author: Ben Kaduk <kaduk@mit.edu> 2012-10-16 16:03:10 -0400
committer: Ben Kaduk <kaduk@mit.edu> 2012-10-16 17:08:08 -0400
commit: 0bb69fbcc306a3bf28370ac57d7e79120ccc7ce1 (patch)
tree: b726fc059a2775fb966667d17ee3e04c412da712
parent: 0f81e372a2830c9170f6e08dfa956841d0ebdfb1 (diff)
Remove nroff man pages
We generate man pages from RST sources now; they are checked into the tree in src/man/. The gen-manpages directory is no longer needed.
-rw-r--r-- doc/build/directory_org.rst | 1
-rw-r--r-- src/Makefile.in | 2
-rw-r--r-- src/appl/sample/sclient/sclient.M | 38
-rw-r--r-- src/appl/sample/sserver/sserver.M | 130
-rw-r--r-- src/clients/kcpytkt/kcpytkt.M | 37
-rw-r--r-- src/clients/kdeltkt/kdeltkt.M | 37
-rw-r--r-- src/clients/kdestroy/kdestroy.M | 89
-rw-r--r-- src/clients/kinit/kinit.M | 239
-rw-r--r-- src/clients/klist/klist.M | 147
-rw-r--r-- src/clients/kpasswd/kpasswd.M | 74
-rw-r--r-- src/clients/ksu/ksu.M | 481
-rw-r--r-- src/clients/kswitch/kswitch.M | 61
-rw-r--r-- src/clients/kvno/kvno.M | 88
-rw-r--r-- src/config-files/kdc.conf.M | 273
-rw-r--r-- src/config-files/krb5.conf.M | 813
-rw-r--r-- src/configure.in | 2
-rw-r--r-- src/gen-manpages/Makefile.in | 15
-rw-r--r-- src/gen-manpages/deps | 1
-rw-r--r-- src/gen-manpages/dot.k5identity.M | 1
-rw-r--r-- src/gen-manpages/dot.k5login.M | 1
-rw-r--r-- src/gen-manpages/header.doc | 1
-rw-r--r-- src/gen-manpages/k5identity.M | 57
-rw-r--r-- src/gen-manpages/k5login.M | 54
-rw-r--r-- src/gen-manpages/kerberos.M | 163
-rw-r--r-- src/kadmin/cli/k5srvutil.M | 58
-rw-r--r-- src/kadmin/cli/kadmin.M | 979
-rw-r--r-- src/kadmin/cli/kadmin.local.M | 1
-rw-r--r-- src/kadmin/dbutil/kdb5_util.M | 276
-rw-r--r-- src/kadmin/ktutil/ktutil.M | 67
-rw-r--r-- src/kadmin/server/kadmind.M | 281
-rw-r--r-- src/kdc/krb5kdc.M | 199
-rw-r--r-- src/krb5-config.M | 82
-rw-r--r-- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M | 938
-rw-r--r-- src/slave/kprop.M | 67
-rw-r--r-- src/slave/kpropd.M | 162
-rw-r--r-- src/slave/kproplog.M | 96
-rw-r--r-- src/tests/create/kdb5_mkdums.M | 141
37 files changed, 2 insertions, 6150 deletions
diff --git a/doc/build/directory_org.rst b/doc/build/directory_org.rst
index 928c20377a..f3aeeb5098 100644
--- a/doc/build/directory_org.rst
+++ b/doc/build/directory_org.rst
@@ -10,7 +10,6 @@ ccapi Credential cache services
clients Kerberos V5 user programs (See :ref:`user_commands`)
config Configure scripts
config-files Sample Kerberos configuration files
-gen-manpages manpages for Kerberos V5 and the Kerberos V5 login program
include include files needed to build the Kerberos system
kadmin Administrative interface to the Kerberos master database: :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`.
kdc Kerberos V5 Authentication Service and Key Distribution Center
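Review bot: with the gen-manpages row removed, this directory listing no longer says where the man pages live. The commit message says they are now checked into src/man/, so confirm directory_org.rst already has a `man` entry describing the RST-generated pages (none is visible in this hunk's context); otherwise the table silently loses that information and a one-line addition here would fix it.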
diff --git a/src/Makefile.in b/src/Makefile.in
index aac8bfca3e..ea882d3995 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -14,7 +14,7 @@ SUBDIRS=util include lib \
@ldap_plugin_dir@ \
plugins/preauth/pkinit \
kdc kadmin slave clients appl tests \
- config-files gen-manpages man doc @po@
+ config-files man doc @po@
WINSUBDIRS=include util lib ccapi windows clients appl
BUILDTOP=$(REL).
LOCALINCLUDES = -I$(srcdir)
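Review bot: dropping gen-manpages from SUBDIRS is only half of the build-system change. src/configure.in shows 2 changed lines in the diffstat, so check that it removes the matching gen-manpages/Makefile from the generated-files list, and that no other top-level target (clean, install) names the directory explicitly, or a fresh configure will fail on the missing directory. WINSUBDIRS is untouched, which is expected since it never listed gen-manpages.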
diff --git a/src/appl/sample/sclient/sclient.M b/src/appl/sample/sclient/sclient.M
deleted file mode 100644
index 1b5a8d6b7e..0000000000
--- a/src/appl/sample/sclient/sclient.M
+++ /dev/null
@@ -1,38 +0,0 @@
-.\" appl/sample/sclient/sclient.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH SCLIENT 1
-.SH NAME
-sclient \- sample Kerberos version 5 client
-.SH SYNOPSIS
-.B sclient
-.I remotehost
-.br
-.SH DESCRIPTION
-.I sclient
-will contact a sample server (\fIsserver\fR(8)) and authenticate to it
-using Kerberos version 5 tickets, then display the server's response.
-.SH SEE ALSO
-kinit(1), sserver(8)
-.SH BUGS
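Review bot: the diffstat adds nothing under src/man, so the sclient(1) and sserver(8) replacements must already be checked in there; verify both exist before this deletion lands, or the sample programs become undocumented. The page being removed ends in an empty `.SH BUGS` heading; the RST version should not have inherited that.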
diff --git a/src/appl/sample/sserver/sserver.M b/src/appl/sample/sserver/sserver.M
deleted file mode 100644
index 4323fd11be..0000000000
--- a/src/appl/sample/sserver/sserver.M
+++ /dev/null
@@ -1,130 +0,0 @@
-.\" appl/sample/sserver/sserver.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH SSERVER 8
-.SH NAME
-sserver \- sample Kerberos version 5 server
-.SH SYNOPSIS
-.B sserver
-[
-.I \-p
-port ] [
-.I \-S
-keytab ] [
-.I server_port
-]
-.br
-.SH DESCRIPTION
-
-\fIsserver\fP and \fIsclient\fP are a simple demonstration
-client/server application. When \fIsclient\fP connects to
-\fIsserver\fP, it performs a Kerberos authentication, and then
-\fIsserver\fP returns to \fIsclient\fP the Kerberos
-principal which was used for the Kerberos authentication. It makes a
-good test that Kerberos has been successfully installed on a machine.
-.PP
-The service name used by \fIsserver\fP and \fIsclient\fP is
-\fBsample\fP. Hence, \fIsserver\fP will require that there be a keytab
-entry for the service "sample/hostname.domain.name@REALM.NAME". This
-keytab is generated using the
-.IR kadmin(8)
-program. The keytab file is usually installed as "/etc/krb5.keytab".
-.PP
-The
-.B \-S
-option allows for a different keytab than the default.
-.PP
-\fIsserver\fP is normally invoked out of
-.IR inetd(8),
-using a line in
-/etc/inetd.conf that looks like this:
-.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
-.PP
-Since \fBsample\fP is normally not a port defined in /etc/services, you will
-usually have to add a line to /etc/services which looks like this:
-.PP
-sample 13135/tcp
-.PP
-When using \fIsclient,\fP you will first have to have an entry in the Kerberos
-database, by using
-.IR kadmin(8),
-and then you have to get Kerberos
-tickets, by using
-.IR kinit(8).
-Also, if you are running the \fIsclient\fP
-program on a different host than the \fIsserver\fP it will be
-connecting to, be
-sure that both hosts have an entry in /etc/services for the \fBsample\fP tcp
-port, and that the same port number is in both files.
-.PP
-When you run sclient you should see something like this:
-.PP
-sendauth succeeded, reply is:
-.br
-reply len 32, contents:
-.br
-You are nlgilman@JIMI.MIT.EDU
-.br
-.SH COMMON ERROR MESSAGES
-
-1) \fIkinit\fP returns the error:
-.PP
-kinit: Client not found in Kerberos database while getting initial credentials
-.PP
-This means that you didn't create an entry for your username in the
-Kerberos database.
-.PP
-2) \fIsclient\fP returns the error:
-.PP
-unknown service sample/tcp; check /etc/services
-.PP
-This means that you don't have an entry in /etc/services for the
-\fBsample\fP tcp port.
-.PP
-3) \fIsclient\fP returns the error:
-.PP
-connect: Connection refused
-.PP
-This probably means you didn't edit /etc/inetd.conf correctly, or you
-didn't restart \fIinetd\fP after editing inetd.conf.
-.PP
-4) \fIsclient\fP returns the error:
-.PP
-sclient: Server not found in Kerberos database while using sendauth
-.PP
-This means that the "sample/hostname@LOCAL.REALM" service was not
-defined in the Kerberos database; it should be created using \fIkadmin,\fP
-and a keytab file needs to be generated to make the key for that service
-principal available for \fIssclient\fP.
-.PP
-5) \fIsclient\fP returns the error:
-.PP
-sendauth rejected, error reply is:
- " No such file or directory"
-.PP
-This probably means \fIsserver\fP couldn't find the keytab file. It was
-probably not installed in the proper directory.
-.br
-.SH SEE ALSO
-sclient(1), services(5), inetd(8)
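Review bot: this page carries the setup details users actually search for, and a rewrite can easily drop them: the keytab requirement for sample/hostname.domain.name@REALM.NAME with `-S` as the override, the /etc/inetd.conf line (which runs sserver as root, hence its read access to /etc/krb5.keytab), the /etc/services entry, and the five diagnosed error messages. Confirm the RST sserver page preserves all of them, and that the `ssclient` typo in error 4 and the stray `.\" "` comment line were not carried over.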
diff --git a/src/clients/kcpytkt/kcpytkt.M b/src/clients/kcpytkt/kcpytkt.M
deleted file mode 100644
index 11ed939296..0000000000
--- a/src/clients/kcpytkt/kcpytkt.M
+++ /dev/null
@@ -1,37 +0,0 @@
-.\"
-.\" clients/kvnol/kcpytkt.M
-.\" "
-.TH KCPYTKT 1
-.SH NAME
-kcpytkt \- copies one or more service tickets between credentials caches
-.SH SYNOPSIS
-\fBkcpytkt\fP [\fB\-h\fP] [\fB\-c source_ccache\fP] [\fB\-e etype\fP] [\fB\-f flags\fP]
-\fBdest_ccache\fP \fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I kcpytkt
-copies the specified service tickets to the destination credentials cache
-.SH OPTIONS
-.TP
-.B \-c
-specifies the source credentials cache from which service tickets will be.
-copied. if no ccache is specified, the default ccache is used.
-.TP
-.B \-e
-specifies the session key enctype of the service tickets you wish to delete.
-.TP
-.B \-h
-prints a usage statement and exits
-.SH ENVIRONMENT
-.B kcpytkt
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
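Review bot: the text being deleted has copy-paste defects that a replacement should fix rather than copy: the `-e` description says "tickets you wish to delete" on a copy tool, `-f flags` is in the SYNOPSIS but has no OPTIONS entry, and "will be." breaks a sentence in the `-c` entry. Since the diffstat adds no file under src/man, confirm an RST kcpytkt page already exists there; if it does not, this hunk removes the only documentation of the tool.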
diff --git a/src/clients/kdeltkt/kdeltkt.M b/src/clients/kdeltkt/kdeltkt.M
deleted file mode 100644
index a9f369418e..0000000000
--- a/src/clients/kdeltkt/kdeltkt.M
+++ /dev/null
@@ -1,37 +0,0 @@
-.\"
-.\" clients/kvnol/kdeltkt.M
-.\" "
-.TH KDELTKT 1
-.SH NAME
-kdeltkt \- delete one or more service tickets from the credentials cache
-.SH SYNOPSIS
-\fBkdeltkt\fP [\fB\-h\fP] [\fB\-c ccache\fP] [\fB\-e etype\fP] [\fB\-f flags\fP]
-\fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I kdeltkt
-deletes the specified service tickets from the credentials cache
-.SH OPTIONS
-.TP
-.B \-c
-specifies the credentials cache from which service tickets will be deleted.
-if no cache is specified, the default cache is used.
-.TP
-.B \-e
-specifies the session key enctype of the service tickets you wish to delete.
-.TP
-.B \-h
-prints a usage statement and exits
-.SH ENVIRONMENT
-.B kdeltkt
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
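Review bot: same gap as in kcpytkt.M: `-f flags` appears in the SYNOPSIS with no OPTIONS entry explaining it. Check that the RST kdeltkt page either documents `-f` or drops it from the synopsis, and that such a page exists at all, since nothing under src/man is added by this commit.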
diff --git a/src/clients/kdestroy/kdestroy.M b/src/clients/kdestroy/kdestroy.M
deleted file mode 100644
index 4deaa5fde2..0000000000
--- a/src/clients/kdestroy/kdestroy.M
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" clients/kdestroy/kdestroy.M
-.\"
-.\" Copyright 1992 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KDESTROY 1
-.SH NAME
-kdestroy \- destroy Kerberos tickets
-.SH SYNOPSIS
-.B kdestroy
-[\fB\-A\fP] [\fB\-q\fP] [\fB\-c\fP \fIcache_name]
-.br
-.SH DESCRIPTION
-The
-.I kdestroy
-utility destroys the user's active Kerberos authorization tickets by
-writing zeros to the specified credentials cache that contains them. If
-the credentials cache is not specified, the default credentials cache is
-destroyed.
-.SH OPTIONS
-.TP
-.B \-A
-Destroys all caches in the collection, if a cache collection is
-available.
-.B \-q
-Run quietly. Normally
-.B kdestroy
-beeps if it fails to destroy the user's tickets. The
-.B \-q
-flag suppresses this behavior.
-.TP
-\fB\-c\fP \fIcache_name\fP
-use
-.I cache_name
-as the credentials (ticket) cache name and location; if this option is
-not used, the default cache name and location are used.
-.sp
-The default credentials cache may vary between systems. If the
-.SM KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache.
-.PP
-Most installations recommend that you place the
-.I kdestroy
-command in your
-.I .logout
-file, so that your tickets are destroyed automatically when you log out.
-.SH ENVIRONMENT
-.B Kdestroy
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.SH SEE ALSO
-kinit(1), klist(1), krb5(3)
-.SH BUGS
-.PP
-Only the tickets in the specified credentials cache are destroyed.
-Separate ticket caches are used to hold root instance and password
-changing tickets. These should probably be destroyed too, or all of a
-user's tickets kept in a single credentials cache.
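Review bot: two defects in the deleted text should not survive into the RST kdestroy page. The `-q` entry lacks its `.TP`, so it rendered as run-on text after `-A`. More substantively, the DESCRIPTION promises destruction "by writing zeros to the specified credentials cache" while the ENVIRONMENT section in the same hunk describes non-FILE cache types (a DIR collection, and `-A` over a collection); the replacement should describe destruction per cache type rather than promise zero-fill for all of them. The BUGS paragraph about separate root-instance and password-changing caches also reads as stale and deserves a check before being carried forward.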
diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M
deleted file mode 100644
index 0a919c09f1..0000000000
--- a/src/clients/kinit/kinit.M
+++ /dev/null
@@ -1,239 +0,0 @@
-.\" clients/kinit/kinit.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KINIT 1
-.SH NAME
-kinit \- obtain and cache Kerberos ticket-granting ticket
-.SH SYNOPSIS
-.TP
-.B kinit
-.ad l
-[\fB\-V\fP]
-[\fB\-l\fP \fIlifetime\fP] [\fB\-s\fP \fIstart_time\fP]
-[\fB\-r\fP \fIrenewable_life\fP]
-[\fB\-p\fP | \fB\-P\fP]
-[\fB\-f\fP | \fB\-F\fP]
-[\fB\-a\fP]
-[\fB\-A\fP]
-[\fB\-C\fP]
-[\fB\-E\fP]
-[\fB\-v\fP] [\fB\-R\fP]
-[\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
-[\fB\-n\fP]
-[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
-[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
-[\fIprincipal\fP]
-.ad b
-.br
-.SH DESCRIPTION
-.I kinit
-obtains and caches an initial ticket-granting ticket for
-.IR principal .
-.SH OPTIONS
-.TP
-.B \-V
-display verbose output.
-.TP
-\fB\-l\fP \fIlifetime\fP
-requests a ticket with the lifetime
-.IR lifetime .
-The value for
-.I lifetime
-must be followed immediately by one of the following delimiters:
-.sp
-.nf
-.in +.3i
-\fBs\fP seconds
-\fBm\fP minutes
-\fBh\fP hours
-\fBd\fP days
-.in -.3i
-.fi
-.sp
-as in "kinit -l 90m". You cannot mix units; a value of `3h30m' will
-result in an error.
-.sp
-If the
-.B \-l
-option is not specified, the default ticket lifetime (configured by each
-site) is used. Specifying a ticket lifetime longer than the maximum
-ticket lifetime (configured by each site) results in a ticket with the
-maximum lifetime.
-.TP
-\fB\-s\fP \fIstart_time\fP
-requests a postdated ticket, valid starting at
-.IR start_time .
-Postdated tickets are issued with the
-.I invalid
-flag set, and need to be fed back to the kdc before use.
-.TP
-\fB\-r\fP \fIrenewable_life\fP
-requests renewable tickets, with a total lifetime of
-.IR renewable_life .
-The duration is in the same format as the
-.B \-l
-option, with the same delimiters.
-.TP
-.B \-f
-request forwardable tickets.
-.TP
-.B \-F
-do not request forwardable tickets.
-.TP
-.B \-p
-request proxiable tickets.
-.TP
-.B \-P
-do not request proxiable tickets.
-.TP
-.B \-a
-request tickets with the local address[es].
-.TP
-.B \-A
-request address-less tickets.
-.TP
-.B \-C
-requests canonicalization of the principal name.
-.TP
-.B \-E
-treats the principal name as an enterprise name.
-.TP
-.B \-v
-requests that the ticket granting ticket in the cache (with the
-.I invalid
-flag set) be passed to the kdc for validation. If the ticket is within
-its requested time range, the cache is replaced with the validated
-ticket.
-.TP
-.B \-R
-requests renewal of the ticket-granting ticket. Note that an expired
-ticket cannot be renewed, even if the ticket is still within its
-renewable life.
-.TP
-\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-requests a ticket, obtained from a key in the local host's
-.I keytab
-file. The name and location of the keytab file may be specified with
-the
-.B \-t
-.I keytab_file
-option; otherwise the default name and location will be used. By
-default a host ticket is requested but any principal may be
-specified. On a KDC, the special keytab location
-.B KDB:
-can be used to indicate that kinit should open the KDC database and
-look up the key directly. This permits an administrator to obtain
-tickets as any principal that supports password-based authentication.
-.TP
-\fB-n\fP
-Requests anonymous processing. Two types of anonymous principals are
-supported. For fully anonymous Kerberos, configure pkinit on the KDC
-and configure
-.I pkinit_anchors
-in the client's krb5.conf. Then use the
-.B -n
-option with a principal of the form
-.I @REALM
-(an empty principal name followed by the at-sign and a realm name).
-If permitted by the KDC, an anonymous ticket will be returned.
-A second form of anonymous tickets is supported; these realm-exposed
-tickets hide the identity of the client but not the client's realm.
-For this mode, use
-.B kinit -n
-with a normal principal name. If supported by the KDC, the principal
-(but not realm) will be replaced by the anonymous principal.
-As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
-operation.
-.TP
-\fB\-T\fP \fIarmor_ccache\fP
-Specifies the name of a credential cache that already contains a
-ticket. If supported by the KDC, This ccache will be used to armor
-the request so that an attacker would have to know both the key of the
-armor ticket and the key of the principal used for authentication in
-order to attack the request. Armoring also makes sure that the
-response from the KDC is not modified in transit.
-.TP
-\fB\-c\fP \fIcache_name\fP
-use
-.I cache_name
-as the Kerberos 5 credentials (ticket) cache name and location; if this
-option is not used, the default cache name and location are used.
-.sp
-The default credentials cache may vary between systems. If the
-.B KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache. If a principal name is specified and the type of the
-default credentials cache supports a collection (such as the DIR
-type), an existing cache containing credentials for the principal is
-selected or a new one is created and becomes the new primary cache.
-Otherwise, any existing contents of the default cache are destroyed by
-.IR kinit .
-.TP
-\fB\-S\fP \fIservice_name\fP
-specify an alternate service name to use when
-getting initial tickets.
-.TP
-\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
-specify a pre\-authentication attribute and value to be passed to
-pre\-authentication plugins. The acceptable \fIattribute\fP and
-\fIvalue\fP values vary from pre\-authentication plugin to plugin.
-This option may be specified multiple times to specify multiple
-attributes. If no \fIvalue\fP is specified, it is assumed to be
-"yes".
-.sp
-.nf
-The following attributes are recognized by the OpenSSL pkinit
-pre-authentication mechanism:
-.in +.3i
-\fBX509_user_identity\fP=\fIvalue\fP
- specify where to find user's X509 identity information
-\fBX509_anchors\fP=\fIvalue\fP
- specify where to find trusted X509 anchor information
-\fBflag_RSA_PROTOCOL\fP[=yes]
- specify use of RSA, rather than the default Diffie-Hellman protocol
-.in -.3i
-.fi
-.sp
-.SH ENVIRONMENT
-.B Kinit
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.TP
-/etc/krb5.keytab
-default location for the local host's
-.B keytab
-file.
-.SH SEE ALSO
-klist(1), kdestroy(1), kswitch(1), kerberos(1)
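Review bot: three paragraphs in this page are the security-relevant ones and are the easiest to lose in a rewrite: the `-k` text explaining that the special `KDB:` keytab location lets an administrator on the KDC obtain tickets as any password-based principal, the `-n` text distinguishing fully anonymous from realm-exposed tickets (with the "as of release 1.8" limitation), and the `-T armor_ccache` text stating that armoring requires an attacker to know both the armor key and the principal key and protects the KDC reply in transit. Confirm the RST kinit page keeps all three with the same "if supported by the KDC" qualifications, since readers rely on them to judge whether FAST and anonymous PKINIT are actually in effect. Minor: the stray `.TP` before `.B kinit` in the SYNOPSIS should not be reproduced.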
diff --git a/src/clients/klist/klist.M b/src/clients/klist/klist.M
deleted file mode 100644
index 32aed10ac9..0000000000
--- a/src/clients/klist/klist.M
+++ /dev/null
@@ -1,147 +0,0 @@
-.\" clients/klist/klist.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KLIST 1
-.SH NAME
-klist \- list cached Kerberos tickets
-.SH SYNOPSIS
-\fBklist\fP [\fB\-e\fP] [[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP]
-[\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
-[\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
-[\fIcache_name\fP | \fIkeytab_name\fP]
-.br
-.SH DESCRIPTION
-.I Klist
-lists the Kerberos principal and Kerberos tickets held in a credentials
-cache, or the keys held in a
-.B keytab
-file.
-.SH OPTIONS
-.TP
-.B \-e
-displays the encryption types of the session key and the ticket for each
-credential in the credential cache, or each key in the keytab file.
-.TP
-.B \-c
-List tickets held in a credentials cache. This is the default if
-neither
-.B \-c
-nor
-.B \-k
-is specified.
-.TP
-.B \-l
-If a cache collection is available, displays a table summarizing the
-caches present in the collection.
-.TP
-.B \-A
-If a cache collection is available, displays the contents of all of
-the caches in the collection.
-.TP
-.B \-f
-shows the flags present in the credentials, using the following
-abbreviations:
-.sp
-.nf
-.in +.5i
-F \fBF\fPorwardable
-f \fBf\fPorwarded
-P \fBP\fProxiable
-p \fBp\fProxy
-D post\fBD\fPateable
-d post\fBd\fPated
-R \fBR\fPenewable
-I \fBI\fPnitial
-i \fBi\fPnvalid
-H \fBH\fPardware authenticated
-A pre\fBA\fPuthenticated
-T \fBT\fPransit policy checked
-O \fBO\fPkay as delegate
-a \fBa\fPnonymous
-.in -.5i
-.fi
-.TP
-.B \-s
-causes
-.B klist
-to run silently (produce no output), but to still set the exit status
-according to whether it finds the credentials cache. The exit status is
-`0' if
-.B klist
-finds a credentials cache, and `1' if it does not or if the tickets are
- expired.
-.TP
-.B \-a
-display list of addresses in credentials.
-.TP
-.B \-n
-show numeric addresses instead of reverse-resolving addresses.
-.TP
-\fB\-k\fP
-List keys held in a
-.B keytab
-file.
-.TP
-.B \-t
-display the time entry timestamps for each keytab entry in the keytab
-file.
-.TP
-.B \-K
-display the value of the encryption key in each keytab entry in the
-keytab file.
-.TP
-.B \-V
-display the Kerberos version number and exit.
-.PP
-If
-.I cache_name
-or
-.I keytab_name
-is not specified, klist will display the credentials in the default
-credentials cache or keytab file as appropriate. If the
-.B KRB5CCNAME
-environment variable is set, its value is used to name the default
-ticket cache.
-.SH ENVIRONMENT
-.B Klist
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.TP
-/etc/krb5.keytab
-default location for the local host's
-.B keytab
-file.
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
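Review bot: `-V` is described under OPTIONS but missing from the SYNOPSIS, and the `-s` entry has a stray leading space before "expired". Make sure the RST klist page lists `-V` in its synopsis and keeps the exact exit-status contract of `-s` (0 when a credentials cache is found, 1 when it is not found or the tickets are expired), since scripts and login hooks depend on that behaviour.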
diff --git a/src/clients/kpasswd/kpasswd.M b/src/clients/kpasswd/kpasswd.M
deleted file mode 100644
index ea71f383b5..0000000000
--- a/src/clients/kpasswd/kpasswd.M
+++ /dev/null
@@ -1,74 +0,0 @@
-.\" clients/kpasswd/kpasswd.M
-.\"
-.\" Copyright 1995 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KPASSWD 1
-.SH NAME
-kpasswd \- change a user's Kerberos password
-.SH SYNOPSIS
-.B kpasswd
-[\fIprincipal\fP]
-.SH DESCRIPTION
-.PP
-The
-.I kpasswd
-command is used to change a Kerberos principal's password.
-.I Kpasswd
-prompts for the current Kerberos password, which is used to obtain a
-.B changepw
-ticket from the
-.SM KDC
-for the user's Kerberos realm. If
-.B kpasswd
-successfully obtains the
-.B changepw
-ticket, the user is prompted twice for the new password, and the
-password is changed.
-.PP
-If the principal is governed by a policy that specifies the length and/or
-number of character classes required in the new password, the new
-password must conform to the policy. (The five character classes are
-lower case, upper case, numbers, punctuation, and all other characters.)
-.SH OPTIONS
-.TP
-.I principal
-change the password for the Kerberos principal
-.IR principal .
-Otherwise,
-.I kpasswd
-uses the principal name from an existing ccache if there is one; if
-not, the principal is derived from the identity of the user
-invoking the
-.I kpasswd
-command.
-.SH PORTS
-.B kpasswd
-looks first for kpasswd_server = host:port in the [realms] section of
-the krb5.conf file under the current realm. If that is missing,
-.B kpasswd
-looks for the admin_server entry, but substitutes 464 for the port.
-.SH SEE ALSO
-kadmin(8), kadmind(8)
-.SH BUGS
-.PP
-.B kpasswd
-may not work with multi-homed hosts running on the Solaris platform.
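Review bot: the PORTS section (kpasswd_server = host:port under [realms], falling back to the admin_server host with port 464) is the part of this page an operator needs when kpasswd hangs or is blocked by a firewall; confirm the RST kpasswd page preserves it, including the fallback order. The Solaris multi-homed BUGS note should only be dropped if it has been verified obsolete.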
diff --git a/src/clients/ksu/ksu.M b/src/clients/ksu/ksu.M
deleted file mode 100644
index 00e000847a..0000000000
--- a/src/clients/ksu/ksu.M
+++ /dev/null
@@ -1,481 +0,0 @@
-.\" Copyright (c) 1994 by the University of Southern California
-.\"
-.\" EXPORT OF THIS SOFTWARE from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
-.\" this software and its documentation in source and binary forms is
-.\" hereby granted, provided that any documentation or other materials
-.\" related to such distribution or use acknowledge that the software
-.\" was developed by the University of Southern California.
-.\"
-.\" DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The
-.\" University of Southern California MAKES NO REPRESENTATIONS OR
-.\" WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
-.\" limitation, the University of Southern California MAKES NO
-.\" REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
-.\" PARTICULAR PURPOSE. The University of Southern
-.\" California shall not be held liable for any liability nor for any
-.\" direct, indirect, or consequential damages with respect to any
-.\" claim by the user or distributor of the ksu software.
-.\"
-.\" KSU was written by: Ari Medvinsky, ari@isi.edu
-.\" "
-.TH KSU 1
-.SH NAME
-ksu \- Kerberized super-user
-.SH SYNOPSIS
-.B ksu
-[
-.I target_user
-] [
-.B \-n
-.I target_principal_name
-] [
-.B \-c
-.I source_cache_name
-] [
-.B \-k
-] [
-.B \-D
-] [
-.B \-r
-.I time
-] [
-.B \-pf
-] [
-.B \-l
-.I lifetime
-] [
-.B \-zZ
-] [
-.B \-q
-] [
-.B \-e
-.I command
-[
-.I args ...
-] ] [
-.B \-a
-[
-.I args ...
-] ]
-.br
-.SH REQUIREMENTS
-Must have Kerberos version 5 installed to compile ksu.
-Must have a Kerberos version 5 server running to use ksu.
-.br
-.SH DESCRIPTION
-.I ksu
-is a Kerberized version of the su program that has two missions:
-one is to securely change the real and effective user ID to that
-of the target user, and the other is to create a new security context.
-For the sake of clarity, all references to and attributes of
-the user invoking the program will start with 'source' (e.g.
-source user, source cache, etc.). Likewise, all references
-to and attributes of the target account will start with 'target'.
-.br
-.SH AUTHENTICATION
-To fulfill the first mission, ksu operates in two phases: authentication
-and authorization. Resolving the target principal name is the
-first step in authentication. The user
-can either specify his principal name with the
-.B \-n
-option
-(e.g.
-.B \-n
-jqpublic@USC.EDU) or a default principal name will be assigned
-using a heuristic described in the OPTIONS section (see
-.B \-n
-option).
-The target user name must be the first argument to ksu; if not specified
-root is the default. If '.' is specified then the target user will be
-the source user (e.g. ksu .).
-If the source user is root or the target user is the source user, no
-authentication or authorization takes place. Otherwise, ksu looks
-for an appropriate Kerberos ticket in the source cache.
-.PP
-The ticket can either be for
-the end-server
-or a ticket granting ticket (TGT) for the target principal's realm. If the
-ticket for the end-server is already in the cache, it's decrypted and
-verified. If it's not in the cache but the TGT is, the TGT is used to
-obtain the ticket for the end-server. The end-server ticket is then
-verified. If neither ticket is in the cache, but ksu is compiled
-with the GET_TGT_VIA_PASSWD define, the user will be prompted
-for a Kerberos password which will then be used to get a TGT.
-If the user is logged in remotely and
-does not have a secure channel, the password may be exposed.
-If neither ticket is in the cache and GET_TGT_VIA_PASSWD is not defined,
-authentication fails.
-.br
-.SH AUTHORIZATION
-This section describes authorization of the source user when ksu
-is invoked without the
-.B \-e
-option.
-For a description of the
-.B \-e
-option, see the OPTIONS section.
-.PP
-Upon successful authentication, ksu checks whether the target principal
-is authorized to access the target account.
-In the target user's home directory, ksu attempts to access
-two authorization files: .k5login and .k5users. In the .k5login
-file each line contains the name of a
-principal that is authorized to access the account.
-.TP 12
-For example:
-jqpublic@USC.EDU
-.br
-jqpublic/secure@USC.EDU
-.br
-jqpublic/admin@USC.EDU
-.PP
-The format of .k5users is the same, except the
-principal name may be followed by a list of commands that
-the principal is authorized to execute. (see the
-.B \-e
-option in the OPTIONS section for details).
-.PP
-Thus if the target principal
-name is found in the .k5login file the source user is authorized to access
-the target account. Otherwise ksu looks in the .k5users file.
-If the target principal name is found without any trailing commands
-or followed only by '*' then the source user is authorized.
-If either .k5login or .k5users exist but an appropriate entry for the target
-principal does not exist then access is denied. If neither
-file exists then the principal will be granted access
-to the account according to the aname\->lname mapping rules (see
-.IR krb5_anadd(8)
-for more details).
-Otherwise, authorization fails.
-.br
-.SH EXECUTION OF THE TARGET SHELL
-Upon successful authentication and authorization, ksu
-proceeds in a similar fashion to su. The environment
-is unmodified with the exception of USER, HOME and SHELL variables.
-If the target user is not root, USER gets set to the target user
-name. Otherwise USER remains unchanged. Both HOME and SHELL are
-set to the target login's default values.
-In addition, the environment variable KRB5CCNAME gets set to the
-name of the target cache.
-The real and effective user ID are changed to that of the
-target user. The target user's shell is then invoked
-(the shell name is specified in the password file).
-Upon termination of the shell, ksu deletes the target cache (unless
-ksu is invoked with the
-.B \-k option).
-This is implemented by first doing a fork and then an exec, instead
-of just exec, as done by su.
-.br
-.SH CREATING A NEW SECURITY CONTEXT
-.PP
-Ksu can be used to create a new security context for the
-target program (either the target
-shell, or command specified via the -e option).
-The target program inherits a set
-of credentials from the source user.
-By default, this set includes all of the credentials
-in the source cache plus any
-additional credentials obtained during authentication.
-The source user is able to limit the credentials in this set
-by using -z or -Z option.
--z restricts the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name. The -Z option
-provides the target user with a fresh target cache
-(no creds in the cache). Note that for security reasons,
-when the source user is root and target user is non-root,
--z option is the default mode of operation.
-
-While no authentication takes place if the source user
-is root or is the same as the target user, additional
-tickets can still be obtained for the target cache.
-If -n is specified and no credentials can be copied to the target
-cache, the source user is prompted for a Kerberos password
-(unless -Z specified or GET_TGT_VIA_PASSWD is undefined). If
-successful, a TGT is obtained from the Kerberos server and
-stored in the target cache. Otherwise,
-if a password is not provided (user hit return)
-ksu continues in a
-normal mode of operation (the target cache will
-not contain the desired TGT).
-If the wrong password is typed in, ksu fails.
-.PP
-\fISide Note:\fP during authentication, only the tickets that could be
-obtained without providing a password are cached in
-in the source cache.
-.SH OPTIONS
-.TP 10
-\fB\-n \fItarget_principal_name
-Specify a Kerberos target principal name.
-Used in authentication and authorization
-phases of ksu.
-
-If ksu is invoked without
-.B \-n,
-a default principal name is
-assigned via the following heuristic:
-
-\fICase 1:\fP source user is non-root.
-.br
-If the target user is the source user the default principal name
-is set to the default principal of the source cache. If the
-cache does not exist then the default principal name is set to
-target_user@local_realm.
-If the source and target users are different and
-neither ~target_user/.k5users
-nor ~target_user/.k5login exist then
-the default principal name is
-target_user_login_name@local_realm. Otherwise,
-starting with the first principal listed below,
-ksu checks if the principal is authorized
-to access the target account and whether
-there is a legitimate ticket for that principal
-in the source cache. If both conditions are met
-that principal becomes the default target principal,
-otherwise go to the next principal.
-
-a) default principal of the source cache
-.br
-b) target_user@local_realm
-.br
-c) source_user@local_realm
-
-If a-c fails try any principal for which there is
-a ticket in the source cache and that is
-authorized to access the target account.
-If that fails select the first principal that
-is authorized to access the target account from
-the above list.
-If none are authorized and ksu is configured with PRINC_LOOK_AHEAD
-turned on, select the default principal as follows:
-
-For each candidate in the above list,
-select an authorized principal that has
-the same realm name and first part
-of the principal name equal to the prefix of the candidate.
-For example if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU
-is authorized to access the target account then the default principal
-is set to jqpublic/secure@ISI.EDU.
-
-\fICase 2:\fP source user is root.
-.br
-If the target user is non-root then the
-default principal name is target_user@local_realm.
-Else, if the source cache exists the default
-principal name is set to the default principal
-of the source cache. If the source cache does not
-exist, default principal name is set to
-root@local_realm.
-.TP 10
-\fB\-c \fIsource_cache_name
-Specify source cache name (e.g.
-.B \-c
-FILE:/tmp/my_cache).
-If
-.B \-c
-option is not used then the
-name is obtained from KRB5CCNAME environment variable.
-If KRB5CCNAME is not defined the source cache name
-is set to krb5cc_<source uid>.
-The target cache name is automatically
-set to krb5cc_<target uid>.(gen_sym()),
-where gen_sym generates a new number such that
-the resulting cache does not already exist.
-.br
-For example: krb5cc_1984.2
-.TP 10
-\fB\-k
-Do not delete the target cache upon termination of the
-target shell or a command (
-.B \-e
-command).
-Without
-.B \-k,
-ksu deletes the target cache.
-.TP 10
-\fB\-D
-turn on debug mode.
-.TP 10
-\fITicket granting ticket options: -l lifetime -r time -pf\fP
-The ticket granting ticket options only apply to the
-case where there are no appropriate tickets in
-the cache to authenticate the source user. In this case
-if ksu is configured to prompt users for a
-Kerberos password (GET_TGT_VIA_PASSWD is defined),
-the ticket granting
-ticket options that are specified will be used
-when getting a ticket granting ticket from the Kerberos
-server.
-.TP 10
-\fB\-l \fIlifetime
-option specifies the lifetime to be
-requested for the ticket; if this option is not
-specified, the default ticket lifetime
-(configured by each site) is used instead.
-.TP 10
-\fB\-r \fItime
-option specifies that the RENEWABLE option
-should be requested for the ticket, and specifies
-the desired total lifetime of the ticket.
-.TP 10
-\fB\-p
-option specifies that the PROXIABLE option should be
-requested for the ticket.
-.TP 10
-\fB\-f
-option specifies that the FORWARDABLE option should
-be requested for the ticket.
-.TP 10
-\fB\-z
-restrict the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name. Use the
-.B \-n
-option
-if you want the tickets for other then the default
-principal. Note that the
-.B \-z
-option is mutually
-exclusive with the -Z option.
-.TP 10
-\fB\-Z
-Don't copy any tickets from the source cache to the
-target cache. Just create a fresh target cache,
-where the default principal name of the cache is
-initialized to the target principal name. Note that
-.B \-Z
-option is mutually
-exclusive with the -z option.
-.TP 10
-\fB\-q
-suppress the printing of status messages.
-.TP 10
-\fB\-e \fIcommand [args ...]
-ksu proceeds exactly the same as if it was invoked without the
-.B \-e
-option,
-except instead of executing the target shell, ksu executes the
-specified command (Example of usage: ksu bob
-.B \-e
-ls
-.B \-lag).
-
-\fIThe authorization algorithm for -e is as follows:\fP
-
-If the source user is root or source user == target user,
-no authorization takes place and
-the command is executed. If source user id != 0, and ~target_user/.k5users
-file does not exist, authorization fails.
-Otherwise, ~target_user/.k5users file must have an
-appropriate entry for target principal
-to get authorized.
-
-\fIThe .k5users file format:\fP
-
-A single principal entry on each line
-that may be followed by a list of commands that
-the principal is authorized to execute.
-A principal name followed by a '*' means
-that the user is authorized to execute
-any command. Thus, in the following example:
-
-jqpublic@USC.EDU ls mail /local/kerberos/klist
-.br
-jqpublic/secure@USC.EDU *
-.br
-jqpublic/admin@USC.EDU
-
-jqpublic@USC.EDU is only authorized to execute ls, mail
-and klist commands. jqpublic/secure@USC.EDU is authorized
-to execute any command. jqpublic/admin@USC.EDU is not
-authorized to execute any command. Note, that
-jqpublic/admin@USC.EDU is authorized to execute
-the target shell (regular ksu, without the
-.B \-e
-option) but jqpublic@USC.EDU is not.
-
-The commands listed after the principal name must
-be either a full path names or just the program name.
-In the second case, CMD_PATH specifying the location
-of authorized programs must be defined at the
-compilation time of ksu.
-
-\fIWhich command gets executed ?\fP
-
-If the source user is root or
-the target user is the source user or
-the user
-is authorized to execute any command ('*' entry)
-then command can be either a full or a relative
-path leading to the target program.
-Otherwise, the user must specify either a full
-path or just the program name.
-.TP 10
-\fB\-a \fIargs
-specify arguments to be passed to the target shell.
-Note: that all flags and parameters following -a
-will be passed to the shell, thus all options
-intended for ksu must precede
-.B \-a.
-The
-.B \-a
-option can be used to simulate the
-.B \-e
-option if used as follows:
-.B \-a
-.B \-c
-[command [arguments]].
-.B \-c
-is interpreted by the c-shell to execute the command.
-.PP
-.SH INSTALLATION INSTRUCTIONS
-ksu can be compiled with the following 4 flags (see the Imakefile):
-.TP 10
-\fIGET_TGT_VIA_PASSWD\fP
-in case no appropriate tickets are found in the source
-cache, the user will be prompted for a Kerberos
-password. The password is then used to get a
-ticket granting ticket from the Kerberos server.
-The danger of configuring ksu with this macro is
-if the source user is logged in remotely and does not
-have a secure channel, the password may get exposed.
-.TP 10
-\fIPRINC_LOOK_AHEAD\fP
-during the resolution of the default principal name,
-PRINC_LOOK_AHEAD enables ksu to find principal names
-in the .k5users file as described in the OPTIONS section
-(see -n option).
-.TP 10
-\fICMD_PATH\fP
-specifies a list of directories containing programs
-that users are authorized to execute (via .k5users file).
-.TP 10
-\fIHAS_GETUSERSHELL\fP
-If the source user is non-root, ksu insists that
-the target user's shell to be invoked
-is a "legal shell". getusershell(3) is called to obtain
-the names of "legal shells". Note that the target user's
-shell is obtained from the passwd file.
-.TP 10
-SAMPLE CONFIGURATION:
-KSU_OPTS = -DGET_TGT_VIA_PASSWD
--DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
-.TP 10
-PERMISSIONS FOR KSU
-ksu should be owned by root and have the set user id bit turned on.
-.TP 10
-END-SERVER ENTRY
-
-ksu attempts to get a ticket for the end server just as Kerberized
-telnet and rlogin. Thus, there must be an entry for the server in the
-Kerberos database (e.g. host/nii.isi.edu@ISI.EDU). The keytab file must
-be in an appropriate location.
-
-.SH SIDE EFFECTS
-ksu deletes all expired tickets from the source cache.
-.SH AUTHOR OF KSU: GENNADY (ARI) MEDVINSKY
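Review bot: Several security-relevant statements exist only as prose in this deleted page and should be verified against the RST replacement in src/man/ before it goes: the `-z` default when the source user is root and the target is non-root (CREATING A NEW SECURITY CONTEXT), the warning that with GET_TGT_VIA_PASSWD a password typed over an insecure remote channel may be exposed (AUTHENTICATION and INSTALLATION INSTRUCTIONS), the setuid-root requirement under PERMISSIONS FOR KSU, and the .k5users asymmetry in the `-e` description where `jqpublic/admin@USC.EDU` with no trailing commands may get the target shell but not `-e`, while `*` permits any command. The AUTHORIZATION section's cross-reference `.IR krb5_anadd(8)` appears to be dangling (there is no krb5_anadd man page) and should not be carried over as-is; the INSTALLATION INSTRUCTIONS text about an Imakefile and the `KSU_OPTS` sample should also be checked against the current build rather than copied verbatim.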
diff --git a/src/clients/kswitch/kswitch.M b/src/clients/kswitch/kswitch.M
deleted file mode 100644
index 4076975517..0000000000
--- a/src/clients/kswitch/kswitch.M
+++ /dev/null
@@ -1,61 +0,0 @@
-.\" clients/kswitch/kswitch.M
-.\"
-.\" Copyright 2011 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KSWITCH 1
-.SH NAME
-kswitch \- switch primary credential cache
-.SH SYNOPSIS
-\fBkswitch\fP {\fB\-c\fP \fIcachename\fP | \fB\-p\fP \fIprincipal\fP}
-.SH DESCRIPTION
-.I kswitch
-makes the specified credential cache the primary cache for the
-collection, if a cache collection is available.
-.SH OPTIONS
-.TP
-.B \-c
-.I cachename
-directly specifies the credential cache to be made primary.
-.TP
-.B \-p
-.I principal
-causes the cache collection to be searched for a cache containing
-credentials for \fIprincipal\fP. If one is found, that collection is
-made primary.
-.SH ENVIRONMENT
-.B kswitch
-uses the following environment variables:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the default Kerberos 5 credentials (ticket) cache, in the
-form \fItype\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \fBDIR\fP causes caches within the directory to
-be present in the collection.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of Kerberos 5 credentials cache
-([uid] is the decimal UID of the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), klist(1), kerberos(1)
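Review bot: The `-p` option text (`If one is found, that collection is made primary.`) has a wording error: it is the matching cache, not the collection, that becomes primary, as the DESCRIPTION and the `-c` entry say. Since this page is being deleted rather than fixed, check that the RST source for kswitch in src/man/ says "cache" here so the error does not survive the migration.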
diff --git a/src/clients/kvno/kvno.M b/src/clients/kvno/kvno.M
deleted file mode 100644
index ce88a8d630..0000000000
--- a/src/clients/kvno/kvno.M
+++ /dev/null
@@ -1,88 +0,0 @@
-.\" Copyright (C) 1998 by the FundsXpress, INC.
-.\"
-.\" All rights reserved.
-.\"
-.\" Export of this software from the United States of America may require
-.\" a specific license from the United States Government. It is the
-.\" responsibility of any person or organization contemplating export to
-.\" obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of FundsXpress. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. FundsXpress makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.\"
-.\" clients/kvnol/kvno.M
-.\" "
-.TH KVNO 1
-.SH NAME
-kvno \- print key version numbers of Kerberos principals
-.SH SYNOPSIS
-\fBkvno\fP [\fB\-q\fP] [\fB\-h\fP] [\fB-c ccache\fP]\ [\fB\-e etype\fP]
-\fBservice1\fP \fBservice2\fP \fB...\fP
-.br
-.SH DESCRIPTION
-.I Kvno
-acquires a service ticket for the specified Kerberos principals and
-prints out the key version numbers of each.
-.SH OPTIONS
-.TP
-.B \-c ccache
-specifies the name of a credentials cache to use (if not the default)
-.TP
-.B \-e etype
-specifies the enctype which will be requested for the session key of
-all the services named on the command line. This is useful in certain
-backward compatibility situations.
-.TP
-.B \-q
-suppress printing
-.TP
-.B \-h
-prints a usage statement and exits
-.TP
-.B \-P
-specifies that the
-.B service1 service2 ...
-arguments are to be treated as services for which credentials should
-be acquired using constrained delegation. This option is only valid
-when used in conjunction with protocol transition.
-.TP
-.B \-S sname
-specifies that krb5_sname_to_principal() will be used to build
-principal names. If this flag is specified, the
-.B service1 service2 ...
-arguments are interpreted as hostnames (rather than principal names),
-and
-.B sname
-is interpreted as the service name.
-.TP
-.B \-U for_user
-specifies that protocol transition (S4U2Self) is to be used to acquire
-a ticket on behalf of
-.B for_user.
-If constrained delegation is not requested, the service name
-must match the credentials cache client principal.
-.SH ENVIRONMENT
-.B Kvno
-uses the following environment variable:
-.TP "\w'.SM KRB5CCNAME\ \ 'u"
-.SM KRB5CCNAME
-Location of the credentials (ticket) cache.
-.SH FILES
-.TP "\w'/tmp/krb5cc_[uid]\ \ 'u"
-/tmp/krb5cc_[uid]
-default location of the credentials cache ([uid] is the decimal UID of
-the user).
-.SH SEE ALSO
-kinit(1), kdestroy(1), krb5(3)
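Review bot: The SYNOPSIS line (`\fBkvno\fP [\fB\-q\fP] [\fB\-h\fP] [\fB-c ccache\fP] [\fB\-e etype\fP]`) omits the `-P`, `-S sname` and `-U for_user` options that OPTIONS documents further down, so the deleted page was already out of sync with itself; verify the RST replacement lists all of them and keeps the constraint under `-U` that, without constrained delegation, the service name must match the credentials cache client principal, since that is what limits what S4U2Self can be used to request. The header comment path `clients/kvnol/kvno.M` is misspelled, which is moot on deletion.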
diff --git a/src/config-files/kdc.conf.M b/src/config-files/kdc.conf.M
deleted file mode 100644
index 5e2e6506ed..0000000000
--- a/src/config-files/kdc.conf.M
+++ /dev/null
@@ -1,273 +0,0 @@
-.\" Copyright 1995, 2008 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.TH KDC.CONF 5
-.SH NAME
-kdc.conf \- Kerberos V5 KDC configuration file
-.SH DESCRIPTION
-.I kdc.conf
-specifies per-realm configuration data to be used by the Kerberos V5
-Authentication Service and Key Distribution Center (AS/KDC). This
-includes database, key and per-realm defaults.
-.PP
-The
-.I kdc.conf
-file uses the same format as the
-.I krb5.conf
-file. For a basic description of the syntax, please refer to the
-.I krb5.conf
-description.
-.PP
-The following sections are currently used in the
-.I kdc.conf
-file:
-.IP [kdcdefaults]
-Contains parameters which control the overall behaviour of the KDC.
-.IP [realms]
-Contains subsections keyed by Kerberos realm names which describe per-realm
-KDC parameters.
-.SH KDCDEFAULTS SECTION
-The following relations are defined in the
-.I [kdcdefaults]
-section:
-.IP kdc_ports
-This relation lists the ports which the Kerberos server should listen
-on, by default. This list is a comma separated list of integers. If
-this relation is not specified, the compiled-in default is usually
-port 88 and port 750.
-.IP kdc_tcp_ports
-This relation lists the ports on which the Kerberos server should
-listen for TCP connections by default. This list is a comma separated
-list of integers.
-If this relation is not specified, the compiled-in default is not to
-listen for TCP connections at all.
-
-If you wish to change this (which we do not recommend, because the
-current implementation has little protection against denial-of-service
-attacks), the standard port number assigned for Kerberos TCP traffic
-is port 88.
-.IP v4_mode
-This
-.B string
-specifies how the KDC should respond to Kerberos IV packets. Valid
-values for this relation are the same as the valid arguments to the
-.B -4
-flag to
-.BR krb5kdc .
-If this relation is not specified, the compiled-in default of
-.I none
-is used.
-
-.SH REALMS SECTION
-Each tag in the
-.I [realms]
-section of the file names a Kerberos realm. The value of the tag is a
-subsection where the relations in that subsection define KDC parameters for
-that particular realm.
-.PP
-For each realm, the following tags may be specified in the
-.I [realms]
-subsection:
-
-.IP acl_file
-This
-.B string
-specifies the location of the access control list (acl) file that
-kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
-
-.IP database_name
-This
-.B string
-specifies the location of the Kerberos database for this realm.
-
-.IP default_principal_expiration
-This
-.B absolute time string
-specifies the default expiration date of principals created in this realm.
-
-.IP default_principal_flags
-This
-.B flag string
-specifies the default attributes of principals created in this realm.
-The format for the string is a comma-separated list of flags, with '+'
-before each flag to be enabled and '-' before each flag to be
-disabled. The default is for postdateable, forwardable, tgt-based,
-renewable, proxiable, dup-skey, allow-tickets, and service to be
-enabled, and all others to be disabled.
-
-There are a number of possible flags:
-.RS
-.TP
-.B postdateable
-Enabling this flag allows the principal to obtain postdateable tickets.
-.TP
-.B forwardable
-Enabling this flag allows the principal to obtain forwardable tickets.
-.TP
-.B tgt-based
-Enabling this flag allows a principal to obtain tickets based on a
-ticket-granting-ticket, rather than repeating the authentication
-process that was used to obtain the TGT.
-.TP
-.B renewable
-Enabling this flag allows the principal to obtain renewable tickets.
-.TP
-.B proxiable
-Enabling this flag allows the principal to obtain proxy tickets.
-.TP
-.B dup-skey
-Enabling this flag allows the principal to obtain a session key for
-another user, permitting user-to-user authentication for this principal.
-.TP
-.B allow-tickets
-Enabling this flag means that the KDC will issue tickets for this
-principal. Disabling this flag essentially deactivates the principal
-within this realm.
-.TP
-.B preauth
-If this flag is enabled on a client principal, then that principal is
-required to preauthenticate to the KDC before receiving any tickets.
-On a service principal, enabling this flag means that service tickets
-for this principal will only be issued to clients with a TGT that has
-the preauthenticated ticket set.
-.TP
-.B hwauth
-If this flag is enabled, then the principal is required to
-preauthenticate using a hardware device before receiving any tickets.
-.TP
-.B pwchange
-Enabling this flag forces a password change for this principal.
-.TP
-.B service
-Enabling this flag allows the the KDC to issue service tickets for this
-principal.
-.TP
-.B pwservice
-If this flag is enabled, it marks this principal as a password change
-service. This should only be used in special cases, for example, if a
-user's password has expired, the user has to get tickets for that
-principal to be able to change it without going through the normal
-password authentication.
-.RE
-
-.IP dict_file
-This
-.B string
-location of the dictionary file containing strings that are not allowed
-as passwords. If this tag is not set or if there is no policy assigned
-to the principal, then no check will be done.
-
-.IP kadmind_port
-This
-.B port number
-specifies the port on which the kadmind daemon is to listen for this
-realm.
-
-.IP kpasswd_port
-This
-.B port number
-specifies the port on which the kadmind daemon is to listen for this
-realm.
-
-.IP key_stash_file
-This
-.B string
-specifies the location where the master key has been stored with
-.I kdb5_stash.
-
-.IP kdc_ports
-This
-.B string
-specifies the list of ports that the KDC is to listen to for this realm.
-By default, the value of
-.I kdc_ports
-as specified in the
-.I [kdcdefaults]
-section is used.
-
-.IP kdc_tcp_ports
-This
-.B string
-specifies the list of ports that the KDC is to listen to
-for TCP requests for this realm. By default, the value of
-.I kdc_tcp_ports
-as specified in the
-.I [kdcdefaults]
-section is used.
-
-.IP master_key_name
-This
-.B string
-specifies the name of the principal associated with the master key.
-The default value is K/M.
-
-.IP master_key_type
-This
-.B key type string
-represents the master key's key type.
-
-.IP max_life
-This
-.B delta time string
-specifies the maximum time period that a ticket may be valid for in
-this realm.
-
-.IP max_renewable_life
-This
-.B delta time string
-specifies the maximum time period that a ticket may be renewed for in
-this realm.
-
-.IP iprop_enable
-This
-.B boolean
-("true" or "false") specifies whether incremental database propagation
-is enabled. The default is "false".
-
-.IP iprop_master_ulogsize
-This
-.B numeric value
-specifies the maximum number of log entries to be retained for
-incremental propagation. The maximum value is 2500; default is 1000.
-
-.IP iprop_slave_poll
-This
-.B delta time string
-specifies how often the slave KDC polls for new updates from the
-master. Default is "2m" (that is, two minutes).
-
-.IP supported_enctypes
-list of key:salt strings that specifies the default key/salt
-combinations of principals for this realm
-
-.IP reject_bad_transit
-this
-.B boolean
-specifies whether or not the list of transited realms for cross-realm
-tickets should be checked against the transit path computed from the
-realm names and the [capaths] section of its krb5.conf file
-
-.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
-
-.SH SEE ALSO
-krb5.conf(5), krb5kdc(8)
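Review bot: The `kpasswd_port` entry (`specifies the port on which the kadmind daemon is to listen for this realm`) is a copy of the `kadmind_port` text just above it and never says it is the password-change service port; confirm the RST kdc.conf page does not inherit the copy-paste. Two other items to check in the replacement rather than carry over verbatim: the `kdc_tcp_ports` paragraph in [kdcdefaults] advising against enabling TCP because of weak denial-of-service protection, which may no longer reflect the implementation, and the `dict_file` and `supported_enctypes` entries, which are missing their verb (`This string location of the dictionary file ...`, `list of key:salt strings that specifies ...`).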
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
deleted file mode 100644
index af4200c3ba..0000000000
--- a/src/config-files/krb5.conf.M
+++ /dev/null
@@ -1,813 +0,0 @@
-.\" Copyright 1995 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.TH KRB5.CONF 5
-.SH NAME
-krb5.conf \- Kerberos configuration file
-.SH DESCRIPTION
-.I krb5.conf
-contains configuration information needed by the Kerberos V5 library.
-This includes information describing the default Kerberos realm, and the
-location of the Kerberos key distribution centers for known realms.
-.PP
-The
-.I krb5.conf
-file uses an INI-style format. Sections are delimited by square braces;
-within each section, there are relations where tags can be assigned to
-have specific values. Tags can also contain a subsection, which
-contains further relations or subsections. A tag can be assigned to
-multiple values. Here is an example of the INI-style format used by
-.IR krb5.conf :
-
-.sp
-.nf
-.in +1i
-[section1]
- tag1 = value_a
- tag1 = value_b
- tag2 = value_c
-
-[section 2]
- tag3 = {
- subtag1 = subtag_value_a
- subtag1 = subtag_value_b
- subtag2 = subtag_value_c
- }
- tag4 = {
- subtag1 = subtag_value_d
- subtag2 = subtag_value_e
- }
-.in -1i
-.fi
-.sp
-
-.PP
-.I krb5.conf
-can include other files using the directives "include FILENAME" or
-"includedir DIRNAME", which must occur at the beginning of a line.
-FILENAME or DIRNAME should be an absolute path. The named file or
-directory must exist and be readable. Including a directory includes
-all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores. Included profile
-files are syntactically independent of their parents, so each included
-file must begin with a section header.
-
-.PP
-.I krb5.conf
-can cause configuration to be obtained from a loadable profile module
-by placing the directive "module MODULEPATH:RESIDUAL" at the beginning
-of a line before any section headers. MODULEPATH may be relative to
-the library path of the krb5 installation, or it may be an absolute
-path. RESIDUAL is provided to the module at initialization time. If
-.I krb5.conf
-uses a module directive,
-.I kdc.conf
-should also use one if it exists.
-
-.PP
-The following sections are currently used in the
-.I krb5.conf
-file:
-.IP [libdefaults]
-Contains various default values used by the Kerberos V5 library.
-
-.IP [login]
-Contains default values used by the Kerberos V5 login program,
-.IR login.krb5 (8).
-
-.IP [appdefaults]
-Contains default values that can be used by Kerberos V5 applications.
-
-.IP [realms]
-Contains subsections keyed by Kerberos realm names which describe where
-to find the Kerberos servers for a particular realm, and other
-realm-specific information.
-
-.IP [domain_realm]
-Contains relations which map subdomains and domain names to Kerberos
-realm names. This is used by programs to determine what realm a host
-should be in, given its fully qualified domain name.
-
-.IP [logging]
-Contains relations which determine how Kerberos entities are to perform
-their logging.
-
-.IP [capaths]
-Contains the authentication paths used with non-hierarchical
-cross-realm. Entries in the section are used by the client to determine
-the intermediate realms which may be used in cross-realm
-authentication. It is also used by the end-service when checking the
-transited field for trusted intermediate realms.
-
-.IP [dbdefaults]
-Contains default values for database specific parameters.
-
-.IP [dbmodules]
-Contains database specific parameters used by the database library.
-
-.IP [plugins]
-Contains plugin module registration and filtering parameters.
-.PP
-Each of these sections will be covered in more details in the following
-sections.
-.SH LIBDEFAULTS SECTION
-The following relations are defined in the [libdefaults] section:
-
-.IP default_keytab_name
-This relation specifies the default keytab name to be used by
-application severs such as telnetd and rlogind. The default is
-"/etc/krb5.keytab". This formerly defaulted to "/etc/v5srvtab", but
-was changed to the current value.
-
-.IP default_realm
-This relation identifies the default realm to be used in a client host's
-Kerberos activity.
-
-.IP default_tgs_enctypes
-This relation identifies the supported list of session key encryption
-types that should be returned by the KDC. The list may be delimited with
-commas or whitespace.
-
-.IP default_tkt_enctypes
-This relation identifies the supported list of session key encryption
-types that should be requested by the client, in the same format.
-
-.IP permitted_enctypes
-This relation identifies the permitted list of session key encryption
-types.
-
-.IP allow_weak_crypto
-If this is set to 0 (for false), then weak encryption types will be
-filtered out of the previous three lists. The default value for this
-tag is false, which may cause authentication failures in existing
-Kerberos infrastructures that do not support strong crypto. Users in
-affected environments should set this tag to true until their
-infrastructure adopts stronger ciphers.
-
-.IP clockskew
-This relation sets the maximum allowable amount of clockskew in seconds
-that the library will tolerate before assuming that a Kerberos message
-is invalid. The default value is 300 seconds, or five minutes.
-
-.IP ignore_acceptor_hostname
-When accepting GSSAPI or krb5 security contexts for host-based service
-principals, ignore any hostname passed by the calling application and
-allow any service principal present in the keytab which matches the
-service name and realm name (if given). This option can improve the
-administrative flexibility of server applications on multi-homed
-hosts, but can compromise the security of virtual hosting
-environments. The default value is false.
-
-.IP k5login_authoritative
-If the value of this relation is true (the default), principals must
-be listed in a local user's k5login file to be granted login access,
-if a k5login file exists. If the value of this relation is false, a
-principal may still be granted login access through other mechanisms
-even if a k5login file exists but does not list the principal.
-
-.IP k5login_directory
-If set, the library will look for a local user's k5login file within
-the named directory, with a filename corresponding to the local
-username. If not set, the library will look for k5login files in the
-user's home directory, with the filename .k5login. For security
-reasons, k5login files must be owned by the local user or by root.
-
-.IP kdc_timesync
-If the value of this relation is non-zero (the default), the library
-will compute the difference between the system clock and the time
-returned by the KDC and in order to correct for an inaccurate system
-clock. This corrective factor is only used by the Kerberos library.
-
-.IP kdc_req_checksum_type
-For compatibility with DCE security servers which do not support the
-default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value
-of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
-earlier. This value is only used for DES keys; other keys use the
-preferred checksum type for those keys.
-
-.IP ap_req_checksum_type
-If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type.
-
-.IP safe_checksum_type
-This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
-messages. The default value for this type is CKSUMTYPE_RSA_MD5_DES.
-For compatibility with applications linked against DCE version 1.1 or
-earlier Kerberos
-libraries, use a value of 3 to use the CKSUMTYPE_RSA_MD4_DES
-instead. This field is ignored when its value is incompatible with
-the session key type.
-
-.IP preferred_preauth_types
-This allows you to set the preferred preauthentication types which the
-client will attempt before others which may be advertised by a KDC. The
-default value for this setting is "17, 16, 15, 14", which forces libkrb5
-to attempt to use PKINIT if it is supported.
-
-.IP ccache_type
-User this parameter on systems which are DCE clients, to specify the
-type of cache to be created by kinit, or when forwarded tickets are
-received. DCE and Kerberos can share the cache, but some versions of DCE
-do not support the default cache as created by this version of
-Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
-DCE 1.1 systems.
-
-.IP dns_lookup_kdc
-Indicate whether DNS SRV records should be used to locate the KDCs and
-other servers for a realm, if they are not listed in the information
-for the realm. The default is to use these records.
-
-.IP dns_lookup_realm
-Indicate whether DNS TXT records should be used to determine the Kerberos
-realm of a host. The default is not to use these records.
-
-.IP dns_fallback
-General flag controlling the use of DNS for Kerberos information. If both
-of the preceding options are specified, this option has no effect.
-
-.IP realm_try_domains
-Indicate whether a host's domain components should be used to
-determine the Kerberos realm of the host. The value of this variable
-is an integer: \-1 means not to search, 0 means to try the host's
-domain itself, 1 means to also try the domain's immediate parent, and
-so forth. The library's usual mechanism for locating Kerberos realms
-is used to determine whether a domain is a valid realm--which may
-involve consulting DNS if dns_lookup_kdc is set. The default is not
-to search domain components.
-
-.IP extra_addresses
-This allows a computer to use multiple local addresses, in order to
-allow Kerberos to work in a network that uses NATs. The addresses should
-be in a comma-separated list.
-
-.IP udp_preference_limit
-When sending a message to the KDC, the library will try using TCP
-before UDP if the size of the message is above "udp_preference_limit".
-If the message is smaller than "udp_preference_limit", then UDP will be
-tried before TCP. Regardless of the size, both protocols will be
-tried if the first attempt fails.
-
-.IP verify_ap_req_nofail
-If this flag is set, then an attempt to get initial credentials will
-fail if the client machine does not have a keytab. The default for the
-flag is false.
-
-.IP ticket_lifetime
-The value of this tag is the default lifetime for initial tickets. The
-default value for the tag is 1 day (1d).
-
-.IP renew_lifetime
-The value of this tag is the default renewable lifetime for initial
-tickets. The default value for the tag is 0.
-
-.IP noaddresses
-Setting this flag causes the initial Kerberos ticket to be addressless.
-The default for the flag is true.
-
-.IP forwardable
-If this flag is set, initial tickets by default will be forwardable.
-The default value for this flag is false.
-
-.IP proxiable
-If this flag is set, initial tickets by default will be proxiable.
-The default value for this flag is false.
-
-.IP rdns
-If set to false, prevent the use of reverse DNS resolution when
-translating hostnames into service principal names. Defaults to
-true. Setting this flag to false is more secure, but may force
-users to exclusively use fully qualified domain names when
-authenticating to services.
-
-.IP plugin_base_dir
-If set, determines the base directory where krb5 plugins are located.
-The default value is the "krb5/plugins" subdirectory of the krb5
-library directory.
-
-.SH APPDEFAULTS SECTION
-
-Each tag in the [appdefaults] section names a Kerberos V5 application
-or an option that is used by some Kerberos V5 application[s]. The
-four ways that you can set values for options are as follows, in
-decreasing order of precedence:
-
-.sp
-.nf
-.in +1i
-#1)
- application = {
- realm1 = {
- option = value
- }
- realm2 = {
- option = value
- }
- }
-#2)
- application = {
- option1 = value
- option2 = value
- }
-#3)
- realm = {
- option = value
- }
-#4)
- option = value
-.in -1in
-.fi
-.sp
-
-.SH LOGIN SECTION
-The [login] section is used to configure the behavior of the Kerberos V5
-login program,
-.IR login.krb5 (8).
-Refer to the manual entry for
-.I login.krb5
-for a description of the relations allowed in this section.
-.SH REALMS SECTION
-Each tag in the [realms] section of the file names a Kerberos realm.
-The value of the tag is a subsection where the relations in that
-subsection define the properties of that particular realm. For example:
-
-.sp
-.nf
-.in +1i
-[realms]
- ATHENA.MIT.EDU = {
- admin_server = KERBEROS.MIT.EDU
- default_domain = MIT.EDU
- database_module = ldapconf
- v4_instance_convert = {
- mit = mit.edu
- lithium = lithium.lcs.mit.edu
- }
- v4_realm = LCS.MIT.EDU
- }
-.in -1i
-.fi
-.sp
-
-For each realm, the following tags may be specified in the realm's
-subsection:
-
-.IP kdc
-The value of this relation is the name of a host running a KDC for that
-realm. An optional port number (preceded by a colon) may be appended to
-the hostname. This tag should generally be used only if the realm
-administrator has not made the information available through DNS.
-
-.IP admin_server
-This relation identifies the host where the administration server is
-running. Typically this is the Master Kerberos server.
-
-.IP database_module
-This relation indicates the name of the configuration section under dbmodules
-for database specific parameters used by the loadable database library.
-
-.IP default_domain
-This relation identifies the default domain for which hosts in this
-realm are assumed to be in. This is needed for translating V4 principal
-names (which do not contain a domain name) to V5 principal names (which
-do).
-
-.IP v4_instance_convert
-This subsection allows the administrator to configure exceptions to the
-default_domain mapping rule. It contains V4 instances (the tag name)
-which should be translated to some specific hostname (the tag value) as
-the second component in a Kerberos V5 principal name.
-
-.IP v4_realm
-This relation is used by the krb524 library routines when converting
-a V5 principal name to a V4 principal name. It is used when V4 realm
-name and the V5 realm are not the same, but still share the same
-principal names and passwords. The tag value is the Kerberos V4 realm
-name.
-
-.IP auth_to_local_names
-This subsection allows you to set explicit mappings from principal
-names to local user names. The tag is the mapping name, and the value
-is the corresponding local user name.
-
-.IP auth_to_local
-This tag allows you to set a general rule for mapping principal names
-to local user names. It will be used if there is not an explicit
-mapping for the principal name that is being translated. The possible
-values are:
-
-.in +.5i
-DB:<filename>
-.in +.5i
-The principal will be looked up in the database <filename>.
-Support for this is not currently compiled in by default.
-.in -.5in
-RULE:<exp>
-.in +.5i
-The local name will be formulated from <exp>.
-.in -.5i
-DEFAULT
-.in +.5i
-The principal name will be used as the local name. If the
-principal has more than one component or is not in the default
-realm, this rule is not applicable and the conversion will fail.
-.in -1i
-
-.SH DOMAIN_REALM SECTION
-
-The [domain_realm] section provides a translation from a hostname to the
-Kerberos realm name for the services provided by that host.
-.PP
-The tag name can be a hostname, or a domain name, where domain names are
-indicated by a prefix of a period ('.') character. The value of the
-relation is the Kerberos realm name for that particular host or domain.
-Host names and domain names should be in lower case.
-.PP
-If no translation entry applies, the host's realm is considered to be
-the hostname's domain portion converted to upper case. For example, the
-following [domain_realm] section:
-
-.sp
-.nf
-.in +1i
-[domain_realm]
- .mit.edu = ATHENA.MIT.EDU
- mit.edu = ATHENA.MIT.EDU
- dodo.mit.edu = SMS_TEST.MIT.EDU
- .ucsc.edu = CATS.UCSC.EDU
-.in -1i
-.fi
-.sp
-maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in
-the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the
-UCSC.EDU domain into the CATS.UCSC.EDU realm. ucbvax.berkeley.edu would
-be mapped by the default rules to the BERKELEY.EDU realm, while
-sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.
-
-.SH LOGGING SECTION
-
-The [logging] section indicates how a particular entity is to perform
-its logging. The relations specified in this section assign one or more
-values to the entity name.
-.PP
-Currently, the following entities are used:
-.IP kdc
-These entries specify how the KDC is to perform its logging.
-.IP admin_server
-These entries specify how the administrative server is to perform its logging.
-.IP default
-These entries specify how to perform logging in the absence of explicit
-specifications otherwise.
-.PP
-Values are of the following forms:
-.IP FILE=<filename>
-.IP FILE:<filename>
-This value causes the entity's logging messages to go to the specified
-file. If the
-.B =
-form is used, then the file is overwritten. Otherwise, the file is
-appended to.
-.IP STDERR
-This value causes the entity's logging messages to go to its standard
-error stream.
-.IP CONSOLE
-This value causes the entity's logging messages to go to the console, if
-the system supports it.
-.IP DEVICE=<devicename>
-This causes the entity's logging messages to go to the specified device.
-.IP SYSLOG[:<severity>[:<facility>]]
-This causes the entity's logging messages to go to the system log.
-
-The
-.B severity
-argument specifies the default severity of system log messages. This
-may be any of the following severities supported by the
-.I syslog(3)
-call minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR,
-LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, to
-specify LOG_CRIT severity, one would use CRIT for
-.B severity.
-
-The
-.B facility
-argument specifies the facility under which the messages are logged.
-This may be any of the following facilities supported by the
-.I syslog(3)
-call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON,
-LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through
-LOG_LOCAL7.
-
-If no
-.B severity
-is specified, the default is ERR, and if no
-.B facility
-is specified, the default is AUTH.
-.PP
-In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON with
-default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file /var/adm/kadmin.log
-and sent to the device /dev/tty04.
-.sp
-.nf
-.in +1i
-[logging]
- kdc = CONSOLE
- kdc = SYSLOG:INFO:DAEMON
- admin_server = FILE:/var/adm/kadmin.log
- admin_server = DEVICE=/dev/tty04
-.in -1i
-.fi
-.sp
-
-.SH CAPATHS SECTION
-
-Cross-realm authentication is typically organized hierarchically. This
-hierarchy is based on the name of the realm, which thus imposes
-restrictions on the choice of realm names, and on who may participate in
-a cross-realm authentication. A non hierarchical organization may be used,
-but requires a database to construct the authentication paths between
-the realms. This section defines that database.
-.PP
-A client will use this section to find the authentication path between
-its realm and the realm of the server. The server will use this section
-to verify the authentication path used be the client, by checking the
-transited field of the received ticket.
-.PP
-There is a tag name for each participating realm, and each tag has
-subtags for each of the realms. The value of the subtags is an
-intermediate realm which may participate in the cross-realm
-authentication. The subtags may be repeated if there is more then one
-intermediate realm. A value of "." means that the two realms share keys
-directly, and no intermediate realms should be allowed to participate.
-.PP
-There are n**2 possible entries in this table, but only those entries
-which will be needed on the client or the server need to be present. The
-client needs a tag for its local realm, with subtags for all the realms
-of servers it will need to authenticate with. A server needs a tag for
-each realm of the clients it will serve.
-.PP
-For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
-realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
-which will authenticate with NERSC.GOV but not PNL.GOV. The [capath]
-section for ANL.GOV systems would look like this:
-.sp
-.nf
-.in +1i
-[capaths]
- ANL.GOV = {
- TEST.ANL.GOV = .
- PNL.GOV = ES.NET
- NERSC.GOV = ES.NET
- ES.NET = .
- }
- TEST.ANL.GOV = {
- ANL.GOV = .
- }
- PNL.GOV = {
- ANL.GOV = ES.NET
- }
- NERSC.GOV = {
- ANL.GOV = ES.NET
- }
- ES.NET = {
- ANL.GOV = .
- }
-.in -1i
-.fi
-.sp
-The [capath] section of the configuration file used on NERSC.GOV systems
-would look like this:
-.sp
-.nf
-.in +1i
-[capaths]
- NERSC.GOV = {
- ANL.GOV = ES.NET
- TEST.ANL.GOV = ES.NET
- TEST.ANL.GOV = ANL.GOV
- PNL.GOV = ES.NET
- ES.NET = .
- }
- ANL.GOV = {
- NERSC.GOV = ES.NET
- }
- PNL.GOV = {
- NERSC.GOV = ES.NET
- }
- ES.NET = {
- NERSC.GOV = .
- }
- TEST.ANL.GOV = {
- NERSC.GOV = ANL.GOV
- NERSC.GOV = ES.NET
- }
-.in -1i
-.fi
-.sp
-In the above examples, the ordering is not important, except when the
-same subtag name is used more then once. The client will use this to
-determine the path. (It is not important to the server, since the
-transited field is not sorted.)
-.PP
-If this section is not present, or if the client or server cannot find a
-client/server path, then normal hierarchical organization is assumed.
-.PP
-This feature is not currently supported by DCE. DCE security servers can
-be used with Kerberized clients and servers, but versions prior to DCE
-1.1 did not fill in the transited field, and should be used with
-caution.
-
-.SH DATABASE DEFAULT SECTION
-
-The [dbdefaults] section indicates default values for the database specific parameters.
-It can also specify the configuration section under dbmodules for database
-specific parameters used by the loadable database library.
-
-.PP
-The following tags are used in this section:
-.IP database_module
-This relation indicates the name of the configuration section under dbmodules
-for database specific parameters used by the loadable database library.
-
-.IP ldap_kerberos_container_dn
-This LDAP specific tag indicates the DN of the container object where the realm
-objects will be located. This value is used if no object DN is mentioned in the
-configuration section under dbmodules.
-
-.IP ldap_kdc_dn
-This LDAP specific tag indicates the default bind DN for the KDC server.
-The KDC server does a login to the directory as this object. This value is used if
-no object DN is mentioned in the configuration section under dbmodules.
-
-.IP ldap_kadmind_dn
-This LDAP specific tag indicates the default bind DN for the
-Administration server. The Administration server does a login to the directory
-as this object. This value is used if no object DN is mentioned in
-the configuration section under dbmodules.
-
-.IP ldap_service_password_file
-This LDAP specific tag indicates the file containing the stashed passwords for the
-objects used for starting the Kerberos servers. This value is used if no
-service password file is mentioned in the configuration section under dbmodules.
-
-.IP ldap_servers
-This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
-is whitespace-separated. The LDAP server is specified by a LDAP URI.
-This value is used if no LDAP servers are mentioned in the configuration
-section under dbmodules.
-
-.IP ldap_conns_per_server
-This LDAP specific tag indicates the number of connections to be maintained per
-LDAP server. This value is used if the number of connections per LDAP server are not
-mentioned in the configuration section under dbmodules. The default value is 5.
-
-.SH DATABASE MODULE SECTION
-Each tag in the [dbmodules] section of the file names a configuration section
-for database specific parameters that can be referred to by a realm.
-The value of the tag is a subsection where the relations in that subsection
-define the database specific parameters.
-
-.PP
-For each section, the following tags may be specified in the subsection:
-
-.IP database_name
-This DB2-specific tag indicates the location of the database in the
-filesystem.
-
-.IP db_library
-This tag indicates the name of the loadable database library.
-The value should be db2 for db2 database and kldap for LDAP database.
-
-.IP disable_last_success
-If set to true, suppresses KDC updates to the "Last successful
-authentication" field of principal entries requiring
-preauthentication. Setting this flag may improve performance.
-(Principal entries which do not require preauthentication never update
-the "Last successful authentication" field.)
-
-.IP disable_lockout
-If set to true, suppresses KDC updates to the "Last failed
-authentication" and "Failed password attempts" fields of principal
-entries requiring preauthentication. Setting this flag may improve
-performance, but also disables account lockout.
-
-.IP ldap_kerberos_container_dn
-This LDAP specific tag indicates the DN of the container object where the realm
-objects will be located.
-
-.IP ldap_kdc_dn
-This LDAP specific tag indicates the bind DN for the KDC server.
-The KDC does a login to the directory as this object.
-
-.IP ldap_kadmind_dn
-This LDAP specific tag indicates the bind DN for the Administration server.
-The Administration server does a login to the directory
-as this object.
-
-.IP ldap_service_password_file
-This LDAP specific tag indicates the file containing the stashed passwords for the
-objects used for starting the Kerberos servers.
-
-.IP ldap_servers
-This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
-is whitespace-separated. The LDAP server is specified by a LDAP URI.
-
-.IP ldap_conns_per_server
-This LDAP specific tag indicates the number of connections to be maintained per
-LDAP server.
-
-.SH PLUGINS SECTION
-
-Tags in the [plugins] section can be used to register dynamic plugin
-modules and to turn modules on and off. Not every krb5 pluggable
-interface uses the [plugins] section; the ones that do are documented
-here.
-
-.PP
-Each pluggable interface corresponds to a subsection of [plugins].
-All subsections support the same tags:
-
-.IP module
-This tag may have multiple values. Each value is a string of the form
-"modulename:pathname", which causes the shared object located at
-pathname to be registered as a dynamic module named modulename for the
-pluggable interface. If pathname is not an absolute path, it will be
-treated as relative to the plugin base directory.
-
-.IP enable_only
-This tag may have multiple values. If there are values for this tag,
-then only the named modules will be enabled for the pluggable
-interface.
-
-.IP disable
-This tag may have multiple values. If there are values for this tag,
-then the named modules will be disabled for the pluggable interface.
-
-.PP
-The following subsections are currently supported within the [plugins]
-section:
-
-.SS pwqual interface
-
-The pwqual subsection controls modules for the password quality
-interface, which is used to reject weak passwords when passwords are
-changed. In addition to any registered dynamic modules, the following
-built-in modules exist (and may be disabled with the disable tag):
-
-.IP dict
-Checks against the realm dictionary file
-
-.IP empty
-Rejects empty passwords
-
-.IP hesiod
-Checks against user information stored in Hesiod (only if Kerberos was
-built with Hesiod support)
-
-.IP princ
-Checks against components of the principal name
-
-.SS kadm5_hook interface
-
-The kadm5_hook interface provides plugins with information on
-principal creation, modification, password changes and deletion. This
-interface can be used to write a plugin to synchronize MIT Kerberos
-with another database such as Active Directory. No plugins are built
-in for this interface.
-
-.SS clpreauth and kdcpreauth interfaces
-
-The clpreauth and kdcpreauth interfaces allow plugin modules to
-provide client and KDC preauthentication mechanisms. The following
-built-in modules exist for these interfaces:
-
-.IP pkinit
-This module implements the PKINIT preauthentication mechanism.
-
-.IP encrypted_challenge
-This module implements the encrypted challenge FAST factor.
-
-.IP encrypted_timestamp
-This module implements the encrypted timestamp mechanism.
-
-.SH FILES
-/etc/krb5.conf
-.SH SEE ALSO
-syslog(3)
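Review bot: several security caveats exist only in this deleted krb5.conf.M and must survive in the generated replacement, so please diff its tag list against the `.IP` entries here before merging. The ones that matter most: the `ignore_acceptor_hostname` warning that it "can compromise the security of virtual hosting environments", the `rdns` statement that setting it to false is more secure, the `allow_weak_crypto` default of false, the `k5login_directory` requirement that k5login files be owned by the local user or root, `k5login_authoritative` defaulting to true, the `disable_lockout` note that it disables account lockout, and the [capaths] explanation that the server uses the section to verify the transited field of the received ticket. When porting, do not carry over this page's defects: `[capath] section` should read `[capaths]`, `used be the client` should be `used by the client`, `more then one` should be `more than one`, `application severs` should be `application servers`, `User this parameter` should be `Use this parameter`, and the closing `.in -1in` / `.in -.5in` requests are inconsistent with the `.in +1i` / `.in +.5i` that open those blocks.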
diff --git a/src/configure.in b/src/configure.in
index 7154f686bd..5a1539c096 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1323,7 +1323,7 @@ dnl lib/krb5/ccache/ccapi
dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
- kdc slave config-files gen-manpages man doc include
+ kdc slave config-files man doc include
plugins/locate/python
plugins/kadm5_hook/test
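Review bot: dropping `gen-manpages` from this subdirectory list is only half of the build change; any Makefile.in that recurses into that directory, or whose `install` target relied on the `kerberos.1` and `k5identity.5` rules that lived in `gen-manpages/Makefile.in`, must lose the reference in the same commit, otherwise configure stops generating `gen-manpages/Makefile` while a parent makefile still tries to descend into it. Please also confirm that `configure` is regenerated from this configure.in in the build so the two do not disagree about which directories exist.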
diff --git a/src/gen-manpages/Makefile.in b/src/gen-manpages/Makefile.in
deleted file mode 100644
index 1eaf9422dd..0000000000
--- a/src/gen-manpages/Makefile.in
+++ /dev/null
@@ -1,15 +0,0 @@
-mydir=gen-manpages
-BUILDTOP=$(REL)..
-all::
-
-install::
- $(INSTALL_DATA) $(srcdir)/kerberos.M ${DESTDIR}$(CLIENT_MANDIR)/kerberos.1
- $(INSTALL_DATA) $(srcdir)/k5identity.M \
- ${DESTDIR}$(FILE_MANDIR)/k5identity.5
- $(INSTALL_DATA) $(srcdir)/dot.k5identity.M \
- ${DESTDIR}$(FILE_MANDIR)/.k5identity.5
-
-install-oldman::
- $(INSTALL_DATA) $(srcdir)/k5login.M ${DESTDIR}$(FILE_MANDIR)/k5login.5
- $(INSTALL_DATA) $(srcdir)/dot.k5login.M \
- ${DESTDIR}$(FILE_MANDIR)/.k5login.5
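Review bot: the install rules that replace this file must still produce `kerberos.1` in `$(CLIENT_MANDIR)` and both `k5identity.5` and its dotfile alias `.k5identity.5` in `$(FILE_MANDIR)`, because these were the only rules installing those three names under the regular `install` target; if the alias is not reproduced (as a `.so` stub or a symlink), `man .k5identity` stops working on upgrade. By contrast `k5login.5` / `.k5login.5` had already been demoted to `install-oldman`, which suggests those two had moved to the generated tree earlier; the same verification is needed for the three pages still installed here. Also check that no parent makefile still invokes `install-oldman`, since the target disappears with this file.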
diff --git a/src/gen-manpages/deps b/src/gen-manpages/deps
deleted file mode 100644
index 2feac3c9d3..0000000000
--- a/src/gen-manpages/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/gen-manpages/dot.k5identity.M b/src/gen-manpages/dot.k5identity.M
deleted file mode 100644
index 8af572af16..0000000000
--- a/src/gen-manpages/dot.k5identity.M
+++ /dev/null
@@ -1 +0,0 @@
-.so man5/k5identity.5
diff --git a/src/gen-manpages/dot.k5login.M b/src/gen-manpages/dot.k5login.M
deleted file mode 100644
index 60c82a4d88..0000000000
--- a/src/gen-manpages/dot.k5login.M
+++ /dev/null
@@ -1 +0,0 @@
-.so man5/k5login.5
diff --git a/src/gen-manpages/header.doc b/src/gen-manpages/header.doc
deleted file mode 100644
index d112287861..0000000000
--- a/src/gen-manpages/header.doc
+++ /dev/null
@@ -1 +0,0 @@
-.ds h ""Kerberos V5 release Beta 7" "MIT Project Athena"
diff --git a/src/gen-manpages/k5identity.M b/src/gen-manpages/k5identity.M
deleted file mode 100644
index 8161eaec3f..0000000000
--- a/src/gen-manpages/k5identity.M
+++ /dev/null
@@ -1,57 +0,0 @@
-.TH .K5LOGIN 5
-.SH NAME
-\&.k5identity \- Kerberos V5 client principal selection rules
-.SH DESCRIPTION
-The \fB.k5identity\fP file, which resides in a user's home directory,
-contains a list of rules for selecting a client principals based on
-the server being accessed. These rules are used to choose a
-credential cache within the cache collection when possible.
-.PP
-Blank lines and lines beginning with '#' are ignored. Each line has
-the form:
-.PP
-.RS
-\fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
-.RE
-.PP
-If the server principal meets all of the \fIfield\fP constraints, then
-\fIprincipal\fP is chosen as the client principal. The following
-fields are recognized:
-.TP
-.B realm
-If the realm of the server principal is known, it is matched against
-\fIvalue\fP, which may be a pattern using shell wildcards. For
-host-based server principals, the realm will generally only be known
-if there is a domain_realm section in krb5.conf with a mapping for the
-hostname.
-.TP
-.B service
-If the server principal is a host-based principal, its service
-component is matched against \fIvalue\fP, which may be a pattern using
-shell wildcards.
-.TP
-.B host
-If the server principal is a host-based principal, its hostname
-component is converted to lower case and matched against \fIvalue\fP,
-which may be a pattern using shell wildcards.
-.PP
-If the server principal matches the constraints of multiple lines in
-the \fB.k5identity\fP file, the principal from the first matching line
-is used. If no line matches, credentials will be selected some other
-way, such as the realm heuristic or the current primary cache.
-.SH EXAMPLE
-The following example \fB.k5identity\fP file selects the client
-principal alice@KRBTEST.COM if the server principal is within that
-realm, the principal alice/root@EXAMPLE.COM if the server host is
-within a servers subdomain, and the principal alice/mail@EXAMPLE.COM
-when accessing the IMAP service on mail.example.com.
-.PP
-.RS
-.nf
-alice@KRBTEST.COM realm=KRBTEST.COM
-alice/root@EXAMPLE.COM host=*.servers.example.com
-alice/mail@EXAMPLE.COM host=mail.example.com service=imap
-.fi
-.RE
-.SH SEE ALSO
-kerberos(1), krb5.conf(5)
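Review bot: the deleted k5identity.M carries a wrong title line, `.TH .K5LOGIN 5` instead of `.K5IDENTITY`, and a grammar slip in `selecting a client principals`; worth checking that neither was copied into the RST source this commit relies on. The caveats in the `realm` and `host` entries, that the realm is generally only matched when krb5.conf has a domain_realm mapping for the hostname and that the host component is lowercased before wildcard matching, decide which credential cache is presented to a given server and should survive the conversion verbatim, since a rule that silently never matches falls back to the realm heuristic or the primary cache as described in the last paragraph.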
diff --git a/src/gen-manpages/k5login.M b/src/gen-manpages/k5login.M
deleted file mode 100644
index dc0a84c745..0000000000
--- a/src/gen-manpages/k5login.M
+++ /dev/null
@@ -1,54 +0,0 @@
-.TH .K5LOGIN 5
-.SH NAME
-\&.k5login \- Kerberos V5 acl file for host access.
-.SH DESCRIPTION
-The
-.B .k5login
-file, which resides in a user's home directory, contains a list of the
-Kerberos principals. Anyone with valid tickets for a principal in the
-file is allowed host access with the UID of the user in whose home
-directory the file resides. One common use is to place a
-.B .k5login
-file in root's home directory, thereby granting system administrators
-remote root access to the host via Kerberos.
-.SH EXAMPLES
-Suppose the user "alice" had a
-.B .k5login
-file in her home directory containing the following line:
-.sp
-.nf
-.in +1i
-bob@FUBAR.ORG
-.in -1i
-.fi
-.sp
-This would allow "bob" to use any of the Kerberos network
-applications, such as
-.IR telnet (1),
-.IR rlogin (1),
-.IR rsh (1),
-and
-.IR rcp (1),
-to access alice's account, using bob's Kerberos tickets.
-.PP
-Let us further suppose that "alice" is a system administrator. Alice
-and the other system administrators would have their principals in
-root's
-.B .k5login
-file on each host:
-.sp
-.nf
-.in +1i
-alice@BLEEP.COM
-joeadmin/root@BLEEP.COM
-.in -1i
-.fi
-.sp
-This would allow either system administrator to log in to these hosts
-using their Kerberos tickets instead of having to type the root
-password. Note that because "bob" retains the Kerberos tickets for
-his own principal, "bob@FUBAR.ORG", he would not have any of the
-privileges that require alice's tickets, such as root access to any of
-the site's hosts, or the ability to change alice's password.
-.SH SEE ALSO
-telnet(1), rlogin(1), rsh(1), rcp(1), ksu(1), telnetd(8), klogind(8)
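Review bot: the access-control statement in DESCRIPTION, that anyone holding valid tickets for a listed principal gets host access under the UID of the file's owner and that a `.k5login` in root's home grants remote root, is the contract administrators rely on when auditing these files; confirm the RST replacement keeps it intact and unsoftened. The SEE ALSO line cross-references telnet(1), rlogin(1), rsh(1), rcp(1), telnetd(8) and klogind(8), and the EXAMPLES text names the same programs; none of them have a man page among the files touched by this commit, so the generated page should be checked for stale cross-references rather than carrying this list over as-is.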
diff --git a/src/gen-manpages/kerberos.M b/src/gen-manpages/kerberos.M
deleted file mode 100644
index 7a96a82d8b..0000000000
--- a/src/gen-manpages/kerberos.M
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" Copyright 1989, 2011 by the Massachusetts Institute of Technology.
-.\"
-.\" For copying and distribution information,
-.\" please see the file <mit-copyright.h>.
-.\" "
-.TH KERBEROS 1
-.SH NAME
-kerberos \- introduction to the Kerberos system
-.SH DESCRIPTION
-The Kerberos system authenticates individual users in a network
-environment. After authenticating yourself to Kerberos, you can use
-Kerberos-enabled programs without having to present passwords.
-.PP
-If you enter your username and
-.I kinit
-responds with this message:
-.PP
-kinit(v5): Client not found in Kerberos database while getting initial
-credentials
-.PP
-you haven't been registered as a Kerberos user. See your system
-administrator.
-.PP
-A Kerberos name usually contains three parts. The first is the
-.IR primary ,
-which is usually a user's or service's name. The second is the
-.IR instance ,
-which in the case of a user is usually null. Some users may have
-privileged instances, however, such as ``root'' or ``admin''. In the
-case of a service, the instance is the fully qualified name of the
-machine on which it runs; i.e. there can be an
-.I rlogin
-service running on the machine ABC, which is different from the rlogin
-service running on the machine XYZ. The third part of a Kerberos name
-is the
-.IR realm .
-The realm corresponds to the Kerberos service providing authentication
-for the principal.
-.PP
-When writing a Kerberos name, the principal name is separated from the
-instance (if not null) by a slash, and the realm (if not the local
-realm) follows, preceded by an ``@'' sign. The following are examples
-of valid Kerberos names:
-.sp
-.nf
-.in +8
-david
-jennifer/admin
-joeuser@BLEEP.COM
-cbrown/root@FUBAR.ORG
-.in -8
-.fi
-.PP
-When you authenticate yourself with Kerberos you get an initial Kerberos
-.IR ticket .
-(A Kerberos ticket is an encrypted protocol message that provides
-authentication.) Kerberos uses this ticket for network utilities such
-as
-.I rlogin
-and
-.IR rcp .
-The ticket transactions are done transparently, so you don't have to
-worry about their management.
-.PP
-Note, however, that tickets expire. Privileged tickets, such as those
-with the instance ``root'', expire in a few minutes, while tickets that
-carry more ordinary privileges may be good for several hours or a day,
-depending on the installation's policy. If your login session extends
-beyond the time limit, you will have to re-authenticate yourself to
-Kerberos to get new tickets. Use the
-.IR kinit
-command to re-authenticate yourself.
-.PP
-If you use the
-.I kinit
-command to get your tickets, make sure you use the
-.I kdestroy
-command to destroy your tickets before you end your login session. You
-should put the
-.I kdestroy
-command in your
-.I \.logout
-file so that your tickets will be destroyed automatically when you
-logout. For more information about the
-.I kinit
-and
-.I kdestroy
-commands, see the
-.IR kinit (1)
-and
-.IR kdestroy (1)
-manual pages.
-.PP
-Kerberos tickets can be forwarded. In order to forward tickets, you
-must request
-.I forwardable
-tickets when you
-.IR kinit .
-Once you have forwardable tickets, most Kerberos programs have a command
-line option to forward them to the remote host.
-.SH "ENVIRONMENT VARIABLES"
-Several environment variables affect the operation of Kerberos-enabled
-programs. These include:
-.TP
-.B KRB5CCNAME
-Specifies the location of the credential cache, in the form
-\fITYPE\fP:\fIresidual\fP. If no type prefix is present, the
-\fBFILE\fP type is assumed and \fIresidual\fP is the pathname of the
-cache file. A collection of multiple caches may be used by specifying
-the \fBDIR\fP type and the pathname of a private directory (which must
-already exist). The default cache file is /tmp/krb5cc_\fIuid\fP where
-\fIuid\fP is the decimal user ID of the user.
-.TP
-.B KRB5_KTNAME
-Specifies the location of the keytab file, in the form
-\fITYPE\fP:\fIresidual\fP. If no type is present, the \fBFILE\fP type
-is assumed and \fIresidual\fP is the pathname of the keytab file. The
-default keytab file is /etc/krb5.keytab.
-.TP
-.B KRB5_CONFIG
-Specifies the location of the Kerberos configuration file. The
-default is /etc/krb5.conf.
-.TP
-.B KRB5_KDC_PROFILE
-Specifies the location of the KDC configuration file, which contains
-additional configuration directives for the Key Distribution Center
-daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
-.TP
-.B KRB5RCACHETYPE
-Specifies the default type of replay cache to use for servers. Valid
-types include "dfl" for the normal file type and "none" for no replay
-cache.
-.B KRB5RCACHEDIR
-Specifies the default directory for replay caches used by servers.
-The default is the value of the \fBTMPDIR\fP environment variable, or
-/var/tmp if \fBTMPDIR\fP is not set.
-.TP
-.B KRB5_TRACE
-Specifies a filename to write trace log output to. Trace logs can
-help illuminate decisions made internally by the Kerberos libraries.
-The default is not to write trace log output anywhere.
-.PP
-Most environment variables are disabled for certain programs, such as
-login system programs and setuid programs, which are designed to be
-secure when run within an untrusted process environment.
-.SH "SEE ALSO"
-kdestroy(1), kinit(1), klist(1), kswitch(1), kpasswd(1), ksu(1),
-krb5.conf(5), kdc.conf(5), kadmin(1), kadmind(8), kdb5_util(8),
-krb5kdc(8)
-.SH BUGS
-.SH AUTHORS
-Steve Miller, MIT Project Athena/Digital Equipment Corporation
-.br
-Clifford Neuman, MIT Project Athena
-.br
-Greg Hudson, MIT Kerberos Consortium
-.SH HISTORY
-The MIT Kerberos 5 implementation was developed at MIT, with
-contributions from many outside parties. It is currently maintained
-by the MIT Kerberos Consortium.
-.SH RESTRICTIONS
-Copyright 1985,1986,1989-1996,2002,2011 Massachusetts Institute of Technology
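Review bot: in the ENVIRONMENT VARIABLES section the `.B KRB5RCACHEDIR` entry has no `.TP` in front of it and follows the KRB5RCACHETYPE text directly, so it rendered as a run-on of the previous entry; make sure the RST version lists KRB5RCACHEDIR as its own item. The page also has an empty `.SH BUGS` section that need not be carried over. Please preserve verbatim the closing paragraph stating that most of these variables are disabled for login system programs and setuid programs, since it documents why KRB5_CONFIG, KRB5_KTNAME and KRB5CCNAME cannot redirect such programs when they run in an untrusted process environment.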
diff --git a/src/kadmin/cli/k5srvutil.M b/src/kadmin/cli/k5srvutil.M
deleted file mode 100644
index 528bf00f21..0000000000
--- a/src/kadmin/cli/k5srvutil.M
+++ /dev/null
@@ -1,58 +0,0 @@
-.\" Copyright 1989, 2003 by the Massachusetts Institute of Technology.
-.\"
-.TH K5SRVUTIL 1
-.SH NAME
-k5srvutil \- host key table (keytab) manipulation utility
-.SH SYNOPSIS
-k5srvutil
-.B operation
-[
-.B \-i
-] [
-.B \-f filename
-]
-.SH DESCRIPTION
-.I k5srvutil
-allows a system manager to list or change keys currently in his
-keytab or to add new keys to the keytab.
-.PP
-
-Operation must be one of the following:
-.TP 10n
-.I list
-lists the keys in a keytab showing version number and principal
-name.
-.TP 10n
-.I change
-changes all the keys in the keytab to new randomly-generated keys,
-updating the keys in the Kerberos server's database to match by using the
-kadmin protocol. If a key's version number doesn't match the
-version number stored in the Kerberos server's database, then the operation will fail. The old keys are retained
-so that existing tickets continue to work.
-If the \-i flag is given,
-.I k5srvutil
-will prompt for yes or no before changing each key. If the \-k
-option is used, the old and new keys will be displayed.
-.TP 10n
-.I delold
-Deletes keys that are not the most recent version from the keytab. This operation
-should be used some time after a change operation to remove old keys.
-If the \-i flag is used, then the program prompts the user
-whether the old keys associated with each principal should be removed.
-.TP 10n
-.I delete
-deletes particular keys in the keytab, interactively prompting for
-each key.
-
-.PP
-In all cases, the default file used is /etc/krb5.keytab file
- unless this is overridden by the \-f option.
-
-
-.I k5srvutil
-uses the kadmin program to edit the keytab in place. However, old keys are retained, so
-they are available in case of failure.
-
-.SH SEE ALSO
-kadmin(8), ktutil(8)
-
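Review bot: the SYNOPSIS lists only `-i` and `-f`, yet the `change` description says "If the \-k option is used, the old and new keys will be displayed"; one of the two is wrong, and the RST page should document whichever set of options the tool actually accepts. The text also states twice that old keys are retained (under `change` and again in the closing paragraph) while `delold` is the operation that removes them; a single statement of the intended rotation sequence, `change` followed some time later by `delold` once tickets issued under the old keys have expired, would serve readers better than the duplicated sentence.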
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
deleted file mode 100644
index b05007a53c..0000000000
--- a/src/kadmin/cli/kadmin.M
+++ /dev/null
@@ -1,979 +0,0 @@
-.TH KADMIN 1
-.SH NAME
-kadmin \- Kerberos V5 database administration program
-.SH SYNOPSIS
-.TP
-.B kadmin
-.ad l
-[\fB\-O\fP | \fB\-N\fP]
-[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
-.br
-[[\fB-c\fP \fIcache_name\fP] | [\fB-k\fP [\fB-t\fP
-\fIkeytab\fP]] | \fB-n\fP] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP
-\fIadmin_server\fP[\fI:port\fP]
-.TP "\w'.B kadmin.local\ 'u"
-.B kadmin.local
-[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
-.br
-[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP] [\fB\-x\fP \fIdb_args\fP]
-.ad b
-.SH DESCRIPTION
-.B kadmin
-and
-.B kadmin.local
-are command-line interfaces to the Kerberos V5 KADM5 administration
-system. Both
-.B kadmin
-and
-.B kadmin.local
-provide identical functionalities; the difference is that
-.B kadmin.local
-runs on the master KDC if the database is db2 and
-does not use Kerberos to authenticate to the
-database. Except as explicitly noted otherwise,
-this man page will use
-.B kadmin
-to refer to both versions.
-.B kadmin
-provides for the maintenance of Kerberos principals, KADM5 policies, and
-service key tables (keytabs).
-.PP
-The remote version uses Kerberos authentication and an encrypted RPC, to
-operate securely from anywhere on the network. It authenticates to the
-KADM5 server using the service principal
-.IR kadmin/admin .
-If the credentials cache contains a ticket for the
-.I kadmin/admin
-principal, and the
-.B \-c
-.I credentials_cache
-option is specified, that ticket is used to authenticate to KADM5.
-Otherwise, the
-.B -p
-and
-.B -k
-options are used to specify the client Kerberos principal name used to
-authenticate. Once
-.B kadmin
-has determined the principal name, it requests a
-.I kadmin/admin
-Kerberos service ticket from the KDC, and uses that service ticket to
-authenticate to KADM5.
-.PP
-If the database is db2, the local client
-.BR kadmin.local ,
-is intended to run directly on the master KDC without Kerberos
-authentication. The local version provides all of the functionality of
-the now obsolete
-.IR kdb5_edit (8),
-except for database dump and load, which is now provided by the
-.IR kdb5_util (8)
-utility.
-.PP
-If the database is LDAP, kadmin.local need not be run on the KDC.
-.PP
-kadmin.local can be configured to log updates for incremental database
-propagation. Incremental propagation allows slave KDC servers to
-receive principal and policy updates incrementally instead of
-receiving full dumps of the database. This facility can be enabled in
-the
-.I kdc.conf
-file with the
-.I iprop_enable
-option. See the
-.I kdc.conf
-documentation for other options for tuning incremental propagation
-parameters.
-
-.SH OPTIONS
-.TP
-\fB\-r\fP \fIrealm\fP
-Use
-.I realm
-as the default database realm.
-.TP
-\fB\-p\fP \fIprincipal\fP
-Use
-.I principal
-to authenticate. Otherwise, kadmin will append "/admin" to the primary
-principal name of the default ccache, the value of the
-.SM USER
-environment variable, or the username as obtained with getpwuid, in
-order of preference.
-.TP
-\fB\-k\fP
-Use a keytab to decrypt the KDC response instead of prompting for a
-password on the TTY. In this case, the default principal will be
-host/\fIhostname\fP. If there is not a keytab specified with the
-.B \-t
-option, then the default keytab will be used.
-.TP
-\fB\-t\fP \fIkeytab\fP
-Use
-.I keytab
-to decrypt the KDC response. This can only be used with the
-.B \-k
-option.
-\fB-n\fP
-Requests anonymous processing. Two types of anonymous principals are
-supported. For fully anonymous Kerberos, configure pkinit on the KDC
-and configure
-.I pkinit_anchors
-in the client's krb5.conf. Then use the
-.B -n
-option with a principal of the form
-.I @REALM
-(an empty principal name followed by the at-sign and a realm name).
-If permitted by the KDC, an anonymous ticket will be returned.
-A second form of anonymous tickets is supported; these realm-exposed
-tickets hide the identity of the client but not the client's realm.
-For this mode, use
-.B kinit -n
-with a normal principal name. If supported by the KDC, the principal
-(but not realm) will be replaced by the anonymous principal.
-As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
-operation.
-.TP
-\fB\-c\fP \fIcredentials_cache\fP
-Use
-.I credentials_cache
-as the credentials cache. The
-.I credentials_cache
-should contain a service ticket for the
-.I kadmin/admin
-service; it can be acquired with the
-.IR kinit (1)
-program. If this option is not specified,
-.B kadmin
-requests a new service ticket from the KDC, and stores it in its own
-temporary ccache.
-.TP
-\fB\-w\fP \fIpassword\fP
-Use
-.I password
-instead of prompting for one on the TTY. Note: placing the password
-for a Kerberos principal with administration access into a shell script
-can be dangerous if unauthorized users gain read access to the script.
-.TP
-\fB\-q\fP \fIquery\fP
-pass
-.I query
-directly to
-.BR kadmin ,
-which will perform
-.I query
-and then exit. This can be useful for writing scripts.
-.TP
-\fB\-d\fP \fIdbname\fP
-Specifies the name of the Kerberos database.
-This option does not apply to the LDAP database.
-.TP
-\fB\-s\fP \fIadmin_server[:port]\fP
-Specifies the admin server which kadmin should contact.
-.TP
-\fB\-m\fP
-Do not authenticate using a keytab. This option will cause kadmin
-to prompt for the master database password.
-.TP
-\fB\-e\fP \fIenc:salt_list\fP
-Sets the list of encryption types and salt types to be used for any new
-keys created.
-.TP
-.B \-O
-Force use of old AUTH_GSSAPI authentication flavor.
-.TP
-.B \-N
-Prevent fallback to AUTH_GSSAPI authentication flavor.
-.TP
-\fB\-x\fP \fIdb_args\fP
-Specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.RS
-.TP
-\-x host=<hostname>
-specifies the LDAP server to connect to by a LDAP URI.
-.TP
-\-x binddn=<bind_dn>
-.fi
-specifies the DN of the object used by the administration server to bind to the LDAP server.
-This object should have the read and write rights on the realm container, principal container
-and the subtree that is referenced by the realm.
-.TP
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.SH DATE FORMAT
-Various commands in kadmin can take a variety of date formats,
-specifying durations or absolute times. Examples of valid formats are:
-.sp
-.nf
-.RS
-1 month ago
-2 hours ago
-400000 seconds ago
-last year
-this Monday
-next Monday
-yesterday
-tomorrow
-now
-second Monday
-a fortnight ago
-3/31/92 10:00:07 PST
-January 23, 1987 10:05pm
-22:00 GMT
-.RE
-.fi
-.PP
-Dates which do not have the "ago" specifier default to being absolute
-dates, unless they appear in a field where a duration is expected. In
-that case the time specifier will be interpreted as relative.
-Specifying "ago" in a duration may result in unexpected behavior.
-.PP
-.SH COMMANDS
-.TP
-\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
-creates the principal
-.IR newprinc ,
-prompting twice for a password. If no policy is specified with the
-\-policy option, and the policy named "default" exists, then that
-policy is assigned to the principal; note that the assignment of the
-policy "default" only occurs automatically when a principal is first
-created, so the policy "default" must already exist for the assignment
-to occur. This assignment of "default" can be suppressed with the
-\-clearpolicy option. This command requires the
-.I add
-privilege. This command has the aliases
-.B addprinc
-and
-.BR ank .
-The options are:
-.RS
-.TP
-\fB\-x\fP \fIdb_princ_args\fP
-Denotes the database specific options. The options for LDAP database are:
-.RS
-.TP
-\-x dn=<dn>
-Specifies the LDAP object that will contain the Kerberos principal being
-created.
-.TP
-\-x linkdn=<dn>
-.fi
-Specifies the LDAP object to which the newly created Kerberos principal object
-will point to.
-.TP
-\-x containerdn=<container_dn>
-Specifies the container object under which the Kerberos principal is to be created.
-.TP
-\-x tktpolicy=<policy>
-Associates a ticket policy to the Kerberos principal.
-.RE
-.TP
-\fB\-expire\fP \fIexpdate\fP
-expiration date of the principal
-.TP
-\fB\-pwexpire\fP \fIpwexpdate\fP
-password expiration date
-.TP
-\fB\-maxlife\fP \fImaxlife\fP
-maximum ticket life for the principal
-.TP
-\fB\-maxrenewlife\fP \fImaxrenewlife\fP
-maximum renewable life of tickets for the principal
-.TP
-\fB\-kvno\fP \fIkvno\fP
-explicitly set the key version number.
-.TP
-\fB\-policy\fP \fIpolicy\fP
-policy used by this principal. If no policy is supplied, then if the
-policy "default" exists and the -clearpolicy is not also specified,
-then the policy "default" is used; otherwise, the principal
-will have no policy, and a warning message will be printed.
-.TP
-\fB\-clearpolicy\fP
-.B -clearpolicy
-prevents the policy "default" from being assigned when
-.B -policy
-is not specified. This option has no effect if the policy "default"
-does not exist.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
-.B -allow_postdated
-prohibits this principal from obtaining postdated tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_POSTDATED
-flag.)
-.B +allow_postdated
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
-.B -allow_forwardable
-prohibits this principal from obtaining forwardable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_FORWARDABLE
-flag.)
-.B +allow_forwardable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
-.B -allow_renewable
-prohibits this principal from obtaining renewable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_RENEWABLE
-flag.)
-.B +allow_renewable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
-.B -allow_proxiable
-prohibits this principal from obtaining proxiable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_PROXIABLE
-flag.)
-.B +allow_proxiable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
-.B -allow_dup_skey
-Disables user-to-user authentication for this principal by prohibiting
-this principal from obtaining a session key for another user. (Sets the
-.SM KRB5_KDB_DISALLOW_DUP_SKEY
-flag.)
-.B +allow_dup_skey
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
-.B +requires_preauth
-requires this principal to preauthenticate before being allowed to
-kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_PRE_AUTH
-flag.)
-.B -requires_preauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-.B +requires_hwauth
-requires this principal to preauthenticate using a hardware device
-before being allowed to kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_HW_AUTH
-flag.)
-.B -requires_hwauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
-.B +ok_as_delegate
-sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
-as the service, which clients may use as a hint that credentials can and
-should be delegated when authenticating to the service. (Sets the
-.SM KRB5_KDB_OK_AS_DELEGATE
-flag.)
-.B -ok_as_delegate
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
-.B -allow_svr
-prohibits the issuance of service tickets for this principal. (Sets the
-.SM KRB5_KDB_DISALLOW_SVR
-flag.)
-.B +allow_svr
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
-.B \-allow_tgs_req
-specifies that a Ticket-Granting Service (TGS) request for a service
-ticket for this principal is not permitted. This option is useless for
-most things.
-.B +allow_tgs_req
-clears this flag. The default is
-.BR +allow_tgs_req .
-In effect,
-.B \-allow_tgs_req
-sets the
-.SM KRB5_KDB_DISALLOW_TGT_BASED
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
-.B \-allow_tix
-forbids the issuance of any tickets for this principal.
-.B +allow_tix
-clears this flag. The default is
-.BR +allow_tix .
-In effect,
-.B \-allow_tix
-sets the
-.SM KRB5_KDB_DISALLOW_ALL_TIX
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBneedchange\fP
-.B +needchange
-sets a flag in attributes field to force a password change;
-.B \-needchange
-clears it. The default is
-.BR \-needchange .
-In effect,
-.B +needchange
-sets the
-.SM KRB5_KDB_REQUIRES_PWCHANGE
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
-.B +password_changing_service
-sets a flag in the attributes field marking this as a password change
-service principal (useless for most things).
-.B \-password_changing_service
-clears the flag. This flag intentionally has a long name. The default
-is
-.BR \-password_changing_service .
-In effect,
-.B +password_changing_service
-sets the
-.SM KRB5_KDB_PWCHANGE_SERVICE
-flag on the principal in the database.
-.TP
-.B \-randkey
-sets the key of the principal to a random value
-.TP
-\fB\-pw\fP \fIpassword\fP
-sets the key of the principal to the specified string and does not
-prompt for a password. Note: using this option in a shell script can
-be dangerous if unauthorized users gain read access to the script.
-.TP
-\fB\-e\fP \fI"enc:salt ..."\fP
-uses the specified list of enctype\-salttype pairs for setting the key
-of the principal. The quotes are necessary if there are multiple
-enctype\-salttype pairs. This will not function against kadmin
-daemons earlier than krb5\-1.2.
-.nf
-.TP
-EXAMPLE:
-kadmin: addprinc tlyu/admin
-WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
-defaulting to no policy.
-Enter password for principal tlyu/admin@BLEEP.COM:
-Re-enter password for principal tlyu/admin@BLEEP.COM:
-Principal "tlyu/admin@BLEEP.COM" created.
-kadmin:
-
-kadmin: addprinc \-x dn=cn=mwm_user,o=org mwm_user
-WARNING: no policy specified for "mwm_user@BLEEP.COM";
-defaulting to no policy.
-Enter password for principal mwm_user@BLEEP.COM:
-Re-enter password for principal mwm_user@BLEEP.COM:
-Principal "mwm_user@BLEEP.COM" created.
-kadmin:
-
-.TP
-ERRORS:
-KADM5_AUTH_ADD (requires "add" privilege)
-KADM5_BAD_MASK (shouldn't happen)
-KADM5_DUP (principal exists already)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_PASS_Q_* (password quality violations)
-.fi
-.RE
-.TP
-\fBdelete_principal\fP [\fB-force\fP] \fIprincipal\fP
-deletes the specified principal from the database. This command prompts
-for deletion, unless the
-.B -force
-option is given. This command requires the
-.I delete
-privilege. Aliased
-to
-.BR delprinc.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: delprinc mwm_user
-Are you sure you want to delete the principal
-"mwm_user@BLEEP.COM"? (yes/no): yes
-Principal "mwm_user@BLEEP.COM" deleted.
-Make sure that you have removed this principal from
-all ACLs before reusing.
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_DELETE (requires "delete" privilege)
-KADM5_UNK_PRINC (principal does not exist)
-.RE
-.fi
-.TP
-\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
-modifies the specified principal, changing the fields as specified. The
-options are as above for
-.BR add_principal ,
-except that password changing and flags related to password changing
-are forbidden by this command. In addition, the option
-.B \-clearpolicy
-will clear the current policy of a principal. This command requires the
-.I modify
-privilege. Aliased to
-.BR modprinc .
-.RS
-.TP
-\fB\-x\fP \fIdb_princ_args\fP
-Denotes the database specific options. The options for LDAP database are:
-.RS
-.TP
-\-x tktpolicy=<policy>
-Associates a ticket policy to the Kerberos principal.
-.TP
-\-x linkdn=<dn>
-.fi
-Associates a Kerberos principal with a LDAP object. This option is honored only
-if the Kerberos principal is not already associated with a LDAP object.
-.RE
-.TP
-.B \-unlock
-Unlocks a locked principal (one which has received too many failed
-authentication attempts without enough time between them according to
-its password policy) so that it can successfully authenticate.
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires "modify" privilege)
-KADM5_UNK_PRINC (principal does not exist)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_BAD_MASK (shouldn't happen)
-.RE
-.fi
-.TP
-\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
-changes the password of
-.IR principal .
-Prompts for a new password if neither
-.B \-randkey
-or
-.B \-pw
-is specified. Requires the
-.I changepw
-privilege, or that the principal that is running the program to be the
-same as the one changed. Aliased to
-.BR cpw .
-The following options are available:
-.RS
-.TP
-.B \-randkey
-sets the key of the principal to a random value
-.TP
-\fB\-pw\fP \fIpassword\fP
-set the password to the specified string. Not recommended.
-.TP
-\fB\-e\fP \fI"enc:salt ..."\fP
-uses the specified list of enctype\-salttype pairs for setting the key
-of the principal. The quotes are necessary if there are multiple
-enctype\-salttype pairs. This will not function against kadmin
-daemons earlier than krb5\-1.2.
-.TP
-\fB\-keepold \fP
-Keeps the previous kvno's keys around. This flag is usually not
-necessary except perhaps for TGS keys. Don't use this flag unless you
-know what you're doing. This option is not supported for the LDAP database.
-.nf
-.TP
-EXAMPLE:
-kadmin: cpw systest
-Enter password for principal systest@BLEEP.COM:
-Re-enter password for principal systest@BLEEP.COM:
-Password for systest@BLEEP.COM changed.
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires the modify privilege)
-KADM5_UNK_PRINC (principal does not exist)
-KADM5_PASS_Q_* (password policy violation errors)
-KADM5_PADD_REUSE (password is in principal's password
-history)
-KADM5_PASS_TOOSOON (current password minimum life not
-expired)
-.RE
-.fi
-.TP
-\fBpurgekeys\fP [\fB-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
-purges previously retained old keys (e.g., from
-.B change_password
-.BR -keepold )
-from
-.IR principal .
-If
-.B -keepkvno
-is specified, then only purges keys with kvnos lower than
-.IR oldest_kvno_to_keep .
-.fi
-.TP
-\fBget_principal\fP [\fB-terse\fP] \fIprincipal\fP
-gets the attributes of
-.IR principal .
-Requires the
-.I inquire
-privilege, or that the principal that is running the the program to be
-the same as the one being listed. With the
-.B \-terse
-option, outputs fields as quoted tab-separated strings. Alias
-.BR getprinc .
-.sp
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, DES cbc mode with CRC-32, no salt
-Key: vno 1, DES cbc mode with CRC-32, Version 4
-Attributes:
-Policy: [none]
-kadmin: getprinc -terse systest
-systest@BLEEP.COM 3 86400 604800 1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM 786100034 0 0
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_GET (requires the get (inquire) privilege)
-KADM5_UNK_PRINC (principal does not exist)
-.RE
-.fi
-.TP
-\fBlist_principals\fP [\fIexpression\fP]
-Retrieves all or some principal names.
-.I Expression
-is a shell-style glob expression that can contain the wild-card
-characters \&?, *, and []'s. All principal names matching the
-expression are printed. If no expression is provided, all principal
-names are printed. If the expression does not contain an "@" character,
-an "@" character followed by the local realm is appended to the
-expression. Requires the
-.I list
-privilege. Alias
-.BR listprincs ,
-.BR get_principals ,
-.BR get_princs .
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
-.RE
-.fi
-.TP
-\fBget_strings\fP \fIprincipal\fP
-displays string attributes on
-.IR principal .
-String attributes are used to supply per-principal configuration to
-some KDC plugin modules. Alias
-.BR getstrs .
-.fi
-.TP
-\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
-sets a string attribute on
-.IR principal .
-Alias
-.BR setstr .
-.fi
-.TP
-\fBdel_string\fP \fIprincipal\fP \fIkey\fP
-deletes a string attribute from
-.IR principal .
-Alias
-.BR delstr .
-.fi
-.TP
-\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
-adds the named policy to the policy database. Requires the
-.I add
-privilege. Aliased to
-.BR addpol .
-The following options are available:
-.RS
-.TP
-\fB\-maxlife\fP \fItime\fP
-sets the maximum lifetime of a password
-.TP
-\fB\-minlife\fP \fItime\fP
-sets the minimum lifetime of a password
-.TP
-\fB\-minlength\fP \fIlength\fP
-sets the minimum length of a password
-.TP
-\fB\-minclasses\fP \fInumber\fP
-sets the minimum number of character classes allowed in a password
-.TP
-\fB\-history\fP \fInumber\fP
-sets the number of past keys kept for a principal. This option is not supported for LDAP database
-.TP
-\fB\-maxfailure\fP \fImaxnumber\fP
-sets the maximum number of authentication failures before the
-principal is locked. Authentication failures are only tracked for
-principals which require preauthentication.
-.TP
-\fB\-failurecountinterval\fP \fIfailuretime\fP
-sets the allowable time between authentication failures. If an
-authentication failure happens after \fIfailuretime\fP has elapsed
-since the previous failure, the number of authentication failures is
-reset to 1. A failure count interval of 0 means forever.
-.TP
-\fB\-lockoutduration\fP \fIlockouttime\fP
-sets the duration for which the principal is locked from
-authenticating if too many authentication failures occur without the
-specified failure count interval elapsing. A duration of 0 means
-forever.
-.sp
-.nf
-.TP
-EXAMPLES:
-kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_ADD (requires the add privilege)
-KADM5_DUP (policy already exists)
-.fi
-.RE
-.TP
-\fBdelete_policy [\-force]\fP \fIpolicy\fB
-deletes the named policy. Prompts for confirmation before deletion.
-The command will fail if the policy is in use by any principals.
-Requires the
-.I delete
-privilege. Alias
-.BR delpol .
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: del_policy guests
-Are you sure you want to delete the policy "guests"?
-(yes/no): yes
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_DELETE (requires the delete privilege)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_POLICY_REF (reference count on policy is not zero)
-.RE
-.fi
-.TP
-\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
-modifies the named policy. Options are as above for
-.BR add_policy .
-Requires the
-.I modify
-privilege. Alias
-.BR modpol .
-.sp
-.nf
-.RS
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires the modify privilege)
-KADM5_UNK_POLICY (policy does not exist)
-.RE
-.fi
-.TP
-\fBget_policy\fP [\fB\-terse\fP] \fIpolicy\fP
-displays the values of the named policy. Requires the
-.I inquire
-privilege. With the
-.B \-terse
-flag, outputs the fields as quoted strings separated by tabs. Alias
-.BR getpol .
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: get_policy admin
-Policy: admin
-Maximum password life: 180 days 00:00:00
-Minimum password life: 00:00:00
-Minimum password length: 6
-Minimum number of password character classes: 2
-Number of old keys kept: 5
-Reference count: 17
-kadmin: get_policy -terse admin
-admin 15552000 0 6 2 5 17
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_GET (requires the get privilege)
-KADM5_UNK_POLICY (policy does not exist)
-.RE
-.fi
-.TP
-\fBlist_policies\fP [\fIexpression\fP]
-Retrieves all or some policy names.
-.I Expression
-is a shell-style glob expression that can contain the wild-card
-characters \&?, *, and []'s. All policy names matching the expression
-are printed. If no expression is provided, all existing policy names
-are printed. Requires the
-.I list
-privilege. Alias
-.BR listpols ,
-.BR get_policies ,
-.BR getpols .
-.sp
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: listpols
-test-pol
-dict-only
-once-a-min
-test-pol-nopw
-kadmin: listpols t*
-test-pol
-test-pol-nopw
-kadmin:
-.RE
-.fi
-.TP
-\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
-.br
-[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
-.br
-Adds a principal or all principals matching
-.I princ-exp
-to a keytab.
-It randomizes each principal's key in the process, to prevent a
-compromised admin account from reading out all of the keys from the
-database. However,
-.B kadmin.local
-has the
-.B \-norandkey
-option, which leaves the keys and their version numbers unchanged,
-similar to the Kerberos V4
-.B ext_srvtab
-command.
-That allows users to continue to use the passwords they know
-to login normally, while simultaneously allowing scripts
-to login to the same account using a keytab.
-There is no significant security risk added since
-.B kadmin.local
-must be run by root on the KDC anyway.
-.sp
-Requires the
-.I inquire
-and
-.I changepw
-privileges. An entry for each of the principal's unique encryption types
-is added, ignoring multiple keys with the same encryption type but
-different salt types. If the
-.B \-k
-argument is not specified, the default keytab
-.I /etc/krb5.keytab
-is used. If the
-.B \-q
-option is specified, less verbose status information is displayed.
-.sp
-The
-.B -glob
-option requires the
-.I list
-privilege.
-.I princ-exp
-follows the same rules described for the
-.B list_principals
-command.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
-Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:/tmp/foo-new-keytab
-kadmin:
-.RE
-.fi
-.TP
-\fBktremove\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] \fIprincipal\fP [\fIkvno\fP | \fBall\fP | \fBold\fP]
-Removes entries for the specified principal from a keytab. Requires no
-permissions, since this does not require database access. If the string
-"all" is specified, all entries for that principal are removed; if the
-string "old" is specified, all entries for that principal except those
-with the highest kvno are removed. Otherwise, the value specified is
-parsed as an integer, and all entries whose kvno match that integer are
-removed. If the
-.B \-k
-argument is not specified, the default keytab
-.I /etc/krb5.keytab
-is used. If the
-.B \-q
-option is specified, less verbose status information is displayed.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
-Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
-kadmin:
-.RE
-.fi
-.SH FILES
-.TP "\w'<dbname>.kadm5.lock\ \ 'u"
-principal.db
-default name for Kerberos principal database
-.TP
-<dbname>.kadm5
-KADM5 administrative database. (This would be "principal.kadm5", if you
-use the default database name.) Contains policy information.
-.TP
-<dbname>.kadm5.lock
-lock file for the KADM5 administrative database. This file works
-backwards from most other lock files. I.e.,
-.B kadmin
-will exit with an error if this file does
-.I not
-exist.
-.TP
-.B Note:
-The above three files are specific to db2 database.
-.TP
-kadm5.acl
-file containing list of principals and their
-.B kadmin
-administrative privileges. See
-.IR kadmind (8)
-for a description.
-.TP
-kadm5.keytab
-keytab file for
-.I kadmin/admin
-principal.
-.TP
-kadm5.dict
-file containing dictionary of strings explicitly disallowed as
-passwords.
-.SH HISTORY
-The
-.B kadmin
-program was originally written by Tom Yu at MIT, as an interface to the
-OpenVision Kerberos administration program.
-.SH SEE ALSO
-.IR kerberos (1),
-.IR kpasswd (1),
-.IR kadmind (8)
-.SH BUGS
-.PP
-Command output needs to be cleaned up.
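Review bot: before the kadmin page is dropped, confirm that the RST source in src/man/ preserves the security caveats this text carries, in particular the ktadd paragraph explaining that keys are randomized on extraction so that a compromised admin account cannot read every key out of the database, that -norandkey is available only in kadmin.local, and that -glob additionally requires the list privilege; the ktremove note that it needs no privilege because it touches only the keytab and never the database; and the add_policy notes that -history is unsupported for the LDAP database and that -maxfailure, -failurecountinterval and -lockoutduration are tracked only for principals that require preauthentication, with 0 meaning forever for the last two. Two things not to carry over as-is: the delete_policy heading advertises a [-force] flag but the body only says it "Prompts for confirmation before deletion" and never says what -force does, and the FILES entry for kadm5.acl defers to kadmind(8) for the ACL syntax, which should be checked against where that syntax actually lives in the new documentation.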
diff --git a/src/kadmin/cli/kadmin.local.M b/src/kadmin/cli/kadmin.local.M
deleted file mode 100644
index 00df30db6f..0000000000
--- a/src/kadmin/cli/kadmin.local.M
+++ /dev/null
@@ -1 +0,0 @@
-.so man1/kadmin.1
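Review bot: this one-line file is a .so alias that made `man kadmin.local` resolve to the kadmin page, so the new man page build needs to install an equivalent kadmin.local page (or a link/alias to kadmin), otherwise the command loses its manual entry entirely. Note also that the alias points at man1/kadmin.1 while the SEE ALSO lists in the other pages removed in this commit cite kadmin(8); pick one section for kadmin in the generated pages and make the cross-references agree with it.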
diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M
deleted file mode 100644
index b834a225ac..0000000000
--- a/src/kadmin/dbutil/kdb5_util.M
+++ /dev/null
@@ -1,276 +0,0 @@
-.TH KDB5_UTIL 8
-.SH NAME
-kdb5_util \- Kerberos database maintenance utility
-.SH SYNOPSIS
-.B kdb5_util
-[\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP]
-[\fB\-k\fP\ \fImkeytype\fP] [\fB\-M\fP\ \fImkeyname\fP]
-[\fB\-kv\fP\ \fImkeyVNO\fP]
-[\fB\-sf\fP\ \fIstashfilename\fP]
-[\fB\-m\fP]
-.I command
-.I [command_options]
-.SH DESCRIPTION
-.B kdb5_util
-allows an administrator to perform low-level maintenance procedures on
-the Kerberos and KADM5 database. Databases can be created, destroyed,
-and dumped to and loaded from
-.SM ASCII
-files. Additionally,
-.B kdb5_util
-can create a Kerberos master key stash file.
-.B kdb5_util
-subsumes the functionality of and makes obsolete the previous database
-maintenance programs
-.BR kdb5_create ,
-.BR kdb5_edit ,
-.BR kdb5_destroy ,
-and
-.BR kdb5_stash .
-.PP
-When
-.B kdb5_util
-is run, it attempts to acquire the master key and open the database.
-However, execution continues regardless of whether or not
-.B kdb5_util
-successfully opens the database, because the database may not exist yet
-or the stash file may be corrupt.
-.PP
-Note that some KDB plugins may not support all
-.B kdb5_util
-commands.
-.SH COMMAND-LINE OPTIONS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-d\fP\ \fIdbname\fP
-specifies the name under which the principal database is stored; by
-default the database is that listed in
-.IR kdc.conf (5).
-The KADM5 policy database and lock file are also derived from this
-value.
-.TP
-\fB\-k\fP\ \fImkeytype\fP
-specifies the key type of the master key in the database; the default is
-that given in
-.IR kdc.conf .
-.TP
-\fB\-kv\fP\ \fImkeyVNO\fP
-Specifies the version number of the master key in the database; the default is
-1. Note that 0 is not allowed.
-.TP
-\fB\-M\fP\ \fImkeyname\fP
-principal name for the master key in the database; the default is
-that given in
-.IR kdc.conf .
-.TP
-.B \-m
-specifies that the master database password should be read from the TTY
-rather than fetched from a file on disk.
-.TP
-\fB\-sf\fP \fIstash_file\fP
-specifies the stash file of the master database password.
-.TP
-\fB\-P\fP \fIpassword\fP
-specifies the master database password. This option is not recommended.
-.SH COMMANDS
-.TP
-\fBcreate\fP [\fB\-s\fP]
-Creates a new database. If the
-.B \-s
-option is specified, the stash file is also created. This command fails
-if the database already exists. If the command is successful, the
-database is opened just as if it had already existed when the program
-was first run.
-.TP
-\fBdestroy\fP [\fB\-f\fP]
-Destroys the database, first overwriting the disk sectors and then
-unlinking the files, after prompting the user for confirmation. With
-the
-.B \-f
-argument, does not prompt the user.
-.TP
-\fBstash\fP [\fB\-f\fP\ \fIkeyfile\fP]
-Stores the master principal's keys in a stash file. The
-.B \-f
-argument can be used to override the keyfile specified at startup.
-.TP
-\fBdump\fP [\fB\-old\fP|\fB-b6\fP|\fB-b7\fP|\fB-ov\fP|\fB-r13\fP]
-[\fB\-verbose\fP] [\fB\-mkey_convert\fP]
-[\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP]
-[\fIfilename\fP [\fIprincipals...\fP]]
-.br
-Dumps the current Kerberos and KADM5 database into an ASCII file. By
-default, the database is dumped in current format, "kdb5_util
-load_dump version 6". If
-.I filename
-is not specified, or is the string "\-", the dump is sent to standard
-output. Options:
-.RS
-.TP
-.B \-old
-causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format
-("kdb5_edit load_dump version 2.0").
-.TP
-.B \-b6
-causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
-load_dump version 3.0").
-.TP
-.B \-b7
-causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2.
-.TP
-.B \-ov
-causes the dump to be in
-.I ovsec_adm_export
-format.
-.TP
-.B \-r13
-causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8.
-.TP
-.B \-verbose
-causes the name of each principal and policy to be printed as it is
-dumped.
-.TP
-.B \-mkey_convert
-prompts for a new master key. This new master key will be used to
-re-encrypt the key data in the dumpfile. The key data in the database
-will not be changed.
-.TP
-.B \-new_mkey_file \fImkey_file\fP
-the filename of a stash file. The master key in this stash file will
-be used to re-encrypt the key data in the dumpfile. The key data in
-the database will not be changed.
-.TP
-.B \-rev
-dumps in reverse order. This may recover principals that do not dump
-normally, in cases where database corruption has occurred.
-.TP
-.B \-recurse
-causes the dump to walk the database recursively (btree only). This
-may recover principals that do not dump normally, in cases where
-database corruption has occurred. In cases of such corruption, this
-option will probably retrieve more principals than the \fB\-rev\fP
-option will.
-.RE
-.TP
-\fBload\fP \fB\-old\fP|\fB-b6\fP|\fB-b7\fP|\fB-ov\fP|\fB-r13\fP] [\fB\-hash\fP]
-[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename dbname\fP
-.br
-Loads a database dump from the named file into the named database.
-Unless the
-.B \-old
-or
-.B \-b6
-option is given, the format of the dump file is detected
-automatically and handled as appropriate. Unless the
-.B \-update
-option is given,
-.B load
-creates a new database containing only the principals in the dump file,
-overwriting the contents of any previously existing database. Note that
-when using the LDAP KDB plugin the
-.B \-update
-must be given. Options:
-.RS
-.TP
-.B \-old
-requires the database to be in the Kerberos 5 Beta 5 and earlier format
-("kdb5_edit load_dump version 2.0").
-.TP
-.B \-b6
-requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit
-load_dump version 3.0").
-.TP
-.B \-b7
-requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util
-load_dump version 4").
-.TP
-.B \-ov
-requires the database to be in
-.I ovsec_adm_import
-format. Must be used with the
-.B \-update
-option.
-.TP
-.B \-hash
-requires the database to be stored as a hash. If this option is not
-specified, the database will be stored as a btree. This option
-is not recommended, as databases stored in hash format are known to
-corrupt data and lose principals.
-.TP
-.B \-verbose
-causes the name of each principal and policy to be printed as it is
-dumped.
-.TP
-.B \-update
-records from the dump file are added to or updated in the existing
-database; otherwise, a new database is created containing only what is
-in the dump file and the old one destroyed upon successful completion.
-.TP
-.B dbname
-is required and overrides the value specified on the command line or the
-default.
-.RE
-.TP
-\fBark\fP
-Adds a random key.
-.TP
-\fBadd_mkey\fP [\fB\-e etype\fP] [\fB\-s\fP]
-Adds a new master key to the K/M (master key) principal. Existing master keys will remain.
-The
-.B \-e etype
-option allows specification of the enctype of the new master key. The
-.B \-s
-option stashes the new master key in a local stash file which will be created if it doesn't already exist.
-.TP
-\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP]
-Sets the activation time of the master key specified by
-.B mkeyVNO.
-Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when the principal keys change, are newly created or when the update_princ_encryption command is run. If the
-.B time
-argument is provided then that will be the activation time otherwise the current time is used by default. The format of the optional
-.B time
-argument is that specified in the Time Formats section of the kadmin man page.
-.TP
-\fBlist_mkeys\fP
-List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key.
-.TP
-\fBpurge_mkeys\fP [\fB-f\fP] [\fB-n\fP] [\fB-v\fP]
-Delete master keys from the K/M principal that are not used to protect any principals. This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key.
-.TP
-.B \-f
-does not prompt user.
-.TP
-.B \-n
-do a dry run, shows master keys that would be purged, does not actually purge any keys.
-.TP
-.B \-v
-verbose output.
-.TP
-\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP]
-Update all principal records (or only those matching the
-.B princ\-pattern
-glob pattern) to re-encrypt the key data using the active
-database master key, if they are encrypted using older versions,
-and give a count at the end of the number of principals updated.
-If the
-.B \-f
-option is not given, ask for confirmation before starting to make
-changes. The
-.B \-v
-option causes each principal processed (each one matching the pattern)
-to be listed, and an indication given as to whether it needed updating
-or not.
-The
-.B \-n
-option causes the actions not to be taken, only the normal or verbose
-status messages displayed; this implies
-.B \-f
-since no database changes will be performed and thus there's little
-reason to seek confirmation.
-.SH SEE ALSO
-kadmin(8)
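Review bot: the -P password option is documented under COMMAND-LINE OPTIONS ("This option is not recommended") but is missing from the SYNOPSIS at the top of the page, and the load synopsis is missing the opening bracket before -old; if the RST page was derived from this text, check that both were fixed rather than copied, and consider stating in the RST version why a password argument is discouraged. Caveats worth verifying in the replacement: -hash "is not recommended, as databases stored in hash format are known to corrupt data and lose principals"; dump -mkey_convert and -new_mkey_file re-encrypt only the dump ("The key data in the database will not be changed"); load without -update replaces the existing database, and -update is mandatory with the LDAP plugin and with -ov; -kv 0 is not allowed. Finally, ark is described only as "Adds a random key", which says nothing about what it operates on; the RST version should either document it properly or drop it.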
diff --git a/src/kadmin/ktutil/ktutil.M b/src/kadmin/ktutil/ktutil.M
deleted file mode 100644
index 7086a5a162..0000000000
--- a/src/kadmin/ktutil/ktutil.M
+++ /dev/null
@@ -1,67 +0,0 @@
-.TH KTUTIL 1
-.SH NAME
-ktutil \- Kerberos keytab file maintenance utility
-.SH SYNOPSIS
-.B ktutil
-.SH DESCRIPTION
-The
-.B ktutil
-command invokes a subshell from which an administrator can read, write,
-or edit entries in a Kerberos V5 keytab or V4 srvtab file.
-.SH COMMANDS
-.TP
-.B list
-Displays the current keylist. Alias:
-.BR l .
-.TP
-\fBread_kt\fP \fIkeytab\fP
-Read the Kerberos V5 keytab file
-.I keytab
-into the current keylist. Alias:
-.B rkt
-.TP
-\fBread_st\fP \fIsrvtab\fP
-Read the Kerberos V4 srvtab file
-.I srvtab
-into the current keylist. Alias:
-.BR rst .
-.TP
-\fBwrite_kt\fP \fIkeytab\fP
-Write the current keylist into the Kerberos V5 keytab file
-.IR keytab .
-Alias:
-.BR wkt .
-.TP
-\fBwrite_st\fP \fIsrvtab\fP
-Write the current keylist into the Kerberos V4 srvtab file
-.IR srvtab .
-Alias:
-.BR wst .
-.TP
-.B clear_list
-Clear the current keylist. Alias:
-.BR clear .
-.TP
-\fBdelete_entry\fP \fIslot\fP
-Delete the entry in slot number
-.I slot
-from the current keylist. Alias:
-.BR delent .
-.TP
-\fBadd_entry\fP (\-key | \-password) \-p \fIprincipal\fP \-k \fIkvno\fP \-e \fIenctype\fP
-Add principal to keylist using key or password. Alias:
-.BR addent .
-.TP
-.BR list_requests
-Displays a listing of available commands. Aliases:
-.BR lr ,
-.BR ? .
-.TP
-.B quit
-Quits
-.BR ktutil .
-Aliases:
-.BR exit ,
-.BR q .
-.SH SEE ALSO
-kadmin(8), kdb5_util(8)
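Review bot: the add_entry synopsis lists (-key | -password) -p principal -k kvno -e enctype, but the description is a single sentence ("Add principal to keylist using key or password"), so the RST replacement should say what -p, -k and -e take and how -key and -password differ in what the user is prompted for; the deleted page also never says whether write_kt replaces or appends to an existing keytab file, which matters when the tool is used to rotate service keys, and the new page should settle that. The SEE ALSO here cites kadmin(8), whereas the kadmin.local alias removed in this same commit pointed at man1; keep the section consistent across the generated pages.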
diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M
deleted file mode 100644
index 83c67ec3eb..0000000000
--- a/src/kadmin/server/kadmind.M
+++ /dev/null
@@ -1,281 +0,0 @@
-.TH KADMIND 8
-.SH NAME
-kadmind \- KADM5 administration server
-.SH SYNOPSIS
-.B kadmind
-[\fB\-x\fP \fIdb_args\fP] [\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP
-\fIport-number\fP]
- [\fB\-P\fP \fIpid_file\fP]
-.SH DESCRIPTION
-This command starts the KADM5 administration server. If the database is db2,
-the administration server runs on the master Kerberos server, which stores the KDC
-principal database and the KADM5 policy database. If the database is LDAP,
-the administration server and the KDC server need not run on the same machine.
-.B Kadmind
-accepts remote requests to administer the information in these
-databases. Remote requests are sent, for example, by
-.IR kadmin (8)
-and the
-.IR kpasswd (1)
-command, both of which are clients of
-.BR kadmind .
-.PP
-.B kadmind
-requires a number of configuration files to be set up in order
-for it to work:
-.TP "\w'kdc.conf\ \ 'u"
-kdc.conf
-The KDC configuration file contains configuration information for the KDC
-and the KADM5 system.
-.B Kadmind
-understands a number of variable settings in this file, some of which are
-mandatory and some of which are optional. See the CONFIGURATION VALUES
-section below.
-.TP
-ACL file
-.BR Kadmind 's
-ACL (access control list) tells it which principals are allowed to
-perform KADM5 administration actions. The path of the ACL file is
-specified via the acl_file configuration variable (see CONFIGURATION
-VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX
-section below.
-.PP
-After the server begins running, it puts itself in the background and
-disassociates itself from its controlling terminal.
-.PP
-kadmind can be configured for incremental database propagation.
-Incremental propagation allows slave KDC servers to receive principal
-and policy updates incrementally instead of receiving full dumps of
-the database. This facility can be enabled in the
-.I kdc.conf
-file with the
-.I iprop_enable
-option. See the
-.I kdc.conf
-documentation for other options for tuning incremental propagation
-parameters. Incremental propagation requires the principal
-"kiprop/MASTER@REALM" (where MASTER is the master KDC's canonical host
-name, and REALM the realm name) to be registered in the database.
-
-.SH OPTIONS
-.TP
-\fB\-x\fP \fIdb_args\fP
-specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.sp
-.nf
-.RS 12
-\-x nconns=<number_of_connections>
-.fi
-specifies the number of connections to be maintained per LDAP server.
-
-.nf
-\-x host=<ldapuri>
-specifies the LDAP server to connect to by a LDAP URI.
-
-\-x binddn=<binddn>
-.fi
-specifies the DN of the object used by the administration server to bind to the LDAP server.
-This object should have the read and write rights on the realm container, principal container
-and the subtree that is referenced by the realm.
-
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.fi
-.TP
-\fB\-r\fP \fIrealm\fP
-specifies the default realm that kadmind will serve; if it is not
-specified, the default realm of the host is used.
-.B kadmind
-will answer requests for any realm that exists in the local KDC database
-and for which the appropriate principals are in its keytab.
-.TP
-.B \-m
-specifies that the master database password should be fetched from the
-keyboard rather than from a file on disk. Note that the server gets the
-password prior to putting itself in the background; in combination with
-the -nofork option, you must place it in the background by hand.
-.TP
-.B \-nofork
-specifies that the server does not put itself in the background and does
-not disassociate itself from the terminal. In normal operation, you
-should always allow the server place itself in the background.
-.TP
-\fB\-port\fP \fIport-number\fB
-specifies the port on which the administration server listens for
-connections. The default is is controlled by the
-.I kadmind_port
-configuration variable (see below).
-.TP
-\fB\-P\fP \fIpid_file\fP
-specifies the file to which the PID of
-.B kadmind
-process should be written to after it starts up. This can be used to
-identify whether
-.B kadmind
-is still running and to allow init scripts to stop the correct process.
-.SH CONFIGURATION VALUES
-.PP
-In addition to the relations defined in kdc.conf(5), kadmind
-understands the following relations, all of which should
-appear in the [realms] section:
-.TP
-acl_file
-The path of kadmind's ACL file. Mandatory. No default.
-.TP
-dict_file
-The path of kadmind's password dictionary. A principal with any
-password policy will not be allowed to select any password in the
-dictionary. Optional. No default.
-.TP
-kadmind_port
-The
-.SM TCP
-port on which
-.B kadmind
-will listen. The default is 749.
-.SH ACL FILE SYNTAX
-.PP
-The ACL file controls which principals can or cannot perform which
-administrative functions. For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals. This file can contain comment lines, null lines or lines
-which contain ACL entries. Comment lines start with the sharp sign
-(\fB\&#\fP) and continue until the end of the line. Lines containing ACL
-entries have the format of
-.B principal
-.I whitespace
-.B operation-mask
-[\fIwhitespace\fP \fBoperation-target\fP]
-.PP
-Ordering is important. The first matching entry is the one which will
-control access for a particular principal on a particular principal.
-.PP
-.IP principal
-may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using
-the asterisk (
-.B *
-) character.
-.IP operation-target
-[Optional] may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using the
-asterisk (
-.B *
-) character.
-.IP operation-mask
-Specifies what operations may or may not be performed by a principal
-matching a particular entry. This is a string of one or more of the
-following list of characters or their upper-case counterparts. If the
-character is upper-case, then the operation is disallowed. If the
-character is lower-case, then the operation is permitted.
-.RS
-.TP 5
-.B a
-[Dis]allows the addition of principals or policies in the database.
-.sp -1v
-.TP
-.B d
-[Dis]allows the deletion of principals or policies in the database.
-.sp -1v
-.TP
-.B m
-[Dis]allows the modification of principals or policies in the database.
-.sp -1v
-.TP
-.B c
-[Dis]allows the changing of passwords for principals in the database.
-.sp -1v
-.TP
-.B i
-[Dis]allows inquiries to the database.
-.sp -1v
-.TP
-.B l
-[Dis]allows the listing of principals or policies in the database.
-.sp -1v
-.TP
-.B p
-[Dis]allows the propagation of the principal database.
-.sp -1v
-.TP
-.B x
-Short for
-.IR admcil .
-.sp -1v
-.TP
-.B \&*
-Same as
-.BR x .
-.RE
-Some examples of valid entries here are:
-.TP
-.I user/instance@realm adm
-A standard fully qualified name. The
-.B operation-mask
-only applies to this principal and specifies that [s]he may add,
-delete or modify principals and policies, but not change anybody
-else's password.
-.TP
-.I user/instance@realm cim service/instance@realm
-A standard fully qualified name and a standard fully qualified target. The
-.B operation-mask
-only applies to this principal operating on this target and specifies that
-[s]he may change the target's password, request information about the
-target and modify it.
-.TP
-.I user/*@realm ac
-A wildcarded name. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may add principals and change
-anybody's password.
-.TP
-.I user/*@realm i */instance@realm
-A wildcarded name and target. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may perform
-inquiries on principals whose second component is "instance" and realm
-is "realm".
-.SH FILES
-.TP "\w'<dbname>.kadm5.lock\ 'u"
-principal.db
-default name for Kerberos principal database
-.TP
-<dbname>.kadm5
-KADM5 administrative database. (This would be "principal.kadm5", if you
-use the default database name.) Contains policy information.
-.TP
-<dbname>.kadm5.lock
-lock file for the KADM5 administrative database. This file works
-backwards from most other lock files. I.e.,
-.B kadmin
-will exit with an error if this file does
-.I not
-exist.
-.TP
-.B Note:
-The above three files are specific to db2 database.
-.TP
-kadm5.acl
-file containing list of principals and their
-.B kadmin
-administrative privileges. See above for a description.
-.TP
-kadm5.keytab
-keytab file for
-.I kadmin/admin
-principal.
-.TP
-kadm5.dict
-file containing dictionary of strings explicitly disallowed as
-passwords.
-.SH SEE ALSO
-kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8),
-kdb5_ldap_util(8)
-
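Review bot: three parts of this text need to survive in the new documentation: the -x bindpwd warning that the LDAP bind password should be stashed with the stashsrvpw command of kdb5_ldap_util rather than passed on the command line; the ACL FILE SYNTAX statement that "Ordering is important. The first matching entry is the one which will control access", which means a broad wildcard entry placed early shadows any more specific entry after it; and the definition of x (and *) as "admcil", i.e. without the p bit, so a * mask does not grant propagation. Two defects not to carry over: "The default is is controlled by" under -port, and "allow the server place itself in the background" under -nofork. The SEE ALSO also cites kadm5_export(8) and kadm5_import(8); confirm those pages still exist before reproducing that list in the RST source.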
diff --git a/src/kdc/krb5kdc.M b/src/kdc/krb5kdc.M
deleted file mode 100644
index 175f1aea31..0000000000
--- a/src/kdc/krb5kdc.M
+++ /dev/null
@@ -1,199 +0,0 @@
-.\" kdc/krb5kdc.M
-.\"
-.\" Copyright 1990, 2008 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KRB5KDC 8
-.SH NAME
-krb5kdc \- Kerberos V5 KDC
-.SH SYNOPSIS
-.B krb5kdc
-[
-.B \-x
-.I db_args
-] [
-.B \-d
-.I dbname
-] [
-.B \-k
-.I keytype
-] [
-.B \-M
-.I mkeyname
-] [
-.B \-p
-.I portnum
-] [
-.B \-m
-] [
-.B \-r
-.I realm
-] [
-.B \-n
-] [
-.B \-w
-.I numworkers
-] [
-.B \-P
-.I pid_file
-]
-.br
-.SH DESCRIPTION
-.I krb5kdc
-is the Kerberos version 5 Authentication Service and Key Distribution
-Center (AS/KDC).
-.PP
-The
-.B \-x
-.I db_args
-option specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.sp
-.nf
-.RS 8
-\-x nconns=<number_of_connections>
-.fi
-specifies the number of connections to be maintained per LDAP server.
-
-.nf
-\-x host=<ldapuri>
-specifies the LDAP server to connect to by a LDAP URI.
-
-\-x binddn=<binddn>
-.fi
-specifies the DN of the object used by the KDC server to bind to the LDAP server.
-This object should have the rights to read the realm container, principal container
-and the subtree that is referenced by the realm.
-
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.fi
-.PP
-The
-.B \-r
-.I realm
-option specifies the realm for which the server should provide service;
-by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database can be found; by
-default the database is in DEFAULT_DBM_FILE.
-This option does not apply to the LDAP database.
-.PP
-The
-.B \-k
-.I keytype
-option specifies the key type of the master key to be entered manually
-as a password when \-m is given; the default is "des\-cbc\-crc".
-.PP
-The
-.B \-M
-.I mkeyname
-option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (usually "K/M" in the KDC's realm).
-.PP
-The
-.B \-p
-.I portnum
-option specifies the default UDP port number which the KDC should listen on for
-Kerberos version 5 requests. This value is used when no port is specified in
-the KDC profile and when no port is specified in the Kerberos configuration
-file.
-If no value is available, then the value in /etc/services for service
-"kerberos" is used.
-.PP
-The
-.B \-m
-option specifies that the master database password should be fetched
-from the keyboard rather than from a file on disk.
-.PP
-The
-.B \-n
-option specifies that the KDC does not put itself in the background
-and does not disassociate itself from the terminal. In normal
-operation, you should always allow the KDC to place itself in
-the background.
-.PP
-The
-.B \-w
-.I numworkers
-option tells the KDC to fork
-.I numworkers
-processes to listen to the KDC ports and process requests in parallel.
-The top level KDC process (whose pid is recorded in the pid file if
-the
-.B \-P
-option is also given) acts as a supervisor. The supervisor will relay
-SIGHUP signals to the worker subprocesses, and will terminate the
-worker subprocess if the it is itself terminated or if any other
-worker process exits. NOTE: on operating systems which do not have
-pktinfo support, using worker processes will prevent the KDC from
-listening for UDP packets on network interfaces created after the KDC
-starts.
-.PP
-The
-.B \-P
-.I pid_file
-option tells the KDC to write its PID (followed by a newline) into
-.I pid_file
-after it starts up. This can be used to identify whether the KDC is still
-running and to allow init scripts to stop the correct process.
-.PP
-The KDC may service requests for multiple realms (maximum 32 realms). The
-realms are listed on the command line. Per-realm options that can be
-specified on the command line pertain for each realm that follows it and are
-superseded by subsequent definitions of the same option. For example,
-.PP
-.B krb5kdc
-.B \-p
-.I 2001
-.B \-r
-.I REALM1
-.B \-p
-.I 2002
-.B \-r
-.I REALM2
-.B \-r
-.I REALM3
-.PP
-specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for
-REALM2 and REALM3. Additionally, per-realm parameters may be specified in the
-.I kdc.conf
-file. The location of this file may be specified by the
-.I KRB5_KDC_PROFILE
-environment variable. Parameters specified in this file take precedence over
-options specified on the command line. See the
-.I kdc.conf(5)
-description for further details.
-.SH SEE ALSO
-krb5(3), kdb5_util(8), kdc.conf(5), kdb5_ldap_util(8)
-.SH BUGS
-
-It should fork and go into the background when it finishes reading the
-master password from the terminal.
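Review bot: Removing src/kdc/krb5kdc.M drops several pieces of operational guidance that should be verified as present in whatever page replaces it before this lands: the `-x bindpwd=` text that says the option "is recommended not to use" and that the password should instead be stashed with the stashsrvpw command of kdb5_ldap_util, the `-w numworkers` caveat that on systems without pktinfo support worker processes stop the KDC from listening on UDP interfaces created after startup, and the statement that kdc.conf parameters take precedence over command-line options. One item in the deleted text should not be carried forward verbatim: the `-k keytype` paragraph documents "des\-cbc\-crc" as the default master key type, and a single-DES default is not something the replacement page should still advertise without qualification. The deleted BUGS entry ("It should fork and go into the background when it finishes reading the master password") is also worth checking against the replacement so the known limitation is not silently lost.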
diff --git a/src/krb5-config.M b/src/krb5-config.M
deleted file mode 100644
index ccc869836f..0000000000
--- a/src/krb5-config.M
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" krb5-config.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KRB5-CONFIG 1
-.SH NAME
-krb5-config \- tool for linking against MIT Kerberos libraries
-.SH SYNOPSIS
-.B krb5-config
-[ \fB--help\fP | \fB--all\fP | \fB--version\fP | \fB--vendor\fP | \fB--prefix\fP |
-\fB--exec-prefix\fP | \fB--cflags\fP | \fB--libs\fP libraries ]
-.br
-.SH DESCRIPTION
-.I krb5-config
-tells the application programmer what special flags to use to compile
-and link programs against the installed Kerberos libraries.
-.SH OPTIONS
-.TP
-\fB\--help\fP
-print usage message. This is the default.
-.TP
-\fB\--all\fP
-prints version, vendor, prefix and exec-prefix.
-.TP
-\fB\--version\fP
-prints the version of the installed Kerberos implementation.
-.TP
-\fB\--vendor\fP
-prints the vendor of the installed Kerberos implementation.
-.TP
-\fB\--prefix\fP
-prints the prefix with which Kerberos was built.
-.TP
-\fB\--exec-prefix\fP
-prints the exec-prefix with which Kerberos was built.
-.TP
-\fB\--defccname\fP
-prints the built-in default credential cache name.
-.TP
-\fB\--defktname\fP
-prints the built-in default keytab name.
-.TP
-\fB\--defcktname\fP
-prints the built-in default client keytab name.
-.TP
-\fB\--cflags\fP
-prints the compiler flags with which Kerberos was built.
-.TP
-\fB\--libs\fP \fIlibraries\fP
-list compiler options required to link with \fIlibraries\fP. Possible
-values for \fIlibraries\fP are:
-.sp
-.nf
-.in +.5i
-krb5 Kerberos 5 application
-gssapi GSSAPI application with Kerberos 5 bindings
-kadm-client Kadmin client
-kadm-server Kadmin server
-kdb Application that accesses the kerberos database
-.in -.5i
-.fi
-.SH SEE ALSO
-kerberos(1), cc(1)
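Review bot: The SYNOPSIS of the deleted src/krb5-config.M lists only `--help`, `--all`, `--version`, `--vendor`, `--prefix`, `--exec-prefix`, `--cflags` and `--libs`, while the OPTIONS section below it also documents `--defccname`, `--defktname` and `--defcktname`; if the replacement page was derived from this file, check that its synopsis includes all three rather than inheriting the omission. The `--libs` table (krb5, gssapi, kadm-client, kadm-server, kdb) is the part application developers actually rely on when linking against the installed Kerberos libraries, so confirm it survives intact as well, together with the SEE ALSO reference to kerberos(1).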
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
deleted file mode 100644
index 484c4ce886..0000000000
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+++ /dev/null
@@ -1,938 +0,0 @@
-.TH KDB5_LDAP_UTIL 8
-.SH NAME
-kdb5_ldap_util \- Kerberos Configuration Utility
-.SH SYNOPSIS
-.B kdb5_ldap_util
-[\fB\-D\fP\ \fIuser_dn\fP [\fB\-w\fP\ \fIpasswd\fP]]
-[\fB\-H\fP\ \fIldapuri\fP]
-.I command
-.I [command_options]
-.SH DESCRIPTION
-.B kdb5_ldap_util
-allows an administrator to manage realms, Kerberos services and ticket policies.
-.SH COMMAND-LINE OPTIONS
-.TP
-\fB\-D\fP\ \fIuser_dn\fP
-Specifies the Distinguished name (DN) of the user who has sufficient rights to
-perform the operation on the LDAP server.
-.TP
-\fB\-w\fP\ \fIpasswd\fP
-Specifies the password of
-.IR user_dn .
-This option is not recommended.
-.TP
-\fB\-H\fP\ \fIldapuri\fP
-Specifies the URI of the LDAP server.
-.SH COMMANDS
-.TP
-\fBcreate\fP [\fB\-subtrees\fP\ \fIsubtree_dn_list\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-containerref\fP\ \fIcontainer_reference_dn\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-kv\fP\ \fImkeyVNO\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-s\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
-Creates realm in directory. Options:
-.RS
-.TP
-\fB\-subtrees\fP\ \fIsubtree_dn_list\fP
-Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree
-objects separated by colon(:).
-.TP
-\fB\-sscope\fP\ \fIsearch_scope\fP
-Specifies the scope for searching the principals under the
-.IR subtree .
-The possible values are 1 or one (one level), 2 or sub (subtrees).
-.TP
-\fB\-containerref\fP\ \fIcontainer_reference_dn\fP
-Specifies the DN of the container object in which the principals of a realm will be created.
-If the container reference is not configured for a realm, the principals will be created in the realm container.
-.TP
-\fB\-k\fP\ \fImkeytype\fP
-Specifies the key type of the master key in the database; the default is
-that given in
-.IR kdc.conf .
-.TP
-\fB\-kv\fP\ \fImkeyVNO\fP
-Specifies the version number of the master key in the database; the default is
-1. Note that 0 is not allowed.
-.TP
-\fB\-m\fP
-Specifies that the master database password should be read from the TTY
-rather than fetched from a file on the disk.
-.TP
-\fB\-P\fP\ \fIpassword\fP
-Specifies the master database password. This option is not recommended.
-.TP
-\fB\-sf\fP\ \fIstashfilename\fP
-Specifies the stash file of the master database password.
-.TP
-\fB\-s\fP
-Specifies that the stash file is to be created.
-.TP
-\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
-Specifies maximum ticket life for principals in this realm.
-.TP
-\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
-Specifies maximum renewable life of tickets for principals in this realm.
-.TP
-\fIticket_flags\fP
-Specifies the ticket flags. If this option is not specified, by default, none of the flags are
-set. This means all the ticket options will be allowed and no restriction will be set.
-
-The various flags are:
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
-.B \-allow_postdated
-prohibits principals from obtaining postdated tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_POSTDATED
-flag.)
-.B +allow_postdated
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
-.B \-allow_forwardable
-prohibits principals from obtaining forwardable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_FORWARDABLE
-flag.)
-.B +allow_forwardable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
-.B \-allow_renewable
-prohibits principals from obtaining renewable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_RENEWABLE
-flag.)
-.B +allow_renewable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
-.B \-allow_proxiable
-prohibits principals from obtaining proxiable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_PROXIABLE
-flag.)
-.B +allow_proxiable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
-.B \-allow_dup_skey
-Disables user-to-user authentication for principals by prohibiting
-principals from obtaining a session key for another user. (Sets the
-.SM KRB5_KDB_DISALLOW_DUP_SKEY
-flag.)
-.B +allow_dup_skey
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
-.B +requires_preauth
-requires principals to preauthenticate before being allowed to
-kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_PRE_AUTH
-flag.)
-.B \-requires_preauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-.B +requires_hwauth
-requires principals to preauthenticate using a hardware device
-before being allowed to kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_HW_AUTH
-flag.)
-.B \-requires_hwauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
-.B \-allow_svr
-prohibits the issuance of service tickets for principals. (Sets the
-.SM KRB5_KDB_DISALLOW_SVR
-flag.)
-.B +allow_svr
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
-.B \-allow_tgs_req
-specifies that a Ticket-Granting Service (TGS) request for a service
-ticket for principals is not permitted. This option is useless for
-most things.
-.B +allow_tgs_req
-clears this flag. The default is
-.BR +allow_tgs_req .
-In effect,
-.B \-allow_tgs_req
-sets the
-.SM KRB5_KDB_DISALLOW_TGT_BASED
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
-.B \-allow_tix
-forbids the issuance of any tickets for principals.
-.B +allow_tix
-clears this flag. The default is
-.BR +allow_tix .
-In effect,
-.B \-allow_tix
-sets the
-.SM KRB5_KDB_DISALLOW_ALL_TIX
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBneedchange\fP
-.B +needchange
-sets a flag in attributes field to force a password change;
-.B \-needchange
-clears it. The default is
-.BR \-needchange .
-In effect,
-.B +needchange
-sets the
-.SM KRB5_KDB_REQUIRES_PWCHANGE
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
-.B +password_changing_service
-sets a flag in the attributes field marking principal as a password change
-service principal (useless for most things).
-.B \-password_changing_service
-clears the flag. This flag intentionally has a long name. The default
-is
-.BR \-password_changing_service .
-In effect,
-.B +password_changing_service
-sets the
-.SM KRB5_KDB_PWCHANGE_SERVICE
-flag on principals in the database.
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-.B Command Options Specific to eDirectory
-.TP
-\fB\-kdcdn\fP\ \fIkdc_service_list\fP
-Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC
-service objects separated by colon(:).
-.TP
-\fB\-admindn\fP\ \fIadmin_service_list\fP
-Specifies the list of Administration service objects serving the realm. The list contains the DNs
-of the Administration service objects separated by colon(:).
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu
-create \-subtrees o=org \-sscope SUB
-\-r ATHENA.MIT.EDU\fP
-.nf
-Password for "cn=admin,o=org":
-Initializing database for realm 'ATHENA.MIT.EDU'
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:
-Re-enter KDC database master key to verify:
-.fi
-.RE
-
-.TP
-\fBmodify\fP [\fB\-subtrees\fP\ \fIsubtree_dn_list\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-containerref\fP\ \fIcontainer_reference_dn\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
-
-Modifies the attributes of a realm. Options:
-.RS
-.TP
-\fB\-subtrees\fP\ \fIsubtree_dn_list\fP
-Specifies the list of subtrees containing the principals of a realm.
-The list contains the DNs of the subtree objects separated by
-colon(:). This list replaces the existing list.
-.TP
-\fB\-sscope\fP\ \fIsearch_scope\fP
-Specifies the scope for searching the principals under the
-.IR subtrees .
-The possible values are 1 or one (one level), 2 or sub (subtrees).
-.TP
-\fB\-containerref\fP\ \fIcontainer_reference_dn\fP
-Specifies the DN of the container object in which the principals of a realm
-will be created.
-.TP
-\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
-Specifies maximum ticket life for principals in this realm.
-.TP
-\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
-Specifies maximum renewable life of tickets for principals in this realm.
-.TP
-\fIticket_flags\fP
-Specifies the ticket flags. If this option is not specified, by default,
-none of the flags are set. This means all the ticket options will be allowed
-and no restriction will be set.
-
-The various flags are:
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
-.B \-allow_postdated
-prohibits principals from obtaining postdated tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_POSTDATED
-flag.)
-.B +allow_postdated
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
-.B \-allow_forwardable
-prohibits principals from obtaining forwardable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_FORWARDABLE
-flag.)
-.B +allow_forwardable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
-.B \-allow_renewable
-prohibits principals from obtaining renewable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_RENEWABLE
-flag.)
-.B +allow_renewable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
-.B \-allow_proxiable
-prohibits principals from obtaining proxiable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_PROXIABLE
-flag.)
-.B +allow_proxiable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
-.B \-allow_dup_skey
-Disables user-to-user authentication for principals by prohibiting
-principals from obtaining a session key for another user. (Sets the
-.SM KRB5_KDB_DISALLOW_DUP_SKEY
-flag.)
-.B +allow_dup_skey
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
-.B +requires_preauth
-requires principals to preauthenticate before being allowed to
-kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_PRE_AUTH
-flag.)
-.B \-requires_preauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-.B +requires_hwauth
-requires principals to preauthenticate using a hardware device
-before being allowed to kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_HW_AUTH
-flag.)
-.B \-requires_hwauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
-.B \-allow_svr
-prohibits the issuance of service tickets for principals. (Sets the
-.SM KRB5_KDB_DISALLOW_SVR
-flag.)
-.B +allow_svr
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
-.B \-allow_tgs_req
-specifies that a Ticket-Granting Service (TGS) request for a service
-ticket for principals is not permitted. This option is useless for
-most things.
-.B +allow_tgs_req
-clears this flag. The default is
-.BR +allow_tgs_req .
-In effect,
-.B \-allow_tgs_req
-sets the
-.SM KRB5_KDB_DISALLOW_TGT_BASED
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
-.B \-allow_tix
-forbids the issuance of any tickets for principals.
-.B +allow_tix
-clears this flag. The default is
-.BR +allow_tix .
-In effect,
-.B \-allow_tix
-sets the
-.SM KRB5_KDB_DISALLOW_ALL_TIX
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBneedchange\fP
-.B +needchange
-sets a flag in attributes field to force a password change;
-.B \-needchange
-clears it. The default is
-.BR \-needchange .
-In effect,
-.B +needchange
-sets the
-.SM KRB5_KDB_REQUIRES_PWCHANGE
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
-.B +password_changing_service
-sets a flag in the attributes field marking principal as a password change
-service principal (useless for most things).
-.B \-password_changing_service
-clears the flag. This flag intentionally has a long name. The default
-is
-.BR \-password_changing_service .
-In effect,
-.B +password_changing_service
-sets the
-.SM KRB5_KDB_PWCHANGE_SERVICE
-flag on principals in the database.
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-.B Command Options Specific to eDirectory
-.TP
-\fB\-kdcdn\fP\ \fIkdc_service_list\fP
-Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC
-service objects separated by a colon (:). This list replaces the existing list.
-.TP
-\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP
-Specifies the list of KDC service objects that need to be removed from the existing list. The list contains
-the DNs of the KDC service objects separated by a colon (:).
-.TP
-\fB\-addkdcdn\fP\ \fIkdc_service_list\fP
-Specifies the list of KDC service objects that need to be added to the existing list. The list contains the
-DNs of the KDC service objects separated by a colon (:).
-.TP
-\fB\-admindn\fP\ \fIadmin_service_list\fP
-Specifies the list of Administration service objects serving the realm. The list contains the DNs
-of the Administration service objects separated by a colon (:). This list replaces the existing list.
-.TP
-\fB\-clearadmindn\fP\ \fIadmin_service_list\fP
-Specifies the list of Administration service objects that need to be removed from the existing list. The list
-contains the DNs of the Administration service objects separated by a colon (:).
-.TP
-\fB\-addadmindn\fP\ \fIadmin_service_list\fP
-Specifies the list of Administration service objects that need to be added to the existing list. The list
-contains the DNs of the Administration service objects separated by a colon (:).
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify
-+requires_preauth \-r ATHENA.MIT.EDU \fP
-.nf
-Password for "cn=admin,o=org":
-.fi
-.RE
-.TP
-\fBview\fP [\fB\-r\fP\ \fIrealm\fP]
-Displays the attributes of a realm. Options:
-.RS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view
-\-r ATHENA.MIT.EDU\fP
-.nf
-Password for "cn=admin,o=org":
- Realm Name: ATHENA.MIT.EDU
- Subtree: ou=users,o=org
- Subtree: ou=servers,o=org
- SearchScope: ONE
- Maximum ticket life: 0 days 01:00:00
- Maximum renewable life: 0 days 10:00:00
- Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-.fi
-.RE
-.TP
-\fBdestroy\fP [\fB-f\fP] [\fB\-r\fP\ \fIrealm\fP]
-Destroys an existing realm. Options:
-.RS
-.TP
-\fB\-f\fP
-If specified, will not prompt the user for confirmation.
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy
-\-r ATHENA.MIT.EDU\fP
-.nf
-Password for "cn=admin,o=org":
-Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
-(type 'yes' to confirm)? yes
-OK, deleting database of 'ATHENA.MIT.EDU'...
-.fi
-.RE
-.TP
-\fBlist\fP
-
-Lists the name of realms.
-.RS
-.nf
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list\fP
-Password for "cn=admin,o=org":
-ATHENA.MIT.EDU
-OPENLDAP.MIT.EDU
-MEDIA-LAB.MIT.EDU
-.fi
-.RE
-.TP
-\fBstashsrvpw\fP [\fB\-f\fP\ \fIfilename\fP] \fIservicedn\fP
-Allows an administrator to store the password for service object in a file so that KDC and Administration
-server can use it to authenticate to the LDAP server. Options:
-.RS
-.TP
-\fB\-f\fP\ \fIfilename\fP
-Specifies the complete path of the service password file. By default, /usr/local/var/service_passwd is used.
-.TP
-\fIservicedn\fP
-Specifies Distinguished name (DN) of the service object whose password is to be stored in file.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
-.nf
-Password for "cn=service-kdc,o=org":
-Re-enter password for "cn=service-kdc,o=org":
-.fi
-.RE
-.TP
-\fBcreate_policy\fP [\fB\-r\fP\ \fIrealm\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP
-Creates a ticket policy in directory. Options:
-.RS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
-Specifies maximum ticket life for principals.
-.TP
-\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP
-Specifies maximum renewable life of tickets for principals.
-.TP
-\fIticket_flags\fP
-Specifies the ticket flags. If this option is not specified, by default, none of the flags are
-set. This means all the ticket options will be allowed and no restriction will be set.
-
-The various flags are:
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
-.B \-allow_postdated
-prohibits principals from obtaining postdated tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_POSTDATED
-flag.)
-.B +allow_postdated
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
-.B \-allow_forwardable
-prohibits principals from obtaining forwardable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_FORWARDABLE
-flag.)
-.B +allow_forwardable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
-.B \-allow_renewable
-prohibits principals from obtaining renewable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_RENEWABLE
-flag.)
-.B +allow_renewable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
-.B \-allow_proxiable
-prohibits principals from obtaining proxiable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_PROXIABLE
-flag.)
-.B +allow_proxiable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
-.B \-allow_dup_skey
-Disables user-to-user authentication for principals by prohibiting
-principals from obtaining a session key for another user. (Sets the
-.SM KRB5_KDB_DISALLOW_DUP_SKEY
-flag.)
-.B +allow_dup_skey
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
-.B +requires_preauth
-requires principals to preauthenticate before being allowed to
-kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_PRE_AUTH
-flag.)
-.B \-requires_preauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-.B +requires_hwauth
-requires principals to preauthenticate using a hardware device
-before being allowed to kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_HW_AUTH
-flag.)
-.B \-requires_hwauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
-.B \-allow_svr
-prohibits the issuance of service tickets for principals. (Sets the
-.SM KRB5_KDB_DISALLOW_SVR
-flag.)
-.B +allow_svr
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
-.B \-allow_tgs_req
-specifies that a Ticket-Granting Service (TGS) request for a service
-ticket for principals is not permitted. This option is useless for
-most things.
-.B +allow_tgs_req
-clears this flag. The default is
-.BR +allow_tgs_req .
-In effect,
-.B \-allow_tgs_req
-sets the
-.SM KRB5_KDB_DISALLOW_TGT_BASED
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
-.B \-allow_tix
-forbids the issuance of any tickets for principals.
-.B +allow_tix
-clears this flag. The default is
-.BR +allow_tix .
-In effect,
-.B \-allow_tix
-sets the
-.SM KRB5_KDB_DISALLOW_ALL_TIX
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBneedchange\fP
-.B +needchange
-sets a flag in attributes field to force a password change;
-.B \-needchange
-clears it. The default is
-.BR \-needchange .
-In effect,
-.B +needchange
-sets the
-.SM KRB5_KDB_REQUIRES_PWCHANGE
-flag on principals in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
-.B +password_changing_service
-sets a flag in the attributes field marking principal as a password change
-service principal (useless for most things).
-.B \-password_changing_service
-clears the flag. This flag intentionally has a long name. The default
-is
-.BR \-password_changing_service .
-In effect,
-.B +password_changing_service
-sets the
-.SM KRB5_KDB_PWCHANGE_SERVICE
-flag on principals in the database.
-.TP
-\fIpolicy_name\fP
-Specifies the name of the ticket policy.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy\fP
-.nf
-Password for "cn=admin,o=org":
-.fi
-.RE
-.TP
-\fBmodify_policy\fP [\fB\-r\fP\ \fIrealm\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP
-Modifies the attributes of a ticket policy. Options are same as
-.B create_policy.
-.RS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy\fP
-.nf
-Password for "cn=admin,o=org":
-.fi
-.RE
-.TP
-\fBview_policy\fP [\fB\-r\fP\ \fIrealm\fP] \fIpolicy_name\fP
-Displays the attributes of a ticket policy. Options:
-.RS
-.TP
-\fIpolicy_name\fP
-Specifies the name of the ticket policy.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy\fP
-.nf
-Password for "cn=admin,o=org":
- Ticket policy: tktpolicy
- Maximum ticket life: 0 days 01:00:00
- Maximum renewable life: 0 days 10:00:00
- Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-.fi
-.RE
-.TP
-\fBdestroy_policy\fP [\fB\-r\fP\ \fIrealm\fP] [\fB\-force\fP] \fIpolicy_name\fP
-Destroys an existing ticket policy. Options:
-.RS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-force\fP
-Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. Enter
-.B yes
-to confirm the deletion.
-.TP
-\fIpolicy_name\fP
-Specifies the name of the ticket policy.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy\fP
-.nf
-Password for "cn=admin,o=org":
-This will delete the policy object 'tktpolicy', are you sure?
-(type 'yes' to confirm)? yes
-** policy object 'tktpolicy' deleted.
-.fi
-.RE
-.TP
-\fBlist_policy\fP [\fB\-r\fP\ \fIrealm\fP]
-Lists the ticket policies in \fIrealm\fP if specified or in the default realm. Options:
-.RS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-Specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list_policy \-r ATHENA.MIT.EDU\fP
-.nf
-Password for "cn=admin,o=org":
-tktpolicy
-tmppolicy
-userpolicy
-.fi
-.RE
-
-.TP
-.B Commands Specific to eDirectory
-.TP
-\fBsetsrvpw\fP [\fB\-randpw\fP|\fB\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP
-Allows an administrator to set password for service objects such as KDC and Administration server in
-eDirectory and store them in a file. The
-.I \-fileonly
-option stores the password in a file and not in the eDirectory object. Options:
-.RS
-.TP
-\fB\-randpw \fP
-Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The
-.I \-fileonly
-option can not be used if
-.I \-randpw
-option is already specified.
-.TP
-\fB\-fileonly\fP
-Stores the password only in a file and not in eDirectory. The
-.I \-randpw
-option can not be used when
-.I \-fileonly
-options is specified.
-.TP
-\fB\-f\fP\ \fIfilename\fP
-Specifies complete path of the service password file. By default, /usr/local/var/service_passwd is used.
-.TP
-\fIservice_dn\fP
-Specifies Distinguished name (DN) of the service object whose password is to be set.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile
-cn=service-kdc,o=org\fP
-.nf
-Password for "cn=admin,o=org":
-Password for "cn=service-kdc,o=org":
-Re-enter password for "cn=service-kdc,o=org":
-.fi
-.RE
-.TP
-\fBcreate_service\fP {\fB\-kdc|\-admin\fP} [\fB\-servicehost\fP\ \fIservice_host_list\fP] [\fB\-realm\fP\ \fIrealm_list\fP] [\fB\-randpw|\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP
-Creates a service in directory and assigns appropriate rights. Options:
-.RS
-.TP
-\fB\-kdc\fP
-Specifies the service is a KDC service
-.TP
-\fB\-admin\fP
-Specifies the service is a Administration service
-.TP
-\fB\-servicehost\fP\ \fIservice_host_list\fP
-Specifies the list of entries separated by a colon (:). Each entry consists of the hostname or IP
-address of the server hosting the service, transport protocol, and the port number of
-the service separated by a pound sign (#).
-For example,
-server1#tcp#88:server2#udp#89.
-.TP
-\fB\-realm\fP\ \fIrealm_list\fP
-Specifies the list of realms that are to be associated with this service. The list contains the name of the realms
-separated by a colon (:).
-.TP
-\fB\-randpw \fP
-Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. The
-.I \-fileonly
-option can not be used if
-.I \-randpw
-option is specified.
-.TP
-\fB\-fileonly\fP
-Stores the password only in a file and not in eDirectory. The
-.I \-randpw
-option can not be used when
-.I \-fileonly
-option is specified.
-.TP
-\fB\-f\fP\ \fIfilename\fP
-Specifies the complete path of the file where the service object password is stashed.
-.TP
-\fIservice_dn\fP
-Specifies Distinguished name (DN) of the Kerberos service to be created.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
-.nf
-Password for "cn=admin,o=org":
-File does not exist. Creating the file /home/andrew/conf_keyfile...
-.fi
-.RE
-.TP
-\fBmodify_service\fP [\fB\-servicehost\fP\ \fIservice_host_list\fP | [\fB\-clearservicehost\fP\ \fIservice_host_list\fP] [\fB\-addservicehost\fP\ \fIservice_host_list\fP]] [\fB\-realm\fP\ \fIrealm_list\fP | [\fB\-clearrealm\fP\ \fIrealm_list\fP] [\fB\-addrealm\fP\ \fIrealm_list\fP]] \fIservice_dn\fP
-Modifies the attributes of a service and assigns appropriate rights. Options:
-.RS
-.TP
-\fB\-servicehost\fP\ \fIservice_host_list\fP
-Specifies the list of entries separated by a colon (:). Each entry consists of a host name
-or IP Address of the Server hosting the service, transport protocol, and port
-number of the service separated by a pound sign (#).
-For example,
-server1#tcp#88:server2#udp#89
-.TP
-\fB\-clearservicehost\fP\ \fIservice_host_list\fP
-Specifies the list of servicehost entries to be removed from the existing list separated by colon (:). Each entry consists of a host name or IP Address of the server
-hosting the service, transport protocol, and port number of the service separated
-by a pound sign (#).
-.TP
-\fB\-addservicehost\fP\ \fIservice_host_list\fP
-Specifies the list of servicehost entries to be added to the existing list separated by colon (:). Each entry consists of a host name or IP Address of the
-server hosting the service, transport protocol, and port number of the service
-separated by a pound sign (#).
-.TP
-\fB\-realm\fP\ \fIrealm_list\fP
-Specifies the list of realms that are to be associated with this service. The list contains the name of
-the realms separated by a colon (:). This list replaces the existing list.
-.TP
-\fB\-clearrealm\fP\ \fIrealm_list\fP
-Specifies the list of realms to be removed from the existing list. The list contains the name of
-the realms separated by a colon (:).
-.TP
-\fB\-addrealm\fP\ \fIrealm_list\fP
-Specifies the list of realms to be added to the existing list. The list contains the name of the
-realms separated by a colon (:).
-.TP
-\fIservice_dn\fP
-Specifies Distinguished name (DN) of the Kerberos service to be modified.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU
-cn=service-kdc,o=org\fP
-.nf
-Password for "cn=admin,o=org":
-Changing rights for the service object. Please wait ... done
-.fi
-.RE
-.TP
-\fBview_service\fP \fIservice_dn\fP
-Displays the attributes of a service. Options:
-.RS
-.TP
-\fIservice_dn\fP
-Specifies Distinguished name (DN) of the Kerberos service to be viewed.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org view_service cn=service-kdc,o=org\fP
-.nf
-Password for "cn=admin,o=org":
- Service dn: cn=service-kdc,o=org
- Service type: kdc
- Service host list:
- Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
-.fi
-.RE
-.TP
-\fBdestroy_service\fP [\fB\-force\fP] [\fB\-f\fP\ \fIstashfilename\fP] \fIservice_dn\fP
-Destroys an existing service. Options:
-.RS
-.TP
-\fB\-force\fP
-If specified, will not prompt for user's confirmation, instead will force destruction of the service.
-.TP
-\fB\-f\fP\ \fIstashfilename\fP
-Specifies the complete path of the service password file from where the entry corresponding to the
-.I service_dn
-needs to be removed.
-.TP
-\fIservice_dn\fP
-Specifies Distinguished name (DN) of the Kerberos service to be destroyed.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP
-.nf
-Password for "cn=admin,o=org":
-This will delete the service object 'cn=service-kdc,o=org', are you sure?
-(type 'yes' to confirm)? yes
-** service object 'cn=service-kdc,o=org' deleted.
-.fi
-.RE
-.TP
-\fBlist_service\fP [\fB\-basedn\fP\ \fIbase_dn\fP]
-Lists the name of services under a given base in directory. Options:
-.RS
-.TP
-\fB\-basedn\fP\ \fIbase_dn\fP
-Specifies the base DN for searching the service objects, limiting the search to a particular subtree. If this option
-is not provided, LDAP Server specific search base will be used.
-For eg, in the case of OpenLDAP, value of
-.B defaultsearchbase
-from
-.I slapd.conf
-file will be used, where as in the case of eDirectory, the default value
-for the base DN is
-.B Root.
-.TP
-EXAMPLE:
-\fBkdb5_ldap_util \-D cn=admin,o=org list_service\fP
-.nf
-Password for "cn=admin,o=org":
-cn=service-kdc,o=org
-cn=service-adm,o=org
-cn=service-pwd,o=org
-.fi
-.RE
-.SH SEE ALSO
-kadmin(8)
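Review bot: the -randpw and -fileonly entries under create_service are the only place this page states that the two options are mutually exclusive and that -f names the file where the service object password is stashed, and the destroy_service -f entry is the only note that the stash entry has to be removed separately. Since this hunk deletes that text, confirm the RST source for kdb5_ldap_util in src/man/ keeps all three points; an administrator who loses the -fileonly/-randpw constraint can easily end up with a service whose password exists in a file but not in the directory, or vice versa.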
diff --git a/src/slave/kprop.M b/src/slave/kprop.M
deleted file mode 100644
index cb4ae5667f..0000000000
--- a/src/slave/kprop.M
+++ /dev/null
@@ -1,67 +0,0 @@
-.\" slave/kprop.M
-.\"
-.\" Copyright 1992 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KPROP 8
-.SH NAME
-kprop \- propagate a Kerberos V5 principal database to a slave server
-.SH SYNOPSIS
-.B kprop
-[\fB\-r\fP \fIrealm\fP] [\fB\-f\fP \fIfile\fP] [\fB\-d\fP] [\fB\-P\fP
-\fIport\fP] [\fB\-s\fP \fIkeytab\fP]
-.I slave_host
-.br
-.SH DESCRIPTION
-.I kprop
-is used to propagate a Kerberos V5 database dump file from the master
-Kerberos server to a slave Kerberos server, which is specified by
-.IR slave_host .
-This is done by transmitting the dumped database file to the slave
-server over an encrypted, secure channel. The dump file must be created
-by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
-.SH OPTIONS
-.TP
-\fB\-r\fP \fIrealm\fP
-specifies the realm of the master server; by default the realm returned
-by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-f\fP \fIfile\fP
-specifies the filename where the dumped principal database file is to be
-found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
-.TP
-\fB\-P\fP \fIport\fP
-specifies the port to use to contact the
-.I kpropd
-server on the remote host.
-.TP
-.B \-d
-prints debugging information.
-.TP
-\fB\-s\fP \fIkeytab\fP
-specifies the location of the keytab file.
-.SH SEE ALSO
-kpropd(8), kdb5_util(8), krb5kdc(8)
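Review bot: the DESCRIPTION and the -f entry hard-code the build-time default KPROP_DEFAULT_FILE as /usr/local/var/krb5kdc/slave_datatrans, and -s is documented only as "specifies the location of the keytab file" without saying what kprop authenticates with it. If the replacement page in src/man/ was derived from this text, check that it renders the configured paths rather than the /usr/local ones and that the keytab option says which credential it supplies; the deleted page never did, so the gap should not be carried over.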
diff --git a/src/slave/kpropd.M b/src/slave/kpropd.M
deleted file mode 100644
index f3283c46b6..0000000000
--- a/src/slave/kpropd.M
+++ /dev/null
@@ -1,162 +0,0 @@
-.\" slave/kpropd.M
-.\"
-.\" Copyright 1992, 2008 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KPROPD 8
-.SH NAME
-kpropd \- Kerberos V5 slave KDC update server
-.SH SYNOPSIS
-.B kpropd
-[
-.B \-r
-.I realm
-] [
-.B \-f
-.I slave_dumpfile
-] [
-.B \-F
-.I principal_database
-] [
-.B \-p
-.I kdb5_util_prog
-] [
-.B \-d
-] [
-.B \-S
-] [
-.B \-P
-.I port
-]
-.br
-.SH DESCRIPTION
-The
-.I kpropd
-command runs on the slave KDC server. It listens for update requests
-made by the
-.IR kprop (8)
-program, and periodically requests incremental updates from the
-master KDC.
-
-When the slave receives a kprop request from the master,
-.I kpropd
-accepts the dumped KDC database and places it in a file, and then runs
-.IR kdb5_util (8)
-to load the dumped database into the active database which is used by
-.IR krb5kdc (8).
-Thus, the master Kerberos server can use
-.IR kprop (8)
-to propagate its database to the slave slavers. Upon a successful download
-of the KDC database file, the slave Kerberos server will have an
-up-to-date KDC database.
-.PP
-Normally, kpropd is invoked out of
-.I inetd(8).
-This is done by adding a line to the inetd.conf file which looks like
-this:
-
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
-
-However, kpropd can also run as a standalone daemon, if the
-.B \-S
-option is turned on. This is done for debugging purposes, or if for
-some reason the system administrator just doesn't want to run it out of
-.IR inetd (8).
-
-When the slave periodically requests incremental updates,
-.I kpropd
-updates its
-.I principal.ulog
-file with any updates from the master.
-.IR kproplog (8)
-can be used to view a summary of the update entry log on the slave
-KDC. Incremental propagation is not enabled by default; it can be
-enabled using the
-.I iprop_enable
-and
-.I iprop_slave_poll
-settings in
-.IR kdc.conf (5).
-The principal "kiprop/slavehostname@REALM" (where "slavehostname" is
-the name of the slave KDC host, and "REALM" is the name of the
-Kerberos realm) must be present in the slave's keytab file.
-
-.SH OPTIONS
-.TP
-\fB\-r\fP \fIrealm\fP
-specifies the realm of the master server; by default the realm returned
-by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-f\fP \fIfile\fP
-specifies the filename where the dumped principal database file is to be
-stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
-.TP
-.B \-p
-allows the user to specify the pathname to the
-.IR kdb5_util (8)
-program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
-.TP
-.B \-S
-turn on standalone mode. Normally, kpropd is invoked out of
-.IR inetd (8)
-so it expects a network connection to be passed to it from
-.I inetd (8).
-If the
-.B \-S
-option is specified, kpropd will put itself into the background, and
-wait for connections to the KPROP_SERVICE port (normally krb5_prop).
-.TP
-.B \-d
-turn on debug mode. In this mode, if the
-.B \-S
-option is selected,
-.I kpropd
-will not detach itself from the current job and run in the background.
-Instead, it will run in the foreground and print out debugging messages
-during the database propagation.
-.TP
-.B \-P
-allow for an alternate port number for
-.I kpropd
-to listen on. This is only useful if the program is run in standalone
-mode.
-.TP
-.B \-a
-allows the user to specify the path to the
-kpropd.acl
-file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
-.SH FILES
-.TP "\w'kpropd.acl\ \ 'u"
-kpropd.acl
-Access file for
-.BR kpropd ;
-the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
-Each entry is a line containing the principal of a host from which the
-local machine will allow Kerberos database propagation via kprop.
-.SH SEE ALSO
-kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)
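Review bot: the SYNOPSIS and OPTIONS of the removed page disagree: -F principal_database appears in the synopsis but has no OPTIONS entry, -a (the kpropd.acl path) is in OPTIONS but not in the synopsis, and -f is described as "file" where the synopsis says slave_dumpfile; the DESCRIPTION also reads "propagate its database to the slave slavers". Diff the option list of the new kpropd page against this one so the inconsistencies are not inherited. The FILES entry for kpropd.acl is the statement of which host principals are allowed to push a database into this KDC, so that paragraph in particular should survive unchanged in the replacement.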
diff --git a/src/slave/kproplog.M b/src/slave/kproplog.M
deleted file mode 100644
index b7081a9562..0000000000
--- a/src/slave/kproplog.M
+++ /dev/null
@@ -1,96 +0,0 @@
-.\" slave/kprop.M
-.\"
-.\" Copyright 2008 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.\" Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved
-.\"
-.TH KPROPLOG 1
-.SH NAME
-kproplog \- display the contents of the Kerberos principal update log
-.SH SYNOPSIS
-.B kproplog
-[\fB\-h\fP] [\fB\-e\fP \fInum\fP]
-.br
-.SH DESCRIPTION
-The
-.I kproplog
-command displays the contents of the Kerberos principal update log to
-standard output. It can be used to keep track of the incremental
-updates to the principal database, when enabled. The update log
-file contains the update log maintained by the
-.I kadmind
-process on the master KDC server and the kpropd process on the slave
-KDC servers. When updates occur, they are logged to this
-file. Subsequently any KDC slave configured for incremental updates
-will request the current data from the master KDC and update their
-.I principal.ulog
-file with any updates returned.
-
-The
-.I kproplog
-command can only be run on a KDC server by someone with privileges
-comparable to the superuser. It will display update entries for that
-server only.
-
-If no options are specified, the summary of the update log is
-displayed. If invoked on the master, all of the update entries are
-also displayed. When invoked on a slave KDC server, only a summary of
-the updates are displayed, which includes the serial number of the
-last update received and the associated time stamp of the last update.
-
-.SH OPTIONS
-.TP
-\fB\-h\fP
-Display a summary of the update log. This information includes the
-database version number, state of the database, the number of updates
-in the log, the time stamp of the first and last update, and the
-version number of the first and last update entry.
-.TP
-\fB\-e\fP \fInum\fP
-Display the last
-.I num
-update entries in the log. This is useful when debugging
-synchronization between KDC servers.
-.TP
-\fB\-v\fP
-Display individual attributes per update.
-An example of the output generated for one entry:
-.nf
- Update Entry
- Update serial # : 4
- Update operation : Add
- Update principal : test@EXAMPLE.COM
- Update size : 424
- Update committed : True
- Update time stamp : Fri Feb 20 23:37:42 2004
- Attributes changed : 6
- Principal
- Key data
- Password last changed
- Modifying principal
- Modification time
- TL data
-.fi
-
-.SH SEE ALSO
-kpropd(8)
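Review bot: the first removed comment line names the file as slave/kprop.M rather than kproplog.M, the SYNOPSIS lists only -h and -e although OPTIONS also documents -v, and the page sits in section 1 while DESCRIPTION says it can only be run on a KDC by someone with privileges comparable to the superuser and its SEE ALSO points at kpropd(8). None of this affects the deletion, but confirm the replacement RST page lists -v in its synopsis and keeps the superuser requirement, since that sentence is what tells an operator the update log is not a world-readable artifact.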
diff --git a/src/tests/create/kdb5_mkdums.M b/src/tests/create/kdb5_mkdums.M
deleted file mode 100644
index e46495e815..0000000000
--- a/src/tests/create/kdb5_mkdums.M
+++ /dev/null
@@ -1,141 +0,0 @@
-.\" tests/create/kdb5_mkdums.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KDB5_MKDUMS 8
-.SH NAME
-kdb5_mkdums \- create a new Kerberos V5 principal database
-.SH SYNOPSIS
-.B kdb5_mkdums
-.B \-n
-.I number
-.B \-p
-.I prefix
-[
-.B \-D
-.I depth
-] [
-.B \-r
-.I realm
-] [
-.B \-d
-.I dbname
-] [
-.B \-k
-.I keytype
-] [
-.B \-M
-.I mkeyname
-] [
-.B \-e
-.I enctype
-] [
-.B \-m
-]
-.br
-.SH DESCRIPTION
-.I kdb5_mkdums
-is used to create many test entries in a Kerberos version 5 principal
-database.
-Each entry is created with a known password, for later verification.
-.I kdb5_verify
-can be used to verify that the entries were stored correctly in the
-database and can be retrieved.
-.I kdc5_hammer
-can be used to make repeated ticket requests of the KDC for principals
-created via
-.I kdb5_mkdums
-in order to ``stress test'' the KDC.
-.PP
-The
-.B \-p
-.I prefix
-argument specifies the prefix name for each principal to be created.
-The current number and depth will be appended to the prefix.
-.PP
-The
-.B \-n
-.I num_to_create
-argument specifies the number of principals to create (at each depth).
-.PP
-The
-.B \-D
-.I depth
-option specifies the maximum number of components a principal should
-have; the default depth is 1.
-.PP
-The
-.B \-r
-.I realm
-option specifies the realm in which the entries should be created;
-by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database is to be
-created; by default the database is in DEFAULT_DBM_FILE (normally
-/krb5/principal).
-.PP
-The
-.B \-k
-.I keytype
-option specifies the key type (as an ascii representation of a decimal
-number) of the master key in the database; the default is KEYTYPE_DES.
-.PP
-The
-.B \-M
-.I mkeyname
-option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (usually "K/M" in the KDC's realm).
-.PP
-The
-.B \-e
-.I enctype
-option specifies the encryption type (as an ascii representation of a decimal
-number) to be used when placing entries in
-the database; the default is the default encryption type for the master
-keytype.
-.SH EXAMPLE
-.I
-kdb5_mkdums -p test -n 2 -D 3
-.R
-will create the following principals, each with their printed names as
-passwords:
-.nf
-.in +1i
-test1-DEPTH-1@FOO.MIT.EDU
-test2-DEPTH-1@FOO.MIT.EDU
-test1-DEPTH-1/test1-DEPTH-2@FOO.MIT.EDU
-test2-DEPTH-1/test2-DEPTH-2@FOO.MIT.EDU
-test1-DEPTH-1/test1-DEPTH-2/test1-DEPTH-3@FOO.MIT.EDU
-test2-DEPTH-1/test2-DEPTH-2/test2-DEPTH-3@FOO.MIT.EDU
-.in -1i
-.fi
-.SH BUGS
-Should be do something intelligent about testing fields other than the
-password.
-.SH AUTHOR
-Jon Rochlis, MIT Network Services
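Review bot: this page lives under src/tests/create, not alongside the user-facing manuals, and several of its statements are stale or inconsistent: NAME says "create a new Kerberos V5 principal database" while DESCRIPTION says the tool creates test entries; -m is in the SYNOPSIS with no description; -n is "number" in the SYNOPSIS but "num_to_create" below; and BUGS reads "Should be do something". Confirm whether a kdb5_mkdums RST source exists in src/man/ or the test tool is intentionally left undocumented; if a replacement exists, the EXAMPLE's note that each principal gets its printed name as its password should be kept and clearly marked as test-only behaviour.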