How to Force a Kerb 4 Request
Alexandra Ellwood
lxs at MIT.EDU
Sat Nov 27 11:47:22 EST 2004

Mac OS X's kinit does not support the -4 option because it is
incompatible with the way the Kerberos Login Library manipulates
tickets. In particular, the KLL defines the concept of a valid ticket
cache as one which contains valid TGTs for all versions of Kerberos
defined by the machine's Kerberos configuration (aka edu.mit.Kerberos).
If we gave users the option of getting only v4 tickets for a realm
which supports both v4 and v5, other applications would display this
ticket cache as invalid and confuse the user.

If you need to solve this problem for a specific user, try creating a
special edu.mit.Kerberos file which has "dns_fallback = no" set in
[libdefaults] and only a v4 configuration (i.e. [v4 realms] and [v4
domain_realm] only). Then set the KRB5_CONFIG environment variable to
point to that file and run kinit. I haven't tried this with all
versions of Kerberos for OS X, but it should work.

Note however that you may get the confusing behavior I described above
if you attempt to use other applications (such as Kerberos.app) to
examine the tickets.

On Nov 26, 2004, at 3:42 PM, Sam Hartman wrote:
> >>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:
>
> Henry> Looks like Heimdal, not MIT. What do you get with "kinit
> Henry> --version"? (Heimdal will print a version message. MIT
> Henry> will ignore the option and just try to authenticate you
> Henry> anyway.)
>
> No, MIT's kinit supports the -4 option for our Unix builds. Note that
> the kinit for OS X does not share code with the kinit on typical Unix
> builds.
>
> If the OS X kinit is missing features you care about, open a feature
> request with bugreport.apple.com.
>
>
> --Sam
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
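The v4-only configuration file described in the message above, as an added example that is not part of the original post or of Kerberos for Macintosh. The realm, KDC host name and domain are placeholders, and the `kdc` and `admin_server` keys inside `[v4 realms]` are assumed to follow the form used in a regular `[realms]` section.

```shell
#!/bin/sh
# Added example: write a v4-only Kerberos configuration and check it before use.
# EXAMPLE.ORG, kerberos.example.org and example.org are placeholders.

# write_v4_only_config REALM KDC_HOST DNS_DOMAIN OUTFILE
write_v4_only_config() {
    cat > "$4" <<EOF
[libdefaults]
	dns_fallback = no

[v4 realms]
	$1 = {
		kdc = $2
		admin_server = $2
	}

[v4 domain_realm]
	.$3 = $1
	$3 = $1
EOF
}

# is_v4_only FILE: succeed only if the file disables DNS fallback, has a
# [v4 realms] section, and carries no v5 [realms] or [domain_realm] section.
is_v4_only() {
    grep -Eq '^[[:space:]]*dns_fallback[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1" || return 1
    grep -Eq '^\[v4 realms\]' "$1" || return 1
    if grep -Eq '^\[(realms|domain_realm)\]' "$1"; then
        return 1
    fi
    return 0
}

# Use an unpredictable file name rather than a fixed path in a shared directory.
conf=$(mktemp "${TMPDIR:-/tmp}/edu.mit.Kerberos.v4only.XXXXXX")
write_v4_only_config EXAMPLE.ORG kerberos.example.org example.org "$conf"

if is_v4_only "$conf"; then
    # Print the command instead of running it. Setting KRB5_CONFIG on the
    # command line scopes the override to that single kinit invocation.
    echo "KRB5_CONFIG=$conf kinit user@EXAMPLE.ORG"
else
    echo "refusing to use $conf: not a v4-only configuration" >&2
fi
```

Setting `KRB5_CONFIG` on the command line rather than exporting it keeps the override from leaking into other programs started from the same shell.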