Given how ancient krb4 is, it sounds reasonable to update to the new zephyr. Given your description, it seems like people in k4-only zephyr realms should update to the new zephyr source. But, how hard is it to make krb4 an option, and disable it by default? That way anyone who cares can test/fix, but by default it won't be on.
Attachment:
pgp2BqTy95BIx.pgp
Description: PGP signature