How to Force a Kerb 4 Request

Henry B. Hotz hotz at jpl.nasa.gov
Tue Nov 30 04:25:18 EST 2004


Except for the environment variable thing that's exactly what I did.   
(I put the file in /Library/Preferences/edu.mit.Kerberos.)

I didn't do it myself, but someone else was able to use a close  
relative of my krb5.conf file with RHEL 3.  The kinit command  
*required* the -4 option even though the JPL realm was defined to be K4  
only.

On Nov 27, 2004, at 8:47 AM, Alexandra Ellwood wrote:

> Mac OS X's kinit does not support the -4 option because it is  
> incompatible with the way the Kerberos Login Library manipulates  
> tickets.  In particular, the KLL defines the concept of a valid ticket  
> cache as one which contains valid TGTs for all versions of Kerberos  
> defined by the machine's Kerberos configuration (aka  
> edu.mit.Kerberos).  If we gave users the option of getting only v4  
> tickets for a realm which supports both v4 and v5, other applications  
> would display this ticket cache as invalid and confuse the user.
>
> If you need to solve this problem for a specific user, try creating a  
> special edu.mit.Kerberos file which has "dns_fallback = no" set in  
> [libdefaults] and only a v4 configuration (i.e.: [v4 realms] and [v4
> domain_realm] only).  Then set the KRB5_CONFIG environment variable to  
> point to that file and run kinit.  I haven't tried this with all  
> versions of Kerberos for OS X, but it should work.
>
> Note however that you may get the confusing behavior I described above  
> if you attempt to use other applications (such as Kerberos.app) to  
> examine the tickets.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu


