Mac OS 8/9 Kerberos 4/5 question

Alexandra Ellwood lxs at MIT.EDU
Wed May 28 15:43:44 EDT 2003

>MacDev Team,
>I'm using KfM 4.0.3. When I get tickets, Kfm 4.0.3 gets both a krb4tgt
>and a krb5tgt. Sometime early next year, we are probably going to
>restrict our Kerbers server to give out only krb5tgt tickets. Our
>Kerberos Server manager says that if you have applications that need
>Kerberos 4 tickets, you first get a krb5tgt, and then convert it to a
>krb4tgt by using the krb425 routine. Our Kerberos server will continue
>to give out both krb5 and krb4 "tickets for service", but only give out
>krb5 "ticket-granting tickets". They are going to do this so that we
>can have expired kerberos passwords (which, I'm told krb4tgt does not
>On Mac OS 8/9, the kerberos server log shows that KfM 4.0.3 is
>requesting both a krb4tgt and a krb5tgt separately. However, on Mac OS
>X 10.2 using KfM 4.5.1, the kerberos server log shows that only a
>krb5tgt is requested (even though I end up with both a krb4tgt and a
>krb5tgt). It would appear that Mac OS X does a krb425 for you, while
>Mac OS 8/9 does not.
>Can I do this with KfM 4.0.3? If not, do you have any suggestions? Is
>KfM 4.0.3 source code avaialable or a newer version of KfM for Mac OS
>8/9 that will call krb425 for me?

You are correct in your observation that KfM 4.0.x does not support 
krb524 at all.  The first version of KfM which supports krb524 is 
4.5, which only runs on Mac OS X.

However, you can support krb5's expired passwords and continue to 
support krb4 tgt requests so long as your clients always request krb5 
tickets first.  KfM 4.0.x always requests krb5 tickets first and will 
correctly handle the expired password error from 
krb5_init_creds_password.  Users of krb4-only kinits will get the 
unhelpful error "principal expired" until the user changes their 
password, but you would have to upgrade these kinits if you turned 
off krb4 tgt requests anyway.

Unfortunately we cannot make the sources to KfM 4.0.x available. 
Some of the code required to build it is encumbered by licenses which 
prevent us from distributing the source.

I strongly recommend updating your Macs to Mac OS X 10.2.x which does 
support using krb524 to get a krb4 tgt from a krb5 tgt.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list