MIT Information Systems

Macintosh Development


Kerberos for Macintosh on Mac OS 8 & 9 Frequently Asked Questions

The following is a list of frequently asked questions about Kerberos for Macintosh. This information is intended to assist users, support staff and developers who use Kerberos for Macintosh.

This web page contains FAQs for Kerberos for Macintosh on Mac OS 8.x and 9.x only. For FAQs relating to Kerberos on Mac OS X, see the separate Mac OS X FAQ.

If you would like to suggest an addition to the FAQ, please send mail to

Q: I don't see the realm I need in the Edit Favorite Realms dialog in Kerberos Manager. How do I add new realms?
A: You need to edit the Kerberos Preferences file. See the Kerberos Preferences Documentation for information on how to do this. (If you don't see the realm you need in the pop-up menu in the Login dialog, make sure you can't add it using Edit Favorite Realms before editing the Preferences file.)

Q: Does Kerberos for Macintosh 4.0.x work with Windows Active Directory?
A: Yes, KfM 4.0.x will successfully authenticate against Windows Active Directory acting as a KDC.

Q: I'm trying to install the OS 9 components in Classic on Mac OS X, and the installer can't quit all my applications and/or won't restart. What should I do?
A: If the installer tells you that it cannot quit a certain Mac OS X application (in particular, the OS X Timbuktu Extension is known to cause this), try clicking the install button a second time (without quitting the installer). This may quit the application in question. If the application still cannot be quit, you can either try to force quit it, or boot back into Mac OS 9 to install Kerberos for Macintosh 4.0.x on your Classic system.

If Classic fails to restart when instructed to do so by the installer, please restart Classic yourself.

Q: Can I use Kerberos for Macintosh behind a NAT (Network Address Translation)?
A: In some cases, yes. Kerberos 4 does not support addressless tickets, so no Kerberos 4 or KClient-using application can be made to work behind a NAT. Kerberos 5, however, can be told to use addressless tickets, which allows Kerberos 5-using applications to work behind a NAT. Applications that use the GSSAPI and require channel bindings, such as FTP, will still not work. You can enable addressless tickets by adding the following line to the libdefaults section of the Kerberos Preferences file:

noaddresses = true

There is no GUI way to enable this feature at this time.
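
An added example (not part of the original FAQ or of KfM): a Python check that the noaddresses line sits in the libdefaults section, as the answer above instructs, and a report of any copy placed in another section. It assumes the Kerberos Preferences text uses the krb5.conf-style profile layout; the sample realm and host names are constructed.

```python
import re

# Assumption: boolean spellings follow MIT krb5's profile parser.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
SECTION = re.compile(r"^\[([^\]]+)\]$")
RELATION = re.compile(r"^([^=\s{}]+)\s*=\s*(.*)$")

# Constructed sample input; realm and host names are made up.
WRONG_SECTION = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        noaddresses = true
    }
"""
FIXED = WRONG_SECTION.replace("        noaddresses = true\n", "").replace(
    "[realms]", "    noaddresses = true\n[realms]")


def find_relations(text, key):
    """Return (section, value) for every `key = value` line in the profile."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue                      # blank, comment, or end of { } block
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = RELATION.match(line)
        if m and m.group(1) == key:
            found.append((section, m.group(2).strip()))
    return found


def addressless_enabled(text):
    """True if the first noaddresses relation in [libdefaults] is true."""
    values = [v for s, v in find_relations(text, "noaddresses")
              if s == "libdefaults"]
    return bool(values) and values[0].lower() in TRUE_WORDS


def misplaced(text):
    """Sections other than libdefaults that carry a noaddresses line."""
    return sorted({s for s, _ in find_relations(text, "noaddresses")
                   if s != "libdefaults"})
```

Run against a copy of the Preferences text, misplaced() names the section to move the line out of, and addressless_enabled() confirms the setting once it is under libdefaults.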

Q: I'm getting an error that "delta_t is too big." What does that mean?
A: This error means that your Macintosh's time is not properly synchronized with your KDC's time. You should check your time, time zone and daylight saving time settings to make sure they are correct. It is recommended that you use a Network Time server to keep your Mac's time correct.

A better error message is provided in KfM 3.0.1 and later.

Q: How can I tell what version of Kerberos for Macintosh I'm using?
A: See the Identifying the Version of Kerberos for Macintosh documentation.

Q: Why do KfM 4.0.x, 3.5, and 3.0 require Mac OS 8.1 or higher?
A: We did not have the time or resources to qualify KfM 3.0, 3.5 and 4.0.x on anything earlier. Parts of KfM 3.0, 3.5, and 4.0.x require versions of Mac OS system libraries which are either unavailable, optionally available or sufficiently different in OSes prior to Mac OS 8.1.

Q: How do KfM 4.0.x, 3.5, and 3.0 compare to the CNS Kerberos v5 Macintosh distribution?
A: The CNS distribution is a very outdated implementation that should not be used any more. Red Hat, the company that now owns Cygnus, does not support this implementation. Additionally, the CNS distribution is based on a very early 1.0.x version of the Kerberos v5 code, includes an outdated ticket manager and uses a file-based ticket cache.

In contrast, KfM 4.0.x includes Kerberos v5 1.2.3 code (KfM 3.5 includes Kerberos v5 1.2.2, and KfM 3.0 includes Kerberos v5 1.2.1), provides a modern Macintosh ticket manager, stores its credentials in memory, is compatible with Kerberos v4 realms and KClient-based applications, and provides support for Mac OS X. KfM is actively maintained and supported. In fact, KfM is included with Mac OS X. If you are planning to add Kerberos to your application, you should use the KfM libraries.

Q: The only Kerberos v5 Telnet on the Macintosh that I've found works with the CNS distribution. Is there one that works with KfM 4.0.x (and 3.5 and 3.0)?
A: Yes, BetterTelnet with Kerberos v5 support has been updated to work with KfM 4.0.x, 3.5 and 3.0. You can download this version of BetterTelnet and Kerberos plugin from NRL.

Q: What happened to the Kerberos menu and floating window from recent versions of KClient?
A: The architectures of KfM 3.0 and KClient 1.x were drastically different, so these features had to be reimplemented from scratch. Due to time constraints and technical difficulties, we were not able to include these features in KfM 3.0.

However, the good news is that those technical problems have been solved and the Kerberos Menu and Kerberos Floating Window are included in KfM 3.5 and 4.0.1. You can download the latest version of Kerberos for Macintosh from the Getting Kerberos For Macintosh page.

The menu and floating window are currently only available under Mac OS 8 & 9. Similar functionality is available in Mac OS X in KfM 4.0a19 and later.

Q: How can I uninstall/remove Kerberos for Macintosh?
A: The Kerberos for Macintosh 4.0.x installer now includes an uninstall function. You can see the Uninstalling Kerberos for Macintosh on Mac OS 8 or 9 documentation for additional information.

Q: Are source code packages for KfM 4.0.x, 3.5, or 3.0 available?
A: No.

Q: If source code is not available then how can people review the libraries for security concerns?
A: The code used for the Kerberos v5 and GSS libraries comes from the same tree as all of the other platforms. If you would like to review that source code, you can download the appropriate release version source package for UNIX. The Kerberos v4 library is the last Cygnus release with minor modifications for the Kerberos Login Library.

Questions or comments? Send mail to
Last updated on 2003/11/18 22:02:47
Last modified by smcguire