Regenerate man pages

Catch up to the RST content updates.

Lots of .sp vertical space macros are removed, and the output engine
spelles "restructuredText" correctly, now.

23 files changed, 525 insertions, 1054 deletions

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index c4f588a088..c242940c3f 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
-.SH SYNOPSIS
-.sp
-\fB~/.k5identity\fP
 .SH DESCRIPTION
 .sp
 The .k5identity file, which resides in a user\(aqs home directory,
@@ -44,7 +41,6 @@ Blank lines and lines beginning with \fB#\fP are ignored.  Each line has
 the form:
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
 .UNINDENT
 .UNINDENT
@@ -55,7 +51,6 @@ recognized:
 .INDENT 0.0
 .TP
 .B \fBrealm\fP
-.sp
 If the realm of the server principal is known, it is matched
 against \fIvalue\fP, which may be a pattern using shell wildcards.
 For host\-based server principals, the realm will generally only be
@@ -63,13 +58,11 @@ known if there is a \fIdomain_realm\fP section in
 \fIkrb5.conf(5)\fP with a mapping for the hostname.
 .TP
 .B \fBservice\fP
-.sp
 If the server principal is a host\-based principal, its service
 component is matched against \fIvalue\fP, which may be a pattern using
 shell wildcards.
 .TP
 .B \fBhost\fP
-.sp
 If the server principal is a host\-based principal, its hostname
 component is converted to lower case and matched against \fIvalue\fP,
 which may be a pattern using shell wildcards.
@@ -105,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 9f82dc8db5..d2bcf3ebe1 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
-.SH SYNOPSIS
-.sp
-\fB~/.k5login\fP
 .SH DESCRIPTION
 .sp
 The .k5login file, which resides in a user\(aqs home directory, contains
@@ -89,6 +86,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index e20d7758f3..083f4852dd 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -44,12 +44,10 @@ a keytab or to add new keys to the keytab.
 .INDENT 0.0
 .TP
 .B \fBlist\fP
-.sp
 Lists the keys in a keytab showing version number and principal
 name.
 .TP
 .B \fBchange\fP
-.sp
 Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
@@ -61,7 +59,6 @@ If the \fB\-k\fP option is given, the old and new keys will be
 displayed.
 .TP
 .B \fBdelold\fP
-.sp
 Deletes keys that are not the most recent version from the keytab.
 This operation should be used some time after a change operation
 to remove old keys, after existing tickets issued for the service
@@ -69,7 +66,6 @@ have expired.  If the \fB\-i\fP flag is given, then k5srvutil will
 prompt for confirmation for each principal.
 .TP
 .B \fBdelete\fP
-.sp
 Deletes particular keys in the keytab, interactively prompting for
 each key.
 .UNINDENT
@@ -85,6 +81,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 6ab1a18a23..cc2e97d930 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -79,30 +79,25 @@ kadmin.local can be run on any host which can access the LDAP server.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Use \fIrealm\fP as the default database realm.
 .TP
 .B \fB\-p\fP \fIprincipal\fP
-.sp
 Use \fIprincipal\fP to authenticate.  Otherwise, kadmin will append
 \fB/admin\fP to the primary principal name of the default ccache,
 the value of the \fBUSER\fP environment variable, or the username as
 obtained with getpwuid, in order of preference.
 .TP
 .B \fB\-k\fP
-.sp
 Use a keytab to decrypt the KDC response instead of prompting for
 a password.  In this case, the default principal will be
 \fBhost/hostname\fP.  If there is no keytab specified with the
 \fB\-t\fP option, then the default keytab will be used.
 .TP
 .B \fB\-t\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP to decrypt the KDC response.  This can only be used
 with the \fB\-k\fP option.
 .TP
 .B \fB\-n\fP
-.sp
 Requests anonymous processing.  Two types of anonymous principals
 are supported.  For fully anonymous Kerberos, configure PKINIT on
 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
@@ -118,7 +113,6 @@ principal.  As of release 1.8, the MIT Kerberos KDC only supports
 fully anonymous operation.
 .TP
 .B \fB\-c\fP \fIcredentials_cache\fP
-.sp
 Use \fIcredentials_cache\fP as the credentials cache.  The
 cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
@@ -128,163 +122,67 @@ requests a new service ticket from the KDC, and stores it in its
 own temporary ccache.
 .TP
 .B \fB\-w\fP \fIpassword\fP
-.sp
 Use \fIpassword\fP instead of prompting for one.  Use this option with
 care, as it may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-q\fP \fIquery\fP
-.sp
 Perform the specified query and then exit.  This can be useful for
 writing scripts.
 .TP
 .B \fB\-d\fP \fIdbname\fP
-.sp
 Specifies the name of the KDC database.  This option does not
 apply to the LDAP database module.
 .TP
 .B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
-.sp
 Specifies the admin server which kadmin should contact.
 .TP
 .B \fB\-m\fP
-.sp
 If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
 .B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-.sp
 Sets the list of encryption types and salt types to be used for
 any new keys created.  See \fIEncryption_and_salt_types\fP in
 \fIkdc.conf(5)\fP for a list of possible values.
 .TP
 .B \fB\-O\fP
-.sp
 Force use of old AUTH_GSSAPI authentication flavor.
 .TP
 .B \fB\-N\fP
-.sp
 Prevent fallback to AUTH_GSSAPI authentication flavor.
 .TP
 .B \fB\-x\fP \fIdb_args\fP
-.sp
 Specifies the database specific arguments.  Options supported for
 the LDAP database module are:
 .INDENT 7.0
 .TP
 .B \fB\-x host=\fP\fIhostname\fP
-.sp
-specifies the LDAP server to connect to by a LDAP URI.
+Specifies the LDAP server to connect to by a LDAP URI.
 .TP
 .B \fB\-x binddn=\fP\fIbind_dn\fP
-.sp
-specifies the DN of the object used by the administration
+Specifies the DN of the object used by the administration
 server to bind to the LDAP server.  This object should have
 the read and write privileges on the realm container, the
 principal container, and the subtree that is referenced by the
 realm.
 .TP
 .B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
-specifies the password for the above mentioned binddn.  Using
+Specifies the password for the above mentioned binddn.  Using
 this option may expose the password to other users on the
 system via the process list; to avoid this, instead stash the
 password using the \fBstashsrvpw\fP command of
 \fIkdb5_ldap_util(8)\fP.
 .UNINDENT
 .UNINDENT
-.SH DATE FORMAT
-.sp
-Many of the kadmin commands take a duration or time as an
-argument. The date can appear in a wide variety of formats, such as:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-1 month ago
-2 hours ago
-400000 seconds ago
-last year
-this Monday
-next Monday
-yesterday
-tomorrow
-now
-second Monday
-fortnight ago
-3/31/92 10:00:07 PST
-January 23, 1987 10:05pm
-22:00 GMT
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Dates which do not have the "ago" specifier default to being absolute
-dates, unless they appear in a field where a duration is expected.  In
-that case the time specifier will be interpreted as relative.
-Specifying "ago" in a duration may result in unexpected behavior.
-.sp
-The following is a list of all of the allowable keywords.
-.TS
-center;
-|l|l|.
-_
-T{
-Months
-T}	T{
-january, jan, february, feb, march, mar, april, apr, may,
-june, jun, july, jul, august, aug, september, sep, sept,
-october, oct, november, nov, december, dec
-T}
-_
-T{
-Days
-T}	T{
-sunday, sun, monday, mon, tuesday, tues, tue, wednesday,
-wednes, wed, thursday, thurs, thur, thu, friday, fri,
-saturday, sat
-T}
-_
-T{
-Units
-T}	T{
-year, month, fortnight, week, day, hour, minute, min,
-second, sec
-T}
-_
-T{
-Relative
-T}	T{
-tomorrow, yesterday, today, now, last, this, next, first,
-second, third, fourth, fifth, sixth, seventh, eighth,
-ninth, tenth, eleventh, twelfth, ago
-T}
-_
-T{
-Time Zones
-T}	T{
-kadmin recognizes abbreviations for most of the world\(aqs
-time zones.
-T}
-_
-T{
-Meridians
-T}	T{
-am, pm
-T}
-_
-.TE
 .SH COMMANDS
 .sp
 When using the remote client, available commands may be restricted
-according to the privileges specified in the kadm5.acl file on the
-admin server.
+according to the privileges specified in the \fIkadm5.acl(5)\fP file
+on the admin server.
 .SS add_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
 .UNINDENT
 .UNINDENT
@@ -304,76 +202,62 @@ Options:
 .INDENT 0.0
 .TP
 .B \fB\-expire\fP \fIexpdate\fP
-.sp
-expiration date of the principal
+(\fIgetdate\fP string) The expiration date of the principal.
 .TP
 .B \fB\-pwexpire\fP \fIpwexpdate\fP
-.sp
-password expiration date
+(\fIgetdate\fP string) The password expiration date.
 .TP
 .B \fB\-maxlife\fP \fImaxlife\fP
-.sp
-maximum ticket life for the principal
+(\fIgetdate\fP string) The maximum ticket life for the principal.
 .TP
 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-.sp
-maximum renewable life of tickets for the principal
+(\fIgetdate\fP string) The maximum renewable life of tickets for
+the principal.
 .TP
 .B \fB\-kvno\fP \fIkvno\fP
-.sp
-initial key version number
+The initial key version number.
 .TP
 .B \fB\-policy\fP \fIpolicy\fP
-.sp
-password policy used by this principal.  If not specified, the
+The password policy used by this principal.  If not specified, the
 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
 is specified).
 .TP
 .B \fB\-clearpolicy\fP
-.sp
-prevents any policy from being assigned when \fB\-policy\fP is not
+Prevents any policy from being assigned when \fB\-policy\fP is not
 specified.
 .TP
 .B {\-|+}\fBallow_postdated\fP
-.sp
 \fB\-allow_postdated\fP prohibits this principal from obtaining
 postdated tickets.  \fB+allow_postdated\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_forwardable\fP
-.sp
 \fB\-allow_forwardable\fP prohibits this principal from obtaining
 forwardable tickets.  \fB+allow_forwardable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_renewable\fP
-.sp
 \fB\-allow_renewable\fP prohibits this principal from obtaining
 renewable tickets.  \fB+allow_renewable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_proxiable\fP
-.sp
 \fB\-allow_proxiable\fP prohibits this principal from obtaining
 proxiable tickets.  \fB+allow_proxiable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_dup_skey\fP
-.sp
 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
 principal by prohibiting this principal from obtaining a session
 key for another user.  \fB+allow_dup_skey\fP clears this flag.
 .TP
 .B {\-|+}\fBrequires_preauth\fP
-.sp
 \fB+requires_preauth\fP requires this principal to preauthenticate
 before being allowed to kinit.  \fB\-requires_preauth\fP clears this
 flag.
 .TP
 .B {\-|+}\fBrequires_hwauth\fP
-.sp
 \fB+requires_hwauth\fP requires this principal to preauthenticate
 using a hardware device before being allowed to kinit.
 \fB\-requires_hwauth\fP clears this flag.
 .TP
 .B {\-|+}\fBok_as_delegate\fP
-.sp
 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
 issued with this principal as the service.  Clients may use this
 flag as a hint that credentials should be delegated when
@@ -381,87 +265,71 @@ authenticating to the service.  \fB\-ok_as_delegate\fP clears this
 flag.
 .TP
 .B {\-|+}\fBallow_svr\fP
-.sp
 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
 principal.  \fB+allow_svr\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_tgs_req\fP
-.sp
 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
 request for a service ticket for this principal is not permitted.
 \fB+allow_tgs_req\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_tix\fP
-.sp
 \fB\-allow_tix\fP forbids the issuance of any tickets for this
 principal.  \fB+allow_tix\fP clears this flag.
 .TP
 .B {\-|+}\fBneedchange\fP
-.sp
 \fB+needchange\fP forces a password change on the next initial
 authentication to this principal.  \fB\-needchange\fP clears this
 flag.
 .TP
 .B {\-|+}\fBpassword_changing_service\fP
-.sp
 \fB+password_changing_service\fP marks this principal as a password
 change service principal.
 .TP
 .B \fB\-randkey\fP
-.sp
-sets the key of the principal to a random value
+Sets the key of the principal to a random value.
 .TP
 .B \fB\-pw\fP \fIpassword\fP
-.sp
-sets the password of the principal to the specified string and
+Sets the password of the principal to the specified string and
 does not prompt for a password.  Note: using this option in a
 shell script may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
-uses the specified list of enctype\-salttype pairs for setting the
+Uses the specified list of enctype\-salttype pairs for setting the
 key of the principal.
 .TP
 .B \fB\-x\fP \fIdb_princ_args\fP
-.sp
-indicates database\-specific options.  The options for the LDAP
+Indicates database\-specific options.  The options for the LDAP
 database module are:
 .INDENT 7.0
 .TP
 .B \fB\-x dn=\fP\fIdn\fP
-.sp
-specifies the LDAP object that will contain the Kerberos
+Specifies the LDAP object that will contain the Kerberos
 principal being created.
 .TP
 .B \fB\-x linkdn=\fP\fIdn\fP
-.sp
-specifies the LDAP object to which the newly created Kerberos
+Specifies the LDAP object to which the newly created Kerberos
 principal object will point.
 .TP
 .B \fB\-x containerdn=\fP\fIcontainer_dn\fP
-.sp
-specifies the container object under which the Kerberos
+Specifies the container object under which the Kerberos
 principal is to be created.
 .TP
 .B \fB\-x tktpolicy=\fP\fIpolicy\fP
-.sp
-associates a ticket policy to the Kerberos principal.
+Associates a ticket policy to the Kerberos principal.
 .UNINDENT
 .IP Note
 .INDENT 7.0
 .IP \(bu 2
-.
 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
 specified with the \fBdn\fP option.
 .IP \(bu 2
-.
 If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
 adding the principal, the principals are created under the
 principal container configured in the realm or the realm
 container.
 .IP \(bu 2
-.
 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
 principal container configured in the realm.
 .UNINDENT
@@ -488,7 +356,6 @@ kadmin:
 .SS modify_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -506,7 +373,6 @@ Options (in addition to the \fBaddprinc\fP options):
 .INDENT 0.0
 .TP
 .B \fB\-unlock\fP
-.sp
 Unlocks a locked principal (one which has received too many failed
 authentication attempts without enough time between them according
 to its password policy) so that it can successfully authenticate.
@@ -514,7 +380,6 @@ to its password policy) so that it can successfully authenticate.
 .SS rename_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
 .UNINDENT
 .UNINDENT
@@ -529,7 +394,6 @@ Alias: \fBrenprinc\fP
 .SS delete_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -543,7 +407,6 @@ Alias: \fBdelprinc\fP
 .SS change_password
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -561,22 +424,18 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-randkey\fP
-.sp
-Sets the key of the principal to a random value
+Sets the key of the principal to a random value.
 .TP
 .B \fB\-pw\fP \fIpassword\fP
-.sp
 Set the password to the specified string.  Using this option in a
 script may expose the password to other users on the system via
 the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
 Uses the specified list of enctype\-salttype pairs for setting the
 key of the principal.
 .TP
 .B \fB\-keepold\fP
-.sp
 Keeps the existing keys in the database.  This flag is usually not
 necessary except perhaps for \fBkrbtgt\fP principals.
