authorCy Schubert <cy@FreeBSD.org>2017-07-07 17:03:42 +0000
committerCy Schubert <cy@FreeBSD.org>2017-07-07 17:03:42 +0000
commit33a9b234e7087f573ef08cd7318c6497ba08b439 (patch)
treed0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/admin
Diffstat (limited to 'doc/html/admin')
-rw-r--r--doc/html/admin/admin_commands/index.html185
-rw-r--r--doc/html/admin/admin_commands/k5srvutil.html224
-rw-r--r--doc/html/admin/admin_commands/kadmin_local.html982
-rw-r--r--doc/html/admin/admin_commands/kadmind.html277
-rw-r--r--doc/html/admin/admin_commands/kdb5_ldap_util.html560
-rw-r--r--doc/html/admin/admin_commands/kdb5_util.html615
-rw-r--r--doc/html/admin/admin_commands/kprop.html223
-rw-r--r--doc/html/admin/admin_commands/kpropd.html286
-rw-r--r--doc/html/admin/admin_commands/kproplog.html249
-rw-r--r--doc/html/admin/admin_commands/krb5kdc.html277
-rw-r--r--doc/html/admin/admin_commands/ktutil.html292
-rw-r--r--doc/html/admin/admin_commands/sserver.html270
-rw-r--r--doc/html/admin/advanced/index.html167
-rw-r--r--doc/html/admin/advanced/ldapbackend.html304
-rw-r--r--doc/html/admin/advanced/retiring-des.html550
-rw-r--r--doc/html/admin/appl_servers.html356
-rw-r--r--doc/html/admin/auth_indicator.html206
-rw-r--r--doc/html/admin/backup_host.html191
-rw-r--r--doc/html/admin/conf_files/index.html183
-rw-r--r--doc/html/admin/conf_files/kadm5_acl.html333
-rw-r--r--doc/html/admin/conf_files/kdc_conf.html1069
-rw-r--r--doc/html/admin/conf_files/krb5_conf.html1299
-rw-r--r--doc/html/admin/conf_ldap.html328
-rw-r--r--doc/html/admin/database.html1858
-rw-r--r--doc/html/admin/enctypes.html345
-rw-r--r--doc/html/admin/env_variables.html192
-rw-r--r--doc/html/admin/host_config.html366
-rw-r--r--doc/html/admin/https.html200
-rw-r--r--doc/html/admin/index.html187
-rw-r--r--doc/html/admin/install.html202
-rw-r--r--doc/html/admin/install_appl_srv.html235
-rw-r--r--doc/html/admin/install_clients.html212
-rw-r--r--doc/html/admin/install_kdc.html655
-rw-r--r--doc/html/admin/lockout.html300
-rw-r--r--doc/html/admin/otp.html248
-rw-r--r--doc/html/admin/pkinit.html447
-rw-r--r--doc/html/admin/princ_dns.html262
-rw-r--r--doc/html/admin/realm_config.html399
-rw-r--r--doc/html/admin/troubleshoot.html273
-rw-r--r--doc/html/admin/various_envs.html189
40 files changed, 15996 insertions, 0 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
new file mode 100644
index 000000000000..aeab6f19fdba
--- /dev/null
+++ b/doc/html/admin/admin_commands/index.html
@@ -0,0 +1,185 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Administration programs &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="For administrators" href="../index.html" />
+ <link rel="next" title="kadmin" href="kadmin_local.html" />
+ <link rel="prev" title="Authentication indicators" href="../auth_indicator.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../auth_indicator.html" title="Authentication indicators"
+ accesskey="P">previous</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="administration-programs">
+<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l1"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l1"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l1"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l1"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Administration programs</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Administration programs</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../auth_indicator.html" title="Authentication indicators"
+ >previous</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
new file mode 100644
index 000000000000..6efa10e95cbe
--- /dev/null
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -0,0 +1,224 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>k5srvutil &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="sserver" href="sserver.html" />
+ <link rel="prev" title="ktutil" href="ktutil.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="ktutil.html" title="ktutil"
+ accesskey="P">previous</a> |
+ <a href="sserver.html" title="sserver"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="k5srvutil">
+<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>k5srvutil</strong> <em>operation</em>
+[<strong>-i</strong>]
+[<strong>-f</strong> <em>filename</em>]
+[<strong>-e</strong> <em>keysalts</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non-current keys from a keytab.</p>
+<p><em>operation</em> must be one of the following:</p>
+<dl class="docutils">
+<dt><strong>list</strong></dt>
+<dd>Lists the keys in a keytab, showing version number and principal
+name.</dd>
+<dt><strong>change</strong></dt>
+<dd>Uses the kadmin protocol to update the keys in the Kerberos
+database to new randomly-generated keys, and updates the keys in
+the keytab to match. If a key&#8217;s version number doesn&#8217;t match the
+version number stored in the Kerberos server&#8217;s database, then the
+operation will fail. If the <strong>-i</strong> flag is given, k5srvutil will
+prompt for confirmation before changing each key. If the <strong>-k</strong>
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts. This can be overridden with the <strong>-e</strong>
+option. Old keys are retained in the keytab so that existing
+tickets continue to work, but <strong>delold</strong> should be used after
+such tickets expire, to prevent attacks against the old keys.</dd>
+<dt><strong>delold</strong></dt>
+<dd>Deletes keys that are not the most recent version from the keytab.
+This operation should be used some time after a change operation
+to remove old keys, after existing tickets issued for the service
+have expired. If the <strong>-i</strong> flag is given, then k5srvutil will
+prompt for confirmation for each principal.</dd>
+<dt><strong>delete</strong></dt>
+<dd>Deletes particular keys in the keytab, interactively prompting for
+each key.</dd>
+</dl>
+<p>In all cases, the default keytab is used unless this is overridden by
+the <strong>-f</strong> option.</p>
+<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to edit the keytab in
+place.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><em>ktutil</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">k5srvutil</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="ktutil.html" title="ktutil"
+ >previous</a> |
+ <a href="sserver.html" title="sserver"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
new file mode 100644
index 000000000000..b1e796c3c214
--- /dev/null
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -0,0 +1,982 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadmin &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kadmind" href="kadmind.html" />
+ <link rel="prev" title="Administration programs" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="Administration programs"
+ accesskey="P">previous</a> |
+ <a href="kadmind.html" title="kadmind"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadmin">
+<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kadmin-synopsis"><strong>kadmin</strong>
+[<strong>-O</strong>|<strong>-N</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>]
+[<strong>-w</strong> <em>password</em>]
+[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]]
+[command args...]</p>
+<p><strong>kadmin.local</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...]
+[<strong>-m</strong>]
+[<strong>-x</strong> <em>db_args</em>]
+[command args...]</p>
+</div>
+<div class="section" id="description">
+<span id="kadmin-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5
+administration system. They provide nearly identical functionalities;
+the difference is that kadmin.local directly accesses the KDC
+database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a>.
+Except as explicitly noted otherwise, this man page will use &#8220;kadmin&#8221;
+to refer to both versions. kadmin provides for the maintenance of
+Kerberos principals, password policies, and service key tables
+(keytabs).</p>
+<p>The remote kadmin client uses Kerberos to authenticate to kadmind
+using the service principal <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> (where <em>ADMINHOST</em> is
+the fully-qualified hostname of the admin server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>.
+If the credentials cache contains a ticket for one of these
+principals, and the <strong>-c</strong> credentials_cache option is specified, that
+ticket is used to authenticate to kadmind. Otherwise, the <strong>-p</strong> and
+<strong>-k</strong> options are used to specify the client Kerberos principal name
+used to authenticate. Once kadmin has determined the principal name,
+it requests a service ticket from the KDC, and uses that service
+ticket to authenticate to kadmind.</p>
+<p>Since kadmin.local directly accesses the KDC database, it usually must
+be run directly on the master KDC with sufficient permissions to read
+the KDC database. If the KDC database uses the LDAP database module,
+kadmin.local can be run on any host which can access the LDAP server.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kadmin-options">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Use <em>realm</em> as the default database realm.</dd>
+<dt><strong>-p</strong> <em>principal</em></dt>
+<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append
+<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache,
+the value of the <strong>USER</strong> environment variable, or the username as
+obtained with getpwuid, in order of preference.</dd>
+<dt><strong>-k</strong></dt>
+<dd>Use a keytab to decrypt the KDC response instead of prompting for
+a password. In this case, the default principal will be
+<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the
+<strong>-t</strong> option, then the default keytab will be used.</dd>
+<dt><strong>-t</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used
+with the <strong>-k</strong> option.</dd>
+<dt><strong>-n</strong></dt>
+<dd>Requests anonymous processing. Two types of anonymous principals
+are supported. For fully anonymous Kerberos, configure PKINIT on
+the KDC and configure <strong>pkinit_anchors</strong> in the client&#8217;s
+<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal
+of the form <tt class="docutils literal"><span class="pre">&#64;REALM</span></tt> (an empty principal name followed by the
+at-sign and a realm name). If permitted by the KDC, an anonymous
+ticket will be returned. A second form of anonymous tickets is
+supported; these realm-exposed tickets hide the identity of the
+client but not the client&#8217;s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span>
+<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the
+principal (but not realm) will be replaced by the anonymous
+principal. As of release 1.8, the MIT Kerberos KDC only supports
+fully anonymous operation.</dd>
+<dt><strong>-c</strong> <em>credentials_cache</em></dt>
+<dd>Use <em>credentials_cache</em> as the credentials cache. The
+cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt>
+(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
+server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the
+<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin
+requests a new service ticket from the KDC, and stores it in its
+own temporary ccache.</dd>
+<dt><strong>-w</strong> <em>password</em></dt>
+<dd>Use <em>password</em> instead of prompting for one. Use this option with
+care, as it may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-q</strong> <em>query</em></dt>
+<dd>Perform the specified query and then exit.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>Specifies the name of the KDC database. This option does not
+apply to the LDAP database module.</dd>
+<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt>
+<dd>Specifies the admin server which kadmin should contact.</dd>
+<dt><strong>-m</strong></dt>
+<dd>If using kadmin.local, prompt for the database master password
+instead of reading it from a stash file.</dd>
+<dt><strong>-e</strong> &#8220;<em>enc</em>:<em>salt</em> ...&#8221;</dt>
+<dd>Sets the keysalt list to be used for any new keys created. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+values.</dd>
+<dt><strong>-O</strong></dt>
+<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-N</strong></dt>
+<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>Specifies the database specific arguments. See the next section
+for supported options.</dd>
+</dl>
+<p id="kadmin-options-end">Starting with release 1.14, if any command-line arguments remain after
+the options, they will be treated as a single query to be executed.
+This mode of operation is intended for scripts and behaves differently
+from the interactive mode in several respects:</p>
+<ul class="simple">
+<li>Query arguments are split by the shell, not by kadmin.</li>
+<li>Informational and warning messages are suppressed. Error messages
+and query output (e.g. for <strong>get_principal</strong>) will still be
+displayed.</li>
+<li>Confirmation prompts are disabled (as if <strong>-force</strong> was given).
+Password prompts will still be issued as required.</li>
+<li>The exit status will be non-zero if the query fails.</li>
+</ul>
+<p>The <strong>-q</strong> option does not carry these behavior differences; the query
+will be processed as if it was entered interactively. The <strong>-q</strong>
+option cannot be used in combination with a query in the remaining
+arguments.</p>
+</div>
+<div class="section" id="database-options">
+<span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Permalink to this headline">¶</a></h2>
+<p>Database options can be used to override database-specific defaults.
+Supported options for the DB2 module are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt><strong>-x dbname=</strong>*filename*</dt>
+<dd>Specifies the base filename of the DB2 database.</dd>
+<dt><strong>-x lockiter</strong></dt>
+<dd>Make iteration operations hold the lock for the duration of
+the entire operation, rather than temporarily releasing the
+lock while handling each principal. This is the default
+behavior, but this option exists to allow command line
+override of a [dbmodules] setting. First introduced in
+release 1.13.</dd>
+<dt><strong>-x unlockiter</strong></dt>
+<dd>Make iteration operations unlock the database for each
+principal, instead of holding the lock for the duration of the
+entire operation. First introduced in release 1.13.</dd>
+</dl>
+</div></blockquote>
+<p>Supported options for the LDAP module are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt><strong>-x host=</strong><em>ldapuri</em></dt>
+<dd>Specifies the LDAP server to connect to by a LDAP URI.</dd>
+<dt><strong>-x binddn=</strong><em>bind_dn</em></dt>
+<dd>Specifies the DN used to bind to the LDAP server.</dd>
+<dt><strong>-x bindpwd=</strong><em>password</em></dt>
+<dd>Specifies the password or SASL secret used to bind to the LDAP
+server. Using this option may expose the password to other
+users on the system via the process list; to avoid this,
+instead stash the password using the <strong>stashsrvpw</strong> command of
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>.</dd>
+<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt>
+<dd>Specifies the SASL mechanism used to bind to the LDAP server.
+The bind DN is ignored if a SASL mechanism is used. New in
+release 1.13.</dd>
+<dt><strong>-x sasl_authcid=</strong><em>name</em></dt>
+<dd>Specifies the authentication name used when binding to the
+LDAP server with a SASL mechanism, if the mechanism requires
+one. New in release 1.13.</dd>
+<dt><strong>-x sasl_authzid=</strong><em>name</em></dt>
+<dd>Specifies the authorization name used when binding to the LDAP
+server with a SASL mechanism. New in release 1.13.</dd>
+<dt><strong>-x sasl_realm=</strong><em>realm</em></dt>
+<dd>Specifies the realm used when binding to the LDAP server with
+a SASL mechanism, if the mechanism uses one. New in release
+1.13.</dd>
+<dt><strong>-x debug=</strong><em>level</em></dt>
+<dd>sets the OpenLDAP client library debug level. <em>level</em> is an
+integer to be interpreted by the library. Debugging messages
+are printed to standard error. New in release 1.12.</dd>
+</dl>
+</div></blockquote>
+</div>
+<div class="section" id="commands">
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<p>When using the remote client, available commands may be restricted
+according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file
+on the admin server.</p>
+<div class="section" id="add-principal">
+<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote>
+<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If
+no password policy is specified with the <strong>-policy</strong> option, and the
+policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists.
+However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically
+assign this policy to previously existing principals. This policy
+assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-expire</strong> <em>expdate</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd>
+<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd>
+<dt><strong>-maxlife</strong> <em>maxlife</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life
+for the principal.</dd>
+<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable
+life of tickets for the principal.</dd>
+<dt><strong>-kvno</strong> <em>kvno</em></dt>
+<dd>The initial key version number.</dd>
+<dt><strong>-policy</strong> <em>policy</em></dt>
+<dd>The password policy used by this principal. If not specified, the
+policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong>
+is specified).</dd>
+<dt><strong>-clearpolicy</strong></dt>
+<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not
+specified.</dd>
+<dt>{-|+}<strong>allow_postdated</strong></dt>
+<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining
+postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_forwardable</strong></dt>
+<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining
+forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_renewable</strong></dt>
+<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining
+renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_proxiable</strong></dt>
+<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining
+proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_dup_skey</strong></dt>
+<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this
+principal by prohibiting this principal from obtaining a session
+key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd>
+<dt>{-|+}<strong>requires_preauth</strong></dt>
+<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate
+before being allowed to kinit. <strong>-requires_preauth</strong> clears this
+flag. When <strong>+requires_preauth</strong> is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client&#8217;s initial authentication was performed using
+preauthentication.</dd>
+<dt>{-|+}<strong>requires_hwauth</strong></dt>
+<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate
+using a hardware device before being allowed to kinit.
+<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client&#8217;s initial authentication was
+performed using a hardware device to preauthenticate.</dd>
+<dt>{-|+}<strong>ok_as_delegate</strong></dt>
+<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets
+issued with this principal as the service. Clients may use this
+flag as a hint that credentials should be delegated when
+authenticating to the service. <strong>-ok_as_delegate</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>allow_svr</strong></dt>
+<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this
+principal. <strong>+allow_svr</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tgs_req</strong></dt>
+<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS)
+request for a service ticket for this principal is not permitted.
+<strong>+allow_tgs_req</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tix</strong></dt>
+<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this
+principal. <strong>+allow_tix</strong> clears this flag.</dd>
+<dt>{-|+}<strong>needchange</strong></dt>
+<dd><strong>+needchange</strong> forces a password change on the next initial
+authentication to this principal. <strong>-needchange</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>password_changing_service</strong></dt>
+<dd><strong>+password_changing_service</strong> marks this principal as a password
+change service principal.</dd>
+<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt>
+<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire
+forwardable tickets to itself from arbitrary users, for use with
+constrained delegation.</dd>
+<dt>{-|+}<strong>no_auth_data_required</strong></dt>
+<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from
+being added to service tickets for the principal.</dd>
+<dt>{-|+}<strong>lockdown_keys</strong></dt>
+<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving
+the KDC via kadmind. The chpass and extract operations are denied
+for a principal with this attribute. The chrand operation is
+allowed, but will not return the new keys. The delete and rename
+operations are also denied if this attribute is set, in order to
+prevent a malicious administrator from replacing principals like
+krbtgt/* or kadmin/* with new principals without the attribute.
+This attribute can be set via the network protocol, but can only
+be removed using kadmin.local.</dd>
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-nokey</strong></dt>
+<dd>Causes the principal to be created with no key. New in release
+1.12.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Sets the password of the principal to the specified string and
+does not prompt for a password. Note: using this option in a
+shell script may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-x</strong> <em>db_princ_args</em></dt>
+<dd><p class="first">Indicates database-specific options. The options for the LDAP
+database module are:</p>
+<dl class="docutils">
+<dt><strong>-x dn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object that will contain the Kerberos
+principal being created.</dd>
+<dt><strong>-x linkdn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object to which the newly created Kerberos
+principal object will point.</dd>
+<dt><strong>-x containerdn=</strong><em>container_dn</em></dt>
+<dd>Specifies the container object under which the Kerberos
+principal is to be created.</dd>
+<dt><strong>-x tktpolicy=</strong><em>policy</em></dt>
+<dd>Associates a ticket policy to the Kerberos principal.</dd>
+</dl>
+<div class="last admonition note">
+<p class="first admonition-title">Note</p>
+<ul class="last simple">
+<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be
+specified with the <strong>dn</strong> option.</li>
+<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while
+adding the principal, the principals are created under the
+principal container configured in the realm or the realm
+container.</li>
+<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or
+principal container configured in the realm.</li>
+</ul>
+</div>
+</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer
+WARNING: no policy specified for &quot;jennifer@ATHENA.MIT.EDU&quot;;
+defaulting to no policy.
+Enter password for principal jennifer@ATHENA.MIT.EDU:
+Re-enter password for principal jennifer@ATHENA.MIT.EDU:
+Principal &quot;jennifer@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-principal">
+<span id="add-principal-end"></span><span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Modifies the specified principal, changing the fields as specified.
+The options to <strong>add_principal</strong> also apply to this command, except
+for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the
+option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p>
+<p>This command requires the <em>modify</em> privilege.</p>
+<p>Alias: <strong>modprinc</strong></p>
+<p>Options (in addition to the <strong>addprinc</strong> options):</p>
+<dl class="docutils">
+<dt><strong>-unlock</strong></dt>
+<dd>Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according
+to its password policy) so that it can successfully authenticate.</dd>
+</dl>
+</div>
+<div class="section" id="rename-principal">
+<span id="modify-principal-end"></span><span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></div></blockquote>
+<p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. This
+command prompts for confirmation, unless the <strong>-force</strong> option is
+given.</p>
+<p>This command requires the <strong>add</strong> and <strong>delete</strong> privileges.</p>
+<p>Alias: <strong>renprinc</strong></p>
+</div>
+<div class="section" id="delete-principal">
+<span id="rename-principal-end"></span><span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote>
+<p>Deletes the specified <em>principal</em> from the database. This command
+prompts for deletion, unless the <strong>-force</strong> option is given.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delprinc</strong></p>
+</div>
+<div class="section" id="change-password">
+<span id="delete-principal-end"></span><span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Changes the password of <em>principal</em>. Prompts for a new password if
+neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p>
+<p>This command requires the <strong>changepw</strong> privilege, or that the
+principal running the program is the same as the principal being
+changed.</p>
+<p>Alias: <strong>cpw</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Set the password to the specified string. Using this option in a
+script may expose the password to other users on the system via
+the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-keepold</strong></dt>
+<dd>Keeps the existing keys in the database. This flag is usually not
+necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest
+Enter password for principal systest@BLEEP.COM:
+Re-enter password for principal systest@BLEEP.COM:
+Password for systest@BLEEP.COM changed.
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="purgekeys">
+<span id="change-password-end"></span><span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></div></blockquote>
+<p>Purges previously retained old keys (e.g., from <strong>change_password
+-keepold</strong>) from <em>principal</em>. If <strong>-keepkvno</strong> is specified, then
+only purges keys with kvnos lower than <em>oldest_kvno_to_keep</em>. If
+<strong>-all</strong> is specified, then all keys are purged. The <strong>-all</strong> option
+is new in release 1.12.</p>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+</div>
+<div class="section" id="get-principal">
+<span id="purgekeys-end"></span><span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote>
+<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
+fields as quoted tab-separated strings.</p>
+<p>This command requires the <strong>inquire</strong> privilege, or that the principal
+running the the program to be the same as the one being listed.</p>
+<p>Alias: <strong>getprinc</strong></p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin
+Principal: tlyu/admin@BLEEP.COM
+Expiration date: [never]
+Last password change: Mon Aug 12 14:16:47 EDT 1996
+Password expiration date: [none]
+Maximum ticket life: 0 days 10:00:00
+Maximum renewable life: 7 days 00:00:00
+Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+Last successful authentication: [never]
+Last failed authentication: [never]
+Failed password attempts: 0
+Number of keys: 2
+Key: vno 1, des-cbc-crc
+Key: vno 1, des-cbc-crc:v4
+Attributes:
+Policy: [none]
+
+kadmin: getprinc -terse systest
+systest@BLEEP.COM 3 86400 604800 1
+785926535 753241234 785900000
+tlyu/admin@BLEEP.COM 786100034 0 0
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-principals">
+<span id="get-principal-end"></span><span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some principal names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are
+printed. If no expression is provided, all principal names are
+printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">&#64;</span></tt> character, an
+<tt class="docutils literal"><span class="pre">&#64;</span></tt> character followed by the local realm is appended to the
+expression.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test*
+test3@SECURE-TEST.OV.COM
+test2@SECURE-TEST.OV.COM
+test1@SECURE-TEST.OV.COM
+testuser@SECURE-TEST.OV.COM
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="get-strings">
+<span id="list-principals-end"></span><span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_strings</strong> <em>principal</em></div></blockquote>
+<p>Displays string attributes on <em>principal</em>.</p>
+<p>This command requires the <strong>inquire</strong> privilege.</p>
+<p>Alias: <strong>getstr</strong></p>
+</div>
+<div class="section" id="set-string">
+<span id="get-strings-end"></span><span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></div></blockquote>
+<p>Sets a string attribute on <em>principal</em>. String attributes are used to
+supply per-principal configuration to the KDC and some KDC plugin
+modules. The following string attribute names are recognized by the
+KDC:</p>
+<dl class="docutils">
+<dt><strong>require_auth</strong></dt>
+<dd>Specifies an authentication indicator which is required to
+authenticate to the principal as a service. Multiple indicators
+can be specified, separated by spaces; in this case any of the
+specified indicators will be accepted. (New in release 1.14.)</dd>
+<dt><strong>session_enctypes</strong></dt>
+<dd>Specifies the encryption types supported for session keys when the
+principal is authenticated to as a server. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+accepted values.</dd>
+<dt><strong>otp</strong></dt>
+<dd>Enables One Time Passwords (OTP) preauthentication for a client
+<em>principal</em>. The <em>value</em> is a JSON string representing an array
+of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+</dl>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+<p>Alias: <strong>setstr</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>set_string host/foo.mit.edu session_enctypes aes128-cts
+set_string user@FOO.COM otp &quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hotp&quot;&quot;,&quot;&quot;username&quot;&quot;:&quot;&quot;al&quot;&quot;}]&quot;
+</pre></div>
+</div>
+</div>
+<div class="section" id="del-string">
+<span id="set-string-end"></span><span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>del_string</strong> <em>principal</em> <em>key</em></div></blockquote>
+<p>Deletes a string attribute from <em>principal</em>.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delstr</strong></p>
+</div>
+<div class="section" id="add-policy">
+<span id="del-string-end"></span><span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Adds a password policy named <em>policy</em> to the database.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Alias: <strong>addpol</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-maxlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum
+lifetime of a password.</dd>
+<dt><strong>-minlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum
+lifetime of a password.</dd>
+<dt><strong>-minlength</strong> <em>length</em></dt>
+<dd>Sets the minimum length of a password.</dd>
+<dt><strong>-minclasses</strong> <em>number</em></dt>
+<dd>Sets the minimum number of character classes required in a
+password. The five character classes are lower case, upper case,
+numbers, punctuation, and whitespace/unprintable characters.</dd>
+<dt><strong>-history</strong> <em>number</em></dt>
+<dd>Sets the number of past keys kept for a principal. This option is
+not supported with the LDAP KDC database module.</dd>
+</dl>
+<dl class="docutils" id="policy-maxfailure">
+<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt>
+<dd>Sets the number of authentication failures before the principal is
+locked. Authentication failures are only tracked for principals
+which require preauthentication. The counter of failed attempts
+resets to 0 after a successful attempt to authenticate. A
+<em>maxnumber</em> value of 0 (the default) disables lockout.</dd>
+</dl>
+<dl class="docutils" id="policy-failurecountinterval">
+<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time
+between authentication failures. If an authentication failure
+happens after <em>failuretime</em> has elapsed since the previous
+failure, the number of authentication failures is reset to 1. A
+<em>failuretime</em> value of 0 (the default) means forever.</dd>
+</dl>
+<dl class="docutils" id="policy-lockoutduration">
+<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing. A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd>
+<dt><strong>-allowedkeysalts</strong></dt>
+<dd>Specifies the key/salt tuples supported for long-term keys when
+setting or changing a principal&#8217;s password/keys. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (&#8216;,&#8217;) only. To clear the allowed key/salt policy use
+a value of &#8216;-&#8216;.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife &quot;2 days&quot; -minlength 5 guests
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-policy">
+<span id="add-policy-end"></span><span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Modifies the password policy named <em>policy</em>. Options are as described
+for <strong>add_policy</strong>.</p>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+<p>Alias: <strong>modpol</strong></p>
+</div>
+<div class="section" id="delete-policy">
+<span id="modify-policy-end"></span><span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote>
+<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation
+before deletion. The command will fail if the policy is in use by any
+principals.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delpol</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests
+Are you sure you want to delete the policy &quot;guests&quot;?
+(yes/no): yes
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="get-policy">
+<span id="delete-policy-end"></span><span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote>
+<p>Displays the values of the password policy named <em>policy</em>. With the
+<strong>-terse</strong> flag, outputs the fields as quoted strings separated by
+tabs.</p>
+<p>This command requires the <strong>inquire</strong> privilege.</p>
+<p>Alias: getpol</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin
+Policy: admin
+Maximum password life: 180 days 00:00:00
+Minimum password life: 00:00:00
+Minimum password length: 6
+Minimum number of password character classes: 2
+Number of old keys kept: 5
+Reference count: 17
+
+kadmin: get_policy -terse admin
+admin 15552000 0 6 2 5 17
+kadmin:
+</pre></div>
+</div>
+<p>The &#8220;Reference count&#8221; is the number of principals using that policy.
+With the LDAP KDC database module, the reference count field is not
+meaningful.</p>
+</div>
+<div class="section" id="list-policies">
+<span id="get-policy-end"></span><span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some policy names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are
+printed. If no expression is provided, all existing policy names are
+printed.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols
+test-pol
+dict-only
+once-a-min
+test-pol-nopw
+
+kadmin: listpols t*
+test-pol
+test-pol-nopw
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="ktadd">
+<span id="list-policies-end"></span><span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><div class="line-block">
+<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
+<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
+</div>
+</div></blockquote>
+<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
+keytab file. Each principal&#8217;s keys are randomized in the process.
+The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
+command.</p>
+<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
+With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the new keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+<dt><strong>-norandkey</strong></dt>
+<dd>Do not randomize the keys. The keys and their version numbers stay
+unchanged. This option cannot be specified in combination with the
+<strong>-e</strong> option.</dd>
+</dl>
+<p>An entry for each of the principal&#8217;s unique encryption types is added,
+ignoring multiple keys with the same encryption type but different
+salt types.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
+ encryption type aes256-cts-hmac-sha1-96 added to keytab
+ FILE:/tmp/foo-new-keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="ktremove">
+<span id="ktadd-end"></span><span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
+<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
+no permissions, since this does not require database access.</p>
+<p>If the string &#8220;all&#8221; is specified, all entries for that principal are
+removed; if the string &#8220;old&#8221; is specified, all entries for that
+principal except those with the highest kvno are removed. Otherwise,
+the value specified is parsed as an integer, and all entries whose
+kvno match that integer are removed.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all
+Entry for principal kadmin/admin with kvno 3 removed from keytab
+ FILE:/etc/krb5.keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="lock">
+<span id="ktremove-end"></span><h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3>
+<p>Lock database exclusively. Use with extreme caution! This command
+only works with the DB2 KDC database module.</p>
+</div>
+<div class="section" id="unlock">
+<h3>unlock<a class="headerlink" href="#unlock" title="Permalink to this headline">¶</a></h3>
+<p>Release the exclusive database lock.</p>
+</div>
+<div class="section" id="list-requests">
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<p>Lists available for kadmin requests.</p>
+<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
+</div>
+<div class="section" id="quit">
+<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<p>Exit program. If the database was locked, the lock is released.</p>
+<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
+</div>
+</div>
+<div class="section" id="history">
+<h2>HISTORY<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>
+<p>The kadmin program was originally written by Tom Yu at MIT, as an
+interface to the OpenVision Kerberos administration program.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadmin</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#database-options">DATABASE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#add-principal">add_principal</a></li>
+<li><a class="reference internal" href="#modify-principal">modify_principal</a></li>
+<li><a class="reference internal" href="#rename-principal">rename_principal</a></li>
+<li><a class="reference internal" href="#delete-principal">delete_principal</a></li>
+<li><a class="reference internal" href="#change-password">change_password</a></li>
+<li><a class="reference internal" href="#purgekeys">purgekeys</a></li>
+<li><a class="reference internal" href="#get-principal">get_principal</a></li>
+<li><a class="reference internal" href="#list-principals">list_principals</a></li>
+<li><a class="reference internal" href="#get-strings">get_strings</a></li>
+<li><a class="reference internal" href="#set-string">set_string</a></li>
+<li><a class="reference internal" href="#del-string">del_string</a></li>
+<li><a class="reference internal" href="#add-policy">add_policy</a></li>
+<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
+<li><a class="reference internal" href="#delete-policy">delete_policy</a></li>
+<li><a class="reference internal" href="#get-policy">get_policy</a></li>
+<li><a class="reference internal" href="#list-policies">list_policies</a></li>
+<li><a class="reference internal" href="#ktadd">ktadd</a></li>
+<li><a class="reference internal" href="#ktremove">ktremove</a></li>
+<li><a class="reference internal" href="#lock">lock</a></li>
+<li><a class="reference internal" href="#unlock">unlock</a></li>
+<li><a class="reference internal" href="#list-requests">list_requests</a></li>
+<li><a class="reference internal" href="#quit">quit</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#history">HISTORY</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="Administration programs"
+ >previous</a> |
+ <a href="kadmind.html" title="kadmind"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
new file mode 100644
index 000000000000..7cf3d38e7726
--- /dev/null
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -0,0 +1,277 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadmind &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kdb5_util" href="kdb5_util.html" />
+ <link rel="prev" title="kadmin" href="kadmin_local.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ accesskey="P">previous</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadmind">
+<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kadmind</strong>
+[<strong>-x</strong> <em>db_args</em>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-m</strong>]
+[<strong>-nofork</strong>]
+[<strong>-proponly</strong>]
+[<strong>-port</strong> <em>port-number</em>]
+[<strong>-P</strong> <em>pid_file</em>]
+[<strong>-p</strong> <em>kdb5_util_path</em>]
+[<strong>-K</strong> <em>kprop_path</em>]
+[<strong>-k</strong> <em>kprop_port</em>]
+[<strong>-F</strong> <em>dump_file</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kadmind starts the Kerberos administration server. kadmind typically
+runs on the master Kerberos server, which stores the KDC database. If
+the KDC database uses the LDAP module, the administration server and
+the KDC server need not run on the same machine. kadmind accepts
+remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> and
+<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> to administer the information in these database.</p>
+<p>kadmind requires a number of configuration files to be set up in order
+for it to work:</p>
+<dl class="docutils">
+<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a></dt>
+<dd>The KDC configuration file contains configuration information for
+the KDC and admin servers. kadmind uses settings in this file to
+locate the Kerberos database, and is also affected by the
+<strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related
+settings.</dd>
+<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></dt>
+<dd>kadmind&#8217;s ACL (access control list) tells it which principals are
+allowed to perform administration actions. The pathname to the
+ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</dd>
+</dl>
+<p>After the server begins running, it puts itself in the background and
+disassociates itself from its controlling terminal.</p>
+<p>kadmind can be configured for incremental database propagation.
+Incremental propagation allows slave KDC servers to receive principal
+and policy updates incrementally instead of receiving full dumps of
+the database. This facility can be enabled in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+file with the <strong>iprop_enable</strong> option. Incremental propagation
+requires the principal <tt class="docutils literal"><span class="pre">kiprop/MASTER\&#64;REALM</span></tt> (where MASTER is the
+master KDC&#8217;s canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>specifies the realm that kadmind will serve; if it is not
+specified, the default realm of the host is used.</dd>
+<dt><strong>-m</strong></dt>
+<dd>causes the master database password to be fetched from the
+keyboard (before the server puts itself in the background, if not
+invoked with the <strong>-nofork</strong> option) rather than from a file on
+disk.</dd>
+<dt><strong>-nofork</strong></dt>
+<dd>causes the server to remain in the foreground and remain
+associated to the terminal. In normal operation, you should allow
+the server to place itself in the background.</dd>
+<dt><strong>-proponly</strong></dt>
+<dd>causes the server to only listen and respond to Kerberos slave
+incremental propagation polling requests. This option can be used
+to set up a hierarchical propagation topology where a slave KDC
+provides incremental updates to other Kerberos slaves.</dd>
+<dt><strong>-port</strong> <em>port-number</em></dt>
+<dd>specifies the port on which the administration server listens for
+connections. The default port is determined by the
+<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-P</strong> <em>pid_file</em></dt>
+<dd>specifies the file to which the PID of kadmind process should be
+written after it starts up. This file can be used to identify
+whether kadmind is still running and to allow init scripts to stop
+the correct process.</dd>
+<dt><strong>-p</strong> <em>kdb5_util_path</em></dt>
+<dd>specifies the path to the kdb5_util command to use when dumping the
+KDB in response to full resync requests when iprop is enabled.</dd>
+<dt><strong>-K</strong> <em>kprop_path</em></dt>
+<dd>specifies the path to the kprop command to use to send full dumps
+to slaves in response to full resync requests.</dd>
+<dt><strong>-k</strong> <em>kprop_port</em></dt>
+<dd>specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.</dd>
+<dt><strong>-F</strong> <em>dump_file</em></dt>
+<dd>specifies the file path to be used for dumping the KDB in response
+to full resync requests when iprop is enabled.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for supported arguments.</dd>
+</dl>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadmind</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ >previous</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
new file mode 100644
index 000000000000..673118aac6b8
--- /dev/null
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -0,0 +1,560 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdb5_ldap_util &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="krb5kdc" href="krb5kdc.html" />
+ <link rel="prev" title="kdb5_util" href="kdb5_util.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ accesskey="P">previous</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdb5-ldap-util">
+<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kdb5-ldap-util-synopsis"><strong>kdb5_ldap_util</strong>
+[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]]
+[<strong>-H</strong> <em>ldapuri</em>]
+<strong>command</strong>
+[<em>command_options</em>]</p>
+</div>
+<div class="section" id="description">
+<span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kdb5_ldap_util allows an administrator to manage realms, Kerberos
+services and ticket policies.</p>
+</div>
+<div class="section" id="command-line-options">
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kdb5-ldap-util-options">
+<dt><strong>-D</strong> <em>user_dn</em></dt>
+<dd>Specifies the Distinguished Name (DN) of the user who has
+sufficient rights to perform the operation on the LDAP server.</dd>
+<dt><strong>-w</strong> <em>passwd</em></dt>
+<dd>Specifies the password of <em>user_dn</em>. This option is not
+recommended.</dd>
+<dt><strong>-H</strong> <em>ldapuri</em></dt>
+<dd>Specifies the URI of the LDAP server. It is recommended to use
+<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd>
+</dl>
+</div>
+<div class="section" id="commands">
+<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="create">
+<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-create">
+<div><strong>create</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-s</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Creates realm in directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtree. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt>
+<dd>Specifies the DN of the container object in which the principals
+of a realm will be created. If the container reference is not
+configured for a realm, the principals will be created in the
+realm container.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>Specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-m</strong></dt>
+<dd>Specifies that the master database password should be read from
+the TTY rather than fetched from a file on the disk.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>Specifies the master database password. This option is not
+recommended.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-sf</strong> <em>stashfilename</em></dt>
+<dd>Specifies the stash file of the master database password.</dd>
+<dt><strong>-s</strong></dt>
+<dd>Specifies that the stash file is to be created.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Initializing database for realm &#39;ATHENA.MIT.EDU&#39;
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re-enter KDC database master key to verify:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify">
+<span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-modify">
+<div><strong>modify</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Modifies the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtrees. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt>
+<dd>container object in which the principals of a realm will be
+created.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify +requires_preauth -r
+ ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="view">
+<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-view">
+<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Displays the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Realm Name: ATHENA.MIT.EDU
+Subtree: ou=users,o=org
+Subtree: ou=servers,o=org
+SearchScope: ONE
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroy">
+<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-destroy">
+<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Destroys an existing realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong></dt>
+<dd>If specified, will not prompt the user for confirmation.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Deleting KDC database of &#39;ATHENA.MIT.EDU&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+OK, deleting database of &#39;ATHENA.MIT.EDU&#39;...
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="list">
+<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-list">
+<div><strong>list</strong></div></blockquote>
+<p>Lists the name of realms.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu list
+Password for &quot;cn=admin,o=org&quot;:
+ATHENA.MIT.EDU
+OPENLDAP.MIT.EDU
+MEDIA-LAB.MIT.EDU
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="stashsrvpw">
+<span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-stashsrvpw">
+<div><strong>stashsrvpw</strong>
+[<strong>-f</strong> <em>filename</em>]
+<em>name</em></div></blockquote>
+<p>Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong> <em>filename</em></dt>
+<dd>Specifies the complete path of the service password file. By
+default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd>
+<dt><em>name</em></dt>
+<dd>Specifies the name of the object whose password is to be stored.
+If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for
+simple binding, this should be the distinguished name it will
+use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
+<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
+ cn=service-kdc,o=org
+Password for &quot;cn=service-kdc,o=org&quot;:
+Re-enter password for &quot;cn=service-kdc,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="create-policy">
+<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-create-policy">
+<div><strong>create_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Creates a ticket policy in the directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies the ticket flags. If this option is not specified, by
+default, no restriction will be set by the policy. Allowable
+flags are documented in the description of the <strong>add_principal</strong>
+command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create_policy -r ATHENA.MIT.EDU -maxtktlife &quot;1 day&quot;
+ -maxrenewlife &quot;1 week&quot; -allow_postdated +needchange
+ -allow_forwardable tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-policy">
+<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-modify-policy">
+<div><strong>modify_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Modifies the attributes of a ticket policy. Options are same as for
+<strong>create_policy</strong>.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
+ -maxtktlife &quot;60 minutes&quot; -maxrenewlife &quot;10 hours&quot;
+ +allow_postdated -requires_preauth tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="view-policy">
+<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-view-policy">
+<div><strong>view_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+<em>policy_name</em></div></blockquote>
+<p>Displays the attributes of a ticket policy. Options:</p>
+<dl class="docutils">
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+Ticket policy: tktpolicy
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroy-policy">
+<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-destroy-policy">
+<div><strong>destroy_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-force</strong>]
+<em>policy_name</em></div></blockquote>
+<p>Destroys an existing ticket policy. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-force</strong></dt>
+<dd>Forces the deletion of the policy object. If not specified, the
+user will be prompted for confirmation before deleting the policy.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ destroy_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+This will delete the policy object &#39;tktpolicy&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+** policy object &#39;tktpolicy&#39; deleted.
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-policy">
+<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-list-policy">
+<div><strong>list_policy</strong>
+[<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Lists the ticket policies in realm if specified or in the default
+realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ list_policy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+tktpolicy
+tmppolicy
+userpolicy
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="see-also">
+<span id="kdb5-ldap-util-list-policy-end"></span><h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdb5_ldap_util</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#create">create</a></li>
+<li><a class="reference internal" href="#modify">modify</a></li>
+<li><a class="reference internal" href="#view">view</a></li>
+<li><a class="reference internal" href="#destroy">destroy</a></li>
+<li><a class="reference internal" href="#list">list</a></li>
+<li><a class="reference internal" href="#stashsrvpw">stashsrvpw</a></li>
+<li><a class="reference internal" href="#create-policy">create_policy</a></li>
+<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
+<li><a class="reference internal" href="#view-policy">view_policy</a></li>
+<li><a class="reference internal" href="#destroy-policy">destroy_policy</a></li>
+<li><a class="reference internal" href="#list-policy">list_policy</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ >previous</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
new file mode 100644
index 000000000000..66fec5262644
--- /dev/null
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -0,0 +1,615 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdb5_util &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
+ <link rel="prev" title="kadmind" href="kadmind.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kadmind.html" title="kadmind"
+ accesskey="P">previous</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdb5-util">
+<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kdb5-util-synopsis"><strong>kdb5_util</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-m</strong>]
+<em>command</em> [<em>command_options</em>]</p>
+</div>
+<div class="section" id="description">
+<span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kdb5_util allows an administrator to perform maintenance procedures on
+the KDC database. Databases can be created, destroyed, and dumped to
+or loaded from ASCII files. kdb5_util can create a Kerberos master
+key stash file or perform live rollover of the master key.</p>
+<p>When kdb5_util is run, it attempts to acquire the master key and open
+the database. However, execution continues regardless of whether or
+not kdb5_util successfully opens the database, because the database
+may not exist yet or the stash file may be corrupt.</p>
+<p>Note that some KDC database modules may not support all kdb5_util
+commands.</p>
+</div>
+<div class="section" id="command-line-options">
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kdb5-util-options">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>specifies the Kerberos realm of the database.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>specifies the name under which the principal database is stored;
+by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The
+password policy database and lock files are also derived from this
+value.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-M</strong> <em>mkeyname</em></dt>
+<dd>principal name for the master key in the database. If not
+specified, the name is determined by the <strong>master_key_name</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-m</strong></dt>
+<dd>specifies that the master database password should be read from
+the keyboard rather than fetched from a file on disk.</dd>
+<dt><strong>-sf</strong> <em>stash_file</em></dt>
+<dd>specifies the stash filename of the master database password. If
+not specified, the filename is determined by the
+<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>specifies the master database password. Using this option may
+expose the password to other users on the system via the process
+list.</dd>
+</dl>
+</div>
+<div class="section" id="commands">
+<span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="create">
+<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-create">
+<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote>
+<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash
+file is also created. This command fails if the database already
+exists. If the command is successful, the database is opened just as
+if it had already existed when the program was first run.</p>
+</div>
+<div class="section" id="destroy">
+<span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-destroy">
+<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote>
+<p>Destroys the database, first overwriting the disk sectors and then
+unlinking the files, after prompting the user for confirmation. With
+the <strong>-f</strong> argument, does not prompt the user.</p>
+</div>
+<div class="section" id="stash">
+<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-stash">
+<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote>
+<p>Stores the master principal&#8217;s keys in a stash file. The <strong>-f</strong>
+argument can be used to override the <em>keyfile</em> specified in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+</div>
+<div class="section" id="dump">
+<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-dump">
+<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>]
+[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>]
+[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote>
+<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By
+default, the database is dumped in current format, &#8220;kdb5_util
+load_dump version 7&#8221;. If filename is not specified, or is the string
+&#8220;-&#8221;, the dump is sent to standard output. Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 Beta 7 format (&#8220;kdb5_util
+load_dump version 4&#8221;). This was the dump format produced on
+releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>causes the dump to be in &#8220;ovsec_adm_export&#8221; format.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-mkey_convert</strong></dt>
+<dd>prompts for a new master key. This new master key will be used to
+re-encrypt principal key data in the dumpfile. The principal keys
+themselves will not be changed.</dd>
+<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt>
+<dd>the filename of a stash file. The master key in this stash file
+will be used to re-encrypt the key data in the dumpfile. The key
+data in the database will not be changed.</dd>
+<dt><strong>-rev</strong></dt>
+<dd>dumps in reverse order. This may recover principals that do not
+dump normally, in cases where database corruption has occurred.</dd>
+<dt><strong>-recurse</strong></dt>
+<dd><p class="first">causes the dump to walk the database recursively (btree only).
+This may recover principals that do not dump normally, in cases
+where database corruption has occurred. In cases of such
+corruption, this option will probably retrieve more principals
+than the <strong>-rev</strong> option will.</p>
+<div class="versionchanged">
+<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong>
+option.</p>
+</div>
+<div class="last versionchanged">
+<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.</p>
+</div>
+</dd>
+</dl>
+</div>
+<div class="section" id="load">
+<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-load">
+<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>]
+[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote>
+<p>Loads a database dump from the named file into the named database. If
+no option is given to determine the format of the dump file, the
+format is detected automatically and handled as appropriate. Unless
+the <strong>-update</strong> option is given, <strong>load</strong> creates a new database
+containing only the data in the dump file, overwriting the contents of
+any previously existing database. Note that when using the LDAP KDC
+database module, the <strong>-update</strong> flag is required.</p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>requires the database to be in the Kerberos 5 Beta 7 format
+(&#8220;kdb5_util load_dump version 4&#8221;). This was the dump format
+produced on releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>requires the database to be in &#8220;ovsec_adm_import&#8221; format. Must be
+used with the <strong>-update</strong> option.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-hash</strong></dt>
+<dd>requires the database to be stored as a hash. If this option is
+not specified, the database will be stored as a btree. This
+option is not recommended, as databases stored in hash format are
+known to corrupt data and lose principals.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-update</strong></dt>
+<dd>records from the dump file are added to or updated in the existing
+database. Otherwise, a new database is created containing only
+what is in the dump file and the old one destroyed upon successful
+completion.</dd>
+</dl>
+<p>If specified, <em>dbname</em> overrides the value specified on the command
+line or the default.</p>
+</div>
+<div class="section" id="ark">
+<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,...] <em>principal</em></div></blockquote>
+<p>Adds new random keys to <em>principal</em> at the next available key version
+number. Keys for the current highest key version number will be
+preserved. The <strong>-e</strong> option specifies the list of encryption and
+salt types to be used for the new keys.</p>
+</div>
+<div class="section" id="add-mkey">
+<h3>add_mkey<a class="headerlink" href="#add-mkey" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</div></blockquote>
+<p>Adds a new master key to the master key principal, but does not mark
+it as active. Existing master keys will remain. The <strong>-e</strong> option
+specifies the encryption type of the new master key; see
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+values. The <strong>-s</strong> option stashes the new master key in the stash
+file, which will be created if it doesn&#8217;t already exist.</p>
+<p>After a new master key is added, it should be propagated to slave
+servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>. Then,
+the stash files on the slave servers should be updated with the
+kdb5_util <strong>stash</strong> command. Once those steps are complete, the key
+is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p>
+</div>
+<div class="section" id="use-mkey">
+<h3>use_mkey<a class="headerlink" href="#use-mkey" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</div></blockquote>
+<p>Sets the activation time of the master key specified by <em>mkeyVNO</em>.
+Once a master key becomes active, it will be used to encrypt newly
+created principal keys. If no <em>time</em> argument is given, the current
+time is used, causing the specified master key version to become
+active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string.</p>
+<p>After a new master key becomes active, the kdb5_util
+<strong>update_princ_encryption</strong> command can be used to update all
+principal keys to be encrypted in the new master key.</p>
+</div>
+<div class="section" id="list-mkeys">
+<h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_mkeys</strong></div></blockquote>
+<p>List all master keys, from most recent to earliest, in the master key
+principal. The output will show the kvno, enctype, and salt type for
+each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>getprinc</strong>. A
+<tt class="docutils literal"><span class="pre">*</span></tt> following an mkey denotes the currently active master key.</p>
+</div>
+<div class="section" id="purge-mkeys">
+<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</div></blockquote>
+<p>Delete master keys from the master key principal that are not used to
+protect any principals. This command can be used to remove old master
+keys all principal keys are protected by a newer master key.</p>
+<dl class="docutils">
+<dt><strong>-f</strong></dt>
+<dd>does not prompt for confirmation.</dd>
+<dt><strong>-n</strong></dt>
+<dd>performs a dry run, showing master keys that would be purged, but
+not actually purging any keys.</dd>
+<dt><strong>-v</strong></dt>
+<dd>gives more verbose output.</dd>
+</dl>
+</div>
+<div class="section" id="update-princ-encryption">
+<h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]
+[<em>princ-pattern</em>]</div></blockquote>
+<p>Update all principal records (or only those matching the
+<em>princ-pattern</em> glob pattern) to re-encrypt the key data using the
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
+updated. If the <strong>-f</strong> option is not given, ask for confirmation
+before starting to make changes. The <strong>-v</strong> option causes each
+principal processed to be listed, with an indication as to whether it
+needed updating or not. The <strong>-n</strong> option performs a dry run, only
+showing the actions which would have been taken.</p>
+</div>
+<div class="section" id="tabdump">
+<h3>tabdump<a class="headerlink" href="#tabdump" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>]
+<em>dumptype</em></div></blockquote>
+<p>Dump selected fields of the database in a tabular format suitable for
+reporting (e.g., using traditional Unix text processing tools) or
+importing into relational databases. The data format is tab-separated
+(default), or optionally comma-separated (CSV), with a fixed number of
+columns. The output begins with a header line containing field names,
+unless suppression is requested using the <strong>-H</strong> option.</p>
+<p>The <em>dumptype</em> parameter specifies the name of an output table (see
+below).</p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-H</strong></dt>
+<dd>suppress writing the field names in a header line</dd>
+<dt><strong>-c</strong></dt>
+<dd>use comma separated values (CSV) format, with minimal quoting,
+instead of the default tab-separated (unquoted, unescaped) format</dd>
+<dt><strong>-e</strong></dt>
+<dd>write empty hexadecimal string fields as empty fields instead of
+as &#8220;-1&#8221;.</dd>
+<dt><strong>-n</strong></dt>
+<dd>produce numeric output for fields that normally have symbolic
+output, such as enctypes and flag names. Also requests output of
+time stamps as decimal POSIX time_t values.</dd>
+<dt><strong>-o</strong> <em>outfile</em></dt>
+<dd>write the dump to the specified output file instead of to standard
+output</dd>
+</dl>
+<p>Dump types:</p>
+<dl class="docutils">
+<dt><strong>keydata</strong></dt>
+<dd><p class="first">principal encryption key information, including actual key data
+(which is still encrypted in the master key)</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>keyindex</strong></dt>
+<dd>index of this key in the principal&#8217;s key list</dd>
+<dt><strong>kvno</strong></dt>
+<dd>key version number</dd>
+<dt><strong>enctype</strong></dt>
+<dd>encryption type</dd>
+<dt><strong>key</strong></dt>
+<dd>key data as a hexadecimal string</dd>
+<dt><strong>salttype</strong></dt>
+<dd>salt type</dd>
+<dt><strong>salt</strong></dt>
+<dd>salt data as a hexadecimal string</dd>
+</dl>
+</dd>
+<dt><strong>keyinfo</strong></dt>
+<dd>principal encryption key information (as in <strong>keydata</strong> above),
+excluding actual key data</dd>
+<dt><strong>princ_flags</strong></dt>
+<dd><p class="first">principal boolean attributes. Flag names print as hexadecimal
+numbers if the <strong>-n</strong> option is specified, and all flag positions
+are printed regardless of whether or not they are set. If <strong>-n</strong>
+is not specified, print all known flag names for each principal,
+but only print hexadecimal flag names if the corresponding flag is
+set.</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>flag</strong></dt>
+<dd>flag name</dd>
+<dt><strong>value</strong></dt>
+<dd>boolean value (0 for clear, or 1 for set)</dd>
+</dl>
+</dd>
+<dt><strong>princ_lockout</strong></dt>
+<dd><p class="first">state information used for tracking repeated password failures</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>last_success</strong></dt>
+<dd>time stamp of most recent successful authentication</dd>
+<dt><strong>last_failed</strong></dt>
+<dd>time stamp of most recent failed authentication</dd>
+<dt><strong>fail_count</strong></dt>
+<dd>count of failed attempts</dd>
+</dl>
+</dd>
+<dt><strong>princ_meta</strong></dt>
+<dd><p class="first">principal metadata</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>modby</strong></dt>
+<dd>name of last principal to modify this principal</dd>
+<dt><strong>modtime</strong></dt>
+<dd>timestamp of last modification</dd>
+<dt><strong>lastpwd</strong></dt>
+<dd>timestamp of last password change</dd>
+<dt><strong>policy</strong></dt>
+<dd>policy object name</dd>
+<dt><strong>mkvno</strong></dt>
+<dd>key version number of the master key that encrypts this
+principal&#8217;s key data</dd>
+<dt><strong>hist_kvno</strong></dt>
+<dd>key version number of the history key that encrypts the key
+history data for this principal</dd>
+</dl>
+</dd>
+<dt><strong>princ_stringattrs</strong></dt>
+<dd><p class="first">string attributes (key/value pairs)</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>key</strong></dt>
+<dd>attribute name</dd>
+<dt><strong>value</strong></dt>
+<dd>attribute value</dd>
+</dl>
+</dd>
+<dt><strong>princ_tktpolicy</strong></dt>
+<dd><p class="first">per-principal ticket policy data, including maximum ticket
+lifetimes</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>expiration</strong></dt>
+<dd>principal expiration date</dd>
+<dt><strong>pw_expiration</strong></dt>
+<dd>password expiration date</dd>
+<dt><strong>max_life</strong></dt>
+<dd>maximum ticket lifetime</dd>
+<dt><strong>max_renew_life</strong></dt>
+<dd>maximum renewable ticket lifetime</dd>
+</dl>
+</dd>
+</dl>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util tabdump -o keyinfo.txt keyinfo
+$ cat keyinfo.txt
+name keyindex kvno enctype salttype salt
+foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
+bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+$ sqlite3
+sqlite&gt; .mode tabs
+sqlite&gt; .import keyinfo.txt keyinfo
+sqlite&gt; select * from keyinfo where enctype like &#39;des-cbc-%&#39;;
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+sqlite&gt; .quit
+$ awk -F&#39;\t&#39; &#39;$4 ~ /des-cbc-/ { print }&#39; keyinfo.txt
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdb5_util</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#create">create</a></li>
+<li><a class="reference internal" href="#destroy">destroy</a></li>
+<li><a class="reference internal" href="#stash">stash</a></li>
+<li><a class="reference internal" href="#dump">dump</a></li>
+<li><a class="reference internal" href="#load">load</a></li>
+<li><a class="reference internal" href="#ark">ark</a></li>
+<li><a class="reference internal" href="#add-mkey">add_mkey</a></li>
+<li><a class="reference internal" href="#use-mkey">use_mkey</a></li>
+<li><a class="reference internal" href="#list-mkeys">list_mkeys</a></li>
+<li><a class="reference internal" href="#purge-mkeys">purge_mkeys</a></li>
+<li><a class="reference internal" href="#update-princ-encryption">update_princ_encryption</a></li>
+<li><a class="reference internal" href="#tabdump">tabdump</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kadmind.html" title="kadmind"
+ >previous</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
new file mode 100644
index 000000000000..962d316aab40
--- /dev/null
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -0,0 +1,223 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kprop &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kpropd" href="kpropd.html" />
+ <link rel="prev" title="krb5kdc" href="krb5kdc.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ accesskey="P">previous</a> |
+ <a href="kpropd.html" title="kpropd"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kprop">
+<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kprop</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-f</strong> <em>file</em>]
+[<strong>-d</strong>]
+[<strong>-P</strong> <em>port</em>]
+[<strong>-s</strong> <em>keytab</em>]
+<em>slave_host</em></p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kprop is used to securely propagate a Kerberos V5 database dump file
+from the master Kerberos server to a slave Kerberos server, which is
+specified by <em>slave_host</em>. The dump file must be created by
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the realm of the master server.</dd>
+<dt><strong>-f</strong> <em>file</em></dt>
+<dd>Specifies the filename where the dumped principal database file is
+to be found; by default the dumped database file is normally
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans</span></tt>.</dd>
+<dt><strong>-P</strong> <em>port</em></dt>
+<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> server
+on the remote host.</dd>
+<dt><strong>-d</strong></dt>
+<dd>Prints debugging information.</dd>
+<dt><strong>-s</strong> <em>keytab</em></dt>
+<dd>Specifies the location of the keytab file.</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p><em>kprop</em> uses the following environment variable:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kprop</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ >previous</a> |
+ <a href="kpropd.html" title="kpropd"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
new file mode 100644
index 000000000000..b8252223a043
--- /dev/null
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -0,0 +1,286 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kpropd &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kproplog" href="kproplog.html" />
+ <link rel="prev" title="kprop" href="kprop.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kprop.html" title="kprop"
+ accesskey="P">previous</a> |
+ <a href="kproplog.html" title="kproplog"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kpropd">
+<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kpropd</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-A</strong> <em>admin_server</em>]
+[<strong>-a</strong> <em>acl_file</em>]
+[<strong>-f</strong> <em>slave_dumpfile</em>]
+[<strong>-F</strong> <em>principal_database</em>]
+[<strong>-p</strong> <em>kdb5_util_prog</em>]
+[<strong>-P</strong> <em>port</em>]
+[<strong>-d</strong>]
+[<strong>-t</strong>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The <em>kpropd</em> command runs on the slave KDC server. It listens for
+update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> program. If incremental
+propagation is enabled, it periodically requests incremental updates
+from the master KDC.</p>
+<p>When the slave receives a kprop request from the master, kpropd
+accepts the dumped KDC database and places it in a file, and then runs
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> to load the dumped database into the active
+database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>. This allows the master
+Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> to propagate its database to
+the slave servers. Upon a successful download of the KDC database
+file, the slave Kerberos server will have an up-to-date KDC database.</p>
+<p>Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service. This is done by adding a line to
+the <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> file which looks like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+</pre></div>
+</div>
+<p>kpropd can also run as a standalone daemon, backgrounding itself and
+waiting for connections on port 754 (or the port specified with the
+<strong>-P</strong> option if given). Standalone mode is required for incremental
+propagation. Starting in release 1.11, kpropd automatically detects
+whether it was run from inetd and runs in standalone mode if it is
+not. Prior to release 1.11, the <strong>-S</strong> option is required to run
+kpropd in standalone mode; this option is now accepted for backward
+compatibility but does nothing.</p>
+<p>Incremental propagation may be enabled with the <strong>iprop_enable</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If incremental propagation is
+enabled, the slave periodically polls the master KDC for updates, at
+an interval determined by the <strong>iprop_slave_poll</strong> variable. If the
+slave receives updates, kpropd updates its log file with any updates
+from the master. <a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to view a summary of
+the update entry log on the slave KDC. If incremental propagation is
+enabled, the principal <tt class="docutils literal"><span class="pre">kiprop/slavehostname&#64;REALM</span></tt> (where
+<em>slavehostname</em> is the name of the slave KDC host, and <em>REALM</em> is the
+name of the Kerberos realm) must be present in the slave&#8217;s keytab
+file.</p>
+<p><a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to force full replication when iprop is
+enabled.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the realm of the master server.</dd>
+<dt><strong>-A</strong> <em>admin_server</em></dt>
+<dd>Specifies the server to be contacted for incremental updates; by
+default, the master admin server is contacted.</dd>
+<dt><strong>-f</strong> <em>file</em></dt>
+<dd>Specifies the filename where the dumped principal database file is
+to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/from_master</span></tt>.</dd>
+<dt><strong>-p</strong></dt>
+<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>
+program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>SBINDIR</em></a><tt class="docutils literal"><span class="pre">/kdb5_util</span></tt>.</dd>
+<dt><strong>-d</strong></dt>
+<dd>Turn on debug mode. In this mode, kpropd will not detach
+itself from the current job and run in the background. Instead,
+it will run in the foreground and print out debugging messages
+during the database propagation.</dd>
+<dt><strong>-t</strong></dt>
+<dd>In standalone mode without incremental propagation, exit after one
+dump file is received. In incremental propagation mode, exit as
+soon as the database is up to date, or if the master returns an
+error.</dd>
+<dt><strong>-P</strong></dt>
+<dd>Allow for an alternate port number for kpropd to listen on. This
+is only useful in combination with the <strong>-S</strong> option.</dd>
+<dt><strong>-a</strong> <em>acl_file</em></dt>
+<dd>Allows the user to specify the path to the kpropd.acl file; by
+default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>kpropd uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt>kpropd.acl</dt>
+<dd>Access file for kpropd; the default location is
+<tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></tt>. Each entry is a line
+containing the principal of a host from which the local machine
+will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>.</dd>
+</dl>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, inetd(8)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kpropd</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kprop.html" title="kprop"
+ >previous</a> |
+ <a href="kproplog.html" title="kproplog"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
new file mode 100644
index 000000000000..a961170ccf98
--- /dev/null
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -0,0 +1,249 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kproplog &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="ktutil" href="ktutil.html" />
+ <link rel="prev" title="kpropd" href="kpropd.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kpropd.html" title="kpropd"
+ accesskey="P">previous</a> |
+ <a href="ktutil.html" title="ktutil"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kproplog">
+<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kproplog</strong> [<strong>-h</strong>] [<strong>-e</strong> <em>num</em>] [-v]
+<strong>kproplog</strong> [-R]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The kproplog command displays the contents of the KDC database update
+log to standard output. It can be used to keep track of incremental
+updates to the principal database. The update log file contains the
+update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> process on the master
+KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> process on the slave KDC servers.
+When updates occur, they are logged to this file. Subsequently any
+KDC slave configured for incremental updates will request the current
+data from the master KDC and update their log file with any updates
+returned.</p>
+<p>The kproplog command requires read access to the update log file. It
+will display update entries only for the KDC it runs on.</p>
+<p>If no options are specified, kproplog displays a summary of the update
+log. If invoked on the master, kproplog also displays all of the
+update entries. If invoked on a slave KDC server, kproplog displays
+only a summary of the updates, which includes the serial number of the
+last update received and the associated time stamp of the last update.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-R</strong></dt>
+<dd>Reset the update log. This forces full resynchronization. If used
+on a slave then that slave will request a full resync. If used on
+the master then all slaves will request full resyncs.</dd>
+<dt><strong>-h</strong></dt>
+<dd>Display a summary of the update log. This information includes
+the database version number, state of the database, the number of
+updates in the log, the time stamp of the first and last update,
+and the version number of the first and last update entry.</dd>
+<dt><strong>-e</strong> <em>num</em></dt>
+<dd>Display the last <em>num</em> update entries in the log. This is useful
+when debugging synchronization between KDC servers.</dd>
+<dt><strong>-v</strong></dt>
+<dd><p class="first">Display individual attributes per update. An example of the
+output generated for one entry:</p>
+<div class="last highlight-python"><div class="highlight"><pre>Update Entry
+ Update serial # : 4
+ Update operation : Add
+ Update principal : test@EXAMPLE.COM
+ Update size : 424
+ Update committed : True
+ Update time stamp : Fri Feb 20 23:37:42 2004
+ Attributes changed : 6
+ Principal
+ Key data
+ Password last changed
+ Modifying principal
+ Modification time
+ TL data
+</pre></div>
+</div>
+</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>kproplog uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kproplog</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kpropd.html" title="kpropd"
+ >previous</a> |
+ <a href="ktutil.html" title="ktutil"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
new file mode 100644
index 000000000000..22a0c0ca87e4
--- /dev/null
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -0,0 +1,277 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>krb5kdc &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kprop" href="kprop.html" />
+ <link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ accesskey="P">previous</a> |
+ <a href="kprop.html" title="kprop"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="krb5kdc">
+<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>krb5kdc</strong>
+[<strong>-x</strong> <em>db_args</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-k</strong> <em>keytype</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
+[<strong>-p</strong> <em>portnum</em>]
+[<strong>-m</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-n</strong>]
+[<strong>-w</strong> <em>numworkers</em>]
+[<strong>-P</strong> <em>pid_file</em>]
+[<strong>-T</strong> <em>time_offset</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>krb5kdc is the Kerberos version 5 Authentication Service and Key
+Distribution Center (AS/KDC).</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server
+should provide service.</p>
+<p>The <strong>-d</strong> <em>dbname</em> option specifies the name under which the
+principal database can be found. This option does not apply to the
+LDAP database.</p>
+<p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key
+to be entered manually as a password when <strong>-m</strong> is given; the default
+is <tt class="docutils literal"><span class="pre">des-cbc-crc</span></tt>.</p>
+<p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the
+master key in the database (usually <tt class="docutils literal"><span class="pre">K/M</span></tt> in the KDC&#8217;s realm).</p>
+<p>The <strong>-m</strong> option specifies that the master database password should
+be fetched from the keyboard rather than from a stash file.</p>
+<p>The <strong>-n</strong> option specifies that the KDC does not put itself in the
+background and does not disassociate itself from the terminal. In
+normal operation, you should always allow the KDC to place itself in
+the background.</p>
+<p>The <strong>-P</strong> <em>pid_file</em> option tells the KDC to write its PID into
+<em>pid_file</em> after it starts up. This can be used to identify whether
+the KDC is still running and to allow init scripts to stop the correct
+process.</p>
+<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP port numbers
+which the KDC should listen on for Kerberos version 5 requests, as a
+comma-separated list. This value overrides the UDP port numbers
+specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section of <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but
+may be overridden by realm-specific values. If no value is given from
+any source, the default port is 88.</p>
+<p>The <strong>-w</strong> <em>numworkers</em> option tells the KDC to fork <em>numworkers</em>
+processes to listen to the KDC ports and process requests in parallel.
+The top level KDC process (whose pid is recorded in the pid file if
+the <strong>-P</strong> option is also given) acts as a supervisor. The supervisor
+will relay SIGHUP signals to the worker subprocesses, and will
+terminate the worker subprocess if the it is itself terminated or if
+any other worker process exits.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">On operating systems which do not have <em>pktinfo</em> support,
+using worker processes will prevent the KDC from listening
+for UDP packets on network interfaces created after the KDC
+starts.</p>
+</div>
+<p>The <strong>-x</strong> <em>db_args</em> option specifies database-specific arguments.
+See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for
+supported arguments.</p>
+<p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which
+the KDC will operate under. It is intended only for testing purposes.</p>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<p>The KDC may service requests for multiple realms (maximum 32 realms).
+The realms are listed on the command line. Per-realm options that can
+be specified on the command line pertain for each realm that follows
+it and are superseded by subsequent definitions of the same option.</p>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
+</pre></div>
+</div>
+<p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002
+for REALM2 and REALM3. Additionally, per-realm parameters may be
+specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file. The location of this file
+may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable.
+Per-realm parameters specified in this file take precedence over
+options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+description for further details.</p>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>krb5kdc uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">krb5kdc</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ >previous</a> |
+ <a href="kprop.html" title="kprop"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
new file mode 100644
index 000000000000..de4700ef9cc1
--- /dev/null
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -0,0 +1,292 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>ktutil &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="k5srvutil" href="k5srvutil.html" />
+ <link rel="prev" title="kproplog" href="kproplog.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kproplog.html" title="kproplog"
+ accesskey="P">previous</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="ktutil">
+<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>ktutil</strong></p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The ktutil command invokes a command interface from which an
+administrator can read, write, or edit entries in a keytab or Kerberos
+V4 srvtab file.</p>
+</div>
+<div class="section" id="commands">
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="list">
+<h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list</strong></div></blockquote>
+<p>Displays the current keylist.</p>
+<p>Alias: <strong>l</strong></p>
+</div>
+<div class="section" id="read-kt">
+<h3>read_kt<a class="headerlink" href="#read-kt" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>read_kt</strong> <em>keytab</em></div></blockquote>
+<p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p>
+<p>Alias: <strong>rkt</strong></p>
+</div>
+<div class="section" id="read-st">
+<h3>read_st<a class="headerlink" href="#read-st" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>read_st</strong> <em>srvtab</em></div></blockquote>
+<p>Read the Kerberos V4 srvtab file <em>srvtab</em> into the current keylist.</p>
+<p>Alias: <strong>rst</strong></p>
+</div>
+<div class="section" id="write-kt">
+<h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>write_kt</strong> <em>keytab</em></div></blockquote>
+<p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p>
+<p>Alias: <strong>wkt</strong></p>
+</div>
+<div class="section" id="write-st">
+<h3>write_st<a class="headerlink" href="#write-st" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>write_st</strong> <em>srvtab</em></div></blockquote>
+<p>Write the current keylist into the Kerberos V4 srvtab file <em>srvtab</em>.</p>
+<p>Alias: <strong>wst</strong></p>
+</div>
+<div class="section" id="clear-list">
+<h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>clear_list</strong></div></blockquote>
+<p>Clear the current keylist.</p>
+<p>Alias: <strong>clear</strong></p>
+</div>
+<div class="section" id="delete-entry">
+<h3>delete_entry<a class="headerlink" href="#delete-entry" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_entry</strong> <em>slot</em></div></blockquote>
+<p>Delete the entry in slot number <em>slot</em> from the current keylist.</p>
+<p>Alias: <strong>delent</strong></p>
+</div>
+<div class="section" id="add-entry">
+<h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
+<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em></div></blockquote>
+<p>Add <em>principal</em> to keylist using key or password.</p>
+<p>Alias: <strong>addent</strong></p>
+</div>
+<div class="section" id="list-requests">
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_requests</strong></div></blockquote>
+<p>Displays a listing of available commands.</p>
+<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
+</div>
+<div class="section" id="quit">
+<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>quit</strong></div></blockquote>
+<p>Quits ktutil.</p>
+<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
+</div>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<blockquote>
+<div><div class="highlight-python"><div class="highlight"><pre>ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes128-cts-hmac-sha1-96
+Password for alice@BLEEP.COM:
+ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes256-cts-hmac-sha1-96
+Password for alice@BLEEP.COM:
+ktutil: write_kt keytab
+ktutil:
+</pre></div>
+</div>
+</div></blockquote>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">ktutil</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#list">list</a></li>
+<li><a class="reference internal" href="#read-kt">read_kt</a></li>
+<li><a class="reference internal" href="#read-st">read_st</a></li>
+<li><a class="reference internal" href="#write-kt">write_kt</a></li>
+<li><a class="reference internal" href="#write-st">write_st</a></li>
+<li><a class="reference internal" href="#clear-list">clear_list</a></li>
+<li><a class="reference internal" href="#delete-entry">delete_entry</a></li>
+<li><a class="reference internal" href="#add-entry">add_entry</a></li>
+<li><a class="reference internal" href="#list-requests">list_requests</a></li>
+<li><a class="reference internal" href="#quit">quit</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kproplog.html" title="kproplog"
+ >previous</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
new file mode 100644
index 000000000000..15e622cf0b5d
--- /dev/null
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -0,0 +1,270 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>sserver &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="MIT Kerberos defaults" href="../../mitK5defaults.html" />
+ <link rel="prev" title="k5srvutil" href="k5srvutil.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ accesskey="P">previous</a> |
+ <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="sserver">
+<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>sserver</strong>
+[ <strong>-p</strong> <em>port</em> ]
+[ <strong>-S</strong> <em>keytab</em> ]
+[ <em>server_port</em> ]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a> are a simple demonstration client/server
+application. When sclient connects to sserver, it performs a Kerberos
+authentication, and then sserver returns to sclient the Kerberos
+principal which was used for the Kerberos authentication. It makes a
+good test that Kerberos has been successfully installed on a machine.</p>
+<p>The service name used by sserver and sclient is sample. Hence,
+sserver will require that there be a keytab entry for the service
+<tt class="docutils literal"><span class="pre">sample/hostname.domain.name&#64;REALM.NAME</span></tt>. This keytab is generated
+using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program. The keytab file is usually
+installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.</p>
+<p>The <strong>-S</strong> option allows for a different keytab than the default.</p>
+<p>sserver is normally invoked out of inetd(8), using a line in
+<tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> that looks like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sample stream tcp nowait root /usr/local/sbin/sserver sserver
+</pre></div>
+</div>
+<p>Since <tt class="docutils literal"><span class="pre">sample</span></tt> is normally not a port defined in <tt class="docutils literal"><span class="pre">/etc/services</span></tt>,
+you will usually have to add a line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> which looks
+like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sample 13135/tcp
+</pre></div>
+</div>
+<p>When using sclient, you will first have to have an entry in the
+Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and then you have to get
+Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>. Also, if you are running
+the sclient program on a different host than the sserver it will be
+connecting to, be sure that both hosts have an entry in /etc/services
+for the sample tcp port, and that the same port number is in both
+files.</p>
+<p>When you run sclient you should see something like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sendauth succeeded, reply is:
+reply len 32, contents:
+You are nlgilman@JIMI.MIT.EDU
+</pre></div>
+</div>
+</div>
+<div class="section" id="common-error-messages">
+<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic">
+<li><p class="first">kinit returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>kinit: Client not found in Kerberos database while getting
+ initial credentials
+</pre></div>
+</div>
+<p>This means that you didn&#8217;t create an entry for your username in the
+Kerberos database.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>unknown service sample/tcp; check /etc/services
+</pre></div>
+</div>
+<p>This means that you don&#8217;t have an entry in /etc/services for the
+sample tcp port.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>connect: Connection refused
+</pre></div>
+</div>
+<p>This probably means you didn&#8217;t edit /etc/inetd.conf correctly, or
+you didn&#8217;t restart inetd after editing inetd.conf.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>sclient: Server not found in Kerberos database while using
+ sendauth
+</pre></div>
+</div>
+<p>This means that the <tt class="docutils literal"><span class="pre">sample/hostname&#64;LOCAL.REALM</span></tt> service was not
+defined in the Kerberos database; it should be created using
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and a keytab file needs to be generated to make
+the key for that service principal available for sclient.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>sendauth rejected, error reply is:
+ &quot;No such file or directory&quot;
+</pre></div>
+</div>
+<p>This probably means sserver couldn&#8217;t find the keytab file. It was
+probably not installed in the proper directory.</p>
+</li>
+</ol>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a>, services(5), inetd(8)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">sserver</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#common-error-messages">COMMON ERROR MESSAGES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ >previous</a> |
+ <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html
new file mode 100644
index 000000000000..223fd15864f6
--- /dev/null
+++ b/doc/html/admin/advanced/index.html
@@ -0,0 +1,167 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Advanced topics &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="For administrators" href="../index.html" />
+ <link rel="next" title="LDAP backend on Ubuntu 10.4 (lucid)" href="ldapbackend.html" />
+ <link rel="prev" title="Troubleshooting" href="../troubleshoot.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../troubleshoot.html" title="Troubleshooting"
+ accesskey="P">previous</a> |
+ <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Advanced topics">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="advanced-topics">
+<h1>Advanced topics<a class="headerlink" href="#advanced-topics" title="Permalink to this headline">¶</a></h1>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li>
+<li class="toctree-l1"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Advanced topics</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Advanced topics</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li>
+<li class="toctree-l3"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../troubleshoot.html" title="Troubleshooting"
+ >previous</a> |
+ <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Advanced topics">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html
new file mode 100644
index 000000000000..e74d2b80770a
--- /dev/null
+++ b/doc/html/admin/advanced/ldapbackend.html
@@ -0,0 +1,304 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>LDAP backend on Ubuntu 10.4 (lucid) &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Advanced topics" href="index.html" />
+ <link rel="next" title="Retiring DES" href="retiring-des.html" />
+ <link rel="prev" title="Advanced topics" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="Advanced topics"
+ accesskey="P">previous</a> |
+ <a href="retiring-des.html" title="Retiring DES"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__LDAP backend on Ubuntu 10.4 (lucid)">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="ldap-backend-on-ubuntu-10-4-lucid">
+<span id="ldap-be-ubuntu"></span><h1>LDAP backend on Ubuntu 10.4 (lucid)<a class="headerlink" href="#ldap-backend-on-ubuntu-10-4-lucid" title="Permalink to this headline">¶</a></h1>
+<p>Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)</p>
+<div class="section" id="prerequisites">
+<h2>Prerequisites<a class="headerlink" href="#prerequisites" title="Permalink to this headline">¶</a></h2>
+<p>Install the following packages: <em>slapd, ldap-utils</em> and <em>libldap2-dev</em></p>
+<p>You can install the necessary packages with these commands:</p>
+<div class="highlight-python"><div class="highlight"><pre>sudo apt-get install slapd
+sudo apt-get install ldap-utils
+sudo apt-get install libldap2-dev
+</pre></div>
+</div>
+<p>Extend the user schema using schemas from standart OpenLDAP
+distribution: <em>cosine, mics, nis, inetcomperson</em></p>
+<div class="highlight-python"><div class="highlight"><pre>ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
+ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif
+</pre></div>
+</div>
+</div>
+<div class="section" id="building-kerberos-from-source">
+<h2>Building Kerberos from source<a class="headerlink" href="#building-kerberos-from-source" title="Permalink to this headline">¶</a></h2>
+<div class="highlight-python"><div class="highlight"><pre>./configure --with-ldap
+make
+sudo make install
+</pre></div>
+</div>
+</div>
+<div class="section" id="setting-up-kerberos">
+<h2>Setting up Kerberos<a class="headerlink" href="#setting-up-kerberos" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="configuration">
+<h3>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h3>
+<p>Update kdc.conf with the LDAP back-end information:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ EXAMPLE.COM = {
+ database_module = LDAP
+ }
+
+[dbmodules]
+ LDAP = {
+ db_library = kldap
+ ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
+ ldap_kdc_dn = cn=admin,dc=example,dc=com
+ ldap_kadmind_dn = cn=admin,dc=example,dc=com
+ ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
+ ldap_servers = ldapi:///
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="schema">
+<h3>Schema<a class="headerlink" href="#schema" title="Permalink to this headline">¶</a></h3>
+<p>From the source tree copy
+<tt class="docutils literal"><span class="pre">src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema</span></tt> into
+<tt class="docutils literal"><span class="pre">/etc/ldap/schema</span></tt></p>
+<p>Warning: this step should be done after slapd is installed to avoid
+problems with slapd installation.</p>
+<p>To convert kerberos.schema to run-time configuration (<tt class="docutils literal"><span class="pre">cn=config</span></tt>)
+do the following:</p>
+<ol class="arabic">
+<li><p class="first">Create a temporary file <tt class="docutils literal"><span class="pre">/tmp/schema_convert.conf</span></tt> with the
+following content:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">include</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ldap</span><span class="o">/</span><span class="n">schema</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">schema</span>
+</pre></div>
+</div>
+</li>
+<li><p class="first">Create a temporary directory <tt class="docutils literal"><span class="pre">/tmp/krb5_ldif</span></tt>.</p>
+</li>
+<li><p class="first">Run:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">slaptest</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">schema_convert</span><span class="o">.</span><span class="n">conf</span> <span class="o">-</span><span class="n">F</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5_ldif</span>
+</pre></div>
+</div>
+<p>This should in a new file named
+<tt class="docutils literal"><span class="pre">/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif</span></tt>.</p>
+</li>
+<li><p class="first">Edit <tt class="docutils literal"><span class="pre">/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif</span></tt> by
+replacing the lines:</p>
+<div class="highlight-python"><div class="highlight"><pre>dn: cn={0}kerberos
+cn: {0}kerberos
+</pre></div>
+</div>
+<p>with</p>
+<blockquote>
+<div><p>dn: cn=kerberos,cn=schema,cn=config
+cn: kerberos</p>
+</div></blockquote>
+<p>Also, remove following attribute-value pairs:</p>
+<div class="highlight-python"><div class="highlight"><pre>structuralObjectClass: olcSchemaConfig
+entryUUID: ...
+creatorsName: cn=config
+createTimestamp: ...
+entryCSN: ...
+modifiersName: cn=config
+modifyTimestamp: ...
+</pre></div>
+</div>
+</li>
+<li><p class="first">Load the new schema with ldapadd (with the proper authentication):</p>
+<div class="highlight-python"><div class="highlight"><pre>ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
+</pre></div>
+</div>
+<p>which should result the message <tt class="docutils literal"><span class="pre">adding</span> <span class="pre">new</span> <span class="pre">entry</span>
+<span class="pre">&quot;cn=kerberos,cn=schema,cn=config&quot;</span></tt>.</p>
+</li>
+</ol>
+</div>
+</div>
+<div class="section" id="create-kerberos-database">
+<h2>Create Kerberos database<a class="headerlink" href="#create-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<p>Using LDAP administrator credentials, create Kerberos database and
+master key stash:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
+</pre></div>
+</div>
+<p>Stash the LDAP administrative passwords:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com
+</pre></div>
+</div>
+<p>Start <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">krb5kdc</span>
+</pre></div>
+</div>
+<p>To destroy database run:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f
+</pre></div>
+</div>
+</div>
+<div class="section" id="useful-references">
+<h2>Useful references<a class="headerlink" href="#useful-references" title="Permalink to this headline">¶</a></h2>
+<ul class="simple">
+<li><a class="reference external" href="https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html">Kerberos and LDAP</a></li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">LDAP backend on Ubuntu 10.4 (lucid)</a><ul>
+<li><a class="reference internal" href="#prerequisites">Prerequisites</a></li>
+<li><a class="reference internal" href="#building-kerberos-from-source">Building Kerberos from source</a></li>
+<li><a class="reference internal" href="#setting-up-kerberos">Setting up Kerberos</a><ul>
+<li><a class="reference internal" href="#configuration">Configuration</a></li>
+<li><a class="reference internal" href="#schema">Schema</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#create-kerberos-database">Create Kerberos database</a></li>
+<li><a class="reference internal" href="#useful-references">Useful references</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">LDAP backend on Ubuntu 10.4 (lucid)</a></li>
+<li class="toctree-l3"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="Advanced topics"
+ >previous</a> |
+ <a href="retiring-des.html" title="Retiring DES"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__LDAP backend on Ubuntu 10.4 (lucid)">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html
new file mode 100644
index 000000000000..ec846446c12f
--- /dev/null
+++ b/doc/html/admin/advanced/retiring-des.html
@@ -0,0 +1,550 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Retiring DES &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Advanced topics" href="index.html" />
+ <link rel="next" title="Various links" href="../various_envs.html" />
+ <link rel="prev" title="LDAP backend on Ubuntu 10.4 (lucid)" href="ldapbackend.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)"
+ accesskey="P">previous</a> |
+ <a href="../various_envs.html" title="Various links"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="retiring-des">
+<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Permalink to this headline">¶</a></h1>
+<p>Version 5 of the Kerberos protocol was originally implemented using
+the Data Encryption Standard (DES) as a block cipher for encryption.
+While it was considered secure at the time, advancements in computational
+ability have rendered DES vulnerable to brute force attacks on its 56-bit
+keyspace. As such, it is now considered insecure and should not be
+used (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p>
+<div class="section" id="history">
+<h2>History<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>
+<p>DES was used in the original Kerberos implementation, and was the
+only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was
+added in version 1.1, with full support following in version 1.2.
+The Advanced Encryption Standard (AES), which supersedes DES, gained
+partial support in version 1.3.0 of krb5 and full support in version 1.3.2.
+However, deployments of krb5 using Kerberos databases created with older
+versions of krb5 will not necessarily start using strong crypto for
+ordinary operation without administrator intervention.</p>
+</div>
+<div class="section" id="types-of-keys">
+<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Permalink to this headline">¶</a></h2>
+<ul class="simple">
+<li>The database master key: This key is not exposed to user requests,
+but is used to encrypt other key material stored in the kerberos
+database. The database master key is currently stored as <tt class="docutils literal"><span class="pre">K/M</span></tt>
+by default.</li>
+<li>Password-derived keys: User principals frequently have keys
+derived from a password. When a new password is set, the KDC
+uses various string2key functions to generate keys in the database
+for that principal.</li>
+<li>Keytab keys: Application server principals generally use random
+keys which are not derived from a password. When the database
+entry is created, the KDC generates random keys of various enctypes
+to enter in the database, which are conveyed to the application server
+and stored in a keytab.</li>
+<li>Session keys: These are short-term keys generated by the KDC while
+processing client requests, with an enctype selected by the KDC.</li>
+</ul>
+<p>For details on the various enctypes and how enctypes are selected by the KDC
+for session keys and client/server long-term keys, see <a class="reference internal" href="../enctypes.html#enctypes"><em>Encryption types</em></a>.
+When using the <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> interface to generate new long-term keys,
+the <strong>-e</strong> argument can be used to force a particular set of enctypes,
+overriding the KDC default values.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">When the KDC is selecting a session key, it has no knowledge about the
+kerberos installation on the server which will receive the service ticket,
+only what keys are in the database for the service principal.
+In order to allow uninterrupted operation to
+clients while migrating away from DES, care must be taken to ensure that
+kerberos installations on application server machines are configured to
+support newer encryption types before keys of those new encryption types
+are created in the Kerberos database for those server principals.</p>
+</div>
+</div>
+<div class="section" id="upgrade-procedure">
+<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Permalink to this headline">¶</a></h2>
+<p>This procedure assumes that the KDC software has already been upgraded
+to a modern version of krb5 that supports non-DES keys, so that the
+only remaining task is to update the actual keys used to service requests.
+The realm used for demonstrating this procedure, ZONE.MIT.EDU,
+is an example of the worst-case scenario, where all keys in the realm
+are DES. The realm was initially created with a very old version of krb5,
+and <strong>supported_enctypes</strong> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> was set to a value
+appropriate when the KDC was installed, but was not updated as the KDC
+was upgraded:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ZONE.MIT.EDU = {
+ [...]
+ master_key_type = des-cbc-crc
+ supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+ }
+</pre></div>
+</div>
+<p>This resulted in the keys for all principals in the realm being forced
+to DES-only, unless specifically requested using <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</p>
+<p>Before starting the upgrade, all KDCs were running krb5 1.11,
+and the database entries for some &#8220;high-value&#8221; principals were:</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc krbtgt/ZONE.MIT.EDU&#39;
+[...]
+Number of keys: 1
+Key: vno 1, des-cbc-crc:v4
+[...]
+[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc kadmin/admin&#39;
+[...]
+Number of keys: 1
+Key: vno 15, des-cbc-crc
+[...]
+[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc kadmin/changepw&#39;
+[...]
+Number of keys: 1
+Key: vno 14, des-cbc-crc
+[...]
+</pre></div>
+</div>
+<p>The <tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt> key appears to have never been changed since creation
+(its kvno is 1), and all three database entries have only a des-cbc-crc key.</p>
+<div class="section" id="the-krbtgt-key-and-kdc-keys">
+<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Permalink to this headline">¶</a></h3>
+<p>Perhaps the biggest single-step improvement in the security of the cell
+is gained by strengthening the key of the ticket-granting service principal,
+<tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt>&#8212;if this principal&#8217;s key is compromised, so is the
+entire realm. Since the server that will handle service tickets
+for this principal is the KDC itself, it is easy to guarantee that it
+will be configured to support any encryption types which might be
+selected. However, the default KDC behavior when creating new keys is to
+remove the old keys, which would invalidate all existing tickets issued
+against that principal, rendering the TGTs cached by clients useless.
+Instead, a new key can be created with the old key retained, so that
+existing tickets will still function until their scheduled expiry
+(see <a class="reference internal" href="../database.html#changing-krbtgt-key"><em>Changing the krbtgt key</em></a>).</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
+&gt; aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
+[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \
+&gt; -keepold krbtgt/ZONE.MIT.EDU&quot;
+Authenticating as principal root/admin@ZONE.MIT.EDU with password.
+Key for &quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot; randomized.
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The new <tt class="docutils literal"><span class="pre">krbtgt&#64;REALM</span></tt> key should be propagated to slave KDCs
+immediately so that TGTs issued by the master KDC can be used to
+issue service tickets on slave KDCs. Slave KDCs will refuse requests
+using the new TGT kvno until the new krbtgt entry has been propagated
+to them.</p>
+</div>
+<p>It is necessary to explicitly specify the enctypes for the new database
+entry, since <strong>supported_enctypes</strong> has not been changed. Leaving
+<strong>supported_enctypes</strong> unchanged makes a potential rollback operation
+easier, since all new keys of new enctypes are the result of explicit
+administrator action and can be easily enumerated.
+Upgrading the krbtgt key should have minimal user-visible disruption other
+than that described in the note above, since only clients which list the
+new enctypes as supported will use them, per the procedure
+in <a class="reference internal" href="../enctypes.html#session-key-selection"><em>Session key selection</em></a>.
+Once the krbtgt key is updated, the session and ticket keys for user
+TGTs will be strong keys, but subsequent requests
+for service tickets will still get DES keys until the service principals
+have new keys generated. Application service
+remains uninterrupted due to the key-selection procedure on the KDC.</p>
+<p>After the change, the database entry is now:</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &#39;getprinc krbtgt/ZONE.MIT.EDU&#39;
+[...]
+Number of keys: 5
+Key: vno 2, aes256-cts-hmac-sha1-96
+Key: vno 2, aes128-cts-hmac-sha1-96
+Key: vno 2, des3-cbc-sha1
+Key: vno 2, des-cbc-crc
+Key: vno 1, des-cbc-crc:v4
+[...]
+</pre></div>
+</div>
+<p>Since the expected disruptions from rekeying the krbtgt principal are
+minor, after a short testing period, it is
+appropriate to rekey the other high-value principals, <tt class="docutils literal"><span class="pre">kadmin/admin&#64;REALM</span></tt>
+and <tt class="docutils literal"><span class="pre">kadmin/changepw&#64;REALM</span></tt>. These are the service principals used for
+changing user passwords and updating application keytabs. The kadmin
+and password-changing services are regular kerberized services, so the
+session-key-selection algorithm described in <a class="reference internal" href="../enctypes.html#session-key-selection"><em>Session key selection</em></a>
+applies. It is particularly important to have strong session keys for
+these services, since user passwords and new long-term keys are conveyed
+over the encrypted channel.</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
+&gt; aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal
+[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \
+&gt; kadmin/admin&quot;
+Authenticating as principal root/admin@ZONE.MIT.EDU with password.
+Key for &quot;kadmin/admin@ZONE.MIT.EDU&quot; randomized.
+[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -e ${enctypes} -randkey \
+&gt; kadmin/changepw&quot;
+Authenticating as principal root/admin@ZONE.MIT.EDU with password.
+Key for &quot;kadmin/changepw@ZONE.MIT.EDU&quot; randomized.
+</pre></div>
+</div>
+<p>It is not necessary to retain a single-DES key for these services, since
+password changes are not part of normal daily workflow, and disruption
+from a client failure is likely to be minimal. Furthermore, if a kerberos
+client experiences failure changing a user password or keytab key,
+this indicates that that client will become inoperative once services
+are rekeyed to non-DES enctypes. Such problems can be detected early
+at this stage, giving more time for corrective action.</p>
+</div>
+<div class="section" id="adding-strong-keys-to-application-servers">
+<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Permalink to this headline">¶</a></h3>
+<p>Before switching the default enctypes for new keys over to strong enctypes,
+it may be desired to test upgrading a handful of services with the
+new configuration before flipping the switch for the defaults. This
+still requires using the <strong>-e</strong> argument in <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to get non-default
+enctypes:</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
+&gt; aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal
+[root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \
+&gt; /etc/zephyr/krb5.keytab -q &quot;ktadd -e ${enctypes} \
+&gt; -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU&quot;
+Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
+Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
+Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
+Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
+Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab.
+</pre></div>
+</div>
+<p>Be sure to remove the old keys from the application keytab, per best
+practice.</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold
+Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
+Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab.
+</pre></div>
+</div>
+</div>
+<div class="section" id="adding-strong-keys-by-default">
+<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Permalink to this headline">¶</a></h3>
+<p>Once the high-visibility services have been rekeyed, it is probably
+appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to generate keys with the new
+encryption types by default. This enables server administrators to generate
+new enctypes with the <strong>change</strong> subcommand of <a class="reference internal" href="../admin_commands/k5srvutil.html#k5srvutil-1"><em>k5srvutil</em></a>,
+and causes user password
+changes to add new encryption types for their entries. It will probably
+be necessary to implement administrative controls to cause all user
+principal keys to be updated in a reasonable period of time, whether
+by forcing password changes or a password synchronization service that
+has access to the current password and can add the new keys.</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ZONE.MIT.EDU = {
+ supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The krb5kdc process must be restarted for these changes to take effect.</p>
+</div>
+<p>At this point, all service administrators can update their services and the
+servers behind them to take advantage of strong cryptography.
+If necessary, the server&#8217;s krb5 installation should be configured and/or
+upgraded to a version supporting non-DES keys. See <a class="reference internal" href="../enctypes.html#enctypes"><em>Encryption types</em></a> for
+krb5 version and configuration settings.
+Only when the service is configured to accept non-DES keys should
+the key version number be incremented and new keys generated
+(<tt class="docutils literal"><span class="pre">k5srvutil</span> <span class="pre">change</span> <span class="pre">&amp;&amp;</span> <span class="pre">k5srvutil</span> <span class="pre">delold</span></tt>).</p>
+<div class="highlight-python"><div class="highlight"><pre>root@dr-willy:~# k5srvutil change
+Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
+Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
+Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
+Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
+Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
+root@dr-willy:~# klist -e -k -t /etc/krb5.keytab
+Keytab name: WRFILE:/etc/krb5.keytab
+KVNO Timestamp Principal
+---- ----------------- --------------------------------------------------------
+ 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
+ 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
+ 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
+ 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
+ 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
+root@dr-willy:~# k5srvutil delold
+Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
+Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
+</pre></div>
+</div>
+<p>When a single service principal is shared by multiple backend servers in
+a load-balanced environment, it may be necessary to schedule downtime
+or adjust the population in the load-balanced pool in order to propagate
+the updated keytab to all hosts in the pool with minimal service interruption.</p>
+</div>
+<div class="section" id="removing-des-keys-from-usage">
+<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Permalink to this headline">¶</a></h3>
+<p>This situation remains something of a testing or transitory state,
+as new DES keys are still being generated, and will be used if requested
+by a client. To make more progress removing DES from the realm, the KDC
+should be configured to not generate such keys by default.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">An attacker posing as a client can implement a brute force attack against
+a DES key for any principal, if that key is in the current (highest-kvno)
+key list. This attack is only possible if <strong>allow_weak_crypto = true</strong>
+is enabled on the KDC. Setting the <strong>+requires_preauth</strong> flag on a
+principal forces this attack to be an online attack, much slower than
+the offline attack otherwise available to the attacker. However, setting
+this flag on a service principal is not always advisable; see the entry in
+<a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a> for details.</p>
+</div>
+<p>The following KDC configuration will not generate DES keys by default:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ZONE.MIT.EDU = {
+ supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">As before, the KDC process must be restarted for this change to take
+effect. It is best practice to update kdc.conf on all KDCs, not just the
+master, to avoid unpleasant surprises should the master fail and a slave
+need to be promoted.</p>
+</div>
+<p>It is now appropriate to remove the legacy single-DES key from the
+<tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt> entry:</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &quot;cpw -randkey -keepold \
+&gt; krbtgt/ZONE.MIT.EDU&quot;
+Authenticating as principal host/admin@ATHENA.MIT.EDU with password.
+Key for &quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot; randomized.
+</pre></div>
+</div>
+<p>After the maximum ticket lifetime has passed, the old database entry
+should be removed.</p>
+<div class="highlight-python"><div class="highlight"><pre>[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q &#39;purgekeys krbtgt/ZONE.MIT.EDU&#39;
+Authenticating as principal root/admin@ZONE.MIT.EDU with password.
+Old keys for principal &quot;krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU&quot; purged.
+</pre></div>
+</div>
+<p>After the KDC is restarted with the new <strong>supported_enctypes</strong>,
+all user password changes and application keytab updates will not
+generate DES keys by default.</p>
+<div class="highlight-python"><div class="highlight"><pre>contents-vnder-pressvre:~&gt; kpasswd zonetest@ZONE.MIT.EDU
+Password for zonetest@ZONE.MIT.EDU: [enter old password]
+Enter new password: [enter new password]
+Enter it again: [enter new password]
+Password changed.
+contents-vnder-pressvre:~&gt; kadmin -r ZONE.MIT.EDU -q &#39;getprinc zonetest&#39;
+[...]
+Number of keys: 3
+Key: vno 9, aes256-cts-hmac-sha1-96
+Key: vno 9, aes128-cts-hmac-sha1-96
+Key: vno 9, des3-cbc-sha1
+[...]
+
+[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
+&gt; -t kaduk-zone.keytab -q &#39;ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU&#39;
+Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
+Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
+Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
+Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.
+</pre></div>
+</div>
+<p>Once all principals have been re-keyed, DES support can be disabled on the
+KDC (<strong>allow_weak_crypto = false</strong>), and client machines can remove
+<strong>allow_weak_crypto = true</strong> from their <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> configuration
+files, completing the migration. <strong>allow_weak_crypto</strong> takes precedence over
+all places where DES enctypes could be explicitly configured. DES keys will
+not be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p>
+</div>
+<div class="section" id="support-for-legacy-services">
+<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Permalink to this headline">¶</a></h3>
+<p>If there remain legacy services which do not support non-DES enctypes
+(such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain
+enabled on the KDC. Client machines need not have this setting,
+though&#8212;applications which require DES can use API calls to allow
+weak crypto on a per-request basis, overriding the system krb5.conf.
+However, having <strong>allow_weak_crypto</strong> set on the KDC means that any
+principals which have a DES key in the database could still use those
+keys. To minimize the use of DES in the realm and restrict it to just
+legacy services which require DES, it is necessary to remove all other
+DES keys. The realm has been configured such that at password and
+keytab change, no DES keys will be generated by default. The task
+then reduces to requiring user password changes and having server
+administrators update their service keytabs. Administrative outreach
+will be necessary, and if the desire to eliminate DES is sufficiently
+strong, the KDC administrators may choose to randkey any principals
+which have not been rekeyed after some timeout period, forcing the
+user to contact the helpdesk for access.</p>
+</div>
+</div>
+<div class="section" id="the-database-master-key">
+<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Permalink to this headline">¶</a></h2>
+<p>This procedure does not alter <tt class="docutils literal"><span class="pre">K/M&#64;REALM</span></tt>, the key used to encrypt key
+material in the Kerberos database. (This is the key stored in the stash file
+on the KDC if stash files are used.) However, the security risk of
+a single-DES key for <tt class="docutils literal"><span class="pre">K/M</span></tt> is minimal, given that access to material
+encrypted in <tt class="docutils literal"><span class="pre">K/M</span></tt> (the Kerberos database) is generally tightly controlled.
+If an attacker can gain access to the encrypted database, they likely
+have access to the stash file as well, rendering the weak cryptography
+broken by non-cryptographic means. As such, upgrading <tt class="docutils literal"><span class="pre">K/M</span></tt> to a stronger
+encryption type is unlikely to be a high-priority task.</p>
+<p>Is is possible to upgrade the master key used for the database, if
+desired. Using <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>&#8216;s <strong>add_mkey</strong>, <strong>use_mkey</strong>, and
+<strong>update_princ_encryption</strong> commands, a new master key can be added
+and activated for use on new key material, and the existing entries
+converted to the new master key.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Retiring DES</a><ul>
+<li><a class="reference internal" href="#history">History</a></li>
+<li><a class="reference internal" href="#types-of-keys">Types of keys</a></li>
+<li><a class="reference internal" href="#upgrade-procedure">Upgrade procedure</a><ul>
+<li><a class="reference internal" href="#the-krbtgt-key-and-kdc-keys">The krbtgt key and KDC keys</a></li>
+<li><a class="reference internal" href="#adding-strong-keys-to-application-servers">Adding strong keys to application servers</a></li>
+<li><a class="reference internal" href="#adding-strong-keys-by-default">Adding strong keys by default</a></li>
+<li><a class="reference internal" href="#removing-des-keys-from-usage">Removing DES keys from usage</a></li>
+<li><a class="reference internal" href="#support-for-legacy-services">Support for legacy services</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#the-database-master-key">The Database Master Key</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="ldapbackend.html">LDAP backend on Ubuntu 10.4 (lucid)</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">Retiring DES</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="ldapbackend.html" title="LDAP backend on Ubuntu 10.4 (lucid)"
+ >previous</a> |
+ <a href="../various_envs.html" title="Various links"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html
new file mode 100644
index 000000000000..ef7f37524d9c
--- /dev/null
+++ b/doc/html/admin/appl_servers.html
@@ -0,0 +1,356 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Application servers &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Host configuration" href="host_config.html" />
+ <link rel="prev" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
+ accesskey="P">previous</a> |
+ <a href="host_config.html" title="Host configuration"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="application-servers">
+<h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1>
+<p>If you need to install the Kerberos V5 programs on an application
+server, please refer to the Kerberos V5 Installation Guide. Once you
+have installed the software, you need to add that host to the Kerberos
+database (see <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>), and generate a keytab for
+that host, that contains the host&#8217;s key. You also need to make sure
+the host&#8217;s clock is within your maximum clock skew of the KDCs.</p>
+<div class="section" id="keytabs">
+<h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2>
+<p>A keytab is a host&#8217;s copy of its own keylist, which is analogous to a
+user&#8217;s password. An application server that needs to authenticate
+itself to the KDC has to have a keytab that contains its own principal
+and key. Just as it is important for users to protect their
+passwords, it is equally important for hosts to protect their keytabs.
+You should always store keytab files on local disk, and make them
+readable only by root, and you should never send a keytab file over a
+network in the clear. Ideally, you should run the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>
+command to extract a keytab on the host on which the keytab is to
+reside.</p>
+<div class="section" id="adding-principals-to-keytabs">
+<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3>
+<p>To generate a keytab, or to add a principal to an existing keytab, use
+the <strong>ktadd</strong> command from kadmin.</p>
+</div>
+<div class="section" id="ktadd">
+<h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><div class="line-block">
+<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
+<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
+</div>
+</div></blockquote>
+<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
+keytab file. Each principal&#8217;s keys are randomized in the process.
+The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
+command.</p>
+<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
+With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the new keys of the
+principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+<dt><strong>-norandkey</strong></dt>
+<dd>Do not randomize the keys. The keys and their version numbers stay
+unchanged. This option cannot be specified in combination with the
+<strong>-e</strong> option.</dd>
+</dl>
+<p>An entry for each of the principal&#8217;s unique encryption types is added,
+ignoring multiple keys with the same encryption type but different
+salt types.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
+ encryption type aes256-cts-hmac-sha1-96 added to keytab
+ FILE:/tmp/foo-new-keytab
+kadmin:
+</pre></div>
+</div>
+<div class="section" id="examples">
+<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4>
+<p>Here is a sample session, using configuration files that enable only
+AES encryption:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
+Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
+Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="removing-principals-from-keytabs">
+<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3>
+<p>To remove a principal from an existing keytab, use the kadmin
+<strong>ktremove</strong> command.</p>
+</div>
+<div class="section" id="ktremove">
+<h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
+<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
+no permissions, since this does not require database access.</p>
+<p>If the string &#8220;all&#8221; is specified, all entries for that principal are
+removed; if the string &#8220;old&#8221; is specified, all entries for that
+principal except those with the highest kvno are removed. Otherwise,
+the value specified is parsed as an integer, and all entries whose
+kvno match that integer are removed.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all
+Entry for principal kadmin/admin with kvno 3 removed from keytab
+ FILE:/etc/krb5.keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="clock-skew">
+<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2>
+<p>A Kerberos application server host must keep its clock synchronized or
+it will reject authentication requests from clients. Modern operating
+systems typically provide a facility to maintain the correct time;
+make sure it is enabled. This is especially important on virtual
+machines, where clocks tend to drift more rapidly than normal machine
+clocks.</p>
+<p>The default allowable clock skew is controlled by the <strong>clockskew</strong>
+variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.</p>
+</div>
+<div class="section" id="getting-dns-information-correct">
+<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2>
+<p>Several aspects of Kerberos rely on name service. When a hostname is
+used to name a service, the Kerberos library canonicalizes the
+hostname using forward and reverse name resolution. (The reverse name
+resolution step can be turned off using the <strong>rdns</strong> variable in
+<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>.) The result of this canonicalization must match
+the principal entry in the host&#8217;s keytab, or authentication will fail.</p>
+<p>Each host&#8217;s canonical name must be the fully-qualified host name
+(including the domain), and each host&#8217;s IP address must
+reverse-resolve to the canonical name.</p>
+<p>Configuration of hostnames varies by operating system. On the
+application server itself, canonicalization will typically use the
+<tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file rather than the DNS. Ensure that the line for the
+server&#8217;s hostname is in the following form:</p>
+<div class="highlight-python"><div class="highlight"><pre>IP address fully-qualified hostname aliases
+</pre></div>
+</div>
+<p>Here is a sample <tt class="docutils literal"><span class="pre">/etc/hosts</span></tt> file:</p>
+<div class="highlight-python"><div class="highlight"><pre># this is a comment
+127.0.0.1 localhost localhost.mit.edu
+10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin
+</pre></div>
+</div>
+<p>The output of <tt class="docutils literal"><span class="pre">klist</span> <span class="pre">-k</span></tt> for this example host should look like:</p>
+<div class="highlight-python"><div class="highlight"><pre>viola# klist -k
+Keytab name: /etc/krb5.keytab
+KVNO Principal
+---- ------------------------------------------------------------
+ 2 host/daffodil.mit.edu@ATHENA.MIT.EDU
+</pre></div>
+</div>
+<p>If you were to ssh to this host with a fresh credentials cache (ticket
+file), and then <a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, the output should list a service
+principal of <tt class="docutils literal"><span class="pre">host/daffodil.mit.edu&#64;ATHENA.MIT.EDU</span></tt>.</p>
+</div>
+<div class="section" id="configuring-your-firewall-to-work-with-kerberos-v5">
+<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2>
+<p>If you need off-site users to be able to get Kerberos tickets in your
+realm, they must be able to get to your KDC. This requires either
+that you have a slave KDC outside your firewall, or that you configure
+your firewall to allow UDP requests into at least one of your KDCs, on
+whichever port the KDC is running. (The default is port 88; other
+ports may be specified in the KDC&#8217;s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.)
+Similarly, if you need off-site users to be able to change their
+passwords in your realm, they must be able to get to your Kerberos
+admin server on the kpasswd port (which defaults to 464). If you need
+off-site users to be able to administer your Kerberos realm, they must
+be able to get to your Kerberos admin server on the administrative
+port (which defaults to 749).</p>
+<p>If your on-site users inside your firewall will need to get to KDCs in
+other realms, you will also need to configure your firewall to allow
+outgoing TCP and UDP requests to port 88, and to port 464 to allow
+password changes. If your on-site users inside your firewall will
+need to get to Kerberos admin servers in other realms, you will also
+need to allow outgoing TCP and UDP requests to port 749.</p>
+<p>If any of your KDCs are outside your firewall, you will need to allow
+kprop requests to get through to the remote KDC. <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> uses
+the <tt class="docutils literal"><span class="pre">krb5_prop</span></tt> service on port 754 (tcp).</p>
+<p>The book <em>UNIX System Security</em>, by David Curry, is a good starting
+point for learning to configure firewalls.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Application servers</a><ul>
+<li><a class="reference internal" href="#keytabs">Keytabs</a><ul>
+<li><a class="reference internal" href="#adding-principals-to-keytabs">Adding principals to keytabs</a></li>
+<li><a class="reference internal" href="#ktadd">ktadd</a><ul>
+<li><a class="reference internal" href="#examples">Examples</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#removing-principals-from-keytabs">Removing principals from keytabs</a></li>
+<li><a class="reference internal" href="#ktremove">ktremove</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#clock-skew">Clock Skew</a></li>
+<li><a class="reference internal" href="#getting-dns-information-correct">Getting DNS information correct</a></li>
+<li><a class="reference internal" href="#configuring-your-firewall-to-work-with-kerberos-v5">Configuring your firewall to work with Kerberos V5</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Application servers</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
+ >previous</a> |
+ <a href="host_config.html" title="Host configuration"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Application servers">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html
new file mode 100644
index 000000000000..0d91bfe5f5cd
--- /dev/null
+++ b/doc/html/admin/auth_indicator.html
@@ -0,0 +1,206 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Authentication indicators &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Administration programs" href="admin_commands/index.html" />
+ <link rel="prev" title="HTTPS proxy configuration" href="https.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="https.html" title="HTTPS proxy configuration"
+ accesskey="P">previous</a> |
+ <a href="admin_commands/index.html" title="Administration programs"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="authentication-indicators">
+<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Permalink to this headline">¶</a></h1>
+<p>As of release 1.14, the KDC can be configured to annotate tickets if
+the client authenticated using a stronger preauthentication mechanism
+such as <a class="reference internal" href="pkinit.html#pkinit"><em>PKINIT</em></a> or <a class="reference internal" href="otp.html#otp-preauth"><em>OTP</em></a>. These
+annotations are called &#8220;authentication indicators.&#8221; Service
+principals can be configured to require particular authentication
+indicators in order to authenticate to that service. An
+authentication indicator value can be any string chosen by the KDC
+administrator; there are no pre-set values.</p>
+<p>To use authentication indicators with PKINIT or OTP, first configure
+the KDC to include an indicator when that preauthentication mechanism
+is used. For PKINIT, use the <strong>pkinit_indicator</strong> variable in
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For OTP, use the <strong>indicator</strong> variable in the
+token type definition, or specify the indicators in the <strong>otp</strong> user
+string as described in <a class="reference internal" href="otp.html#otp-preauth"><em>OTP Preauthentication</em></a>.</p>
+<p>To require an indicator to be present in order to authenticate to a
+service principal, set the <strong>require_auth</strong> string attribute on the
+principal to the indicator value to be required. If you wish to allow
+one of several indicators to be accepted, you can specify multiple
+indicator values separated by spaces.</p>
+<p>For example, a realm could be configured to set the authentication
+indicator value &#8220;strong&#8221; when PKINIT is used to authenticate, using a
+setting in the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">pkinit_indicator</span> <span class="o">=</span> <span class="n">strong</span>
+</pre></div>
+</div>
+<p>A service principal could be configured to require the &#8220;strong&#8221;
+authentication indicator value:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kadmin setstr host/high.value.server require_auth strong
+Password for user/admin@KRBTEST.COM:
+</pre></div>
+</div>
+<p>A user who authenticates with PKINIT would be able to obtain a ticket
+for the service principal:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
+$ kvno host/high.value.server
+host/high.value.server@KRBTEST.COM: kvno = 1
+</pre></div>
+</div>
+<p>but a user who authenticates with a password would not:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kinit user
+Password for user@KRBTEST.COM:
+$ kvno host/high.value.server
+kvno: KDC policy rejects request while getting credentials for
+ host/high.value.server@KRBTEST.COM
+</pre></div>
+</div>
+<p>GSSAPI server applications can inspect authentication indicators
+through the <a class="reference internal" href="../appdev/gssapi.html#gssapi-authind-attr"><em>auth-indicators</em></a> name
+attribute.</p>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Authentication indicators</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="https.html" title="HTTPS proxy configuration"
+ >previous</a> |
+ <a href="admin_commands/index.html" title="Administration programs"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Authentication indicators">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html
new file mode 100644
index 000000000000..c62dfd5b6809
--- /dev/null
+++ b/doc/html/admin/backup_host.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Backups of secure hosts &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="PKINIT configuration" href="pkinit.html" />
+ <link rel="prev" title="Host configuration" href="host_config.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="host_config.html" title="Host configuration"
+ accesskey="P">previous</a> |
+ <a href="pkinit.html" title="PKINIT configuration"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="backups-of-secure-hosts">
+<h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Permalink to this headline">¶</a></h1>
+<p>When you back up a secure host, you should exclude the host&#8217;s keytab
+file from the backup. If someone obtained a copy of the keytab from a
+backup, that person could make any host masquerade as the host whose
+keytab was compromised. In many configurations, knowledge of the
+host&#8217;s keytab also allows root access to the host. This could be
+particularly dangerous if the compromised keytab was from one of your
+KDCs. If the machine has a disk crash and the keytab file is lost, it
+is easy to generate another keytab file. (See <a class="reference internal" href="appl_servers.html#add-princ-kt"><em>Adding principals to keytabs</em></a>.)
+If you are unable to exclude particular files from backups, you should
+ensure that the backups are kept as secure as the host&#8217;s root
+password.</p>
+<div class="section" id="backing-up-the-kerberos-database">
+<h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<p>As with any file, it is possible that your Kerberos database could
+become corrupted. If this happens on one of the slave KDCs, you might
+never notice, since the next automatic propagation of the database
+would install a fresh copy. However, if it happens to the master KDC,
+the corrupted database would be propagated to all of the slaves during
+the next propagation. For this reason, MIT recommends that you back
+up your Kerberos database regularly. Because the master KDC is
+continuously dumping the database to a file in order to propagate it
+to the slave KDCs, it is a simple matter to have a cron job
+periodically copy the dump file to a secure machine elsewhere on your
+network. (Of course, it is important to make the host where these
+backups are stored as secure as your KDCs, and to encrypt its
+transmission across your network.) Then if your database becomes
+corrupted, you can load the most recent dump onto the master KDC.
+(See <a class="reference internal" href="database.html#restore-from-dump"><em>Restoring a Kerberos database from a dump file</em></a>.)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Backups of secure hosts</a><ul>
+<li><a class="reference internal" href="#backing-up-the-kerberos-database">Backing up the Kerberos database</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Backups of secure hosts</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="host_config.html" title="Host configuration"
+ >previous</a> |
+ <a href="pkinit.html" title="PKINIT configuration"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
new file mode 100644
index 000000000000..8b6207cb6a03
--- /dev/null
+++ b/doc/html/admin/conf_files/index.html
@@ -0,0 +1,183 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Configuration Files &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="For administrators" href="../index.html" />
+ <link rel="next" title="krb5.conf" href="krb5_conf.html" />
+ <link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../install_appl_srv.html" title="UNIX Application Servers"
+ accesskey="P">previous</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="configuration-files">
+<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>
+<p>Kerberos uses configuration files to allow administrators to specify
+settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> applies to all
+applications using the Kerboros library, on clients and servers.
+For KDC-specific applications, additional settings can be specified in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the two files are merged into a configuration profile
+used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>
+is also only used on the KDC, it controls permissions for modifying the
+KDC database.</p>
+<div class="section" id="contents">
+<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Configuration Files</a><ul>
+<li><a class="reference internal" href="#contents">Contents</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Configuration Files</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../install_appl_srv.html" title="UNIX Application Servers"
+ >previous</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
new file mode 100644
index 000000000000..640fc7bc1c9c
--- /dev/null
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -0,0 +1,333 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadm5.acl &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="Realm configuration decisions" href="../realm_config.html" />
+ <link rel="prev" title="kdc.conf" href="kdc_conf.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ accesskey="P">previous</a> |
+ <a href="../realm_config.html" title="Realm configuration decisions"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadm5-acl">
+<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List
+(ACL) file to manage access rights to the Kerberos database.
+For operations that affect principals, the ACL file also controls
+which principals can operate on which other principals.</p>
+<p>The default location of the Kerberos ACL file is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+</div>
+<div class="section" id="syntax">
+<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
+<p>Empty lines and lines starting with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are
+ignored. Lines containing ACL entries have the format:</p>
+<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Line order in the ACL file is important. The first matching entry
+will control access for an actor principal on a target principal.</p>
+</div>
+<dl class="docutils">
+<dt><em>principal</em></dt>
+<dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies
+the principal whose permissions are to be set.</p>
+<p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+character.</p>
+</dd>
+<dt><em>permissions</em></dt>
+<dd><p class="first">Specifies what operations may or may not be performed by a
+<em>principal</em> matching a particular entry. This is a string of one or
+more of the following list of characters or their upper-case
+counterparts. If the character is <em>upper-case</em>, then the operation
+is disallowed. If the character is <em>lower-case</em>, then the operation
+is permitted.</p>
+<table border="1" class="last docutils">
+<colgroup>
+<col width="2%" />
+<col width="98%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>a</td>
+<td>[Dis]allows the addition of principals or policies</td>
+</tr>
+<tr class="row-even"><td>c</td>
+<td>[Dis]allows the changing of passwords for principals</td>
+</tr>
+<tr class="row-odd"><td>d</td>
+<td>[Dis]allows the deletion of principals or policies</td>
+</tr>
+<tr class="row-even"><td>e</td>
+<td>[Dis]allows the extraction of principal keys</td>
+</tr>
+<tr class="row-odd"><td>i</td>
+<td>[Dis]allows inquiries about principals or policies</td>
+</tr>
+<tr class="row-even"><td>l</td>
+<td>[Dis]allows the listing of all principals or policies</td>
+</tr>
+<tr class="row-odd"><td>m</td>
+<td>[Dis]allows the modification of principals or policies</td>
+</tr>
+<tr class="row-even"><td>p</td>
+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td>
+</tr>
+<tr class="row-odd"><td>s</td>
+<td>[Dis]allows the explicit setting of the key for a principal</td>
+</tr>
+<tr class="row-even"><td>x</td>
+<td>Short for admcilsp. All privileges (except <tt class="docutils literal"><span class="pre">e</span></tt>)</td>
+</tr>
+<tr class="row-odd"><td>*</td>
+<td>Same as x.</td>
+</tr>
+</tbody>
+</table>
+</dd>
+</dl>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The <tt class="docutils literal"><span class="pre">extract</span></tt> privilege is not included in the wildcard
+privilege; it must be explicitly assigned. This privilege
+allows the user to extract keys from the database, and must be
+handled with great care to avoid disclosure of important keys
+like those of the kadmin/* or krbtgt/* principals. The
+<strong>lockdown_keys</strong> principal attribute can be used to prevent
+key extraction from specific principals regardless of the
+granted privilege.</p>
+</div>
+<dl class="docutils">
+<dt><em>target_principal</em></dt>
+<dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.)
+Specifies the principal on which <em>permissions</em> may be applied.
+Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+character.</p>
+<p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>,
+in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the corresponding wildcard in
+<em>principal</em>.</p>
+</dd>
+<dt><em>restrictions</em></dt>
+<dd><p class="first">(Optional) A string of flags. Allowed restrictions are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt>{+|-}<em>flagname</em></dt>
+<dd>flag is forced to the indicated value. The permissible flags
+are the same as those for the <strong>default_principal_flags</strong>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><em>-clearpolicy</em></dt>
+<dd>policy is forced to be empty.</dd>
+<dt><em>-policy pol</em></dt>
+<dd>policy is forced to be <em>pol</em>.</dd>
+<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to
+MIN(<em>time</em>, requested value).</dd>
+</dl>
+</div></blockquote>
+<p class="last">The above flags act as restrictions on any add or modify operation
+which is allowed due to that ACL line.</p>
+</dd>
+</dl>
+<div class="admonition warning">
+<p class="first admonition-title">Warning</p>
+<p class="last">If the kadmind ACL file is modified, the kadmind daemon needs to be
+restarted for changes to take effect.</p>
+</div>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<p>Here is an example of a kadm5.acl file:</p>
+<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1
+joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
+joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
+*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
+*/root@ATHENA.MIT.EDU l * # line 5
+sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
+</pre></div>
+</div>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
+an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
+1). He has no permissions at all with his null instance,
+<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other
+non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
+inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
+(matches line 3).</p>
+<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
+or change the password of their null instance, but not any other
+null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
+component matching the first wildcard in the actor principal.)</p>
+<p>(line 5) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can generate
+the list of principals in the database, and the list of policies
+in the database. This line is separate from line 4, because list
+permission can only be granted globally, not to specific target
+principals.</p>
+<p>(line 6) Finally, the Service Management System principal
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
+creates or modifies will not be able to get postdateable tickets or
+tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadm5.acl</a><ul>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ >previous</a> |
+ <a href="../realm_config.html" title="Realm configuration decisions"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
new file mode 100644
index 000000000000..b81a78f740f7
--- /dev/null
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -0,0 +1,1069 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdc.conf &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="kadm5.acl" href="kadm5_acl.html" />
+ <link rel="prev" title="krb5.conf" href="krb5_conf.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ accesskey="P">previous</a> |
+ <a href="kadm5_acl.html" title="kadm5.acl"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdc-conf">
+<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1>
+<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> for programs which
+are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> program.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.</p>
+<p>Normally, the kdc.conf file is found in the KDC state directory,
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>. You can override the default location by setting the
+environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
+<p>Please note that you need to restart the KDC daemon for any configuration
+changes to take effect.</p>
+<div class="section" id="structure">
+<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<p>The kdc.conf file is set up in the same format as the
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file.</p>
+</div>
+<div class="section" id="sections">
+<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<p>The kdc.conf file may contain the following sections:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="29%" />
+<col width="71%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><em>[kdcdefaults]</em></a></td>
+<td>Default values for KDC behavior</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><em>[realms]</em></a></td>
+<td>Realm-specific database configuration and settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><em>[dbdefaults]</em></a></td>
+<td>Default database settings</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a></td>
+<td>Per-database settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#logging"><em>[logging]</em></a></td>
+<td>Controls how Kerberos daemons perform logging</td>
+</tr>
+</tbody>
+</table>
+<div class="section" id="kdcdefaults">
+<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>
+<p>With two exceptions, relations in the [kdcdefaults] section specify
+default values for realm variables, to be used if the [realms]
+subsection does not contain a relation for the tag. See the
+<a class="reference internal" href="#kdc-realms"><em>[realms]</em></a> section for the definitions of these relations.</p>
+<ul class="simple">
+<li><strong>host_based_services</strong></li>
+<li><strong>kdc_listen</strong></li>
+<li><strong>kdc_ports</strong></li>
+<li><strong>kdc_tcp_listen</strong></li>
+<li><strong>kdc_tcp_ports</strong></li>
+<li><strong>no_host_referral</strong></li>
+<li><strong>restrict_anonymous_to_tgt</strong></li>
+</ul>
+<dl class="docutils">
+<dt><strong>kdc_max_dgram_reply_size</strong></dt>
+<dd>Specifies the maximum packet size that can be sent over UDP. The
+default value is 4096 bytes.</dd>
+<dt><strong>kdc_tcp_listen_backlog</strong></dt>
+<dd>(Integer.) Set the size of the listen queue length for the KDC
+daemon. The value may be limited by OS settings. The default
+value is 5.</dd>
+</dl>
+</div>
+<div class="section" id="realms">
+<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [realms] section is the name of a Kerberos realm. The
+value of the tag is a subsection where the relations define KDC
+parameters for that particular realm. The following example shows how
+to define one parameter for the ATHENA.MIT.EDU realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ATHENA.MIT.EDU = {
+ max_renewable_life = 7d 0h 0m 0s
+ }
+</pre></div>
+</div>
+<p>The following tags may be specified in a [realms] subsection:</p>
+<dl class="docutils">
+<dt><strong>acl_file</strong></dt>
+<dd>(String.) Location of the access control list file that
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
+which permissions on the Kerberos database. The default value is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more information on Kerberos ACL
+file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+<dt><strong>database_module</strong></dt>
+<dd>(String.) This relation indicates the name of the configuration
+section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
+used by the loadable database library. The default value is the
+realm name. If this configuration section does not exist, default
+values will be used for all database parameters.</dd>
+<dt><strong>database_name</strong></dt>
+<dd>(String, deprecated.) This relation specifies the location of the
+Kerberos database for this realm, if the DB2 module is being used
+and the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> configuration section does not specify a
+database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+<dt><strong>default_principal_expiration</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><em>Absolute time</em></a> string.) Specifies the default expiration date of
+principals created in this realm. The default value is 0, which
+means no expiration date.</dd>
+<dt><strong>default_principal_flags</strong></dt>
+<dd><p class="first">(Flag string.) Specifies the default attributes of principals
+created in this realm. The format for this string is a
+comma-separated list of flags, with &#8216;+&#8217; before each flag that
+should be enabled and &#8216;-&#8216; before each flag that should be
+disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>,
+<strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and
+<strong>service</strong> flags default to enabled.</p>
+<p>There are a number of possible flags:</p>
+<dl class="last docutils">
+<dt><strong>allow-tickets</strong></dt>
+<dd>Enabling this flag means that the KDC will issue tickets for
+this principal. Disabling this flag essentially deactivates
+the principal within this realm.</dd>
+<dt><strong>dup-skey</strong></dt>
+<dd>Enabling this flag allows the principal to obtain a session
+key for another user, permitting user-to-user authentication
+for this principal.</dd>
+<dt><strong>forwardable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain forwardable
+tickets.</dd>
+<dt><strong>hwauth</strong></dt>
+<dd>If this flag is enabled, then the principal is required to
+preauthenticate using a hardware device before receiving any
+tickets.</dd>
+<dt><strong>no-auth-data-required</strong></dt>
+<dd>Enabling this flag prevents PAC or AD-SIGNEDPATH data from
+being added to service tickets for the principal.</dd>
+<dt><strong>ok-as-delegate</strong></dt>
+<dd>If this flag is enabled, it hints the client that credentials
+can and should be delegated when authenticating to the
+service.</dd>
+<dt><strong>ok-to-auth-as-delegate</strong></dt>
+<dd>Enabling this flag allows the principal to use S4USelf tickets.</dd>
+<dt><strong>postdateable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain postdateable
+tickets.</dd>
+<dt><strong>preauth</strong></dt>
+<dd>If this flag is enabled on a client principal, then that
+principal is required to preauthenticate to the KDC before
+receiving any tickets. On a service principal, enabling this
+flag means that service tickets for this principal will only
+be issued to clients with a TGT that has the preauthenticated
+bit set.</dd>
+<dt><strong>proxiable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain proxy
+tickets.</dd>
+<dt><strong>pwchange</strong></dt>
+<dd>Enabling this flag forces a password change for this
+principal.</dd>
+<dt><strong>pwservice</strong></dt>
+<dd>If this flag is enabled, it marks this principal as a password
+change service. This should only be used in special cases,
+for example, if a user&#8217;s password has expired, then the user
+has to get tickets for that principal without going through
+the normal password authentication in order to be able to
+change the password.</dd>
+<dt><strong>renewable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain renewable
+tickets.</dd>
+<dt><strong>service</strong></dt>
+<dd>Enabling this flag allows the the KDC to issue service tickets
+for this principal.</dd>
+<dt><strong>tgt-based</strong></dt>
+<dd>Enabling this flag allows a principal to obtain tickets based
+on a ticket-granting-ticket, rather than repeating the
+authentication process that was used to obtain the TGT.</dd>
+</dl>
+</dd>
+<dt><strong>dict_file</strong></dt>
+<dd>(String.) Location of the dictionary file containing strings that
+are not allowed as passwords. The file should contain one string
+per line, with no additional whitespace. If none is specified or
+if there is no policy assigned to the principal, no dictionary
+checks of passwords will be performed.</dd>
+<dt><strong>host_based_services</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Lists services which will
+get host-based referral processing even if the server principal is
+not marked as host-based by the client.</dd>
+<dt><strong>iprop_enable</strong></dt>
+<dd>(Boolean value.) Specifies whether incremental database
+propagation is enabled. The default value is false.</dd>
+<dt><strong>iprop_master_ulogsize</strong></dt>
+<dd>(Integer.) Specifies the maximum number of log entries to be
+retained for incremental propagation. The default value is 1000.
+Prior to release 1.11, the maximum value was 2500.</dd>
+<dt><strong>iprop_slave_poll</strong></dt>
+<dd>(Delta time string.) Specifies how often the slave KDC polls for
+new updates from the master. The default value is <tt class="docutils literal"><span class="pre">2m</span></tt> (that
+is, two minutes).</dd>
+<dt><strong>iprop_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default (when <strong>iprop_enable</strong> is true) is to bind to the wildcard
+address at the port specified in <strong>iprop_port</strong>. New in release
+1.15.</dd>
+<dt><strong>iprop_port</strong></dt>
+<dd>(Port number.) Specifies the port number to be used for
+incremental propagation. When <strong>iprop_enable</strong> is true, this
+relation is required in the slave configuration file, and this
+relation or <strong>iprop_listen</strong> is required in the master
+configuration file, as there is no default port number. Port
+numbers specified in <strong>iprop_listen</strong> entries will override this
+port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.</dd>
+<dt><strong>iprop_resync_timeout</strong></dt>
+<dd>(Delta time string.) Specifies the amount of time to wait for a
+full propagation to complete. This is optional in configuration
+files, and is used by slave KDCs only. The default value is 5
+minutes (<tt class="docutils literal"><span class="pre">5m</span></tt>). New in release 1.11.</dd>
+<dt><strong>iprop_logfile</strong></dt>
+<dd>(File name.) Specifies where the update log file for the realm
+database is to be stored. The default is to use the
+<strong>database_name</strong> entry from the realms section of the krb5 config
+file, with <tt class="docutils literal"><span class="pre">.ulog</span></tt> appended. (NOTE: If <strong>database_name</strong> isn&#8217;t
+specified in the realms section, perhaps because the LDAP database
+back end is being used, or the file name is specified in the
+[dbmodules] section, then the hard-coded default for
+<strong>database_name</strong> is used. Determination of the <strong>iprop_logfile</strong>
+default value will not use values from the [dbmodules] section.)</dd>
+<dt><strong>kadmind_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address at the port specified
+in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in
+release 1.15.</dd>
+<dt><strong>kadmind_port</strong></dt>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+daemon is to listen for this realm. Port numbers specified in
+<strong>kadmind_listen</strong> entries will override this port number. The
+assigned port for kadmind is 749, which is used by default.</dd>
+<dt><strong>key_stash_file</strong></dt>
+<dd>(String.) Specifies the location where the master key has been
+stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/.k5.REALM</span></tt>, where <em>REALM</em> is the Kerberos realm.</dd>
+<dt><strong>kdc_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the UDP
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. If the KDC daemon fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address on the standard port.
+New in release 1.15.</dd>
+<dt><strong>kdc_ports</strong></dt>
+<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong>
+if that relation is not defined.</dd>
+<dt><strong>kdc_tcp_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the TCP
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. To disable listening on TCP, set
+this relation to the empty string with <tt class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.
+If the KDC daemon fails to bind to any of the specified addresses,
+it will fail to start. The default is to bind to the wildcard
+address on the standard port. New in release 1.15.</dd>
+<dt><strong>kdc_tcp_ports</strong></dt>
+<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as
+<strong>kdc_tcp_listen</strong> if that relation is not defined.</dd>
+<dt><strong>kpasswd_listen</strong></dt>
+<dd>(Comma-separated list.) Specifies the kpasswd listening addresses
+and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. Each entry may be
+an interface address, a port number, or an address and port number
+separated by a colon. If the address contains colons, enclose it
+in square brackets. If no address is specified, the wildcard
+address is used. If kadmind fails to bind to any of the specified
+addresses, it will fail to start. The default is to bind to the
+wildcard address at the port specified in <strong>kpasswd_port</strong>, or the
+standard kpasswd port (464). New in release 1.15.</dd>
+<dt><strong>kpasswd_port</strong></dt>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+daemon is to listen for password change requests for this realm.
+Port numbers specified in <strong>kpasswd_listen</strong> entries will override
+this port number. The assigned port for password change requests
+is 464, which is used by default.</dd>
+<dt><strong>master_key_name</strong></dt>
+<dd>(String.) Specifies the name of the principal associated with the
+master key. The default is <tt class="docutils literal"><span class="pre">K/M</span></tt>.</dd>
+<dt><strong>master_key_type</strong></dt>
+<dd>(Key type string.) Specifies the master key&#8217;s key type. The
+default value for this is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></tt>. For a list of all possible
+values, see <a class="reference internal" href="#encryption-types"><em>Encryption types</em></a>.</dd>
+<dt><strong>max_life</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period for
+which a ticket may be valid in this realm. The default value is
+24 hours.</dd>
+<dt><strong>max_renewable_life</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period
+during which a valid ticket may be renewed in this realm.
+The default value is 0.</dd>
+<dt><strong>no_host_referral</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Lists services to block
+from getting host-based referral processing, even if the client
+marks the server principal as host-based or the service is also
+listed in <strong>host_based_services</strong>. <tt class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></tt> will
+disable referral processing altogether.</dd>
+<dt><strong>des_crc_session_supported</strong></dt>
+<dd>(Boolean value). If set to true, the KDC will assume that service
+principals support des-cbc-crc for session key enctype negotiation
+purposes. If <strong>allow_weak_crypto</strong> in <a class="reference internal" href="krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> is
+false, or if des-cbc-crc is not a permitted enctype, then this
+variable has no effect. Defaults to true. New in release 1.11.</dd>
+<dt><strong>reject_bad_transit</strong></dt>
+<dd><p class="first">(Boolean value.) If set to true, the KDC will check the list of
+transited realms for cross-realm tickets against the transit path
+computed from the realm names and the capaths section of its
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file; if the path in the ticket to be issued
+contains any realms not in the computed path, the ticket will not
+be issued, and an error will be returned to the client instead.
+If this value is set to false, such tickets will be issued
+anyways, and it will be left up to the application server to
+validate the realm transit path.</p>
+<p>If the disable-transited-check flag is set in the incoming
+request, this check is not performed at all. Having the
+<strong>reject_bad_transit</strong> option will cause such ticket requests to
+be rejected always.</p>
+<p>This transit path checking and config file option currently apply
+only to TGS requests.</p>
+<p class="last">The default value is true.</p>
+</dd>
+<dt><strong>restrict_anonymous_to_tgt</strong></dt>
+<dd>(Boolean value.) If set to true, the KDC will reject ticket
+requests from anonymous principals to service principals other
+than the realm&#8217;s ticket-granting service. This option allows
+anonymous PKINIT to be enabled for use as FAST armor tickets
+without allowing anonymous authentication to services. The
+default value is false. New in release 1.9.</dd>
+<dt><strong>supported_enctypes</strong></dt>
+<dd>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt
+combinations of principals for this realm. Any principals created
+through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> will have keys of these types. The
+default value for this tag is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span> <span class="pre">des3-cbc-sha1:normal</span> <span class="pre">arcfour-hmac-md5:normal</span></tt>. For lists of
+possible values, see <a class="reference internal" href="#keysalt-lists"><em>Keysalt lists</em></a>.</dd>
+</dl>
+</div>
+<div class="section" id="dbdefaults">
+<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>
+<p>The [dbdefaults] section specifies default values for some database
+parameters, to be used if the [dbmodules] subsection does not contain
+a relation for the tag. See the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> section for the
+definitions of these relations.</p>
+<ul class="simple">
+<li><strong>ldap_kerberos_container_dn</strong></li>
+<li><strong>ldap_kdc_dn</strong></li>
+<li><strong>ldap_kdc_sasl_authcid</strong></li>
+<li><strong>ldap_kdc_sasl_authzid</strong></li>
+<li><strong>ldap_kdc_sasl_mech</strong></li>
+<li><strong>ldap_kdc_sasl_realm</strong></li>
+<li><strong>ldap_kadmind_dn</strong></li>
+<li><strong>ldap_kadmind_sasl_authcid</strong></li>
+<li><strong>ldap_kadmind_sasl_authzid</strong></li>
+<li><strong>ldap_kadmind_sasl_mech</strong></li>
+<li><strong>ldap_kadmind_sasl_realm</strong></li>
+<li><strong>ldap_service_password_file</strong></li>
+<li><strong>ldap_servers</strong></li>
+<li><strong>ldap_conns_per_server</strong></li>
+</ul>
+</div>
+<div class="section" id="dbmodules">
+<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>
+<p>The [dbmodules] section contains parameters used by the KDC database
+library and database modules. Each tag in the [dbmodules] section is
+the name of a Kerberos realm or a section name specified by a realm&#8217;s
+<strong>database_module</strong> parameter. The following example shows how to
+define one database parameter for the ATHENA.MIT.EDU realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>[dbmodules]
+ ATHENA.MIT.EDU = {
+ disable_last_success = true
+ }
+</pre></div>
+</div>
+<p>The following tags may be specified in a [dbmodules] subsection:</p>
+<dl class="docutils">
+<dt><strong>database_name</strong></dt>
+<dd>This DB2-specific tag indicates the location of the database in
+the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+<dt><strong>db_library</strong></dt>
+<dd>This tag indicates the name of the loadable database module. The
+value should be <tt class="docutils literal"><span class="pre">db2</span></tt> for the DB2 module and <tt class="docutils literal"><span class="pre">kldap</span></tt> for the
+LDAP module.</dd>
+<dt><strong>disable_last_success</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last successful
+authentication&#8221; field of principal entries requiring
+preauthentication. Setting this flag may improve performance.
+(Principal entries which do not require preauthentication never
+update the &#8220;Last successful authentication&#8221; field.). First
+introduced in release 1.9.</dd>
+<dt><strong>disable_lockout</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last failed
+authentication&#8221; and &#8220;Failed password attempts&#8221; fields of principal
+entries requiring preauthentication. Setting this flag may
+improve performance, but also disables account lockout. First
+introduced in release 1.9.</dd>
+<dt><strong>ldap_conns_per_server</strong></dt>
+<dd>This LDAP-specific tag indicates the number of connections to be
+maintained per LDAP server.</dd>
+<dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt>
+<dd>These LDAP-specific tags indicate the default DN for binding to
+the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon uses
+<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon and other
+administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN
+must have the rights to read and write the Kerberos data in the
+LDAP database. The KDC DN must have the same rights, unless
+<strong>disable_lockout</strong> and <strong>disable_last_success</strong> are true, in
+which case it only needs to have rights to read the Kerberos data.
+These tags are ignored if a SASL mechanism is set with
+<strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</dd>
+<dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt>
+<dd>These LDAP-specific tags specify the SASL mechanism (such as
+<tt class="docutils literal"><span class="pre">EXTERNAL</span></tt>) to use when binding to the LDAP server. New in
+release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt>
+<dd>These LDAP-specific tags specify the SASL authentication identity
+to use when binding to the LDAP server. Not all SASL mechanisms
+require an authentication identity. If the SASL mechanism
+requires a secret (such as the password for <tt class="docutils literal"><span class="pre">DIGEST-MD5</span></tt>), these
+tags also determine the name within the
+<strong>ldap_service_password_file</strong> where the secret is stashed. New
+in release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_authzid</strong> and <strong>ldap_kadmind_sasl_authzid</strong></dt>
+<dd>These LDAP-specific tags specify the SASL authorization identity
+to use when binding to the LDAP server. In most circumstances
+they do not need to be specified. New in release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_realm</strong> and <strong>ldap_kadmind_sasl_realm</strong></dt>
+<dd>These LDAP-specific tags specify the SASL realm to use when
+binding to the LDAP server. In most circumstances they do not
+need to be set. New in release 1.13.</dd>
+<dt><strong>ldap_kerberos_container_dn</strong></dt>
+<dd>This LDAP-specific tag indicates the DN of the container object
+where the realm objects will be located.</dd>
+<dt><strong>ldap_servers</strong></dt>
+<dd>This LDAP-specific tag indicates the list of LDAP servers that the
+Kerberos servers can connect to. The list of LDAP servers is
+whitespace-separated. The LDAP server is specified by a LDAP URI.
+It is recommended to use <tt class="docutils literal"><span class="pre">ldapi:</span></tt> or <tt class="docutils literal"><span class="pre">ldaps:</span></tt> URLs to connect
+to the LDAP server.</dd>
+<dt><strong>ldap_service_password_file</strong></dt>
+<dd>This LDAP-specific tag indicates the file containing the stashed
+passwords (created by <tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>) for the
+<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the
+<strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names
+for SASL authentication. This file must be kept secure.</dd>
+<dt><strong>unlockiter</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, this DB2-specific tag causes iteration
+operations to release the database lock while processing each
+principal. Setting this flag to <tt class="docutils literal"><span class="pre">true</span></tt> can prevent extended
+blocking of KDC or kadmin operations when dumps of large databases
+are in progress. First introduced in release 1.13.</dd>
+</dl>
+<p>The following tag may be specified directly in the [dbmodules]
+section to control where database modules are loaded from:</p>
+<dl class="docutils">
+<dt><strong>db_module_dir</strong></dt>
+<dd>This tag controls where the plugin system looks for database
+modules. The value should be an absolute path.</dd>
+</dl>
+</div>
+<div class="section" id="logging">
+<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>
+<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> perform logging. It may contain the following
+relations:</p>
+<dl class="docutils">
+<dt><strong>admin_server</strong></dt>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> performs logging.</dd>
+<dt><strong>kdc</strong></dt>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> performs logging.</dd>
+<dt><strong>default</strong></dt>
+<dd>Specifies how either daemon performs logging in the absence of
+relations specific to the daemon.</dd>
+<dt><strong>debug</strong></dt>
+<dd>(Boolean value.) Specifies whether debugging messages are
+included in log outputs other than SYSLOG. Debugging messages are
+always included in the system log output because syslog performs
+its own priority filtering. The default value is false. New in
+release 1.15.</dd>
+</dl>
+<p>Logging specifications may have the following forms:</p>
+<dl class="docutils">
+<dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to the
+<em>filename</em>. If the <tt class="docutils literal"><span class="pre">=</span></tt> form is used, the file is overwritten.
