How to Force a Kerb 4 Request

Henry B. Hotz hotz at
Tue Nov 30 19:22:37 EST 2004

I just went back to a known-good krb5.conf from Jaguar; stripped out
all the extraneous realm definitions; added the dns_fallback = no
line; and retested.  I can now get Kerberos 4 tickets on Panther from
an AFS kaserver.  Obviously I missed something.

I will note that the code *still* does a DNS lookup.

> 15:43:30.892937 IP >  
>  37782+ SRV? _kerberos-iv._udp.JPL.NASA.GOV.  
> (48)

I suppose it works because there is no Kerb 4 service record for Active  
Directory.  I've had no end of testing trouble with AD hijacking my  
attempts to use test servers with the real domain/REALM names.

Is there another fallback option that applies to Kerb 4?  Can I put  
that option into a realm definition so I still do lookups for non-JPL  

I really don't want to bother you folks too much about Kerberos 4.   
Sorry.  Kerb 4 should die.  It's just that there's this little project  
here that won't let me deploy Kerb 5 until after they land their probe  
on Titan in January.

On Nov 30, 2004, at 8:24 AM, Alexandra Ellwood wrote:

> On Nov 30, 2004, at 4:25 AM, Henry B. Hotz wrote:
>> Except for the environment variable thing that's exactly what I did.   
>> (I put the file in /Library/Preferences/
>> I didn't do it myself, but someone else was able to use a close  
>> relative of my krb5.conf file with RHEL 3.  The kinit command  
>> *required* the -4 option even though the JPL realm was defined to be  
>> K4 only.
> That should not be necessary on OS X.  KfM should notice that you  
> don't have a v5 config and only get you v4 tickets.  Is that what you  
> are seeing?

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