 .UNINDENT
@@ -599,7 +458,6 @@ kadmin:
 .SS purgekeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -612,7 +470,6 @@ This command requires the \fBmodify\fP privilege.
 .SS get_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -660,7 +517,6 @@ kadmin:
 .SS list_principals
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_principals\fP [\fIexpression\fP]
 .UNINDENT
 .UNINDENT
@@ -696,13 +552,11 @@ kadmin:
 .SS get_strings
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_strings\fP \fIprincipal\fP
 .UNINDENT
 .UNINDENT
 .sp
-Displays string attributes on \fIprincipal\fP.  String attributes are used
-to supply per\-principal configuration to some KDC plugin modules.
+Displays string attributes on \fIprincipal\fP.
 .sp
 This command requires the \fBinquire\fP privilege.
 .sp
@@ -710,12 +564,21 @@ Alias: \fBgetstr\fP
 .SS set_string
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
 .UNINDENT
 .UNINDENT
 .sp
-Sets a string attribute on \fIprincipal\fP.
+Sets a string attribute on \fIprincipal\fP.  String attributes are used to
+supply per\-principal configuration to the KDC and some KDC plugin
+modules.  The following string attributes are recognized by the KDC:
+.INDENT 0.0
+.TP
+.B \fBsession_enctypes\fP
+Specifies the encryption types supported for session keys when the
+principal is authenticated to as a server.  See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values.
+.UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
 .sp
@@ -723,7 +586,6 @@ Alias: \fBsetstr\fP
 .SS del_string
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdel_string\fP \fIprincipal\fP \fIkey\fP
 .UNINDENT
 .UNINDENT
@@ -736,7 +598,6 @@ Alias: \fBdelstr\fP
 .SS add_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -751,47 +612,47 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-maxlife\fP \fItime\fP
-.sp
-sets the maximum lifetime of a password
+(\fIgetdate\fP string) Sets the maximum lifetime of a password.
 .TP
 .B \fB\-minlife\fP \fItime\fP
-.sp
-sets the minimum lifetime of a password
+(\fIgetdate\fP string) Sets the minimum lifetime of a password.
 .TP
 .B \fB\-minlength\fP \fIlength\fP
-.sp
-sets the minimum length of a password
+Sets the minimum length of a password.
 .TP
 .B \fB\-minclasses\fP \fInumber\fP
-.sp
-sets the minimum number of character classes required in a
+Sets the minimum number of character classes required in a
 password.  The five character classes are lower case, upper case,
 numbers, punctuation, and whitespace/unprintable characters.
 .TP
 .B \fB\-history\fP \fInumber\fP
-.sp
-sets the number of past keys kept for a principal.  This option is
+Sets the number of past keys kept for a principal.  This option is
 not supported with the LDAP KDC database module.
 .TP
 .B \fB\-maxfailure\fP \fImaxnumber\fP
-.sp
-sets the maximum number of authentication failures before the
+Sets the maximum number of authentication failures before the
 principal is locked.  Authentication failures are only tracked for
 principals which require preauthentication.
 .TP
 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
-.sp
-sets the allowable time between authentication failures.  If an
-authentication failure happens after \fIfailuretime\fP has elapsed
-since the previous failure, the number of authentication failures
-is reset to 1.
+(\fIgetdate\fP string) Sets the allowable time between
+authentication failures.  If an authentication failure happens
+after \fIfailuretime\fP has elapsed since the previous failure,
+the number of authentication failures is reset to 1.
 .TP
 .B \fB\-lockoutduration\fP \fIlockouttime\fP
-.sp
-sets the duration for which the principal is locked from
-authenticating if too many authentication failures occur without
-the specified failure count interval elapsing.  A duration of 0
-means forever.
+(\fIgetdate\fP string) Sets the duration for which the principal
+is locked from authenticating if too many authentication failures
+occur without the specified failure count interval elapsing.
+A duration of 0 means forever.
+.TP
+.B \fB\-allowedkeysalts\fP
+Specifies the key/salt tuples supported for long\-term keys when
+setting or changing a principal\(aqs password/keys.  See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values, but note that key/salt tuples must be
+separated with commas (\(aq,\(aq) only.  To clear the allowed key/salt
+policy use a value of \(aq\-\(aq.
 .UNINDENT
 .sp
 Example:
@@ -809,7 +670,6 @@ kadmin:
 .SS modify_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -823,7 +683,6 @@ Alias: \fBmodpol\fP
 .SS delete_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -853,7 +712,6 @@ kadmin:
 .SS get_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -895,7 +753,6 @@ meaningful.
 .SS list_policies
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_policies\fP [\fIexpression\fP]
 .UNINDENT
 .UNINDENT
@@ -933,8 +790,11 @@ kadmin:
 .SS ktadd
 .INDENT 0.0
 .INDENT 3.5
+.nf
+\fBktadd\fP [options] \fIprincipal\fP
+\fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
+.fi
 .sp
-\fBktadd\fP [[\fIprincipal\fP|\fB\-glob\fP \fIprinc\-exp\fP]
 .UNINDENT
 .UNINDENT
 .sp
@@ -944,27 +804,23 @@ The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
 command.
 .sp
 This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
-With the \fB\-glob\fP option, it also requires the \fBlist\fP privilege.
+With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
 .sp
 The options are:
 .INDENT 0.0
 .TP
 .B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
 Use the specified list of enctype\-salttype pairs for setting the
 new keys of the principal.
 .TP
 .B \fB\-q\fP
-.sp
 Display less verbose information.
 .TP
 .B \fB\-norandkey\fP
-.sp
 Do not randomize the keys. The keys and their version numbers stay
 unchanged.  This option is only available in kadmin.local, and
 cannot be specified in combination with the \fB\-e\fP option.
@@ -992,8 +848,7 @@ kadmin:
 .SS ktremove
 .INDENT 0.0
 .INDENT 3.5
-.sp
-\fBktremove\fP \fIprincipal\fP [\fIkvno\fP|\fIall\fP| \fIold\fP]
+\fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
 .UNINDENT
 .UNINDENT
 .sp
@@ -1010,12 +865,10 @@ The options are:
 .INDENT 0.0
 .TP
 .B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-q\fP
-.sp
 Display less verbose information.
 .UNINDENT
 .sp
@@ -1060,6 +913,6 @@ interface to the OpenVision Kerberos administration program.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 83167996e8..51bcaebb7e 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -39,6 +39,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-nofork\fP]
 [\fB\-port\fP \fIport\-number\fP]
 [\fB\-P\fP \fIpid_file\fP]
+[\fB\-p\fP \fIkdb5_util_path\fP]
+[\fB\-K\fP \fIkprop_path\fP]
+[\fB\-F\fP \fIdump_file\fP]
 .SH DESCRIPTION
 .sp
 kadmind starts the Kerberos administration server.  kadmind typically
@@ -53,23 +56,17 @@ for it to work:
 .INDENT 0.0
 .TP
 .B \fIkdc.conf(5)\fP
-.sp
 The KDC configuration file contains configuration information for
 the KDC and admin servers.  kadmind uses settings in this file to
 locate the Kerberos database, and is also affected by the
 \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
 settings.
 .TP
-.B ACL file
-.
+.B \fIkadm5.acl(5)\fP
 kadmind\(aqs ACL (access control list) tells it which principals are
 allowed to perform administration actions.  The pathname to the
-ACL file can be specified with the \fBacl_file\fP kdc.conf variable;
-by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.  The syntax of the ACL
-file is specified in the ACL FILE SYNTAX section below.
-.sp
-If the kadmind ACL file is modified, the kadmind daemon needs to
-be restarted for changes to take effect.
+ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
+variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
 .UNINDENT
 .sp
 After the server begins running, it puts itself in the background and
@@ -87,38 +84,44 @@ registered in the database.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 specifies the realm that kadmind will serve; if it is not
 specified, the default realm of the host is used.
 .TP
 .B \fB\-m\fP
-.sp
 causes the master database password to be fetched from the
 keyboard (before the server puts itself in the background, if not
 invoked with the \fB\-nofork\fP option) rather than from a file on
 disk.
 .TP
 .B \fB\-nofork\fP
-.sp
 causes the server to remain in the foreground and remain
 associated to the terminal.  In normal operation, you should allow
 the server to place itself in the background.
 .TP
 .B \fB\-port\fP \fIport\-number\fP
-.sp
 specifies the port on which the administration server listens for
 connections.  The default port is determined by the
 \fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-P\fP \fIpid_file\fP
-.sp
 specifies the file to which the PID of kadmind process should be
 written after it starts up.  This file can be used to identify
 whether kadmind is still running and to allow init scripts to stop
 the correct process.
 .TP
+.B \fB\-p\fP \fIkdb5_util_path\fP
+specifies the path to the kdb5_util command to use when dumping the
+KDB in response to full resync requests when iprop is enabled.
+.TP
+.B \fB\-K\fP \fIkprop_path\fP
+specifies the path to the kprop command to use to send full dumps
+to slaves in response to full resync requests.
+.TP
+.B \fB\-F\fP \fIdump_file\fP
+specifies the file path to be used for dumping the KDB in response
+to full resync requests when iprop is enabled.
+.TP
 .B \fB\-x\fP \fIdb_args\fP
-.sp
 specifies database\-specific arguments.
 .sp
 Options supported for LDAP database are:
@@ -127,16 +130,13 @@ Options supported for LDAP database are:
 .INDENT 0.0
 .TP
 .B \fB\-x nconns=\fP\fInumber_of_connections\fP
-.sp
 specifies the number of connections to be maintained per
 LDAP server.
 .TP
 .B \fB\-x host=\fP\fIldapuri\fP
-.sp
 specifies the LDAP server to connect to by URI.
 .TP
 .B \fB\-x binddn=\fP\fIbinddn\fP
-.sp
 specifies the DN of the object used by the administration
 server to bind to the LDAP server.  This object should
 have read and write privileges on the realm container, the
@@ -144,7 +144,6 @@ principal container, and the subtree that is referenced by
 the realm.
 .TP
 .B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
 specifies the password for the above mentioned binddn.
 Using this option may expose the password to other users
 on the system via the process list; to avoid this, instead
@@ -154,149 +153,13 @@ stash the password using the \fBstashsrvpw\fP command of
 .UNINDENT
 .UNINDENT
 .UNINDENT
-.SH ACL FILE SYNTAX
-.sp
-The ACL file controls which principals can or cannot perform which
-administrative functions.  For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals.  Empty lines and lines starting with the sharp sign
-(\fB#\fP) are ignored.  Lines containing ACL entries have the format:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-principal operation\-mask [operation\-target]
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Ordering is important.  The first matching entry will control access
-for an actor principal on a target principal.
-.INDENT 0.0
-.TP
-.B \fIprincipal\fP
-.sp
-may specify a partially or fully qualified Kerberos version 5
-principal name.  Each component of the name may be wildcarded
-using the \fB*\fP character.
-.TP
-.B \fIoperation\-target\fP
-.sp
-[Optional] may specify a partially or fully qualified Kerberos
-version 5 principal name.  Each component of the name may be
-wildcarded using the \fB*\fP character.
-.TP
-.B \fIoperation\-mask\fP
-.sp
-Specifies what operations may or may not be performed by a
-principal matching a particular entry.  This is a string of one or
-more of the following list of characters or their upper\-case
-counterparts.  If the character is upper\-case, then the operation
-is disallowed.  If the character is lower\-case, then the operation
-is permitted.
-.TS
-center;
-|l|l|.
-_
-T{
-a
-T}	T{
-[Dis]allows the addition of principals or policies
-T}
-_
-T{
-d
-T}	T{
-[Dis]allows the deletion of principals or policies
-T}
-_
-T{
-m
-T}	T{
-[Dis]allows the modification of principals or policies
-T}
-_
-T{
-c
-T}	T{
-[Dis]allows the changing of passwords for principals
-T}
-_
-T{
-i
-T}	T{
-[Dis]allows inquiries about principals or policies
-T}
-_
-T{
-l
-T}	T{
-[Dis]allows the listing of principals or policies
-T}
-_
-T{
-p
-T}	T{
-[Dis]allows the propagation of the principal database
-T}
-_
-T{
-x
-T}	T{
-Short for admcil.
-T}
-_
-T{
-*
-T}	T{
-Same as x.
-T}
-_
-.TE
-.sp
-Some examples of valid entries here are:
-.INDENT 7.0
-.TP
-.B \fBuser/instance@realm adm\fP
-.sp
-A standard fully qualified name.  The \fIoperation\-mask\fP only
-applies to this principal and specifies that [s]he may add,
-delete, or modify principals and policies, but not change
-anybody else\(aqs password.
-.TP
-.B \fBuser/instance@realm cim service/instance@realm\fP
-.sp
-A standard fully qualified name and a standard fully qualified
-target.  The \fIoperation\-mask\fP only applies to this principal
-operating on this target and specifies that [s]he may change
-the target\(aqs password, request information about the target,
-and modify it.
-.TP
-.B \fBuser/*@realm ac\fP
-.sp
-A wildcarded name.  The \fIoperation\-mask\fP applies to all
-principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may add principals and
-change anybody\(aqs password.
-.TP
-.B \fBuser/*@realm i */instance@realm\fP
-.sp
-A wildcarded name and target.  The \fIoperation\-mask\fP applies to
-all principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may perform inquiries on
-principals whose second component is \fBinstance\fP and realm is
-\fBrealm\fP.
-.UNINDENT
-.UNINDENT
 .SH SEE ALSO
 .sp
 \fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP,
-\fIkdb5_ldap_util(8)\fP
+\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 043d768f60..4f1e6bac96 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -45,17 +45,14 @@ services and ticket policies.
 .INDENT 0.0
 .TP
 .B \fB\-D\fP \fIuser_dn\fP
-.sp
 Specifies the Distinguished Name (DN) of the user who has
 sufficient rights to perform the operation on the LDAP server.
 .TP
 .B \fB\-w\fP \fIpasswd\fP
-.sp
 Specifies the password of \fIuser_dn\fP.  This option is not
 recommended.
 .TP
 .B \fB\-H\fP \fIldapuri\fP
-.sp
 Specifies the URI of the LDAP server.  It is recommended to use
 \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
 .UNINDENT
@@ -63,7 +60,6 @@ Specifies the URI of the LDAP server.  It is recommended to use
 .SS create
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate\fP
 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
 [\fB\-sscope\fP \fIsearch_scope\fP]
@@ -73,8 +69,6 @@ Specifies the URI of the LDAP server.  It is recommended to use
 [\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
 [\fB\-s\fP]
 [\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP]
-[\fB\-admindn\fP \fIadmin_service_list\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
 [\fIticket_flags\fP]
@@ -85,68 +79,56 @@ Creates realm in directory. Options:
 .INDENT 0.0
 .TP
 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).
 .TP
 .B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
 Specifies the scope for searching the principals under the
 subtree.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP
-.sp
 Specifies the DN of the container object in which the principals
 of a realm will be created.  If the container reference is not
 configured for a realm, the principals will be created in the
 realm container.
 .TP
 .B \fB\-k\fP \fImkeytype\fP
-.sp
 Specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
 \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
-.sp
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
 .B \fB\-m\fP
-.sp
 Specifies that the master database password should be read from
 the TTY rather than fetched from a file on the disk.
