Import MIT KRB5 1.15.1, which will gracefully replace KTH Heimdal.vendor/krb5/1.15.1

The tarball used in this import is the same tarball used in
ports/krb5-115 r435378.

Obtained from:	http://web.mit.edu/kerberos/dist/
Thanks to:	pfg (for all your tireless behind-the-scenes effort)

1891 files changed, 240811 insertions, 0 deletions

diff --git a/doc/html/.buildinfo b/doc/html/.buildinfo
new file mode 100644
index 000000000000..27fb025a8f84
--- /dev/null
+++ b/doc/html/.buildinfo
@@ -0,0 +1,4 @@
+# Sphinx build info version 1
+# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
+config: fc62d372e8a29aeabe3fddbba35feb54
+tags: 645f666f9bcd5a90fca523b33c5a78b7
diff --git a/doc/html/_sources/about.txt b/doc/html/_sources/about.txt
new file mode 100644
index 000000000000..904f612bf34b
--- /dev/null
+++ b/doc/html/_sources/about.txt
@@ -0,0 +1,35 @@
+Contributing to the MIT Kerberos Documentation
+==============================================
+
+We are looking for documentation writers and editors who could contribute
+towards improving the MIT KC documentation content.  If you are an experienced
+Kerberos developer and/or administrator, please consider sharing your knowledge
+and experience with the Kerberos Community.  You can suggest your own topic or
+write about any of the topics listed
+`here <http://k5wiki.kerberos.org/wiki/Projects/Documentation_Tasks>`__.
+
+If you have any questions, comments, or suggestions on the existing documents,
+please send your feedback via email to krb5-bugs@mit.edu. The HTML version of
+this documentation has a "FEEDBACK" link to the krb5-bugs@mit.edu email
+address with a pre-constructed subject line.
+
+
+Background
+----------
+
+Starting with release 1.11, the Kerberos documentation set is
+unified in a central form.  Man pages, HTML documentation, and PDF
+documents are compiled from reStructuredText sources, and the application
+developer documentation incorporates Doxygen markup from the source
+tree.  This project was undertaken along the outline described
+`here <http://k5wiki.kerberos.org/wiki/Projects/Kerberos_Documentation>`__.
+
+Previous versions of Kerberos 5 attempted to maintain separate documentation
+in the texinfo format, with separate groff manual pages.  Having the API
+documentation disjoint from the source code implementing that API
+resulted in the documentation becoming stale, and over time the documentation
+ceased to match reality.  With a fresh start and a source format that is
+easier to use and maintain, reStructuredText-based documents should provide
+an improved experience for the user.  Consolidating all the documentation
+formats into a single source document makes the documentation set easier
+to maintain.
diff --git a/doc/html/_sources/admin/admin_commands/index.txt b/doc/html/_sources/admin/admin_commands/index.txt
new file mode 100644
index 000000000000..e8dc76524ed6
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/index.txt
@@ -0,0 +1,17 @@
+Administration  programs
+========================
+
+.. toctree::
+   :maxdepth: 1
+
+   kadmin_local.rst
+   kadmind.rst
+   kdb5_util.rst
+   kdb5_ldap_util.rst
+   krb5kdc.rst
+   kprop.rst
+   kpropd.rst
+   kproplog.rst
+   ktutil.rst
+   k5srvutil.rst
+   sserver.rst
diff --git a/doc/html/_sources/admin/admin_commands/k5srvutil.txt b/doc/html/_sources/admin/admin_commands/k5srvutil.txt
new file mode 100644
index 000000000000..b873d907774b
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/k5srvutil.txt
@@ -0,0 +1,62 @@
+.. _k5srvutil(1):
+
+k5srvutil
+=========
+
+SYNOPSIS
+--------
+
+**k5srvutil** *operation*
+[**-i**]
+[**-f** *filename*]
+[**-e** *keysalts*]
+
+DESCRIPTION
+-----------
+
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non-current keys from a keytab.
+
+*operation* must be one of the following:
+
+**list**
+    Lists the keys in a keytab, showing version number and principal
+    name.
+
+**change**
+    Uses the kadmin protocol to update the keys in the Kerberos
+    database to new randomly-generated keys, and updates the keys in
+    the keytab to match.  If a key's version number doesn't match the
+    version number stored in the Kerberos server's database, then the
+    operation will fail.  If the **-i** flag is given, k5srvutil will
+    prompt for confirmation before changing each key.  If the **-k**
+    option is given, the old and new keys will be displayed.
+    Ordinarily, keys will be generated with the default encryption
+    types and key salts.  This can be overridden with the **-e**
+    option.  Old keys are retained in the keytab so that existing
+    tickets continue to work, but **delold** should be used after
+    such tickets expire, to prevent attacks against the old keys.
+
+**delold**
+    Deletes keys that are not the most recent version from the keytab.
+    This operation should be used some time after a change operation
+    to remove old keys, after existing tickets issued for the service
+    have expired.  If the **-i** flag is given, then k5srvutil will
+    prompt for confirmation for each principal.
+
+**delete**
+    Deletes particular keys in the keytab, interactively prompting for
+    each key.
+
+In all cases, the default keytab is used unless this is overridden by
+the **-f** option.
+
+k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in
+place.
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`, :ref:`ktutil(1)`
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
new file mode 100644
index 000000000000..50c3b99ea428
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
@@ -0,0 +1,995 @@
+.. _kadmin(1):
+
+kadmin
+======
+
+SYNOPSIS
+--------
+
+.. _kadmin_synopsis:
+
+**kadmin**
+[**-O**\|\ **-N**]
+[**-r** *realm*]
+[**-p** *principal*]
+[**-q** *query*]
+[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
+[**-w** *password*]
+[**-s** *admin_server*\ [:*port*]]
+[command args...]
+
+**kadmin.local**
+[**-r** *realm*]
+[**-p** *principal*]
+[**-q** *query*]
+[**-d** *dbname*]
+[**-e** *enc*:*salt* ...]
+[**-m**]
+[**-x** *db_args*]
+[command args...]
+
+.. _kadmin_synopsis_end:
+
+
+DESCRIPTION
+-----------
+
+kadmin and kadmin.local are command-line interfaces to the Kerberos V5
+administration system.  They provide nearly identical functionalities;
+the difference is that kadmin.local directly accesses the KDC
+database, while kadmin performs operations using :ref:`kadmind(8)`.
+Except as explicitly noted otherwise, this man page will use "kadmin"
+to refer to both versions.  kadmin provides for the maintenance of
+Kerberos principals, password policies, and service key tables
+(keytabs).
+
+The remote kadmin client uses Kerberos to authenticate to kadmind
+using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is
+the fully-qualified hostname of the admin server) or ``kadmin/admin``.
+If the credentials cache contains a ticket for one of these
+principals, and the **-c** credentials_cache option is specified, that
+ticket is used to authenticate to kadmind.  Otherwise, the **-p** and
+**-k** options are used to specify the client Kerberos principal name
+used to authenticate.  Once kadmin has determined the principal name,
+it requests a service ticket from the KDC, and uses that service
+ticket to authenticate to kadmind.
+
+Since kadmin.local directly accesses the KDC database, it usually must
+be run directly on the master KDC with sufficient permissions to read
+the KDC database.  If the KDC database uses the LDAP database module,
+kadmin.local can be run on any host which can access the LDAP server.
+
+
+OPTIONS
+-------
+
+.. _kadmin_options:
+
+**-r** *realm*
+    Use *realm* as the default database realm.
+
+**-p** *principal*
+    Use *principal* to authenticate.  Otherwise, kadmin will append
+    ``/admin`` to the primary principal name of the default ccache,
+    the value of the **USER** environment variable, or the username as
+    obtained with getpwuid, in order of preference.
+
+**-k**
+    Use a keytab to decrypt the KDC response instead of prompting for
+    a password.  In this case, the default principal will be
+    ``host/hostname``.  If there is no keytab specified with the
+    **-t** option, then the default keytab will be used.
+
+**-t** *keytab*
+    Use *keytab* to decrypt the KDC response.  This can only be used
+    with the **-k** option.
+
+**-n**
+    Requests anonymous processing.  Two types of anonymous principals
+    are supported.  For fully anonymous Kerberos, configure PKINIT on
+    the KDC and configure **pkinit_anchors** in the client's
+    :ref:`krb5.conf(5)`.  Then use the **-n** option with a principal
+    of the form ``@REALM`` (an empty principal name followed by the
+    at-sign and a realm name).  If permitted by the KDC, an anonymous
+    ticket will be returned.  A second form of anonymous tickets is
+    supported; these realm-exposed tickets hide the identity of the
+    client but not the client's realm.  For this mode, use ``kinit
+    -n`` with a normal principal name.  If supported by the KDC, the
+    principal (but not realm) will be replaced by the anonymous
+    principal.  As of release 1.8, the MIT Kerberos KDC only supports
+    fully anonymous operation.
+
+**-c** *credentials_cache*
+    Use *credentials_cache* as the credentials cache.  The
+    cache should contain a service ticket for the ``kadmin/ADMINHOST``
+    (where *ADMINHOST* is the fully-qualified hostname of the admin
+    server) or ``kadmin/admin`` service; it can be acquired with the
+    :ref:`kinit(1)` program.  If this option is not specified, kadmin
+    requests a new service ticket from the KDC, and stores it in its
+    own temporary ccache.
+
+**-w** *password*
+    Use *password* instead of prompting for one.  Use this option with
+    care, as it may expose the password to other users on the system
+    via the process list.
+
+**-q** *query*
+    Perform the specified query and then exit.
+
+**-d** *dbname*
+    Specifies the name of the KDC database.  This option does not
+    apply to the LDAP database module.
+
+**-s** *admin_server*\ [:*port*]
+    Specifies the admin server which kadmin should contact.
+
+**-m**
+    If using kadmin.local, prompt for the database master password
+    instead of reading it from a stash file.
+
+**-e** "*enc*:*salt* ..."
+    Sets the keysalt list to be used for any new keys created.  See
+    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible
+    values.
+
+**-O**
+    Force use of old AUTH_GSSAPI authentication flavor.
+
+**-N**
+    Prevent fallback to AUTH_GSSAPI authentication flavor.
+
+**-x** *db_args*
+    Specifies the database specific arguments.  See the next section
+    for supported options.
+
+.. _kadmin_options_end:
+
+Starting with release 1.14, if any command-line arguments remain after
+the options, they will be treated as a single query to be executed.
+This mode of operation is intended for scripts and behaves differently
+from the interactive mode in several respects:
+
+* Query arguments are split by the shell, not by kadmin.
+* Informational and warning messages are suppressed.  Error messages
+  and query output (e.g. for **get_principal**) will still be
+  displayed.
+* Confirmation prompts are disabled (as if **-force** was given).
+  Password prompts will still be issued as required.
+* The exit status will be non-zero if the query fails.
+
+The **-q** option does not carry these behavior differences; the query
+will be processed as if it was entered interactively.  The **-q**
+option cannot be used in combination with a query in the remaining
+arguments.
+
+.. _dboptions:
+
+DATABASE OPTIONS
+----------------
+
+Database options can be used to override database-specific defaults.
+Supported options for the DB2 module are:
+
+    **-x dbname=**\ \*filename*
+        Specifies the base filename of the DB2 database.
+
+    **-x lockiter**
+        Make iteration operations hold the lock for the duration of
+        the entire operation, rather than temporarily releasing the
+        lock while handling each principal.  This is the default
+        behavior, but this option exists to allow command line
+        override of a [dbmodules] setting.  First introduced in
+        release 1.13.
+
+    **-x unlockiter**
+        Make iteration operations unlock the database for each
+        principal, instead of holding the lock for the duration of the
+        entire operation.  First introduced in release 1.13.
+
+Supported options for the LDAP module are:
+
+    **-x host=**\ *ldapuri*
+        Specifies the LDAP server to connect to by a LDAP URI.
+
+    **-x binddn=**\ *bind_dn*
+        Specifies the DN used to bind to the LDAP server.
+
+    **-x bindpwd=**\ *password*
+        Specifies the password or SASL secret used to bind to the LDAP
+        server.  Using this option may expose the password to other
+        users on the system via the process list; to avoid this,
+        instead stash the password using the **stashsrvpw** command of
+        :ref:`kdb5_ldap_util(8)`.
+
+    **-x sasl_mech=**\ *mechanism*
+        Specifies the SASL mechanism used to bind to the LDAP server.
+        The bind DN is ignored if a SASL mechanism is used.  New in
+        release 1.13.
+
+    **-x sasl_authcid=**\ *name*
+        Specifies the authentication name used when binding to the
+        LDAP server with a SASL mechanism, if the mechanism requires
+        one.  New in release 1.13.
+
+    **-x sasl_authzid=**\ *name*
+        Specifies the authorization name used when binding to the LDAP
+        server with a SASL mechanism.  New in release 1.13.
+
+    **-x sasl_realm=**\ *realm*
+        Specifies the realm used when binding to the LDAP server with
+        a SASL mechanism, if the mechanism uses one.  New in release
+        1.13.
+
+    **-x debug=**\ *level*
+        sets the OpenLDAP client library debug level.  *level* is an
+        integer to be interpreted by the library.  Debugging messages
+        are printed to standard error.  New in release 1.12.
+
+
+COMMANDS
+--------
+
+When using the remote client, available commands may be restricted
+according to the privileges specified in the :ref:`kadm5.acl(5)` file
+on the admin server.
+
+.. _add_principal:
+
+add_principal
+~~~~~~~~~~~~~
+
+    **add_principal** [*options*] *newprinc*
+
+Creates the principal *newprinc*, prompting twice for a password.  If
+no password policy is specified with the **-policy** option, and the
+policy named ``default`` is assigned to the principal if it exists.
+However, creating a policy named ``default`` will not automatically
+assign this policy to previously existing principals.  This policy
+assignment can be suppressed with the **-clearpolicy** option.
+
+This command requires the **add** privilege.
+
+Aliases: **addprinc**, **ank**
+
+Options:
+
+**-expire** *expdate*
+    (:ref:`getdate` string) The expiration date of the principal.
+
+**-pwexpire** *pwexpdate*
+    (:ref:`getdate` string) The password expiration date.
+
+**-maxlife** *maxlife*
+    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life
+    for the principal.
+
+**-maxrenewlife** *maxrenewlife*
+    (:ref:`duration` or :ref:`getdate` string) The maximum renewable
+    life of tickets for the principal.
+
+**-kvno** *kvno*
+    The initial key version number.
+
+**-policy** *policy*
+    The password policy used by this principal.  If not specified, the
+    policy ``default`` is used if it exists (unless **-clearpolicy**
+    is specified).
+
+**-clearpolicy**
+    Prevents any policy from being assigned when **-policy** is not
+    specified.
+
+{-\|+}\ **allow_postdated**
+    **-allow_postdated** prohibits this principal from obtaining
+    postdated tickets.  **+allow_postdated** clears this flag.
+
+{-\|+}\ **allow_forwardable**
+    **-allow_forwardable** prohibits this principal from obtaining
+    forwardable tickets.  **+allow_forwardable** clears this flag.
+
+{-\|+}\ **allow_renewable**
+    **-allow_renewable** prohibits this principal from obtaining
+    renewable tickets.  **+allow_renewable** clears this flag.
+
+{-\|+}\ **allow_proxiable**
+    **-allow_proxiable** prohibits this principal from obtaining
+    proxiable tickets.  **+allow_proxiable** clears this flag.
+
+{-\|+}\ **allow_dup_skey**
+    **-allow_dup_skey** disables user-to-user authentication for this
+    principal by prohibiting this principal from obtaining a session
+    key for another user.  **+allow_dup_skey** clears this flag.
+
+{-\|+}\ **requires_preauth**
+    **+requires_preauth** requires this principal to preauthenticate
+    before being allowed to kinit.  **-requires_preauth** clears this
+    flag.  When **+requires_preauth** is set on a service principal,
+    the KDC will only issue service tickets for that service principal
+    if the client's initial authentication was performed using
+    preauthentication.
+
+{-\|+}\ **requires_hwauth**
+    **+requires_hwauth** requires this principal to preauthenticate
+    using a hardware device before being allowed to kinit.
+    **-requires_hwauth** clears this flag.  When **+requires_hwauth** is
+    set on a service principal, the KDC will only issue service tickets
+    for that service principal if the client's initial authentication was
+    performed using a hardware device to preauthenticate.
+
+{-\|+}\ **ok_as_delegate**
+    **+ok_as_delegate** sets the **okay as delegate** flag on tickets
+    issued with this principal as the service.  Clients may use this
+    flag as a hint that credentials should be delegated when
+    authenticating to the service.  **-ok_as_delegate** clears this
+    flag.
+
+{-\|+}\ **allow_svr**
+    **-allow_svr** prohibits the issuance of service tickets for this
+    principal.  **+allow_svr** clears this flag.
+
+{-\|+}\ **allow_tgs_req**
+    **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
+    request for a service ticket for this principal is not permitted.
+    **+allow_tgs_req** clears this flag.
+
+{-\|+}\ **allow_tix**
+    **-allow_tix** forbids the issuance of any tickets for this
+    principal.  **+allow_tix** clears this flag.
+
+{-\|+}\ **needchange**
+    **+needchange** forces a password change on the next initial
+    authentication to this principal.  **-needchange** clears this
+    flag.
+
+{-\|+}\ **password_changing_service**
+    **+password_changing_service** marks this principal as a password
+    change service principal.
+
+{-\|+}\ **ok_to_auth_as_delegate**
+    **+ok_to_auth_as_delegate** allows this principal to acquire
+    forwardable tickets to itself from arbitrary users, for use with
+    constrained delegation.
+
+{-\|+}\ **no_auth_data_required**
+    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
+    being added to service tickets for the principal.
+
+{-\|+}\ **lockdown_keys**
+    **+lockdown_keys** prevents keys for this principal from leaving
+    the KDC via kadmind.  The chpass and extract operations are denied
+    for a principal with this attribute.  The chrand operation is
+    allowed, but will not return the new keys.  The delete and rename
+    operations are also denied if this attribute is set, in order to
+    prevent a malicious administrator from replacing principals like
+    krbtgt/* or kadmin/* with new principals without the attribute.
+    This attribute can be set via the network protocol, but can only
+    be removed using kadmin.local.
+
+**-randkey**
+    Sets the key of the principal to a random value.
+
+**-nokey**
+    Causes the principal to be created with no key.  New in release
+    1.12.
+
+**-pw** *password*
+    Sets the password of the principal to the specified string and
+    does not prompt for a password.  Note: using this option in a
+    shell script may expose the password to other users on the system
+    via the process list.
+
+**-e** *enc*:*salt*,...
+    Uses the specified keysalt list for setting the keys of the
+    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+    list of possible values.
+
+**-x** *db_princ_args*
+    Indicates database-specific options.  The options for the LDAP
+    database module are:
+
+    **-x dn=**\ *dn*
+        Specifies the LDAP object that will contain the Kerberos
+        principal being created.
+
+    **-x linkdn=**\ *dn*
+        Specifies the LDAP object to which the newly created Kerberos
+        principal object will point.
+
+    **-x containerdn=**\ *container_dn*
+        Specifies the container object under which the Kerberos
+        principal is to be created.
+
+    **-x tktpolicy=**\ *policy*
+        Associates a ticket policy to the Kerberos principal.
+
+    .. note::
+
+        - The **containerdn** and **linkdn** options cannot be
+          specified with the **dn** option.
+        - If the *dn* or *containerdn* options are not specified while
+          adding the principal, the principals are created under the
+          principal container configured in the realm or the realm
+          container.
+        - *dn* and *containerdn* should be within the subtrees or
+          principal container configured in the realm.
+
+Example::
+
+    kadmin: addprinc jennifer
+    WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
+    defaulting to no policy.
+    Enter password for principal jennifer@ATHENA.MIT.EDU:
+    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
+    Principal "jennifer@ATHENA.MIT.EDU" created.
+    kadmin:
+
+.. _add_principal_end:
+
+.. _modify_principal:
+
+modify_principal
+~~~~~~~~~~~~~~~~
+
+    **modify_principal** [*options*] *principal*
+
+Modifies the specified principal, changing the fields as specified.
+The options to **add_principal** also apply to this command, except
+for the **-randkey**, **-pw**, and **-e** options.  In addition, the
+option **-clearpolicy** will clear the current policy of a principal.
+
+This command requires the *modify* privilege.
+
+Alias: **modprinc**
+
+Options (in addition to the **addprinc** options):
+
+**-unlock**
+    Unlocks a locked principal (one which has received too many failed
+    authentication attempts without enough time between them according
+    to its password policy) so that it can successfully authenticate.
+
+.. _modify_principal_end:
+
+.. _rename_principal:
+
+rename_principal
+~~~~~~~~~~~~~~~~
+
+    **rename_principal** [**-force**] *old_principal* *new_principal*
+
+Renames the specified *old_principal* to *new_principal*.  This
+command prompts for confirmation, unless the **-force** option is
+given.
+
+This command requires the **add** and **delete** privileges.
+
+Alias: **renprinc**
+
+.. _rename_principal_end:
+
+.. _delete_principal:
+
+delete_principal
+~~~~~~~~~~~~~~~~
+
+    **delete_principal** [**-force**] *principal*
+
+Deletes the specified *principal* from the database.  This command
+prompts for deletion, unless the **-force** option is given.
+
+This command requires the **delete** privilege.
+
+Alias: **delprinc**
+
+.. _delete_principal_end:
+
+.. _change_password:
+
+change_password
+~~~~~~~~~~~~~~~
+
+    **change_password** [*options*] *principal*
+
+Changes the password of *principal*.  Prompts for a new password if
+neither **-randkey** or **-pw** is specified.
+
+This command requires the **changepw** privilege, or that the
+principal running the program is the same as the principal being
+changed.
+
+Alias: **cpw**
+
+The following options are available:
+
+**-randkey**
+    Sets the key of the principal to a random value.
+
+**-pw** *password*
+    Set the password to the specified string.  Using this option in a
+    script may expose the password to other users on the system via
+    the process list.
+
+**-e** *enc*:*salt*,...
+    Uses the specified keysalt list for setting the keys of the
+    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+    list of possible values.
+
+**-keepold**
+    Keeps the existing keys in the database.  This flag is usually not
+    necessary except perhaps for ``krbtgt`` principals.
+
+Example::
+
+    kadmin: cpw systest
+    Enter password for principal systest@BLEEP.COM:
+    Re-enter password for principal systest@BLEEP.COM:
+    Password for systest@BLEEP.COM changed.
+    kadmin:
+
+.. _change_password_end:
+
+.. _purgekeys:
+
+purgekeys
+~~~~~~~~~
+
+    **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*
+
+Purges previously retained old keys (e.g., from **change_password
+-keepold**) from *principal*.  If **-keepkvno** is specified, then
+only purges keys with kvnos lower than *oldest_kvno_to_keep*.  If
+**-all** is specified, then all keys are purged.  The **-all** option
+is new in release 1.12.
+
+This command requires the **modify** privilege.
+
+.. _purgekeys_end:
+
+.. _get_principal:
+
+get_principal
+~~~~~~~~~~~~~
+
+    **get_principal** [**-terse**] *principal*
+
+Gets the attributes of principal.  With the **-terse** option, outputs
+fields as quoted tab-separated strings.
+
+This command requires the **inquire** privilege, or that the principal
+running the the program to be the same as the one being listed.
+
+Alias: **getprinc**
+
+Examples::
+
+    kadmin: getprinc tlyu/admin
+    Principal: tlyu/admin@BLEEP.COM
+    Expiration date: [never]
+    Last password change: Mon Aug 12 14:16:47 EDT 1996
+    Password expiration date: [none]
+    Maximum ticket life: 0 days 10:00:00
+    Maximum renewable life: 7 days 00:00:00
+    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+    Last successful authentication: [never]
+    Last failed authentication: [never]
+    Failed password attempts: 0
+    Number of keys: 2
+    Key: vno 1, des-cbc-crc
+    Key: vno 1, des-cbc-crc:v4
+    Attributes:
+    Policy: [none]
+
+    kadmin: getprinc -terse systest
+    systest@BLEEP.COM   3    86400     604800    1
+    785926535 753241234 785900000
+    tlyu/admin@BLEEP.COM     786100034 0    0
+    kadmin:
+
+.. _get_principal_end:
+
+.. _list_principals:
+
+list_principals
+~~~~~~~~~~~~~~~
+
+    **list_principals** [*expression*]
+
+Retrieves all or some principal names.  *expression* is a shell-style
+glob expression that can contain the wild-card characters ``?``,
+``*``, and ``[]``.  All principal names matching the expression are
+printed.  If no expression is provided, all principal names are
+printed.  If the expression does not contain an ``@`` character, an
+``@`` character followed by the local realm is appended to the
+expression.
+
+This command requires the **list** privilege.
+
+Alias: **listprincs**, **get_principals**, **get_princs**
+
+Example::
+
+    kadmin:  listprincs test*
+    test3@SECURE-TEST.OV.COM
+    test2@SECURE-TEST.OV.COM
+    test1@SECURE-TEST.OV.COM
+    testuser@SECURE-TEST.OV.COM
+    kadmin:
+
+.. _list_principals_end:
+
+.. _get_strings:
+
+get_strings
+~~~~~~~~~~~
+
+    **get_strings** *principal*
+
+Displays string attributes on *principal*.
+
+This command requires the **inquire** privilege.
+
+Alias: **getstr**
+
+.. _get_strings_end:
+
+.. _set_string:
+
+set_string
+~~~~~~~~~~
+
+    **set_string** *principal* *name* *value*
+
+Sets a string attribute on *principal*.  String attributes are used to
+supply per-principal configuration to the KDC and some KDC plugin
+modules.  The following string attribute names are recognized by the
+KDC:
+
+**require_auth**
+    Specifies an authentication indicator which is required to
+    authenticate to the principal as a service.  Multiple indicators
+    can be specified, separated by spaces; in this case any of the
+    specified indicators will be accepted.  (New in release 1.14.)
+
+**session_enctypes**
+    Specifies the encryption types supported for session keys when the
+    principal is authenticated to as a server.  See
+    :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
+    accepted values.
+
+**otp**
+    Enables One Time Passwords (OTP) preauthentication for a client
+    *principal*.  The *value* is a JSON string representing an array
+    of objects, each having optional ``type`` and ``username`` fields.
+
+This command requires the **modify** privilege.
+
+Alias: **setstr**
+
+Example::
+
+    set_string host/foo.mit.edu session_enctypes aes128-cts
+    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
+
+.. _set_string_end:
+
+.. _del_string:
+
+del_string
+~~~~~~~~~~
+
+    **del_string** *principal* *key*
+
+Deletes a string attribute from *principal*.
+
+This command requires the **delete** privilege.
+
+Alias: **delstr**
+
+.. _del_string_end:
+
+.. _add_policy:
+
+add_policy
+~~~~~~~~~~
+
+    **add_policy** [*options*] *policy*
+
+Adds a password policy named *policy* to the database.
+
+This command requires the **add** privilege.
+
+Alias: **addpol**
+
+The following options are available:
+
+**-maxlife** *time*
+    (:ref:`duration` or :ref:`getdate` string) Sets the maximum
+    lifetime of a password.
+
+**-minlife** *time*
+    (:ref:`duration` or :ref:`getdate` string) Sets the minimum
+    lifetime of a password.
+
+**-minlength** *length*
+    Sets the minimum length of a password.
+
+**-minclasses** *number*
+    Sets the minimum number of character classes required in a
+    password.  The five character classes are lower case, upper case,
+    numbers, punctuation, and whitespace/unprintable characters.
+
+**-history** *number*
+    Sets the number of past keys kept for a principal.  This option is
+    not supported with the LDAP KDC database module.
+
+.. _policy_maxfailure:
+
+**-maxfailure** *maxnumber*
+    Sets the number of authentication failures before the principal is
+    locked.  Authentication failures are only tracked for principals
+    which require preauthentication.  The counter of failed attempts
+    resets to 0 after a successful attempt to authenticate.  A
+    *maxnumber* value of 0 (the default) disables lockout.
+
+.. _policy_failurecountinterval:
+
+**-failurecountinterval** *failuretime*
+    (:ref:`duration` or :ref:`getdate` string) Sets the allowable time
+    between authentication failures.  If an authentication failure
+    happens after *failuretime* has elapsed since the previous
+    failure, the number of authentication failures is reset to 1.  A
+    *failuretime* value of 0 (the default) means forever.
+
+.. _policy_lockoutduration:
+
+**-lockoutduration** *lockouttime*
+    (:ref:`duration` or :ref:`getdate` string) Sets the duration for
+    which the principal is locked from authenticating if too many
+    authentication failures occur without the specified failure count
+    interval elapsing.  A duration of 0 (the default) means the
+    principal remains locked out until it is administratively unlocked
+    with ``modprinc -unlock``.
+
+**-allowedkeysalts**
+    Specifies the key/salt tuples supported for long-term keys when
+    setting or changing a principal's password/keys.  See
+    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
+    accepted values, but note that key/salt tuples must be separated
+    with commas (',') only.  To clear the allowed key/salt policy use
+    a value of '-'.
+
+Example::
+
+    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
+    kadmin:
+
+.. _add_policy_end:
+
+.. _modify_policy:
+
+modify_policy
+~~~~~~~~~~~~~
+
+    **modify_policy** [*options*] *policy*
+
+Modifies the password policy named *policy*.  Options are as described
+for **add_policy**.
+
+This command requires the **modify** privilege.
+
+Alias: **modpol**
+
+.. _modify_policy_end:
+
+.. _delete_policy:
+
+delete_policy
+~~~~~~~~~~~~~
+
+    **delete_policy** [**-force**] *policy*
+
+Deletes the password policy named *policy*.  Prompts for confirmation
+before deletion.  The command will fail if the policy is in use by any
+principals.
+
+This command requires the **delete** privilege.
+
+Alias: **delpol**
+
+Example::
+
+    kadmin: del_policy guests
+    Are you sure you want to delete the policy "guests"?
+    (yes/no): yes
+    kadmin:
+
+.. _delete_policy_end:
+
+.. _get_policy:
+
+get_policy
+~~~~~~~~~~
+
+    **get_policy** [ **-terse** ] *policy*
+
+Displays the values of the password policy named *policy*.  With the
+**-terse** flag, outputs the fields as quoted strings separated by
+tabs.
+
+This command requires the **inquire** privilege.
+
+Alias: getpol
+
+Examples::
+
+    kadmin: get_policy admin
+    Policy: admin
+    Maximum password life: 180 days 00:00:00
+    Minimum password life: 00:00:00
+    Minimum password length: 6
+    Minimum number of password character classes: 2
+    Number of old keys kept: 5
+    Reference count: 17
+
+    kadmin: get_policy -terse admin
+    admin     15552000  0    6    2    5    17
+    kadmin:
+
+The "Reference count" is the number of principals using that policy.
