21 files changed, 210 insertions, 39 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index def0d74238..0c4ed5ce26 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,21 @@
+2000-06-30  Tom Yu  <tlyu@mit.edu>
+
+	* aclocal.m4 (CC_LINK_STATIC): Another fix for freebsd shared libs
+	from David Cross.
+
+2000-06-30  Ken Raeburn  <raeburn@mit.edu>
+
+	* aclocal.m4 (KRB5_AC_ENABLE_DNS): Rewrite to fix logic.  Now
+	--enable-dns-for-XX really will be heeded for setting default
+	behavior.  Also, DNS support can now be compiled in while still
+	turned off by default.  Print out whether the DNS support will be
+	compiled in.
+
+2000-06-30  Tom Yu  <tlyu@mit.edu>
+
+	* aclocal.m4: Fix freebsd CC_LINK_SHARED to have correct rpath
+	flags.  Thanks to David Cross.
+
 2000-06-23  Ken Raeburn  <raeburn@mit.edu>
 
 	* aclocal.m4 (KRB5_LIB_PARAMS): Don't need to display "checking"
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index df4a6c0abb..78a7a65d86 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1245,7 +1245,7 @@ mips-*-netbsd*)
 	PICFLAGS=-fpic
 	if test "x$objformat" = "xelf" ; then
 		SHLIBVEXT='.so.$(LIBMAJOR)'
-		CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,-R$(PROG_RPATH)'
+		CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
 	else
 		SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
 		CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -R$(PROG_RPATH)'
@@ -1419,32 +1419,50 @@ dnl
 dnl KRB5_AC_ENABLE_DNS
 dnl
 AC_DEFUN(KRB5_AC_ENABLE_DNS, [
-  enable_dns_for_kdc=yes
-  enable_dns_for_realm=no
+AC_MSG_CHECKING(if DNS Kerberos lookup support should be compiled in)
 
   AC_ARG_ENABLE([dns],
-[  --enable-dns            enable DNS lookups of Kerberos realm and servers],
-[enable_dns_for_kdc="$enable_dns"
-enable_dns_for_realm="$enable_dns"],
-[enable_dns=no])
-  if test "$enable_dns" = yes; then
-    AC_DEFINE(KRB5_DNS_LOOKUP)
-  fi
+[  --enable-dns            build in support for Kerberos-related DNS lookups], ,
+[enable_dns=default])
 
   AC_ARG_ENABLE([dns-for-kdc],
-[  --enable-dns-for-kdc    enable DNS lookups of Kerberos servers only])
+[  --enable-dns-for-kdc    enable DNS lookups of Kerberos KDCs (default=YES)], ,
+[case "$enable_dns" in
+  yes | no) enable_dns_for_kdc=$enable_dns ;;
+  *) enable_dns_for_kdc=yes ;;
+esac])
   if test "$enable_dns_for_kdc" = yes; then
     AC_DEFINE(KRB5_DNS_LOOKUP_KDC)
   fi
 
   AC_ARG_ENABLE([dns-for-realm],
-[  --enable-dns-for-realm  enable DNS lookups of Kerberos realm names only])
+[  --enable-dns-for-realm  enable DNS lookups of Kerberos realm names], ,
+[case "$enable_dns" in
+  yes | no) enable_dns_for_realm=$enable_dns ;;
+  *) enable_dns_for_realm=no ;;
+esac])
   if test "$enable_dns_for_realm" = yes; then
     AC_DEFINE(KRB5_DNS_LOOKUP_REALM)
   fi
 
-  if test "$enable_dns_for_kdc" = yes || test "$enable_dns_for_realm" = yes ; then
+  if test "$enable_dns_for_kdc,$enable_dns_for_realm" != no,no
+  then
+    # must compile in the support code
+    if test "$enable_dns" = no ; then
+      AC_MSG_ERROR(cannot both enable some DNS options and disable DNS support)
+    fi
     enable_dns=yes
+  fi
+  if test "$enable_dns" = yes ; then
     AC_DEFINE(KRB5_DNS_LOOKUP)
+  else
+    enable_dns=no
   fi
+
+AC_MSG_RESULT($enable_dns)
+dnl AC_MSG_CHECKING(if DNS should be used to find KDCs by default)
+dnl AC_MSG_RESULT($enable_dns_for_kdc)
+dnl AC_MSG_CHECKING(if DNS should be used to find realm name by default)
+dnl AC_MSG_RESULT($enable_dns_for_realm)
+
 ])
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index 0eac15d6b0..4e0882a569 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,15 @@
+2000-06-29  Ken Raeburn  <raeburn@mit.edu>
+
+	Patch from Donn Cave and Leonard Peirce from 1.1 release cycle:
+	* login.c (k_init): Call krb5_cc_set_default_name right after
+	setting the environment variable.
+	(main): Likewise.
+
+2000-06-23  Ken Raeburn  <raeburn@mit.edu>
+
+	* rcp.M, rsh.M, rlogin.M: Add description of new -PO, -PN
+	options.
+
 2000-06-19  Tom Yu  <tlyu@mit.edu>
 