 .TP
 .B \fB\-P\fP \fIpassword\fP
-.sp
 Specifies the master database password. This option is not
 recommended.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-sf\fP \fIstashfilename\fP
-.sp
 Specifies the stash file of the master database password.
 .TP
 .B \fB\-s\fP
-.sp
 Specifies that the stash file is to be created.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
 \fIkadmin(1)\fP.
@@ -173,14 +155,11 @@ Re\-enter KDC database master key to verify:
 .SS modify
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify\fP
 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
 [\fB\-sscope\fP \fIsearch_scope\fP]
 [\fB\-containerref\fP \fIcontainer_reference_dn\fP]
 [\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]]
-[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
 [\fIticket_flags\fP]
@@ -191,37 +170,31 @@ Modifies the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).  This list replaces the existing list.
 .TP
 .B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
 Specifies the scope for searching the principals under the
 subtrees.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
-.sp
 container object in which the principals of a realm will be
 created.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
 \fIkadmin(1)\fP.
@@ -245,7 +218,6 @@ shell%
 .SS view
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBview\fP [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
 .UNINDENT
@@ -254,7 +226,6 @@ Displays the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -281,7 +252,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 .SS destroy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
 .UNINDENT
@@ -290,11 +260,9 @@ Destroys an existing realm. Options:
 .INDENT 0.0
 .TP
 .B \fB\-f\fP
-.sp
 If specified, will not prompt the user for confirmation.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -318,7 +286,6 @@ shell%
 .SS list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist\fP
 .UNINDENT
 .UNINDENT
@@ -345,7 +312,6 @@ shell%
 .SS stashsrvpw
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBstashsrvpw\fP
 [\fB\-f\fP \fIfilename\fP]
 \fIservicedn\fP
@@ -358,12 +324,10 @@ to the LDAP server.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-f\fP \fIfilename\fP
-.sp
 Specifies the complete path of the service password file. By
 default, \fB/usr/local/var/service_passwd\fP is used.
 .TP
 .B \fIservicedn\fP
-.sp
 Specifies Distinguished Name (DN) of the service object whose
 password is to be stored in file.
 .UNINDENT
@@ -385,7 +349,6 @@ Re\-enter password for "cn=service\-kdc,o=org":
 .SS create_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -399,26 +362,23 @@ Creates a ticket policy in the directory.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies the ticket flags.  If this option is not specified, by
 default, no restriction will be set by the policy.  Allowable
 flags are documented in the description of the \fBadd_principal\fP
 command in \fIkadmin(1)\fP.
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -440,7 +400,6 @@ Password for "cn=admin,o=org":
 .SS modify_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -471,7 +430,6 @@ Password for "cn=admin,o=org":
 .SS view_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBview_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 \fIpolicy_name\fP
@@ -482,7 +440,6 @@ Displays the attributes of a ticket policy.  Options:
 .INDENT 0.0
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -506,7 +463,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 .SS destroy_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-force\fP]
@@ -518,16 +474,13 @@ Destroys an existing ticket policy.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-force\fP
-.sp
 Forces the deletion of the policy object.  If not specified, the
 user will be prompted for confirmation before deleting the policy.
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -550,7 +503,6 @@ This will delete the policy object \(aqtktpolicy\(aq, are you sure?
 .SS list_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
@@ -561,7 +513,6 @@ realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -587,6 +538,6 @@ userpolicy
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index b35513886b..b89ed00c88 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -59,46 +59,38 @@ commands.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 specifies the Kerberos realm of the database.
 .TP
 .B \fB\-d\fP \fIdbname\fP
-.sp
 specifies the name under which the principal database is stored;
 by default the database is that listed in \fIkdc.conf(5)\fP.  The
 password policy database and lock files are also derived from this
 value.
 .TP
 .B \fB\-k\fP \fImkeytype\fP
-.sp
 specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
 \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
-.sp
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
 .B \fB\-M\fP \fImkeyname\fP
-.sp
 principal name for the master key in the database.  If not
 specified, the name is determined by the \fBmaster_key_name\fP
 variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-m\fP
-.sp
 specifies that the master database password should be read from
 the keyboard rather than fetched from a file on disk.
 .TP
 .B \fB\-sf\fP \fIstash_file\fP
-.sp
 specifies the stash filename of the master database password.  If
 not specified, the filename is determined by the
 \fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-P\fP \fIpassword\fP
-.sp
 specifies the master database password.  Using this option may
 expose the password to other users on the system via the process
 list.
@@ -107,7 +99,6 @@ list.
 .SS create
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate\fP [\fB\-s\fP]
 .UNINDENT
 .UNINDENT
@@ -119,7 +110,6 @@ if it had already existed when the program was first run.
 .SS destroy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy\fP [\fB\-f\fP]
 .UNINDENT
 .UNINDENT
@@ -130,17 +120,16 @@ the \fB\-f\fP argument, does not prompt the user.
 .SS stash
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
 .UNINDENT
 .UNINDENT
 .sp
 Stores the master principal\(aqs keys in a stash file.  The \fB\-f\fP
-argument can be used to override the \fIkeyfile\fP specified at startup.
+argument can be used to override the \fIkeyfile\fP specified in
+\fIkdc.conf(5)\fP.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdump\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
 [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP]
 [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
@@ -154,55 +143,50 @@ load_dump version 6".  If filename is not specified, or is the string
 .INDENT 0.0
 .TP
 .B \fB\-old\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
 format ("kdb5_edit load_dump version 2.0").
 .TP
 .B \fB\-b6\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
 load_dump version 3.0").
 .TP
 .B \fB\-b7\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
 load_dump version 4").  This was the dump format produced on
 releases prior to 1.2.2.
 .TP
 .B \fB\-ov\fP
-.sp
 causes the dump to be in "ovsec_adm_export" format.
 .TP
 .B \fB\-r13\fP
-.sp
 causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
 releases prior to 1.8.
 .TP
+.B \fB\-r18\fP
+causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6").  This was the dump format produced on
+releases prior to 1.11.
+.TP
 .B \fB\-verbose\fP
-.sp
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
 .B \fB\-mkey_convert\fP
-.sp
 prompts for a new master key.  This new master key will be used to
 re\-encrypt principal key data in the dumpfile.  The principal keys
 themselves will not be changed.
 .TP
 .B \fB\-new_mkey_file\fP \fImkey_file\fP
-.sp
 the filename of a stash file.  The master key in this stash file
 will be used to re\-encrypt the key data in the dumpfile.  The key
 data in the database will not be changed.
 .TP
 .B \fB\-rev\fP
-.sp
 dumps in reverse order.  This may recover principals that do not
 dump normally, in cases where database corruption has occurred.
 .TP
 .B \fB\-recurse\fP
-.sp
 causes the dump to walk the database recursively (btree only).
 This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
@@ -212,7 +196,6 @@ than the \fB\-rev\fP option will.
 .SS load
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBload\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
 [\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
 .UNINDENT
@@ -230,39 +213,42 @@ Options:
 .INDENT 0.0
 .TP
 .B \fB\-old\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 5 and earlier
 format ("kdb5_edit load_dump version 2.0").
 .TP
 .B \fB\-b6\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 6 format
 ("kdb5_edit load_dump version 3.0").
 .TP
 .B \fB\-b7\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 7 format
 ("kdb5_util load_dump version 4").
 .TP
 .B \fB\-ov\fP
-.sp
 requires the database to be in "ovsec_adm_import" format.  Must be
 used with the \fB\-update\fP option.
 .TP
+.B \fB\-r13\fP
+requires the database to be in Kerberos 5 1.3 format ("kdb5_util
+load_dump version 5").  This was the dump format produced on
+releases prior to 1.8.
+.TP
+.B \fB\-r18\fP
+requires the database to be in Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6").  This was the dump format produced on
+releases prior to 1.11.
+.TP
 .B \fB\-hash\fP
-.sp
 requires the database to be stored as a hash.  If this option is
 not specified, the database will be stored as a btree.  This
 option is not recommended, as databases stored in hash format are
 known to corrupt data and lose principals.
 .TP
 .B \fB\-verbose\fP
-.sp
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
 .B \fB\-update\fP
-.sp
 records from the dump file are added to or updated in the existing
 database.  (This is useful in conjunction with an ovsec_adm_export
 format dump if you want to preserve per\-principal policy
@@ -277,7 +263,6 @@ line or the default.
 .SS ark
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -289,7 +274,6 @@ salt types to be used for the new keys.
 .SS add_mkey
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP]
 .UNINDENT
 .UNINDENT
@@ -309,7 +293,6 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
 .SS use_mkey
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP]
 .UNINDENT
 .UNINDENT
@@ -318,8 +301,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP.
 Once a master key becomes active, it will be used to encrypt newly
 created principal keys.  If no \fItime\fP argument is given, the current
 time is used, causing the specified master key version to become
-active immediately.  The format of \fItime\fP is specified in the
-\fIdate_format\fP section of the \fIkadmin(1)\fP man page.
+active immediately.  The format for \fItime\fP is \fIgetdate\fP string.
 .sp
 After a new master key becomes active, the kdb5_util
 \fBupdate_princ_encryption\fP command can be used to update all
@@ -327,7 +309,6 @@ principal keys to be encrypted in the new master key.
 .SS list_mkeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_mkeys\fP
 .UNINDENT
 .UNINDENT
@@ -339,7 +320,6 @@ each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP.  A
 .SS purge_mkeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
 .UNINDENT
 .UNINDENT
@@ -350,22 +330,18 @@ keys all principal keys are protected by a newer master key.
 .INDENT 0.0
 .TP
 .B \fB\-f\fP
-.sp
 does not prompt for confirmation.
 .TP
 .B \fB\-n\fP
-.sp
 performs a dry run, showing master keys that would be purged, but
 not actually purging any keys.
 .TP
 .B \fB\-v\fP
-.sp
 gives more verbose output.
 .UNINDENT
 .SS update_princ_encryption
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
 [\fIprinc\-pattern\fP]
 .UNINDENT
@@ -386,6 +362,6 @@ showing the actions which would have been taken.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 9cbf09bc81..c82119032e 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .sp
 The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
@@ -39,6 +39,9 @@ Relations documented here may also be specified in krb5.conf.
 Normally, the kdc.conf file is found in the KDC state directory,
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP.  You can override the default location by setting the
 environment variable \fBKRB5_KDC_PROFILE\fP.
+.sp
+Please note that you need to restart the KDC daemon for any configuration
+changes to take effect.
 .SH STRUCTURE
 .sp
 The kdc.conf file is set up in the same format as the
@@ -63,12 +66,6 @@ Realm\-specific database configuration and settings
 T}
 _
 T{
-\fI\%[logging]\fP
-T}	T{
-Controls how Kerberos daemons perform logging
-T}
-_
-T{
 \fI\%[dbdefaults]\fP
 T}	T{
 Default database settings
@@ -80,6 +77,12 @@ T}	T{
 Per\-database settings
 T}
 _
+T{
+\fI\%[logging]\fP
+T}	T{
+Controls how Kerberos daemons perform logging
+T}
+_
 .TE
 .SS [kdcdefaults]
 .sp
@@ -89,53 +92,44 @@ subsection does not contain a relation for the tag.  See the
 \fI\%[realms]\fP section for the definitions of these relations.
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBhost_based_services\fP
 .IP \(bu 2
-.
 \fBkdc_ports\fP
 .IP \(bu 2
-.
 \fBkdc_tcp_ports\fP
 .IP \(bu 2
-.
 \fBno_host_referral\fP
 .IP \(bu 2
-.
 \fBrestrict_anonymous_to_tgt\fP
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fBkdc_max_dgram_reply_size\fP
-.sp
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
 .UNINDENT
 .SS [realms]
 .sp
-Each tag in the [realms] section of the file names a Kerberos realm.
-The value of the tag is a subsection where the relations in that
-subsection define KDC parameters for that particular realm.
+Each tag in the [realms] section is the name of a Kerberos realm.
+The value of the tag is a subsection where the relations define KDC
+parameters for that particular realm.
 .sp
-For each realm, the following tags may be specified in the [realms]
-subsection:
+For each realm, the following tags may be specified:
 .INDENT 0.0
 .TP
 .B \fBacl_file\fP
-.sp
 (String.)  Location of the access control list file that
 \fIkadmind(8)\fP uses to determine which principals are allowed
-which permissions on the database.  The default value is
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
+which permissions on the Kerberos database.  The default value is
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.  For more information on Kerberos ACL
+file see \fIkadm5.acl(5)\fP.
 .TP
 .B \fBdatabase_module\fP
-.sp
 This relation indicates the name of the configuration section
 under \fI\%[dbmodules]\fP for database specific parameters used by
 the loadable database library.
 .TP
 .B \fBdatabase_name\fP
-.sp
 (String.)  This string specifies the location of the Kerberos
 database for this realm, if the DB2 back\-end is being used.  If a
 \fBdatabase_module\fP is specified for the realm and the
@@ -144,13 +138,11 @@ value will take precedence over this one.  The default value is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdefault_principal_expiration\fP
-.sp
-(Absolute time string.)  Specifies the default expiration date of
+(\fIabstime\fP string.)  Specifies the default expiration date of
 principals created in this realm.  The default value is 0, which
 means no expiration date.
 .TP
 .B \fBdefault_principal_flags\fP
-.sp
 (Flag string.)  Specifies the default attributes of principals
 created in this realm.  The format for this string is a
 comma\-separated list of flags, with \(aq+\(aq before each flag that
@@ -163,69 +155,57 @@ There are a number of possible flags:
 .INDENT 7.0
 .TP
 .B \fBallow\-tickets\fP
-.sp
 Enabling this flag means that the KDC will issue tickets for
 this principal.  Disabling this flag essentially deactivates
 the principal within this realm.
 .TP
 .B \fBdup\-skey\fP
-.sp
 Enabling this flag allows the principal to obtain a session
 key for another user, permitting user\-to\-user authentication
 for this principal.
 .TP
 .B \fBforwardable\fP
-.sp
 Enabling this flag allows the principal to obtain forwardable
 tickets.
 .TP
 .B \fBhwauth\fP
-.sp
 If this flag is enabled, then the principal is required to
 preauthenticate using a hardware device before receiving any
 tickets.
 .TP
 .B \fBno\-auth\-data\-required\fP
-.sp
-Enabling this flag prvents PAC data from being added to the
-service tickets.
+Enabling this flag prevents PAC data from being added to
+service tickets for the principal.
 .TP
 .B \fBok\-as\-delegate\fP
-.sp
 If this flag is enabled, it hints the client that credentials
 can and should be delegated when authenticating to the
 service.
 .TP
 .B \fBok\-to\-auth\-as\-delegate\fP
-.sp
-Enabling this flag allows the principal to use S4USelf ticket.
+Enabling this flag allows the principal to use S4USelf tickets.
 .TP
 .B \fBpostdateable\fP
-.sp
 Enabling this flag allows the principal to obtain postdateable
 tickets.
 .TP
 .B \fBpreauth\fP
-.sp
 If this flag is enabled on a client principal, then that
 principal is required to preauthenticate to the KDC before
 receiving any tickets.  On a service principal, enabling this
 flag means that service tickets for this principal will only
 be issued to clients with a TGT that has the preauthenticated
-ticket set.
