Getting tickets with 1.3 on KfM can be slow because of DNS requests. Attached is a tcpdump of the DNS request interleaved with the krb5 requests. krb5_sendto_kdc calls krb5_locate_kdc twice for udp and tcp respectively, so each kdc in the config file is looked up twice. For some reason on Mac OS X 10.2.4, these queries are not cached by lookupd. Also, I didn't notice these problems until I started compiling with KRB5_DNS_LOOKUP and KRB5_DNS_LOOKUP_KDC 1 (previously they were 0 on the Mac). I couldn't figure out from the code why this was, since my config file contains: [libdefaults] dns_lookup_realm = false dns_lookup_kdc = false In the config file, the Athena realm is specified as: [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu.:88 kdc = kerberos-1.mit.edu.:88 kdc = kerberos-2.mit.edu.:88 kdc = kerberos-3.mit.edu.:88 admin_server = kerberos.mit.edu. default_domain = mit.edu } Obviously removing the .s at the end of the kdc names will result in more lookups and more slowness.