+With the LDAP KDC database module, the reference count field is not
+meaningful.
+
+.. _get_policy_end:
+
+.. _list_policies:
+
+list_policies
+~~~~~~~~~~~~~
+
+    **list_policies** [*expression*]
+
+Retrieves all or some policy names.  *expression* is a shell-style
+glob expression that can contain the wild-card characters ``?``,
+``*``, and ``[]``.  All policy names matching the expression are
+printed.  If no expression is provided, all existing policy names are
+printed.
+
+This command requires the **list** privilege.
+
+Aliases: **listpols**, **get_policies**, **getpols**.
+
+Examples::
+
+    kadmin:  listpols
+    test-pol
+    dict-only
+    once-a-min
+    test-pol-nopw
+
+    kadmin:  listpols t*
+    test-pol
+    test-pol-nopw
+    kadmin:
+
+.. _list_policies_end:
+
+.. _ktadd:
+
+ktadd
+~~~~~
+
+    | **ktadd** [options] *principal*
+    | **ktadd** [options] **-glob** *princ-exp*
+
+Adds a *principal*, or all principals matching *princ-exp*, to a
+keytab file.  Each principal's keys are randomized in the process.
+The rules for *princ-exp* are described in the **list_principals**
+command.
+
+This command requires the **inquire** and **changepw** privileges.
+With the **-glob** form, it also requires the **list** privilege.
+
+The options are:
+
+**-k[eytab]** *keytab*
+    Use *keytab* as the keytab file.  Otherwise, the default keytab is
+    used.
+
+**-e** *enc*:*salt*,...
+    Uses the specified keysalt list for setting the new keys of the
+    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+    list of possible values.
+
+**-q**
+    Display less verbose information.
+
+**-norandkey**
+    Do not randomize the keys. The keys and their version numbers stay
+    unchanged.  This option cannot be specified in combination with the
+    **-e** option.
+
+An entry for each of the principal's unique encryption types is added,
+ignoring multiple keys with the same encryption type but different
+salt types.
+
+Example::
+
+    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
+         encryption type aes256-cts-hmac-sha1-96 added to keytab
+         FILE:/tmp/foo-new-keytab
+    kadmin:
+
+.. _ktadd_end:
+
+.. _ktremove:
+
+ktremove
+~~~~~~~~
+
+    **ktremove** [options] *principal* [*kvno* | *all* | *old*]
+
+Removes entries for the specified *principal* from a keytab.  Requires
+no permissions, since this does not require database access.
+
+If the string "all" is specified, all entries for that principal are
+removed; if the string "old" is specified, all entries for that
+principal except those with the highest kvno are removed.  Otherwise,
+the value specified is parsed as an integer, and all entries whose
+kvno match that integer are removed.
+
+The options are:
+
+**-k[eytab]** *keytab*
+    Use *keytab* as the keytab file.  Otherwise, the default keytab is
+    used.
+
+**-q**
+    Display less verbose information.
+
+Example::
+
+    kadmin: ktremove kadmin/admin all
+    Entry for principal kadmin/admin with kvno 3 removed from keytab
+         FILE:/etc/krb5.keytab
+    kadmin:
+
+.. _ktremove_end:
+
+lock
+~~~~
+
+Lock database exclusively.  Use with extreme caution!  This command
+only works with the DB2 KDC database module.
+
+unlock
+~~~~~~
+
+Release the exclusive database lock.
+
+list_requests
+~~~~~~~~~~~~~
+
+Lists available for kadmin requests.
+
+Aliases: **lr**, **?**
+
+quit
+~~~~
+
+Exit program.  If the database was locked, the lock is released.
+
+Aliases: **exit**, **q**
+
+
+HISTORY
+-------
+
+The kadmin program was originally written by Tom Yu at MIT, as an
+interface to the OpenVision Kerberos administration program.
+
+
+SEE ALSO
+--------
+
+:ref:`kpasswd(1)`, :ref:`kadmind(8)`
diff --git a/doc/html/_sources/admin/admin_commands/kadmind.txt b/doc/html/_sources/admin/admin_commands/kadmind.txt
new file mode 100644
index 000000000000..f5b7733ea33d
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/kadmind.txt
@@ -0,0 +1,123 @@
+.. _kadmind(8):
+
+kadmind
+=======
+
+SYNOPSIS
+--------
+
+**kadmind**
+[**-x** *db_args*]
+[**-r** *realm*]
+[**-m**]
+[**-nofork**]
+[**-proponly**]
+[**-port** *port-number*]
+[**-P** *pid_file*]
+[**-p** *kdb5_util_path*]
+[**-K** *kprop_path*]
+[**-k** *kprop_port*]
+[**-F** *dump_file*]
+
+DESCRIPTION
+-----------
+
+kadmind starts the Kerberos administration server.  kadmind typically
+runs on the master Kerberos server, which stores the KDC database.  If
+the KDC database uses the LDAP module, the administration server and
+the KDC server need not run on the same machine.  kadmind accepts
+remote requests from programs such as :ref:`kadmin(1)` and
+:ref:`kpasswd(1)` to administer the information in these database.
+
+kadmind requires a number of configuration files to be set up in order
+for it to work:
+
+:ref:`kdc.conf(5)`
+    The KDC configuration file contains configuration information for
+    the KDC and admin servers.  kadmind uses settings in this file to
+    locate the Kerberos database, and is also affected by the
+    **acl_file**, **dict_file**, **kadmind_port**, and iprop-related
+    settings.
+
+:ref:`kadm5.acl(5)`
+    kadmind's ACL (access control list) tells it which principals are
+    allowed to perform administration actions.  The pathname to the
+    ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)`
+    variable; by default, it is |kdcdir|\ ``/kadm5.acl``.
+
+After the server begins running, it puts itself in the background and
+disassociates itself from its controlling terminal.
+
+kadmind can be configured for incremental database propagation.
+Incremental propagation allows slave KDC servers to receive principal
+and policy updates incrementally instead of receiving full dumps of
+the database.  This facility can be enabled in the :ref:`kdc.conf(5)`
+file with the **iprop_enable** option.  Incremental propagation
+requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
+master KDC's canonical host name, and REALM the realm name).  In
+release 1.13, this principal is automatically created and registered
+into the datebase.
+
+
+OPTIONS
+-------
+
+**-r** *realm*
+    specifies the realm that kadmind will serve; if it is not
+    specified, the default realm of the host is used.
+
+**-m**
+    causes the master database password to be fetched from the
+    keyboard (before the server puts itself in the background, if not
+    invoked with the **-nofork** option) rather than from a file on
+    disk.
+
+**-nofork**
+    causes the server to remain in the foreground and remain
+    associated to the terminal.  In normal operation, you should allow
+    the server to place itself in the background.
+
+**-proponly**
+    causes the server to only listen and respond to Kerberos slave
+    incremental propagation polling requests.  This option can be used
+    to set up a hierarchical propagation topology where a slave KDC
+    provides incremental updates to other Kerberos slaves.
+
+**-port** *port-number*
+    specifies the port on which the administration server listens for
+    connections.  The default port is determined by the
+    **kadmind_port** configuration variable in :ref:`kdc.conf(5)`.
+
+**-P** *pid_file*
+    specifies the file to which the PID of kadmind process should be
+    written after it starts up.  This file can be used to identify
+    whether kadmind is still running and to allow init scripts to stop
+    the correct process.
+
+**-p** *kdb5_util_path*
+    specifies the path to the kdb5_util command to use when dumping the
+    KDB in response to full resync requests when iprop is enabled.
+
+**-K** *kprop_path*
+    specifies the path to the kprop command to use to send full dumps
+    to slaves in response to full resync requests.
+
+**-k** *kprop_port*
+    specifies the port by which the kprop process that is spawned by kadmind
+    connects to the slave kpropd, in order to transfer the dump file during
+    an iprop full resync request.
+
+**-F** *dump_file*
+    specifies the file path to be used for dumping the KDB in response
+    to full resync requests when iprop is enabled.
