make regen

Also fix SRCS in util/support/Makefile.in to name regex.cpp and not
regex.c.

diff --git a/src/kadmin/dbutil/deps b/src/kadmin/dbutil/deps
index d4d96316e6451af6336d41ef5f2b4a0d798bdee6..0d4ebe7a3ac5a4987330fe2e2becc785946a59f1 100644 (file)
--- a/src/kadmin/dbutil/deps
+++ b/src/kadmin/dbutil/deps
@@ -123,11 +123,12 @@ $(OUTPRE)dump.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_log.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h dump.c kdb5_util.h
+  $(top_srcdir)/include/k5-regex.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  dump.c kdb5_util.h
 $(OUTPRE)kdb5_mkey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -144,11 +145,12 @@ $(OUTPRE)kdb5_mkey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_log.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h kdb5_mkey.c kdb5_util.h
+  $(top_srcdir)/include/k5-regex.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  kdb5_mkey.c kdb5_util.h
 $(OUTPRE)tabdump.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \

diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps
index 8539c6d2aee52f61afb9738f33170fdf88a66dd2..530b836bc4844e7454fafc23403c74acab51951d 100644 (file)
--- a/src/lib/kadm5/srv/deps
+++ b/src/lib/kadm5/srv/deps
@@ -227,9 +227,9 @@ svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): \
   $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
   $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
   $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
-  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
-  svr_iters.c
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-regex.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/plugin.h svr_iters.c
 svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \

diff --git a/src/lib/krb5/os/deps b/src/lib/krb5/os/deps
index 4c052d55025d170cc4a92aec8f50e7c4ca72def5..4b43f13fbe51974b22faf389fe8cad154371e5a8 100644 (file)
--- a/src/lib/krb5/os/deps
+++ b/src/lib/krb5/os/deps
@@ -321,12 +321,13 @@ localauth_rule.so localauth_rule.po $(OUTPRE)localauth_rule.$(OBJEXT): \
   $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
   $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/localauth_plugin.h \
-  $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  localauth_rule.c os-proto.h
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-regex.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/localauth_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h localauth_rule.c \
+  os-proto.h
 locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index ba7c533bf5dfeaf737dda10b732ca0d4319a6fc4..2f89a30433f26fb4f706a184aa98b9dfeb609317 100644 (file)
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -54,8 +54,8 @@ recognized:
 If the realm of the server principal is known, it is matched
 against \fIvalue\fP, which may be a pattern using shell wildcards.
 For host\-based server principals, the realm will generally only be
-known if there is a domain_realm section in
-krb5.conf(5) with a mapping for the hostname.
+known if there is a \fI\%[domain_realm]\fP section in
+\fI\%krb5.conf\fP with a mapping for the hostname.
 .TP
 \fBservice\fP
 If the server principal is a host\-based principal, its service
@@ -83,18 +83,16 @@ accessing the IMAP service on \fBmail.example.com\fP:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 alice@KRBTEST.COM       realm=KRBTEST.COM
 alice/root@EXAMPLE.COM  host=*.servers.example.com
 alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH SEE ALSO
 .sp
-kerberos(1), krb5.conf(5)
+kerberos(1), \fI\%krb5.conf\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/k5login.man b/src/man/k5login.man
index 47276bcb9c0063674753d439e80a16bcad19b419..a139781db1369fde30c569086c3d66483b90cacb 100644 (file)
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -45,18 +45,16 @@ containing just the following line:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 bob@FOOBAR.ORG
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
 This would allow \fBbob\fP to use Kerberos network applications, such as
 ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
 tickets.  In a default configuration (with \fBk5login_authoritative\fP set
-to true in krb5.conf(5)), this .k5login file would not let
+to true in \fI\%krb5.conf\fP), this .k5login file would not let
 \fBalice\fP use those network applications to access her account, since
 she is not listed!  With no .k5login file, or with \fBk5login_authoritative\fP
 set to false, a default rule would permit the principal \fBalice\fP in the
@@ -68,13 +66,11 @@ in root\(aqs .k5login file on each host:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 alice@BLEEP.COM
 
 joeadmin/root@BLEEP.COM
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp

diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 7b41dc7628e620160be6459540135ad9c26b1001..7f61be2df17f2ce3c702b8e7e73203a0beed86b5 100644 (file)
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -78,15 +78,15 @@ each key.
 In all cases, the default keytab is used unless this is overridden by
 the \fB\-f\fP option.
 .sp
-k5srvutil uses the kadmin(1) program to edit the keytab in
+k5srvutil uses the \fI\%kadmin\fP program to edit the keytab in
 place.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kadmin(1), ktutil(1), kerberos(7)
+\fI\%kadmin\fP, \fI\%ktutil\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 14aa3dee293c35d288d91daac1721b1d769cff88..42db3c8cdf6482046f5df57d17c12e838f1a732f 100644 (file)
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,3 +1,4 @@
+'\" t
 .\" Man page generated from reStructuredText.
 .
 .
@@ -32,14 +33,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 kadm5.acl \- Kerberos ACL file
 .SH DESCRIPTION
 .sp
-The Kerberos kadmind(8) daemon uses an Access Control List
+The Kerberos \fI\%kadmind\fP daemon uses an Access Control List
 (ACL) file to manage access rights to the Kerberos database.
 For operations that affect principals, the ACL file also controls
 which principals can operate on which other principals.
 .sp
 The default location of the Kerberos ACL file is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP  unless this is overridden by the \fIacl_file\fP
-variable in kdc.conf(5)\&.
+variable in \fI\%kdc.conf\fP\&.
 .SH SYNTAX
 .sp
 Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -47,11 +48,9 @@ ignored.  Lines containing ACL entries have the format:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 principal  permissions  [target_principal  [restrictions] ]
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -127,7 +126,7 @@ _
 T{
 p
 T}     T{
-[Dis]allows the propagation of the principal database (used in incr_db_prop)
+[Dis]allows the propagation of the principal database (used in \fI\%Incremental database propagation\fP)
 T}
 _
 T{
@@ -185,7 +184,7 @@ in which \fB*number\fP matches the corresponding wildcard in
 .B {+|\-}\fIflagname\fP
 flag is forced to the indicated value.  The permissible flags
 are the same as those for the \fBdefault_principal_flags\fP
-variable in kdc.conf(5)\&.
+variable in \fI\%kdc.conf\fP\&.
 .TP
 .B \fI\-clearpolicy\fP
 policy is forced to be empty.
@@ -194,7 +193,7 @@ policy is forced to be empty.
 policy is forced to be \fIpol\fP\&.
 .TP
 .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
-(getdate string) associated value will be forced to
+(\fI\%getdate time\fP string) associated value will be forced to
 MIN(\fItime\fP, requested value).
 .UNINDENT
 .UNINDENT
@@ -217,16 +216,14 @@ Here is an example of a kadm5.acl file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 */admin@ATHENA.MIT.EDU    *                               # line 1
 joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
 joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
 */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
 */root@ATHENA.MIT.EDU     l   *                           # line 5
 sms@ATHENA.MIT.EDU        x   * \-maxlife 9h \-postdateable # line 6
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -260,17 +257,17 @@ postdateable tickets or tickets with a life of longer than 9 hours.
 .SH MODULE BEHAVIOR
 .sp
 The ACL file can coexist with other authorization modules in release
-1.16 and later, as configured in the kadm5_auth section of
-krb5.conf(5)\&.  The ACL file will positively authorize
+1.16 and later, as configured in the \fI\%kadm5_auth interface\fP section of
+\fI\%krb5.conf\fP\&.  The ACL file will positively authorize
 operations according to the rules above, but will never
 authoritatively deny an operation, so other modules can authorize
 operations in addition to those authorized by the ACL file.
 .sp
 To operate without an ACL file, set the \fIacl_file\fP variable in
-kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&.
+\fI\%kdc.conf\fP to the empty string with \fBacl_file = \(dq\(dq\fP\&.
 .SH SEE ALSO
 .sp
-kdc.conf(5), kadmind(8)
+\fI\%kdc.conf\fP, \fI\%kadmind\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 8745fd9afa551ff892daa12c1e5d52d2ec12e56d..227c46ec4bd0f46868f71b6f8cce20d9e88206f6 100644 (file)
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -56,8 +56,8 @@ kadmin \- Kerberos V5 database administration program
 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
 administration system.  They provide nearly identical functionalities;
 the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using kadmind(8)\&.
-Except as explicitly noted otherwise, this man page will use "kadmin"
+database, while kadmin performs operations using \fI\%kadmind\fP\&.
+Except as explicitly noted otherwise, this man page will use \(dqkadmin\(dq
 to refer to both versions.  kadmin provides for the maintenance of
 Kerberos principals, password policies, and service key tables
 (keytabs).
@@ -103,7 +103,7 @@ with the \fB\-k\fP option.
 Requests anonymous processing.  Two types of anonymous principals
 are supported.  For fully anonymous Kerberos, configure PKINIT on
 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
-krb5.conf(5)\&.  Then use the \fB\-n\fP option with a principal
+\fI\%krb5.conf\fP\&.  Then use the \fB\-n\fP option with a principal
 of the form \fB@REALM\fP (an empty principal name followed by the
 at\-sign and a realm name).  If permitted by the KDC, an anonymous
 ticket will be returned.  A second form of anonymous tickets is
@@ -119,7 +119,7 @@ Use \fIcredentials_cache\fP as the credentials cache.  The cache
 should contain a service ticket for the \fBkadmin/admin\fP or
 \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
 hostname of the admin server) service; it can be acquired with the
-kinit(1) program.  If this option is not specified, kadmin
+\fI\%kinit\fP program.  If this option is not specified, kadmin
 requests a new service ticket from the KDC, and stores it in its
 own temporary ccache.
 .TP
@@ -142,9 +142,9 @@ Specifies the admin server which kadmin should contact.
 If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
-\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
+\fB\-e\fP \(dq\fIenc\fP:\fIsalt\fP ...\(dq
 Sets the keysalt list to be used for any new keys created.  See
-Keysalt_lists in kdc.conf(5) for a list of possible
+\fI\%Keysalt lists\fP in \fI\%kdc.conf\fP for a list of possible
 values.
 .TP
 \fB\-O\fP
@@ -223,7 +223,7 @@ Specifies the password or SASL secret used to bind to the LDAP
 server.  Using this option may expose the password to other
 users on the system via the process list; to avoid this,
 instead stash the password using the \fBstashsrvpw\fP command of
-kdb5_ldap_util(8)\&.
+\fI\%kdb5_ldap_util\fP\&.
 .TP
 \fB\-x sasl_mech=\fP\fImechanism\fP
 Specifies the SASL mechanism used to bind to the LDAP server.
@@ -254,7 +254,7 @@ are printed to standard error.  New in release 1.12.
 .SH COMMANDS
 .sp
 When using the remote client, available commands may be restricted
-according to the privileges specified in the kadm5.acl(5) file
+according to the privileges specified in the \fI\%kadm5.acl\fP file
 on the admin server.
 .SS add_principal
 .INDENT 0.0
@@ -278,17 +278,17 @@ Options:
 .INDENT 0.0
 .TP
 \fB\-expire\fP \fIexpdate\fP
-(getdate string) The expiration date of the principal.
+(\fI\%getdate time\fP string) The expiration date of the principal.
 .TP
 \fB\-pwexpire\fP \fIpwexpdate\fP
-(getdate string) The password expiration date.
+(\fI\%getdate time\fP string) The password expiration date.
 .TP
 \fB\-maxlife\fP \fImaxlife\fP
-(duration or getdate string) The maximum ticket life
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) The maximum ticket life
 for the principal.
 .TP
 \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(duration or getdate string) The maximum renewable
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) The maximum renewable
 life of tickets for the principal.
 .TP
 \fB\-kvno\fP \fIkvno\fP
@@ -407,7 +407,7 @@ via the process list.
 .TP
 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the keys of the
-principal.  See Keysalt_lists in kdc.conf(5) for a
+principal.  See \fI\%Keysalt lists\fP in \fI\%kdc.conf\fP for a
 list of possible values.
 .TP
 \fB\-x\fP \fIdb_princ_args\fP
@@ -455,17 +455,15 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: addprinc jennifer
-No policy specified for "jennifer@ATHENA.MIT.EDU";
+No policy specified for \(dqjennifer@ATHENA.MIT.EDU\(dq;
 defaulting to no policy.
 Enter password for principal jennifer@ATHENA.MIT.EDU:
 Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
-Principal "jennifer@ATHENA.MIT.EDU" created.
+Principal \(dqjennifer@ATHENA.MIT.EDU\(dq created.
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS modify_principal
@@ -506,6 +504,23 @@ given.
 This command requires the \fBadd\fP and \fBdelete\fP privileges.
 .sp
 Alias: \fBrenprinc\fP
+.SS add_alias
+.INDENT 0.0
+.INDENT 3.5
+\fBadd_alias\fP \fIalias_princ\fP \fItarget_princ\fP
+.UNINDENT
+.UNINDENT
+.sp
+Create an alias \fIalias_princ\fP pointing to \fItarget_princ\fP\&.  Aliases may
+be chained (that is, \fItarget_princ\fP may itself be an alias) up to a
+depth of 10.
+.sp
+This command requires the \fBadd\fP privilege for \fIalias_princ\fP and the
+\fBmodify\fP privilege for \fItarget_princ\fP\&.
+.sp
+(New in release 1.22.)
+.sp
+Aliases: \fBalias\fP
 .SS delete_principal
 .INDENT 0.0
 .INDENT 3.5
@@ -513,8 +528,8 @@ Alias: \fBrenprinc\fP
 .UNINDENT
 .UNINDENT
 .sp
-Deletes the specified \fIprincipal\fP from the database.  This command
-prompts for deletion, unless the \fB\-force\fP option is given.
+Deletes the specified \fIprincipal\fP or alias from the database.  This
+command prompts for deletion, unless the \fB\-force\fP option is given.
 .sp
 This command requires the \fBdelete\fP privilege.
 .sp
@@ -548,7 +563,7 @@ the process list.
 .TP
 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the keys of the
-principal.  See Keysalt_lists in kdc.conf(5) for a
+principal.  See \fI\%Keysalt lists\fP in \fI\%kdc.conf\fP for a
 list of possible values.
 .TP
 \fB\-keepold\fP
@@ -560,15 +575,13 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: cpw systest
 Enter password for principal systest@BLEEP.COM:
 Re\-enter password for principal systest@BLEEP.COM:
 Password for systest@BLEEP.COM changed.
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS purgekeys
@@ -604,8 +617,7 @@ Examples:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: getprinc tlyu/admin
 Principal: tlyu/admin@BLEEP.COM
 Expiration date: [never]
@@ -628,8 +640,7 @@ systest@BLEEP.COM   3    86400     604800    1
 785926535 753241234 785900000
 tlyu/admin@BLEEP.COM     786100034 0    0
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS list_principals
@@ -655,16 +666,14 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin:  listprincs test*
 test3@SECURE\-TEST.OV.COM
 test2@SECURE\-TEST.OV.COM
 test1@SECURE\-TEST.OV.COM
 testuser@SECURE\-TEST.OV.COM
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS get_strings
@@ -701,7 +710,7 @@ specified indicators will be accepted.  (New in release 1.14.)
 \fBsession_enctypes\fP
 Specifies the encryption types supported for session keys when the
 principal is authenticated to as a server.  See
-Encryption_types in kdc.conf(5) for a list of the
+\fI\%Encryption types\fP in \fI\%kdc.conf\fP for a list of the
 accepted values.
 .TP
 \fBotp\fP
@@ -714,14 +723,14 @@ Specifies a matching expression that defines the certificate
 attributes required for the client certificate used by the
 principal during PKINIT authentication.  The matching expression
 is in the same format as those used by the \fBpkinit_cert_match\fP
-option in krb5.conf(5)\&.  (New in release 1.16.)
+option in \fI\%krb5.conf\fP\&.  (New in release 1.16.)
 .TP
 \fBpac_privsvr_enctype\fP
 Forces the encryption type of the PAC KDC checksum buffers to the
 specified encryption type for tickets issued to this server, by
 deriving a key from the local krbtgt key if it is of a different
 encryption type.  It may be necessary to set this value to
-"aes256\-sha1" on the cross\-realm krbtgt entry for an Active
+\(dqaes256\-sha1\(dq on the cross\-realm krbtgt entry for an Active
 Directory realm when using aes\-sha2 keys on the local krbtgt
 entry.
 .UNINDENT
@@ -734,12 +743,10 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
-.ft P
-.fi
+set_string user@FOO.COM otp \(dq[{\(dq\(dqtype\(dq\(dq:\(dq\(dqhotp\(dq\(dq,\(dq\(dqusername\(dq\(dq:\(dq\(dqal\(dq\(dq}]\(dq
+.EE
 .UNINDENT
 .UNINDENT
 .SS del_string
@@ -771,11 +778,11 @@ The following options are available:
 .INDENT 0.0
 .TP
 \fB\-maxlife\fP \fItime\fP
-(duration or getdate string) Sets the maximum
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) Sets the maximum
 lifetime of a password.
 .TP
 \fB\-minlife\fP \fItime\fP
-(duration or getdate string) Sets the minimum
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) Sets the minimum
 lifetime of a password.
 .TP
 \fB\-minlength\fP \fIlength\fP
@@ -802,7 +809,7 @@ resets to 0 after a successful attempt to authenticate.  A
 .INDENT 0.0
 .TP
 \fB\-failurecountinterval\fP \fIfailuretime\fP
-(duration or getdate string) Sets the allowable time
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) Sets the allowable time
 between authentication failures.  If an authentication failure
 happens after \fIfailuretime\fP has elapsed since the previous
 failure, the number of authentication failures is reset to 1.  A
@@ -811,7 +818,7 @@ failure, the number of authentication failures is reset to 1.  A
 .INDENT 0.0
 .TP
 \fB\-lockoutduration\fP \fIlockouttime\fP
-(duration or getdate string) Sets the duration for
+(\fI\%Time duration\fP or \fI\%getdate time\fP string) Sets the duration for
 which the principal is locked from authenticating if too many
 authentication failures occur without the specified failure count
 interval elapsing.  A duration of 0 (the default) means the
@@ -821,7 +828,7 @@ with \fBmodprinc \-unlock\fP\&.
 \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
 setting or changing a principal\(aqs password/keys.  See
-Keysalt_lists in kdc.conf(5) for a list of the
+\fI\%Keysalt lists\fP in \fI\%kdc.conf\fP for a list of the
 accepted values, but note that key/salt tuples must be separated
 with commas (\(aq,\(aq) only.  To clear the allowed key/salt policy use
 a value of \(aq\-\(aq.
@@ -831,12 +838,10 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
-kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
+.EX
+kadmin: add_policy \-maxlife \(dq2 days\(dq \-minlength 5 guests
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS modify_policy
@@ -871,14 +876,12 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: del_policy guests
-Are you sure you want to delete the policy "guests"?
+Are you sure you want to delete the policy \(dqguests\(dq?
 (yes/no): yes
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS get_policy
@@ -900,8 +903,7 @@ Examples:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: get_policy admin
 Policy: admin
 Maximum password life: 180 days 00:00:00
@@ -914,12 +916,11 @@ Reference count: 17
 kadmin: get_policy \-terse admin
 admin     15552000  0    6    2    5    17
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
-The "Reference count" is the number of principals using that policy.
+The \(dqReference count\(dq is the number of principals using that policy.
 With the LDAP KDC database module, the reference count field is not
 meaningful.
 .SS list_policies
@@ -943,8 +944,7 @@ Examples:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin:  listpols
 test\-pol
 dict\-only
@@ -955,8 +955,7 @@ kadmin:  listpols t*
 test\-pol
 test\-pol\-nopw
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS ktadd
@@ -987,7 +986,7 @@ used.
 .TP
 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
 Uses the specified keysalt list for setting the new keys of the
-principal.  See Keysalt_lists in kdc.conf(5) for a
+principal.  See \fI\%Keysalt lists\fP in \fI\%kdc.conf\fP for a
 list of possible values.
 .TP
 \fB\-q\fP
@@ -1009,15 +1008,13 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
 Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
      encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
      FILE:/tmp/foo\-new\-keytab
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS ktremove
@@ -1030,8 +1027,8 @@ kadmin:
 Removes entries for the specified \fIprincipal\fP from a keytab.  Requires
 no permissions, since this does not require database access.
 .sp
-If the string "all" is specified, all entries for that principal are
-removed; if the string "old" is specified, all entries for that
+If the string \(dqall\(dq is specified, all entries for that principal are
+removed; if the string \(dqold\(dq is specified, all entries for that
 principal except those with the highest kvno are removed.  Otherwise,
 the value specified is parsed as an integer, and all entries whose
 kvno match that integer are removed.
@@ -1053,14 +1050,12 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin: ktremove kadmin/admin all
 Entry for principal kadmin/admin with kvno 3 removed from keytab
      FILE:/etc/krb5.keytab
 kadmin:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS lock
@@ -1086,11 +1081,11 @@ The kadmin program was originally written by Tom Yu at MIT, as an
 interface to the OpenVision Kerberos administration program.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kpasswd(1), kadmind(8), kerberos(7)
+\fI\%kpasswd\fP, \fI\%kadmind\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 89d4a3eb7803bd9972ab5bab48c9ed182d2e7498..4a9e56318f870319a39d083b113459802378401f 100644 (file)
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -50,24 +50,24 @@ kadmind starts the Kerberos administration server.  kadmind typically
 runs on the primary Kerberos server, which stores the KDC database.
 If the KDC database uses the LDAP module, the administration server
 and the KDC server need not run on the same machine.  kadmind accepts
-remote requests from programs such as kadmin(1) and
-kpasswd(1) to administer the information in these database.
+remote requests from programs such as \fI\%kadmin\fP and
+\fI\%kpasswd\fP to administer the information in these database.
 .sp
 kadmind requires a number of configuration files to be set up in order
 for it to work:
 .INDENT 0.0
 .TP
-.B kdc.conf(5)
+.B \fI\%kdc.conf\fP
 The KDC configuration file contains configuration information for
 the KDC and admin servers.  kadmind uses settings in this file to
 locate the Kerberos database, and is also affected by the
 \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
 settings.
 .TP
-.B kadm5.acl(5)
+.B \fI\%kadm5.acl\fP
 kadmind\(aqs ACL (access control list) tells it which principals are
 allowed to perform administration actions.  The pathname to the
-ACL file can be specified with the \fBacl_file\fP kdc.conf(5)
+ACL file can be specified with the \fBacl_file\fP \fI\%kdc.conf\fP
 variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.
 .UNINDENT
 .sp
@@ -78,7 +78,7 @@ kadmind can be configured for incremental database propagation.
 Incremental propagation allows replica KDC servers to receive
 principal and policy updates incrementally instead of receiving full
 dumps of the database.  This facility can be enabled in the
-kdc.conf(5) file with the \fBiprop_enable\fP option.  Incremental
+\fI\%kdc.conf\fP file with the \fBiprop_enable\fP option.  Incremental
 propagation requires the principal \fBkiprop/PRIMARY\e@REALM\fP (where
 PRIMARY is the primary KDC\(aqs canonical host name, and REALM the realm
 name).  In release 1.13, this principal is automatically created and
@@ -109,7 +109,7 @@ provides incremental updates to other Kerberos replicas.
 \fB\-port\fP \fIport\-number\fP
 specifies the port on which the administration server listens for
 connections.  The default port is determined by the
-\fBkadmind_port\fP configuration variable in kdc.conf(5)\&.
+\fBkadmind_port\fP configuration variable in \fI\%kdc.conf\fP\&.
 .TP
 \fB\-P\fP \fIpid_file\fP
 specifies the file to which the PID of kadmind process should be
@@ -135,16 +135,24 @@ specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.
 .TP
 \fB\-x\fP \fIdb_args\fP
-specifies database\-specific arguments.  See Database Options in kadmin(1) for supported arguments.
+specifies database\-specific arguments.  See \fI\%Database Options\fP in \fI\%kadmin\fP for supported arguments.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
+.sp
+As of release 1.22, kadmind supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables.  Sockets provided by
+the caller must correspond to configured listener addresses (via the
+\fBkadmind_listen\fP or \fBkpasswd_listen\fP variables or equivalents) or
+they will be ignored.  Any configured listener addresses that do not
+correspond to caller\-provided sockets will be ignored if socket
+activation is used.
 .SH SEE ALSO
 .sp
-kpasswd(1), kadmin(1), kdb5_util(8),
-kdb5_ldap_util(8), kadm5.acl(5), kerberos(7)
+\fI\%kpasswd\fP, \fI\%kadmin\fP, \fI\%kdb5_util\fP,
+\fI\%kdb5_ldap_util\fP, \fI\%kadm5.acl\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 35fdd0b72f7a2a871c90f419de78429dd95de8ac..b6bd1cd1eb6eb4fbccbd4465557e59c6556265fb 100644 (file)
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -60,9 +60,9 @@ Specifies the URI of the LDAP server.
 .UNINDENT
 .sp
 By default, kdb5_ldap_util operates on the default realm (as specified
-in krb5.conf(5)) and connects and authenticates to the LDAP
+in \fI\%krb5.conf\fP) and connects and authenticates to the LDAP
 server in the same manner as :ref:kadmind(8)\(ga would given the
-parameters in dbdefaults in kdc.conf(5)\&.
+parameters in \fI\%[dbdefaults]\fP in \fI\%kdc.conf\fP\&.
 .SH COMMANDS
 .SS create
 .INDENT 0.0
@@ -104,7 +104,7 @@ realm container.
 \fB\-k\fP \fImkeytype\fP
 Specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-kdc.conf(5)\&.
+\fI\%kdc.conf\fP\&.
 .TP
 \fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
@@ -113,7 +113,7 @@ the default is 1.  Note that 0 is not allowed.
 \fB\-M\fP \fImkeyname\fP
 Specifies the principal name for the master key in the database.
 If not specified, the name is determined by the
-\fBmaster_key_name\fP variable in kdc.conf(5)\&.
+\fBmaster_key_name\fP variable in \fI\%kdc.conf\fP\&.
 .TP
 \fB\-m\fP
 Specifies that the master database password should be read from
@@ -130,35 +130,33 @@ Specifies the stash file of the master database password.
 Specifies that the stash file is to be created.
 .TP
 \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(getdate string) Specifies maximum ticket life for
+(\fI\%getdate time\fP string) Specifies maximum ticket life for
 principals in this realm.
 .TP
 \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(getdate string) Specifies maximum renewable life of
+(\fI\%getdate time\fP string) Specifies maximum renewable life of
 tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-kadmin(1)\&.
+\fI\%kadmin\fP\&.
 .UNINDENT
 .sp
 Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
     \-r ATHENA.MIT.EDU create \-subtrees o=org \-sscope SUB
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 Initializing database for realm \(aqATHENA.MIT.EDU\(aq
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 Enter KDC database master key:
 Re\-enter KDC database master key to verify:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS modify
@@ -192,31 +190,29 @@ container object in which the principals of a realm will be
 created.
 .TP
 \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(getdate string) Specifies maximum ticket life for
+(\fI\%getdate time\fP string) Specifies maximum ticket life for
 principals in this realm.
 .TP
 \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(getdate string) Specifies maximum renewable life of
+(\fI\%getdate time\fP string) Specifies maximum renewable life of
 tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-kadmin(1)\&.
+\fI\%kadmin\fP\&.
 .UNINDENT
 .sp
 Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
     ldaps://ldap\-server1.mit.edu modify +requires_preauth
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 shell%
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS view
@@ -232,11 +228,10 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
     \-r ATHENA.MIT.EDU view
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 Realm Name: ATHENA.MIT.EDU
 Subtree: ou=users,o=org
 Subtree: ou=servers,o=org
@@ -244,8 +239,7 @@ SearchScope: ONE
 Maximum ticket life: 0 days 01:00:00
 Maximum renewable life: 0 days 10:00:00
 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS destroy
@@ -266,17 +260,15 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
     ldaps://ldap\-server1.mit.edu destroy
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
 (type \(aqyes\(aq to confirm)? yes
 OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
 shell%
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS list
@@ -292,17 +284,15 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 shell% kdb5_ldap_util \-D cn=admin,o=org \-H
     ldaps://ldap\-server1.mit.edu list
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 ATHENA.MIT.EDU
 OPENLDAP.MIT.EDU
 MEDIA\-LAB.MIT.EDU
 shell%
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS stashsrvpw
@@ -325,10 +315,10 @@ default, \fB/usr/local/var/service_passwd\fP is used.
 .TP
 .B \fIname\fP
 Specifies the name of the object whose password is to be stored.
-If krb5kdc(8) or kadmind(8) are configured for
+If \fI\%krb5kdc\fP or \fI\%kadmind\fP are configured for
 simple binding, this should be the distinguished name it will
 use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
-variable in kdc.conf(5)\&.  If the KDC or kadmind is
+variable in \fI\%kdc.conf\fP\&.  If the KDC or kadmind is
 configured for SASL binding, this should be the authentication
 name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
 \fBldap_kadmind_sasl_authcid\fP variable.
@@ -338,14 +328,12 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
     cn=service\-kdc,o=org
-Password for "cn=service\-kdc,o=org":
-Re\-enter password for "cn=service\-kdc,o=org":
-.ft P
-.fi
+Password for \(dqcn=service\-kdc,o=org\(dq:
+Re\-enter password for \(dqcn=service\-kdc,o=org\(dq:
+.EE
 .UNINDENT
 .UNINDENT
 .SS create_policy
@@ -363,18 +351,18 @@ Creates a ticket policy in the directory.  Options:
 .INDENT 0.0
 .TP
 \fB\-maxtktlife\fP \fImax_ticket_life\fP
-(getdate string) Specifies maximum ticket life for
+(\fI\%getdate time\fP string) Specifies maximum ticket life for
 principals.
 .TP
 \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-(getdate string) Specifies maximum renewable life of
+(\fI\%getdate time\fP string) Specifies maximum renewable life of
 tickets for principals.
 .TP
 .B \fIticket_flags\fP
 Specifies the ticket flags.  If this option is not specified, by
 default, no restriction will be set by the policy.  Allowable
 flags are documented in the description of the \fBadd_principal\fP
-command in kadmin(1)\&.
+command in \fI\%kadmin\fP\&.
 .TP
 .B \fIpolicy_name\fP
 Specifies the name of the ticket policy.
@@ -384,15 +372,13 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
-    \-r ATHENA.MIT.EDU create_policy \-maxtktlife "1 day"
-    \-maxrenewlife "1 week" \-allow_postdated +needchange
+    \-r ATHENA.MIT.EDU create_policy \-maxtktlife \(dq1 day\(dq
+    \-maxrenewlife \(dq1 week\(dq \-allow_postdated +needchange
     \-allow_forwardable tktpolicy
-Password for "cn=admin,o=org":
-.ft P
-.fi
+Password for \(dqcn=admin,o=org\(dq:
+.EE
 .UNINDENT
 .UNINDENT
 .SS modify_policy
@@ -413,15 +399,13 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H
     ldaps://ldap\-server1.mit.edu \-r ATHENA.MIT.EDU modify_policy
-    \-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
+    \-maxtktlife \(dq60 minutes\(dq \-maxrenewlife \(dq10 hours\(dq
     +allow_postdated \-requires_preauth tktpolicy
-Password for "cn=admin,o=org":
-.ft P
-.fi
+Password for \(dqcn=admin,o=org\(dq:
+.EE
 .UNINDENT
 .UNINDENT
 .SS view_policy
@@ -438,17 +422,15 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
     \-r ATHENA.MIT.EDU view_policy tktpolicy
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 Ticket policy: tktpolicy
 Maximum ticket life: 0 days 01:00:00
 Maximum renewable life: 0 days 10:00:00
 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS destroy_policy
@@ -475,16 +457,14 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
     \-r ATHENA.MIT.EDU destroy_policy tktpolicy
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 This will delete the policy object \(aqtktpolicy\(aq, are you sure?
 (type \(aqyes\(aq to confirm)? yes
 ** policy object \(aqtktpolicy\(aq deleted.
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SS list_policy
@@ -500,25 +480,23 @@ Example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
     \-r ATHENA.MIT.EDU list_policy
-Password for "cn=admin,o=org":
+Password for \(dqcn=admin,o=org\(dq:
 tktpolicy
 tmppolicy
 userpolicy
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kadmin(1), kerberos(7)
+\fI\%kadmin\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 9c64d646ea95af5dec254345276d1f8bf8dbc12d..d73e45f87bca3bff90cd52ffed2afdee2bd4fbb8 100644 (file)
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -65,14 +65,14 @@ specifies the Kerberos realm of the database.
 .TP
 \fB\-d\fP \fIdbname\fP
 specifies the name under which the principal database is stored;
-by default the database is that listed in kdc.conf(5)\&.  The
+by default the database is that listed in \fI\%kdc.conf\fP\&.  The
 password policy database and lock files are also derived from this
 value.
 .TP
 \fB\-k\fP \fImkeytype\fP
 specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-kdc.conf(5)\&.
+\fI\%kdc.conf\fP\&.
 .TP
 \fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
@@ -81,7 +81,7 @@ the default is 1.  Note that 0 is not allowed.
 \fB\-M\fP \fImkeyname\fP
 principal name for the master key in the database.  If not
 specified, the name is determined by the \fBmaster_key_name\fP
-variable in kdc.conf(5)\&.
+variable in \fI\%kdc.conf\fP\&.
 .TP
 \fB\-m\fP
 specifies that the master database password should be read from
@@ -90,7 +90,7 @@ the keyboard rather than fetched from a file on disk.
 \fB\-sf\fP \fIstash_file\fP
 specifies the stash filename of the master database password.  If
 not specified, the filename is determined by the
-\fBkey_stash_file\fP variable in kdc.conf(5)\&.
+\fBkey_stash_file\fP variable in \fI\%kdc.conf\fP\&.
 .TP
 \fB\-P\fP \fIpassword\fP
 specifies the master database password.  Using this option may
@@ -98,7 +98,7 @@ expose the password to other users on the system via the process
 list.
 .TP
 \fB\-x\fP \fIdb_args\fP
-specifies database\-specific options.  See kadmin(1) for
+specifies database\-specific options.  See \fI\%kadmin\fP for
 supported options.
 .UNINDENT
 .SH COMMANDS
@@ -132,7 +132,7 @@ the \fB\-f\fP argument, does not prompt the user.
 .sp
 Stores the master principal\(aqs keys in a stash file.  The \fB\-f\fP
 argument can be used to override the \fIkeyfile\fP specified in
-kdc.conf(5)\&.
+\fI\%kdc.conf\fP\&.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
@@ -144,24 +144,24 @@ kdc.conf(5)\&.
 .UNINDENT
 .sp
 Dumps the current Kerberos and KADM5 database into an ASCII file.  By
-default, the database is dumped in current format, "kdb5_util
-load_dump version 7".  If filename is not specified, or is the string
-"\-", the dump is sent to standard output.  Options:
+default, the database is dumped in current format, \(dqkdb5_util
+load_dump version 7\(dq.  If filename is not specified, or is the string
+\(dq\-\(dq, the dump is sent to standard output.  Options:
 .INDENT 0.0
 .TP
 \fB\-b7\fP
-causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
-load_dump version 4").  This was the dump format produced on
+causes the dump to be in the Kerberos 5 Beta 7 format (\(dqkdb5_util
+load_dump version 4\(dq).  This was the dump format produced on
 releases prior to 1.2.2.
 .TP
 \fB\-r13\fP
-causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
-load_dump version 5").  This was the dump format produced on
+causes the dump to be in the Kerberos 5 1.3 format (\(dqkdb5_util
+load_dump version 5\(dq).  This was the dump format produced on
 releases prior to 1.8.
 .TP
 \fB\-r18\fP
-causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
-load_dump version 6").  This was the dump format produced on
+causes the dump to be in the Kerberos 5 1.8 format (\(dqkdb5_util
+load_dump version 6\(dq).  This was the dump format produced on
 releases prior to 1.11.
 .TP
 \fB\-verbose\fP
@@ -218,17 +218,17 @@ Options:
 .TP
 \fB\-b7\fP
 requires the database to be in the Kerberos 5 Beta 7 format
-("kdb5_util load_dump version 4").  This was the dump format
+(\(dqkdb5_util load_dump version 4\(dq).  This was the dump format
 produced on releases prior to 1.2.2.
 .TP
 \fB\-r13\fP
-requires the database to be in Kerberos 5 1.3 format ("kdb5_util
-load_dump version 5").  This was the dump format produced on
+requires the database to be in Kerberos 5 1.3 format (\(dqkdb5_util
+load_dump version 5\(dq).  This was the dump format produced on
 releases prior to 1.8.
 .TP
 \fB\-r18\fP
-requires the database to be in Kerberos 5 1.8 format ("kdb5_util
-load_dump version 6").  This was the dump format produced on
+requires the database to be in Kerberos 5 1.8 format (\(dqkdb5_util
+load_dump version 6\(dq).  This was the dump format produced on
 releases prior to 1.11.
 .TP
 \fB\-hash\fP
@@ -269,12 +269,12 @@ salt types to be used for the new keys.
 Adds a new master key to the master key principal, but does not mark
 it as active.  Existing master keys will remain.  The \fB\-e\fP option
 specifies the encryption type of the new master key; see
-Encryption_types in kdc.conf(5) for a list of possible
+\fI\%Encryption types\fP in \fI\%kdc.conf\fP for a list of possible
 values.  The \fB\-s\fP option stashes the new master key in the stash
 file, which will be created if it doesn\(aqt already exist.
 .sp
 After a new master key is added, it should be propagated to replica
-servers via a manual or periodic invocation of kprop(8)\&.  Then,
+servers via a manual or periodic invocation of \fI\%kprop\fP\&.  Then,
 the stash files on the replica servers should be updated with the
 kdb5_util \fBstash\fP command.  Once those steps are complete, the key
 is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
@@ -289,7 +289,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
 Once a master key becomes active, it will be used to encrypt newly
 created principal keys.  If no \fItime\fP argument is given, the current
 time is used, causing the specified master key version to become
-active immediately.  The format for \fItime\fP is getdate string.
+active immediately.  The format for \fItime\fP is \fI\%getdate time\fP string.
 .sp
 After a new master key becomes active, the kdb5_util
 \fBupdate_princ_encryption\fP command can be used to update all
@@ -303,7 +303,7 @@ principal keys to be encrypted in the new master key.
 .sp
 List all master keys, from most recent to earliest, in the master key
 principal.  The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&.  A
+each mkey, similar to the output of \fI\%kadmin\fP \fBgetprinc\fP\&.  A
 \fB*\fP following an mkey denotes the currently active master key.
 .SS purge_mkeys
 .INDENT 0.0
@@ -374,7 +374,7 @@ instead of the default tab\-separated (unquoted, unescaped) format
 .TP
 \fB\-e\fP
 write empty hexadecimal string fields as empty fields instead of
-as "\-1".
+as \(dq\-1\(dq.
 .TP
 \fB\-n\fP
 produce numeric output for fields that normally have symbolic
@@ -389,6 +389,17 @@ output
 Dump types:
 .INDENT 0.0
 .TP
+\fBalias\fP
+principal alias information
+.INDENT 7.0
+.TP
+\fBaliasname\fP
+the name of the alias
+.TP
+\fBtargetname\fP
+the target of the alias
+.UNINDENT
+.TP
 \fBkeydata\fP
 principal encryption key information, including actual key data
 (which is still encrypted in the master key)
@@ -524,8 +535,7 @@ Examples:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 $ kdb5_util tabdump \-o keyinfo.txt keyinfo
 $ cat keyinfo.txt
 name        keyindex        kvno    enctype salttype        salt
@@ -540,17 +550,16 @@ K/M@EXAMPLE.COM     1       1       aes256\-cts\-hmac\-sha384\-192      normal
 sqlite> .quit
 $ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt
 K/M@EXAMPLE.COM     1       1       aes256\-cts\-hmac\-sha384\-192      normal  \-1
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kadmin(1), kerberos(7)
+\fI\%kadmin\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index dc69b9255453a2be5ee834f67be6b1747cb46951..5ed36be2479d0d1eae7fc7c3ea73eaccf345ce03 100644 (file)
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,3 +1,4 @@
+'\" t
 .\" Man page generated from reStructuredText.
 .
 .
@@ -31,9 +32,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .sp
-The kdc.conf file supplements krb5.conf(5) for programs which
-are typically only used on a KDC, such as the krb5kdc(8) and
-kadmind(8) daemons and the kdb5_util(8) program.
+The kdc.conf file supplements \fI\%krb5.conf\fP for programs which
+are typically only used on a KDC, such as the \fI\%krb5kdc\fP and
+\fI\%kadmind\fP daemons and the \fI\%kdb5_util\fP program.
 Relations documented here may also be specified in krb5.conf; for the
 KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
 single configuration profile.
@@ -47,7 +48,7 @@ changes to take effect.
 .SH STRUCTURE
 .sp
 The kdc.conf file is set up in the same format as the
-krb5.conf(5) file.
+\fI\%krb5.conf\fP file.
 .SH SECTIONS
 .sp
 The kdc.conf file may contain the following sections:
@@ -123,7 +124,7 @@ value is 5.
 .TP
 \fBspake_preauth_kdc_challenge\fP
 (String.)  Specifies the group for a SPAKE optimistic challenge.
-See the \fBspake_preauth_groups\fP variable in libdefaults
+See the \fBspake_preauth_groups\fP variable in \fI\%[libdefaults]\fP
 for possible values.  The default is not to issue an optimistic
 challenge.  (New in release 1.17.)
 .UNINDENT
@@ -136,14 +137,12 @@ to define one parameter for the ATHENA.MIT.EDU realm:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [realms]
     ATHENA.MIT.EDU = {
         max_renewable_life = 7d 0h 0m 0s
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -152,11 +151,11 @@ The following tags may be specified in a [realms] subsection:
 .TP
 \fBacl_file\fP
 (String.)  Location of the access control list file that
-kadmind(8) uses to determine which principals are allowed
+\fI\%kadmind\fP uses to determine which principals are allowed
 which permissions on the Kerberos database.  To operate without an
 ACL file, set this relation to the empty string with \fBacl_file =
-""\fP\&.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more
-information on Kerberos ACL file see kadm5.acl(5)\&.
+\(dq\(dq\fP\&.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more
+information on Kerberos ACL file see \fI\%kadm5.acl\fP\&.
 .TP
 \fBdatabase_module\fP
 (String.)  This relation indicates the name of the configuration
@@ -172,7 +171,7 @@ and the \fI\%[dbmodules]\fP configuration section does not specify a
 database name.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
 .TP
 \fBdefault_principal_expiration\fP
-(abstime string.)  Specifies the default expiration date of
+(\fI\%Absolute time\fP string.)  Specifies the default expiration date of
 principals created in this realm.  The default value is 0, which
 means no expiration date.
 .TP
@@ -311,7 +310,7 @@ release 1.17.  Its value is used as a fallback if
 .TP
 \fBiprop_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the iprop RPC
-listening addresses and/or ports for the kadmind(8) daemon.
+listening addresses and/or ports for the \fI\%kadmind\fP daemon.
 Each entry may be an interface address, a port number, or an
 address and port number separated by a colon.  If the address
 contains colons, enclose it in square brackets.  If no address is
@@ -328,7 +327,7 @@ relation is required in the replica KDC configuration file, and
 this relation or \fBiprop_listen\fP is required in the primary
 configuration file, as there is no default port number.  Port
 numbers specified in \fBiprop_listen\fP entries will override this
-port number for the kadmind(8) daemon.
+port number for the \fI\%kadmind\fP daemon.
 .TP
 \fBiprop_resync_timeout\fP
 (Delta time string.)  Specifies the amount of time to wait for a
@@ -349,18 +348,20 @@ default value will not use values from the [dbmodules] section.)
 .TP
 \fBkadmind_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the kadmin RPC
-listening addresses and/or ports for the kadmind(8) daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon.  If the address
-contains colons, enclose it in square brackets.  If no address is
-specified, the wildcard address is used.  If kadmind fails to bind
-to any of the specified addresses, it will fail to start.  The
-default is to bind to the wildcard address at the port specified
-in \fBkadmind_port\fP, or the standard kadmin port (749).  New in
-release 1.15.
+listening addresses and/or ports for the \fI\%kadmind\fP daemon.
+Each entry may be an interface address, a port number, an address
+and port number separated by a colon, or a UNIX domain socket
+pathname.  If the address contains colons, enclose it in square
+brackets.  If no address is specified, the wildcard address is
+used.  To disable listening for kadmin RPC connections, set this
+relation to the empty string with \fBkadmind_listen = \(dq\(dq\fP\&.  If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start.  The default is to bind to the wildcard address at
+the port specified in \fBkadmind_port\fP, or the standard kadmin
+port (749).  New in release 1.15.
 .TP
 \fBkadmind_port\fP
-(Port number.)  Specifies the port on which the kadmind(8)
+(Port number.)  Specifies the port on which the \fI\%kadmind\fP
 daemon is to listen for this realm.  Port numbers specified in
 \fBkadmind_listen\fP entries will override this port number.  The
 assigned port for kadmind is 749, which is used by default.
@@ -370,57 +371,57 @@ assigned port for kadmind is 749, which is used by default.
 stored (via kdb5_util stash).  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
 .TP
 \fBkdc_listen\fP
-(Whitespace\- or comma\-separated list.)  Specifies the UDP
-listening addresses and/or ports for the krb5kdc(8) daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon.  If the address
-contains colons, enclose it in square brackets.  If no address is
-specified, the wildcard address is used.  If no port is specified,
-the standard port (88) is used.  If the KDC daemon fails to bind
-to any of the specified addresses, it will fail to start.  The
-default is to bind to the wildcard address on the standard port.
-New in release 1.15.
+(Whitespace\- or comma\-separated list.)  Specifies the listening
+addresses and/or ports for the \fI\%krb5kdc\fP daemon.  Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname.  If the address contains colons, enclose it in square
+brackets.  If no address is specified, the wildcard address is
+used.  If no port is specified, the standard port (88) is used.
+To disable listening on UDP, set this relation to the empty string
+with \fBkdc_listen = \(dq\(dq\fP\&.  If the KDC daemon fails to bind to any
+of the specified addresses, it will fail to start.  The default is
+to bind to the wildcard address on the standard port.  New in
+release 1.15.
 .TP
 \fBkdc_ports\fP
 (Whitespace\- or comma\-separated list, deprecated.)  Prior to
 release 1.15, this relation lists the ports for the
-krb5kdc(8) daemon to listen on for UDP requests.  In
+\fI\%krb5kdc\fP daemon to listen on for UDP requests.  In
 release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
 if that relation is not defined.
 .TP
 \fBkdc_tcp_listen\fP
 (Whitespace\- or comma\-separated list.)  Specifies the TCP
-listening addresses and/or ports for the krb5kdc(8) daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon.  If the address
-contains colons, enclose it in square brackets.  If no address is
-specified, the wildcard address is used.  If no port is specified,
-the standard port (88) is used.  To disable listening on TCP, set
-this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
-If the KDC daemon fails to bind to any of the specified addresses,
-it will fail to start.  The default is to bind to the wildcard
-address on the standard port.  New in release 1.15.
+listening addresses and/or ports for the \fI\%krb5kdc\fP daemon.
+The syntax is identical to that of \fBkdc_listen\fP\&.  To disable
+listening on TCP, set this relation to the empty string with
+\fBkdc_tcp_listen = \(dq\(dq\fP\&.  The default is to bind to the same
+addresses and ports as for UDP.  New in release 1.15.
 .TP
 \fBkdc_tcp_ports\fP
 (Whitespace\- or comma\-separated list, deprecated.)  Prior to
 release 1.15, this relation lists the ports for the
-krb5kdc(8) daemon to listen on for UDP requests.  In
+\fI\%krb5kdc\fP daemon to listen on for UDP requests.  In
 release 1.15 and later, it has the same meaning as
 \fBkdc_tcp_listen\fP if that relation is not defined.
 .TP
 \fBkpasswd_listen\fP
-(Comma\-separated list.)  Specifies the kpasswd listening addresses
-and/or ports for the kadmind(8) daemon.  Each entry may be
-an interface address, a port number, or an address and port number
-separated by a colon.  If the address contains colons, enclose it
-in square brackets.  If no address is specified, the wildcard
-address is used.  If kadmind fails to bind to any of the specified
-addresses, it will fail to start.  The default is to bind to the
-wildcard address at the port specified in \fBkpasswd_port\fP, or the
-standard kpasswd port (464).  New in release 1.15.
+(Comma\-separated list.)  Specifies the kpasswd listening
+addresses and/or ports for the \fI\%kadmind\fP daemon.  Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname.  If the address contains colons, enclose it in square
+brackets.  If no address is specified, the wildcard address is
+used.  To disable listening for kpasswd requests, set this
+relation to the empty string with \fBkpasswd_listen = \(dq\(dq\fP\&.  If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start.  The default is to bind to the wildcard address at
+the port specified in \fBkpasswd_port\fP, or the standard kpasswd
+port (464).  New in release 1.15.
 .TP
 \fBkpasswd_port\fP
-(Port number.)  Specifies the port on which the kadmind(8)
+(Port number.)  Specifies the port on which the \fI\%kadmind\fP
 daemon is to listen for password change requests for this realm.
 Port numbers specified in \fBkpasswd_listen\fP entries will override
 this port number.  The assigned port for password change requests
@@ -436,12 +437,12 @@ default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&.  For a list of al
 values, see \fI\%Encryption types\fP\&.
 .TP
 \fBmax_life\fP
-(duration string.)  Specifies the maximum time period for
+(\fI\%Time duration\fP string.)  Specifies the maximum time period for
 which a ticket may be valid in this realm.  The default value is
 24 hours.
 .TP
 \fBmax_renewable_life\fP
-(duration string.)  Specifies the maximum time period
+(\fI\%Time duration\fP string.)  Specifies the maximum time period
 during which a valid ticket may be renewed in this realm.
 The default value is 0.
 .TP
@@ -456,7 +457,7 @@ disable referral processing altogether.
 (Boolean value.)  If set to true, the KDC will check the list of
 transited realms for cross\-realm tickets against the transit path
 computed from the realm names and the capaths section of its
-krb5.conf(5) file; if the path in the ticket to be issued
+\fI\%krb5.conf\fP file; if the path in the ticket to be issued
 contains any realms not in the computed path, the ticket will not
 be issued, and an error will be returned to the client instead.
 If this value is set to false, such tickets will be issued
@@ -490,7 +491,7 @@ specified multiple times.  New in release 1.17.
 \fBsupported_enctypes\fP
 (List of \fIkey\fP:\fIsalt\fP strings.)  Specifies the default key/salt
 combinations of principals for this realm.  Any principals created
-through kadmin(1) will have keys of these types.  The
+through \fI\%kadmin\fP will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal\fP\&.  For lists of
 possible values, see \fI\%Keysalt lists\fP\&.
 .UNINDENT
@@ -538,14 +539,12 @@ define one database parameter for the ATHENA.MIT.EDU realm:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [dbmodules]
     ATHENA.MIT.EDU = {
         disable_last_success = true
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -562,16 +561,16 @@ value should be \fBdb2\fP for the DB2 module, \fBklmdb\fP for the LMDB
 module, or \fBkldap\fP for the LDAP module.
 .TP
 \fBdisable_last_success\fP
-If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
-authentication" field of principal entries requiring
+If set to \fBtrue\fP, suppresses KDC updates to the \(dqLast successful
+authentication\(dq field of principal entries requiring
 preauthentication.  Setting this flag may improve performance.
 (Principal entries which do not require preauthentication never
-update the "Last successful authentication" field.).  First
+update the \(dqLast successful authentication\(dq field.).  First
 introduced in release 1.9.
 .TP
 \fBdisable_lockout\fP
-If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
-authentication" and "Failed password attempts" fields of principal
+If set to \fBtrue\fP, suppresses KDC updates to the \(dqLast failed
+authentication\(dq and \(dqFailed password attempts\(dq fields of principal
 entries requiring preauthentication.  Setting this flag may
 improve performance, but also disables account lockout.  First
 introduced in release 1.9.
@@ -582,8 +581,8 @@ maintained per LDAP server.
 .TP
 \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
 These LDAP\-specific tags indicate the default DN for binding to
-the LDAP server.  The krb5kdc(8) daemon uses
-\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other
+the LDAP server.  The \fI\%krb5kdc\fP daemon uses
+\fBldap_kdc_dn\fP, while the \fI\%kadmind\fP daemon and other
 administrative programs use \fBldap_kadmind_dn\fP\&.  The kadmind DN
 must have the rights to read and write the Kerberos data in the
 LDAP database.  The KDC DN must have the same rights, unless
@@ -637,7 +636,7 @@ for SASL authentication.  This file must be kept secure.
 \fBmapsize\fP
 This LMDB\-specific tag indicates the maximum size of the two
 database environments in megabytes.  The default value is 128.
-Increase this value to address "Environment mapsize limit reached"
+Increase this value to address \(dqEnvironment mapsize limit reached\(dq
 errors.  New in release 1.17.
 .TP
 \fBmax_readers\fP
@@ -670,16 +669,16 @@ modules.  The value should be an absolute path.
 .UNINDENT
 .SS [logging]
 .sp
-The [logging] section indicates how krb5kdc(8) and
-kadmind(8) perform logging.  It may contain the following
+The [logging] section indicates how \fI\%krb5kdc\fP and
+\fI\%kadmind\fP perform logging.  It may contain the following
 relations:
 .INDENT 0.0
 .TP
 \fBadmin_server\fP
-Specifies how kadmind(8) performs logging.
+Specifies how \fI\%kadmind\fP performs logging.
 .TP
 \fBkdc\fP
-Specifies how krb5kdc(8) performs logging.
+Specifies how \fI\%krb5kdc\fP performs logging.
 .TP
 \fBdefault\fP
 Specifies how either daemon performs logging in the absence of
@@ -736,15 +735,13 @@ to the file \fB/var/adm/kadmin.log\fP and sent to the device
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [logging]
     kdc = CONSOLE
     kdc = SYSLOG:INFO:DAEMON
     admin_server = FILE:/var/adm/kadmin.log
     admin_server = DEVICE=/dev/tty04
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -799,8 +796,7 @@ In the following example, requests are sent to a remote server via UDP:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [otp]
     MyRemoteTokenType = {
         server = radius.mydomain.com:1812
@@ -809,8 +805,7 @@ In the following example, requests are sent to a remote server via UDP:
         retries = 5
         strip_realm = true
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -821,14 +816,12 @@ something applicable for your situation:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [otp]
     DEFAULT = {
         strip_realm = false
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH PKINIT OPTIONS
@@ -849,14 +842,12 @@ realm\-specific subsection of [realms]:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [realms]
     EXAMPLE.COM = {
         pkinit_anchors = FILE:/usr/local/example.com.crt
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .IP 2. 3
@@ -864,19 +855,17 @@ generic value in the [kdcdefaults] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [kdcdefaults]
     pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .sp
 For information about the syntax of some of these options, see
-Specifying PKINIT identity information in
-krb5.conf(5)\&.
+\fI\%Specifying PKINIT identity information\fP in
+\fI\%krb5.conf\fP\&.
 .INDENT 0.0
 .TP
 \fBpkinit_anchors\fP
@@ -970,7 +959,7 @@ in PKINIT requests.  The default value is false.  (New in release
 .sp
 Any tag in the configuration files which requires a list of encryption
 types can be set to some combination of the following strings.
-Encryption types marked as "weak" and "deprecated" are available for
+Encryption types marked as \(dqweak\(dq and \(dqdeprecated\(dq are available for
 compatibility but not recommended for use.
 .TS
 center;
@@ -1064,11 +1053,11 @@ _
 .sp
 The string \fBDEFAULT\fP can be used to refer to the default set of
 types for the variable in question.  Types or families can be removed
-from the current list by prefixing them with a minus sign ("\-").
-Types or families can be prefixed with a plus sign ("+") for symmetry;
+from the current list by prefixing them with a minus sign (\(dq\-\(dq).
+Types or families can be prefixed with a plus sign (\(dq+\(dq) for symmetry;
 it has the same meaning as just listing the type or family.  For
-example, "\fBDEFAULT \-rc4\fP" would be the default set of encryption
-types with RC4 types removed, and "\fBdes3 DEFAULT\fP" would be the
+example, \(dq\fBDEFAULT \-rc4\fP\(dq would be the default set of encryption
+types with RC4 types removed, and \(dq\fBdes3 DEFAULT\fP\(dq would be the
 default set of encryption types with triple DES types moved to the
 front.
 .sp
@@ -1086,18 +1075,16 @@ encryption types in the KDC database.
 .sp
 Kerberos keys for users are usually derived from passwords.  Kerberos
 commands and configuration parameters that affect generation of keys
-take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
+take lists of enctype\-salttype (\(dqkeysalt\(dq) pairs, known as \fIkeysalt
 lists\fP\&.  Each keysalt pair is an enctype name followed by a salttype
 name, in the format \fIenc\fP:\fIsalt\fP\&.  Individual keysalt list members are
-separated by comma (",") characters or space characters.  For example:
+separated by comma (\(dq,\(dq) characters or space characters.  For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kadmin \-e aes256\-cts:normal,aes128\-cts:normal
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -1144,8 +1131,7 @@ Here\(aqs an example of a kdc.conf file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [kdcdefaults]
     kdc_listen = 88
     kdc_tcp_listen = 88
@@ -1170,18 +1156,17 @@ Here\(aqs an example of a kdc.conf file:
     openldap_ldapconf = {
         db_library = kldap
         disable_last_success = true
-        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+        ldap_kdc_dn = \(dqcn=krbadmin,dc=mit,dc=edu\(dq
             # this object needs to have read rights on
             # the realm container and principal subtrees
-        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+        ldap_kadmind_dn = \(dqcn=krbadmin,dc=mit,dc=edu\(dq
             # this object needs to have read and write rights on
             # the realm container and principal subtrees
         ldap_service_password_file = /etc/kerberos/service.keyfile
         ldap_servers = ldaps://kerberos.mit.edu
         ldap_conns_per_server = 5
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH FILES
@@ -1189,7 +1174,7 @@ Here\(aqs an example of a kdc.conf file:
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
 .SH SEE ALSO
 .sp
-krb5.conf(5), krb5kdc(8), kadm5.acl(5)
+\fI\%krb5.conf\fP, \fI\%krb5kdc\fP, \fI\%kadm5.acl\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c21ed3d5ea7cec6de6a0056eb9d491cf093f4b9b..e8e400f691079191a3272602caf0197e375abe43 100644 (file)
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -76,7 +76,7 @@ your .logout file, so that your tickets are destroyed automatically
 when you log out.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH FILES
 .INDENT 0.0
@@ -86,7 +86,7 @@ Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-kinit(1), klist(1), kerberos(7)
+\fI\%kinit\fP, \fI\%klist\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kerberos.man b/src/man/kerberos.man
index f40b877bd8e59215da1df5af17d0a8643f7ea601..27179f22aead4a29c5de54b18af8582efb2612a7 100644 (file)
--- a/src/man/kerberos.man
+++ b/src/man/kerberos.man
@@ -37,7 +37,7 @@ environment.  After authenticating yourself to Kerberos, you can use
 Kerberos\-enabled programs without having to present passwords or
 certificates to those programs.
 .sp
-If you receive the following response from kinit(1):
+If you receive the following response from \fI\%kinit\fP:
 .sp
 kinit: Client not found in Kerberos database while getting initial
 credentials
@@ -61,19 +61,17 @@ might be in realm EXAMPLE.COM).
 .sp
 When writing a Kerberos name, the principal name is separated from the
 instance (if not null) by a slash, and the realm (if not the local
-realm) follows, preceded by an "@" sign.  The following are examples
+realm) follows, preceded by an \(dq@\(dq sign.  The following are examples
 of valid Kerberos names:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 david
 jennifer/admin
 joeuser@BLEEP.COM
 cbrown/root@FUBAR.ORG
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -89,13 +87,13 @@ or \fBadmin\fP, to expire in a few minutes, while tickets that carry
 more ordinary privileges may be good for several hours or a day.  If
 your login session extends beyond the time limit, you will have to
 re\-authenticate yourself to Kerberos to get new tickets using the
-kinit(1) command.
+\fI\%kinit\fP command.
 .sp
 Some tickets are \fBrenewable\fP beyond their initial lifetime.  This
 means that \fBkinit \-R\fP can extend their lifetime without requiring
 you to re\-authenticate.
 .sp
-If you wish to delete your local tickets, use the kdestroy(1)
+If you wish to delete your local tickets, use the \fI\%kdestroy\fP
 command.
 .sp
 Kerberos tickets can be forwarded.  In order to forward tickets, you
@@ -164,7 +162,7 @@ or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
 Specifies a filename to write trace log output to.  Trace logs can
 help illuminate decisions made internally by the Kerberos
 libraries.  For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
-would send tracing information for kinit(1) to
+would send tracing information for \fI\%kinit\fP to
 \fB/dev/stderr\fP\&.  The default is not to write trace log output
 anywhere.
 .TP
@@ -173,7 +171,7 @@ Default client keytab file name.  If unset, \fB@CKTNAME@\fP will be
 used).
 .TP
 \fBKPROP_PORT\fP
-kprop(8) port to use.  Defaults to 754.
+\fI\%kprop\fP port to use.  Defaults to 754.
 .TP
 \fBGSS_MECH_CONFIG\fP
 Specifies a filename containing GSSAPI mechanism module
@@ -187,10 +185,10 @@ login system programs and setuid programs, which are designed to be
 secure when run within an untrusted process environment.
 .SH SEE ALSO
 .sp
-kdestroy(1), kinit(1), klist(1),
-kswitch(1), kpasswd(1), ksu(1),
-krb5.conf(5), kdc.conf(5), kadmin(1),
-kadmind(8), kdb5_util(8), krb5kdc(8)
+\fI\%kdestroy\fP, \fI\%kinit\fP, \fI\%klist\fP,
+\fI\%kswitch\fP, \fI\%kpasswd\fP, \fI\%ksu\fP,
+\fI\%krb5.conf\fP, \fI\%kdc.conf\fP, \fI\%kadmin\fP,
+\fI\%kadmind\fP, \fI\%kdb5_util\fP, \fI\%krb5kdc\fP
 .SH BUGS
 .SH AUTHORS
 .nf

diff --git a/src/man/kinit.man b/src/man/kinit.man
index 6a8da39e02de6fd6457e8789ff4e852035946c8f..33286d5b001405249cc60ab03231ee9d79da16f8 100644 (file)
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -68,7 +68,7 @@ choice of principal name.
 display verbose output.
 .TP
 \fB\-l\fP \fIlifetime\fP
-(duration string.)  Requests a ticket with the lifetime
+(\fI\%Time duration\fP string.)  Requests a ticket with the lifetime
 \fIlifetime\fP\&.
 .sp
 For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
@@ -79,7 +79,7 @@ longer than the maximum ticket lifetime (configured by each site)
 will not override the configured maximum ticket lifetime.
 .TP
 \fB\-s\fP \fIstart_time\fP
-(duration string.)  Requests a postdated ticket.  Postdated
+(\fI\%Time duration\fP string.)  Requests a postdated ticket.  Postdated
 tickets are issued with the \fBinvalid\fP flag set, and need to be
 resubmitted to the KDC for validation before use.
 .sp
@@ -87,7 +87,7 @@ resubmitted to the KDC for validation before use.
 can become valid.
 .TP
 \fB\-r\fP \fIrenewable_life\fP
-(duration string.)  Requests renewable tickets, with a total
+(\fI\%Time duration\fP string.)  Requests renewable tickets, with a total
 lifetime of \fIrenewable_life\fP\&.
 .TP
 \fB\-f\fP
@@ -128,9 +128,9 @@ expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
 .sp
 Note that renewable tickets that have expired as reported by
-klist(1) may sometimes be renewed using this option,
+\fI\%klist\fP may sometimes be renewed using this option,
 because the KDC applies a grace period to account for client\-KDC
-clock skew.  See krb5.conf(5) \fBclockskew\fP setting.
+clock skew.  See \fI\%krb5.conf\fP \fBclockskew\fP setting.
 .TP
 \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
@@ -149,7 +149,7 @@ Requests anonymous processing.  Two types of anonymous principals
 are supported.
 .sp
 For fully anonymous Kerberos, configure pkinit on the KDC and
-configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
+configure \fBpkinit_anchors\fP in the client\(aqs \fI\%krb5.conf\fP\&.
 Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
 (an empty principal name followed by the at\-sign and a realm
 name).  If permitted by the KDC, an anonymous ticket will be
@@ -208,7 +208,7 @@ specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
 interpreted by pre\-authentication modules.  The acceptable
 attribute and value values vary from module to module.  This
 option may be specified multiple times to specify multiple
-attributes.  If no value is specified, it is assumed to be "yes".
+attributes.  If no value is specified, it is assumed to be \(dqyes\(dq.
 .sp
 The following attributes are recognized by the PKINIT
 pre\-authentication mechanism:
@@ -233,7 +233,7 @@ supported.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH FILES
 .INDENT 0.0
@@ -246,7 +246,7 @@ default location for the local host\(aqs keytab.
 .UNINDENT
 .SH SEE ALSO
 .sp
-klist(1), kdestroy(1), kerberos(7)
+\fI\%klist\fP, \fI\%kdestroy\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/klist.man b/src/man/klist.man
index 10431cc56659015f4fa577897ece9751d35d90a3..3f5c1dd298ee1045e1ff9e347b184d9cb50dd2e2 100644 (file)
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -70,8 +70,7 @@ abbreviations:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 F    Forwardable
 f    forwarded
 P    Proxiable
@@ -86,8 +85,7 @@ A    preAuthenticated
 T    Transit policy checked
 O    Okay as delegate
 a    anonymous
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .TP
@@ -136,7 +134,7 @@ appropriate.  If the \fBKRB5CCNAME\fP environment variable is set, its
 value is used to locate the default ticket cache.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH FILES
 .INDENT 0.0
@@ -149,7 +147,7 @@ Default location for the local host\(aqs keytab file.
 .UNINDENT
 .SH SEE ALSO
 .sp
-kinit(1), kdestroy(1), kerberos(7)
+\fI\%kinit\fP, \fI\%kdestroy\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 7c54b25c0c034eb65fff1493a44b2c11638ae6d8..918dbbf3c6fde280130f8183843a2fe92ea423fb 100644 (file)
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -55,11 +55,11 @@ identity of the user invoking the kpasswd command.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kadmin(1), kadmind(8), kerberos(7)
+\fI\%kadmin\fP, \fI\%kadmind\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kprop.man b/src/man/kprop.man
index 5bd294e50dd6683ca92df236ed1d82edb7f504ea..91f8394daf72a999a1bc713b04f70c483a00c1af 100644 (file)
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -44,7 +44,7 @@ kprop \- propagate a Kerberos V5 principal database to a replica server
 kprop is used to securely propagate a Kerberos V5 database dump file
 from the primary Kerberos server to a replica Kerberos server, which is
 specified by \fIreplica_host\fP\&.  The dump file must be created by
-kdb5_util(8)\&.
+\fI\%kdb5_util\fP\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -57,7 +57,7 @@ to be found; by default the dumped database file is normally
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/replica_datatrans\fP\&.
 .TP
 \fB\-P\fP \fIport\fP
-Specifies the port to use to contact the kpropd(8) server
+Specifies the port to use to contact the \fI\%kpropd\fP server
 on the remote host.
 .TP
 \fB\-d\fP
@@ -68,12 +68,12 @@ Specifies the location of the keytab file.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kpropd(8), kdb5_util(8), krb5kdc(8),
-kerberos(7)
+\fI\%kpropd\fP, \fI\%kdb5_util\fP, \fI\%krb5kdc\fP,
+\fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index c98ddcc13e49402e0f154d685d3d46e73ae2fc03..2740ed711a0f552486c7021883f44a518e257284 100644 (file)
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -47,15 +47,15 @@ kpropd \- Kerberos V5 replica KDC update server
 .SH DESCRIPTION
 .sp
 The \fIkpropd\fP command runs on the replica KDC server.  It listens for
-update requests made by the kprop(8) program.  If incremental
+update requests made by the \fI\%kprop\fP program.  If incremental
 propagation is enabled, it periodically requests incremental updates
 from the primary KDC.
 .sp
 When the replica receives a kprop request from the primary, kpropd
 accepts the dumped KDC database and places it in a file, and then runs
-kdb5_util(8) to load the dumped database into the active
-database which is used by krb5kdc(8)\&.  This allows the primary
-Kerberos server to use kprop(8) to propagate its database to
+\fI\%kdb5_util\fP to load the dumped database into the active
+database which is used by \fI\%krb5kdc\fP\&.  This allows the primary
+Kerberos server to use \fI\%kprop\fP to propagate its database to
 the replica servers.  Upon a successful download of the KDC database
 file, the replica Kerberos server will have an up\-to\-date KDC
 database.
@@ -66,11 +66,9 @@ the \fB/etc/inetd.conf\fP file which looks like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -84,18 +82,18 @@ kpropd in standalone mode; this option is now accepted for backward
 compatibility but does nothing.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
-variable in kdc.conf(5)\&.  If incremental propagation is
+variable in \fI\%kdc.conf\fP\&.  If incremental propagation is
 enabled, the replica periodically polls the primary KDC for updates, at
 an interval determined by the \fBiprop_replica_poll\fP variable.  If the
 replica receives updates, kpropd updates its log file with any updates
-from the primary.  kproplog(8) can be used to view a summary of
+from the primary.  \fI\%kproplog\fP can be used to view a summary of
 the update entry log on the replica KDC.  If incremental propagation
 is enabled, the principal \fBkiprop/replicahostname@REALM\fP (where
 \fIreplicahostname\fP is the name of the replica KDC host, and \fIREALM\fP is
 the name of the Kerberos realm) must be present in the replica\(aqs
 keytab file.
 .sp
-kproplog(8) can be used to force full replication when iprop is
+\fI\%kproplog\fP can be used to force full replication when iprop is
 enabled.
 .SH OPTIONS
 .INDENT 0.0
@@ -115,7 +113,7 @@ to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/kr
 Path to the Kerberos database file, if not the default.
 .TP
 \fB\-p\fP
-Allows the user to specify the pathname to the kdb5_util(8)
+Allows the user to specify the pathname to the \fI\%kdb5_util\fP
 program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&.
 .TP
 \fB\-D\fP
@@ -144,7 +142,7 @@ In standalone mode, write the process ID of the daemon into
 Path to a keytab to use for acquiring acceptor credentials.
 .TP
 \fB\-x\fP \fIdb_args\fP
-Database\-specific arguments.  See Database Options in kadmin(1) for supported arguments.
+Database\-specific arguments.  See \fI\%Database Options\fP in \fI\%kadmin\fP for supported arguments.
 .UNINDENT
 .SH FILES
 .INDENT 0.0
@@ -153,16 +151,16 @@ Database\-specific arguments.  See Database Options in kadmin(1) for supported a
 Access file for kpropd; the default location is
 \fB/usr/local/var/krb5kdc/kpropd.acl\fP\&.  Each entry is a line
 containing the principal of a host from which the local machine
-will allow Kerberos database propagation via kprop(8)\&.
+will allow Kerberos database propagation via \fI\%kprop\fP\&.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kprop(8), kdb5_util(8), krb5kdc(8),
-kerberos(7), inetd(8)
+\fI\%kprop\fP, \fI\%kdb5_util\fP, \fI\%krb5kdc\fP,
+\fI\%kerberos\fP, inetd(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 172420581dd67c9bc766010d0305f44a491f23e3..7a00879a2e97e4c00b927d16a646c2175388a00c 100644 (file)
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -39,8 +39,8 @@ kproplog \- display the contents of the Kerberos principal update log
 The kproplog command displays the contents of the KDC database update
 log to standard output.  It can be used to keep track of incremental
 updates to the principal database.  The update log file contains the
-update log maintained by the kadmind(8) process on the primary
-KDC server and the kpropd(8) process on the replica KDC
+update log maintained by the \fI\%kadmind\fP process on the primary
+KDC server and the \fI\%kpropd\fP process on the replica KDC
 servers.  When updates occur, they are logged to this file.
 Subsequently any KDC replica configured for incremental updates will
 request the current data from the primary KDC and update their log
@@ -79,8 +79,7 @@ output generated for one entry:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 Update Entry
    Update serial # : 4
    Update operation : Add
@@ -95,18 +94,17 @@ Update Entry
          Modifying principal
          Modification time
          TL data
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kpropd(8), kerberos(7)
+\fI\%kpropd\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index ac51dcdc00809d13cb4605d88059fc2ca2cc4cab..685db45f9ec1c539b8ad0de02207e4ce9b27f2ea 100644 (file)
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,3 +1,4 @@
+'\" t
 .\" Man page generated from reStructuredText.
 .
 .
@@ -122,17 +123,15 @@ the following output:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 shell% krb5\-config \-\-libs krb5
 \-L/opt/krb5/lib \-Wl,\-rpath \-Wl,/opt/krb5/lib \-L/usr/local/lib \-lkrb5 \-lk5crypto \-lcom_err
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH SEE ALSO
 .sp
-kerberos(7), cc(1)
+\fI\%kerberos\fP, cc(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 7f81ee502495405d08400f84399c6c043022e442..d4caa2bd338b93d41ee33ddf1ef2c5add4c55bd5 100644 (file)
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,3 +1,4 @@
+'\" t
 .\" Man page generated from reStructuredText.
 .
 .
@@ -53,11 +54,9 @@ the form:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 foo = bar
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -65,14 +64,12 @@ or:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 fubar = {
     foo = bar
     baz = quux
 }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -81,12 +78,10 @@ following directives at the beginning of a line:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 include FILENAME
 includedir DIRNAME
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -94,8 +89,8 @@ includedir DIRNAME
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included, unless the
-name begins with ".".  Included profile files are syntactically
+1.15, files with names ending in \(dq.conf\(dq are also included, unless the
+name begins with \(dq.\(dq.  Included profile files are syntactically
 independent of their parents, so each included file must begin with a
 section header.  Starting in release 1.17, files are read in
 alphanumeric order; in previous releases, they may be read in any
@@ -118,18 +113,16 @@ headers:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 module MODULEPATH:RESIDUAL
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
 \fIMODULEPATH\fP may be relative to the library path of the krb5
 installation, or it may be an absolute path.  \fIRESIDUAL\fP is provided
 to the module at initialization time.  If krb5.conf uses a module
-directive, kdc.conf(5) should also use one if it exists.
+directive, \fI\%kdc.conf\fP should also use one if it exists.
 .SH SECTIONS
 .sp
 The krb5.conf file may contain the following sections:
@@ -176,7 +169,7 @@ _
 .TE
 .sp
 Additionally, krb5.conf may include any of the relations described in
-kdc.conf(5), but it is not a recommended practice.
+\fI\%kdc.conf\fP, but it is not a recommended practice.
 .SS [libdefaults]
 .sp
 The libdefaults section may contain any of the following relations:
@@ -196,7 +189,7 @@ release 1.21.)
 .TP
 \fBallow_weak_crypto\fP
 If this flag is set to false, then weak encryption types (as noted
-in Encryption_types in kdc.conf(5)) will be filtered
+in \fI\%Encryption types\fP in \fI\%kdc.conf\fP) will be filtered
 out of the lists \fBdefault_tgs_enctypes\fP,
 \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&.  The default
 value for this tag is false.
@@ -209,7 +202,7 @@ principal will be accepted.  The default value is false.
 .TP
 \fBccache_type\fP
 This parameter determines the format of credential cache types
-created by kinit(1) or other programs.  The default value
+created by \fI\%kinit\fP or other programs.  The default value
 is 4, which represents the most current format.  Smaller values
 can be used for compatibility with very old implementations of
 Kerberos which interact with credential caches on the same host.
@@ -250,14 +243,14 @@ expansion (see below).  New in release 1.18.
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
-invoking programs such as kinit(1)\&.
+invoking programs such as \fI\%kinit\fP\&.
 .TP
 \fBdefault_tgs_enctypes\fP
 Identifies the supported list of session key encryption types that
 the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
-commas or whitespace.  See Encryption_types in
-kdc.conf(5) for a list of the accepted values for this tag.
+commas or whitespace.  See \fI\%Encryption types\fP in
+\fI\%kdc.conf\fP for a list of the accepted values for this tag.
 Starting in release 1.18, the default value is the value of
 \fBpermitted_enctypes\fP\&.  For previous releases or if
 \fBpermitted_enctypes\fP is not set, the default value is
@@ -356,7 +349,7 @@ default value is false.  New in release 1.10.
 .TP
 \fBk5login_authoritative\fP
 If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \&.k5login(5)
+k5login file to be granted login access, if a \fI\%\&.k5login\fP
 file exists.  If this flag is false, a principal may still be
 granted login access through other mechanisms even if a k5login
 file exists but does not list the principal.  The default value is
@@ -419,7 +412,7 @@ parameter expansion (see below) in release 1.17 and later.
 \fBpreferred_preauth_types\fP
 This allows you to set the preferred preauthentication types which
 the client will attempt before others which may be advertised by a
-KDC.  The default value for this setting is "17, 16, 15, 14",
+KDC.  The default value for this setting is \(dq17, 16, 15, 14\(dq,
 which forces libkrb5 to attempt to use PKINIT if it is supported.
 .TP
 \fBproxiable\fP
@@ -433,7 +426,7 @@ single\-component hostnames when DNS canonicalization is not used
 forward canonicalization failed).  The default value is the first
 search domain of the system\(aqs DNS configuration.  To disable
 qualification of shortnames, set this relation to the empty string
-with \fBqualify_shortname = ""\fP\&.  (New in release 1.18.)
+with \fBqualify_shortname = \(dq\(dq\fP\&.  (New in release 1.18.)
 .TP
 \fBrdns\fP
 If this flag is true, reverse name lookup will be used in addition
@@ -452,11 +445,11 @@ realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
 set.  The default is not to search domain components.
 .TP
 \fBrenew_lifetime\fP
-(duration string.)  Sets the default renewable lifetime
+(\fI\%Time duration\fP string.)  Sets the default renewable lifetime
 for initial ticket requests.  The default value is 0.
 .TP
 \fBrequest_timeout\fP
-(duration string.)  Sets the maximum total time for KDC and
+(\fI\%Time duration\fP string.)  Sets the maximum total time for KDC and
 password change requests.  This timeout does not affect the
 intervals between requests, so setting a low timeout may result in
 fewer requests being attempted and/or some servers not being
@@ -502,7 +495,7 @@ The default value for the client is \fBedwards25519\fP\&.  The default
 value for the KDC is empty.  New in release 1.17.
 .TP
 \fBticket_lifetime\fP
-(duration string.)  Sets the default lifetime for initial
+(\fI\%Time duration\fP string.)  Sets the default lifetime for initial
 ticket requests.  The default value is 1 day.
 .TP
 \fBudp_preference_limit\fP
@@ -535,7 +528,7 @@ following tags may be specified in the realm\(aqs subsection:
 \fBadmin_server\fP
 Identifies the host where the administration server is running.
 Typically, this is the primary Kerberos server.  This tag must be
-given a value in order to communicate with the kadmind(8)
+given a value in order to communicate with the \fI\%kadmind\fP
 server for the realm.
 .TP
 \fBauth_to_local\fP
@@ -572,8 +565,7 @@ For example:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [realms]
     ATHENA.MIT.EDU = {
         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
@@ -581,8 +573,7 @@ For example:
         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
         auth_to_local = DEFAULT
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -642,20 +633,21 @@ to a value conforming to one of the previous values.  For example,
 been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
 .TP
 \fBkdc\fP
-The name or address of a host running a KDC for that realm.  An
-optional port number, separated from the hostname by a colon, may
-be included.  If the name or address contains colons (for example,
-if it is an IPv6 address), enclose it in square brackets to
+The name or address of a host running a KDC for the realm, or a
+UNIX domain socket path of a locally running KDC.  An optional
+port number, separated from the hostname by a colon, may be
+included.  If the name or address contains colons (for example, if
+it is an IPv6 address), enclose it in square brackets to
 distinguish the colon from a port separator.  For your computer to
 be able to communicate with the KDC for each realm, this tag must
 be given a value in each realm subsection in the configuration
 file, or there must be DNS SRV records specifying the KDCs.
 .TP
 \fBkpasswd_server\fP
-Points to the server where all the password changes are performed.
-If there is no such entry, DNS will be queried (unless forbidden
-by \fBdns_lookup_kdc\fP).  Finally, port 464 on the \fBadmin_server\fP
-host will be tried.
+The location of the password change server for the realm, using
+the same syntax as \fBkdc\fP\&.  If there is no such entry, DNS will
+be queried (unless forbidden by \fBdns_lookup_kdc\fP).  Finally,
+port 464 on the \fBadmin_server\fP host will be tried.
 .TP
 \fBmaster_kdc\fP
 The name for \fBprimary_kdc\fP prior to release 1.19.  Its value is
@@ -698,14 +690,12 @@ Tag names should be in lower case.  For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [domain_realm]
     crash.mit.edu = TEST.ATHENA.MIT.EDU
     .dev.mit.edu = TEST.ATHENA.MIT.EDU
     mit.edu = ATHENA.MIT.EDU
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -739,7 +729,7 @@ There is a tag for each participating client realm, and each tag has
 subtags for each of the server realms.  The value of the subtags is an
 intermediate realm which may participate in the cross\-realm
 authentication.  The subtags may be repeated if there is more then one
-intermediate realm.  A value of "." means that the two realms share
+intermediate realm.  A value of \(dq.\(dq means that the two realms share
 keys directly, and no intermediate realms should be allowed to
 participate.
 .sp
@@ -757,8 +747,7 @@ would look like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [capaths]
     ANL.GOV = {
         TEST.ANL.GOV = .
@@ -778,8 +767,7 @@ would look like this:
     ES.NET = {
         ANL.GOV = .
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -788,8 +776,7 @@ systems would look like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [capaths]
     NERSC.GOV = {
         ANL.GOV = ES.NET
@@ -811,8 +798,7 @@ systems would look like this:
         NERSC.GOV = ANL.GOV
         NERSC.GOV = ES.NET
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -829,8 +815,7 @@ For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [appdefaults]
     telnet = {
         ATHENA.MIT.EDU = {
@@ -845,8 +830,7 @@ For example:
         option2 = false
     }
     option2 = true
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -970,7 +954,7 @@ following built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
 \fBacl\fP
-This module reads the kadm5.acl(5) file, and authorizes
+This module reads the \fI\%kadm5.acl\fP file, and authorizes
 operations which are allowed according to the rules in the file.
 .TP
 \fBself\fP
@@ -1046,7 +1030,7 @@ realm\(aqs section, and applies the default method if no
 .TP
 \fBk5login\fP
 This module authorizes a principal to a local account according to
-the account\(aqs \&.k5login(5) file.
+the account\(aqs \fI\%\&.k5login\fP file.
 .TP
 \fBan2ln\fP
 This module authorizes a principal to a local account if the
@@ -1095,14 +1079,12 @@ realm\-specific subsection of [libdefaults]:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [libdefaults]
     EXAMPLE.COM = {
         pkinit_anchors = FILE:/usr/local/example.com.crt
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .IP 2. 3
@@ -1110,14 +1092,12 @@ realm\-specific value in the [realms] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [realms]
     OTHERREALM.ORG = {
         pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .IP 3. 3
@@ -1125,12 +1105,10 @@ generic value in the [libdefaults] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [libdefaults]
     pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -1188,8 +1166,10 @@ module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
 a particular smard card reader or token if there is more than one
 available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
 force the selection of a particular certificate on the device.
-See the \fBpkinit_cert_match\fP configuration option for more ways
-to select a particular certificate to use for PKINIT.
+Specifier values must not contain colon characters, as colons are
+always treated as separators.  See the \fBpkinit_cert_match\fP
+configuration option for more ways to select a particular
+certificate to use for PKINIT.
 .TP
 \fBENV:\fP\fIenvvar\fP
 \fIenvvar\fP specifies the name of an environment variable which has
@@ -1281,13 +1261,11 @@ Examples:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .TP
@@ -1480,8 +1458,7 @@ Here is an example of a generic krb5.conf file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 [libdefaults]
     default_realm = ATHENA.MIT.EDU
     dns_lookup_kdc = true
@@ -1511,8 +1488,7 @@ Here is an example of a generic krb5.conf file:
     EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
     }
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH FILES

diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 3b619435bfc0220e988f5ec3934efe51720fc287..3975369051c98e14f55e6713c02a06fec05d05a4 100644 (file)
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -53,7 +53,7 @@ Distribution Center (AS/KDC).
 The \fB\-r\fP \fIrealm\fP option specifies the realm for which the server
 should provide service.  This option may be specified multiple times
 to serve multiple realms.  If no \fB\-r\fP option is given, the default
-realm (as specified in krb5.conf(5)) will be served.
+realm (as specified in \fI\%krb5.conf\fP) will be served.
 .sp
 The \fB\-d\fP \fIdbname\fP option specifies the name under which the
 principal database can be found.  This option does not apply to the
@@ -80,8 +80,8 @@ process.
 The \fB\-p\fP \fIportnum\fP option specifies the default UDP and TCP port
 numbers which the KDC should listen on for Kerberos version 5
 requests, as a comma\-separated list.  This value overrides the port
-numbers specified in the kdcdefaults section of
-kdc.conf(5), but may be overridden by realm\-specific values.
+numbers specified in the \fI\%[kdcdefaults]\fP section of
+\fI\%kdc.conf\fP, but may be overridden by realm\-specific values.
 If no value is given from any source, the default port is 88.
 .sp
 The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP
@@ -93,7 +93,7 @@ terminate the worker subprocess if the it is itself terminated or if
 any other worker process exits.
 .sp
 The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
-See Database Options in kadmin(1) for
+See \fI\%Database Options\fP in \fI\%kadmin\fP for
 supported arguments.
 .sp
 The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
@@ -109,29 +109,34 @@ For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
 specifies that the KDC listen on port 2001 for REALM1 and on port 2002
 for REALM2 and REALM3.  Additionally, per\-realm parameters may be
-specified in the kdc.conf(5) file.  The location of this file
+specified in the \fI\%kdc.conf\fP file.  The location of this file
 may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable.
 Per\-realm parameters specified in this file take precedence over
-options specified on the command line.  See the kdc.conf(5)
+options specified on the command line.  See the \fI\%kdc.conf\fP
 description for further details.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
+.sp
+As of release 1.22, krb5kdc supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables.  Sockets provided by
+the caller must correspond to configured listener addresses (via the
+\fBkdc_listen\fP variable or equivalent) or they will be ignored.  Any
+configured listener addresses that do not correspond to
+caller\-provided sockets will be ignored if socket activation is used.
 .SH SEE ALSO
 .sp
-kdb5_util(8), kdc.conf(5), krb5.conf(5),
-kdb5_ldap_util(8), kerberos(7)
+\fI\%kdb5_util\fP, \fI\%kdc.conf\fP, \fI\%krb5.conf\fP,
+\fI\%kdb5_ldap_util\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/ksu.man b/src/man/ksu.man
index 83553bc7bd67455c0163812988f1bcfc624c0d79..16d174fce7a2a538e9acae3410165928f35a11fc 100644 (file)
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -58,11 +58,11 @@ the target user, and the other is to create a new security context.
 .INDENT 0.0
 .INDENT 3.5
 For the sake of clarity, all references to and attributes of
-the user invoking the program will start with "source"
-(e.g., "source user", "source cache", etc.).
+the user invoking the program will start with \(dqsource\(dq
+(e.g., \(dqsource user\(dq, \(dqsource cache\(dq, etc.).
 .sp
 Likewise, all references to and attributes of the target
-account will start with "target".
+account will start with \(dqtarget\(dq.
 .UNINDENT
 .UNINDENT
 .SH AUTHENTICATION
@@ -100,7 +100,7 @@ option, see the OPTIONS section.
 Upon successful authentication, ksu checks whether the target
 principal is authorized to access the target account.  In the target
 user\(aqs home directory, ksu attempts to access two authorization files:
-\&.k5login(5) and .k5users.  In the .k5login file each line
+\fI\%\&.k5login\fP and .k5users.  In the .k5login file each line
 contains the name of a principal that is authorized to access the
 account.
 .sp
@@ -108,13 +108,11 @@ For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 jqpublic@USC.EDU
 jqpublic/secure@USC.EDU
 jqpublic/admin@USC.EDU
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -253,11 +251,9 @@ the resulting cache does not already exist.  For example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 krb5cc_1984.2
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -299,12 +295,12 @@ ticket granting ticket options that are specified will be used
 when getting a ticket granting ticket from the Kerberos server.
 .TP
 \fB\-l\fP \fIlifetime\fP
-(duration string.)  Specifies the lifetime to be requested
+(\fI\%Time duration\fP string.)  Specifies the lifetime to be requested
 for the ticket; if this option is not specified, the default ticket
 lifetime (12 hours) is used instead.
 .TP
 \fB\-r\fP \fItime\fP
-(duration string.)  Specifies that the \fBrenewable\fP option
+(\fI\%Time duration\fP string.)  Specifies that the \fBrenewable\fP option
 should be requested for the ticket, and specifies the desired
 total lifetime of the ticket.
 .TP
@@ -333,11 +329,9 @@ executes the specified command. Example of usage:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 ksu bob \-e ls \-lag
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -360,13 +354,11 @@ example:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 jqpublic@USC.EDU ls mail /local/kerberos/klist
 jqpublic/secure@USC.EDU *
 jqpublic/admin@USC.EDU
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -400,11 +392,9 @@ used as follows:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 \-a \-c [command [arguments]].
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -435,8 +425,8 @@ authorized to execute (via .k5users file).
 .TP
 \fBHAVE_GETUSERSHELL\fP
 If the source user is non\-root, ksu insists that the target user\(aqs
-shell to be invoked is a "legal shell".  \fIgetusershell(3)\fP is
-called to obtain the names of "legal shells".  Note that the
+shell to be invoked is a \(dqlegal shell\(dq.  \fIgetusershell(3)\fP is
+called to obtain the names of \(dqlegal shells\(dq.  Note that the
 target user\(aqs shell is obtained from the passwd file.
 .UNINDENT
 .sp
@@ -444,11 +434,9 @@ Sample configuration:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
-KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ucb /local/bin"
-.ft P
-.fi
+.EX
+KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq\(dq/bin /usr/ucb /local/bin\(dq
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -466,11 +454,11 @@ ksu deletes all expired tickets from the source cache.
 GENNADY (ARI) MEDVINSKY
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kerberos(7), kinit(1)
+\fI\%kerberos\fP, \fI\%kinit\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 265a61221f0195ce0adb5cf99b8c5428ed387e7f..f6e4abcc7c074ddb6779d9c68ecd0593a2b5d3aa 100644 (file)
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -51,7 +51,7 @@ made primary.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH FILES
 .INDENT 0.0
@@ -61,8 +61,8 @@ Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-kinit(1), kdestroy(1), klist(1),
-kerberos(7)
+\fI\%kinit\fP, \fI\%kdestroy\fP, \fI\%klist\fP,
+\fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 7ea54a2b64575260371759d1ad5c5cdd6a4d5334..ce810f8d42403287aa942e8a3f110af370ad1735 100644 (file)
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -133,8 +133,7 @@ Aliases: \fBexit\fP, \fBq\fP
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 ktutil:  add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e
     aes128\-cts\-hmac\-sha1\-96
 Password for alice@BLEEP.COM:
@@ -143,19 +142,18 @@ ktutil:  add_entry \-password \-p alice@BLEEP.COM \-k 1 \-e
 Password for alice@BLEEP.COM:
 ktutil:  write_kt alice.keytab
 ktutil:
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kadmin(1), kdb5_util(8), kerberos(7)
+\fI\%kadmin\fP, \fI\%kdb5_util\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/kvno.man b/src/man/kvno.man
index 493d079ca5ac1716426d7fb5c7d084ef80227650..a7a522fa9fe2ff5b503d55914100168b36641271 100644 (file)
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -122,7 +122,7 @@ encrypted in the server\(aqs long\-term key.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH FILES
 .INDENT 0.0
@@ -132,7 +132,7 @@ Default location of the credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
-kinit(1), kdestroy(1), kerberos(7)
+\fI\%kinit\fP, \fI\%kdestroy\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/sclient.man b/src/man/sclient.man
index 7c23582e846e39a75438f50e6f87641d877e4ba3..0d65552bb1ed72846a76261b8d73c100f3a030b2 100644 (file)
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -36,16 +36,16 @@ sclient \- sample Kerberos version 5 client
 .SH DESCRIPTION
 .sp
 sclient is a sample application, primarily useful for testing
-purposes.  It contacts a sample server sserver(8) and
+purposes.  It contacts a sample server \fI\%sserver\fP and
 authenticates to it using Kerberos version 5 tickets, then displays
 the server\(aqs response.
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-kinit(1), sserver(8), kerberos(7)
+\fI\%kinit\fP, \fI\%sserver\fP, \fI\%kerberos\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/man/sserver.man b/src/man/sserver.man
index 096c13c297235021da3e109260710ef2c08c2f04..dbe2d6d89a0ead594446d36a8dd2f4a329a8ef63 100644 (file)
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -38,7 +38,7 @@ sserver \- sample Kerberos version 5 server
 [ \fIserver_port\fP ]
 .SH DESCRIPTION
 .sp
-sserver and sclient(1) are a simple demonstration client/server
+sserver and \fI\%sclient\fP are a simple demonstration client/server
 application.  When sclient connects to sserver, it performs a Kerberos
 authentication, and then sserver returns to sclient the Kerberos
 principal which was used for the Kerberos authentication.  It makes a
@@ -47,7 +47,7 @@ good test that Kerberos has been successfully installed on a machine.
 The service name used by sserver and sclient is sample.  Hence,
 sserver will require that there be a keytab entry for the service
 \fBsample/hostname.domain.name@REALM.NAME\fP\&.  This keytab is generated
-using the kadmin(1) program.  The keytab file is usually
+using the \fI\%kadmin\fP program.  The keytab file is usually
 installed as \fB@KTNAME@\fP\&.
 .sp
 The \fB\-S\fP option allows for a different keytab than the default.
@@ -57,11 +57,9 @@ sserver is normally invoked out of inetd(8), using a line in
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 sample stream tcp nowait root /usr/local/sbin/sserver sserver
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -71,17 +69,15 @@ like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 sample          13135/tcp
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
 When using sclient, you will first have to have an entry in the
-Kerberos database, by using kadmin(1), and then you have to get
-Kerberos tickets, by using kinit(1)\&.  Also, if you are running
+Kerberos database, by using \fI\%kadmin\fP, and then you have to get
+Kerberos tickets, by using \fI\%kinit\fP\&.  Also, if you are running
 the sclient program on a different host than the sserver it will be
 connecting to, be sure that both hosts have an entry in /etc/services
 for the sample tcp port, and that the same port number is in both
@@ -91,13 +87,11 @@ When you run sclient you should see something like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 sendauth succeeded, reply is:
 reply len 32, contents:
 You are nlgilman@JIMI.MIT.EDU
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH COMMON ERROR MESSAGES
@@ -107,12 +101,10 @@ kinit returns the error:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 kinit: Client not found in Kerberos database while getting
        initial credentials
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -123,11 +115,9 @@ sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 unknown service sample/tcp; check /etc/services
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -138,11 +128,9 @@ sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 connect: Connection refused
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -153,30 +141,26 @@ sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 sclient: Server not found in Kerberos database while using
          sendauth
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
 This means that the \fBsample/hostname@LOCAL.REALM\fP service was not
 defined in the Kerberos database; it should be created using
-kadmin(1), and a keytab file needs to be generated to make
+\fI\%kadmin\fP, and a keytab file needs to be generated to make
 the key for that service principal available for sclient.
 .IP 5. 3
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 sendauth rejected, error reply is:
-    "No such file or directory"
-.ft P
-.fi
+    \(dqNo such file or directory\(dq
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -185,11 +169,11 @@ probably not installed in the proper directory.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
-See kerberos(7) for a description of Kerberos environment
+See \fI\%kerberos\fP for a description of Kerberos environment
 variables.
 .SH SEE ALSO
 .sp
-sclient(1), kerberos(7), services(5), inetd(8)
+\fI\%sclient\fP, \fI\%kerberos\fP, services(5), inetd(8)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT

diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps
index b6f4476fe894cbc0904f6b16e537d8047fa8a7bb..90d5d8da89719f9a4f3a8f473dedb4e8b138f3e4 100644 (file)
--- a/src/plugins/preauth/pkinit/deps
+++ b/src/plugins/preauth/pkinit/deps
@@ -28,13 +28,17 @@ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
   pkinit_srv.c pkinit_trace.h
 pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \
   $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
-  pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_lib.c \
-  pkinit_trace.h
+  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
+  pkinit_accessor.h pkinit_crypto.h pkinit_lib.c pkinit_trace.h
 pkinit_kdf_test.so pkinit_kdf_test.po $(OUTPRE)pkinit_kdf_test.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
@@ -93,12 +97,12 @@ pkinit_identity.so pkinit_identity.po $(OUTPRE)pkinit_identity.$(OBJEXT): \
 pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \
-  $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
-  pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_matching.c \
-  pkinit_trace.h
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-regex.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+  pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
+  pkinit_matching.c pkinit_trace.h
 pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \

diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index bdc31f59bb9a3ab47002ef17231a1d8574a454c9..1f883bf4ef52c509e539db0f6f0091399b26040a 100644 (file)
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: mit-krb5 1.22-prerelease\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-20 16:45-0400\n"
+"POT-Creation-Date: 2025-05-03 23:52-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -55,7 +55,7 @@ msgid "Other credential caches present, use -A to destroy all\n"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:110
-#: ../../src/clients/kinit/kinit.c:332 ../../src/clients/ksu/main.c:295
+#: ../../src/clients/kinit/kinit.c:332 ../../src/clients/ksu/main.c:284
 #, c-format
 msgid "Only one -c option allowed\n"
 msgstr ""
@@ -77,10 +77,10 @@ msgid "-A option is exclusive with -p option\n"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:150
-#: ../../src/clients/klist/klist.c:240 ../../src/clients/ksu/main.c:134
-#: ../../src/clients/ksu/main.c:140 ../../src/clients/kswitch/kswitch.c:94
-#: ../../src/kadmin/ktutil/ktutil.c:51 ../../src/kdc/main.c:924
-#: ../../src/kprop/kprop.c:103 ../../src/kprop/kpropd.c:1059
+#: ../../src/clients/klist/klist.c:240 ../../src/clients/ksu/main.c:133
+#: ../../src/clients/ksu/main.c:139 ../../src/clients/kswitch/kswitch.c:94
+#: ../../src/kadmin/ktutil/ktutil.c:51 ../../src/kdc/main.c:919
+#: ../../src/kprop/kprop.c:103 ../../src/kprop/kpropd.c:1060
 msgid "while initializing krb5"
 msgstr ""
 
@@ -116,7 +116,7 @@ msgstr ""
 msgid "while resolving ccache"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:211 ../../src/clients/ksu/main.c:1023
+#: ../../src/clients/kdestroy/kdestroy.c:211 ../../src/clients/ksu/main.c:1011
 msgid "while destroying cache"
 msgstr ""
 
@@ -345,7 +345,7 @@ msgid "while getting default ccache"
 msgstr ""
 
 #: ../../src/clients/kinit/kinit.c:462 ../../src/clients/kinit/kinit.c:530
-#: ../../src/clients/kpasswd/kpasswd.c:30 ../../src/clients/ksu/main.c:248
+#: ../../src/clients/kpasswd/kpasswd.c:30 ../../src/clients/ksu/main.c:247
 #, c-format
 msgid "when parsing name %s"
 msgstr ""
@@ -626,8 +626,8 @@ msgid "while starting keytab scan"
 msgstr ""
 
 #: ../../src/clients/klist/klist.c:327 ../../src/clients/klist/klist.c:485
-#: ../../src/clients/ksu/ccache.c:340 ../../src/kadmin/dbutil/dump.c:487
-#: ../../src/kadmin/dbutil/tabdump.c:549
+#: ../../src/clients/ksu/ccache.c:340 ../../src/kadmin/dbutil/dump.c:442
+#: ../../src/kadmin/dbutil/tabdump.c:587
 msgid "while unparsing principal name"
 msgstr ""
 
@@ -668,7 +668,7 @@ msgid "while retrieving a ticket"
 msgstr ""
 
 #: ../../src/clients/klist/klist.c:689 ../../src/clients/ksu/ccache.c:326
-#: ../../src/kprop/kpropd.c:1206 ../../src/kprop/kpropd.c:1271
+#: ../../src/kprop/kpropd.c:1213 ../../src/kprop/kpropd.c:1278
 msgid "while unparsing client name"
 msgstr ""
 
@@ -720,17 +720,18 @@ msgstr ""
 msgid "\tTicket server: %s\n"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:843 ../../src/clients/klist/klist.c:853
+#: ../../src/clients/klist/klist.c:844 ../../src/clients/klist/klist.c:854
+#: ../../src/clients/klist/klist.c:864
 #, c-format
 msgid "broken address (type %d length %d)"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:862
+#: ../../src/clients/klist/klist.c:873
 #, c-format
 msgid "unknown addrtype %d"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:871
+#: ../../src/clients/klist/klist.c:882
 #, c-format
 msgid "unprintable address (type %d, error %d %s)"
 msgstr ""
@@ -868,7 +869,7 @@ msgstr ""
 msgid "         in remotely using an unsecure (non-encrypted) channel. \n"
 msgstr ""
 
-#: ../../src/clients/ksu/krb_auth_su.c:107 ../../src/clients/ksu/main.c:480
+#: ../../src/clients/ksu/krb_auth_su.c:107 ../../src/clients/ksu/main.c:468
 msgid "while reclaiming root uid"
 msgstr ""
 
@@ -928,274 +929,274 @@ msgid ""
 "[args... ] ]\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:150
+#: ../../src/clients/ksu/main.c:149
 msgid ""
 "program name too long - quitting to avoid triggering system logging bugs"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:176
+#: ../../src/clients/ksu/main.c:175
 msgid "while allocating memory"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:189
+#: ../../src/clients/ksu/main.c:188
 msgid "while setting euid to source user"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:200 ../../src/clients/ksu/main.c:241
+#: ../../src/clients/ksu/main.c:199 ../../src/clients/ksu/main.c:240
 #, c-format
 msgid "Bad lifetime value (%s hours?)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:212 ../../src/clients/ksu/main.c:303
+#: ../../src/clients/ksu/main.c:211 ../../src/clients/ksu/main.c:292
 msgid "when gathering parameters"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:262
+#: ../../src/clients/ksu/main.c:261
 #, c-format
 msgid "-z option is mutually exclusive with -Z.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:270
+#: ../../src/clients/ksu/main.c:269
 #, c-format
 msgid "-Z option is mutually exclusive with -z.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:283
+#: ../../src/clients/ksu/main.c:279
 #, c-format
 msgid "while looking for credentials cache %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:289
-#, c-format
-msgid "malformed credential cache name %s\n"
-msgstr ""
-
-#: ../../src/clients/ksu/main.c:347
+#: ../../src/clients/ksu/main.c:336
 #, c-format
 msgid "ksu: who are you?\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:351
+#: ../../src/clients/ksu/main.c:340
 #, c-format
 msgid "Your uid doesn't match your passwd entry?!\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:366
+#: ../../src/clients/ksu/main.c:355
 #, c-format
 msgid "ksu: unknown login %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:386
+#: ../../src/clients/ksu/main.c:367
+#, c-format
+msgid "ksu: failed to get default ccache name\n"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:374
 msgid "while getting source cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:395
+#: ../../src/clients/ksu/main.c:383
 msgid "while selecting the best principal"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:403
+#: ../../src/clients/ksu/main.c:391
 msgid "while returning to source uid after finding best principal"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:423
+#: ../../src/clients/ksu/main.c:411
 #, c-format
 msgid "account %s: authorization failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:458
+#: ../../src/clients/ksu/main.c:446
 msgid "while parsing temporary name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:463
+#: ../../src/clients/ksu/main.c:451
 msgid "while creating temporary cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:469 ../../src/clients/ksu/main.c:709
+#: ../../src/clients/ksu/main.c:457 ../../src/clients/ksu/main.c:697
 #, c-format
 msgid "while copying cache %s to %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:487
+#: ../../src/clients/ksu/main.c:475
 #, c-format
 msgid ""
 "WARNING: Your password may be exposed if you enter it here and are logged\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:489
+#: ../../src/clients/ksu/main.c:477
 #, c-format
 msgid "         in remotely using an unsecure (non-encrypted) channel.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:495
+#: ../../src/clients/ksu/main.c:483
 #, c-format
 msgid "Goodbye\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:499
+#: ../../src/clients/ksu/main.c:487
 #, c-format
 msgid "Could not get a tgt for "
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:521
+#: ../../src/clients/ksu/main.c:509
 #, c-format
 msgid "Authentication failed.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:529
+#: ../../src/clients/ksu/main.c:517
 msgid "When unparsing name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:533
+#: ../../src/clients/ksu/main.c:521
 #, c-format
 msgid "Authenticated %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:540
+#: ../../src/clients/ksu/main.c:528
 msgid "while switching to target for authorization check"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:547
+#: ../../src/clients/ksu/main.c:535
 msgid "while checking authorization"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:553
+#: ../../src/clients/ksu/main.c:541
 msgid "while switching back from target after authorization check"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:560
+#: ../../src/clients/ksu/main.c:548
 #, c-format
 msgid "Account %s: authorization for %s for execution of\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:562
+#: ../../src/clients/ksu/main.c:550
 #, c-format
 msgid "               %s successful\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:568
+#: ../../src/clients/ksu/main.c:556
 #, c-format
 msgid "Account %s: authorization for %s successful\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:580
+#: ../../src/clients/ksu/main.c:568
 #, c-format
 msgid "Account %s: authorization for %s for execution of %s failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:588
+#: ../../src/clients/ksu/main.c:576
 #, c-format
 msgid "Account %s: authorization of %s failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:603
+#: ../../src/clients/ksu/main.c:591
 msgid "while calling cc_filter"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:611
+#: ../../src/clients/ksu/main.c:599
 msgid "while erasing target cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:631
+#: ../../src/clients/ksu/main.c:619
 #, c-format
 msgid "ksu: permission denied (shell).\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:640
+#: ../../src/clients/ksu/main.c:628
 #, c-format
 msgid "ksu: couldn't set environment variable USER\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:646
+#: ../../src/clients/ksu/main.c:634
 #, c-format
 msgid "ksu: couldn't set environment variable HOME\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:651
+#: ../../src/clients/ksu/main.c:639
 #, c-format
 msgid "ksu: couldn't set environment variable SHELL\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:662
+#: ../../src/clients/ksu/main.c:650
 #, c-format
 msgid "ksu: initgroups failed.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:667
+#: ../../src/clients/ksu/main.c:655
 #, c-format
 msgid "Leaving uid as %s (%ld)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:670
+#: ../../src/clients/ksu/main.c:658
 #, c-format
 msgid "Changing uid to %s (%ld)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:696
+#: ../../src/clients/ksu/main.c:684
 msgid "while getting name of target ccache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:716
+#: ../../src/clients/ksu/main.c:704
 #, c-format
 msgid "%s does not have correct permissions for %s, %s aborted"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:737
+#: ../../src/clients/ksu/main.c:725
 #, c-format
 msgid "Internal error: command %s did not get resolved\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:754 ../../src/clients/ksu/main.c:790
+#: ../../src/clients/ksu/main.c:742 ../../src/clients/ksu/main.c:778
 #, c-format
 msgid "while trying to execv %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:780
+#: ../../src/clients/ksu/main.c:768
 msgid "while calling waitpid"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:785
+#: ../../src/clients/ksu/main.c:773
 msgid "while trying to fork."
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:835
+#: ../../src/clients/ksu/main.c:823
 msgid "while reading cache name from ccache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:841
+#: ../../src/clients/ksu/main.c:829
 #, c-format
 msgid "ksu: couldn't set environment variable %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:867
+#: ../../src/clients/ksu/main.c:855
 msgid "while resetting target ccache name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:881
+#: ../../src/clients/ksu/main.c:869
 msgid "while determining target ccache name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:920
+#: ../../src/clients/ksu/main.c:908
 msgid "while generating part of the target ccache name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:926
+#: ../../src/clients/ksu/main.c:914
 msgid "while allocating memory for the target ccache name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:946
+#: ../../src/clients/ksu/main.c:934
 msgid "while creating new target ccache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:952
+#: ../../src/clients/ksu/main.c:940
 msgid "while initializing target cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:992
+#: ../../src/clients/ksu/main.c:980
 #, c-format
 msgid "terminal name %s too long\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:1017
+#: ../../src/clients/ksu/main.c:1005
 msgid "while changing to target uid for destroying ccache"
 msgstr ""
 
@@ -1382,8 +1383,8 @@ msgstr ""
 msgid "%s: Cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:380 ../../src/kadmin/cli/kadmin.c:840
-#: ../../src/kadmin/cli/kadmin.c:1109 ../../src/kadmin/cli/kadmin.c:1630
+#: ../../src/kadmin/cli/kadmin.c:380 ../../src/kadmin/cli/kadmin.c:889
+#: ../../src/kadmin/cli/kadmin.c:1158 ../../src/kadmin/cli/kadmin.c:1679
 #: ../../src/kadmin/cli/keytab.c:148 ../../src/kadmin/dbutil/kdb5_util.c:559
 #, c-format
 msgid "while parsing keysalts %s"
@@ -1415,7 +1416,7 @@ msgid "%s: out of memory\n"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:468 ../../src/kadmin/cli/kadmin.c:483
-#: ../../src/kprop/kpropd.c:677
+#: ../../src/kprop/kpropd.c:678
 msgid "while canonicalizing principal name"
 msgstr ""
 
@@ -1462,7 +1463,7 @@ msgstr ""
 msgid "Authenticating as principal %s with password.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:580 ../../src/kprop/kpropd.c:722
+#: ../../src/kadmin/cli/kadmin.c:580 ../../src/kprop/kpropd.c:723
 #, c-format
 msgid "while initializing %s interface"
 msgstr ""
@@ -1488,15 +1489,15 @@ msgstr ""
 msgid "usage: delete_principal [-force] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:680 ../../src/kadmin/cli/kadmin.c:859
+#: ../../src/kadmin/cli/kadmin.c:680 ../../src/kadmin/cli/kadmin.c:908
 msgid "while parsing principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:686 ../../src/kadmin/cli/kadmin.c:865
-#: ../../src/kadmin/cli/kadmin.c:1218 ../../src/kadmin/cli/kadmin.c:1343
-#: ../../src/kadmin/cli/kadmin.c:1413 ../../src/kadmin/cli/kadmin.c:1853
-#: ../../src/kadmin/cli/kadmin.c:1897 ../../src/kadmin/cli/kadmin.c:1943
-#: ../../src/kadmin/cli/kadmin.c:1983
+#: ../../src/kadmin/cli/kadmin.c:686 ../../src/kadmin/cli/kadmin.c:914
+#: ../../src/kadmin/cli/kadmin.c:1267 ../../src/kadmin/cli/kadmin.c:1392
+#: ../../src/kadmin/cli/kadmin.c:1462 ../../src/kadmin/cli/kadmin.c:1902
+#: ../../src/kadmin/cli/kadmin.c:1946 ../../src/kadmin/cli/kadmin.c:1992
+#: ../../src/kadmin/cli/kadmin.c:2032
 msgid "while canonicalizing principal"
 msgstr ""
 
@@ -1573,101 +1574,131 @@ msgid ""
 "reusing.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:782
+#: ../../src/kadmin/cli/kadmin.c:785
+msgid "usage: add_alias alias_principal target_principal\n"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:790
+msgid "while parsing alias principal name"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:795
+msgid "while parsing target principal name"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:801
+msgid "while canonicalizing alias principal"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:807
+msgid "while canonicalizing target principal"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:813
+#, c-format
+msgid "while aliasing principal \"%s\" to \"%s\""
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:817
+#, c-format
+msgid "Principal \"%s\" aliased to \"%s\".\n"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:831
 msgid ""
 "usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] "
 "principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:808
+#: ../../src/kadmin/cli/kadmin.c:857
 msgid "change_password: missing db argument"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:814
+#: ../../src/kadmin/cli/kadmin.c:863
 msgid "change_password: Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:822
+#: ../../src/kadmin/cli/kadmin.c:871
 msgid "change_password: missing password arg"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:833
+#: ../../src/kadmin/cli/kadmin.c:882
 msgid "change_password: missing keysaltlist arg"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:844
+#: ../../src/kadmin/cli/kadmin.c:893
 #, c-format
 msgid "unrecognized option %s"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:851
+#: ../../src/kadmin/cli/kadmin.c:900
 msgid "missing principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:853
+#: ../../src/kadmin/cli/kadmin.c:902
 msgid "too many arguments"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:877 ../../src/kadmin/cli/kadmin.c:914
+#: ../../src/kadmin/cli/kadmin.c:926 ../../src/kadmin/cli/kadmin.c:963
 #, c-format
 msgid "while changing password for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:880 ../../src/kadmin/cli/kadmin.c:917
+#: ../../src/kadmin/cli/kadmin.c:929 ../../src/kadmin/cli/kadmin.c:966
 #, c-format
 msgid "Password for \"%s\" changed.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:886 ../../src/kadmin/cli/kadmin.c:1294
+#: ../../src/kadmin/cli/kadmin.c:935 ../../src/kadmin/cli/kadmin.c:1343
 #, c-format
 msgid "while randomizing key for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:889
+#: ../../src/kadmin/cli/kadmin.c:938
 #, c-format
 msgid "Key for \"%s\" randomized.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:894 ../../src/kadmin/cli/kadmin.c:1254
+#: ../../src/kadmin/cli/kadmin.c:943 ../../src/kadmin/cli/kadmin.c:1303
 #, c-format
 msgid "Enter password for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:896 ../../src/kadmin/cli/kadmin.c:1256
+#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/cli/kadmin.c:1305
 #, c-format
 msgid "Re-enter password for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:901 ../../src/kadmin/cli/kadmin.c:1260
+#: ../../src/kadmin/cli/kadmin.c:950 ../../src/kadmin/cli/kadmin.c:1309
 #, c-format
 msgid "while reading password for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:955
+#: ../../src/kadmin/cli/kadmin.c:1004
 msgid "Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:985 ../../src/kadmin/dbutil/kdb5_util.c:591
+#: ../../src/kadmin/cli/kadmin.c:1034 ../../src/kadmin/dbutil/kdb5_util.c:591
 msgid "while getting time"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1126 ../../src/kadmin/cli/kadmin.c:1337
-#: ../../src/kadmin/cli/kadmin.c:1408 ../../src/kadmin/cli/kadmin.c:1847
-#: ../../src/kadmin/cli/kadmin.c:1891 ../../src/kadmin/cli/kadmin.c:1937
-#: ../../src/kadmin/cli/kadmin.c:1977
+#: ../../src/kadmin/cli/kadmin.c:1175 ../../src/kadmin/cli/kadmin.c:1386
+#: ../../src/kadmin/cli/kadmin.c:1457 ../../src/kadmin/cli/kadmin.c:1896
+#: ../../src/kadmin/cli/kadmin.c:1940 ../../src/kadmin/cli/kadmin.c:1986
+#: ../../src/kadmin/cli/kadmin.c:2026
 msgid "while parsing principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1135
+#: ../../src/kadmin/cli/kadmin.c:1184
 msgid "usage: add_principal [options] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1136 ../../src/kadmin/cli/kadmin.c:1160
-#: ../../src/kadmin/cli/kadmin.c:1653
+#: ../../src/kadmin/cli/kadmin.c:1185 ../../src/kadmin/cli/kadmin.c:1209
+#: ../../src/kadmin/cli/kadmin.c:1702
 msgid "\toptions are:\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1137
+#: ../../src/kadmin/cli/kadmin.c:1186
 msgid ""
 "\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire "
 "pwexpdate] [-maxlife maxtixlife]\n"
@@ -1677,11 +1708,11 @@ msgid ""
 "\t\t[{+|-}attribute]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1142 ../../src/kadmin/cli/kadmin.c:1165
+#: ../../src/kadmin/cli/kadmin.c:1191 ../../src/kadmin/cli/kadmin.c:1214
 msgid "\tattributes are:\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1143 ../../src/kadmin/cli/kadmin.c:1166
+#: ../../src/kadmin/cli/kadmin.c:1192 ../../src/kadmin/cli/kadmin.c:1215
 msgid ""
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
@@ -1694,11 +1725,11 @@ msgid ""
 "\t\t\tLook at each database documentation for supported arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1159
+#: ../../src/kadmin/cli/kadmin.c:1208
 msgid "usage: modify_principal [options] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1161
+#: ../../src/kadmin/cli/kadmin.c:1210
 msgid ""
 "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife "
 "maxtixlife]\n"
@@ -1706,170 +1737,170 @@ msgid ""
 "\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1225 ../../src/kadmin/cli/kadmin.c:1366
+#: ../../src/kadmin/cli/kadmin.c:1274 ../../src/kadmin/cli/kadmin.c:1415
 #, c-format
 msgid "WARNING: policy \"%s\" does not exist\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1232
+#: ../../src/kadmin/cli/kadmin.c:1281
 #, c-format
 msgid "No policy specified for %s; assigning \"default\"\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1238
+#: ../../src/kadmin/cli/kadmin.c:1287
 #, c-format
 msgid "No policy specified for %s; defaulting to no policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1280
+#: ../../src/kadmin/cli/kadmin.c:1329
 #, c-format
 msgid "Admin server does not support -nokey while creating \"%s\"\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1302
+#: ../../src/kadmin/cli/kadmin.c:1351
 #, c-format
 msgid "while clearing DISALLOW_ALL_TIX for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1349
+#: ../../src/kadmin/cli/kadmin.c:1398
 #, c-format
 msgid "while getting \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1375
+#: ../../src/kadmin/cli/kadmin.c:1424
 #, c-format
 msgid "while modifying \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1379
+#: ../../src/kadmin/cli/kadmin.c:1428
 #, c-format
 msgid "Principal \"%s\" modified.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1400
+#: ../../src/kadmin/cli/kadmin.c:1449
 msgid "usage: get_principal [-terse] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1419
+#: ../../src/kadmin/cli/kadmin.c:1468
 #, c-format
 msgid "while retrieving \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1424 ../../src/kadmin/cli/kadmin.c:1429
+#: ../../src/kadmin/cli/kadmin.c:1473 ../../src/kadmin/cli/kadmin.c:1478
 msgid "while unparsing principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1433
+#: ../../src/kadmin/cli/kadmin.c:1482
 #, c-format
 msgid "Principal: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1434
+#: ../../src/kadmin/cli/kadmin.c:1483
 #, c-format
 msgid "Expiration date: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1435 ../../src/kadmin/cli/kadmin.c:1437
-#: ../../src/kadmin/cli/kadmin.c:1440 ../../src/kadmin/cli/kadmin.c:1448
+#: ../../src/kadmin/cli/kadmin.c:1484 ../../src/kadmin/cli/kadmin.c:1486
+#: ../../src/kadmin/cli/kadmin.c:1489 ../../src/kadmin/cli/kadmin.c:1497
 msgid "[never]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1436
+#: ../../src/kadmin/cli/kadmin.c:1485
 #, c-format
 msgid "Last password change: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1438
+#: ../../src/kadmin/cli/kadmin.c:1487
 #, c-format
 msgid "Password expiration date: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1441
+#: ../../src/kadmin/cli/kadmin.c:1490
 #, c-format
 msgid "Maximum ticket life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1442
+#: ../../src/kadmin/cli/kadmin.c:1491
 #, c-format
 msgid "Maximum renewable life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1444
+#: ../../src/kadmin/cli/kadmin.c:1493
 #, c-format
 msgid "Last modified: %s (%s)\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1446
+#: ../../src/kadmin/cli/kadmin.c:1495
 #, c-format
 msgid "Last successful authentication: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1452
+#: ../../src/kadmin/cli/kadmin.c:1501
 #, c-format
 msgid "Failed password attempts: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1454
+#: ../../src/kadmin/cli/kadmin.c:1503
 #, c-format
 msgid "Number of keys: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1462
+#: ../../src/kadmin/cli/kadmin.c:1511
 #, c-format
 msgid "<Encryption type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1474
+#: ../../src/kadmin/cli/kadmin.c:1523
 #, c-format
 msgid "<Salt type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1480
+#: ../../src/kadmin/cli/kadmin.c:1529
 #, c-format
 msgid "MKey: vno %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1482
+#: ../../src/kadmin/cli/kadmin.c:1531
 #, c-format
 msgid "Attributes:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1485
+#: ../../src/kadmin/cli/kadmin.c:1534
 msgid "while printing flags"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1494
+#: ../../src/kadmin/cli/kadmin.c:1543
 msgid "[none]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1496
+#: ../../src/kadmin/cli/kadmin.c:1545
 msgid " [does not exist]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1497
+#: ../../src/kadmin/cli/kadmin.c:1546
 #, c-format
 msgid "Policy: %s%s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1533
+#: ../../src/kadmin/cli/kadmin.c:1582
 msgid "usage: get_principals [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1538 ../../src/kadmin/cli/kadmin.c:1789
+#: ../../src/kadmin/cli/kadmin.c:1587 ../../src/kadmin/cli/kadmin.c:1838
 msgid "while retrieving list."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1643
+#: ../../src/kadmin/cli/kadmin.c:1692
 #, c-format
 msgid "%s: parser lost count!\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1652
+#: ../../src/kadmin/cli/kadmin.c:1701
 #, c-format
 msgid "usage; %s [options] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1654
+#: ../../src/kadmin/cli/kadmin.c:1703
 msgid ""
 "\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
 "\t\t[-minclasses number] [-history number]\n"
@@ -1877,172 +1908,172 @@ msgid ""
 "\t\t[-allowedkeysalts keysalts]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1658
+#: ../../src/kadmin/cli/kadmin.c:1707
 msgid "\t\t[-lockoutduration time]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1677
+#: ../../src/kadmin/cli/kadmin.c:1726
 #, c-format
 msgid "while creating policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1698
+#: ../../src/kadmin/cli/kadmin.c:1747
 #, c-format
 msgid "while modifying policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1710
+#: ../../src/kadmin/cli/kadmin.c:1759
 msgid "usage: delete_policy [-force] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1714
+#: ../../src/kadmin/cli/kadmin.c:1763
 #, c-format
 msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1718
+#: ../../src/kadmin/cli/kadmin.c:1767
 #, c-format
 msgid "Policy \"%s\" not deleted.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1724
+#: ../../src/kadmin/cli/kadmin.c:1773
 #, c-format
 msgid "while deleting policy \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1736
+#: ../../src/kadmin/cli/kadmin.c:1785
 msgid "usage: get_policy [-terse] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1741
+#: ../../src/kadmin/cli/kadmin.c:1790
 #, c-format
 msgid "while retrieving policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1746
+#: ../../src/kadmin/cli/kadmin.c:1795
 #, c-format
 msgid "Policy: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1747
+#: ../../src/kadmin/cli/kadmin.c:1796
 #, c-format
 msgid "Maximum password life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1748
+#: ../../src/kadmin/cli/kadmin.c:1797
 #, c-format
 msgid "Minimum password life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1749
+#: ../../src/kadmin/cli/kadmin.c:1798
 #, c-format
 msgid "Minimum password length: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1750
+#: ../../src/kadmin/cli/kadmin.c:1799
 #, c-format
 msgid "Minimum number of password character classes: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1752
+#: ../../src/kadmin/cli/kadmin.c:1801
 #, c-format
 msgid "Number of old keys kept: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1753
+#: ../../src/kadmin/cli/kadmin.c:1802
 #, c-format
 msgid "Maximum password failures before lockout: %lu\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1755
+#: ../../src/kadmin/cli/kadmin.c:1804
 #, c-format
 msgid "Password failure count reset interval: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1757
+#: ../../src/kadmin/cli/kadmin.c:1806
 #, c-format
 msgid "Password lockout duration: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1760
+#: ../../src/kadmin/cli/kadmin.c:1809
 #, c-format
 msgid "Allowed key/salt types: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1784
+#: ../../src/kadmin/cli/kadmin.c:1833
 msgid "usage: get_policies [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1806
+#: ../../src/kadmin/cli/kadmin.c:1855
 msgid "usage: get_privs\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1811
+#: ../../src/kadmin/cli/kadmin.c:1860
 msgid "while retrieving privileges"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1814
+#: ../../src/kadmin/cli/kadmin.c:1863
 #, c-format
 msgid "current privileges:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1840
+#: ../../src/kadmin/cli/kadmin.c:1889
 msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1860
+#: ../../src/kadmin/cli/kadmin.c:1909
 #, c-format
 msgid "while purging keys for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1865
+#: ../../src/kadmin/cli/kadmin.c:1914
 #, c-format
 msgid "All keys for principal \"%s\" removed.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1867
+#: ../../src/kadmin/cli/kadmin.c:1916
 #, c-format
 msgid "Old keys for principal \"%s\" purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1884
+#: ../../src/kadmin/cli/kadmin.c:1933
 msgid "usage: get_strings principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1904
+#: ../../src/kadmin/cli/kadmin.c:1953
 #, c-format
 msgid "while getting attributes for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1909
+#: ../../src/kadmin/cli/kadmin.c:1958
 #, c-format
 msgid "(No string attributes.)\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1928
+#: ../../src/kadmin/cli/kadmin.c:1977
 msgid "usage: set_string principal key value\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1950
+#: ../../src/kadmin/cli/kadmin.c:1999
 #, c-format
 msgid "while setting attribute on principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1954
+#: ../../src/kadmin/cli/kadmin.c:2003
 #, c-format
 msgid "Attribute set for principal \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1969
+#: ../../src/kadmin/cli/kadmin.c:2018
 msgid "usage: del_string principal key\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1990
+#: ../../src/kadmin/cli/kadmin.c:2039
 #, c-format
 msgid "while deleting attribute from principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1994
+#: ../../src/kadmin/cli/kadmin.c:2043
 #, c-format
 msgid "Attribute removed from principal \"%s\".\n"
 msgstr ""
@@ -2152,280 +2183,284 @@ msgstr ""
 msgid "creating invocation"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:165
+#: ../../src/kadmin/dbutil/dump.c:151
 msgid "while allocating temporary filename dump"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:176
+#: ../../src/kadmin/dbutil/dump.c:162
 msgid "while renaming dump file into place"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:196
+#: ../../src/kadmin/dbutil/dump.c:182
 msgid "while allocating dump_ok filename"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:202
+#: ../../src/kadmin/dbutil/dump.c:188
 #, c-format
 msgid "while creating 'ok' file, '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:207
+#: ../../src/kadmin/dbutil/dump.c:193
 #, c-format
 msgid "while locking 'ok' file, '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:260 ../../src/kadmin/dbutil/dump.c:289
+#: ../../src/kadmin/dbutil/dump.c:238
 #, c-format
 msgid "%s: regular expression error: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:272
+#: ../../src/kadmin/dbutil/dump.c:250
 #, c-format
 msgid "%s: regular expression match error: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:373
+#: ../../src/kadmin/dbutil/dump.c:328
 #, c-format
 msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:495
+#: ../../src/kadmin/dbutil/dump.c:450
 #, c-format
 msgid "while converting %s to new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:516
+#: ../../src/kadmin/dbutil/dump.c:471
 #, c-format
 msgid "%s(%d): %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:559
+#: ../../src/kadmin/dbutil/dump.c:514
 #, c-format
 msgid "%s(%d): ignoring trash at end of line: "
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:622
+#: ../../src/kadmin/dbutil/dump.c:577
 msgid "cannot read tagged data type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:626
+#: ../../src/kadmin/dbutil/dump.c:581
 msgid "data type or length overflowed"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:633
+#: ../../src/kadmin/dbutil/dump.c:588
 msgid "cannot read tagged data contents"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:666
+#: ../../src/kadmin/dbutil/dump.c:621
 msgid "cannot match size tokens"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:672
+#: ../../src/kadmin/dbutil/dump.c:627
 msgid "cannot allocate principal (too large)"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:681
+#: ../../src/kadmin/dbutil/dump.c:636
 msgid "cannot allocate tl_data (too large)"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:690
+#: ../../src/kadmin/dbutil/dump.c:645
 msgid "invalid key_data size"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:707
+#: ../../src/kadmin/dbutil/dump.c:655
+msgid "invalid principal extra data size"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:667
 msgid "cannot read name string"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:712
+#: ../../src/kadmin/dbutil/dump.c:672
 #, c-format
 msgid "while parsing name %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:720
+#: ../../src/kadmin/dbutil/dump.c:680
 msgid "cannot read principal attributes"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:773
+#: ../../src/kadmin/dbutil/dump.c:733
 msgid "cannot read key size and version"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:777
+#: ../../src/kadmin/dbutil/dump.c:737
 msgid "unsupported key_data_ver version"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:781
+#: ../../src/kadmin/dbutil/dump.c:741
 msgid "invalid kvno"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:792
+#: ../../src/kadmin/dbutil/dump.c:752
 msgid "cannot read key type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:798
+#: ../../src/kadmin/dbutil/dump.c:758
 msgid "cannot read key data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:808
+#: ../../src/kadmin/dbutil/dump.c:768
 msgid "cannot read extra data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:817
+#: ../../src/kadmin/dbutil/dump.c:777
 #, c-format
 msgid "while storing %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:856 ../../src/kadmin/dbutil/dump.c:895
-#: ../../src/kadmin/dbutil/dump.c:941 ../../src/kadmin/dbutil/dump.c:960
+#: ../../src/kadmin/dbutil/dump.c:816 ../../src/kadmin/dbutil/dump.c:855
+#: ../../src/kadmin/dbutil/dump.c:901 ../../src/kadmin/dbutil/dump.c:920
 #, c-format
 msgid "cannot parse policy (%d read)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:864 ../../src/kadmin/dbutil/dump.c:903
-#: ../../src/kadmin/dbutil/dump.c:981
+#: ../../src/kadmin/dbutil/dump.c:824 ../../src/kadmin/dbutil/dump.c:863
+#: ../../src/kadmin/dbutil/dump.c:941
 msgid "while creating policy"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:868
+#: ../../src/kadmin/dbutil/dump.c:828
 #, c-format
 msgid "created policy %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1018
+#: ../../src/kadmin/dbutil/dump.c:978
 #, c-format
 msgid "unknown record type \"%s\"\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1129
+#: ../../src/kadmin/dbutil/dump.c:1089
 #, c-format
 msgid "%s: Unknown iprop dump version %d\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1207 ../../src/kadmin/dbutil/dump.c:1443
+#: ../../src/kadmin/dbutil/dump.c:1167 ../../src/kadmin/dbutil/dump.c:1403
 #, c-format
 msgid "OV dump format not supported\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1229 ../../src/kadmin/dbutil/dump.c:1455
+#: ../../src/kadmin/dbutil/dump.c:1189 ../../src/kadmin/dbutil/dump.c:1415
 #, c-format
 msgid "Iprop not enabled\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1266
+#: ../../src/kadmin/dbutil/dump.c:1226
 msgid "Conditional dump is an undocumented option for use only for iprop dumps"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1279
+#: ../../src/kadmin/dbutil/dump.c:1239
 msgid "Database not currently opened!"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1293 ../../src/kadmin/dbutil/kdb5_stash.c:114
+#: ../../src/kadmin/dbutil/dump.c:1253 ../../src/kadmin/dbutil/kdb5_stash.c:114
 #: ../../src/kadmin/dbutil/kdb5_util.c:447
 msgid "while reading master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1299
+#: ../../src/kadmin/dbutil/dump.c:1259
 msgid "while verifying master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1318 ../../src/kadmin/dbutil/dump.c:1328
+#: ../../src/kadmin/dbutil/dump.c:1278 ../../src/kadmin/dbutil/dump.c:1288
 msgid "while reading new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1322
+#: ../../src/kadmin/dbutil/dump.c:1282
 #, c-format
 msgid "Please enter new master key....\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1346
+#: ../../src/kadmin/dbutil/dump.c:1306
 #, c-format
 msgid "while opening %s for writing"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1361
+#: ../../src/kadmin/dbutil/dump.c:1321
 msgid "while reading update log header"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1376 ../../src/kadmin/dbutil/dump.c:1384
+#: ../../src/kadmin/dbutil/dump.c:1336 ../../src/kadmin/dbutil/dump.c:1344
 #, c-format
 msgid "performing %s dump"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1414
+#: ../../src/kadmin/dbutil/dump.c:1374
 #, c-format
 msgid "%s: error processing line %d of %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1464
+#: ../../src/kadmin/dbutil/dump.c:1424
 msgid "while parsing options"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1479
+#: ../../src/kadmin/dbutil/dump.c:1439
 #, c-format
 msgid "while opening %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1484 ../../src/kadmin/dbutil/dump.c:1580
+#: ../../src/kadmin/dbutil/dump.c:1444 ../../src/kadmin/dbutil/dump.c:1540
 msgid "standard input"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1489
+#: ../../src/kadmin/dbutil/dump.c:1449
 #, c-format
 msgid "%s: can't read dump header in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1497 ../../src/kadmin/dbutil/dump.c:1511
+#: ../../src/kadmin/dbutil/dump.c:1457 ../../src/kadmin/dbutil/dump.c:1471
 #, c-format
 msgid "%s: dump header bad in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1520
+#: ../../src/kadmin/dbutil/dump.c:1480
 #, c-format
 msgid "Could not open iprop ulog\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1525
+#: ../../src/kadmin/dbutil/dump.c:1485
 #, c-format
 msgid "%s: dump version %s can only be loaded with the -update flag\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1534 ../../src/kadmin/dbutil/dump.c:1539
+#: ../../src/kadmin/dbutil/dump.c:1494 ../../src/kadmin/dbutil/dump.c:1499
 msgid "computing parameters for database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1545
+#: ../../src/kadmin/dbutil/dump.c:1505
 msgid "while creating database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1554
+#: ../../src/kadmin/dbutil/dump.c:1514
 msgid "while opening database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1564
+#: ../../src/kadmin/dbutil/dump.c:1524
 msgid "while permanently locking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1582
+#: ../../src/kadmin/dbutil/dump.c:1542
 #, c-format
 msgid "%s: %s restore failed\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1587
+#: ../../src/kadmin/dbutil/dump.c:1547
 msgid "while unlocking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1597 ../../src/kadmin/dbutil/dump.c:1616
+#: ../../src/kadmin/dbutil/dump.c:1557 ../../src/kadmin/dbutil/dump.c:1576
 msgid "while reinitializing update log"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1607
+#: ../../src/kadmin/dbutil/dump.c:1567
 msgid "while making newly loaded database live"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1623
+#: ../../src/kadmin/dbutil/dump.c:1583
 msgid "while writing update log header"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1637
+#: ../../src/kadmin/dbutil/dump.c:1597
 #, c-format
 msgid "while deleting bad database %s"
 msgstr ""
@@ -2471,14 +2506,14 @@ msgid "You will be prompted for the database Master Password.\n"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:202
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:255
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:240
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:476
 #, c-format
 msgid "It is important that you NOT FORGET this password.\n"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:208
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:261
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:246
 msgid "while creating new master key"
 msgstr ""
 
@@ -2488,13 +2523,13 @@ msgid "while reading master key from keyboard"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:226
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:280
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:265
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:578
 msgid "while calculating master key salt"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:234
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:289
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:274
 #: ../../src/kadmin/dbutil/kdb5_util.c:433
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:590
 msgid "while transforming master key from password"
@@ -2523,14 +2558,14 @@ msgid "while adding entries to the database"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:321
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:333
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:318
 #: ../../src/kadmin/dbutil/kdb5_stash.c:131
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:627
 msgid "while storing key"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_create.c:322
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:334
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:319
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:628
 #, c-format
 msgid "Warning: couldn't stash master key.\n"
@@ -2542,7 +2577,7 @@ msgid "Deleting KDC database stored in '%s', are you sure?\n"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_destroy.c:69
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1111
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1064
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1434
 #, c-format
@@ -2564,292 +2599,292 @@ msgstr ""
 msgid "** Database '%s' destroyed.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:223
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:208
 #, c-format
 msgid "%s is an invalid enctype"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:245
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:421
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:564
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:941
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1102
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:230
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:406
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:551
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:896
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1055
 #, c-format
 msgid "while getting master key principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:251
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:236
 #, c-format
 msgid "Creating new master key for master key principal '%s'\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:254
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:239
 #, c-format
 msgid "You will be prompted for a new database Master Password.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:270
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:255
 msgid "while reading new master key from keyboard"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:299
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:284
 msgid "adding new master key to master principal"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:305
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:390
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:806
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1305
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:290
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:375
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:774
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1258
 msgid "while getting current time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:312
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:522
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1312
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:297
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:507
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1265
 msgid "while updating the master key principal modification time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:319
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:530
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1322
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:517
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1275
 msgid "while adding master key entry to the database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:371
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:356
 msgid "0 is an invalid KVNO value"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:382
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:367
 #, c-format
 msgid "%d is an invalid KVNO value"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:398
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
 #, c-format
 msgid "could not parse date-time string '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:430
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:415
 msgid "while looking up active version of master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:469
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:454
 msgid "while adding new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:507
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:492
 msgid "there must be one master key currently active"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:515
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1291
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:500
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1244
 msgid "while updating actkvno data for master principal entry"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:556
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:903
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1072
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:543
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:868
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1025
 msgid "master keylist not initialized"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:572
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:949
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1199
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:559
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:904
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1152
 msgid "while looking up active kvno list"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:580
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:957
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:567
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:912
 msgid "while looking up active master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:592
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:579
 msgid "while getting enctype description"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:609
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:596
 #, c-format
 msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:614
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:601
 #, c-format
 msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:618
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:605
 #, c-format
 msgid "KVNO: %d, Enctype: %s, No activate time set\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:623
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:610
 msgid "asprintf could not allocate enough memory to hold output"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:756
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:734
 msgid "getting string representation of principal name"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:780
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:748
 #, c-format
 msgid "determining master key used for principal '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:786
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:754
 #, c-format
 msgid "would skip:   %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:788
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:756
 #, c-format
 msgid "skipping: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:794
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:762
 #, c-format
 msgid "would update: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:798
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:766
 #, c-format
 msgid "updating: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:802
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:770
 #, c-format
 msgid "error re-encrypting key for principal '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:813
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:781
 #, c-format
 msgid "while updating principal '%s' modification time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:820
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:788
 #, c-format
 msgid "while updating principal '%s' key data in the database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:852
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:820
 #, c-format
 msgid ""
 "\n"
 "(type 'yes' to confirm)? "
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:914
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:879
 #, c-format
 msgid "converting glob pattern '%s' to regular expression"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:932
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:887
 #, c-format
 msgid "error compiling converted regexp '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:965
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:920
 #, c-format
 msgid "Re-encrypt all keys not using master key vno %u?"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:967
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:922
 #, c-format
 msgid "OK, doing nothing.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:973
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:928
 #, c-format
 msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:976
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:931
 #, c-format
 msgid ""
 "Principals whose keys are being re-encrypted to master key vno %u if "
 "necessary:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:992
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:947
 msgid "trying to process principal database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:996
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:951
 #, c-format
 msgid "%u principals processed: %u would be updated, %u already current\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1000
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:955
 #, c-format
 msgid "%u principals processed: %u updated, %u already current\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1109
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1062
 #, c-format
 msgid ""
 "Will purge all unused master keys stored in the '%s' principal, are you "
 "sure?\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1120
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1073
 #, c-format
 msgid "OK, purging unused master keys from '%s'...\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1128
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1081
 #, c-format
 msgid "There is only one master key which can not be purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1137
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1090
 msgid "while allocating args.kvnos"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1153
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1106
 msgid "while finding master keys in use"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1162
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1115
 #, c-format
 msgid "Would purge the following master key(s) from %s:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1165
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1118
 #, c-format
 msgid "Purging the following master key(s) from %s:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1177
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1130
 msgid "master key stash file needs updating, command aborting"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1136
 #, c-format
 msgid "KVNO: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1188
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1141
 #, c-format
 msgid "All keys in use, nothing purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1193
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1146
 #, c-format
 msgid "%d key(s) would be purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1206
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1159
 msgid "while looking up mkey aux data list"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1214
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1167
 msgid "while allocating key_data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1299
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1252
 msgid "while updating mkey_aux data for master principal entry"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1326
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1279
 #, c-format
 msgid "%d key(s) purged.\n"
 msgstr ""
@@ -2986,22 +3021,22 @@ msgstr ""
 msgid "while setting changetime"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:606
+#: ../../src/kadmin/dbutil/kdb5_util.c:609
 #, c-format
 msgid "while saving principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:610
+#: ../../src/kadmin/dbutil/kdb5_util.c:613
 #, c-format
 msgid "%s changed\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/tabdump.c:573
+#: ../../src/kadmin/dbutil/tabdump.c:611
 #, c-format
 msgid "opening %s for writing"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/tabdump.c:655
+#: ../../src/kadmin/dbutil/tabdump.c:693
 msgid "performing tabular dump"
 msgstr ""
 
@@ -3209,13 +3244,13 @@ msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
 msgstr ""
 
 #: ../../src/kadmin/server/ipropd_svc.c:490
-#: ../../src/kadmin/server/kadm_rpc_svc.c:299
+#: ../../src/kadmin/server/kadm_rpc_svc.c:306
 #, c-format
 msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
 msgstr ""
 
 #: ../../src/kadmin/server/ipropd_svc.c:520
-#: ../../src/kadmin/server/kadm_rpc_svc.c:328
+#: ../../src/kadmin/server/kadm_rpc_svc.c:335
 #, c-format
 msgid "bad service principal %.*s%s"
 msgstr ""
@@ -3245,7 +3280,7 @@ msgstr ""
 msgid "RPC svc_freeargs failed (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/kadm_rpc_svc.c:349
+#: ../../src/kadmin/server/kadm_rpc_svc.c:356
 #, c-format
 msgid "gss_to_krb5_name: failed display_name status %d"
 msgstr ""
@@ -3282,171 +3317,171 @@ msgstr ""
 msgid "%s, aborting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:278
+#: ../../src/kadmin/server/ovsec_kadmd.c:273
 #, c-format
 msgid ""
 "WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = "
 "%.*s%s, addr = %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:284
+#: ../../src/kadmin/server/ovsec_kadmd.c:279
 #, c-format
 msgid ""
 "WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = "
 "%.*s%s, addr = %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:298
+#: ../../src/kadmin/server/ovsec_kadmd.c:293
 #, c-format
 msgid "Miscellaneous RPC error: %s, %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:314
+#: ../../src/kadmin/server/ovsec_kadmd.c:309
 #, c-format
 msgid "%s Cannot decode status %d"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:332
+#: ../../src/kadmin/server/ovsec_kadmd.c:327
 #, c-format
 msgid "Authentication attempt failed: %s, GSS-API error strings are:"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:337
+#: ../../src/kadmin/server/ovsec_kadmd.c:332
 msgid "   GSS-API error strings complete."
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:375
+#: ../../src/kadmin/server/ovsec_kadmd.c:371
 #, c-format
 msgid "%s: cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:443
+#: ../../src/kadmin/server/ovsec_kadmd.c:439
 #, c-format
 msgid "%s: %s while initializing context, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:454
-#: ../../src/kadmin/server/ovsec_kadmd.c:523
+#: ../../src/kadmin/server/ovsec_kadmd.c:450
+#: ../../src/kadmin/server/ovsec_kadmd.c:519
 msgid "initializing"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:458
+#: ../../src/kadmin/server/ovsec_kadmd.c:454
 msgid "getting config parameters"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:460
+#: ../../src/kadmin/server/ovsec_kadmd.c:456
 msgid "Missing required realm configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:462
+#: ../../src/kadmin/server/ovsec_kadmd.c:458
 msgid "Missing required ACL file configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:464
+#: ../../src/kadmin/server/ovsec_kadmd.c:460
 msgid "-proponly can only be used when iprop_enable is true"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:470
+#: ../../src/kadmin/server/ovsec_kadmd.c:466
 msgid "initializing network"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:475
+#: ../../src/kadmin/server/ovsec_kadmd.c:471
 msgid "Cannot build GSSAPI auth names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:479
+#: ../../src/kadmin/server/ovsec_kadmd.c:475
 msgid "Cannot set up KDB keytab"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:482
+#: ../../src/kadmin/server/ovsec_kadmd.c:478
 msgid "Cannot set GSSAPI authentication names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:499
+#: ../../src/kadmin/server/ovsec_kadmd.c:495
 msgid "Cannot initialize GSSAPI service name"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:504
+#: ../../src/kadmin/server/ovsec_kadmd.c:500
 msgid "initializing ACL file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:512
+#: ../../src/kadmin/server/ovsec_kadmd.c:508
 msgid "spawning daemon process"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:516
+#: ../../src/kadmin/server/ovsec_kadmd.c:512
 msgid "creating PID file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:530
+#: ../../src/kadmin/server/ovsec_kadmd.c:526
 msgid "mapping update log"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:534
+#: ../../src/kadmin/server/ovsec_kadmd.c:530
 #, c-format
 msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:542
+#: ../../src/kadmin/server/ovsec_kadmd.c:538
 msgid "starting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:544 ../../src/kdc/main.c:1033
+#: ../../src/kadmin/server/ovsec_kadmd.c:540 ../../src/kdc/main.c:1027
 #, c-format
 msgid "%s: starting...\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:547
+#: ../../src/kadmin/server/ovsec_kadmd.c:543
 msgid "finished, exiting"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:273
+#: ../../src/kadmin/server/schpw.c:240
 #, c-format
 msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:278
+#: ../../src/kadmin/server/schpw.c:245
 #, c-format
 msgid "chpw request from %s for %.*s%s: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:446
+#: ../../src/kadmin/server/schpw.c:414
 #, c-format
 msgid "chpw: Couldn't open admin keytab %s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:396
+#: ../../src/kadmin/server/server_stubs.c:422
 #, c-format
 msgid ""
 "Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:417
-#: ../../src/kadmin/server/server_stubs.c:695
-#: ../../src/kadmin/server/server_stubs.c:1570
+#: ../../src/kadmin/server/server_stubs.c:443
+#: ../../src/kadmin/server/server_stubs.c:736
+#: ../../src/kadmin/server/server_stubs.c:1643
 msgid "success"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:427
+#: ../../src/kadmin/server/server_stubs.c:453
 #, c-format
 msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:675
+#: ../../src/kadmin/server/server_stubs.c:716
 #, c-format
 msgid ""
 "Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, "
 "client=%.*s%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:690
+#: ../../src/kadmin/server/server_stubs.c:731
 #, c-format
 msgid ""
 "Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, "
 "service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:1566
+#: ../../src/kadmin/server/server_stubs.c:1639
 #, c-format
 msgid ""
 "Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, "
@@ -3511,51 +3546,51 @@ msgstr ""
 msgid "while loading authdata module %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:83
+#: ../../src/kdc/kdc_log.c:79
 #, c-format
 msgid "AS_REQ (%s) %s: ISSUE: authtime %u, %s, %s for %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:91
+#: ../../src/kdc/kdc_log.c:87
 #, c-format
 msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:154
+#: ../../src/kdc/kdc_log.c:146
 #, c-format
 msgid "TGS_REQ (%s) %s: %s: authtime %u, %s%s %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:163
+#: ../../src/kdc/kdc_log.c:155
 #, c-format
 msgid "... PROTOCOL-TRANSITION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:167
+#: ../../src/kdc/kdc_log.c:159
 #, c-format
 msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:171
+#: ../../src/kdc/kdc_log.c:163
 #, c-format
 msgid "TGS_REQ %s: %s: authtime %u, %s for %s, 2nd tkt client %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:204
+#: ../../src/kdc/kdc_log.c:196
 #, c-format
 msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:210
+#: ../../src/kdc/kdc_log.c:202
 #, c-format
 msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:228
+#: ../../src/kdc/kdc_log.c:220
 msgid "TGS_REQ: issuing alternate <un-unparsable> TGT"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:231
+#: ../../src/kdc/kdc_log.c:223
 #, c-format
 msgid "TGS_REQ: issuing TGT %s"
 msgstr ""
@@ -3583,21 +3618,21 @@ msgstr ""
 msgid "Incorrect password in encrypted challenge"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:179
+#: ../../src/kdc/kdc_util.c:181
 msgid "TGS_REQ: SESSION KEY or MUTUAL"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:378
+#: ../../src/kdc/kdc_util.c:384
 #, c-format
 msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:541
+#: ../../src/kdc/kdc_util.c:547
 #, c-format
 msgid "Invalid pac_privsvr_enctype value %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:882
+#: ../../src/kdc/kdc_util.c:888
 #, c-format
 msgid "Required auth indicators not present in ticket: %s"
 msgstr ""
@@ -3612,71 +3647,71 @@ msgstr ""
 msgid "while getting context for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:347
+#: ../../src/kdc/main.c:350
 #, c-format
 msgid "while setting default realm to %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:355
+#: ../../src/kdc/main.c:358
 #, c-format
 msgid "while initializing database for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:364
+#: ../../src/kdc/main.c:367
 #, c-format
 msgid "while setting up master key name %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:377
+#: ../../src/kdc/main.c:380
 #, c-format
 msgid "while fetching master key %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:386
+#: ../../src/kdc/main.c:389
 #, c-format
 msgid "Stash file %s uses DEPRECATED enctype %s!\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:393
+#: ../../src/kdc/main.c:396
 #, c-format
 msgid "while fetching master keys list for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:402
+#: ../../src/kdc/main.c:405
 #, c-format
 msgid "while resolving kdb keytab for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:411
+#: ../../src/kdc/main.c:414
 #, c-format
 msgid "while building TGS name for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:501
+#: ../../src/kdc/main.c:504
 #, c-format
 msgid "creating %d worker processes"
 msgstr ""
 
-#: ../../src/kdc/main.c:511
+#: ../../src/kdc/main.c:514
 msgid "Unable to reinitialize main loop"
 msgstr ""
 
-#: ../../src/kdc/main.c:516
+#: ../../src/kdc/main.c:519
 #, c-format
 msgid "Unable to initialize signal handlers in pid %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:546
+#: ../../src/kdc/main.c:549
 #, c-format
 msgid "worker %ld exited with status %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:570
+#: ../../src/kdc/main.c:573
 #, c-format
 msgid "signal %d received in supervisor"
 msgstr ""
 
-#: ../../src/kdc/main.c:582
+#: ../../src/kdc/main.c:585
 #, c-format
 msgid ""
 "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
@@ -3690,86 +3725,86 @@ msgid ""
 "arguments\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:655 ../../src/kdc/main.c:662 ../../src/kdc/main.c:777
+#: ../../src/kdc/main.c:658 ../../src/kdc/main.c:770
 #, c-format
 msgid " KDC cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:681 ../../src/kdc/main.c:724 ../../src/kdc/main.c:735
+#: ../../src/kdc/main.c:677 ../../src/kdc/main.c:719 ../../src/kdc/main.c:730
 #, c-format
 msgid "%s: KDC cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:701 ../../src/kdc/main.c:814
+#: ../../src/kdc/main.c:696 ../../src/kdc/main.c:807
 #, c-format
 msgid "%s: cannot initialize realm %s - see log file for details\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:712
+#: ../../src/kdc/main.c:707
 #, c-format
 msgid "%s: cannot initialize realm %s. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:763
+#: ../../src/kdc/main.c:758
 #, c-format
 msgid "invalid enctype %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:802
+#: ../../src/kdc/main.c:795
 msgid "while attempting to retrieve default realm"
 msgstr ""
 
-#: ../../src/kdc/main.c:804
+#: ../../src/kdc/main.c:797
 #, c-format
 msgid "%s: %s, attempting to retrieve default realm\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:910
+#: ../../src/kdc/main.c:905
 #, c-format
 msgid "%s: cannot get memory for realm list\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:943
+#: ../../src/kdc/main.c:938
 msgid "while initializing lookaside cache"
 msgstr ""
 
-#: ../../src/kdc/main.c:951
+#: ../../src/kdc/main.c:946
 msgid "while creating main loop"
 msgstr ""
 
-#: ../../src/kdc/main.c:960
+#: ../../src/kdc/main.c:955
 msgid "while loading KDC policy plugin"
 msgstr ""
 
-#: ../../src/kdc/main.c:985
+#: ../../src/kdc/main.c:979
 msgid "while initializing signal handlers"
 msgstr ""
 
-#: ../../src/kdc/main.c:993
+#: ../../src/kdc/main.c:987
 msgid "while initializing network"
 msgstr ""
 
-#: ../../src/kdc/main.c:1003
+#: ../../src/kdc/main.c:997
 msgid "while detaching from tty"
 msgstr ""
 
-#: ../../src/kdc/main.c:1009
+#: ../../src/kdc/main.c:1003
 msgid "while creating PID file"
 msgstr ""
 
-#: ../../src/kdc/main.c:1017
+#: ../../src/kdc/main.c:1011
 msgid "creating worker processes"
 msgstr ""
 
-#: ../../src/kdc/main.c:1027
+#: ../../src/kdc/main.c:1021
 msgid "while loading audit plugin module(s)"
 msgstr ""
 
-#: ../../src/kdc/main.c:1031
+#: ../../src/kdc/main.c:1025
 msgid "commencing operation"
 msgstr ""
 
-#: ../../src/kdc/main.c:1038
+#: ../../src/kdc/main.c:1032
 msgid "shutting down"
 msgstr ""
 
@@ -3815,118 +3850,118 @@ msgstr ""
 msgid "while connecting to server"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:269 ../../src/kprop/kpropd.c:1196
+#: ../../src/kprop/kprop.c:269 ../../src/kprop/kpropd.c:1198
 msgid "while getting local socket address"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:274
+#: ../../src/kprop/kprop.c:276 ../../src/kprop/kpropd.c:1206
 msgid "while converting local address"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:296
+#: ../../src/kprop/kprop.c:298
 msgid "in krb5_auth_con_setaddrs"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:304
+#: ../../src/kprop/kprop.c:306
 msgid "while authenticating to server"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:308 ../../src/kprop/kprop.c:506
-#: ../../src/kprop/kpropd.c:1519
+#: ../../src/kprop/kprop.c:310 ../../src/kprop/kprop.c:508
+#: ../../src/kprop/kpropd.c:1526
 #, c-format
 msgid "Generic remote error: %s\n"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:314 ../../src/kprop/kprop.c:512
+#: ../../src/kprop/kprop.c:316 ../../src/kprop/kprop.c:514
 msgid "signalled from server"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:316 ../../src/kprop/kprop.c:514
+#: ../../src/kprop/kprop.c:318 ../../src/kprop/kprop.c:516
 #, c-format
 msgid "Error text from server: %s\n"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:344
+#: ../../src/kprop/kprop.c:346
 #, c-format
 msgid "allocating database file name '%s'"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:350
+#: ../../src/kprop/kprop.c:352
 #, c-format
 msgid "while trying to open %s"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:357
+#: ../../src/kprop/kprop.c:359
 msgid "database locked"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:360 ../../src/kprop/kpropd.c:552
+#: ../../src/kprop/kprop.c:362 ../../src/kprop/kpropd.c:553
 #, c-format
 msgid "while trying to lock '%s'"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:364 ../../src/kprop/kprop.c:372
+#: ../../src/kprop/kprop.c:366 ../../src/kprop/kprop.c:374
 #, c-format
 msgid "while trying to stat %s"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:368
+#: ../../src/kprop/kprop.c:370
 msgid "while trying to malloc data_ok_fn"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:377
+#: ../../src/kprop/kprop.c:379
 #, c-format
 msgid "'%s' more recent than '%s'."
 msgstr ""
 
-#: ../../src/kprop/kprop.c:393
+#: ../../src/kprop/kprop.c:395
 #, c-format
 msgid "while unlocking database '%s'"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:425 ../../src/kprop/kprop.c:426
+#: ../../src/kprop/kprop.c:427 ../../src/kprop/kprop.c:428
 msgid "while encoding database size"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:434
+#: ../../src/kprop/kprop.c:436
 msgid "while sending database size"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:444
+#: ../../src/kprop/kprop.c:446
 msgid "while allocating i_vector"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:467
+#: ../../src/kprop/kprop.c:469
 #, c-format
 msgid "while sending database block starting at %<PRIu64>"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:477
+#: ../../src/kprop/kprop.c:479
 msgid "Premature EOF found for database file!"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:490
+#: ../../src/kprop/kprop.c:492
 msgid "while reading response from server"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:501
+#: ../../src/kprop/kprop.c:503
 msgid "while decoding error response from server"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:531
+#: ../../src/kprop/kprop.c:533
 msgid "malformed sent database size message"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:535
+#: ../../src/kprop/kprop.c:537
 #, c-format
 msgid "Kpropd sent database size %<PRIu64>, expecting %<PRIu64>"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:581
+#: ../../src/kprop/kprop.c:583
 msgid "while allocating filename for update_last_prop_file"
 msgstr ""
 
-#: ../../src/kprop/kprop.c:586
+#: ../../src/kprop/kprop.c:588
 #, c-format
 msgid "while creating 'last_prop' file, '%s'"
 msgstr ""
@@ -3941,474 +3976,474 @@ msgid ""
 "\t[-a acl_file] [-A admin_server] [--pid-file=pid_file]\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:231
+#: ../../src/kprop/kpropd.c:232
 #, c-format
 msgid "Killing fullprop child (%d)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:260
+#: ../../src/kprop/kpropd.c:261
 msgid "while checking if stdin is a socket"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:278
+#: ../../src/kprop/kpropd.c:279
 #, c-format
 msgid "ready\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:284
+#: ../../src/kprop/kpropd.c:285
 #, c-format
 msgid "Could not write pid file %s: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:296
+#: ../../src/kprop/kpropd.c:297
 #, c-format
 msgid "Could not open /dev/null: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:303
+#: ../../src/kprop/kpropd.c:304
 #, c-format
 msgid "Could not dup the inetd socket: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:338 ../../src/kprop/kpropd.c:351
+#: ../../src/kprop/kpropd.c:339 ../../src/kprop/kpropd.c:352
 msgid "do_iprop failed.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:390
+#: ../../src/kprop/kpropd.c:391
 #, c-format
 msgid "getaddrinfo: %s\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:396
+#: ../../src/kprop/kpropd.c:397
 msgid "while obtaining socket"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:402
+#: ../../src/kprop/kpropd.c:403
 msgid "while setting SO_REUSEADDR option"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:410
+#: ../../src/kprop/kpropd.c:411
 msgid "while unsetting IPV6_V6ONLY option"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:415
+#: ../../src/kprop/kpropd.c:416
 msgid "while binding listener socket"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:426
+#: ../../src/kprop/kpropd.c:427
 #, c-format
 msgid "waiting for a kprop connection\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:432
+#: ../../src/kprop/kpropd.c:433
 msgid "while accepting connection"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:438
+#: ../../src/kprop/kpropd.c:439
 msgid "while forking"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:453
+#: ../../src/kprop/kpropd.c:454
 #, c-format
 msgid "waitpid() failed to wait for doit() (%d %s)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:457
+#: ../../src/kprop/kpropd.c:458
 msgid "while waiting to receive database"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:461
+#: ../../src/kprop/kpropd.c:462
 #, c-format
 msgid "Database load process for full propagation completed.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:499
+#: ../../src/kprop/kpropd.c:500
 #, c-format
 msgid ""
 "%s: Standard input does not appear to be a network socket.\n"
 "\t(Not run from inetd, and missing the -S option?)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:512
+#: ../../src/kprop/kpropd.c:513
 msgid "while attempting setsockopt (SO_KEEPALIVE)"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:517
+#: ../../src/kprop/kpropd.c:518
 #, c-format
 msgid "Connection from %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:537
+#: ../../src/kprop/kpropd.c:538
 #, c-format
 msgid "Rejected connection from unauthorized principal %s\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:541
+#: ../../src/kprop/kpropd.c:542
 #, c-format
 msgid "Rejected connection from unauthorized principal %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:558
+#: ../../src/kprop/kpropd.c:559
 #, c-format
 msgid "while opening database file, '%s'"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:564
+#: ../../src/kprop/kpropd.c:565
 #, c-format
 msgid "while renaming %s to %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:570
+#: ../../src/kprop/kpropd.c:571
 #, c-format
 msgid "while downgrading lock on '%s'"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:577
+#: ../../src/kprop/kpropd.c:578
 #, c-format
 msgid "while unlocking '%s'"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:589
+#: ../../src/kprop/kpropd.c:590
 msgid "while sending # of received bytes"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:595
+#: ../../src/kprop/kpropd.c:596
 msgid "while trying to close database file"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:650
+#: ../../src/kprop/kpropd.c:651
 #, c-format
 msgid "Incremental propagation enabled\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:659
+#: ../../src/kprop/kpropd.c:660
 #, c-format
 msgid "%s: unable to get kiprop host based service name for realm %s\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:669
+#: ../../src/kprop/kpropd.c:670
 msgid "while trying to construct host service principal"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:686
+#: ../../src/kprop/kpropd.c:687
 #, c-format
 msgid "Initializing kadm5 as client %s\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:700
+#: ../../src/kprop/kpropd.c:701
 #, c-format
 msgid "kadm5 initialization failed!\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:709
+#: ../../src/kprop/kpropd.c:710
 msgid "while attempting to connect to primary KDC ... retrying"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:713
+#: ../../src/kprop/kpropd.c:714
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:729
+#: ../../src/kprop/kpropd.c:730
 #, c-format
 msgid "while initializing %s interface, retrying"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:733
+#: ../../src/kprop/kpropd.c:734
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:743
+#: ../../src/kprop/kpropd.c:744
 #, c-format
 msgid "kadm5 initialization succeeded\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:765
+#: ../../src/kprop/kpropd.c:766
 msgid "reading update log header"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:776
+#: ../../src/kprop/kpropd.c:777
 #, c-format
 msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:786
+#: ../../src/kprop/kpropd.c:787
 msgid "iprop_get_updates call failed"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:792
+#: ../../src/kprop/kpropd.c:793
 #, c-format
 msgid "Reinitializing iprop because get updates failed\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:813
+#: ../../src/kprop/kpropd.c:814
 #, c-format
 msgid "Still waiting for full resync\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:818
+#: ../../src/kprop/kpropd.c:819
 #, c-format
 msgid "Full resync needed\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:819
+#: ../../src/kprop/kpropd.c:820
 msgid "kpropd: Full resync needed."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:824
+#: ../../src/kprop/kpropd.c:825
 msgid "iprop_full_resync call failed"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:835
+#: ../../src/kprop/kpropd.c:836
 #, c-format
 msgid "Full resync request granted\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:836
+#: ../../src/kprop/kpropd.c:837
 msgid "Full resync request granted."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:845
+#: ../../src/kprop/kpropd.c:846
 #, c-format
 msgid "Exponential backoff\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:851
+#: ../../src/kprop/kpropd.c:852
 #, c-format
 msgid "Full resync permission denied\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:852
+#: ../../src/kprop/kpropd.c:853
 msgid "Full resync, permission denied."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:857
+#: ../../src/kprop/kpropd.c:858
 #, c-format
 msgid "Full resync error from primary\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:858
+#: ../../src/kprop/kpropd.c:859
 msgid " Full resync, error returned from primary KDC."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:866
+#: ../../src/kprop/kpropd.c:867
 #, c-format
 msgid "Full resync invalid result from primary\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:868
+#: ../../src/kprop/kpropd.c:869
 msgid "Full resync, invalid return from primary KDC."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:884
+#: ../../src/kprop/kpropd.c:885
 #, c-format
 msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:896
+#: ../../src/kprop/kpropd.c:897
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:899
+#: ../../src/kprop/kpropd.c:900
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:908
+#: ../../src/kprop/kpropd.c:909
 #, c-format
 msgid "Incremental updates: %d updates / %lu us"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:911
+#: ../../src/kprop/kpropd.c:912
 #, c-format
 msgid "Incremental updates: %d updates / %lu us\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:919
+#: ../../src/kprop/kpropd.c:920
 #, c-format
 msgid "get_updates permission denied\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:920
+#: ../../src/kprop/kpropd.c:921
 msgid "get_updates, permission denied."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:925
+#: ../../src/kprop/kpropd.c:926
 #, c-format
 msgid "get_updates error from primary\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:927
+#: ../../src/kprop/kpropd.c:928
 msgid "get_updates, error returned from primary KDC."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:935
+#: ../../src/kprop/kpropd.c:936
 #, c-format
 msgid "get_updates primary busy; backoff\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:944
+#: ../../src/kprop/kpropd.c:945
 #, c-format
 msgid "KDC is synchronized with primary.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:953
+#: ../../src/kprop/kpropd.c:954
 #, c-format
 msgid "get_updates invalid result from primary\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:956
+#: ../../src/kprop/kpropd.c:957
 msgid "get_updates, invalid return from primary KDC."
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:971
+#: ../../src/kprop/kpropd.c:972
 #, c-format
 msgid "Busy signal received from primary, backoff for %d secs\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:978
+#: ../../src/kprop/kpropd.c:979
 #, c-format
 msgid "Waiting for %d seconds before checking for updates again\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:989
+#: ../../src/kprop/kpropd.c:990
 #, c-format
 msgid "ERROR returned by primary, bailing\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:990
+#: ../../src/kprop/kpropd.c:991
 msgid "ERROR returned by primary KDC, bailing.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1109
+#: ../../src/kprop/kpropd.c:1110
 msgid "copying db args"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1134
+#: ../../src/kprop/kpropd.c:1135
 msgid "Unable to get default realm"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1141
+#: ../../src/kprop/kpropd.c:1142
 msgid "Unable to set default realm"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1151
+#: ../../src/kprop/kpropd.c:1152
 msgid "while trying to construct my service name"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1158
+#: ../../src/kprop/kpropd.c:1159
 msgid "while allocating filename for temp file"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1166
+#: ../../src/kprop/kpropd.c:1167
 msgid "while initializing"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1174
+#: ../../src/kprop/kpropd.c:1175
 msgid "Unable to map log!\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1216
+#: ../../src/kprop/kpropd.c:1223
 #, c-format
 msgid "Error in krb5_auth_con_ini: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1224
+#: ../../src/kprop/kpropd.c:1231
 #, c-format
 msgid "Error in krb5_auth_con_setflags: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1237
+#: ../../src/kprop/kpropd.c:1244
 #, c-format
 msgid "Error in krb5_auth_con_setaddrs: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1245
+#: ../../src/kprop/kpropd.c:1252
 #, c-format
 msgid "Error in krb5_kt_resolve: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1254
+#: ../../src/kprop/kpropd.c:1261
 #, c-format
 msgid "Error in krb5_recvauth: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1261
+#: ../../src/kprop/kpropd.c:1268
 #, c-format
 msgid "Error in krb5_copy_prinicpal: %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1278
+#: ../../src/kprop/kpropd.c:1285
 msgid "while unparsing ticket etype"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1282
+#: ../../src/kprop/kpropd.c:1289
 #, c-format
 msgid "authenticated client: %s (etype == %s)\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1365
+#: ../../src/kprop/kpropd.c:1372
 msgid "while reading size of database from client"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1375
+#: ../../src/kprop/kpropd.c:1382
 msgid "while decoding database size from client"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1383
+#: ../../src/kprop/kpropd.c:1390
 msgid "malformed database size message from client"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1395
+#: ../../src/kprop/kpropd.c:1402
 msgid "while initializing i_vector"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1400
+#: ../../src/kprop/kpropd.c:1407
 #, c-format
 msgid "Full propagation transfer started.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1454
+#: ../../src/kprop/kpropd.c:1461
 #, c-format
 msgid "Full propagation transfer finished.\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1514
+#: ../../src/kprop/kpropd.c:1521
 msgid "while decoding error packet from client"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1523
+#: ../../src/kprop/kpropd.c:1530
 msgid "signaled from server"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1525
+#: ../../src/kprop/kpropd.c:1532
 #, c-format
 msgid "Error text from client: %s\n"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1574
+#: ../../src/kprop/kpropd.c:1581
 #, c-format
 msgid "while trying to fork %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1578
+#: ../../src/kprop/kpropd.c:1585
 #, c-format
 msgid "while trying to exec %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1585
+#: ../../src/kprop/kpropd.c:1592
 #, c-format
 msgid "while waiting for %s"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1591
+#: ../../src/kprop/kpropd.c:1598
 #, c-format
 msgid "%s load terminated"
 msgstr ""
 
-#: ../../src/kprop/kpropd.c:1597
+#: ../../src/kprop/kpropd.c:1604
 #, c-format
 msgid "%s returned a bad exit status (%d)"
 msgstr ""
@@ -4742,222 +4777,237 @@ msgstr ""
 msgid "\tLast time stamp : %s\n"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:231
+#: ../../src/lib/apputils/net-server.c:236
 msgid "Got signal to request exit"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:245
+#: ../../src/lib/apputils/net-server.c:250
 msgid "Got signal to reset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:311
+#: ../../src/lib/apputils/net-server.c:316
 #, c-format
 msgid "Invalid port %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:324
+#: ../../src/lib/apputils/net-server.c:329
 #, c-format
 msgid "Removing address %s since wildcard address is being added"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:331
+#: ../../src/lib/apputils/net-server.c:336
 msgid "Address already added to server"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:495
+#: ../../src/lib/apputils/net-server.c:517
 #, c-format
 msgid "closing down fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:509
+#: ../../src/lib/apputils/net-server.c:531
 #, c-format
 msgid "descriptor %d closed but still in svc_fdset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:535
+#: ../../src/lib/apputils/net-server.c:558
 msgid "cannot create io event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:540
+#: ../../src/lib/apputils/net-server.c:563
 msgid "cannot save event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:560
+#: ../../src/lib/apputils/net-server.c:583
 #, c-format
 msgid "file descriptor number %d too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:567
+#: ../../src/lib/apputils/net-server.c:590
 msgid "cannot allocate storage for connection info"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:602
+#: ../../src/lib/apputils/net-server.c:629
 #, c-format
 msgid "Cannot create TCP server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:611
+#: ../../src/lib/apputils/net-server.c:638
 #, c-format
 msgid "TCP socket fd number %d (for %s) too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:618
+#: ../../src/lib/apputils/net-server.c:645
 #, c-format
 msgid "Cannot enable SO_REUSEADDR on fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:623
+#: ../../src/lib/apputils/net-server.c:650
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:626
+#: ../../src/lib/apputils/net-server.c:653
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:629
+#: ../../src/lib/apputils/net-server.c:656
 msgid "no IPV6_V6ONLY socket option support"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:635
+#: ../../src/lib/apputils/net-server.c:663
 #, c-format
 msgid "Cannot bind server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:705
+#: ../../src/lib/apputils/net-server.c:814
 #, c-format
 msgid "Setting up %s socket for address %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:718
+#: ../../src/lib/apputils/net-server.c:838
 #, c-format
 msgid "Cannot listen on %s server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:727
+#: ../../src/lib/apputils/net-server.c:848
 #, c-format
 msgid "cannot set listening %s socket on %s non-blocking"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:735
+#: ../../src/lib/apputils/net-server.c:856
 #, c-format
 msgid "cannot set SO_LINGER on %s socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:742
+#: ../../src/lib/apputils/net-server.c:863
 #, c-format
 msgid "Setting pktinfo on socket %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:747
+#: ../../src/lib/apputils/net-server.c:868
 #, c-format
 msgid "Cannot request packet info for UDP socket address %s port %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:749
+#: ../../src/lib/apputils/net-server.c:870
 msgid ""
 "System does not support pktinfo yet binding to a wildcard address.  Packets "
 "are not guaranteed to return on the received address."
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:761
+#: ../../src/lib/apputils/net-server.c:882
 msgid "Error attempting to add verto event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:770
+#: ../../src/lib/apputils/net-server.c:891
 #, c-format
 msgid "Cannot create RPC service: %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:780
+#: ../../src/lib/apputils/net-server.c:901
 #, c-format
 msgid "Cannot register RPC service: %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:824
+#: ../../src/lib/apputils/net-server.c:949
 msgid "No addresses added to the net server"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:846
+#: ../../src/lib/apputils/net-server.c:975
+#, c-format
+msgid "UNIX domain socket path too long: %s"
+msgstr ""
+
+#: ../../src/lib/apputils/net-server.c:985
+#, c-format
+msgid "Failed setting up a UNIX socket (for %s)"
+msgstr ""
+
+#: ../../src/lib/apputils/net-server.c:996
 #, c-format
 msgid "Failed getting address info (for %s): %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:876
+#: ../../src/lib/apputils/net-server.c:1027
 #, c-format
 msgid "Failed setting up a %s socket (for %s)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:917
+#: ../../src/lib/apputils/net-server.c:1068
 msgid "setting up network..."
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:920
+#: ../../src/lib/apputils/net-server.c:1071
 msgid "Error setting up network"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:923
+#: ../../src/lib/apputils/net-server.c:1074
 #, c-format
 msgid "set up %d sockets"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:926
+#: ../../src/lib/apputils/net-server.c:1077
 msgid "no sockets set up?"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:989
-#: ../../src/lib/apputils/net-server.c:1043
+#: ../../src/lib/apputils/net-server.c:1103
+#: ../../src/lib/apputils/net-server.c:1144
 msgid "while dispatching (udp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1018
+#: ../../src/lib/apputils/net-server.c:1118
 #, c-format
-msgid "while sending reply to %s/%s from %s"
+msgid "while sending reply to %s from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1023
+#: ../../src/lib/apputils/net-server.c:1123
 #, c-format
 msgid "short reply write %d vs %d\n"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1068
+#: ../../src/lib/apputils/net-server.c:1165
 msgid "while receiving from network"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1111
+#: ../../src/lib/apputils/net-server.c:1198
 msgid "too many connections"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1129
+#: ../../src/lib/apputils/net-server.c:1217
 #, c-format
 msgid "dropping %s fd %d from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1199
+#: ../../src/lib/apputils/net-server.c:1268
+#, c-format
+msgid "Failed to get address for %d"
+msgstr ""
+
+#: ../../src/lib/apputils/net-server.c:1287
 #, c-format
 msgid "allocating buffer for new TCP session from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1231
+#: ../../src/lib/apputils/net-server.c:1315
 msgid "while dispatching (tcp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1263
+#: ../../src/lib/apputils/net-server.c:1347
 msgid "error allocating tcp dispatch private!"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1310
+#: ../../src/lib/apputils/net-server.c:1394
 #, c-format
 msgid "TCP client %s wants %lu bytes, cap is %lu"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1318
+#: ../../src/lib/apputils/net-server.c:1402
 #, c-format
 msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1357
+#: ../../src/lib/apputils/net-server.c:1441
 #, c-format
 msgid "getsockname failed: %s"
 msgstr ""
@@ -5095,6 +5145,10 @@ msgstr ""
 msgid "No key table entry found matching %s"
 msgstr ""
 
+#: ../../src/lib/gssapi/krb5/iakerb.c:605
+msgid "The IAKERB proxy could not determine its realm"
+msgstr ""
+
 #: ../../src/lib/gssapi/mechglue/g_dsp_status.c:147
 msgid "The routine completed successfully"
 msgstr ""
@@ -5349,16 +5403,16 @@ msgid ""
 "'kdb_function_table' not found"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:604
+#: ../../src/lib/kdb/kdb5.c:627
 msgid "Cannot initialize database library"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1770
+#: ../../src/lib/kdb/kdb5.c:1812
 #, c-format
 msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1942
+#: ../../src/lib/kdb/kdb5.c:1984
 #, c-format
 msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
 msgstr ""
@@ -5399,6 +5453,20 @@ msgstr ""
 msgid "could not sync ulog header to disk"
 msgstr ""
 
+#: ../../src/lib/kdb/kdb_log.c:119
+msgid "could not sync the whole ulog to disk"
+msgstr ""
+
+#: ../../src/lib/kdb/kdb_log.c:216
+#, c-format
+msgid "ulog overflow caused by principal %.*s"
+msgstr ""
+
+#: ../../src/lib/kdb/kdb_log.c:238
+#, c-format
+msgid "ulog block size has been resized from %lu to %lu"
+msgstr ""
+
 #: ../../src/lib/krb5/ccache/cc_dir.c:122
 #, c-format
 msgid "Subsidiary cache path %s has no parent directory"
@@ -5681,35 +5749,35 @@ msgstr ""
 msgid "Encrypted timestamp is disabled"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:514
+#: ../../src/lib/krb5/krb/preauth_otp.c:515
 msgid "Please choose from the following:\n"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:516
+#: ../../src/lib/krb5/krb/preauth_otp.c:517
 msgid "Vendor:"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:526
+#: ../../src/lib/krb5/krb/preauth_otp.c:527
 msgid "Enter #"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:562
+#: ../../src/lib/krb5/krb/preauth_otp.c:563
 msgid "OTP Challenge:"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:591
+#: ../../src/lib/krb5/krb/preauth_otp.c:592
 msgid "OTP Token PIN"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:705
+#: ../../src/lib/krb5/krb/preauth_otp.c:706
 msgid "OTP value doesn't match any token formats"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:772
+#: ../../src/lib/krb5/krb/preauth_otp.c:773
 msgid "Enter OTP Token Value"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:918
+#: ../../src/lib/krb5/krb/preauth_otp.c:919
 msgid "No supported tokens"
 msgstr ""
 
@@ -5837,12 +5905,12 @@ msgstr ""
 msgid "variable missing }"
 msgstr ""
 
-#: ../../src/lib/krb5/os/locate_kdc.c:855
+#: ../../src/lib/krb5/os/locate_kdc.c:874
 #, c-format
 msgid "Cannot find KDC for realm \"%.*s\""
 msgstr ""
 
-#: ../../src/lib/krb5/os/sendto_kdc.c:527
+#: ../../src/lib/krb5/os/sendto_kdc.c:528
 #, c-format
 msgid "Cannot contact any KDC for realm '%.*s'"
 msgstr ""
@@ -6186,20 +6254,20 @@ msgstr ""
 msgid "while reading ldap configuration"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:65
 msgid "Unable to read Kerberos container"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:73
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:70
 msgid "Unable to read Realm"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:214
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:211
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:71
 msgid "Error processing LDAP DB params"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:220
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:217
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:77
 msgid "Error reading LDAP server params"
 msgstr ""
@@ -6267,110 +6335,125 @@ msgstr ""
 msgid "Minimum connections required per server is 2"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:160
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:229
 msgid "Default realm not set"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:264
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:311
 msgid "DN information missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:476
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:496
 msgid "dn information missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:137
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:125
+#, c-format
+msgid ""
+"Operation cannot continue; more than one entry with principal name \"%s\" "
+"found"
+msgstr ""
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:238
 msgid "Principal does not belong to realm"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:305
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:314
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:322
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:331
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:340
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:348
 #, c-format
 msgid "%s option not supported"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:329
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:355
 #, c-format
 msgid "unknown option: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:336
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:343
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:362
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:369
 #, c-format
 msgid "%s option value missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:676
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:701
 msgid "DN is out of the realm subtree"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:708
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:733
 msgid "ldap object is already kerberized"
 msgstr ""
 
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:803
-msgid "Principal does not belong to the default realm"
+msgid "target principal not found"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:869
-#, c-format
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:821
 msgid ""
-"operation can not continue, more than one entry with principal name \"%s\" "
-"found"
+"cannot add alias to entry with multiple krbPrincipalName values and no "
+"krbCanonicalName attribute"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:928
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:848
+#, c-format
+msgid "Alias modification failed: %s"
+msgstr ""
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:909
+msgid "Principal does not belong to the default realm"
+msgstr ""
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1002
 #, c-format
 msgid "'%s' not found"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:992
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1063
 #, c-format
 msgid ""
 "link information can not be set/updated as the kerberos principal belongs to "
 "an ldap object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1007
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1078
 #, c-format
 msgid "Failed getting object references"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1014
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1085
 #, c-format
 msgid "kerberos principal is already linked to a ldap object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1340
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1411
 msgid "ticket policy object value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1388
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1459
 #, c-format
 msgid "Principal delete failed (trying to replace entry): %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1398
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1469
 #, c-format
 msgid "Principal add failed: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1436
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1508
 #, c-format
 msgid "User modification failed: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1510
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1582
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:296
 msgid "Error reading ticket policy"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1640
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1715
 msgid "unable to decode stored principal key data"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1698
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1773
 msgid "unable to decode stored principal pw history"
 msgstr ""
 
@@ -6383,34 +6466,34 @@ msgstr ""
 msgid "Realm Delete FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:388
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:389
 msgid "subtree value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:405
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:406
 msgid "container reference value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:488
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:551
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:489
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:552
 msgid "Kerberos Container information is missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:500
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:501
 msgid "Invalid Kerberos container DN"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:516
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:517
 #, c-format
 msgid "Kerberos Container create FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:559
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:560
 #, c-format
 msgid "Kerberos Container delete FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:635
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:637
 msgid "realm object value: "
 msgstr ""
 
@@ -6463,235 +6546,235 @@ msgstr ""
 msgid "%s (path: %s): %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:164
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:165
 #, c-format
 msgid "Unsupported argument \"%s\" for LMDB"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:294
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:295
 msgid "LMDB environment open failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:319
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:320
 msgid "LMDB read failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:394
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:395
 msgid "LMDB write failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:418
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:419
 msgid "LMDB delete failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:521
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:522
 #, c-format
 msgid "LMDB file %s does not exist"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:566
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:567
 msgid "LMDB open failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:593
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:594
 #, c-format
 msgid "LMDB file %s already exists"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:658
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:659
 msgid "LMDB create error"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:676
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:677
 #, c-format
 msgid "Could not unlink %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:760
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:761
 #, c-format
 msgid "Unsupported argument \"%s\" for lmdb"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:806
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:807
 msgid "LMDB lockout write failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:882
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:883
 msgid "LMDB principal iteration failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:985
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:986
 msgid "LMDB policy iteration failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1016
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1017
 msgid "LMDB transaction commit failure"
 msgstr ""
 
-#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1115
+#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1116
 msgid "LMDB lockout update failure"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_clnt.c:967
+#: ../../src/plugins/preauth/pkinit/pkinit_clnt.c:959
 msgid "No pkinit_anchors supplied"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1105
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3435
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1104
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3434
 #, c-format
 msgid "%s: %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1135
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1134
 #, c-format
 msgid "%s (depth %d): %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1377
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4107
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1376
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4108
 msgid "Pass phrase for"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1493
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1492
 msgid "PKINIT cannot initialize any key exchange groups"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1677
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1687
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1893
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1903
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1676
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1686
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1892
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1902
 msgid "Failed to DER encode PKCS7"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1782
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1781
 msgid "Failed to verify own certificate"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1877
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1876
 msgid "Failed to add digest attribute"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1991
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1990
 msgid "Failed to decode CMS message"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2009
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2008
 msgid "Invalid pkinit packet: octet string expected"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2027
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2026
 msgid "wrong oid\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2179
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2178
 msgid "Failed to verify received certificate"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2210
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2209
 msgid "Failed to verify CMS message"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2683
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2681
 msgid "Failed to fetch SSKDF"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2690
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2688
 msgid "Failed to instantiate SSKDF"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2703
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2701
 msgid "Failed to derive key using SSKDF"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2765
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2763
 msgid "Failed to compute digest"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2985
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2983
 msgid "Cannot compose PKINIT KDC public key"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3247
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3245
 #, c-format
 msgid "OpenSSL has no supported key exchange groups for pkinit_dh_min_bits=%d"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3412
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3411
 msgid "Cannot load PKCS11 module"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3418
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3417
 msgid "Cannot find C_GetFunctionList in PKCS11 module"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3425
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3424
 msgid "Cannot retrieve function list in PKCS11 module"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3704
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3705
 msgid "C_FindObjectsInit"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3710
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3711
 msgid "C_FindObjects"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3713
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3714
 msgid "Found no private keys in PKCS11 token"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3792
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3793
 msgid "Failed to DER encode DigestInfo"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3843
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3844
 msgid "Failed to convert PKCS11 ECDSA signature"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3923
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:3924
 #, c-format
 msgid "PKCS11 certificate has unsupported key type %lu"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4227
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4230
 #, c-format
 msgid "Cannot read certificate file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4235
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4238
 #, c-format
 msgid "Cannot read key file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4469
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4467
 msgid "Failed to decode X509 certificate from PKCS11 token"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5048
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5046
 #, c-format
 msgid "Cannot open file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5055
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5053
 #, c-format
 msgid "Cannot read file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5589
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5579
 #, c-format
 msgid "PKCS11 error (%s): %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:415
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:414
 #, c-format
 msgid "Unsupported type while processing '%s'\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:451
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:450
 msgid "Internal error parsing X509_user_identity\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:552
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:551
 msgid "No user identity options specified"
 msgstr ""
 
@@ -6710,34 +6793,34 @@ msgstr ""
 msgid "PKINIT: no freshness token received from %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:512
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:513
 msgid "Pkinit request not signed, but client not anonymous."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:546
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:548
 msgid "Anonymous pkinit without DH public value not supported."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:828
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:808
 msgid "Unsupported PKINIT RSA request"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:983
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:963
 #, c-format
 msgid "No pkinit_identity supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:994
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:974
 #, c-format
 msgid "No pkinit_anchors supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1014
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:994
 #, c-format
 msgid "OCSP is not supported: (realm: %s)"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1410
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1390
 msgid "No realms configured correctly for pkinit support"
 msgstr ""
 
@@ -7285,6 +7368,10 @@ msgstr ""
 msgid "Operation requires initial ticket"
 msgstr ""
 
+#: ../lib/kadm5/kadm_err.c:86
+msgid "Alias target must be within the same realm"
+msgstr ""
+
 #: ../lib/kdb/adb_err.c:23
 msgid "No Error"
 msgstr ""
@@ -8567,6 +8654,10 @@ msgstr ""
 msgid "Too much string mapping data"
 msgstr ""
 
+#: ../lib/krb5/error_tables/kdb5_err.c:69
+msgid "Operation unsupported on alias principal name"
+msgstr ""
+
 #: ../lib/krb5/error_tables/asn1_err.c:23
 msgid "ASN.1 failed call to system time library"
 msgstr ""

diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index f63e44a4d7869d0e51ae88f2bd65b62e5feb67d4..b9cd70dac4a7953f5b1459e2d0f0aebbe12f16c5 100644 (file)
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -172,7 +172,7 @@ SRCS=\
        $(srcdir)/getopt.c \
        $(srcdir)/getopt_long.c \
        $(srcdir)/secure_getenv.c \
-       $(srcdir)/regex.c
+       $(srcdir)/regex.cpp
 
 SHLIB_EXPDEPS =
 # Add -lm if dumping thread stats, for sqrt.

diff --git a/src/util/support/deps b/src/util/support/deps
index 4b0f71bb89cbcbc502b65c6399088efaeb16fadd..0d4c7adb58cb51f71eca361acb16b9c09e3c3ae1 100644 (file)
--- a/src/util/support/deps
+++ b/src/util/support/deps
@@ -114,3 +114,6 @@ getopt_long.so getopt_long.po $(OUTPRE)getopt_long.$(OBJEXT): \
 secure_getenv.so secure_getenv.po $(OUTPRE)secure_getenv.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h secure_getenv.c
+regex.so regex.po $(OUTPRE)regex.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-regex.h \
+  $(top_srcdir)/include/k5-thread.h regex.cpp