How to Force a Kerb 4 Request
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Nov 30 19:22:37 EST 2004
I just went back to a known-good krb5.conf from Jaguar; stripped out
all the extraneous realm definitions; added the dns_fallback = no
line; and retested. I can now get Kerberos 4 tickets on Panther from
an AFS kaserver. Obviously I missed something.

I will note that the code *still* does a DNS lookup.

> 15:43:30.892937 IP dhcp-149-196-226.jpl.nasa.gov.60962 >
> ns2.jpl.nasa.gov.domain: 37782+ SRV? _kerberos-iv._udp.JPL.NASA.GOV.
> (48)

I suppose it works because there is no Kerb 4 service record for Active
Directory. I've had no end of testing trouble with AD hijacking my
attempts to use test servers with the real domain/REALM names.

Is there another fallback option that applies to Kerb 4? Can I put
that option into a realm definition so I still do lookups for non-JPL
realms?

I really don't want to bother you folks too much about Kerberos 4.
Sorry. Kerb 4 should die. It's just that there's this little project
here that won't let me deploy Kerb 5 until after they land their probe
on Titan in January.

On Nov 30, 2004, at 8:24 AM, Alexandra Ellwood wrote:
> On Nov 30, 2004, at 4:25 AM, Henry B. Hotz wrote:
>
>> Except for the environment variable thing that's exactly what I did.
>> (I put the file in /Library/Preferences/edu.mit.Kerberos.)
>>
>> I didn't do it myself, but someone else was able to use a close
>> relative of my krb5.conf file with RHEL 3. The kinit command
>> *required* the -4 option even though the JPL realm was defined to be
>> K4 only.
>>
>
> That should not be necessary on OS X. KfM should notice that you
> don't have a v5 config and only get you v4 tickets. Is that what you
> are seeing?

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu