From cfc34e25a66e528bfa35be39cc498a28fc1f1606 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 28 Apr 2014 00:48:10 +0200 Subject: [PATCH 1/3] Remove use of krb4 settings in example krb5.conf. --- krb5.conf | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/krb5.conf b/krb5.conf index c9f4c44a5..103ea8c22 100644 --- a/krb5.conf +++ b/krb5.conf @@ -1,16 +1,6 @@ [libdefaults] - default_realm = MY.REALM + default_realm = MY.REALM clockskew = 300 - v4_instance_resolve = false - v4_name_convert = { - host = { - rcmd = host - ftp = ftp - } - plain = { - something = something-else - } - } [realms] MY.REALM = { From 341f032cfd15dcf736e129f754c3a697ef49f51b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 28 Apr 2014 01:02:45 +0200 Subject: [PATCH 2/3] kdc.8: Remove references to kerberos 4. --- kdc/kdc.8 | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/kdc/kdc.8 b/kdc/kdc.8 index f14ec5a37..70c4cafe3 100644 --- a/kdc/kdc.8 +++ b/kdc/kdc.8 @@ -47,9 +47,6 @@ .Op Fl p | Fl Fl no-require-preauth .Op Fl Fl max-request= Ns Ar size .Op Fl H | Fl Fl enable-http -.Op Fl Fl no-524 -.Op Fl Fl kerberos4 -.Op Fl Fl kerberos4-cross-realm .Oo Fl r Ar string \*(Ba Xo .Fl Fl v4-realm= Ns Ar string .Xc @@ -93,14 +90,6 @@ Gives an upper limit on the size of the requests that the kdc is willing to handle. .It Fl H , Fl Fl enable-http Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. -.It Fl Fl no-524 -don't respond to 524 requests -.It Fl Fl kerberos4 -respond to Kerberos 4 requests -.It Fl Fl kerberos4-cross-realm -respond to Kerberos 4 requests from foreign realms. -This is a known security hole and should not be enabled unless you -understand the consequences and are willing to live with them. .It Fl r Ar string , Fl Fl v4-realm= Ns Ar string What realm this server should act as when dealing with version 4 requests. From 4199081e94909c29f44cb9c3c6f73f7ccbc7a2d5 Mon Sep 17 00:00:00 2001 
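Review bot: In kdc/kdc.8 the `-r` / `--v4-realm` option is still documented after this patch: `.Fl Fl v4-realm= Ns Ar string` stays as context in the synopsis hunk, and `.It Fl r Ar string , Fl Fl v4-realm= Ns Ar string` ("What realm this server should act as when dealing with version 4 requests") stays as context at the end of the second hunk. The page therefore keeps a Kerberos 4 reference that the subject line says is removed; if the kdc no longer handles version 4 requests, those two entries belong in the same patch. The second hunk also deletes the only text warning that `--kerberos4-cross-realm` is "a known security hole". The three patches shown change only krb5.conf and manual pages, so whether the kdc still accepts that flag cannot be told from here, and the warning should stay documented for as long as the option still parses.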
From: Jelmer Vernooij Date: Mon, 28 Apr 2014 01:03:10 +0200 Subject: [PATCH 3/3] Various manpages: Remove references to Kerberos 4. --- lib/krb5/krb5.conf.5 | 46 -------------------------------------- lib/krb5/krb5_parse_name.3 | 1 - lib/krb5/krb5_principal.3 | 1 - 3 files changed, 48 deletions(-) diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 5adedf8ed..a638cf167 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -152,11 +152,6 @@ times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It Li v4_name_convert -.It Li v4_instance_resolve -These are described in the -.Xr krb5_425_conv_principal 3 -manual page. .It Li capath = { .Bl -tag -width "xxx" -offset indent .It Va destination-realm Li = Va next-hop-realm @@ -242,12 +237,6 @@ Scan all network interfaces for addresses, as opposed to simply using the address associated with the system's host name. .It Li fcache_version = Va int Use file credential cache format version specified. -.It Li krb4_get_tickets = Va boolean -Also get Kerberos 4 tickets in -.Nm kinit , -.Nm login , -and other programs. -This option is also valid in the [realms] section. .It Li fcc-mit-ticketflags = Va boolean Use MIT compatible format for file credential cache. It's the field ticketflags that is stored in reverse bit order for @@ -381,14 +370,6 @@ to the database are performed. Points to the server where all the password changes are performed. If there is no such entry, the kpasswd port on the admin_server host will be tried. -.It Li krb524_server = Va host[:port] -Points to the server that does 524 conversions. -If it is not mentioned, the krb524 port on the kdcs will be tried. -.It Li v4_instance_convert -.It Li v4_name_convert -.It Li default_domain -See -.Xr krb5_425_conv_principal 3 . .It Li tgs_require_subkey a boolan variable that defaults to false. Old DCE secd (pre 1.1) might need this to be true. 
@@ -513,19 +494,10 @@ for propagating changes to slaves. Maximum size of a kdc request. .It Li require-preauth = Va BOOL If set pre-authentication is required. -Since krb4 requests are not pre-authenticated they will be rejected. .It Li ports = Va "list of ports" List of ports the kdc should listen to. .It Li addresses = Va "list of interfaces" List of addresses the kdc should bind to. -.It Li enable-kerberos4 = Va BOOL -Turn on Kerberos 4 support. -.It Li v4-realm = Va REALM -To what realm v4 requests should be mapped. -.It Li enable-524 = Va BOOL -Should the Kerberos 524 converting facility be turned on. -Default is the same as -.Va enable-kerberos4 . .It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. .It Li tgt-use-strongest-session-key = Va BOOL @@ -565,14 +537,6 @@ The time before expiration that the user should be warned that her password is about to expire. .It Li logging = Va Logging What type of logging the kdc should use, see also [logging]/kdc. -.It Li use_2b = { -.Bl -tag -width "xxx" -offset indent -.It Va principal Li = Va BOOL -boolean value if the 524 daemon should return AFS 2b tokens for -.Fa principal . -.It ... -.El -.It Li } .It Li hdb-ldap-structural-object Va structural object If the LDAP backend is used for storing principals, this is the structural object that will be used when creating and when reading @@ -645,9 +609,6 @@ Additional special values of keytypes are: .It Li v5 The Kerberos 5 salt .Va pw-salt -.It Li v4 -The Kerberos 4 salt -.Va des:pw-salt: .El .It Li default_key_rules = Va { .Bl -tag -width "xxx" -offset indent @@ -696,12 +657,6 @@ configuration file for Kerberos 5. [realms] FOO.SE = { kdc = kerberos.foo.se - v4_name_convert = { - rcmd = host - } - v4_instance_convert = { - xyz = xyz.bar.se - } default_domain = foo.se } [logging] 
@@ -729,7 +684,6 @@ are actually used and thus cannot warn about unknown or misspelled ones. .Sh SEE ALSO .Xr kinit 1 , -.Xr krb5_425_conv_principal 3 , .Xr krb5_openlog 3 , .Xr strftime 3 , .Xr verify_krb5_conf 8 diff --git a/lib/krb5/krb5_parse_name.3 b/lib/krb5/krb5_parse_name.3 index eb4a2d28c..85acc7292 100644 --- a/lib/krb5/krb5_parse_name.3 +++ b/lib/krb5/krb5_parse_name.3 @@ -61,7 +61,6 @@ quoting it with a backslash .Pq Dq \e . A realm should not contain slashes or colons. .Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , .Xr krb5_build_principal 3 , .Xr krb5_free_principal 3 , .Xr krb5_sname_to_principal 3 , diff --git a/lib/krb5/krb5_principal.3 b/lib/krb5/krb5_principal.3 index 2998130a8..c8d2fec1d 100644 --- a/lib/krb5/krb5_principal.3 +++ b/lib/krb5/krb5_principal.3 @@ -362,7 +362,6 @@ On failure the function returns an error code and set the error string. .\" .Sh EXAMPLES .Sh SEE ALSO -.Xr krb5_425_conv_principal 3 , .Xr krb5_config 3 , .Xr krb5.conf 5 .Sh BUGS