+bit set.
 .TP
 .B \fBproxiable\fP
-.sp
 Enabling this flag allows the principal to obtain proxy
 tickets.
 .TP
 .B \fBpwchange\fP
-.sp
 Enabling this flag forces a password change for this
 principal.
 .TP
 .B \fBpwservice\fP
-.sp
 If this flag is enabled, it marks this principal as a password
 change service.  This should only be used in special cases,
 for example, if a user\(aqs password has expired, then the user
@@ -234,60 +214,56 @@ the normal password authentication in order to be able to
 change the password.
 .TP
 .B \fBrenewable\fP
-.sp
 Enabling this flag allows the principal to obtain renewable
 tickets.
 .TP
 .B \fBservice\fP
-.sp
 Enabling this flag allows the the KDC to issue service tickets
 for this principal.
 .TP
 .B \fBtgt\-based\fP
-.sp
 Enabling this flag allows a principal to obtain tickets based
 on a ticket\-granting\-ticket, rather than repeating the
 authentication process that was used to obtain the TGT.
 .UNINDENT
 .TP
 .B \fBdict_file\fP
-.sp
 (String.)  Location of the dictionary file containing strings that
 are not allowed as passwords.  If none is specified or if there is
 no policy assigned to the principal, no dictionary checks of
 passwords will be performed.
 .TP
 .B \fBhost_based_services\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
 not marked as host\-based by the client.
 .TP
 .B \fBiprop_enable\fP
-.sp
 (Boolean value.)  Specifies whether incremental database
 propagation is enabled.  The default value is false.
 .TP
 .B \fBiprop_master_ulogsize\fP
-.sp
 (Integer.)  Specifies the maximum number of log entries to be
 retained for incremental propagation.  The maximum value is 2500;
 the default value is 1000.
 .TP
 .B \fBiprop_slave_poll\fP
-.sp
 (Delta time string.)  Specifies how often the slave KDC polls for
 new updates from the master.  The default value is \fB2m\fP (that
 is, two minutes).
 .TP
 .B \fBiprop_port\fP
-.sp
 (Port number.)  Specifies the port number to be used for
 incremental propagation.  This is required in both master and
 slave configuration files.
 .TP
+.B \fBiprop_resync_timeout\fP
+(Delta time string.)  Specifies the amount of time to wait for a
+full propagation to complete.  This is optional in configuration
+files, and is used by slave KDCs only.  The default value is 5
+minutes (\fB5m\fP).
+.TP
 .B \fBiprop_logfile\fP
-.sp
 (File name.)  Specifies where the update log file for the realm
 database is to be stored.  The default is to use the
 \fBdatabase_name\fP entry from the realms section of the krb5 config
@@ -299,18 +275,15 @@ back end is being used, or the file name is specified in the
 default value will not use values from the [dbmodules] section.)
 .TP
 .B \fBkadmind_port\fP
-.sp
 (Port number.)  Specifies the port on which the \fIkadmind(8)\fP
 daemon is to listen for this realm.  The assigned port for kadmind
-is 749.
+is 749, which is used by default.
 .TP
 .B \fBkey_stash_file\fP
-.sp
 (String.)  Specifies the location where the master key has been
 stored (via kdb5_util stash).  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
 .TP
 .B \fBkdc_ports\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for UDP requests, as a
 comma\-separated list of integers.  The default value is
@@ -318,7 +291,6 @@ comma\-separated list of integers.  The default value is
 historically used by Kerberos V4.
 .TP
 .B \fBkdc_tcp_ports\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for TCP connections, as a
 comma\-separated list of integers.  If this relation is not
@@ -330,38 +302,39 @@ has little protection against denial\-of\-service attacks), the
 standard port number assigned for Kerberos TCP traffic is port 88.
 .TP
 .B \fBmaster_key_name\fP
-.sp
 (String.)  Specifies the name of the principal associated with the
 master key.  The default is \fBK/M\fP.
 .TP
 .B \fBmaster_key_type\fP
-.sp
 (Key type string.)  Specifies the master key\(aqs key type.  The
 default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP.  For a list of all possible
 values, see \fI\%Encryption and salt types\fP.
 .TP
 .B \fBmax_life\fP
-.sp
-(Delta time string.)  Specifies the maximum time period for which
-a ticket may be valid in this realm.  The default value is 24
-hours.
+(\fIduration\fP string.)  Specifies the maximum time period for
+which a ticket may be valid in this realm.  The default value is
+24 hours.
 .TP
 .B \fBmax_renewable_life\fP
-.sp
-(Delta time string.)  Specifies the maximum time period during
-which a valid ticket may be renewed in this realm.  The default
-value is 0.
+(\fIduration\fP string.)  Specifies the maximum time period
+during which a valid ticket may be renewed in this realm.
+The default value is 0.
 .TP
 .B \fBno_host_referral\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists services to block
 from getting host\-based referral processing, even if the client
 marks the server principal as host\-based or the service is also
 listed in \fBhost_based_services\fP.  \fBno_host_referral = *\fP will
 disable referral processing altogether.
 .TP
+.B \fBdes_crc_session_supported\fP
+(Boolean value).  If set to true, the KDC will assume that service
+principals support des\-cbc\-crc for session key enctype negotiation
+purposes.  If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
+false, or if des\-cbc\-crc is not a permitted enctype, then this
+variable has no effect.  Defaults to true.
+.TP
 .B \fBreject_bad_transit\fP
-.sp
 (Boolean value.)  If set to true, the KDC will check the list of
 transited realms for cross\-realm tickets against the transit path
 computed from the realm names and the capaths section of its
@@ -383,7 +356,6 @@ only to TGS requests.
 The default value is true.
 .TP
 .B \fBrestrict_anonymous_to_tgt\fP
-.sp
 (Boolean value.)  If set to true, the KDC will reject ticket
 requests from anonymous principals to service principals other
 than the realm\(aqs ticket\-granting service.  This option allows
@@ -392,97 +364,12 @@ without allowing anonymous authentication to services.  The
 default value is false.
 .TP
 .B \fBsupported_enctypes\fP
-.sp
 (List of \fIkey\fP:\fIsalt\fP strings.)  Specifies the default key/salt
 combinations of principals for this realm.  Any principals created
 through \fIkadmin(1)\fP will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP.  For lists of
 possible values, see \fI\%Encryption and salt types\fP.
 .UNINDENT
-.SS [logging]
-.sp
-The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging.  The keys in this section are
-daemon names, which may be one of:
-.INDENT 0.0
-.TP
-.B \fBadmin_server\fP
-.sp
-Specifies how \fIkadmind(8)\fP performs logging.
-.TP
-.B \fBkdc\fP
-.sp
-Specifies how \fIkrb5kdc(8)\fP performs logging.
-.TP
-.B \fBdefault\fP
-.sp
-Specifies how either daemon performs logging in the absence of
-relations specific to the daemon.
-.UNINDENT
-.sp
-Values are of the following forms:
-.INDENT 0.0
-.TP
-.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-\fIfilename\fP.  If the \fB=\fP form is used, the file is overwritten.
-If the \fB:\fP form is used, the file is appended to.
-.TP
-.B \fBSTDERR\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to its
-standard error stream.
-.TP
-.B \fBCONSOLE\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-console, if the system supports it.
-.TP
-.B \fBDEVICE=\fP\fI<devicename>\fP
-.sp
-This causes the daemon\(aqs logging messages to go to the specified
-device.
-.TP
-.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
-.sp
-This causes the daemon\(aqs logging messages to go to the system log.
-.sp
-The severity argument specifies the default severity of system log
-messages.  This may be any of the following severities supported
-by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
-\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
-and \fBDEBUG\fP.
-.sp
-The facility argument specifies the facility under which the
-messages are logged.  This may be any of the following facilities
-supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
-\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
-\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
-.sp
-If no severity is specified, the default is \fBERR\fP.  If no
-facility is specified, the default is \fBAUTH\fP.
-.UNINDENT
-.sp
-In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON with
-default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file
-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-[logging]
-    kdc = CONSOLE
-    kdc = SYSLOG:INFO:DAEMON
-    admin_server = FILE:/var/adm/kadmin.log
-    admin_server = DEVICE=/dev/tty04
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
 .SS [dbdefaults]
 .sp
 The [dbdefaults] section specifies default values for some database
@@ -491,33 +378,27 @@ a relation for the tag.  See the \fI\%[dbmodules]\fP section for the
 definitions of these relations.
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBldap_kerberos_container_dn\fP
 .IP \(bu 2
-.
 \fBldap_kdc_dn\fP
 .IP \(bu 2
-.
 \fBldap_kadmind_dn\fP
 .IP \(bu 2
-.
 \fBldap_service_password_file\fP
 .IP \(bu 2
-.
 \fBldap_servers\fP
 .IP \(bu 2
-.
 \fBldap_conns_per_server\fP
 .UNINDENT
 .SS [dbmodules]
 .sp
 The [dbmodules] section contains parameters used by the KDC database
-library and database modules.  The following tag may be specified
-in the [dbmodules] section:
+library and database modules.
+.sp
+The following tag may be specified in the [dbmodules] section:
 .INDENT 0.0
 .TP
 .B \fBdb_module_dir\fP
-.sp
 This tag controls where the plugin system looks for modules.  The
 value should be an absolute path.
 .UNINDENT
@@ -529,45 +410,40 @@ the subsection:
 .INDENT 0.0
 .TP
 .B \fBdatabase_name\fP
-.sp
 This DB2\-specific tag indicates the location of the database in
 the filesystem.  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdb_library\fP
-.sp
 This tag indicates the name of the loadable database module.  The
 value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the
 LDAP module.
 .TP
 .B \fBdisable_last_success\fP
-.sp
 If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
 authentication" field of principal entries requiring
 preauthentication.  Setting this flag may improve performance.
 (Principal entries which do not require preauthentication never
-update the "Last successful authentication" field.).
+update the "Last successful authentication" field.).  First
+introduced in version 1.9.
 .TP
 .B \fBdisable_lockout\fP
-.sp
 If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
 authentication" and "Failed password attempts" fields of principal
 entries requiring preauthentication.  Setting this flag may
-improve performance, but also disables account lockout.
+improve performance, but also disables account lockout.  First
+introduced in version 1.9.
 .TP
 .B \fBldap_conns_per_server\fP
-.sp
 This LDAP\-specific tag indicates the number of connections to be
 maintained per LDAP server.
 .TP
 .B \fBldap_kadmind_dn\fP
-.sp
 This LDAP\-specific tag indicates the default bind DN for the
 \fIkadmind(8)\fP daemon.  kadmind does a login to the directory
 as this object.  This object should have the rights to read and
 write the Kerberos data in the LDAP database.
 .TP
 .B \fBldap_kdc_dn\fP
-.sp
 This LDAP\-specific tag indicates the default bind DN for the
 \fIkrb5kdc(8)\fP daemon.  The KDC does a login to the directory
 as this object.  This object should have the rights to read the
@@ -575,12 +451,10 @@ Kerberos data in the LDAP database, and to write data unless
 \fBdisable_lockout\fP and \fBdisable_last_success\fP are true.
 .TP
 .B \fBldap_kerberos_container_dn\fP
-.sp
 This LDAP\-specific tag indicates the DN of the container object
 where the realm objects will be located.
 .TP
 .B \fBldap_servers\fP
-.sp
 This LDAP\-specific tag indicates the list of LDAP servers that the
 Kerberos servers can connect to.  The list of LDAP servers is
 whitespace\-separated.  The LDAP server is specified by a LDAP URI.
@@ -588,15 +462,89 @@ It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
 to the LDAP server.
 .TP
 .B \fBldap_service_password_file\fP
-.sp
 This LDAP\-specific tag indicates the file containing the stashed
 passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects.  This file must
 be kept secure.
 .UNINDENT
+.SS [logging]
+.sp
+The [logging] section indicates how \fIkrb5kdc(8)\fP and
+\fIkadmind(8)\fP perform logging.  The keys in this section are
+daemon names, which may be one of:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+Specifies how \fIkadmind(8)\fP performs logging.
+.TP
+.B \fBkdc\fP
+Specifies how \fIkrb5kdc(8)\fP performs logging.
+.TP
+.B \fBdefault\fP
+Specifies how either daemon performs logging in the absence of
+relations specific to the daemon.
+.UNINDENT
+.sp
+Values are of the following forms:
+.INDENT 0.0
+.TP
+.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
+This value causes the daemon\(aqs logging messages to go to the
+\fIfilename\fP.  If the \fB=\fP form is used, the file is overwritten.
+If the \fB:\fP form is used, the file is appended to.
+.TP
+.B \fBSTDERR\fP
+This value causes the daemon\(aqs logging messages to go to its
+standard error stream.
+.TP
+.B \fBCONSOLE\fP
+This value causes the daemon\(aqs logging messages to go to the
+console, if the system supports it.
+.TP
+.B \fBDEVICE=\fP\fI<devicename>\fP
+This causes the daemon\(aqs logging messages to go to the specified
+device.
+.TP
+.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
+This causes the daemon\(aqs logging messages to go to the system log.
+.sp
+The severity argument specifies the default severity of system log
+messages.  This may be any of the following severities supported
+by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
+\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
+and \fBDEBUG\fP.
+.sp
+The facility argument specifies the facility under which the
+messages are logged.  This may be any of the following facilities
+supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
+\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
+\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
+.sp
+If no severity is specified, the default is \fBERR\fP.  If no
+facility is specified, the default is \fBAUTH\fP.
+.UNINDENT
+.sp
+In the following example, the logging messages from the KDC will go to
+the console and to the system log under the facility LOG_DAEMON with
+default severity of LOG_INFO; and the logging messages from the
+administrative server will be appended to the file
+\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[logging]
+    kdc = CONSOLE
+    kdc = SYSLOG:INFO:DAEMON
+    admin_server = FILE:/var/adm/kadmin.log
+    admin_server = DEVICE=/dev/tty04
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
-.
 The following are pkinit\-specific options.  These values may
 be specified in [kdcdefaults] as global defaults, or within
 a realm\-specific subsection of [realms].  Also note that a
@@ -605,7 +553,6 @@ realm\-specific value over\-rides, does not add to, a generic
 .RE
 .INDENT 0.0
 .IP 1. 3
-.
 realm\-specific subsection of [realms],
 .INDENT 3.0
 .INDENT 3.5
@@ -614,14 +561,13 @@ realm\-specific subsection of [realms],
 .ft C
 [realms]
     EXAMPLE.COM = {
-        pkinit_anchors = FILE\e:/usr/local/example.com.crt
+        pkinit_anchors = FILE:/usr/local/example.com.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-.
 generic value in the [kdcdefaults] section.
 .INDENT 3.0
 .INDENT 3.5
@@ -629,7 +575,7 @@ generic value in the [kdcdefaults] section.
 .nf
 .ft C
 [kdcdefaults]
-    pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
 .ft P
 .fi
 .UNINDENT
@@ -642,19 +588,16 @@ For information about the syntax of some of these options, see
 .INDENT 0.0
 .TP
 .B \fBpkinit_anchors\fP
-.sp
 Specifies the location of trusted anchor (root) certificates which
 the KDC trusts to sign client certificates.  This option is
 required if pkinit is to be supported by the KDC.  This option may
 be specified multiple times.
 .TP
 .B \fBpkinit_dh_min_bits\fP
-.sp
 Specifies the minimum number of bits the KDC is willing to accept
 for a client\(aqs Diffie\-Hellman key.  The default is 2048.
 .TP
 .B \fBpkinit_allow_upn\fP
-.sp
 Specifies that the KDC is willing to accept client certificates
 with the Microsoft UserPrincipalName (UPN) Subject Alternative
 Name (SAN).  This means the KDC accepts the binding of the UPN in
@@ -666,60 +609,50 @@ the id\-pkinit\-san as defined in \fI\%RFC 4556\fP.  There is currently
 no option to disable SAN checking in the KDC.
 .TP
 .B \fBpkinit_eku_checking\fP
-.sp
 This option specifies what Extended Key Usage (EKU) values the KDC
 is willing to accept in client certificates.  The values
 recognized in the kdc.conf file are:
 .INDENT 7.0
 .TP
 .B \fBkpClientAuth\fP
-.sp
 This is the default value and specifies that client
 certificates must have the id\-pkinit\-KPClientAuth EKU as
 defined in \fI\%RFC 4556\fP.
 .TP
 .B \fBscLogin\fP
-.sp
 If scLogin is specified, client certificates with the
 Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
 accepted.
 .TP
 .B \fBnone\fP
-.sp
 If none is specified, then client certificates will not be
 checked to verify they have an acceptable EKU.  The use of
 this option is not recommended.
 .UNINDENT
 .TP
 .B \fBpkinit_identity\fP
-.sp
 Specifies the location of the KDC\(aqs X.509 identity information.
 This option is required if pkinit is to be supported by the KDC.
 .TP
 .B \fBpkinit_kdc_ocsp\fP
-.sp
 Specifies the location of the KDC\(aqs OCSP.
 .TP
 .B \fBpkinit_mapping_file\fP
-.sp
 Specifies the name of the ACL pkinit mapping file.  This file maps
 principals to the certificates that they can use.
 .TP
 .B \fBpkinit_pool\fP
-.sp
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_revoke\fP
-.sp
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the KDC when verifying the validity of
 client certificates.  This option may be specified multiple times.
 .TP
 .B \fBpkinit_require_crl_checking\fP
-.sp
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -916,11 +849,30 @@ Here\(aqs an example of a kdc.conf file:
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3\-hmac\-sha1
         supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4
+        database_module = openldap_ldapconf
     }
 
 [logging]
     kdc = FILE:/usr/local/var/krb5kdc/kdc.log
     admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+
+[dbdefaults]
+    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+    openldap_ldapconf = {
+        db_library = kldap
+        disable_last_success = true
+        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+            # this object needs to have read rights on
+            # the realm container and principal subtrees
+        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+            # this object needs to have read and write rights on
+            # the realm container and principal subtrees
+        ldap_service_password_file = /etc/kerberos/service.keyfile
+        ldap_servers = ldaps://kerberos.mit.edu
+        ldap_conns_per_server = 5
+    }
 .ft P
 .fi
 .UNINDENT
@@ -930,10 +882,10 @@ Here\(aqs an example of a kdc.conf file:
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
 .SH SEE ALSO
 .sp
-\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP
+\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c178522496..0832c655eb 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -46,17 +46,14 @@ credentials cache is destroyed.
 .INDENT 0.0
 .TP
 .B \fB\-A\fP
-.sp
 Destroys all caches in the collection, if a cache collection is
 available.
 .TP
 .B \fB\-q\fP
-.sp
 Run quietly.  Normally kdestroy beeps if it fails to destroy the
 user\(aqs tickets.  The \fB\-q\fP flag suppresses this behavior.
 .TP
 .B \fB\-c\fP \fIcache_name\fP
-.sp
 Use \fIcache_name\fP as the credentials (ticket) cache name and
 location; if this option is not used, the default cache name and
 location are used.
@@ -76,7 +73,6 @@ kdestroy uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -87,10 +83,8 @@ to be present in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
@@ -98,6 +92,6 @@ decimal UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4d88691bcc..257cc98109 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -60,110 +60,82 @@ kinit obtains and caches an initial ticket\-granting ticket for
 .INDENT 0.0
 .TP
 .B \fB\-V\fP
-.sp
 display verbose output.
 .TP
 .B \fB\-l\fP \fIlifetime\fP
+(\fIduration\fP string.)  Requests a ticket with the lifetime
+\fIlifetime\fP.
 .sp
-requests a ticket with the lifetime \fIlifetime\fP.  The integer value
-for \fIlifetime\fP must be followed immediately by one of the
-following delimiters:
-.INDENT 7.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-s  seconds
-m  minutes
-h  hours
-d  days
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-as in \fBkinit \-l 90m\fP.  You cannot mix units; a value of
-\fB3h30m\fP will result in an error.
+For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP.
 .sp
 If the \fB\-l\fP option is not specified, the default ticket lifetime
 (configured by each site) is used.  Specifying a ticket lifetime
 longer than the maximum ticket lifetime (configured by each site)
-results in a ticket with the maximum lifetime.
+will not override the configured maximum ticket lifetime.
 .TP
 .B \fB\-s\fP \fIstart_time\fP
+(\fIduration\fP string.)  Requests a postdated ticket.  Postdated
+tickets are issued with the \fBinvalid\fP flag set, and need to be
+resubmitted to the KDC for validation before use.
 .sp
-requests a postdated ticket, valid starting at \fIstart_time\fP.
-Postdated tickets are issued with the \fBinvalid\fP flag set, and
-need to be resubmitted to the KDC for validation before use.
+\fIstart_time\fP specifies the duration of the delay before the ticket
+can become valid.
 .TP
 .B \fB\-r\fP \fIrenewable_life\fP
-.sp
-requests renewable tickets, with a total lifetime of
-\fIrenewable_life\fP.  The duration is in the same format as the
-\fB\-l\fP option, with the same delimiters.
+(\fIduration\fP string.)  Requests renewable tickets, with a total
+lifetime of \fIrenewable_life\fP.
 .TP
 .B \fB\-f\fP
-.sp
 requests forwardable tickets.
 .TP
 .B \fB\-F\fP
-.sp
 requests non\-forwardable tickets.
 .TP
 .B \fB\-p\fP
-.sp
 requests proxiable tickets.
 .TP
 .B \fB\-P\fP
-.sp
 requests non\-proxiable tickets.
 .TP
 .B \fB\-a\fP
-.sp
 requests tickets restricted to the host\(aqs local address[es].
 .TP
 .B \fB\-A\fP
-.sp
 requests tickets not restricted by address.
 .TP
 .B \fB\-C\fP
-.sp
 requests canonicalization of the principal name, and allows the
 KDC to reply with a different client principal from the one
 requested.
 .TP
 .B \fB\-E\fP
-.sp
 treats the principal name as an enterprise name (implies the
 \fB\-C\fP option).
 .TP
 .B \fB\-v\fP
-.sp
 requests that the ticket\-granting ticket in the cache (with the
 \fBinvalid\fP flag set) be passed to the KDC for validation.  If the
 ticket is within its requested time range, the cache is replaced
 with the validated ticket.
 .TP
 .B \fB\-R\fP
-.sp
 requests renewal of the ticket\-granting ticket.  Note that an
 expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
 .TP
-.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-.sp
+.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
 The location of the keytab may be specified with the \fB\-t\fP
-\fIkeytab_file\fP option; otherwise the default keytab will be used.
-By default, a host ticket for the local host is requested, but any
-principal may be specified.  On a KDC, the special keytab location
-\fBKDB:\fP can be used to indicate that kinit should open the KDC
-database and look up the key directly.  This permits an
+\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
+of the default client keytab; otherwise the default keytab will be
+used.  By default, a host ticket for the local host is requested,
+but any principal may be specified.  On a KDC, the special keytab
+location \fBKDB:\fP can be used to indicate that kinit should open
+the KDC database and look up the key directly.  This permits an
 administrator to obtain tickets as any principal that supports
 authentication based on the key.
 .TP
 .B \fB\-n\fP
-.sp
 Requests anonymous processing.  Two types of anonymous principals
 are supported.
 .sp
@@ -184,7 +156,6 @@ As of release 1.8, the MIT Kerberos KDC only supports fully
 anonymous operation.
 .TP
 .B \fB\-T\fP \fIarmor_ccache\fP
-.sp
 Specifies the name of a credentials cache that already contains a
 ticket.  If supported by the KDC, this cache will be used to armor
 the request, preventing offline dictionary attacks and allowing
@@ -193,7 +164,6 @@ makes sure that the response from the KDC is not modified in
 transit.
 .TP
 .B \fB\-c\fP \fIcache_name\fP
-.sp
 use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
 location.  If this option is not used, the default cache location
 is used.
@@ -208,12 +178,10 @@ primary cache.  Otherwise, any existing contents of the default
 cache are destroyed by kinit.
 .TP
 .B \fB\-S\fP \fIservice_name\fP
-.sp
 specify an alternate service name to use when getting initial
 tickets.
 .TP
 .B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
-.sp
 specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
 interpreted by pre\-authentication modules.  The acceptable
 attribute and value values vary from module to module.  This
@@ -225,15 +193,12 @@ pre\-authentication mechanism:
 .INDENT 7.0
 .TP
 .B \fBX509_user_identity\fP=\fIvalue\fP
-.sp
 specify where to find user\(aqs X509 identity information
 .TP
 .B \fBX509_anchors\fP=\fIvalue\fP
-.sp
 specify where to find trusted X509 anchor information
 .TP
 .B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
-.sp
 specify use of RSA, rather than the default Diffie\-Hellman
 protocol
 .UNINDENT
@@ -244,7 +209,6 @@ kinit uses the following environment variables:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials cache, in the form
 \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the \fBFILE\fP
 type is assumed.  The type of the default cache may determine the
@@ -255,13 +219,10 @@ in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+default location of Kerberos 5 credentials cache
 .TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB@KTNAME@\fP
 default location for the local host\(aqs keytab.
 .UNINDENT
 .SH SEE ALSO
@@ -270,6 +231,6 @@ default location for the local host\(aqs keytab.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index 80b1f12ce3..cb074d190c 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -28,13 +28,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
 \fBklist\fP
 [\fB\-e\fP]
 [[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
+[\fB\-C\fP]
 [\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
 [\fB\-V\fP]
 [\fIcache_name\fP|\fIkeytab_name\fP]
@@ -46,28 +47,23 @@ credentials cache, or the keys held in a keytab file.
 .INDENT 0.0
 .TP
 .B \fB\-e\fP
-.sp
 Displays the encryption types of the session key and the ticket
 for each credential in the credential cache, or each key in the
 keytab file.
 .TP
 .B \fB\-l\fP
-.sp
 If a cache collection is available, displays a table summarizing
 the caches present in the collection.
 .TP
 .B \fB\-A\fP
-.sp
 If a cache collection is available, displays the contents of all
 of the caches in the collection.
 .TP
 .B \fB\-c\fP
-.sp
 List tickets held in a credentials cache. This is the default if
 neither \fB\-c\fP nor \fB\-k\fP is specified.
 .TP
 .B \fB\-f\fP
-.sp
 Shows the flags present in the credentials, using the following
 abbreviations:
 .INDENT 7.0
@@ -95,36 +91,39 @@ a    anonymous
 .UNINDENT
 .TP
 .B \fB\-s\fP
-.sp
 Causes klist to run silently (produce no output), but to still set
 the exit status according to whether it finds the credentials
 cache.  The exit status is \(aq0\(aq if klist finds a credentials cache,
 and \(aq1\(aq if it does not or if the tickets are expired.
 .TP
 .B \fB\-a\fP
-.sp
 Display list of addresses in credentials.
 .TP
 .B \fB\-n\fP
-.sp
 Show numeric addresses instead of reverse\-resolving addresses.
 .TP
+.B \fB\-C\fP
+List configuration data that has been stored in the credentials
+cache when klist encounters it.  By default, configuration data
+is not listed.
+.TP
 .B \fB\-k\fP
-.sp
 List keys held in a keytab file.
 .TP
+.B \fB\-i\fP
+In combination with \fB\-k\fP, defaults to using the default client
+keytab instead of the default acceptor keytab, if no name is
+given.
+.TP
 .B \fB\-t\fP
-.sp
 Display the time entry timestamps for each keytab entry in the
 keytab file.
 .TP
 .B \fB\-K\fP
-.sp
 Display the value of the encryption key in each keytab entry in
 the keytab file.
 .TP
 .B \fB\-V\fP
-.sp
 Display the Kerberos version number and exit.
 .UNINDENT
 .sp
@@ -138,7 +137,6 @@ klist uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -149,13 +147,10 @@ to be present in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([uid] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB@KTNAME@\fP
 Default location for the local host\(aqs keytab file.
 .UNINDENT
 .SH SEE ALSO
@@ -164,6 +159,6 @@ Default location for the local host\(aqs keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 0aab125b79..177091f5a4 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -48,7 +48,6 @@ characters.)
 .INDENT 0.0
 .TP
 .B \fIprincipal\fP
-.sp
 Change the password for the Kerberos principal principal.
 Otherwise, kpasswd uses the principal name from an existing ccache
 if there is one; if not, the principal is derived from the
@@ -60,6 +59,6 @@ identity of the user invoking the kpasswd command.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 210e6a32f7..f7a3792936 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -49,26 +49,21 @@ specified by \fIslave_host\fP.  The dump file must be created by
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the realm of the master server.
 .TP
 .B \fB\-f\fP \fIfile\fP
-.sp
 Specifies the filename where the dumped principal database file is
 to be found; by default the dumped database file is normally
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP.
 .TP
 .B \fB\-P\fP \fIport\fP
-.sp
 Specifies the port to use to contact the \fIkpropd(8)\fP server
 on the remote host.
 .TP
 .B \fB\-d\fP
-.sp
 Prints debugging information.
 .TP
 .B \fB\-s\fP \fIkeytab\fP
-.sp
 Specifies the location of the keytab file.
 .UNINDENT
 .SH ENVIRONMENT
@@ -76,7 +71,6 @@ Specifies the location of the keytab file.
 \fIkprop\fP uses the following environment variable:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .UNINDENT
 .SH SEE ALSO
@@ -85,6 +79,6 @@ Specifies the location of the keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index e6da04b129..c429401d57 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -40,7 +40,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-p\fP \fIkdb5_util_prog\fP]
 [\fB\-P\fP \fIport\fP]
 [\fB\-d\fP]
-[\fB\-S\fP]
 .SH DESCRIPTION
 .sp
 The \fIkpropd\fP command runs on the slave KDC server.  It listens for
@@ -56,8 +55,9 @@ Kerberos server to use \fIkprop(8)\fP to propagate its database to
 the slave servers.  Upon a successful download of the KDC database
 file, the slave Kerberos server will have an up\-to\-date KDC database.
 .sp
-Normally, kpropd is invoked out of inetd(8).  This is done by adding
-a line to the \fB/etc/inetd.conf\fP file which looks like this:
+Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service.  This is done by adding a line to
+the \fB/etc/inetd.conf\fP file which looks like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -69,9 +69,9 @@ kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
 .UNINDENT
 .UNINDENT
 .sp
-kpropd can also run as a standalone daemon by specifying the \fB\-S\fP
-option.  This is done for debugging purposes, or if for some reason
-the system administrator just doesn\(aqt want to run it out of inetd(8).
+kpropd can also run as a standalone daemon.  This is required for
+incremental propagation.  But this is also useful for debugging
+purposes.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
 variable in \fIkdc.conf(5)\fP.  If incremental propagation is
@@ -84,45 +84,42 @@ enabled, the principal \fBkiprop/slavehostname@REALM\fP (where
 \fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the
 name of the Kerberos realm) must be present in the slave\(aqs keytab
 file.
+.sp
+\fIkproplog(8)\fP can be used to force full replication when iprop is
+enabled.
 .SH OPTIONS
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the realm of the master server.
 .TP
 .B \fB\-f\fP \fIfile\fP
-.sp
 Specifies the filename where the dumped principal database file is
 to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP.
 .TP
 .B \fB\-p\fP
-.sp
 Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
 program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP.
 .TP
 .B \fB\-S\fP
-.sp
-Turn on standalone mode.  Normally, kpropd is invoked out of
+[DEPRECATED] Enable standalone mode.  Normally kpropd is invoked by
 inetd(8) so it expects a network connection to be passed to it
-from inetd(8).  If the \fB\-S\fP option is specified, kpropd will put
-itself into the background, and wait for connections on port 754
-(or the port specified with the \fB\-P\fP option if given).
+from inetd(8).  If the \fB\-S\fP option is specified, or if standard
+input is not a socket, kpropd will put itself into the background,
+and wait for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given).
 .TP
 .B \fB\-d\fP
-.sp
 Turn on debug mode.  In this mode, if the \fB\-S\fP option is
 selected, kpropd will not detach itself from the current job and
 run in the background.  Instead, it will run in the foreground and
 print out debugging messages during the database propagation.
 .TP
 .B \fB\-P\fP
-.sp
 Allow for an alternate port number for kpropd to listen on.  This
 is only useful in combination with the \fB\-S\fP option.
 .TP
 .B \fB\-a\fP \fIacl_file\fP
-.sp
 Allows the user to specify the path to the kpropd.acl file; by
 default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
 .UNINDENT
@@ -131,17 +128,14 @@ default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
 kpropd uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH FILES
 .INDENT 0.0
 .TP
 .B kpropd.acl
-.
 Access file for kpropd; the default location is
 \fB/usr/local/var/krb5kdc/kpropd.acl\fP.  Each entry is a line
 containing the principal of a host from which the local machine
@@ -153,6 +147,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index d5bd21c1ac..974f0bcae3 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -28,11 +28,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
 \fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
+\fBkproplog\fP [\-R]
 .SH DESCRIPTION
 .sp
 The kproplog command displays the contents of the KDC database update
@@ -56,20 +57,22 @@ last update received and the associated time stamp of the last update.
 .SH OPTIONS
 .INDENT 0.0
 .TP
+.B \fB\-R\fP
+Reset the update log.  This forces full resynchronization.  If used
+on a slave then that slave will request a full resync.  If used on
+the master then all slaves will request full resyncs.
+.TP
 .B \fB\-h\fP
-.sp
 Display a summary of the update log.  This information includes
 the database version number, state of the database, the number of
 updates in the log, the time stamp of the first and last update,
 and the version number of the first and last update entry.
 .TP
 .B \fB\-e\fP \fInum\fP
-.sp
 Display the last \fInum\fP update entries in the log.  This is useful
 when debugging synchronization between KDC servers.
 .TP
 .B \fB\-v\fP
-.sp
 Display individual attributes per update.  An example of the
 output generated for one entry:
 .INDENT 7.0
@@ -101,7 +104,6 @@ Update Entry
 kproplog uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH SEE ALSO
@@ -110,6 +112,6 @@ kproplog uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index cc85bb9ea8..07021eb0df 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .sp
 The krb5.conf file contains Kerberos configuration information,
@@ -169,13 +169,15 @@ Controls plugin module registration
 T}
 _
 .TE
+.sp
+Additionally, krb5.conf may include any of the relations described in
+\fIkdc.conf(5)\fP, but it is not a recommended practice.
 .SS [libdefaults]
 .sp
 The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
 .B \fBallow_weak_crypto\fP
-.sp
 If this flag is set to false, then weak encryption types will be
 filtered out of the previous three lists (as noted in
 \fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP).  The
@@ -186,7 +188,6 @@ should set this tag to true until their infrastructure adopts
 stronger ciphers.
 .TP
 .B \fBap_req_checksum_type\fP
-.sp
 An integer which specifies the type of AP\-REQ checksum to use in
 authenticators.  This variable should be unset so the appropriate
 checksum for the encryption key in use will be used.  This can be
@@ -195,14 +196,12 @@ See the \fBkdc_req_checksum_type\fP configuration option for the
 possible values and their meanings.
 .TP
 .B \fBcanonicalize\fP
-.sp
 If this flag is set to true, initial ticket requests to the KDC
 will request canonicalization of the client principal name, and
 answers with different client principals than the requested
 principal will be accepted.  The default value is false.
 .TP
 .B \fBccache_type\fP
-.sp
 This parameter determines the format of credential cache types
 created by \fIkinit(1)\fP or other programs.  The default value
 is 4, which represents the most current format.  Smaller values
@@ -210,45 +209,51 @@ can be used for compatibility with very old implementations of
 Kerberos which interact with credential caches on the same host.
 .TP
 .B \fBclockskew\fP
-.sp
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
 .TP
+.B \fBdefault_ccache_name\fP
+This relation specifies the name of the default credential cache.
+The default is \fB@CCNAME@\fP.  This relation is subject to parameter
+expansion (see below).
+.TP
+.B \fBdefault_client_keytab_name\fP
+This relation specifies the name of the default keytab for
+obtaining client credentials.  The default is \fB@CKTNAME@\fP.  This
+relation is subject to parameter expansion (see below).
+.TP
 .B \fBdefault_keytab_name\fP
-.sp
 This relation specifies the default keytab name to be used by
-application servers such as telnetd and rlogind.  The default is
-\fB/etc/krb5.keytab\fP.
+application servers such as sshd.  The default is \fB@KTNAME@\fP.  This
+relation is subject to parameter expansion (see below).
 .TP
 .B \fBdefault_realm\fP
-.sp
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
 invoking programs such as \fIkinit(1)\fP.
 .TP
 .B \fBdefault_tgs_enctypes\fP
-.sp
 Identifies the supported list of session key encryption types that
-should be returned by the KDC.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_and_salt_types\fP in
+should be returned by the KDC, in order of preference from
+highest to lowest.  The list may be delimited with commas or
+whitespace.  See \fIEncryption_and_salt_types\fP in
 \fIkdc.conf(5)\fP for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
 .TP
 .B \fBdefault_tkt_enctypes\fP
-.sp
 Identifies the supported list of session key encryption types that
-should be requested by the client.  The format is the same as for
+should be requested by the client, in order of preference from
+highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
 .B \fBdns_lookup_kdc\fP
-.sp
 Indicate whether DNS SRV records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  (Note that the admin_server
@@ -265,7 +270,6 @@ data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
 .B \fBextra_addresses\fP
-.sp
 This allows a computer to use multiple local addresses, in order
 to allow Kerberos to work in a network that uses NATs while still
 using address\-restricted tickets.  The addresses should be in a
@@ -273,12 +277,10 @@ comma\-separated list.  This option has no effect if
 \fBnoaddresses\fP is true.
 .TP
 .B \fBforwardable\fP
-.sp
 If this flag is true, initial tickets will be forwardable by
 default, if allowed by the KDC.  The default value is false.
 .TP
 .B \fBignore_acceptor_hostname\fP
-.sp
 When accepting GSSAPI or krb5 security contexts for host\-based
 service principals, ignore any hostname passed by the calling
 application, and allow clients to authenticate to any service
@@ -289,7 +291,6 @@ compromise the security of virtual hosting environments.  The
 default value is false.
 .TP
 .B \fBk5login_authoritative\fP
-.sp
 If this flag is true, principals must be listed in a local user\(aqs
 k5login file to be granted login access, if a \fI.k5login(5)\fP
 file exists.  If this flag is false, a principal may still be
@@ -298,7 +299,6 @@ file exists but does not list the principal.  The default value is
 true.
 .TP
 .B \fBk5login_directory\fP
-.sp
 If set, the library will look for a local user\(aqs k5login file
 within the named directory, with a filename corresponding to the
 local username.  If not set, the library will look for k5login
@@ -307,23 +307,20 @@ For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
 .B \fBkdc_default_options\fP
-.sp
 Default KDC options (Xored for multiple values) when requesting
 initial tickets.  By default it is set to 0x00000010
 (KDC_OPT_RENEWABLE_OK).
 .TP
 .B \fBkdc_timesync\fP
-.sp
-If this flag is true, client machines will compute the difference
-between their time and the time returned by the KDC in the
-timestamps in the tickets and use this value to correct for an
-inaccurate system clock when requesting service tickets or
-authenticating to services.  This corrective factor is only used
-by the Kerberos library; it is not used to change the system
-clock.  The default value is true.
+Accepted values for this relation are 1 or 0.  If it is nonzero,
+client machines will compute the difference between their time and
+the time returned by the KDC in the timestamps in the tickets and
+use this value to correct for an inaccurate system clock when
+requesting service tickets or authenticating to services.  This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock.  The default value is 1.
 .TP
 .B \fBkdc_req_checksum_type\fP
-.sp
 An integer which specifies the type of checksum to use for the KDC
 requests, for compatibility with very old KDC implementations.
 This value is only used for DES keys; other keys use the preferred
@@ -391,13 +388,11 @@ _
 .TE
 .TP
 .B \fBnoaddresses\fP
-.sp
 If this flag is true, requests for initial tickets will not be
 made with address restrictions set, allowing the tickets to be
 used across NATs.  The default value is true.
 .TP
 .B \fBpermitted_enctypes\fP
-.sp
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
@@ -405,47 +400,40 @@ removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
 .B \fBplugin_base_dir\fP
-.sp
 If set, determines the base directory where krb5 plugins are
 located.  The default value is the \fBkrb5/plugins\fP subdirectory
 of the krb5 library directory.
 .TP
 .B \fBpreferred_preauth_types\fP
-.sp
 This allows you to set the preferred preauthentication types which
 the client will attempt before others which may be advertised by a
 KDC.  The default value for this setting is "17, 16, 15, 14",
 which forces libkrb5 to attempt to use PKINIT if it is supported.
 .TP
 .B \fBproxiable\fP
-.sp
 If this flag is true, initial tickets will be proxiable by
 default, if allowed by the KDC.  The default value is false.
 .TP
 .B \fBrdns\fP
-.sp
 If this flag is true, reverse name lookup will be used in addition
 to forward name lookup to canonicalizing hostnames for use in
 service principal names.  The default value is true.
 .TP
 .B \fBrealm_try_domains\fP
-.sp
 Indicate whether a host\(aqs domain components should be used to
 determine the Kerberos realm of the host.  The value of this
 variable is an integer: \-1 means not to search, 0 means to try the
 host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
 parent, and so forth.  The library\(aqs usual mechanism for locating
 Kerberos realms is used to determine whether a domain is a valid
-realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is
+realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
 set.  The default is not to search domain components.
 .TP
 .B \fBrenew_lifetime\fP
-.sp
-Sets the default renewable lifetime for initial ticket requests.
-The default value is 0.
+(\fIduration\fP string.)  Sets the default renewable lifetime
+for initial ticket requests.  The default value is 0.
 .TP
 .B \fBsafe_checksum_type\fP
-.sp
 An integer which specifies the type of checksum to use for the
 KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).  For
 compatibility with applications linked against DCE version 1.1 or
@@ -455,12 +443,10 @@ with the session key type.  See the \fBkdc_req_checksum_type\fP
 configuration option for the possible values and their meanings.
 .TP
 .B \fBticket_lifetime\fP
-.sp
-Sets the default lifetime for initial ticket requests.  The
-default value is 1 day.
+(\fIduration\fP string.)  Sets the default lifetime for initial
+ticket requests.  The default value is 1 day.
 .TP
 .B \fBudp_preference_limit\fP
-.sp
 When sending a message to the KDC, the library will try using TCP
 before UDP if the size of the message is above
 \fBudp_preference_limit\fP.  If the message is smaller than
@@ -469,7 +455,6 @@ Regardless of the size, both protocols will be tried if the first
 attempt fails.
 .TP
 .B \fBverify_ap_req_nofail\fP
-.sp
 If this flag is true, then an attempt to verify initial
 credentials will fail if the client machine does not have a
 keytab.  The default value is false.
@@ -483,14 +468,12 @@ following tags may be specified in the realm\(aqs subsection:
 .INDENT 0.0
 .TP
 .B \fBadmin_server\fP
-.sp
 Identifies the host where the administration server is running.
 Typically, this is the master Kerberos server.  This tag must be
 given a value in order to communicate with the \fIkadmind(8)\fP
 server for the realm.
 .TP
 .B \fBauth_to_local\fP
-.sp
 This tag allows you to set a general rule for mapping principal
 names to local user names.  It will be used if there is not an
 explicit mapping for the principal name that is being
@@ -498,7 +481,6 @@ translated. The possible values are:
 .INDENT 7.0
 .TP
 .B \fBRULE:\fP\fIexp\fP
-.sp
 The local name will be formulated from \fIexp\fP.
 .sp
 The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
@@ -506,7 +488,7 @@ The integer \fIn\fP indicates how many components the target
 principal should have.  If this matches, then a string will be
 formed from \fIstring\fP, substituting the realm of the principal
 for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
-\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then
+\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
 \fB[2:$2$1foo]\fP would result in the string
 \fBadminjohndoefoo\fP).  If this string matches \fIregexp\fP, then
 the \fBs//[g]\fP substitution command will be run over the
@@ -515,7 +497,6 @@ global over the \fIstring\fP, instead of replacing only the first
 match in the \fIstring\fP.
 .TP
 .B \fBDEFAULT\fP
-.sp
 The principal name will be used as the local user name.  If
 the principal has more than one component or is not in the
 default realm, this rule is not applicable and the conversion
@@ -545,20 +526,17 @@ these two rules are any principals \fBjohndoe/*\fP, which will
 always get the local name \fBguest\fP.
 .TP
 .B \fBauth_to_local_names\fP
-.sp
 This subsection allows you to set explicit mappings from principal
 names to local user names.  The tag is the mapping name, and the
 value is the corresponding local user name.
 .TP
 .B \fBdefault_domain\fP
-.sp
 This tag specifies the domain used to expand hostnames when
 translating Kerberos 4 service principals to Kerberos 5 principals
 (for example, when converting \fBrcmd.hostname\fP to
 \fBhost/hostname.domain\fP).
 .TP
 .B \fBkdc\fP
-.sp
 The name or address of a host running a KDC for that realm.  An
 optional port number, separated from the hostname by a colon, may
 be included.  If the name or address contains colons (for example,
@@ -569,13 +547,11 @@ be given a value in each realm subsection in the configuration
 file, or there must be DNS SRV records specifying the KDCs.
 .TP
 .B \fBkpasswd_server\fP
-.sp
 Points to the server where all the password changes are performed.
 If there is no such entry, the port 464 on the \fBadmin_server\fP
 host will be tried.
 .TP
 .B \fBmaster_kdc\fP
-.sp
 Identifies the master KDC(s).  Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an
 invalid password, the client software will attempt to contact the
@@ -584,7 +560,6 @@ the updated database has not been propagated to the slave servers
 yet.
 .TP
 .B \fBv4_instance_convert\fP
-.sp
 This subsection allows the administrator to configure exceptions
 to the \fBdefault_domain\fP mapping rule.  It contains V4 instances
 (the tag name) which should be translated to some specific
@@ -592,7 +567,6 @@ hostname (the tag value) as the second component in a Kerberos V5
 principal name.
 .TP
 .B \fBv4_realm\fP
-.sp
 This relation is used by the krb524 library routines when
 converting a V5 principal name to a V4 principal name.  It is used
 when the V4 realm name and the V5 realm name are not the same, but
@@ -776,13 +750,10 @@ are overridden by those specified in the \fI\%realms\fP section.
 .INDENT 3.5
 .INDENT 0.0
 .IP \(bu 2
-.
 \fI\%pwqual\fP interface
 .IP \(bu 2
-.
 \fI\%kadm5_hook\fP interface
 .IP \(bu 2
-.
 \fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
 .UNINDENT
 .UNINDENT
@@ -798,19 +769,16 @@ All subsections support the same tags:
 .INDENT 0.0
 .TP
 .B \fBdisable\fP
-.sp
 This tag may have multiple values. If there are values for this
 tag, then the named modules will be disabled for the pluggable
 interface.
 .TP
 .B \fBenable_only\fP
-.sp
 This tag may have multiple values. If there are values for this
 tag, then only the named modules will be enabled for the pluggable
 interface.
 .TP
 .B \fBmodule\fP
-.sp
 This tag may have multiple values.  Each value is a string of the
 form \fBmodulename:pathname\fP, which causes the shared object
 located at \fIpathname\fP to be registered as a dynamic module named
@@ -830,12 +798,10 @@ disabled with the disable tag):
 .INDENT 0.0
 .TP
 .B \fBk5identity\fP
-.sp
 Uses a .k5identity file in the user\(aqs home directory to select a
 client principal
 .TP
 .B \fBrealm\fP
-.sp
 Uses the service realm to guess an appropriate cache from the
 collection
 .UNINDENT
@@ -847,20 +813,16 @@ changed.  The following built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
 .B \fBdict\fP
-.sp
 Checks against the realm dictionary file
 .TP
 .B \fBempty\fP
-.sp
 Rejects empty passwords
 .TP
 .B \fBhesiod\fP
-.sp
 Checks against user information stored in Hesiod (only if Kerberos
 was built with Hesiod support)
 .TP
 .B \fBprinc\fP
-.sp
 Checks against components of the principal name
 .UNINDENT
 .SS kadm5_hook interface
@@ -878,20 +840,16 @@ built\-in modules exist for these interfaces:
 .INDENT 0.0
 .TP
 .B \fBpkinit\fP
-.sp
 This module implements the PKINIT preauthentication mechanism.
 .TP
 .B \fBencrypted_challenge\fP
-.sp
 This module implements the encrypted challenge FAST factor.
 .TP
 .B \fBencrypted_timestamp\fP
-.sp
 This module implements the encrypted timestamp mechanism.
 .UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
-.
 The following are PKINIT\-specific options.  These values may
 be specified in [libdefaults] as global defaults, or within
 a realm\-specific subsection of [libdefaults], or may be
@@ -901,7 +859,6 @@ A realm\-specific value overrides, not adds to, a generic
 .RE
 .INDENT 0.0
 .IP 1. 3
-.
 realm\-specific subsection of [libdefaults]:
 .INDENT 3.0
 .INDENT 3.5
@@ -910,14 +867,13 @@ realm\-specific subsection of [libdefaults]:
 .ft C
 [libdefaults]
     EXAMPLE.COM = {
-        pkinit_anchors = FILE\e:/usr/local/example.com.crt
+        pkinit_anchors = FILE:/usr/local/example.com.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-.
 realm\-specific value in the [realms] section,
 .INDENT 3.0
 .INDENT 3.5
@@ -926,14 +882,13 @@ realm\-specific value in the [realms] section,
 .ft C
 [realms]
     OTHERREALM.ORG = {
-        pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt
+        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 3. 3
-.
 generic value in the [libdefaults] section.
 .INDENT 3.0
 .INDENT 3.5
@@ -941,7 +896,7 @@ generic value in the [libdefaults] section.
 .nf
 .ft C
 [libdefaults]
-    pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
 .ft P
 .fi
 .UNINDENT
@@ -954,7 +909,6 @@ information for PKINIT is as follows:
 .INDENT 0.0
 .TP
 .B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
-.sp
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -967,7 +921,6 @@ In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
 be the name of an OpenSSL\-style ca\-bundle file.
 .TP
 .B \fBDIR:\fP\fIdirname\fP
-.sp
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -991,12 +944,10 @@ but all files in the directory will be examined and if they
 contain a revocation list (in PEM format), they will be used.
 .TP
 .B \fBPKCS12:\fP\fIfilename\fP
-.sp
 \fIfilename\fP is the name of a PKCS #12 format file, containing the
 user\(aqs certificate and private key.
 .TP
 .B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
-.sp
 All keyword/values are optional.  \fImodname\fP specifies the location
 of a library implementing PKCS #11.  If a value is encountered
 with no keyword, it is assumed to be the \fImodname\fP.  If no
@@ -1009,7 +960,6 @@ See the \fBpkinit_cert_match\fP configuration option for more ways
 to select a particular certificate to use for PKINIT.
 .TP
 .B \fBENV:\fP\fIenvvar\fP
-.sp
 \fIenvvar\fP specifies the name of an environment variable which has
 been set to a value conforming to one of the previous values.  For
 example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1019,14 +969,12 @@ example, \fBENV:X509_PROXY\fP, where environment variable
 .INDENT 0.0
 .TP
 .B \fBpkinit_anchors\fP
-.sp
 Specifies the location of trusted anchor (root) certificates which
 the client trusts to sign KDC certificates.  This option may be
 specified multiple times.  These values from the config file are
 not used if the user specifies X509_anchors on the command line.
 .TP
 .B \fBpkinit_cert_match\fP
-.sp
 Specifies matching rules that the client certificate must match
 before it is used to attempt PKINIT authentication.  If a user has
 multiple certificates available (on a smart card, or via other
@@ -1043,7 +991,6 @@ DN values.
 The syntax of the matching rules is:
 .INDENT 7.0
 .INDENT 3.5
-.sp
 [\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
 .UNINDENT
 .UNINDENT
@@ -1052,13 +999,11 @@ where:
 .INDENT 7.0
 .TP
 .B \fIrelation\-operator\fP
-.sp
 can be either \fB&&\fP, meaning all component rules must match,
 or \fB||\fP, meaning only one component rule must match.  The
 default is \fB&&\fP.
 .TP
 .B \fIcomponent\-rule\fP
-.sp
 can be one of the following.  Note that there is no
 punctuation or whitespace between component rules.
 .INDENT 7.0
@@ -1080,16 +1025,12 @@ must be present in the certificate.  Extended Key Usage values
 can be:
 .INDENT 7.0
 .IP \(bu 2
-.
 pkinit
 .IP \(bu 2
-.
 msScLogin
 .IP \(bu 2
-.
 clientAuth
 .IP \(bu 2
-.
 emailProtection
 .UNINDENT
 .sp
@@ -1098,10 +1039,8 @@ Usage values.  All values in the list must be present in the
 certificate.  Key Usage values can be:
 .INDENT 7.0
 .IP \(bu 2
-.
 digitalSignature
 .IP \(bu 2
-.
 keyEncipherment
 .UNINDENT
 .UNINDENT
@@ -1121,7 +1060,6 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
 .UNINDENT
 .TP
 .B \fBpkinit_eku_checking\fP
-.sp
 This option specifies what Extended Key Usage value the KDC
 certificate presented to the client must contain.  (Note that if
 the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1131,30 +1069,25 @@ recognized in the krb5.conf file are:
 .INDENT 7.0
 .TP
 .B \fBkpKDC\fP
-.sp
 This is the default value and specifies that the KDC must have
 the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
 .TP
 .B \fBkpServerAuth\fP
-.sp
 If \fBkpServerAuth\fP is specified, a KDC certificate with the
 id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
 .TP
 .B \fBnone\fP
-.sp
 If \fBnone\fP is specified, then the KDC certificate will not be
 checked to verify it has an acceptable EKU.  The use of this
 option is not recommended.
 .UNINDENT
 .TP
 .B \fBpkinit_dh_min_bits\fP
-.sp
 Specifies the size of the Diffie\-Hellman key the client will
 attempt to use.  The acceptable values are 1024, 2048, and 4096.
 The default is 2048.
 .TP
 .B \fBpkinit_identities\fP
-.sp
 Specifies the location(s) to be used to find the user\(aqs X.509
 identity information.  This option may be specified multiple
 times.  Each value is attempted in order until identity
@@ -1163,7 +1096,6 @@ these values are not used if the user specifies
 \fBX509_user_identity\fP on the command line.
 .TP
 .B \fBpkinit_kdc_hostname\fP
-.sp
 The presense of this option indicates that the client is willing
 to accept a KDC certificate with a dNSName SAN (Subject
 Alternative Name) rather than requiring the id\-pkinit\-san as
@@ -1172,18 +1104,15 @@ times.  Its value should contain the acceptable hostname for the
 KDC (as contained in its certificate).
 .TP
 .B \fBpkinit_longhorn\fP
-.sp
 If this flag is set to true, we are talking to the Longhorn KDC.
 .TP
 .B \fBpkinit_pool\fP
-.sp
 Specifies the location of intermediate certificates which may be
 used by the client to complete the trust chain between a KDC
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_require_crl_checking\fP
-.sp
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -1200,24 +1129,130 @@ fails.
 policy is such that up\-to\-date CRLs must be present for every CA.
 .TP
 .B \fBpkinit_revoke\fP
-.sp
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the client when verifying the validity
 of the KDC certificate presented.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_win2k\fP
-.sp
 This flag specifies whether the target realm is assumed to support
 only the old, pre\-RFC version of the protocol.  The default is
 false.
 .TP
 .B \fBpkinit_win2k_require_binding\fP
-.sp
 If this flag is set to true, it expects that the target KDC is
 patched to return a reply with a checksum rather than a nonce.
 The default is false.
 .UNINDENT
+.SH PARAMETER EXPANSION
+.sp
+Several variables, such as \fBdefault_keytab_name\fP, allow parameters
+to be expanded.  Valid parameters are:
+.INDENT 0.0
+.INDENT 3.5
+.TS
+center;
+|l|l|.
+_
+T{
+%{TEMP}
+T}	T{
+Temporary directory
+T}
+_
+T{
+%{uid}
+T}	T{
+Unix real UID or Windows SID
+T}
+_
+T{
+%{euid}
+T}	T{
+Unix effective user ID or Windows SID
+T}
+_
+T{
+%{USERID}
+T}	T{
+Same as %{uid}
+T}
+_
+T{
+%{null}
+T}	T{
+Empty string
+T}
+_
+T{
+%{LIBDIR}
+T}	T{
+Installation library directory
+T}
+_
+T{
+%{BINDIR}
+T}	T{
+Installation binary directory
+T}
+_
+T{
+%{SBINDIR}
+T}	T{
+Installation admin binary directory
+T}
+_
+T{
+%{username}
+T}	T{
+(Unix) Username of effective user ID
+T}
+_
+T{
+%{APPDATA}
+T}	T{
+(Windows) Roaming application data for current user
+T}
+_
+T{
+%{COMMON_APPDATA}
+T}	T{
+(Windows) Application data for all users
+T}
+_
+T{
+%{LOCAL_APPDATA}
+T}	T{
+(Windows) Local application data for current user
+T}
+_
+T{
+%{SYSTEM}
+T}	T{
+(Windows) Windows system folder
+T}
+_
+T{
+%{WINDOWS}
+T}	T{
+(Windows) Windows folder
+T}
+_
+T{
+%{USERCONFIG}
+T}	T{
+(Windows) Per\-user MIT krb5 config file directory
+T}
+_
+T{
+%{COMMONCONFIG}
+T}	T{
+(Windows) Common MIT krb5 config file directory
+T}
+_
+.TE
+.UNINDENT
+.UNINDENT
 .SH SAMPLE KRB5.CONF FILE
 .sp
 Here is an example of a generic krb5.conf file:
@@ -1247,11 +1282,6 @@ Here is an example of a generic krb5.conf file:
         kdc = kerberos\-1.example.com
         admin_server = kerberos.example.com
     }
-    OPENLDAP.MIT.EDU = {
-        kdc = kerberos.mit.edu
-        admin_server = kerberos.mit.edu
-        database_module = openldap_ldapconf
-    }
 
 [domain_realm]
     .mit.edu = ATHENA.MIT.EDU
@@ -1264,27 +1294,6 @@ Here is an example of a generic krb5.conf file:
     EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
     }
-
-[logging]
-    kdc = SYSLOG:INFO
-    admin_server = FILE=/var/kadm5.log
-[dbdefaults]
-    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
-[dbmodules]
-    openldap_ldapconf = {
-        db_library = kldap
-        disable_last_success = true
-        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
-        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
-            # this object needs to have read rights on
-            # the realm container and principal subtrees
-        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
-            # this object needs to have read and write rights on
-            # the realm container and principal subtrees
-        ldap_service_password_file = /etc/kerberos/service.keyfile
-        ldap_servers = ldaps://kerberos.mit.edu
-        ldap_conns_per_server = 5
-}
 .ft P
 .fi
 .UNINDENT
@@ -1298,6 +1307,6 @@ syslog(3)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 97bee967a8..1dbe739b42 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -43,6 +43,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-n\fP]
 [\fB\-w\fP \fInumworkers\fP]
 [\fB\-P\fP \fIpid_file\fP]
+[\fB\-T\fP \fItime_offset\fP]
 .SH DESCRIPTION
 .sp
 krb5kdc is the Kerberos version 5 Authentication Service and Key
@@ -91,7 +92,6 @@ will relay SIGHUP signals to the worker subprocesses, and will
 terminate the worker subprocess if the it is itself terminated or if
 any other worker process exits.
 .IP Note
-.
 On operating systems which do not have \fIpktinfo\fP support,
 using worker processes will prevent the KDC from listening
 for UDP packets on network interfaces created after the KDC
@@ -105,23 +105,19 @@ Options supported for the LDAP database module are:
 .INDENT 0.0
 .TP
 .B \fB\-x\fP nconns=<number_of_connections>
-.sp
 Specifies the number of connections to be maintained per
 LDAP server.
 .TP
 .B \fB\-x\fP host=<ldapuri>
-.sp
 Specifies the LDAP server to connect to by URI.
