krb524 and port 4444 blocks

Douglas E. Engert deengert at
Wed Oct 15 15:36:53 EDT 2003

James Reynolds wrote:
> I was wondering if the delay associated with krb5 and a blocked 4444
> port have been addressed.  The delay is talked about in this email:
> Specifically, we are using kerberos 5 to authenticate our Mac OS X
> computers and we don't reuse tickets and we don't use kerberos 4.  We
> are seeing the ~21 second delay.  We would like this to go away.
> Do you have any recommendations?  Should we poke a hole for port
> 4444?  Should we downgrade to kerberos 4?  Is it possible to get
> krb524 to not do anything?  Is there some other work around?

Sounds like the login is trying to get you a K4 ticket automaticly
even if you don't want it. Is there something in the krb5.conf
on the Mac OS X that is doing this? Is there somthing like:

  krb5_convet = true

The documentation says: 

    Indicate whether or not to use the Kerberos conversion daemon to get V4 tickets. 
    The default value is false. If this is set to false and krb4_get_tickets is true,
    then login will get the V5 tickets directly using the Kerberos V4 protocol 
    directly. This does not currently work with non-MIT-V4 salt types (such as the AFS3
    salt type). Note that if this is set to true and krb524d is not running, login will 
    hang for approximately a minute under Solaris, due to a Solaris socket emulation

This sounds similiar. 

> --
> Thanks,
> James Reynolds
> University of Utah
> Student Computing Labs
> james at
> 801-585-9811
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list