+
+**-x** *db_args*
+    specifies database-specific arguments.  See :ref:`Database Options
+    <dboptions>` in :ref:`kadmin(1)` for supported arguments.
+
+
+SEE ALSO
+--------
+
+:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
+:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`
diff --git a/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt
new file mode 100644
index 000000000000..cbf313f55a66
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt
@@ -0,0 +1,462 @@
+.. _kdb5_ldap_util(8):
+
+kdb5_ldap_util
+===============
+
+SYNOPSIS
+--------
+
+.. _kdb5_ldap_util_synopsis:
+
+**kdb5_ldap_util**
+[**-D** *user_dn* [**-w** *passwd*]]
+[**-H** *ldapuri*]
+**command**
+[*command_options*]
+
+.. _kdb5_ldap_util_synopsis_end:
+
+
+DESCRIPTION
+-----------
+
+kdb5_ldap_util allows an administrator to manage realms, Kerberos
+services and ticket policies.
+
+
+COMMAND-LINE OPTIONS
+--------------------
+
+.. _kdb5_ldap_util_options:
+
+**-D** *user_dn*
+    Specifies the Distinguished Name (DN) of the user who has
+    sufficient rights to perform the operation on the LDAP server.
+
+**-w** *passwd*
+    Specifies the password of *user_dn*.  This option is not
+    recommended.
+
+**-H** *ldapuri*
+    Specifies the URI of the LDAP server.  It is recommended to use
+    ``ldapi://`` or ``ldaps://`` to connect to the LDAP server.
+
+.. _kdb5_ldap_util_options_end:
+
+
+COMMANDS
+--------
+
+create
+~~~~~~
+
+.. _kdb5_ldap_util_create:
+
+    **create**
+    [**-subtrees** *subtree_dn_list*]
+    [**-sscope** *search_scope*]
+    [**-containerref** *container_reference_dn*]
+    [**-k** *mkeytype*]
+    [**-kv** *mkeyVNO*]
+    [**-m|-P** *password*\|\ **-sf** *stashfilename*]
+    [**-s**]
+    [**-r** *realm*]
+    [**-maxtktlife** *max_ticket_life*]
+    [**-maxrenewlife** *max_renewable_ticket_life*]
+    [*ticket_flags*]
+
+Creates realm in directory. Options:
+
+**-subtrees** *subtree_dn_list*
+    Specifies the list of subtrees containing the principals of a
+    realm.  The list contains the DNs of the subtree objects separated
+    by colon (``:``).
+
+**-sscope** *search_scope*
+    Specifies the scope for searching the principals under the
+    subtree.  The possible values are 1 or one (one level), 2 or sub
+    (subtrees).
+
+**-containerref** *container_reference_dn*
+    Specifies the DN of the container object in which the principals
+    of a realm will be created.  If the container reference is not
+    configured for a realm, the principals will be created in the
+    realm container.
+
+**-k** *mkeytype*
+    Specifies the key type of the master key in the database.  The
+    default is given by the **master_key_type** variable in
+    :ref:`kdc.conf(5)`.
+
+**-kv** *mkeyVNO*
+    Specifies the version number of the master key in the database;
+    the default is 1.  Note that 0 is not allowed.
+
+**-m**
+    Specifies that the master database password should be read from
+    the TTY rather than fetched from a file on the disk.
+
+**-P** *password*
+    Specifies the master database password. This option is not
+    recommended.
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+**-sf** *stashfilename*
+    Specifies the stash file of the master database password.
+
+**-s**
+    Specifies that the stash file is to be created.
+
+**-maxtktlife** *max_ticket_life*
+    (:ref:`getdate` string) Specifies maximum ticket life for
+    principals in this realm.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+    (:ref:`getdate` string) Specifies maximum renewable life of
+    tickets for principals in this realm.
+
+*ticket_flags*
+    Specifies global ticket flags for the realm.  Allowable flags are
+    documented in the description of the **add_principal** command in
+    :ref:`kadmin(1)`.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
+    Password for "cn=admin,o=org":
+    Initializing database for realm 'ATHENA.MIT.EDU'
+    You will be prompted for the database Master Password.
+    It is important that you NOT FORGET this password.
+    Enter KDC database master key:
+    Re-enter KDC database master key to verify:
+
+.. _kdb5_ldap_util_create_end:
+
+modify
+~~~~~~
+
+.. _kdb5_ldap_util_modify:
+
+    **modify**
+    [**-subtrees** *subtree_dn_list*]
+    [**-sscope** *search_scope*]
+    [**-containerref** *container_reference_dn*]
+    [**-r** *realm*]
+    [**-maxtktlife** *max_ticket_life*]
+    [**-maxrenewlife** *max_renewable_ticket_life*]
+    [*ticket_flags*]
+
+Modifies the attributes of a realm.  Options:
+
+**-subtrees** *subtree_dn_list*
+    Specifies the list of subtrees containing the principals of a
+    realm.  The list contains the DNs of the subtree objects separated
+    by colon (``:``).  This list replaces the existing list.
+
+**-sscope** *search_scope*
+    Specifies the scope for searching the principals under the
+    subtrees.  The possible values are 1 or one (one level), 2 or sub
+    (subtrees).
+
+**-containerref** *container_reference_dn* Specifies the DN of the
+    container object in which the principals of a realm will be
+    created.
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+**-maxtktlife** *max_ticket_life*
+    (:ref:`getdate` string) Specifies maximum ticket life for
+    principals in this realm.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+    (:ref:`getdate` string) Specifies maximum renewable life of
+    tickets for principals in this realm.
+
+*ticket_flags*
+    Specifies global ticket flags for the realm.  Allowable flags are
+    documented in the description of the **add_principal** command in
+    :ref:`kadmin(1)`.
+
+Example::
+
+    shell% kdb5_ldap_util -D cn=admin,o=org -H
+        ldaps://ldap-server1.mit.edu modify +requires_preauth -r
+        ATHENA.MIT.EDU
+    Password for "cn=admin,o=org":
+    shell%
+
+.. _kdb5_ldap_util_modify_end:
+
+view
+~~~~
+
+.. _kdb5_ldap_util_view:
+
+    **view** [**-r** *realm*]
+
+Displays the attributes of a realm.  Options:
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        view -r ATHENA.MIT.EDU
+    Password for "cn=admin,o=org":
+    Realm Name: ATHENA.MIT.EDU
+    Subtree: ou=users,o=org
+    Subtree: ou=servers,o=org
+    SearchScope: ONE
+    Maximum ticket life: 0 days 01:00:00
+    Maximum renewable life: 0 days 10:00:00
+    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+
+.. _kdb5_ldap_util_view_end:
+
+destroy
+~~~~~~~
+
+.. _kdb5_ldap_util_destroy:
+
+    **destroy** [**-f**] [**-r** *realm*]
+
+Destroys an existing realm. Options:
+
+**-f**
+    If specified, will not prompt the user for confirmation.
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+Example::
+
+    shell% kdb5_ldap_util -D cn=admin,o=org -H
+        ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+    Password for "cn=admin,o=org":
+    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
+    (type 'yes' to confirm)? yes
+    OK, deleting database of 'ATHENA.MIT.EDU'...
+    shell%
+
+.. _kdb5_ldap_util_destroy_end:
+
+list
+~~~~
+
+.. _kdb5_ldap_util_list:
+
+    **list**
+
+Lists the name of realms.
+
+Example::
+
+    shell% kdb5_ldap_util -D cn=admin,o=org -H
+        ldaps://ldap-server1.mit.edu list
+    Password for "cn=admin,o=org":
+    ATHENA.MIT.EDU
+    OPENLDAP.MIT.EDU
+    MEDIA-LAB.MIT.EDU
+    shell%
+
+.. _kdb5_ldap_util_list_end:
+
+stashsrvpw
+~~~~~~~~~~
+
+.. _kdb5_ldap_util_stashsrvpw:
+
+    **stashsrvpw**
+    [**-f** *filename*]
+    *name*
+
+Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server.  Options:
+
+**-f** *filename*
+    Specifies the complete path of the service password file. By
+    default, ``/usr/local/var/service_passwd`` is used.