 .TP
 .B \fB\-x\fP binddn=<binddn>
-.sp
 Specifies the DN of the object used by the KDC server to bind
 to the LDAP server.  This object should have read and write
 privileges to the realm container, the principal container,
 and the subtree that is referenced by the realm.
 .TP
 .B \fB\-x\fP bindpwd=<bind_password>
-.sp
 Specifies the password for the above mentioned binddn.  Using
 this option may expose the password to other users on the
 system via the process list; to avoid this, instead stash the
@@ -130,6 +126,9 @@ password using the \fBstashsrvpw\fP command of
 .UNINDENT
 .UNINDENT
 .UNINDENT
+.sp
+The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
+the KDC will operate under.  It is intended only for testing purposes.
 .SH EXAMPLE
 .sp
 The KDC may service requests for multiple realms (maximum 32 realms).
@@ -161,10 +160,8 @@ description for further details.
 krb5kdc uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH SEE ALSO
@@ -174,6 +171,6 @@ krb5kdc uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index d45a5f5962..7830a7efa9 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -54,10 +54,9 @@ ksu is a Kerberized version of the su program that has two missions:
 one is to securely change the real and effective user ID to that of
 the target user, and the other is to create a new security context.
 .IP Note
-.
 For the sake of clarity, all references to and attributes of
 the user invoking the program will start with "source"
-(e.g. "source user", "source cache", etc.).
+(e.g., "source user", "source cache", etc.).
 .sp
 Likewise, all references to and attributes of the target
 account will start with "target".
@@ -67,12 +66,12 @@ account will start with "target".
 To fulfill the first mission, ksu operates in two phases:
 authentication and authorization.  Resolving the target principal name
 is the first step in authentication.  The user can either specify his
-principal name with the \fB\-n\fP option (e.g. \fB\-n jqpublic@USC.EDU\fP)
+principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP)
 or a default principal name will be assigned using a heuristic
 described in the OPTIONS section (see \fB\-n\fP option).  The target user
 name must be the first argument to ksu; if not specified root is the
 default.  If \fB.\fP is specified then the target user will be the
-source user (e.g. \fBksu .\fP).  If the source user is root or the
+source user (e.g., \fBksu .\fP).  If the source user is root or the
 target user is the source user, no authentication or authorization
 takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
 in the source cache.
@@ -167,7 +166,6 @@ not provided (user hit return) ksu continues in a normal mode of
 operation (the target cache will not contain the desired TGT).  If the
 wrong password is typed in, ksu fails.
 .IP Note
-.
 During authentication, only the tickets that could be
 obtained without providing a password are cached in in the
 source cache.
@@ -176,7 +174,6 @@ source cache.
 .INDENT 0.0
 .TP
 .B \fB\-n\fP \fItarget_principal_name\fP
-.sp
 Specify a Kerberos target principal name.  Used in authentication
 and authorization phases of ksu.
 .sp
@@ -184,7 +181,6 @@ If ksu is invoked without \fB\-n\fP, a default principal name is
 assigned via the following heuristic:
 .INDENT 7.0
 .IP \(bu 2
-.
 Case 1: source user is non\-root.
 .sp
 If the target user is the source user the default principal name
@@ -201,13 +197,10 @@ cache.  If both conditions are met that principal becomes the
 default target principal, otherwise go to the next principal.
 .INDENT 2.0
 .IP a. 3
-.
 default principal of the source cache
 .IP b. 3
-.
 target_user@local_realm
 .IP c. 3
-.
 source_user@local_realm
 .UNINDENT
 .sp
@@ -227,7 +220,6 @@ example if candidate a) is \fBjqpublic@ISI.EDU\fP and
 account then the default principal is set to
 \fBjqpublic/secure@ISI.EDU\fP.
 .IP \(bu 2
-.
 Case 2: source user is root.
 .sp
 If the target user is non\-root then the default principal name
@@ -241,8 +233,7 @@ exist, default principal name is set to \fBroot\e@local_realm\fP.
 \fB\-c\fP \fIsource_cache_name\fP
 .INDENT 0.0
 .INDENT 3.5
-.sp
-Specify source cache name (e.g. \fB\-c FILE:/tmp/my_cache\fP).  If
+Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP).  If
 \fB\-c\fP option is not used then the name is obtained from
 \fBKRB5CCNAME\fP environment variable.  If \fBKRB5CCNAME\fP is not
 defined the source cache name is set to \fBkrb5cc_<source uid>\fP.
@@ -264,17 +255,14 @@ krb5cc_1984.2
 .INDENT 0.0
 .TP
 .B \fB\-k\fP
-.sp
 Do not delete the target cache upon termination of the target
 shell or a command (\fB\-e\fP command).  Without \fB\-k\fP, ksu deletes
 the target cache.
 .TP
 .B \fB\-D\fP
-.sp
 Turn on debug mode.
 .TP
 .B \fB\-z\fP
-.sp
 Restrict the copy of tickets from the source cache to the target
 cache to only the tickets where client == the target principal
 name.  Use the \fB\-n\fP option if you want the tickets for other then
@@ -282,7 +270,6 @@ the default principal.  Note that the \fB\-z\fP option is mutually
 exclusive with the \fB\-Z\fP option.
 .TP
 .B \fB\-Z\fP
-.sp
 Don\(aqt copy any tickets from the source cache to the target cache.
 Just create a fresh target cache, where the default principal name
 of the cache is initialized to the target principal name.  Note
@@ -290,7 +277,6 @@ that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
 option.
 .TP
 .B \fB\-q\fP
-.sp
 Suppress the printing of status messages.
 .UNINDENT
 .sp
@@ -298,7 +284,6 @@ Ticket granting ticket options:
 .INDENT 0.0
 .TP
 .B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
-.sp
 The ticket granting ticket options only apply to the case where
 there are no appropriate tickets in the cache to authenticate the
 source user.  In this case if ksu is configured to prompt users
@@ -307,29 +292,24 @@ ticket granting ticket options that are specified will be used
 when getting a ticket granting ticket from the Kerberos server.
 .TP
 .B \fB\-l\fP \fIlifetime\fP
-.sp
-specifies the lifetime to be requested for the ticket; if this
-option is not specified, the default ticket lifetime (configured
-by each site) is used instead.
+(\fIduration\fP string.)  Specifies the lifetime to be requested
+for the ticket; if this option is not specified, the default ticket
+lifetime (12 hours) is used instead.
 .TP
 .B \fB\-r\fP \fItime\fP
-.sp
-specifies that the \fBrenewable\fP option should be requested for
-the ticket, and specifies the desired total lifetime of the
-ticket.
+(\fIduration\fP string.)  Specifies that the \fBrenewable\fP option
+should be requested for the ticket, and specifies the desired
+total lifetime of the ticket.
 .TP
 .B \fB\-p\fP
-.sp
 specifies that the \fBproxiable\fP option should be requested for
 the ticket.
 .TP
 .B \fB\-f\fP
-.sp
 option specifies that the \fBforwardable\fP option should be
 requested for the ticket.
 .TP
 .B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
-.sp
 ksu proceeds exactly the same as if it was invoked without the
 \fB\-e\fP option, except instead of executing the target shell, ksu
 executes the specified command. Example of usage:
@@ -394,7 +374,6 @@ the target program.  Otherwise, the user must specify either a
 full path or just the program name.
 .TP
 .B \fB\-a\fP \fIargs\fP
-.sp
 Specify arguments to be passed to the target shell.  Note that all
 flags and parameters following \-a will be passed to the shell,
 thus all options intended for ksu must precede \fB\-a\fP.
@@ -420,7 +399,6 @@ ksu can be compiled with the following four flags:
 .INDENT 0.0
 .TP
 .B \fBGET_TGT_VIA_PASSWD\fP
-.sp
 In case no appropriate tickets are found in the source cache, the
 user will be prompted for a Kerberos password.  The password is
 then used to get a ticket granting ticket from the Kerberos
@@ -429,19 +407,16 @@ source user is logged in remotely and does not have a secure
 channel, the password may get exposed.
 .TP
 .B \fBPRINC_LOOK_AHEAD\fP
-.sp
 During the resolution of the default principal name,
 \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
 the .k5users file as described in the OPTIONS section
 (see \fB\-n\fP option).
 .TP
 .B \fBCMD_PATH\fP
-.sp
 Specifies a list of directories containing programs that users are
 authorized to execute (via .k5users file).
 .TP
 .B \fBHAVE_GETUSERSHELL\fP
-.sp
 If the source user is non\-root, ksu insists that the target user\(aqs
 shell to be invoked is a "legal shell".  \fIgetusershell(3)\fP is
 called to obtain the names of "legal shells".  Note that the
@@ -460,7 +435,7 @@ ksu should be owned by root and have the set user id bit turned on.
 .sp
 ksu attempts to get a ticket for the end server just as Kerberized
 telnet and rlogin.  Thus, there must be an entry for the server in the
-Kerberos database (e.g. \fBhost/nii.isi.edu@ISI.EDU\fP).  The keytab
+Kerberos database (e.g., \fBhost/nii.isi.edu@ISI.EDU\fP).  The keytab
 file must be in an appropriate location.
 .SH SIDE EFFECTS
 .sp
@@ -471,6 +446,6 @@ GENNADY (ARI) MEDVINSKY
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index b265b78fb0..753f008322 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -42,11 +42,9 @@ collection, if a cache collection is available.
 .INDENT 0.0
 .TP
 .B \fB\-c\fP \fIcachename\fP
-.sp
 Directly specifies the credential cache to be made primary.
 .TP
 .B \fB\-p\fP \fIprincipal\fP
-.sp
 Causes the cache collection to be searched for a cache containing
 credentials for \fIprincipal\fP.  If one is found, that collection is
 made primary.
@@ -57,7 +55,6 @@ kswitch uses the following environment variables:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -68,10 +65,8 @@ to be present in the collection.
 .SS FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB@CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SS SEE ALSO
 .sp
@@ -79,6 +74,6 @@ decimal UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index be2cc7da4d..31b0d51c53 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -42,7 +42,6 @@ V4 srvtab file.
 .SS list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist\fP
 .UNINDENT
 .UNINDENT
@@ -53,7 +52,6 @@ Alias: \fBl\fP
 .SS read_kt
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBread_kt\fP \fIkeytab\fP
 .UNINDENT
 .UNINDENT
@@ -64,7 +62,6 @@ Alias: \fBrkt\fP
 .SS read_st
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBread_st\fP \fIsrvtab\fP
 .UNINDENT
 .UNINDENT
@@ -75,7 +72,6 @@ Alias: \fBrst\fP
 .SS write_kt
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBwrite_kt\fP \fIkeytab\fP
 .UNINDENT
 .UNINDENT
@@ -86,7 +82,6 @@ Alias: \fBwkt\fP
 .SS write_st
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBwrite_st\fP \fIsrvtab\fP
 .UNINDENT
 .UNINDENT
@@ -97,7 +92,6 @@ Alias: \fBwst\fP
 .SS clear_list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBclear_list\fP
 .UNINDENT
 .UNINDENT
@@ -108,7 +102,6 @@ Alias: \fBclear\fP
 .SS delete_entry
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_entry\fP \fIslot\fP
 .UNINDENT
 .UNINDENT
@@ -119,7 +112,6 @@ Alias: \fBdelent\fP
 .SS add_entry
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP
 \fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP
 .UNINDENT
@@ -131,7 +123,6 @@ Alias: \fBaddent\fP
 .SS list_requests
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_requests\fP
 .UNINDENT
 .UNINDENT
@@ -142,7 +133,6 @@ Aliases: \fBlr\fP, \fB?\fP
 .SS quit
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBquit\fP
 .UNINDENT
 .UNINDENT
@@ -174,6 +164,6 @@ ktutil:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 38ef7af2d4..e66b911ed2 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -49,35 +49,29 @@ and prints out the key version numbers of each.
 .INDENT 0.0
 .TP
 .B \fB\-c\fP \fIccache\fP
-.sp
 Specifies the name of a credentials cache to use (if not the
 default)
 .TP
 .B \fB\-e\fP \fIetype\fP
-.sp
 Specifies the enctype which will be requested for the session key
 of all the services named on the command line.  This is useful in
 certain backward compatibility situations.
 .TP
 .B \fB\-q\fP
-.sp
 Suppress printing output when successful.  If a service ticket
 cannot be obtained, an error message will still be printed and
 kvno will exit with nonzero status.
 .TP
 .B \fB\-h\fP
-.sp
 Prints a usage statement and exits.
 .TP
 .B \fB\-P\fP
-.sp
 Specifies that the \fIservice1 service2\fP ...  arguments are to be
 treated as services for which credentials should be acquired using
 constrained delegation.  This option is only valid when used in
 conjunction with protocol transition.
 .TP
 .B \fB\-S\fP \fIsname\fP
-.sp
 Specifies that the \fIservice1 service2\fP ... arguments are
 interpreted as hostnames, and the service principals are to be
 constructed from those hostnames and the service name \fIsname\fP.
@@ -85,7 +79,6 @@ The service hostnames will be canonicalized according to the usual
 rules for constructing service principals.
 .TP
 .B \fB\-U\fP \fIfor_user\fP
-.sp
 Specifies that protocol transition (S4U2Self) is to be used to
 acquire a ticket on behalf of \fIfor_user\fP.  If constrained
 delegation is not requested, the service name must match the
@@ -97,16 +90,13 @@ kvno uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the credentials (ticket) cache.
 .UNINDENT
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of the credentials cache ([\fIuid\fP] is the decimal
-UID of the user).
+.B \fB@CCNAME@\fP
+Default location of the credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
@@ -114,6 +104,6 @@ UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 0d0c95102a..2473e9a308 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -45,6 +45,6 @@ the server\(aqs response.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index aa07d4f24f..1c48cc3507 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -48,7 +48,7 @@ The service name used by sserver and sclient is sample.  Hence,
 sserver will require that there be a keytab entry for the service
 \fBsample/hostname.domain.name@REALM.NAME\fP.  This keytab is generated
 using the \fIkadmin(1)\fP program.  The keytab file is usually
-installed as \fB/etc/krb5.keytab\fP.
+installed as \fB@KTNAME@\fP.
 .sp
 The \fB\-S\fP option allows for a different keytab than the default.
 .sp
@@ -103,7 +103,6 @@ You are nlgilman@JIMI.MIT.EDU
 .SH COMMON ERROR MESSAGES
 .INDENT 0.0
 .IP 1. 3
-.
 kinit returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -120,7 +119,6 @@ kinit: Client not found in Kerberos database while getting
 This means that you didn\(aqt create an entry for your username in the
 Kerberos database.
 .IP 2. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -136,7 +134,6 @@ unknown service sample/tcp; check /etc/services
 This means that you don\(aqt have an entry in /etc/services for the
 sample tcp port.
 .IP 3. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -152,7 +149,6 @@ connect: Connection refused
 This probably means you didn\(aqt edit /etc/inetd.conf correctly, or
 you didn\(aqt restart inetd after editing inetd.conf.
 .IP 4. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -171,7 +167,6 @@ defined in the Kerberos database; it should be created using
 \fIkadmin(1)\fP, and a keytab file needs to be generated to make
 the key for that service principal available for sclient.
 .IP 5. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -194,6 +189,6 @@ probably not installed in the proper directory.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .