Updates for krb5-1.13-alpha1

diff --git a/README b/README
index 83bc4a4f8852096fc66b4ddabcefe10a613f8048..37f5d1ab1abcfcdb343e7fc013cc0b7fe0a85024 100644 (file)
--- a/README
+++ b/README
@@ -76,9 +76,114 @@ beginning with krb5-1.8.
 Major changes in 1.13
 ---------------------
 
+Administrator experience:
+
+* Add support for accessing KDCs via an HTTPS proxy server using the
+  MS-KKDCP protocol.
+
+* Add support for hierarchical incremental propagation, where slaves
+  can act as intermediates between an upstream master and other
+  downstream slaves.
+
+* Add support for configuring GSS mechanisms using
+  /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
+
+* Add support to the LDAP KDB module for binding to the LDAP server using SASL.
+
+User experience:
+
+* Add client support for the Kerberos Cache Manager protocol. If the
+  host is running a Heimdal kcm daemon, caches served by the daemon
+  can be accessed with the KCM: cache type.
+
+* When built on OS X 10.7 and higher, use "KCM:" as the default cache
+  type, unless overridden by command-line options or krb5-config
+  values.
+
+Performance:
+
+* Add support for doing unlocked database dumps for the DB2 KDC back
+  end, which would allow the KDC and kadmind to continue accessing the
+  database during lengthy database dumps.
+
+
 krb5-1.13 changes by ticket ID
 ------------------------------
 
+884     having "-" in key:salt separator list prevents salttype
+        defaulting from working
+1794    don't use mktemp
+5958    kadmin salttype "no salt" means really means "default/normal
+        salt"
+6034    rework gic_opt_ext to be more portable
+6042    krb5_string_to_keysalts should default to normal salt rather
+        than "ignore salttype"
+6413    pkinit thread safety
+6550    old_stash_bendian is a keytab
+7232    Confusing error message for key version mismatch
+7704    Anonymous kadmin does not work
+7728    ksu assumes the invoking user's using a FILE: ccache
+7795    Allow ":port" suffixes in sn2princ hostnames
+7800    krb5-1.11/1.12: kadm5_init_with_* interface
+7816    Don't produce context deletion token in krb5 mech
+7819    Add rcache feature to gss_acquire_cred_from
+7838    Fix gss_pseudo_random leak on zero length output
+7840    Remove krb5-send-pr
+7850    Remove kdb5_util load iprop safety net
+7855    Add hierarchical iprop support
+7857    Web Documentation: Missing reference to 1.12
+7859    Move OTP sockets to KDC_RUN_DIR
+7861    iprop can deadlock on master KDC
+7868    krb5_get_init_creds_password ignores preauth options when
+        changing password
+7869    In kdb5_util dump, only lock DB for iprop dumps
+7879    Rewrite GSS sequence state tracking code
+7882    Load mechglue config files from /etc/gss/mech.d
+7883    Try compatible keys in rd_req_dec "any" path
+7884    profile writes may not be immediately detected within same
+        process
+7886    Don't check kpasswd reply address
+7889    PKINIT use of OpenSSL OID table is not thread-safe or
+        application-friendly
+7891    Don't free cred handle used in kadm5 server handle
+7892    mismatch between client keytab default principal for kinit and
+        GSS-API
+7901    Update sample configs to include master_kdc
+7906    Don't remove ccache creds before storing them
+7907    Allow GSS mechs to force mechlistMIC in SPNEGO
+7908    Fix unlikely memory error in krb5_rd_cred
+7910    KDC does not log client principal if TGS header ticket
+        verification fails
+7913    Use case insensitive DNS SAN matching in PKINIT
+7915    Improve pointer hygiene around gss_display_name
+7918    LDAP key data decoder ignores salt type if salt value is empty
+7923    x-deltat.y is not compatible with bison 3
+7925    05cbef80d53 breaks /etc/gss/mech
+7929    HTTP proxy support
+7933    pkinit_win2k_require_binding behavior does not match
+        documentation
+7934    Remove PKINIT longhorn compatibility option
+7935    Add a family-independent bindresvport_sa function
+7939    kadm5.acl docs wrongly imply that list permission can have a
+        target
+7944    Add SASL support to LDAP KDB module
+7947    Load plugins with RTLD_NODELETE if possible
+7961    Define _GNU_SOURCE as part of build
+7964    Add KCM credential cache type (client only)
+7968    Improve error message for PRNG seeding failure
+7974    Don't equate IAKERB and krb5 in SPNEGO initiator
+7975    Negotiating NTLM with SPNEGO against Windows Server 2003
+        doesn't work
+7977    Enable unlocked KDB iteration
+7978    Support kdb5_util dump -rev again
+7979    Add kiprop/<master-hostname> during KDB creation
+7981    Minor memory leak in GSS-API mechanism initialization
+7983    In ksu, without the -e flag, also check .k5users
+7984    Make ksu respect the default_ccache_name setting
+7986    Copy config entries to the ksu target ccache
+7987    Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
+7988    Make krb5_cc_new_unique create DIR: directories
+
 Acknowledgements
 ----------------
 
@@ -243,13 +348,17 @@ reports, suggestions, and valuable resources:
     Holger Isenberg
     Pavel Jindra
     Joel Johnson
+    Anders Kaseorg
     W. Trevor King
     Mikkel Kruse
     Reinhard Kugler
+    Tomas Kuthan
+    Pierre Labastie
     Volker Lendecke
     Jan iankko Lieskovsky
     Oliver Loch
     Kevin Longfellow
+    Jon Looney
     Nuno Lopes
     Ryan Lynch
     Nathaniel McCallum
@@ -271,14 +380,17 @@ reports, suggestions, and valuable resources:
     Javier Palacios
     Tom Parker
     Ezra Peisach
+    Zoran Pericic
     W. Michael Petullo
     Mark Phalan
     Jonathan Reams
     Robert Relyea
     Martin Rex
     Jason Rogers
+    Nate Rosenblum
     Mike Roszkowski
     Guillaume Rousse
+    Andreas Schneider
     Tom Shaw
     Jim Shi
     Peter Shoults
@@ -288,6 +400,7 @@ reports, suggestions, and valuable resources:
     Bjørn Tore Sund
     Joe Travaglini
     Rathor Vipin
+    Denis Vlasenko
     Jorgen Wahlsten
     Stef Walter
     Max (Weijun) Wang
@@ -302,7 +415,9 @@ reports, suggestions, and valuable resources:
     Nicolas Williams
     Ross Wilper
     Augustin Wolf
+    David Woodhouse
     Xu Qiang
+    Neng Xue
     Nickolai Zeldovich
     Hanz van Zijst
     Gertjan Zwartjes

diff --git a/src/clients/ksu/deps b/src/clients/ksu/deps
index f05a1facb0209d377ba576c3c71cb4e0436975ac..a3a07b941f4f09daa4fc59d35eb936c9a310c5b0 100644 (file)
--- a/src/clients/ksu/deps
+++ b/src/clients/ksu/deps
@@ -15,14 +15,15 @@ $(OUTPRE)krb_auth_su.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 $(OUTPRE)ccache.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/k5-util.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h ccache.c ksu.h
+  $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/k5-util.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  ccache.c ksu.h
 $(OUTPRE)authorization.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \

diff --git a/src/lib/krb5/os/deps b/src/lib/krb5/os/deps
index 211354c9e2721f8b1567807f84afa632aa4305c5..cbff8834b1a1db0f8c0165db5394968dd10ae014 100644 (file)
--- a/src/lib/krb5/os/deps
+++ b/src/lib/krb5/os/deps
@@ -415,11 +415,11 @@ sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): \
   $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h os-proto.h \
-  sendto_kdc.c
+  $(top_srcdir)/include/k5-tls.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  os-proto.h sendto_kdc.c
 sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 06ad79ffe422f6906b5f2d299155cb3ba28da8f5..f3c173c92fd6a6389b843629e7519861deef4517 100644 (file)
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "K5IDENTITY" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The .k5identity file, which resides in a user\(aqs home directory,
@@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/k5login.man b/src/man/k5login.man
index c2f304d7b3442336b348b45786c8dedbd4f7c16a..bbb64ec729b73d94a8a17c327be79b1034d6d5b5 100644 (file)
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "K5LOGIN" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The .k5login file, which resides in a user\(aqs home directory, contains
@@ -41,7 +41,7 @@ administrators remote root access to the host via Kerberos.
 .SH EXAMPLES
 .sp
 Suppose the user \fBalice\fP had a .k5login file in her home directory
-containing the following line:
+containing just the following line:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -55,7 +55,12 @@ bob@FOOBAR.ORG
 .sp
 This would allow \fBbob\fP to use Kerberos network applications, such as
 ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
-tickets.
+tickets.  In a default configuration (with \fBk5login_authoritative\fP set
+to true in \fIkrb5.conf(5)\fP), this .k5login file would not let
+\fBalice\fP use those network applications to access her account, since
+she is not listed!  With no .k5login file, or with \fBk5login_authoritative\fP
+set to false, a default rule would permit the principal \fBalice\fP in the
+machine\(aqs default realm to access the \fBalice\fP account.
 .sp
 Let us further suppose that \fBalice\fP is a system administrator.
 Alice and the other system administrators would have their principals
@@ -86,6 +91,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 98ed9a810ae0471a5ec63e724935213a95e0533a..9d9677224618d3d700b33cecc7329c603dcdf2df 100644 (file)
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "K5SRVUTIL" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBk5srvutil\fP \fIoperation\fP
@@ -84,6 +84,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index dbdb10d1412f434caa12d388ee6ebedbf0b76648..4aa21fcc4c624e1e381405afb74c5b78575d2d49 100644 (file)
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KADM5.ACL" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
@@ -39,7 +39,7 @@ which principals can operate on which other principals.
 .sp
 The default location of the Kerberos ACL file is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP  unless this is overridden by the \fIacl_file\fP
-variable in \fIkdc.conf(5)\fP.
+variable in \fIkdc.conf(5)\fP\&.
 .SH SYNTAX
 .sp
 Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -54,10 +54,14 @@ principal  permissions  [target_principal  [restrictions] ]
 .fi
 .UNINDENT
 .UNINDENT
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 Line order in the ACL file is important.  The first matching entry
 will control access for an actor principal on a target principal.
-.RE
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .TP
 .B \fIprincipal\fP
@@ -105,7 +109,7 @@ _
 T{
 l
 T}     T{
-[Dis]allows the listing of principals or policies
+[Dis]allows the listing of all principals or policies
 T}
 _
 T{
@@ -129,7 +133,7 @@ _
 T{
 x
 T}     T{
-Short for admcil. All privileges
+Short for admcilsp. All privileges
 T}
 _
 T{
@@ -148,7 +152,7 @@ character.
 .sp
 \fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
 in which \fB*number\fP matches the corresponding wildcard in
-\fIprincipal\fP.
+\fIprincipal\fP\&.
 .TP
 .B \fIrestrictions\fP
 (Optional) A string of flags. Allowed restrictions are:
@@ -165,7 +169,7 @@ are the same as the + and \- flags for the kadmin
 policy is forced to be empty.
 .TP
 .B \fI\-policy pol\fP
-policy is forced to be \fIpol\fP.
+policy is forced to be \fIpol\fP\&.
 .TP
 .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
 (\fIgetdate\fP string) associated value will be forced to
@@ -177,24 +181,28 @@ MIN(\fItime\fP, requested value).
 The above flags act as restrictions on any add or modify operation
 which is allowed due to that ACL line.
 .UNINDENT
-.IP Warning
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
 If the kadmind ACL file is modified, the kadmind daemon needs to be
 restarted for changes to take effect.
-.RE
+.UNINDENT
+.UNINDENT
 .SH EXAMPLE
 .sp
-Here is an example of a kadm5.acl file.
+Here is an example of a kadm5.acl file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-*/admin@ATHENA.MIT.EDU        *                           # line 1
+*/admin@ATHENA.MIT.EDU    *                               # line 1
 joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
-joeadmin/*@ATHENA.MIT.EDU il  */root@ATHENA.MIT.EDU       # line 3
-*/root@ATHENA.MIT.EDU     cil *1@ATHENA.MIT.EDU           # line 4
-*/*@ATHENA.MIT.EDU        i                               # line 5
-*/admin@EXAMPLE.COM       x   * \-maxlife 9h \-postdateable # line 6
+joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
+*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
+*/root@ATHENA.MIT.EDU     l   *                           # line 5
+sms@ATHENA.MIT.EDU        x   * \-maxlife 9h \-postdateable # line 6
 .ft P
 .fi
 .UNINDENT
@@ -208,28 +216,30 @@ an \fBadmin\fP instance has all administrative privileges.
 1).  He has no permissions at all with his null instance,
 \fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2).  His \fBroot\fP and other
 non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire and list permissions with any principal that has the
-instance \fBroot\fP (matches line 3).
+inquire permissions with any principal that has the instance \fBroot\fP
+(matches line 3).
 .sp
-(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
+(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
 or change the password of their null instance, but not any other
 null instance.  (Here, \fB*1\fP denotes a back\-reference to the
 component matching the first wildcard in the actor principal.)
 .sp
-(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
-\fBjoeadmin@ATHENA.MIT.EDU\fP, as mentioned above) has inquire
-privileges.
+(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate
+the list of principals in the database, and the list of policies
+in the database.  This line is separate from line 4, because list
+permission can only be granted globally, not to specific target
+principals.
 .sp
-(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP
-has all permissions, but any principal that they create or modify will
-not be able to get postdateable tickets or tickets with a life of
-longer than 9 hours.
+(line 6) Finally, the Service Management System principal
+\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it
+creates or modifies will not be able to get postdateable tickets or
+tickets with a life of longer than 9 hours.
 .SH SEE ALSO
 .sp
 \fIkdc.conf(5)\fP, \fIkadmind(8)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index c896cdf7ded1300bf01f1f86de393e1ca8a3d101..06d91e8a921b5312677fb348b4f6824b5f801326 100644 (file)
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KADMIN" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkadmin\fP
@@ -54,7 +54,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
 administration system.  They provide nearly identical functionalities;
 the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using \fIkadmind(8)\fP.
+database, while kadmin performs operations using \fIkadmind(8)\fP\&.
 Except as explicitly noted otherwise, this man page will use "kadmin"
 to refer to both versions.  kadmin provides for the maintenance of
 Kerberos principals, password policies, and service key tables
@@ -62,7 +62,7 @@ Kerberos principals, password policies, and service key tables
 .sp
 The remote kadmin client uses Kerberos to authenticate to kadmind
 using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is
-the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP.
+the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP\&.
 If the credentials cache contains a ticket for one of these
 principals, and the \fB\-c\fP credentials_cache option is specified, that
 ticket is used to authenticate to kadmind.  Otherwise, the \fB\-p\fP and
@@ -90,7 +90,7 @@ obtained with getpwuid, in order of preference.
 .B \fB\-k\fP
 Use a keytab to decrypt the KDC response instead of prompting for
 a password.  In this case, the default principal will be
-\fBhost/hostname\fP.  If there is no keytab specified with the
+\fBhost/hostname\fP\&.  If there is no keytab specified with the
 \fB\-t\fP option, then the default keytab will be used.
 .TP
 .B \fB\-t\fP \fIkeytab\fP
@@ -101,7 +101,7 @@ with the \fB\-k\fP option.
 Requests anonymous processing.  Two types of anonymous principals
 are supported.  For fully anonymous Kerberos, configure PKINIT on
 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
-\fIkrb5.conf(5)\fP.  Then use the \fB\-n\fP option with a principal
+\fIkrb5.conf(5)\fP\&.  Then use the \fB\-n\fP option with a principal
 of the form \fB@REALM\fP (an empty principal name followed by the
 at\-sign and a realm name).  If permitted by the KDC, an anonymous
 ticket will be returned.  A second form of anonymous tickets is
@@ -153,26 +153,72 @@ Force use of old AUTH_GSSAPI authentication flavor.
 Prevent fallback to AUTH_GSSAPI authentication flavor.
 .TP
 .B \fB\-x\fP \fIdb_args\fP
-Specifies the database specific arguments.  Options supported for
-the LDAP database module are:
-.INDENT 7.0
+Specifies the database specific arguments.  See the next section
+for supported options.
+.UNINDENT
+.SH DATABASE OPTIONS
+.sp
+Database options can be used to override database\-specific defaults.
+Supported options for the DB2 module are:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B \fB\-x dbname=\fP*filename*
+Specifies the base filename of the DB2 database.
+.TP
+.B \fB\-x lockiter\fP
+Make iteration operations hold the lock for the duration of
+the entire operation, rather than temporarily releasing the
+lock while handling each principal.  This is the default
+behavior, but this option exists to allow command line
+override of a [dbmodules] setting.  First introduced in
+release 1.13.
+.TP
+.B \fB\-x unlockiter\fP
+Make iteration operations unlock the database for each
+principal, instead of holding the lock for the duration of the
+entire operation.  First introduced in release 1.13.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+Supported options for the LDAP module are:
+.INDENT 0.0
+.INDENT 3.5
+.INDENT 0.0
 .TP
-.B \fB\-x host=\fP\fIhostname\fP
+.B \fB\-x host=\fP\fIldapuri\fP
 Specifies the LDAP server to connect to by a LDAP URI.
 .TP
 .B \fB\-x binddn=\fP\fIbind_dn\fP
-Specifies the DN of the object used by the administration
-server to bind to the LDAP server.  This object should have
-the read and write privileges on the realm container, the
-principal container, and the subtree that is referenced by the
-realm.
-.TP
-.B \fB\-x bindpwd=\fP\fIbind_password\fP
-Specifies the password for the above mentioned binddn.  Using
-this option may expose the password to other users on the
-system via the process list; to avoid this, instead stash the
-password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
+Specifies the DN used to bind to the LDAP server.
+.TP
+.B \fB\-x bindpwd=\fP\fIpassword\fP
+Specifies the password or SASL secret used to bind to the LDAP
+server.  Using this option may expose the password to other
+users on the system via the process list; to avoid this,
+instead stash the password using the \fBstashsrvpw\fP command of
+\fIkdb5_ldap_util(8)\fP\&.
+.TP
+.B \fB\-x sasl_mech=\fP\fImechanism\fP
+Specifies the SASL mechanism used to bind to the LDAP server.
+The bind DN is ignored if a SASL mechanism is used.  New in
+release 1.13.
+.TP
+.B \fB\-x sasl_authcid=\fP\fIname\fP
+Specifies the authentication name used when binding to the
+LDAP server with a SASL mechanism, if the mechanism requires
+one.  New in release 1.13.
+.TP
+.B \fB\-x sasl_authzid=\fP\fIname\fP
+Specifies the authorization name used when binding to the LDAP
+server with a SASL mechanism.  New in release 1.13.
+.TP
+.B \fB\-x sasl_realm=\fP\fIrealm\fP
+Specifies the realm used when binding to the LDAP server with
+a SASL mechanism, if the mechanism uses one.  New in release
+1.13.
 .TP
 .B \fB\-x debug=\fP\fIlevel\fP
 sets the OpenLDAP client library debug level.  \fIlevel\fP is an
@@ -180,6 +226,7 @@ integer to be interpreted by the library.  Debugging messages
 are printed to standard error.  New in release 1.12.
 .UNINDENT
 .UNINDENT
+.UNINDENT
 .SH COMMANDS
 .sp
 When using the remote client, available commands may be restricted
@@ -344,8 +391,11 @@ principal is to be created.
 .B \fB\-x tktpolicy=\fP\fIpolicy\fP
 Associates a ticket policy to the Kerberos principal.
 .UNINDENT
-.IP Note
+.sp
+\fBNOTE:\fP
 .INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
 .IP \(bu 2
 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
 specified with the \fBdn\fP option.
@@ -358,7 +408,8 @@ container.
 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
 principal container configured in the realm.
 .UNINDENT
-.RE
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .sp
 Example:
@@ -409,7 +460,7 @@ to its password policy) so that it can successfully authenticate.
 .UNINDENT
 .UNINDENT
 .sp
-Renames the specified \fIold_principal\fP to \fInew_principal\fP.  This
+Renames the specified \fIold_principal\fP to \fInew_principal\fP\&.  This
 command prompts for confirmation, unless the \fB\-force\fP option is
 given.
 .sp
@@ -436,7 +487,7 @@ Alias: \fBdelprinc\fP
 .UNINDENT
 .UNINDENT
 .sp
-Changes the password of \fIprincipal\fP.  Prompts for a new password if
+Changes the password of \fIprincipal\fP\&.  Prompts for a new password if
 neither \fB\-randkey\fP or \fB\-pw\fP is specified.
 .sp
 This command requires the \fBchangepw\fP privilege, or that the
@@ -489,8 +540,8 @@ kadmin:
 .UNINDENT
 .sp
 Purges previously retained old keys (e.g., from \fBchange_password
-\-keepold\fP) from \fIprincipal\fP.  If \fB\-keepkvno\fP is specified, then
-only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.  If
+\-keepold\fP) from \fIprincipal\fP\&.  If \fB\-keepkvno\fP is specified, then
+only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&.  If
 \fB\-all\fP is specified, then all keys are purged.  The \fB\-all\fP option
 is new in release 1.12.
 .sp
@@ -528,8 +579,8 @@ Last successful authentication: [never]
 Last failed authentication: [never]
 Failed password attempts: 0
 Number of keys: 2
-Key: vno 1, DES cbc mode with CRC\-32, no salt
-Key: vno 1, DES cbc mode with CRC\-32, Version 4
+Key: vno 1, des\-cbc\-crc
+Key: vno 1, des\-cbc\-crc:v4
 Attributes:
 Policy: [none]
 
