author: Ben Kaduk <kaduk@mit.edu> 2012-10-16 16:03:10 -0400
committer: Ben Kaduk <kaduk@mit.edu> 2012-10-16 17:08:08 -0400
commit: 0bb69fbcc306a3bf28370ac57d7e79120ccc7ce1 (patch)
tree: b726fc059a2775fb966667d17ee3e04c412da712 /src/kadmin
parent: 0f81e372a2830c9170f6e08dfa956841d0ebdfb1 (diff)
Remove nroff man pages
We generate man pages from RST sources now; they are checked into the tree in src/man/. The gen-manpages directory is no longer needed.
Diffstat (limited to 'src/kadmin')
-rw-r--r--  src/kadmin/cli/k5srvutil.M       58
-rw-r--r--  src/kadmin/cli/kadmin.M         979
-rw-r--r--  src/kadmin/cli/kadmin.local.M     1
-rw-r--r--  src/kadmin/dbutil/kdb5_util.M   276
-rw-r--r--  src/kadmin/ktutil/ktutil.M       67
-rw-r--r--  src/kadmin/server/kadmind.M     281
6 files changed, 0 insertions, 1662 deletions
diff --git a/src/kadmin/cli/k5srvutil.M b/src/kadmin/cli/k5srvutil.M
deleted file mode 100644
index 528bf00f21..0000000000
--- a/src/kadmin/cli/k5srvutil.M
+++ /dev/null
@@ -1,58 +0,0 @@
-.\" Copyright 1989, 2003 by the Massachusetts Institute of Technology.
-.\"
-.TH K5SRVUTIL 1
-.SH NAME
-k5srvutil \- host key table (keytab) manipulation utility
-.SH SYNOPSIS
-k5srvutil
-.B operation
-[
-.B \-i
-] [
-.B \-f filename
-]
-.SH DESCRIPTION
-.I k5srvutil
-allows a system manager to list or change keys currently in his
-keytab or to add new keys to the keytab.
-.PP
-
-Operation must be one of the following:
-.TP 10n
-.I list
-lists the keys in a keytab showing version number and principal
-name.
-.TP 10n
-.I change
-changes all the keys in the keytab to new randomly-generated keys,
-updating the keys in the Kerberos server's database to match by using the
-kadmin protocol. If a key's version number doesn't match the
-version number stored in the Kerberos server's database, then the operation will fail. The old keys are retained
-so that existing tickets continue to work.
-If the \-i flag is given,
-.I k5srvutil
-will prompt for yes or no before changing each key. If the \-k
-option is used, the old and new keys will be displayed.
-.TP 10n
-.I delold
-Deletes keys that are not the most recent version from the keytab. This operation
-should be used some time after a change operation to remove old keys.
-If the \-i flag is used, then the program prompts the user
-whether the old keys associated with each principal should be removed.
-.TP 10n
-.I delete
-deletes particular keys in the keytab, interactively prompting for
-each key.
-
-.PP
-In all cases, the default file used is /etc/krb5.keytab file
- unless this is overridden by the \-f option.
-
-
-.I k5srvutil
-uses the kadmin program to edit the keytab in place. However, old keys are retained, so
-they are available in case of failure.
-
-.SH SEE ALSO
-kadmin(8), ktutil(8)
-
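Review bot: The diffstat lists only the six deletions, so no Makefile.in under src/kadmin is touched here; confirm that no install, clean or dependency rule still names k5srvutil.M, or the build will fail on a missing source. While checking the RST replacement in src/man/, make sure it keeps the operational caveat in this hunk that `change` retains the old keys so existing tickets keep working and that `delold` is meant to be run some time afterwards, and that it does not inherit the reference to a `\-k` option ("If the \-k option is used, the old and new keys will be displayed") that never appears in this page's SYNOPSIS.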
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
deleted file mode 100644
index b05007a53c..0000000000
--- a/src/kadmin/cli/kadmin.M
+++ /dev/null
@@ -1,979 +0,0 @@
-.TH KADMIN 1
-.SH NAME
-kadmin \- Kerberos V5 database administration program
-.SH SYNOPSIS
-.TP
-.B kadmin
-.ad l
-[\fB\-O\fP | \fB\-N\fP]
-[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
-.br
-[[\fB-c\fP \fIcache_name\fP] | [\fB-k\fP [\fB-t\fP
-\fIkeytab\fP]] | \fB-n\fP] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP
-\fIadmin_server\fP[\fI:port\fP]
-.TP "\w'.B kadmin.local\ 'u"
-.B kadmin.local
-[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP]
-.br
-[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP] [\fB\-x\fP \fIdb_args\fP]
-.ad b
-.SH DESCRIPTION
-.B kadmin
-and
-.B kadmin.local
-are command-line interfaces to the Kerberos V5 KADM5 administration
-system. Both
-.B kadmin
-and
-.B kadmin.local
-provide identical functionalities; the difference is that
-.B kadmin.local
-runs on the master KDC if the database is db2 and
-does not use Kerberos to authenticate to the
-database. Except as explicitly noted otherwise,
-this man page will use
-.B kadmin
-to refer to both versions.
-.B kadmin
-provides for the maintenance of Kerberos principals, KADM5 policies, and
-service key tables (keytabs).
-.PP
-The remote version uses Kerberos authentication and an encrypted RPC, to
-operate securely from anywhere on the network. It authenticates to the
-KADM5 server using the service principal
-.IR kadmin/admin .
-If the credentials cache contains a ticket for the
-.I kadmin/admin
-principal, and the
-.B \-c
-.I credentials_cache
-option is specified, that ticket is used to authenticate to KADM5.
-Otherwise, the
-.B -p
-and
-.B -k
-options are used to specify the client Kerberos principal name used to
-authenticate. Once
-.B kadmin
-has determined the principal name, it requests a
-.I kadmin/admin
-Kerberos service ticket from the KDC, and uses that service ticket to
-authenticate to KADM5.
-.PP
-If the database is db2, the local client
-.BR kadmin.local ,
-is intended to run directly on the master KDC without Kerberos
-authentication. The local version provides all of the functionality of
-the now obsolete
-.IR kdb5_edit (8),
-except for database dump and load, which is now provided by the
-.IR kdb5_util (8)
-utility.
-.PP
-If the database is LDAP, kadmin.local need not be run on the KDC.
-.PP
-kadmin.local can be configured to log updates for incremental database
-propagation. Incremental propagation allows slave KDC servers to
-receive principal and policy updates incrementally instead of
-receiving full dumps of the database. This facility can be enabled in
-the
-.I kdc.conf
-file with the
-.I iprop_enable
-option. See the
-.I kdc.conf
-documentation for other options for tuning incremental propagation
-parameters.
-
-.SH OPTIONS
-.TP
-\fB\-r\fP \fIrealm\fP
-Use
-.I realm
-as the default database realm.
-.TP
-\fB\-p\fP \fIprincipal\fP
-Use
-.I principal
-to authenticate. Otherwise, kadmin will append "/admin" to the primary
-principal name of the default ccache, the value of the
-.SM USER
-environment variable, or the username as obtained with getpwuid, in
-order of preference.
-.TP
-\fB\-k\fP
-Use a keytab to decrypt the KDC response instead of prompting for a
-password on the TTY. In this case, the default principal will be
-host/\fIhostname\fP. If there is not a keytab specified with the
-.B \-t
-option, then the default keytab will be used.
-.TP
-\fB\-t\fP \fIkeytab\fP
-Use
-.I keytab
-to decrypt the KDC response. This can only be used with the
-.B \-k
-option.
-\fB-n\fP
-Requests anonymous processing. Two types of anonymous principals are
-supported. For fully anonymous Kerberos, configure pkinit on the KDC
-and configure
-.I pkinit_anchors
-in the client's krb5.conf. Then use the
-.B -n
-option with a principal of the form
-.I @REALM
-(an empty principal name followed by the at-sign and a realm name).
-If permitted by the KDC, an anonymous ticket will be returned.
-A second form of anonymous tickets is supported; these realm-exposed
-tickets hide the identity of the client but not the client's realm.
-For this mode, use
-.B kinit -n
-with a normal principal name. If supported by the KDC, the principal
-(but not realm) will be replaced by the anonymous principal.
-As of release 1.8, the MIT Kerberos KDC only supports fully anonymous
-operation.
-.TP
-\fB\-c\fP \fIcredentials_cache\fP
-Use
-.I credentials_cache
-as the credentials cache. The
-.I credentials_cache
-should contain a service ticket for the
-.I kadmin/admin
-service; it can be acquired with the
-.IR kinit (1)
-program. If this option is not specified,
-.B kadmin
-requests a new service ticket from the KDC, and stores it in its own
-temporary ccache.
-.TP
-\fB\-w\fP \fIpassword\fP
-Use
-.I password
-instead of prompting for one on the TTY. Note: placing the password
-for a Kerberos principal with administration access into a shell script
-can be dangerous if unauthorized users gain read access to the script.
-.TP
-\fB\-q\fP \fIquery\fP
-pass
-.I query
-directly to
-.BR kadmin ,
-which will perform
-.I query
-and then exit. This can be useful for writing scripts.
-.TP
-\fB\-d\fP \fIdbname\fP
-Specifies the name of the Kerberos database.
-This option does not apply to the LDAP database.
-.TP
-\fB\-s\fP \fIadmin_server[:port]\fP
-Specifies the admin server which kadmin should contact.
-.TP
-\fB\-m\fP
-Do not authenticate using a keytab. This option will cause kadmin
-to prompt for the master database password.
-.TP
-\fB\-e\fP \fIenc:salt_list\fP
-Sets the list of encryption types and salt types to be used for any new
-keys created.
-.TP
-.B \-O
-Force use of old AUTH_GSSAPI authentication flavor.
-.TP
-.B \-N
-Prevent fallback to AUTH_GSSAPI authentication flavor.
-.TP
-\fB\-x\fP \fIdb_args\fP
-Specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.RS
-.TP
-\-x host=<hostname>
-specifies the LDAP server to connect to by a LDAP URI.
-.TP
-\-x binddn=<bind_dn>
-.fi
-specifies the DN of the object used by the administration server to bind to the LDAP server.
-This object should have the read and write rights on the realm container, principal container
-and the subtree that is referenced by the realm.
-.TP
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.SH DATE FORMAT
-Various commands in kadmin can take a variety of date formats,
-specifying durations or absolute times. Examples of valid formats are:
-.sp
-.nf
-.RS
-1 month ago
-2 hours ago
-400000 seconds ago
-last year
-this Monday
-next Monday
-yesterday
-tomorrow
-now
-second Monday
-a fortnight ago
-3/31/92 10:00:07 PST
-January 23, 1987 10:05pm
-22:00 GMT
-.RE
-.fi
-.PP
-Dates which do not have the "ago" specifier default to being absolute
-dates, unless they appear in a field where a duration is expected. In
-that case the time specifier will be interpreted as relative.
-Specifying "ago" in a duration may result in unexpected behavior.
-.PP
-.SH COMMANDS
-.TP
-\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
-creates the principal
-.IR newprinc ,
-prompting twice for a password. If no policy is specified with the
-\-policy option, and the policy named "default" exists, then that
-policy is assigned to the principal; note that the assignment of the
-policy "default" only occurs automatically when a principal is first
-created, so the policy "default" must already exist for the assignment
-to occur. This assignment of "default" can be suppressed with the
-\-clearpolicy option. This command requires the
-.I add
-privilege. This command has the aliases
-.B addprinc
-and
-.BR ank .
-The options are:
-.RS
-.TP
-\fB\-x\fP \fIdb_princ_args\fP
-Denotes the database specific options. The options for LDAP database are:
-.RS
-.TP
-\-x dn=<dn>
-Specifies the LDAP object that will contain the Kerberos principal being
-created.
-.TP
-\-x linkdn=<dn>
-.fi
-Specifies the LDAP object to which the newly created Kerberos principal object
-will point to.
-.TP
-\-x containerdn=<container_dn>
-Specifies the container object under which the Kerberos principal is to be created.
-.TP
-\-x tktpolicy=<policy>
-Associates a ticket policy to the Kerberos principal.
-.RE
-.TP
-\fB\-expire\fP \fIexpdate\fP
-expiration date of the principal
-.TP
-\fB\-pwexpire\fP \fIpwexpdate\fP
-password expiration date
-.TP
-\fB\-maxlife\fP \fImaxlife\fP
-maximum ticket life for the principal
-.TP
-\fB\-maxrenewlife\fP \fImaxrenewlife\fP
-maximum renewable life of tickets for the principal
-.TP
-\fB\-kvno\fP \fIkvno\fP
-explicitly set the key version number.
-.TP
-\fB\-policy\fP \fIpolicy\fP
-policy used by this principal. If no policy is supplied, then if the
-policy "default" exists and the -clearpolicy is not also specified,
-then the policy "default" is used; otherwise, the principal
-will have no policy, and a warning message will be printed.
-.TP
-\fB\-clearpolicy\fP
-.B -clearpolicy
-prevents the policy "default" from being assigned when
-.B -policy
-is not specified. This option has no effect if the policy "default"
-does not exist.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
-.B -allow_postdated
-prohibits this principal from obtaining postdated tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_POSTDATED
-flag.)
-.B +allow_postdated
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
-.B -allow_forwardable
-prohibits this principal from obtaining forwardable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_FORWARDABLE
-flag.)
-.B +allow_forwardable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
-.B -allow_renewable
-prohibits this principal from obtaining renewable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_RENEWABLE
-flag.)
-.B +allow_renewable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
-.B -allow_proxiable
-prohibits this principal from obtaining proxiable tickets. (Sets the
-.SM KRB5_KDB_DISALLOW_PROXIABLE
-flag.)
-.B +allow_proxiable
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
-.B -allow_dup_skey
-Disables user-to-user authentication for this principal by prohibiting
-this principal from obtaining a session key for another user. (Sets the
-.SM KRB5_KDB_DISALLOW_DUP_SKEY
-flag.)
-.B +allow_dup_skey
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP
-.B +requires_preauth
-requires this principal to preauthenticate before being allowed to
-kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_PRE_AUTH
-flag.)
-.B -requires_preauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-.B +requires_hwauth
-requires this principal to preauthenticate using a hardware device
-before being allowed to kinit. (Sets the
-.SM KRB5_KDB_REQUIRES_HW_AUTH
-flag.)
-.B -requires_hwauth
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
-.B +ok_as_delegate
-sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
-as the service, which clients may use as a hint that credentials can and
-should be delegated when authenticating to the service. (Sets the
-.SM KRB5_KDB_OK_AS_DELEGATE
-flag.)
-.B -ok_as_delegate
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
-.B -allow_svr
-prohibits the issuance of service tickets for this principal. (Sets the
-.SM KRB5_KDB_DISALLOW_SVR
-flag.)
-.B +allow_svr
-clears this flag.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP
-.B \-allow_tgs_req
-specifies that a Ticket-Granting Service (TGS) request for a service
-ticket for this principal is not permitted. This option is useless for
-most things.
-.B +allow_tgs_req
-clears this flag. The default is
-.BR +allow_tgs_req .
-In effect,
-.B \-allow_tgs_req
-sets the
-.SM KRB5_KDB_DISALLOW_TGT_BASED
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBallow_tix\fP
-.B \-allow_tix
-forbids the issuance of any tickets for this principal.
-.B +allow_tix
-clears this flag. The default is
-.BR +allow_tix .
-In effect,
-.B \-allow_tix
-sets the
-.SM KRB5_KDB_DISALLOW_ALL_TIX
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBneedchange\fP
-.B +needchange
-sets a flag in attributes field to force a password change;
-.B \-needchange
-clears it. The default is
-.BR \-needchange .
-In effect,
-.B +needchange
-sets the
-.SM KRB5_KDB_REQUIRES_PWCHANGE
-flag on the principal in the database.
-.TP
-{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP
-.B +password_changing_service
-sets a flag in the attributes field marking this as a password change
-service principal (useless for most things).
-.B \-password_changing_service
-clears the flag. This flag intentionally has a long name. The default
-is
-.BR \-password_changing_service .
-In effect,
-.B +password_changing_service
-sets the
-.SM KRB5_KDB_PWCHANGE_SERVICE
-flag on the principal in the database.
-.TP
-.B \-randkey
-sets the key of the principal to a random value
-.TP
-\fB\-pw\fP \fIpassword\fP
-sets the key of the principal to the specified string and does not
-prompt for a password. Note: using this option in a shell script can
-be dangerous if unauthorized users gain read access to the script.
-.TP
-\fB\-e\fP \fI"enc:salt ..."\fP
-uses the specified list of enctype\-salttype pairs for setting the key
-of the principal. The quotes are necessary if there are multiple
-enctype\-salttype pairs. This will not function against kadmin
-daemons earlier than krb5\-1.2.
-.nf
-.TP
-EXAMPLE:
-kadmin: addprinc tlyu/admin
-WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
-defaulting to no policy.
-Enter password for principal tlyu/admin@BLEEP.COM:
-Re-enter password for principal tlyu/admin@BLEEP.COM:
-Principal "tlyu/admin@BLEEP.COM" created.
-kadmin:
-
-kadmin: addprinc \-x dn=cn=mwm_user,o=org mwm_user
-WARNING: no policy specified for "mwm_user@BLEEP.COM";
-defaulting to no policy.
-Enter password for principal mwm_user@BLEEP.COM:
-Re-enter password for principal mwm_user@BLEEP.COM:
-Principal "mwm_user@BLEEP.COM" created.
-kadmin:
-
-.TP
-ERRORS:
-KADM5_AUTH_ADD (requires "add" privilege)
-KADM5_BAD_MASK (shouldn't happen)
-KADM5_DUP (principal exists already)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_PASS_Q_* (password quality violations)
-.fi
-.RE
-.TP
-\fBdelete_principal\fP [\fB-force\fP] \fIprincipal\fP
-deletes the specified principal from the database. This command prompts
-for deletion, unless the
-.B -force
-option is given. This command requires the
-.I delete
-privilege. Aliased
-to
-.BR delprinc.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: delprinc mwm_user
-Are you sure you want to delete the principal
-"mwm_user@BLEEP.COM"? (yes/no): yes
-Principal "mwm_user@BLEEP.COM" deleted.
-Make sure that you have removed this principal from
-all ACLs before reusing.
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_DELETE (requires "delete" privilege)
-KADM5_UNK_PRINC (principal does not exist)
-.RE
-.fi
-.TP
-\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
-modifies the specified principal, changing the fields as specified. The
-options are as above for
-.BR add_principal ,
-except that password changing and flags related to password changing
-are forbidden by this command. In addition, the option
-.B \-clearpolicy
-will clear the current policy of a principal. This command requires the
-.I modify
-privilege. Aliased to
-.BR modprinc .
-.RS
-.TP
-\fB\-x\fP \fIdb_princ_args\fP
-Denotes the database specific options. The options for LDAP database are:
-.RS
-.TP
-\-x tktpolicy=<policy>
-Associates a ticket policy to the Kerberos principal.
-.TP
-\-x linkdn=<dn>
-.fi
-Associates a Kerberos principal with a LDAP object. This option is honored only
-if the Kerberos principal is not already associated with a LDAP object.
-.RE
-.TP
-.B \-unlock
-Unlocks a locked principal (one which has received too many failed
-authentication attempts without enough time between them according to
-its password policy) so that it can successfully authenticate.
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires "modify" privilege)
-KADM5_UNK_PRINC (principal does not exist)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_BAD_MASK (shouldn't happen)
-.RE
-.fi
-.TP
-\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
-changes the password of
-.IR principal .
-Prompts for a new password if neither
-.B \-randkey
-or
-.B \-pw
-is specified. Requires the
-.I changepw
-privilege, or that the principal that is running the program to be the
-same as the one changed. Aliased to
-.BR cpw .
-The following options are available:
-.RS
-.TP
-.B \-randkey
-sets the key of the principal to a random value
-.TP
-\fB\-pw\fP \fIpassword\fP
-set the password to the specified string. Not recommended.
-.TP
-\fB\-e\fP \fI"enc:salt ..."\fP
-uses the specified list of enctype\-salttype pairs for setting the key
-of the principal. The quotes are necessary if there are multiple
-enctype\-salttype pairs. This will not function against kadmin
-daemons earlier than krb5\-1.2.
-.TP
-\fB\-keepold \fP
-Keeps the previous kvno's keys around. This flag is usually not
-necessary except perhaps for TGS keys. Don't use this flag unless you
-know what you're doing. This option is not supported for the LDAP database.
-.nf
-.TP
-EXAMPLE:
-kadmin: cpw systest
-Enter password for principal systest@BLEEP.COM:
-Re-enter password for principal systest@BLEEP.COM:
-Password for systest@BLEEP.COM changed.
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires the modify privilege)
-KADM5_UNK_PRINC (principal does not exist)
-KADM5_PASS_Q_* (password policy violation errors)
-KADM5_PADD_REUSE (password is in principal's password
-history)
-KADM5_PASS_TOOSOON (current password minimum life not
-expired)
-.RE
-.fi
-.TP
-\fBpurgekeys\fP [\fB-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
-purges previously retained old keys (e.g., from
-.B change_password
-.BR -keepold )
-from
-.IR principal .
-If
-.B -keepkvno
-is specified, then only purges keys with kvnos lower than
-.IR oldest_kvno_to_keep .
-.fi
-.TP
-\fBget_principal\fP [\fB-terse\fP] \fIprincipal\fP
-gets the attributes of
-.IR principal .
-Requires the
-.I inquire
-privilege, or that the principal that is running the the program to be
-the same as the one being listed. With the
-.B \-terse
-option, outputs fields as quoted tab-separated strings. Alias
-.BR getprinc .
-.sp
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, DES cbc mode with CRC-32, no salt
-Key: vno 1, DES cbc mode with CRC-32, Version 4
-Attributes:
-Policy: [none]
-kadmin: getprinc -terse systest
-systest@BLEEP.COM 3 86400 604800 1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM 786100034 0 0
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_GET (requires the get (inquire) privilege)
-KADM5_UNK_PRINC (principal does not exist)
-.RE
-.fi
-.TP
-\fBlist_principals\fP [\fIexpression\fP]
-Retrieves all or some principal names.
-.I Expression
-is a shell-style glob expression that can contain the wild-card
-characters \&?, *, and []'s. All principal names matching the
-expression are printed. If no expression is provided, all principal
-names are printed. If the expression does not contain an "@" character,
-an "@" character followed by the local realm is appended to the
-expression. Requires the
-.I list
-privilege. Alias
-.BR listprincs ,
-.BR get_principals ,
-.BR get_princs .
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
-.RE
-.fi
-.TP
-\fBget_strings\fP \fIprincipal\fP
-displays string attributes on
-.IR principal .
-String attributes are used to supply per-principal configuration to
-some KDC plugin modules. Alias
-.BR getstrs .
-.fi
-.TP
-\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
-sets a string attribute on
-.IR principal .
-Alias
-.BR setstr .
-.fi
-.TP
-\fBdel_string\fP \fIprincipal\fP \fIkey\fP
-deletes a string attribute from
-.IR principal .
-Alias
-.BR delstr .
-.fi
-.TP
-\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
-adds the named policy to the policy database. Requires the
-.I add
-privilege. Aliased to
-.BR addpol .
-The following options are available:
-.RS
-.TP
-\fB\-maxlife\fP \fItime\fP
-sets the maximum lifetime of a password
-.TP
-\fB\-minlife\fP \fItime\fP
-sets the minimum lifetime of a password
-.TP
-\fB\-minlength\fP \fIlength\fP
-sets the minimum length of a password
-.TP
-\fB\-minclasses\fP \fInumber\fP
-sets the minimum number of character classes allowed in a password
-.TP
-\fB\-history\fP \fInumber\fP
-sets the number of past keys kept for a principal. This option is not supported for LDAP database
-.TP
-\fB\-maxfailure\fP \fImaxnumber\fP
-sets the maximum number of authentication failures before the
-principal is locked. Authentication failures are only tracked for
-principals which require preauthentication.
-.TP
-\fB\-failurecountinterval\fP \fIfailuretime\fP
-sets the allowable time between authentication failures. If an
-authentication failure happens after \fIfailuretime\fP has elapsed
-since the previous failure, the number of authentication failures is
-reset to 1. A failure count interval of 0 means forever.
-.TP
-\fB\-lockoutduration\fP \fIlockouttime\fP
-sets the duration for which the principal is locked from
-authenticating if too many authentication failures occur without the
-specified failure count interval elapsing. A duration of 0 means
-forever.
-.sp
-.nf
-.TP
-EXAMPLES:
-kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_ADD (requires the add privilege)
-KADM5_DUP (policy already exists)
-.fi
-.RE
-.TP
-\fBdelete_policy [\-force]\fP \fIpolicy\fB
-deletes the named policy. Prompts for confirmation before deletion.
-The command will fail if the policy is in use by any principals.
-Requires the
-.I delete
-privilege. Alias
-.BR delpol .
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: del_policy guests
-Are you sure you want to delete the policy "guests"?
-(yes/no): yes
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_DELETE (requires the delete privilege)
-KADM5_UNK_POLICY (policy does not exist)
-KADM5_POLICY_REF (reference count on policy is not zero)
-.RE
-.fi
-.TP
-\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
-modifies the named policy. Options are as above for
-.BR add_policy .
-Requires the
-.I modify
-privilege. Alias
-.BR modpol .
-.sp
-.nf
-.RS
-.TP
-ERRORS:
-KADM5_AUTH_MODIFY (requires the modify privilege)
-KADM5_UNK_POLICY (policy does not exist)
-.RE
-.fi
-.TP
-\fBget_policy\fP [\fB\-terse\fP] \fIpolicy\fP
-displays the values of the named policy. Requires the
-.I inquire
-privilege. With the
-.B \-terse
-flag, outputs the fields as quoted strings separated by tabs. Alias
-.BR getpol .
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: get_policy admin
-Policy: admin
-Maximum password life: 180 days 00:00:00
-Minimum password life: 00:00:00
-Minimum password length: 6
-Minimum number of password character classes: 2
-Number of old keys kept: 5
-Reference count: 17
-kadmin: get_policy -terse admin
-admin 15552000 0 6 2 5 17
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_GET (requires the get privilege)
-KADM5_UNK_POLICY (policy does not exist)
-.RE
-.fi
-.TP
-\fBlist_policies\fP [\fIexpression\fP]
-Retrieves all or some policy names.
-.I Expression
-is a shell-style glob expression that can contain the wild-card
-characters \&?, *, and []'s. All policy names matching the expression
-are printed. If no expression is provided, all existing policy names
-are printed. Requires the
-.I list
-privilege. Alias
-.BR listpols ,
-.BR get_policies ,
-.BR getpols .
-.sp
-.nf
-.RS
-.TP
-EXAMPLES:
-kadmin: listpols
-test-pol
-dict-only
-once-a-min
-test-pol-nopw
-kadmin: listpols t*
-test-pol
-test-pol-nopw
-kadmin:
-.RE
-.fi
-.TP
-\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
-.br
-[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
-.br
-Adds a principal or all principals matching
-.I princ-exp
-to a keytab.
-It randomizes each principal's key in the process, to prevent a
-compromised admin account from reading out all of the keys from the
-database. However,
-.B kadmin.local
-has the
-.B \-norandkey
-option, which leaves the keys and their version numbers unchanged,
-similar to the Kerberos V4
-.B ext_srvtab
-command.
-That allows users to continue to use the passwords they know
-to login normally, while simultaneously allowing scripts
-to login to the same account using a keytab.
-There is no significant security risk added since
-.B kadmin.local
-must be run by root on the KDC anyway.
-.sp
-Requires the
-.I inquire
-and
-.I changepw
-privileges. An entry for each of the principal's unique encryption types
-is added, ignoring multiple keys with the same encryption type but
-different salt types. If the
-.B \-k
-argument is not specified, the default keytab
-.I /etc/krb5.keytab
-is used. If the
-.B \-q
-option is specified, less verbose status information is displayed.
-.sp
-The
-.B -glob
-option requires the
-.I list
-privilege.
-.I princ-exp
-follows the same rules described for the
-.B list_principals
-command.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
-Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:/tmp/foo-new-keytab
-kadmin:
-.RE
-.fi
-.TP
-\fBktremove\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] \fIprincipal\fP [\fIkvno\fP | \fBall\fP | \fBold\fP]
-Removes entries for the specified principal from a keytab. Requires no
-permissions, since this does not require database access. If the string
-"all" is specified, all entries for that principal are removed; if the
-string "old" is specified, all entries for that principal except those
-with the highest kvno are removed. Otherwise, the value specified is
-parsed as an integer, and all entries whose kvno match that integer are
-removed. If the
-.B \-k
-argument is not specified, the default keytab
-.I /etc/krb5.keytab
-is used. If the
-.B \-q
-option is specified, less verbose status information is displayed.
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
-Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
-kadmin:
-.RE
-.fi
-.SH FILES
-.TP "\w'<dbname>.kadm5.lock\ \ 'u"
-principal.db
-default name for Kerberos principal database
-.TP
-<dbname>.kadm5
-KADM5 administrative database. (This would be "principal.kadm5", if you
-use the default database name.) Contains policy information.
-.TP
-<dbname>.kadm5.lock
-lock file for the KADM5 administrative database. This file works
-backwards from most other lock files. I.e.,
-.B kadmin
-will exit with an error if this file does
-.I not
-exist.
-.TP
-.B Note:
-The above three files are specific to db2 database.
-.TP
-kadm5.acl
-file containing list of principals and their
-.B kadmin
-administrative privileges. See
-.IR kadmind (8)
-for a description.
-.TP
-kadm5.keytab
-keytab file for
-.I kadmin/admin
-principal.
-.TP
-kadm5.dict
-file containing dictionary of strings explicitly disallowed as
-passwords.
-.SH HISTORY
-The
-.B kadmin
-program was originally written by Tom Yu at MIT, as an interface to the
-OpenVision Kerberos administration program.
-.SH SEE ALSO
-.IR kerberos (1),
-.IR kpasswd (1),
-.IR kadmind (8)
-.SH BUGS
-.PP
-Command output needs to be cleaned up.
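Review bot: Two formatting defects in this page should be confirmed fixed in the RST source rather than carried over: the `\fB-n\fP` entry under OPTIONS has no `.TP` before it, so it rendered as a continuation of the `\-t` entry, and get_principal reads "running the the program". More importantly, the generated kadmin page must keep the security caveats this text carries: that `\-w` and `\-pw` place an administrative password where anyone with read access to the script can recover it, that `\-x bindpwd=` is discouraged in favour of stashing the password with stashsrvpw, that `\-keepold` is flagged as something not to use without understanding it, and that ktadd randomizes each key specifically so a compromised admin account cannot read all keys out of the database.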
diff --git a/src/kadmin/cli/kadmin.local.M b/src/kadmin/cli/kadmin.local.M
deleted file mode 100644
index 00df30db6f..0000000000
--- a/src/kadmin/cli/kadmin.local.M
+++ /dev/null
@@ -1 +0,0 @@
-.so man1/kadmin.1
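Review bot: This `.so` line was the alias that made `man kadmin.local` resolve to the kadmin page; the RST tree in src/man/ needs an equivalent (a separately generated page or an alias in the install rules), otherwise this removal silently drops the kadmin.local manual entry. Note also that this alias pointed at man1/kadmin.1 while the k5srvutil page above cites kadmin(8) in its SEE ALSO; the section number should be reconciled in the new pages.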
diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M
deleted file mode 100644
index b834a225ac..0000000000
--- a/src/kadmin/dbutil/kdb5_util.M
+++ /dev/null
@@ -1,276 +0,0 @@
-.TH KDB5_UTIL 8
-.SH NAME
-kdb5_util \- Kerberos database maintenance utility
-.SH SYNOPSIS
-.B kdb5_util
-[\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP]
-[\fB\-k\fP\ \fImkeytype\fP] [\fB\-M\fP\ \fImkeyname\fP]
-[\fB\-kv\fP\ \fImkeyVNO\fP]
-[\fB\-sf\fP\ \fIstashfilename\fP]
-[\fB\-m\fP]
-.I command
-.I [command_options]
-.SH DESCRIPTION
-.B kdb5_util
-allows an administrator to perform low-level maintenance procedures on
-the Kerberos and KADM5 database. Databases can be created, destroyed,
-and dumped to and loaded from
-.SM ASCII
-files. Additionally,
-.B kdb5_util
-can create a Kerberos master key stash file.
-.B kdb5_util
-subsumes the functionality of and makes obsolete the previous database
-maintenance programs
-.BR kdb5_create ,
-.BR kdb5_edit ,
-.BR kdb5_destroy ,
-and
-.BR kdb5_stash .
-.PP
-When
-.B kdb5_util
-is run, it attempts to acquire the master key and open the database.
-However, execution continues regardless of whether or not
-.B kdb5_util
-successfully opens the database, because the database may not exist yet
-or the stash file may be corrupt.
-.PP
-Note that some KDB plugins may not support all
-.B kdb5_util
-commands.
-.SH COMMAND-LINE OPTIONS
-.TP
-\fB\-r\fP\ \fIrealm\fP
-specifies the Kerberos realm of the database; by default the realm
-returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-d\fP\ \fIdbname\fP
-specifies the name under which the principal database is stored; by
-default the database is that listed in
-.IR kdc.conf (5).
-The KADM5 policy database and lock file are also derived from this
-value.
-.TP
-\fB\-k\fP\ \fImkeytype\fP
-specifies the key type of the master key in the database; the default is
-that given in
-.IR kdc.conf .
-.TP
-\fB\-kv\fP\ \fImkeyVNO\fP
-Specifies the version number of the master key in the database; the default is
-1. Note that 0 is not allowed.
-.TP
-\fB\-M\fP\ \fImkeyname\fP
-principal name for the master key in the database; the default is
-that given in
-.IR kdc.conf .
-.TP
-.B \-m
-specifies that the master database password should be read from the TTY
-rather than fetched from a file on disk.
-.TP
-\fB\-sf\fP \fIstash_file\fP
-specifies the stash file of the master database password.
-.TP
-\fB\-P\fP \fIpassword\fP
-specifies the master database password. This option is not recommended.
-.SH COMMANDS
-.TP
-\fBcreate\fP [\fB\-s\fP]
-Creates a new database. If the
-.B \-s
-option is specified, the stash file is also created. This command fails
-if the database already exists. If the command is successful, the
-database is opened just as if it had already existed when the program
-was first run.
-.TP
-\fBdestroy\fP [\fB\-f\fP]
-Destroys the database, first overwriting the disk sectors and then
-unlinking the files, after prompting the user for confirmation. With
-the
-.B \-f
-argument, does not prompt the user.
-.TP
-\fBstash\fP [\fB\-f\fP\ \fIkeyfile\fP]
-Stores the master principal's keys in a stash file. The
-.B \-f
-argument can be used to override the keyfile specified at startup.
-.TP
-\fBdump\fP [\fB\-old\fP|\fB-b6\fP|\fB-b7\fP|\fB-ov\fP|\fB-r13\fP]
-[\fB\-verbose\fP] [\fB\-mkey_convert\fP]
-[\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP]
-[\fIfilename\fP [\fIprincipals...\fP]]
-.br
-Dumps the current Kerberos and KADM5 database into an ASCII file. By
-default, the database is dumped in current format, "kdb5_util
-load_dump version 6". If
-.I filename
-is not specified, or is the string "\-", the dump is sent to standard
-output. Options:
-.RS
-.TP
-.B \-old
-causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format
-("kdb5_edit load_dump version 2.0").
-.TP
-.B \-b6
-causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
-load_dump version 3.0").
-.TP
-.B \-b7
-causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2.
-.TP
-.B \-ov
-causes the dump to be in
-.I ovsec_adm_export
-format.
-.TP
-.B \-r13
-causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8.
-.TP
-.B \-verbose
-causes the name of each principal and policy to be printed as it is
-dumped.
-.TP
-.B \-mkey_convert
-prompts for a new master key. This new master key will be used to
-re-encrypt the key data in the dumpfile. The key data in the database
-will not be changed.
-.TP
-.B \-new_mkey_file \fImkey_file\fP
-the filename of a stash file. The master key in this stash file will
-be used to re-encrypt the key data in the dumpfile. The key data in
-the database will not be changed.
-.TP
-.B \-rev
-dumps in reverse order. This may recover principals that do not dump
-normally, in cases where database corruption has occurred.
-.TP
-.B \-recurse
-causes the dump to walk the database recursively (btree only). This
-may recover principals that do not dump normally, in cases where
-database corruption has occurred. In cases of such corruption, this
-option will probably retrieve more principals than the \fB\-rev\fP
-option will.
-.RE
-.TP
-\fBload\fP \fB\-old\fP|\fB-b6\fP|\fB-b7\fP|\fB-ov\fP|\fB-r13\fP] [\fB\-hash\fP]
-[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename dbname\fP
-.br
-Loads a database dump from the named file into the named database.
-Unless the
-.B \-old
-or
-.B \-b6
-option is given, the format of the dump file is detected
-automatically and handled as appropriate. Unless the
-.B \-update
-option is given,
-.B load
-creates a new database containing only the principals in the dump file,
-overwriting the contents of any previously existing database. Note that
-when using the LDAP KDB plugin the
-.B \-update
-must be given. Options:
-.RS
-.TP
-.B \-old
-requires the database to be in the Kerberos 5 Beta 5 and earlier format
-("kdb5_edit load_dump version 2.0").
-.TP
-.B \-b6
-requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit
-load_dump version 3.0").
-.TP
-.B \-b7
-requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util
-load_dump version 4").
-.TP
-.B \-ov
-requires the database to be in
-.I ovsec_adm_import
-format. Must be used with the
-.B \-update
-option.
-.TP
-.B \-hash
-requires the database to be stored as a hash. If this option is not
-specified, the database will be stored as a btree. This option
-is not recommended, as databases stored in hash format are known to
-corrupt data and lose principals.
-.TP
-.B \-verbose
-causes the name of each principal and policy to be printed as it is
-dumped.
-.TP
-.B \-update
-records from the dump file are added to or updated in the existing
-database; otherwise, a new database is created containing only what is
-in the dump file and the old one destroyed upon successful completion.
-.TP
-.B dbname
-is required and overrides the value specified on the command line or the
-default.
-.RE
-.TP
-\fBark\fP
-Adds a random key.
-.TP
-\fBadd_mkey\fP [\fB\-e etype\fP] [\fB\-s\fP]
-Adds a new master key to the K/M (master key) principal. Existing master keys will remain.
-The
-.B \-e etype
-option allows specification of the enctype of the new master key. The
-.B \-s
-option stashes the new master key in a local stash file which will be created if it doesn't already exist.
-.TP
-\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP]
-Sets the activation time of the master key specified by
-.B mkeyVNO.
-Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when the principal keys change, are newly created or when the update_princ_encryption command is run. If the
-.B time
-argument is provided then that will be the activation time otherwise the current time is used by default. The format of the optional
-.B time
-argument is that specified in the Time Formats section of the kadmin man page.
-.TP
-\fBlist_mkeys\fP
-List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key.
-.TP
-\fBpurge_mkeys\fP [\fB-f\fP] [\fB-n\fP] [\fB-v\fP]
-Delete master keys from the K/M principal that are not used to protect any principals. This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key.
-.TP
-.B \-f
-does not prompt user.
-.TP
-.B \-n
-do a dry run, shows master keys that would be purged, does not actually purge any keys.
-.TP
-.B \-v
-verbose output.
-.TP
-\fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP]
-Update all principal records (or only those matching the
-.B princ\-pattern
-glob pattern) to re-encrypt the key data using the active
-database master key, if they are encrypted using older versions,
-and give a count at the end of the number of principals updated.
-If the
-.B \-f
-option is not given, ask for confirmation before starting to make
-changes. The
-.B \-v
-option causes each principal processed (each one matching the pattern)
-to be listed, and an indication given as to whether it needed updating
-or not.
-The
-.B \-n
-option causes the actions not to be taken, only the normal or verbose
-status messages displayed; this implies
-.B \-f
-since no database changes will be performed and thus there's little
-reason to seek confirmation.
-.SH SEE ALSO
-kadmin(8)
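Review bot: Several defects in this kdb5_util page should not be carried over verbatim: the `load` synopsis `\fBload\fP \fB\-old\fP|\fB-b6\fP|\fB-b7\fP|\fB-ov\fP|\fB-r13\fP]` is missing the opening `[` of the optional format-flag group; `\fB\-P\fP \fIpassword\fP` is documented under COMMAND-LINE OPTIONS but absent from the SYNOPSIS; and the stash-file argument is named `stashfilename` in the synopsis but `stash_file` in the option description. The caveats worth checking for in the replacement are that `-P` is "not recommended" (saying why, such as exposure of the password on the command line, would help), that `load -hash` is known to corrupt data and lose principals, and that the LDAP KDB plugin requires `load -update`.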
diff --git a/src/kadmin/ktutil/ktutil.M b/src/kadmin/ktutil/ktutil.M
deleted file mode 100644
index 7086a5a162..0000000000
--- a/src/kadmin/ktutil/ktutil.M
+++ /dev/null
@@ -1,67 +0,0 @@
-.TH KTUTIL 1
-.SH NAME
-ktutil \- Kerberos keytab file maintenance utility
-.SH SYNOPSIS
-.B ktutil
-.SH DESCRIPTION
-The
-.B ktutil
-command invokes a subshell from which an administrator can read, write,
-or edit entries in a Kerberos V5 keytab or V4 srvtab file.
-.SH COMMANDS
-.TP
-.B list
-Displays the current keylist. Alias:
-.BR l .
-.TP
-\fBread_kt\fP \fIkeytab\fP
-Read the Kerberos V5 keytab file
-.I keytab
-into the current keylist. Alias:
-.B rkt
-.TP
-\fBread_st\fP \fIsrvtab\fP
-Read the Kerberos V4 srvtab file
-.I srvtab
-into the current keylist. Alias:
-.BR rst .
-.TP
-\fBwrite_kt\fP \fIkeytab\fP
-Write the current keylist into the Kerberos V5 keytab file
-.IR keytab .
-Alias:
-.BR wkt .
-.TP
-\fBwrite_st\fP \fIsrvtab\fP
-Write the current keylist into the Kerberos V4 srvtab file
-.IR srvtab .
-Alias:
-.BR wst .
-.TP
-.B clear_list
-Clear the current keylist. Alias:
-.BR clear .
-.TP
-\fBdelete_entry\fP \fIslot\fP
-Delete the entry in slot number
-.I slot
-from the current keylist. Alias:
-.BR delent .
-.TP
-\fBadd_entry\fP (\-key | \-password) \-p \fIprincipal\fP \-k \fIkvno\fP \-e \fIenctype\fP
-Add principal to keylist using key or password. Alias:
-.BR addent .
-.TP
-.BR list_requests
-Displays a listing of available commands. Aliases:
-.BR lr ,
-.BR ? .
-.TP
-.B quit
-Quits
-.BR ktutil .
-Aliases:
-.BR exit ,
-.BR q .
-.SH SEE ALSO
-kadmin(8), kdb5_util(8)
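Review bot: The `add_entry` entry is the one place this ktutil page is thinner than its neighbours: the synopsis `\fBadd_entry\fP (\-key | \-password) \-p \fIprincipal\fP \-k \fIkvno\fP \-e \fIenctype\fP` is explained only as "Add principal to keylist using key or password", with no description of the individual arguments, and `.BR list_requests` uses the alternating-font macro with a single argument where `.B` was meant. Worth making sure the replacement documents the -p/-k/-e arguments and the -key/-password alternation explicitly, and keeps the V4 srvtab read/write commands only if they are still supported.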
diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M
deleted file mode 100644
index 83c67ec3eb..0000000000
--- a/src/kadmin/server/kadmind.M
+++ /dev/null
@@ -1,281 +0,0 @@
-.TH KADMIND 8
-.SH NAME
-kadmind \- KADM5 administration server
-.SH SYNOPSIS
-.B kadmind
-[\fB\-x\fP \fIdb_args\fP] [\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP
-\fIport-number\fP]
- [\fB\-P\fP \fIpid_file\fP]
-.SH DESCRIPTION
-This command starts the KADM5 administration server. If the database is db2,
-the administration server runs on the master Kerberos server, which stores the KDC
-principal database and the KADM5 policy database. If the database is LDAP,
-the administration server and the KDC server need not run on the same machine.
-.B Kadmind
-accepts remote requests to administer the information in these
-databases. Remote requests are sent, for example, by
-.IR kadmin (8)
-and the
-.IR kpasswd (1)
-command, both of which are clients of
-.BR kadmind .
-.PP
-.B kadmind
-requires a number of configuration files to be set up in order
-for it to work:
-.TP "\w'kdc.conf\ \ 'u"
-kdc.conf
-The KDC configuration file contains configuration information for the KDC
-and the KADM5 system.
-.B Kadmind
-understands a number of variable settings in this file, some of which are
-mandatory and some of which are optional. See the CONFIGURATION VALUES
-section below.
-.TP
-ACL file
-.BR Kadmind 's
-ACL (access control list) tells it which principals are allowed to
-perform KADM5 administration actions. The path of the ACL file is
-specified via the acl_file configuration variable (see CONFIGURATION
-VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX
-section below.
-.PP
-After the server begins running, it puts itself in the background and
-disassociates itself from its controlling terminal.
-.PP
-kadmind can be configured for incremental database propagation.
-Incremental propagation allows slave KDC servers to receive principal
-and policy updates incrementally instead of receiving full dumps of
-the database. This facility can be enabled in the
-.I kdc.conf
-file with the
-.I iprop_enable
-option. See the
-.I kdc.conf
-documentation for other options for tuning incremental propagation
-parameters. Incremental propagation requires the principal
-"kiprop/MASTER@REALM" (where MASTER is the master KDC's canonical host
-name, and REALM the realm name) to be registered in the database.
-
-.SH OPTIONS
-.TP
-\fB\-x\fP \fIdb_args\fP
-specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.sp
-.nf
-.RS 12
-\-x nconns=<number_of_connections>
-.fi
-specifies the number of connections to be maintained per LDAP server.
-
-.nf
-\-x host=<ldapuri>
-specifies the LDAP server to connect to by a LDAP URI.
-
-\-x binddn=<binddn>
-.fi
-specifies the DN of the object used by the administration server to bind to the LDAP server.
-This object should have the read and write rights on the realm container, principal container
-and the subtree that is referenced by the realm.
-
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.fi
-.TP
-\fB\-r\fP \fIrealm\fP
-specifies the default realm that kadmind will serve; if it is not
-specified, the default realm of the host is used.
-.B kadmind
-will answer requests for any realm that exists in the local KDC database
-and for which the appropriate principals are in its keytab.
-.TP
-.B \-m
-specifies that the master database password should be fetched from the
-keyboard rather than from a file on disk. Note that the server gets the
-password prior to putting itself in the background; in combination with
-the -nofork option, you must place it in the background by hand.
-.TP
-.B \-nofork
-specifies that the server does not put itself in the background and does
-not disassociate itself from the terminal. In normal operation, you
-should always allow the server place itself in the background.
-.TP
-\fB\-port\fP \fIport-number\fB
-specifies the port on which the administration server listens for
-connections. The default is is controlled by the
-.I kadmind_port
-configuration variable (see below).
-.TP
-\fB\-P\fP \fIpid_file\fP
-specifies the file to which the PID of
-.B kadmind
-process should be written to after it starts up. This can be used to
-identify whether
-.B kadmind
-is still running and to allow init scripts to stop the correct process.
-.SH CONFIGURATION VALUES
-.PP
-In addition to the relations defined in kdc.conf(5), kadmind
-understands the following relations, all of which should
-appear in the [realms] section:
-.TP
-acl_file
-The path of kadmind's ACL file. Mandatory. No default.
-.TP
-dict_file
-The path of kadmind's password dictionary. A principal with any
-password policy will not be allowed to select any password in the
-dictionary. Optional. No default.
-.TP
-kadmind_port
-The
-.SM TCP
-port on which
-.B kadmind
-will listen. The default is 749.
-.SH ACL FILE SYNTAX
-.PP
-The ACL file controls which principals can or cannot perform which
-administrative functions. For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals. This file can contain comment lines, null lines or lines
-which contain ACL entries. Comment lines start with the sharp sign
-(\fB\&#\fP) and continue until the end of the line. Lines containing ACL
-entries have the format of
-.B principal
-.I whitespace
-.B operation-mask
-[\fIwhitespace\fP \fBoperation-target\fP]
-.PP
-Ordering is important. The first matching entry is the one which will
-control access for a particular principal on a particular principal.
-.PP
-.IP principal
-may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using
-the asterisk (
-.B *
-) character.
-.IP operation-target
-[Optional] may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using the
-asterisk (
-.B *
-) character.
-.IP operation-mask
-Specifies what operations may or may not be performed by a principal
-matching a particular entry. This is a string of one or more of the
-following list of characters or their upper-case counterparts. If the
-character is upper-case, then the operation is disallowed. If the
-character is lower-case, then the operation is permitted.
-.RS
-.TP 5
-.B a
-[Dis]allows the addition of principals or policies in the database.
-.sp -1v
-.TP
-.B d
-[Dis]allows the deletion of principals or policies in the database.
-.sp -1v
-.TP
-.B m
-[Dis]allows the modification of principals or policies in the database.
-.sp -1v
-.TP
-.B c
-[Dis]allows the changing of passwords for principals in the database.
-.sp -1v
-.TP
-.B i
-[Dis]allows inquiries to the database.
-.sp -1v
-.TP
-.B l
-[Dis]allows the listing of principals or policies in the database.
-.sp -1v
-.TP
-.B p
-[Dis]allows the propagation of the principal database.
-.sp -1v
-.TP
-.B x
-Short for
-.IR admcil .
-.sp -1v
-.TP
-.B \&*
-Same as
-.BR x .
-.RE
-Some examples of valid entries here are:
-.TP
-.I user/instance@realm adm
-A standard fully qualified name. The
-.B operation-mask
-only applies to this principal and specifies that [s]he may add,
-delete or modify principals and policies, but not change anybody
-else's password.
-.TP
-.I user/instance@realm cim service/instance@realm
-A standard fully qualified name and a standard fully qualified target. The
-.B operation-mask
-only applies to this principal operating on this target and specifies that
-[s]he may change the target's password, request information about the
-target and modify it.
-.TP
-.I user/*@realm ac
-A wildcarded name. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may add principals and change
-anybody's password.
-.TP
-.I user/*@realm i */instance@realm
-A wildcarded name and target. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may perform
-inquiries on principals whose second component is "instance" and realm
-is "realm".
-.SH FILES
-.TP "\w'<dbname>.kadm5.lock\ 'u"
-principal.db
-default name for Kerberos principal database
-.TP
-<dbname>.kadm5
-KADM5 administrative database. (This would be "principal.kadm5", if you
-use the default database name.) Contains policy information.
-.TP
-<dbname>.kadm5.lock
-lock file for the KADM5 administrative database. This file works
-backwards from most other lock files. I.e.,
-.B kadmin
-will exit with an error if this file does
-.I not
-exist.
-.TP
-.B Note:
-The above three files are specific to db2 database.
-.TP
-kadm5.acl
-file containing list of principals and their
-.B kadmin
-administrative privileges. See above for a description.
-.TP
-kadm5.keytab
-keytab file for
-.I kadmin/admin
-principal.
-.TP
-kadm5.dict
-file containing dictionary of strings explicitly disallowed as
-passwords.
-.SH SEE ALSO
-kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8),
-kdb5_ldap_util(8)
-
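Review bot: Two text defects and one nroff escape error in this kadmind page should be fixed in the replacement rather than reproduced: "The default is is controlled by the" under `-port`, "you should always allow the server place itself in the background" under `-nofork`, and the synopsis line `\fB\-port\fP \fIport-number\fB`, which closes the italic with `\fB` instead of `\fP` so bold leaks into the following text. On substance, the ACL FILE SYNTAX section is the security-critical part of this page: keep the statement that ordering matters and the first matching entry wins, the upper-case-denies/lower-case-permits mask semantics, and the `x`/`*` shorthand for `admcil`; likewise keep the `-x bindpwd` advice to stash the LDAP bind password with kdb5_ldap_util's stashsrvpw rather than passing it on the command line. Also, the kadm5.acl entry under FILES says "See above for a description", which only holds if the ACL section stays in the same page.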