 	* krshd.c (recvauth): Call krb5_recvauth_version() rather than
diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c
index af703b3baa..826ea8a182 100644
--- a/src/appl/bsd/login.c
+++ b/src/appl/bsd/login.c
@@ -517,6 +517,7 @@ void k_init (ttyn)
     if (!getenv(KRB5_ENV_CCNAME)) {
 	sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
 	setenv(KRB5_ENV_CCNAME, ccfile, 1);
+	krb5_cc_set_default_name(kcontext, ccfile);
 	unlink(ccfile+strlen("FILE:"));
     } else {
 	/* note it correctly */
@@ -1755,8 +1756,10 @@ int main(argc, argv)
 
 #ifdef KRB5_GET_TICKETS
     /* ccfile[0] is only set if we got tickets above */
-    if (login_krb5_get_tickets && ccfile[0])
+    if (login_krb5_get_tickets && ccfile[0]) {
 	(void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
+	krb5_cc_set_default_name(kcontext, ccfile);
+    }
 #endif /* KRB5_GET_TICKETS */
 
     if (tty[sizeof("tty")-1] == 'd')
diff --git a/src/appl/bsd/rcp.M b/src/appl/bsd/rcp.M
index 46267a5dd6..e047db5d65 100644
--- a/src/appl/bsd/rcp.M
+++ b/src/appl/bsd/rcp.M
@@ -24,11 +24,13 @@ rcp \- remote file copy
 .B rcp
 [\fB\-p\fP] [\fB\-x\fP] [\fB\-k\fP \fIrealm\fP ] [\fB\-D\fP \fIport\fP]
 [\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
 .I file1 file2
 .sp
 .B rcp
 [\fB\-p\fB] [\fB\-x\fP] [\fP\-k\fP \fIrealm\fP] [\fB\-r\fP] [\fB\-D\fP
 \fIport\fP] [\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
 .I file ... directory
 .SH DESCRIPTION
 .B Rcp
@@ -93,6 +95,16 @@ instead of the remote host's realm as determined by
 if any of the source files are directories, copy each subtree rooted at
 that name; in this case the destination must be a directory.
 .TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol.  The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers.  (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.)  If neither option is specified, some
+simple heuristics are used to guess which to try.
+.TP
 \fB\-D\fP \fIport\fP
 connect to port
 .I port
diff --git a/src/appl/bsd/rlogin.M b/src/appl/bsd/rlogin.M
index 79ac327b14..601fe460b4 100644
--- a/src/appl/bsd/rlogin.M
+++ b/src/appl/bsd/rlogin.M
@@ -25,6 +25,7 @@ rlogin \- remote login
 .I rhost
 [\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP]
 [\fB\-F\fP] [\fB\-t\fP \fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP]
+[\fB\-PN | \-PO\fP]
 [\fB\-d\fP] [\fB\-k\fP \fIrealm\fP] [\fB\-x\fP] [\fB\-L\fP] [\fB\-l\fP
 \fIusername\fP]
 .PP
@@ -133,6 +134,16 @@ instead of the remote host's realm as determined by
 turn on DES encryption for all data passed via the rlogin session.  This
 significantly reduces response time and significantly increases CPU
 utilization.
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol.  The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers.  (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.)  If neither option is specified, some
+simple heuristics are used to guess which to try.
 .SH SEE ALSO
 rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), rlogin(1) [UCB
 version]
diff --git a/src/appl/bsd/rsh.M b/src/appl/bsd/rsh.M
index 2b342c3d2a..11a7290f5e 100644
--- a/src/appl/bsd/rsh.M
+++ b/src/appl/bsd/rsh.M
@@ -25,6 +25,7 @@ rsh \- remote shell
 .I host
 [\fB\-l\fP \fIusername\fP] [\fB\-n\fP] [\fB\-d\fP] [\fB\-k\fP
 \fIrealm\fP] [\fB\-f\fP | \fB\-F\fP] [\fB\-x\fP]
+[\fB\-PN | \-PO\fP]
 .I command
 .SH DESCRIPTION
 .B Rsh
@@ -101,6 +102,16 @@ on the TCP sockets used for communication with the remote host.
 redirects input from the special device
 .I /dev/null
 (see the BUGS section below).
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol.  The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers.  (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.)  If neither option is specified, some
+simple heuristics are used to guess which to try.
 .PP
 If you omit
 .IR command ,
diff --git a/src/config/ChangeLog b/src/config/ChangeLog
index 9c79034d2e..d49064567c 100644
--- a/src/config/ChangeLog
+++ b/src/config/ChangeLog
@@ -1,3 +1,8 @@
+2000-06-30  Danilo Almeida  <dalmeida@mit.edu>
+
+	* win-pre.in: Fix up DNS build flags to correspond to new DNS
+	build flags.  Add support for not using wshelper.
+
 2000-06-30  Tom Yu  <tlyu@mit.edu>
 