@@ -551,7 +602,7 @@ kadmin:
 .sp
 Retrieves all or some principal names.  \fIexpression\fP is a shell\-style
 glob expression that can contain the wild\-card characters \fB?\fP,
-\fB*\fP, and \fB[]\fP.  All principal names matching the expression are
+\fB*\fP, and \fB[]\fP\&.  All principal names matching the expression are
 printed.  If no expression is provided, all principal names are
 printed.  If the expression does not contain an \fB@\fP character, an
 \fB@\fP character followed by the local realm is appended to the
@@ -584,7 +635,7 @@ kadmin:
 .UNINDENT
 .UNINDENT
 .sp
-Displays string attributes on \fIprincipal\fP.
+Displays string attributes on \fIprincipal\fP\&.
 .sp
 This command requires the \fBinquire\fP privilege.
 .sp
@@ -592,13 +643,14 @@ Alias: \fBgetstr\fP
 .SS set_string
 .INDENT 0.0
 .INDENT 3.5
-\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
+\fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
 .UNINDENT
 .UNINDENT
 .sp
-Sets a string attribute on \fIprincipal\fP.  String attributes are used to
+Sets a string attribute on \fIprincipal\fP\&.  String attributes are used to
 supply per\-principal configuration to the KDC and some KDC plugin
-modules.  The following string attributes are recognized by the KDC:
+modules.  The following string attribute names are recognized by the
+KDC:
 .INDENT 0.0
 .TP
 .B \fBsession_enctypes\fP
@@ -606,11 +658,29 @@ Specifies the encryption types supported for session keys when the
 principal is authenticated to as a server.  See
 \fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the
 accepted values.
+.TP
+.B \fBotp\fP
+Enables One Time Passwords (OTP) preauthentication for a client
+\fIprincipal\fP\&.  The \fIvalue\fP is a JSON string representing an array
+of objects, each having optional \fBtype\fP and \fBusername\fP fields.
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
 .sp
 Alias: \fBsetstr\fP
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+set_string host/foo.mit.edu session_enctypes aes128\-cts
+set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SS del_string
 .INDENT 0.0
 .INDENT 3.5
@@ -618,7 +688,7 @@ Alias: \fBsetstr\fP
 .UNINDENT
 .UNINDENT
 .sp
-Deletes a string attribute from \fIprincipal\fP.
+Deletes a string attribute from \fIprincipal\fP\&.
 .sp
 This command requires the \fBdelete\fP privilege.
 .sp
@@ -683,7 +753,7 @@ is locked from authenticating if too many authentication failures
 occur without the specified failure count interval elapsing.
 A duration of 0 (the default) means the principal remains locked
 out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP.
+\-unlock\fP\&.
 .TP
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
@@ -713,8 +783,8 @@ kadmin:
 .UNINDENT
 .UNINDENT
 .sp
-Modifies the password policy named \fIpolicy\fP.  Options are as described
-for \fBadd_policy\fP.
+Modifies the password policy named \fIpolicy\fP\&.  Options are as described
+for \fBadd_policy\fP\&.
 .sp
 This command requires the \fBmodify\fP privilege.
 .sp
@@ -726,7 +796,7 @@ Alias: \fBmodpol\fP
 .UNINDENT
 .UNINDENT
 .sp
-Deletes the password policy named \fIpolicy\fP.  Prompts for confirmation
+Deletes the password policy named \fIpolicy\fP\&.  Prompts for confirmation
 before deletion.  The command will fail if the policy is in use by any
 principals.
 .sp
@@ -755,7 +825,7 @@ kadmin:
 .UNINDENT
 .UNINDENT
 .sp
-Displays the values of the password policy named \fIpolicy\fP.  With the
+Displays the values of the password policy named \fIpolicy\fP\&.  With the
 \fB\-terse\fP flag, outputs the fields as quoted strings separated by
 tabs.
 .sp
@@ -798,13 +868,13 @@ meaningful.
 .sp
 Retrieves all or some policy names.  \fIexpression\fP is a shell\-style
 glob expression that can contain the wild\-card characters \fB?\fP,
-\fB*\fP, and \fB[]\fP.  All policy names matching the expression are
+\fB*\fP, and \fB[]\fP\&.  All policy names matching the expression are
 printed.  If no expression is provided, all existing policy names are
 printed.
 .sp
 This command requires the \fBlist\fP privilege.
 .sp
-Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP.
+Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
 .sp
 Examples:
 .INDENT 0.0
@@ -953,6 +1023,6 @@ interface to the OpenVision Kerberos administration program.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index d3be2875db2ad282ae2456d864a294238b91cb12..833aeed6d64e0754c8b36c58eeb6d359a97081f1 100644 (file)
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KADMIND" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkadmind\fP
@@ -37,6 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-m\fP]
 [\fB\-nofork\fP]
+[\fB\-proponly\fP]
 [\fB\-port\fP \fIport\-number\fP]
 [\fB\-P\fP \fIpid_file\fP]
 [\fB\-p\fP \fIkdb5_util_path\fP]
@@ -66,7 +67,7 @@ settings.
 kadmind\(aqs ACL (access control list) tells it which principals are
 allowed to perform administration actions.  The pathname to the
 ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
-variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
+variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.
 .UNINDENT
 .sp
 After the server begins running, it puts itself in the background and
@@ -78,8 +79,9 @@ and policy updates incrementally instead of receiving full dumps of
 the database.  This facility can be enabled in the \fIkdc.conf(5)\fP
 file with the \fBiprop_enable\fP option.  Incremental propagation
 requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the
-master KDC\(aqs canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC\(aqs canonical host name, and REALM the realm name).  In
+release 1.13, this principal is automatically created and registered
+into the datebase.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -98,10 +100,16 @@ causes the server to remain in the foreground and remain
 associated to the terminal.  In normal operation, you should allow
 the server to place itself in the background.
 .TP
+.B \fB\-proponly\fP
+causes the server to only listen and respond to Kerberos slave
+incremental propagation polling requests.  This option can be used
+to set up a hierarchical propagation topology where a slave KDC
+provides incremental updates to other Kerberos slaves.
+.TP
 .B \fB\-port\fP \fIport\-number\fP
 specifies the port on which the administration server listens for
 connections.  The default port is determined by the
-\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP.
+\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&.
 .TP
 .B \fB\-P\fP \fIpid_file\fP
 specifies the file to which the PID of kadmind process should be
@@ -122,43 +130,7 @@ specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.
 .TP
 .B \fB\-x\fP \fIdb_args\fP
-specifies database\-specific arguments.
-.sp
-Options supported for LDAP database are:
-.INDENT 7.0
-.INDENT 3.5
-.INDENT 0.0
-.TP
-.B \fB\-x nconns=\fP\fInumber_of_connections\fP
-specifies the number of connections to be maintained per
-LDAP server.
-.TP
-.B \fB\-x host=\fP\fIldapuri\fP
-specifies the LDAP server to connect to by URI.
-.TP
-.B \fB\-x binddn=\fP\fIbinddn\fP
-specifies the DN of the object used by the administration
-server to bind to the LDAP server.  This object should
-have read and write privileges on the realm container, the
-principal container, and the subtree that is referenced by
-the realm.
-.TP
-.B \fB\-x bindpwd=\fP\fIbind_password\fP
-specifies the password for the above mentioned binddn.
-Using this option may expose the password to other users
-on the system via the process list; to avoid this, instead
-stash the password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
-.TP
-.B \fB\-x debug=\fP\fIlevel\fP
-sets the OpenLDAP client library debug level.  \fIlevel\fP is
-an integer to be interpreted by the library.  Debugging
-messages are printed to standard error, so this option
-must be used with the \fB\-nofork\fP option to be useful.
-New in release 1.12.
-.UNINDENT
-.UNINDENT
-.UNINDENT
+specifies database\-specific arguments.  See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments.
 .UNINDENT
 .SH SEE ALSO
 .sp
@@ -167,6 +139,6 @@ New in release 1.12.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 17ecea929b65bf64dbdff6133845a30b28ac646b..6a7c7c3de26e8da9432c9fd8d3fcc146dd11306d 100644 (file)
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KDB5_LDAP_UTIL" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkdb5_ldap_util\fP
@@ -49,7 +49,7 @@ Specifies the Distinguished Name (DN) of the user who has
 sufficient rights to perform the operation on the LDAP server.
 .TP
 .B \fB\-w\fP \fIpasswd\fP
-Specifies the password of \fIuser_dn\fP.  This option is not
+Specifies the password of \fIuser_dn\fP\&.  This option is not
 recommended.
 .TP
 .B \fB\-H\fP \fIldapuri\fP
@@ -97,7 +97,7 @@ realm container.
 .B \fB\-k\fP \fImkeytype\fP
 Specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
@@ -131,7 +131,7 @@ tickets for principals in this realm.
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP.
+\fIkadmin(1)\fP\&.
 .UNINDENT
 .sp
 Example:
@@ -197,7 +197,7 @@ tickets for principals in this realm.
 .B \fIticket_flags\fP
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
-\fIkadmin(1)\fP.
+\fIkadmin(1)\fP\&.
 .UNINDENT
 .sp
 Example:
@@ -314,7 +314,7 @@ shell%
 .INDENT 3.5
 \fBstashsrvpw\fP
 [\fB\-f\fP \fIfilename\fP]
-\fIservicedn\fP
+\fIname\fP
 .UNINDENT
 .UNINDENT
 .sp
@@ -327,9 +327,15 @@ to the LDAP server.  Options:
 Specifies the complete path of the service password file. By
 default, \fB/usr/local/var/service_passwd\fP is used.
 .TP
-.B \fIservicedn\fP
-Specifies Distinguished Name (DN) of the service object whose
-password is to be stored in file.
+.B \fIname\fP
+Specifies the name of the object whose password is to be stored.
+If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
+simple binding, this should be the distinguished name it will
+use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
+variable in \fIkdc.conf(5)\fP\&.  If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
+\fBldap_kadmind_sasl_authcid\fP variable.
 .UNINDENT
 .sp
 Example:
@@ -376,7 +382,7 @@ tickets for principals.
 Specifies the ticket flags.  If this option is not specified, by
 default, no restriction will be set by the policy.  Allowable
 flags are documented in the description of the \fBadd_principal\fP
-command in \fIkadmin(1)\fP.
+command in \fIkadmin(1)\fP\&.
 .TP
 .B \fIpolicy_name\fP
 Specifies the name of the ticket policy.
@@ -410,7 +416,7 @@ Password for "cn=admin,o=org":
 .UNINDENT
 .sp
 Modifies the attributes of a ticket policy.  Options are same as for
-\fBcreate_policy\fP.
+\fBcreate_policy\fP\&.
 .sp
 Example:
 .INDENT 0.0
@@ -538,6 +544,6 @@ userpolicy
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index a90976dc0849f8456dcf3b5a50afe30eb675319b..4990af9d12388e3a433b4900a02c1ae26a4a1382 100644 (file)
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KDB5_UTIL" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkdb5_util\fP
@@ -63,14 +63,14 @@ specifies the Kerberos realm of the database.
 .TP
 .B \fB\-d\fP \fIdbname\fP
 specifies the name under which the principal database is stored;
-by default the database is that listed in \fIkdc.conf(5)\fP.  The
+by default the database is that listed in \fIkdc.conf(5)\fP\&.  The
 password policy database and lock files are also derived from this
 value.
 .TP
 .B \fB\-k\fP \fImkeytype\fP
 specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
 Specifies the version number of the master key in the database;
@@ -79,7 +79,7 @@ the default is 1.  Note that 0 is not allowed.
 .B \fB\-M\fP \fImkeyname\fP
 principal name for the master key in the database.  If not
 specified, the name is determined by the \fBmaster_key_name\fP
-variable in \fIkdc.conf(5)\fP.
+variable in \fIkdc.conf(5)\fP\&.
 .TP
 .B \fB\-m\fP
 specifies that the master database password should be read from
@@ -88,7 +88,7 @@ the keyboard rather than fetched from a file on disk.
 .B \fB\-sf\fP \fIstash_file\fP
 specifies the stash filename of the master database password.  If
 not specified, the filename is determined by the
-\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP.
+\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&.
 .TP
 .B \fB\-P\fP \fIpassword\fP
 specifies the master database password.  Using this option may
@@ -126,13 +126,13 @@ the \fB\-f\fP argument, does not prompt the user.
 .sp
 Stores the master principal\(aqs keys in a stash file.  The \fB\-f\fP
 argument can be used to override the \fIkeyfile\fP specified in
-\fIkdc.conf(5)\fP.
+\fIkdc.conf(5)\fP\&.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
 \fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP]
 [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP]
-[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
+[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]]
 .UNINDENT
 .UNINDENT
 .sp
@@ -206,7 +206,8 @@ Options:
 .TP
 .B \fB\-b7\fP
 requires the database to be in the Kerberos 5 Beta 7 format
-("kdb5_util load_dump version 4").
+("kdb5_util load_dump version 4").  This was the dump format
+produced on releases prior to 1.2.2.
 .TP
 .B \fB\-ov\fP
 requires the database to be in "ovsec_adm_import" format.  Must be
@@ -234,10 +235,7 @@ is dumped.
 .TP
 .B \fB\-update\fP
 records from the dump file are added to or updated in the existing
-database.  (This is useful in conjunction with an ovsec_adm_export
-format dump if you want to preserve per\-principal policy
-information, since the current default format does not contain
-this data.)  Otherwise, a new database is created containing only
+database.  Otherwise, a new database is created containing only
 what is in the dump file and the old one destroyed upon successful
 completion.
 .UNINDENT
@@ -270,7 +268,7 @@ values.  The \fB\-s\fP option stashes the new master key in the stash
 file, which will be created if it doesn\(aqt already exist.
 .sp
 After a new master key is added, it should be propagated to slave
-servers via a manual or periodic invocation of \fIkprop(8)\fP.  Then,
+servers via a manual or periodic invocation of \fIkprop(8)\fP\&.  Then,
 the stash files on the slave servers should be updated with the
 kdb5_util \fBstash\fP command.  Once those steps are complete, the key
 is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
@@ -281,7 +279,7 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
 .UNINDENT
 .UNINDENT
 .sp
-Sets the activation time of the master key specified by \fImkeyVNO\fP.
+Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
 Once a master key becomes active, it will be used to encrypt newly
 created principal keys.  If no \fItime\fP argument is given, the current
 time is used, causing the specified master key version to become
@@ -299,7 +297,7 @@ principal keys to be encrypted in the new master key.
 .sp
 List all master keys, from most recent to earliest, in the master key
 principal.  The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP.  A
+each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&.  A
 \fB*\fP following an mkey denotes the currently active master key.
 .SS purge_mkeys
 .INDENT 0.0
@@ -346,6 +344,6 @@ showing the actions which would have been taken.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 5d32bf4a0bfbb0e7b916d67345315e89819def4b..3f83afce3062cf092e5e1cc4d3664f0d9a683e47 100644 (file)
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KDC.CONF" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .sp
 The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
 are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
@@ -39,8 +39,8 @@ KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
 single configuration profile.
 .sp
 Normally, the kdc.conf file is found in the KDC state directory,
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP.  You can override the default location by setting the
-environment variable \fBKRB5_KDC_PROFILE\fP.
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\&.  You can override the default location by setting the
+environment variable \fBKRB5_KDC_PROFILE\fP\&.
 .sp
 Please note that you need to restart the KDC daemon for any configuration
 changes to take effect.
@@ -116,6 +116,8 @@ Each tag in the [realms] section is the name of a Kerberos realm.  The
 value of the tag is a subsection where the relations define KDC
 parameters for that particular realm.  The following example shows how
 to define one parameter for the ATHENA.MIT.EDU realm:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -125,6 +127,8 @@ to define one parameter for the ATHENA.MIT.EDU realm:
     }
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
 .sp
 The following tags may be specified in a [realms] subsection:
 .INDENT 0.0
@@ -133,8 +137,8 @@ The following tags may be specified in a [realms] subsection:
 (String.)  Location of the access control list file that
 \fIkadmind(8)\fP uses to determine which principals are allowed
 which permissions on the Kerberos database.  The default value is
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.  For more information on Kerberos ACL
-file see \fIkadm5.acl(5)\fP.
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more information on Kerberos ACL
+file see \fIkadm5.acl(5)\fP\&.
 .TP
 .B \fBdatabase_module\fP
 (String.)  This relation indicates the name of the configuration
@@ -147,7 +151,7 @@ values will be used for all database parameters.
 (String, deprecated.)  This relation specifies the location of the
 Kerberos database for this realm, if the DB2 module is being used
 and the \fI\%[dbmodules]\fP configuration section does not specify a
-database name.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+database name.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
 .TP
 .B \fBdefault_principal_expiration\fP
 (\fIabstime\fP string.)  Specifies the default expiration date of
@@ -257,8 +261,8 @@ propagation is enabled.  The default value is false.
 .TP
 .B \fBiprop_master_ulogsize\fP
 (Integer.)  Specifies the maximum number of log entries to be
-retained for incremental propagation.  The maximum value is 2500;
-the default value is 1000.
+retained for incremental propagation.  The default value is 1000.
+Prior to release 1.11, the maximum value was 2500.
 .TP
 .B \fBiprop_slave_poll\fP
 (Delta time string.)  Specifies how often the slave KDC polls for
@@ -280,7 +284,7 @@ minutes (\fB5m\fP).  New in release 1.11.
 (File name.)  Specifies where the update log file for the realm
 database is to be stored.  The default is to use the
 \fBdatabase_name\fP entry from the realms section of the krb5 config
-file, with \fB.ulog\fP appended.  (NOTE: If \fBdatabase_name\fP isn\(aqt
+file, with \fB\&.ulog\fP appended.  (NOTE: If \fBdatabase_name\fP isn\(aqt
 specified in the realms section, perhaps because the LDAP database
 back end is being used, or the file name is specified in the
 [dbmodules] section, then the hard\-coded default for
@@ -316,12 +320,12 @@ standard port number assigned for Kerberos TCP traffic is port 88.
 .TP
 .B \fBmaster_key_name\fP
 (String.)  Specifies the name of the principal associated with the
-master key.  The default is \fBK/M\fP.
+master key.  The default is \fBK/M\fP\&.
 .TP
 .B \fBmaster_key_type\fP
 (Key type string.)  Specifies the master key\(aqs key type.  The
-default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP.  For a list of all possible
-values, see \fI\%Encryption types\fP.
+default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&.  For a list of all possible
+values, see \fI\%Encryption types\fP\&.
 .TP
 .B \fBmax_life\fP
 (\fIduration\fP string.)  Specifies the maximum time period for
@@ -337,7 +341,7 @@ The default value is 0.
 (Whitespace\- or comma\-separated list.)  Lists services to block
 from getting host\-based referral processing, even if the client
 marks the server principal as host\-based or the service is also
-listed in \fBhost_based_services\fP.  \fBno_host_referral = *\fP will
+listed in \fBhost_based_services\fP\&.  \fBno_host_referral = *\fP will
 disable referral processing altogether.
 .TP
 .B \fBdes_crc_session_supported\fP
@@ -380,8 +384,8 @@ default value is false.  New in release 1.9.
 (List of \fIkey\fP:\fIsalt\fP strings.)  Specifies the default key/salt
 combinations of principals for this realm.  Any principals created
 through \fIkadmin(1)\fP will have keys of these types.  The
-default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP.  For lists of
-possible values, see \fI\%Keysalt lists\fP.
+default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&.  For lists of
+possible values, see \fI\%Keysalt lists\fP\&.
 .UNINDENT
 .SS [dbdefaults]
 .sp
@@ -395,8 +399,24 @@ definitions of these relations.
 .IP \(bu 2
 \fBldap_kdc_dn\fP
 .IP \(bu 2
+\fBldap_kdc_sasl_authcid\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_authzid\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_mech\fP
+.IP \(bu 2
+\fBldap_kdc_sasl_realm\fP
+.IP \(bu 2
 \fBldap_kadmind_dn\fP
 .IP \(bu 2
+\fBldap_kadmind_sasl_authcid\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_authzid\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_mech\fP
+.IP \(bu 2
+\fBldap_kadmind_sasl_realm\fP
+.IP \(bu 2
 \fBldap_service_password_file\fP
 .IP \(bu 2
 \fBldap_servers\fP
@@ -410,6 +430,8 @@ library and database modules.  Each tag in the [dbmodules] section is
 the name of a Kerberos realm or a section name specified by a realm\(aqs
 \fBdatabase_module\fP parameter.  The following example shows how to
 define one database parameter for the ATHENA.MIT.EDU realm:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -419,13 +441,15 @@ define one database parameter for the ATHENA.MIT.EDU realm:
     }
 .ft P
 .fi
+.UNINDENT
+.UNINDENT
 .sp
 The following tags may be specified in a [dbmodules] subsection:
 .INDENT 0.0
 .TP
 .B \fBdatabase_name\fP
 This DB2\-specific tag indicates the location of the database in
-the filesystem.  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
+the filesystem.  The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&.
 .TP
 .B \fBdb_library\fP
 This tag indicates the name of the loadable database module.  The
@@ -451,18 +475,41 @@ introduced in release 1.9.
 This LDAP\-specific tag indicates the number of connections to be
 maintained per LDAP server.
 .TP
-.B \fBldap_kadmind_dn\fP
-This LDAP\-specific tag indicates the default bind DN for the
-\fIkadmind(8)\fP daemon.  kadmind does a login to the directory
-as this object.  This object should have the rights to read and
-write the Kerberos data in the LDAP database.
-.TP
-.B \fBldap_kdc_dn\fP
-This LDAP\-specific tag indicates the default bind DN for the
-\fIkrb5kdc(8)\fP daemon.  The KDC does a login to the directory
-as this object.  This object should have the rights to read the
-Kerberos data in the LDAP database, and to write data unless
-\fBdisable_lockout\fP and \fBdisable_last_success\fP are true.
+.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP
+These LDAP\-specific tags indicate the default DN for binding to
+the LDAP server.  The \fIkrb5kdc(8)\fP daemon uses
+\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other
+administrative programs use \fBldap_kadmind_dn\fP\&.  The kadmind DN
+must have the rights to read and write the Kerberos data in the
+LDAP database.  The KDC DN must have the same rights, unless
+\fBdisable_lockout\fP and \fBdisable_last_success\fP are true, in
+which case it only needs to have rights to read the Kerberos data.
+These tags are ignored if a SASL mechanism is set with
+\fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&.
+.TP
+.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP
+These LDAP\-specific tags specify the SASL mechanism (such as
+\fBEXTERNAL\fP) to use when binding to the LDAP server.  New in
+release 1.13.
+.TP
+.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP
+These LDAP\-specific tags specify the SASL authentication identity
+to use when binding to the LDAP server.  Not all SASL mechanisms
+require an authentication identity.  If the SASL mechanism
+requires a secret (such as the password for \fBDIGEST\-MD5\fP), these
+tags also determine the name within the
+\fBldap_service_password_file\fP where the secret is stashed.  New
+in release 1.13.
+.TP
+.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP
+These LDAP\-specific tags specify the SASL authorization identity
+to use when binding to the LDAP server.  In most circumstances
+they do not need to be specified.  New in release 1.13.
+.TP
+.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP
+These LDAP\-specific tags specify the SASL realm to use when
+binding to the LDAP server.  In most circumstances they do not
+need to be set.  New in release 1.13.
 .TP
 .B \fBldap_kerberos_container_dn\fP
 This LDAP\-specific tag indicates the DN of the container object
@@ -478,8 +525,16 @@ to the LDAP server.
 .B \fBldap_service_password_file\fP
 This LDAP\-specific tag indicates the file containing the stashed
 passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
-\fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects.  This file must
-be kept secure.
+\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
+\fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
+for SASL authentication.  This file must be kept secure.
+.TP
+.B \fBunlockiter\fP
+If set to \fBtrue\fP, this DB2\-specific tag causes iteration
+operations to release the database lock while processing each
+principal.  Setting this flag to \fBtrue\fP can prevent extended
+blocking of KDC or kadmin operations when dumps of large databases
+are in progress.  First introduced in release 1.13.
 .UNINDENT
 .sp
 The following tag may be specified directly in the [dbmodules]
@@ -513,7 +568,7 @@ Values are of the following forms:
 .TP
 .B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
 This value causes the daemon\(aqs logging messages to go to the
-\fIfilename\fP.  If the \fB=\fP form is used, the file is overwritten.
+\fIfilename\fP\&.  If the \fB=\fP form is used, the file is overwritten.
 If the \fB:\fP form is used, the file is appended to.
 .TP
 .B \fBSTDERR\fP
@@ -535,23 +590,23 @@ The severity argument specifies the default severity of system log
 messages.  This may be any of the following severities supported
 by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
 \fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
-and \fBDEBUG\fP.
+and \fBDEBUG\fP\&.
 .sp
 The facility argument specifies the facility under which the
 messages are logged.  This may be any of the following facilities
 supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
 \fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
-\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
+\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&.
 .sp
-If no severity is specified, the default is \fBERR\fP.  If no
-facility is specified, the default is \fBAUTH\fP.
+If no severity is specified, the default is \fBERR\fP\&.  If no
+facility is specified, the default is \fBAUTH\fP\&.
 .UNINDENT
 .sp
 In the following example, the logging messages from the KDC will go to
 the console and to the system log under the facility LOG_DAEMON with
 default severity of LOG_INFO; and the logging messages from the
 administrative server will be appended to the file
-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
+\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&.
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -579,7 +634,7 @@ For each token type, the following tags may be specified:
 This is the server to send the RADIUS request to.  It can be a
 hostname with optional port, an ip address with optional port, or
 a Unix domain socket address.  The default is
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP.
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/<name>.socket\fP\&.
 .TP
 .B \fBsecret\fP
 This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP)
@@ -603,10 +658,10 @@ server.  The default is 3 retries (4 tries).
 .B \fBstrip_realm\fP
 If this tag is \fBtrue\fP, the principal without the realm will be
 passed to the RADIUS server.  Otherwise, the realm will be
-included.  The default value is \fBtrue\fP.
+included.  The default value is \fBtrue\fP\&.
 .UNINDENT
 .sp
-In the following example, requests are sent to a remote server via UDP.
+In the following example, requests are sent to a remote server via UDP:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -628,7 +683,7 @@ In the following example, requests are sent to a remote server via UDP.
 An implicit default token type named \fBDEFAULT\fP is defined for when
 the per\-principal configuration does not specify a token type.  Its
 configuration is shown below.  You may override this token type to
-something applicable for your situation.
+something applicable for your situation:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -643,16 +698,20 @@ something applicable for your situation.
 .UNINDENT
 .UNINDENT
 .SH PKINIT OPTIONS
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 The following are pkinit\-specific options.  These values may
 be specified in [kdcdefaults] as global defaults, or within
 a realm\-specific subsection of [realms].  Also note that a
 realm\-specific value over\-rides, does not add to, a generic
 [kdcdefaults] specification.  The search order is:
-.RE
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .IP 1. 3
-realm\-specific subsection of [realms],
+realm\-specific subsection of [realms]:
 .INDENT 3.0
 .INDENT 3.5
 .sp
@@ -667,7 +726,7 @@ realm\-specific subsection of [realms],
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-generic value in the [kdcdefaults] section.
+generic value in the [kdcdefaults] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
@@ -683,7 +742,7 @@ generic value in the [kdcdefaults] section.
 .sp
 For information about the syntax of some of these options, see
 \fISpecifying PKINIT identity information\fP in
-\fIkrb5.conf(5)\fP.
+\fIkrb5.conf(5)\fP\&.
 .INDENT 0.0
 .TP
 .B \fBpkinit_anchors\fP
@@ -704,7 +763,7 @@ the certificate to the Kerberos principal name.  The default value
 is false.
 .sp
 Without this option, the KDC will only accept certificates with
-the id\-pkinit\-san as defined in \fI\%RFC 4556\fP.  There is currently
+the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&.  There is currently
 no option to disable SAN checking in the KDC.
 .TP
 .B \fBpkinit_eku_checking\fP
@@ -716,7 +775,7 @@ recognized in the kdc.conf file are:
 .B \fBkpClientAuth\fP
 This is the default value and specifies that client
 certificates must have the id\-pkinit\-KPClientAuth EKU as
-defined in \fI\%RFC 4556\fP.
+defined in \fI\%RFC 4556\fP\&.
 .TP
 .B \fBscLogin\fP
 If scLogin is specified, client certificates with the
@@ -736,10 +795,6 @@ This option is required if pkinit is to be supported by the KDC.
 .B \fBpkinit_kdc_ocsp\fP
 Specifies the location of the KDC\(aqs OCSP.
 .TP
-.B \fBpkinit_mapping_file\fP
-Specifies the name of the ACL pkinit mapping file.  This file maps
-principals to the certificates that they can use.
-.TP
 .B \fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
@@ -907,8 +962,8 @@ database.
 Kerberos keys for users are usually derived from passwords.  Kerberos
 commands and configuration parameters that affect generation of keys
 take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt
-lists\fP.  Each keysalt pair is an enctype name followed by a salttype
-name, in the format \fIenc\fP:\fIsalt\fP.  Individual keysalt list members are
+lists\fP\&.  Each keysalt pair is an enctype name followed by a salttype
+name, in the format \fIenc\fP:\fIsalt\fP\&.  Individual keysalt list members are
 separated by comma (",") characters or space characters.  For example:
 .INDENT 0.0
 .INDENT 3.5
@@ -1025,6 +1080,6 @@ Here\(aqs an example of a kdc.conf file:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 70eb801644503d281e5e0f120d84317a0a76cd3c..09bace0cff31045f4d266fd7e186f4144fc2cfe5 100644 (file)
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KDESTROY" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkdestroy\fP
@@ -74,7 +74,7 @@ kdestroy uses the following environment variable:
 .TP
 .B \fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
 determine the availability of a cache collection; for instance, a
 default cache of type \fBDIR\fP causes caches within the directory
@@ -92,6 +92,6 @@ Default location of Kerberos 5 credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kinit.man b/src/man/kinit.man
index 46802f487bf0b70b9263ca77e1b89b9e3786154d..560460c86a8ef155e03b432b3a4b80d12bf847fc 100644 (file)
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KINIT" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkinit\fP
@@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH DESCRIPTION
 .sp
 kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP.
+\fIprincipal\fP\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -65,9 +65,9 @@ display verbose output.
 .TP
 .B \fB\-l\fP \fIlifetime\fP
 (\fIduration\fP string.)  Requests a ticket with the lifetime
-\fIlifetime\fP.
+\fIlifetime\fP\&.
 .sp
-For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP.
+For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
 .sp
 If the \fB\-l\fP option is not specified, the default ticket lifetime
 (configured by each site) is used.  Specifying a ticket lifetime
@@ -84,7 +84,7 @@ can become valid.
 .TP
 .B \fB\-r\fP \fIrenewable_life\fP
 (\fIduration\fP string.)  Requests renewable tickets, with a total
-lifetime of \fIrenewable_life\fP.
+lifetime of \fIrenewable_life\fP\&.
 .TP
 .B \fB\-f\fP
 requests forwardable tickets.
@@ -141,7 +141,7 @@ Requests anonymous processing.  Two types of anonymous principals
 are supported.
 .sp
 For fully anonymous Kerberos, configure pkinit on the KDC and
-configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP.
+configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&.
 Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
 (an empty principal name followed by the at\-sign and a realm
 name).  If permitted by the KDC, an anonymous ticket will be
@@ -224,7 +224,7 @@ kinit uses the following environment variables:
 .TP
 .B \fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials cache, in the form
-\fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the \fBFILE\fP
+\fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the \fBFILE\fP
 type is assumed.  The type of the default cache may determine the
 availability of a cache collection; for instance, a default cache
 of type \fBDIR\fP causes caches within the directory to be present
@@ -245,6 +245,6 @@ default location for the local host\(aqs keytab.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/klist.man b/src/man/klist.man
index 220f0efe524978aaabf0e6a8de5aa1e87fdc82b2..27a3defdc70c06992cbc0ea524a8972aaa2937c0 100644 (file)
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KLIST" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBklist\fP
@@ -91,10 +91,9 @@ a    anonymous
 .UNINDENT
 .TP
 .B \fB\-s\fP
-Causes klist to run silently (produce no output), but to still set
-the exit status according to whether it finds the credentials
-cache.  The exit status is \(aq0\(aq if klist finds a credentials cache,
-and \(aq1\(aq if it does not or if the tickets are expired.
+Causes klist to run silently (produce no output).  klist will exit
+with status 1 if the credentials cache cannot be read or is
+expired, and with status 0 otherwise.
 .TP
 .B \fB\-a\fP
 Display list of addresses in credentials.
@@ -138,7 +137,7 @@ klist uses the following environment variable:
 .TP
 .B \fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
 determine the availability of a cache collection; for instance, a
 default cache of type \fBDIR\fP causes caches within the directory
@@ -159,6 +158,6 @@ Default location for the local host\(aqs keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 75d78fb2d4182cbcf238bff34e190dbace8030fe..1db0e1277d2f57ce9bc807cf36f25eec9ad45b8c 100644 (file)
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KPASSWD" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkpasswd\fP [\fIprincipal\fP]
@@ -59,6 +59,6 @@ identity of the user invoking the kpasswd command.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kprop.man b/src/man/kprop.man
index 169d0ceff9dee64d2bf3468d02674c83808f5672..dc134009d204a55519b52ca6d0b12b09e20c5593 100644 (file)
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KPROP" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkprop\fP
@@ -43,8 +43,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .sp
 kprop is used to securely propagate a Kerberos V5 database dump file
 from the master Kerberos server to a slave Kerberos server, which is
-specified by \fIslave_host\fP.  The dump file must be created by
-\fIkdb5_util(8)\fP.
+specified by \fIslave_host\fP\&.  The dump file must be created by
+\fIkdb5_util(8)\fP\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -54,7 +54,7 @@ Specifies the realm of the master server.
 .B \fB\-f\fP \fIfile\fP
 Specifies the filename where the dumped principal database file is
 to be found; by default the dumped database file is normally
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP.
+\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&.
 .TP
 .B \fB\-P\fP \fIport\fP
 Specifies the port to use to contact the \fIkpropd(8)\fP server
@@ -79,6 +79,6 @@ Specifies the location of the keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 7bd2d623608d344dea69f3bc39ba8d00680be1b6..b8c73049a15802055c9b55a522a2002cdfbe4d0d 100644 (file)
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KPROPD" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
@@ -28,12 +30,11 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkpropd\fP
 [\fB\-r\fP \fIrealm\fP]
+[\fB\-A\fP \fIadmin_server\fP]
 [\fB\-a\fP \fIacl_file\fP]
 [\fB\-f\fP \fIslave_dumpfile\fP]
 [\fB\-F\fP \fIprincipal_database\fP]
@@ -50,7 +51,7 @@ from the master KDC.
 When the slave receives a kprop request from the master, kpropd
 accepts the dumped KDC database and places it in a file, and then runs
 \fIkdb5_util(8)\fP to load the dumped database into the active
-database which is used by \fIkrb5kdc(8)\fP.  This allows the master
+database which is used by \fIkrb5kdc(8)\fP\&.  This allows the master
 Kerberos server to use \fIkprop(8)\fP to propagate its database to
 the slave servers.  Upon a successful download of the KDC database
 file, the slave Kerberos server will have an up\-to\-date KDC database.
@@ -79,7 +80,7 @@ kpropd in standalone mode; this option is now accepted for backward
 compatibility but does nothing.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
-variable in \fIkdc.conf(5)\fP.  If incremental propagation is
+variable in \fIkdc.conf(5)\fP\&.  If incremental propagation is
 enabled, the slave periodically polls the master KDC for updates, at
 an interval determined by the \fBiprop_slave_poll\fP variable.  If the
 slave receives updates, kpropd updates its log file with any updates
@@ -98,13 +99,17 @@ enabled.
 .B \fB\-r\fP \fIrealm\fP
 Specifies the realm of the master server.
 .TP
+.B \fB\-A\fP \fIadmin_server\fP
+Specifies the server to be contacted for incremental updates; by
+default, the master admin server is contacted.
+.TP
 .B \fB\-f\fP \fIfile\fP
 Specifies the filename where the dumped principal database file is
-to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP.
+to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&.
 .TP
 .B \fB\-p\fP
 Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
-program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP.
+program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&.
 .TP
 .B \fB\-d\fP
 Turn on debug mode.  In this mode, kpropd will not detach
@@ -118,7 +123,7 @@ is only useful in combination with the \fB\-S\fP option.
 .TP
 .B \fB\-a\fP \fIacl_file\fP
 Allows the user to specify the path to the kpropd.acl file; by
-default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
+default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
@@ -134,9 +139,9 @@ kpropd uses the following environment variables:
 .TP
 .B kpropd.acl
 Access file for kpropd; the default location is
-\fB/usr/local/var/krb5kdc/kpropd.acl\fP.  Each entry is a line
+\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&.  Each entry is a line
 containing the principal of a host from which the local machine
-will allow Kerberos database propagation via \fIkprop(8)\fP.
+will allow Kerberos database propagation via \fIkprop(8)\fP\&.
 .UNINDENT
 .SH SEE ALSO
 .sp
@@ -144,6 +149,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 21d6bb51c7b69850447e564cc343d33595574364..9ef582c96616f4af9ebdf3d138c6aebccc37b2ce 100644 (file)
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KPROPLOG" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
@@ -112,6 +112,6 @@ kproplog uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 9731f4065b7515eab8f80a8ea1d49d4fb12eb4b9..ba082d68e346f23d91da4274820f89702ee74ffc 100644 (file)
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KRB5-CONFIG" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkrb5\-config\fP
@@ -74,7 +74,7 @@ prints the built\-in default client (initiator) keytab location.
 prints the compilation flags used to build the Kerberos installation.
 .TP
 .B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
-prints the compiler options needed to link against \fIlibrary\fP.
+prints the compiler options needed to link against \fIlibrary\fP\&.
 Allowed values for \fIlibrary\fP are:
 .TS
 center;
@@ -136,6 +136,6 @@ kerberos(1), cc(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 7fa49e1694732f17a0da43fcf104914f895c188c..6647ae5674967059d45ca192737d946fac6ab3c5 100644 (file)
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KRB5.CONF" "5" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
@@ -28,16 +30,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .sp
 The krb5.conf file contains Kerberos configuration information,
 including the locations of KDCs and admin servers for the Kerberos
 realms of interest, defaults for the current realm and for Kerberos
 applications, and mappings of hostnames onto Kerberos realms.
 Normally, you should install your krb5.conf file in the directory
-\fB/etc\fP.  You can override the default location by setting the
-environment variable \fBKRB5_CONFIG\fP.
+\fB/etc\fP\&.  You can override the default location by setting the
+environment variable \fBKRB5_CONFIG\fP\&.
 .SH STRUCTURE
 .sp
 The krb5.conf file is set up in the style of a Windows INI file.
@@ -53,9 +53,10 @@ foo = bar
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+or:
 .INDENT 0.0
-.TP
-.B or
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -66,14 +67,16 @@ fubar = {
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP
 value for the tag.  This means that neither the remainder of this
 configuration file nor any other configuration file will be checked
 for any other values for this tag.
+.sp
+For example, if you have the following lines:
 .INDENT 0.0
-.TP
-.B For example, if you have the following lines:
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -82,6 +85,7 @@ foo = baz
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 then the second value of \fBfoo\fP (\fBbaz\fP) would never be read.
 .sp
@@ -181,7 +185,7 @@ The libdefaults section may contain any of the following relations:
 If this flag is set to false, then weak encryption types (as noted
 in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered
 out of the lists \fBdefault_tgs_enctypes\fP,
-\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP.  The default
+\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&.  The default
 value for this tag is false, which may cause authentication
 failures in existing Kerberos infrastructures that do not support
 strong crypto.  Users in affected environments should set this tag
@@ -215,25 +219,25 @@ invalid.  The default value is 300 seconds, or five minutes.
 .TP
 .B \fBdefault_ccache_name\fP
 This relation specifies the name of the default credential cache.
-The default is \fB@CCNAME@\fP.  This relation is subject to parameter
+The default is \fB@CCNAME@\fP\&.  This relation is subject to parameter
 expansion (see below).  New in release 1.11.
 .TP
 .B \fBdefault_client_keytab_name\fP
 This relation specifies the name of the default keytab for
-obtaining client credentials.  The default is \fB@CKTNAME@\fP.  This
+obtaining client credentials.  The default is \fB@CKTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 New in release 1.11.
 .TP
 .B \fBdefault_keytab_name\fP
 This relation specifies the default keytab name to be used by
-application servers such as sshd.  The default is \fB@KTNAME@\fP.  This
+application servers such as sshd.  The default is \fB@KTNAME@\fP\&.  This
 relation is subject to parameter expansion (see below).
 .TP
 .B \fBdefault_realm\fP
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
-invoking programs such as \fIkinit(1)\fP.
+invoking programs such as \fIkinit(1)\fP\&.
 .TP
 .B \fBdefault_tgs_enctypes\fP
 Identifies the supported list of session key encryption types that
@@ -310,7 +314,7 @@ default value is false.  New in release 1.10.
 .TP
 .B \fBk5login_authoritative\fP
 If this flag is true, principals must be listed in a local user\(aqs
-k5login file to be granted login access, if a \fI.k5login(5)\fP
+k5login file to be granted login access, if a \fI\&.k5login(5)\fP
 file exists.  If this flag is false, a principal may still be
 granted login access through other mechanisms even if a k5login
 file exists but does not list the principal.  The default value is
@@ -324,6 +328,19 @@ files in the user\(aqs home directory, with the filename .k5login.
 For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
+.B \fBkcm_mach_service\fP
+On OS X only, determines the name of the bootstrap service used to
+contact the KCM daemon for the KCM credential cache type.  If the
+value is \fB\-\fP, Mach RPC will not be used to contact the KCM
+daemon.  The default value is \fBorg.h5l.kcm\fP\&.
+.TP
+.B \fBkcm_socket\fP
+Determines the path to the Unix domain socket used to access the
+KCM daemon for the KCM credential cache type.  If the value is
+\fB\-\fP, Unix domain sockets will not be used to contact the KCM
+daemon.  The default value is
+\fB/var/run/.heim_org.h5l.kcm\-socket\fP\&.
+.TP
 .B \fBkdc_default_options\fP
 Default KDC options (Xored for multiple values) when requesting
 initial tickets.  By default it is set to 0x00000010
@@ -468,7 +485,7 @@ ticket requests.  The default value is 1 day.
 .B \fBudp_preference_limit\fP
 When sending a message to the KDC, the library will try using TCP
 before UDP if the size of the message is above
-\fBudp_preference_limit\fP.  If the message is smaller than
+\fBudp_preference_limit\fP\&.  If the message is smaller than
 \fBudp_preference_limit\fP, then UDP will be tried before TCP.
 Regardless of the size, both protocols will be tried if the first
 attempt fails.
@@ -500,9 +517,9 @@ translated. The possible values are:
 .INDENT 7.0
 .TP
 .B \fBRULE:\fP\fIexp\fP
-The local name will be formulated from \fIexp\fP.
+The local name will be formulated from \fIexp\fP\&.
 .sp
-The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
+The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&.
 The integer \fIn\fP indicates how many components the target
 principal should have.  If this matches, then a string will be
 formed from \fIstring\fP, substituting the realm of the principal
@@ -513,15 +530,18 @@ for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
 the \fBs//[g]\fP substitution command will be run over the
 string.  The optional \fBg\fP will cause the substitution to be
 global over the \fIstring\fP, instead of replacing only the first
-match in the \fIstring\fP.
+match in the \fIstring\fP\&.
 .TP
 .B \fBDEFAULT\fP
 The principal name will be used as the local user name.  If
 the principal has more than one component or is not in the
 default realm, this rule is not applicable and the conversion
 will fail.
-.TP
-.B For example:
+.UNINDENT
+.sp
+For example:
+.INDENT 7.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -535,14 +555,15 @@ will fail.
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 would result in any principal without \fBroot\fP or \fBadmin\fP as the
 second component to be translated with the default rule.  A
 principal with a second component of \fBadmin\fP will become its
 first component.  \fBroot\fP will be used as the local name for any
-principal with a second component of \fBroot\fP.  The exception to
+principal with a second component of \fBroot\fP\&.  The exception to
 these two rules are any principals \fBjohndoe/*\fP, which will
-always get the local name \fBguest\fP.
+always get the local name \fBguest\fP\&.
 .TP
 .B \fBauth_to_local_names\fP
 This subsection allows you to set explicit mappings from principal
@@ -555,6 +576,32 @@ translating Kerberos 4 service principals to Kerberos 5 principals
 (for example, when converting \fBrcmd.hostname\fP to
 \fBhost/hostname.domain\fP).
 .TP
+.B \fBhttp_anchors\fP
+When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
+can be used to specify the location of the CA certificate which should be
+trusted to issue the certificate for a proxy server.  If left unspecified,
+the system\-wide default set of CA certificates is used.
+.sp
+The syntax for values is similar to that of values for the
+\fBpkinit_anchors\fP tag:
+.sp
+\fBFILE:\fP \fIfilename\fP
+.sp
+\fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file.
+.sp
+\fBDIR:\fP \fIdirname\fP
+.sp
+\fIdirname\fP is assumed to be an directory which contains CA certificates.
+All files in the directory will be examined; if they contain certificates
+(in PEM format), they will be used.
+.sp
+\fBENV:\fP \fIenvvar\fP
+.sp
+\fIenvvar\fP specifies the name of an environment variable which has been set
+to a value conforming to one of the previous values.  For example,
+\fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has
+been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
+.TP
 .B \fBkdc\fP
 The name or address of a host running a KDC for that realm.  An
 optional port number, separated from the hostname by a colon, may
@@ -597,7 +644,7 @@ is the Kerberos V4 realm name.
 The [domain_realm] section provides a translation from a domain name
 or hostname to a Kerberos realm name.  The tag name can be a host name
 or domain name, where domain names are indicated by a prefix of a
-period (\fB.\fP).  The value of the relation is the Kerberos realm name
+period (\fB\&.\fP).  The value of the relation is the Kerberos realm name
 for that particular host or domain.  A host name relation implicitly
 provides the corresponding domain name relation, unless an explicit domain
 name relation is provided.  The Kerberos realm may be
@@ -620,10 +667,10 @@ Host names and domain names should be in lower case.  For example:
 maps the host with the name \fBcrash.mit.edu\fP into the
 \fBTEST.ATHENA.MIT.EDU\fP realm.  The second entry maps all hosts under the
 domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not
-the host with the name \fBdev.mit.edu\fP.  That host is matched
+the host with the name \fBdev.mit.edu\fP\&.  That host is matched
 by the third entry, which maps the host \fBmit.edu\fP and all hosts
 under the domain \fBmit.edu\fP that do not match a preceding rule
-into the realm \fBATHENA.MIT.EDU\fP.
+into the realm \fBATHENA.MIT.EDU\fP\&.
 .sp
 If no translation entry applies to a hostname used for a service
 principal for a service ticket request, the library will try to get a
@@ -660,7 +707,7 @@ a subtag of the server realm.
 For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to
 use the \fBES.NET\fP realm as an intermediate realm.  ANL has a sub
 realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP
-but not \fBPNL.GOV\fP.  The [capaths] section for \fBANL.GOV\fP systems
+but not \fBPNL.GOV\fP\&.  The [capaths] section for \fBANL.GOV\fP systems
 would look like this:
 .INDENT 0.0
 .INDENT 3.5
@@ -732,9 +779,10 @@ important to servers.
 Each tag in the [appdefaults] section names a Kerberos V5 application
 or an option that is used by some Kerberos V5 application[s].  The
 value of the tag defines the default behaviors for that application.
+.sp
+For example:
 .INDENT 0.0
-.TP
-.B For example:
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -755,6 +803,7 @@ value of the tag defines the default behaviors for that application.
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 The above four ways of specifying the value of an option are shown in
 order of decreasing precedence. In this example, if telnet is running
@@ -809,7 +858,7 @@ form \fBmodulename:pathname\fP, which causes the shared object
 located at \fIpathname\fP to be registered as a dynamic module named
 \fImodulename\fP for the pluggable interface.  If \fIpathname\fP is not an
 absolute path, it will be treated as relative to the
-\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP.
+\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&.
 .UNINDENT
 .sp
 For pluggable interfaces where module order matters, modules
@@ -930,21 +979,25 @@ realm\(aqs section, and applies the default method if no
 .TP
 .B \fBk5login\fP
 This module authorizes a principal to a local account according to
-the account\(aqs \fI.k5login(5)\fP file.
+the account\(aqs \fI\&.k5login(5)\fP file.
 .TP
 .B \fBan2ln\fP
 This module authorizes a principal to a local account if the
 principal name maps to the local account name.
 .UNINDENT
 .SH PKINIT OPTIONS
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 The following are PKINIT\-specific options.  These values may
 be specified in [libdefaults] as global defaults, or within
 a realm\-specific subsection of [libdefaults], or may be
 specified as realm\-specific values in the [realms] section.
 A realm\-specific value overrides, not adds to, a generic
 [libdefaults] specification.  The search order is:
-.RE
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .IP 1. 3
 realm\-specific subsection of [libdefaults]:
@@ -962,7 +1015,7 @@ realm\-specific subsection of [libdefaults]:
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-realm\-specific value in the [realms] section,
+realm\-specific value in the [realms] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
@@ -977,7 +1030,7 @@ realm\-specific value in the [realms] section,
 .UNINDENT
 .UNINDENT
 .IP 3. 3
-generic value in the [libdefaults] section.
+generic value in the [libdefaults] section:
 .INDENT 3.0
 .INDENT 3.5
 .sp
@@ -1015,19 +1068,19 @@ In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
 specifies a directory with files named \fB*.crt\fP and \fB*.key\fP
 where the first part of the file name is the same for matching
 pairs of certificate and private key files.  When a file with a
-name ending with \fB.crt\fP is found, a matching file ending with
-\fB.key\fP is assumed to contain the private key.  If no such file
-is found, then the certificate in the \fB.crt\fP is not used.
+name ending with \fB\&.crt\fP is found, a matching file ending with
+\fB\&.key\fP is assumed to contain the private key.  If no such file
+is found, then the certificate in the \fB\&.crt\fP is not used.
 .sp
 In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to
 be an OpenSSL\-style hashed CA directory where each CA cert is
-stored in a file named \fBhash\-of\-ca\-cert.#\fP.  This infrastructure
+stored in a file named \fBhash\-of\-ca\-cert.#\fP\&.  This infrastructure
 is encouraged, but all files in the directory will be examined and
 if they contain certificates (in PEM format), they will be used.
 .sp
 In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style
 hashed CA directory where each revocation list is stored in a file
-named \fBhash\-of\-ca\-cert.r#\fP.  This infrastructure is encouraged,
+named \fBhash\-of\-ca\-cert.r#\fP\&.  This infrastructure is encouraged,
 but all files in the directory will be examined and if they
 contain a revocation list (in PEM format), they will be used.
 .TP
@@ -1038,8 +1091,8 @@ user\(aqs certificate and private key.
 .B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
 All keyword/values are optional.  \fImodname\fP specifies the location
 of a library implementing PKCS #11.  If a value is encountered
-with no keyword, it is assumed to be the \fImodname\fP.  If no
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP.
+with no keyword, it is assumed to be the \fImodname\fP\&.  If no
+module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
 \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
 a particular smard card reader or token if there is more than one
 available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
@@ -1051,7 +1104,7 @@ to select a particular certificate to use for PKINIT.
 \fIenvvar\fP specifies the name of an environment variable which has
 been set to a value conforming to one of the previous values.  For
 example, \fBENV:X509_PROXY\fP, where environment variable
-\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP.
+\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&.
 .UNINDENT
 .SS PKINIT krb5.conf options
 .INDENT 0.0
@@ -1089,7 +1142,7 @@ where:
 .B \fIrelation\-operator\fP
 can be either \fB&&\fP, meaning all component rules must match,
 or \fB||\fP, meaning only one component rule must match.  The
-default is \fB&&\fP.
+default is \fB&&\fP\&.
 .TP
 .B \fIcomponent\-rule\fP
 can be one of the following.  Note that there is no
@@ -1158,11 +1211,12 @@ recognized in the krb5.conf file are:
 .TP
 .B \fBkpKDC\fP
 This is the default value and specifies that the KDC must have
-the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
+the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&.
 .TP
 .B \fBkpServerAuth\fP
 If \fBkpServerAuth\fP is specified, a KDC certificate with the
-id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
+id\-kp\-serverAuth EKU will be accepted.  This key usage value
+is used in most commercially issued server certificates.
 .TP
 .B \fBnone\fP
 If \fBnone\fP is specified, then the KDC certificate will not be
@@ -1187,13 +1241,10 @@ these values are not used if the user specifies
 The presense of this option indicates that the client is willing
 to accept a KDC certificate with a dNSName SAN (Subject
 Alternative Name) rather than requiring the id\-pkinit\-san as
-defined in \fI\%RFC 4556\fP.  This option may be specified multiple
+defined in \fI\%RFC 4556\fP\&.  This option may be specified multiple
 times.  Its value should contain the acceptable hostname for the
 KDC (as contained in its certificate).
 .TP
-.B \fBpkinit_longhorn\fP
-If this flag is set to true, we are talking to the Longhorn KDC.
-.TP
 .B \fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the client to complete the trust chain between a KDC
@@ -1221,16 +1272,6 @@ Specifies the location of Certificate Revocation List (CRL)
 information to be used by the client when verifying the validity
 of the KDC certificate presented.  This option may be specified
 multiple times.
-.TP
-.B \fBpkinit_win2k\fP
-This flag specifies whether the target realm is assumed to support
-only the old, pre\-RFC version of the protocol.  The default is
-false.
-.TP
-.B \fBpkinit_win2k_require_binding\fP
-If this flag is set to true, it expects that the target KDC is
-patched to return a reply with a checksum rather than a nonce.
-The default is false.
 .UNINDENT
 .SH PARAMETER EXPANSION
 .sp
@@ -1352,8 +1393,6 @@ Here is an example of a generic krb5.conf file:
 .ft C
 [libdefaults]
     default_realm = ATHENA.MIT.EDU
-    default_tkt_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
-    default_tgs_enctypes = des3\-hmac\-sha1 des\-cbc\-crc
     dns_lookup_kdc = true
     dns_lookup_realm = false
 
@@ -1364,7 +1403,6 @@ Here is an example of a generic krb5.conf file:
         kdc = kerberos\-2.mit.edu:750
         admin_server = kerberos.mit.edu
         master_kdc = kerberos.mit.edu
-        default_domain = mit.edu
     }
     EXAMPLE.COM = {
         kdc = kerberos.example.com
@@ -1373,7 +1411,6 @@ Here is an example of a generic krb5.conf file:
     }
 
 [domain_realm]
-    .mit.edu = ATHENA.MIT.EDU
     mit.edu = ATHENA.MIT.EDU
 
 [capaths]
@@ -1396,6 +1433,6 @@ syslog(3)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 784c1f1a641a93c24ae36f5c888b5034b99cd0b0..5e177c994c213d737111d10376e06b62d0d35f3f 100644 (file)
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KRB5KDC" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkrb5kdc\fP
@@ -59,7 +59,7 @@ LDAP database.
 .sp
 The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
 to be entered manually as a password when \fB\-m\fP is given; the default
-is \fBdes\-cbc\-crc\fP.
+is \fBdes\-cbc\-crc\fP\&.
 .sp
 The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the
 master key in the database (usually \fBK/M\fP in the KDC\(aqs realm).
@@ -91,48 +91,21 @@ the \fB\-P\fP option is also given) acts as a supervisor.  The supervisor
 will relay SIGHUP signals to the worker subprocesses, and will
 terminate the worker subprocess if the it is itself terminated or if
 any other worker process exits.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 On operating systems which do not have \fIpktinfo\fP support,
 using worker processes will prevent the KDC from listening
 for UDP packets on network interfaces created after the KDC
 starts.
-.RE
-.sp
-The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
-Options supported for the LDAP database module are:
-.INDENT 0.0
-.INDENT 3.5
-.INDENT 0.0
-.TP
-.B \fB\-x\fP nconns=<number_of_connections>
-Specifies the number of connections to be maintained per
-LDAP server.
-.TP
-.B \fB\-x\fP host=<ldapuri>
-Specifies the LDAP server to connect to by URI.
-.TP
-.B \fB\-x\fP binddn=<binddn>
-Specifies the DN of the object used by the KDC server to bind
-to the LDAP server.  This object should have read and write
-privileges to the realm container, the principal container,
-and the subtree that is referenced by the realm.
-.TP
-.B \fB\-x\fP bindpwd=<bind_password>
-Specifies the password for the above mentioned binddn.  Using
-this option may expose the password to other users on the
-system via the process list; to avoid this, instead stash the
-password using the \fBstashsrvpw\fP command of
-\fIkdb5_ldap_util(8)\fP.
-.TP
-.B \fB\-x debug=\fP\fIlevel\fP
-sets the OpenLDAP client library debug level.  \fIlevel\fP is an
-integer to be interpreted by the library.  Debugging messages
-are printed to standard error, so this option must be used
-with the \fB\-n\fP option to be useful.  New in release 1.12.
-.UNINDENT
 .UNINDENT
 .UNINDENT
 .sp
+The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments.
+See \fIDatabase Options\fP in \fIkadmin(1)\fP for
+supported arguments.
+.sp
 The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
 the KDC will operate under.  It is intended only for testing purposes.
 .SH EXAMPLE
@@ -177,6 +150,6 @@ krb5kdc uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/ksu.man b/src/man/ksu.man
index 89648ee8fc8e7432af1ba60065660347d4cc94b7..e6a65db0487da48ba885c625bcd543432ef4b011 100644 (file)
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KSU" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBksu\fP
@@ -53,14 +53,18 @@ Kerberos version 5 server running to use ksu.
 ksu is a Kerberized version of the su program that has two missions:
 one is to securely change the real and effective user ID to that of
 the target user, and the other is to create a new security context.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 For the sake of clarity, all references to and attributes of
 the user invoking the program will start with "source"
 (e.g., "source user", "source cache", etc.).
 .sp
 Likewise, all references to and attributes of the target
 account will start with "target".
-.RE
+.UNINDENT
+.UNINDENT
 .SH AUTHENTICATION
 .sp
 To fulfill the first mission, ksu operates in two phases:
@@ -70,7 +74,7 @@ principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP)
 or a default principal name will be assigned using a heuristic
 described in the OPTIONS section (see \fB\-n\fP option).  The target user
 name must be the first argument to ksu; if not specified root is the
-default.  If \fB.\fP is specified then the target user will be the
+default.  If \fB\&.\fP is specified then the target user will be the
 source user (e.g., \fBksu .\fP).  If the source user is root or the
 target user is the source user, no authentication or authorization
 takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
@@ -96,12 +100,13 @@ option, see the OPTIONS section.
 Upon successful authentication, ksu checks whether the target
 principal is authorized to access the target account.  In the target
 user\(aqs home directory, ksu attempts to access two authorization files:
-\fI.k5login(5)\fP and .k5users.  In the .k5login file each line
+\fI\&.k5login(5)\fP and .k5users.  In the .k5login file each line
 contains the name of a principal that is authorized to access the
 account.
+.sp
+For example:
 .INDENT 0.0
-.TP
-.B For example:
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -111,6 +116,7 @@ jqpublic/admin@USC.EDU
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 The format of .k5users is the same, except the principal name may be
 followed by a list of commands that the principal is authorized to
@@ -165,11 +171,15 @@ server and stored in the target cache.  Otherwise, if a password is
 not provided (user hit return) ksu continues in a normal mode of
 operation (the target cache will not contain the desired TGT).  If the
 wrong password is typed in, ksu fails.
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 During authentication, only the tickets that could be
 obtained without providing a password are cached in in the
 source cache.
-.RE
+.UNINDENT
+.UNINDENT
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -186,10 +196,10 @@ Case 1: source user is non\-root.
 If the target user is the source user the default principal name
 is set to the default principal of the source cache.  If the
 cache does not exist then the default principal name is set to
-\fBtarget_user@local_realm\fP.  If the source and target users are
+\fBtarget_user@local_realm\fP\&.  If the source and target users are
 different and neither \fB~target_user/.k5users\fP nor
 \fB~target_user/.k5login\fP exist then the default principal name
-is \fBtarget_user_login_name@local_realm\fP.  Otherwise, starting
+is \fBtarget_user_login_name@local_realm\fP\&.  Otherwise, starting
 with the first principal listed below, ksu checks if the
 principal is authorized to access the target account and whether
 there is a legitimate ticket for that principal in the source
@@ -218,15 +228,15 @@ principal name equal to the prefix of the candidate.  For
 example if candidate a) is \fBjqpublic@ISI.EDU\fP and
 \fBjqpublic/secure@ISI.EDU\fP is authorized to access the target
 account then the default principal is set to
-\fBjqpublic/secure@ISI.EDU\fP.
+\fBjqpublic/secure@ISI.EDU\fP\&.
 .IP \(bu 2
 Case 2: source user is root.
 .sp
 If the target user is non\-root then the default principal name
-is \fBtarget_user@local_realm\fP.  Else, if the source cache
+is \fBtarget_user@local_realm\fP\&.  Else, if the source cache
 exists the default principal name is set to the default
 principal of the source cache.  If the source cache does not
-exist, default principal name is set to \fBroot\e@local_realm\fP.
+exist, default principal name is set to \fBroot\e@local_realm\fP\&.
 .UNINDENT
 .UNINDENT
 .sp
@@ -236,7 +246,7 @@ exist, default principal name is set to \fBroot\e@local_realm\fP.
 Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP).  If
 \fB\-c\fP option is not used then the name is obtained from
 \fBKRB5CCNAME\fP environment variable.  If \fBKRB5CCNAME\fP is not
-defined the source cache name is set to \fBkrb5cc_<source uid>\fP.
+defined the source cache name is set to \fBkrb5cc_<source uid>\fP\&.
 The target cache name is automatically set to \fBkrb5cc_<target
 uid>.(gen_sym())\fP, where gen_sym generates a new number such that
 the resulting cache does not already exist.  For example:
@@ -376,7 +386,7 @@ full path or just the program name.
 .B \fB\-a\fP \fIargs\fP
 Specify arguments to be passed to the target shell.  Note that all
 flags and parameters following \-a will be passed to the shell,
-thus all options intended for ksu must precede \fB\-a\fP.
+thus all options intended for ksu must precede \fB\-a\fP\&.
 .sp
 The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if
 used as follows:
@@ -421,8 +431,11 @@ If the source user is non\-root, ksu insists that the target user\(aqs
 shell to be invoked is a "legal shell".  \fIgetusershell(3)\fP is
 called to obtain the names of "legal shells".  Note that the
 target user\(aqs shell is obtained from the passwd file.
-.TP
-.B Sample configuration:
+.UNINDENT
+.sp
+Sample configuration:
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -430,6 +443,7 @@ KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/
 .ft P
 .fi
 .UNINDENT
+.UNINDENT
 .sp
 ksu should be owned by root and have the set user id bit turned on.
 .sp
@@ -446,6 +460,6 @@ GENNADY (ARI) MEDVINSKY
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index ead8344124c84863801bc8b36a14471c353f462d..fb66e830701a87ce183090a79bf29e3e659fde9f 100644 (file)
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KSWITCH" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkswitch\fP
@@ -46,7 +46,7 @@ Directly specifies the credential cache to be made primary.
 .TP
 .B \fB\-p\fP \fIprincipal\fP
 Causes the cache collection to be searched for a cache containing
-credentials for \fIprincipal\fP.  If one is found, that collection is
+credentials for \fIprincipal\fP\&.  If one is found, that collection is
 made primary.
 .UNINDENT
 .SH ENVIRONMENT
@@ -56,7 +56,7 @@ kswitch uses the following environment variables:
 .TP
 .B \fBKRB5CCNAME\fP
 Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
+the form \fItype\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
 determine the availability of a cache collection; for instance, a
 default cache of type \fBDIR\fP causes caches within the directory
@@ -74,6 +74,6 @@ Default location of Kerberos 5 credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 9ebdebd0d884ec26ce4b91d46128e4831cfdf4dc..b0f54a1e327c20f6096fc6219f32c708a30cf27e 100644 (file)
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KTUTIL" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBktutil\fP
@@ -76,7 +76,7 @@ Alias: \fBrst\fP
 .UNINDENT
 .UNINDENT
 .sp
-Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP.
+Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&.
 .sp
 Alias: \fBwkt\fP
 .SS write_st
@@ -86,7 +86,7 @@ Alias: \fBwkt\fP
 .UNINDENT
 .UNINDENT
 .sp
-Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP.
+Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&.
 .sp
 Alias: \fBwst\fP
 .SS clear_list
@@ -143,6 +143,8 @@ Aliases: \fBexit\fP, \fBq\fP
 .SH EXAMPLE
 .INDENT 0.0
 .INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
 .sp
 .nf
 .ft C
@@ -158,12 +160,14 @@ ktutil:
 .fi
 .UNINDENT
 .UNINDENT
+.UNINDENT
+.UNINDENT
 .SH SEE ALSO
 .sp
 \fIkadmin(1)\fP, \fIkdb5_util(8)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/kvno.man b/src/man/kvno.man
index 2739bd212b6fab5a8f82fdc0df22073e655f119a..0675b0839e1e175770526febff148113f1eb55ee 100644 (file)
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "KVNO" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBkvno\fP
@@ -74,13 +74,13 @@ conjunction with protocol transition.
 .B \fB\-S\fP \fIsname\fP
 Specifies that the \fIservice1 service2\fP ... arguments are
 interpreted as hostnames, and the service principals are to be
-constructed from those hostnames and the service name \fIsname\fP.
+constructed from those hostnames and the service name \fIsname\fP\&.
 The service hostnames will be canonicalized according to the usual
 rules for constructing service principals.
 .TP
 .B \fB\-U\fP \fIfor_user\fP
 Specifies that protocol transition (S4U2Self) is to be used to
-acquire a ticket on behalf of \fIfor_user\fP.  If constrained
+acquire a ticket on behalf of \fIfor_user\fP\&.  If constrained
 delegation is not requested, the service name must match the
 credentials cache client principal.
 .UNINDENT
@@ -104,6 +104,6 @@ Default location of the credentials cache
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/sclient.man b/src/man/sclient.man
index 88e24b65b54232c750464fc26f6a07c25db00b0e..f6deaf90366f24c8ed055ffd39d560670602e23d 100644 (file)
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "SCLIENT" "1" " " "1.13" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBsclient\fP \fIremotehost\fP
@@ -45,6 +45,6 @@ the server\(aqs response.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/man/sserver.man b/src/man/sserver.man
index 93e749a67c55d5fceb1295958f35b3bca6fc3ce0..81a04b133c929b633c812d1e6a27b019335c07a1 100644 (file)
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,3 +1,5 @@
+.\" Man page generated from reStructuredText.
+.
 .TH "SSERVER" "8" " " "1.13" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBsserver\fP
@@ -46,9 +46,9 @@ good test that Kerberos has been successfully installed on a machine.
 .sp
 The service name used by sserver and sclient is sample.  Hence,
 sserver will require that there be a keytab entry for the service
-\fBsample/hostname.domain.name@REALM.NAME\fP.  This keytab is generated
+\fBsample/hostname.domain.name@REALM.NAME\fP\&.  This keytab is generated
 using the \fIkadmin(1)\fP program.  The keytab file is usually
-installed as \fB@KTNAME@\fP.
+installed as \fB@KTNAME@\fP\&.
 .sp
 The \fB\-S\fP option allows for a different keytab than the default.
 .sp
@@ -81,7 +81,7 @@ sample          13135/tcp
 .sp
 When using sclient, you will first have to have an entry in the
 Kerberos database, by using \fIkadmin(1)\fP, and then you have to get
-Kerberos tickets, by using \fIkinit(1)\fP.  Also, if you are running
+Kerberos tickets, by using \fIkinit(1)\fP\&.  Also, if you are running
 the sclient program on a different host than the sserver it will be
 connecting to, be sure that both hosts have an entry in /etc/services
 for the sample tcp port, and that the same port number is in both
@@ -110,7 +110,7 @@ kinit returns the error:
 .nf
 .ft C
 kinit: Client not found in Kerberos database while getting
-    initial credentials
+       initial credentials
 .ft P
 .fi
 .UNINDENT
@@ -156,7 +156,7 @@ sclient returns the error:
 .nf
 .ft C
 sclient: Server not found in Kerberos database while using
-    sendauth
+         sendauth
 .ft P
 .fi
 .UNINDENT
@@ -189,6 +189,6 @@ probably not installed in the proper directory.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2014, MIT
 .\" Generated by docutils manpage writer.
 .

