krb524 and port 4444 blocks
Douglas E. Engert
deengert at anl.gov
Wed Oct 15 15:36:53 EDT 2003
James Reynolds wrote:
>
> I was wondering if the delay associated with krb5 and a blocked 4444
> port have been addressed. The delay is talked about in this email:
> http://mailman.mit.edu/pipermail/krbdev/2002/000985.html
>
> Specifically, we are using kerberos 5 to authenticate our Mac OS X
> computers and we don't reuse tickets and we don't use kerberos 4. We
> are seeing the ~21 second delay. We would like this to go away.
>
> Do you have any recommendations? Should we poke a hole for port
> 4444? Should we downgrade to kerberos 4? Is it possible to get
> krb524 to not do anything? Is there some other work around?
Sounds like the login is trying to get you a K4 ticket automatically
even if you don't want it. Is there something in the krb5.conf
on the Mac OS X that is doing this? Is there something like:
[login]
krb4_convert = true
The documentation says:
krb4_convert
Indicate whether or not to use the Kerberos conversion daemon to get V4 tickets.
The default value is false. If this is set to false and krb4_get_tickets is true,
then login will get the V5 tickets directly using the Kerberos V4 protocol
directly. This does not currently work with non-MIT-V4 salt types (such as the AFS3
salt type). Note that if this is set to true and krb524d is not running, login will
hang for approximately a minute under Solaris, due to a Solaris socket emulation
bug.
This sounds similar.
>
> --
>
> Thanks,
>
> James Reynolds
> University of Utah
> Student Computing Labs
> james at scl.utah.edu
> 801-585-9811
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
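
One way to check a krb5.conf for the [login] settings asked about in the reply above. This is an added example, not part of the original message or of MIT Kerberos; the function names, the sample file contents and the set of accepted boolean spellings are assumptions.

```python
import re

# Spellings treated as "true" (assumption: covers the usual krb5.conf forms).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
# The two [login] options named in the documentation quoted in the reply.
WATCHED = ("krb4_convert", "krb4_get_tickets")

def login_settings(conf_text):
    """Return {option: bool} for the watched options set in the [login] section."""
    section = None
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                               # start of a new section
            section = header.group(1).strip()
            continue
        if section != "login" or "=" not in line:
            continue                             # same key elsewhere is not a login option
        key, value = (part.strip() for part in line.split("=", 1))
        if key in WATCHED:
            found[key] = value.lower() in TRUE_WORDS
    return found

def findings(conf_text):
    """List the Kerberos 4 behaviours the [login] section turns on."""
    s = login_settings(conf_text)
    convert = s.get("krb4_convert", False)       # documented default is false
    out = []
    if convert:
        out.append("krb4_convert is true: login asks the conversion "
                   "daemon (krb524d) for V4 tickets")
    if s.get("krb4_get_tickets", False) and not convert:
        out.append("krb4_get_tickets is true with krb4_convert false: "
                   "login uses the Kerberos V4 protocol directly")
    return out

# Constructed sample file, not taken from any real host.
SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.COM
    krb4_convert = true
[login]
    # krb4_convert = false
    krb4_convert = yes
    krb4_get_tickets = false
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE) or ["no Kerberos 4 login options enabled"]:
        print(finding)
```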