this commit includes all the changes on the OV_9510_INTEGRATION and

OV_MERGE branches.  This includes, but is not limited to, the new openvision
admin system, and major changes to gssapi to add functionality, and bring
the implementation in line with rfc1964.  before committing, the
code was built and tested for netbsd and solaris.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8774 dc483132-0cff-0310-8789-dd5450dbe970

12 files changed, 1666 insertions, 0 deletions

diff --git a/src/kadmin/create/ChangeLog b/src/kadmin/create/ChangeLog
new file mode 100644
index 000000000..0c724422d
--- /dev/null
+++ b/src/kadmin/create/ChangeLog
@@ -0,0 +1,9 @@
+Fri Jul 12 14:43:56 1996  Marc Horowitz  <marc@mit.edu>
+
+	* configure.in (USE_GSSAPI_LIBRARY): shared libraries require that
+ 	all symbols be resolved, even if they are not used by the
+ 	executeable.  Thus, create needs to link against gssapi
+
+Wed Jul 10 01:24:29 1996  Marc Horowitz  <marc@mit.edu>
+
+	* Makefile.in, configure.in: added autoconf support
diff --git a/src/kadmin/create/Makefile.in b/src/kadmin/create/Makefile.in
new file mode 100644
index 000000000..547bd39c6
--- /dev/null
+++ b/src/kadmin/create/Makefile.in
@@ -0,0 +1,15 @@
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
+
+PROG = kdb5_create
+OBJS = kdb5_create.o kadm5_create.o string_table.o
+
+all:: $(PROG)
+
+$(PROG): $(OBJS) $(DEPLIBS)
+	$(CC) $(LDFLAGS) $(LDARGS) -o $(PROG) $(OBJS) $(LIBS)
+
+install::
+	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+
+clean::
+	$(RM) $(PROG) $(OBJS)
diff --git a/src/kadmin/create/Makefile.ov b/src/kadmin/create/Makefile.ov
new file mode 100644
index 000000000..cdec414b7
--- /dev/null
+++ b/src/kadmin/create/Makefile.ov
@@ -0,0 +1,12 @@
+TOP = ..
+include $(TOP)/config.mk/template
+
+PROG	= kadmin_create
+SRCS	= kdb5_create.c kadm5_create.c string_table.c
+OBJS	= kdb5_create.o kadm5_create.o string_table.o
+
+LIBS =	$(LIBADMSRV) $(LIBRPCLIB) $(LIBKDB5) $(LIBKRB5_ALL) \
+	$(LIBDYN) $(NDBMLIB) $(LIBDB) $(BSDLIB) $(NETLIB) 
+
+expand InstallAdmin
+expand Depend
diff --git a/src/kadmin/create/attic/Makefile.in b/src/kadmin/create/attic/Makefile.in
new file mode 100644
index 000000000..f7bd9ca38
--- /dev/null
+++ b/src/kadmin/create/attic/Makefile.in
@@ -0,0 +1,20 @@
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) 
+
+all::
+
+SRCS = $(srcdir)/ovsec_adm_create.c \
+	$(srcdir)/string_table.c
+
+OBJS = ovsec_adm_create.o \
+	string_table.o
+
+all::	ovsec_adm_create
+
+ovsec_adm_create: $(OBJS) $(DEPLIBS)
+	$(LD) $(LDFLAGS) $(LDARGS) -o ovsec_adm_create $(OBJS) $(LIBS)
+
+install::
+	$(INSTALL_PROGRAM) ./ovsec_adm_create ${DESTDIR}$(SERVER_BINDIR)/kadmind5
+
+clean::
+	$(RM) ovsec_adm_create
diff --git a/src/kadmin/create/attic/configure.in b/src/kadmin/create/attic/configure.in
new file mode 100644
index 000000000..67b8f7c52
--- /dev/null
+++ b/src/kadmin/create/attic/configure.in
@@ -0,0 +1,12 @@
+AC_INIT(ovsec_adm_create.c)
+CONFIG_RULES
+AC_PROG_INSTALL
+USE_KADMSRV_LIBRARY
+USE_GSSRPC_LIBRARY
+USE_GSSAPI_LIBRARY
+USE_KDB5_LIBRARY
+USE_DYN_LIBRARY
+USE_DB_LIBRARY
+KRB5_LIBRARIES
+V5_USE_SHARED_LIB
+V5_AC_OUTPUT_MAKEFILE
diff --git a/src/kadmin/create/attic/make_extern b/src/kadmin/create/attic/make_extern
new file mode 100644
index 000000000..5432edf66
--- /dev/null
+++ b/src/kadmin/create/attic/make_extern
@@ -0,0 +1,16 @@
+#!/bin/csh
+
+echo '/*'
+echo '  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.'
+echo '  * '
+echo '  * $Header$'
+echo '  *'
+echo '  */'
+echo ' '
+echo '#ifndef _OVSEC_ADM_STRINGS_'
+echo ' '
+
+cat $1 | grep -v rcsid | grep ^char | awk '{printf "extern %s %s;\n",$1,$2}'
+
+echo ' '
+echo '#endif /* _OVSEC_ADM_STRINGS_ */'
diff --git a/src/kadmin/create/attic/ovsec_adm_create.c b/src/kadmin/create/attic/ovsec_adm_create.c
new file mode 100644
index 000000000..90be0c406
--- /dev/null
+++ b/src/kadmin/create/attic/ovsec_adm_create.c
@@ -0,0 +1,663 @@
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
+ *
+ * $Id$
+ * $Source$
+ * 
+ * $Log$
+ * Revision 1.23  1996/07/22 20:24:35  marc
+ * this commit includes all the changes on the OV_9510_INTEGRATION and
+ * OV_MERGE branches.  This includes, but is not limited to, the new openvision
+ * admin system, and major changes to gssapi to add functionality, and bring
+ * the implementation in line with rfc1964.  before committing, the
+ * code was built and tested for netbsd and solaris.
+ *
+ * Revision 1.22.4.1  1996/07/18 03:01:22  marc
+ * merged in changes from OV_9510_BP to OV_9510_FINAL1
+ *
+ * Revision 1.22.2.1  1996/06/20  21:44:55  marc
+ * File added to the repository on a branch
+ *
+ * Revision 1.22  1996/06/19  15:09:32  bjaspan
+ * changes to work in mit tree
+ *
+ * Revision 1.21  1995/11/07  23:27:28  grier
+ * Add stdlib.h
+ * Add string.h
+ *
+ * Revision 1.20  1995/08/13  16:41:11  jik
+ * Fix a nonsensical comment about the iterator() function.  See PR
+ * secure-admin/470.
+ *
+ * Revision 1.19  1995/07/02  19:55:13  jik
+ * Key version numbers should start out at 1, not 0.
+ * Should get the master key version number from the master_db entry in
+ * server_kdb.c, rather than assuming that the master key version number
+ * is 0.
+ *
+ * Revision 1.18  1995/03/14  16:58:50  jik
+ * Use krb5_xfree instead of xfree if KRB5B4 is defined.
+ *
+ * Revision 1.17  1994/03/11 19:37:34  bjaspan
+ * [secure-admin/1593: ovsec_adm_create non-error messages go to stderr]
+ * [secure-releng/1608: audit secure-admin/1593: ovsec_adm_create non-error messages go to stderr]
+ *
+ * Sandbox:
+ *
+ *  Normal messages should be printed to stdout rather than displayed
+ *  using com_err, which will cause then to go to stderr.
+ *
+ * Revision 1.17  1994/03/09  22:21:33  jik
+ * Normal messages should be printed to stdout rather than displayed
+ * using com_err, which will cause then to go to stderr.
+ *
+ * Revision 1.16  1993/12/21  20:26:34  marc
+ * create new principals with policy NULL, not ""
+ *
+ * Revision 1.15  1993/12/14  22:51:35  marc
+ * missing * in call to krb5_random_key
+ *
+ * Revision 1.14  1993/11/27  20:42:32  bjaspan
+ * fix secure/621: coredumps with default realm
+ *
+ * Revision 1.13  1993/11/19  20:03:51  shanzer
+ * osa_adb_open_T takes a file name argument.
+ *
+ * Revision 1.12  1993/11/10  21:30:24  bjaspan
+ * move init code to main, accept -m
+ *
+ * Revision 1.11  1993/11/10  04:33:35  bjaspan
+ * rewrote adding principals to kdb, and set lifetimes
+ *
+ * Revision 1.10  1993/11/06  00:08:44  bjaspan
+ * use new OVSEC_KADM_* names, use correct realm
+ *
+ * Revision 1.9  1993/11/05  05:05:35  bjaspan
+ * added -r realm argument
+ *
+ */
+
+#if !defined(lint) && !defined(__CODECENTER__)
+static char *rcsid = "$Header$";
+#endif
+
+#include "string_table.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ovsec_admin/adb.h>
+#include <ovsec_admin/admin.h>
+
+#include <krb5.h>
+#include <krb5/kdb.h>
+
+int add_admin_princ(void *handle, krb5_context context,
+		    char *name, char *realm, int attrs, int lifetime);
+
+#define ERR 1
+#define OK 0
+
+#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
+#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
+
+char *whoami;
+
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+extern krb5_db_entry master_db;
+
+/*
+ * Function: main
+ *
+ * Purpose: create admin principals, create and populate admin dbs
+ *
+ * Arguments:
+ *
+ *      input           none
+ *      <return value>  exit status 1 for error 0 for success
+ *      
+ * Requires:
+ *      
+ *      
+ * Effects:
+ *      
+ *      
+ * Modifies:
+ *
+ */
+
+void usage()     
+{
+     fprintf(stderr, "%s\n", str_PROG_CREATE_USAGE);
+     exit(1);
+}
+     
+void main(int argc, char **argv)
+{
+     char *realm = NULL;
+     int freerealm = 0;
+     int retval, from_keyboard = 0;
+     krb5_principal creator = NULL;
+     void *handle;
+     krb5_context context;
+
+     whoami = str_PROG_NAME_CREATE;
+
+     argc--; argv++;
+     while (argc) {
+	  if (strcmp(*argv, "-r") == 0) {
+	       argc--; argv++;
+	       if (!argc)
+		    usage();
+	       realm = *argv;
+	  } else if (strcmp(*argv, "-m") == 0) {
+	       from_keyboard = 1;
+	  } else
+	       break;
+	  argc--; argv++;
+     }
+     
+     if (argc != 0)
+	  usage();
+
+     if (retval = krb5_init_context(&context))
+	  exit(ERR);
+
+     if (realm == NULL) {
+	  if ((retval = krb5_get_default_realm(context, &realm)) != 0)
+	       exit(retval);
+	  freerealm = 1;
+     }
+  
+     if ((retval = ovsec_kadm_init(whoami, from_keyboard?"non-null":NULL,
+				   NULL, realm,
+				   OVSEC_KADM_STRUCT_VERSION,
+				   OVSEC_KADM_API_VERSION_1,
+				   &handle))) {
+	  com_err(whoami, retval, str_INITING_KCONTEXT);
+
+	  krb5_free_context(context);
+	  exit(ERR);
+     }
+
+     retval = add_admin_princs(handle, context, realm);
+
+     ovsec_kadm_destroy(handle);
+     krb5_free_context(context);
+
+     if (retval)
+	  exit(retval);
+     
+     exit(0);
+}
+
+/*
+ * Function: build_name_with_realm
+ *
+ * Purpose: concatenate a name and a realm to form a krb5 name
+ *
+ * Arguments:
+ *
+ * 	name	(input) the name
+ * 	realm	(input) the realm
+ *
+ * Returns:
+ *
+ * 	pointer to name@realm, in allocated memory, or NULL if it
+ * 	cannot be allocated
+ *
+ * Requires: both strings are null-terminated
+ */
+char *build_name_with_realm(char *name, char *realm)
+{
+     char *n;
+
+     n = (char *) malloc(strlen(name) + strlen(realm) + 2);
+     sprintf(n, "%s@%s", name, realm);
+     return n;
+}
+
+/*
+ * Function: add_admin_princs
+ *
+ * Purpose: create admin principals
+ *
+ * Arguments:
+ *
+ * 	rseed		(input) random seed
+ * 	realm		(input) realm, or NULL for default realm
+ *      <return value>  (output) status, 0 for success, 1 for serious error
+ *      
+ * Requires:
+ *      
+ * Effects:
+ *      
+ * add_admin_princs creates OVSEC_KADM_ADMIN_SERVICE,
+ * OVSEC_KADM_CHANGEPW_SERVICE, and OVSEC_KADM_HIST_PRINCIPAL.  If any
+ * of these exist a message is printed.  If any of these existing
+ * principal do not have the proper attributes, a warning message is
+ * printed.
+ */
+int add_admin_princs(void *handle, krb5_context context, char *realm)
+{
+  krb5_error_code ret = 0;
+  
+  if ((ret = add_admin_princ(handle, context,
+			     OVSEC_KADM_ADMIN_SERVICE, realm,
+			     KRB5_KDB_DISALLOW_TGT_BASED,
+			     ADMIN_LIFETIME)))
+       goto clean_and_exit;
+
+  if ((ret = add_admin_princ(handle, context, 
+			     OVSEC_KADM_CHANGEPW_SERVICE, realm, 
+			     KRB5_KDB_DISALLOW_TGT_BASED |
+			     KRB5_KDB_PWCHANGE_SERVICE,
+			     CHANGEPW_LIFETIME)))
+       goto clean_and_exit;
+  
+#if 0
+  /* this is now done inside kdb_init_hist in the admin server */
+
+  if ((ret = add_admin_princ(handle, context, 
+			     OVSEC_KADM_HIST_PRINCIPAL, realm,
+			     KRB5_KDB_DISALLOW_ALL_TIX,
+			     0)))
+       goto clean_and_exit;
+#endif
+
+clean_and_exit:
+
+  return ret;
+}
+
+/*
+ * Function: add_admin_princ
+ *
+ * Arguments:
+ *
+ * 	creator		(r) principal to use as "mod_by"
+ * 	rseed		(r) seed for random key generator
+ * 	name		(r) principal name
+ * 	realm		(r) realm name for principal
+ * 	attrs		(r) principal's attributes
+ * 	lifetime	(r) principal's max life, or 0
+ * 	not_unique	(r) error message for multiple entries, never used
+ * 	exists		(r) warning message for principal exists
+ * 	wrong_attrs	(r) warning message for wrong attributes
+ *
+ * Returns:
+ *
+ * 	OK on success
+ * 	ERR on serious errors
+ *
+ * Effects:
+ * 
+ * If the principal is not unique, not_unique is printed (but this
+ * never happens).  If the principal exists, then exists is printed
+ * and if the principals attributes != attrs, wrong_attrs is printed.
+ * Otherwise, the principal is created with mod_by creator and
+ * attributes attrs and max life of lifetime (if not zero).
+ */
+
+int add_admin_princ(void *handle, krb5_context context,
+		    char *name, char *realm, int attrs, int lifetime)
+{
+     char *fullname;
+     int nprincs;
+     krb5_error_code ret;
+     ovsec_kadm_principal_ent_rec ent;
+
+     memset(&ent, 0, sizeof(ent));
+
+     fullname = build_name_with_realm(name, realm);
+     if (ret = krb5_parse_name(context, fullname, &ent.principal)) {
+	  com_err(whoami, ret, str_PARSE_NAME);
+	  return(ERR);
+     }
+     ent.max_life = lifetime;
+     ent.attributes = attrs;
+     
+     if (ret = ovsec_kadm_create_principal(handle, &ent,
+					   (OVSEC_KADM_PRINCIPAL |
+					    OVSEC_KADM_MAX_LIFE |
+					    OVSEC_KADM_ATTRIBUTES),
+					   "to-be-random")) {
+	  if (ret == OVSEC_KADM_DUP)
+	       ret = ovsec_kadm_modify_principal(handle, &ent,
+						 (OVSEC_KADM_PRINCIPAL |
+						  OVSEC_KADM_MAX_LIFE |
+						  OVSEC_KADM_ATTRIBUTES));
+
+	  if (ret) {
+	       com_err(whoami, ret, str_PUT_PRINC, fullname);
+	       krb5_free_principal(context, ent.principal);
+	       free(fullname);
+	       return ERR;
+	  }
+     }
+
+     ret = ovsec_kadm_randkey_principal(handle, ent.principal, NULL);
+
+     krb5_free_principal(context, ent.principal);
+     free(fullname);
+
+     if (ret) {
+	  com_err(whoami, ret, str_RANDOM_KEY, fullname);
+	  return ERR;
+     }
+
+     return OK;
+}
+
+#if 0
+/*
+ * Function: main
+ *
+ * Purpose: Return "garbage" if the caller asks for it.
+ *
+ * Arguments:
+ *
+ *      input           (input) A null-terminated string,
+ *                      or NULL.
+ *      delay           (input/output) The number of seconds the
+ *                      function should delay before returning.
+ *      <return value>  (output) A string.
+ *      
+ * Requires:
+ *      
+ *      "input" must either be NULL or point to an address in the
+ *      program's address space.  "delay" must point to an address in
+ *      the program's address space.
+ *
+ * Effects:
+ *      
+ *      The function first sleeps for approximately the number of
+ *      seconds specified in "delay".
+ *      
+ *      Then, if "input" is non-NULL and points to a null-terminated
+ *      string which is equal to "garbage", the function sets "delay"
+ *      to 42 and returns a string allocated with malloc(3) containing
+ *      "more-garbage".
+ *      
+ *      If "input" is NULL or does not contain "garbage", the function
+ *      returns NULL without modifying "delay".
+ *      
+ *      If "<return value>" is non-NULL, the caller should deallocate
+ *      the string in it (with free(3)) when it is no longer needed.
+ *      
+ * Modifies:
+ *      
+ *      May allocate a new block of memory in the malloc(3) arena.
+ *      May change the value in the memory location pointed to by
+ *      "delay".
+ */
+
+krb5_error_code add_random_princ(princ_str, princ, attrs, lifetime,
+				 creator, rseed) 
+   char *princ_str;
+   krb5_principal princ, creator;
+   krb5_flags attrs;
+   int lifetime;
+   krb5_pointer *rseed;
+{
+    krb5_db_entry entry;
+    krb5_error_code ret;
+    krb5_encrypted_keyblock ekey;
+    krb5_keyblock *rkey;
+    int nentries = 1;
+
+    memset((char *) &entry, 0, sizeof(entry));
+    entry.principal = princ;
+    entry.kvno = 1;
+    entry.max_life = KRB5_KDB_MAX_LIFE;
+    entry.max_renewable_life = 0;
+    entry.mkvno = master_db.mkvno;
+    entry.expiration = KRB5_KDB_EXPIRATION;
+    entry.mod_name = creator;
+    if (lifetime != 0)
+	 entry.max_life = lifetime;
+    
+    if (ret = krb5_timeofday(&entry.mod_date))
+      return(ret);
+
+    entry.attributes = attrs;
+
+    ret = krb5_random_key(&master_encblock, *rseed, &rkey);
+    if (ret != 0) {
+      com_err(whoami, ret, str_RANDOM_KEY, princ_str);
+      return (ERR);
+    }
+
+
+    ret = krb5_kdb_encrypt_key(&master_encblock, rkey, &ekey);
+    krb5_free_keyblock(rkey);
+    if (ret != 0) {
+      com_err(whoami, ret, str_ENCRYPT_KEY, princ_str);
+      return (ERR);
+    }
+
+    entry.key = ekey;
+    entry.salt_type = KRB5_KDB_SALTTYPE_NORMAL;
+    entry.salt_length = 0;
+    entry.salt = 0;
+    
+    ret = krb5_db_put_principal(&entry, &nentries);
+    if (ret != 0)
+      com_err(whoami, ret, str_PUT_PRINC, princ_str);
+#ifdef KRB5B4
+    krb5_xfree(ekey.contents);
+#else
+    xfree(ekey.contents);
+#endif
+
+    if (ret) return(ERR);
+
+    printf(str_CREATED_PRINC, whoami, princ_str);
+
+    return(OK);
+}
+
+/*
+ * Function: create_admin_policy_db
+ *
+ * Purpose: Return "garbage" if the caller asks for it.
+ *
+ * Arguments:
+ *
+ *      input           (input) A null-terminated string,
+ *                      or NULL.
+ *      delay           (input/output) The number of seconds the
+ *                      function should delay before returning.
+ *      <return value>  (output) A string.
+ *      
+ * Requires:
+ *      
+ *      "input" must either be NULL or point to an address in the
+ *      program's address space.  "delay" must point to an address in
+ *      the program's address space.
+ *
+ * Effects:
+ *      
+ *      The function first sleeps for approximately the number of
+ *      seconds specified in "delay".
+ *      
+ *      Then, if "input" is non-NULL and points to a null-terminated
+ *      string which is equal to "garbage", the function sets "delay"
+ *      to 42 and returns a string allocated with malloc(3) containing
+ *      "more-garbage".
+ *      
+ *      If "input" is NULL or does not contain "garbage", the function
+ *      returns NULL without modifying "delay".
+ *      
+ *      If "<return value>" is non-NULL, the caller should deallocate
+ *      the string in it (with free(3)) when it is no longer needed.
+ *      
+ * Modifies:
+ *      
+ *      May allocate a new block of memory in the malloc(3) arena.
+ *      May change the value in the memory location pointed to by
+ *      "delay".
+ */
+
+int create_admin_policy_db()
+{
+  /* We don't have a create/destroy routine, so opening the db and
+     closing it will have to do. */
+  osa_adb_policy_t policy_db = NULL;
+  osa_adb_ret_t ret;
+
+  ret = osa_adb_open_policy(&policy_db, POLICY_DB);
+  if (ret != OSA_ADB_OK) {
+    com_err (whoami, ret, str_CREATING_POLICY_DB);
+    return(-1);
+  }
+
+  /* Should create sample policies here */
+
+  ret = osa_adb_close_policy(policy_db);
+  if (ret != OSA_ADB_OK) {
+    com_err (whoami, ret, str_CLOSING_POLICY_DB);
+    return(-1);
+  }
+
+  printf(str_CREATED_POLICY_DB, whoami);
+
+  return(OK);
+}
+
+/*
+
+ * Function: iterator(ptr, entry)
+ *
+ * Purpose:
+ *
+ * 	Creates an entry in the Admin database corresponding to the
+ * 	specified entry in the Kerberos database.
+ *
+ * Arguments:
+ *
+ *      ptr		(input) Actually of type osa_adb_princ_t,
+ * 			represents the Admin database in which to
+ * 			create the principal.
+ *	entry		(input) The entry in the Kerberos database for
+ * 			which to create an entry in the Admin
+ * 			database.
+ *      
+ * Requires:
+ *      
+ *      "ptr" represents a valid, open Admin principal database.
+ *      "entry" represents a valid, decoded Kerberos database
+ *      principal entry.
+ *
+ * Effects:
+ *      
+ *      Modifies the Admin principal database by creating a principal
+ *      in the database with the same name as "entry" and no other
+ *      information.
+ *      
+ * Modifies:
+ *      
+ *      Does not modify any global memory.  Modifies the Admin
+ *      principal database whose handle is passed into it.
+ */
+
+krb5_error_code
+iterator(ptr, entry)
+krb5_pointer ptr;
+krb5_db_entry *entry;
+{ 
+  osa_adb_ret_t retval;
+  krb5_error_code retval2;
+  char *princ_str = NULL;
+  osa_princ_ent_rec osa_princ;
+
+  /* Zero the whole struct, and fill in the princ name */
+  memset(&osa_princ, 0, sizeof(osa_princ_ent_rec));
+
+  osa_princ.name = entry->principal;
+  osa_princ.policy = NULL;
+
+  retval = osa_adb_create_princ((osa_adb_princ_t) ptr, &osa_princ);
+  if (retval != OSA_ADB_OK) {
+    if (retval2 = krb5_unparse_name(entry->principal, &princ_str)) {
+	com_err(whoami, retval2, str_UNPARSE_PRINC);
+    }
+    com_err(whoami, retval, str_CREATING_PRINC_ENTRY, 
+	    (princ_str ? princ_str : str_A_PRINC));
+    if (princ_str) free(princ_str);
+  }
+  return (0);
+}
+
+/*
+ * Function: create_and_populate_admin_princ_db
+ *
+ * Purpose: Return "garbage" if the caller asks for it.
+ *
+ * Arguments:
+ *
+ *      input           (input) A null-terminated string,
+ *                      or NULL.
+ *      delay           (input/output) The number of seconds the
+ *                      function should delay before returning.
+ *      <return value>  (output) A string.
+ *      
+ * Requires:
+ *      
+ *      "input" must either be NULL or point to an address in the
+ *      program's address space.  "delay" must point to an address in
+ *      the program's address space.
+ *
+ * Effects:
+ *      
+ *      The function first sleeps for approximately the number of
+ *      seconds specified in "delay".
+ *      
+ *      Then, if "input" is non-NULL and points to a null-terminated
+ *      string which is equal to "garbage", the function sets "delay"
+ *      to 42 and returns a string allocated with malloc(3) containing
+ *      "more-garbage".
+ *      
+ *      If "input" is NULL or does not contain "garbage", the function
+ *      returns NULL without modifying "delay".
+ *      
+ *      If "<return value>" is non-NULL, the caller should deallocate
+ *      the string in it (with free(3)) when it is no longer needed.
+ *      
+ * Modifies:
+ *      
+ *      May allocate a new block of memory in the malloc(3) arena.
+ *      May change the value in the memory location pointed to by
+ *      "delay".
+ */
+
+int create_and_populate_admin_princ_db()
+{
+  osa_adb_princ_t princ_db = NULL;
+  osa_adb_ret_t ret;
+
+  /* We don't have a create/destroy routine, so opening the db and
+     closing it will have to do. */
+
+  ret = osa_adb_open_princ(&princ_db, PRINCIPAL_DB);
+  if (ret != OSA_ADB_OK) {
+    com_err (whoami, ret, str_CREATING_PRINC_DB);
+    return(-1);
+  }
+
+  printf(str_CREATED_PRINC_DB, whoami);
+
+  (void) krb5_db_iterate(iterator, princ_db);
+
+  ret = osa_adb_close_princ(princ_db);
+  if (ret != OSA_ADB_OK) {
+    com_err (whoami, ret, str_CLOSING_PRINC_DB);
+    return(-1);
+  }
+
+
+  return(OK);
+}
+
+#endif
diff --git a/src/kadmin/create/configure.in b/src/kadmin/create/configure.in
new file mode 100644
index 000000000..403034263
--- /dev/null
+++ b/src/kadmin/create/configure.in
@@ -0,0 +1,11 @@
+AC_INIT(kdb5_create.c)
+CONFIG_RULES
+AC_PROG_INSTALL
+USE_KADMSRV_LIBRARY
+USE_GSSRPC_LIBRARY
+USE_GSSAPI_LIBRARY
+USE_DYN_LIBRARY
+USE_KDB5_LIBRARY
+KRB5_LIBRARIES
+V5_USE_SHARED_LIB
+V5_AC_OUTPUT_MAKEFILE
diff --git a/src/kadmin/create/kadm5_create.c b/src/kadmin/create/kadm5_create.c
new file mode 100644
index 000000000..33b30ec9c
--- /dev/null
+++ b/src/kadmin/create/kadm5_create.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
+ *
+ * $Id$
+ * $Source$
+ */
+
+#if !defined(lint) && !defined(__CODECENTER__)
+static char *rcsid = "$Header$";
+#endif
+
+#include "string_table.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <kadm5/adb.h>
+#include <kadm5/admin.h>
+
+#include <krb5.h>
+#include <krb5/kdb.h>
+
+int add_admin_princ(void *handle, krb5_context context,
+		    char *name, char *realm, int attrs, int lifetime);
+
+#define ERR 1
+#define OK 0
+
+#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
+#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
+
+extern char *whoami;
+
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+extern krb5_db_entry master_db;
+
+/*
+ * Function: kadm5_create
+ *
+ * Purpose: create admin principals in KDC database
+ *
+ * Arguments:	params	(r) configuration parameters to use
+ *      
+ * Effects:  Creates KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE
+ * principals in the KDC database and sets their attributes
+ * appropriately.
+ */
+void kadm5_create(kadm5_config_params *params)
+{
+     int retval;
+     void *handle;
+     krb5_context context;
+     FILE *f;
+
+
+     if (retval = krb5_init_context(&context))
+	  exit(ERR);
+
+     /*
+      * The lock file has to exist before calling kadm5_init, but
+      * params->admin_lockfile may not be set yet...
+      */
+     if (retval = kadm5_get_config_params(context, NULL, NULL,
+					  params, params)) {
+	  com_err(whoami, retval, str_INITING_KCONTEXT);
+	  exit(1);
+     }
+
+     if (retval = osa_adb_create_policy_db(params)) {
+	  com_err(whoami, retval, str_CREATING_POLICY_DB);
+	  exit(1);
+     }
+
+     if ((retval = kadm5_init(whoami, NULL, NULL, params,
+			      KADM5_STRUCT_VERSION,
+			      KADM5_API_VERSION_2,
+			      &handle))) {
+	  com_err(whoami, retval, str_INITING_KCONTEXT);
+
+	  krb5_free_context(context);
+	  exit(ERR);
+     }
+
+     retval = add_admin_princs(handle, context, params->realm);
+
+     kadm5_destroy(handle);
+     krb5_free_context(context);
+
+     if (retval)
+	  exit(retval);
+     
+     exit(0);
+}
+
+/*
+ * Function: build_name_with_realm
+ *
+ * Purpose: concatenate a name and a realm to form a krb5 name
+ *
+ * Arguments:
+ *
+ * 	name	(input) the name
+ * 	realm	(input) the realm
+ *
+ * Returns:
+ *
+ * 	pointer to name@realm, in allocated memory, or NULL if it
+ * 	cannot be allocated
+ *
+ * Requires: both strings are null-terminated
+ */
+char *build_name_with_realm(char *name, char *realm)
+{
+     char *n;
+
+     n = (char *) malloc(strlen(name) + strlen(realm) + 2);
+     sprintf(n, "%s@%s", name, realm);
+     return n;
+}
+
+/*
+ * Function: add_admin_princs
+ *
+ * Purpose: create admin principals
+ *
+ * Arguments:
+ *
+ * 	rseed		(input) random seed
+ * 	realm		(input) realm, or NULL for default realm
+ *      <return value>  (output) status, 0 for success, 1 for serious error
+ *      
+ * Requires:
+ *      
+ * Effects:
+ *      
+ * add_admin_princs creates KADM5_ADMIN_SERVICE,
+ * KADM5_CHANGEPW_SERVICE.  If any of these exist a message is
+ * printed.  If any of these existing principal do not have the proper
+ * attributes, a warning message is printed.
+ */
+int add_admin_princs(void *handle, krb5_context context, char *realm)
+{
+  krb5_error_code ret = 0;
+  
+  if ((ret = add_admin_princ(handle, context,
+			     KADM5_ADMIN_SERVICE, realm,
+			     KRB5_KDB_DISALLOW_TGT_BASED,
+			     ADMIN_LIFETIME)))
+       goto clean_and_exit;
+
+  if ((ret = add_admin_princ(handle, context, 
+			     KADM5_CHANGEPW_SERVICE, realm, 
+			     KRB5_KDB_DISALLOW_TGT_BASED |
+			     KRB5_KDB_PWCHANGE_SERVICE,
+			     CHANGEPW_LIFETIME)))
+       goto clean_and_exit;
+  
+clean_and_exit:
+
+  return ret;
+}
+
+/*
+ * Function: add_admin_princ
+ *
+ * Arguments:
+ *
+ * 	creator		(r) principal to use as "mod_by"
+ * 	rseed		(r) seed for random key generator
+ * 	name		(r) principal name
+ * 	realm		(r) realm name for principal
+ * 	attrs		(r) principal's attributes
+ * 	lifetime	(r) principal's max life, or 0
+ * 	not_unique	(r) error message for multiple entries, never used
+ * 	exists		(r) warning message for principal exists
+ * 	wrong_attrs	(r) warning message for wrong attributes
+ *
+ * Returns:
+ *
+ * 	OK on success
+ * 	ERR on serious errors
+ *
+ * Effects:
+ * 
+ * If the principal is not unique, not_unique is printed (but this
+ * never happens).  If the principal exists, then exists is printed
+ * and if the principals attributes != attrs, wrong_attrs is printed.
+ * Otherwise, the principal is created with mod_by creator and
+ * attributes attrs and max life of lifetime (if not zero).
+ */
+
+int add_admin_princ(void *handle, krb5_context context,
+		    char *name, char *realm, int attrs, int lifetime)
+{
+     char *fullname;
+     int nprincs;
+     krb5_error_code ret;
+     kadm5_principal_ent_rec ent;
+
+     memset(&ent, 0, sizeof(ent));
+
+     fullname = build_name_with_realm(name, realm);
+     if (ret = krb5_parse_name(context, fullname, &ent.principal)) {
+	  com_err(whoami, ret, str_PARSE_NAME);
+	  return(ERR);
+     }
+     ent.max_life = lifetime;
+     ent.attributes = attrs;
+     
+     if (ret = kadm5_create_principal(handle, &ent,
+					   (KADM5_PRINCIPAL |
+					    KADM5_MAX_LIFE |
+					    KADM5_ATTRIBUTES),
+					   "to-be-random")) {
+	  if (ret == KADM5_DUP)
+	       ret = kadm5_modify_principal(handle, &ent,
+						 (KADM5_PRINCIPAL |
+						  KADM5_MAX_LIFE |
+						  KADM5_ATTRIBUTES));
+
+	  if (ret) {
+	       com_err(whoami, ret, str_PUT_PRINC, fullname);
+	       krb5_free_principal(context, ent.principal);
+	       free(fullname);
+	       return ERR;
+	  }
+     }
+
+     ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL);
+
+     krb5_free_principal(context, ent.principal);
+     free(fullname);
+
+     if (ret) {
+	  com_err(whoami, ret, str_RANDOM_KEY, fullname);
+	  return ERR;
+     }
+
+     return OK;
+}
diff --git a/src/kadmin/create/kdb5_create.c b/src/kadmin/create/kdb5_create.c
new file mode 100644
index 000000000..8b167b6b9
--- /dev/null
+++ b/src/kadmin/create/kdb5_create.c
@@ -0,0 +1,536 @@
+/*
+ * admin/create/kdb5_create.c
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Generate (from scratch) a Kerberos KDC database.
+ */
+
+#include <stdio.h>
+#include <k5-int.h>
+#include <kadm5/admin.h>
+
+enum ap_op {
+    NULL_KEY,				/* setup null keys */
+    MASTER_KEY,				/* use master key as new key */
+    TGT_KEY				/* special handling for tgt key */
+};
+
+krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
+
+struct realm_info {
+    krb5_deltat max_life;
+    krb5_deltat max_rlife;
+    krb5_timestamp expiration;
+    krb5_flags flags;
+    krb5_encrypt_block *eblock;
+    krb5_pointer rseed;
+    krb5_int32 nkslist;
+    krb5_key_salt_tuple *kslist;
+} rblock = { /* XXX */
+    KRB5_KDB_MAX_LIFE,
+    KRB5_KDB_MAX_RLIFE,
+    KRB5_KDB_EXPIRATION,
+    KRB5_KDB_DEF_FLAGS,
+    (krb5_encrypt_block *) NULL,
+    (krb5_pointer) NULL,
+    1,
+    &def_kslist
+};
+
+struct iterate_args {
+    krb5_context	ctx;
+    struct realm_info	*rblock;
+    krb5_db_entry	*dbentp;
+};
+
+static krb5_error_code add_principal 
+	PROTOTYPE((krb5_context,
+		   krb5_principal, 
+		   enum ap_op,
+		   struct realm_info *));
+
+/*
+ * Steps in creating a database:
+ *
+ * 1) use the db calls to open/create a new database
+ *
+ * 2) get a realm name for the new db
+ *
+ * 3) get a master password for the new db; convert to an encryption key.
+ *
+ * 4) create various required entries in the database
+ *
+ * 5) close & exit
+ */
+
+static void
+usage(who, status)
+char *who;
+int status;
+{
+    fprintf(stderr, "usage: %s [-d dbpathname] [-r realmname] [-k enctype]\n\
+\t[-M mkeyname]\n",
+	    who);
+    exit(status);
+}
+
+krb5_keyblock master_keyblock;
+krb5_principal master_princ;
+krb5_encrypt_block master_encblock;
+krb5_data master_salt;
+
+krb5_data tgt_princ_entries[] = {
+	{0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
+	{0, 0, 0} };
+
+krb5_data db_creator_entries[] = {
+	{0, sizeof("db_creation")-1, "db_creation"} };
+
+/* XXX knows about contents of krb5_principal, and that tgt names
+ are of form TGT/REALM@REALM */
+krb5_principal_data tgt_princ = {
+        0,					/* magic number */
+	{0, 0, 0},				/* krb5_data realm */
+	tgt_princ_entries,			/* krb5_data *data */
+	2,					/* int length */
+	KRB5_NT_SRV_INST			/* int type */
+};
+
+krb5_principal_data db_create_princ = {
+        0,					/* magic number */
+	{0, 0, 0},				/* krb5_data realm */
+	db_creator_entries,			/* krb5_data *data */
+	1,					/* int length */
+	KRB5_NT_SRV_INST			/* int type */
+};
+
+char *mkey_password = 0;
+char *whoami;
+
+void
+main(argc, argv)
+int argc;
+char *argv[];
+{
+    extern char *optarg;	
+    int optchar;
+
+    krb5_error_code retval;
+    char *dbname = (char *) NULL;
+    char *realm = 0;
+    char *mkey_name = 0;
+    char *mkey_fullname;
+    char *defrealm;
+    char *pw_str = 0;
+    char *keyfile = 0;
+    int pw_size = 0;
+    int enctypedone = 0;
+    int do_stash = 0;
+    krb5_data pwd;
+    krb5_context context;
+    krb5_realm_params *rparams;
+    kadm5_config_params kadm5_params;
+
+    memset(&kadm5_params, 0, sizeof(kadm5_params));
+	   
+    krb5_init_context(&context);
+    krb5_init_ets(context);
+
+    if (strrchr(argv[0], '/'))
+	argv[0] = strrchr(argv[0], '/')+1;
+    whoami = argv[0];
+
+    kadm5_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+    kadm5_params.mkey_from_kbd = 1;
+
+    while ((optchar = getopt(argc, argv, "d:r:k:M:e:P:sf:")) != EOF) {
+	switch(optchar) {
+	case 'd':			/* set db name */
+	    kadm5_params.dbname = dbname = optarg;
+	    kadm5_params.mask |= KADM5_CONFIG_DBNAME;
+	    break;
+	case 'r':
+	    kadm5_params.realm = realm = optarg;
+	    kadm5_params.mask |= KADM5_CONFIG_REALM;
+	    break;
+	case 'k':
+	    if (!krb5_string_to_enctype(optarg, &master_keyblock.enctype)){
+		 enctypedone++;
+		 kadm5_params.enctype = master_keyblock.enctype;
+		 kadm5_params.mask |= KADM5_CONFIG_ENCTYPE;
+	    }		 
+	    else
+		com_err(argv[0], 0, "%s is an invalid enctype", optarg);
+	    break;
+	case 's':
+	    do_stash++;
+	    kadm5_params.mkey_from_kbd = 0;
+	    break;
+	case 'f':
+	    kadm5_params.stash_file = keyfile = optarg;
+	    kadm5_params.mask |= KADM5_CONFIG_STASH_FILE;
+	    break;
+	case 'M':			/* master key name in DB */
+	    kadm5_params.mkey_name = mkey_name = optarg;
+	    kadm5_params.mask |= KADM5_CONFIG_MKEY_NAME;
+	    break;
+        case 'P':		/* Only used for testing!!! */
+	    mkey_password = optarg;
+	    break;
+	case '?':
+	default:
+	    usage(argv[0], 1);
+	    /*NOTREACHED*/
+	}
+    }
+
+    /*
+     * Attempt to read the KDC profile.  If we do, then read appropriate values
+     * from it and augment values supplied on the command line.
+     */
+    if (!(retval = krb5_read_realm_params(context,
+					  realm,
+					  (char *) NULL,
+					  (char *) NULL,
+					  &rparams))) {
+	/* Get the value for the database */
+	if (rparams->realm_dbname && !dbname)
+	    dbname = strdup(rparams->realm_dbname);
+
+	/* Get the value for the master key name */
+	if (rparams->realm_mkey_name && !mkey_name)
+	    mkey_name = strdup(rparams->realm_mkey_name);
+
+	/* Get the value for the master key type */
+	if (rparams->realm_enctype_valid && !enctypedone) {
+	    master_keyblock.enctype = rparams->realm_enctype;
+	    enctypedone++;
+	}
+
+	/* Get the value for maximum ticket lifetime. */
+	if (rparams->realm_max_life_valid)
+	    rblock.max_life = rparams->realm_max_life;
+
+	/* Get the value for maximum renewable ticket lifetime. */
+	if (rparams->realm_max_rlife_valid)
+	    rblock.max_rlife = rparams->realm_max_rlife;
+
+	/* Get the value for the default principal expiration */
+	if (rparams->realm_expiration_valid)
+	    rblock.expiration = rparams->realm_expiration;
+
+	/* Get the value for the default principal flags */
+	if (rparams->realm_flags_valid)
+	    rblock.flags = rparams->realm_flags;
+
+	/* Get the value of the supported key/salt pairs */
+	if (rparams->realm_num_keysalts) {
+	    rblock.nkslist = rparams->realm_num_keysalts;
+	    rblock.kslist = rparams->realm_keysalts;
+	    rparams->realm_num_keysalts = 0;
+	    rparams->realm_keysalts = (krb5_key_salt_tuple *) NULL;
+	}
+
+	/* Get the value for the stash file */
+	if (rparams->realm_stash_file && !keyfile)
+	    keyfile = strdup(rparams->realm_stash_file);
+
+	krb5_free_realm_params(context, rparams);
+    }
+
+    if (!dbname)
+	dbname = DEFAULT_KDB_FILE;
+
+    if (!enctypedone)
+	master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
+
+    if (!valid_enctype(master_keyblock.enctype)) {
+	char tmp[32];
+	if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp)))
+	    com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP,
+		    "while setting up enctype %d", master_keyblock.enctype);
+	else
+	    com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
+	exit(1);
+    }
+
+    krb5_use_enctype(context, &master_encblock, master_keyblock.enctype);
+
+    retval = krb5_db_set_name(context, dbname);
+    if (!retval) retval = EEXIST;
+
+    if (retval == EEXIST || retval == EACCES || retval == EPERM) {
+	/* it exists ! */
+	com_err(argv[0], 0, "The database '%s' appears to already exist",
+		dbname);
+	exit(1);
+    }
+    if (!realm) {
+	if ((retval = krb5_get_default_realm(context, &defrealm))) {
+	    com_err(argv[0], retval, "while retrieving default realm name");
+	    exit(1);
+	}	    
+	realm = defrealm;
+    }
+
+    /* assemble & parse the master key name */
+
+    if ((retval = krb5_db_setup_mkey_name(context, mkey_name, realm, 
+					  &mkey_fullname, &master_princ))) {
+	com_err(argv[0], retval, "while setting up master key name");
+	exit(1);
+    }
+
+    krb5_princ_set_realm_data(context, &db_create_princ, realm);
+    krb5_princ_set_realm_length(context, &db_create_princ, strlen(realm));
+    krb5_princ_set_realm_data(context, &tgt_princ, realm);
+    krb5_princ_set_realm_length(context, &tgt_princ, strlen(realm));
+    krb5_princ_component(context, &tgt_princ,1)->data = realm;
+    krb5_princ_component(context, &tgt_princ,1)->length = strlen(realm);
+
+    printf("Initializing database '%s' for realm '%s',\n\
+master key name '%s'\n",
+	   dbname, realm, mkey_fullname);
+
+    if (!mkey_password) {
+	printf("You will be prompted for the database Master Password.\n");
+	printf("It is important that you NOT FORGET this password.\n");
+	fflush(stdout);
+
+	pw_size = 1024;
+	pw_str = malloc(pw_size);
+	
+	retval = krb5_read_password(context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
+				    pw_str, &pw_size);
+	if (retval) {
+	    com_err(argv[0], retval, "while reading master key from keyboard");
+	    exit(1);
+	}
+	mkey_password = pw_str;
+    }
+
+    pwd.data = mkey_password;
+    pwd.length = strlen(mkey_password);
+    retval = krb5_principal2salt(context, master_princ, &master_salt);
+    if (retval) {
+	com_err(argv[0], retval, "while calculated master key salt");
+	exit(1);
+    }
+    if (retval = krb5_string_to_key(context, &master_encblock, 
+				    &master_keyblock, &pwd, &master_salt)) {
+	com_err(argv[0], retval, "while transforming master key from password");
+	exit(1);
+    }
+
+    if ((retval = krb5_process_key(context, &master_encblock,
+				   &master_keyblock))) {
+	com_err(argv[0], retval, "while processing master key");
+	exit(1);
+    }
+
+    rblock.eblock = &master_encblock;
+    if ((retval = krb5_init_random_key(context, &master_encblock, 
+				       &master_keyblock, &rblock.rseed))) {
+	com_err(argv[0], retval, "while initializing random key generator");
+	(void) krb5_finish_key(context, &master_encblock);
+	exit(1);
+    }
+    if ((retval = krb5_db_create(context, dbname))) {
+	(void) krb5_finish_key(context, &master_encblock);
+	(void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
+	com_err(argv[0], retval, "while creating database '%s'",
+		dbname);
+	exit(1);
+    }
+    if ((retval = krb5_db_set_name(context, dbname))) {
+	(void) krb5_finish_key(context, &master_encblock);
+	(void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
+        com_err(argv[0], retval, "while setting active database to '%s'",
+                dbname);
+        exit(1);
+    }
+    if ((retval = krb5_db_init(context))) {
+	(void) krb5_finish_key(context, &master_encblock);
+	(void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
+	com_err(argv[0], retval, "while initializing the database '%s'",
+		dbname);
+	exit(1);
+    }
+
+    if ((retval = add_principal(context, master_princ, MASTER_KEY, &rblock)) ||
+	(retval = add_principal(context, &tgt_princ, TGT_KEY, &rblock))) {
+	(void) krb5_db_fini(context);
+	(void) krb5_finish_key(context, &master_encblock);
+	(void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
+	com_err(argv[0], retval, "while adding entries to the database");
+	exit(1);
+    }
+    if (do_stash &&
+	((retval = krb5_db_store_mkey(context, keyfile, master_princ, 
+				    &master_keyblock)))) {
+	com_err(argv[0], errno, "while storing key");
+	printf("Warning: couldn't stash master key.\n");
+    }
+    /* clean up */
+    (void) krb5_db_fini(context);
+    (void) krb5_finish_key(context, &master_encblock);
+    (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
+    memset((char *)master_keyblock.contents, 0, master_keyblock.length);
+    free(master_keyblock.contents);
+    if (pw_str) {
+	memset(pw_str, 0, pw_size);
+	free(pw_str);
+    }
+    free(master_salt.data);
+
+    kadm5_create(&kadm5_params);
+    
+    exit(0);
+
+}
+
+static krb5_error_code
+tgt_keysalt_iterate(ksent, ptr)
+    krb5_key_salt_tuple	*ksent;
+    krb5_pointer	ptr;
+{
+    krb5_context	context;
+    krb5_error_code	kret;
+    struct iterate_args	*iargs;
+    krb5_keyblock	random_keyblock, *key;
+    krb5_int32		ind;
+    krb5_encrypt_block  random_encblock;
+    krb5_pointer rseed;
+    krb5_data	pwd;
+
+    iargs = (struct iterate_args *) ptr;
+    kret = 0;
+
+    context = iargs->ctx;
+
+    /*
+     * Convert the master key password into a key for this particular
+     * encryption system.
+     */
+    krb5_use_enctype(context, &random_encblock, ksent->ks_enctype);
+    pwd.data = mkey_password;
+    pwd.length = strlen(mkey_password);
+    if (kret = krb5_string_to_key(context, &random_encblock, &random_keyblock, 
+			      &pwd, &master_salt))
+	return kret;
+    if ((kret = krb5_init_random_key(context, &random_encblock, 
+				       &random_keyblock, &rseed)))
+	return kret;
+    
+    if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {
+	ind = iargs->dbentp->n_key_data-1;
+	if (!(kret = krb5_random_key(context,
+				     &random_encblock, rseed,
+				     &key))) {
+	    kret = krb5_dbekd_encrypt_key_data(context,
+					       iargs->rblock->eblock,
+					       key, 
+					       NULL,
+					       1,
+					       &iargs->dbentp->key_data[ind]);
+	    krb5_free_keyblock(context, key);
+	}
+    }
+    memset((char *)random_keyblock.contents, 0, random_keyblock.length);
+    free(random_keyblock.contents);
+    (void) krb5_finish_random_key(context, &random_encblock, &rseed);
+    return(kret);
+}
+
+static krb5_error_code
+add_principal(context, princ, op, pblock)
+    krb5_context context;
+    krb5_principal princ;
+    enum ap_op op;
+    struct realm_info *pblock;
+{
+    krb5_error_code 	  retval;
+    krb5_db_entry 	  entry;
+
+    krb5_timestamp	  now;
+    struct iterate_args	  iargs;
+
+    int			  nentries = 1;
+
+    memset((char *) &entry, 0, sizeof(entry));
+
+    entry.len = KRB5_KDB_V1_BASE_LENGTH;
+    entry.attributes = pblock->flags;
+    entry.max_life = pblock->max_life;
+    entry.max_renewable_life = pblock->max_rlife;
+    entry.expiration = pblock->expiration;
+
+    if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
+	goto error_out;
+
+    if ((retval = krb5_timeofday(context, &now)))
+	goto error_out;
+
+    if ((retval = krb5_dbe_update_mod_princ_data(context, &entry,
+						 now, &db_create_princ)))
+	goto error_out;
+
+    switch (op) {
+    case MASTER_KEY:
+	if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
+	    == NULL)
+	    goto error_out;
+	memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
+	entry.n_key_data = 1;
+
+	entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock,
+						  &master_keyblock, NULL, 
+						  1, entry.key_data)))
+	    return retval;
+	break;
+    case TGT_KEY:
+	iargs.ctx = context;
+	iargs.rblock = pblock;
+	iargs.dbentp = &entry;
+	/*
+	 * Iterate through the key/salt list, ignoring salt types.
+	 */
+	if ((retval = krb5_keysalt_iterate(pblock->kslist,
+					   pblock->nkslist,
+					   1,
+					   tgt_keysalt_iterate,
+					   (krb5_pointer) &iargs)))
+	    return retval;
+	break;
+    case NULL_KEY:
+	return EOPNOTSUPP;
+    default:
+	break;
+    }
+
+    retval = krb5_db_put_principal(context, &entry, &nentries);
+
+error_out:;
+    krb5_dbe_free_contents(context, &entry);
+    return retval;
+}
diff --git a/src/kadmin/create/string_table.c b/src/kadmin/create/string_table.c
new file mode 100644
index 000000000..b9f86a363
--- /dev/null
+++ b/src/kadmin/create/string_table.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
+ * 
+ * $Header$
+ */
+
+#if !defined(lint) && !defined(__CODECENTER__)
+static char *rcsid = "$Header$";
+#endif
+
+/* String table of messages for kadm5_create */
+
+char *str_INITING_KCONTEXT = "while initializing the kerberos context";
+
+char *str_PARSE_NAME = "while parsing admin principal name.";
+
+char *str_HISTORY_PARSE_NAME = "while parsing admin history principal name.";
+
+char *str_ADMIN_PRINC_EXISTS = "Warning! Admin principal already exists.";
+
+char *str_CHANGEPW_PRINC_EXISTS = "Warning! Changepw principal already exists.";
+
+char *str_HISTORY_PRINC_EXISTS = "Warning! Admin history principal already exists.";
+
+char *str_ADMIN_PRINC_WRONG_ATTRS = 
+    "Warning! Admin principal has incorrect attributes.\n"
+    "\tDISALLOW_TGT should be set, and max_life should be three hours.\n"
+    "\tThis program will leave them as-is, but beware!.";
+
+char *str_CHANGEPW_PRINC_WRONG_ATTRS = 
+    "Warning! Changepw principal has incorrect attributes.\n"
+    "\tDISALLOW_TGT and PW_CHANGE_SERVICE should both be set, and "
+     "max_life should be five minutes.\n"
+    "\tThis program will leave them as-is, but beware!.";
+
+char *str_HISTORY_PRINC_WRONG_ATTRS = 
+    "Warning! Admin history principal has incorrect attributes.\n"
+    "\tDISALLOW_ALL_TIX should be set.\n" 
+    "\tThis program will leave it as-is, but beware!.";
+
+char *str_CREATED_PRINC_DB =
+	"%s: Admin principal database created (or it already existed).\n"; /* whoami */
+
+char *str_CREATED_POLICY_DB =
+	"%s: Admin policy database created (or it already existed).\n"; /* whoami */
+
+char *str_RANDOM_KEY =
+	"while calling random key for %s.";  /* principal name */
+
+char *str_ENCRYPT_KEY =
+	"while calling encrypt key for %s."; /* principal name */
+
+char *str_PUT_PRINC =
+	"while calling storing %s in Kerberos database.";  /* principal name */
+
+char *str_CREATING_POLICY_DB = "while creating/opening admin policy database.";
+
+char *str_CLOSING_POLICY_DB = "while closing admin policy database.";
+
+char *str_CREATING_PRINC_DB = "while creating/opening admin principal database.";
+
+char *str_CLOSING_PRINC_DB = "while closing admin principal database.";
+
+char *str_CREATING_PRINC_ENTRY =
+	"while creating admin principal database entry for %s."; /* princ_name */
+
+char *str_A_PRINC = "a principal";
+
+char *str_UNPARSE_PRINC = "while unparsing principal.";
+
+char *str_CREATED_PRINC = "%s: Created %s principal.\n"; /* whoami, princ_name */
+
+char *str_INIT_KDB = "while initializing kdb.";
+
+char *str_NO_KDB = 
+"while initializing kdb.\nThe Kerberos KDC database needs to exist in /krb5.\n\
+If you haven't run kdb5_create you need to do so before running this command.";
+
+
+char *str_INIT_RANDOM_KEY = "while initializing random key generator.";
+
+char *str_TOO_MANY_ADMIN_PRINC = 
+	"while fetching admin princ. Can only have one admin principal.";
+
+char *str_TOO_MANY_CHANGEPW_PRINC = 
+	"while fetching changepw princ. Can only have one changepw principal.";
+
+char *str_TOO_MANY_HIST_PRINC = 
+	"while fetching history princ. Can only have one history principal.";
+
+char *str_WHILE_DESTROYING_ADMIN_SESSION = "while closing session with admin server and destroying tickets.";
diff --git a/src/kadmin/create/string_table.h b/src/kadmin/create/string_table.h
new file mode 100644
index 000000000..e8cb45367
--- /dev/null
+++ b/src/kadmin/create/string_table.h
@@ -0,0 +1,40 @@
+/*
+  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
+  * 
+  * $Header$
+  *
+  */
+ 
+#ifndef _OVSEC_ADM_STRINGS_
+ 
+extern char *str_INITING_KCONTEXT;
+extern char *str_PARSE_NAME;
+extern char *str_HISTORY_PARSE_NAME;
+extern char *str_ADMIN_PRINC_EXISTS;
+extern char *str_CHANGEPW_PRINC_EXISTS;
+extern char *str_HISTORY_PRINC_EXISTS;
+extern char *str_ADMIN_PRINC_WRONG_ATTRS;
+extern char *str_CHANGEPW_PRINC_WRONG_ATTRS;
+extern char *str_HISTORY_PRINC_WRONG_ATTRS;
+extern char *str_CREATED_PRINC_DB;
+extern char *str_CREATED_POLICY_DB;
+extern char *str_RANDOM_KEY;
+extern char *str_ENCRYPT_KEY;
+extern char *str_PUT_PRINC;
+extern char *str_CREATING_POLICY_DB;
+extern char *str_CLOSING_POLICY_DB;
+extern char *str_CREATING_PRINC_DB;
+extern char *str_CLOSING_PRINC_DB;
+extern char *str_CREATING_PRINC_ENTRY;
+extern char *str_A_PRINC;
+extern char *str_UNPARSE_PRINC;
+extern char *str_CREATED_PRINC;
+extern char *str_INIT_KDB;
+extern char *str_NO_KDB;
+extern char *str_INIT_RANDOM_KEY;
+extern char *str_TOO_MANY_ADMIN_PRINC;
+extern char *str_TOO_MANY_CHANGEPW_PRINC;
+extern char *str_TOO_MANY_HIST_PRINC;
+extern char *str_WHILE_DESTROYING_ADMIN_SESSION;
+ 
+#endif /* _OVSEC_ADM_STRINGS_ */