krb524 and port 4444 blocks
James Reynolds
james at scl.utah.edu
Wed Oct 15 18:04:38 EDT 2003
At 2:36 PM -0500 10/15/03, Douglas E. Engert wrote:
>James Reynolds wrote:
>>
>> I was wondering if the delay associated with krb5 and a blocked 4444
>> port have been addressed. The delay is talked about in this email:
>> http://mailman.mit.edu/pipermail/krbdev/2002/000985.html
>>
>> Specifically, we are using kerberos 5 to authenticate our Mac OS X
>> computers and we don't reuse tickets and we don't use kerberos 4. We
>> are seeing the ~21 second delay. We would like this to go away.
>>
>> Do you have any recommendations? Should we poke a hole for port
>> 4444? Should we downgrade to kerberos 4? Is it possible to get
>> krb524 to not do anything? Is there some other work around?
>
>Sounds like the login is trying to get you a K4 ticket automatically
>even if you don't want it. Is there something in the krb5.conf
>on the Mac OS X that is doing this? Is there something like:
>
>[login]
> krb5_convet = true
>
>The documentation says:
>
>krb4_convert
> Indicate whether or not to use the Kerberos conversion daemon to get V4
> tickets. The default value is false. If this is set to false and
> krb4_get_tickets is true, then login will get the V5 tickets directly
> using the Kerberos V4 protocol directly. This does not currently work
> with non-MIT-V4 salt types (such as the AFS3 salt type). Note that if
> this is set to true and krb524d is not running, login will hang for
> approximately a minute under Solaris, due to a Solaris socket emulation
> bug.
>
>This sounds similar.

Just to check, I added them to the preferences file and it didn't help.

I tried:

[login]
 krb5_convert = false

and

[login]
 krb5_convert = false
 krb5_get_tickets = false

And just in case I misunderstood, I tried this as well:

[login]
 krb4_convert = false

and

[login]
 krb4_convert = false
 krb4_get_tickets = false

--
Thanks,
James Reynolds
University of Utah
Student Computing Labs
james at scl.utah.edu
801-585-9811