install sphinx-generated manpages

Install sphinx-generated manpages.  Original nroff manpages remain for
reference until proofreading is complete.  Modify
doc/rst_source/conf.py to better deal with shadow manpages -- sphinx
will now build k5login.5 instead of .k5login.5, and kadmin.1 instead
of both kadmin.1 and kadmin.local.8.

Proofreaders should ensure that the original nroff manpages (and
associated Makefile rules) are deleted once their reST format
equivalents have been proofread.

ticket: 7064
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970

45 files changed, 6751 insertions, 13 deletions

diff --git a/doc/Makefile b/doc/Makefile
index 599da3f6cf..abe953423f 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -27,6 +27,8 @@ MANPAGES=$(SRCDIR)/clients/kdestroy/kdestroy.M $(SRCDIR)/clients/kinit/kinit.M $
 USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo
 USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES)
 
+SPHINX_BUILD=sphinx-build
+
 .PHONY: all
 all:: admin-guide-full install-guide-full user-guide-full clean-temp-ps clean-tex
 
@@ -155,3 +157,15 @@ tgz::
 
 ../NOTICE: notice.texinfo definitions.texinfo copyright.texinfo
 	makeinfo --plaintext -o $@ notice.texinfo
+
+RSTMAN=k5login.5 k5srvutil.1 kadmin.1 kadmind.8 kdb5_ldap_util.8 kdb5_util.8 \
+	kdc.conf.5 kdestroy.1 kinit.1 klist.1 kpasswd.1 kprop.8 kpropd.8 \
+	kproplog.8 krb5.conf.5 krb5kdc.8 ksu.1 kswitch.1 ktutil.1 kvno.1
+
+# The file editing loop deletes some trailing whitespace that the
+# docutils manpage writer outputs near the end of its output files.
+rstman::
+	$(SPHINX_BUILD) -q -b man rst_source ../src/man
+	(cd ../src/man && for f in $(RSTMAN); do \
+		(echo '$$'; echo '?^.." $$?d'; echo 'w'; echo 'q' ) | ed $$f; \
+	done)
diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py
index 58a1522a17..29fd607fe7 100644
--- a/doc/rst_source/conf.py
+++ b/doc/rst_source/conf.py
@@ -225,9 +225,8 @@ man_pages = [
     ('krb_users/user_commands/kpasswd', 'kpasswd', u'change a user\'s Kerberos password', [u'MIT'], 1),
     ('krb_users/user_commands/kvno', 'kvno', u'print key version numbers of Kerberos principals', [u'MIT'], 1),
     ('krb_users/user_commands/ksu', 'ksu', u'Kerberized super-user', [u'MIT'], 1),
-    ('krb_users/user_commands/k5login', '.k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
+    ('krb_users/user_commands/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
     ('krb_admins/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8),
-    ('krb_admins/admin_commands/kadmin_local', 'kadmin.local', u'Kerberos V5 database administration program', [u'MIT'], 8),
     ('krb_admins/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1),
     ('krb_admins/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a slave server', [u'MIT'], 8),
     ('krb_admins/admin_commands/kproplog', 'kproplog', u'display the contents of the Kerberos principal update log', [u'MIT'], 8),
diff --git a/src/Makefile.in b/src/Makefile.in
index 8e327916ae..ebf95c1e00 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -14,7 +14,7 @@ SUBDIRS=util include lib \
 	@ldap_plugin_dir@ \
 	plugins/preauth/pkinit \
 	kdc kadmin slave clients appl tests \
-	config-files gen-manpages @po@
+	config-files gen-manpages man @po@
 WINSUBDIRS=include util lib ccapi windows clients appl
 BUILDTOP=$(REL).
 LOCALINCLUDES = -I$(srcdir) 
@@ -54,7 +54,10 @@ world::
 INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
 		$(ADMIN_BINDIR) $(SERVER_BINDIR) $(CLIENT_BINDIR) \
 		$(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \
-		$(FILE_MANDIR) $(KRB5_LIBDIR) $(KRB5_INCDIR) \
+		$(FILE_MANDIR) \
+		$(ADMIN_CATDIR) $(SERVER_CATDIR) $(CLIENT_CATDIR) \
+		$(FILE_CATDIR) \
+		$(KRB5_LIBDIR) $(KRB5_INCDIR) \
 		$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
 		$(KRB5_AD_MODULE_DIR) \
 		$(KRB5_LIBKRB5_MODULE_DIR) \
diff --git a/src/clients/kdestroy/Makefile.in b/src/clients/kdestroy/Makefile.in
index 2c2f8660d8..31372da04e 100644
--- a/src/clients/kdestroy/Makefile.in
+++ b/src/clients/kdestroy/Makefile.in
@@ -36,6 +36,10 @@ install-unix::
 	for f in kdestroy; do \
 	  $(INSTALL_PROGRAM) $$f \
 		$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in kdestroy; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
 	done
diff --git a/src/clients/kinit/Makefile.in b/src/clients/kinit/Makefile.in
index 3b8318518b..b3e7a175fe 100644
--- a/src/clients/kinit/Makefile.in
+++ b/src/clients/kinit/Makefile.in
@@ -37,6 +37,10 @@ install-unix::
 	for f in kinit; do \
 	  $(INSTALL_PROGRAM) $$f \
 		$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in kinit; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
 	done
diff --git a/src/clients/klist/Makefile.in b/src/clients/klist/Makefile.in
index 5fe76e5755..78913cad5d 100644
--- a/src/clients/klist/Makefile.in
+++ b/src/clients/klist/Makefile.in
@@ -36,7 +36,10 @@ install-unix::
 	for f in klist; do \
 	  $(INSTALL_PROGRAM) $$f \
 		$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in klist; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
 	done
-
diff --git a/src/clients/kpasswd/Makefile.in b/src/clients/kpasswd/Makefile.in
index 50abc89c60..959f3b934d 100644
--- a/src/clients/kpasswd/Makefile.in
+++ b/src/clients/kpasswd/Makefile.in
@@ -32,6 +32,8 @@ clean-unix::
 
 install-all install-kdc install-server install-client install-unix::
 	$(INSTALL_PROGRAM) kpasswd $(DESTDIR)$(CLIENT_BINDIR)/`echo kpasswd|sed '$(transform)'`
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/kpasswd.M $(DESTDIR)$(CLIENT_MANDIR)/`echo kpasswd|sed '$(transform)'`.1;
 
 ##WIN32##all-windows:: $(KPWD)
@@ -39,4 +41,3 @@ install-all install-kdc install-server install-client install-unix::
 ##WIN32##$(KPWD): $(OUTPRE)kpasswd.obj $(KLIB) $(CLIB) $(EXERES)
 ##WIN32##	link $(EXE_LINKOPTS) -out:$@ $** $(SCLIB)
 ##WIN32##	$(_VC_MANIFEST_EMBED_EXE)
-
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 9309b97ac6..35a4b73c97 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -36,6 +36,10 @@ install::
 	-for f in ksu; do \
 	  $(INSTALL_SETUID) $$f \
 		$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in ksu; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
 	done
diff --git a/src/clients/kvno/Makefile.in b/src/clients/kvno/Makefile.in
index 31d36dc128..053bcecd15 100644
--- a/src/clients/kvno/Makefile.in
+++ b/src/clients/kvno/Makefile.in
@@ -37,6 +37,10 @@ install-unix::
 	for f in kvno; do \
 	  $(INSTALL_PROGRAM) $$f \
 		$(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in kvno; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		$(DESTDIR)$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
 	done
diff --git a/src/config-files/Makefile.in b/src/config-files/Makefile.in
index 265a439c75..ca75f9790d 100644
--- a/src/config-files/Makefile.in
+++ b/src/config-files/Makefile.in
@@ -3,8 +3,10 @@ BUILDTOP=$(REL)..
 all::
 
 install::
-	$(INSTALL_DATA) $(srcdir)/kdc.conf.M ${DESTDIR}$(FILE_MANDIR)/kdc.conf.5
-	$(INSTALL_DATA) $(srcdir)/krb5.conf.M ${DESTDIR}$(FILE_MANDIR)/krb5.conf.5
 	$(INSTALL_DATA) $(srcdir)/kdc.conf ${DESTDIR}$(EXAMPLEDIR)/kdc.conf
 	$(INSTALL_DATA) $(srcdir)/krb5.conf ${DESTDIR}$(EXAMPLEDIR)/krb5.conf
 	$(INSTALL_DATA) $(srcdir)/services.append ${DESTDIR}$(EXAMPLEDIR)/services.append
+
+install-oldman::
+	$(INSTALL_DATA) $(srcdir)/kdc.conf.M ${DESTDIR}$(FILE_MANDIR)/kdc.conf.5
+	$(INSTALL_DATA) $(srcdir)/krb5.conf.M ${DESTDIR}$(FILE_MANDIR)/krb5.conf.5
diff --git a/src/config/pre.in b/src/config/pre.in
index 139d7a618f..e5a087c02c 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -206,6 +206,10 @@ ADMIN_MANDIR = $(KRB5MANROOT)/man8
 SERVER_MANDIR = $(KRB5MANROOT)/man8
 CLIENT_MANDIR = $(KRB5MANROOT)/man1
 FILE_MANDIR = $(KRB5MANROOT)/man5
+ADMIN_CATDIR = $(KRB5MANROOT)/cat8
+SERVER_CATDIR = $(KRB5MANROOT)/cat8
+CLIENT_CATDIR = $(KRB5MANROOT)/cat1
+FILE_CATDIR = $(KRB5MANROOT)/cat5
 KRB5_LIBDIR = @libdir@
 KRB5_SHLIBDIR = @libdir@$(SHLIB_TAIL_COMP)
 KRB5_INCDIR = @includedir@
diff --git a/src/configure.in b/src/configure.in
index 67ccac2a2b..4c6ec8c186 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1243,6 +1243,8 @@ AC_SUBST([VERTO_CFLAGS])
 AC_SUBST([VERTO_LIBS])
 AC_SUBST([VERTO_VERSION])
 
+AC_PATH_PROG(GROFF, groff)
+
 AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
 V5_AC_OUTPUT_MAKEFILE(.
 
@@ -1276,7 +1278,7 @@ dnl	lib/krb5/ccache/ccapi
 
 dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
 
-	kdc slave config-files gen-manpages include
+	kdc slave config-files gen-manpages man include
 
 	plugins/locate/python
 	plugins/kadm5_hook/test
diff --git a/src/gen-manpages/Makefile.in b/src/gen-manpages/Makefile.in
index bb91a24536..1eaf9422dd 100644
--- a/src/gen-manpages/Makefile.in
+++ b/src/gen-manpages/Makefile.in
@@ -4,10 +4,12 @@ all::
 
 install::
 	$(INSTALL_DATA) $(srcdir)/kerberos.M ${DESTDIR}$(CLIENT_MANDIR)/kerberos.1
-	$(INSTALL_DATA) $(srcdir)/k5login.M ${DESTDIR}$(FILE_MANDIR)/k5login.5
-	$(INSTALL_DATA) $(srcdir)/dot.k5login.M \
-		${DESTDIR}$(FILE_MANDIR)/.k5login.5
 	$(INSTALL_DATA) $(srcdir)/k5identity.M \
 		${DESTDIR}$(FILE_MANDIR)/k5identity.5
 	$(INSTALL_DATA) $(srcdir)/dot.k5identity.M \
 		${DESTDIR}$(FILE_MANDIR)/.k5identity.5
+
+install-oldman::
+	$(INSTALL_DATA) $(srcdir)/k5login.M ${DESTDIR}$(FILE_MANDIR)/k5login.5
+	$(INSTALL_DATA) $(srcdir)/dot.k5login.M \
+		${DESTDIR}$(FILE_MANDIR)/.k5login.5
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index c7ba8312e6..068034cf96 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -28,6 +28,8 @@ install::
 	$(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(CLIENT_BINDIR)/$(PROG)
 	$(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(CLIENT_BINDIR)/k5srvutil
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(CLIENT_MANDIR)/k5srvutil.1
 	$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(CLIENT_MANDIR)/$(PROG).1
 	$(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8
diff --git a/src/kadmin/dbutil/Makefile.in b/src/kadmin/dbutil/Makefile.in
index 2c13827e13..3b7fe3bc6e 100644
--- a/src/kadmin/dbutil/Makefile.in
+++ b/src/kadmin/dbutil/Makefile.in
@@ -27,6 +27,8 @@ $(OBJS): import_err.h
 
 install::
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
 
 clean::
diff --git a/src/kadmin/ktutil/Makefile.in b/src/kadmin/ktutil/Makefile.in
index 930b1efc82..4357939588 100644
--- a/src/kadmin/ktutil/Makefile.in
+++ b/src/kadmin/ktutil/Makefile.in
@@ -19,6 +19,8 @@ ktutil: ktutil.o $(OBJS) $(SS_DEPLIB) $(KRB5_BASE_DEPLIBS)
 
 install::
 	$(INSTALL_PROGRAM) ktutil ${DESTDIR}$(CLIENT_BINDIR)/ktutil
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(CLIENT_MANDIR)/ktutil.1
 
 generate-files-mac: ktutil_ct.c
diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in
index f063e25d37..1ea705390f 100644
--- a/src/kadmin/server/Makefile.in
+++ b/src/kadmin/server/Makefile.in
@@ -21,6 +21,8 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(VE
 
 install::
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG)
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(SERVER_MANDIR)/$(PROG).8
 
 clean::
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 8994a6a767..497c6f8d89 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -75,6 +75,8 @@ check-pytests::
 
 install::
 	$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/krb5kdc.M ${DESTDIR}$(SERVER_MANDIR)/krb5kdc.8
 