+
+*name*
+    Specifies the name of the object whose password is to be stored.
+    If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for
+    simple binding, this should be the distinguished name it will
+    use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn**
+    variable in :ref:`kdc.conf(5)`.  If the KDC or kadmind is
+    configured for SASL binding, this should be the authentication
+    name it will use as given by the **ldap_kdc_sasl_authcid** or
+    **ldap_kadmind_sasl_authcid** variable.
+
+Example::
+
+    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
+        cn=service-kdc,o=org
+    Password for "cn=service-kdc,o=org":
+    Re-enter password for "cn=service-kdc,o=org":
+
+.. _kdb5_ldap_util_stashsrvpw_end:
+
+create_policy
+~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_create_policy:
+
+    **create_policy**
+    [**-r** *realm*]
+    [**-maxtktlife** *max_ticket_life*]
+    [**-maxrenewlife** *max_renewable_ticket_life*]
+    [*ticket_flags*]
+    *policy_name*
+
+Creates a ticket policy in the directory.  Options:
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+**-maxtktlife** *max_ticket_life*
+    (:ref:`getdate` string) Specifies maximum ticket life for
+    principals.
+
+**-maxrenewlife** *max_renewable_ticket_life*
+    (:ref:`getdate` string) Specifies maximum renewable life of
+    tickets for principals.
+
+*ticket_flags*
+    Specifies the ticket flags.  If this option is not specified, by
+    default, no restriction will be set by the policy.  Allowable
+    flags are documented in the description of the **add_principal**
+    command in :ref:`kadmin(1)`.
+
+*policy_name*
+    Specifies the name of the ticket policy.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
+        -maxrenewlife "1 week" -allow_postdated +needchange
+        -allow_forwardable tktpolicy
+    Password for "cn=admin,o=org":
+
+.. _kdb5_ldap_util_create_policy_end:
+
+modify_policy
+~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_modify_policy:
+
+    **modify_policy**
+    [**-r** *realm*]
+    [**-maxtktlife** *max_ticket_life*]
+    [**-maxrenewlife** *max_renewable_ticket_life*]
+    [*ticket_flags*]
+    *policy_name*
+
+Modifies the attributes of a ticket policy.  Options are same as for
+**create_policy**.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H
+        ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
+        -maxtktlife "60 minutes" -maxrenewlife "10 hours"
+        +allow_postdated -requires_preauth tktpolicy
+    Password for "cn=admin,o=org":
+
+.. _kdb5_ldap_util_modify_policy_end:
+
+view_policy
+~~~~~~~~~~~
+
+.. _kdb5_ldap_util_view_policy:
+
+    **view_policy**
+    [**-r** *realm*]
+    *policy_name*
+
+Displays the attributes of a ticket policy.  Options:
+
+*policy_name*
+    Specifies the name of the ticket policy.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        view_policy -r ATHENA.MIT.EDU tktpolicy
+    Password for "cn=admin,o=org":
+    Ticket policy: tktpolicy
+    Maximum ticket life: 0 days 01:00:00
+    Maximum renewable life: 0 days 10:00:00
+    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+
+.. _kdb5_ldap_util_view_policy_end:
+
+destroy_policy
+~~~~~~~~~~~~~~
+
+.. _kdb5_ldap_util_destroy_policy:
+
+    **destroy_policy**
+    [**-r** *realm*]
+    [**-force**]
+    *policy_name*
+
+Destroys an existing ticket policy.  Options:
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+**-force**
+    Forces the deletion of the policy object.  If not specified, the
+    user will be prompted for confirmation before deleting the policy.
+
+*policy_name*
+    Specifies the name of the ticket policy.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        destroy_policy -r ATHENA.MIT.EDU tktpolicy
+    Password for "cn=admin,o=org":
+    This will delete the policy object 'tktpolicy', are you sure?
+    (type 'yes' to confirm)? yes
+    ** policy object 'tktpolicy' deleted.
+
+.. _kdb5_ldap_util_destroy_policy_end:
+
+list_policy
+~~~~~~~~~~~
+
+.. _kdb5_ldap_util_list_policy:
+
+    **list_policy**
+    [**-r** *realm*]
+
+Lists the ticket policies in realm if specified or in the default
+realm.  Options:
+
+**-r** *realm*
+    Specifies the Kerberos realm of the database.
+
+Example::
+
+    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+        list_policy -r ATHENA.MIT.EDU
+    Password for "cn=admin,o=org":
+    tktpolicy
+    tmppolicy
+    userpolicy
+
+.. _kdb5_ldap_util_list_policy_end:
+
+
+SEE ALSO
+--------
+
+:ref:`kadmin(1)`
diff --git a/doc/html/_sources/admin/admin_commands/kdb5_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_util.txt
new file mode 100644
index 000000000000..258498f0d6ef
--- /dev/null
+++ b/doc/html/_sources/admin/admin_commands/kdb5_util.txt
@@ -0,0 +1,497 @@
+.. _kdb5_util(8):
+
+kdb5_util
+=========
+
+SYNOPSIS
+--------
+
+.. _kdb5_util_synopsis:
+
+**kdb5_util**
+[**-r** *realm*]
+[**-d** *dbname*]
+[**-k** *mkeytype*]
+[**-M** *mkeyname*]
+[**-kv** *mkeyVNO*]
+[**-sf** *stashfilename*]
+[**-m**]
+*command* [*command_options*]
+
+.. _kdb5_util_synopsis_end:
+
+DESCRIPTION
+-----------
+
+kdb5_util allows an administrator to perform maintenance procedures on
+the KDC database.  Databases can be created, destroyed, and dumped to
+or loaded from ASCII files.  kdb5_util can create a Kerberos master
+key stash file or perform live rollover of the master key.
+
+When kdb5_util is run, it attempts to acquire the master key and open
+the database.  However, execution continues regardless of whether or
+not kdb5_util successfully opens the database, because the database
+may not exist yet or the stash file may be corrupt.
+
+Note that some KDC database modules may not support all kdb5_util
+commands.
+
+
+COMMAND-LINE OPTIONS
+--------------------
+
+.. _kdb5_util_options:
+
+**-r** *realm*
+    specifies the Kerberos realm of the database.
+
+**-d** *dbname*
+    specifies the name under which the principal database is stored;
+    by default the database is that listed in :ref:`kdc.conf(5)`.  The
+    password policy database and lock files are also derived from this
+    value.
+
+**-k** *mkeytype*
+    specifies the key type of the master key in the database.  The
+    default is given by the **master_key_type** variable in
+    :ref:`kdc.conf(5)`.
+
+**-kv** *mkeyVNO*
+    Specifies the version number of the master key in the database;
+    the default is 1.  Note that 0 is not allowed.
+
+**-M** *mkeyname*
+    principal name for the master key in the database.  If not
+    specified, the name is determined by the **master_key_name**
+    variable in :ref:`kdc.conf(5)`.
+
+**-m**
+    specifies that the master database password should be read from
+    the keyboard rather than fetched from a file on disk.
+
+**-sf** *stash_file*
+    specifies the stash filename of the master database password.  If
+    not specified, the filename is determined by the
+    **key_stash_file** variable in :ref:`kdc.conf(5)`.
+
+**-P** *password*
+    specifies the master database password.  Using this option may
+    expose the password to other users on the system via the process
+    list.
+
+.. _kdb5_util_options_end:
+
+
+COMMANDS
+--------
+
+create
+~~~~~~
+
+.. _kdb5_util_create:
+
+    **create** [**-s**]
+
+Creates a new database.  If the **-s** option is specified, the stash
+file is also created.  This command fails if the database already
+exists.  If the command is successful, the database is opened just as
+if it had already existed when the program was first run.