diff --git a/src/patchlevel.h b/src/patchlevel.h
index b7dfe3d0d022939b508d8e8fa18b8bf1ab057ad5..a527ffd39d064a6e528b0a7f6ded5661452d5233 100644 (file)
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -52,6 +52,6 @@
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 13
 #define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "prerelease"
+#define KRB5_RELTAIL "alpha1"
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "master"
+#define KRB5_RELTAG "krb5-1.13-alpha1"

diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index c301ca36d012dc1896612314b503d7c91de639d6..bfada08ad480a01a00f9cef3d4bab090b0e71e53 100644 (file)
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: mit-krb5 1.13-prerelease\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2014-01-15 18:53-0500\n"
+"POT-Creation-Date: 2014-08-20 18:47-0400\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -40,22 +40,22 @@ msgid "\t-c specify name of credentials cache\n"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:98
-#: ../../src/clients/kinit/kinit.c:382 ../../src/clients/ksu/main.c:282
+#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:286
 #, c-format
 msgid "Only one -c option allowed\n"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:105
-#: ../../src/clients/kinit/kinit.c:411 ../../src/clients/klist/klist.c:182
+#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182
 #, c-format
 msgid "Kerberos 4 is no longer supported\n"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:126
-#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:134
+#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:137
 #: ../../src/clients/kswitch/kswitch.c:97 ../../src/kadmin/ktutil/ktutil.c:52
-#: ../../src/kdc/main.c:926 ../../src/slave/kprop.c:104
-#: ../../src/slave/kpropd.c:1090
+#: ../../src/kdc/main.c:926 ../../src/slave/kprop.c:102
+#: ../../src/slave/kpropd.c:1052
 msgid "while initializing krb5"
 msgstr ""
 
@@ -79,11 +79,11 @@ msgid "while resolving %s"
 msgstr ""
 
 #: ../../src/clients/kdestroy/kdestroy.c:163
-#: ../../src/clients/kinit/kinit.c:499 ../../src/clients/klist/klist.c:460
+#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460
 msgid "while getting default ccache"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:900
+#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:987
 msgid "while destroying cache"
 msgstr ""
 
@@ -97,341 +97,348 @@ msgstr ""
 msgid "Ticket cache %cNOT%c destroyed!\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:212
+#: ../../src/clients/kinit/kinit.c:213
 #, c-format
 msgid "\t-V verbose\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:213
+#: ../../src/clients/kinit/kinit.c:214
 #, c-format
 msgid "\t-l lifetime\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:214
+#: ../../src/clients/kinit/kinit.c:215
 #, c-format
 msgid "\t-s start time\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:215
+#: ../../src/clients/kinit/kinit.c:216
 #, c-format
 msgid "\t-r renewable lifetime\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:216
+#: ../../src/clients/kinit/kinit.c:217
 #, c-format
 msgid "\t-f forwardable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:217
+#: ../../src/clients/kinit/kinit.c:218
 #, c-format
 msgid "\t-F not forwardable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:218
+#: ../../src/clients/kinit/kinit.c:219
 #, c-format
 msgid "\t-p proxiable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:219
+#: ../../src/clients/kinit/kinit.c:220
 #, c-format
 msgid "\t-P not proxiable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:220
+#: ../../src/clients/kinit/kinit.c:221
 #, c-format
 msgid "\t-n anonymous\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:221
+#: ../../src/clients/kinit/kinit.c:222
 #, c-format
 msgid "\t-a include addresses\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:222
+#: ../../src/clients/kinit/kinit.c:223
 #, c-format
 msgid "\t-A do not include addresses\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:223
+#: ../../src/clients/kinit/kinit.c:224
 #, c-format
 msgid "\t-v validate\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:224
+#: ../../src/clients/kinit/kinit.c:225
 #, c-format
 msgid "\t-R renew\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:225
+#: ../../src/clients/kinit/kinit.c:226
 #, c-format
 msgid "\t-C canonicalize\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:226
+#: ../../src/clients/kinit/kinit.c:227
 #, c-format
 msgid "\t-E client is enterprise principal name\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:227
+#: ../../src/clients/kinit/kinit.c:228
 #, c-format
 msgid "\t-k use keytab\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:228
+#: ../../src/clients/kinit/kinit.c:229
 #, c-format
 msgid "\t-i use default client keytab (with -k)\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:229
+#: ../../src/clients/kinit/kinit.c:230
 #, c-format
 msgid "\t-t filename of keytab to use\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:230
+#: ../../src/clients/kinit/kinit.c:231
 #, c-format
 msgid "\t-c Kerberos 5 cache name\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:231
+#: ../../src/clients/kinit/kinit.c:232
 #, c-format
 msgid "\t-S service\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:232
+#: ../../src/clients/kinit/kinit.c:233
 #, c-format
 msgid "\t-T armor credential cache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:233
+#: ../../src/clients/kinit/kinit.c:234
 #, c-format
 msgid "\t-X <attribute>[=<value>]\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:300 ../../src/clients/kinit/kinit.c:308
+#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309
 #, c-format
 msgid "Bad lifetime value %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:342
+#: ../../src/clients/kinit/kinit.c:343
 #, c-format
 msgid "Bad start time value %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:361
+#: ../../src/clients/kinit/kinit.c:362
 #, c-format
 msgid "Only one -t option allowed.\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:369
+#: ../../src/clients/kinit/kinit.c:370
 #, c-format
 msgid "Only one armor_ccache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:390
+#: ../../src/clients/kinit/kinit.c:391
 #, c-format
 msgid "Only one -I option allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:400
+#: ../../src/clients/kinit/kinit.c:401
 msgid "while adding preauth option"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:424
+#: ../../src/clients/kinit/kinit.c:425
 #, c-format
 msgid "Only one of -f and -F allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:429
+#: ../../src/clients/kinit/kinit.c:430
 #, c-format
 msgid "Only one of -p and -P allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:434
+#: ../../src/clients/kinit/kinit.c:435
 #, c-format
 msgid "Only one of -a and -A allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:439
+#: ../../src/clients/kinit/kinit.c:440
 #, c-format
 msgid "Only one of -t and -i allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:446
+#: ../../src/clients/kinit/kinit.c:447
 #, c-format
 msgid "keytab specified, forcing -k\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:450 ../../src/clients/klist/klist.c:221
+#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221
 #, c-format
 msgid "Extra arguments (starting with \"%s\").\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:478
+#: ../../src/clients/kinit/kinit.c:480
 msgid "while initializing Kerberos 5 library"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:486 ../../src/clients/kinit/kinit.c:627
-#: ../../src/clients/ksu/ccache.c:73 ../../src/clients/ksu/ccache.c:662
+#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644
 #, c-format
 msgid "resolving ccache %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:491
+#: ../../src/clients/kinit/kinit.c:493
 #, c-format
 msgid "Using specified cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:513 ../../src/clients/kinit/kinit.c:578
-#: ../../src/clients/kpasswd/kpasswd.c:29 ../../src/clients/ksu/main.c:234
+#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595
+#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:237
 #, c-format
 msgid "when parsing name %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:521 ../../src/kadmin/dbutil/kdb5_util.c:308
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:393
-#: ../../src/slave/kprop.c:218
+#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391
+#: ../../src/slave/kprop.c:203
 msgid "while getting default realm"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:533
+#: ../../src/clients/kinit/kinit.c:535
 msgid "while building principal"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:542
+#: ../../src/clients/kinit/kinit.c:543
+msgid "When resolving the default client keytab"
+msgstr ""
+
+#: ../../src/clients/kinit/kinit.c:550
+msgid "When determining client principal name from keytab"
+msgstr ""
+
+#: ../../src/clients/kinit/kinit.c:559
 msgid "when creating default server principal name"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:549
+#: ../../src/clients/kinit/kinit.c:566
 #, c-format
 msgid "(principal %s)"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:552
+#: ../../src/clients/kinit/kinit.c:569
 msgid "for local services"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:573 ../../src/clients/kpasswd/kpasswd.c:43
+#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42
 #, c-format
 msgid "Unable to identify user\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:588 ../../src/clients/kswitch/kswitch.c:116
+#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116
 #, c-format
 msgid "while searching for ccache for %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:594
+#: ../../src/clients/kinit/kinit.c:611
 #, c-format
 msgid "Using existing cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:603
+#: ../../src/clients/kinit/kinit.c:620
 msgid "while generating new ccache"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:607
+#: ../../src/clients/kinit/kinit.c:624
 #, c-format
 msgid "Using new cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:619
+#: ../../src/clients/kinit/kinit.c:636
 #, c-format
 msgid "Using default cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:632
+#: ../../src/clients/kinit/kinit.c:649
 #, c-format
 msgid "Using specified input cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:640 ../../src/clients/ksu/krb_auth_su.c:276
+#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:276
 msgid "when unparsing name"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:644
+#: ../../src/clients/kinit/kinit.c:661
 #, c-format
 msgid "Using principal: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:735
+#: ../../src/clients/kinit/kinit.c:752
 msgid "getting local addresses"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:754
+#: ../../src/clients/kinit/kinit.c:771
 #, c-format
 msgid "while setting up KDB keytab for realm %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:763 ../../src/clients/kvno/kvno.c:203
+#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201
 #, c-format
 msgid "resolving keytab %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:768
+#: ../../src/clients/kinit/kinit.c:785
 #, c-format
 msgid "Using keytab: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:772
+#: ../../src/clients/kinit/kinit.c:789
 msgid "resolving default client keytab"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:782
+#: ../../src/clients/kinit/kinit.c:799
 #, c-format
 msgid "while setting '%s'='%s'"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:787
+#: ../../src/clients/kinit/kinit.c:804
 #, c-format
 msgid "PA Option %s = %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:832
+#: ../../src/clients/kinit/kinit.c:849
 msgid "getting initial credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:835
+#: ../../src/clients/kinit/kinit.c:852
 msgid "validating credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:838
+#: ../../src/clients/kinit/kinit.c:855
 msgid "renewing credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:843
+#: ../../src/clients/kinit/kinit.c:860
 #, c-format
 msgid "%s: Password incorrect while %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:846
+#: ../../src/clients/kinit/kinit.c:863
 #, c-format
 msgid "while %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:854 ../../src/slave/kprop.c:245
+#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224
 #, c-format
 msgid "when initializing cache %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:859
+#: ../../src/clients/kinit/kinit.c:876
 #, c-format
 msgid "Initialized cache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:863
+#: ../../src/clients/kinit/kinit.c:880
 msgid "while storing credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:867
+#: ../../src/clients/kinit/kinit.c:884
 #, c-format
 msgid "Stored credentials\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:874
+#: ../../src/clients/kinit/kinit.c:891
 msgid "while switching to new ccache"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:929
+#: ../../src/clients/kinit/kinit.c:946
 #, c-format
 msgid "Authenticated to Kerberos v5\n"
 msgstr ""
@@ -541,29 +548,29 @@ msgstr ""
 msgid "while getting default keytab"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:115
+#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:110
 #, c-format
 msgid "while resolving keytab %s"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:99
+#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:94
 msgid "while getting keytab name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:409
+#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:404
 msgid "while starting keytab scan"
 msgstr ""
 
 #: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500
-#: ../../src/clients/ksu/ccache.c:481 ../../src/kadmin/dbutil/dump.c:551
+#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550
 msgid "while unparsing principal name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:453
+#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:448
 msgid "while scanning keytab"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:458
+#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:453
 msgid "while ending keytab scan"
 msgstr ""
 
@@ -604,26 +611,26 @@ msgstr ""
 msgid "while retrieving a ticket"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:466
-#: ../../src/slave/kpropd.c:1298 ../../src/slave/kpropd.c:1361
+#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450
+#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285
 msgid "while unparsing client name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:471
-#: ../../src/slave/kprop.c:266
+#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455
+#: ../../src/slave/kprop.c:240
 msgid "while unparsing server name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:496
+#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480
 #, c-format
 msgid "\tfor client %s"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:505
+#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489
 msgid "renew until "
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:515
+#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499
 #, c-format
 msgid "Flags: %s"
 msgstr ""
@@ -653,79 +660,79 @@ msgstr ""
 msgid "broken address (type %d length %d)"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:844
+#: ../../src/clients/klist/klist.c:838
 #, c-format
 msgid "unknown addrtype %d"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:853
+#: ../../src/clients/klist/klist.c:847
 #, c-format
 msgid "unprintable address (type %d, error %d %s)"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:368
+#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396
 msgid "Enter new password"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:14 ../../src/lib/krb5/krb/gic_pwd.c:376
+#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404
 msgid "Enter it again"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:34
+#: ../../src/clients/kpasswd/kpasswd.c:33
 #, c-format
 msgid "Unable to identify user from password file\n"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:66
+#: ../../src/clients/kpasswd/kpasswd.c:65
 #, c-format
 msgid "usage: %s [principal]\n"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:74
+#: ../../src/clients/kpasswd/kpasswd.c:73
 msgid "initializing kerberos library"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:78
+#: ../../src/clients/kpasswd/kpasswd.c:77
 msgid "allocating krb5_get_init_creds_opt"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:93
+#: ../../src/clients/kpasswd/kpasswd.c:92
 msgid "opening default ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:98
+#: ../../src/clients/kpasswd/kpasswd.c:97
 msgid "getting principal from ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:105
+#: ../../src/clients/kpasswd/kpasswd.c:104
 msgid "while setting FAST ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:112
+#: ../../src/clients/kpasswd/kpasswd.c:111
 msgid "closing ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:119
+#: ../../src/clients/kpasswd/kpasswd.c:118
 msgid "parsing client name"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:136
+#: ../../src/clients/kpasswd/kpasswd.c:135
 msgid "Password incorrect while getting initial ticket"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:138
+#: ../../src/clients/kpasswd/kpasswd.c:137
 msgid "getting initial ticket"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:145
+#: ../../src/clients/kpasswd/kpasswd.c:144
 msgid "while reading password"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:153
+#: ../../src/clients/kpasswd/kpasswd.c:152
 msgid "changing password"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:175
+#: ../../src/clients/kpasswd/kpasswd.c:174
 #: ../lib/kadm5/chpass_util_strings.c:30
 #, c-format
 msgid "Password changed.\n"
@@ -764,12 +771,12 @@ msgstr ""
 msgid "home directory name `%s' too long, can't search for .k5login\n"
 msgstr ""
 
-#: ../../src/clients/ksu/ccache.c:384
+#: ../../src/clients/ksu/ccache.c:368
 #, c-format
 msgid "home directory path for %s too long\n"
 msgstr ""
 
-#: ../../src/clients/ksu/ccache.c:477
+#: ../../src/clients/ksu/ccache.c:461
 msgid "while retrieving principal name"
 msgstr ""
 
@@ -778,7 +785,7 @@ msgstr ""
 #: ../../src/clients/ksu/krb_auth_su.c:171
 #: ../../src/clients/ksu/krb_auth_su.c:176
 #: ../../src/clients/ksu/krb_auth_su.c:225
-#: ../../src/clients/ksu/krb_auth_su.c:230 ../../src/slave/kprop.c:275
+#: ../../src/clients/ksu/krb_auth_su.c:230 ../../src/slave/kprop.c:247
 msgid "while copying client principal"
 msgstr ""
 
@@ -787,7 +794,7 @@ msgstr ""
 msgid "while creating server %s principal name"
 msgstr ""
 
-#: ../../src/clients/ksu/krb_auth_su.c:110 ../../src/clients/ksu/main.c:503
+#: ../../src/clients/ksu/krb_auth_su.c:110 ../../src/clients/ksu/main.c:476
 msgid "while creating tgt for local realm"
 msgstr ""
 
@@ -810,7 +817,7 @@ msgstr ""
 msgid "         in remotely using an unsecure (non-encrypted) channel. \n"
 msgstr ""
 
-#: ../../src/clients/ksu/krb_auth_su.c:156 ../../src/clients/ksu/main.c:491
+#: ../../src/clients/ksu/krb_auth_su.c:156 ../../src/clients/ksu/main.c:464
 msgid "while reclaiming root uid"
 msgstr ""
 
@@ -876,7 +883,7 @@ msgstr ""
 msgid " %s while unparsing name\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:62
+#: ../../src/clients/ksu/main.c:68
 #, c-format
 msgid ""
 "Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r "
@@ -884,243 +891,283 @@ msgid ""
 "[args... ] ]\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:144
+#: ../../src/clients/ksu/main.c:147
 msgid ""
 "program name too long - quitting to avoid triggering system logging bugs"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:170
+#: ../../src/clients/ksu/main.c:173
 msgid "while allocating memory"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:183
+#: ../../src/clients/ksu/main.c:186
 msgid "while setting euid to source user"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:194 ../../src/clients/ksu/main.c:228
+#: ../../src/clients/ksu/main.c:197 ../../src/clients/ksu/main.c:231
 #, c-format
 msgid "Bad lifetime value (%s hours?)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:205 ../../src/clients/ksu/main.c:290
+#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:294
 msgid "when gathering parameters"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:250
+#: ../../src/clients/ksu/main.c:253
 #, c-format
 msgid "-z option is mutually exclusive with -Z.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:258
+#: ../../src/clients/ksu/main.c:261
 #, c-format
 msgid "-Z option is mutually exclusive with -z.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:270
+#: ../../src/clients/ksu/main.c:274
 #, c-format
-msgid "while looking for credentials file %s"
+msgid "while looking for credentials cache %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:276
+#: ../../src/clients/ksu/main.c:280
 #, c-format
 msgid "malformed credential cache name %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:334
+#: ../../src/clients/ksu/main.c:338
 #, c-format
 msgid "ksu: who are you?\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:338
+#: ../../src/clients/ksu/main.c:342
 #, c-format
 msgid "Your uid doesn't match your passwd entry?!\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:355
+#: ../../src/clients/ksu/main.c:357
 #, c-format
 msgid "ksu: unknown login %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:375
+#: ../../src/clients/ksu/main.c:377
 msgid "while getting source cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:196
+#: ../../src/clients/ksu/main.c:383 ../../src/clients/kvno/kvno.c:194
 msgid "while opening ccache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:389
+#: ../../src/clients/ksu/main.c:391
 msgid "while selecting the best principal"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:397
+#: ../../src/clients/ksu/main.c:399
 msgid "while returning to source uid after finding best principal"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:417
+#: ../../src/clients/ksu/main.c:419
 #, c-format
 msgid "account %s: authorization failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:443
-#, c-format
-msgid "%s does not have correct permissions for %s\n"
+#: ../../src/clients/ksu/main.c:444
+msgid "while parsing temporary name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:473 ../../src/clients/ksu/main.c:481
+#: ../../src/clients/ksu/main.c:449
+msgid "while creating temporary cache"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:455 ../../src/clients/ksu/main.c:701
 #, c-format
 msgid "while copying cache %s to %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:508
+#: ../../src/clients/ksu/main.c:480
 #, c-format
 msgid ""
 "WARNING: Your password may be exposed if you enter it here and are logged\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:510
+#: ../../src/clients/ksu/main.c:482
 #, c-format
 msgid "         in remotely using an unsecure (non-encrypted) channel.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:517
+#: ../../src/clients/ksu/main.c:489
 #, c-format
 msgid "Goodbye\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:522
+#: ../../src/clients/ksu/main.c:493
 #, c-format
 msgid "Could not get a tgt for "
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:542
+#: ../../src/clients/ksu/main.c:514
 #, c-format
 msgid "Authentication failed.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:577
+#: ../../src/clients/ksu/main.c:521
 msgid "When unparsing name"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:582
+#: ../../src/clients/ksu/main.c:525
 #, c-format
 msgid "Authenticated %s\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:589
+#: ../../src/clients/ksu/main.c:532
 msgid "while switching to target for authorization check"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:597
+#: ../../src/clients/ksu/main.c:539
 msgid "while checking authorization"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:604
+#: ../../src/clients/ksu/main.c:545
 msgid "while switching back from target after authorization check"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:612
+#: ../../src/clients/ksu/main.c:552
 #, c-format
 msgid "Account %s: authorization for %s for execution of\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:614
+#: ../../src/clients/ksu/main.c:554
 #, c-format
 msgid "               %s successful\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:620
+#: ../../src/clients/ksu/main.c:560
 #, c-format
 msgid "Account %s: authorization for %s successful\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:632
+#: ../../src/clients/ksu/main.c:572
 #, c-format
 msgid "Account %s: authorization for %s for execution of %s failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:640
+#: ../../src/clients/ksu/main.c:580
 #, c-format
 msgid "Account %s: authorization of %s failed\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:655
+#: ../../src/clients/ksu/main.c:595
 msgid "while calling cc_filter"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:663
+#: ../../src/clients/ksu/main.c:603
 msgid "while erasing target cache"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:683
+#: ../../src/clients/ksu/main.c:623
 #, c-format
 msgid "ksu: permission denied (shell).\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:693
+#: ../../src/clients/ksu/main.c:632
 #, c-format
 msgid "ksu: couldn't set environment variable USER\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:700
+#: ../../src/clients/ksu/main.c:638
 #, c-format
 msgid "ksu: couldn't set environment variable HOME\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:706
+#: ../../src/clients/ksu/main.c:643
 #, c-format
 msgid "ksu: couldn't set environment variable SHELL\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:714
-#, c-format
-msgid "ksu: couldn't set environment variable %s\n"
-msgstr ""
-
-#: ../../src/clients/ksu/main.c:729
+#: ../../src/clients/ksu/main.c:654
 #, c-format
 msgid "ksu: initgroups failed.\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:735
+#: ../../src/clients/ksu/main.c:659
 #, c-format
 msgid "Leaving uid as %s (%ld)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:738
+#: ../../src/clients/ksu/main.c:662
 #, c-format
 msgid "Changing uid to %s (%ld)\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:763
+#: ../../src/clients/ksu/main.c:688
+msgid "while getting name of target ccache"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:708
 #, c-format
 msgid "%s does not have correct permissions for %s, %s aborted"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:777
+#: ../../src/clients/ksu/main.c:729
 #, c-format
 msgid "Internal error: command %s did not get resolved\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:794 ../../src/clients/ksu/main.c:830
+#: ../../src/clients/ksu/main.c:746 ../../src/clients/ksu/main.c:782
 #, c-format
 msgid "while trying to execv %s"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:820
+#: ../../src/clients/ksu/main.c:772
 msgid "while calling waitpid"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:825
+#: ../../src/clients/ksu/main.c:777
 msgid "while trying to fork."
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:863
+#: ../../src/clients/ksu/main.c:799
+msgid "while reading cache name from ccache"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:805
+#, c-format
+msgid "ksu: couldn't set environment variable %s\n"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:828
+#, c-format
+msgid "while clearing the value of %s"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:836
+msgid "while resetting target ccache name"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:843
+msgid "while determining target ccache name"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:882
+msgid "while generating part of the target ccache name"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:888
+msgid "while allocating memory for the target ccache name"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:907
+msgid "while creating new target ccache"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:913
+msgid "while initializing target cache"
+msgstr ""
+
+#: ../../src/clients/ksu/main.c:953
 #, c-format
 msgid "terminal name %s too long\n"
 msgstr ""
 