 clean::
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
new file mode 100644
index 0000000000..5df02a0d28
--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,68 @@
+mydir=man
+BUILDTOP=$(REL)..
+
+GROFF=@GROFF@
+GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c
+
+all::
+
+install:: install-clientman install-fileman install-adminman install-serverman
+
+install-catman:: install-clientcat install-filecat install-admincat install-servercat
+
+install-clientman::
+	$(INSTALL_DATA) $(srcdir)/k5srvutil.1 ${DESTDIR}$(CLIENT_MANDIR)/k5srvutil.1
+	$(INSTALL_DATA) $(srcdir)/kadmin.1 ${DESTDIR}$(CLIENT_MANDIR)/kadmin.1
+	$(INSTALL_DATA) $(srcdir)/kdestroy.1 ${DESTDIR}$(CLIENT_MANDIR)/kdestroy.1
+	$(INSTALL_DATA) $(srcdir)/kinit.1 ${DESTDIR}$(CLIENT_MANDIR)/kinit.1
+	$(INSTALL_DATA) $(srcdir)/klist.1 ${DESTDIR}$(CLIENT_MANDIR)/klist.1
+	$(INSTALL_DATA) $(srcdir)/kpasswd.1 ${DESTDIR}$(CLIENT_MANDIR)/kpasswd.1
+	$(INSTALL_DATA) $(srcdir)/ksu.1 ${DESTDIR}$(CLIENT_MANDIR)/ksu.1
+	$(INSTALL_DATA) $(srcdir)/kswitch.1 ${DESTDIR}$(CLIENT_MANDIR)/kswitch.1
+	$(INSTALL_DATA) $(srcdir)/ktutil.1 ${DESTDIR}$(CLIENT_MANDIR)/ktutil.1
+	$(INSTALL_DATA) $(srcdir)/kvno.1 ${DESTDIR}$(CLIENT_MANDIR)/kvno.1
+
+install-fileman::
+	$(INSTALL_DATA) $(srcdir)/dot.k5login.5 ${DESTDIR}$(FILE_MANDIR)/.k5login.5
+	$(INSTALL_DATA) $(srcdir)/k5login.5 ${DESTDIR}$(FILE_MANDIR)/k5login.5
+	$(INSTALL_DATA) $(srcdir)/kdc.conf.5 ${DESTDIR}$(FILE_MANDIR)/kdc.conf.5
+	$(INSTALL_DATA) $(srcdir)/krb5.conf.5 ${DESTDIR}$(FILE_MANDIR)/krb5.conf.5
+
+install-adminman::
+	$(INSTALL_DATA) $(srcdir)/kadmin.local.8 ${DESTDIR}$(CLIENT_MANDIR)/kadmin.local.8
+	$(INSTALL_DATA) $(srcdir)/kdb5_ldap_util.8 ${DESTDIR}$(ADMIN_MANDIR)/kdb5_ldap_util.8
+	$(INSTALL_DATA) $(srcdir)/kdb5_util.8 ${DESTDIR}$(ADMIN_MANDIR)/kdb5_util.8
+	$(INSTALL_DATA) $(srcdir)/kprop.8 ${DESTDIR}$(ADMIN_MANDIR)/kprop.8
+	$(INSTALL_DATA) $(srcdir)/kproplog.8 ${DESTDIR}$(ADMIN_MANDIR)/kproplog.8
+
+install-serverman::
+	$(INSTALL_DATA) $(srcdir)/kadmind.8 ${DESTDIR}$(SERVER_MANDIR)/kadmind.8
+	$(INSTALL_DATA) $(srcdir)/kpropd.8 ${DESTDIR}$(SERVER_MANDIR)/kpropd.8
+	$(INSTALL_DATA) $(srcdir)/krb5kdc.8 ${DESTDIR}$(SERVER_MANDIR)/krb5kdc.8
+
+install-clientcat::
+	$(GROFF_MAN) $(srcdir)/k5srvutil.1 > ${DESTDIR}$(CLIENT_CATDIR)/k5srvutil.1
+	$(GROFF_MAN) $(srcdir)/kadmin.1 > ${DESTDIR}$(CLIENT_CATDIR)/kadmin.1
+	$(GROFF_MAN) $(srcdir)/kdestroy.1 > ${DESTDIR}$(CLIENT_CATDIR)/kdestroy.1
+	$(GROFF_MAN) $(srcdir)/kinit.1 > ${DESTDIR}$(CLIENT_CATDIR)/kinit.1
+	$(GROFF_MAN) $(srcdir)/klist.1 > ${DESTDIR}$(CLIENT_CATDIR)/klist.1
+	$(GROFF_MAN) $(srcdir)/kpasswd.1 > ${DESTDIR}$(CLIENT_CATDIR)/kpasswd.1
+	$(GROFF_MAN) $(srcdir)/ksu.1 > ${DESTDIR}$(CLIENT_CATDIR)/ksu.1
+	$(GROFF_MAN) $(srcdir)/kswitch.1 > ${DESTDIR}$(CLIENT_CATDIR)/kswitch.1
+	$(GROFF_MAN) $(srcdir)/ktutil.1 > ${DESTDIR}$(CLIENT_CATDIR)/ktutil.1
+	$(GROFF_MAN) $(srcdir)/kvno.1 > ${DESTDIR}$(CLIENT_CATDIR)/kvno.1
+
+install-filecat::
+	$(GROFF_MAN) $(srcdir)/k5login.5 > ${DESTDIR}$(FILE_CATDIR)/k5login.5
+	($(RM) ${DESTDIR}$(FILE_CATDIR)/.k5login.5; \
+		$(LN_S) $(FILE_CATDIR)/k5login.5 ${DESTDIR}$(FILE_CATDIR)/.k5login.5)
+	$(GROFF_MAN) $(srcdir)/kdc.conf.5 > ${DESTDIR}$(FILE_CATDIR)/kdc.conf.5
+	$(GROFF_MAN) $(srcdir)/krb5.conf.5 > ${DESTDIR}$(FILE_CATDIR)/krb5.conf.5
+
+install-admincat::
+	($(RM) ${DESTDIR}$(ADMIN_CATDIR)/kadmin.local.8; \
+		$(LN_S) $(CLIENT_CATDIR)/kadmin.1 ${DESTDIR}$(ADMIN_CATDIR)/kadmin.local.8)
+	$(GROFF_MAN) $(srcdir)/kdb5_ldap_util.8 > ${DESTDIR}$(ADMIN_CATDIR)/kdb5_ldap_util.8
+	$(GROFF_MAN) $(srcdir)/kdb5_util.8 > ${DESTDIR}$(ADMIN_CATDIR)/kdb5_util.8
+	$(GROFF_MAN) $(srcdir)/kprop.8 > ${DESTDIR}$(ADMIN_CATDIR)/kprop.8
+	$(GROFF_MAN) $(srcdir)/kproplog.8 > ${DESTDIR}$(ADMIN_CATDIR)/kproplog.8
diff --git a/src/man/README b/src/man/README
new file mode 100644
index 0000000000..4d03efb341
--- /dev/null
+++ b/src/man/README
@@ -0,0 +1,4 @@
+The manual page files in this directory are generated from
+reStructuredText format from doc/rst_source.  Edits made here will not
+survive a run of "make rstman" from the doc directory, except for the
+files that implement "shadow manpages".
diff --git a/src/man/deps b/src/man/deps
new file mode 100644
index 0000000000..2feac3c9d3
--- /dev/null
+++ b/src/man/deps
@@ -0,0 +1 @@
+# No dependencies here.
diff --git a/src/man/dot.k5login.5 b/src/man/dot.k5login.5
new file mode 100644
index 0000000000..60c82a4d88
--- /dev/null
+++ b/src/man/dot.k5login.5
@@ -0,0 +1 @@
+.so man5/k5login.5
diff --git a/src/man/k5login.5 b/src/man/k5login.5
new file mode 100644
index 0000000000..ca00b9b0a0
--- /dev/null
+++ b/src/man/k5login.5
@@ -0,0 +1,74 @@
+.TH "K5LOGIN" "5" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+k5login \- Kerberos V5 acl file for host access
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH DESCRIPTION
+.sp
+The \fI.k5login\fP file, which resides in a user\(aqs home directory, contains a list of the Kerberos principals.
+Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides.
+One common use is to place a \fI.k5login\fP file in root\(aqs home directory, thereby granting system administrators remote root access to the host via Kerberos.
+.SH EXAMPLES
+.sp
+Suppose the user "alice" had a \fI.k5login\fP file in her home directory containing the following line:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+bob@FUBAR.ORG
+.UNINDENT
+.UNINDENT
+.sp
+This  would  allow  "bob"  to use any of the Kerberos network applications, such as telnet(1), rlogin(1), rsh(1), and rcp(1),
+to access alice\(aqs account, using bob\(aqs Kerberos tickets.
+.sp
+Let us further suppose that "alice" is a system administrator.
+Alice and the other system administrators would have  their  principals in root\(aqs \fI.k5login\fP file on each host:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+alice@BLEEP.COM
+.sp
+joeadmin/root@BLEEP.COM
+.UNINDENT
+.UNINDENT
+.sp
+This  would  allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password.
+Note that because "bob" retains the Kerberos tickets for his own principal, "bob@FUBAR.ORG",
+he would not have  any  of  the privileges that require alice\(aqs tickets, such as root access to any of the site\(aqs hosts,
+or the ability to change alice\(aqs password.
+.SH SEE ALSO
+.sp
+telnet(1), rlogin(1), rsh(1), rcp(1), ksu(1), telnetd(8), klogind(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/k5srvutil.1 b/src/man/k5srvutil.1
new file mode 100644
index 0000000000..567e82a815
--- /dev/null
+++ b/src/man/k5srvutil.1
@@ -0,0 +1,84 @@
+.TH "K5SRVUTIL" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+k5srvutil \- host key table (keytab) manipulation utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBk5srvutil\fP \fIoperation\fP [ \fB\-i\fP ] [ \fB\-f\fP \fIfilename\fP ]
+.SH DESCRIPTION
+.sp
+\fIk5srvutil\fP allows a system manager to list or change keys currently in his keytab or to add new keys to the keytab.
+.sp
+Operation must be one of the following:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist\fP
+.sp
+Lists the keys in a keytab showing version number and principal name.
+.TP
+.B \fBchange\fP
+.sp
+Changes all the keys in the keytab to new randomly\-generated keys,
+updating the keys in the Kerberos server\(aqs database to match by using the kadmin protocol.
+If a key\(aqs version number doesn\(aqt match the version number stored in the Kerberos server\(aqs database,
+then the operation will fail. The old keys are retained so that existing tickets continue to work.
+If the \fI\-i\fP flag is given, \fIk5srvutil\fP will prompt for yes or no before changing each key.
+If the \fI\-k\fP option is used, the old and new keys will be displayed.
+.TP
+.B \fBdelold\fP
+.sp
+Deletes keys that are not the most recent version from the keytab.
+This operation should be used some time after a change operation to remove old keys.
+If the \fI\-i\fP flag is used, then the program prompts the user whether the old keys associated
+with each principal should be removed.
+.TP
+.B \fBdelete\fP
+.sp
+Deletes particular keys in the keytab, interactively prompting for each key.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+In all cases, the default file used is /etc/krb5.keytab file unless this is overridden by the \fB\-f\fP option.
+.sp
+\fIk5srvutil\fP  uses the kadmin program to edit the keytab in place.
+However, old keys are retained, so they are available in case of failure.
+.SH SEE ALSO
+.sp
+kadmin(8), ktutil(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kadmin.1 b/src/man/kadmin.1
new file mode 100644
index 0000000000..1a0d22a8ff
--- /dev/null
+++ b/src/man/kadmin.1
@@ -0,0 +1,1278 @@
+.TH "KADMIN" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kadmin \- Kerberos V5 database administration program
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkadmin\fP
+.sp
+[ \fB\-O\fP | \fB\-N\fP ]
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-p\fP \fIprincipal\fP]
+[\fB\-q\fP \fIquery\fP]
+[[\fB\-c\fP \fIcache_name\fP] | [\fB\-k\fP [\fB\-t\fP \fIkeytab\fP ]] | \fB\-n\fP]
+[\fB\-w\fP \fIpassword\fP]
+[\fB\-s\fP \fIadmin_server\fP [:\fIport\fP]]
+.TP
+.B \fBkadmin.local\fP
+.sp
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-p\fP \fIprincipal\fP]
+[\fB\-q\fP \fIquery\fP]
+[\fB\-d\fP \fIdbname\fP]
+[\fB\-e\fP "enc:salt ..."]
+[\fB\-m\fP]
+[\fB\-x\fP \fIdb_args\fP]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkadmin\fP and \fIkadmin.local\fP are command\-line interfaces to the Kerberos V5 KADM5 administration system.
+Both \fIkadmin\fP and \fIkadmin.local\fP provide identical functionalities;
+the difference is that \fIkadmin.local\fP runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database.
+Except as explicitly noted otherwise, this man page will use \fIkadmin\fP to refer to both versions.
+\fIkadmin\fP provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs).
+.sp
+The remote version uses Kerberos authentication and an encrypted RPC, to operate securely from anywhere on the network.
+It authenticates to the KADM5 server using the service principal \fIkadmin/admin\fP.
+If the credentials cache contains a ticket for the \fIkadmin/admin\fP principal, and the \fI\-c\fP credentials_cache option is specified,
+that ticket is used to authenticate to KADM5.
+Otherwise, the \fI\-p\fP and \fI\-k\fP options are used to specify the client Kerberos principal name used to authenticate.
+Once \fIkadmin\fP has determined the principal name, it requests a \fIkadmin/admin\fP Kerberos service ticket from the KDC,
+and uses that service ticket to authenticate to KADM5.
+.sp
+If the database is db2, the local client \fIkadmin.local\fP is intended to run directly on the master KDC without Kerberos authentication.
+The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load,
+which is now provided by the \fIkdb5_util(8)\fP utility.
+.sp
+If the database is LDAP, \fIkadmin.local\fP need not be run on the KDC.
+.sp
+\fIkadmin.local\fP can be configured to log updates for incremental database propagation.
+Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database.
+This facility can be enabled in the \fIkdc.conf\fP file with the \fIiprop_enable\fP option.
+See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Use \fIrealm\fP as the default database realm.
+.TP
+.B \fB\-p\fP \fIprincipal\fP
+.sp
+Use  \fIprincipal\fP to authenticate.  Otherwise, \fIkadmin\fP will append "/admin" to the primary principal name of the default ccache, the
+value of the \fIUSER\fP environment variable, or the username as obtained with \fIgetpwuid\fP, in order of preference.
+.TP
+.B \fB\-k\fP
+.sp
+Use a \fIkeytab\fP to decrypt the KDC response instead of prompting for a password on the TTY.  In this case, the default principal
+will be \fIhost/hostname\fP.  If there is not a \fIkeytab\fP specified with the \fB\-t\fP option, then the default \fIkeytab\fP will be used.
+.TP
+.B \fB\-t\fP \fIkeytab\fP
+.sp
+Use \fIkeytab\fP to decrypt the KDC response.  This can only be used with the \fB\-k\fP option.
+.TP
+.B \fB\-n\fP
+.sp
+Requests anonymous processing.  Two types of anonymous principals are supported.
+For fully anonymous Kerberos, configure pkinit on the KDC and configure \fIpkinit_anchors\fP in the client\(aqs \fIkrb5.conf\fP.
+Then use the \fI\-n\fP option with a principal of the form \fI@REALM\fP (an empty principal name followed by the at\-sign and a realm name).
+If permitted by the KDC, an anonymous ticket will be returned.
+A second form of anonymous tickets is supported; these realm\-exposed tickets hide the identity of the client but not the client\(aqs realm.
+For this mode, use \fIkinit \-n\fP with a normal principal name.
+If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.
+As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.
+.TP
+.B \fB\-c\fP \fIcredentials_cache\fP
+.sp
+Use \fIcredentials_cache\fP as the credentials cache.  The \fIcredentials_cache\fP should contain a service ticket for the \fIkadmin/admin\fP service;
+it can be acquired with the \fIkinit(1)\fP program.  If this option is not specified, \fIkadmin\fP requests a new service ticket from
+the KDC, and stores it in its own temporary ccache.
+.TP
+.B \fB\-w\fP \fIpassword\fP
+.sp
+Use \fIpassword\fP instead of prompting for one on the TTY.
+.IP Note
+.
+Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if
+unauthorized users gain read access to the script.
+.RE
+.TP
+.B \fB\-q\fP \fIquery\fP
+.sp
+pass query directly to kadmin, which will perform query and then exit.  This can be useful for writing scripts.
+.TP
+.B \fB\-d\fP \fIdbname\fP
+.sp
+Specifies the name of the Kerberos database.  This option does not apply to the LDAP database.
+.TP
+.B \fB\-s\fP \fIadmin_server\fP [:port]
+.sp
+Specifies the admin server which \fIkadmin\fP should contact.
+.UNINDENT
+.sp
+\fB\-m\fP     Do not authenticate using a \fIkeytab\fP.  This option will cause \fIkadmin\fP to prompt for the master database password.
+.INDENT 0.0
+.TP
+.B \fB\-e\fP enc:salt_list
+.sp
+Sets the list of encryption types and salt types to be used for any new keys created.
+.UNINDENT
+.sp
+\fB\-O\fP     Force use of old AUTH_GSSAPI authentication flavor.
+.sp
+\fB\-N\fP     Prevent fallback to AUTH_GSSAPI authentication flavor.
+.INDENT 0.0
+.TP
+.B \fB\-x\fP \fIdb_args\fP
+.sp
+Specifies the database specific arguments.
+.sp
+Options supported for LDAP database are:
+.INDENT 7.0
+.TP
+.B \fB\-x\fP host=<hostname>
+.sp
+specifies the LDAP server to connect to by a LDAP URI.
+.TP
+.B \fB\-x\fP binddn=<bind_dn>
+.sp
+specifies the DN of the object used by the administration server to bind to the LDAP server.  This object should have the
+read and write rights on the realm container, principal container and the subtree that is referenced by the realm.
+.TP
+.B \fB\-x\fP bindpwd=<bind_password>
+.sp
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH DATE FORMAT
+.sp
+Many of the \fIkadmin\fP commands take a duration or time as an argument. The date can appear in a wide variety of formats, such as:
+.sp
+.nf
+.ft C
+1 month ago
+2 hours ago
+400000 seconds ago
+last year
+this Monday
+next Monday
+yesterday
+tomorrow
+now
+second Monday
+fortnight ago
+3/31/92 10:00:07 PST
+January 23, 1987 10:05pm
+22:00 GMT
+.ft P
+.fi
+.sp
+Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected.
+In that case the time specifier will be interpreted as relative.
+Specifying "ago" in a duration may result in unexpected behavior.
+.sp
+The following is a list of all of the allowable keywords.
+.TS
+center;
+|l|l|.
+_
+T{
+Months
+T}	T{
+january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec
+T}
+_
+T{
+Days
+T}	T{
+sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat
+T}
+_
+T{
+Units
+T}	T{
+year, month, fortnight, week, day, hour, minute, min, second, sec
+T}
+_
+T{
+Relative
+T}	T{
+tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago
+T}
+_
+T{
+Time Zones
+T}	T{
+kadmin recognizes abbreviations for most of the world\(aqs time zones. A complete listing appears in kadmin Time Zones.
+T}
+_
+T{
+12\-hour Time Delimiters
+T}	T{
+am, pm
+T}
+_
+.TE
+.SH COMMANDS
+.SS add_principal
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBadd_principal\fP [options] \fInewprinc\fP
+.sp
+creates the principal \fInewprinc\fP, prompting twice for a password.  If no policy is specified with the \fI\-policy\fP option,
+and the policy named "default" exists, then that policy is assigned to the principal;
+note that the assignment of the policy "default" only occurs automatically when a principal is first created,
+so the policy "default" must already exist for the assignment to occur.
+This assignment of "default" can be suppressed with the \fI\-clearpolicy\fP option.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+This command requires the \fIadd\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Aliases:
+.sp
+.nf
+.ft C
+addprinc ank
+.ft P
+.fi
+.sp
+The options are:
+.INDENT 7.0
+.TP
+.B \fB\-x\fP \fIdb_princ_args\fP
+.INDENT 7.0
+.INDENT 3.5
+.sp
+Denotes the database specific options.
+.sp
+The options for LDAP database are:
+.INDENT 0.0
+.TP
+.B \fB\-x\fP dn=<dn>
+.sp
+Specifies the LDAP object that will contain the Kerberos principal being created.
+.TP
+.B \fB\-x\fP linkdn=<dn>
+.sp
+Specifies the LDAP object to which the newly created Kerberos principal object will point to.
+.TP
+.B \fB\-x\fP containerdn=<container_dn>
+.sp
+Specifies the container object under which the Kerberos principal is to be created.
+.TP
+.B \fB\-x\fP tktpolicy=<policy>
+.sp
+Associates a ticket policy to the Kerberos principal.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP Note
+.INDENT 7.0
+.IP \(bu 2
+.
+\fIcontainerdn\fP and \fIlinkdn\fP options cannot be specified with dn option.
+.IP \(bu 2
+.
+If \fIdn\fP or \fIcontainerdn\fP options are not specified while adding the principal, the principals are created under the prinicipal container configured in the realm or the realm container.
+.IP \(bu 2
+.
+\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm.
+.UNINDENT
+.RE
+.TP
+.B \fB\-expire\fP \fIexpdate\fP
+.sp
+expiration date of the principal
+.TP
+.B \fB\-pwexpire\fP \fIpwexpdate\fP
+.sp
+password expiration date
+.TP
+.B \fB\-maxlife\fP \fImaxlife\fP
+.sp
+maximum ticket life for the principal
+.TP
+.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
+.sp
+maximum renewable life of tickets for the principal
+.TP
+.B \fB\-kvno\fP \fIkvno\fP
+.sp
+explicitly set the key version number.
+.TP
+.B \fB\-policy\fP \fIpolicy\fP
+.sp
+policy used by this principal.
+If no policy is supplied, then if the policy "default" exists and the \fI\-clearpolicy\fP is not also specified,
+then the policy "default" is used;
+otherwise, the principal will have no policy, and a warning message will be printed.
+.TP
+.B \fB\-clearpolicy\fP
+.sp
+\fI\-clearpolicy\fP prevents the policy "default" from being assigned when \fI\-policy\fP is not specified.
+This option has no effect if the policy "default" does not exist.
+.TP
+.B {\- | +} \fBallow_postdated\fP
+.sp
+\fI\-allow_postdated\fP prohibits this principal from obtaining postdated tickets.
+(Sets the \fIKRB5_KDB_DISALLOW_POSTDATED\fP flag.) \fI+allow_postdated\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_forwardable\fP
+.sp
+\fI\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets.
+(Sets the  \fIKRB5_KDB_DISALLOW_FORWARDABLE\fP flag.)
+\fI+allow_forwardable\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_renewable\fP
+.sp
+\fI\-allow_renewable\fP prohibits this principal from obtaining renewable tickets.
+(Sets the \fIKRB5_KDB_DISALLOW_RENEWABLE\fP flag.)
+\fI+allow_renewable\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_proxiable\fP
+.sp
+\fI\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets.
+(Sets the \fIKRB5_KDB_DISALLOW_PROXIABLE\fP flag.)
+\fI+allow_proxiable\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_dup_skey\fP
+.sp
+\fI\-allow_dup_skey\fP  disables  user\-to\-user  authentication for this principal by prohibiting this principal from obtaining a
+session key for another user.
+(Sets the \fIKRB5_KDB_DISALLOW_DUP_SKEY\fP flag.)
+\fI+allow_dup_skey\fP clears this flag.
+.TP
+.B {\- | +} \fBrequires_preauth\fP
+.sp
+\fI+requires_preauth\fP  requires  this  principal  to  preauthenticate   before   being   allowed   to   kinit.
+(Sets   the \fIKRB5_KDB_REQUIRES_PRE_AUTH\fP flag.)
+\fI\-requires_preauth\fP clears this flag.
+.TP
+.B {\- | +} \fBrequires_hwauth\fP
+.sp
+\fI+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit.
+(Sets the \fIKRB5_KDB_REQUIRES_HW_AUTH\fP flag.)
+\fI\-requires_hwauth\fP clears this flag.
+.TP
+.B {\- | +} \fBok_as_delegate\fP
+.sp
+\fI+ok_as_delegate\fP sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service,
+which clients may use as a hint that credentials can and should be delegated when authenticating to the service.
+(Sets the \fIKRB5_KDB_OK_AS_DELEGATE\fP flag.)
+\fI\-ok_as_delegate\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_svr\fP
+.sp
+\fI\-allow_svr\fP prohibits the issuance of service tickets for this principal.
+(Sets  the  \fIKRB5_KDB_DISALLOW_SVR\fP  flag.)
+\fI+allow_svr\fP clears this flag.
+.TP
+.B {\- | +} \fBallow_tgs_req\fP
+.sp
+\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted.
+This option is useless for most things.
+\fI+allow_tgs_req\fP clears this flag.
+The default  is  +allow_tgs_req.
+In effect, \fI\-allow_tgs_req sets\fP the \fIKRB5_KDB_DISALLOW_TGT_BASED\fP flag on the principal in the database.
+.TP
+.B {\- | +} \fBallow_tix\fP
+.sp
+\fI\-allow_tix\fP forbids the issuance of any tickets for this principal.
+\fI+allow_tix\fP clears this flag.
+The default is \fI+allow_tix\fP.  In effect, \fI\-allow_tix\fP sets the \fIKRB5_KDB_DISALLOW_ALL_TIX\fP flag on the principal in the database.
+.TP
+.B {\- | +} \fBneedchange\fP
+.sp
+\fI+needchange\fP sets a flag in attributes field to force a password change;
+\fI\-needchange\fP clears it.
+The  default  is  \fI\-needchange\fP.
+In effect, \fI+needchange\fP sets the \fIKRB5_KDB_REQUIRES_PWCHANGE\fP flag on the principal in the database.
+.TP
+.B {\- | +} \fBpassword_changing_service\fP
+.sp
+\fI+password_changing_service\fP  sets a flag in the attributes field marking this as a password change service principal
+(useless for most things).
+\fI\-password_changing_service\fP clears the flag.  This  flag  intentionally  has  a  long  name.
+The default  is \fI\-password_changing_service\fP.
+In effect, \fI+password_changing_service\fP sets the \fIKRB5_KDB_PWCHANGE_SERVICE\fP flag on the principal in the database.
+.TP
+.B \fB\-randkey\fP
+.sp
+sets the key of the principal to a random value
+.TP
+.B \fB\-pw\fP \fIpassword\fP
+.sp
+sets the key of the principal to the specified string and does not prompt for a password.  Note:  using this option in  a
+shell script can be dangerous if unauthorized users gain read access to the script.
+.TP
+.B \fB\-e\fP "enc:salt ..."
+.sp
+uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if
+there are multiple enctype\-salttype pairs.  This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2.
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kadmin: addprinc jennifer
+WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+defaulting to no policy.
+Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
+Re\-enter password for principal jennifer@ATHENA.MIT.EDU:  <=Type it again.
+Principal "jennifer@ATHENA.MIT.EDU" created.
+kadmin:
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_ADD (requires "add" privilege)
+KADM5_BAD_MASK (shouldn\(aqt happen)
+KADM5_DUP (principal exists already)
+KADM5_UNK_POLICY (policy does not exist)
+KADM5_PASS_Q_* (password quality violations)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS modify_principal
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBmodify_principal\fP [options] \fIprincipal\fP
+.sp
+Modifies the specified principal, changing the fields as specified. The options are as above for \fIadd_principal\fP, except that
+password changing and flags related to password changing are forbidden by this command.
+In addition, the option \fI\-clearpolicy\fP will clear the current policy of a principal.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+This command requires the \fImodify\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+modprinc
+.ft P
+.fi
+.sp
+The options are:
+.INDENT 7.0
+.TP
+.B \fB\-x\fP \fIdb_princ_args\fP
+.sp
+Denotes the database specific options.
+.sp
+The options for LDAP database are:
+.INDENT 7.0
+.TP
+.B \fB\-x\fP tktpolicy=<policy>
+.sp
+Associates a ticket policy to the Kerberos principal.
+.TP
+.B \fB\-x\fP linkdn=<dn>
+.sp
+Associates  a  Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not
+already associated with a LDAP object.
+.UNINDENT
+.TP
+.B \fB\-unlock\fP
+.sp
+Unlocks a locked principal (one which has received too many failed authentication attempts without  enough  time  between
+them according to its password policy) so that it can successfully authenticate.
+.UNINDENT
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_MODIFY  (requires "modify" privilege)
+KADM5_UNK_PRINC (principal does not exist)
+KADM5_UNK_POLICY (policy does not exist)
+KADM5_BAD_MASK (shouldn\(aqt happen)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS delete_principal
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdelete_principal\fP [ \fI\-force\fP ] \fIprincipal\fP
+.sp
+Deletes the specified \fIprincipal\fP from the database.  This command prompts for deletion, unless the \fI\-force\fP option is  given.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+This command requires the \fIdelete\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+delprinc
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_DELETE (requires "delete" privilege)
+KADM5_UNK_PRINC (principal does not exist)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS change_password
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBchange_password\fP [options] \fIprincipal\fP
+.sp
+Changes the password of \fIprincipal\fP.  Prompts for a new password if neither \fI\-randkey\fP or \fI\-pw\fP is specified.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires  the  \fIchangepw\fP privilege,  or that the principal that is running the program to be the same as the one changed.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+cpw
+.ft P
+.fi
+.sp
+The following options are available:
+.INDENT 7.0
+.TP
+.B \fB\-randkey\fP
+.sp
+Sets the key of the principal to a random value
+.TP
+.B \fB\-pw\fP \fIpassword\fP
+.sp
+Set the password to the specified string.  Not recommended.
+.TP
+.B \fB\-e\fP "enc:salt ..."
+.sp
+Uses the specified list of enctype\-salttype pairs for setting the key of the principal.   The quotes are necessary if
+there are multiple enctype\-salttype pairs.  This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2.
+See \fISupported_Encryption_Types_and_Salts\fP for possible values.
+.TP
+.B \fB\-keepold\fP
+.sp
+Keeps the previous kvno\(aqs keys around.  This flag is usually not necessary except perhaps for TGS keys.  Don\(aqt use this
+flag unless you know what you\(aqre doing. This option is not supported for the LDAP database.
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kadmin: cpw systest
+Enter password for principal systest@BLEEP.COM:
+Re\-enter password for principal systest@BLEEP.COM:
+Password for systest@BLEEP.COM changed.
+kadmin:
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_MODIFY (requires the modify privilege)
+KADM5_UNK_PRINC (principal does not exist)
+KADM5_PASS_Q_* (password policy violation errors)
+KADM5_PADD_REUSE (password is in principal\(aqs password
+history)
+KADM5_PASS_TOOSOON (current password minimum life not
+expired)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS purgekeys
