse the user.

If you need to solve this problem for a specific user, try creating a 
special file which has "dns_fallback = no" set in 
[libdefaults] and only a v4 configuration (ie: [v4 realms] and [v4 
domain_realm] only).  Then set the KRB5_CONFIG environment variable to 
point to that file and run kinit.  I haven't tried this with all 
versions of Kerberos for OS X, but it should work.

Note however that you may get the confusing behavior I described above 
if you attempt to use other applications (such as to 
examine the tickets.

On Nov 26, 2004, at 3:42 PM, Sam Hartman wrote:

>>>>>> "Henry" == Henry B Hotz <hotz at> writes:
>     Henry> Looks like Heimdal, not MIT.  What do you get with "kinit
>     Henry> --version"?  (Heimdal will print a version message.  MIT
>     Henry> will ignore the option and just try to authenticate you
>     Henry> anyway.)
> No, MIT's kinit supports the -4 option for our Unix builds.  note that
> the kinit for OS X does not share code with the kinit on typical Unix
> builds.
> If the OS X kinit is missing features you care about, open a feature
> request with
> --Sam
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list