From bf5b1bac7a510791e1ea6423a8c2b4b82d80b4d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?= =?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?= Date: Thu, 24 Oct 2024 12:58:49 +0300 Subject: [PATCH] Remove Kerberos 4 support -- remove references to (case insensitive) krb4, os_v4 -- cmulocal/kerberos_v5.m4: remove unused AC_DEFINE HAVE_KRB5 --- Makefile.am | 4 +- changes/next/remove_krb4 | 8 + cmulocal/README.andrew | 4 +- cmulocal/arx.m4 | 153 ------- cmulocal/kafs.m4 | 166 ------- cmulocal/kerberos_v4.m4 | 284 ------------ cmulocal/kerberos_v5.m4 | 1 - cmulocal/zephyr.m4 | 154 ------- configure.ac | 97 ---- doc/legacy/ag.html | 2 +- doc/legacy/install-auth.html | 65 +-- doc/legacy/install-compile.html | 3 - doc/legacy/install-murder.html | 2 +- doc/legacy/install-sieve.html | 2 +- doc/legacy/install-testing.html | 27 +- doc/legacy/man.html | 1 - doc/legacy/overview.html | 35 +- doc/legacy/readme.html | 4 +- docsrc/assets/man-imtest.rst | 2 +- .../imap/concepts/overview_and_concepts.rst | 6 +- docsrc/imap/developer/compiling.rst | 4 +- .../admin/access-control/identifiers.rst | 12 - .../admin/murder/murder-concepts.rst | 2 +- .../admin/murder/murder-installation.rst | 2 +- docsrc/imap/reference/admin/sieve.rst | 2 +- .../reference/manpages/configs/krb.equiv.rst | 47 -- imap/cyr_buildinfo.c | 5 - imap/global.c | 29 +- imap/version.c | 7 - lib/auth.c | 3 - lib/auth.h | 1 - lib/auth_krb.c | 433 ------------------ lib/imapoptions | 6 +- notifyd/notify_zephyr.c | 14 +- perl/imap/t/01-imclient.t | 2 +- ptclient/afskrb.c | 193 -------- 36 files changed, 69 insertions(+), 1713 deletions(-) create mode 100644 changes/next/remove_krb4 delete mode 100644 cmulocal/arx.m4 delete mode 100644 cmulocal/kafs.m4 delete mode 100644 cmulocal/kerberos_v4.m4 delete mode 100644 cmulocal/zephyr.m4 delete mode 100644 docsrc/imap/reference/manpages/configs/krb.equiv.rst delete mode 100644 lib/auth_krb.c 
diff --git a/Makefile.am b/Makefile.am index 7440d13472..64cc78c146 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1453,7 +1453,6 @@ lib_libcyrus_la_SOURCES = \ lib/acl.c \ lib/acl_afs.c \ lib/auth.c \ - lib/auth_krb.c \ lib/auth_krb5.c \ lib/auth_mboxgroups.c \ lib/auth_pts.c \ @@ -1614,8 +1613,7 @@ dist_man3_MANS = \ dist_man5_MANS = \ man/cyrus.conf.5 \ - man/imapd.conf.5 \ - man/krb.equiv.5 + man/imapd.conf.5 dist_man8_MANS = \ man/arbitron.8 \ diff --git a/changes/next/remove_krb4 b/changes/next/remove_krb4 new file mode 100644 index 0000000000..b9f60d3262 --- /dev/null +++ b/changes/next/remove_krb4 @@ -0,0 +1,8 @@ +Description: + +Remove Kerberos 4 support + +Config changes: + +In imapd.conf srvtab is not valid anymore. +./configure does not accept --enable-krb5afspts , ptclient/afskrb.c works now only with KRB5. diff --git a/cmulocal/README.andrew b/cmulocal/README.andrew index 5cb34f603b..9f6eef268f 100644 --- a/cmulocal/README.andrew +++ b/cmulocal/README.andrew @@ -64,8 +64,8 @@ CMU_SASL Provides --with-sasldir. -CMU_KRB4 - This attempts to find Kerberos 4 libraries and set up CFLAGS and LIBS +CMU_KRB5 + This attempts to find Kerberos 5 libraries and set up CFLAGS and LIBS appropriately. It also updates and substitutes RPATH for shared library stuff. diff --git a/cmulocal/arx.m4 b/cmulocal/arx.m4 deleted file mode 100644 index 0f1d2e40e2..0000000000 --- a/cmulocal/arx.m4 +++ /dev/null 
@@ -1,153 +0,0 @@ -AC_DEFUN([CMU_ARX_INC_WHERE1], [ -saved_CPPFLAGS=$CPPFLAGS -CPPFLAGS="$saved_CPPFLAGS -I$1" -AC_TRY_COMPILE([#include ], -[arx_context *foo;], -ac_cv_found_arx_inc=yes, -ac_cv_found_arx_inc=no) -CPPFLAGS=$saved_CPPFLAGS -]) - -AC_DEFUN([CMU_ARX_INC_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for arx headers in $i) - CMU_ARX_INC_WHERE1($i) - CMU_TEST_INCPATH($i, arx) - if test "$ac_cv_found_arx_inc" = "yes"; then - ac_cv_arx_where_inc=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -# -# Test for lib files -# - -AC_DEFUN([CMU_ARX_LIB_WHERE1], [ -AC_REQUIRE([CMU_AFS]) -AC_REQUIRE([CMU_KRB4]) -saved_LIBS=$LIBS -LIBS="$saved_LIBS -L$1 -larx $AFS_LIB_FLAGS $AFS_CLIENT_LIBS $KRB_LIB_FLAGS $LIB_SOCKET" -AC_TRY_LINK(, -[arx_Init();], -[ac_cv_found_arx_lib=yes], -ac_cv_found_arx_lib=no) -LIBS=$saved_LIBS -]) - -AC_DEFUN([CMU_ARX_LIB_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for arx libraries in $i) - CMU_ARX_LIB_WHERE1($i) - CMU_TEST_LIBPATH($i, arx) - if test "$ac_cv_found_arx_lib" = "yes" ; then - ac_cv_arx_where_lib=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_USE_ARX], [ -AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) -AC_ARG_WITH(arx, - [AS_HELP_STRING([--with-arx=PREFIX], [Compile with arx support])], - [if test "X$with_arx" = "X"; then - with_arx=yes - fi]) -AC_ARG_WITH(arx-lib, - [AS_HELP_STRING([--with-arx-lib=dir], [use arx libraries in dir])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-arx-lib]) - fi]) -AC_ARG_WITH(arx-include, - [AS_HELP_STRING([--with-arx-include=dir], [use arx headers in dir])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-arx-include]) - fi]) - - if test "X$with_arx" != "X"; then - if test "$with_arx" != "yes"; then - ac_cv_arx_where_lib=$with_arx/${CMU_LIB_SUBDIR} - ac_cv_arx_where_inc=$with_arx/include - fi - fi - - if test 
"X$with_arx_lib" != "X"; then - ac_cv_arx_where_lib=$with_arx_lib - fi - if test "X$ac_cv_arx_where_lib" = "X"; then - CMU_ARX_LIB_WHERE(/usr/athena/${CMU_LIB_SUBDIR} /usr/local/${CMU_LIB_SUBDIR} /usr/${CMU_LIB_SUBDIR}) - fi - - if test "X$with_arx_include" != "X"; then - ac_cv_arx_where_inc=$with_arx_include - fi - if test "X$ac_cv_arx_where_inc" = "X"; then - CMU_ARX_INC_WHERE(/usr/athena/include /usr/local/include) - fi - - AC_MSG_CHECKING(whether to include arx) - if test "X$ac_cv_arx_where_lib" = "X" -o "X$ac_cv_arx_where_inc" = "X"; then - ac_cv_found_arx=no - AC_MSG_RESULT(no) - else - ac_cv_found_arx=yes - AC_MSG_RESULT(yes) - ARX_INC_DIR=$ac_cv_arx_where_inc - ARX_LIB_DIR=$ac_cv_arx_where_lib - ARX_INC_FLAGS="-I${ARX_INC_DIR}" - ARX_LIB_FLAGS="-L${ARX_LIB_DIR} -larx" - ARX_LD_FLAGS="-L${ARX_LIB_DIR}" - dnl Do not force configure.in to put these in CFLAGS and LIBS unconditionally - dnl Allow makefile substitutions.... - AC_SUBST(ARX_INC_FLAGS) - AC_SUBST(ARX_LIB_FLAGS) - AC_SUBST(ARX_LD_FLAGS) - if test "X$RPATH" = "X"; then - RPATH="" - fi - case "${host}" in - *-*-linux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${ARX_LIB_DIR}" - else - RPATH="${RPATH}:${ARX_LIB_DIR}" - fi - ;; - *-*-hpux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,+b${ARX_LIB_DIR}" - else - RPATH="${RPATH}:${ARX_LIB_DIR}" - fi - ;; - *-*-irix*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${ARX_LIB_DIR}" - else - RPATH="${RPATH}:${ARX_LIB_DIR}" - fi - ;; - *-*-solaris2*) - if test "$ac_cv_prog_gcc" = yes; then - if test "X$RPATH" = "X"; then - RPATH="-Wl,-R${ARX_LIB_DIR}" - else - RPATH="${RPATH}:${ARX_LIB_DIR}" - fi - else - RPATH="${RPATH} -R${ARX_LIB_DIR}" - fi - ;; - esac - AC_SUBST(RPATH) - fi - ]) - diff --git a/cmulocal/kafs.m4 b/cmulocal/kafs.m4 deleted file mode 100644 index 523030db63..0000000000 --- a/cmulocal/kafs.m4 +++ /dev/null 
@@ -1,166 +0,0 @@ -dnl kerberos_v4.m4--Kafs libraries and includes -dnl Derrick Brashear -dnl from KTH kafs and Arla - -AC_DEFUN([CMU_KAFS_INC_WHERE1], [ -saved_CPPFLAGS=$CPPFLAGS -CPPFLAGS="$saved_CPPFLAGS -I$1" -AC_TRY_COMPILE([ -#include -#include -#include -], -[struct ClearToken foo;], -ac_cv_found_kafs_inc=yes, -ac_cv_found_kafs_inc=no) -if test "$ac_cv_found_kafs_inc" = "no"; then - CPPFLAGS="$saved_CPPFLAGS -I$1 -I$1/kerberosIV" - AC_TRY_COMPILE([ -#include -#include -#include -], - [struct ClearToken foo;], - [ac_cv_found_kafs_inc=yes], - ac_cv_found_kafs_inc=no) -fi -CPPFLAGS=$saved_CPPFLAGS -]) - -AC_DEFUN([CMU_KAFS_INC_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for kafs headers in $i) - CMU_KAFS_INC_WHERE1($i) - CMU_TEST_INCPATH($i, kafs) - if test "$ac_cv_found_kafs_inc" = "yes"; then - ac_cv_kafs_where_inc=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_KAFS_LIB_WHERE1], [ -saved_LIBS=$LIBS -LIBS="$saved_LIBS -L$1 -lkafs $KRB_LIB_FLAGS $KRB5_LIB_FLAGS" -AC_TRY_LINK(, -[krb_afslog();], -[ac_cv_found_kafs_lib=yes], -ac_cv_found_kafs_lib=no) -LIBS=$saved_LIBS -]) - -AC_DEFUN([CMU_KAFS_LIB_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for kafs libraries in $i) - CMU_KAFS_LIB_WHERE1($i) - dnl deal with false positives from implicit link paths - CMU_TEST_LIBPATH($i, kafs) - if test "$ac_cv_found_kafs_lib" = "yes" ; then - ac_cv_kafs_where_lib=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_KAFS], [ -AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) -AC_REQUIRE([CMU_SOCKETS]) -AC_REQUIRE([CMU_KRB4]) -AC_REQUIRE([CMU_KRB5]) -AC_ARG_WITH(kafs, - [AS_HELP_STRING([--with-kafs=PREFIX], [Compile with Kafs support])], - [if test "X$with_kafs" = "X"; then - with_kafs=yes - fi]) -AC_ARG_WITH(kafs-lib, - [AS_HELP_STRING([--with-kafs-lib=DIR], [use kafs libraries in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for 
--with-kafs-lib]) - fi]) -AC_ARG_WITH(kafs-include, - [AS_HELP_STRING([--with-kafs-include=DIR], [use kafs headers in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-kafs-include]) - fi]) - - if test "X$with_kafs" != "X"; then - if test "$with_kafs" != "yes" -a "$with_kafs" != no; then - ac_cv_kafs_where_lib=$with_kafs/$CMU_LIB_SUBDIR - ac_cv_kafs_where_inc=$with_kafs/include - fi - fi - - if test "$with_kafs" != "no"; then - if test "X$with_kafs_lib" != "X"; then - ac_cv_kafs_where_lib=$with_kafs_lib - fi - if test "X$ac_cv_kafs_where_lib" = "X"; then - CMU_KAFS_LIB_WHERE(/usr/athena/$CMU_LIB_SUBDIR /usr/local/$CMU_LIB_SUBDIR /usr/$CMU_LIB_SUBDIR) - fi - - if test "X$with_kafs_include" != "X"; then - ac_cv_kafs_where_inc=$with_kafs_include - fi - if test "X$ac_cv_kafs_where_inc" = "X"; then - CMU_KAFS_INC_WHERE(/usr/athena/include /usr/include/kerberosIV /usr/local/include /usr/include/kerberos) - fi - fi - - AC_MSG_CHECKING(whether to include kafs) - if test "X$ac_cv_kafs_where_lib" = "X" -a "X$ac_cv_kafs_where_inc" = "X"; then - ac_cv_found_kafs=no - AC_MSG_RESULT(no) - else - ac_cv_found_kafs=yes - AC_MSG_RESULT(yes) - KAFS_INC_DIR=$ac_cv_kafs_where_inc - KAFS_LIB_DIR=$ac_cv_kafs_where_lib - KAFS_INC_FLAGS="-I${KAFS_INC_DIR}" - KAFS_LIB_FLAGS="-L${KAFS_LIB_DIR} -lkafs" - if test "X$RPATH" = "X"; then - RPATH="" - fi - case "${host}" in - *-*-linux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${KAFS_LIB_DIR}" - else - RPATH="${RPATH}:${KAFS_LIB_DIR}" - fi - ;; - *-*-hpux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,+b${KAFS_LIB_DIR}" - else - RPATH="${RPATH}:${KAFS_LIB_DIR}" - fi - ;; - *-*-irix*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${KAFS_LIB_DIR}" - else - RPATH="${RPATH}:${KAFS_LIB_DIR}" - fi - ;; - *-*-solaris2*) - if test "$ac_cv_prog_gcc" = yes; then - if test "X$RPATH" = "X"; then - RPATH="-Wl,-R${KAFS_LIB_DIR}" - else - RPATH="${RPATH}:${KAFS_LIB_DIR}" - fi - else - 
RPATH="${RPATH} -R${KAFS_LIB_DIR}" - fi - ;; - esac - AC_SUBST(RPATH) - fi - ]) - diff --git a/cmulocal/kerberos_v4.m4 b/cmulocal/kerberos_v4.m4 deleted file mode 100644 index 676cbab418..0000000000 --- a/cmulocal/kerberos_v4.m4 +++ /dev/null 
@@ -1,284 +0,0 @@ -dnl kerberos_v4.m4--Kerberos 4 libraries and includes -dnl Derrick Brashear -dnl from KTH krb and Arla - -AC_DEFUN([CMU_KRB_SENDAUTH_PROTO], [ -AC_MSG_CHECKING(for krb_sendauth prototype) -AC_TRY_COMPILE( -[#include -int krb_sendauth (long options, int fd, KTEXT ktext, char *service, - char *inst, char *realm, u_long checksum, - MSG_DAT *msg_data, CREDENTIALS *cred, - Key_schedule schedule, struct sockaddr_in *laddr, - struct sockaddr_in *faddr, char *version);], -[int foo = krb_sendauth(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); ], -ac_cv_krb_sendauth_proto=no, -ac_cv_krb_sendauth_proto=yes) -AC_MSG_RESULT($ac_cv_krb_sendauth_proto) -if test "$ac_cv_krb_sendauth_proto" = yes; then - AC_DEFINE(HAVE_KRB_SENDAUTH_PROTO)dnl -fi -AC_MSG_RESULT($ac_cv_krb_sendauth_proto) -]) - -AC_DEFUN([CMU_KRB_SET_KEY_PROTO], [ -AC_MSG_CHECKING(for krb_set_key prototype) -AC_CACHE_VAL(ac_cv_krb_set_key_proto, [ -cmu_save_CPPFLAGS="$CPPFLAGS" -CPPFLAGS="${CPPFLAGS} ${KRB_INC_FLAGS}" -AC_TRY_COMPILE( -[#include -int krb_set_key(char *key, int cvt);], -[int foo = krb_set_key(0, 0);], -ac_cv_krb_set_key_proto=no, -ac_cv_krb_set_key_proto=yes) -]) -CPPFLAGS="${cmu_save_CPPFLAGS}" -if test "$ac_cv_krb_set_key_proto" = yes; then - AC_DEFINE(HAVE_KRB_SET_KEY_PROTO)dnl -fi -AC_MSG_RESULT($ac_cv_krb_set_key_proto) -]) - -AC_DEFUN([CMU_KRB4_32_DEFN], [ -AC_MSG_CHECKING(for KRB4_32 definition) -AC_CACHE_VAL(ac_cv_krb4_32_defn, [ -cmu_save_CPPFLAGS="$CPPFLAGS" -CPPFLAGS="${CPPFLAGS} ${KRB_INC_FLAGS}" -AC_TRY_COMPILE( -[#include -], -[KRB4_32 foo = 1;], -ac_cv_krb4_32_defn=yes, -ac_cv_krb4_32_defn=no) -]) -CPPFLAGS="${cmu_save_CPPFLAGS}" -if test "$ac_cv_krb4_32_defn" = yes; then - AC_DEFINE(HAVE_KRB4_32_DEFINE)dnl -fi -AC_MSG_RESULT($ac_cv_krb4_32_defn) -]) - -AC_DEFUN([CMU_KRB_RD_REQ_PROTO], [ -AC_MSG_CHECKING(for krb_rd_req prototype) -AC_CACHE_VAL(ac_cv_krb_rd_req_proto, [ -cmu_save_CPPFLAGS="$CPPFLAGS" -CPPFLAGS="${CPPFLAGS} ${KRB_INC_FLAGS}" -AC_TRY_COMPILE( -[#include -int 
krb_rd_req(KTEXT authent, char *service, char *instance, -unsigned KRB_INT32 from_addr, AUTH_DAT *ad, char *fn);], -[int foo = krb_rd_req(0,0,0,0,0,0);], -ac_cv_krb_rd_req_proto=no, -ac_cv_krb_rd_req_proto=yes) -]) -CPPFLAGS="${cmu_save_CPPFLAGS}" -if test "$ac_cv_krb_rd_req_proto" = yes; then - AC_DEFINE(HAVE_KRB_RD_REQ_PROTO)dnl -fi -AC_MSG_RESULT($ac_cv_krb_rd_req_proto) -]) - -AC_DEFUN([CMU_KRB_INC_WHERE1], [ -saved_CPPFLAGS=$CPPFLAGS -CPPFLAGS="$saved_CPPFLAGS -I$1" -AC_TRY_COMPILE([#include ], -[struct ktext foo;], -ac_cv_found_krb_inc=yes, -ac_cv_found_krb_inc=no) -if test "$ac_cv_found_krb_inc" = "no"; then - CPPFLAGS="$saved_CPPFLAGS -I$1 -I$1/kerberosIV" - AC_TRY_COMPILE([#include ], - [struct ktext foo;], - [ac_cv_found_krb_inc=yes], - ac_cv_found_krb_inc=no) -fi -CPPFLAGS=$saved_CPPFLAGS -]) - -AC_DEFUN([CMU_KRB_INC_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for kerberos headers in $i) - CMU_KRB_INC_WHERE1($i) - CMU_TEST_INCPATH($i, krb) - if test "$ac_cv_found_krb_inc" = "yes"; then - ac_cv_krb_where_inc=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -# -# Test for kerberos lib files -# - -AC_DEFUN([CMU_KRB_LIB_WHERE1], [ -saved_LIBS=$LIBS -LIBS="$saved_LIBS -L$1 -lkrb ${KRB_LIBDES}" -AC_TRY_LINK(, -[dest_tkt();], -[ac_cv_found_krb_lib=yes], -ac_cv_found_krb_lib=no) -LIBS=$saved_LIBS -]) - -AC_DEFUN([CMU_KRB_LIB_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for kerberos libraries in $i) - CMU_KRB_LIB_WHERE1($i) - dnl deal with false positives from implicit link paths - CMU_TEST_LIBPATH($i, krb) - if test "$ac_cv_found_krb_lib" = "yes" ; then - ac_cv_krb_where_lib=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_KRB4], [ -AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) -AC_REQUIRE([CMU_SOCKETS]) -AC_REQUIRE([CMU_LIBSSL]) -AC_ARG_WITH(krb4, - [AS_HELP_STRING([--with-krb4=PREFIX], [Compile with Kerberos 4 support])], - [if test "X$with_krb4" = "X"; then - with_krb4=yes - fi]) 
-AC_ARG_WITH(krb4-lib, - [AS_HELP_STRING([--with-krb4-lib=DIR], [use kerberos 4 libraries in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-krb4-lib]) - fi]) -AC_ARG_WITH(krb4-include, - [AS_HELP_STRING([--with-krb4-include=DIR], [use kerberos 4 headers in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-krb4-include]) - fi]) - - if test "X$with_krb4" != "X"; then - if test "$with_krb4" != "yes" -a "$with_krb4" != "no"; then - ac_cv_krb_where_lib=$with_krb4/$CMU_LIB_SUBDIR - ac_cv_krb_where_inc=$with_krb4/include - fi - fi - - if test "$with_krb4" != "no"; then - if test "X$with_krb4_lib" != "X"; then - ac_cv_krb_where_lib=$with_krb4_lib - fi - if test "X$with_krb4_include" != "X"; then - ac_cv_krb_where_inc=$with_krb4_include - fi - if test "X$ac_cv_krb_where_inc" = "X"; then - CMU_KRB_INC_WHERE(/usr/athena/include /usr/include/kerberosIV /usr/local/include /usr/include/kerberos) - fi - - AC_MSG_CHECKING([if libdes is needed]) - AC_TRY_LINK([],[des_quad_cksum();],KRB_DES_LIB="",KRB_DES_LIB="maybe") - if test "X$KRB_DES_LIB" != "X"; then - LIBS="$cmu_save_LIBS -ldes" - AC_TRY_LINK([], [des_quad_cksum();],KRB_DES_LIB="yes") - if test "X$KRB_DES_LIB" = "Xyes"; then - AC_MSG_RESULT([yes]) - KRB_LIBDES="-ldes" - KRB_LIBDESA='$(KRB_LIB_DIR)/libdes.a' - else - LIBS="$cmu_save_LIBS $LIBSSL_LIB_FLAGS" - AC_TRY_LINK([], - [des_quad_cksum();],KRB_DES_LIB="libcrypto") - if test "X$KRB_DES_LIB" = "Xlibcrypto"; then - AC_MSG_RESULT([libcrypto]) - KRB_LIBDES="$LIBSSL_LIB_FLAGS" - KRB_LIBDESA="$LIBSSL_LIB_FLAGS" - else - LIBS="$cmu_save_LIBS -L$LIBSSL_LIB_DIR -ldescompat $LIBSSL_LIB_FLAGS" - AC_TRY_LINK([], - [des_quad_cksum();],KRB_DES_LIB="libcrypto+descompat") - if test "X$KRB_DES_LIB" = "Xlibcrypto+descompat"; then - AC_MSG_RESULT([libcrypto+descompat]) - KRB_LIBDES="-L$LIBSSL_LIB_DIR -ldescompat $LIBSSL_LIB_FLAGS" - KRB_LIBDESA="-L$LIBSSL_LIB_DIR -ldescompat 
$LIBSSL_LIB_FLAGS" - else - AC_MSG_RESULT([unknown]) - AC_MSG_ERROR([Could not use -ldes]) - fi - fi - fi - else - AC_MSG_RESULT([no]) - fi - if test "X$ac_cv_krb_where_lib" = "X"; then - CMU_KRB_LIB_WHERE(/usr/athena/$CMU_LIB_SUBDIR /usr/local/$CMU_LIB_SUBDIR /usr/$CMU_LIB_SUBDIR) - fi - fi - LIBS="${cmu_save_LIBS}" - - - AC_MSG_CHECKING([whether to include kerberos 4]) - if test "X$ac_cv_krb_where_lib" = "X" -o "X$ac_cv_krb_where_inc" = "X"; then - ac_cv_found_krb=no - AC_MSG_RESULT(no) - else - ac_cv_found_krb=yes - AC_MSG_RESULT(yes) - KRB_INC_DIR=$ac_cv_krb_where_inc - KRB_LIB_DIR=$ac_cv_krb_where_lib - KRB_INC_FLAGS="-I${KRB_INC_DIR}" - KRB_LIB_FLAGS="-L${KRB_LIB_DIR} -lkrb ${KRB_LIBDES}" - LIBS="${cmu_save_LIBS} ${KRB_LIB_FLAGS}" - AC_CHECK_LIB(resolv, dns_lookup, KRB_LIB_FLAGS="${KRB_LIB_FLAGS} -lresolv",,"${KRB_LIB_FLAGS}") - AC_CHECK_LIB(crypt, crypt, KRB_LIB_FLAGS="${KRB_LIB_FLAGS} -lcrypt",,"${KRB_LIB_FLAGS}") - LIBS="${LIBS} ${KRB_LIB_FLAGS}" - AC_CHECK_FUNCS(krb_get_int krb_life_to_time) - AC_SUBST(KRB_INC_FLAGS) - AC_SUBST(KRB_LIB_FLAGS) - LIBS="${cmu_save_LIBS}" - AC_DEFINE(HAVE_KRB4,,[Kerberos V4 is present])dnl zephyr uses this - AC_DEFINE(KERBEROS,,[Use kerberos 4. find out what needs this symbol]) - if test "X$RPATH" = "X"; then - RPATH="" - fi - case "${host}" in - *-*-linux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${KRB_LIB_DIR}" - else - RPATH="${RPATH}:${KRB_LIB_DIR}" - fi - ;; - *-*-hpux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,+b${KRB_LIB_DIR}" - else - RPATH="${RPATH}:${KRB_LIB_DIR}" - fi - ;; - *-*-irix*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${KRB_LIB_DIR}" - else - RPATH="${RPATH}:${KRB_LIB_DIR}" - fi - ;; - *-*-solaris2*) - if test "$ac_cv_prog_gcc" = yes; then - if test "X$RPATH" = "X"; then - RPATH="-Wl,-R${KRB_LIB_DIR}" - else - RPATH="${RPATH}:${KRB_LIB_DIR}" - fi - else - RPATH="${RPATH} -R${KRB_LIB_DIR}" - fi - ;; - esac - AC_SUBST(RPATH) - fi - ]) - 
diff --git a/cmulocal/kerberos_v5.m4 b/cmulocal/kerberos_v5.m4 index e0a038d4e6..0ee91e0f19 100644 --- a/cmulocal/kerberos_v5.m4 +++ b/cmulocal/kerberos_v5.m4 @@ -138,7 +138,6 @@ AC_ARG_WITH(krb5-impl, KRB5_INC_FLAGS="-I${KRB5_INC_DIR}" AC_SUBST(KRB5_INC_FLAGS) AC_SUBST(KRB5_LIB_FLAGS) - AC_DEFINE(HAVE_KRB5,,[Kerberos V5 is present])dnl zephyr uses this AC_DEFINE(KRB5,,[Use Kerberos 5. (maybe find what needs this and nuke it)]) if test "X$RPATH" = "X"; then RPATH="" diff --git a/cmulocal/zephyr.m4 b/cmulocal/zephyr.m4 deleted file mode 100644 index 128f9bbf41..0000000000 --- a/cmulocal/zephyr.m4 +++ /dev/null 
@@ -1,154 +0,0 @@ -dnl zephyr.m4--Zephyr libraries and includes -dnl based on kafs.m4, by -dnl Derrick Brashear -dnl from KTH kafs and Arla - -AC_DEFUN([CMU_ZEPHYR_INC_WHERE1], [ -saved_CPPFLAGS=$CPPFLAGS -CPPFLAGS="$saved_CPPFLAGS -I$1" -AC_TRY_COMPILE( -[#include ], -[ZNotice_t foo;], -ac_cv_found_zephyr_inc=yes, -ac_cv_found_zephyr_inc=no) -CPPFLAGS=$saved_CPPFLAGS -]) - -AC_DEFUN([CMU_ZEPHYR_INC_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for zephyr headers in $i) - CMU_ZEPHYR_INC_WHERE1($i) - CMU_TEST_INCPATH($i, zephyr/zephyr) - if test "$ac_cv_found_zephyr_inc" = "yes"; then - ac_cv_zephyr_where_inc=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_ZEPHYR_LIB_WHERE1], [ -saved_LIBS=$LIBS -LIBS="$saved_LIBS -L$1 -lzephyr $KRB_LIB_FLAGS" -AC_TRY_LINK(, -[ZInitialize();], -[ac_cv_found_zephyr_lib=yes], -ac_cv_found_zephyr_lib=no) -LIBS=$saved_LIBS -]) - -AC_DEFUN([CMU_ZEPHYR_LIB_WHERE], [ - for i in $1; do - AC_MSG_CHECKING(for zephyr libraries in $i) - CMU_ZEPHYR_LIB_WHERE1($i) - dnl deal with false positives from implicit link paths - CMU_TEST_LIBPATH($i, zephyr) - if test "$ac_cv_found_zephyr_lib" = "yes" ; then - ac_cv_zephyr_where_lib=$i - AC_MSG_RESULT(found) - break - else - AC_MSG_RESULT(not found) - fi - done -]) - -AC_DEFUN([CMU_ZEPHYR], [ -AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) -AC_REQUIRE([CMU_SOCKETS]) -AC_REQUIRE([CMU_KRB4]) -AC_ARG_WITH(zephyr, - [AS_HELP_STRING([--with-zephyr=PREFIX],[Compile with Zephyr support])], - [if test "X$with_zephyr" = "X"; then - with_zephyr=yes - fi]) -AC_ARG_WITH(zephyr-lib, - [AS_HELP_STRING([--with-zephyr-lib=DIR], [use zephyr libraries in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for --with-zephyr-lib]) - fi]) -AC_ARG_WITH(zephyr-include, - [AS_HELP_STRING([--with-zephyr-include=DIR], [use zephyr headers in DIR])], - [if test "$withval" = "yes" -o "$withval" = "no"; then - AC_MSG_ERROR([No argument for 
--with-zephyr-include]) - fi]) - - if test "X$with_zephyr" != "X"; then - if test "$with_zephyr" != "yes" -a "$with_zephyr" != no; then - ac_cv_zephyr_where_lib=$with_zephyr/$CMU_LIB_SUBDIR - ac_cv_zephyr_where_inc=$with_zephyr/include - fi - fi - - if test "$with_zephyr" != "no"; then - if test "X$with_zephyr_lib" != "X"; then - ac_cv_zephyr_where_lib=$with_zephyr_lib - fi - if test "X$ac_cv_zephyr_where_lib" = "X"; then - CMU_ZEPHYR_LIB_WHERE(/usr/athena/$CMU_LIB_SUBDIR /usr/local/$CMU_LIB_SUBDIR /usr/$CMU_LIB_SUBDIR) - fi - - if test "X$with_zephyr_include" != "X"; then - ac_cv_zephyr_where_inc=$with_zephyr_include - fi - if test "X$ac_cv_zephyr_where_inc" = "X"; then - CMU_ZEPHYR_INC_WHERE(/usr/athena/include /usr/local/include /usr/include) - fi - fi - - AC_MSG_CHECKING(whether to include zephyr) - if test "X$ac_cv_zephyr_where_lib" = "X" -a "X$ac_cv_zephyr_where_inc" = "X"; then - ac_cv_found_zephyr=no - AC_MSG_RESULT(no) - else - ac_cv_found_zephyr=yes - AC_MSG_RESULT(yes) - ZEPHYR_INC_DIR=$ac_cv_zephyr_where_inc - ZEPHYR_LIB_DIR=$ac_cv_zephyr_where_lib - ZEPHYR_INC_FLAGS="-I${ZEPHYR_INC_DIR}" - ZEPHYR_LIB_FLAGS="-L${ZEPHYR_LIB_DIR} -lzephyr" - AC_SUBST(ZEPHYT_INC_FLAGS) - AC_SUBST(ZEPHYR_LIB_FLAGS) - if test "X$RPATH" = "X"; then - RPATH="" - fi - case "${host}" in - *-*-linux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${ZEPHYR_LIB_DIR}" - else - RPATH="${RPATH}:${ZEPHYR_LIB_DIR}" - fi - ;; - *-*-hpux*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,+b${ZEPHYR_LIB_DIR}" - else - RPATH="${RPATH}:${ZEPHYR_LIB_DIR}" - fi - ;; - *-*-irix*) - if test "X$RPATH" = "X"; then - RPATH="-Wl,-rpath,${ZEPHYR_LIB_DIR}" - else - RPATH="${RPATH}:${ZEPHYR_LIB_DIR}" - fi - ;; - *-*-solaris2*) - if test "$ac_cv_prog_gcc" = yes; then - if test "X$RPATH" = "X"; then - RPATH="-Wl,-R${ZEPHYR_LIB_DIR}" - else - RPATH="${RPATH}:${ZEPHYR_LIB_DIR}" - fi - else - RPATH="${RPATH} -R${ZEPHYR_LIB_DIR}" - fi - ;; - esac - AC_SUBST(RPATH) - fi - ]) - 
diff --git a/configure.ac b/configure.ac index 25a5cf66e2..3b63ca9e29 100644 --- a/configure.ac +++ b/configure.ac @@ -1095,16 +1095,8 @@ AC_ARG_WITH(ldap, [AS_HELP_STRING([--with-ldap=DIR], [use LDAP (in DIR) (experimental) [/usr/local]])], with_ldap="${withval}", with_ldap="no") -dnl select mode of afspts -AC_ARG_ENABLE(krb5afspts, - [AS_HELP_STRING([--enable-krb5afspts], [compile afskrb PTS module with krb5 support])]) - if test "x$enable_afs" = "xyes"; then # krb5afspts is only valid if AFS is enabled, so check inside here. - AS_IF([test "x$enable_krb5afspts" = "xyes"], [SASL_SET_GSSAPI_LIBS - AC_DEFINE(AFSPTS_USE_KRB5,[],[Should the AFS PTS plugin use krb5?]) - ]) - SAVE_CFLAGS="$CFLAGS" CFLAGS="${CFLAGS} -I${with_afs_incdir}" AFS_LIBS="${with_afs_libdir}/afs/libkauth.a ${with_afs_libdir}/afs/libprot.a ${with_afs_libdir}/afs/libauth.a ${with_afs_libdir}/afs/libsys.a ${with_afs_libdir}/librxkad.a ${with_afs_libdir}/librx.a ${with_afs_libdir}/afs/libsys.a ${with_afs_libdir}/libubik.a ${with_afs_libdir}/afs/util.a ${with_afs_libdir}/afs/libafscom_err.a -lresolv" @@ -1228,18 +1220,6 @@ AM_CONDITIONAL([SERVER], [test "$enable_server" != "no"]) dnl this is the new simple check for kerberos; since the person had to dnl compile SASL, we might as well use the same checks. -AC_ARG_WITH(krb, - [AS_HELP_STRING([--with-krb=DIR], [use Kerberos from DIR])], - with_krb="$withval", with_krb="no") - -AC_ARG_WITH(krbimpl, - [AS_HELP_STRING([--with-krbimpl=kth|mit], [assume Kerberos 4 from KTH or MIT])], - with_krbimpl="$withval", with_krbimpl="kth") - -AC_ARG_ENABLE(statickrb, - [AS_HELP_STRING([--enable-statickrb], [link Kerberos statically])], - with_statickrb="yes", with_statickrb="no") - AC_ARG_WITH(krb5-config, [AS_HELP_STRING([--with-krb5-config=PATH], [use krb5-config from PATH])], with_krb5config="$withval", with_krb5config="no") 
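Review bot: The comment `# krb5afspts is only valid if AFS is enabled, so check inside here.` stays behind in the `enable_afs` branch although the `AS_IF` it described is deleted, so it now documents a check that no longer exists and should be removed with it. Separately, deleting `AC_ARG_ENABLE(krb5afspts, ...)` here, and `--with-krb`, `--with-krbimpl` and `--enable-statickrb` in the next hunk, does not by itself make configure reject those flags. An Autoconf-generated configure normally only prints an "unrecognized options" warning unless it is run with `--enable-option-checking=fatal`, so a packaging script that still passes `--with-krb=DIR` would build without the authentication backend it asked for and without a failure. If a hard stop is wanted, a guard such as `AS_IF([test "x$with_krb" != "x" && test "x$with_krb" != "xno"], [AC_MSG_ERROR([Kerberos 4 support has been removed])])` would do it, assuming `with_krb` is still set for undeclared options.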
@@ -1261,77 +1241,6 @@ if test "$with_krb5config" != "no"; then CFLAGS="$KRB5_CFLAGS $CFLAGS" fi -dnl In order to compile kerberos4, we need libkrb and libdes. - -dnl we might need -lresolv for kerberos -AC_CHECK_LIB(resolv,res_search) - -if test "$with_statickrb" = "yes" -a ! -d "$with_krb"; then - AC_MSG_ERROR([--enable-statickrb specified but --with-krb did not specify a valid directory]) -fi - -if test "$with_krb" != "no"; then -dnl Do we need DES for kerberos? -AC_ARG_WITH(krbdes, - [AS_HELP_STRING([--without-krbdes], [disable Kerberos DES implementation])],, with_krbdes="yes") -if test "$with_krbdes" = "yes"; then - AC_CHECK_LIB(des,des_ecb_encrypt, - if test "$with_statickrb" = "yes"; then - KRB_LIBS="$with_krb/lib/libdes.a" - else - KRB_LIBS="-ldes" - fi, - AC_MSG_ERROR([The Kerberos DES library is required for Kerberos support.])) -fi -fi - -dnl if we were ambitious, we'd look more aggressively for the -dnl krb4 install -if test -d ${with_krb}; then - AC_CACHE_CHECK(for Kerberos includes, cyrus_cv_krbinclude, [ - for krbhloc in include/kerberosIV include - do - if test -f ${with_krb}/${krbhloc}/krb.h ; then - cyrus_cv_krbinclude=${with_krb}/${krbhloc} - break - fi - done - ]) - - if test -n "${cyrus_cv_krbinclude}"; then - CPPFLAGS="$CPPFLAGS -I${cyrus_cv_krbinclude}" - fi - CMU_ADD_LIBPATH(${with_krb}/lib) -fi - -if test "$with_krbimpl" != "kth"; then - KRBLIB="krb4" -else - KRBLIB="krb" -fi - -if test "$with_des" != no; then - AC_CHECK_HEADER(krb.h, - AC_CHECK_LIB(${KRBLIB}, krb_mk_priv, - if test "$with_statickrb" = "yes"; then - KRB_LIBS="$KRB_LIBS $with_krb/lib/lib${KRBLIB}.a" - else - KRB_LIBS="$KRB_LIBS -l${KRBLIB}" - fi, - AC_WARN(No Kerberos V4 found); krb4=no, - $KRB_LIBS), - krb4=no) -else - AC_WARN(No DES library found for Kerberos V4 support) - krb4=no -fi - -if test "${krb4}" != no; then - AC_DEFINE(HAVE_KRB,[],[Support for Kerberos?]) -fi - -LIBS="$KRB_LIBS $LIBS" - SASL_SET_GSSAPI_LIBS dnl 
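Review bot: `AC_CHECK_LIB(resolv,res_search)` is deleted along with the Kerberos 4 probing, but with no action arguments that macro prepends `-lresolv` to `LIBS` and defines `HAVE_LIBRESOLV` for the whole build, not only for krb4. If any remaining code calls resolver functions or tests `HAVE_LIBRESOLV` (not visible in this hunk), it would lose that library on platforms where the resolver is not in libc. That is worth confirming with a grep, or the check can be kept under a neutral comment such as `dnl resolver functions may live in -lresolv`. The same hunk drops `LIBS="$KRB_LIBS $LIBS"`, so any other place that still substitutes or appends `KRB_LIBS` should be checked as well.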
@@ -1423,11 +1332,6 @@ if test "$with_ssl" != "no"; then SSL_CPPFLAGS="$ssl_cppflags" SSL_LIBS="$ssl_ldflags $ssl_libs" AC_DEFINE(HAVE_SSL,[],[Build with SSL support?]) - if test "${krb4}" != no; then - AC_DEFINE(OPENSSL_ENABLE_OLD_DES_SUPPORT,[],[Configure OpenSSL to provide legacy des apis]) - AC_DEFINE(OPENSSL_DES_LIBDES_COMPATIBILITY,[],[Configure OpenSSL to provide krb4-compatible legacy des apis]) - fi - AC_CHECK_LIB(ssl, SSL_CTX_set_alpn_select_cb, AC_DEFINE(HAVE_TLS_ALPN,[], [Do we have support for TLS ALPN extension?])) fi @@ -2630,7 +2534,6 @@ Cyrus Server configured components autocreate: $enable_autocreate idled: $enable_idled httpd: $enable_http - kerberos V4: $krb4 murder: $enable_murder nntpd: $enable_nntp replication: $enable_replication diff --git a/doc/legacy/ag.html b/doc/legacy/ag.html index bcc8be3c27..26094f9678 100644 --- a/doc/legacy/ag.html +++ b/doc/legacy/ag.html @@ -202,7 +202,7 @@

3.2 Authentication

The user authenticates to the frontend server via any supported SASL mechanism or via plaintext. If authentication is successful, the front end server will authenticate to the back end server using a SASL mechanism (in -our case KERBEROS_V4 or GSSAPI) as a privileged user. This user is able to +our case GSSAPI) as a privileged user. This user is able to switch to the authorization of the actual user being proxied for and any authorization checks happen as if the user actually authenticated directly to the back end server. Note this is a native feature of many SASL diff --git a/doc/legacy/install-auth.html b/doc/legacy/install-auth.html index 5490f83ae0..b3a0001cf9 100644 --- a/doc/legacy/install-auth.html +++ b/doc/legacy/install-auth.html @@ -20,7 +20,7 @@

Introduction

Authentication Mechanisms

At this writing, the underlying Cyrus SASL library supports a -variety of SASL mechanisms, including CRAM-MD5, DIGEST-MD5, KERBEROS_V4, +variety of SASL mechanisms, including PLAIN, SCRAM-SHA-1, SCRAM-SHA-256 and GSSAPI. The Cyrus IMAP, POP, and LMTP servers also support STARTTLS using client-side certificates and the EXTERNAL authentication method. @@ -113,69 +113,6 @@

Shadow Passwords

Kerberos

-

Configuring Kerberos v4

- -

Cyrus IMAP supports Kerberos v4 if the SASL library was compiled -with KERBEROS_V4 support.

- -

You'll have to -create a Kerberos v4 identity for the server and add the server's key to -the "srvtab" file. The file must be readable by the cyrus -user. The server's Kerberos identity is "imap.HOST@REALM", -where "HOST" is the first component of the machine's host -name and "REALM" is the machine's Kerberos realm.

- -
    -
  1. Here is a sample session, creating a srvtab file for the -host named "foobar": - -
    -   ksrvutil -f /var/imap/srvtab add
    -
    - -

    Here is the information "ksrvutil" requests. Respond by -filling in values or by pressing RETURN. In this example, -the host name is "foobar" and the realm is -"ANDREW.CMU.EDU".

    - -
    -   Name: imap
    -   Instance: foobar
    -   Realm: ANDREW.CMU.EDU
    -   Version number:
    -   New principal: imap.foobar@ANDREW.CMU.EDU; version 0
    -   Is this correct? (y,n) [y]
    -   Password:
    -   Verifying, please re-enter Password:
    -   Key successfully added.
    -   Would you like to add another key? (y,n) [y] n
    -
  2. - -
  3. If you plan to install Kerberized POP, create the Kerberos -identity "pop.HOST@REALM" and add the key to the "srvtab" -file. Likewise, if you plan on using LMTP over TCP, create the -Kerberos identity "lmtp.HOST@REALM" and add the key to the -"srvtab" file.

  4. - -
  5. Make the "srvtab" file owned by the cyrus user: -

    -   chown cyrus /var/imap/srvtab
    -
  6. - -
  7. Add the option srvtab option to /etc/imapd.conf: -
       srvtab: /var/imap/srvtab
  8. - -
  9. Test using imtest -m KERBEROS_V4. imtest will -attempt to authorize as the current Unix user regardless of the -current ticket's held. Override this with the -u option.
  10. -
- -

Troubleshooting Kerberos_V4 problems

- -

Run the program "krbck" (found in the imap -directory) as the cyrus user on the IMAP server. This program will -diagnose some common Kerberos v4 configuration errors.

-

Configuring Kerberos v5

Cyrus IMAP supports Kerberos v5 if the SASL library was compiled diff --git a/doc/legacy/install-compile.html b/doc/legacy/install-compile.html index a3a0badc20..52f9d2269f 100644 --- a/doc/legacy/install-compile.html +++ b/doc/legacy/install-compile.html @@ -69,9 +69,6 @@

Options to configure

--help
Print a summary of the options to "configure", and exit.

-

--with-krb=PATH -
Specifies where to find the Kerberos library.

-

--with-com_err=PATH
Specifies where to find the com_err environment.

diff --git a/doc/legacy/install-murder.html b/doc/legacy/install-murder.html index 6b426720a1..181c902ba2 100644 --- a/doc/legacy/install-murder.html +++ b/doc/legacy/install-murder.html @@ -203,7 +203,7 @@

Configuring the frontends

If your SASL mechanism does not require authnames or passwords (e.g. -KERBEROS_V4), then this is not required. Note that we used the same +GSSAPI), then this is not required. Note that we used the same authname as the configured in the proxyservers line in the backend's imapd.conf above.

diff --git a/doc/legacy/install-sieve.html b/doc/legacy/install-sieve.html index 49dff9d722..6d8909ed48 100644 --- a/doc/legacy/install-sieve.html +++ b/doc/legacy/install-sieve.html @@ -65,7 +65,7 @@

Testing the sieve server

Escape character is '^]'. "IMPLEMENTATION" "Cyrus timsieved v3.8.3" "VERSION" "1.0" - "SASL" "ANONYMOUS PLAIN KERBEROS_V4 GSSAPI" + "SASL" "ANONYMOUS PLAIN GSSAPI" "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress regex" "NOTIFY" "mailto" "UNAUTHENTICATE" diff --git a/doc/legacy/install-testing.html b/doc/legacy/install-testing.html index 0c9cba7e48..cfd33b59f6 100644 --- a/doc/legacy/install-testing.html +++ b/doc/legacy/install-testing.html @@ -55,11 +55,9 @@

Testing the IMAP Server

If your server is running, you'll get the following message:
    % /usr/local/bin/imtest -m login foobar
-   S: * OK mail1.andrew.cmu.edu Cyrus IMAP4 v2.0.0 server ready
+   S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] mail1.andrew.com Cyrus IMAP 3.8.3 server ready
    C: C01 CAPABILITY
-   S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
-   X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME AUTH=GSSAPI AUTH=ANONYMOUS
-   AUTH=KERBEROS_V4 UNSELECT
+   S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL ANNOTATE-EXPERIMENT-1 BINARY CATENATE CHILDREN CONDSTORE CREATE-SPECIAL-USE ESEARCH ESORT LIST-EXTENDED LIST-MYRIGHTS LIST-STATUS MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND MULTISEARCH NAMESPACE OBJECTID QRESYNC QUOTA RIGHTS=kxten SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDPLUS UNSELECT URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1 LIST-METADATA NO_ATOMIC_RENAME SCAN SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION X-SIEVE-MAILBOX X-REPLICATION-ARCHIVE XLIST XMOVE AUTH=PLAIN AUTH=GSSAPI AUTH=GS2-KRB5 AUTH=GS2-IAKERB SASL-IR XCONVERSATIONS COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE APPENDLIMIT=2147483647
    S: C01 OK Completed
    Password:
    + go ahead
@@ -78,18 +76,29 @@ 

Testing the IMAP Server

are listed in the CAPABILITY line:
-  * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
-  X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME AUTH=ANONYMOUS
-  AUTH=KERBEROS_V4 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 UNSELECT
+  * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL ANNOTATE-EXPERIMENT-1
+  BINARY CATENATE CHILDREN CONDSTORE CREATE-SPECIAL-USE ESEARCH ESORT
+  LIST-EXTENDED LIST-MYRIGHTS LIST-STATUS MAILBOX-REFERRALS METADATA
+  MOVE MULTIAPPEND MULTISEARCH NAMESPACE OBJECTID QRESYNC QUOTA
+  RIGHTS=kxten SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY
+  SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES
+  UIDPLUS UNSELECT URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN
+  DIGEST=SHA1 LIST-METADATA NO_ATOMIC_RENAME SCAN SORT=MODSEQ SORT=UID
+  THREAD=REFS X-CREATEDMODSEQ X-REPLICATION X-SIEVE-MAILBOX
+  X-REPLICATION-ARCHIVE XLIST XMOVE AUTH=PLAIN AUTH=GSSAPI
+  AUTH=GS2-KRB5 AUTH=GS2-IAKERB SASL-IR XCONVERSATIONS
+  COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
+  X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
+  APPENDLIMIT=2147483647
   . OK Completed
 
Each of the mechanism names is preceded by a 'AUTH='. For this example -the ANONYMOUS, KERBEROS_V4, DIGEST-MD5, and CRAM-MD5 mechanisms are +the PLAIN, GSSAPI, GS2-KRB5, and GS2-IAKERB mechanisms are available. If a mechanism does not appear that you wish to use, examine the libsasl log messages. Generally, if a mechanism does not appear, it means it failed to initialize. (For example, if the server -is unable to access the srvtab file the KERBEROS_V4 mechanism will +is unable to access the keytab file the GSSAPI mechanism will refuse to load.)

Plaintext login is a special case: the PLAIN SASL mechanism is only diff --git a/doc/legacy/man.html b/doc/legacy/man.html index 1b50c91d35..b6037285a9 100644 --- a/doc/legacy/man.html +++ b/doc/legacy/man.html @@ -31,7 +31,6 @@

Cyrus IMAP Server Man Pages

System Administration diff --git a/doc/legacy/overview.html b/doc/legacy/overview.html index 03018af40d..d959ad2a58 100644 --- a/doc/legacy/overview.html +++ b/doc/legacy/overview.html @@ -290,19 +290,6 @@

Kerberos vs. Unix Authorization

string. If "@realm" is omitted, it defaults to the local realm. -

The file "/etc/krb.equiv" contains mappings between -Kerberos principals. The file contains zero or more lines, each -containing two fields. Any identity matching the first field of a -line is changed to the second identity during canonicalization. For -example, a line in "/etc/krb.equiv" of: - -

-    bovik@REMOTE.COM bovik
-
- -will cause the identity "bovik@REMOTE.COM" to be treated as if -it were the local identity "bovik". -

A site may wish to write their own authorization mechanism, perhaps to implement a local group mechanism. If it does so (by implementing an auth_[whatever] module), it will dictate its own form and meaning @@ -384,7 +371,7 @@

Plaintext Authentication

  • PAM -
  • Kerberos v4 +
  • Kerberos v5 Plaintext passwords are verified by obtaining a ticket for the server's Kerberos identity, to protect against Kerberos server @@ -411,25 +398,23 @@

    Plaintext Authentication

    Kerberos Logins

    -The Kerberos SASL mechanism supports the KERBEROS_V4 +The Kerberos SASL mechanism supports the GSSAPI authentication mechanism. The mechanism requires that a -srvtab file exist in the location given in the -"srvtab" configuration option. The srvtab file must +keytab file exist in the location given in the +"sasl_keytab" configuration option. The keytab file must be readable by the Cyrus server and must contain a -"imap.<host>@<realm>" -service key, where <host> is the first -component of the server's host name and +"<service>/<host>@<realm>" +service key. <host> is the first +component of the server's host name, the FQDN or IP address +(whatever the client uses). <realm> is the server's Kerberos realm. +<service>` is name of the service: imap, +HTTP, sieve.

    The server will permit logins by identities in the local realm and identities in the realms listed in the "loginrealms" option in "/etc/imapd.conf". -

    The file "/etc/krb.equiv" contains mappings between -Kerberos principals. The file contains zero or more lines, each -containing two fields. Any identity matching the first field of a -line is permitted to log in as the identity in the second field. -

    If the "loginuseacl" configuration option is turned on, than any Kerberos identity that is granted the "a" right on the user's INBOX is permitted to log in as that user. diff --git a/doc/legacy/readme.html b/doc/legacy/readme.html index daf8468260..bded3a81d3 100644 --- a/doc/legacy/readme.html +++ b/doc/legacy/readme.html @@ -33,8 +33,8 @@

    Features

    character mapping tables most likely contain errors.

    The server supports any authentication mechanism available from -the SASL library. Currently, support includes: KERBEROS_V4, GSSAPI, -CRAM-MD5, DIGEST-MD5, OTP, PLAIN, and STARTTLS. +the SASL library. Currently, support includes: GSSAPI, SCRAM*, +OTP, PLAIN, and STARTTLS.

    The server supports imaps/pop3s/nntps (IMAP/POP3/NNTP encrypted using SSL). diff --git a/docsrc/assets/man-imtest.rst b/docsrc/assets/man-imtest.rst index 4d7d9a6977..8454779a8e 100644 --- a/docsrc/assets/man-imtest.rst +++ b/docsrc/assets/man-imtest.rst @@ -66,7 +66,7 @@ Options .. option:: -l num, --maxssf=num Maximum protection layer to use (**0**\ =none; **1**\ =integrity; - etc). For example if you are using the KERBEROS_V4 authentication + etc). For example if you are using the GSSAPI authentication mechanism specifying **0** will force imtest to not use any layer and specifying **1** will force it to use the integrity layer. By default the maximum supported protection layer will be used. diff --git a/docsrc/imap/concepts/overview_and_concepts.rst b/docsrc/imap/concepts/overview_and_concepts.rst index 84752cc920..fc06fa0e27 100644 --- a/docsrc/imap/concepts/overview_and_concepts.rst +++ b/docsrc/imap/concepts/overview_and_concepts.rst @@ -203,7 +203,7 @@ Plaintext Authentication The SASL library has several ways of verifying plaintext passwords. Plaintext passwords are passed either by the IMAP ``LOGIN`` command or by the SASL ``PLAIN`` mechanism (under a TLS layer). * PAM -* Kerberos v4: Plaintext passwords are verified by obtaining a ticket for the server's Kerberos identity, to protect against Kerberos server spoofing attacks. +* GSSAPI: Plaintext passwords are verified by obtaining a ticket for the server's Kerberos identity, to protect against Kerberos server spoofing attacks. * ``/etc/passwd`` * ``/etc/shadow``: ``sasl_auto_transition`` automatically creates secrets for shared secret authentication when given a password. 
@@ -215,12 +215,10 @@ To disallow the use of plaintext passwords for authentication, you can set ``all Kerberos Logins =============== -The Kerberos SASL mechanism supports the ``KERBEROS_V4`` authentication mechanism. The mechanism requires that a ``srvtab`` file exist in the location given in the ``srvtab`` configuration option. The ``srvtab`` file must be readable by the Cyrus server and must contain a ``imap.$host@$realm`` service key, where ``$host`` is the first component of the server's host name and ``$realm`` is the server's Kerberos realm. +The Kerberos SASL mechanism supports the ``GSSAPI`` authentication mechanism. The mechanism requires that a ``keytab`` file exist in the location given in the ``sasl_keytab`` configuration option. The ``keytab`` file must be readable by the Cyrus server and must contain a ``$service/$host@$realm`` service key. ``$host`` is the first component of the server's host name, the FQDN or IP address (whatever the client uses). ``$realm`` is the server's Kerberos realm. ``$service`` is name of the service: ``imap``, ``HTTP``, ``sieve``. The server will permit logins by identities in the local realm and identities in the realms listed in the ``loginrealms`` option in :cyrusman:`imapd.conf(5)`. -The file ``/etc/krb.equiv`` contains mappings between Kerberos principals. The file contains zero or more lines, each containing two fields. Any identity matching the first field of a line is permitted to log in as the identity in the second field. - If the ``loginuseacl`` configuration option is turned on, than any Kerberos identity that is granted the ``a`` right on the user's ``INBOX`` is permitted to log in as that user. Shared Secrets Logins diff --git a/docsrc/imap/developer/compiling.rst b/docsrc/imap/developer/compiling.rst index e9f5032352..cf07eb82d5 100644 --- a/docsrc/imap/developer/compiling.rst +++ b/docsrc/imap/developer/compiling.rst 
@@ -117,10 +117,10 @@ SASL Authentication to pass Cyrus IMAP's PLAIN authentication unit tests." `sasl binaries`_, sasl2-bin, sasl2-bin, "no", "Administration tools for managing SASL." - `Kerberos`_, libsasl2-modules-gssapi-mit, krb5-devel, "yes/no", "Development + `Kerberos`_, libsasl2-modules-gssapi-mit, krb5-devel, "no", "Development headers required to enable Kerberos v5 authentication capabilities, also known as the authentication mechanism *GSSAPI*. Configure option: - ``--with-krbimpl=mit``." + ``--with-gss_impl=mit``." Alternate database formats ########################## diff --git a/docsrc/imap/reference/admin/access-control/identifiers.rst b/docsrc/imap/reference/admin/access-control/identifiers.rst index 56d304d12c..07630fb9ca 100644 --- a/docsrc/imap/reference/admin/access-control/identifiers.rst +++ b/docsrc/imap/reference/admin/access-control/identifiers.rst @@ -83,18 +83,6 @@ Using the Kerberos authorization mechanism, ACIs are of the form: If ``$instance`` is omitted, it defaults to the null string. If ``$realm`` is omitted, it defaults to the local realm. -The file ``/etc/krb.equiv`` contains mappings between Kerberos -principals. The file contains zero or more lines, each containing two -fields. Any identity matching the first field of a line is changed to -the second identity during canonicalization. For example, a line in -``/etc/krb.equiv`` of: - -:: - - bovik@REMOTE.COM bovik - -will cause the identity ``bovik@REMOTE.COM`` to be treated as if it -were the local identity ``bovik``. Alternative Authorization ^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docsrc/imap/reference/admin/murder/murder-concepts.rst b/docsrc/imap/reference/admin/murder/murder-concepts.rst index 6e3c469b27..1d0075b2af 100644 --- a/docsrc/imap/reference/admin/murder/murder-concepts.rst +++ b/docsrc/imap/reference/admin/murder/murder-concepts.rst 
@@ -190,7 +190,7 @@ Authentication The user authenticates to the frontend server via any supported SASL mechanism or via plaintext. If authentication is successful, the front end server will authenticate to the backend server using a SASL -mechanism (in our case KERBEROS_V4 or GSSAPI) as a privileged user. This +mechanism (in our case GSSAPI) as a privileged user. This user is able to switch to the authorization of the actual user being proxied for and any authorization checks happen as if the user actually authenticated directly to the backend server. Note this is a native diff --git a/docsrc/imap/reference/admin/murder/murder-installation.rst b/docsrc/imap/reference/admin/murder/murder-installation.rst index f26b7c9ab3..fa6756f7e3 100644 --- a/docsrc/imap/reference/admin/murder/murder-installation.rst +++ b/docsrc/imap/reference/admin/murder/murder-installation.rst @@ -225,7 +225,7 @@ auth name of ``mailproxy``:: proxy_authname: mailproxy For SASL mechanisms not using authnames or passwords (e.g. -KERBEROS_V4), the password options are not required. Note the use of +GSSAPI), the password options are not required. Note the use of the same authname as configured in the proxyservers line of the backend's :cyrusman:`imapd.conf(5)` above. diff --git a/docsrc/imap/reference/admin/sieve.rst b/docsrc/imap/reference/admin/sieve.rst index 4ae4569e2c..7f9579feae 100644 --- a/docsrc/imap/reference/admin/sieve.rst +++ b/docsrc/imap/reference/admin/sieve.rst @@ -128,7 +128,7 @@ If your server is running, you'll get a message similar to the following one:: Escape character is '^]'. "IMPLEMENTATION" "Cyrus timsieved v3.8.3" "VERSION" "1.0" - "SASL" "ANONYMOUS PLAIN KERBEROS_V4 GSSAPI" + "SASL" "ANONYMOUS PLAIN GSSAPI" "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress regex" "NOTIFY" "mailto" "UNAUTHENTICATE" 
diff --git a/docsrc/imap/reference/manpages/configs/krb.equiv.rst b/docsrc/imap/reference/manpages/configs/krb.equiv.rst
deleted file mode 100644
index c1b2c4eb5c..0000000000
--- a/docsrc/imap/reference/manpages/configs/krb.equiv.rst
+++ /dev/null
@@ -1,47 +0,0 @@
-.. cyrusman:: krb.equiv(5)
-
-.. author: Nic Bernstein (Onlight)
-
-.. _imap-reference-manpages-configs-krb.equiv:
-
-=============
-**krb.equiv**
-=============
-
-Kerberos equivalences
-
-Description
-===========
-
-**krb.equiv** contains zero or more lines, each of which describes a
-mapping of a kerberos principal (*userid@host*) to a local user
-(*userid* or alias). Each line of the file consists of two fields,
-separated by at least one whitespace character; other blanks are
-ignored. The first field is the kerberos principal name to remap, and
-the second is the name of the corresponding local user.
-
-Examples
-========
-
-Sample file contents:
-
- ::
-
- tyq4@ANDY.CMU.EDU tyq4
- tyq4@DEANNA.ORG tyq4
- ty347@ECE.CMU.EDU tyq4
- jj12@ANDY.CMU.EDU tick
- tick@DEANNA.ORG tick
- jy9o@ANDY.CMU.EDU jyager
- jyager@CS.CMU.EDU jyager
-
-Files
-=====
-
-/etc/imapd.conf,
-/krb.equiv
-
-See Also
-========
-
-:cyrusman:`imapd.conf(5)`
diff --git a/imap/cyr_buildinfo.c b/imap/cyr_buildinfo.c
index 0bcef7dc1a..cff2c95bae 100644
--- a/imap/cyr_buildinfo.c
+++ b/imap/cyr_buildinfo.c
@@ -130,11 +130,6 @@ static json_t *buildinfo()
 #else
 json_object_set_new(component, "httpd", json_false());
 #endif
-#ifdef HAVE_KRB
- json_object_set_new(component, "kerberos_v4", json_true());
-#else
- json_object_set_new(component, "kerberos_v4", json_false());
-#endif
 #ifdef USE_MURDER
 json_object_set_new(component, "murder", json_true());
 #else
diff --git a/imap/global.c b/imap/global.c
index 512e3e9123..342cc40b4c 100644
--- a/imap/global.c
+++ b/imap/global.c
@@ -475,25 +475,20 @@ EXPORTED int mysasl_config(void *context __attribute__((unused)),
 const char **result,
 unsigned *len)
 {
- if (!strcmp(option, "srvtab")) {
- /* we don't transform srvtab! */
- *result = config_getstring(IMAPOPT_SRVTAB);
- } else {
- *result = NULL;
+ *result = NULL;
- if (plugin_name) {
- /* first try it with the plugin name */
- char *opt = strconcat("sasl_", plugin_name, "_", option, (char*)NULL);
- *result = config_getoverflowstring(opt, NULL);
- free(opt);
- }
+ if (plugin_name) {
+ /* first try it with the plugin name */
+ char *opt = strconcat("sasl_", plugin_name, "_", option, (char*)NULL);
+ *result = config_getoverflowstring(opt, NULL);
+ free(opt);
+ }
- if (*result == NULL) {
- /* try without the plugin name */
- char *opt = strconcat("sasl_", option, (char *)NULL);
- *result = config_getoverflowstring(opt, NULL);
- free(opt);
- }
+ if (*result == NULL) {
+ /* try without the plugin name */
+ char *opt = strconcat("sasl_", option, (char *)NULL);
+ *result = config_getoverflowstring(opt, NULL);
+ free(opt);
 }
 if (*result != NULL) {
diff --git a/imap/version.c b/imap/version.c
index b81f920561..c79c2c696b 100644
--- a/imap/version.c
+++ b/imap/version.c
@@ -44,9 +44,6 @@
 #include
 #include
-#ifdef HAVE_KRB
-#include
-#endif
 #include
 #include "version.h"
@@ -158,10 +155,6 @@ EXPORTED void id_response(struct protstream *pout)
 "; lock = %s", lock_method_desc);
 snprintf(env_buf + strlen(env_buf), MAXIDVALUELEN - strlen(env_buf),
 "; nonblock = %s", nonblock_method_desc);
-#ifdef HAVE_KRB
- snprintf(env_buf + strlen(env_buf), MAXIDVALUELEN - strlen(env_buf),
- " (%s)", krb4_version);
-#endif
 if (idle_method_desc)
 snprintf(env_buf + strlen(env_buf), MAXIDVALUELEN - strlen(env_buf),
 "; idle = %s", idle_method_desc);
diff --git a/lib/auth.c b/lib/auth.c
index 45a0d3bd4a..db92b89819 100644
--- a/lib/auth.c
+++ b/lib/auth.c
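Review bot: With the `srvtab` branch gone, the rest of `mysasl_config` answers every plugin option only from `sasl_<plugin>_<option>` and then `sasl_<option>`, but the hunk leaves that contract implicit in two inline comments. A short comment above `*result = NULL;` would make the lookup order and the mandatory prefix explicit, for example `/* Options are resolved as sasl_<plugin>_<option>, then sasl_<option>; nothing is read without the sasl_ prefix. */`. That matters on upgrade, because a bare `srvtab:` line that the removed branch honoured through `IMAPOPT_SRVTAB` is no longer consulted here. The function starts above the hunk and continues past `if (*result != NULL) {`, so a header comment that still mentions srvtab would not be visible and may need the same update.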
@@ -52,9 +52,6 @@ struct auth_mech *auth_mechs[] = {
 &auth_unix,
 &auth_pts,
 &auth_mboxgroups,
-#ifdef HAVE_KRB
- &auth_krb,
-#endif
 #ifdef HAVE_GSSAPI_H
 &auth_krb5,
 #endif
diff --git a/lib/auth.h b/lib/auth.h
index abe50c24e5..20decd1a71 100644
--- a/lib/auth.h
+++ b/lib/auth.h
@@ -65,7 +65,6 @@ extern struct auth_mech *auth_mechs[];
 * if libcyrus was not built with support for them */
 extern struct auth_mech auth_unix;
 extern struct auth_mech auth_pts;
-extern struct auth_mech auth_krb;
 extern struct auth_mech auth_krb5;
 extern struct auth_mech auth_mboxgroups;
diff --git a/lib/auth_krb.c b/lib/auth_krb.c
deleted file mode 100644
index bc7cc2182d..0000000000
--- a/lib/auth_krb.c
+++ /dev/null
@@ -1,433 +0,0 @@ -/* auth_krb.c -- Kerberos authorization - * - * Copyright (c) 1994-2008 Carnegie Mellon University. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. The name "Carnegie Mellon University" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For permission or any legal - * details, please contact - * Carnegie Mellon University - * Center for Technology Transfer and Enterprise Creation - * 4615 Forbes Avenue - * Suite 302 - * Pittsburgh, PA 15213 - * (412) 268-7393, fax: (412) 268-7395 - * innovation@andrew.cmu.edu - * - * 4. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by Computing Services - * at Carnegie Mellon University (http://www.cmu.edu/computing/)." - * - * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO - * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE - * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN - * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
- */ - -#include -#include -#include - -#include "auth.h" -#include "xmalloc.h" -#include "util.h" - -#ifdef HAVE_KRB - -#include -#include -#include -#include -#include - -#include -#include - -#ifndef KRB_MAPNAME -#define KRB_MAPNAME (SYSCONF_DIR "/krb.equiv") -#endif - -struct auth_state { - char userid[MAX_K_NAME_SZ+1]; - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; -}; - -static struct auth_state auth_anonymous = { - "anonymous", "anonymous", "", "" -}; - - - -static int parse_krbequiv_line (const char *src, - char *principal, char *localuser); -static char *auth_map_krbid (const char *real_aname, const char *real_inst, - const char *real_realm); - -/* - * Determine if the user is a member of 'identifier' - * Returns one of: - * 0 User does not match identifier - * 1 identifier matches everybody - * 2 User is in the group that is identifier - * 3 User is identifer - */ -static int mymemberof(const struct auth_state *auth_state, const char *identifier) -{ - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - - if (!auth_state) auth_state = &auth_anonymous; - - if (strcmp(identifier, "anyone") == 0) return 1; - - if (strcmp(identifier, auth_state->userid) == 0) return 3; - - /* "anonymous" is not a member of any group */ - if (strcmp(auth_state->userid, "anonymous") == 0) return 0; - - aname[0] = inst[0] = realm[0] = '\0'; - if (kname_parse(aname, inst, realm, (char *) identifier) != 0) { - return 0; - } - - if (strcmp(aname, auth_state->aname) != 0 && strcmp(aname, "*") != 0) { - return 0; - } - if (strcmp(inst, auth_state->inst) != 0 && strcmp(inst, "*") != 0) { - return 0; - } - if (strcmp(realm, auth_state->realm) != 0 && strcmp(realm, "*") != 0) { - return 0; - } - return 2; -} - -/* - * Parse a line 'src' from an /etc/krb.equiv file. - * Sets the buffer pointed to by 'principal' to be the kerberos - * identity and sets the buffer pointed to by 'localuser' to - * be the local user. 
Both buffers must be of size one larger than - * MAX_K_NAME_SZ. Returns 1 on success, 0 on failure. - */ -static int -parse_krbequiv_line(const char *src, char *principal, char *localuser) -{ - int i; - - while (Uisspace(*src)) src++; - if (!*src) return 0; - - for (i = 0; *src && !Uisspace(*src); i++) { - if (i >= MAX_K_NAME_SZ) return 0; - *principal++ = *src++; - } - *principal = 0; - - if (!Uisspace(*src)) return 0; /* Need at least one separator */ - while (Uisspace(*src)) src++; - if (!*src) return 0; - - for (i = 0; *src && !Uisspace(*src); i++) { - if (i >= MAX_K_NAME_SZ) return 0; - *localuser++ = *src++; - } - *localuser = 0; - return 1; -} - -/* - * Map a remote kerberos principal to a local username. If a mapping - * is found, a pointer to the local username is returned. Otherwise, - * a NULL pointer is returned. - * Eventually, this may be more sophisticated than a simple file scan. - */ -static char *auth_map_krbid(real_aname, real_inst, real_realm) -const char *real_aname; -const char *real_inst; -const char *real_realm; -{ - static char localuser[MAX_K_NAME_SZ + 1]; - char principal[MAX_K_NAME_SZ + 1]; - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - char lrealm[REALM_SZ]; - char krbhst[256]; - char *p; - char buf[1024]; - FILE *mapfile; - - if (!(mapfile = fopen(KRB_MAPNAME, "r"))) { - /* If the file can't be opened, don't do mappings */ - return 0; - } - - for (;;) { - if (!fgets(buf, sizeof(buf), mapfile)) break; - if (parse_krbequiv_line(buf, principal, localuser) == 0 || - kname_parse(aname, inst, realm, principal) != 0) { - /* Ignore badly formed lines */ - continue; - } - if (!strcmp(aname, real_aname) && !strcmp(inst, real_inst) && - !strcmp(realm, real_realm)) { - fclose(mapfile); - - aname[0] = inst[0] = realm[0] = '\0'; - if (kname_parse(aname, inst, realm, localuser) != 0) { - return 0; - } - - /* Upcase realm name */ - for (p = realm; *p; p++) { - if (Uislower(*p)) *p = toupper(*p); - } - - if (*realm) { - if 
(krb_get_lrealm(lrealm,1) == 0 && - strcmp(lrealm, realm) == 0) { - *realm = 0; - } - else if (krb_get_krbhst(krbhst, realm, 1)) { - return 0; /* Unknown realm */ - } - } - - strcpy(localuser, aname); - if (*inst) { - strcat(localuser, "."); - strcat(localuser, inst); - } - if (*realm) { - strcat(localuser, "@"); - strcat(localuser, realm); - } - - return localuser; - } - } - - fclose(mapfile); - return 0; -} - -/* - * Convert 'identifier' into canonical form. - * Returns a pointer to a static buffer containing the canonical form - * or NULL if 'identifier' is invalid. - */ -static const char *mycanonifyid(const char *identifier, size_t len) -{ - static char retbuf[MAX_K_NAME_SZ+1]; - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - char lrealm[REALM_SZ]; - char krbhst[256]; - char *canon_buf; - char *p; - - if(!len) len = strlen(identifier); - - canon_buf = malloc(len + 1); - if(!canon_buf) return 0; - memcpy(canon_buf, identifier, len); - canon_buf[len] = '\0'; - - aname[0] = inst[0] = realm[0] = '\0'; - if (kname_parse(aname, inst, realm, canon_buf) != 0) { - free(canon_buf); - return 0; - } - - free(canon_buf); - - /* Upcase realm name */ - for (p = realm; *p; p++) { - if (Uislower(*p)) *p = toupper(*p); - } - - if (*realm) { - if (krb_get_lrealm(lrealm,1) == 0 && - strcmp(lrealm, realm) == 0) { - *realm = 0; - } - else if (krb_get_krbhst(krbhst, realm, 1)) { - return 0; /* Unknown realm */ - } - } - - /* Check for krb.equiv remappings. */ - if ((p = auth_map_krbid(aname, inst, realm)) ) { - strcpy(retbuf, p); - return retbuf; - } - - strcpy(retbuf, aname); - if (*inst) { - strcat(retbuf, "."); - strcat(retbuf, inst); - } - if (*realm) { - strcat(retbuf, "@"); - strcat(retbuf, realm); - } - - return retbuf; -} - -/* - * Set the current user to 'identifier'. 'cacheid', if non-null, - * points to a 16-byte binary key to cache identifier's information - * with. 
- */ -static struct auth_state *mynewstate(const char *identifier) -{ - struct auth_state *newstate; - - identifier = auth_canonifyid(identifier, 0); - if (!identifier) return 0; - - newstate = (struct auth_state *)xmalloc(sizeof(struct auth_state)); - - strcpy(newstate->userid, identifier); - newstate->aname[0] = newstate->inst[0] = newstate->realm[0] = '\0'; - kname_parse(newstate->aname, newstate->inst, newstate->realm, (char *) identifier); - - return newstate; -} - -static void myfreestate(struct auth_state *auth_state) -{ - free((char *)auth_state); -} - -static char *make_krb_wildcard(const char *aname, const char *inst, const char *realm) -{ - return strconcat( - (aname ? aname : "*"), - ".", - (inst ? inst : "*"), - "@", - (realm ? realm : "*"), - NULL - ); -} - -/* KRB4 groups are just principals with wildcarded components. - * XXX This hasn't even been so much as compile-tested for lack of - * a kerberos test environment! If you use this, please provide - * feedback. - */ -static strarray_t *mygroups(const struct auth_state *auth_state) -{ - strarray_t *sa = strarray_new(); - char *tmp = NULL; - - /* *.*@* */ - tmp = make_krb_wildcard(NULL, NULL, NULL); - strarray_appendm(sa, tmp); - - /* *.*@realm */ - if (auth_state->realm) { - tmp = make_krb_wildcard(NULL, NULL, auth_state->realm); - strarray_appendm(sa, tmp); - } - - /* *.inst@* */ - if (auth_state->inst) { - tmp = make_krb_wildcard(NULL, auth_state->inst, NULL); - strarray_appendm(sa, tmp); - if (auth_state->realm) { - tmp = make_krb_wildcard(NULL, auth_state->inst, auth_state->realm); - strarray_appendm(sa, tmp); - } - } - - /* aname.*@* */ - if (auth_state->aname) { - tmp = make_krb_wildcard(auth_state->aname, NULL, NULL); - strarray_appendm(sa, tmp); - if (auth_state->realm) { - tmp = make_krb_wildcard(auth_state->aname, NULL, auth_state->realm); - strarray_appendm(sa, tmp); - } - if (auth_state->inst) { - tmp = make_krb_wildcard(auth_state->aname, auth_state->inst, NULL); - strarray_appendm(sa, 
tmp); - } - /* n.b. non-wildcard "aname.inst@realm" is NOT a group! */ - } - - return sa; -} - -#else /* HAVE_KRB */ - -static int mymemberof( - const struct auth_state *auth_state __attribute__((unused)), - const char *identifier __attribute__((unused))) -{ - fatal("Authentication mechanism (krb) not compiled in", EX_CONFIG); - return 0; -} - -static const char *mycanonifyid( - const char *identifier __attribute__((unused)), - size_t len __attribute__((unused))) -{ - fatal("Authentication mechanism (krb) not compiled in", EX_CONFIG); - return NULL; -} - -static struct auth_state *mynewstate( - const char *identifier __attribute__((unused))) -{ - fatal("Authentication mechanism (krb) not compiled in", EX_CONFIG); - return NULL; -} - -static void myfreestate( - struct auth_state *auth_state __attribute__((unused))) -{ - fatal("Authentication mechanism (krb) not compiled in", EX_CONFIG); -} - -static strarray_t *mygroups( - const struct auth_state *auth_state __attribute__((unused))) -{ - fatal("Authentication mechanism (krb) not compiled in", EX_CONFIG); -} - -#endif - -HIDDEN struct auth_mech auth_krb = -{ - "krb", /* name */ - - &mycanonifyid, - &mymemberof, - &mynewstate, - &myfreestate, - &mygroups, - NULL, /* refresh*/ -}; diff --git a/lib/imapoptions b/lib/imapoptions index 40fc18858f..9c3fb8c1c2 100644 --- a/lib/imapoptions +++ b/lib/imapoptions @@ -2865,10 +2865,8 @@ product version in the capabilities { "srs_separator", NULL, STRING, "3.1.2" } /* The separator to appear immediately after SRS[01] in rewritten addresses. */ -{ "srvtab", "", STRING, "2.3.17" } -/* The pathname of \fIsrvtab\fR file containing the server's private - key. This option is passed to the SASL library and overrides its - default setting. */ +{ "srvtab", "", STRING, "UNRELEASED", "UNRELEASED" } +/* Deprecated: This option does nothing. */ { "submitservers", NULL, STRING, "2.3.17" } /* A list of users and groups that are allowed to resolve "urlauth=submit+" 
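Review bot: The new description `Deprecated: This option does nothing.` on the `srvtab` entry tells an administrator that the setting is ignored, but not why or what to configure instead. The documentation changed elsewhere in this patch names `sasl_keytab` as the location of the GSSAPI keytab, so the text could read `Deprecated: Kerberos 4 support was removed and this option is ignored; for GSSAPI see sasl_keytab.` The removed description says the srvtab file contains the server's private key, so the text could also note that the now unused file can be deleted.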
diff --git a/notifyd/notify_zephyr.c b/notifyd/notify_zephyr.c
index 529063752b..6ea716f6b7 100644
--- a/notifyd/notify_zephyr.c
+++ b/notifyd/notify_zephyr.c
@@ -50,10 +50,6 @@
 #include
 #include
 #include
-#ifdef HAVE_KRB
-#include
-#include
-#endif
 #include
 #include
@@ -81,7 +77,6 @@ char* notify_zephyr(const char *class, const char *priority,
 char myhost[HOST_NAME_MAX], *mysender = NULL;
 struct buf msgbody = BUF_INITIALIZER;
 char *lines[2];
- char *mykrbhost = NULL;
 if (!*user) return xstrdup("NO zephyr recipient not specified");
@@ -96,10 +91,6 @@ char* notify_zephyr(const char *class, const char *priority,
 }
 myhost[sizeof(myhost)-1] = '\0';
-#ifdef HAVE_KRB
- mykrbhost = krb_get_phost(myhost);
-#endif
-
 if (*mailbox) {
 buf_printf(&msgbody, "You have new mail in %s.\n\n", mailbox);
 }
@@ -112,10 +103,7 @@ char* notify_zephyr(const char *class, const char *priority,
 lines[0] = myhost;
 lines[1] = (char *)buf_cstring(&msgbody);
- mysender = strconcat("imap",
- mykrbhost ? "." : "",
- mykrbhost ? mykrbhost : "",
- "@",
+ mysender = strconcat("imap@",
 ZGetRealm(),
 (char *)NULL);
diff --git a/perl/imap/t/01-imclient.t b/perl/imap/t/01-imclient.t
index 3b4b5bb0ab..ef1a442ee0 100644
--- a/perl/imap/t/01-imclient.t
+++ b/perl/imap/t/01-imclient.t
@@ -112,7 +112,7 @@ $client->processoneevent until $done;
 print "not " unless $didcap;
 print "ok 7\n";
-# if we support kerberos 4 or gssapi auth, log in that way.
+# if we support gssapi auth, log in that way.
 foreach $cap (@caps) {
 $client = Cyrus::IMAP->new($server);
 # this is not fatal because someone might not have e.g. Krb5 tickets
diff --git a/ptclient/afskrb.c b/ptclient/afskrb.c
index 047058d562..01101f245f 100644
--- a/ptclient/afskrb.c
+++ b/ptclient/afskrb.c
@@ -60,11 +60,7 @@
 #include
 #include
-#ifdef AFSPTS_USE_KRB5
 #include
-#else
-#include
-#endif
 #include "auth_pts.h"
 #include "libconfig.h"
@@ -119,8 +115,6 @@ int is_local_realm(const char *realm) return 0; } -#ifdef AFSPTS_USE_KRB5 - /* * Convert 'identifier' into canonical form. * Returns a pointer to a static buffer containing the canonical form 
@@ -251,193 +245,6 @@ static char *afspts_canonifyid(const char *identifier, size_t len) } -#else /* AFSPTS_USE_KRB5 not defined */ - -/* Sanity Check */ -# if PTS_DB_KEYSIZE < MAX_K_NAME_SZ -# error PTS_DB_KEYSIZE is smaller than MAX_K_NAME_SZ -# endif - -/* where is krb.equiv? */ -# ifndef KRB_MAPNAME -# define KRB_MAPNAME (SYSCONF_DIR "/krb.equiv") -# endif - -/* - * Parse a line 'src' from an /etc/krb.equiv file. - * Sets the buffer pointed to by 'principal' to be the kerberos - * identity and sets the buffer pointed to by 'localuser' to - * be the local user. Both buffers must be of size one larger than - * MAX_K_NAME_SZ. Returns 1 on success, 0 on failure. - */ -static int parse_krbequiv_line(const char *src, - char *principal, - char *localuser) -{ - int i; - - while (Uisspace(*src)) src++; - if (!*src) return 0; - - for (i = 0; *src && !Uisspace(*src); i++) { - if (i >= MAX_K_NAME_SZ) return 0; - *principal++ = *src++; - } - *principal = 0; - - if (!Uisspace(*src)) return 0; /* Need at least one separator */ - while (Uisspace(*src)) src++; - if (!*src) return 0; - - for (i = 0; *src && !Uisspace(*src); i++) { - if (i >= MAX_K_NAME_SZ) return 0; - *localuser++ = *src++; - } - *localuser = 0; - return 1; -} - -/* - * Map a remote kerberos principal to a local username. If a mapping - * is found, a pointer to the local username is returned. Otherwise, - * a NULL pointer is returned. - * Eventually, this may be more sophisticated than a simple file scan. 
- */
-static char *auth_map_krbid(const char *real_aname,
- const char *real_inst,
- const char *real_realm)
-{
- static char localuser[MAX_K_NAME_SZ + 1];
- char principal[MAX_K_NAME_SZ + 1];
- char aname[ANAME_SZ];
- char inst[INST_SZ];
- char realm[REALM_SZ];
- char lrealm[REALM_SZ];
- char krbhst[MAX_HSTNM];
- char *p;
- char buf[1024];
- FILE *mapfile;
-
- if (!(mapfile = fopen(KRB_MAPNAME, "r"))) {
- /* If the file can't be opened, don't do mappings */
- return 0;
- }
-
- for (;;) {
- if (!fgets(buf, sizeof(buf), mapfile)) break;
- if (parse_krbequiv_line(buf, principal, localuser) == 0 ||
- kname_parse(aname, inst, realm, principal) != 0) {
- /* Ignore badly formed lines */
- continue;
- }
- if (!strcmp(aname, real_aname) && !strcmp(inst, real_inst) &&
- !strcmp(realm, real_realm)) {
- fclose(mapfile);
-
- aname[0] = inst[0] = realm[0] = '\0';
- if (kname_parse(aname, inst, realm, localuser) != 0) {
- return 0;
- }
-
- /* Upcase realm name */
- for (p = realm; *p; p++) {
- if (Uislower(*p)) *p = toupper(*p);
- }
-
- if (*realm) {
- if (krb_get_lrealm(lrealm,1) == 0 &&
- strcmp(lrealm, realm) == 0) {
- *realm = 0;
- }
- else if (krb_get_krbhst(krbhst, realm, 1)) {
- return 0; /* Unknown realm */
- }
- }
-
- strcpy(localuser, aname);
- if (*inst) {
- strcat(localuser, ".");
- strcat(localuser, inst);
- }
- if (*realm) {
- strcat(localuser, "@");
- strcat(localuser, realm);
- }
-
- return localuser;
- }
- }
-
- fclose(mapfile);
- return 0;
-}
-
-/*
- * Convert 'identifier' into canonical form.
- * Returns a pointer to a static buffer containing the canonical form
- * or NULL if 'identifier' is invalid.
- */ -static char *afspts_canonifyid(const char *identifier, size_t len) -{ - static char retbuf[MAX_K_NAME_SZ+1]; - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - char lrealm[REALM_SZ]; - char krbhst[MAX_HSTNM]; - char *canon_buf; - char *p; - - if(!len) len = strlen(identifier); - - canon_buf = xmalloc(len + 1); - memcpy(canon_buf, identifier, len); - canon_buf[len] = '\0'; - - aname[0] = inst[0] = realm[0] = '\0'; - if (kname_parse(aname, inst, realm, canon_buf) != 0) { - free(canon_buf); - return 0; - } - - free(canon_buf); - - /* Upcase realm name */ - for (p = realm; *p; p++) { - if (Uislower(*p)) *p = toupper(*p); - } - - if (*realm) { - if (krb_get_lrealm(lrealm,1) == 0 && - strcmp(lrealm, realm) == 0) { - *realm = 0; - } - else if (krb_get_krbhst(krbhst, realm, 1)) { - return 0; /* Unknown realm */ - } - } - - /* Check for krb.equiv remappings. */ - p = auth_map_krbid(aname, inst, realm); - if (p) { - strcpy(retbuf, p); - return retbuf; - } - - strcpy(retbuf, aname); - if (*inst) { - strcat(retbuf, "."); - strcat(retbuf, inst); - } - if (*realm && !is_local_realm(realm)) { - strcat(retbuf, "@"); - strcat(retbuf, realm); - } - - return retbuf; -} -#endif /* AFSPTS_USE_KRB5 */ - /* API */ static void myinit(void)