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBpurgekeys\fP [\fI\-keepkvno oldest_kvno_to_keep\fP ] \fIprincipal\fP
+.sp
+Purges previously retained old keys (e.g., from \fIchange_password \-keepold\fP) from \fIprincipal\fP.
+If \fB\-keepkvno\fP is specified, then only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS get_principal
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBget_principal\fP [\fI\-terse\fP] \fIprincipal\fP
+.sp
+Gets  the  attributes of principal.
+With the \fB\-terse\fP option, outputs fields as quoted tab\-separated strings.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIinquire\fP privilege, or that the principal that is running the the program to be the same as the one being listed.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+getprinc
+.ft P
+.fi
+.sp
+EXAMPLES:
+.sp
+.nf
+.ft C
+kadmin: getprinc tlyu/admin
+Principal: tlyu/admin@BLEEP.COM
+Expiration date: [never]
+Last password change: Mon Aug 12 14:16:47 EDT 1996
+Password expiration date: [none]
+Maximum ticket life: 0 days 10:00:00
+Maximum renewable life: 7 days 00:00:00
+Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+Last successful authentication: [never]
+Last failed authentication: [never]
+Failed password attempts: 0
+Number of keys: 2
+Key: vno 1, DES cbc mode with CRC\-32, no salt
+Key: vno 1, DES cbc mode with CRC\-32, Version 4
+Attributes:
+Policy: [none]
+
+
+kadmin: getprinc \-terse systest
+systest@BLEEP.COM   3    86400     604800    1
+785926535 753241234 785900000
+tlyu/admin@BLEEP.COM     786100034 0    0
+kadmin:
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_GET (requires the get (inquire) privilege)
+KADM5_UNK_PRINC (principal does not exist)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS list_principals
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist_principals\fP [expression]
+.sp
+Retrieves all or some principal names.
+Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *,  and  []\(aqs.
+All principal names matching the expression are printed.
+If no expression is provided, all principal names are printed.
+If the expression does not contain an "@" character, an "@" character followed by the local realm is appended  to  the expression.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIlist\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Aliases:
+.sp
+.nf
+.ft C
+listprincs get_principals get_princs
+.ft P
+.fi
+.sp
+EXAMPLES:
+.sp
+.nf
+.ft C
+kadmin:  listprincs test*
+test3@SECURE\-TEST.OV.COM
+test2@SECURE\-TEST.OV.COM
+test1@SECURE\-TEST.OV.COM
+testuser@SECURE\-TEST.OV.COM
+kadmin:
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS get_strings
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBget_strings\fP \fIprincipal\fP
+.sp
+Displays string attributes on \fIprincipal\fP.
+String attributes are used to supply per\-principal configuration to some KDC plugin modules.
+.sp
+Alias:
+.sp
+.nf
+.ft C
+getstr
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS set_string
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
+.sp
+Sets a string attribute on \fIprincipal\fP.
+.sp
+Alias:
+.sp
+.nf
+.ft C
+setstr
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS del_string
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdel_string\fP \fIprincipal\fP \fIkey\fP
+.sp
+Deletes a string attribute from \fIprincipal\fP.
+.sp
+Alias:
+.sp
+.nf
+.ft C
+delstr
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS add_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBadd_policy\fP [options] \fIpolicy\fP
+.sp
+Adds the named \fIpolicy\fP to the policy database.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIadd\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+addpol
+.ft P
+.fi
+.sp
+The following options are available:
+.INDENT 7.0
+.TP
+.B \fB\-maxlife\fP \fItime\fP
+.sp
+sets the maximum lifetime of a password
+.TP
+.B \fB\-minlife\fP \fItime\fP
+.sp
+sets the minimum lifetime of a password
+.TP
+.B \fB\-minlength\fP \fIlength\fP
+.sp
+sets the minimum length of a password
+.TP
+.B \fB\-minclasses\fP \fInumber\fP
+.sp
+sets the minimum number of character classes allowed in a password
+.TP
+.B \fB\-history\fP \fInumber\fP
+.sp
+sets the number of past keys kept for a principal. This option is not supported for LDAP database
+.TP
+.B \fB\-maxfailure\fP \fImaxnumber\fP
+.sp
+sets the maximum number of authentication failures before the principal is  locked.
+Authentication failures are only tracked for principals which require preauthentication.
+.TP
+.B \fB\-failurecountinterval\fP \fIfailuretime\fP
+.sp
+sets  the  allowable  time  between  authentication failures.
+If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure,
+the number of authentication failures is reset to 1.
+.TP
+.B \fB\-lockoutduration\fP \fIlockouttime\fP
+.sp
+sets the duration for which the principal is locked from authenticating if too many authentication failures occur without
+the specified failure count interval elapsing. A duration of 0 means forever.
+.UNINDENT
+.sp
+EXAMPLES:
+.sp
+.nf
+.ft C
+kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
+kadmin:
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_ADD (requires the add privilege)
+KADM5_DUP (policy already exists)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS modify_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBmodify_policy\fP [options] \fIpolicy\fP
+.sp
+modifies the named \fIpolicy\fP.  Options are as above for \fIadd_policy\fP.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fImodify\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+modpol
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_MODIFY (requires the modify privilege)
+KADM5_UNK_POLICY (policy does not exist)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS delete_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdelete_policy\fP [ \fI\-force\fP ] \fIpolicy\fP
+.sp
+deletes the named \fIpolicy\fP.  Prompts for confirmation before deletion.
+The command will fail if the policy is in use by any principals.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIdelete\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+delpol
+.ft P
+.fi
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kadmin: del_policy guests
+Are you sure you want to delete the policy "guests"?
+(yes/no): yes
+kadmin:
+.ft P
+.fi
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_DELETE (requires the delete privilege)
+KADM5_UNK_POLICY (policy does not exist)
+KADM5_POLICY_REF (reference count on policy is not zero)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS get_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
+.sp
+displays the values of the named \fIpolicy\fP.
+With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIinquire\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+getpol
+.ft P
+.fi
+.sp
+EXAMPLES:
+.sp
+.nf
+.ft C
+kadmin: get_policy admin
+Policy: admin
+Maximum password life: 180 days 00:00:00
+Minimum password life: 00:00:00
+Minimum password length: 6
+Minimum number of password character classes: 2
+Number of old keys kept: 5
+Reference count: 17
+
+kadmin: get_policy \-terse admin
+admin     15552000  0    6    2    5    17
+kadmin:
+.ft P
+.fi
+.sp
+The \fIReference count\fP is the number of principals using that policy.
+.sp
+ERRORS:
+.sp
+.nf
+.ft C
+KADM5_AUTH_GET (requires the get privilege)
+KADM5_UNK_POLICY (policy does not exist)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS list_policies
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist_policies\fP [expression]
+.sp
+Retrieves all or some policy names.  Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs.
+All policy names matching the expression are printed.
+If no expression is provided, all existing policy names are printed.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the \fIlist\fP privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+Alias:
+.sp
+.nf
+.ft C
+listpols, get_policies, getpols.
+.ft P
+.fi
+.sp
+EXAMPLES:
+.sp
+.nf
+.ft C
+kadmin:  listpols
+test\-pol
+dict\-only
+once\-a\-min
+test\-pol\-nopw
+
+kadmin:  listpols t*
+test\-pol
+test\-pol\-nopw
+kadmin:
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS ktadd
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBktadd\fP  [[\fIprincipal\fP | \fB\-glob\fP \fIprinc\-exp\fP]
+.sp
+Adds a \fIprincipal\fP or all principals matching \fIprinc\-exp\fP to a keytab file.
+It randomizes each principal\(aqs key in the process, to prevent a compromised admin account from reading out all of the keys from the database.
+The rules for principal expression are the same as for the \fIkadmin\fP \fI\%list_principals\fP command.
+.INDENT 7.0
+.INDENT 3.5
+.IP Note
+.
+Requires the  \fIinquire\fP and \fIchangepw\fP privileges.
+.sp
+If you use the \fI\-glob\fP option, it also requires the \fIlist\fP administrative privilege.
+.RE
+.UNINDENT
+.UNINDENT
+.sp
+The options are:
+.INDENT 7.0
+.TP
+.B \fB\-k[eytab]\fP  \fIkeytab\fP
+.sp
+Use \fIkeytab\fP as the keytab file. Otherwise, \fIktadd\fP will use the default keytab file (\fI/etc/krb5.keytab\fP).
+.TP
+.B \fB\-e\fP \fI"enc:salt..."\fP
+.sp
+Use the specified list of enctype\-salttype pairs for setting the key of the principal.
+The enctype\-salttype pairs may be delimited with commas or whitespace.
+The quotes are necessary for whitespace\-delimited list.
+If this option is not specified, then \fIsupported_enctypes\fP from \fIkrb5.conf\fP will be used.
+See \fISupported_Encryption_Types_and_Salts\fP for all possible values.
+.TP
+.B \fB\-q\fP
+.sp
+Run in quiet mode. This causes \fIktadd\fP to display less verbose information.
+.TP
+.B \fB\-norandkey\fP
+.sp
+Do not randomize the keys. The keys and their version numbers stay unchanged.
+That allows users to continue to use the passwords they know to login normally,
+while simultaneously allowing scripts to login to the same account using a \fIkeytab\fP.
+There is no significant security risk added since \fIkadmin.local\fP must be run by root on the KDC anyway.
+This option is only available in \fIkadmin.local\fP and cannot be specified in combination with \fI\-e\fP option.
+.UNINDENT
+.IP Note
+.
+An entry for each of the principal\(aqs unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.
+.RE
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
+Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
+     kvno 3, encryption type DES\-CBC\-CRC added to keytab
+     WRFILE:/tmp/foo\-new\-keytab
+kadmin:
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS ktremove
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBktremove\fP  \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
+.sp
+Removes entries for the specified \fIprincipal\fP from a keytab.  Requires no permissions, since this does not require database access.
+.sp
+If the string "all" is specified, all entries for that principal are removed;
+if the string "old" is specified, all entries for that principal except those with the highest kvno are removed.
+Otherwise, the value specified is parsed as an integer, and all entries whose \fIkvno\fP match that integer are removed.
+.sp
+The options are:
+.INDENT 7.0
+.TP
+.B \fB\-k[eytab]\fP  \fIkeytab\fP
+.sp
+Use keytab as the keytab file. Otherwise, \fIktremove\fP will use the default keytab file (\fI/etc/krb5.keytab\fP).
+.TP
+.B \fB\-q\fP
+.sp
+Run in quiet mode. This causes \fIktremove\fP to display less verbose information.
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all
+Entry for principal kadmin/admin with kvno 3 removed
+     from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+kadmin:
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.IP Note
+.
+The first three files are specific to db2 database.
+.RE
+.TS
+center;
+|l|l|.
+_
+T{
+principal.db
+T}	T{
+default name for Kerberos principal database
+T}
+_
+T{
+<dbname>.kadm5
+T}	T{
+KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.)  Contains policy information.
+T}
+_
+T{
+<dbname>.kadm5.lock
+T}	T{
+Lock file for the KADM5 administrative database.  This file works backwards from most other lock files. I.e., \fIkadmin\fP will exit with an error if this file does not exist.
+T}
+_
+T{
+kadm5.acl
+T}	T{
+File containing list of principals and their \fIkadmin\fP administrative privileges.  See kadmind(8) for a description.
+T}
+_
+T{
+kadm5.keytab
+T}	T{
+\fIkeytab\fP file for \fIkadmin/admin\fP principal.
+T}
+_
+T{
+kadm5.dict
+T}	T{
+file containing dictionary of strings explicitly disallowed as passwords.
+T}
+_
+.TE
+.SH HISTORY
+.sp
+The \fIkadmin\fP program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.
+.SH SEE ALSO
+.sp
+kerberos(1), kpasswd(1), kadmind(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kadmin.local.8 b/src/man/kadmin.local.8
new file mode 100644
index 0000000000..00df30db6f
--- /dev/null
+++ b/src/man/kadmin.local.8
@@ -0,0 +1 @@
+.so man1/kadmin.1
diff --git a/src/man/kadmind.8 b/src/man/kadmind.8
new file mode 100644
index 0000000000..b4eade4ef2
--- /dev/null
+++ b/src/man/kadmind.8
@@ -0,0 +1,287 @@
+.TH "KADMIND" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kadmind \- KADM5 administration server
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkadmind\fP [\fB\-x\fP \fIdb_args\fP] [\fB\-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP \fIport\-number\fP] [\fB\-P\fP \fIpid_file\fP]
+.SH DESCRIPTION
+.sp
+This command starts the KADM5 administration server. If the database is db2, the administration server runs on the master Kerberos server,
+which stores the KDC principal database and the KADM5 policy database. If the database is LDAP, the administration server and
+the KDC server need not run on the same machine.  \fIkadmind\fP accepts remote requests to administer the information in these databases.
+Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of \fIkadmind\fP.
+.sp
+\fIkadmind\fP requires a number of configuration files to be set up in order for it to work:
+.INDENT 0.0
+.TP
+.B \fIkdc.conf\fP
+.sp
+The KDC configuration file contains configuration information for the KDC and the KADM5 system.  \fIkadmind\fP understands a number
+of  variable  settings in this file, some of which are mandatory and some of which are optional.
+See the CONFIGURATION VALUES section below.
+.TP
+.B \fIkeytab\fP
+.sp
+Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that
+\fIkadmind\fP will answer requests for.  The keytab can be created with the kadmin(8) client.
+The location of the keytab is determined by the \fIadmin_keytab\fP configuration variable (see CONFIGURATION VALUES).
+.TP
+.B \fIACL\fP file
+.sp
+\fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions.
+The  path of  the \fIACL\fP file is specified via the acl_file configuration variable (see CONFIGURATION VALUES).
+The syntax of the \fIACL\fP file is specified in the \fIACL\fP FILE SYNTAX section below.
+.sp
+If the \fIkadmind\fP\(aqs ACL file is modified, the \fIkadmind\fP daemon needs to be restarted for changes to take effect.
+.UNINDENT
+.sp
+After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal.
+.sp
+\fIkadmind\fP can be configured for incremental database propagation.  Incremental propagation allows slave KDC servers to receive  principal
+and  policy  updates  incrementally instead of receiving full dumps of the database.  This facility can be enabled in the \fIkdc.conf\fP file
+with the \fIiprop_enable\fP option.  See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters.
+Incremental propagation requires the principal "kiprop/MASTER@REALM"
+(where MASTER is the master KDC\(aqs canonical host name, and REALM the realm name) to be registered in the database.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-x\fP \fIdb_args\fP
+.sp
+specifies the database specific arguments.
+.sp
+Options supported for LDAP database are:
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-x\fP \fInconns\fP =<number_of_connections>
+.sp
+specifies the number of connections to be maintained per LDAP server.
+.TP
+.B \fB\-x\fP \fIhost\fP =<ldapuri>
+.sp
+specifies the LDAP server to connect to by a LDAP URI.
+.TP
+.B \fB\-x\fP \fIbinddn\fP =<binddn>
+.sp
+specifies the DN of the object used by the administration server to bind to the LDAP server.  This object should have the
+read and write rights on the realm container, principal container and the subtree that is referenced by the realm.
+.TP
+.B \fB\-x\fP \fIbindpwd\fP =<bind_password>
+.sp
+specifies the password for the above mentioned binddn. It is recommended not to use this option.
+Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+specifies the default realm that \fIkadmind\fP will serve; if it is not specified, the default realm of the host is used.
+\fIkadmind\fP will answer requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab.
+.TP
+.B \fB\-m\fP
+.sp
+specifies that the master database password should be fetched from the keyboard rather than from a file on disk.
+Note that the server gets the password prior to putting itself in the background;
+in combination with the \fI\-nofork\fP option, you must place it in the background by hand.
+.TP
+.B \fB\-nofork\fP
+.sp
+specifies that the server does not put itself in the background and does not disassociate itself from the terminal.
+In normal operation, you should always allow the server place itself in the background.
+.TP
+.B \fB\-port\fP \fIport\-number\fP
+.sp
+specifies the port on which the administration server listens for connections.  The default is is controlled by the \fIkadmind_port\fP
+configuration variable (see below).
+.TP
+.B \fB\-P\fP \fIpid_file\fP
+.sp
+specifies the file to which the PID of \fIkadmind\fP process should be written to after it starts up.  This can be used to identify
+whether \fIkadmind\fP is still running and to allow init scripts to stop the correct process.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH CONFIGURATION VALUES
+.sp
+In addition to the relations defined in kdc.conf(5), \fIkadmind\fP understands the following relations,
+all of which should appear in the [realms] section:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBacl_file\fP
+.sp
+The path of \fIkadmind\fP\(aqs \fIACL\fP file.  \fBMandatory\fP.  No default.
+.TP
+.B \fBadmin_keytab\fP
+.sp
+The  name  of  the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that \fIkadmind\fP will
+serve.  The default is the value of the KRB5_KTNAME environment variable, if defined.  \fBMandatory\fP.
+.TP
+.B \fBdict_file\fP
+.sp
+The path of \fIkadmind\fP\(aqs password dictionary.  A principal with any password policy will not be allowed to select any  password  in
+the dictionary.  Optional.  No default.
+.TP
+.B \fBkadmind_port\fP
+.sp
+The TCP port on which \fIkadmind\fP will listen.  The default is 749.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ACL FILE SYNTAX
+.sp
+The \fIACL\fP file controls which principals can or cannot perform which administrative functions.  For operations  that  affect  principals,
+the  \fIACL\fP file also controls which principals can operate on which other principals.  This file can contain comment lines, null lines or
+lines which contain \fIACL\fP entries.  Comment lines start with the sharp sign (#) and continue until the end of the line.
+Lines containing \fIACL\fP entries have the format of principal whitespace \fIoperation\-mask\fP [whitespace \fIoperation\-target\fP]
+.sp
+Ordering  is important.  The first matching entry is the one which will control access for a particular principal on a particular principal.
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBprincipal\fP
+.sp
+may specify a partially or fully qualified Kerberos version 5 principal name.  Each component of  the  name  may  be  wildcarded
+using the asterisk ( * ) character.
+.TP
+.B \fBoperation\-target\fP
+.sp
+[Optional]  may specify a partially or fully qualified Kerberos version 5 principal name.  Each component of the name may be
+wildcarded using the asterisk ( * ) character.
+.TP
+.B \fBoperation\-mask\fP
+.sp
+Specifies what operations may or may not be performed by a principal matching a particular entry.  This is a string of one or
+more of the following list of characters or their upper\-case counterparts.  If the character is upper\-case, then the operation
+is disallowed.  If the character is lower\-case, then the operation is permitted.
+.sp
+.nf
+.ft C
+a    [Dis]allows the addition of principals or policies in the database.
+d    [Dis]allows the deletion of principals or policies in the database.
+m    [Dis]allows the modification of principals or policies in the database.
+c    [Dis]allows the changing of passwords for principals in the database.
+i    [Dis]allows inquiries to the database.
+l    [Dis]allows the listing of principals or policies in the database.
+p    [Dis]allows the propagation of the principal database.
+x    Short for admcil.
+*    Same as x.
+.ft P
+.fi
+.sp
+Some examples of valid entries here are:
+.INDENT 7.0
+.TP
+.B \fIuser/instance@realm adm\fP
+.sp
+A standard fully qualified name.
+The \fIoperation\-mask\fP only applies to this principal and specifies that [s]he may add,
+delete  or modify principals and policies, but not change anybody else\(aqs password.
+.TP
+.B \fIuser/instance@realm cim service/instance@realm\fP
+.sp
+A  standard fully qualified name and a standard fully qualified target.
+The \fIoperation\-mask\fP only applies to this principal operating on this target and specifies
+that [s]he may change the target\(aqs password, request information about the target and  modify it.
+.TP
+.B \fIuser/*@realm ac\fP
+.sp
+A  wildcarded name.  The \fIoperation\-mask\fP applies to all principals in realm "realm" whose first component is "user" and specifies
+that [s]he may add principals and change anybody\(aqs password.
+.TP
+.B \fIuser/*@realm i */instance@realm\fP
+.sp
+A wildcarded name and target.  The \fIoperation\-mask\fP applies to all principals in realm "realm" whose first component is "user" and
+specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm".
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+Note: The first three files are specific to db2 database.
+.TS
+center;
+|l|l|.
+_
+T{
+principal.db
+T}	T{
+default name for Kerberos principal database
+T}
+_
+T{
+<dbname>.kadm5
+T}	T{
+KADM5  administrative database.  (This would be "principal.kadm5", if you use the default database name.)  Contains policy information.
+T}
+_
+T{
+<dbname>.kadm5.lock
+T}	T{
+lock file for the KADM5 administrative database.  This file works backwards from most other lock files.  I.e., kadmin will exit with an error if this file does not exist.
+T}
+_
+T{
+kadm5.acl
+T}	T{
+file containing list of principals and their kadmin administrative privileges.  See above for a description.
+T}
+_
+T{
+kadm5.keytab
+T}	T{
+keytab file for \fIkadmin/admin\fP principal.
+T}
+_
+T{
+kadm5.dict
+T}	T{
+file containing dictionary of strings explicitly disallowed as passwords.
+T}
+_
+.TE
+.SH SEE ALSO
+.sp
+kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8), kdb5_ldap_util(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kdb5_ldap_util.8 b/src/man/kdb5_ldap_util.8
new file mode 100644
index 0000000000..71ae0c8c7b
--- /dev/null
+++ b/src/man/kdb5_ldap_util.8
@@ -0,0 +1,1108 @@
+.TH "KDB5_LDAP_UTIL" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kdb5_ldap_util \- Kerberos configuration utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkdb5_ldap_util\fP [\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]] [\fB\-H\fP \fIldapuri\fP] \fBcommand\fP [\fIcommand_options\fP]
+.SH DESCRIPTION
+.sp
+\fIkdb5_ldap_util\fP allows an administrator to manage realms, Kerberos services and ticket policies.
+.SH COMMAND-LINE OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-D\fP \fIuser_dn\fP
+.sp
+Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.
+.TP
+.B \fB\-w\fP \fIpasswd\fP
+.sp
+Specifies the password of \fIuser_dn\fP.  This option is not recommended.
+.TP
+.B \fB\-H\fP \fIldapuri\fP
+.sp
+Specifies the URI of the LDAP server.  It is recommended to use \fIldapi://\fP or \fIldaps://\fP to connect to the LDAP server.
+.UNINDENT
+.SH COMMANDS
+.SS create
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBcreate\fP
+[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
+[\fB\-sscope\fP \fIsearch_scope\fP]
+[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
+[\fB\-k\fP \fImkeytype\fP]
+[\fB\-kv\fP \fImkeyVNO\fP]
+[\fB\-m|\-P\fP \fIpassword*|*\fP\-sf** \fIstashfilename\fP]
+[\fB\-s\fP]
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-kdcdn\fP \fIkdc_service_list\fP]
+[\fB\-admindn\fP \fIadmin_service_list\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Creates realm in directory. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+.sp
+Specifies the list of subtrees containing the principals of a realm.
+The list contains the DNs of the subtree objects separated by colon(:).
+.TP
+.B \fB\-sscope\fP \fIsearch_scope\fP
+.sp
+Specifies the scope for searching the principals under the subtree.
+The possible values are 1 or one (one level), 2 or sub (subtrees).
+.TP
+.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
+.sp
+Specifies the DN of the container object in which the principals of a realm will be created.
+If the container reference is not configured  for  a  realm, the principals will be created in the realm container.
+.TP
+.B \fB\-k\fP \fImkeytype\fP
+.sp
+Specifies the key type of the master key in the database; the default is that given in kdc.conf.
+.TP
+.B \fB\-kv\fP \fImkeyVNO\fP
+.sp
+Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed.
+.TP
+.B \fB\-m\fP
+.sp
+Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk.
+.TP
+.B \fB\-P\fP \fIpassword\fP
+.sp
+Specifies the master database password. This option is not recommended.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-sf\fP \fIstashfilename\fP
+.sp
+Specifies the stash file of the master database password.
+.TP
+.B \fB\-s\fP
+.sp
+Specifies that the stash file is to be created.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+.sp
+Specifies maximum ticket life for principals in this realm.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+.sp
+Specifies maximum renewable life of tickets for principals in this realm.
+.TP
+.B \fIticket_flags\fP
+.INDENT 7.0
+.INDENT 3.5
+.sp
+Specifies  the ticket flags.
+If this option is not specified, by default, none of the flags are set.
+This means all the ticket options will be allowed and no restriction will be set.
+.UNINDENT
+.UNINDENT
+.sp
+The various flags are:
+.INDENT 7.0
+.TP
+.B {\-|+}allow_postdated
+.
+\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets.
+(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)  \fI+allow_postdated\fP clears this flag.
+.TP
+.B {\-|+}allow_forwardable
+.
+\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets.
+(Sets the  KRB5_KDB_DISALLOW_FORWARDABLE  flag.)
+\fI+allow_forwardable\fP  clears this flag.
+.TP
+.B {\-|+}allow_renewable
+.
+\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets.
+(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)
+\fI+allow_renewable\fP clears this flag.
+.TP
+.B {\-|+}allow_proxiable
+.
+\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets.
+(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)
+\fI+allow_proxiable\fP clears this flag.
+.TP
+.B {\-|+}allow_dup_skey
+.
+\fI\-allow_dup_skey\fP  disables  user\-to\-user  authentication  for principals by prohibiting principals
+from obtaining a session key for another user.
+(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.)
+\fI+allow_dup_skey\fP clears this flag.
+.TP
+.B {\-|+}ok_as_delegate
+.
++ok_as_delegate sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service,
+which clients may use as a hint that credentials can and should be delegated when authenticating to the service.
