Mac OS 8/9 Kerberos 4/5 question

Rod Eldridge rod at
Fri May 23 15:03:21 EDT 2003

MacDev Team,

I'm using KfM 4.0.3. When I get tickets, Kfm 4.0.3 gets both a krb4tgt
and a krb5tgt. Sometime early next year, we are probably going to
restrict our Kerbers server to give out only krb5tgt tickets. Our
Kerberos Server manager says that if you have applications that need
Kerberos 4 tickets, you first get a krb5tgt, and then convert it to a
krb4tgt by using the krb425 routine. Our Kerberos server will continue
to give out both krb5 and krb4 "tickets for service", but only give out
krb5 "ticket-granting tickets". They are going to do this so that we
can have expired kerberos passwords (which, I'm told krb4tgt does not

On Mac OS 8/9, the kerberos server log shows that KfM 4.0.3 is
requesting both a krb4tgt and a krb5tgt separately. However, on Mac OS
X 10.2 using KfM 4.5.1, the kerberos server log shows that only a
krb5tgt is requested (even though I end up with both a krb4tgt and a
krb5tgt). It would appear that Mac OS X does a krb425 for you, while
Mac OS 8/9 does not.

Can I do this with KfM 4.0.3? If not, do you have any suggestions? Is
KfM 4.0.3 source code avaialable or a newer version of KfM for Mac OS
8/9 that will call krb425 for me?


Rod Eldridge 
Technical Services
Academic Information Technologies
Iowa State University

More information about the krbdev mailing list