-klogin 543/tcp # Kerberos authenticated rlogin
-kerberos5 88/udp kdc # Kerberos authentication--udp
-kerberos5 88/tcp kdc # Kerberos authentication--tcp
-kerberos4 750/udp # Kerberos authentication--udp
-kerberos4 750/tcp # Kerberos authentication--tcp
+#
+# Note --- if you are using Kerberos V4 clients and you either (a)
+# haven't converted all your KDC's over to use V5, or (b) are worried
+# about inter-realm interoperability with other KDC's that are still
+# using V4, then you will have to switch the definition of kerberos and
+# kerberos-sec.
+#
+# The issue is that the official port assignement for the "kerberos"
+# port is port 88, yet the unofficial port that has been used for
+# Kerberos V4 is port 750. The V5 KDC will respond to requests made on
+# either port, and if V4 compatibility is turned on, it will respond to
+# V4 requests on either port as well.
+#
+#
+# Hence, it is safe to switch the definitions of kerberos and
+# kerberos-sec; both should be defined, though, and one should be port
+# 88 and one should be port 750.
+#
+kerberos 88/udp kdc # Kerberos authentication--udp
+kerberos 88/tcp kdc # Kerberos authentication--tcp
+kerberos-sec 750/udp # Kerberos authentication--udp
+kerberos-sec 750/tcp # Kerberos authentication--tcp
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
kpop 1109/tcp # Pop with Kerberos
kshell 544/tcp cmd # and remote shell
+klogin 543/tcp # Kerberos authenticated rlogin
eklogin 2105/tcp # Kerberos encrypted rlogin
krb_prop 754/tcp # Kerberos slave propagation
krb524 4444/tcp # Kerberos 5 to 4 ticket xlator