+(Sets the KRB5_KDB_OK_AS_DELEGATE flag.)
+\fI\-ok_as_delegate\fP clears this flag.
+.TP
+.B {\-|+}requires_preauth
+.
+\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to \fIkinit\fP.
+(Sets the  KRB5_KDB_REQUIRES_PRE_AUTH  flag.)
+\fI\-requires_preauth\fP clears this flag.
+.TP
+.B {\-|+}requires_hwauth
+.
+\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit.
+(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
+\fI\-requires_hwauth\fP clears this flag.
+.TP
+.B {\-|+}allow_svr
+.
+\fI\-allow_svr\fP prohibits the issuance of service tickets for principals.  (Sets the KRB5_KDB_DISALLOW_SVR flag.)
+\fI+allow_svr\fP clears this flag.
+.TP
+.B {\-|+}allow_tgs_req
+.
+\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted.
+This option  is  useless  for most  things.
+\fI+allow_tgs_req\fP  clears  this flag.  The default is \fI+allow_tgs_req\fP.
+In effect, \fI\-allow_tgs_req\fP sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.
+.TP
+.B {\-|+}allow_tix
+.
+\fI\-allow_tix\fP forbids the issuance of any tickets for principals.  \fI+allow_tix\fP clears this flag.
+The default is \fI+allow_tix\fP.
+In effect, \fI\-allow_tix\fP  sets  the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.
+.TP
+.B {\-|+}needchange
+.
+\fI+needchange\fP  sets  a  flag in attributes field to force a password change; \fI\-needchange\fP clears it.
+The default is \fI\-needchange\fP.
+In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
+.TP
+.B {\-|+}password_changing_service
+.
+\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal
+(useless for most things).
+\fI\-password_changing_service\fP  clears  the  flag. This flag intentionally has a long name.
+The default is \fI\-password_changing_service\fP.
+In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
+.UNINDENT
+.UNINDENT
+.sp
+Command options specific to eDirectory
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-kdcdn\fP \fIkdc_service_list\fP
+.sp
+Specifies the list of KDC service objects serving the realm.
+The list contains the DNs of the KDC service objects separated by colon(:).
+.TP
+.B \fB\-admindn\fP \fIadmin_service_list\fP
+.sp
+Specifies the list of Administration service objects serving the realm.
+The list contains the DNs of  the  Administration  service  objects  separated  by colon(:).
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Initializing database for realm \(aqATHENA.MIT.EDU\(aq
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re\-enter KDC database master key to verify:
+.ft P
+.fi
+.SS modify
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBmodify\fP
+[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
+[\fB\-sscope\fP \fIsearch_scope\fP]
+[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]]
+[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Modifies the attributes of a realm. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+.sp
+Specifies  the  list  of subtrees containing the principals of a realm.
+The list contains the DNs of the subtree objects separated by colon(:). This list replaces the existing list.
+.TP
+.B \fB\-sscope\fP \fIsearch_scope\fP
+.sp
+Specifies the scope for searching the principals under the subtrees.
+The possible values are 1 or one (one level), 2 or sub (subtrees).
+.TP
+.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
+.sp
+Specifies the DN of the container object in which the principals of a realm will be created.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+.sp
+Specifies maximum ticket life for principals in this realm.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+.sp
+Specifies maximum renewable life of tickets for principals in this realm.
+.TP
+.B \fIticket_flags\fP
+.INDENT 7.0
+.INDENT 3.5
+.sp
+Specifies the ticket flags. If this option is not specified, by default, none of the flags are set.
+This means all the ticket options will be allowed  and no restriction will be set.
+.UNINDENT
+.UNINDENT
+.sp
+The various flags are:
+.INDENT 7.0
+.TP
+.B {\-|+}allow_postdated
+.
+\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)
+\fI+allow_postdated\fP clears this flag.
+.TP
+.B {\-|+}allow_forwardable
+.
+\fI\-allow_forwardable\fP  prohibits  principals  from  obtaining forwardable tickets.
+(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.)
+\fI+allow_forwardable\fP clears this flag.
+.TP
+.B {\-|+}allow_renewable
+.
+\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)
+\fI+allow_renewable\fP clears this flag.
+.TP
+.B {\-|+}allow_proxiable
+.
+\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)
+\fI+allow_proxiable\fP clears this flag.
+.TP
+.B {\-|+}allow_dup_skey
+.
+\fI\-allow_dup_skey\fP Disables user\-to\-user authentication for principals by prohibiting principals from
+obtaining a session key for  another  user.
+(Sets  the KRB5_KDB_DISALLOW_DUP_SKEY flag.)
+\fI+allow_dup_skey\fP clears this flag.
+.TP
+.B {\-|+}requires_preauth
+.
+\fI+requires_preauth\fP  requires  principals  to preauthenticate before being allowed to kinit.
+(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)  \fI\-requires_preauth\fP clears this flag.
+.TP
+.B {\-|+}requires_hwauth
+.
+\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit.
+(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
+\fI\-requires_hwauth\fP clears this flag.
+.TP
+.B {\-|+}allow_svr
+.
+\fI\-allow_svr\fP prohibits the issuance of service tickets for principals.  (Sets the KRB5_KDB_DISALLOW_SVR flag.) \fI+allow_svr\fP clears this flag.
+.TP
+.B {\-|+}allow_tgs_req
+.
+\fI\-allow_tgs_req\fP  specifies  that  a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted.
+This option is useless for most things.
+\fI+allow_tgs_req\fP clears this flag.
+The default is \fI+allow_tgs_req\fP.  In effect, \fI\-allow_tgs_req\fP sets  the  KRB5_KDB_DISALLOW_TGT_BASED  flag  on principals in the database.
+.TP
+.B {\-|+}allow_tix
+.
+\fI\-allow_tix\fP  forbids  the issuance of any tickets for principals.
+\fI+allow_tix\fP clears this flag.  The default is \fI+allow_tix\fP.
+In effect, \fI\-allow_tix\fP sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.
+.TP
+.B {\-|+}needchange
+.
+\fI+needchange\fP sets a flag in attributes field to force a password change;
+\fI\-needchange\fP clears it. The default is \fI\-needchange\fP.
+In  effect,  \fI+needchange\fP  sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
+.TP
+.B {\-|+}password_changing_service
+.
+\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal
+(useless for most things).  \fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name.
+The default is \fI\-password_changing_service\fP.
+In  effect,  \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
+.UNINDENT
+.UNINDENT
+.sp
+Command options specific to eDirectory
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-kdcdn\fP \fIkdc_service_list\fP
+.sp
+Specifies  the  list  of  KDC  service objects serving the realm.
+The list contains the DNs of the KDC service objects separated by a colon (:).
+This list replaces the existing list.
+.TP
+.B \fB\-clearkdcdn\fP \fIkdc_service_list\fP
+.sp
+Specifies the list of KDC service objects that need to be removed from the existing list.
+The list contains the DNs of the KDC service  objects  separated by a colon (:).
+.TP
+.B \fB\-addkdcdn\fP \fIkdc_service_list\fP
+.sp
+Specifies  the list of KDC service objects that need to be added to the existing list.
+The list contains the DNs of the KDC service objects separated by a colon (:).
+.TP
+.B \fB\-admindn\fP \fIadmin_service_list\fP
+.sp
+Specifies the list of Administration service objects serving the realm.
+The list contains the DNs of the Administration service  objects  separated  by  a colon (:).
+This list replaces the existing list.
+.TP
+.B \fB\-clearadmindn\fP \fIadmin_service_list\fP
+.sp
+Specifies  the list of Administration service objects that need to be removed from the existing list.
+The list contains the DNs of the Administration service objects separated by a colon (:).
+.TP
+.B \fB\-addadmindn\fP \fIadmin_service_list\fP
+.sp
+Specifies the list of Administration service objects that need to be added to the existing list.
+The list contains the DNs of the  Administration  service objects separated by a colon (:).
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+shell%
+.ft P
+.fi
+.SS view
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBview\fP [\fB\-r\fP \fIrealm\fP]
+.sp
+Displays the attributes of a realm.  Options:
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Realm Name: ATHENA.MIT.EDU
+Subtree: ou=users,o=org
+Subtree: ou=servers,o=org
+SearchScope: ONE
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.ft P
+.fi
+.SS destroy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
+.sp
+Destroys an existing realm. Options:
+.TP
+.B \fB\-f\fP
+.sp
+If specified, will not prompt the user for confirmation.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
+(type \(aqyes\(aq to confirm)? yes
+OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
+shell%
+.ft P
+.fi
+.SS list
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist\fP
+.sp
+Lists the name of realms.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list
+Password for "cn=admin,o=org":
+ATHENA.MIT.EDU
+OPENLDAP.MIT.EDU
+MEDIA\-LAB.MIT.EDU
+shell%
+.ft P
+.fi
+.SS stashsrvpw
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBstashsrvpw\fP [\fB\-f\fP \fIfilename\fP] \fIservicedn\fP
+.sp
+Allows  an  administrator to store the password for service object in a file so that KDC and Administration server
+can use it to authenticate to the LDAP server.  Options:
+.TP
+.B \fB\-f\fP \fIfilename\fP
+.sp
+Specifies the complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used.
+.TP
+.B \fIservicedn\fP
+.sp
+Specifies Distinguished Name (DN) of the service object whose password is to be stored in file.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org
+Password for "cn=service\-kdc,o=org":
+Re\-enter password for "cn=service\-kdc,o=org":
+.ft P
+.fi
+.SS create_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBcreate_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP
+.sp
+Creates a ticket policy in directory. Options:
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+.sp
+Specifies maximum ticket life for principals.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+.sp
+Specifies maximum renewable life of tickets for principals.
+.TP
+.B \fIticket_flags\fP
+.sp
+Specifies the ticket flags. If this option is not specified, by default, none of the flags are set.
+This means all the ticket options will be allowed  and no restriction will be set.
+.sp
+The various flags are:
+.INDENT 7.0
+.TP
+.B {\-|+}allow_postdated
+.
+\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets.
+(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)  \fI+allow_postdated\fP clears this flag.
+.TP
+.B {\-|+}allow_forwardable
+.
+\fI\-allow_forwardable\fP  prohibits  principals  from  obtaining forwardable tickets.
+(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.)  \fI+allow_forwardable\fP clears this flag.
+.TP
+.B {\-|+}allow_renewable
+.
+\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets.
+(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)  \fI+allow_renewable\fP clears this flag.
+.TP
+.B {\-|+}allow_proxiable
+.
+\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets.
+(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)  \fI+allow_proxiable\fP clears this flag.
+.TP
+.B {\-|+}allow_dup_skey
+.
+\fI\-allow_dup_skey\fP disables user\-to\-user authentication for principals by prohibiting principals
+from obtaining a session key for  another  user.
+(Sets  the KRB5_KDB_DISALLOW_DUP_SKEY flag.)  \fI+allow_dup_skey\fP clears this flag.
+.TP
+.B {\-|+}requires_preauth
+.
+\fI+requires_preauth\fP  requires  principals  to preauthenticate before being allowed to kinit.
+(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)  \fI\-requires_preauth\fP clears this flag.
+.TP
+.B {\-|+}requires_hwauth
+.
+\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to \fIkinit\fP.
+(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
+\fI\-requires_hwauth\fP clears this flag.
+.TP
+.B {\-|+}allow_svr
+.
+\fI\-allow_svr\fP prohibits the issuance of service tickets for principals.
+(Sets the KRB5_KDB_DISALLOW_SVR flag.)  \fI+allow_svr\fP clears this flag.
+.TP
+.B {\-|+}allow_tgs_req
+.
+\fI\-allow_tgs_req\fP  specifies  that  a Ticket\-Granting Service (TGS) request
+for a service ticket for principals is not permitted.
+This option is useless for most things.
+\fI+allow_tgs_req\fP clears this flag.  The default is \fI+allow_tgs_req\fP.
+In effect, \fI\-allow_tgs_req sets\fP  the  KRB5_KDB_DISALLOW_TGT_BASED  flag  on principals in the database.
+.TP
+.B {\-|+}allow_tix
+.
+\fI\-allow_tix\fP  forbids  the issuance of any tickets for principals.
+\fI+allow_tix\fP clears this flag.
+The default is \fI+allow_tix\fP.  In effect, \fI\-allow_tix sets\fP the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.
+.TP
+.B {\-|+}needchange
+.
+\fI+needchange\fP sets a flag in attributes field to force a password change;
+\fI\-needchange\fP clears it. The default is \fI\-needchange\fP.
+In  effect,  \fI+needchange\fP  sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
+.TP
+.B {\-|+}password_changing_service
+.
+\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal
+(useless for most things).
+\fI\-password_changing_service\fP clears the flag.
+This flag intentionally has a long name. The default is \-password_changing_service.
+In  effect,  \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
+.UNINDENT
+.TP
+.B \fIpolicy_name\fP
+.sp
+Specifies the name of the ticket policy.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util  \-D  cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy
+Password for "cn=admin,o=org":
+.ft P
+.fi
+.SS modify_policy
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBmodify_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+\fIpolicy_name\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Modifies the attributes of a ticket policy. Options are same as create_policy.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify_policy  \-r  ATHENA.MIT.EDU  \-maxtktlife  "60  minutes"  \-maxrenewlife  "10  hours" +allow_postdated \-requires_preauth tktpolicy
+Password for "cn=admin,o=org":
+.ft P
+.fi
+.SS view_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBview_policy\fP [\fB\-r\fP \fIrealm\fP] \fIpolicy_name\fP
+.sp
+Displays the attributes of a ticket policy. Options:
+.TP
+.B \fIpolicy_name\fP
+.sp
+Specifies the name of the ticket policy.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy
+Password for "cn=admin,o=org":
+Ticket policy: tktpolicy
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.ft P
+.fi
+.SS destroy_policy
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBdestroy_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-force\fP]
+\fIpolicy_name\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Destroys an existing ticket policy. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-force\fP
+.sp
+Forces  the  deletion  of the policy object. If not specified, will be prompted for confirmation while deleting the policy.
+Enter yes to confirm the deletion.
+.TP
+.B \fIpolicy_name\fP
+.sp
+Specifies the name of the ticket policy.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy
+Password for "cn=admin,o=org":
+This will delete the policy object \(aqtktpolicy\(aq, are you sure?
+(type \(aqyes\(aq to confirm)? yes
+** policy object \(aqtktpolicy\(aq deleted.
+.ft P
+.fi
+.SS list_policy
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist_policy\fP [\fB\-r\fP \fIrealm\fP]
+.sp
+Lists the ticket policies in realm if specified or in the default realm.  Options:
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list_policy \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+tktpolicy
+tmppolicy
+userpolicy
+.ft P
+.fi
+.SH COMMANDS SPECIFIC TO EDIRECTORY
+.SS setsrvpw
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBsetsrvpw\fP
+[\fB\-randpw|\-fileonly\fP]
+[\fB\-f\fP \fIfilename\fP]
+\fIservice_dn\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file.
+The  \fI\-fileonly\fP  option stores the password in a file and not in the eDirectory object. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-randpw\fP
+.sp
+Generates  and  sets a random password.
+This options can be specified to store the password both in eDirectory and a file.
+The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is already specified.
+.TP
+.B \fB\-fileonly\fP
+.sp
+Stores the password only in a file and not in eDirectory.
+The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP options is specified.
+.TP
+.B \fB\-f\fP \fIfilename\fP
+.sp
+Specifies complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used.
+.TP
+.B \fIservice_dn\fP
+.sp
+Specifies Distinguished Name (DN) of the service object whose password is to be set.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+kdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org
+Password for "cn=admin,o=org":
+Password for "cn=service\-kdc,o=org":
+Re\-enter password for "cn=service\-kdc,o=org":
+.ft P
+.fi
+.SS create_service
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBcreate_service\fP
+{\fB\-kdc|\-admin|\-pwd\fP}
+[\fB\-servicehost\fP \fIservice_host_list\fP]
+[\fB\-realm\fP \fIrealm_list\fP]
+[\fB\-randpw|\-fileonly\fP]
+[\fB\-f\fP \fIfilename\fP] \fIservice_dn\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Creates a service in directory and assigns appropriate rights. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-kdc\fP
+.sp
+Specifies the service is a KDC service
+.TP
+.B \fB\-admin\fP
+.sp
+Specifies the service is a Administration service
+.TP
+.B \fB\-pwd\fP
+.sp
+Specifies the Password service
+.TP
+.B \fB\-servicehost\fP \fIservice_host_list\fP
+.sp
+Specifies the list of entries separated by a colon (:).
+Each entry consists of the hostname or IP address of the server  hosting  the  service,
+transport protocol, and the port number of the service separated by a pound sign (#).
+For example, server1#tcp#88:server2#udp#89.
+.TP
+.B \fB\-realm\fP \fIrealm_list\fP
+.sp
+Specifies the list of realms that are to be associated with this service.
+The list contains the name of the realms separated by a colon (:).
+.TP
+.B \fB\-randpw\fP
+.sp
+Generates and sets a random password. This option is used to set the random password for
+the service object in directory and also to store it in the file.
+The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is specified.
+.TP
+.B \fB\-fileonly\fP
+.sp
+Stores the password only in a file and not in eDirectory.
+The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP option is specified.
+.TP
+.B \fB\-f\fP \fIfilename\fP
+.sp
+Specifies the complete path of the file where the service object password is stashed.
+.TP
+.B \fIservice_dn\fP
+.sp
+Specifies Distinguished Name (DN) of the Kerberos service to be created.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org
+Password for "cn=admin,o=org":
+File does not exist. Creating the file /home/andrew/conf_keyfile...
+shell%
+.ft P
+.fi
+.SS modify_service
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBmodify_service\fP
+[\fB\-servicehost\fP \fIservice_host_list\fP  |   [\fB\-clearservicehost\fP \fIservice_host_list\fP]   [\fB\-addservicehost\fP \fIservice_host_list\fP]]
+[\fB\-realm\fP \fIrealm_list\fP   |    [\fB\-clearrealm\fP \fIrealm_list\fP] [\fB\-addrealm\fP \fIrealm_list\fP]]
+\fIservice_dn\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Modifies the attributes of a service and assigns appropriate rights. Options:
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-servicehost\fP \fIservice_host_list\fP
+.sp
+Specifies the list of entries separated by a colon (:).
+Each entry consists of a host name or IP Address of the Server hosting the service, transport protocol,
+and port number of the service separated by a pound sign (#).  For example:
+.sp
+.nf
+.ft C
+server1#tcp#88:server2#udp#89
+.ft P
+.fi
+.TP
+.B \fB\-clearservicehost\fP \fIservice_host_list\fP
+.sp
+Specifies the list of servicehost entries to be removed from the existing list separated by colon (:).
+Each entry consists of a host name or IP Address of
+the server hosting the service, transport protocol, and port number of the service separated by a pound sign (#).
+.TP
+.B \fB\-addservicehost\fP \fIservice_host_list\fP
+.sp
+Specifies the list of servicehost entries to be added to the existing list separated by colon (:).
+Each entry consists of a host name or IP Address of the
+server hosting the service, transport protocol, and port number of the service separated by a pound sign (#).
+.TP
+.B \fB\-realm\fP \fIrealm_list\fP
+.sp
+Specifies the list of realms that are to be associated with this service.
+The list contains the name of the realms separated by a  colon  (:).
+This  list replaces the existing list.
+.TP
+.B \fB\-clearrealm\fP \fIrealm_list\fP
+.sp
+Specifies the list of realms to be removed from the existing list.
+The list contains the name of the realms separated by a colon (:).
+.TP
+.B \fB\-addrealm\fP \fIrealm_list\fP
+.sp
+Specifies the list of realms to be added to the existing list.
+The list contains the name of the realms separated by a colon (:).
+.TP
+.B \fIservice_dn\fP
+.sp
+Specifies Distinguished Name (DN) of the Kerberos service to be modified.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU cn=service\-kdc,o=org
+Password for "cn=admin,o=org":
+Changing rights for the service object. Please wait ... done
+shell%
+.ft P
+.fi
+.SS view_service
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBview_service\fP \fIservice_dn\fP
+.sp
+Displays the attributes of a service.  Options:
+.TP
+.B \fIservice_dn\fP
+.sp
+Specifies Distinguished Name (DN) of the Kerberos service to be viewed.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org view_service cn=service\-kdc,o=org
+Password for "cn=admin,o=org":
+Service dn: cn=service\-kdc,o=org
+Service type: kdc
+Service host list:
+Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
+shell%
+.ft P
+.fi
+.SS destroy_service
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdestroy_service\fP [\fB\-force\fP] [\fB\-f\fP \fIstashfilename\fP] \fIservice_dn\fP
+.sp
+Destroys an existing service. Options:
+.TP
+.B \fB\-force\fP
+.sp
+If specified, will not prompt for user\(aqs confirmation, instead will force destruction of the service.
+.TP
+.B \fB\-f\fP \fIstashfilename\fP
+.sp
+Specifies the complete path of the service password file from where the entry corresponding
+to the service_dn needs to be removed.
+.TP
+.B \fIservice_dn\fP
+.sp
+Specifies Distinguished Name (DN) of the Kerberos service to be destroyed.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service\-kdc,o=org
+Password for "cn=admin,o=org":
+This will delete the service object \(aqcn=service\-kdc,o=org\(aq, are you sure?
+(type \(aqyes\(aq to confirm)? yes
+** service object \(aqcn=service\-kdc,o=org\(aq deleted.
+shell%
+.ft P
+.fi
+.SS list_service
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist_service\fP [\fB\-basedn\fP \fIbase_dn\fP]
+.sp
+Lists the name of services under a given base in directory. Options:
+.TP
+.B \fB\-basedn\fP \fIbase_dn\fP
+.sp
+Specifies the base DN for searching the service objects, limiting the search to a particular subtree.
+If this option is not provided, LDAP Server specific search base will be used.
+For eg, in the case of OpenLDAP, value of defaultsearchbase from \fIslapd.conf\fP file will be used,
+where as in the case of  eDirectory, the default value for the base DN is Root.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org list_service
+Password for "cn=admin,o=org":
+cn=service\-kdc,o=org
+cn=service\-adm,o=org
+cn=service\-pwd,o=org
+shell%
+.ft P
+.fi
+.SH SEE ALSO
+.sp
+kadmin(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kdb5_util.8 b/src/man/kdb5_util.8
new file mode 100644
index 0000000000..ca0310f360
--- /dev/null
+++ b/src/man/kdb5_util.8
@@ -0,0 +1,308 @@
+.TH "KDB5_UTIL" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kdb5_util \- Kerberos database maintenance utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkdb5_util\fP
+.sp
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-d\fP \fIdbname\fP]
+[\fB\-k\fP \fImkeytype\fP]
+[\fB\-M\fP \fImkeyname\fP]
+[\fB\-kv\fP \fImkeyVNO\fP]
+[\fB\-sf\fP \fIstashfilename\fP]
+[\fB\-m\fP]
+\fIcommand\fP [\fIcommand_options\fP]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkdb5_util\fP  allows an administrator to perform low\-level maintenance procedures on the Kerberos and KADM5 database.
+Databases can be created, destroyed, and dumped to and loaded from ASCII files.
+Additionally, \fIkdb5_util\fP can create a Kerberos master key stash file.
+\fIkdb5_util\fP subsumes the functionality of and makes obsolete the previous database maintenance programs kdb5_create, kdb5_edit, kdb5_destroy, and kdb5_stash.
+.sp
+When \fIkdb5_util\fP is run, it attempts to acquire the master key and open the database.  However, execution continues regardless of whether or not
+\fIkdb5_util\fP successfully opens the database, because the database may not exist yet or the stash file may be corrupt.
+.sp
+Note that some KDB plugins may not support all \fIkdb5_util\fP commands.
+.SH COMMAND-LINE OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+specifies the Kerberos realm of the database.
+.TP
+.B \fB\-d\fP \fIdbname\fP
+.sp
+specifies the name under which the principal database is stored; by default the database is that listed in \fIkdc.conf\fP.
+The  KADM5  policy database and lock file are also derived from this value.
+.TP
+.B \fB\-k\fP \fImkeytype\fP
+.sp
+specifies the key type of the master key in the database; the default is that given in \fIkdc.conf\fP.
+.TP
+.B \fB\-kv\fP \fImkeyVNO\fP
+.sp
+Specifies the version number of the master key in the database; the default is 1.  Note that 0 is not allowed.
+.TP
+.B \fB\-M\fP \fImkeyname\fP
+.sp
+principal name for the master key in the database; the default is that given in \fIkdc.conf\fP.
+.TP
+.B \fB\-m\fP
+.sp
+specifies that the master database password should be read from the TTY rather than fetched from a file on disk.
+.TP
+.B \fB\-sf\fP \fIstash_file\fP
+.sp
+specifies the stash file of the master database password.
+.TP
+.B \fB\-P\fP \fIpassword\fP
+.sp
+specifies the master database password.  This option is not recommended.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH COMMANDS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBcreate\fP [\fB\-s\fP]
+.sp
+Creates a new database.  If the \fI\-s\fP option is specified, the stash file is also created.  This command fails if the database already exists.
+If the command is successful, the database is opened just as if it had already existed when the program was first run.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdestroy\fP [\fB\-f\fP]
+.sp
+Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation.
+With the \fI\-f\fP argument, does not prompt the user.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
+.sp
+Stores the master principal\(aqs keys in a stash file.  The \fI\-f\fP argument can be used to override the \fIkeyfile\fP specified at startup.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBdump\fP [\fB\-old|\-b6|\-b7|\-ov|\-r13\fP] [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
+.sp
+Dumps the current Kerberos and KADM5 database into an ASCII file.  By default, the database is dumped in current format, "\fIkdb5_util\fP
+load_dump version 6".  If filename is not specified, or is the string "\-", the dump is sent to standard output.  Options:
+.INDENT 7.0
+.TP
+.B \fB\-old\fP
+.sp
+causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format ("kdb5_edit load_dump version 2.0").
+.TP
+.B \fB\-b6\fP
+.sp
+causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0").
+.TP
+.B \fB\-b7\fP
+.sp
+causes the dump to be in the Kerberos 5 Beta 7 format ("\fIkdb5_util\fP load_dump version 4").
+This  was  the  dump  format  produced  on releases prior to 1.2.2.
+.TP
+.B \fB\-ov\fP
+.sp
+causes the dump to be in \fIovsec_adm_export\fP format.
+.TP
+.B \fB\-r13\fP
+.sp
+causes the dump to be in the Kerberos 5 1.3 format ("\fIkdb5_util\fP load_dump version 5").
+This was the dump format produced on releases prior to 1.8.
+.TP
+.B \fB\-verbose\fP
+.sp
+causes the name of each principal and policy to be printed as it is dumped.
+.TP
+.B \fB\-mkey_convert\fP
+.sp
+prompts for a new master key.  This new master key will be used to re\-encrypt the key data in the dumpfile.
+The key data in the database will not be changed.
+.TP
+.B \fB\-new_mkey_file\fP \fImkey_file\fP
+.sp
+the filename of a stash file.  The master key in this stash file will be used to re\-encrypt the key data in the dumpfile.
+The key data in the database will not be changed.
+.TP
+.B \fB\-rev\fP
+.sp
+dumps in reverse order.  This may recover principals that do not dump normally, in cases where database corruption has occurred.
+.TP
+.B \fB\-recurse\fP
+.sp
+causes the dump to walk the database recursively (btree only).  This may recover principals that do not dump normally,
+in cases where database corruption has occurred.
+In  cases  of such corruption, this option will probably retrieve more principals than the \fI\-rev\fP option will.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBload\fP [\fB\-old|\-b6|\-b7|\-ov|\-r13\fP] [\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename dbname\fP
+.sp
+Loads a database dump from the named file into the named database.
+Unless the \fI\-old\fP or \fI\-b6\fP option is given, the format of the dump file is detected automatically and handled as appropriate.
+Unless the \fI\-update\fP option is given, load creates a new database containing only the principals in the dump file,
+overwriting the contents of any previously existing database.
+Note that when using the LDAP KDB plugin the \fI\-update\fP must be given.  Options:
+.INDENT 7.0
+.TP
+.B \fB\-old\fP
+.sp
+requires the database to be in the Kerberos 5 Beta 5 and earlier format ("kdb5_edit load_dump version 2.0").
+.TP
+.B \fB\-b6\fP
+.sp
+requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0").
+.TP
+.B \fB\-b7\fP
+.sp
+requires the database to be in the Kerberos 5 Beta 7 format ("\fIkdb5_util\fP load_dump version 4").
+.TP
+.B \fB\-ov\fP
+.sp
+requires the database to be in ovsec_adm_import format.  Must be used with the \fI\-update\fP option.
+.TP
+.B \fB\-hash\fP
+.sp
+requires the database to be stored as a hash.  If this option is not specified, the database will be stored as a btree.
+This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals.
+.TP
+.B \fB\-verbose\fP
+.sp
+causes the name of each principal and policy to be printed as it is dumped.
+.TP
+.B \fB\-update\fP
+.sp
+records from the dump file are added to or updated in the existing database.
+(This is useful in conjunction with an \fIovsec_adm_export\fP format dump if you want to preserve per\-principal policy information,
+since the current default format does not contain this data.)
+Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion.
+.UNINDENT
+.sp
+\fIdbname\fP is required and overrides the value specified on the command line or the default.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBark\fP
+.sp
+Adds a random key.
+.TP
+.B \fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP]
+.sp
+Adds a new master key to the \fIK/M\fP (master key) principal.  Existing master keys will remain.
+The \fI\-e etype\fP option allows specification of the enctype of the new master key.
+The \fI\-s\fP option stashes the new master key in a local stash file which will be created if it doesn\(aqt already exist.
+.TP
+.B \fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP]
+.sp
+Sets the activation time of the master key specified by \fImkeyVNO\fP.
+Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when
+the principal keys change, are newly created or when the \fIupdate_princ_encryption\fP command is run.
+If the time argument is provided then that will be the activation time otherwise the current time is used by default.
+The format of the optional time argument is that specified in the \fITime Formats\fP section of the kadmin man page.
+.TP
+.B \fBlist_mkeys\fP
+.sp
+List all master keys from most recent to earliest in \fIK/M\fP principal.
+The output will show the kvno, enctype and salt for each mkey similar to kadmin getprinc output.
+A * following an mkey denotes the currently active master key.
+.TP
+.B \fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
+.sp
+Delete master keys from the \fIK/M\fP principal that are not used to protect any principals.
+This command can be used to remove old master keys from a \fIK/M\fP principal once all principal keys are protected by a newer master key.
+.INDENT 7.0
+.TP
+.B \fB\-f\fP
+.sp
+does not prompt user.
+.TP
+.B \fB\-n\fP
+.sp
+do a dry run, shows master keys that would be purged, does not actually purge any keys.
+.TP
+.B \fB\-v\fP
+.sp
+verbose output.
+.UNINDENT
+.TP
+.B \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fIprinc\-pattern\fP]
+.sp
+Update all principal records (or only those matching the princ\-pattern glob pattern)
+to re\-encrypt the key data using the active database master key, if they are encrypted using older versions,
+and give a count at the end of the number of principals updated.
+If the \fI\-f\fP option is not given, ask for confirmation before starting to make changes.
+The \fI\-v\fP option causes each principal processed (each one matching the pattern) to be listed,
+and an indication given as to whether it needed updating or not.
+The \fI\-n\fP option causes the actions not to be taken, only the normal or verbose status messages displayed;
+this implies \fI\-f\fP since no database changes will be performed and thus there\(aqs little reason to seek confirmation.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+kadmin(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kdc.conf.5 b/src/man/kdc.conf.5
new file mode 100644
index 0000000000..7f7668431f
--- /dev/null
+++ b/src/man/kdc.conf.5
@@ -0,0 +1,412 @@
+.TH "KDC.CONF" "5" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kdc.conf \- Kerberos V5 KDC configuration file
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.sp
+The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your kdc.conf file in the directory \fI/usr/local/var/krb5kdc\fP. You can override the default location by setting the environment variable \fIKRB5_KDC_PROFILE\fP.
+.SH STRUCTURE
+.sp
+The kdc.conf file is set up in the same format as the \fIkrb5.conf\fP file. The kdc.conf file may contain any or all of the following three sections:
+.TS
+center;
+|l|l|.
+_
+T{
+\fI\%[kdcdefaults]\fP
+T}	T{
+Contains default values for overall behavior of the KDC.
+T}
+_
+T{
+\fI\%[realms]\fP
+T}	T{
+Contains subsections keyed by Kerberos realm names. Each subsection describes realm\-specific information, including where to find the Kerberos servers for that realm.
+T}
+_
+T{
+\fI\%[logging]\fP
+T}	T{
+Contains relations which determine how Kerberos programs are to perform logging.
+T}
+_
+.TE
+.SH SECTIONS
+.SS \fB[kdcdefaults]\fP
+.sp
+The following relation is defined in the [kdcdefaults] section:
+.INDENT 0.0
+.TP
+.B \fBhost_based_services\fP
+.sp
+This relation lists the services that will get host\-based referral processing even if the server principal is not marked as host\-based by the client.
+.TP
+.B \fBkdc_max_dgram_reply_size\fP
+.sp
+Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes.
+.TP
+.B \fBkdc_ports\fP
+.sp
+This relation lists the ports on which the Kerberos server should listen for UDP requests by default. This list is a comma separated list of integers. If this relation is not specified, the compiled\-in default is 88,750, the first being the assigned Kerberos port and the second which was used by Kerberos V4.
+.TP
+.B \fBkdc_tcp_ports\fP
+.sp
+This relation lists the ports on which the Kerberos server should listen for TCP connections by default. This list is a comma separated list of integers. If this relation is not specified, the compiled\-in default is not to listen for TCP connections at all.
+.sp
+If you wish to change this (which we do not recommend, because the current implementation has little protection against denial\-of\-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88.
+.TP
+.B \fBno_host_referral\fP
+.sp
+This relation blocks the specified services from host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fIhost_based_services\fP. \fIno_host_referral\fP = *  will disable referral processing altogether.
+.TP
+.B \fBrestrict_anonymous_to_tgt\fP
+.sp
+This flag determines the default value of restrict_anonymous_to_tgt for realms. The default value is false.
+.UNINDENT
+.SS \fB[realms]\fP
+.sp
+Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.
+.sp
+For each realm, the following tags may be specified in the [realms] subsection:
+.INDENT 0.0
+.TP
+.B \fBacl_file\fP
+.sp
+(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP.
+.TP
+.B \fBadmin_keytab\fP
+.sp
+(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is \fI/usr/local/var/krb5kdc/kadm5.keytab\fP.
+.TP
+.B \fBdatabase_name\fP
+.sp
+This string specifies the location of the Kerberos database for this realm.
+.TP
+.B \fBdefault_principal_expiration\fP
+.sp
+(Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is 0.
+.TP
+.B \fBdefault_principal_flags\fP
+.sp
+(Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma\-separated list of flags, with \(aq+\(aq before each flag that should be enabled and \(aq\-\(aq before each flag that should be disabled. The default is \fIpostdateable, forwardable, tgt\-based, renewable, proxiable, dup\-skey, allow\-tickets\fP, and \fIservice enabled\fP.
+.sp
+There are a number of possible flags:
+.INDENT 7.0
+.TP
+.B \fIallow\-tickets\fP
+.sp
+Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm.
+.TP
+.B \fIdup\-skey\fP
+.sp
+Enabling this flag allows the principal to obtain a session key for another user, permitting user\-to\-user authentication for this principal.
+.TP
+.B \fIforwardable\fP
+.sp
+Enabling this flag allows the principal to obtain forwardable tickets.
+.TP
+.B \fIhwauth\fP
+.sp
+If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets.
+.TP
+.B \fIno\-auth\-data\-required\fP
+.sp
+Enabling this flag prvents PAC data from being added to the service tickets.
+.TP
+.B \fIok\-as\-delegate\fP
+.sp
+If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service.
+.TP
+.B \fIok\-to\-auth\-as\-delegate\fP
+.sp
+Enabling this flag allows the principal to use S4USelf ticket.
+.TP
+.B \fIpostdateable\fP
+.sp
+Enabling this flag allows the principal to obtain postdateable tickets.
+.TP
+.B \fIpreauth\fP
+.sp
+If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set.
+.TP
+.B \fIproxiable\fP
+.sp
+Enabling this flag allows the principal to obtain proxy tickets.
+.TP
+.B \fIpwchange\fP
+.sp
+Enabling this flag forces a password change for this principal.
+.TP
+.B \fIpwservice\fP
+.sp
+If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user\(aqs password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password.
+.TP
+.B \fIrenewable\fP
+.sp
+Enabling this flag allows the principal to obtain renewable tickets.
+.TP
+.B \fIservice\fP
+.sp
+Enabling this flag allows the the KDC to issue service tickets for this principal.
+.TP
+.B \fItgt\-based\fP
+.sp
+Enabling this flag allows a principal to obtain tickets based on a ticket\-granting\-ticket, rather than repeating the authentication process that was used to obtain the TGT.
+.UNINDENT
+.TP
+.B \fBdict_file\fP
+.sp
+(String.) Location of the dictionary file containing strings that are not allowed as passwords. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.
+.TP
+.B \fBhost_based_services\fP
+.sp
+(Whitespace\- or comma\-separated list) This relation lists the services that will get host\-based referral processing even if the server principal is not marked as host\-based by the client.
+.TP
+.B \fBiprop_enable\fP
+.sp
+This boolean ("true" or "false") specifies whether incremental database propagation is enabled.  The default is "false".
+.TP
+.B \fBiprop_master_ulogsize\fP
+.sp
+This numeric value specifies the maximum number of log entries to be retained for incremental propagation.  The maximum value is 2500; default is 1000.
+.TP
+.B \fBiprop_slave_poll\fP
+.sp
+This delta time string specfies how often the slave KDC polls for new updates from the master.  Default is "2m" (that is, two minutes).
+.TP
+.B \fBiprop_port\fP
+.sp
+(Port number.) This specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.
+.TP
+.B \fBiprop_logfile\fP
+.sp
+(File name) This specifies where the update log file for the realm database is to be stored. The default is to use the \fIdatabase_name\fP entry from the realms section of the krb5 config file, with \fI.ulog\fP appended. (NOTE: If \fIdatabase_name\fP isn\(aqt specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \fIdbmodules\fP section, then the hard\-coded default for \fIdatabase_name\fP is used. Determination of the \fIiprop_logfile\fP default value will not use values from the \fIdbmodules\fP section.)
+.TP
+.B \fBkadmind_port\fP
+.sp
+(Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. The assigned port for kadmind is 749.
+.TP
+.B \fBkey_stash_file\fP
+.sp
+(String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
+.TP
+.B \fBkdc_ports\fP
+.sp
+(String.) Specifies the list of ports that the KDC is to listen to for UDP requests for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used.
+.TP
+.B \fBkdc_tcp_ports\fP
+.sp
+(String.) Specifies the list of ports that the KDC is to listen to for TCP requests for this realm. By default, the value of kdc_tcp_ports as specified in the [kdcdefaults] section is used.
+.TP
+.B \fBmaster_key_name\fP
+.sp
+(String.) Specifies the name of the principal associated with the master key. The default is K/M.
+.TP
+.B \fBmaster_key_type\fP
+.sp
+(Key type string.) Specifies the master key\(aqs key type. The default value for this is des3\-cbc\-sha1. For a list of all possible values, see \fISupported_Encryption_Types_and_Salts\fP.
+.TP
+.B \fBmax_life\fP
+.sp
+(Delta time string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.
+.TP
+.B \fBmax_renewable_life\fP
+.sp
+(Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.
+.TP
+.B \fBno_host_referral\fP
+.sp
+(Whitespace\- or comma\-separated list) This relation blocks the specified services from host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fIhost_based_services\fP. \fIno_host_referral\fP = *  will disable referral processing altogether.
+.TP
+.B \fBreject_bad_transit\fP
+.sp
+A boolean value (true, false). If set to true, the KDC will check the list of transited realms for cross\-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path.
+.sp
+If the disable\-transited\-check flag is set in the incoming request, this check is not performed at all. Having the reject_bad_transit option will cause such ticket requests to be rejected always.
+.sp
+This transit path checking and config file option currently apply only to TGS requests.
+.sp
+Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server\-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don\(aqt want the KDC to do the validation.
+.sp
+This is a per\-realm option so that multiple\-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not.
+.sp
+This option defaults to true.
+.TP
+.B \fBrestrict_anonymous_to_tgt\fP
+.sp
+A boolean value (true, false). If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm\(aqs ticket\-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. By default, the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used.
+.TP
+.B \fBsupported_enctypes\fP
+.sp
+List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal. For lists of possible values, see \fISupported_Encryption_Types_and_Salts\fP
+.UNINDENT
+.SS \fB[logging]\fP
+.sp
+See \fIlogging\fP section in \fIkrb5.conf\fP
+.SH PKINIT OPTIONS
+.IP Note
+.
+The following are pkinit\-specific options. Note that these values may be specified in [kdcdefaults] as global defaults, or within a realm\-specific subsection of [realms]. Also note that a realm\-specific value over\-rides, does not add to, a generic [kdcdefaults] specification. The search order is:
+.INDENT 0.0
+.IP 1. 3
+.
+realm\-specific subsection of [realms]
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B [realms]
+.INDENT 7.0
+.TP
+.B EXAMPLE.COM = {
+.
+pkinit_anchors = FILE:/usr/local/example.com.crt
+.UNINDENT
+.sp
+}
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+.
+generic value in the [kdcdefaults] section.
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B [kdcdefaults]
+.
+pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.RE
+.sp
+For information about the syntax of some of these options, see See pkinit identity syntax.
+.INDENT 0.0
+.TP
+.B \fBpkinit_anchors\fP
+.sp
+Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times.
+.TP
+.B \fBpkinit_dh_min_bits\fP
+.sp
+Specifies the minimum number of bits the KDC is willing to accept for a client\(aqs Diffie\-Hellman key. The default is 2048.
+.TP
+.B \fBpkinit_allow_upn\fP
+.sp
+Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name.
+.sp
+The default is \fIfalse\fP.
+.sp
+Without this option, the KDC will only accept certificates with the \fIid\-pkinit\-san\fP as defined in \fI\%RFC 4556\fP. There is currently no option to disable SAN checking in the KDC.
+.TP
+.B \fBpkinit_eku_checking\fP
+.sp
+This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are:
+.INDENT 7.0
+.TP
+.B \fIkpClientAuth\fP
+.sp
+This is the default value and specifies that client certificates must have the id\-pkinit\-KPClientAuth EKU as defined in \fI\%RFC 4556\fP.
+.TP
+.B \fIscLogin\fP
+.sp
+If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be accepted.
+.TP
+.B \fInone\fP
+.sp
+If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended.
+.UNINDENT
+.TP
+.B \fBpkinit_identity\fP
+.sp
+Specifies the location of the KDC\(aqs X.509 identity information. This option is required if pkinit is to be supported by the KDC.
+.TP
+.B \fBpkinit_kdc_ocsp\fP
+.sp
+Specifies the location of the KDC\(aqs OCSP.
+.TP
+.B \fBpkinit_mapping_file\fP
+.sp
+Specifies the name of the ACL pkinit mapping file. This file maps principals to the certificates that they can use.
+.TP
+.B \fBpkinit_pool\fP
+.sp
+Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client\(aqs certificate and a trusted anchor. This option may be specified multiple times.
+.TP
+.B \fBpkinit_revoke\fP
+.sp
+Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times.
+.TP
+.B \fBpkinit_require_crl_checking\fP
+.sp
+The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification succeeds.
+.sp
+However, if pkinit_require_crl_checking is true and there is no CRL information available for the issuing CA, then verification fails.
+.sp
+\fIpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA.
+.UNINDENT
+.SH SAMPLE KDC.CONF FILE
+.sp
+Here\(aqs an example of a kdc.conf file:
+.sp
+.nf
+.ft C
+[kdcdefaults]
+    kdc_ports = 88
+
+[realms]
+    ATHENA.MIT.EDU = {
+        kadmind_port = 749
+        max_life = 12h 0m 0s
+        max_renewable_life = 7d 0h 0m 0s
+        master_key_type = des3\-hmac\-sha1
+        supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4
+    }
+
+[logging]
+    kdc = FILE:/usr/local/var/krb5kdc/kdc.log
+    admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+.ft P
+.fi
+.SH FILES
+.sp
+/usr/local/var/krb5kdc/kdc.conf
+.SH SEE ALSO
+.sp
+krb5.conf(5), krb5kdc(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kdestroy.1 b/src/man/kdestroy.1
new file mode 100644
index 0000000000..9ca6264825
--- /dev/null
+++ b/src/man/kdestroy.1
@@ -0,0 +1,113 @@
+.TH "KDESTROY" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kdestroy \- destroy Kerberos tickets
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fIkdestroy\fP
+.sp
+[\fB\-A\fP]
+[\fB\-q\fP]
+[\fB\-c\fP \fIcache_name\fP]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+The \fIkdestroy\fP utility destroys the user\(aqs active Kerberos
+authorization tickets by writing zeros to the specified
+credentials cache that contains them. If the credentials
+cache is not specified, the default credentials cache is destroyed.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-A\fP
+.sp
+Destroys all caches in the collection, if a cache collection is
+available.
+.TP
+.B \fB\-q\fP
+.sp
+Run quietly. Normally \fIkdestroy\fP beeps if it fails to destroy the user\(aqs tickets.
+The \fI\-q\fP flag suppresses this behavior.
+.TP
+.B \fB\-c\fP \fIcache_name\fP
+.sp
+Use \fIcache_name\fP as the credentials (ticket) cache name and location;
+if this option is not used, the default cache name and location are used.
+.sp
+The default credentials cache may vary between systems.
+If the \fBKRB5CCNAME\fP environment variable is set, its
+value is used to name the default ticket cache.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH NOTE
+.sp
+Most installations recommend that you place the \fIkdestroy\fP command in your \fI.logout\fP file,
+so that your tickets are destroyed automatically when you log out.
+.SH ENVIRONMENT
+.sp
+\fIkdestroy\fP uses the following environment variable:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBKRB5CCNAME\fP
+.sp
+Location of the default Kerberos 5 credentials (ticket)
+cache, in the form \fItype\fP:\fIresidual\fP.  If no type prefix is
+present, the \fBFILE\fP type is assumed.  The type of the
+default cache may determine the availability of a cache
+collection; for instance, a default cache of type \fBDIR\fP
+causes caches within the directory to be present in the
+collection.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+/tmp/krb5cc_[uid] \- Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the decimal UID of the user).
+.SH SEE ALSO
+.sp
+kinit(1), klist(1)
+.SH BUGS
+.sp
+Only the tickets in the specified credentials cache are destroyed.
+Separate ticket caches are used to hold root instance and password changing tickets.
+These should probably be destroyed too, or all of a user\(aqs tickets kept in a single credentials cache.
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kinit.1 b/src/man/kinit.1
new file mode 100644
index 0000000000..3560bcb504
--- /dev/null
+++ b/src/man/kinit.1
@@ -0,0 +1,258 @@
+.TH "KINIT" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kinit \- obtain and cache Kerberos ticket-granting ticket
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkinit\fP
+.sp
+[\fB\-V\fP]
+[\fB\-l\fP \fIlifetime\fP]
+[\fB\-s\fP \fIstart_time\fP]
+[\fB\-r\fP \fIrenewable_life\fP]
+[\fB\-p\fP | \-\fBP\fP]
+[\fB\-f\fP | \-\fBF\fP]
+[\fB\-a\fP]
+[\fB\-A\fP]
+[\fB\-C\fP]
+[\fB\-E\fP]
+[\fB\-v\fP]
+[\fB\-R\fP]
+[\fB\-k\fP [\-\fBt\fP \fIkeytab_file\fP]]
+[\fB\-c\fP \fIcache_name\fP]
+[\fB\-n\fP]
+[\fB\-S\fP \fIservice_name\fP]
+[\fB\-T\fP \fIarmor_ccache\fP]
+[\fB\-X\fP \fIattribute[=value]\fP]
+[\fIprincipal\fP]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkinit\fP obtains and caches an initial  ticket\-granting  ticket for principal.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fB\-V\fP   display verbose output.
+.INDENT 0.0
+.TP
+.B \fB\-l\fP \fIlifetime\fP
+.sp
+requests a ticket  with  the  lifetime  lifetime.   The
+value  for lifetime must be followed immediately by one
+of the following delimiters:
+.sp
+.nf
+.ft C
+s  seconds
+m  minutes
+h  hours
+d  days
+.ft P
+.fi
+.sp
+as in "kinit \-l 90m".  You cannot mix units; a value of "3h30m" will result in an error.
+.sp
+If the \fB\-l\fP option is not specified, the  default  ticket lifetime
+(configured by each site) is used.  Specifying a ticket lifetime longer than the maximum
+ticket  lifetime (configured by each site) results in a ticket with the maximum lifetime.
+.TP
+.B \fB\-s\fP \fIstart_time\fP
+.sp
+requests  a  postdated  ticket,   valid   starting   at
+\fIstart_time\fP.   Postdated  tickets  are  issued  with the
+\fIinvalid\fP flag set, and need to be fed back  to  the  kdc
+before use.
+.TP
+.B \fB\-r\fP \fIrenewable_life\fP
+.sp
+requests renewable tickets, with a  total  lifetime  of
+\fIrenewable_life\fP.   The duration is in the same format as
+the \fB\-l\fP option, with the same delimiters.
+.UNINDENT
+.sp
+\fB\-f\fP   request forwardable tickets.
+.sp
+\fB\-F\fP   do not request forwardable tickets.
+.sp
+\fB\-p\fP   request proxiable tickets.
+.sp
+\fB\-P\fP   do not request proxiable tickets.
+.sp
+\fB\-a\fP   request tickets with the local address[es].
+.sp
+\fB\-A\fP   request address\-less tickets.
+.sp
+\fB\-C\fP   requests canonicalization of the principal name.
+.sp
+\fB\-E\fP   treats the principal name as an enterprise name.
+.INDENT 0.0
+.TP
+.B \fB\-v\fP
+.sp
+requests that the ticket granting ticket in  the  cache
+(with  the  \fIinvalid\fP  flag set) be passed to the KDC for validation.
+If the ticket is within its requested time range,
+the cache is replaced with the validated ticket.
+.TP
+.B \fB\-R\fP
+.sp
+requests renewal of the ticket\-granting  ticket.
+Note that  an  expired ticket cannot be renewed, even if the ticket
+is still within its renewable life.
+.TP
+.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
+.sp
+requests a ticket, obtained from a  key  in  the  local host\(aqs  \fIkeytab\fP file.
+The name and location of the key tab file may be specified with the
+\fB\-t\fP \fIkeytab_file\fP option; otherwise the default name and location will be used.
+By default a host ticket is  requested  but any principal may be specified.
+On a KDC, the special keytab location \fBKDB:\fP can be used to  indicate that kinit
+should  open the KDC database and look  up the key directly.
+This permits  an  administrator  to  obtain tickets  as  any principal that
+supports password\-based authentication.
+.TP
+.B \fB\-n\fP
+.sp
+Requests anonymous processing.
+Two types of  anonymous principals  are  supported.
+.sp
+For  fully anonymous Kerberos,  configure  pkinit  on  the  KDC  and  configure
+\fIpkinit_anchors\fP in the client\(aqs krb5.conf.  Then use the \fB\-n\fP option with
+a principal of the form \fI@REALM\fP (an empty principal  name  followed  by  the
+at\-sign and a realm name).  If permitted by the KDC,  an  anonymous  ticket will  be  returned.
+.sp
+A second form of anonymous tickets is supported;  these  realm\-exposed  tickets
+hide the identity of the client but not the client\(aqs realm.
+For this mode, use \fBkinit \-n\fP with a normal  principal  name.
+If  supported by the KDC, the principal (but not realm) will be replaced by the  anonymous  principal.
+.sp
+As  of release  1.8,  the MIT Kerberos KDC only supports fully anonymous operation.
+.TP
+.B \fB\-T\fP \fIarmor_ccache\fP
+.sp
+Specifies the name of a credential cache  that  already contains  a  ticket.   If  supported  by  the KDC, This
+ccache will be used to armor the  request  so  that  an attacker  would  have to know both the key of the armor
+ticket and the key of the principal used for  authentication  in  order  to attack the request. Armoring also
+makes sure that the response from the KDC is not  modified in transit.
+.TP
+.B \fB\-c\fP \fIcache_name\fP
+.sp
+use \fIcache_name\fP as the Kerberos 5  credentials  (ticket) cache  name  and  location;
+if this option is not used, the default cache name and location are used.
+.sp
+The default credentials cache may vary between systems.  If
+the \fBKRB5CCNAME\fP environment variable is set, its value is
+used to name the default ticket cache.  If a principal name
+is specified and the type of the default credentials cache
+supports a collection (such as the DIR type), an existing
+cache containing credentials for the principal is selected
+or a new one is created and becomes the new primary cache.
+Otherwise, any existing contents of the default cache are
+destroyed by kinit.
+.TP
+.B \fB\-S\fP \fIservice_name\fP
+.sp
+specify an alternate service name to use  when  getting initial tickets.
+.TP
+.B \fB\-X\fP \fIattribute\fP [= \fIvalue\fP ]
+.sp
+specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to  be passed  to  pre\-authentication plugins.
+The acceptable attribute and value values vary from pre\-authentication plugin  to plugin.
+This option may be specified multiple times to specify multiple attributes.
+If no  value is specified, it is assumed to be "yes".
+.sp
+The following attributes are recognized by the OpenSSL pkinit pre\-authentication mechanism:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+\fBX509_user_identity\fP = \fIvalue\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+specify where to find user\(aqs X509 identity information
+.UNINDENT
+.UNINDENT
+.sp
+\fBX509_anchors\fP = \fIvalue\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+specify where to find trusted X509 anchor information
+.UNINDENT
+.UNINDENT
+.sp
+\fBflag_RSA_PROTOCOL\fP [ = \fIyes\fP ]
+.INDENT 0.0
+.INDENT 3.5
+.sp
+specify use of RSA, rather than the default Diffie\-Hellman protocol
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkinit\fP uses the following environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBKRB5CCNAME\fP
+.sp
+Location of the default Kerberos 5 credentials (ticket)
+cache, in the form \fItype\fP:\fIresidual\fP.  If no type prefix is
+present, the \fBFILE\fP type is assumed.  The type of the
+default cache may determine the availability of a cache
+collection; for instance, a default cache of type \fBDIR\fP
+causes caches within the directory to be present in the
+collection.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+/tmp/krb5cc_[uid]  default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user).
+.sp
+/etc/krb5.keytab   default location for the local host\(aqs keytab file.
+.SH SEE ALSO
+.sp
+klist(1), kdestroy(1), kerberos(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/klist.1 b/src/man/klist.1
new file mode 100644
index 0000000000..b56aa5034a
--- /dev/null
+++ b/src/man/klist.1
@@ -0,0 +1,161 @@
+.TH "KLIST" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+klist \- list cached Kerberos tickets
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBklist\fP
+.sp
+[\fB\-e\fP]
+[[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
+[\fB\-k\fP  [\fB\-t\fP]  [\fB\-K\fP]]
+[\fB\-V\fP]
+[\fIcache_name\fP | \fIkeytab_name\fP]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIklist\fP lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a \fIkeytab\fP file.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-e\fP
+.sp
+Displays the encryption types of the session key and the ticket for each credential in the credential cache,
+or each key in the keytab file.
+.TP
+.B \fB\-l\fP
+.sp
+If a cache collection is available, displays a table
+summarizing the caches present in the collection.
+.TP
+.B \fB\-A\fP
+.sp
+If a cache collection is available, displays the contents of
+all of the caches in the collection.
+.TP
+.B \fB\-c\fP
+.sp
+List tickets held in a credentials cache. This is the default if neither \fI\-c\fP nor \fI\-k\fP is specified.
+.TP
+.B \fB\-f\fP
+.sp
+Shows the flags present in the credentials, using the following abbreviations:
+.sp
+.nf
+.ft C
+F    Forwardable
+f    forwarded
+P    Proxiable
+p    proxy
+D    postDateable
+d    postdated
+R    Renewable
+I    Initial
+i    invalid
+H    Hardware authenticated
+A    preAuthenticated
+T    Transit policy checked
+O    Okay as delegate
+a    anonymous
+.ft P
+.fi
+.TP
+.B \fB\-s\fP
+.sp
+Causes \fIklist\fP to run silently (produce no output), but to still set the exit status according to whether it
+finds the credentials cache. The exit status is \(aq0\(aq if \fIklist\fP finds a credentials cache, and \(aq1\(aq if it does not
+or if the tickets are expired.
+.TP
+.B \fB\-a\fP
+.sp
+Display list of addresses in credentials.
+.TP
+.B \fB\-n\fP
+.sp
+Show numeric addresses instead of reverse\-resolving addresses.
+.TP
+.B \fB\-k\fP
+.sp
+List keys held in a keytab file.
+.TP
+.B \fB\-t\fP
+.sp
+Display the time entry timestamps for each keytab entry in the keytab file.
+.TP
+.B \fB\-K\fP
+.sp
+Display the value of the encryption key in each \fIkeytab\fP entry in the \fIkeytab\fP file.
+.TP
+.B \fB\-V\fP
+.sp
+Display the Kerberos version number and exit.
+.UNINDENT
+.sp
+If \fBcache_name\fP or \fBkeytab_name\fP is not specified, \fIklist\fP will display the credentials in the default credentials cache or
+\fIkeytab\fP file as appropriate. If the \fIKRB5CCNAME\fP environment variable is set, its value is used to name the default ticket cache.
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIklist\fP uses the following environment variable:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBKRB5CCNAME\fP
+.sp
+Location of the default Kerberos 5 credentials (ticket)
+cache, in the form \fItype\fP:\fIresidual\fP.  If no type prefix is
+present, the \fBFILE\fP type is assumed.  The type of the
+default cache may determine the availability of a cache
+collection; for instance, a default cache of type \fBDIR\fP
+causes caches within the directory to be present in the
+collection.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+/tmp/krb5cc_[uid] \- Default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user).
+.sp
+/etc/krb5.keytab \- Default location for the local host\(aqs keytab file.
+.SH SEE ALSO
+.sp
+kinit(1), kdestroy(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kpasswd.1 b/src/man/kpasswd.1
new file mode 100644
index 0000000000..ec1c252d5e
--- /dev/null
+++ b/src/man/kpasswd.1
@@ -0,0 +1,79 @@
+.TH "KPASSWD" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kpasswd \- change a user's Kerberos password
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fIkpasswd\fP [ \fIprincipal\fP ]
+.SH DESCRIPTION
+.sp
+The \fIkpasswd\fP command is used to change a Kerberos principal\(aqs password.
+\fIkpasswd\fP prompts for the current Kerberos password, which is used to obtain a
+\fIchangepw\fP ticket from the KDC for the user\(aqs Kerberos realm.
+If \fIkpasswd\fP successfully obtains the \fIchangepw\fP ticket, the user is prompted twice for
+the new password, and the password is changed.
+.sp
+If the principal is governed by a policy that specifies the length and/or number of
+character classes required in the new password, the new password must conform to the policy.
+(The five character classes are lower case, upper case, numbers, punctuation, and all other characters.)
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fIprincipal\fP
+.sp
+Change the password for the Kerberos principal principal.
+Otherwise, \fIkpasswd\fP uses the principal name from an existing ccache if there is one;
+if not, the principal is derived from the identity of the user invoking the \fIkpasswd\fP command.
+.UNINDENT
+.SH PORTS
+.sp
+\fIkpasswd\fP looks first for:
+.sp
+.nf
+.ft C
+kpasswd_server = host:port
+.ft P
+.fi
+.sp
+in the [\fIrealms\fP] section of the \fIkrb5.conf\fP file under the current realm.
+If that is missing, \fIkpasswd\fP looks for the \fIadmin_server\fP entry, but substitutes 464 for the port.
+.SH SEE ALSO
+.sp
+kadmin(8), kadmind(8)
+.SH BUGS
+.sp
+\fIkpasswd\fP may not work with multi\-homed hosts running on the Solaris platform.
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kprop.8 b/src/man/kprop.8
new file mode 100644
index 0000000000..999aa6c821
--- /dev/null
+++ b/src/man/kprop.8
@@ -0,0 +1,101 @@
+.TH "KPROP" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kprop \- propagate a Kerberos V5 principal database to a slave server
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkprop\fP
+.sp
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-f\fP \fIfile\fP]
+[\fB\-d\fP]
+[\fB\-P\fP \fIport\fP]
+[\fB\-s\fP \fIkeytab\fP]
+\fIslave_host\fP
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkprop\fP  is used to propagate a Kerberos V5 database dump file from the master
+Kerberos server to a slave Kerberos server, which is specified by \fIslave_host\fP.
+This is done by transmitting the dumped database file to the slave server over
+an encrypted, secure channel.
+The dump file must be created by \fIkdb5_util(8)\fP.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the realm of the master server.
+.TP
+.B \fB\-f\fP \fIfile\fP
+.sp
+Specifies the filename where the dumped principal database file is to be found;
+by default the dumped database file is normally
+\fI/usr/local/var/krb5kdc/slave_datatrans\fP.
+.TP
+.B \fB\-P\fP \fIport\fP
+.sp
+Specifies the port to use to contact the \fIkpropd(8)\fP server on the remote host.
+.TP
+.B \fB\-d\fP
+.sp
+Prints debugging information.
+.TP
+.B \fB\-s\fP \fIkeytab\fP
+.sp
+Specifies the location of the keytab file.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkprop\fP uses the following environment variable:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fBKRB5_CONFIG\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+kpropd(8), kdb5_util(8), krb5kdc(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kpropd.8 b/src/man/kpropd.8
new file mode 100644
index 0000000000..af7c0e2738
--- /dev/null
+++ b/src/man/kpropd.8
@@ -0,0 +1,161 @@
+.TH "KPROPD" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kpropd \- Kerberos V5 slave KDC update server
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkpropd\fP
+.sp
+[ \fB\-r\fP \fIrealm\fP ]
+[ \fB\-a\fP \fIacl_file\fP ]
+[ \fB\-f\fP \fIslave_dumpfile\fP ]
+[ \fB\-F\fP \fIprincipal_database\fP ]
+[ \fB\-p\fP \fIkdb5_util_prog\fP ]
+[ \fB\-P\fP \fIport\fP ]
+[ \fB\-d\fP ]
+[ \fB\-S\fP ]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+The \fIkpropd\fP command runs on the slave KDC server.
+It listens for update requests made by the \fIkprop(8)\fP program,
+and periodically requests incremental updates from the master KDC.
+.sp
+When the slave receives a \fIkprop\fP request from the master,
+\fIkpropd\fP accepts the dumped KDC database and places it in a file,
+and then runs \fIkdb5_util(8)\fP to load the dumped database into
+the active database which is used by \fIkrb5kdc(8)\fP.
+Thus, the master Kerberos server can use \fIkprop(8)\fP
+to propagate its database to the slave servers.
+Upon a successful download of the KDC database file,
+the slave Kerberos server will have an up\-to\-date KDC database.
+.sp
+Normally, \fIkpropd\fP is invoked out of inetd(8).
+This is done by adding a line to the \fIinetd.conf\fP file which looks like this:
+.sp
+.nf
+.ft C
+kprop     stream    tcp  nowait    root /usr/local/sbin/kpropd   kpropd
+.ft P
+.fi
+.sp
+However, \fIkpropd\fP can also run as a standalone daemon, if the \fI\-S\fP option is turned on.
+This is done for debugging purposes, or if for some reason the system administrator
+just doesn\(aqt want to run it out of inetd(8).
+.sp
+When the slave periodically requests incremental updates,
+\fIkpropd\fP updates its \fIprincipal.ulog\fP file with any updates from the master.
+\fIkproplog(8)\fP can be used to view a summary of the update entry log on the slave KDC.
+Incremental propagation is not enabled by default;
+it can be enabled using the \fIiprop_enable\fP and \fIiprop_slave_poll\fP settings in \fIkdc.conf\fP.
+The principal "kiprop/slavehostname@REALM"
+(where "slavehostname" is the name of the slave KDC host,
+and "REALM" is the name of the Kerberos realm)
+must be present in the slave\(aqs keytab file.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+.sp
+Specifies the realm of the master server.
+.TP
+.B \fB\-f\fP \fIfile\fP
+.sp
+Specifies the filename where the dumped principal database file is to be stored;
+by default the dumped database file \fI/usr/local/var/krb5kdc/from_master\fP.
+.TP
+.B \fB\-p\fP
+.sp
+Allows the user to specify the pathname to the \fIkdb5_util(8)\fP program;
+by default the pathname used is /usr/local/sbin/kdb5_util.
+.TP
+.B \fB\-S\fP
+.sp
+Turn on standalone mode.  Normally, \fIkpropd\fP is invoked out of inetd(8)
+so it expects a network connection to be passed to it from inetd(8).
+If the \fI\-S\fP option is specified, \fIkpropd\fP will put itself into the background,
+and wait for connections to the \fIkrb5_prop\fP port specified in  /etc/services.
+.TP
+.B \fB\-d\fP
+.sp
+Turn on debug mode.  In this mode, if the \fI\-S\fP option is selected,
+\fIkpropd\fP will not detach itself from the current job and run in the background.
+Instead, it will run in the foreground and print out debugging messages
+during the database propagation.
+.TP
+.B \fB\-P\fP
+.sp
+Allow for an alternate port number for \fIkpropd\fP to listen on.
+This is only useful if the program is run in standalone mode.
+.TP
+.B \fB\-a\fP  \fIacl_file\fP
+.sp
+Allows the user to specify the path to the \fIkpropd.acl\fP file;
+by default the path used is /usr/local/var/krb5kdc/kpropd.acl.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkpropd\fP uses the following environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fBKRB5_CONFIG\fP
+.IP \(bu 2
+.
+\fBKRB5_KDC_PROFILE\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.INDENT 0.0
+.TP
+.B \fIkpropd.acl\fP
+.sp
+Access file for \fIkpropd\fP; the default location is \fI/usr/local/var/krb5kdc/kpropd.acl\fP.
+Each entry is a line containing the principal of a \fIhost\fP from which the local machine
+will allow Kerberos database propagation via \fIkprop(8)\fP.
+.UNINDENT
+.SH SEE ALSO
+.sp
+kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kproplog.8 b/src/man/kproplog.8
new file mode 100644
index 0000000000..e02c0ddffa
--- /dev/null
+++ b/src/man/kproplog.8
@@ -0,0 +1,120 @@
+.TH "KPROPLOG" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kproplog \- display the contents of the Kerberos principal update log
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
+.SH DESCRIPTION
+.sp
+The \fIkproplog\fP command displays the contents of the Kerberos principal
+update log to standard output.
+It can be used to keep track of the \fIincremental\fP updates
+to the principal database, when enabled.
+The update log file contains the update log maintained by the \fIkadmind\fP process
+on the master KDC server and the \fIkpropd\fP process on the slave KDC servers.
+When updates occur, they are logged to this file.
+Subsequently any KDC slave configured for \fIincremental\fP updates will request
+the current data from the master KDC and update their \fIprincipal.ulog\fP file
+with any updates returned.
+.sp
+The \fIkproplog\fP command can only be run on a KDC server by someone with privileges
+comparable to the superuser.
+It will display update entries for that server only.
+.sp
+If no options are specified, the summary of the update log is displayed.
+If invoked on the master, all of the update entries are also displayed.
+When invoked on a slave KDC server, only a summary of the updates are displayed,
+which includes the serial number of the last update received and
+the associated time stamp of the last update.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-h\fP
+.sp
+Display a summary of the update log.
+This information includes the database version number, state of the database,
+the number of updates in the log, the time stamp of the first and last update,
+and the version number of the first and last update entry.
+.TP
+.B \fB\-e\fP \fInum\fP
+.sp
+Display the last \fInum\fP update entries in the log.
+This is useful when debugging synchronization between KDC servers.
+.TP
+.B \fB\-v\fP
+.sp
+Display individual attributes per update.  An example of the output generated for one entry:
+.sp
+.nf
+.ft C
+Update Entry
+   Update serial # : 4
+   Update operation : Add
+   Update principal : test@EXAMPLE.COM
+   Update size : 424
+   Update committed : True
+   Update time stamp : Fri Feb 20 23:37:42 2004
+   Attributes changed : 6
+         Principal
+         Key data
+         Password last changed
+         Modifying principal
+         Modification time
+         TL data
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkproplog\fP uses the following environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fBKRB5_KDC_PROFILE\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+kpropd(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/krb5.conf.5 b/src/man/krb5.conf.5
new file mode 100644
index 0000000000..5612a481c2
--- /dev/null
+++ b/src/man/krb5.conf.5
@@ -0,0 +1,1159 @@
+.TH "KRB5.CONF" "5" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+krb5.conf \- Kerberos configuration file
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.sp
+The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG.
+.SH STRUCTURE
+.sp
+The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:
+.sp
+.nf
+.ft C
+foo = bar
+.ft P
+.fi
+.sp
+or
+.sp
+.nf
+.ft C
+fubar = {
+        foo = bar
+        baz = quux
+}
+.ft P
+.fi
+.sp
+Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag.
+.sp
+For example, if you have the following lines:
+.sp
+.nf
+.ft C
+foo = bar*
+foo = baz
+.ft P
+.fi
+.sp
+then the second value of \fIfoo\fP (baz) would never be read.
+.sp
+The krb5.conf file can include other files using either of the following directives at the beginning of a line:
+.sp
+.nf
+.ft C
+include FILENAME
+includedir DIRNAME
+.ft P
+.fi
+.sp
+\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Included profile files are syntactically independent of their parents, so each included file must begin with a section header.
+.sp
+The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers:
+.sp
+.nf
+.ft C
+module MODULEPATH:RESIDUAL
+.ft P
+.fi
+.sp
+\fIMODULEPATH\fP may be relative to the library path of the krb5 installation, or it may be an absolute path.  \fIRESIDUAL\fP is provided to the module at initialization time.  If krb5.conf uses a module directive, kdc.conf should also use one if it exists.
+.sp
+The krb5.conf file may contain any or all of the following sections:
+.TS
+center;
+|l|l|.
+_
+T{
+\fI\%libdefaults\fP
+T}	T{
+Contains default values used by the Kerberos V5 library.
+T}
+_
+T{
+\fI\%realms\fP
+T}	T{
+Contains subsections keyed by Kerberos realm names. Each subsection describes realm\-specific information, including where to find the Kerberos servers for that realm.
+T}
+_
+T{
+\fI\%domain_realm\fP
+T}	T{
+Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name.
+T}
+_
+T{
+\fI\%logging\fP
+T}	T{
+Contains relations which determine how Kerberos programs are to perform logging.
+T}
+_
+T{
+\fI\%capaths\fP
+T}	T{
+Contains the authentication paths used with direct (nonhierarchical) cross\-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross\-realm authentication. It is also used by the end\-service when checking the transited field for trusted intermediate realms.
+T}
+_
+T{
+\fI\%plugins\fP
+T}	T{
+Contains tags to register dynamic plugin modules and to turn modules on and off.
+T}
+_
+T{
+\fI\%appdefaults\fP
+T}	T{
+Contains default values that can be used by Kerberos V5 applications.
+T}
+_
+.TE
+.SH SECTIONS
+.SS \fB[libdefaults]\fP
+.sp
+The libdefaults section may contain any of the following relations:
+.INDENT 0.0
+.TP
+.B \fBallow_weak_crypto\fP
+.sp
+If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in \fISupported_Encryption_Types_and_Salts\fP). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers.
+.TP
+.B \fBap_req_checksum_type\fP
+.sp
+An integer which specifies the type of AP\-REQ checksum to use in authenticators.
+This variable should be unset so the appropriate checksum for the encryption key in use will be used.
+This can be set if backward compatibility requires a specific checksum type.
+See the \fIkdc_req_checksum_type\fP configuration option for the possible values and their meanings.
+.TP
+.B \fBcanonicalize\fP
+.sp
+This flag indicates to the KDC that the client is prepared to receive a reply that contains a principal name other than the one requested.
+The client should expect, when sending names with the "canonicalize" KDC option,
+that names in the KDC\(aqs reply will be different than the name in the request.
+The default value for this flag is not set.
+.TP
+.B \fBccache_type\fP
+.sp
+Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4.
+.TP
+.B \fBclockskew\fP
+.sp
+Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
+.TP
+.B \fBdefault_keytab_name\fP
+.sp
+This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is \fI/etc/krb5.keytab\fP.
+.TP
+.B \fBdefault_realm\fP
+.sp
+Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see \fIudns_label\fP), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned.
+.TP
+.B \fBdefault_tgs_enctypes\fP
+.sp
+Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see \fISupported_Encryption_Types_and_Salts\fP for a list of the accepted values for this tag). The default value is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP.
+.TP
+.B \fBdefault_tkt_enctypes\fP
+.sp
+Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP.
+.TP
+.B \fBdns_fallback\fP
+.sp
+General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect.
+.TP
+.B \fBdns_lookup_kdc\fP
+.sp
+Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. (Note that the admin_server entry must be in the file, because the DNS implementation for it is incomplete.)
+.sp
+Enabling this option does open up a type of denial\-of\-service attack, if someone spoofs the DNS records and redirects you to another server. However, it\(aqs no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know.
+.sp
+If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure\-time options; if none were given, the default is to enable this option. If the DNS support is not compiled in, this entry has no effect.
+.TP
+.B \fBdns_lookup_realm\fP
+.sp
+Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.
+.sp
+Enabling this option may permit a redirection attack, where spoofed DNS replies persuade a client to authenticate to the wrong realm, when talking to the wrong host (either by spoofing yet more DNS records or by intercepting the net traffic). Depending on how the client software manages hostnames, however, it could already be vulnerable to such attacks. We are looking at possible ways to minimize or eliminate this exposure. For now, we encourage more adventurous sites to try using Secure DNS.
+.sp
+If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure\-time options; if none were given, the default is to disable this option. If the DNS support is not compiled in, this entry has no effect.
+.TP
+.B \fBextra_addresses\fP
+.sp
+This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma\-separated list.
+.TP
+.B \fBforwardable\fP
+.sp
+If this flag is set, initial tickets by default will be forwardable. The default value for this flag is not set.
+.TP
+.B \fBignore_acceptor_hostname\fP
+.sp
+When accepting GSSAPI or krb5 security contexts for host\-based service principals,
+ignore any hostname passed by the calling application and allow any service principal present in the keytab
+which matches the service name and realm  name (if given).
+This option can improve the administrative flexibility of server applications on multihomed hosts,
+but can compromise the security of virtual hosting environments.  The default value is false.
+.TP
+.B \fBk5login_authoritative\fP
+.sp
+If the value of this relation is true (the default), principals must be listed in a local user\(aqs k5login file to be granted login access, if a k5login file exists. If the value of this relation is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal.
+.TP
+.B \fBk5login_directory\fP
+.sp
+If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user\(aqs home directory, with the filename .k5login. For security reasons, k5login files must be owned by the local user or by root.
+.TP
+.B \fBkdc_default_options\fP
+.sp
+Default KDC options (Xored for multiple values) when requesting initial credentials. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).
+.TP
+.B \fBkdc_timesync\fP
+.sp
+If this is set to 1 (for true), then client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock. This corrective factor is only used by the Kerberos library. The default is 1.
+.TP
+.B \fBkdc_req_checksum_type\fP
+.sp
+An integer which specifies the type of checksum to use for the KDC requests for compatibility with DCE security servers
+which do not support the default RSA MD5 used by Kerberos V5.
+This applies to DCE 1.1 and earlier.
+Use a value of 2 to use the RSA MD4 instead.
+This value is only used for DES keys; other keys use the preferred checksum type for those keys.
+.sp
+The possible values and their meanings are as follows.
+.TS
+center;
+|l|l|.
+_
+T{
+1
+T}	T{
+CRC32
+T}
+_
+T{
+2
+T}	T{
+RSA MD4
+T}
+_
+T{
+3
+T}	T{
+RSA MD4 DES
+T}
+_
+T{
+4
+T}	T{
+DES CBC
+T}
+_
+T{
+7
+T}	T{
+RSA MD5
+T}
+_
+T{
+8
+T}	T{
+RSA MD5 DES
+T}
+_
+T{
+9
+T}	T{
+NIST SHA
+T}
+_
+T{
+12
+T}	T{
+HMAC SHA1 DES3
+T}
+_
+T{
+\-138
+T}	T{
+Microsoft MD5 HMAC checksum type
+T}
+_
+.TE
+.TP
+.B \fBnoaddresses\fP
+.sp
+Setting this flag causes the initial Kerberos ticket to be addressless. The default for the flag is set.
+.TP
+.B \fBpermitted_enctypes\fP
+.sp
+Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is \fIaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP.
+.TP
+.B \fBplugin_base_dir\fP
+.sp
+If set, determines the base directory where krb5 plugins are located.
+The default value is  the  "krb5/plugins" subdirectory of the krb5 library directory.
+.TP
+.B \fBpreferred_preauth_types\fP
+.sp
+This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC.  The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported.
+.TP
+.B \fBproxiable\fP
+.sp
+If this flag is set, initial tickets by default will be proxiable. The default value for this flag is not set.
+.TP
+.B \fBrdns\fP
+.sp
+If set to false, prevent the use of reverse DNS resolution when translating hostnames into service principal names. Defaults to true. Setting this flag to false is more secure, but may force users to exclusively use fully qualified domain names when authenticating to services.
+.TP
+.B \fBrealm_try_domains\fP
+.sp
+Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host.  The value of this variable is an integer: \-1 means not to search, 0 means to try the host\(aqs domain itself, 1 means to also try the domain\(aqs immediate parent, and so forth. The library\(aqs usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm\-\-which may involve consulting DNS if \fIdns_lookup_kdc\fP is set.  The default is not to search domain components.
+.TP
+.B \fBrenew_lifetime\fP
+.sp
+The value of this tag is the default renewable lifetime for initial tickets. The default value for the tag is 0.
+.UNINDENT
+.sp
+\fBsafe_checksum_type\fP
+.INDENT 0.0
+.INDENT 3.5
+.sp
+An integer which specifies the type of checksum to use for the KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).
+For compatibility with applications linked against DCE version 1.1 or earlier Kerberos libraries,
+use a value of 3 to use the RSA MD4 DES instead.
+This field is ignored when its value is incompatible with the session key type.
+See the \fIkdc_req_checksum_type\fP configuration option for the possible values and their meanings.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fBticket_lifetime\fP
+.sp
+The value of this tag is the default lifetime for initial tickets. The default value for the tag is 1 day.
+.TP
+.B \fBudp_preference_limit\fP
+.sp
+When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fIudp_preference_list\fP. If the message is smaller than \fIudp_preference_list\fP, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
+.TP
+.B \fBverify_ap_req_nofail\fP
+.sp
+If this flag is set, then an attempt to get initial credentials will fail if the client machine does not have a keytab. The default for the flag is not set.
+.UNINDENT
+.SS \fB[realms]\fP
+.sp
+Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm\(aqs subsection:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+.sp
+Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmin server for the realm.
+.TP
+.B \fBauth_to_local\fP
+.sp
+This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are:
+.INDENT 7.0
+.TP
+.B DB:filename
+.
+The principal will be looked up in the database filename. Support for this is not currently compiled in by default.
+.TP
+.B RULE:exp
+.
+The local name will be formulated from exp.
+.sp
+The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n\(aqth component of the principal for $n (e.g. if the principal was \fIjohndoe/admin\fP then [2:$2$1foo] would result in the string "adminjohndoefoo"). If this string matches regexp, then the s//[g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string.
+.TP
+.B DEFAULT
+.
+The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail.
+.UNINDENT
+.sp
+For example:
+.sp
+.nf
+.ft C
+[realms]
+    ATHENA.MIT.EDU = {
+        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
+        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
+        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
+        auto_to_local = DEFAULT
+    }
+.ft P
+.fi
+.sp
+would result in any principal without \fIroot\fP or \fIadmin\fP as the second component to be translated with the default rule. A principal with a second component of \fIadmin\fP will become its first component. \fIroot\fP will be used as the local name for any principal with a second component of \fIroot\fP. The exception to these two rules are any principals \fIjohndoe\fP/*, which will always get the local name \fIguest\fP.
+.TP
+.B \fBauth_to_local_names\fP
+.sp
+This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name.
+.TP
+.B \fBdatabase_module\fP
+.sp
+This relation indicates the name of the configuration section under [dbmodules] for database specific parameters used by the loadable database library.
+.TP
+.B \fBdefault_domain\fP
+.sp
+This tag is used for Kerberos 4 compatibility. Kerberos 4 does not require the entire hostname of a server to be in its principal like Kerberos 5 does. This tag provides the domain name needed to produce a full hostname when translating V4 principal names into V5 principal names. All servers in this realm are assumed to be in the domain given as the value of this tag
+.TP
+.B \fBkdc\fP
+.sp
+The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs (see \fIudns_label\fP).
+.TP
+.B \fBkpasswd_server\fP
+.sp
+Points to the server where all the password changes are performed.  If there is no such entry, the port 464 on the \fIadmin_server\fP host will be tried.
+.TP
+.B \fBkrb524_server\fP
+.sp
+Points to the server that does 524 conversions.  If it is not mentioned, the krb524 port 4444 on the kdc will be tried.
+.TP
+.B \fBmaster_kdc\fP
+.sp
+Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user\(aqs password has just been changed, and the updated database has not been propagated to the slave servers yet.
+.TP
+.B \fBv4_instance_convert\fP
+.sp
+This subsection allows the administrator to configure exceptions to the default_domain mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name.
+.TP
+.B \fBv4_realm\fP
+.sp
+This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name.
+.UNINDENT
+.SS \fB[domain_realm]\fP
+.sp
+The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name, or a domain name, where domain names are indicated by a prefix of a period (.). The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case.
+.sp
+If no translation entry applies, the host\(aqs realm is considered to be the hostname\(aqs domain portion converted to upper case. For example, the following [domain_realm] section:
+.sp
+.nf
+.ft C
+[domain_realm]
+    crash.mit.edu = TEST.ATHENA.MIT.EDU
+    .mit.edu = ATHENA.MIT.EDU
+    mit.edu = ATHENA.MIT.EDU
+    example.com = EXAMPLE.COM
+.ft P
+.fi
+.sp
+maps the host with the \fIexact\fP name \fIcrash.mit.edu\fP into the TEST.ATHENA.MIT.EDU realm. The period prefix in \fI.mit.edu\fP denotes that \fIall\fP systems in the \fImit.edu\fP domain belong to  ATHENA.MIT.EDU realm.
+Note the entries for the hosts \fImit.edu\fP and \fIexample.com\fP. Without these entries, these hosts would be mapped into the Kerberos realms EDU and COM, respectively.
+.SS \fB[logging]\fP
+.sp
+The [logging] section indicates how a particular entity is to perform its logging. The relations in this section assign one or more values to the entity name. Currently, the following entities are used:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+.sp
+These entries specify how the administrative server is to perform its logging.
+.TP
+.B \fBdefault\fP
+.sp
+These entries specify how to perform logging in the absence of explicit specifications otherwise.
+.TP
+.B \fBkdc\fP
+.sp
+These entries specify how the KDC is to perform its logging.
+.UNINDENT
+.sp
+Values are of the following forms:
+.nf
+FILE=<filename>
+FILE:<filename>
+.fi
+.sp
+.INDENT 0.0
+.INDENT 3.5
+.sp
+This value causes the entity\(aqs logging messages to go to the specified file. If the = form is used, the file is overwritten. If the : form is used, the file is appended to.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B STDERR
+.
+This value causes the entity\(aqs logging messages to go to its standard error stream.
+.TP
+.B CONSOLE
+.
+This value causes the entity\(aqs logging messages to go to the console, if the system supports it.
+.TP
+.B DEVICE=<devicename>
+.
+This causes the entity\(aqs logging messages to go to the specified device.
+.TP
+.B SYSLOG[:<severity>[:<facility>]]
+.
+This causes the entity\(aqs logging messages to go to the system log.
+.sp
+The severity argument specifies the default severity of system log messages. This may be any of the following severities supported by the syslog(3) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity.
+.sp
+The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
+.sp
+If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH.
+.UNINDENT
+.sp
+In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file \fI/var/adm/kadmin.log\fP and sent to the device \fI/dev/tty04\fP.:
+.sp
+.nf
+.ft C
+[logging]
+    kdc = CONSOLE
+    kdc = SYSLOG:INFO:DAEMON
+    admin_server = FILE:/var/adm/kadmin.log
+    admin_server = DEVICE=/dev/tty04
+.ft P
+.fi
+.SS \fB[capaths]\fP
+.sp
+In order to perform direct (non\-hierarchical) cross\-realm authentication, a database is needed to construct the authentication paths between the realms. This section defines that database.
+.sp
+A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket.
+.sp
+There is a tag for each participating realm, and each tag has subtags for each of the realms. The value of the subtags is an intermediate realm which may participate in the cross\-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate.
+.sp
+There are n**2 possible entries in this table, but only those entries which will be needed on the client or the server need to be present. The client needs a tag for its local realm, with subtags for all the realms of servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve.
+.sp
+For example, \fIANL.GOV, PNL.GOV\fP, and \fINERSC.GOV\fP all wish to use the \fIES.NET\fP realm as an intermediate realm. \fIANL\fP has a sub realm of \fITEST.ANL.GOV\fP which will authenticate with \fINERSC.GOV\fP but not \fIPNL.GOV\fP. The [capaths] section for \fIANL.GOV\fP systems would look like this:
+.sp
+.nf
+.ft C
+[capaths]
+    ANL.GOV = {
+        TEST.ANL.GOV = .
+        PNL.GOV = ES.NET
+        NERSC.GOV = ES.NET
+        ES.NET = .
+    }
+    TEST.ANL.GOV = {
+        ANL.GOV = .
+    }
+    PNL.GOV = {
+        ANL.GOV = ES.NET
+    }
+    NERSC.GOV = {
+        ANL.GOV = ES.NET
+    }
+    ES.NET = {
+        ANL.GOV = .
+    }
+.ft P
+.fi
+.sp
+The [capaths] section of the configuration file used on \fINERSC.GOV\fP systems would look like this:
+.sp
+.nf
+.ft C
+[capaths]
+    NERSC.GOV = {
+        ANL.GOV = ES.NET
+        TEST.ANL.GOV = ES.NET
+        TEST.ANL.GOV = ANL.GOV
+        PNL.GOV = ES.NET
+        ES.NET = .
+    }
+    ANL.GOV = {
+        NERSC.GOV = ES.NET
+    }
+    PNL.GOV = {
+        NERSC.GOV = ES.NET
+    }
+    ES.NET = {
+        NERSC.GOV = .
+    }
+    TEST.ANL.GOV = {
+        NERSC.GOV = ANL.GOV
+        NERSC.GOV = ES.NET
+    }
+.ft P
+.fi
+.sp
+In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to determine the path. (It is not important to the server, since the transited field is not sorted.)
+.sp
+This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE 1.1 did not fill in the transited field, and should be used with caution.
+.SS \fB[dbdefaults]\fP
+.sp
+The [dbdefaults] section provides default values for the database specific parameters. It can also specify the configuration section under \fI\%dbmodules\fP section for database specific parameters used by the database library.
+.sp
+The following tags are used in this section:
+.INDENT 0.0
+.TP
+.B \fBdatabase_module\fP
+.sp
+This relation indicates the name of the configuration section under the \fI\%dbmodules\fP for database specific parameters used by the loadable database library.
+.TP
+.B \fBldap_kerberos_container_dn\fP
+.sp
+This LDAP specific tag indicates the DN of the container object where the realm objects will be located. This value is used if the container object is not mentioned in the configuration section under \fI\%dbmodules\fP.
+.TP
+.B \fBldap_kdc_dn\fP
+.sp
+This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database. This value is used if the bind DN for the KDC is not mentioned in the configuration section under \fI\%dbmodules\fP.
+.TP
+.B \fBldap_kadmind_dn\fP
+.sp
+This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. This value is used if the bind DN for the Administration server is not mentioned in the configuration section under \fI\%dbmodules\fP.
+.TP
+.B \fBldap_service_password_file\fP
+.sp
+This LDAP specific tag indicates the file containing the stashed passwords (created by kdb5_ldap_util stashsrvpw) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under \fI\%dbmodules\fP.
+.TP
+.B \fBldap_servers\fP
+.sp
+This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. This value is used if no LDAP servers are mentioned in the configuration section under \fI\%dbmodules\fP. It is recommended to use the \fIldapi://\fP or \fIldaps://\fP interface and not to use \fIldap://\fP interface.
+.TP
+.B \fBldap_conns_per_server\fP
+.sp
+This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under \fI\%dbmodules\fP. The default value is 5.
+.UNINDENT
+.SS \fB[dbmodules]\fP
+.sp
+Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters.
+.sp
+For each section, the following tags may be specified in the subsection:
+.INDENT 0.0
+.TP
+.B \fBdatabase_name\fP
+.sp
+This DB2\-specific tag indicates the location of the database in the filesystem. The default is \fI/usr/local/var/krb5kdc/principal\fP.
+.TP
+.B \fBdb_library\fP
+.sp
+This tag indicates the name of the loadable database library. The value should be \fIdb2\fP for DB2 database and \fIkldap\fP for LDAP database.
+.TP
+.B \fBdb_module_dir\fP
+.sp
+This tag controls where the plugin system looks for modules. The value should be an absolute path.
+.TP
+.B \fBdisable_last_success\fP
+.sp
+If set to \fItrue\fP, suppresses KDC updates to the \fI"Last successful authentication"\fP field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.).
+.TP
+.B \fBdisable_lockout\fP
+.sp
+If set to \fItrue\fP, suppresses KDC updates to the \fI"Last failed authentication"\fP and \fI"Failed password attempts"\fP fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout.
+.TP
+.B \fBldap_conns_per_server\fP
+.sp
+This LDAP specific tags indicates the number of connections to be maintained per LDAP server.
+.TP
+.B \fBldap_kadmind_dn\fP
+.sp
+This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database.
+.TP
+.B \fBldap_kdc_dn\fP
+.sp
+This LDAP specific tag indicates the default bind DN for the KDC server. The KDC server does a login to the directory as this object. This object should have the rights to read the Kerberos data in the LDAP database.
+.TP
+.B \fBldap_kerberos_container_dn\fP
+.sp
+This LDAP specific tag indicates the DN of the container object where the realm objects will be located.
+.TP
+.B \fBldap_servers\fP
+.sp
+This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. It is recommended to use \fIldapi://\fP or \fIldaps://\fP interface to connect to the LDAP server.
+.TP
+.B \fBldap_service_password_file\fP
+.sp
+This LDAP specific tag indicates the file containing the stashed passwords (created by \fIkdb5_ldap_util stashsrvpw\fP) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure.
+.UNINDENT
+.SS \fB[appdefaults]\fP
+.sp
+Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application.
+.sp
+For example:
+.sp
+.nf
+.ft C
+[appdefaults]
+    telnet = {
+        ATHENA.MIT.EDU = {
+             option1 = false
+        }
+    }
+    telnet = {
+        option1 = true
+        option2 = true
+    }
+    ATHENA.MIT.EDU = {
+        option2 = false
+    }
+    option2 = true
+.ft P
+.fi
+.sp
+The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ATHENA.MIT.EDU should have option1 set to false and option2 set to true. Any other programs in ATHENA.MIT.EDU should have option2 set to false by default. Any programs running in other realms should have option2 set to true.
+.sp
+The list of specifiable options for each application may be found in that application\(aqs man pages. The application defaults specified here are overridden by those specified in the \fI\%realms\fP section.
+.SH PLUGINS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fI\%pwqual\fP interface
+.IP \(bu 2
+.
+\fI\%kadm5_hook\fP interface
+.IP \(bu 2
+.
+\fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Tags in the \fB[plugins]\fP section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here.
+.sp
+Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags:
+.INDENT 0.0
+.TP
+.B \fBdisable\fP
+.sp
+This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface.
+.TP
+.B \fBenable_only\fP
+.sp
+This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface.
+.TP
+.B \fBmodule\fP
+.sp
+This tag may have multiple values. Each value is a string of the form "modulename:pathname", which causes the shared object located at pathname to be registered as a dynamic module named modulename for the pluggable interface. If pathname is not an absolute path, it will be treated as relative to the "krb5/plugins" subdirectory of the krb5 library directory.
+.UNINDENT
+.sp
+The following subsections are currently supported within the [plugins] section:
+.SS pwqual interface
+.sp
+The \fBpwqual\fP subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. In addition to any registered dynamic modules, the following built\-in modules exist (and may be disabled with the disable tag):
+.INDENT 0.0
+.TP
+.B \fBdict\fP
+.sp
+Checks against the realm dictionary file
+.TP
+.B \fBempty\fP
+.sp
+Rejects empty passwords
+.TP
+.B \fBhesiod\fP
+.sp
+Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support)
+.TP
+.B \fBprinc\fP
+.sp
+Checks against components of the principal name
+.UNINDENT
+.SS kadm5_hook interface
+.sp
+The \fBkadm5_hook\fP interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface.
+.SS clpreauth and kdcpreauth interfaces
+.sp
+The \fBclpreauth\fP and \fBkdcpreauth\fP interfaces allow plugin modules to provide client and KDC preauthentication mechanisms.  The following built\-in modules exist for these interfaces:
+.INDENT 0.0
+.TP
+.B \fBpkinit\fP
+.sp
+This module implements the PKINIT preauthentication mechanism.
+.TP
+.B \fBencrypted_challenge\fP
+.sp
+This module implements the encrypted challenge FAST factor.
+.TP
+.B \fBencrypted_timestamp\fP
+.sp
+This module implements the encrypted timestamp mechanism.
+.UNINDENT
+.SH PKINIT OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+pkinit identity syntax
+.IP \(bu 2
+.
+pkinit krb5.conf options
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP Note
+.
+The following are pkinit\-specific options. Note that these values may be specified in \fI[libdefaults]\fP as global defaults, or within a realm\-specific subsection of \fI[libdefaults]\fP, or may be specified as realm\-specific values in the \fI[realms]\fP section. Also note that a realm\-specific value over\-rides, does not add to, a generic \fI[libdefaults]\fP specification. The search order is:
+.INDENT 0.0
+.IP 1. 3
+.
+realm\-specific subsection of [libdefaults]
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B [libdefaults]
+.INDENT 7.0
+.TP
+.B EXAMPLE.COM = {
+.
+pkinit_anchors = FILE:/usr/local/example.com.crt
+.UNINDENT
+.sp
+}
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+.
+realm\-specific value in the [realms] section,
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B [realms]
+.INDENT 7.0
+.TP
+.B OTHERREALM.ORG = {
+.
+pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
+.UNINDENT
+.sp
+}
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+.
+generic value in the [libdefaults] section.
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B [libdefaults]
+.
+pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.RE
+.SS Specifying pkinit identity information
+.sp
+The syntax for specifying Public Key identity, trust, and revocation information for pkinit is as follows:
+.INDENT 0.0
+.TP
+.B FILE:file\-name[,key\-file\-name]
+.
+This option has context\-specific behavior.
+.nf
+pkinit_identity
+pkinit_identities
+.fi
+.sp
+.INDENT 7.0
+.INDENT 3.5
+.sp
+\fIfile\-name\fP specifies the name of a PEM\-format file containing the user\(aqs certificate. If \fIkey\-file\-name\fP is not specified, the user\(aqs private key is expected to be in file\-name as well. Otherwise, \fIkey\-file\-name\fP is the name of the file containing the private key.
+.UNINDENT
+.UNINDENT
+.nf
+pkinit_anchors
+pkinit_pool
+.fi
+.sp
+.INDENT 7.0
+.INDENT 3.5
+.sp
+\fIfile\-name\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
+.UNINDENT
+.UNINDENT
+.TP
+.B DIR:directory\-name
+.
+This option has context\-specific behavior.
+.nf
+pkinit_identity
+pkinit_identities
+.fi
+.sp
+.INDENT 7.0
+.INDENT 3.5
+.sp
+\fIdirectory\-name\fP specifies a directory with files named *.crt and *.key, where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with .crt is found, a matching file ending with .key is assumed to contain the private key. If no such file is found, then the certificate in the .crt is not used.
+.UNINDENT
+.UNINDENT
+.nf
+pkinit_anchors
+pkinit_pool
+.fi
+.sp
+.INDENT 7.0
+.INDENT 3.5
+.sp
+\fIdirectory\-name\fP is assumed to be an OpenSSL\-style hashed CA directory where each CA cert is stored in a file named \fIhash\-of\-ca\-cert.#\fP. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used.
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+.B pkinit_revoke
+.
+\fIdirectory\-name\fP is assumed to be an OpenSSL\-style hashed CA directory where each revocation list is stored in a file named \fIhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used.
+.UNINDENT
+.TP
+.B PKCS12:pkcs12\-file\-name
+.
+\fIpkcs12\-file\-name\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key.
+.TP
+.B PKCS11:[module_name=]module\-name[:slotid=slot\-id][:token=token\-label][:certid=cert\-id][:certlabel=cert\-label]
+.
+All keyword/values are optional. module\-name specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the \fImodule\-name\fP. If no module\-name is specified, the default is \fIopensc\-pkcs11.so\fP. \fIslotid=\fP and/or \fItoken=\fP may be specified to force the use of a particular smard card reader or token if there is more than one available. \fIcertid=\fP and/or \fIcertlabel=\fP may be specified to force the selection of a particular certificate on the device. See the \fIpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for pkinit.
+.TP
+.B ENV:environment\-variable\-name
+.
+environment\-variable\-name specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fIENV:X509_PROXY\fP, where environment variable \fIX509_PROXY\fP has been set to \fIFILE:/tmp/my_proxy.pem\fP.
+.UNINDENT
+.SS PKINIT krb5.conf options
+.INDENT 0.0
+.TP
+.B \fBpkinit_anchors\fP
+.sp
+Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line.
+.TP
+.B \fBpkinit_cert_match\fP
+.sp
+Specifies matching rules that the client certificate must match before it is used to attempt pkinit authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting pkinit authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate.
+.sp
+The Subject and Issuer comparison strings are the \fI\%RFC 2253\fP string representations from the certificate Subject DN and Issuer DN values.
+.sp
+The syntax of the matching rules is:
+.sp
+.nf
+.ft C
+[relation\-operator]component\-rule ...
+.ft P
+.fi
+.sp
+where
+.INDENT 7.0
+.TP
+.B \fIrelation\-operator\fP
+.sp
+can be either \fB&&\fP, meaning all component rules must match, or \fB||\fP, meaning only one component rule must match. The default is &&.
+.TP
+.B \fIcomponent\-rule\fP
+.sp
+can be one of the following. Note that there is no punctuation or whitespace between component rules.
+.sp
+\fI<SUBJECT>regular\-expression\fP
+.sp
+\fI<ISSUER>regular\-expression\fP
+.sp
+\fI<SAN>regular\-expression\fP
+.INDENT 7.0
+.TP
+.B \fI<EKU>extended\-key\-usage\-list\fP
+.sp
+where \fIextended\-key\-usage\-list\fP is a comma\-separated list of required Extended Key Usage values. All values in the list must be present in the certificate.
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+pkinit
+.IP \(bu 2
+.
+msScLogin
+.IP \(bu 2
+.
+clientAuth
+.IP \(bu 2
+.
+emailProtection
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.TP
+.B \fI<KU>key\-usage\-list\fP
+.sp
+where \fIkey\-usage\-list\fP is a comma\-separated list of required Key Usage values. All values in the list must be present in the certificate.
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+digitalSignature
+.IP \(bu 2
+.
+keyEncipherment
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Examples:
+.sp
+.nf
+.ft C
+pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
+pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
+pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
+.ft P
+.fi
+.TP
+.B \fBpkinit_eku_checking\fP
+.sp
+This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are:
+.INDENT 7.0
+.TP
+.B \fIkpKDC\fP
+.sp
+This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
+.TP
+.B \fIkpServerAuth\fP
+.sp
+If kpServerAuth is specified, a KDC certificate with the id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
+.TP
+.B \fInone\fP
+.sp
+If none is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended.
+.UNINDENT
+.TP
+.B \fBpkinit_dh_min_bits\fP
+.sp
+Specifies the size of the Diffie\-Hellman key the client will attempt to use. The acceptable values are currently 1024, 2048, and 4096. The default is 2048.
+.TP
+.B \fBpkinit_identities\fP
+.sp
+Specifies the location(s) to be used to find the user\(aqs X.509 identity information. This option may be specified multiple times. Each value is attempted in order until identity information is found and authentication is attempted. Note that these values are not used if the user specifies X509_user_identity on the command line.
+.TP
+.B \fBpkinit_kdc_hostname\fP
+.sp
+The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate).
+.TP
+.B \fBpkinit_longhorn\fP
+.sp
+If this flag is set to true, we are talking to the Longhorn KDC.
+.TP
+.B \fBpkinit_pool\fP
+.sp
+Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times.
+.TP
+.B \fBpkinit_require_crl_checking\fP
+.sp
+The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and \fIpkinit_require_crl_checking\fP is false, then verification succeeds.
+.sp
+However, if \fIpkinit_require_crl_checking\fP is true and there is no CRL information available for the issuing CA, then verification fails.
+.sp
+\fIpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA.
+.TP
+.B \fBpkinit_revoke\fP
+.sp
+Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times.
+.TP
+.B \fBpkinit_win2k\fP
+.sp
+This flag specifies whether the target realm is assumed to support only the old, pre\-RFC version of the protocol. The default is false.
+.TP
+.B \fBpkinit_win2k_require_binding\fP
+.sp
+If this flag is set to true, it expects that the target KDC is patched to return a reply with a checksum rather than a nonce. The default is false.
+.UNINDENT
+.SH SAMPLE KRB5.CONF FILE
+.sp
+Here is an example of a generic krb5.conf file:
+.sp
+.nf
+.ft C
+[libdefaults]
+    default_realm = ATHENA.MIT.EDU
+    default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
+    default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
+    dns_lookup_kdc = true
+    dns_lookup_realm = false
+
+[realms]
+    ATHENA.MIT.EDU = {
+        kdc = kerberos.mit.edu
+        kdc = kerberos\-1.mit.edu
+        kdc = kerberos\-2.mit.edu:750
+        admin_server = kerberos.mit.edu
+        master_kdc = kerberos.mit.edu
+        default_domain = mit.edu
+    }
+    EXAMPLE.COM = {
+        kdc = kerberos.example.com
+        kdc = kerberos\-1.example.com
+        admin_server = kerberos.example.com
+    }
+    OPENLDAP.MIT.EDU = {
+        kdc = kerberos.mit.edu
+        admin_server = kerberos.mit.edu
+        database_module = openldap_ldapconf
+    }
+
+[domain_realm]
+    .mit.edu = ATHENA.MIT.EDU
+    mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+    ATHENA.MIT.EDU = {
+           EXAMPLE.COM = .
+    }
+    EXAMPLE.COM = {
+           ATHENA.MIT.EDU = .
+    }
+
+[logging]
+    kdc = SYSLOG:INFO
+    admin_server = FILE=/var/kadm5.log
+[dbdefaults]
+    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
+[dbmodules]
+    openldap_ldapconf = {
+        db_library = kldap
+        disable_last_success = true
+        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
+        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
+            # this object needs to have read rights on
+            # the realm container and principal subtrees
+        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
+            # this object needs to have read and write rights on
+            # the realm container and principal subtrees
+        ldap_service_password_file = /etc/kerberos/service.keyfile
+        ldap_servers = ldaps://kerberos.mit.edu
+        ldap_conns_per_server = 5
+}
+.ft P
+.fi
+.SH FILES
+.sp
+/etc/krb5.conf
+.SH SEE ALSO
+.sp
+syslog(3)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/krb5kdc.8 b/src/man/krb5kdc.8
new file mode 100644
index 0000000000..96fc253704
--- /dev/null
+++ b/src/man/krb5kdc.8
@@ -0,0 +1,168 @@
+.TH "KRB5KDC" "8" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+krb5kdc \- Kerberos V5 KDC
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkrb5kdc\fP
+.sp
+[  \fB\-x\fP  \fIdb_args\fP ]
+[ \fB\-d\fP \fIdbname\fP ]
+[ \fB\-k\fP \fIkeytype\fP ]
+[ \fB\-M\fP \fImkeyname\fP ]
+[ \fB\-p\fP \fIportnum\fP ]
+[ \fB\-m\fP ]
+[ \fB\-r\fP \fIrealm\fP ]
+[ \fB\-n\fP ]
+[ \fB\-w\fP \fInumworkers\fP ]
+[ \fB\-P\fP \fIpid_file\fP ]
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkrb5kdc\fP is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC).
+.SH OPTIONS
+.sp
+The \fB\-x\fP \fIdb_args\fP option specifies the database specific arguments.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+Options supported for LDAP database are:
+.INDENT 0.0
+.TP
+.B \fB\-x\fP nconns=<number_of_connections>
+.sp
+Specifies the number of connections to be maintained per LDAP server.
+.TP
+.B \fB\-x\fP host=<ldapuri>
+.sp
+Specifies the LDAP server to connect to by a LDAP URI.
+.TP
+.B \fB\-x\fP binddn=<binddn>
+.sp
+Specifies the DN of the object used by the KDC server to bind to the LDAP server.
+This object should have the rights to read the realm container, principal container and
+the subtree that is referenced by the realm.
+.TP
+.B \fB\-x\fP bindpwd=<bind_password>
+.sp
+Specifies the password for the above mentioned binddn.
+It is recommended not to use this option. Instead, the password can be
+stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+The \fB\-r\fP \fIrealm\fP option specifies the realm for which the server should provide service.
+.sp
+The \fB\-d\fP \fIdbname\fP option specifies the name under which the principal database can be found.
+This option does not apply to the LDAP database.
+.sp
+The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key to be entered manually
+as a password when \fB\-m\fP is given;  the default is "des\-cbc\-crc".
+.sp
+The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the master key
+in the database (usually "K/M" in the KDC\(aqs realm).
+.sp
+The \fB\-m\fP option specifies that the master database password should be fetched
+from the keyboard rather than from a file on disk.
+.sp
+The \fB\-n\fP option specifies that the KDC does not put itself in the background
+and does not disassociate itself from the terminal.
+In normal operation, you should always allow the KDC to place itself in the background.
+.sp
+The \fB\-P\fP \fIpid_file\fP option tells the KDC to write its PID (followed by a newline)
+into \fIpid_file\fP after it starts up.
+This can be used to identify whether the KDC is still running and to allow
+init scripts to stop the correct process.
+.sp
+The \fB\-p\fP \fIportnum\fP option specifies the default UDP port number which the KDC
+should listen on for Kerberos version 5 requests.
+This value is used when no port is specified in the KDC profile and
+when no port is specified in the Kerberos configuration file.
+If no value is available, then the value in \fI/etc/services\fP for service "kerberos" is used.
+.sp
+The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP processes
+to listen to the KDC ports and process requests in parallel.
+The top level KDC process (whose pid is recorded in the pid file
+if the \fB\-P\fP option is also given) acts as a supervisor.
+The supervisor will relay SIGHUP signals to the worker subprocesses,
+and will terminate the worker subprocess if the it is itself terminated or
+if any other worker process exits.
+.IP Note
+.
+On operating systems which do not have \fIpktinfo\fP support,
+using worker processes will prevent the KDC from listening
+for UDP packets on network interfaces created after the KDC starts.
+.RE
+.SH EXAMPLE
+.sp
+The KDC may service requests for multiple realms (maximum 32 realms).
+The realms are listed on the command line.
+Per\-realm options that can be specified on the command line pertain for each realm
+that follows it and are superseded by subsequent definitions of the same option.
+For example:
+.sp
+.nf
+.ft C
+krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3
+.ft P
+.fi
+.sp
+specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3.
+Additionally, per\-realm parameters may be specified in the \fIkdc.conf\fP file.
+The location of this file may be specified by the \fIKRB5_KDC_PROFILE\fP environment variable.
+Parameters specified in this file take precedence over options specified on the command line.
+See the \fIkdc.conf\fP description for further details.
+.SH ENVIRONMENT
+.sp
+\fIkrb5kdc\fP uses the following environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+.
+\fBKRB5_CONFIG\fP
+.IP \(bu 2
+.
+\fBKRB5_KDC_PROFILE\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+kdb5_util(8), kdc.conf(5), krb5.conf(5), kdb5_ldap_util(8)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/ksu.1 b/src/man/ksu.1
new file mode 100644
index 0000000000..b87e6d4f2c
--- /dev/null
+++ b/src/man/ksu.1
@@ -0,0 +1,397 @@
+.TH "KSU" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+ksu \- Kerberized super-user
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBksu\fP
+.sp
+[ \fItarget_user\fP ]
+[ \fB\-n\fP \fItarget_principal_name\fP ]
+[ \fB\-c\fP \fIsource_cache_name\fP ]
+[ \fB\-k\fP ]
+[ \fB\-D\fP ]
+[ \fB\-r\fP time ]
+[ \fB\-pf\fP ]
+[ \fB\-l\fP \fIlifetime\fP ]
+[ \fB\-z | Z\fP ]
+[ \fB\-q\fP ]
+[ \fB\-e\fP \fIcommand\fP [ args ...  ] ] [ \fB\-a\fP [ args ...  ] ]
+.UNINDENT
+.SH REQUIREMENTS
+.sp
+Must have Kerberos version 5 installed to compile \fIksu\fP.  Must have a Kerberos version 5 server running to use \fIksu\fP.
+.SH DESCRIPTION
+.sp
+\fIksu\fP is a Kerberized version of the \fIsu\fP program that has two missions:
+one is to securely change the real and effective user ID to that of the target user,
+and the other is to create a new security context.
+.IP Note
+.
+For the sake of clarity, all references to and attributes of the user invoking the program
+will start with \(aqsource\(aq (e.g. \fIsource user, source cache\fP, etc.).
+.sp
+Likewise, all references to and attributes of the target account will start with \(aqtarget\(aq.
+.RE
+.SH AUTHENTICATION
+.sp
+To fulfill the first mission, \fIksu\fP operates in two phases: authentication and authorization.
+Resolving the target principal name is the first step in authentication.
+The user can either specify his principal name with the \fI\-n\fP option (e.g. \fI\-n jqpublic@USC.EDU\fP ) or
+a default principal name will be assigned using a heuristic described in the \fIOPTIONS\fP section (see \fI\-n\fP option).
+The target user name must be the first argument to \fIksu\fP; if not specified root is the default.
+If \(aq.\(aq is specified then the target user will be the source user (e.g. \fIksu\fP .).
+If the source user is root or the target user is the source user, no authentication or authorization takes place.
+Otherwise, \fIksu\fP looks for an appropriate Kerberos ticket in the source cache.
+.sp
+The ticket can either be for the end\-server or a ticket granting ticket (TGT) for the target principal\(aqs realm.
+If the ticket for the end\-server is already in the cache, it\(aqs decrypted and verified.
+If it\(aqs not in the cache but the TGT is, the TGT is used to obtain the ticket for the end\-server.
+The end\-server ticket is then verified.
+If neither ticket is in the cache, but \fIksu\fP is compiled with the \fIGET_TGT_VIA_PASSWD\fP define,
+the user will be prompted for a Kerberos password which will then be used to get a TGT.
+If the user is logged in remotely and does not have a secure channel, the password may be exposed.
+If neither ticket is in the cache and \fIGET_TGT_VIA_PASSWD\fP is not defined, authentication fails.
+.SH AUTHORIZATION
+.sp
+This section describes authorization of the source user when \fIksu\fP is invoked without the \fI\-e\fP option.
+For a description of the \-e option, see the OPTIONS section.
+.sp
+Upon successful authentication, \fIksu\fP checks whether the target principal is authorized to access the target account.
+In the target user\(aqs home directory, \fIksu\fP attempts to access two authorization files: \fI.k5login\fP and \fI.k5users\fP.
+In the \fI.k5login\fP file each line contains the name of a principal that is authorized to access the account.
+.sp
+For example:
+.sp
+.nf
+.ft C
+jqpublic@USC.EDU
+jqpublic/secure@USC.EDU
+jqpublic/admin@USC.EDU
+.ft P
+.fi
+.sp
+The format of \fI.k5users\fP is the same, except the principal name may be followed by a list of commands
+that the principal is authorized to execute. (see the \fI\-e\fP option in the \fIOPTIONS\fP section for details).
+.sp
+Thus if the target principal name is found in the \fI.k5login\fP file the source user is authorized to access the target account.
+Otherwise \fIksu\fP looks in the \fI.k5users\fP file.
+If the target principal name is found without any trailing commands or followed only by \(aq*\(aq then the source user is authorized.
+If either \fI.k5login\fP or \fI.k5users\fP exist but an appropriate entry for the target principal does not exist then access is denied.
+If neither file exists then the principal will be granted access to the account according to the aname\->lname mapping rules.
+Otherwise, authorization fails.
+.SH EXECUTION OF THE TARGET SHELL
+.sp
+Upon successful authentication and authorization, \fIksu\fP proceeds in a similar fashion to \fIsu\fP.
+The environment is unmodified with the exception of USER, HOME and SHELL variables.
+If the target user is not root, USER gets set to the target user name.
+Otherwise USER remains unchanged.
+Both HOME and SHELL are set to the target login\(aqs default values.
+In addition, the environment variable \fIKRB5CCNAME\fP gets set to the name of the target cache.
+The real and effective user ID are changed to that of the target user.
+The target user\(aqs shell is then invoked (the shell name is specified in the password file).
+Upon termination of the shell, \fIksu\fP deletes the target cache (unless \fIksu\fP is invoked with the \fI\-k\fP option).
+This is implemented by first doing a fork and then an exec, instead of just exec, as done by \fIsu\fP.
+.SH CREATING A NEW SECURITY CONTEXT
+.sp
+\fIksu\fP can be used to create a new security context for the target program
+(either the target shell, or command specified via the \fI\-e\fP option).
+The target program inherits a set of credentials from the source user.
+By default, this set includes all of the credentials in the source cache
+plus any additional credentials obtained during authentication.
+The source user is able to limit the credentials in this set by using \fI\-z\fP or \fI\-Z\fP option.
+\fI\-z\fP restricts the copy of tickets from the source cache to the target cache
+to only the tickets where client == the target principal name.
+The \fI\-Z\fP option provides the target user with a fresh target cache (no creds in the cache).
+Note that for security reasons, when the source user is root and target user is non\-root,
+\fI\-z\fP option is the default mode of operation.
+.sp
+While no authentication takes place if the source user is root or is the same as the target  user,
+additional  tickets  can  still  be obtained  for the target cache.
+If \fI\-n\fP is specified and no credentials can be copied to the target cache,
+the  source user is prompted for a Kerberos password (unless \fI\-Z\fP specified or \fIGET_TGT_VIA_PASSWD\fP is undefined).
+If successful,  a  TGT is obtained from the  Kerberos server and stored in the target cache.
+Otherwise, if a password is not provided (user hit return) \fIksu\fP continues in a normal mode
+of operation (the target cache will not contain the desired TGT).
+If the wrong password is typed in, \fIksu\fP fails.
+.sp
+\fISide Note\fP: during authentication, only the tickets that could be obtained without
+providing a password are  cached  in  in  the  source cache.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-n\fP \fItarget_principal_name\fP
+.sp
+Specify a Kerberos target principal name.  Used in authentication and authorization phases of \fIksu\fP.
+.sp
+If \fIksu\fP is invoked without \fI\-n\fP, a default principal name is assigned via the following heuristic:
+.INDENT 7.0
+.TP
+.B \fICase 1: source user is non\-root.\fP
+.sp
+If  the target user is the source user the default principal name is set to the default principal of the source cache.
+If the cache does not exist then the default principal name is set to target_user@local_realm.
+If the source and target  users  are different  and  neither  ~target_user/\fI.k5users\fP nor ~target_user/\fI.k5login\fP exist
+then  the  default  principal name is \fItarget_user_login_name@local_realm\fP.
+Otherwise, starting with the first principal listed below, \fIksu\fP checks if the principal is authorized to access the target account
+and whether there is a legitimate ticket for that principal in the source cache.
+If both conditions are met that principal becomes the default target principal,
+otherwise go to the next principal.
+.INDENT 7.0
+.IP a. 3
+.
+default principal of the source cache
+.IP b. 3
+.
+target_user@local_realm
+.IP c. 3
+.
+source_user@local_realm
+.UNINDENT
+.sp
+If a\-c fails try any principal for which there is a ticket in the source cache and that is authorized to  access  the  target account.
+If  that fails select the first principal that is authorized to access the target account from the above list.
+If none are authorized and \fIksu\fP is configured with \fIPRINC_LOOK_AHEAD\fP turned on, select the default principal as follows:
+.sp
+For each candidate in the above list, select an authorized principal that has the same realm name and
+first part of the principal name equal to the prefix of the candidate.
+For example if candidate a) is \fIjqpublic@ISI.EDU\fP and \fIjqpublic/secure@ISI.EDU\fP is authorized to access the target account
+then the default principal is set to \fIjqpublic/secure@ISI.EDU\fP.
+.TP
+.B \fICase 2: source user is root.\fP
+.sp
+If the target user is non\-root then the default principal name is \fItarget_user@local_realm\fP.
+Else, if the source cache  exists the  default  principal name is set to the default principal of the source cache.
+If the source cache does not exist, default principal name is set to \fIroot@local_realm\fP.
+.UNINDENT
+.TP
+.B \fB\-c\fP \fIsource_cache_name\fP
+.sp
+Specify source cache name (e.g.  \-c FILE:/tmp/my_cache).
+If \fI\-c\fP option is not used then the name is obtained from  \fIKRB5CCNAME\fP environment  variable.
+If  \fIKRB5CCNAME\fP is not defined the source cache name is set to krb5cc_<source uid>.
+The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()),
+where gen_sym generates a new number such  that  the  resulting cache does not already exist.
+For example:
+.sp
+.nf
+.ft C
+krb5cc_1984.2
+.ft P
+.fi
+.TP
+.B \fB\-k\fP
+.sp
+Do  not delete the target cache upon termination of the target shell or a command ( \fI\-e\fP command).
+Without \fI\-k\fP, \fIksu\fP deletes the target cache.
+.TP
+.B \fB\-D\fP
+.sp
+Turn on debug mode.
+.TP
+.B \fB\-z\fP
+.sp
+Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name.
+Use the \fI\-n\fP option if you want the tickets for other then the default principal.
+Note that the \fI\-z\fP option is mutually exclusive with the \fI\-Z\fP option.
+.TP
+.B \fB\-Z\fP
+.sp
+Don\(aqt copy any tickets from the source cache to the target cache.
+Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name.
+Note that the \fI\-Z\fP option is mutually exclusive with the \fI\-z\fP option.
+.TP
+.B \fB\-q\fP
+.sp
+Suppress the printing of status messages.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Ticket granting ticket options
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
+.sp
+The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate
+the  source  user. In this case if \fIksu\fP is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined),
+the ticket granting ticket options that are specified will be used when getting a ticket granting ticket  from  the  Kerberos
+server.
+.TP
+.B \fB\-l\fP \fIlifetime\fP
+.sp
+option  specifies  the lifetime to be requested for the ticket; if this option is not specified, the  default ticket lifetime
+(configured by each site) is used instead.
+.TP
+.B \fB\-r\fP \fItime\fP
+.sp
+option  specifies  that  the  \fIRENEWABLE\fP  option should be requested for the ticket, and specifies the desired total  lifetime of the ticket.
+.TP
+.B \fB\-p\fP
+.sp
+option specifies that the PROXIABLE option should  be requested for the ticket.
+.TP
+.B \fB\-f\fP
+.sp
+option specifies that the FORWARDABLE  option  should be requested for the ticket.
+.TP
+.B \fB\-e\fP \fIcommand\fP [args ...]
+.sp
+\fIksu\fP  proceeds  exactly the same as if it was invoked without the \fI\-e\fP option,
+except instead of executing the target shell, \fIksu\fP executes the specified command
+Example of usage:
+.sp
+.nf
+.ft C
+ksu bob \-e ls \-lag
+.ft P
+.fi
+.sp
+The authorization algorithm for \fI\-e\fP is as follows:
+.sp
+If the source user is root or source user == target user, no authorization takes place  and  the  command  is  executed.
+If source  user  id  != 0, and ~target_user/\fI.k5users\fP file does not exist, authorization fails.
+Otherwise, ~target_user/\fI.k5users\fP file must have an appropriate entry for target principal to get authorized.
+.sp
+The \fI.k5users\fP file format:
+.sp
+A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute.
+A principal name followed by a \(aq*\(aq means that the user is authorized to execute any command. Thus, in the following example:
+.sp
+.nf
+.ft C
+jqpublic@USC.EDU ls mail /local/kerberos/klist
+jqpublic/secure@USC.EDU *
+jqpublic/admin@USC.EDU
+.ft P
+.fi
+.sp
+\fIjqpublic@USC.EDU\fP  is only authorized to execute \fIls\fP, \fImail\fP and \fIklist\fP commands.
+\fIjqpublic/secure@USC.EDU\fP is authorized to execute any command.
+\fIjqpublic/admin@USC.EDU\fP is not authorized to execute any command.
+Note, that  \fIjqpublic/admin@USC.EDU\fP  is  authorized to execute the target shell (regular \fIksu\fP, without the \fI\-e\fP option)
+but \fIjqpublic@USC.EDU\fP is not.
+.sp
+The  commands listed after the principal name must be either a full path names or just the program name.
+In the second case, CMD_PATH specifying the location of authorized programs must be defined at the compilation time of \fIksu\fP.
+Which command gets executed ?
+.sp
+If the source user is \fIroot\fP or the target user is the source user or the user is authorized to execute any command (\(aq*\(aq entry)
+then  command can be either a full or a relative path leading to the target program.
+Otherwise, the user must specify either a full path or just the program name.
+.TP
+.B \fB\-a\fP \fIargs\fP
+.sp
+Specify arguments to be passed to the target shell.
+Note: that all flags and parameters following \-a will be passed  to  the shell,
+thus  all  options  intended for \fIksu\fP must precede \fI\-a\fP.
+.sp
+The \fI\-a\fP option can be used to simulate the \fI\-e\fP option if used as follows:
+.sp
+.nf
+.ft C
+\-a \-c [command [arguments]].
+.ft P
+.fi
+.sp
+\fI\-c\fP is interpreted by the c\-shell to execute the command.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH INSTALLATION INSTRUCTIONS
+.sp
+\fIksu\fP can be compiled with the following four flags:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBGET_TGT_VIA_PASSWD\fP
+.sp
+In case no appropriate tickets are found in the source cache,
+the user will be prompted for a Kerberos password.
+The password is then used to get a ticket granting ticket from the Kerberos server.
+The danger of configuring \fIksu\fP with this macro is if the source user is logged in remotely
+and does not have a secure channel, the password may get exposed.
+.TP
+.B \fBPRINC_LOOK_AHEAD\fP
+.sp
+During the resolution of the default principal name, \fIPRINC_LOOK_AHEAD\fP enables \fIksu\fP to find
+principal names in the \fI.k5users\fP file as described in the \fIOPTIONS\fP section (see \fI\-n\fP option).
+.TP
+.B \fBCMD_PATH\fP
+.sp
+Specifies a list of directories containing programs that users are authorized to execute (via \fI.k5users\fP file).
+.TP
+.B \fBHAVE_GETUSERSHELL\fP
+.sp
+If the source user is non\-root, \fIksu\fP insists that the target user\(aqs shell to be invoked is a "legal shell".
+\fIgetusershell(3)\fP is called to obtain the names of "legal shells".
+Note that the target user\(aqs shell is obtained from the passwd file.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+SAMPLE CONFIGURATION
+.INDENT 0.0
+.INDENT 3.5
+.sp
+KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin"
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B PERMISSIONS FOR KSU
+.
+\fIksu\fP should be owned by root and have the \fIset user id\fP  bit turned on.
+.TP
+.B END\-SERVER ENTRY
+.
+\fIksu\fP attempts to get a ticket for the end server just as Kerberized telnet and rlogin.
+Thus, there must be an entry for the server in the Kerberos database (e.g. \fIhost/nii.isi.edu@ISI.EDU\fP).
+The keytab file must be in an appropriate location.
+.UNINDENT
+.SH SIDE EFFECTS
+.sp
+\fIksu\fP deletes all expired tickets from the source cache.
+.SH AUTHOR OF KSU:
+.sp
+GENNADY (ARI) MEDVINSKY
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kswitch.1 b/src/man/kswitch.1
new file mode 100644
index 0000000000..a4fa6b3d75
--- /dev/null
+++ b/src/man/kswitch.1
@@ -0,0 +1,87 @@
+.TH "KSWITCH" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kswitch \- switch primary ticket cache
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkswitch\fP {\fB\-c\fP \fIcachename\fP | \fB\-p\fP \fIprincipal\fP}
+.SH DESCRIPTION
+.sp
+\fIkswitch\fP makes the specified credential cache the primary cache for
+the collection, if a cache collection is available.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-c\fP \fIcachename\fP
+.sp
+Directly specifies the credential cache to be made primary.
+.TP
+.B \fB\-p\fP \fIprincipal\fP
+.sp
+Causes the cache collection to be searched for a cache
+containing credentials for \fIprincipal\fP.  If one is found,
+that collection is made primary.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkswitch\fP uses the following environment variables:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBKRB5CCNAME\fP
+.sp
+Location of the default Kerberos 5 credentials (ticket)
+cache, in the form \fItype\fP:\fIresidual\fP.  If no type prefix is
+present, the \fBFILE\fP type is assumed.  The type of the
+default cache may determine the availability of a cache
+collection; for instance, a default cache of type \fBDIR\fP
+causes caches within the directory to be present in the
+collection.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+/tmp/krb5cc_[uid]  \- Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the decimal UID of the user).
+.SH SEE ALSO
+.sp
+kinit(1), kdestroy(1), klist(1), kerberos(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/ktutil.1 b/src/man/ktutil.1
new file mode 100644
index 0000000000..0fc6566469
--- /dev/null
+++ b/src/man/ktutil.1
@@ -0,0 +1,131 @@
+.TH "KTUTIL" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+ktutil \- Kerberos keytab file maintenance utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBktutil\fP
+.SH DESCRIPTION
+.sp
+The \fIktutil\fP command invokes a subshell from which an administrator can read, write, or edit entries in a Kerberos V5 keytab or V4 srvtab file.
+.SH COMMANDS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fBlist\fP
+.sp
+Displays the current keylist.
+.sp
+Alias: \fBl\fP
+.TP
+.B \fBread_kt\fP \fIkeytab\fP
+.sp
+Read the Kerberos V5 keytab file \fIkeytab\fP into the current keylist.
+.sp
+Alias: \fBrkt\fP
+.TP
+.B \fBread_st\fP \fIsrvtab\fP
+.sp
+Read the Kerberos V4 srvtab file \fIsrvtab\fP into the current keylist.
+.sp
+Alias: \fBrst\fP
+.TP
+.B \fBwrite_kt\fP \fIkeytab\fP
+.sp
+Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP.
+.sp
+Alias: \fBwkt\fP
+.TP
+.B \fBwrite_st\fP \fIsrvtab\fP
+.sp
+Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP.
+.sp
+Alias: \fBwst\fP
+.TP
+.B \fBclear_list\fP
+.sp
+Clear the current keylist.
+.sp
+Alias: \fBclear\fP
+.TP
+.B \fBdelete_entry\fP \fIslot\fP
+.sp
+Delete the entry in slot number \fIslot\fP from the current keylist.
+.sp
+Alias: \fIdelent\fP
+.TP
+.B \fBadd_entry\fP (\fB\-key | \-password)\fP \fB\-p\fP \fIprincipal\fP \fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP
+.sp
+Add \fIprincipal\fP to keylist using key or password.
+.sp
+Alias: \fBaddent\fP
+.TP
+.B \fBlist_requests\fP
+.sp
+Displays a listing of available commands.
+.sp
+Aliases: \fBlr\fP, \fB?\fP
+.TP
+.B \fBquit\fP
+.sp
+Quits ktutil.
+.sp
+Aliases: \fBexit\fP, \fBq\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+EXAMPLE:
+.sp
+.nf
+.ft C
+ktutil:  add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e aes128\-cts\-hmac\-sha1\-96
+Password for alice@BLEEP.COM:
+ktutil:  add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e aes256\-cts\-hmac\-sha1\-96
+Password for alice@BLEEP.COM:
+ktutil:  write_kt keytab
+ktutil:
+.ft P
+.fi
+.SH SEE ALSO
+.INDENT 0.0
+.INDENT 3.5
+.sp
+kadmin(8), kdb5_util(8)
+.UNINDENT
+.UNINDENT
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/man/kvno.1 b/src/man/kvno.1
new file mode 100644
index 0000000000..d554ec0ad8
--- /dev/null
+++ b/src/man/kvno.1
@@ -0,0 +1,116 @@
+.TH "KVNO" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
+.SH NAME
+kvno \- print key version numbers of Kerberos principals
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.INDENT 0.0
+.TP
+.B \fBkvno\fP
+.sp
+[\fB\-c\fP \fIccache\fP]
+[\fB\-e\fP \fIetype\fP]
+[\fB\-q\fP]
+[\fB\-h\fP]
+[\fB\-P\fP]
+[\fB\-S\fP \fIsname\fP]
+[\fB\-U\fP \fIfor_user\fP]
+\fIservice1 service2\fP ...
+.UNINDENT
+.SH DESCRIPTION
+.sp
+\fIkvno\fP acquires a service ticket for the specified Kerberos principals and
+prints out the key version numbers of each.
+.SH OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-c\fP \fIccache\fP
+.sp
+Specifies the name of a credentials cache to use (if not the default)
+.TP
+.B \fB\-e\fP \fIetype\fP
+.sp
+Specifies the enctype which will be requested for the session key of all
+the services named on the command line.
+This is useful in certain backward compatibility situations.
+.TP
+.B \fB\-q\fP
+.sp
+Suppress printing
+.TP
+.B \fB\-h\fP
+.sp
+Prints a usage statement and exits
+.TP
+.B \fB\-P\fP
+.sp
+Specifies that the \fIservice1 service2\fP ...  arguments are to be treated as
+services for which credentials should be acquired using constrained delegation.
+This option is only valid when used in conjunction with protocol transition.
+.TP
+.B \fB\-S\fP \fIsname\fP
+.sp
+Specifies that \fIkrb5_sname_to_principal()\fP will be used to build principal names.
+If this flag is specified, the \fIservice1 service2\fP ...  arguments are interpreted as
+\fIhostnames\fP (rather than principal names),
+and \fIsname\fP is interpreted as the service name.
+.TP
+.B \fB\-U\fP \fIfor_user\fP
+.sp
+Specifies that protocol transition (S4U2Self) is to be used
+to acquire a ticket on behalf of \fIfor_user\fP.
+If constrained  delegation is not requested,
+the service name must match the credentials cache client principal.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+\fIkvno\fP uses the following environment variable:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+\fBKRB5CCNAME\fP  \- Location of the credentials (ticket) cache.
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+/tmp/krb5cc_[uid] \- Default location of the credentials cache ([uid] is the decimal UID of the user).
+.SH SEE ALSO
+.sp
+kinit(1), kdestroy(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
index 8396db9bc5..749dfa73c1 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -26,6 +26,8 @@ getdate.c: $(GETDATE)
 
 install::
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+
+install-oldman::
 	$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
 
 clean::
diff --git a/src/slave/Makefile.in b/src/slave/Makefile.in
index 66305622e6..4d2354086b 100644
--- a/src/slave/Makefile.in
+++ b/src/slave/Makefile.in
@@ -31,6 +31,10 @@ install::
 	for f in kprop kpropd kproplog; do \
 	  $(INSTALL_PROGRAM) $$f \
 		$(DESTDIR)$(SERVER_BINDIR)/`echo $$f|sed '$(transform)'`; \
+	done
+
+install-oldman::
+	for f in kprop kpropd kproplog; do \
 	  $(INSTALL_DATA) $(srcdir)/$$f.M \
 		${DESTDIR}$(SERVER_MANDIR)/`echo $$f|sed '$(transform)'`.8; \
 	done
@@ -40,4 +44,3 @@ clean::
 
 clean::
 	$(RM) kprop kpropd kproplog
-