+
+.. _kdb5_util_create_end:
+
+destroy
+~~~~~~~
+
+.. _kdb5_util_destroy:
+
+    **destroy** [**-f**]
+
+Destroys the database, first overwriting the disk sectors and then
+unlinking the files, after prompting the user for confirmation.  With
+the **-f** argument, does not prompt the user.
+
+.. _kdb5_util_destroy_end:
+
+stash
+~~~~~
+
+.. _kdb5_util_stash:
+
+    **stash** [**-f** *keyfile*]
+
+Stores the master principal's keys in a stash file.  The **-f**
+argument can be used to override the *keyfile* specified in
+:ref:`kdc.conf(5)`.
+
+.. _kdb5_util_stash_end:
+
+dump
+~~~~
+
+.. _kdb5_util_dump:
+
+    **dump** [**-b7**\|\ **-ov**\|\ **-r13**] [**-verbose**]
+    [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**]
+    [**-recurse**] [*filename* [*principals*...]]
+
+Dumps the current Kerberos and KADM5 database into an ASCII file.  By
+default, the database is dumped in current format, "kdb5_util
+load_dump version 7".  If filename is not specified, or is the string
+"-", the dump is sent to standard output.  Options:
+
+**-b7**
+    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
+    load_dump version 4").  This was the dump format produced on
+    releases prior to 1.2.2.
+
+**-ov**
+    causes the dump to be in "ovsec_adm_export" format.
+
+**-r13**
+    causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
+    load_dump version 5").  This was the dump format produced on
+    releases prior to 1.8.
+
+**-r18**
+    causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
+    load_dump version 6").  This was the dump format produced on
+    releases prior to 1.11.
+
+**-verbose**
+    causes the name of each principal and policy to be printed as it
+    is dumped.
+
+**-mkey_convert**
+    prompts for a new master key.  This new master key will be used to
+    re-encrypt principal key data in the dumpfile.  The principal keys
+    themselves will not be changed.
+
+**-new_mkey_file** *mkey_file*
+    the filename of a stash file.  The master key in this stash file
+    will be used to re-encrypt the key data in the dumpfile.  The key
+    data in the database will not be changed.
+
+**-rev**
+    dumps in reverse order.  This may recover principals that do not
+    dump normally, in cases where database corruption has occurred.
+
+**-recurse**
+    causes the dump to walk the database recursively (btree only).
+    This may recover principals that do not dump normally, in cases
+    where database corruption has occurred.  In cases of such
+    corruption, this option will probably retrieve more principals
+    than the **-rev** option will.
+
+    .. versionchanged:: 1.15
+        Release 1.15 restored the functionality of the **-recurse**
+        option.
+
+    .. versionchanged:: 1.5
+        The **-recurse** option ceased working until release 1.15,
+        doing a normal dump instead of a recursive traversal.
+
+.. _kdb5_util_dump_end:
+
+load
+~~~~
+
+.. _kdb5_util_load:
+
+    **load** [**-b7**\|\ **-ov**\|\ **-r13**] [**-hash**]
+    [**-verbose**] [**-update**] *filename* [*dbname*]
+
+Loads a database dump from the named file into the named database.  If
+no option is given to determine the format of the dump file, the
+format is detected automatically and handled as appropriate.  Unless
+the **-update** option is given, **load** creates a new database
+containing only the data in the dump file, overwriting the contents of
+any previously existing database.  Note that when using the LDAP KDC
+database module, the **-update** flag is required.
+
+Options:
+
+**-b7**
+    requires the database to be in the Kerberos 5 Beta 7 format
+    ("kdb5_util load_dump version 4").  This was the dump format
+    produced on releases prior to 1.2.2.
+
+**-ov**
+    requires the database to be in "ovsec_adm_import" format.  Must be
+    used with the **-update** option.
+
+**-r13**
+    requires the database to be in Kerberos 5 1.3 format ("kdb5_util
+    load_dump version 5").  This was the dump format produced on
+    releases prior to 1.8.
+
+**-r18**
+    requires the database to be in Kerberos 5 1.8 format ("kdb5_util
+    load_dump version 6").  This was the dump format produced on
+    releases prior to 1.11.
+
+**-hash**
+    requires the database to be stored as a hash.  If this option is
+    not specified, the database will be stored as a btree.  This
+    option is not recommended, as databases stored in hash format are
+    known to corrupt data and lose principals.
+
+**-verbose**
+    causes the name of each principal and policy to be printed as it
+    is dumped.
+
+**-update**
+    records from the dump file are added to or updated in the existing
+    database.  Otherwise, a new database is created containing only
+    what is in the dump file and the old one destroyed upon successful
+    completion.
+
+If specified, *dbname* overrides the value specified on the command
+line or the default.
+
+.. _kdb5_util_load_end:
+
+ark
+~~~
+
+    **ark** [**-e** *enc*:*salt*,...] *principal*
+
+Adds new random keys to *principal* at the next available key version
+number.  Keys for the current highest key version number will be
+preserved.  The **-e** option specifies the list of encryption and
+salt types to be used for the new keys.
+
+add_mkey
+~~~~~~~~
+
+    **add_mkey** [**-e** *etype*] [**-s**]
+
+Adds a new master key to the master key principal, but does not mark
+it as active.  Existing master keys will remain.  The **-e** option
+specifies the encryption type of the new master key; see
+:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible
+values.  The **-s** option stashes the new master key in the stash
+file, which will be created if it doesn't already exist.
+
+After a new master key is added, it should be propagated to slave
+servers via a manual or periodic invocation of :ref:`kprop(8)`.  Then,
+the stash files on the slave servers should be updated with the
+kdb5_util **stash** command.  Once those steps are complete, the key
+is ready to be marked active with the kdb5_util **use_mkey** command.
+
+use_mkey
+~~~~~~~~
+
+    **use_mkey** *mkeyVNO* [*time*]
+
+Sets the activation time of the master key specified by *mkeyVNO*.
+Once a master key becomes active, it will be used to encrypt newly
+created principal keys.  If no *time* argument is given, the current
+time is used, causing the specified master key version to become
+active immediately.  The format for *time* is :ref:`getdate` string.
+
+After a new master key becomes active, the kdb5_util
+**update_princ_encryption** command can be used to update all
+principal keys to be encrypted in the new master key.
+
+list_mkeys
+~~~~~~~~~~
+
+    **list_mkeys**
+
+List all master keys, from most recent to earliest, in the master key
+principal.  The output will show the kvno, enctype, and salt type for
+each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**.  A
+``*`` following an mkey denotes the currently active master key.
+
+purge_mkeys
+~~~~~~~~~~~
+
+    **purge_mkeys** [**-f**] [**-n**] [**-v**]
+
+Delete master keys from the master key principal that are not used to
+protect any principals.  This command can be used to remove old master
+keys all principal keys are protected by a newer master key.
+
+**-f**
+    does not prompt for confirmation.
+
+**-n**
+    performs a dry run, showing master keys that would be purged, but
+    not actually purging any keys.
+
+**-v**
+    gives more verbose output.
+
+update_princ_encryption
+~~~~~~~~~~~~~~~~~~~~~~~
+
+    **update_princ_encryption** [**-f**] [**-n**] [**-v**]
+    [*princ-pattern*]
+
+Update all principal records (or only those matching the
+*princ-pattern* glob pattern) to re-encrypt the key data using the
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
+updated.  If the **-f** option is not given, ask for confirmation
+before starting to make changes.  The **-v** option causes each
+principal processed to be listed, with an indication as to whether it
+needed updating or not.  The **-n** option performs a dry run, only
+showing the actions which would have been taken.
+
+tabdump
+~~~~~~~
+
+    **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*]
+    *dumptype*
+
+Dump selected fields of the database in a tabular format suitable for
+reporting (e.g., using traditional Unix text processing tools) or
+im