kinit: add KDB keytab support

This implements
http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password.
If the KDB keytab is selected by command line options, then kinit will
register the KDB keytab and open the database.  This permits an
administrator to obtain tickets as a user without knowing that user's
password.

As a result kinit links against libkadm5srv and libkdb5. Discussion is
ongoing about whether this is desirable or about whether two versions
of kinit are required.

ticket: 6779

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24316 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 6 insertions, 2 deletions

diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M
index 1d434c0fbd..80af95bbd1 100644
--- a/src/clients/kinit/kinit.M
+++ b/src/clients/kinit/kinit.M
@@ -131,13 +131,17 @@ ticket cannot be renewed, even if the ticket is still within its
 renewable life.
 .TP
 \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-requests a host ticket, obtained from a key in the local host's
+requests a ticket, obtained from a key in the local host's
 .I keytab
 file.  The name and location of the keytab file may be specified with
 the
 .B \-t
 .I keytab_file
-option; otherwise the default name and location will be used.
+option; otherwise the default name and location will be used. By default a host ticket is requested but any principal may be specified. On a KDC, the special keytab location
+.B KDB:
+can be used to indicate that kinit should open the KDC database and
+look up the key directly. This permits an administrator to obtain
+tickets as any principal that supports password-based authentication.
 .TP
 \fB-n\fP
 Requests anonymous processing.  Two types of anonymous principals are