 	* pre.in: Twiddle things around to support building libdb under
diff --git a/src/config/win-pre.in b/src/config/win-pre.in
index 73fdb2efad..d70aff31cf 100644
--- a/src/config/win-pre.in
+++ b/src/config/win-pre.in
@@ -83,17 +83,29 @@ C=.^\
 srcdir = .
 SRCTOP = $(srcdir)\$(BUILDTOP)
 
-!if defined(KRB5_USE_DNS)
+!if defined(KRB5_USE_DNS) || defined(KRB5_USE_DNS_KDC) || defined(KRB5_USE_DNS_REALMS)
+!if defined(KRB5_NO_WSHELPER)
+DNSMSG=resolver
+!else
+DNSMSG=wshelper
+DNSFLAGS=-DWSHELPER=1
+!endif
 !if !defined(DNS_INC)
-!message Must define DNS_INC to point to wshelper includes dir!
+!message Must define DNS_INC to point to $(DNSMSG) includes dir!
 !error
 !endif
 !if !defined(DNS_LIB)
-!message Must define DNS_LIB to point to wshelper library!
+!message Must define DNS_LIB to point to $(DNSMSG) library!
 !error
 !endif
 DNSLIBS=$(DNS_LIB)
-DNSFLAGS=-I$(DNS_INC) -DKRB5_DNS_LOOKUP -DWSHELPER
+DNSFLAGS=-I$(DNS_INC) $(DNSFLAGS) -DKRB5_DNS_LOOKUP=1
+!if defined(KRB5_USE_DNS_KDC)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_KDC=1
+!endif
+!if defined(KRB5_USE_DNS_REALMS)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_REALMS=1
+!endif
 !else
 DNSLIBS=
 DNSFLAGS=
diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog
index d1548c87fa..ee2192342e 100644
--- a/src/kadmin/server/ChangeLog
+++ b/src/kadmin/server/ChangeLog
@@ -1,3 +1,7 @@
+2000-06-30  Tom Yu  <tlyu@mit.edu>
+
+	* server_stubs.c: Kludge to rename xdr_free() properly.
+
 2000-06-29  Tom Yu  <tlyu@mit.edu>
 
 	* schpw.c (process_chpw_request): Add new argument to call to
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 2eef601b22..f763677b3e 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -18,6 +18,8 @@ static char *rcsid = "$Header$";
 #include <syslog.h>
 #include "misc.h"
 
+#define xdr_free gssrpc_xdr_free /* XXX kludge */
+
 #define LOG_UNAUTH  "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
 #define	LOG_DONE    "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
 
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 087104e703..6f764457ee 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,10 @@
+2000-06-27  Tom Yu  <tlyu@mit.edu>
+
+	* init_sec_context.c (get_credentials): Add initial iteration of
+	krb5_get_credentials in order to differentiate between an actual
+	missing credential and merely a bad match based on enctype.  This
+	was causing problems with kadmin.
+
 2000-06-09  Tom Yu  <tlyu@mit.edu>
 	    Ken Raeburn  <raeburn@mit.edu>
 
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 13a971ffa6..acac47184b 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -77,6 +77,10 @@
 #include <stdlib.h>
 #include <assert.h>
 
+/*
+ * $Id$
+ */
+
 /* XXX This is for debugging only!!!  Should become a real bitfield
    at some point */
 int krb5_gss_dbg_client_expcreds = 0;
@@ -109,11 +113,25 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
     in_creds.keyblock.enctype = 0;
 