-#: ../../src/clients/ksu/main.c:893
+#: ../../src/clients/ksu/main.c:981
 msgid "while changing to target uid for destroying ccache"
 msgstr ""
 
@@ -1144,9 +1191,9 @@ msgstr ""
 msgid "One of -c or -p must be specified\n"
 msgstr ""
 
-#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:213
-#: ../../src/clients/kvno/kvno.c:247 ../../src/kadmin/cli/keytab.c:360
-#: ../../src/kadmin/dbutil/kdb5_util.c:578
+#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211
+#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:355
+#: ../../src/kadmin/dbutil/kdb5_util.c:576
 #, c-format
 msgid "while parsing principal name %s"
 msgstr ""
@@ -1155,84 +1202,84 @@ msgstr ""
 msgid "while switching to credential cache"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:48
+#: ../../src/clients/kvno/kvno.c:46
 #, c-format
 msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:49
+#: ../../src/clients/kvno/kvno.c:47
 #, c-format
 msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:50
+#: ../../src/clients/kvno/kvno.c:48
 #, c-format
 msgid "\tservice1 service2 ...\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:105 ../../src/clients/kvno/kvno.c:113
+#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111
 #, c-format
 msgid "Options -u and -S are mutually exclusive\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:128
+#: ../../src/clients/kvno/kvno.c:126
 #, c-format
 msgid "Option -P (constrained delegation) requires keytab to be specified\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:132
+#: ../../src/clients/kvno/kvno.c:130
 #, c-format
 msgid ""
 "Option -P (constrained delegation) requires option -U (protocol transition)\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:177 ../../src/kadmin/cli/kadmin.c:271
+#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:271
 msgid "while initializing krb5 library"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:184
+#: ../../src/clients/kvno/kvno.c:182
 msgid "while converting etype"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:220
+#: ../../src/clients/kvno/kvno.c:218
 msgid "while getting client principal name"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:258
+#: ../../src/clients/kvno/kvno.c:256
 #, c-format
 msgid "while formatting parsed principal name for '%s'"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:269
+#: ../../src/clients/kvno/kvno.c:267
 msgid "client and server principal names must match"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:286
+#: ../../src/clients/kvno/kvno.c:284
 #, c-format
 msgid "while getting credentials for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:293
+#: ../../src/clients/kvno/kvno.c:291
 #, c-format
 msgid "while decoding ticket for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:304
+#: ../../src/clients/kvno/kvno.c:302
 #, c-format
 msgid "while decrypting ticket for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:308
+#: ../../src/clients/kvno/kvno.c:306
 #, c-format
 msgid "%s: kvno = %d, keytab entry valid\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:326
+#: ../../src/clients/kvno/kvno.c:324
 #, c-format
 msgid "%s: constrained delegation failed"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:332
+#: ../../src/clients/kvno/kvno.c:330
 #, c-format
 msgid "%s: kvno = %d\n"
 msgstr ""
@@ -1254,8 +1301,8 @@ msgid "%s: Cannot initialize. Not enough memory\n"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:344 ../../src/kadmin/cli/kadmin.c:795
-#: ../../src/kadmin/cli/kadmin.c:1074 ../../src/kadmin/cli/kadmin.c:1622
-#: ../../src/kadmin/cli/keytab.c:164 ../../src/kadmin/dbutil/kdb5_util.c:593
+#: ../../src/kadmin/cli/kadmin.c:1074 ../../src/kadmin/cli/kadmin.c:1623
+#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591
 #, c-format
 msgid "while parsing keysalts %s"
 msgstr ""
@@ -1265,7 +1312,7 @@ msgstr ""
 msgid "%s: unable to get default realm\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:387 ../../src/slave/kpropd.c:677
+#: ../../src/kadmin/cli/kadmin.c:387
 msgid "while opening default credentials cache"
 msgstr ""
 
@@ -1281,7 +1328,7 @@ msgid "%s: out of memory\n"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:439
-#: ../../src/slave/kpropd.c:708
+#: ../../src/slave/kpropd.c:681
 msgid "while canonicalizing principal name"
 msgstr ""
 
@@ -1328,7 +1375,7 @@ msgstr ""
 msgid "Authenticating as principal %s with password.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:537 ../../src/slave/kpropd.c:755
+#: ../../src/kadmin/cli/kadmin.c:537 ../../src/slave/kpropd.c:728
 #, c-format
 msgid "while initializing %s interface"
 msgstr ""
@@ -1361,9 +1408,9 @@ msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:641 ../../src/kadmin/cli/kadmin.c:816
 #: ../../src/kadmin/cli/kadmin.c:1207 ../../src/kadmin/cli/kadmin.c:1328
-#: ../../src/kadmin/cli/kadmin.c:1398 ../../src/kadmin/cli/kadmin.c:1846
-#: ../../src/kadmin/cli/kadmin.c:1890 ../../src/kadmin/cli/kadmin.c:1936
-#: ../../src/kadmin/cli/kadmin.c:1976
+#: ../../src/kadmin/cli/kadmin.c:1398 ../../src/kadmin/cli/kadmin.c:1847
+#: ../../src/kadmin/cli/kadmin.c:1891 ../../src/kadmin/cli/kadmin.c:1937
+#: ../../src/kadmin/cli/kadmin.c:1977
 msgid "while canonicalizing principal"
 msgstr ""
 
@@ -1511,22 +1558,22 @@ msgstr ""
 msgid "Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:935 ../../src/kadmin/dbutil/kdb5_util.c:625
+#: ../../src/kadmin/cli/kadmin.c:935 ../../src/kadmin/dbutil/kdb5_util.c:623
 msgid "while getting time"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:984 ../../src/kadmin/cli/kadmin.c:997
 #: ../../src/kadmin/cli/kadmin.c:1010 ../../src/kadmin/cli/kadmin.c:1023
-#: ../../src/kadmin/cli/kadmin.c:1534 ../../src/kadmin/cli/kadmin.c:1546
-#: ../../src/kadmin/cli/kadmin.c:1589 ../../src/kadmin/cli/kadmin.c:1606
+#: ../../src/kadmin/cli/kadmin.c:1535 ../../src/kadmin/cli/kadmin.c:1547
+#: ../../src/kadmin/cli/kadmin.c:1590 ../../src/kadmin/cli/kadmin.c:1607
 #, c-format
 msgid "Invalid date specification \"%s\".\n"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:1108 ../../src/kadmin/cli/kadmin.c:1322
-#: ../../src/kadmin/cli/kadmin.c:1393 ../../src/kadmin/cli/kadmin.c:1840
-#: ../../src/kadmin/cli/kadmin.c:1884 ../../src/kadmin/cli/kadmin.c:1930
-#: ../../src/kadmin/cli/kadmin.c:1970
+#: ../../src/kadmin/cli/kadmin.c:1393 ../../src/kadmin/cli/kadmin.c:1841
+#: ../../src/kadmin/cli/kadmin.c:1885 ../../src/kadmin/cli/kadmin.c:1931
+#: ../../src/kadmin/cli/kadmin.c:1971
 msgid "while parsing principal"
 msgstr ""
 
@@ -1536,7 +1583,7 @@ msgid "usage: add_principal [options] principal\n"
 msgstr ""
 
 #: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1145
-#: ../../src/kadmin/cli/kadmin.c:1645
+#: ../../src/kadmin/cli/kadmin.c:1646
 #, c-format
 msgid "\toptions are:\n"
 msgstr ""
@@ -1663,7 +1710,7 @@ msgstr ""
 msgid "Password expiration date: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1425 ../../src/kadmin/cli/kadmin.c:1466
+#: ../../src/kadmin/cli/kadmin.c:1425 ../../src/kadmin/cli/kadmin.c:1467
 msgid "[none]"
 msgstr ""
 
@@ -1702,55 +1749,50 @@ msgstr ""
 msgid "<Encryption type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1452
+#: ../../src/kadmin/cli/kadmin.c:1453
 #, c-format
 msgid "<Salt type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1456
-#, c-format
-msgid "no salt\n"
-msgstr ""
-
-#: ../../src/kadmin/cli/kadmin.c:1458
+#: ../../src/kadmin/cli/kadmin.c:1459
 #, c-format
 msgid "MKey: vno %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1460
+#: ../../src/kadmin/cli/kadmin.c:1461
 #, c-format
 msgid "Attributes:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1468
+#: ../../src/kadmin/cli/kadmin.c:1469
 msgid " [does not exist]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1469
+#: ../../src/kadmin/cli/kadmin.c:1470
 #, c-format
 msgid "Policy: %s%s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1505
+#: ../../src/kadmin/cli/kadmin.c:1506
 #, c-format
 msgid "usage: get_principals [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1510 ../../src/kadmin/cli/kadmin.c:1782
+#: ../../src/kadmin/cli/kadmin.c:1511 ../../src/kadmin/cli/kadmin.c:1783
 msgid "while retrieving list."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1635
+#: ../../src/kadmin/cli/kadmin.c:1636
 #, c-format
 msgid "%s: parser lost count!\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1644
+#: ../../src/kadmin/cli/kadmin.c:1645
 #, c-format
 msgid "usage; %s [options] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1647
+#: ../../src/kadmin/cli/kadmin.c:1648
 #, c-format
 msgid ""
 "\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
@@ -1759,297 +1801,297 @@ msgid ""
 "\t\t[-allowedkeysalts keysalts]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1651
+#: ../../src/kadmin/cli/kadmin.c:1652
 #, c-format
 msgid "\t\t[-lockoutduration time]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1670
+#: ../../src/kadmin/cli/kadmin.c:1671
 #, c-format
 msgid "while creating policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1691
+#: ../../src/kadmin/cli/kadmin.c:1692
 #, c-format
 msgid "while modifying policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1703
+#: ../../src/kadmin/cli/kadmin.c:1704
 #, c-format
 msgid "usage: delete_policy [-force] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1707
+#: ../../src/kadmin/cli/kadmin.c:1708
 #, c-format
 msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1711
+#: ../../src/kadmin/cli/kadmin.c:1712
 #, c-format
 msgid "Policy \"%s\" not deleted.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1717
+#: ../../src/kadmin/cli/kadmin.c:1718
 #, c-format
 msgid "while deleting policy \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1729
+#: ../../src/kadmin/cli/kadmin.c:1730
 #, c-format
 msgid "usage: get_policy [-terse] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1734
+#: ../../src/kadmin/cli/kadmin.c:1735
 #, c-format
 msgid "while retrieving policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1739
+#: ../../src/kadmin/cli/kadmin.c:1740
 #, c-format
 msgid "Policy: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1740
+#: ../../src/kadmin/cli/kadmin.c:1741
 #, c-format
 msgid "Maximum password life: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1741
+#: ../../src/kadmin/cli/kadmin.c:1742
 #, c-format
 msgid "Minimum password life: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1742
+#: ../../src/kadmin/cli/kadmin.c:1743
 #, c-format
 msgid "Minimum password length: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1743
+#: ../../src/kadmin/cli/kadmin.c:1744
 #, c-format
 msgid "Minimum number of password character classes: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1745
+#: ../../src/kadmin/cli/kadmin.c:1746
 #, c-format
 msgid "Number of old keys kept: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1746
+#: ../../src/kadmin/cli/kadmin.c:1747
 #, c-format
 msgid "Maximum password failures before lockout: %lu\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1748
+#: ../../src/kadmin/cli/kadmin.c:1749
 #, c-format
 msgid "Password failure count reset interval: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1750
+#: ../../src/kadmin/cli/kadmin.c:1751
 #, c-format
 msgid "Password lockout duration: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1753
+#: ../../src/kadmin/cli/kadmin.c:1754
 #, c-format
 msgid "Allowed key/salt types: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1777
+#: ../../src/kadmin/cli/kadmin.c:1778
 #, c-format
 msgid "usage: get_policies [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1799
+#: ../../src/kadmin/cli/kadmin.c:1800
 #, c-format
 msgid "usage: get_privs\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1804
+#: ../../src/kadmin/cli/kadmin.c:1805
 msgid "while retrieving privileges"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1807
+#: ../../src/kadmin/cli/kadmin.c:1808
 #, c-format
 msgid "current privileges:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1833
+#: ../../src/kadmin/cli/kadmin.c:1834
 #, c-format
 msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1853
+#: ../../src/kadmin/cli/kadmin.c:1854
 #, c-format
 msgid "while purging keys for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1858
+#: ../../src/kadmin/cli/kadmin.c:1859
 #, c-format
 msgid "All keys for principal \"%s\" removed.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1860
+#: ../../src/kadmin/cli/kadmin.c:1861
 #, c-format
 msgid "Old keys for principal \"%s\" purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1877
+#: ../../src/kadmin/cli/kadmin.c:1878
 #, c-format
 msgid "usage: get_strings principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1897
+#: ../../src/kadmin/cli/kadmin.c:1898
 #, c-format
 msgid "while getting attributes for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1902
+#: ../../src/kadmin/cli/kadmin.c:1903
 #, c-format
 msgid "(No string attributes.)\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1921
+#: ../../src/kadmin/cli/kadmin.c:1922
 #, c-format
 msgid "usage: set_string principal key value\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1943
+#: ../../src/kadmin/cli/kadmin.c:1944
 #, c-format
 msgid "while setting attribute on principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1947
+#: ../../src/kadmin/cli/kadmin.c:1948
 #, c-format
 msgid "Attribute set for principal \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1962
+#: ../../src/kadmin/cli/kadmin.c:1963
 #, c-format
 msgid "usage: del_string principal key\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1983
+#: ../../src/kadmin/cli/kadmin.c:1984
 #, c-format
 msgid "while deleting attribute from principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1987
+#: ../../src/kadmin/cli/kadmin.c:1988
 #, c-format
 msgid "Attribute removed from principal \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:63
+#: ../../src/kadmin/cli/keytab.c:58
 #, c-format
 msgid ""
 "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] "
 "[principal | -glob princ-exp] [...]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:66
+#: ../../src/kadmin/cli/keytab.c:61
 #, c-format
 msgid ""
 "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob "
 "princ-exp] [...]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:74
+#: ../../src/kadmin/cli/keytab.c:69
 #, c-format
 msgid ""
 "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:88 ../../src/kadmin/cli/keytab.c:109
+#: ../../src/kadmin/cli/keytab.c:83 ../../src/kadmin/cli/keytab.c:104
 msgid "while creating keytab name"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:93
+#: ../../src/kadmin/cli/keytab.c:88
 msgid "while opening default keytab"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:182
+#: ../../src/kadmin/cli/keytab.c:177
 #, c-format
 msgid "cannot specify keysaltlist when not changing key\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:199
+#: ../../src/kadmin/cli/keytab.c:194
 #, c-format
 msgid "while expanding expression \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:218 ../../src/kadmin/cli/keytab.c:258
+#: ../../src/kadmin/cli/keytab.c:213 ../../src/kadmin/cli/keytab.c:253
 msgid "while closing keytab"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:282
+#: ../../src/kadmin/cli/keytab.c:277
 #, c-format
 msgid "while parsing -add principal name %s"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:299
+#: ../../src/kadmin/cli/keytab.c:294
 #, c-format
 msgid "%s: Principal %s does not exist.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:302
+#: ../../src/kadmin/cli/keytab.c:297
 #, c-format
 msgid "while changing %s's key"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:309
+#: ../../src/kadmin/cli/keytab.c:304
 msgid "while retrieving principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:321
+#: ../../src/kadmin/cli/keytab.c:316
 msgid "while adding key to keytab"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:327
+#: ../../src/kadmin/cli/keytab.c:322
 #, c-format
 msgid ""
 "Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:336
+#: ../../src/kadmin/cli/keytab.c:331
 msgid "while freeing principal entry"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:383
+#: ../../src/kadmin/cli/keytab.c:378
 #, c-format
 msgid "%s: Keytab %s does not exist.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:387
+#: ../../src/kadmin/cli/keytab.c:382
 #, c-format
 msgid "%s: No entry for principal %s exists in keytab %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:391
+#: ../../src/kadmin/cli/keytab.c:386
 #, c-format
 msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:397
+#: ../../src/kadmin/cli/keytab.c:392
 msgid "while retrieving highest kvno from keytab"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:430
+#: ../../src/kadmin/cli/keytab.c:425
 msgid "while temporarily ending keytab scan"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:435
+#: ../../src/kadmin/cli/keytab.c:430
 msgid "while deleting entry from keytab"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:440
+#: ../../src/kadmin/cli/keytab.c:435
 msgid "while restarting keytab scan"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:446
+#: ../../src/kadmin/cli/keytab.c:441
 #, c-format
 msgid "Entry for principal %s with kvno %d removed from keytab %s.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/keytab.c:468
+#: ../../src/kadmin/cli/keytab.c:463
 #, c-format
 msgid "%s: There is only one entry for principal %s in keytab %s\n"
 msgstr ""
@@ -2058,399 +2100,401 @@ msgstr ""
 msgid "creating invocation"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:166
+#: ../../src/kadmin/dbutil/dump.c:165
 msgid "while allocating temporary filename dump"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:177
+#: ../../src/kadmin/dbutil/dump.c:176
 msgid "while renaming dump file into place"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:193
+#: ../../src/kadmin/dbutil/dump.c:192
 msgid "while allocating dump_ok filename"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:200
+#: ../../src/kadmin/dbutil/dump.c:199
 #, c-format
 msgid "while creating 'ok' file, '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:207
+#: ../../src/kadmin/dbutil/dump.c:206
 #, c-format
 msgid "while locking 'ok' file, '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:249 ../../src/kadmin/dbutil/dump.c:278
+#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277
 #, c-format
 msgid "%s: regular expression error: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:261
+#: ../../src/kadmin/dbutil/dump.c:260
 #, c-format
 msgid "%s: regular expression match error: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:362
+#: ../../src/kadmin/dbutil/dump.c:361
 #, c-format
 msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:520
+#: ../../src/kadmin/dbutil/dump.c:519
 #, c-format
 msgid ""
 "Warning!  Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:531
+#: ../../src/kadmin/dbutil/dump.c:530
 #, c-format
 msgid ""
 "Warning!  No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
 "record; skipping\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:559
+#: ../../src/kadmin/dbutil/dump.c:558
 #, c-format
 msgid "while converting %s to new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:580
+#: ../../src/kadmin/dbutil/dump.c:579
 #, c-format
 msgid "%s(%d): %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:623
+#: ../../src/kadmin/dbutil/dump.c:622
 #, c-format
 msgid "%s(%d): ignoring trash at end of line: "
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:686
+#: ../../src/kadmin/dbutil/dump.c:685
 msgid "cannot read tagged data type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:693
+#: ../../src/kadmin/dbutil/dump.c:692
 msgid "cannot read tagged data contents"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:727
+#: ../../src/kadmin/dbutil/dump.c:726
 msgid "cannot match size tokens"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:756
+#: ../../src/kadmin/dbutil/dump.c:755
 msgid "cannot read name string"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:761
+#: ../../src/kadmin/dbutil/dump.c:760
 #, c-format
 msgid "while parsing name %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:769
+#: ../../src/kadmin/dbutil/dump.c:768
 msgid "cannot read principal attributes"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:822
+#: ../../src/kadmin/dbutil/dump.c:821
 msgid "cannot read key size and version"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:833
+#: ../../src/kadmin/dbutil/dump.c:832
 msgid "cannot read key type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:839
+#: ../../src/kadmin/dbutil/dump.c:838
 msgid "cannot read key data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:849
+#: ../../src/kadmin/dbutil/dump.c:848
 msgid "cannot read extra data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:858
+#: ../../src/kadmin/dbutil/dump.c:857
 #, c-format
 msgid "while storing %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:897 ../../src/kadmin/dbutil/dump.c:936
-#: ../../src/kadmin/dbutil/dump.c:982
+#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935
+#: ../../src/kadmin/dbutil/dump.c:981
 #, c-format
 msgid "cannot parse policy (%d read)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:905 ../../src/kadmin/dbutil/dump.c:944
-#: ../../src/kadmin/dbutil/dump.c:1002
+#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943
+#: ../../src/kadmin/dbutil/dump.c:1001
 msgid "while creating policy"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:909
+#: ../../src/kadmin/dbutil/dump.c:908
 #, c-format
 msgid "created policy %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1039
+#: ../../src/kadmin/dbutil/dump.c:1038
 #, c-format
 msgid "unknown record type \"%s\"\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1169
+#: ../../src/kadmin/dbutil/dump.c:1167
 #, c-format
 msgid "%s: Unknown iprop dump version %d\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1278 ../../src/kadmin/dbutil/dump.c:1510
+#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498
 #, c-format
 msgid "Iprop not enabled\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1315
+#: ../../src/kadmin/dbutil/dump.c:1308
 msgid "Conditional dump is an undocumented option for use only for iprop dumps"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1328
+#: ../../src/kadmin/dbutil/dump.c:1321
 msgid "Database not currently opened!"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1342
+#: ../../src/kadmin/dbutil/dump.c:1335
 #: ../../src/kadmin/dbutil/kdb5_stash.c:116
-#: ../../src/kadmin/dbutil/kdb5_util.c:480
+#: ../../src/kadmin/dbutil/kdb5_util.c:479
 msgid "while reading master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1348
+#: ../../src/kadmin/dbutil/dump.c:1341
 msgid "while verifying master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1367 ../../src/kadmin/dbutil/dump.c:1377
+#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370
 msgid "while reading new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1371
+#: ../../src/kadmin/dbutil/dump.c:1364
 #, c-format
 msgid "Please enter new master key....\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1395
+#: ../../src/kadmin/dbutil/dump.c:1388
 #, c-format
 msgid "while opening %s for writing"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1411
-#, c-format
-msgid "%s: Couldn't grab lock\n"
+#: ../../src/kadmin/dbutil/dump.c:1403
+msgid "while reading update log header"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1428 ../../src/kadmin/dbutil/dump.c:1435
+#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425
 #, c-format
 msgid "performing %s dump"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1466
+#: ../../src/kadmin/dbutil/dump.c:1455
 #, c-format
 msgid "%s: error processing line %d of %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1519
+#: ../../src/kadmin/dbutil/dump.c:1507
 msgid "while parsing options"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1534
+#: ../../src/kadmin/dbutil/dump.c:1522
 #, c-format
 msgid "while opening %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1539 ../../src/kadmin/dbutil/dump.c:1653
+#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626
 msgid "standard input"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1544
+#: ../../src/kadmin/dbutil/dump.c:1532
 #, c-format
 msgid "%s: can't read dump header in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1552 ../../src/kadmin/dbutil/dump.c:1569
+#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557
 #, c-format
 msgid "%s: dump header bad in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1583
+#: ../../src/kadmin/dbutil/dump.c:1566
 #, c-format
 msgid "Could not open iprop ulog\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1589
-#, c-format
-msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n"
-msgstr ""
-
-#: ../../src/kadmin/dbutil/dump.c:1597
+#: ../../src/kadmin/dbutil/dump.c:1571
 #, c-format
 msgid "%s: dump version %s can only be loaded with the -update flag\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1606 ../../src/kadmin/dbutil/dump.c:1611
+#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585
 msgid "computing parameters for database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1617
+#: ../../src/kadmin/dbutil/dump.c:1591
 msgid "while creating database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1626
+#: ../../src/kadmin/dbutil/dump.c:1600
 msgid "while opening database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1636
+#: ../../src/kadmin/dbutil/dump.c:1610
 msgid "while permanently locking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1655
+#: ../../src/kadmin/dbutil/dump.c:1628
 #, c-format
 msgid "%s: %s restore failed\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1660
+#: ../../src/kadmin/dbutil/dump.c:1633
 msgid "while unlocking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1670
+#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662
+msgid "while reinitializing update log"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:1653
 msgid "while making newly loaded database live"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1694
+#: ../../src/kadmin/dbutil/dump.c:1669
+msgid "while writing update log header"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:1683
 #, c-format
 msgid "while deleting bad database %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:87
+#: ../../src/kadmin/dbutil/kadm5_create.c:84
 msgid "while looking up the Kerberos configuration"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:114
+#: ../../src/kadmin/dbutil/kadm5_create.c:111
 msgid "while initializing the Kerberos admin interface"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:197
+#: ../../src/kadmin/dbutil/kadm5_create.c:169
 #, c-format
 msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:218
+#: ../../src/kadmin/dbutil/kadm5_create.c:190
+#: ../../src/kadmin/dbutil/kadm5_create.c:196
 #, c-format
 msgid "Out of memory\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:290
+#: ../../src/kadmin/dbutil/kadm5_create.c:270
+msgid "while appending realm to principal"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:275
 msgid "while parsing admin principal name"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kadm5_create.c:300
+#: ../../src/kadmin/dbutil/kadm5_create.c:286
 #, c-format
 msgid "while creating principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:176
-#: ../../src/kadmin/dbutil/kdb5_util.c:242
-#: ../../src/kadmin/dbutil/kdb5_util.c:249
+#: ../../src/kadmin/dbutil/kdb5_create.c:175
+#: ../../src/kadmin/dbutil/kdb5_util.c:241
+#: ../../src/kadmin/dbutil/kdb5_util.c:248
 msgid "while parsing command arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:199
+#: ../../src/kadmin/dbutil/kdb5_create.c:198
 #, c-format
 msgid "Loading random data\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:202
+#: ../../src/kadmin/dbutil/kdb5_create.c:201
 msgid "Loading random data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:212
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:243
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:436
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:592
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1155
-#: ../../src/kadmin/dbutil/kdb5_util.c:424
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
+#: ../../src/kadmin/dbutil/kdb5_create.c:211
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:242
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:435
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:591
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149
+#: ../../src/kadmin/dbutil/kdb5_util.c:423
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606
 msgid "while setting up master key name"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:223
+#: ../../src/kadmin/dbutil/kdb5_create.c:222
 #, c-format
 msgid ""
 "Initializing database '%s' for realm '%s',\n"
 "master key name '%s'\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:228
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:437
+#: ../../src/kadmin/dbutil/kdb5_create.c:227
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516
 #, c-format
 msgid "You will be prompted for the database Master Password.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:229
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:261
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:438
+#: ../../src/kadmin/dbutil/kdb5_create.c:228
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517
 #, c-format
 msgid "It is important that you NOT FORGET this password.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:235
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:267
+#: ../../src/kadmin/dbutil/kdb5_create.c:234
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:266
 msgid "while creating new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:243
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:448
+#: ../../src/kadmin/dbutil/kdb5_create.c:242
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
 msgid "while reading master key from keyboard"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:253
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:286
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:539
+#: ../../src/kadmin/dbutil/kdb5_create.c:252
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:285
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618
 msgid "while calculating master key salt"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:261
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:295
-#: ../../src/kadmin/dbutil/kdb5_util.c:466
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:551
+#: ../../src/kadmin/dbutil/kdb5_create.c:260
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:294
+#: ../../src/kadmin/dbutil/kdb5_util.c:465
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630
 msgid "while transforming master key from password"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:271
+#: ../../src/kadmin/dbutil/kdb5_create.c:270
 msgid "while initializing random key generator"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:276
+#: ../../src/kadmin/dbutil/kdb5_create.c:275
 #, c-format
 msgid "while creating database '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:294
+#: ../../src/kadmin/dbutil/kdb5_create.c:293
 msgid "while creating update log"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:316
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:587
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:597
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:605
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:614
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:623
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:633
+#: ../../src/kadmin/dbutil/kdb5_create.c:304
+msgid "while initializing update log"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:320
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:651
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:675
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:685
 msgid "while adding entries to the database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:344
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
+#: ../../src/kadmin/dbutil/kdb5_create.c:348
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:339
 #: ../../src/kadmin/dbutil/kdb5_stash.c:133
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:718
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667
 msgid "while storing key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_create.c:345
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:341
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:719
+#: ../../src/kadmin/dbutil/kdb5_create.c:349
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668
 #, c-format
 msgid "Warning: couldn't stash master key.\n"
 msgstr ""
@@ -2460,8 +2504,8 @@ msgid "while initializing krb5_context"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_destroy.c:63
-#: ../../src/kadmin/dbutil/kdb5_util.c:260
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:293
+#: ../../src/kadmin/dbutil/kdb5_util.c:259
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291
 msgid "while setting default realm name"
 msgstr ""
 
@@ -2471,9 +2515,9 @@ msgid "Deleting KDC database stored in '%s', are you sure?\n"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_destroy.c:85
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1172
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:362
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1533
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482
 #, c-format
 msgid "(type 'yes' to confirm)? "
 msgstr ""
@@ -2493,173 +2537,173 @@ msgstr ""
 msgid "** Database '%s' destroyed.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:219
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:218
 #, c-format
 msgid "%s is an invalid enctype"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:251
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:444
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:600
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:250
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:443
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:599
 #: ../../src/kadmin/dbutil/kdb5_mkey.c:986
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1163
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157
 #, c-format
 msgid "while getting master key principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:257
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:256
 #, c-format
 msgid "Creating new master key for master key principal '%s'\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:259
 #, c-format
 msgid "You will be prompted for a new database Master Password.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:276
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:275
 msgid "while reading new master key from keyboard"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:305
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
 msgid "adding new master key to master principal"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:311
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:403
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:844
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1362
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:310
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:402
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:843
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
 msgid "while getting current time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:318
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:545
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1369
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:317
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:544
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363
 msgid "while updating the master key principal modification time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:326
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:554
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1380
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:325
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:553
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374
 msgid "while adding master key entry to the database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:384
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
 msgid "0 is an invalid KVNO value"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:395
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:394
 #, c-format
 msgid "%d is an invalid KVNO value"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:411
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:410
 #, c-format
 msgid "could not parse date-time string '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:453
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:452
 msgid "while looking up active version of master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:492
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:491
 msgid "while adding new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:530
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:529
 msgid "there must be one master key currently active"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:538
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1348
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:537
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342
 msgid "while updating actkvno data for master principal entry"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:582
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:581
 #: ../../src/kadmin/dbutil/kdb5_mkey.c:948
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1122
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116
 msgid "master keylist not initialized"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:608
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:607
 #: ../../src/kadmin/dbutil/kdb5_mkey.c:994
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1260
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
 msgid "while looking up active kvno list"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:616
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:615
 #: ../../src/kadmin/dbutil/kdb5_mkey.c:1002
 msgid "while looking up active master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:628
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:627
 msgid "while getting enctype description"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:645
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:644
 #, c-format
 msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:650
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:649
 #, c-format
 msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:654
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:653
 #, c-format
 msgid "KVNO: %d, Enctype: %s, No activate time set\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:659
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:658
 msgid "asprintf could not allocate enough memory to hold output"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:794
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:793
 msgid "getting string representation of principal name"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:818
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:817
 #, c-format
 msgid "determining master key used for principal '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:824
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:823
 #, c-format
 msgid "would skip:   %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:826
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:825
 #, c-format
 msgid "skipping: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:832
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:831
 #, c-format
 msgid "would update: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:836
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:835
 #, c-format
 msgid "updating: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:840
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:839
 #, c-format
 msgid "error re-encrypting key for principal '%s'"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:851
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:850
 #, c-format
 msgid "while updating principal '%s' modification time"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:858
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:857
 #, c-format
 msgid "while updating principal '%s' key data in the database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:890
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:889
 #, c-format
 msgid ""
 "\n"
@@ -2702,97 +2746,93 @@ msgid ""
 "necessary:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1031
-msgid "trying to lock database"
-msgstr ""
-
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1041
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037
 msgid "trying to process principal database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1048
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042
 #, c-format
 msgid "%u principals processed: %u would be updated, %u already current\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1052
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046
 #, c-format
 msgid "%u principals processed: %u updated, %u already current\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1170
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164
 #, c-format
 msgid ""
 "Will purge all unused master keys stored in the '%s' principal, are you "
 "sure?\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1181
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175
 #, c-format
 msgid "OK, purging unused master keys from '%s'...\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1189
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183
 #, c-format
 msgid "There is only one master key which can not be purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1198
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192
 msgid "while allocating args.kvnos"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1214
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208
 msgid "while finding master keys in use"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1223
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217
 #, c-format
 msgid "Would purge the following master key(s) from %s:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1226
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220
 #, c-format
 msgid "Purging the following master key(s) from %s:\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232
 msgid "master key stash file needs updating, command aborting"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1244
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238
 #, c-format
 msgid "KVNO: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1249
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243
 #, c-format
 msgid "All keys in use, nothing purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248
 #, c-format
 msgid "%d key(s) would be purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1267
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261
 msgid "while looking up mkey aux data list"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1275
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269
 msgid "while allocating key_data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350
 msgid "while updating mkey_aux data for master principal entry"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_mkey.c:1384
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378
 #, c-format
 msgid "%d key(s) purged.\n"
 msgstr ""
 
 #: ../../src/kadmin/dbutil/kdb5_stash.c:97
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:540
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538
 #, c-format
 msgid "while setting up enctype %d"
 msgstr ""
@@ -2806,7 +2846,7 @@ msgstr ""
 msgid "Using existing stashed keys to update stash file.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:81
+#: ../../src/kadmin/dbutil/kdb5_util.c:80
 #, c-format
 msgid ""
 "Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M "
@@ -2825,7 +2865,7 @@ msgid ""
 "\tlist_mkeys\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:99
+#: ../../src/kadmin/dbutil/kdb5_util.c:98
 #, c-format
 msgid ""
 "\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
@@ -2836,101 +2876,101 @@ msgid ""
 "\t\t\tLook at each database documentation for supported arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:212
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:262
+#: ../../src/kadmin/dbutil/kdb5_util.c:211
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260
 msgid "while initializing Kerberos code"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:218
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:269
+#: ../../src/kadmin/dbutil/kdb5_util.c:217
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267
 msgid "while creating sub-command arguments"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:236
+#: ../../src/kadmin/dbutil/kdb5_util.c:235
 msgid "while parsing command arguments"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:265
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:300
+#: ../../src/kadmin/dbutil/kdb5_util.c:264
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298
 #, c-format
 msgid ": %s is an invalid enctype"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:273
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:309
+#: ../../src/kadmin/dbutil/kdb5_util.c:272
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307
 #, c-format
 msgid ": %s is an invalid mkeyVNO"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:318
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:433
+#: ../../src/kadmin/dbutil/kdb5_util.c:317
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431
 msgid "while retreiving configuration parameters"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:369
+#: ../../src/kadmin/dbutil/kdb5_util.c:368
 msgid "Too few arguments"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:370
+#: ../../src/kadmin/dbutil/kdb5_util.c:369
 #, c-format
 msgid "Usage: %s dbpathname realmname"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:376
+#: ../../src/kadmin/dbutil/kdb5_util.c:375
 msgid "while closing previous database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:413
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:928
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1548
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:566
+#: ../../src/kadmin/dbutil/kdb5_util.c:412
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564
 msgid "while initializing database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:430
+#: ../../src/kadmin/dbutil/kdb5_util.c:429
 msgid "while retrieving master entry"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:449
+#: ../../src/kadmin/dbutil/kdb5_util.c:448
 msgid "while calculated master key salt"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:481
+#: ../../src/kadmin/dbutil/kdb5_util.c:480
 msgid "Warning: proceeding without master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:499
+#: ../../src/kadmin/dbutil/kdb5_util.c:498
 msgid "while seeding random number generator"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:510
+#: ../../src/kadmin/dbutil/kdb5_util.c:508
 #, c-format
 msgid "%s: Could not map log\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:537
+#: ../../src/kadmin/dbutil/kdb5_util.c:535
 msgid "while closing database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:584
+#: ../../src/kadmin/dbutil/kdb5_util.c:582
 #, c-format
 msgid "while fetching principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:607
+#: ../../src/kadmin/dbutil/kdb5_util.c:605
 msgid "while finding mkey"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:632
+#: ../../src/kadmin/dbutil/kdb5_util.c:630
 msgid "while setting changetime"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:640
+#: ../../src/kadmin/dbutil/kdb5_util.c:638
 #, c-format
 msgid "while saving principal %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/kdb5_util.c:644
+#: ../../src/kadmin/dbutil/kdb5_util.c:642
 #, c-format
 msgid "%s changed\n"
 msgstr ""
@@ -3027,113 +3067,113 @@ msgstr ""
 msgid "addent: Illegal character in key.\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:50
+#: ../../src/kadmin/server/ipropd_svc.c:48
 #, c-format
 msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:51
-#: ../../src/kadmin/server/ipropd_svc.c:214
+#: ../../src/kadmin/server/ipropd_svc.c:49
+#: ../../src/kadmin/server/ipropd_svc.c:212
 #, c-format
 msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:148
-#: ../../src/kadmin/server/ipropd_svc.c:273
+#: ../../src/kadmin/server/ipropd_svc.c:146
+#: ../../src/kadmin/server/ipropd_svc.c:271
 #, c-format
 msgid "%s: server handle is NULL"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:158
-#: ../../src/kadmin/server/ipropd_svc.c:286
+#: ../../src/kadmin/server/ipropd_svc.c:156
+#: ../../src/kadmin/server/ipropd_svc.c:284
 #, c-format
 msgid "%s: setup_gss_names failed"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:168
-#: ../../src/kadmin/server/ipropd_svc.c:297
+#: ../../src/kadmin/server/ipropd_svc.c:166
+#: ../../src/kadmin/server/ipropd_svc.c:295
 #, c-format
 msgid "%s: out of memory recording principal names"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:197
+#: ../../src/kadmin/server/ipropd_svc.c:195
 #, c-format
 msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:203
+#: ../../src/kadmin/server/ipropd_svc.c:201
 #, c-format
 msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:322
+#: ../../src/kadmin/server/ipropd_svc.c:320
 #, c-format
 msgid "%s: getclhoststr failed"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:344
+#: ../../src/kadmin/server/ipropd_svc.c:342
 #, c-format
 msgid "%s: cannot construct kdb5 util dump string too long; out of memory"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:364
+#: ../../src/kadmin/server/ipropd_svc.c:362
 #, c-format
 msgid "%s: fork failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:376
+#: ../../src/kadmin/server/ipropd_svc.c:374
 #, c-format
 msgid "%s: popen failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:390
+#: ../../src/kadmin/server/ipropd_svc.c:388
 #, c-format
 msgid "%s: pclose(popen) failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:407
+#: ../../src/kadmin/server/ipropd_svc.c:405
 #, c-format
 msgid "%s: exec failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:423
+#: ../../src/kadmin/server/ipropd_svc.c:421
 #, c-format
 msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:487
+#: ../../src/kadmin/server/ipropd_svc.c:485
 #: ../../src/kadmin/server/kadm_rpc_svc.c:275
 #, c-format
 msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:517
+#: ../../src/kadmin/server/ipropd_svc.c:515
 #: ../../src/kadmin/server/kadm_rpc_svc.c:310
 #, c-format
 msgid "bad service principal %.*s%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:540
+#: ../../src/kadmin/server/ipropd_svc.c:538
 #, c-format
 msgid "authentication attempt failed: %s, RPC authentication flavor %d"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:574
+#: ../../src/kadmin/server/ipropd_svc.c:572
 #, c-format
 msgid "RPC unknown request: %d (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:582
+#: ../../src/kadmin/server/ipropd_svc.c:580
 #, c-format
 msgid "RPC svc_getargs failed (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:592
+#: ../../src/kadmin/server/ipropd_svc.c:590
 #, c-format
 msgid "RPC svc_sendreply failed (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:598
+#: ../../src/kadmin/server/ipropd_svc.c:596
 #, c-format
 msgid "RPC svc_freeargs failed (%s)"
 msgstr ""
@@ -3143,11 +3183,11 @@ msgstr ""
 msgid "gss_to_krb5_name: failed display_name status %d"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:107
+#: ../../src/kadmin/server/ovsec_kadmd.c:86
 #, c-format
 msgid ""
 "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n"
-"\t\t[-p path-to-kdb5_util] [-F dump-file]\n"
+"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
 "\t\t[-K path-to-kprop] [-P pid_file]\n"
 "\n"
 "where,\n"
@@ -3155,250 +3195,147 @@ msgid ""
 "\t\t\tLook at each database documentation for supported arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:159
-#, c-format
-msgid "GSS-API error %s: %s\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:238
-#, c-format
-msgid "Couldn't create KRB5 Name NameType OID\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:264
+#: ../../src/kadmin/server/ovsec_kadmd.c:111
 #, c-format
-msgid "%s: cannot initialize. Not enough memory\n"
+msgid "%s: %s while %s, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:326
+#: ../../src/kadmin/server/ovsec_kadmd.c:113
 #, c-format
-msgid "%s: %s while initializing context, aborting\n"
+msgid "%s while %s, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:340
+#: ../../src/kadmin/server/ovsec_kadmd.c:115
 #, c-format
-msgid "%s while initializing, aborting"
+msgid "%s: %s, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:341
-#: ../../src/kadmin/server/ovsec_kadmd.c:352
+#: ../../src/kadmin/server/ovsec_kadmd.c:116
 #, c-format
-msgid "%s: %s while initializing, aborting\n"
+msgid "%s, aborting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:350
-#, c-format
-msgid "%s: %s while initializing, aborting"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:363
+#: ../../src/kadmin/server/ovsec_kadmd.c:282
 #, c-format
 msgid ""
-"%s: Missing required configuration values (%lx) while initializing, aborting"
+"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
+"%s, addr = %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:366
+#: ../../src/kadmin/server/ovsec_kadmd.c:288
 #, c-format
 msgid ""
-"%s: Missing required configuration values (%lx) while initializing, "
-"aborting\n"
+"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
+"%s, addr = %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:377
+#: ../../src/kadmin/server/ovsec_kadmd.c:302
 #, c-format
-msgid "%s: could not initialize loop, aborting"
+msgid "Miscellaneous RPC error: %s, %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:379
+#: ../../src/kadmin/server/ovsec_kadmd.c:318
 #, c-format
-msgid "%s: could not initialize loop, aborting\n"
+msgid "%s Cannot decode status %d"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:388
+#: ../../src/kadmin/server/ovsec_kadmd.c:336
 #, c-format
-msgid "%s: %s while initializing signal handlers, aborting"
+msgid "Authentication attempt failed: %s, GSS-API error strings are:"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:390
-#, c-format
-msgid "%s: %s while initializing signal handlers, aborting\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:341
+msgid "   GSS-API error strings complete."
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:414
+#: ../../src/kadmin/server/ovsec_kadmd.c:378
 #, c-format
-msgid "%s: %s while initializing network, aborting"
+msgid "%s: cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:416
+#: ../../src/kadmin/server/ovsec_kadmd.c:445
 #, c-format
-msgid "%s: %s while initializing network, aborting\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:427
-msgid "Cannot build GSS-API authentication names, failing."
+msgid "%s: %s while initializing context, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:429
-#, c-format
-msgid "%s: Cannot build GSS-API authentication names.\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:456
+msgid "initializing"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:448
-msgid "Can't set kdb keytab's internal context."
+#: ../../src/kadmin/server/ovsec_kadmd.c:460
+msgid "getting config parameters"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:453
-msgid "Can't register kdb keytab."
+#: ../../src/kadmin/server/ovsec_kadmd.c:462
+msgid "Missing required realm configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:459
-msgid "Can't register acceptor keytab."
+#: ../../src/kadmin/server/ovsec_kadmd.c:464
+msgid "Missing required ACL file configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:465
-#, c-format
-msgid "%s: Can't set up keytab for RPC.\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:468
+msgid "initializing network"
 msgstr ""
 
 #: ../../src/kadmin/server/ovsec_kadmd.c:473
-msgid "Cannot set GSS-API authentication names (keytab not present?), failing."
+msgid "Cannot build GSSAPI auth names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:475
-#, c-format
-msgid "%s: Cannot set GSS-API authentication names.\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:477
+msgid "Cannot set up KDB keytab"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:499
-#, c-format
-msgid "%s: Cannot initialize RPCSEC_GSS service name.\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:480
+msgid "Cannot set GSSAPI authentication names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:507
-#, c-format
-msgid "Cannot initialize acl file: %s"
+#: ../../src/kadmin/server/ovsec_kadmd.c:497
+msgid "Cannot initialize GSSAPI service name"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:508
-#, c-format
-msgid "%s: Cannot initialize acl file: %s\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:501
+msgid "initializing ACL file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:520
-#, c-format
-msgid "Cannot detach from tty: %s"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:521
-#, c-format
-msgid "%s: Cannot detach from tty: %s\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:504
+msgid "spawning daemon process"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:532
-#, c-format
-msgid "Cannot create PID file %s: %s"
+#: ../../src/kadmin/server/ovsec_kadmd.c:508
+msgid "creating PID file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:542
+#: ../../src/kadmin/server/ovsec_kadmd.c:511
 msgid "Seeding random number generator"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:545
-#, c-format
-msgid "Error getting random seed: %s, aborting"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:569
-#, c-format
-msgid "%s: %s while mapping update log (`%s.ulog')\n"
+#: ../../src/kadmin/server/ovsec_kadmd.c:514
+msgid "getting random seed"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:572
-#, c-format
-msgid "%s while mapping update log (`%s.ulog')"
+#: ../../src/kadmin/server/ovsec_kadmd.c:521
+msgid "mapping update log"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:582
+#: ../../src/kadmin/server/ovsec_kadmd.c:525
 #, c-format
 msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:590
-#, c-format
-msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:594
-#, c-format
-msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:607
-#, c-format
-msgid "%s while getting IProp svc name, failing"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:610
-#, c-format
-msgid "%s: %s while getting IProp svc name, failing\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:632
-#, c-format
-msgid "Unable to set RPCSEC_GSS service name (`%s'), failing."
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:636
-#, c-format
-msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:655
+#: ../../src/kadmin/server/ovsec_kadmd.c:530
 msgid "starting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:657 ../../src/kdc/main.c:1061
+#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061
 #, c-format
 msgid "%s: starting...\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:660
+#: ../../src/kadmin/server/ovsec_kadmd.c:535
 msgid "finished, exiting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:811
-#, c-format
-msgid ""
-"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
-"%s, addr = %s"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:817
-#, c-format
-msgid ""
-"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
-"%s, addr = %s"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:845
-#, c-format
-msgid "Miscellaneous RPC error: %s, %s"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:873
-#, c-format
-msgid "Authentication attempt failed: %s, GSS-API error strings are:"
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:877
-msgid "   GSS-API error strings complete."
-msgstr ""
-
-#: ../../src/kadmin/server/ovsec_kadmd.c:905
-#, c-format
-msgid "GSS-API authentication error %.*s: recursive failure!"
-msgstr ""
-
 #: ../../src/kadmin/server/schpw.c:282
 #, c-format
 msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
@@ -3409,7 +3346,7 @@ msgstr ""
 msgid "chpw request from %s for %.*s%s: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:463
+#: ../../src/kadmin/server/schpw.c:464
 #, c-format
 msgid "chpw: Couldn't open admin keytab %s"
 msgstr ""
@@ -3457,46 +3394,46 @@ msgstr ""
 msgid "AS_REQ : handle_authdata (%d)"
 msgstr ""
 
-#: ../../src/kdc/do_tgs_req.c:617
+#: ../../src/kdc/do_tgs_req.c:593
 #, c-format
 msgid "TGS_REQ : handle_authdata (%d)"
 msgstr ""
 
-#: ../../src/kdc/do_tgs_req.c:679
+#: ../../src/kdc/do_tgs_req.c:655
 msgid "not checking transit path"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:63
+#: ../../src/kdc/fast_util.c:62
 #, c-format
 msgid "%s while handling ap-request armor"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:72
+#: ../../src/kdc/fast_util.c:71
 msgid "ap-request armor for something other than the local TGS"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:81
+#: ../../src/kdc/fast_util.c:80
 msgid "ap-request armor without subkey"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:163
+#: ../../src/kdc/fast_util.c:162
 msgid "Ap-request armor not permitted with TGS"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:171
+#: ../../src/kdc/fast_util.c:169
 #, c-format
 msgid "Unknown FAST armor type %d"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:185
+#: ../../src/kdc/fast_util.c:183
 msgid "No armor key but FAST armored request present"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:222
+#: ../../src/kdc/fast_util.c:219
 msgid "FAST req_checksum invalid; request modified"
 msgstr ""
 
-#: ../../src/kdc/fast_util.c:229
+#: ../../src/kdc/fast_util.c:225
 msgid "Unkeyed checksum used in fast_req"
 msgstr ""
 
@@ -3515,51 +3452,51 @@ msgstr ""
 msgid "authdata (%s) handling failure: %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:68
+#: ../../src/kdc/kdc_log.c:82
 #, c-format
 msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:74
+#: ../../src/kdc/kdc_log.c:88
 #, c-format
 msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:145
+#: ../../src/kdc/kdc_log.c:159
 #, c-format
 msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:152
+#: ../../src/kdc/kdc_log.c:166
 #, c-format
 msgid "... PROTOCOL-TRANSITION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:156
+#: ../../src/kdc/kdc_log.c:170
 #, c-format
 msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:160
+#: ../../src/kdc/kdc_log.c:174
 #, c-format
 msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:194
+#: ../../src/kdc/kdc_log.c:208
 #, c-format
 msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:200
+#: ../../src/kdc/kdc_log.c:214
 #, c-format
 msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:218
+#: ../../src/kdc/kdc_log.c:232
 msgid "TGS_REQ: issuing alternate <un-unparseable> TGT"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:221
+#: ../../src/kdc/kdc_log.c:235
 #, c-format
 msgid "TGS_REQ: issuing TGT %s"
 msgstr ""
@@ -3583,88 +3520,88 @@ msgstr ""
 msgid "Encrypted Challenge used outside of FAST tunnel"
 msgstr ""
 
-#: ../../src/kdc/kdc_preauth_ec.c:111
+#: ../../src/kdc/kdc_preauth_ec.c:110
 msgid "Incorrect password in encrypted challenge"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:233
+#: ../../src/kdc/kdc_util.c:236
 msgid "TGS_REQ: SESSION KEY or MUTUAL"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:311
+#: ../../src/kdc/kdc_util.c:314
 msgid "PROCESS_TGS: failed lineage check"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:456
+#: ../../src/kdc/kdc_util.c:468
 #, c-format
 msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
 msgstr ""
 
-#: ../../src/kdc/main.c:233
+#: ../../src/kdc/main.c:231
 #, c-format
 msgid "while getting context for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:331
+#: ../../src/kdc/main.c:329
 #, c-format
 msgid "while setting default realm to %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:339
+#: ../../src/kdc/main.c:337
 #, c-format
 msgid "while initializing database for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:348
+#: ../../src/kdc/main.c:346
 #, c-format
 msgid "while setting up master key name %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:361
+#: ../../src/kdc/main.c:359
 #, c-format
 msgid "while fetching master key %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:369
+#: ../../src/kdc/main.c:367
 #, c-format
 msgid "while fetching master keys list for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:378
+#: ../../src/kdc/main.c:376
 #, c-format
 msgid "while resolving kdb keytab for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:387
+#: ../../src/kdc/main.c:385
 #, c-format
 msgid "while building TGS name for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:505
+#: ../../src/kdc/main.c:503
 #, c-format
 msgid "creating %d worker processes"
 msgstr ""
 
-#: ../../src/kdc/main.c:515
+#: ../../src/kdc/main.c:513
 msgid "Unable to reinitialize main loop"
 msgstr ""
 
-#: ../../src/kdc/main.c:520
+#: ../../src/kdc/main.c:518
 #, c-format
 msgid "Unable to initialize signal handlers in pid %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:550
+#: ../../src/kdc/main.c:548
 #, c-format
 msgid "worker %ld exited with status %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:574
+#: ../../src/kdc/main.c:572
 #, c-format
 msgid "signal %d received in supervisor"
 msgstr ""
 
