How to Force a Kerb 4 Request

Henry B. Hotz hotz at
Tue Nov 30 04:25:18 EST 2004

Except for the environment variable thing that's exactly what I did.   
(I put the file in /Library/Preferences/

I didn't do it myself, but someone else was able to use a close  
relative of my krb5.conf file with RHEL 3.  The kinit command  
*required* the -4 option even though the JPL realm was defined to be K4  

On Nov 27, 2004, at 8:47 AM, Alexandra Ellwood wrote:

> Mac OS X's kinit does not support the -4 option because it is  
> incompatible with the way the Kerberos Login Library manipulates  
> tickets.  In particular, the KLL defines the concept of a valid ticket  
> cache as one which contains valid TGTs for all versions of Kerberos  
> defined by the machine's Kerberos configuration (aka  
>  If we gave users the option of getting only v4  
> tickets for a realm which supports both v4 and v5, other applications  
> would display this ticket cache as invalid and confuse the user.
> If you need to solve this problem for a specific user, try creating a  
> special file which has "dns_fallback = no" set in  
> [libdefaults] and only a v4 configuration (ie: [v4 realms] and [v4  
> domain_realm] only).  Then set the KRB5_CONFIG environment variable to  
> point to that file and run kinit.  I haven't tried this with all  
> versions of Kerberos for OS X, but it should work.
> Note however that you may get the confusing behavior I described above  
> if you attempt to use other applications (such as to  
> examine the tickets.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the Kerberos mailing list