+    /*
+     * Initial iteration is necessary to catch a non-matching
+     * credential prior to looping through the GSSAPI-supported
+     * enctypes, since an enctype mismatch in the loop below will
+     * return KRB5_CC_NOTFOUND rather than one of the other error
+     * codes.
+     */
+    code = krb5_get_credentials(context, 0, cred->ccache,
+				&in_creds, out_creds);
+    if (code)
+	goto cleanup;
+    krb5_free_creds(context, *out_creds);
+    *out_creds = NULL;
     for (i = 0; enctypes[i]; i++) {
 	in_creds.keyblock.enctype = enctypes[i];
 	code = krb5_get_credentials(context, 0, cred->ccache, 
 				    &in_creds, out_creds);
-	if (code != KRB5_CC_NOT_KTYPE && code != KRB5KDC_ERR_ETYPE_NOSUPP)
+	if (code != KRB5_CC_NOT_KTYPE && code != KRB5_CC_NOTFOUND
+	    && code != KRB5KDC_ERR_ETYPE_NOSUPP)
 	    break;
     }
     if (enctypes[i] == 0) {
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index dfdf646c71..2d4546f3a5 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,11 @@
+2000-06-30  Tom Yu  <tlyu@mit.edu>
+
+	* conv_princ.c (krb5_425_conv_principal): NULL, not nil.
+
+2000-06-30  Miro Jurisic  <meeroh@mit.edu>
+
+	* conv_princ.c (krb5_425_conv_principal): Fixed a memory leak
+
 2000-06-29  Ezra Peisach  <epeisach@engrailed.mit.edu>
 
 	* t_walk_rtree.c (main): Declare as returning int.
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index b2df0c60e3..f0d3d3d31e 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -272,6 +272,14 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
      	} else if ((retval == 0) && (realm_name == NULL)) {
      		break;
      	}
+     	if (realm_name != NULL) {
+     		profile_release_string (realm_name);
+     		realm_name = NULL;
+     	}
+     	if (dummy_value != NULL) {
+     		profile_release_string (dummy_value);
+     		dummy_value = NULL;
+     	}
      }
      
      if (instance) {
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index 7d0aa318ad..1f0a2779d7 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,8 @@
+2000-06-21  Tom Yu  <tlyu@mit.edu>
+
+	* svc_auth_gssapi.c (_svcauth_gssapi): Missed a rename.  From
+	Nathan Neulinger.
+
 2000-05-31  Ken Raeburn  <raeburn@mit.edu>
 
 	* pmap_rmt.c (GIFCONF_BUFSIZE): New macro.
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 34ee0ef11a..9d831ad0de 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -548,7 +548,7 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch)
 				      &call_arg)) {
 			 PRINTF(("svcauth_gssapi: cannot decode args\n"));
 			 LOG_MISCERR("protocol error in call arguments");
-			 xdr_free(xdr_authgssapi_init_arg, &call_arg);
+			 gssrpc_xdr_free(xdr_authgssapi_init_arg, &call_arg);
 			 ret = AUTH_BADCRED;
 			 goto error;
 		    }
diff --git a/src/lib/rpc/unit-test/ChangeLog b/src/lib/rpc/unit-test/ChangeLog
index b41a59d78e..a4b859b08a 100644
--- a/src/lib/rpc/unit-test/ChangeLog
+++ b/src/lib/rpc/unit-test/ChangeLog
@@ -1,3 +1,8 @@
+2000-06-30  Tom Yu  <tlyu@mit.edu>
+
+	* server.c: Include gssrpc/pmap_clnt.h in order to get renaming of
+	pmap_unset().  From Nathan Neulinger.
+
 2000-06-30  Ken Raeburn  <raeburn@mit.edu>
 
 	* rpc_test_setup.sh: Error out if server_handle doesn't get set in
diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c
index 7270ea40d8..32f5de349f 100644
--- a/src/lib/rpc/unit-test/server.c
+++ b/src/lib/rpc/unit-test/server.c
@@ -14,6 +14,7 @@ static char *rcsid = "$Header$";
 #include <string.h>
 #include <signal.h>
 #include <gssrpc/rpc.h>
+#include <gssrpc/pmap_clnt.h>
 #include <arpa/inet.h>  /* inet_ntoa */
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_generic.h>
diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog
index 23bc3ec305..bc6926a887 100644
--- a/src/windows/ChangeLog
+++ b/src/windows/ChangeLog
@@ -1,3 +1,8 @@
+2000-06-21  Danilo Almeida  <dalmeida@mit.edu>
+
+	* README: Update documentation with DNS information.  Fix up the
+	language a bit.
+
 2000-04-25  Danilo Almeida  <dalmeida@mit.edu>
 
 	* version.rc: Bump version to 1.2 beta.
diff --git a/src/windows/README b/src/windows/README
index f30d02992c..1bac4086ce 100644
--- a/src/windows/README
+++ b/src/windows/README
@@ -1,29 +1,35 @@
 	       Building & Running Kerberos 5 on Windows
 	       ----------------------------------------
 
-Kerberos 5 Windows support now only includes Win32 and no longer
-includes Win16.
+Kerberos 5 builds on Windows with MSVC++ 6.0.  It may or may not build
+with other compilers or make utilities.
 
-We build Kerberos 5 on Windows just with MSVC++ 6.0.  You should
-not need anything else.  We do not know whether it currently
-builds with other compilers or make utilities.
-
-These build instructions assume that you got a standalong source
-distribution of Kerberos 5 rather than the MIT Kerberos for Win32
+These build instructions assume that you have the standalone source
+distribution of Kerberos 5 rather than the MIT Kerberos for Windows
 distribution (which includes a working Kerberos 4).
 
 There are two methods for building a Windows version of Kerberos 5.
 The traditional method involves starting on a Unix machine and
 creating a distribution that can be built on Windows.  The second
 method works from the sources that come from the Unix distribution if
-you have certain Unix-type utilities.
+you have certain Unix-type utilities (see below).
 
-IMPORTANT NOTE: By default, the sources are build with debug
+IMPORTANT NOTE: By default, the sources are built with debug
 information and linked against the debug version of the Microsoft C
-Runtime library, which is not found on most Win32 systems unless they
-have development tools.  To build a release version, you need to
+Runtime library, which is not found on most Windows systems unless
+they have development tools.  To build a release version, you need to
 define NODEBUG either in the environment or the nmake command-line.
 
+DNS Support: To support DNS lookups, you will need to define
+KRB5_DNS_LOOKUP, KRB5_DNS_LOOKUP_KDC, or KRB5_DNS_LOOKUP_REALMS.  The
+DNS code will default to trying to use the wshelper library.  If you
+would rather use a resolver library whose include files more closely
+match the Unix resolver library, define KRB5_NO_WSHELPER.  You will
+also need to define DNS_INC to point to the include directory for the
+library and DNS_LIB to library itself.  The default is not to support
+DNS because the build cannot know whether there is a DNS resolver
+library around for it to use.
+
 
 Traditional Build Method:
 ------------------------
@@ -36,13 +42,13 @@ On the Unix side
 
 
 On the PC side
-1) md \krb5                            # Create where we'll put the tree
+1) md \krb5                            # Create dir where we'll put the tree
 2) cd \krb5
 3) unzip kerbsrc.zip
         - or -
    pkunzip -d kerbsrc.zip
-4) nmake [NODEBUG=1]                   # Build the sources
-5) nmake install [NODEBUG=1]	       # Copy headers, libs, executables
+4) nmake [NODEBUG=1] [DNS-options]     # Build the sources
+5) nmake install [NODEBUG=1]           # Copy headers, libs, executables
 
 
 All-Windows Build Method:
@@ -52,8 +58,8 @@ First, make sure you have sed, gawk, cat, and cp.
 
 1) cd xxx/src                          # Go to where the source lives
 2) nmake -f Makefile.in prep-windows   # Create Makefile for Windows
-3) nmake [NODEBUG=1]                   # Build the sources
-4) nmake install [NODEBUG=1]	       # Copy headers, libs, executables
+3) nmake [NODEBUG=1] [DNS-options      # Build the sources
+4) nmake install [NODEBUG=1]           # Copy headers, libs, executables
 
 
 Notes on the install Target:
@@ -82,7 +88,7 @@ able to run the applications that are built.  Note that Kerberos 5
 will not look for the krb5.ini file in your path.
 
 
-Krb5.ini File:
+krb5.ini File:
 -------------
 
 WARNING: Despite its name, this is not a Windows .ini file.
@@ -128,7 +134,7 @@ Othes Issues:
 
 The krb4_32.dll that is built (but not installed) is not supported.
 If you need Kerberos 4, you can use the krbv4w32.dll that MIT
-distributes as part of the MIT Kerberos for Win32 distribution.
+distributes as part of the MIT Kerberos for Windows distribution.
 
 
 More Information: