author    Ben Kaduk <kaduk@mit.edu>  2012-11-06 22:15:50 -0500
committer Ben Kaduk <kaduk@mit.edu>  2012-11-14 15:31:13 -0500
commit    ccaf2682c79974cee368d2f3b0611dabc1361df5 (patch)
tree      bf852491bce076326a300a3494fccb8dc0809562 /doc/admin/admin_commands
parent    07b66c2220ad1b38c5465cacc2537096afe332d2 (diff)
Rename doc subdirectories
We like these names better, and they match the PDF document filenames.

    admins -> admin
    appldev -> appdev
    users -> user

and catch up where the names are used elsewhere. The relay/ directory
has been removed, with its contents moved to the top level in
build_this.rst and a new about.rst.

The section headers for kadmind, krb5kdc, sserver, kpasswd, kswitch,
and sclient are misdetected as conflict markers.

bigredbutton: whitespace
ticket: 7433
tags: pullup
Diffstat (limited to 'doc/admin/admin_commands')
-rw-r--r--  doc/admin/admin_commands/index.rst            17
-rw-r--r--  doc/admin/admin_commands/k5srvutil.rst        57
-rw-r--r--  doc/admin/admin_commands/kadmin_local.rst    883
-rw-r--r--  doc/admin/admin_commands/kadmind.rst         130
-rw-r--r--  doc/admin/admin_commands/kdb5_ldap_util.rst  478
-rw-r--r--  doc/admin/admin_commands/kdb5_util.rst       355
-rw-r--r--  doc/admin/admin_commands/kprop.rst            60
-rw-r--r--  doc/admin/admin_commands/kpropd.rst          123
-rw-r--r--  doc/admin/admin_commands/kproplog.rst         87
-rw-r--r--  doc/admin/admin_commands/krb5kdc.rst         142
-rw-r--r--  doc/admin/admin_commands/ktutil.rst          133
-rw-r--r--  doc/admin/admin_commands/sserver.rst         121
12 files changed, 2586 insertions, 0 deletions
diff --git a/doc/admin/admin_commands/index.rst b/doc/admin/admin_commands/index.rst
new file mode 100644
index 0000000000..e8dc76524e
--- /dev/null
+++ b/doc/admin/admin_commands/index.rst
@@ -0,0 +1,17 @@
+Administration programs
+========================
+
+.. toctree::
+ :maxdepth: 1
+
+ kadmin_local.rst
+ kadmind.rst
+ kdb5_util.rst
+ kdb5_ldap_util.rst
+ krb5kdc.rst
+ kprop.rst
+ kpropd.rst
+ kproplog.rst
+ ktutil.rst
+ k5srvutil.rst
+ sserver.rst
diff --git a/doc/admin/admin_commands/k5srvutil.rst b/doc/admin/admin_commands/k5srvutil.rst
new file mode 100644
index 0000000000..493c176531
--- /dev/null
+++ b/doc/admin/admin_commands/k5srvutil.rst
@@ -0,0 +1,57 @@
+.. _k5srvutil(1):
+
+k5srvutil
+=========
+
+SYNOPSIS
+--------
+
+**k5srvutil** *operation*
+[**-i**]
+[**-f** *filename*]
+
+DESCRIPTION
+-----------
+
+k5srvutil allows an administrator to list or change keys currently in
+a keytab or to add new keys to the keytab.
+
+*operation* must be one of the following:
+
+**list**
+ Lists the keys in a keytab showing version number and principal
+ name.
+
+**change**
+ Uses the kadmin protocol to update the keys in the Kerberos
+ database to new randomly-generated keys, and updates the keys in
+ the keytab to match. If a key's version number doesn't match the
+ version number stored in the Kerberos server's database, then the
+ operation will fail. Old keys are retained in the keytab so that
+ existing tickets continue to work. If the **-i** flag is given,
+ k5srvutil will prompt for confirmation before changing each key.
+ If the **-k** option is given, the old and new keys will be
+ displayed.
+
+**delold**
+ Deletes keys that are not the most recent version from the keytab.
+ This operation should be used some time after a change operation
+ to remove old keys, after existing tickets issued for the service
+ have expired. If the **-i** flag is given, then k5srvutil will
+ prompt for confirmation for each principal.
+
+**delete**
+ Deletes particular keys in the keytab, interactively prompting for
+ each key.
+
+In all cases, the default keytab is used unless this is overridden by
+the **-f** option.
+
+k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in
+place.
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`, :ref:`ktutil(1)`
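Review bot: the **change** entry in k5srvutil.rst refers to a **-k** option ("If the **-k** option is given, the old and new keys will be displayed") that appears neither in the SYNOPSIS, which lists only `[**-i**]` and `[**-f** *filename*]`, nor in the closing paragraph that explains the **-f** default. Either add `[**-k**]` to the synopsis and describe it alongside **-i** and **-f**, or drop the sentence; as written the reader cannot tell whether the flag exists.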
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
new file mode 100644
index 0000000000..396e25524f
--- /dev/null
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -0,0 +1,883 @@
+.. _kadmin(1):
+
+kadmin
+======
+
+SYNOPSIS
+--------
+
+.. _kadmin_synopsis:
+
+**kadmin**
+[**-O**\|\ **-N**]
+[**-r** *realm*]
+[**-p** *principal*]
+[**-q** *query*]
+[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
+[**-w** *password*]
+[**-s** *admin_server*\ [:*port*]]
+
+**kadmin.local**
+[**-r** *realm*]
+[**-p** *principal*]
+[**-q** *query*]
+[**-d** *dbname*]
+[**-e** *enc*:*salt* ...]
+[**-m**]
+[**-x** *db_args*]
+
+.. _kadmin_synopsis_end:
+
+
+DESCRIPTION
+-----------
+
+kadmin and kadmin.local are command-line interfaces to the Kerberos V5
+administration system. They provide nearly identical functionalities;
+the difference is that kadmin.local directly accesses the KDC
+database, while kadmin performs operations using :ref:`kadmind(8)`.
+Except as explicitly noted otherwise, this man page will use "kadmin"
+to refer to both versions. kadmin provides for the maintenance of
+Kerberos principals, password policies, and service key tables
+(keytabs).
+
+The remote kadmin client uses Kerberos to authenticate to kadmind
+using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is
+the fully-qualified hostname of the admin server) or ``kadmin/admin``.
+If the credentials cache contains a ticket for one of these
+principals, and the **-c** credentials_cache option is specified, that
+ticket is used to authenticate to kadmind. Otherwise, the **-p** and
+**-k** options are used to specify the client Kerberos principal name
+used to authenticate. Once kadmin has determined the principal name,
+it requests a service ticket from the KDC, and uses that service
+ticket to authenticate to kadmind.
+
+Since kadmin.local directly accesses the KDC database, it usually must
+be run directly on the master KDC with sufficient permissions to read
+the KDC database. If the KDC database uses the LDAP database module,
+kadmin.local can be run on any host which can access the LDAP server.
+
+
+OPTIONS
+-------
+
+.. _kadmin_options:
+
+**-r** *realm*
+ Use *realm* as the default database realm.
+
+**-p** *principal*
+ Use *principal* to authenticate. Otherwise, kadmin will append
+ ``/admin`` to the primary principal name of the default ccache,
+ the value of the **USER** environment variable, or the username as
+ obtained with getpwuid, in order of preference.
+
+**-k**
+ Use a keytab to decrypt the KDC response instead of prompting for
+ a password. In this case, the default principal will be
+ ``host/hostname``. If there is no keytab specified with the
+ **-t** option, then the default keytab will be used.
+
+**-t** *keytab*
+ Use *keytab* to decrypt the KDC response. This can only be used
+ with the **-k** option.
+
+**-n**
+ Requests anonymous processing. Two types of anonymous principals
+ are supported. For fully anonymous Kerberos, configure PKINIT on
+ the KDC and configure **pkinit_anchors** in the client's
+ :ref:`krb5.conf(5)`. Then use the **-n** option with a principal
+ of the form ``@REALM`` (an empty principal name followed by the
+ at-sign and a realm name). If permitted by the KDC, an anonymous
+ ticket will be returned. A second form of anonymous tickets is
+ supported; these realm-exposed tickets hide the identity of the
+ client but not the client's realm. For this mode, use ``kinit
+ -n`` with a normal principal name. If supported by the KDC, the
+ principal (but not realm) will be replaced by the anonymous
+ principal. As of release 1.8, the MIT Kerberos KDC only supports
+ fully anonymous operation.
+
+**-c** *credentials_cache*
+ Use *credentials_cache* as the credentials cache. The
+ cache should contain a service ticket for the ``kadmin/ADMINHOST``
+ (where *ADMINHOST* is the fully-qualified hostname of the admin
+ server) or ``kadmin/admin`` service; it can be acquired with the
+ :ref:`kinit(1)` program. If this option is not specified, kadmin
+ requests a new service ticket from the KDC, and stores it in its
+ own temporary ccache.
+
+**-w** *password*
+ Use *password* instead of prompting for one. Use this option with
+ care, as it may expose the password to other users on the system
+ via the process list.
+
+**-q** *query*
+ Perform the specified query and then exit. This can be useful for
+ writing scripts.
+
+**-d** *dbname*
+ Specifies the name of the KDC database. This option does not
+ apply to the LDAP database module.
+
+**-s** *admin_server*\ [:*port*]
+ Specifies the admin server which kadmin should contact.
+
+**-m**
+ If using kadmin.local, prompt for the database master password
+ instead of reading it from a stash file.
+
+**-e** "*enc*:*salt* ..."
+ Sets the list of encryption types and salt types to be used for
+ any new keys created. See :ref:`Encryption_and_salt_types` in
+ :ref:`kdc.conf(5)` for a list of possible values.
+
+**-O**
+ Force use of old AUTH_GSSAPI authentication flavor.
+
+**-N**
+ Prevent fallback to AUTH_GSSAPI authentication flavor.
+
+**-x** *db_args*
+ Specifies the database specific arguments. Options supported for
+ the LDAP database module are:
+
+ **-x host=**\ *hostname*
+ Specifies the LDAP server to connect to by a LDAP URI.
+
+ **-x binddn=**\ *bind_dn*
+ Specifies the DN of the object used by the administration
+ server to bind to the LDAP server. This object should have
+ the read and write privileges on the realm container, the
+ principal container, and the subtree that is referenced by the
+ realm.
+
+ **-x bindpwd=**\ *bind_password*
+ Specifies the password for the above mentioned binddn. Using
+ this option may expose the password to other users on the
+ system via the process list; to avoid this, instead stash the
+ password using the **stashsrvpw** command of
+ :ref:`kdb5_ldap_util(8)`.
+
+.. _kadmin_options_end:
+
+
+COMMANDS
+--------
+
+When using the remote client, available commands may be restricted
+according to the privileges specified in the :ref:`kadm5.acl(5)` file
+on the admin server.
+
+.. _add_principal:
+
+add_principal
+~~~~~~~~~~~~~
+
+ **add_principal** [*options*] *newprinc*
+
+Creates the principal *newprinc*, prompting twice for a password. If
+no password policy is specified with the **-policy** option, and the
+policy named ``default`` is assigned to the principal if it exists.
+However, creating a policy named ``default`` will not automatically
+assign this policy to previously existing principals. This policy
+assignment can be suppressed with the **-clearpolicy** option.
+
+This command requires the **add** privilege.
+
+Aliases: **addprinc**, **ank**
+
+Options:
+
+**-expire** *expdate*
+ (:ref:`getdate` string) The expiration date of the principal.
+
+**-pwexpire** *pwexpdate*
+ (:ref:`getdate` string) The password expiration date.
+
+**-maxlife** *maxlife*
+ (:ref:`getdate` string) The maximum ticket life for the principal.
+
+**-maxrenewlife** *maxrenewlife*
+ (:ref:`getdate` string) The maximum renewable life of tickets for
+ the principal.
+
+**-kvno** *kvno*
+ The initial key version number.
+
+**-policy** *policy*
+ The password policy used by this principal. If not specified, the
+ policy ``default`` is used if it exists (unless **-clearpolicy**
+ is specified).
+
+**-clearpolicy**
+ Prevents any policy from being assigned when **-policy** is not
+ specified.
+
+{-\|+}\ **allow_postdated**
+ **-allow_postdated** prohibits this principal from obtaining
+ postdated tickets. **+allow_postdated** clears this flag.
+
+{-\|+}\ **allow_forwardable**
+ **-allow_forwardable** prohibits this principal from obtaining
+ forwardable tickets. **+allow_forwardable** clears this flag.
+
+{-\|+}\ **allow_renewable**
+ **-allow_renewable** prohibits this principal from obtaining
+ renewable tickets. **+allow_renewable** clears this flag.
+
+{-\|+}\ **allow_proxiable**
+ **-allow_proxiable** prohibits this principal from obtaining
+ proxiable tickets. **+allow_proxiable** clears this flag.
+
+{-\|+}\ **allow_dup_skey**
+ **-allow_dup_skey** disables user-to-user authentication for this
+ principal by prohibiting this principal from obtaining a session
+ key for another user. **+allow_dup_skey** clears this flag.
+
+{-\|+}\ **requires_preauth**
+ **+requires_preauth** requires this principal to preauthenticate
+ before being allowed to kinit. **-requires_preauth** clears this
+ flag.
+
+{-\|+}\ **requires_hwauth**
+ **+requires_hwauth** requires this principal to preauthenticate
+ using a hardware device before being allowed to kinit.
+ **-requires_hwauth** clears this flag.
+
+{-\|+}\ **ok_as_delegate**
+ **+ok_as_delegate** sets the **okay as delegate** flag on tickets
+ issued with this principal as the service. Clients may use this
+ flag as a hint that credentials should be delegated when
+ authenticating to the service. **-ok_as_delegate** clears this
+ flag.
+
+{-\|+}\ **allow_svr**
+ **-allow_svr** prohibits the issuance of service tickets for this
+ principal. **+allow_svr** clears this flag.
+
+{-\|+}\ **allow_tgs_req**
+ **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
+ request for a service ticket for this principal is not permitted.
+ **+allow_tgs_req** clears this flag.
+
+{-\|+}\ **allow_tix**
+ **-allow_tix** forbids the issuance of any tickets for this
+ principal. **+allow_tix** clears this flag.
+
+{-\|+}\ **needchange**
+ **+needchange** forces a password change on the next initial
+ authentication to this principal. **-needchange** clears this
+ flag.
+
+{-\|+}\ **password_changing_service**
+ **+password_changing_service** marks this principal as a password
+ change service principal.
+
+**-randkey**
+ Sets the key of the principal to a random value.
+
+**-pw** *password*
+ Sets the password of the principal to the specified string and
+ does not prompt for a password. Note: using this option in a
+ shell script may expose the password to other users on the system
+ via the process list.
+
+**-e** *enc*:*salt*,...
+ Uses the specified list of enctype-salttype pairs for setting the
+ key of the principal.
+
+**-x** *db_princ_args*
+ Indicates database-specific options. The options for the LDAP
+ database module are:
+
+ **-x dn=**\ *dn*
+ Specifies the LDAP object that will contain the Kerberos
+ principal being created.
+
+ **-x linkdn=**\ *dn*
+ Specifies the LDAP object to which the newly created Kerberos
+ principal object will point.
+
+ **-x containerdn=**\ *container_dn*
+ Specifies the container object under which the Kerberos
+ principal is to be created.
+
+ **-x tktpolicy=**\ *policy*
+ Associates a ticket policy to the Kerberos principal.
+
+ .. note::
+ - The **containerdn** and **linkdn** options cannot be
+ specified with the **dn** option.
+ - If the *dn* or *containerdn* options are not specified while
+ adding the principal, the principals are created under the
+ principal container configured in the realm or the realm
+ container.
+ - *dn* and *containerdn* should be within the subtrees or
+ principal container configured in the realm.
+
+Example:
+
+ ::
+
+ kadmin: addprinc jennifer
+ WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+ defaulting to no policy.
+ Enter password for principal jennifer@ATHENA.MIT.EDU:
+ Re-enter password for principal jennifer@ATHENA.MIT.EDU:
+ Principal "jennifer@ATHENA.MIT.EDU" created.
+ kadmin:
+
+.. _add_principal_end:
+
+.. _modify_principal:
+
+modify_principal
+~~~~~~~~~~~~~~~~
+
+ **modify_principal** [*options*] *principal*
+
+Modifies the specified principal, changing the fields as specified.
+The options to **add_principal** also apply to this command, except
+for the **-randkey**, **-pw**, and **-e** options. In addition, the
+option **-clearpolicy** will clear the current policy of a principal.
+
+This command requires the *modify* privilege.
+
+Alias: **modprinc**
+
+Options (in addition to the **addprinc** options):
+
+**-unlock**
+ Unlocks a locked principal (one which has received too many failed
+ authentication attempts without enough time between them according
+ to its password policy) so that it can successfully authenticate.
+
+.. _modify_principal_end:
+
+.. _rename_principal:
+
+rename_principal
+~~~~~~~~~~~~~~~~
+
+ **rename_principal** [**-force**] *old_principal* *new_principal*
+
+Renames the specified *old_principal* to *new_principal*. This
+command prompts for confirmation, unless the **-force** option is
+given.
+
+This command requires the **add** and **delete** privileges.
+
+Alias: **renprinc**
+
+.. _rename_principal_end:
+
+.. _delete_principal:
+
+delete_principal
+~~~~~~~~~~~~~~~~
+
+ **delete_principal** [**-force**] *principal*
+
+Deletes the specified *principal* from the database. This command
+prompts for deletion, unless the **-force** option is given.
+
+This command requires the **delete** privilege.
+
+Alias: **delprinc**
+
+.. _delete_principal_end:
+
+.. _change_password:
+
+change_password
+~~~~~~~~~~~~~~~
+
+ **change_password** [*options*] *principal*
+
+Changes the password of *principal*. Prompts for a new password if
+neither **-randkey** or **-pw** is specified.
+
+This command requires the **changepw** privilege, or that the
+principal running the program is the same as the principal being
+changed.
+
+Alias: **cpw**
+
+The following options are available:
+
+**-randkey**
+ Sets the key of the principal to a random value.
+
+**-pw** *password*
+ Set the password to the specified string. Using this option in a
+ script may expose the password to other users on the system via
+ the process list.
+
+**-e** *enc*:*salt*,...
+ Uses the specified list of enctype-salttype pairs for setting the
+ key of the principal.
+
+**-keepold**
+ Keeps the existing keys in the database. This flag is usually not
+ necessary except perhaps for ``krbtgt`` principals.
+
+Example:
+
+ ::
+
+ kadmin: cpw systest
+ Enter password for principal systest@BLEEP.COM:
+ Re-enter password for principal systest@BLEEP.COM:
+ Password for systest@BLEEP.COM changed.
+ kadmin:
+
+.. _change_password_end:
+
+.. _purgekeys:
+
+purgekeys
+~~~~~~~~~
+
+ **purgekeys** [**-keepkvno** *oldest_kvno_to_keep*] *principal*
+
+Purges previously retained old keys (e.g., from **change_password
+-keepold**) from *principal*. If **-keepkvno** is specified, then
+only purges keys with kvnos lower than *oldest_kvno_to_keep*.
+
+This command requires the **modify** privilege.
+
+.. _purgekeys_end:
+
+.. _get_principal:
+
+get_principal
+~~~~~~~~~~~~~
+
+ **get_principal** [**-terse**] *principal*
+
+Gets the attributes of principal. With the **-terse** option, outputs
+fields as quoted tab-separated strings.
+
+This command requires the **inquire** privilege, or that the principal
+running the the program to be the same as the one being listed.
+
+Alias: **getprinc**
+
+Examples:
+
+ ::
+
+ kadmin: getprinc tlyu/admin
+ Principal: tlyu/admin@BLEEP.COM
+ Expiration date: [never]
+ Last password change: Mon Aug 12 14:16:47 EDT 1996
+ Password expiration date: [none]
+ Maximum ticket life: 0 days 10:00:00
+ Maximum renewable life: 7 days 00:00:00
+ Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+ Last successful authentication: [never]
+ Last failed authentication: [never]
+ Failed password attempts: 0
+ Number of keys: 2
+ Key: vno 1, DES cbc mode with CRC-32, no salt
+ Key: vno 1, DES cbc mode with CRC-32, Version 4
+ Attributes:
+ Policy: [none]
+
+ kadmin: getprinc -terse systest
+ systest@BLEEP.COM 3 86400 604800 1
+ 785926535 753241234 785900000
+ tlyu/admin@BLEEP.COM 786100034 0 0
+ kadmin:
+
+.. _get_principal_end:
+
+.. _list_principals:
+
+list_principals
+~~~~~~~~~~~~~~~
+
+ **list_principals** [*expression*]
+
+Retrieves all or some principal names. *expression* is a shell-style
+glob expression that can contain the wild-card characters ``?``,
+``*``, and ``[]``. All principal names matching the expression are
+printed. If no expression is provided, all principal names are
+printed. If the expression does not contain an ``@`` character, an
+``@`` character followed by the local realm is appended to the
+expression.
+
+This command requires the **list** privilege.
+
+Alias: **listprincs**, **get_principals**, **get_princs**
+
+Example:
+
+ ::
+
+ kadmin: listprincs test*
+ test3@SECURE-TEST.OV.COM
+ test2@SECURE-TEST.OV.COM
+ test1@SECURE-TEST.OV.COM
+ testuser@SECURE-TEST.OV.COM
+ kadmin:
+
+.. _list_principals_end:
+
+.. _get_strings:
+
+get_strings
+~~~~~~~~~~~
+
+ **get_strings** *principal*
+
+Displays string attributes on *principal*.
+
+This command requires the **inquire** privilege.
+
+Alias: **getstr**
+
+.. _get_strings_end:
+
+.. _set_string:
+
+set_string
+~~~~~~~~~~
+
+ **set_string** *principal* *key* *value*
+
+Sets a string attribute on *principal*. String attributes are used to
+supply per-principal configuration to the KDC and some KDC plugin
+modules. The following string attributes are recognized by the KDC:
+
+**session_enctypes**
+ Specifies the encryption types supported for session keys when the
+ principal is authenticated to as a server. See
+ :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list
+ of the accepted values.
+
+This command requires the **modify** privilege.
+
+Alias: **setstr**
+
+.. _set_string_end:
+
+.. _del_string:
+
+del_string
+~~~~~~~~~~
+
+ **del_string** *principal* *key*
+
+Deletes a string attribute from *principal*.
+
+This command requires the **delete** privilege.
+
+Alias: **delstr**
+
+.. _del_string_end:
+
+.. _add_policy:
+
+add_policy
+~~~~~~~~~~
+
+ **add_policy** [*options*] *policy*
+
+Adds a password policy named *policy* to the database.
+
+This command requires the **add** privilege.
+
+Alias: **addpol**
+
+The following options are available:
+
+**-maxlife** *time*
+ (:ref:`getdate` string) Sets the maximum lifetime of a password.
+
+**-minlife** *time*
+ (:ref:`getdate` string) Sets the minimum lifetime of a password.
+
+**-minlength** *length*
+ Sets the minimum length of a password.
+
+**-minclasses** *number*
+ Sets the minimum number of character classes required in a
+ password. The five character classes are lower case, upper case,
+ numbers, punctuation, and whitespace/unprintable characters.
+
+**-history** *number*
+ Sets the number of past keys kept for a principal. This option is
+ not supported with the LDAP KDC database module.
+
+**-maxfailure** *maxnumber*
+ Sets the maximum number of authentication failures before the
+ principal is locked. Authentication failures are only tracked for
+ principals which require preauthentication.
+
+**-failurecountinterval** *failuretime*
+ (:ref:`getdate` string) Sets the allowable time between
+ authentication failures. If an authentication failure happens
+ after *failuretime* has elapsed since the previous failure,
+ the number of authentication failures is reset to 1.
+
+**-lockoutduration** *lockouttime*
+ (:ref:`getdate` string) Sets the duration for which the principal
+ is locked from authenticating if too many authentication failures
+ occur without the specified failure count interval elapsing.
+ A duration of 0 means forever.
+
+**-allowedkeysalts**
+ Specifies the key/salt tuples supported for long-term keys when
+ setting or changing a principal's password/keys. See
+ :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list
+ of the accepted values, but note that key/salt tuples must be
+ separated with commas (',') only. To clear the allowed key/salt
+ policy use a value of '-'.
+
+Example:
+
+ ::
+
+ kadmin: add_policy -maxlife "2 days" -minlength 5 guests
+ kadmin:
+
+.. _add_policy_end:
+
+.. _modify_policy:
+
+modify_policy
+~~~~~~~~~~~~~
+
+ **modify_policy** [*options*] *policy*
+
+Modifies the password policy named *policy*. Options are as described
+for **add_policy**.
+
+This command requires the **modify** privilege.
+
+Alias: **modpol**
+
+.. _modify_policy_end:
+
+.. _delete_policy:
+
+delete_policy
+~~~~~~~~~~~~~
+
+ **delete_policy** [**-force**] *policy*
+
+Deletes the password policy named *policy*. Prompts for confirmation
+before deletion. The command will fail if the policy is in use by any
+principals.
+
+This command requires the **delete** privilege.
+
+Alias: **delpol**
+
+Example:
+
+ ::
+
+ kadmin: del_policy guests
+ Are you sure you want to delete the policy "guests"?
+ (yes/no): yes
+ kadmin:
+
+.. _delete_policy_end:
+
+.. _get_policy:
+
+get_policy
+~~~~~~~~~~
+
+ **get_policy** [ **-terse** ] *policy*
+
+Displays the values of the password policy named *policy*. With the
+**-terse** flag, outputs the fields as quoted strings separated by
+tabs.
+
+This command requires the **inquire** privilege.
+
+Alias: getpol
+
+Examples:
+
+ ::
+
+ kadmin: get_policy admin
+ Policy: admin
+ Maximum password life: 180 days 00:00:00
+ Minimum password life: 00:00:00
+ Minimum password length: 6
+ Minimum number of password character classes: 2
+ Number of old keys kept: 5
+ Reference count: 17
+
+ kadmin: get_policy -terse admin
+ admin 15552000 0 6 2 5 17
+ kadmin:
+
+The "Reference count" is the number of principals using that policy.
+With the LDAP KDC database module, the reference count field is not
+meaningful.
+
+.. _get_policy_end:
+
+.. _list_policies:
+
+list_policies
+~~~~~~~~~~~~~
+
+ **list_policies** [*expression*]
+
+Retrieves all or some policy names. *expression* is a shell-style
+glob expression that can contain the wild-card characters ``?``,
+``*``, and ``[]``. All policy names matching the expression are
+printed. If no expression is provided, all existing policy names are
+printed.
+
+This command requires the **list** privilege.
+
+Aliases: **listpols**, **get_policies**, **getpols**.
+
+Examples:
+
+ ::
+
+ kadmin: listpols
+ test-pol
+ dict-only
+ once-a-min
+ test-pol-nopw
+
+ kadmin: listpols t*
+ test-pol
+ test-pol-nopw
+ kadmin:
+
+.. _list_policies_end:
+
+.. _ktadd:
+
+ktadd
+~~~~~
+
+ | **ktadd** [options] *principal*
+ | **ktadd** [options] **-glob** *princ-exp*
+
+Adds a *principal*, or all principals matching *princ-exp*, to a
+keytab file. Each principal's keys are randomized in the process.
+The rules for *princ-exp* are described in the **list_principals**
+command.
+
+This command requires the **inquire** and **changepw** privileges.
+With the **-glob** form, it also requires the **list** privilege.
+
+The options are:
+
+**-k[eytab]** *keytab*
+ Use *keytab* as the keytab file. Otherwise, the default keytab is
+ used.
+
+**-e** *enc*:*salt*,...
+ Use the specified list of enctype-salttype pairs for setting the
+ new keys of the principal.
+
+**-q**
+ Display less verbose information.
+
+**-norandkey**
+ Do not randomize the keys. The keys and their version numbers stay
+ unchanged. This option is only available in kadmin.local, and
+ cannot be specified in combination with the **-e** option.
+
+An entry for each of the principal's unique encryption types is added,
+ignoring multiple keys with the same encryption type but different
+salt types.
+
+Example:
+
+ ::
+
+ kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+ Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
+ encryption type aes256-cts-hmac-sha1-96 added to keytab
+ FILE:/tmp/foo-new-keytab
+ kadmin:
+
+.. _ktadd_end:
+
+.. _ktremove:
+
+ktremove
+~~~~~~~~
+
+ **ktremove** [options] *principal* [*kvno* | *all* | *old*]
+
+Removes entries for the specified *principal* from a keytab. Requires
+no permissions, since this does not require database access.
+
+If the string "all" is specified, all entries for that principal are
+removed; if the string "old" is specified, all entries for that
+principal except those with the highest kvno are removed. Otherwise,
+the value specified is parsed as an integer, and all entries whose
+kvno match that integer are removed.
+
+The options are:
+
+**-k[eytab]** *keytab*
+ Use *keytab* as the keytab file. Otherwise, the default keytab is
+ used.
+
+**-q**
+ Display less verbose information.
+
+Example:
+
+ ::
+
+ kadmin: ktremove kadmin/admin all
+ Entry for principal kadmin/admin with kvno 3 removed from keytab
+ FILE:/etc/krb5.keytab
+ kadmin:
+
+.. _ktremove_end:
+
+lock
+~~~~
+
+Lock database exclusively. Use with extreme caution! This command
+only works with the DB2 KDC database module.
+
+unlock
+~~~~~~
+
+Release the exclusive database lock.
+
+list_requests
+~~~~~~~~~~~~~
+
+Lists available for kadmin requests.
+
+Aliases: **lr**, **?**
+
+quit
+~~~~
+
+Exit program. If the database was locked, the lock is released.
+
+Aliases: **exit**, **q**
+
+
+HISTORY
+-------
+
+The kadmin program was originally written by Tom Yu at MIT, as an
+interface to the OpenVision Kerberos administration program.
+
+
+SEE ALSO
+--------
+
+:ref:`kpasswd(1)`, :ref:`kadmind(8)`
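Review bot: several sentences in kadmin_local.rst do not parse or contradict the section they sit in. In add_principal, "If no password policy is specified with the **-policy** option, and the policy named ``default`` is assigned to the principal if it exists" has a stray "and" that breaks the conditional; suggest "If no password policy is specified with the **-policy** option, the policy named ``default`` is assigned to the principal if it exists." In change_password, "neither **-randkey** or **-pw**" should be "neither **-randkey** nor **-pw**". In get_principal, "or that the principal running the the program to be the same as the one being listed" doubles "the" and mixes constructions; suggest "or that the principal running the program is the same as the one being listed", matching the change_password wording. In list_requests, "Lists available for kadmin requests." should read "Lists available kadmin requests." The delete_policy example runs `del_policy guests` while the section lists only **delpol** as an alias; either list **del_policy** as an alias or use **delete_policy** in the example so the two agree. Minor style: modify_principal marks its privilege as *modify* in italics and get_policy gives "Alias: getpol" unbolded, where every other section uses bold for both.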
diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
new file mode 100644
index 0000000000..10fc672cbe
--- /dev/null
+++ b/doc/admin/admin_commands/kadmind.rst
@@ -0,0 +1,130 @@
+.. _kadmind(8):
+
+kadmind
+=======
+
+SYNOPSIS
+--------
+
+**kadmind**
+[**-x** *db_args*]
+[**-r** *realm*]
+[**-m**]
+[**-nofork**]
+[**-port** *port-number*]
+[**-P** *pid_file*]
+[**-p** *kdb5_util_path*]
+[**-K** *kprop_path*]
+[**-F** *dump_file*]
+
+DESCRIPTION
+-----------
+
+kadmind starts the Kerberos administration server. kadmind typically
+runs on the master Kerberos server, which stores the KDC database. If
+the KDC database uses the LDAP module, the administration server and
+the KDC server need not run on the same machine. kadmind accepts
+remote requests from programs such as :ref:`kadmin(1)` and
+:ref:`kpasswd(1)` to administer the information in these database.
+
+kadmind requires a number of configuration files to be set up in order
+for it to work:
+
+:ref:`kdc.conf(5)`
+ The KDC configuration file contains configuration information for
+ the KDC and admin servers. kadmind uses settings in this file to
+ locate the Kerberos database, and is also affected by the
+ **acl_file**, **dict_file**, **kadmind_port**, and iprop-related
+ settings.
+
+:ref:`kadm5.acl(5)`
+ kadmind's ACL (access control list) tells it which principals are
+ allowed to perform administration actions. The pathname to the
+ ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)`
+ variable; by default, it is |kdcdir|\ ``/kadm5.acl``.
+
+After the server begins running, it puts itself in the background and
+disassociates itself from its controlling terminal.
+
+kadmind can be configured for incremental database propagation.
+Incremental propagation allows slave KDC servers to receive principal
+and policy updates incrementally instead of receiving full dumps of
+the database. This facility can be enabled in the :ref:`kdc.conf(5)`
+file with the **iprop_enable** option. Incremental propagation
+requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
+master KDC's canonical host name, and REALM the realm name) to be
+registered in the database.
+
+
+OPTIONS
+-------
+
+**-r** *realm*
+ specifies the realm that kadmind will serve; if it is not
+ specified, the default realm of the host is used.
+
+**-m**
+ causes the master database password to be fetched from the
+ keyboard (before the server puts itself in the background, if not
+ invoked with the **-nofork** option) rather than from a file on
+ disk.
+
+**-nofork**
+ causes the server to remain in the foreground and remain
+ associated to the terminal. In normal operation, you should allow
+ the server to place itself in the background.
+
+**-port** *port-number*
+ specifies the port on which the administration server listens for
+ connections. The default port is determined by the
+ **kadmind_port** configuration variable in :ref:`kdc.conf(5)`.
+
+**-P** *pid_file*
+ specifies the file to which the PID of kadmind process should be
+ written after it starts up. This file can be used to identify
+ whether kadmind is still running and to allow init scripts to stop
+ the correct process.
+
+**-p** *kdb5_util_path*
+ specifies the path to the kdb5_util command to use when dumping the
+ KDB in response to full resync requests when iprop is enabled.
+
+**-K** *kprop_path*
+ specifies the path to the kprop command to use to send full dumps
+ to slaves in response to full resync requests.
+
+**-F** *dump_file*
+ specifies the file path to be used for dumping the KDB in response
+ to full resync requests when iprop is enabled.
+
+**-x** *db_args*
+ specifies database-specific arguments.
+
+ Options supported for LDAP database are:
+
+ **-x nconns=**\ *number_of_connections*
+ specifies the number of connections to be maintained per
+ LDAP server.
+
+ **-x host=**\ *ldapuri*
+ specifies the LDAP server to connect to by URI.
+
+ **-x binddn=**\ *binddn*
+ specifies the DN of the object used by the administration
+ server to bind to the LDAP server. This object should
+ have read and write privileges on the realm container, the
+ principal container, and the subtree that is referenced by
+ the realm.
+
+ **-x bindpwd=**\ *bind_password*
+ specifies the password for the above mentioned binddn.
+ Using this option may expose the password to other users
+ on the system via the process list; to avoid this, instead
+ stash the password using the **stashsrvpw** command of
+ :ref:`kdb5_ldap_util(8)`.
+
+SEE ALSO
+--------
+
+:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
+:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`
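Review bot: the backslash in ``kiprop/MASTER\@REALM`` in the incremental-propagation paragraph will be rendered literally, because docutils does no escape processing inside double-backtick inline literals; write ``kiprop/MASTER@REALM`` (the ``@`` needs no escaping there) so the documented principal name matches what actually has to be registered in the database. Minor: the **-m** entry says the master password is read "before the server puts itself in the background, if not invoked with the **-nofork** option", which is a little hard to parse; "kadmind prompts for the password before backgrounding itself" says the same thing more directly. The **-x bindpwd=** caveat about the process list, and the pointer to **stashsrvpw**, are the right thing to say and should stay.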
diff --git a/doc/admin/admin_commands/kdb5_ldap_util.rst b/doc/admin/admin_commands/kdb5_ldap_util.rst
new file mode 100644
index 0000000000..e5c037db43
--- /dev/null
+++ b/doc/admin/admin_commands/kdb5_ldap_util.rst
@@ -0,0 +1,478 @@
+.. _kdb5_ldap_util(8):
+
+kdb5_ldap_util
+===============
+
+SYNOPSIS
+--------
+
+.. _kdb5_ldap_util_synopsis:
+
+**kdb5_ldap_util**
+[**-D** *user_dn* [**-w** *passwd*]]
+[**-H** *ldapuri*]
+**command**
+[*command_options*]
+
+.. _kdb5_ldap_util_synopsis_end:
+
+
+DESCRIPTION
+-----------
+
+kdb5_ldap_util allows an administrator to manage realms, Kerberos
+services and ticket policies.
+
+
+COMMAND-LINE OPTIONS
+--------------------
+
+.. _kdb5_ldap_util_options:
+
+**-D** *user_dn*
+ Specifies the Distinguished Name (DN) of the user who has
+ sufficient rights to perform the operation on the LDAP server.
+
+**-w** *passwd*
+ Specifies the password of *user_dn*. This option is not
+ recommended.
+
+**-H** *ldapuri*
+ Specifies the URI of the LDAP server. It is recommended to use
+ ``ldapi://`` or ``ldaps://`` to connect to the LDAP server.
+
+.. _kdb5_ldap_util_options_end:
+
+
+COMMANDS
+--------
+
+create
+~~~~~~
+
+.. _kdb5_ldap_util_create:
+
+ **create**
+ [**-subtrees** *subtree_dn_list*]
+ [**-sscope** *search_scope*]
+ [**-containerref** *container_reference_dn*]
+ [**-k** *mkeytype*]
+ [**-kv** *mkeyVNO*]
+ [**-m|-P** *password*\|\ **-sf** *stashfilename*]
+ [**-s**]
+ [**-r** *realm*]
+ [**-maxtktlife** *max_ticket_life*]
+ [**-maxrenewlife** *max_renewable_ticket_life*]
+ [*ticket_flags*]
+
+Creates realm in directory. Options:
+
+**-subtrees** *subtree_dn_list*
+ Specifies the list of subtrees containing the principals of a
+ realm. The list contains the DNs of the subtree objects separated
+ by colon (``:``).
+
+**-sscope** *search_scope*
+ Specifies the scope for searching the principals under the
+ subtree. The possible values are 1 or one (one level), 2 or sub
+ (subtrees).
+
+**-containerref** *container_reference_dn*
+ Specifies the DN of the container object in which the principals
+ of a realm will be created. If the container reference is not
+ configured for a realm, the principals will be created in the
+ realm container.
+
+**-k** *mkeytype*
+ Specifies the key type of the master key in the database. The
+ default is given by the **master_key_type** variable in
+ :ref:`kdc.conf(5)`.
+
+**-kv** *mkeyVNO*
+ Specifies the version number of the master key in the database;
+ the default is 1. Note that 0 is not allowed.
+
+**-m**
+ Specifies that the master database password should be read from
+ the TTY rather than fetched from a file on the disk.
+
+**-P** *password*
+ Specifies the master database password. This option is not
+ recommended.
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+**-sf** *stashfilename*
+ Specifies the stash file of the master database password.
+
+**-s**
+ Specifies that the stash file is to be created.
+
+**-maxtktlife** *max_ticket_life*
+ (:ref:`getdate` string) Specifies maximum ticket life for
+ principals in this realm.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+ (:ref:`getdate` string) Specifies maximum renewable life of
+ tickets for principals in this realm.
+
+*ticket_flags*
+ Specifies global ticket flags for the realm. Allowable flags are
+ documented in the description of the **add_principal** command in
+ :ref:`kadmin(1)`.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ Initializing database for realm 'ATHENA.MIT.EDU'
+ You will be prompted for the database Master Password.
+ It is important that you NOT FORGET this password.
+ Enter KDC database master key:
+ Re-enter KDC database master key to verify:
+
+.. _kdb5_ldap_util_create_end:
+
+modify
+~~~~~~
+
+.. _kdb5_ldap_util_modify:
+
+ **modify**
+ [**-subtrees** *subtree_dn_list*]
+ [**-sscope** *search_scope*]
+ [**-containerref** *container_reference_dn*]
+ [**-r** *realm*]
+ [**-maxtktlife** *max_ticket_life*]
+ [**-maxrenewlife** *max_renewable_ticket_life*]
+ [*ticket_flags*]
+
+Modifies the attributes of a realm. Options:
+
+**-subtrees** *subtree_dn_list*
+ Specifies the list of subtrees containing the principals of a
+ realm. The list contains the DNs of the subtree objects separated
+ by colon (``:``). This list replaces the existing list.
+
+**-sscope** *search_scope*
+ Specifies the scope for searching the principals under the
+ subtrees. The possible values are 1 or one (one level), 2 or sub
+ (subtrees).
+
+**-containerref** *container_reference_dn* Specifies the DN of the
+ container object in which the principals of a realm will be
+ created.
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+**-maxtktlife** *max_ticket_life*
+ (:ref:`getdate` string) Specifies maximum ticket life for
+ principals in this realm.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+ (:ref:`getdate` string) Specifies maximum renewable life of
+ tickets for principals in this realm.
+
+*ticket_flags*
+ Specifies global ticket flags for the realm. Allowable flags are
+ documented in the description of the **add_principal** command in
+ :ref:`kadmin(1)`.
+
+Example:
+
+ ::
+
+ shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify +requires_preauth -r
+ ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ shell%
+
+.. _kdb5_ldap_util_modify_end:
+
+view
+~~~~
+
+.. _kdb5_ldap_util_view:
+
+ **view** [**-r** *realm*]
+
+Displays the attributes of a realm. Options:
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view -r ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ Realm Name: ATHENA.MIT.EDU
+ Subtree: ou=users,o=org
+ Subtree: ou=servers,o=org
+ SearchScope: ONE
+ Maximum ticket life: 0 days 01:00:00
+ Maximum renewable life: 0 days 10:00:00
+ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+
+.. _kdb5_ldap_util_view_end:
+
+destroy
+~~~~~~~
+
+.. _kdb5_ldap_util_destroy:
+
+ **destroy** [**-f**] [**-r** *realm*]
+
+Destroys an existing realm. Options:
+
+**-f**
+ If specified, will not prompt the user for confirmation.
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+Example:
+
+ ::
+
+ shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
+ (type 'yes' to confirm)? yes
+ OK, deleting database of 'ATHENA.MIT.EDU'...
+ shell%
+
+.. _kdb5_ldap_util_destroy_end:
+
+list
+~~~~
+
+.. _kdb5_ldap_util_list:
+
+ **list**
+
+Lists the name of realms.
+
+Example:
+
+ ::
+
+ shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu list
+ Password for "cn=admin,o=org":
+ ATHENA.MIT.EDU
+ OPENLDAP.MIT.EDU
+ MEDIA-LAB.MIT.EDU
+ shell%
+
+.. _kdb5_ldap_util_list_end:
+
+stashsrvpw
+~~~~~~~~~~
+
+.. _kdb5_ldap_util_stashsrvpw:
+
+ **stashsrvpw**
+ [**-f** *filename*]
+ *servicedn*
+
+Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server. Options:
+
+**-f** *filename*
+ Specifies the complete path of the service password file. By
+ default, ``/usr/local/var/service_passwd`` is used.
+
+*servicedn*
+ Specifies Distinguished Name (DN) of the service object whose
+ password is to be stored in file.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
+ cn=service-kdc,o=org
+ Password for "cn=service-kdc,o=org":
+ Re-enter password for "cn=service-kdc,o=org":
+
+.. _kdb5_ldap_util_stashsrvpw_end:
+
+create_policy
+~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_create_policy:
+
+ **create_policy**
+ [**-r** *realm*]
+ [**-maxtktlife** *max_ticket_life*]
+ [**-maxrenewlife** *max_renewable_ticket_life*]
+ [*ticket_flags*]
+ *policy_name*
+
+Creates a ticket policy in the directory. Options:
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+**-maxtktlife** *max_ticket_life*
+ (:ref:`getdate` string) Specifies maximum ticket life for
+ principals.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+ (:ref:`getdate` string) Specifies maximum renewable life of
+ tickets for principals.
+
+*ticket_flags*
+ Specifies the ticket flags. If this option is not specified, by
+ default, no restriction will be set by the policy. Allowable
+ flags are documented in the description of the **add_principal**
+ command in :ref:`kadmin(1)`.
+
+*policy_name*
+ Specifies the name of the ticket policy.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
+ -maxrenewlife "1 week" -allow_postdated +needchange
+ -allow_forwardable tktpolicy
+ Password for "cn=admin,o=org":
+
+.. _kdb5_ldap_util_create_policy_end:
+
+modify_policy
+~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_modify_policy:
+
+ **modify_policy**
+ [**-r** *realm*]
+ [**-maxtktlife** *max_ticket_life*]
+ [**-maxrenewlife** *max_renewable_ticket_life*]
+ [*ticket_flags*]
+ *policy_name*
+
+Modifies the attributes of a ticket policy. Options are same as for
+**create_policy**.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
+ -maxtktlife "60 minutes" -maxrenewlife "10 hours"
+ +allow_postdated -requires_preauth tktpolicy
+ Password for "cn=admin,o=org":
+
+.. _kdb5_ldap_util_modify_policy_end:
+
+view_policy
+~~~~~~~~~~~
+
+.. _kdb5_ldap_util_view_policy:
+
+ **view_policy**
+ [**-r** *realm*]
+ *policy_name*
+
+Displays the attributes of a ticket policy. Options:
+
+*policy_name*
+ Specifies the name of the ticket policy.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view_policy -r ATHENA.MIT.EDU tktpolicy
+ Password for "cn=admin,o=org":
+ Ticket policy: tktpolicy
+ Maximum ticket life: 0 days 01:00:00
+ Maximum renewable life: 0 days 10:00:00
+ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+
+.. _kdb5_ldap_util_view_policy_end:
+
+destroy_policy
+~~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_destroy_policy:
+
+ **destroy_policy**
+ [**-r** *realm*]
+ [**-force**]
+ *policy_name*
+
+Destroys an existing ticket policy. Options:
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+**-force**
+ Forces the deletion of the policy object. If not specified, the
+ user will be prompted for confirmation before deleting the policy.
+
+*policy_name*
+ Specifies the name of the ticket policy.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ destroy_policy -r ATHENA.MIT.EDU tktpolicy
+ Password for "cn=admin,o=org":
+ This will delete the policy object 'tktpolicy', are you sure?
+ (type 'yes' to confirm)? yes
+ ** policy object 'tktpolicy' deleted.
+
+.. _kdb5_ldap_util_destroy_policy_end:
+
+list_policy
+~~~~~~~~~~~
+
+.. _kdb5_ldap_util_list_policy:
+
+ **list_policy**
+ [**-r** *realm*]
+
+Lists the ticket policies in realm if specified or in the default
+realm. Options:
+
+**-r** *realm*
+ Specifies the Kerberos realm of the database.
+
+Example:
+
+ ::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ list_policy -r ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ tktpolicy
+ tmppolicy
+ userpolicy
+
+.. _kdb5_ldap_util_list_policy_end:
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`
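Review bot: in the **modify** command's option list, "**-containerref** *container_reference_dn* Specifies the DN of the" puts the description on the same line as the term, so this will not render as a definition-list entry like the options around it; move "Specifies the DN of the container object ..." onto its own indented line as the **create** section does. Two smaller points in the same hunk: the **-w** *passwd* entry says only "This option is not recommended", while the kadmind and kdb5_util pages in this same commit explain that a password on the command line is exposed to other users via the process list, and the same reason applies here, so say it; and the **view_policy** option list documents only *policy_name* although the synopsis also accepts **-r** *realm*, so add the **-r** entry for consistency with **destroy_policy** and **list_policy**.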
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
new file mode 100644
index 0000000000..d866777c70
--- /dev/null
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -0,0 +1,355 @@
+.. _kdb5_util(8):
+
+kdb5_util
+=========
+
+SYNOPSIS
+--------
+
+.. _kdb5_util_synopsis:
+
+**kdb5_util**
+[**-r** *realm*]
+[**-d** *dbname*]
+[**-k** *mkeytype*]
+[**-M** *mkeyname*]
+[**-kv** *mkeyVNO*]
+[**-sf** *stashfilename*]
+[**-m**]
+*command* [*command_options*]
+
+.. _kdb5_util_synopsis_end:
+
+DESCRIPTION
+-----------
+
+kdb5_util allows an administrator to perform maintenance procedures on
+the KDC database. Databases can be created, destroyed, and dumped to
+or loaded from ASCII files. kdb5_util can create a Kerberos master
+key stash file or perform live rollover of the master key.
+
+When kdb5_util is run, it attempts to acquire the master key and open
+the database. However, execution continues regardless of whether or
+not kdb5_util successfully opens the database, because the database
+may not exist yet or the stash file may be corrupt.
+
+Note that some KDC database modules may not support all kdb5_util
+commands.
+
+
+COMMAND-LINE OPTIONS
+--------------------
+
+.. _kdb5_util_options:
+
+**-r** *realm*
+ specifies the Kerberos realm of the database.
+
+**-d** *dbname*
+ specifies the name under which the principal database is stored;
+ by default the database is that listed in :ref:`kdc.conf(5)`. The
+ password policy database and lock files are also derived from this
+ value.
+
+**-k** *mkeytype*
+ specifies the key type of the master key in the database. The
+ default is given by the **master_key_type** variable in
+ :ref:`kdc.conf(5)`.
+
+**-kv** *mkeyVNO*
+ Specifies the version number of the master key in the database;
+ the default is 1. Note that 0 is not allowed.
+
+**-M** *mkeyname*
+ principal name for the master key in the database. If not
+ specified, the name is determined by the **master_key_name**
+ variable in :ref:`kdc.conf(5)`.
+
+**-m**
+ specifies that the master database password should be read from
+ the keyboard rather than fetched from a file on disk.
+
+**-sf** *stash_file*
+ specifies the stash filename of the master database password. If
+ not specified, the filename is determined by the
+ **key_stash_file** variable in :ref:`kdc.conf(5)`.
+
+**-P** *password*
+ specifies the master database password. Using this option may
+ expose the password to other users on the system via the process
+ list.
+
+.. _kdb5_util_options_end:
+
+
+COMMANDS
+--------
+
+create
+~~~~~~
+
+.. _kdb5_util_create:
+
+ **create** [**-s**]
+
+Creates a new database. If the **-s** option is specified, the stash
+file is also created. This command fails if the database already
+exists. If the command is successful, the database is opened just as
+if it had already existed when the program was first run.
+
+.. _kdb5_util_create_end:
+
+destroy
+~~~~~~~
+
+.. _kdb5_util_destroy:
+
+ **destroy** [**-f**]
+
+Destroys the database, first overwriting the disk sectors and then
+unlinking the files, after prompting the user for confirmation. With
+the **-f** argument, does not prompt the user.
+
+.. _kdb5_util_destroy_end:
+
+stash
+~~~~~
+
+.. _kdb5_util_stash:
+
+ **stash** [**-f** *keyfile*]
+
+Stores the master principal's keys in a stash file. The **-f**
+argument can be used to override the *keyfile* specified in
+:ref:`kdc.conf(5)`.
+
+.. _kdb5_util_stash_end:
+
+dump
+~~~~
+
+.. _kdb5_util_dump:
+
+ **dump** [**-old**\|\ **-b6**\|\ **-b7**\|\ **-ov**\|\ **-r13**]
+ [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** *mkey_file*]
+ [**-rev**] [**-recurse**] [*filename* [*principals*...]]
+
+Dumps the current Kerberos and KADM5 database into an ASCII file. By
+default, the database is dumped in current format, "kdb5_util
+load_dump version 6". If filename is not specified, or is the string
+"-", the dump is sent to standard output. Options:
+
+**-old**
+ causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
+ format ("kdb5_edit load_dump version 2.0").
+
+**-b6**
+ causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
+ load_dump version 3.0").
+
+**-b7**
+ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
+ load_dump version 4"). This was the dump format produced on
+ releases prior to 1.2.2.
+
+**-ov**
+ causes the dump to be in "ovsec_adm_export" format.
+
+**-r13**
+ causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
+ load_dump version 5"). This was the dump format produced on
+ releases prior to 1.8.
+
+**-r18**
+ causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
+ load_dump version 6"). This was the dump format produced on
+ releases prior to 1.11.
+
+**-verbose**
+ causes the name of each principal and policy to be printed as it
+ is dumped.
+
+**-mkey_convert**
+ prompts for a new master key. This new master key will be used to
+ re-encrypt principal key data in the dumpfile. The principal keys
+ themselves will not be changed.
+
+**-new_mkey_file** *mkey_file*
+ the filename of a stash file. The master key in this stash file
+ will be used to re-encrypt the key data in the dumpfile. The key
+ data in the database will not be changed.
+
+**-rev**
+ dumps in reverse order. This may recover principals that do not
+ dump normally, in cases where database corruption has occurred.
+
+**-recurse**
+ causes the dump to walk the database recursively (btree only).
+ This may recover principals that do not dump normally, in cases
+ where database corruption has occurred. In cases of such
+ corruption, this option will probably retrieve more principals
+ than the **-rev** option will.
+
+.. _kdb5_util_dump_end:
+
+load
+~~~~
+
+.. _kdb5_util_load:
+
+ **load** [**-old**\|\ **-b6**\|\ **-b7**\|\ **-ov**\|\ **-r13**]
+ [**-hash**] [**-verbose**] [**-update**] *filename* [*dbname*]
+
+Loads a database dump from the named file into the named database. If
+no option is given to determine the format of the dump file, the
+format is detected automatically and handled as appropriate. Unless
+the **-update** option is given, **load** creates a new database
+containing only the data in the dump file, overwriting the contents of
+any previously existing database. Note that when using the LDAP KDC
+database module, the **-update** flag is required.
+
+Options:
+
+**-old**
+ requires the database to be in the Kerberos 5 Beta 5 and earlier
+ format ("kdb5_edit load_dump version 2.0").
+
+**-b6**
+ requires the database to be in the Kerberos 5 Beta 6 format
+ ("kdb5_edit load_dump version 3.0").
+
+**-b7**
+ requires the database to be in the Kerberos 5 Beta 7 format
+ ("kdb5_util load_dump version 4").
+
+**-ov**
+ requires the database to be in "ovsec_adm_import" format. Must be
+ used with the **-update** option.
+
+**-r13**
+ requires the database to be in Kerberos 5 1.3 format ("kdb5_util
+ load_dump version 5"). This was the dump format produced on
+ releases prior to 1.8.
+
+**-r18**
+ requires the database to be in Kerberos 5 1.8 format ("kdb5_util
+ load_dump version 6"). This was the dump format produced on
+ releases prior to 1.11.
+
+**-hash**
+ requires the database to be stored as a hash. If this option is
+ not specified, the database will be stored as a btree. This
+ option is not recommended, as databases stored in hash format are
+ known to corrupt data and lose principals.
+
+**-verbose**
+ causes the name of each principal and policy to be printed as it
+ is dumped.
+
+**-update**
+ records from the dump file are added to or updated in the existing
+ database. (This is useful in conjunction with an ovsec_adm_export
+ format dump if you want to preserve per-principal policy
+ information, since the current default format does not contain
+ this data.) Otherwise, a new database is created containing only
+ what is in the dump file and the old one destroyed upon successful
+ completion.
+
+If specified, *dbname* overrides the value specified on the command
+line or the default.
+
+.. _kdb5_util_load_end:
+
+ark
+~~~
+
+ **ark** [**-e** *enc*:*salt*,...] *principal*
+
+Adds new random keys to *principal* at the next available key version
+number. Keys for the current highest key version number will be
+preserved. The **-e** option specifies the list of encryption and
+salt types to be used for the new keys.
+
+add_mkey
+~~~~~~~~
+
+ **add_mkey** [**-e** *etype*] [**-s**]
+
+Adds a new master key to the master key principal, but does not mark
+it as active. Existing master keys will remain. The **-e** option
+specifies the encryption type of the new master key; see
+:ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of
+possible values. The **-s** option stashes the new master key in the
+stash file, which will be created if it doesn't already exist.
+
+After a new master key is added, it should be propagated to slave
+servers via a manual or periodic invocation of :ref:`kprop(8)`. Then,
+the stash files on the slave servers should be updated with the
+kdb5_util **stash** command. Once those steps are complete, the key
+is ready to be marked active with the kdb5_util **use_mkey** command.
+
+use_mkey
+~~~~~~~~
+
+ **use_mkey** *mkeyVNO* [*time*]
+
+Sets the activation time of the master key specified by *mkeyVNO*.
+Once a master key becomes active, it will be used to encrypt newly
+created principal keys. If no *time* argument is given, the current
+time is used, causing the specified master key version to become
+active immediately. The format for *time* is :ref:`getdate` string.
+
+After a new master key becomes active, the kdb5_util
+**update_princ_encryption** command can be used to update all
+principal keys to be encrypted in the new master key.
+
+list_mkeys
+~~~~~~~~~~
+
+ **list_mkeys**
+
+List all master keys, from most recent to earliest, in the master key
+principal. The output will show the kvno, enctype, and salt type for
+each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A
+``*`` following an mkey denotes the currently active master key.
+
+purge_mkeys
+~~~~~~~~~~~
+
+ **purge_mkeys** [**-f**] [**-n**] [**-v**]
+
+Delete master keys from the master key principal that are not used to
+protect any principals. This command can be used to remove old master
+keys all principal keys are protected by a newer master key.
+
+**-f**
+ does not prompt for confirmation.
+
+**-n**
+ performs a dry run, showing master keys that would be purged, but
+ not actually purging any keys.
+
+**-v**
+ gives more verbose output.
+
+update_princ_encryption
+~~~~~~~~~~~~~~~~~~~~~~~
+
+ **update_princ_encryption** [**-f**] [**-n**] [**-v**]
+ [*princ-pattern*]
+
+Update all principal records (or only those matching the
+*princ-pattern* glob pattern) to re-encrypt the key data using the
+active database master key, if they are encrypted using older
+versions, and give a count at the end of the number of principals
+updated. If the **-f** option is not given, ask for confirmation
+before starting to make changes. The **-v** option causes each
+principal processed to be listed, with an indication as to whether it
+needed updating or not. The **-n** option performs a dry run, only
+showing the actions which would have been taken.
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`
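Review bot: the **dump** description says "By default, the database is dumped in current format, "kdb5_util load_dump version 6"", but the **-r18** entry a few lines later says version 6 "was the dump format produced on releases prior to 1.11", so one of these is stale; if the default dump format is now newer than version 6, update the description, and in either case add **-r18** to the option alternatives in both the **dump** and **load** synopsis lines, which still stop at **-r13** even though **-r18** is documented for both. Also, the top-level SYNOPSIS omits **-P** *password* although the COMMAND-LINE OPTIONS section documents it (with the appropriate process-list warning). In **purge_mkeys**, "This command can be used to remove old master keys all principal keys are protected by a newer master key" is missing a word; "remove old master keys once all principal keys are protected by a newer master key" reads correctly.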
diff --git a/doc/admin/admin_commands/kprop.rst b/doc/admin/admin_commands/kprop.rst
new file mode 100644
index 0000000000..726c8cc2fd
--- /dev/null
+++ b/doc/admin/admin_commands/kprop.rst
@@ -0,0 +1,60 @@
+.. _kprop(8):
+
+kprop
+=====
+
+SYNOPSIS
+--------
+
+**kprop**
+[**-r** *realm*]
+[**-f** *file*]
+[**-d**]
+[**-P** *port*]
+[**-s** *keytab*]
+*slave_host*
+
+
+DESCRIPTION
+-----------
+
+kprop is used to securely propagate a Kerberos V5 database dump file
+from the master Kerberos server to a slave Kerberos server, which is
+specified by *slave_host*. The dump file must be created by
+:ref:`kdb5_util(8)`.
+
+
+OPTIONS
+-------
+
+**-r** *realm*
+ Specifies the realm of the master server.
+
+**-f** *file*
+ Specifies the filename where the dumped principal database file is
+ to be found; by default the dumped database file is normally
+ |kdcdir|\ ``/slave_datatrans``.
+
+**-P** *port*
+ Specifies the port to use to contact the :ref:`kpropd(8)` server
+ on the remote host.
+
+**-d**
+ Prints debugging information.
+
+**-s** *keytab*
+ Specifies the location of the keytab file.
+
+
+ENVIRONMENT
+-----------
+
+*kprop* uses the following environment variable:
+
+* **KRB5_CONFIG**
+
+
+SEE ALSO
+--------
+
+:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`
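Review bot: "**-s** *keytab* Specifies the location of the keytab file." does not say what the keytab is used for; since the DESCRIPTION promises that kprop propagates the dump "securely", this entry should say that the keytab holds the key kprop uses to authenticate itself to :ref:`kpropd(8)` on *slave_host*, which is what the slave's kpropd.acl checks against. Minor wording in the **-f** entry: "by default the dumped database file is normally ..." says the same thing twice; drop "normally".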
diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst
new file mode 100644
index 0000000000..b5cebcc473
--- /dev/null
+++ b/doc/admin/admin_commands/kpropd.rst
@@ -0,0 +1,123 @@
+.. _kpropd(8):
+
+kpropd
+======
+
+SYNOPSIS
+--------
+
+**kpropd**
+[**-r** *realm*]
+[**-a** *acl_file*]
+[**-f** *slave_dumpfile*]
+[**-F** *principal_database*]
+[**-p** *kdb5_util_prog*]
+[**-P** *port*]
+[**-d**]
+
+DESCRIPTION
+-----------
+
+The *kpropd* command runs on the slave KDC server. It listens for
+update requests made by the :ref:`kprop(8)` program. If incremental
+propagation is enabled, it periodically requests incremental updates
+from the master KDC.
+
+When the slave receives a kprop request from the master, kpropd
+accepts the dumped KDC database and places it in a file, and then runs
+:ref:`kdb5_util(8)` to load the dumped database into the active
+database which is used by :ref:`krb5kdc(8)`. This allows the master
+Kerberos server to use :ref:`kprop(8)` to propagate its database to
+the slave servers. Upon a successful download of the KDC database
+file, the slave Kerberos server will have an up-to-date KDC database.
+
+Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service. This is done by adding a line to
+the ``/etc/inetd.conf`` file which looks like this:
+
+ ::
+
+ kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+
+kpropd can also run as a standalone daemon. This is required for
+incremental propagation. But this is also useful for debugging
+purposes.
+
+Incremental propagation may be enabled with the **iprop_enable**
+variable in :ref:`kdc.conf(5)`. If incremental propagation is
+enabled, the slave periodically polls the master KDC for updates, at
+an interval determined by the **iprop_slave_poll** variable. If the
+slave receives updates, kpropd updates its log file with any updates
+from the master. :ref:`kproplog(8)` can be used to view a summary of
+the update entry log on the slave KDC. If incremental propagation is
+enabled, the principal ``kiprop/slavehostname@REALM`` (where
+*slavehostname* is the name of the slave KDC host, and *REALM* is the
+name of the Kerberos realm) must be present in the slave's keytab
+file.
+
+:ref:`kproplog(8)` can be used to force full replication when iprop is
+enabled.
+
+
+OPTIONS
+--------
+
+**-r** *realm*
+ Specifies the realm of the master server.
+
+**-f** *file*
+ Specifies the filename where the dumped principal database file is
+ to be stored; by default the dumped database file is |kdcdir|\
+ ``/from_master``.
+
+**-p**
+ Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
+ program; by default the pathname used is |sbindir|\
+ ``/kdb5_util``.
+
+**-S**
+ [DEPRECATED] Enable standalone mode. Normally kpropd is invoked by
+ inetd(8) so it expects a network connection to be passed to it
+ from inetd(8). If the **-S** option is specified, or if standard
+ input is not a socket, kpropd will put itself into the background,
+ and wait for connections on port 754 (or the port specified with the
+ **-P** option if given).
+
+**-d**
+ Turn on debug mode. In this mode, if the **-S** option is
+ selected, kpropd will not detach itself from the current job and
+ run in the background. Instead, it will run in the foreground and
+ print out debugging messages during the database propagation.
+
+**-P**
+ Allow for an alternate port number for kpropd to listen on. This
+ is only useful in combination with the **-S** option.
+
+**-a** *acl_file*
+ Allows the user to specify the path to the kpropd.acl file; by
+ default the path used is |kdcdir|\ ``/kpropd.acl``.
+
+
+ENVIRONMENT
+-----------
+
+kpropd uses the following environment variables:
+
+* **KRB5_CONFIG**
+* **KRB5_KDC_PROFILE**
+
+
+FILES
+-----
+
+kpropd.acl
+ Access file for kpropd; the default location is
+ ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line
+ containing the principal of a host from which the local machine
+ will allow Kerberos database propagation via :ref:`kprop(8)`.
+
+
+SEE ALSO
+--------
+
+:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8)
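Review bot: the SYNOPSIS and the OPTIONS section of this hunk do not agree. The synopsis lists **-F** *principal_database*, but OPTIONS has no **-F** entry; OPTIONS documents **-S** (marked deprecated) and **-d**, but **-S** is absent from the synopsis; the synopsis names the dump-file argument *slave_dumpfile* while the entry is written "**-f** *file*"; and the "**-p**" and "**-P**" entries omit their argument names (*kdb5_util_prog* and *port* in the synopsis). Either add the missing entries and argument names or trim the synopsis so both lists describe the same flags. One more: the FILES section hard-codes ``/usr/local/var/krb5kdc/kpropd.acl`` while the **-a** entry a few lines earlier uses |kdcdir|\ ``/kpropd.acl``; use the substitution in both places so the documented default stays correct for non-default install prefixes.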
diff --git a/doc/admin/admin_commands/kproplog.rst b/doc/admin/admin_commands/kproplog.rst
new file mode 100644
index 0000000000..c7a0ea4175
--- /dev/null
+++ b/doc/admin/admin_commands/kproplog.rst
@@ -0,0 +1,87 @@
+.. _kproplog(8):
+
+kproplog
+========
+
+SYNOPSIS
+--------
+
+**kproplog** [**-h**] [**-e** *num*] [-v]
+**kproplog** [-R]
+
+
+DESCRIPTION
+-----------
+
+The kproplog command displays the contents of the KDC database update
+log to standard output. It can be used to keep track of incremental
+updates to the principal database. The update log file contains the
+update log maintained by the :ref:`kadmind(8)` process on the master
+KDC server and the :ref:`kpropd(8)` process on the slave KDC servers.
+When updates occur, they are logged to this file. Subsequently any
+KDC slave configured for incremental updates will request the current
+data from the master KDC and update their log file with any updates
+returned.
+
+The kproplog command requires read access to the update log file. It
+will display update entries only for the KDC it runs on.
+
+If no options are specified, kproplog displays a summary of the update
+log. If invoked on the master, kproplog also displays all of the
+update entries. If invoked on a slave KDC server, kproplog displays
+only a summary of the updates, which includes the serial number of the
+last update received and the associated time stamp of the last update.
+
+
+OPTIONS
+-------
+
+**-R**
+ Reset the update log. This forces full resynchronization. If used
+ on a slave then that slave will request a full resync. If used on
+ the master then all slaves will request full resyncs.
+
+**-h**
+ Display a summary of the update log. This information includes
+ the database version number, state of the database, the number of
+ updates in the log, the time stamp of the first and last update,
+ and the version number of the first and last update entry.
+
+**-e** *num*
+ Display the last *num* update entries in the log. This is useful
+ when debugging synchronization between KDC servers.
+
+**-v**
+ Display individual attributes per update. An example of the
+ output generated for one entry:
+
+ ::
+
+ Update Entry
+ Update serial # : 4
+ Update operation : Add
+ Update principal : test@EXAMPLE.COM
+ Update size : 424
+ Update committed : True
+ Update time stamp : Fri Feb 20 23:37:42 2004
+ Attributes changed : 6
+ Principal
+ Key data
+ Password last changed
+ Modifying principal
+ Modification time
+ TL data
+
+
+ENVIRONMENT
+-----------
+
+kproplog uses the following environment variables:
+
+* **KRB5_KDC_PROFILE**
+
+
+SEE ALSO
+--------
+
+:ref:`kpropd(8)`
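Review bot: The SYNOPSIS at the top of this hunk is inconsistently marked up: `**-h**` and `**-e**` are bold but `[-v]` and `[-R]` are plain; write `[**-v**]` and `[**-R**]` so every option renders the same way. The OPTIONS section also lists **-R** first while the SYNOPSIS puts it on its own second line last; either order works, but since **-R** on the master makes every slave request a full resync, it would help to say in that entry that the reset is a disruptive administrative action rather than a display mode like the other three options.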
diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
new file mode 100644
index 0000000000..62afca4ee6
--- /dev/null
+++ b/doc/admin/admin_commands/krb5kdc.rst
@@ -0,0 +1,142 @@
+.. _krb5kdc(8):
+
+krb5kdc
+=======
+
+SYNOPSIS
+--------
+
+**krb5kdc**
+[**-x** *db_args*]
+[**-d** *dbname*]
+[**-k** *keytype*]
+[**-M** *mkeyname*]
+[**-p** *portnum*]
+[**-m**]
+[**-r** *realm*]
+[**-n**]
+[**-w** *numworkers*]
+[**-P** *pid_file*]
+[**-T** *time_offset*]
+
+
+DESCRIPTION
+-----------
+
+krb5kdc is the Kerberos version 5 Authentication Service and Key
+Distribution Center (AS/KDC).
+
+
+OPTIONS
+-------
+
+The **-r** *realm* option specifies the realm for which the server
+should provide service.
+
+The **-d** *dbname* option specifies the name under which the
+principal database can be found. This option does not apply to the
+LDAP database.
+
+The **-k** *keytype* option specifies the key type of the master key
+to be entered manually as a password when **-m** is given; the default
+is ``des-cbc-crc``.
+
+The **-M** *mkeyname* option specifies the principal name for the
+master key in the database (usually ``K/M`` in the KDC's realm).
+
+The **-m** option specifies that the master database password should
+be fetched from the keyboard rather than from a stash file.
+
+The **-n** option specifies that the KDC does not put itself in the
+background and does not disassociate itself from the terminal. In
+normal operation, you should always allow the KDC to place itself in
+the background.
+
+The **-P** *pid_file* option tells the KDC to write its PID into
+*pid_file* after it starts up. This can be used to identify whether
+the KDC is still running and to allow init scripts to stop the correct
+process.
+
+The **-p** *portnum* option specifies the default UDP port numbers
+which the KDC should listen on for Kerberos version 5 requests, as a
+comma-separated list. This value overrides the UDP port numbers
+specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but
+may be overridden by realm-specific values. If no value is given from
+any source, the default ports are 88 and 750.
+
+The **-w** *numworkers* option tells the KDC to fork *numworkers*
+processes to listen to the KDC ports and process requests in parallel.
+The top level KDC process (whose pid is recorded in the pid file if
+the **-P** option is also given) acts as a supervisor. The supervisor
+will relay SIGHUP signals to the worker subprocesses, and will
+terminate the worker subprocess if the it is itself terminated or if
+any other worker process exits.
+
+.. note:: On operating systems which do not have *pktinfo* support,
+ using worker processes will prevent the KDC from listening
+ for UDP packets on network interfaces created after the KDC
+ starts.
+
+The **-x** *db_args* option specifies database-specific arguments.
+Options supported for the LDAP database module are:
+
+ **-x** nconns=<number_of_connections>
+ Specifies the number of connections to be maintained per
+ LDAP server.
+
+ **-x** host=<ldapuri>
+ Specifies the LDAP server to connect to by URI.
+
+ **-x** binddn=<binddn>
+ Specifies the DN of the object used by the KDC server to bind
+ to the LDAP server. This object should have read and write
+ privileges to the realm container, the principal container,
+ and the subtree that is referenced by the realm.
+
+ **-x** bindpwd=<bind_password>
+ Specifies the password for the above mentioned binddn. Using
+ this option may expose the password to other users on the
+ system via the process list; to avoid this, instead stash the
+ password using the **stashsrvpw** command of
+ :ref:`kdb5_ldap_util(8)`.
+
+The **-T** *offset* option specifies a time offset, in seconds, which
+the KDC will operate under. It is intended only for testing purposes.
+
+EXAMPLE
+-------
+
+The KDC may service requests for multiple realms (maximum 32 realms).
+The realms are listed on the command line. Per-realm options that can
+be specified on the command line pertain for each realm that follows
+it and are superseded by subsequent definitions of the same option.
+
+For example:
+
+ ::
+
+ krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
+
+specifies that the KDC listen on port 2001 for REALM1 and on port 2002
+for REALM2 and REALM3. Additionally, per-realm parameters may be
+specified in the :ref:`kdc.conf(5)` file. The location of this file
+may be specified by the **KRB5_KDC_PROFILE** environment variable.
+Per-realm parameters specified in this file take precedence over
+options specified on the command line. See the :ref:`kdc.conf(5)`
+description for further details.
+
+
+ENVIRONMENT
+-----------
+
+krb5kdc uses the following environment variables:
+
+* **KRB5_CONFIG**
+* **KRB5_KDC_PROFILE**
+
+
+SEE ALSO
+--------
+
+:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`,
+:ref:`kdb5_ldap_util(8)`
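Review bot: Typo and number agreement in the **-w** paragraph: "will terminate the worker subprocess if the it is itself terminated" should read "will terminate the worker subprocesses if it is itself terminated". The **-T** option is named *time_offset* in the SYNOPSIS but *offset* in the OPTIONS paragraph; use one name in both places. The LDAP sub-options use angle-bracket placeholders (`nconns=<number_of_connections>`, `host=<ldapuri>`) while the rest of the page uses italic *placeholders*; consider matching the page style. Finally, the **-k** paragraph documents ``des-cbc-crc`` as the default master key type; if that is the code's actual default, a sentence noting that single-DES is obsolete and that a modern enctype should be passed explicitly would be worthwhile, since this is the key protecting the whole database.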
diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst
new file mode 100644
index 0000000000..d55ddc8944
--- /dev/null
+++ b/doc/admin/admin_commands/ktutil.rst
@@ -0,0 +1,133 @@
+.. _ktutil(1):
+
+ktutil
+======
+
+SYNOPSIS
+--------
+
+**ktutil**
+
+
+DESCRIPTION
+-----------
+
+The ktutil command invokes a command interface from which an
+administrator can read, write, or edit entries in a keytab or Kerberos
+V4 srvtab file.
+
+
+COMMANDS
+--------
+
+list
+~~~~
+
+ **list**
+
+Displays the current keylist.
+
+Alias: **l**
+
+read_kt
+~~~~~~~
+
+ **read_kt** *keytab*
+
+Read the Kerberos V5 keytab file *keytab* into the current keylist.
+
+Alias: **rkt**
+
+read_st
+~~~~~~~
+
+ **read_st** *srvtab*
+
+Read the Kerberos V4 srvtab file *srvtab* into the current keylist.
+
+Alias: **rst**
+
+write_kt
+~~~~~~~~
+
+ **write_kt** *keytab*
+
+Write the current keylist into the Kerberos V5 keytab file *keytab*.
+
+Alias: **wkt**
+
+write_st
+~~~~~~~~
+
+ **write_st** *srvtab*
+
+Write the current keylist into the Kerberos V4 srvtab file *srvtab*.
+
+Alias: **wst**
+
+clear_list
+~~~~~~~~~~
+
+ **clear_list**
+
+Clear the current keylist.
+
+Alias: **clear**
+
+delete_entry
+~~~~~~~~~~~~
+
+ **delete_entry** *slot*
+
+Delete the entry in slot number *slot* from the current keylist.
+
+Alias: **delent**
+
+add_entry
+~~~~~~~~~
+
+ **add_entry** {**-key**\|\ **-password**} **-p** *principal*
+ **-k** *kvno* **-e** *enctype*
+
+Add *principal* to keylist using key or password.
+
+Alias: **addent**
+
+list_requests
+~~~~~~~~~~~~~
+
+ **list_requests**
+
+Displays a listing of available commands.
+
+Aliases: **lr**, **?**
+
+quit
+~~~~
+
+ **quit**
+
+Quits ktutil.
+
+Aliases: **exit**, **q**
+
+
+EXAMPLE
+-------
+
+ ::
+
+ ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes128-cts-hmac-sha1-96
+ Password for alice@BLEEP.COM:
+ ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes256-cts-hmac-sha1-96
+ Password for alice@BLEEP.COM:
+ ktutil: write_kt keytab
+ ktutil:
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`, :ref:`kdb5_util(8)`
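Review bot: In the EXAMPLE literal block both **add_entry** commands are broken across lines after `-e`, so `ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e` and `aes128-cts-hmac-sha1-96` appear as two separate lines and read like two distinct inputs; keep each command on a single line (literal blocks may be wide) or otherwise mark the continuation. The **add_entry** description, "Add *principal* to keylist using key or password", also does not say what **-key** and **-password** each do or what the user is prompted for; one sentence per mode would help, since the EXAMPLE shows only the **-password** form with its `Password for alice@BLEEP.COM:` prompt.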
diff --git a/doc/admin/admin_commands/sserver.rst b/doc/admin/admin_commands/sserver.rst
new file mode 100644
index 0000000000..61826dfafd
--- /dev/null
+++ b/doc/admin/admin_commands/sserver.rst
@@ -0,0 +1,121 @@
+.. _sserver(8):
+
+sserver
+=======
+
+SYNOPSIS
+--------
+
+**sserver**
+[ **-p** *port* ]
+[ **-S** *keytab* ]
+[ *server_port* ]
+
+
+DESCRIPTION
+-----------
+
+sserver and :ref:`sclient(1)` are a simple demonstration client/server
+application. When sclient connects to sserver, it performs a Kerberos
+authentication, and then sserver returns to sclient the Kerberos
+principal which was used for the Kerberos authentication. It makes a
+good test that Kerberos has been successfully installed on a machine.
+
+The service name used by sserver and sclient is sample. Hence,
+sserver will require that there be a keytab entry for the service
+``sample/hostname.domain.name@REALM.NAME``. This keytab is generated
+using the :ref:`kadmin(1)` program. The keytab file is usually
+installed as |keytab|.
+
+The **-S** option allows for a different keytab than the default.
+
+sserver is normally invoked out of inetd(8), using a line in
+``/etc/inetd.conf`` that looks like this:
+
+ ::
+
+ sample stream tcp nowait root /usr/local/sbin/sserver sserver
+
+Since ``sample`` is normally not a port defined in ``/etc/services``,
+you will usually have to add a line to ``/etc/services`` which looks
+like this:
+
+ ::
+
+ sample 13135/tcp
+
+When using sclient, you will first have to have an entry in the
+Kerberos database, by using :ref:`kadmin(1)`, and then you have to get
+Kerberos tickets, by using :ref:`kinit(1)`. Also, if you are running
+the sclient program on a different host than the sserver it will be
+connecting to, be sure that both hosts have an entry in /etc/services
+for the sample tcp port, and that the same port number is in both
+files.
+
+When you run sclient you should see something like this:
+
+ ::
+
+ sendauth succeeded, reply is:
+ reply len 32, contents:
+ You are nlgilman@JIMI.MIT.EDU
+
+
+COMMON ERROR MESSAGES
+---------------------
+
+1) kinit returns the error:
+
+ ::
+
+ kinit: Client not found in Kerberos database while getting
+ initial credentials
+
+ This means that you didn't create an entry for your username in the
+ Kerberos database.
+
+2) sclient returns the error:
+
+ ::
+
+ unknown service sample/tcp; check /etc/services
+
+ This means that you don't have an entry in /etc/services for the
+ sample tcp port.
+
+3) sclient returns the error:
+
+ ::
+
+ connect: Connection refused
+
+ This probably means you didn't edit /etc/inetd.conf correctly, or
+ you didn't restart inetd after editing inetd.conf.
+
+4) sclient returns the error:
+
+ ::
+
+ sclient: Server not found in Kerberos database while using
+ sendauth
+
+ This means that the ``sample/hostname@LOCAL.REALM`` service was not
+ defined in the Kerberos database; it should be created using
+ :ref:`kadmin(1)`, and a keytab file needs to be generated to make
+ the key for that service principal available for sclient.
+
+5) sclient returns the error:
+
+ ::
+
+ sendauth rejected, error reply is:
+ "No such file or directory"
+
+ This probably means sserver couldn't find the keytab file. It was
+ probably not installed in the proper directory.
+
+
+SEE ALSO
+--------
+
+:ref:`sclient(1)`, services(5), inetd(8)
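Review bot: Error 4's explanation says a keytab must be generated "to make the key for that service principal available for sclient", but the DESCRIPTION above states that it is sserver that requires the keytab entry (and error 5 describes sserver failing to find it); change "sclient" to "sserver" there. The service principal is also written two ways, ``sample/hostname.domain.name@REALM.NAME`` in the DESCRIPTION and ``sample/hostname@LOCAL.REALM`` in error 4; pick one form. Minor style point: ``/etc/services`` is in double backticks in some paragraphs and bare in the "When using sclient" paragraph and in error 2. The sample ``/etc/inetd.conf`` line runs sserver as root; since the daemon only needs to read its keytab, a note that it can run as a dedicated unprivileged user with the keytab made readable by that user would be a useful least-privilege hint.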