-#: ../../src/kdc/main.c:593
+#: ../../src/kdc/main.c:591
 #, c-format
 msgid ""
 "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
@@ -3678,7 +3615,7 @@ msgid ""
 "arguments\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:655 ../../src/kdc/main.c:662 ../../src/kdc/main.c:774
+#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774
 #, c-format
 msgid " KDC cannot initialize. Not enough memory\n"
 msgstr ""
@@ -3765,240 +3702,239 @@ msgstr ""
 msgid "shutting down"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:274
+#: ../../src/lib/apputils/net-server.c:258
 msgid "Got signal to request exit"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:288
+#: ../../src/lib/apputils/net-server.c:272
 msgid "Got signal to reset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:446
+#: ../../src/lib/apputils/net-server.c:429
 #, c-format
 msgid "closing down fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:460
+#: ../../src/lib/apputils/net-server.c:443
 #, c-format
 msgid "descriptor %d closed but still in svc_fdset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:486
+#: ../../src/lib/apputils/net-server.c:469
 msgid "cannot create io event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:492
+#: ../../src/lib/apputils/net-server.c:475
 msgid "cannot save event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:512
+#: ../../src/lib/apputils/net-server.c:495
 #, c-format
 msgid "file descriptor number %d too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:520
+#: ../../src/lib/apputils/net-server.c:503
 msgid "cannot allocate storage for connection info"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:579
+#: ../../src/lib/apputils/net-server.c:562
 #, c-format
 msgid "Cannot create TCP server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:588
+#: ../../src/lib/apputils/net-server.c:571
 #, c-format
 msgid "TCP socket fd number %d (for %s) too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:596
+#: ../../src/lib/apputils/net-server.c:579
 #, c-format
 msgid "Cannot enable SO_REUSEADDR on fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:603
+#: ../../src/lib/apputils/net-server.c:586
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:605
+#: ../../src/lib/apputils/net-server.c:588
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:608
+#: ../../src/lib/apputils/net-server.c:591
 msgid "no IPV6_V6ONLY socket option support"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:614
+#: ../../src/lib/apputils/net-server.c:597
 #, c-format
 msgid "Cannot bind server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:641
+#: ../../src/lib/apputils/net-server.c:624
 #, c-format
 msgid "Cannot create RPC service: %s; continuing"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:650
+#: ../../src/lib/apputils/net-server.c:633
 #, c-format
 msgid "Cannot register RPC service: %s; continuing"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:699
+#: ../../src/lib/apputils/net-server.c:682
 #, c-format
 msgid "Cannot listen on TCP server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:705
+#: ../../src/lib/apputils/net-server.c:688
 #, c-format
 msgid "cannot set listening tcp socket on %s non-blocking"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:712
+#: ../../src/lib/apputils/net-server.c:695
 #, c-format
 msgid "disabling SO_LINGER on TCP socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:766
-#: ../../src/lib/apputils/net-server.c:775
+#: ../../src/lib/apputils/net-server.c:743
+#: ../../src/lib/apputils/net-server.c:752
 #, c-format
 msgid "listening on fd %d: tcp %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:780
+#: ../../src/lib/apputils/net-server.c:757
 msgid "assuming IPv6 socket accepts IPv4"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:820
-#: ../../src/lib/apputils/net-server.c:833
+#: ../../src/lib/apputils/net-server.c:791
+#: ../../src/lib/apputils/net-server.c:804
 #, c-format
 msgid "listening on fd %d: rpc %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:920
+#: ../../src/lib/apputils/net-server.c:883
 #, c-format
 msgid "Cannot request packet info for udp socket address %s port %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:926
+#: ../../src/lib/apputils/net-server.c:889
 #, c-format
 msgid "listening on fd %d: udp %s%s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:976
-#, c-format
-msgid "skipping unrecognized local address family %d"
-msgstr ""
-
-#: ../../src/lib/apputils/net-server.c:991
+#: ../../src/lib/apputils/net-server.c:918
 msgid "Failed to reconfigure network, exiting"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1048
+#: ../../src/lib/apputils/net-server.c:979
 #, c-format
 msgid ""
 "unhandled routing message type %d, will reconfigure just for the fun of it"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1082
+#: ../../src/lib/apputils/net-server.c:1013
 #, c-format
 msgid "short read (%d/%d) from routing socket"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1092
+#: ../../src/lib/apputils/net-server.c:1023
 #, c-format
 msgid "read %d from routing socket but msglen is %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1124
+#: ../../src/lib/apputils/net-server.c:1055
 #, c-format
 msgid "couldn't set up routing socket: %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1127
+#: ../../src/lib/apputils/net-server.c:1058
 #, c-format
 msgid "routing socket is fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1153
+#: ../../src/lib/apputils/net-server.c:1084
 msgid "setting up network..."
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1170
+#: ../../src/lib/apputils/net-server.c:1101
 #, c-format
 msgid "set up %d sockets"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1172
+#: ../../src/lib/apputils/net-server.c:1103
 msgid "no sockets set up?"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1420
-#: ../../src/lib/apputils/net-server.c:1474
+#: ../../src/lib/apputils/net-server.c:1351
+#: ../../src/lib/apputils/net-server.c:1405
 msgid "while dispatching (udp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1449
+#: ../../src/lib/apputils/net-server.c:1380
 #, c-format
 msgid "while sending reply to %s/%s from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1454
+#: ../../src/lib/apputils/net-server.c:1385
 #, c-format
 msgid "short reply write %d vs %d\n"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1499
+#: ../../src/lib/apputils/net-server.c:1430
 msgid "while receiving from network"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1515
+#: ../../src/lib/apputils/net-server.c:1446
 #, c-format
 msgid "pktinfo says local addr is %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1548
+#: ../../src/lib/apputils/net-server.c:1479
 msgid "too many connections"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1571
+#: ../../src/lib/apputils/net-server.c:1502
 #, c-format
 msgid "dropping %s fd %d from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1649
+#: ../../src/lib/apputils/net-server.c:1580
 #, c-format
 msgid "allocating buffer for new TCP session from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1679
+#: ../../src/lib/apputils/net-server.c:1610
 msgid "while dispatching (tcp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1711
+#: ../../src/lib/apputils/net-server.c:1642
 msgid "error allocating tcp dispatch private!"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1758
+#: ../../src/lib/apputils/net-server.c:1689
 #, c-format
 msgid "TCP client %s wants %lu bytes, cap is %lu"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1766
+#: ../../src/lib/apputils/net-server.c:1697
 #, c-format
 msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1945
+#: ../../src/lib/apputils/net-server.c:1876
 #, c-format
 msgid "accepted RPC connection on socket %d from %s"
 msgstr ""
 
-#: ../../src/lib/crypto/krb/cf2.c:115
+#: ../../src/lib/crypto/krb/cf2.c:114
 #, c-format
 msgid "Enctype %d has no PRF"
 msgstr ""
 
+#: ../../src/lib/crypto/krb/prng_fortuna.c:428
+msgid "Random number generator could not be seeded"
+msgstr ""
+
 #: ../../src/lib/gssapi/generic/disp_major_status.c:43
 #: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165
 msgid "A required input parameter could not be read"
@@ -4127,7 +4063,7 @@ msgstr ""
 msgid "Unknown %s (field = %d)"
 msgstr ""
 
-#: ../../src/lib/gssapi/krb5/acquire_cred.c:166
+#: ../../src/lib/gssapi/krb5/acquire_cred.c:165
 #, c-format
 msgid "No key table entry found matching %s"
 msgstr ""
@@ -4194,27 +4130,27 @@ msgstr ""
 msgid "An expected per-message token was not received"
 msgstr ""
 
-#: ../../src/lib/gssapi/spnego/spnego_mech.c:1819
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860
 msgid "SPNEGO cannot find mechanisms to negotiate"
 msgstr ""
 
-#: ../../src/lib/gssapi/spnego/spnego_mech.c:1824
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865
 msgid "SPNEGO failed to acquire creds"
 msgstr ""
 
-#: ../../src/lib/gssapi/spnego/spnego_mech.c:1829
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870
 msgid "SPNEGO acceptor did not select a mechanism"
 msgstr ""
 
-#: ../../src/lib/gssapi/spnego/spnego_mech.c:1834
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875
 msgid "SPNEGO failed to negotiate a mechanism"
 msgstr ""
 
-#: ../../src/lib/gssapi/spnego/spnego_mech.c:1839
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880
 msgid "SPNEGO acceptor did not return a valid token"
 msgstr ""
 
-#: ../../src/lib/kadm5/alt_prof.c:855
+#: ../../src/lib/kadm5/alt_prof.c:854
 #, c-format
 msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\""
 msgstr ""
@@ -4302,31 +4238,31 @@ msgstr ""
 msgid "Password may not match principal name"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_acl.c:90
+#: ../../src/lib/kadm5/srv/server_acl.c:89
 #, c-format
 msgid "%s: line %d too long, truncated"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_acl.c:91
+#: ../../src/lib/kadm5/srv/server_acl.c:90
 #, c-format
 msgid "Unrecognized ACL operation '%c' in %s"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_acl.c:93
+#: ../../src/lib/kadm5/srv/server_acl.c:92
 #, c-format
 msgid "%s: syntax error at line %d <%10s...>"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_acl.c:95
+#: ../../src/lib/kadm5/srv/server_acl.c:94
 #, c-format
 msgid "%s while opening ACL file %s"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_kdb.c:194
+#: ../../src/lib/kadm5/srv/server_kdb.c:192
 msgid "History entry contains no key data"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_misc.c:146
+#: ../../src/lib/kadm5/srv/server_misc.c:128
 #, c-format
 msgid "password quality module %s rejected password for %s: %s"
 msgstr ""
@@ -4395,33 +4331,33 @@ msgstr ""
 msgid "No authorization data required"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:222
+#: ../../src/lib/kdb/kdb5.c:219
 msgid "No default realm set; cannot initialize KDB"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:325 ../../src/lib/kdb/kdb5.c:408
+#: ../../src/lib/kdb/kdb5.c:324 ../../src/lib/kdb/kdb5.c:406
 #, c-format
 msgid "Unable to find requested database type: %s"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:419
+#: ../../src/lib/kdb/kdb5.c:416
 #, c-format
 msgid "plugin symbol 'kdb_function_table' lookup failed: %s"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:429
+#: ../../src/lib/kdb/kdb5.c:426
 #, c-format
 msgid ""
 "Unable to load requested database module '%s': plugin symbol "
 "'kdb_function_table' not found"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1698
+#: ../../src/lib/kdb/kdb5.c:1650
 #, c-format
 msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1867
+#: ../../src/lib/kdb/kdb5.c:1819
 #, c-format
 msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
 msgstr ""
@@ -4440,22 +4376,22 @@ msgstr ""
 msgid "Temporary stash file already exists: %s."
 msgstr ""
 
-#: ../../src/lib/kdb/kdb_default.c:231
+#: ../../src/lib/kdb/kdb_default.c:230
 #, c-format
 msgid "rename of temporary keyfile (%s) to (%s) failed: %s"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb_default.c:421
+#: ../../src/lib/kdb/kdb_default.c:419
 #, c-format
 msgid "Can not fetch master key (error: %s)."
 msgstr ""
 
-#: ../../src/lib/kdb/kdb_default.c:484
+#: ../../src/lib/kdb/kdb_default.c:482
 msgid "Unable to decrypt latest master key with the provided master key\n"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb_log.c:101
-msgid "ulog_sync_header: could not sync to disk"
+#: ../../src/lib/kdb/kdb_log.c:83
+msgid "could not sync ulog header to disk"
 msgstr ""
 
 #: ../../src/lib/krb5/ccache/cc_dir.c:122
@@ -4463,49 +4399,49 @@ msgstr ""
 msgid "Subsidiary cache path %s has no parent directory"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_dir.c:129
+#: ../../src/lib/krb5/ccache/cc_dir.c:128
 #, c-format
 msgid "Subsidiary cache path %s filename does not begin with \"tkt\""
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_dir.c:171
+#: ../../src/lib/krb5/ccache/cc_dir.c:169
 #, c-format
 msgid "%s contains invalid filename"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_dir.c:231
+#: ../../src/lib/krb5/ccache/cc_dir.c:229
 #, c-format
 msgid "Credential cache directory %s does not exist"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_dir.c:237
+#: ../../src/lib/krb5/ccache/cc_dir.c:235
 #, c-format
-msgid "Credential cache directory %s exists but isnot a directory"
+msgid "Credential cache directory %s exists but is not a directory"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_dir.c:402
+#: ../../src/lib/krb5/ccache/cc_dir.c:400
 msgid ""
 "Can't create new subsidiary cache because default cache is not a directory "
 "collection"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_file.c:1243
+#: ../../src/lib/krb5/ccache/cc_file.c:569
 #, c-format
 msgid "Credentials cache file '%s' not found"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_file.c:2456
+#: ../../src/lib/krb5/ccache/cc_file.c:1575
 #, c-format
 msgid "Credentials cache I/O operation failed (%s)"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_keyring.c:1421
+#: ../../src/lib/krb5/ccache/cc_keyring.c:1151
 msgid ""
 "Can't create new subsidiary cache because default cache is already a "
-"subsdiary"
+"subsidiary"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cc_keyring.c:1731
+#: ../../src/lib/krb5/ccache/cc_keyring.c:1219
 #, c-format
 msgid "Credentials cache keyring '%s' not found"
 msgstr ""
@@ -4524,12 +4460,12 @@ msgstr ""
 msgid "No key table entry found for %s"
 msgstr ""
 
-#: ../../src/lib/krb5/keytab/kt_file.c:817
-#: ../../src/lib/krb5/keytab/kt_file.c:851
+#: ../../src/lib/krb5/keytab/kt_file.c:815
+#: ../../src/lib/krb5/keytab/kt_file.c:848
 msgid "Cannot change keytab with keytab iterators active"
 msgstr ""
 
-#: ../../src/lib/krb5/keytab/kt_file.c:1051
+#: ../../src/lib/krb5/keytab/kt_file.c:1047
 #, c-format
 msgid "Key table file '%s' not found"
 msgstr ""
@@ -4539,70 +4475,70 @@ msgstr ""
 msgid "Keytab %s is nonexistent or empty"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:252
+#: ../../src/lib/krb5/krb/chpw.c:251
 msgid "Malformed request error"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:255 ../lib/krb5/error_tables/kdb5_err.c:58
+#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58
 msgid "Server error"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:258
+#: ../../src/lib/krb5/krb/chpw.c:257
 msgid "Authentication error"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:261
+#: ../../src/lib/krb5/krb/chpw.c:260
 msgid "Password change rejected"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:264
+#: ../../src/lib/krb5/krb/chpw.c:263
 msgid "Access denied"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:267
+#: ../../src/lib/krb5/krb/chpw.c:266
 msgid "Wrong protocol version"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:270
+#: ../../src/lib/krb5/krb/chpw.c:269
 msgid "Initial password required"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:273
+#: ../../src/lib/krb5/krb/chpw.c:272
 msgid "Success"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:276 ../lib/krb5/error_tables/krb5_err.c:257
+#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257
 msgid "Password change failed"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:435
+#: ../../src/lib/krb5/krb/chpw.c:433
 msgid ""
 "The password must include numbers or symbols.  Don't include any part of "
 "your name in the password."
 msgstr ""
 
-#: ../../src/lib/krb5/krb/chpw.c:441
+#: ../../src/lib/krb5/krb/chpw.c:439
 #, c-format
 msgid "The password must contain at least %d character."
 msgid_plural "The password must contain at least %d characters."
 msgstr[0] ""
 msgstr[1] ""
 
-#: ../../src/lib/krb5/krb/chpw.c:450
+#: ../../src/lib/krb5/krb/chpw.c:448
 #, c-format
 msgid "The password must be different from the previous password."
 msgid_plural "The password must be different from the previous %d passwords."
 msgstr[0] ""
 msgstr[1] ""
 
-#: ../../src/lib/krb5/krb/chpw.c:462
+#: ../../src/lib/krb5/krb/chpw.c:460
 #, c-format
 msgid "The password can only be changed once a day."
 msgid_plural "The password can only be changed every %d days."
 msgstr[0] ""
 msgstr[1] ""
 
-#: ../../src/lib/krb5/krb/chpw.c:509
+#: ../../src/lib/krb5/krb/chpw.c:506
 msgid "Try a more complex password, or contact your administrator."
 msgstr ""
 
@@ -4628,7 +4564,7 @@ msgstr ""
 msgid "FAST response missing finish message in KDC reply"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/fast.c:560
+#: ../../src/lib/krb5/krb/fast.c:558
 msgid "Ticket modified in KDC reply"
 msgstr ""
 
@@ -4637,21 +4573,21 @@ msgstr ""
 msgid "KDC returned error string: %.*s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gc_via_tkt.c:218
+#: ../../src/lib/krb5/krb/gc_via_tkt.c:217
 #, c-format
 msgid "Server %s not found in Kerberos database"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:134
+#: ../../src/lib/krb5/krb/get_in_tkt.c:133
 msgid "Reply has wrong form of session key for anonymous request"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:1631
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1642
 #, c-format
 msgid "%s while storing credentials"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:1719
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1730
 #, c-format
 msgid "Client '%s' not found in Kerberos database"
 msgstr ""
@@ -4661,41 +4597,36 @@ msgstr ""
 msgid "Keytab contains no suitable keys for %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_opt.c:261
-#, c-format
-msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt"
-msgstr ""
-
 #: ../../src/lib/krb5/krb/gic_pwd.c:75
 #, c-format
 msgid "Password for %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:229
+#: ../../src/lib/krb5/krb/gic_pwd.c:227
 #, c-format
 msgid "Warning: Your password will expire in less than one hour on %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:233
+#: ../../src/lib/krb5/krb/gic_pwd.c:231
 #, c-format
 msgid "Warning: Your password will expire in %d hour%s on %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:237
+#: ../../src/lib/krb5/krb/gic_pwd.c:235
 #, c-format
 msgid "Warning: Your password will expire in %d days on %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:381
+#: ../../src/lib/krb5/krb/gic_pwd.c:409
 msgid "Password expired.  You must change it now."
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:400 ../../src/lib/krb5/krb/gic_pwd.c:404
+#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432
 #, c-format
 msgid "%s.  Please try again."
 msgstr ""
 
-#: ../../src/lib/krb5/krb/gic_pwd.c:443
+#: ../../src/lib/krb5/krb/gic_pwd.c:471
 #, c-format
 msgid "%.*s%s%s.  Please try again.\n"
 msgstr ""
@@ -4705,26 +4636,26 @@ msgstr ""
 msgid "Principal %s is missing required realm"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/parse.c:217
+#: ../../src/lib/krb5/krb/parse.c:215
 #, c-format
 msgid "Principal %s has realm present"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/plugin.c:164
+#: ../../src/lib/krb5/krb/plugin.c:165
 #, c-format
 msgid "Invalid module specifier %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/plugin.c:401
+#: ../../src/lib/krb5/krb/plugin.c:402
 #, c-format
 msgid "Could not find %s plugin module named '%s'"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth2.c:1020
+#: ../../src/lib/krb5/krb/preauth2.c:1018
 msgid "Unable to initialize preauth context"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth2.c:1034
+#: ../../src/lib/krb5/krb/preauth2.c:1032
 #, c-format
 msgid "Preauth module %s: %s"
 msgstr ""
@@ -4753,11 +4684,11 @@ msgstr ""
 msgid "OTP value doesn't match any token formats"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:770
+#: ../../src/lib/krb5/krb/preauth_otp.c:769
 msgid "Enter OTP Token Value"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_otp.c:916
+#: ../../src/lib/krb5/krb/preauth_otp.c:914
 msgid "No supported tokens"
 msgstr ""
 
@@ -4790,35 +4721,103 @@ msgstr ""
 msgid "Challenge from authentication server"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth_sam2.c:165
+#: ../../src/lib/krb5/krb/preauth_sam2.c:166
 msgid "SAM Authentication"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/rd_req_dec.c:682
+#: ../../src/lib/krb5/krb/rd_req_dec.c:145
+#, c-format
+msgid "Cannot find key for %s kvno %d in keytab"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:150
+#, c-format
+msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:175
+#, c-format
+msgid "Cannot decrypt ticket for %s using keytab key for %s"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:197
+#, c-format
+msgid "Server principal %s does not match request ticket server %s"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:226
+msgid "No keys in keytab"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:229
+#, c-format
+msgid "Server principal %s does not match any keys in keytab"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:236
+#, c-format
+msgid ""
+"Request ticket server %s found in keytab but does not match server principal "
+"%s"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:241
+#, c-format
+msgid "Request ticket server %s not found in keytab (ticket kvno %d)"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:247
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d not found in keytab; ticket is likely out "
+"of date"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:252
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d not found in keytab; keytab is likely out "
+"of date"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:261
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d found in keytab but not with enctype %s"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:266
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d enctype %s found in keytab but cannot "
+"decrypt ticket"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:897
 #, c-format
 msgid "Encryption type %s not permitted"
 msgstr ""
 
-#: ../../src/lib/krb5/os/expand_path.c:320
+#: ../../src/lib/krb5/os/expand_path.c:316
 #, c-format
 msgid "Can't find username for uid %lu"
 msgstr ""
 
-#: ../../src/lib/krb5/os/expand_path.c:409
-#: ../../src/lib/krb5/os/expand_path.c:425
+#: ../../src/lib/krb5/os/expand_path.c:405
+#: ../../src/lib/krb5/os/expand_path.c:421
 msgid "Invalid token"
 msgstr ""
 
-#: ../../src/lib/krb5/os/expand_path.c:509
+#: ../../src/lib/krb5/os/expand_path.c:506
 msgid "variable missing }"
 msgstr ""
 
-#: ../../src/lib/krb5/os/locate_kdc.c:588
+#: ../../src/lib/krb5/os/locate_kdc.c:660
 #, c-format
 msgid "Cannot find KDC for realm \"%.*s\""
 msgstr ""
 
-#: ../../src/lib/krb5/os/sendto_kdc.c:225
+#: ../../src/lib/krb5/os/sendto_kdc.c:475
 #, c-format
 msgid "Cannot contact any KDC for realm '%.*s'"
 msgstr ""
@@ -4832,317 +4831,309 @@ msgstr ""
 #, c-format
 msgid ""
 "Insecure mkstemp() file mode for replay cache file %s; try running this "
-"program with umask 077 "
+"program with umask 077"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:145
+#: ../../src/lib/krb5/rcache/rc_io.c:144
 #, c-format
 msgid "Cannot %s replay cache file %s: %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:151
+#: ../../src/lib/krb5/rcache/rc_io.c:149
 #, c-format
 msgid "Cannot %s replay cache: %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:271
+#: ../../src/lib/krb5/rcache/rc_io.c:268
 #, c-format
 msgid "Insecure file mode for replay cache file %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:278
+#: ../../src/lib/krb5/rcache/rc_io.c:274
 #, c-format
 msgid "rcache not owned by %d"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:407
-#: ../../src/lib/krb5/rcache/rc_io.c:413
+#: ../../src/lib/krb5/rcache/rc_io.c:398 ../../src/lib/krb5/rcache/rc_io.c:402
+#: ../../src/lib/krb5/rcache/rc_io.c:407
 #, c-format
 msgid "Can't write to replay cache: %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:435
+#: ../../src/lib/krb5/rcache/rc_io.c:428
 #, c-format
 msgid "Cannot sync replay cache file: %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:455
+#: ../../src/lib/krb5/rcache/rc_io.c:447
 #, c-format
 msgid "Can't read from replay cache: %s"
 msgstr ""
 
-#: ../../src/lib/krb5/rcache/rc_io.c:487 ../../src/lib/krb5/rcache/rc_io.c:494
-#: ../../src/lib/krb5/rcache/rc_io.c:500
+#: ../../src/lib/krb5/rcache/rc_io.c:478 ../../src/lib/krb5/rcache/rc_io.c:484
+#: ../../src/lib/krb5/rcache/rc_io.c:489
 #, c-format
 msgid "Can't destroy replay cache: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/db2/kdb_db2.c:234
-#: ../../src/plugins/kdb/db2/kdb_db2.c:817
+#: ../../src/plugins/kdb/db2/kdb_db2.c:245
+#: ../../src/plugins/kdb/db2/kdb_db2.c:830
 #, c-format
 msgid "Unsupported argument \"%s\" for db2"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:71
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:938
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1139
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1558
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507
 msgid "while reading kerberos container information"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:131
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:145
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:506
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:520
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:162
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:177
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166
 msgid "while providing time specification"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:270
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:306
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304
 msgid "while creating policy object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:281
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1566
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515
 msgid "while reading realm information"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:350
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:409
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407
 msgid "while destroying policy object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358
 #, c-format
 msgid "This will delete the policy object '%s', are you sure?\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:475
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:665
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663
 msgid "while modifying policy object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:489
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487
 #, c-format
 msgid "while reading information of policy '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:694
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692
 msgid "while viewing policy"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:703
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701
 #, c-format
 msgid "while viewing policy '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:841
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835
 msgid "while listing policy objects"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:362
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453
 #, c-format
 msgid "for subtree while creating realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:374
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465
 #, c-format
 msgid "for container reference while creating realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:398
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489
 #, c-format
 msgid "invalid search scope while creating realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:413
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:874
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823
 #, c-format
 msgid "'%s' is an invalid option\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:433
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512
 #, c-format
 msgid "Initializing database for realm '%s'\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:457
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:747
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696
 #, c-format
 msgid "while creating realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:477
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556
 #, c-format
 msgid "Enter DN of Kerberos container: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:945
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894
 #, c-format
 msgid "while reading information of realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:658
-msgid "krb5_sname_to_principal, while adding entries to the database"
-msgstr ""
-
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:664
-msgid "krb5_copy_principal, while adding entries to the database"
-msgstr ""
-
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:784
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733
 msgid "while reading Kerberos container information"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:825
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774
 #, c-format
 msgid "for subtree while modifying realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:836
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785
 #, c-format
 msgid "for container reference while modifying realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:863
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812
 #, c-format
 msgid "specified for search scope while modifying information of realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:902
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851
 #, c-format
 msgid "while modifying information of realm '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:991
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940
 msgid "Realm Name"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:994
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943
 msgid "Subtree"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:997
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946
 msgid "Principal Container Reference"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1002
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953
 msgid "SearchScope"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1002
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
 msgid "Invalid !"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958
 msgid "KDC Services"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1024
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973
 msgid "Admin Services"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1039
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988
 msgid "Passwd Services"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1055
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004
 msgid "Maximum Ticket Life"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1060
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009
 msgid "Maximum Renewable Life"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1067
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016
 msgid "Ticket flags"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1146
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095
 msgid "while listing realms"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1490
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439
 msgid "while adding entries to database"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1531
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480
 #, c-format
 msgid "Deleting KDC database of '%s', are you sure?\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1542
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491
 #, c-format
 msgid "OK, deleting database of '%s'...\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1575
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524
 #, c-format
 msgid "deleting database of '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1580
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529
 #, c-format
 msgid "** Database of '%s' destroyed.\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:82
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:89
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:97
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:105
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:121
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:149
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:228
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227
 msgid "while setting service object password"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:141
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:479
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477
 #, c-format
 msgid "Password for \"%s\""
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:144
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143
 #, c-format
 msgid "Re-enter password for \"%s\""
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:155
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154
 #, c-format
 msgid "%s: Invalid password\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:171
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170
 msgid "Failed to convert the password to hexadecimal"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:184
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183
 #, c-format
 msgid "Failed to open file %s: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:206
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:248
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:257
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:284
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283
 msgid "Failed to write service object password to file"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:212
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:269
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268
 msgid "Error reading service object password file"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:237
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236
 #, c-format
 msgid "Error creating file %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:107
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105
 #, c-format
 msgid ""
 "Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
@@ -5169,38 +5160,38 @@ msgid ""
 "list_policy     [-r realm]\n"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:327
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:335
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:343
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341
 msgid "while reading ldap parameters"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:441
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439
 msgid "while initializing error handling"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:449
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447
 msgid "while initializing ldap handle"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:463
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:472
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:485
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:527
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525
 msgid "while retrieving ldap configuration"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:502
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:509
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:518
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516
 msgid "while initializing server list"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:549
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547
 msgid "while setting up lib handle"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:558
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556
 msgid "while reading ldap configuration"
 msgstr ""
 
@@ -5212,348 +5203,328 @@ msgstr ""
 msgid "Unable to read Realm"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:200
-msgid ""
-"Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. "
-"Proceeding anyway ..."
-msgstr ""
-
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:201
-msgid ""
-"SASL EXTERNAL mechanism not supported by LDAP server. Can't perform "
-"certificate-based bind."
-msgstr ""
-
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:269
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73
 msgid "Error processing LDAP DB params:"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:276
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80
 msgid "Error reading LDAP server params:"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:49
-msgid "LDAP bind dn value missing "
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64
+msgid "LDAP bind dn value missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:56
-msgid "LDAP bind password value missing "
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69
+msgid "LDAP bind password value missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:63
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77
 msgid "Error reading password from stash: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:75
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85
 msgid "Service password length is zero"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:117
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145
 #, c-format
-msgid "Cannot create LDAP handle for '%s': %s"
+msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:129
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158
 #, c-format
 msgid "Cannot bind to LDAP server '%s' as '%s': %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:132
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183
+#, c-format
+msgid "Cannot create LDAP handle for '%s': %s"
+msgstr ""
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131
 msgid "could not complete roll-back, error deleting Kerberos Container"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:59
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:71
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67
 msgid "Error reading kerberos container location from krb5.conf"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:80
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75
 msgid "Kerberos container location not specified"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:87
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:99
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:119
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:130
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:150
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:160
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55
 #, c-format
 msgid "Error reading '%s' attribute: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:252
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218
 msgid "KDB module requires -update argument"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:258
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224
 #, c-format
 msgid "'%s' value missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:289
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282
 #, c-format
 msgid "unknown option '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:362
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342
 msgid "Minimum connections required per server is 2"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:409
-msgid "Error reading 'ldap_servers' attribute"
-msgstr ""
-
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159
 msgid "Default realm not set"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:259
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262
 msgid "DN information missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:109
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108
 msgid "Principal does not belong to realm"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:280
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:290
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:299
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295
 #, c-format
 msgid "%s option not supported"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:307
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302
 #, c-format
 msgid "unknown option: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:315
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:323
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316
 #, c-format
 msgid "%s option value missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:525
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:543
 msgid "Principal does not belong to the default realm"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:596
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:611
 #, c-format
 msgid ""
 "operation can not continue, more than one entry with principal name \"%s\" "
 "found"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:661
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:674
 #, c-format
 msgid "'%s' not found: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:743
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:752
 msgid "DN is out of the realm subtree"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:798
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:808
 #, c-format
 msgid "ldap object is already kerberized"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:818
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:828
 #, c-format
 msgid ""
 "link information can not be set/updated as the kerberos principal belongs to "
 "an ldap object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:833
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:843
 #, c-format
 msgid "Failed getting object references"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:840
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:850
 #, c-format
 msgid "kerberos principal is already linked to a ldap object"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1148
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1158
 msgid "ticket policy object value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1196
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1206
 #, c-format
 msgid "Principal delete failed (trying to replace entry): %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1206
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1216
 #, c-format
 msgid "Principal add failed: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1244
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1254
 #, c-format
 msgid "User modification failed: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1311
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1327
 msgid "Error reading ticket policy. "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1376
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1393
 #, c-format
 msgid "unable to decode stored principal key data (%s)"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:224
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223
 msgid "Realm information not available"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:296
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294
 msgid "Error reading ticket policy: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:309
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307
 #, c-format
 msgid "Realm Delete FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:383
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387
 msgid "subtree value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:400
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404
 msgid "container reference value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:484
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550
 msgid "Kerberos Container information is missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:497
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499
 msgid "Invalid Kerberos container DN"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:514
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515
 #, c-format
 msgid "Kerberos Container create FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:559
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558
 #, c-format
 msgid "Kerberos Container delete FAILED: %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:635
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634
 msgid "realm object value: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:50
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48
 msgid "Not a hexadecimal password"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:57
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:68
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66
 msgid "Password corrupt"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:103
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93
 #, c-format
 msgid "Cannot open LDAP password file '%s': %s"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:132
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123
 #, c-format
 msgid "Bind DN entry '%s' missing in LDAP password file '%s'"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:146
-msgid "Stash file entry corrupt"
-msgstr ""
-
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132
 msgid "Ticket Policy Name missing"
 msgstr ""
 
 #: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:222
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221
 msgid "ticket policy object: "
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:210
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209
 msgid "Ticket Policy Object information missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:297
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:296
 msgid "Ticket Policy Object DN missing"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:324
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:323
 msgid "Delete Failed: One or more Principals associated with the Ticket Policy"
 msgstr ""
 
-#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:432
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:431
 msgid "Error reading container object: "
 msgstr ""
 
 #: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:691
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4332
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153
 msgid "Pass phrase for"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1114
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081
 #, c-format
 msgid "Cannot create cert chain: %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1439
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408
 msgid "Invalid pkinit packet: octet string expected"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1458
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427
 msgid "wrong oid\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6186
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5991
 #, c-format
 msgid "unknown code 0x%x"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:425
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424
 #, c-format
 msgid "Unsupported type while processing '%s'\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:466
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465
 msgid "Internal error parsing X509_user_identity\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:561
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560
 msgid "No user identity options specified"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:419
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414
 msgid "Pkinit request not signed, but client not anonymous."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:452
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447
 msgid "Anonymous pkinit without DH public value not supported."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1152
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147
 #, c-format
 msgid "No pkinit_identity supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1163
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158
 #, c-format
 msgid "No pkinit_anchors supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1355
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346
 msgid "No realms configured correctly for pkinit support"
 msgstr ""
 
@@ -5565,265 +5536,270 @@ msgid ""
 "\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:117
+#: ../../src/slave/kprop.c:114
 #, c-format
 msgid "Database propagation to %s: SUCCEEDED\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:202
+#: ../../src/slave/kprop.c:187
 msgid "while setting client principal name"
 msgstr ""
 
-#: ../../src/slave/kprop.c:209 ../../src/slave/kprop.c:224
+#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209
 msgid "while setting client principal realm"
 msgstr ""
 
-#: ../../src/slave/kprop.c:238
+#: ../../src/slave/kprop.c:217
 #, c-format
 msgid "while opening credential cache %s"
 msgstr ""
 
-#: ../../src/slave/kprop.c:259
+#: ../../src/slave/kprop.c:233
 msgid "while setting server principal name"
 msgstr ""
 
-#: ../../src/slave/kprop.c:282
+#: ../../src/slave/kprop.c:255
 msgid "while resolving keytab"
 msgstr ""
 
-#: ../../src/slave/kprop.c:291
+#: ../../src/slave/kprop.c:264
 msgid "while getting initial credentials\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:330
+#: ../../src/slave/kprop.c:301
 msgid "while creating socket"
 msgstr ""
 
-#: ../../src/slave/kprop.c:346
+#: ../../src/slave/kprop.c:317
 msgid "while converting server address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:356
+#: ../../src/slave/kprop.c:327
 msgid "while connecting to server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:363 ../../src/slave/kpropd.c:1286
+#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215
 msgid "while getting local socket address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:368
+#: ../../src/slave/kprop.c:339
 msgid "while converting local address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:395
+#: ../../src/slave/kprop.c:362
 msgid "in krb5_auth_con_setaddrs"
 msgstr ""
 
-#: ../../src/slave/kprop.c:404
+#: ../../src/slave/kprop.c:370
 msgid "while authenticating to server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:408 ../../src/slave/kprop.c:628
-#: ../../src/slave/kpropd.c:1622
+#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573
+#: ../../src/slave/kpropd.c:1521
 #, c-format
 msgid "Generic remote error: %s\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:414 ../../src/slave/kprop.c:635
+#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579
 msgid "signalled from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:416 ../../src/slave/kprop.c:637
+#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581
 #, c-format
 msgid "Error text from server: %s\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:450
+#: ../../src/slave/kprop.c:410
 #, c-format
 msgid "allocating database file name '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:455
+#: ../../src/slave/kprop.c:416
 #, c-format
 msgid "while trying to open %s"
 msgstr ""
 
-#: ../../src/slave/kprop.c:463
+#: ../../src/slave/kprop.c:423
 msgid "database locked"
 msgstr ""
 
-#: ../../src/slave/kprop.c:466 ../../src/slave/kpropd.c:525
+#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525
 #, c-format
 msgid "while trying to lock '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:470 ../../src/slave/kprop.c:478
+#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438
 #, c-format
 msgid "while trying to stat %s"
 msgstr ""
 
-#: ../../src/slave/kprop.c:474
+#: ../../src/slave/kprop.c:434
 msgid "while trying to malloc data_ok_fn"
 msgstr ""
 
-#: ../../src/slave/kprop.c:483
+#: ../../src/slave/kprop.c:443
 #, c-format
 msgid "'%s' more recent than '%s'."
 msgstr ""
 
-#: ../../src/slave/kprop.c:500
+#: ../../src/slave/kprop.c:459
 #, c-format
 msgid "while unlocking database '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:544 ../../src/slave/kprop.c:545
+#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493
 msgid "while encoding database size"
 msgstr ""
 
-#: ../../src/slave/kprop.c:553
+#: ../../src/slave/kprop.c:501
 msgid "while sending database size"
 msgstr ""
 
-#: ../../src/slave/kprop.c:564
+#: ../../src/slave/kprop.c:511
 msgid "while allocating i_vector"
 msgstr ""
 
-#: ../../src/slave/kprop.c:590
+#: ../../src/slave/kprop.c:534
 #, c-format
 msgid "while sending database block starting at %d"
 msgstr ""
 
-#: ../../src/slave/kprop.c:600
+#: ../../src/slave/kprop.c:544
 msgid "Premature EOF found for database file!"
 msgstr ""
 
-#: ../../src/slave/kprop.c:612
+#: ../../src/slave/kprop.c:557
 msgid "while reading response from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:623
+#: ../../src/slave/kprop.c:568
 msgid "while decoding error response from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:656
+#: ../../src/slave/kprop.c:599
 #, c-format
 msgid "Kpropd sent database size %d, expecting %d"
 msgstr ""
 
-#: ../../src/slave/kprop.c:710
+#: ../../src/slave/kprop.c:643
 msgid "while allocating filename for update_last_prop_file"
 msgstr ""
 
-#: ../../src/slave/kprop.c:714
+#: ../../src/slave/kprop.c:648
 #, c-format
 msgid "while creating 'last_prop' file, '%s'"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:169
+#: ../../src/slave/kpropd.c:170
 #, c-format
 msgid ""
 "\n"
 "Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:171
+#: ../../src/slave/kpropd.c:172
 #, c-format
 msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:172
+#: ../../src/slave/kpropd.c:173
 #, c-format
 msgid "\t[-x db_args]* [-P port] [-a acl_file]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:211
+#: ../../src/slave/kpropd.c:174
+#, c-format
+msgid "\t[-A admin_server]\n"
+msgstr ""
+
+#: ../../src/slave/kpropd.c:215
 #, c-format
 msgid "Killing fullprop child (%d)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:242
+#: ../../src/slave/kpropd.c:244
 msgid "while checking if stdin is a socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:260
+#: ../../src/slave/kpropd.c:262
 #, c-format
 msgid "ready\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:270
+#: ../../src/slave/kpropd.c:272
 #, c-format
 msgid "Could not open /dev/null: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:277
+#: ../../src/slave/kpropd.c:279
 #, c-format
 msgid "Could not dup the inetd socket: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:312 ../../src/slave/kpropd.c:325
+#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327
 msgid "do_iprop failed.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:365
+#: ../../src/slave/kpropd.c:366
 #, c-format
 msgid "getaddrinfo: %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:371
+#: ../../src/slave/kpropd.c:372
 msgid "while obtaining socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:377
+#: ../../src/slave/kpropd.c:378
 msgid "while setting SO_REUSEADDR option"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:385
+#: ../../src/slave/kpropd.c:386
 msgid "while unsetting IPV6_V6ONLY option"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:389
+#: ../../src/slave/kpropd.c:391
 msgid "while binding listener socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:400
+#: ../../src/slave/kpropd.c:402
 #, c-format
 msgid "waiting for a kprop connection\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:407
+#: ../../src/slave/kpropd.c:408
 msgid "while accepting connection"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:413
+#: ../../src/slave/kpropd.c:414
 msgid "while forking"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:428
+#: ../../src/slave/kpropd.c:429
 #, c-format
 msgid "waitpid() failed to wait for doit() (%d %s)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:432
+#: ../../src/slave/kpropd.c:433
 msgid "while waiting to receive database"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:436
+#: ../../src/slave/kpropd.c:437
 #, c-format
 msgid "Database load process for full propagation completed.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:470
+#: ../../src/slave/kpropd.c:471
 #, c-format
 msgid ""
 "%s: Standard input does not appear to be a network socket.\n"
 "\t(Not run from inetd, and missing the -S option?)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:484
+#: ../../src/slave/kpropd.c:485
 msgid "while attempting setsockopt (SO_KEEPALIVE)"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:489
+#: ../../src/slave/kpropd.c:490
 #, c-format
 msgid "Connection from %s"
 msgstr ""
@@ -5866,344 +5842,344 @@ msgstr ""
 msgid "while trying to close database file"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:637
+#: ../../src/slave/kpropd.c:624
 #, c-format
 msgid "Incremental propagation enabled\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:652
+#: ../../src/slave/kpropd.c:634
 msgid "Unable to get default realm"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:665
+#: ../../src/slave/kpropd.c:647
 #, c-format
 msgid "%s: unable to get kiprop host based service name for realm %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:686
+#: ../../src/slave/kpropd.c:658
 msgid "while trying to construct host service principal"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:700
+#: ../../src/slave/kpropd.c:672
 msgid "while determining local service principal name"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:719
+#: ../../src/slave/kpropd.c:692
 #, c-format
 msgid "Initializing kadm5 as client %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:733
+#: ../../src/slave/kpropd.c:706
 #, c-format
 msgid "kadm5 initialization failed!\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:742
+#: ../../src/slave/kpropd.c:715
 msgid "while attempting to connect to master KDC ... retrying"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:746
+#: ../../src/slave/kpropd.c:719
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:762
+#: ../../src/slave/kpropd.c:735
 #, c-format
 msgid "while initializing %s interface, retrying"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:766
+#: ../../src/slave/kpropd.c:739
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:776
+#: ../../src/slave/kpropd.c:749
 #, c-format
 msgid "kadm5 initialization succeeded\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:806
+#: ../../src/slave/kpropd.c:771
+msgid "reading update log header"
+msgstr ""
+
+#: ../../src/slave/kpropd.c:782
 #, c-format
-msgid "Calling iprop_get_updates_1()\n"
+msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:811
+#: ../../src/slave/kpropd.c:792
 msgid "iprop_get_updates call failed"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:817
+#: ../../src/slave/kpropd.c:798
 #, c-format
 msgid "Reinitializing iprop because get updates failed\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:838
+#: ../../src/slave/kpropd.c:819
 #, c-format
 msgid "Still waiting for full resync\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:843
+#: ../../src/slave/kpropd.c:824
 #, c-format
 msgid "Full resync needed\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:844
+#: ../../src/slave/kpropd.c:825
 msgid "kpropd: Full resync needed."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:850
+#: ../../src/slave/kpropd.c:830
 msgid "iprop_full_resync call failed"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:863
+#: ../../src/slave/kpropd.c:841
 #, c-format
 msgid "Full resync request granted\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:864
+#: ../../src/slave/kpropd.c:842
 msgid "Full resync request granted."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:873
+#: ../../src/slave/kpropd.c:851
 #, c-format
 msgid "Exponential backoff\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:879
+#: ../../src/slave/kpropd.c:857
 #, c-format
 msgid "Full resync permission denied\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:880
+#: ../../src/slave/kpropd.c:858
 msgid "Full resync, permission denied."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:885
+#: ../../src/slave/kpropd.c:863
 #, c-format
 msgid "Full resync error from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:886
+#: ../../src/slave/kpropd.c:864
 msgid " Full resync, error returned from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:894
+#: ../../src/slave/kpropd.c:872
 #, c-format
 msgid "Full resync invalid result from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:896
+#: ../../src/slave/kpropd.c:874
 msgid "Full resync, invalid return from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:913
+#: ../../src/slave/kpropd.c:890
 #, c-format
-msgid "Got incremental updates from the master\n"
+msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:922
+#: ../../src/slave/kpropd.c:902
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:925
+#: ../../src/slave/kpropd.c:905
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:934
+#: ../../src/slave/kpropd.c:914
 #, c-format
 msgid "Incremental updates: %d updates / %lu us"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:937
+#: ../../src/slave/kpropd.c:917
 #, c-format
 msgid "Incremental updates: %d updates / %lu us\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:945
+#: ../../src/slave/kpropd.c:925
 #, c-format
 msgid "get_updates permission denied\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:946
+#: ../../src/slave/kpropd.c:926
 msgid "get_updates, permission denied."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:951
+#: ../../src/slave/kpropd.c:931
 #, c-format
 msgid "get_updates error from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:952
+#: ../../src/slave/kpropd.c:932
 msgid "get_updates, error returned from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:960
+#: ../../src/slave/kpropd.c:940
 #, c-format
 msgid "get_updates master busy; backoff\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:969
+#: ../../src/slave/kpropd.c:949
 #, c-format
 msgid "KDC is synchronized with master.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:977
+#: ../../src/slave/kpropd.c:957
 #, c-format
 msgid "get_updates invalid result from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:978
+#: ../../src/slave/kpropd.c:958
 msgid "get_updates, invalid return from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:993
+#: ../../src/slave/kpropd.c:973
 #, c-format
 msgid "Busy signal received from master, backoff for %d secs\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1000
+#: ../../src/slave/kpropd.c:980
 #, c-format
 msgid "Waiting for %d seconds before checking for updates again\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1011
+#: ../../src/slave/kpropd.c:991
 #, c-format
 msgid "ERROR returned by master, bailing\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1012
+#: ../../src/slave/kpropd.c:992
 msgid "ERROR returned by master KDC, bailing.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1019
-msgid "while closing default ccache"
-msgstr ""
-
-#: ../../src/slave/kpropd.c:1186
+#: ../../src/slave/kpropd.c:1134
 msgid "copying db args"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1221
+#: ../../src/slave/kpropd.c:1161
 msgid "while trying to construct my service name"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1228
+#: ../../src/slave/kpropd.c:1167
 msgid "while constructing my service realm"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1237
+#: ../../src/slave/kpropd.c:1175
 msgid "while allocating filename for temp file"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1243
+#: ../../src/slave/kpropd.c:1181
 msgid "while initializing"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1252
+#: ../../src/slave/kpropd.c:1189
 msgid "Unable to map log!\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1308
+#: ../../src/slave/kpropd.c:1235
 #, c-format
 msgid "Error in krb5_auth_con_ini: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1316
+#: ../../src/slave/kpropd.c:1243
 #, c-format
 msgid "Error in krb5_auth_con_setflags: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1324
+#: ../../src/slave/kpropd.c:1251
 #, c-format
 msgid "Error in krb5_auth_con_setaddrs: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1332
+#: ../../src/slave/kpropd.c:1259
 #, c-format
 msgid "Error in krb5_kt_resolve: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1341
+#: ../../src/slave/kpropd.c:1268
 #, c-format
 msgid "Error in krb5_recvauth: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1348
+#: ../../src/slave/kpropd.c:1275
 #, c-format
 msgid "Error in krb5_copy_prinicpal: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1367
+#: ../../src/slave/kpropd.c:1291
 msgid "while unparsing ticket etype"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1371
+#: ../../src/slave/kpropd.c:1295
 #, c-format
 msgid "authenticated client: %s (etype == %s)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1457
+#: ../../src/slave/kpropd.c:1374
 msgid "while reading size of database from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1468
+#: ../../src/slave/kpropd.c:1384
 msgid "while decoding database size from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1483
+#: ../../src/slave/kpropd.c:1397
 msgid "while initializing i_vector"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1488
+#: ../../src/slave/kpropd.c:1402
 #, c-format
 msgid "Full propagation transfer started.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1544
+#: ../../src/slave/kpropd.c:1455
 #, c-format
 msgid "Full propagation transfer finished.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1617
+#: ../../src/slave/kpropd.c:1516
 msgid "while decoding error packet from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1626
+#: ../../src/slave/kpropd.c:1525
 msgid "signaled from server"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1628
+#: ../../src/slave/kpropd.c:1527
 #, c-format
 msgid "Error text from client: %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1683
+#: ../../src/slave/kpropd.c:1576
 #, c-format
 msgid "while trying to fork %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1687
+#: ../../src/slave/kpropd.c:1580
 #, c-format
 msgid "while trying to exec %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1694
+#: ../../src/slave/kpropd.c:1587
 #, c-format
 msgid "while waiting for %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1700
+#: ../../src/slave/kpropd.c:1593
 #, c-format
 msgid "%s load terminated"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1706
+#: ../../src/slave/kpropd.c:1599
 #, c-format
 msgid "%s returned a bad exit status (%d)"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:33
+#: ../../src/slave/kproplog.c:27
 #, c-format
 msgid ""
 "\n"
@@ -6212,343 +6188,350 @@ msgid ""
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:144
+#: ../../src/slave/kproplog.c:129
 #, c-format
 msgid ""
 "\n"
 "Couldn't allocate memory"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:267
+#: ../../src/slave/kproplog.c:223
 #, c-format
 msgid "\t\tAttribute flags\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:273
+#: ../../src/slave/kproplog.c:228
 #, c-format
 msgid "\t\tMaximum ticket life\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:279
+#: ../../src/slave/kproplog.c:233
 #, c-format
 msgid "\t\tMaximum renewable life\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:285
+#: ../../src/slave/kproplog.c:238
 #, c-format
 msgid "\t\tPrincipal expiration\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:291
+#: ../../src/slave/kproplog.c:243
 #, c-format
 msgid "\t\tPassword expiration\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:297
+#: ../../src/slave/kproplog.c:248
 #, c-format
 msgid "\t\tLast successful auth\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:303
+#: ../../src/slave/kproplog.c:253
 #, c-format
 msgid "\t\tLast failed auth\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:309
+#: ../../src/slave/kproplog.c:258
 #, c-format
 msgid "\t\tFailed passwd attempt\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:316
+#: ../../src/slave/kproplog.c:263
 #, c-format
 msgid "\t\tPrincipal\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:322
+#: ../../src/slave/kproplog.c:268
 #, c-format
 msgid "\t\tKey data\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:330
+#: ../../src/slave/kproplog.c:275
 #, c-format
 msgid "\t\tTL data\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:338
+#: ../../src/slave/kproplog.c:282
 #, c-format
 msgid "\t\tLength\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:345
+#: ../../src/slave/kproplog.c:287
 #, c-format
 msgid "\t\tPassword last changed\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:351
+#: ../../src/slave/kproplog.c:292
 #, c-format
 msgid "\t\tModifying principal\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:357
+#: ../../src/slave/kproplog.c:297
 #, c-format
 msgid "\t\tModification time\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:363
+#: ../../src/slave/kproplog.c:302
 #, c-format
 msgid "\t\tModified where\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:370
+#: ../../src/slave/kproplog.c:307
 #, c-format
 msgid "\t\tPassword policy\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:377
+#: ../../src/slave/kproplog.c:312
 #, c-format
 msgid "\t\tPassword policy switch\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:384
+#: ../../src/slave/kproplog.c:317
 #, c-format
 msgid "\t\tPassword history KVNO\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:391
+#: ../../src/slave/kproplog.c:322
 #, c-format
 msgid "\t\tPassword history\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:427
+#: ../../src/slave/kproplog.c:356
 #, c-format
 msgid ""
 "Corrupt update entry\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:435
+#: ../../src/slave/kproplog.c:364
 #, c-format
 msgid ""
 "Entry data decode failure\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:440
+#: ../../src/slave/kproplog.c:369
 #, c-format
 msgid "Update Entry\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:442
+#: ../../src/slave/kproplog.c:371
 #, c-format
 msgid "\tUpdate serial # : %u\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:445
+#: ../../src/slave/kproplog.c:373
 #, c-format
 msgid "\tUpdate operation : "
 msgstr ""
 
-#: ../../src/slave/kproplog.c:447
+#: ../../src/slave/kproplog.c:375
 #, c-format
 msgid "Delete\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:449
+#: ../../src/slave/kproplog.c:377
 #, c-format
 msgid "Add\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:453
+#: ../../src/slave/kproplog.c:381
 #, c-format
 msgid ""
 "Could not allocate principal name\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:460
+#: ../../src/slave/kproplog.c:387
 #, c-format
 msgid "\tUpdate principal : %s\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:462
+#: ../../src/slave/kproplog.c:389
 #, c-format
 msgid "\tUpdate size : %u\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:465
+#: ../../src/slave/kproplog.c:390
 #, c-format
 msgid "\tUpdate committed : %s\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:469
+#: ../../src/slave/kproplog.c:394
 #, c-format
 msgid "\tUpdate time stamp : None\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:471
+#: ../../src/slave/kproplog.c:396
 #, c-format
 msgid "\tUpdate time stamp : %s"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:474
+#: ../../src/slave/kproplog.c:400
 #, c-format
 msgid "\tAttributes changed : %d\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:532
+#: ../../src/slave/kproplog.c:465
 #, c-format
 msgid ""
 "Unable to initialize Kerberos\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:540
+#: ../../src/slave/kproplog.c:472
 #, c-format
 msgid ""
 "Couldn't read database_name\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:544
+#: ../../src/slave/kproplog.c:476
 #, c-format
 msgid ""
 "\n"
 "Kerberos update log (%s)\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:549 ../../src/slave/kproplog.c:558
+#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495
 #, c-format
 msgid ""
 "Unable to map log file %s\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:565
+#: ../../src/slave/kproplog.c:485
 #, c-format
 msgid ""
-"Corrupt header log, exiting\n"
+"Couldn't reinitialize ulog file %s\n"
 "\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:571
+#: ../../src/slave/kproplog.c:489
 #, c-format
 msgid "Reinitialized the ulog.\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:575
+#: ../../src/slave/kproplog.c:501
+#, c-format
+msgid ""
+"Corrupt header log, exiting\n"
+"\n"
+msgstr ""
+
+#: ../../src/slave/kproplog.c:505
 #, c-format
 msgid "Update log dump :\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:576
+#: ../../src/slave/kproplog.c:506
 #, c-format
 msgid "\tLog version # : %u\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:577
+#: ../../src/slave/kproplog.c:507
 #, c-format
 msgid "\tLog state : "
 msgstr ""
 
-#: ../../src/slave/kproplog.c:580
+#: ../../src/slave/kproplog.c:510
 #, c-format
 msgid "Stable\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:583
+#: ../../src/slave/kproplog.c:513
 #, c-format
 msgid "Unstable\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:586
+#: ../../src/slave/kproplog.c:516
 #, c-format
 msgid "Corrupt\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:589
+#: ../../src/slave/kproplog.c:519
 #, c-format
 msgid "Unknown state: %d\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:593
+#: ../../src/slave/kproplog.c:522
 #, c-format
 msgid "\tEntry block size : %u\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:594
+#: ../../src/slave/kproplog.c:523
 #, c-format
 msgid "\tNumber of entries : %u\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:597
+#: ../../src/slave/kproplog.c:526
 #, c-format
 msgid "\tLast serial # : None\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:600
+#: ../../src/slave/kproplog.c:529
 #, c-format
 msgid "\tFirst serial # : None\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:602
+#: ../../src/slave/kproplog.c:531
 #, c-format
 msgid "\tFirst serial # : "
 msgstr ""
 
-#: ../../src/slave/kproplog.c:606
+#: ../../src/slave/kproplog.c:535
 #, c-format
 msgid "\tLast serial # : "
 msgstr ""
 
-#: ../../src/slave/kproplog.c:611
+#: ../../src/slave/kproplog.c:540
 #, c-format
 msgid "\tLast time stamp : None\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:614
+#: ../../src/slave/kproplog.c:543
 #, c-format
 msgid "\tFirst time stamp : None\n"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:616
+#: ../../src/slave/kproplog.c:545
 #, c-format
 msgid "\tFirst time stamp : %s"
 msgstr ""
 
-#: ../../src/slave/kproplog.c:620
+#: ../../src/slave/kproplog.c:549
 #, c-format
 msgid "\tLast time stamp : %s\n"
 msgstr ""
 
-#: ../../src/util/support/errors.c:112
+#: ../../src/util/support/errors.c:77
 msgid "Kerberos library initialization failure"
 msgstr ""
 
-#: ../../src/util/support/errors.c:130
+#: ../../src/util/support/errors.c:93
 #, c-format
 msgid "error %ld"
 msgstr ""
 
-#: ../../src/util/support/plugins.c:177
+#: ../../src/util/support/plugins.c:186
 #, c-format
 msgid "unable to find plugin [%s]: %s"
 msgstr ""
 
-#: ../../src/util/support/plugins.c:270
+#: ../../src/util/support/plugins.c:274
 msgid "unknown failure"
 msgstr ""
 
-#: ../../src/util/support/plugins.c:273
+#: ../../src/util/support/plugins.c:277
 #, c-format
 msgid "unable to load plugin [%s]: %s"
 msgstr ""
 
-#: ../../src/util/support/plugins.c:296
+#: ../../src/util/support/plugins.c:300
 #, c-format
 msgid "unable to load DLL [%s]"
 msgstr ""
 
-#: ../../src/util/support/plugins.c:312
+#: ../../src/util/support/plugins.c:316
 #, c-format
 msgid "plugin unavailable: %s"
 msgstr ""
@@ -7108,6 +7091,22 @@ msgstr ""
 msgid "Invalid UID in persistent keyring name"
 msgstr ""
 
+#: ../lib/krb5/error_tables/k5e1_err.c:31
+msgid "Malformed reply from KCM daemon"
+msgstr ""
+
+#: ../lib/krb5/error_tables/k5e1_err.c:32
+msgid "Mach RPC error communicating with KCM daemon"
+msgstr ""
+
+#: ../lib/krb5/error_tables/k5e1_err.c:33
+msgid "KCM daemon reply too big"
+msgstr ""
+
+#: ../lib/krb5/error_tables/k5e1_err.c:34
+msgid "No KCM server found"
+msgstr ""
+
 #: ../lib/krb5/error_tables/krb5_err.c:24
 msgid "Client's entry in database has expired"
 msgstr ""

diff --git a/src/util/support/deps b/src/util/support/deps
index 82a2b4e572c6f52a697fa33be89cc009f611ee5c..c43d256dfde6a384319526c27d8a66dbae2d5446 100644 (file)
--- a/src/util/support/deps
+++ b/src/util/support/deps
@@ -71,9 +71,10 @@ path.so path.po $(OUTPRE)path.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 base64.so base64.po $(OUTPRE)base64.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h base64.c
-json.so json.po $(OUTPRE)json.$(OBJEXT): $(top_srcdir)/include/k5-base64.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-json.h \
-  json.c
+json.so json.po $(OUTPRE)json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-thread.h json.c
 bcmp.so bcmp.po $(OUTPRE)bcmp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
   bcmp.c