+If the <tt class="docutils literal"><span class="pre">:</span></tt> form is used, the file is appended to.</dd>
+<dt><strong>STDERR</strong></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to its
+standard error stream.</dd>
+<dt><strong>CONSOLE</strong></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to the
+console, if the system supports it.</dd>
+<dt><strong>DEVICE=</strong><em>&lt;devicename&gt;</em></dt>
+<dd>This causes the daemon&#8217;s logging messages to go to the specified
+device.</dd>
+<dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt>
+<dd><p class="first">This causes the daemon&#8217;s logging messages to go to the system log.</p>
+<p>The severity argument specifies the default severity of system log
+messages. This may be any of the following severities supported
+by the syslog(3) call, minus the <tt class="docutils literal"><span class="pre">LOG_</span></tt> prefix: <strong>EMERG</strong>,
+<strong>ALERT</strong>, <strong>CRIT</strong>, <strong>ERR</strong>, <strong>WARNING</strong>, <strong>NOTICE</strong>, <strong>INFO</strong>,
+and <strong>DEBUG</strong>.</p>
+<p>The facility argument specifies the facility under which the
+messages are logged. This may be any of the following facilities
+supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>,
+<strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>,
+<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>.</p>
+<p class="last">If no severity is specified, the default is <strong>ERR</strong>. If no
+facility is specified, the default is <strong>AUTH</strong>.</p>
+</dd>
+</dl>
+<p>In the following example, the logging messages from the KDC will go to
+the console and to the system log under the facility LOG_DAEMON with
+default severity of LOG_INFO; and the logging messages from the
+administrative server will be appended to the file
+<tt class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></tt> and sent to the device <tt class="docutils literal"><span class="pre">/dev/tty04</span></tt>.</p>
+<div class="highlight-python"><div class="highlight"><pre>[logging]
+ kdc = CONSOLE
+ kdc = SYSLOG:INFO:DAEMON
+ admin_server = FILE:/var/adm/kadmin.log
+ admin_server = DEVICE=/dev/tty04
+</pre></div>
+</div>
+</div>
+<div class="section" id="otp">
+<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3>
+<p>Each subsection of [otp] is the name of an OTP token type. The tags
+within the subsection define the configuration required to forward a
+One Time Password request to a RADIUS server.</p>
+<p>For each token type, the following tags may be specified:</p>
+<dl class="docutils">
+<dt><strong>server</strong></dt>
+<dd>This is the server to send the RADIUS request to. It can be a
+hostname with optional port, an ip address with optional port, or
+a Unix domain socket address. The default is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/&lt;name&gt;.socket</span></tt>.</dd>
+<dt><strong>secret</strong></dt>
+<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>)
+containing the secret used to encrypt the RADIUS packets. The
+secret should appear in the first line of the file by itself;
+leading and trailing whitespace on the line will be removed. If
+the value of <strong>server</strong> is a Unix domain socket address, this tag
+is optional, and an empty secret will be used if it is not
+specified. Otherwise, this tag is required.</dd>
+<dt><strong>timeout</strong></dt>
+<dd>An integer which specifies the time in seconds during which the
+KDC should attempt to contact the RADIUS server. This tag is the
+total time across all retries and should be less than the time
+which an OTP value remains valid for. The default is 5 seconds.</dd>
+<dt><strong>retries</strong></dt>
+<dd>This tag specifies the number of retries to make to the RADIUS
+server. The default is 3 retries (4 tries).</dd>
+<dt><strong>strip_realm</strong></dt>
+<dd>If this tag is <tt class="docutils literal"><span class="pre">true</span></tt>, the principal without the realm will be
+passed to the RADIUS server. Otherwise, the realm will be
+included. The default value is <tt class="docutils literal"><span class="pre">true</span></tt>.</dd>
+<dt><strong>indicator</strong></dt>
+<dd>This tag specifies an authentication indicator to be included in
+the ticket if this token type is used to authenticate. This
+option may be specified multiple times. (New in release 1.14.)</dd>
+</dl>
+<p>In the following example, requests are sent to a remote server via UDP:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ MyRemoteTokenType = {
+ server = radius.mydomain.com:1812
+ secret = SEmfiajf42$
+ timeout = 15
+ retries = 5
+ strip_realm = true
+ }
+</pre></div>
+</div>
+<p>An implicit default token type named <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> is defined for when
+the per-principal configuration does not specify a token type. Its
+configuration is shown below. You may override this token type to
+something applicable for your situation:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ DEFAULT = {
+ strip_realm = false
+ }
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="pkinit-options">
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The following are pkinit-specific options. These values may
+be specified in [kdcdefaults] as global defaults, or within
+a realm-specific subsection of [realms]. Also note that a
+realm-specific value over-rides, does not add to, a generic
+[kdcdefaults] specification. The search order is:</p>
+</div>
+<ol class="arabic">
+<li><p class="first">realm-specific subsection of [realms]:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE:/usr/local/example.com.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">generic value in the [kdcdefaults] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+</pre></div>
+</div>
+</li>
+</ol>
+<p>For information about the syntax of some of these options, see
+<a class="reference internal" href="krb5_conf.html#pkinit-identity"><em>Specifying PKINIT identity information</em></a> in
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+<dl class="docutils">
+<dt><strong>pkinit_anchors</strong></dt>
+<dd>Specifies the location of trusted anchor (root) certificates which
+the KDC trusts to sign client certificates. This option is
+required if pkinit is to be supported by the KDC. This option may
+be specified multiple times.</dd>
+<dt><strong>pkinit_dh_min_bits</strong></dt>
+<dd>Specifies the minimum number of bits the KDC is willing to accept
+for a client&#8217;s Diffie-Hellman key. The default is 2048.</dd>
+<dt><strong>pkinit_allow_upn</strong></dt>
+<dd><p class="first">Specifies that the KDC is willing to accept client certificates
+with the Microsoft UserPrincipalName (UPN) Subject Alternative
+Name (SAN). This means the KDC accepts the binding of the UPN in
+the certificate to the Kerberos principal name. The default value
+is false.</p>
+<p class="last">Without this option, the KDC will only accept certificates with
+the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
+no option to disable SAN checking in the KDC.</p>
+</dd>
+<dt><strong>pkinit_eku_checking</strong></dt>
+<dd><p class="first">This option specifies what Extended Key Usage (EKU) values the KDC
+is willing to accept in client certificates. The values
+recognized in the kdc.conf file are:</p>
+<dl class="last docutils">
+<dt><strong>kpClientAuth</strong></dt>
+<dd>This is the default value and specifies that client
+certificates must have the id-pkinit-KPClientAuth EKU as
+defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+<dt><strong>scLogin</strong></dt>
+<dd>If scLogin is specified, client certificates with the
+Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
+accepted.</dd>
+<dt><strong>none</strong></dt>
+<dd>If none is specified, then client certificates will not be
+checked to verify they have an acceptable EKU. The use of
+this option is not recommended.</dd>
+</dl>
+</dd>
+<dt><strong>pkinit_identity</strong></dt>
+<dd>Specifies the location of the KDC&#8217;s X.509 identity information.
+This option is required if pkinit is to be supported by the KDC.</dd>
+<dt><strong>pkinit_indicator</strong></dt>
+<dd>Specifies an authentication indicator to include in the ticket if
+pkinit is used to authenticate. This option may be specified
+multiple times. (New in release 1.14.)</dd>
+<dt><strong>pkinit_kdc_ocsp</strong></dt>
+<dd>Specifies the location of the KDC&#8217;s OCSP.</dd>
+<dt><strong>pkinit_pool</strong></dt>
+<dd>Specifies the location of intermediate certificates which may be
+used by the KDC to complete the trust chain between a client&#8217;s
+certificate and a trusted anchor. This option may be specified
+multiple times.</dd>
+<dt><strong>pkinit_revoke</strong></dt>
+<dd>Specifies the location of Certificate Revocation List (CRL)
+information to be used by the KDC when verifying the validity of
+client certificates. This option may be specified multiple times.</dd>
+<dt><strong>pkinit_require_crl_checking</strong></dt>
+<dd><p class="first">The default certificate verification process will always check the
+available revocation information to see if a certificate has been
+revoked. If a match is found for the certificate in a CRL,
+verification fails. If the certificate being verified is not
+listed in a CRL, or there is no CRL present for its issuing CA,
+and <strong>pkinit_require_crl_checking</strong> is false, then verification
+succeeds.</p>
+<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
+no CRL information available for the issuing CA, then verification
+fails.</p>
+<p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the
+policy is such that up-to-date CRLs must be present for every CA.</p>
+</dd>
+</dl>
+</div>
+<div class="section" id="encryption-types">
+<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>
+<p>Any tag in the configuration files which requires a list of encryption
+types can be set to some combination of the following strings.
+Encryption types marked as &#8220;weak&#8221; are available for compatibility but
+not recommended for use.</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="44%" />
+<col width="56%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>des-cbc-crc</td>
+<td>DES cbc mode with CRC-32 (weak)</td>
+</tr>
+<tr class="row-even"><td>des-cbc-md4</td>
+<td>DES cbc mode with RSA-MD4 (weak)</td>
+</tr>
+<tr class="row-odd"><td>des-cbc-md5</td>
+<td>DES cbc mode with RSA-MD5 (weak)</td>
+</tr>
+<tr class="row-even"><td>des-cbc-raw</td>
+<td>DES cbc mode raw (weak)</td>
+</tr>
+<tr class="row-odd"><td>des3-cbc-raw</td>
+<td>Triple DES cbc mode raw (weak)</td>
+</tr>
+<tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td>
+<td>Triple DES cbc mode with HMAC/sha1</td>
+</tr>
+<tr class="row-odd"><td>des-hmac-sha1</td>
+<td>DES with HMAC/sha1 (weak)</td>
+</tr>
+<tr class="row-even"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>
+<td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td>
+</tr>
+<tr class="row-odd"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>
+<td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td>
+</tr>
+<tr class="row-even"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>
+<td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td>
+</tr>
+<tr class="row-odd"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>
+<td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td>
+</tr>
+<tr class="row-even"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>
+<td>RC4 with HMAC/MD5</td>
+</tr>
+<tr class="row-odd"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>
+<td>Exportable RC4 with HMAC/MD5 (weak)</td>
+</tr>
+<tr class="row-even"><td>camellia256-cts-cmac camellia256-cts</td>
+<td>Camellia-256 CTS mode with CMAC</td>
+</tr>
+<tr class="row-odd"><td>camellia128-cts-cmac camellia128-cts</td>
+<td>Camellia-128 CTS mode with CMAC</td>
+</tr>
+<tr class="row-even"><td>des</td>
+<td>The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)</td>
+</tr>
+<tr class="row-odd"><td>des3</td>
+<td>The triple DES family: des3-cbc-sha1</td>
+</tr>
+<tr class="row-even"><td>aes</td>
+<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td>
+</tr>
+<tr class="row-odd"><td>rc4</td>
+<td>The RC4 family: arcfour-hmac</td>
+</tr>
+<tr class="row-even"><td>camellia</td>
+<td>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</td>
+</tr>
+</tbody>
+</table>
+<p>The string <strong>DEFAULT</strong> can be used to refer to the default set of
+types for the variable in question. Types or families can be removed
+from the current list by prefixing them with a minus sign (&#8220;-&#8221;).
+Types or families can be prefixed with a plus sign (&#8220;+&#8221;) for symmetry;
+it has the same meaning as just listing the type or family. For
+example, &#8220;<tt class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-des</span></tt>&#8221; would be the default set of encryption
+types with DES types removed, and &#8220;<tt class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></tt>&#8221; would be the
+default set of encryption types with triple DES types moved to the
+front.</p>
+<p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos
+operations, they are not supported by very old versions of our GSSAPI
+implementation (krb5-1.3.1 and earlier). Services running versions of
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.</p>
+<p>The <strong>aes128-sha2</strong> and <strong>aes256-sha2</strong> encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.</p>
+</div>
+<div class="section" id="keysalt-lists">
+<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>
+<p>Kerberos keys for users are usually derived from passwords. Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype-salttype (&#8220;keysalt&#8221;) pairs, known as <em>keysalt
+lists</em>. Each keysalt pair is an enctype name followed by a salttype
+name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are
+separated by comma (&#8221;,&#8221;) characters or space characters. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal
+</pre></div>
+</div>
+<p>would start up kadmin so that by default it would generate
+password-derived keys for the <strong>aes256-cts</strong> and <strong>aes128-cts</strong>
+encryption types, using a <strong>normal</strong> salt.</p>
+<p>To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt. The supported salt types are as
+follows:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="21%" />
+<col width="79%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>normal</td>
+<td>default for Kerberos Version 5</td>
+</tr>
+<tr class="row-even"><td>v4</td>
+<td>the only type used by Kerberos Version 4 (no salt)</td>
+</tr>
+<tr class="row-odd"><td>norealm</td>
+<td>same as the default, without using realm information</td>
+</tr>
+<tr class="row-even"><td>onlyrealm</td>
+<td>uses only realm information as the salt</td>
+</tr>
+<tr class="row-odd"><td>afs3</td>
+<td>AFS version 3, only used for compatibility with Kerberos 4 in AFS</td>
+</tr>
+<tr class="row-even"><td>special</td>
+<td>generate a random salt</td>
+</tr>
+</tbody>
+</table>
+</div>
+<div class="section" id="sample-kdc-conf-file">
+<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>
+<p>Here&#8217;s an example of a kdc.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ kdc_listen = 88
+ kdc_tcp_listen = 88
+[realms]
+ ATHENA.MIT.EDU = {
+ kadmind_port = 749
+ max_life = 12h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts-hmac-sha1-96
+ supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
+ database_module = openldap_ldapconf
+ }
+
+[logging]
+ kdc = FILE:/usr/local/var/krb5kdc/kdc.log
+ admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+ openldap_ldapconf = {
+ db_library = kldap
+ disable_last_success = true
+ ldap_kdc_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
+ # this object needs to have read rights on
+ # the realm container and principal subtrees
+ ldap_kadmind_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
+ # this object needs to have read and write rights on
+ # the realm container and principal subtrees
+ ldap_service_password_file = /etc/kerberos/service.keyfile
+ ldap_servers = ldaps://kerberos.mit.edu
+ ldap_conns_per_server = 5
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kdc.conf</span></tt></p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdc.conf</a><ul>
+<li><a class="reference internal" href="#structure">Structure</a></li>
+<li><a class="reference internal" href="#sections">Sections</a><ul>
+<li><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></li>
+<li><a class="reference internal" href="#realms">[realms]</a></li>
+<li><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></li>
+<li><a class="reference internal" href="#dbmodules">[dbmodules]</a></li>
+<li><a class="reference internal" href="#logging">[logging]</a></li>
+<li><a class="reference internal" href="#otp">[otp]</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#pkinit-options">PKINIT options</a></li>
+<li><a class="reference internal" href="#encryption-types">Encryption types</a></li>
+<li><a class="reference internal" href="#keysalt-lists">Keysalt lists</a></li>
+<li><a class="reference internal" href="#sample-kdc-conf-file">Sample kdc.conf File</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ >previous</a> |
+ <a href="kadm5_acl.html" title="kadm5.acl"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
new file mode 100644
index 000000000000..ca50e7ad27f1
--- /dev/null
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -0,0 +1,1299 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>krb5.conf &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="kdc.conf" href="kdc_conf.html" />
+ <link rel="prev" title="Configuration Files" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="Configuration Files"
+ accesskey="P">previous</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="krb5-conf">
+<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1>
+<p>The krb5.conf file contains Kerberos configuration information,
+including the locations of KDCs and admin servers for the Kerberos
+realms of interest, defaults for the current realm and for Kerberos
+applications, and mappings of hostnames onto Kerberos realms.
+Normally, you should install your krb5.conf file in the directory
+<tt class="docutils literal"><span class="pre">/etc</span></tt>. You can override the default location by setting the
+environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
+filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
+present will be read. Starting in release 1.14, directory names can
+also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory
+whose names consist solely of alphanumeric characters, dashes, or
+underscores will be read.</p>
+<div class="section" id="structure">
+<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<p>The krb5.conf file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets. Each
+section may contain zero or more relations, of the form:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
+</pre></div>
+</div>
+<p>or:</p>
+<div class="highlight-python"><div class="highlight"><pre>fubar = {
+ foo = bar
+ baz = quux
+}
+</pre></div>
+</div>
+<p>Placing a &#8216;*&#8217; at the end of a line indicates that this is the <em>final</em>
+value for the tag. This means that neither the remainder of this
+configuration file nor any other configuration file will be checked
+for any other values for this tag.</p>
+<p>For example, if you have the following lines:</p>
+<div class="highlight-python"><div class="highlight"><pre>foo = bar*
+foo = baz
+</pre></div>
+</div>
+<p>then the second value of <tt class="docutils literal"><span class="pre">foo</span></tt> (<tt class="docutils literal"><span class="pre">baz</span></tt>) would never be read.</p>
+<p>The krb5.conf file can include other files using either of the
+following directives at the beginning of a line:</p>
+<div class="highlight-python"><div class="highlight"><pre>include FILENAME
+includedir DIRNAME
+</pre></div>
+</div>
+<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
+directory must exist and be readable. Including a directory includes
+all files within the directory whose names consist solely of
+alphanumeric characters, dashes, or underscores. Starting in release
+1.15, files with names ending in &#8221;.conf&#8221; are also included. Included
+profile files are syntactically independent of their parents, so each
+included file must begin with a section header.</p>
+<p>The krb5.conf file can specify that configuration should be obtained
+from a loadable module, rather than the file itself, using the
+following directive at the beginning of a line before any section
+headers:</p>
+<div class="highlight-python"><div class="highlight"><pre>module MODULEPATH:RESIDUAL
+</pre></div>
+</div>
+<p><em>MODULEPATH</em> may be relative to the library path of the krb5
+installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
+to the module at initialization time. If krb5.conf uses a module
+directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> should also use one if it exists.</p>
+</div>
+<div class="section" id="sections">
+<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<p>The krb5.conf file may contain the following sections:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="26%" />
+<col width="74%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a></td>
+<td>Settings used by the Kerberos V5 library</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#realms"><em>[realms]</em></a></td>
+<td>Realm-specific contact information and settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><em>[domain_realm]</em></a></td>
+<td>Maps server hostnames to Kerberos realms</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#capaths"><em>[capaths]</em></a></td>
+<td>Authentication paths for non-hierarchical cross-realm</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><em>[appdefaults]</em></a></td>
+<td>Settings used by some Kerberos V5 applications</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#plugins"><em>[plugins]</em></a></td>
+<td>Controls plugin module registration</td>
+</tr>
+</tbody>
+</table>
+<p>Additionally, krb5.conf may include any of the relations described in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but it is not a recommended practice.</p>
+<div class="section" id="libdefaults">
+<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>
+<p>The libdefaults section may contain any of the following relations:</p>
+<dl class="docutils">
+<dt><strong>allow_weak_crypto</strong></dt>
+<dd>If this flag is set to false, then weak encryption types (as noted
+in <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>) will be filtered
+out of the lists <strong>default_tgs_enctypes</strong>,
+<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
+value for this tag is false, which may cause authentication
+failures in existing Kerberos infrastructures that do not support
+strong crypto. Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.</dd>
+<dt><strong>ap_req_checksum_type</strong></dt>
+<dd>An integer which specifies the type of AP-REQ checksum to use in
+authenticators. This variable should be unset so the appropriate
+checksum for the encryption key in use will be used. This can be
+set if backward compatibility requires a specific checksum type.
+See the <strong>kdc_req_checksum_type</strong> configuration option for the
+possible values and their meanings.</dd>
+<dt><strong>canonicalize</strong></dt>
+<dd>If this flag is set to true, initial ticket requests to the KDC
+will request canonicalization of the client principal name, and
+answers with different client principals than the requested
+principal will be accepted. The default value is false.</dd>
+<dt><strong>ccache_type</strong></dt>
+<dd>This parameter determines the format of credential cache types
+created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or other programs. The default value
+is 4, which represents the most current format. Smaller values
+can be used for compatibility with very old implementations of
+Kerberos which interact with credential caches on the same host.</dd>
+<dt><strong>clockskew</strong></dt>
+<dd><p class="first">Sets the maximum allowable amount of clockskew in seconds that the
+library will tolerate before assuming that a Kerberos message is
+invalid. The default value is 300 seconds, or five minutes.</p>
+<p class="last">The clockskew setting is also used when evaluating ticket start
+and expiration times. For example, tickets that have reached
+their expiration time can still be used (and renewed if they are
+renewable tickets) if they have been expired for a shorter
+duration than the <strong>clockskew</strong> setting.</p>
+</dd>
+<dt><strong>default_ccache_name</strong></dt>
+<dd>This relation specifies the name of the default credential cache.
+The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a>. This relation is subject to parameter
+expansion (see below). New in release 1.11.</dd>
+<dt><strong>default_client_keytab_name</strong></dt>
+<dd>This relation specifies the name of the default keytab for
+obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCKTNAME</em></a>. This
+relation is subject to parameter expansion (see below).
+New in release 1.11.</dd>
+<dt><strong>default_keytab_name</strong></dt>
+<dd>This relation specifies the default keytab name to be used by
+application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>. This
+relation is subject to parameter expansion (see below).</dd>
+<dt><strong>default_realm</strong></dt>
+<dd>Identifies the default Kerberos realm for the client. Set its
+value to your Kerberos realm. If this value is not set, then a
+realm must be specified with every Kerberos principal when
+invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>.</dd>
+<dt><strong>default_tgs_enctypes</strong></dt>
+<dd><p class="first">Identifies the supported list of session key encryption types that
+the client should request when making a TGS-REQ, in order of
+preference from highest to lowest. The list may be delimited with
+commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
+The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
+will be implicitly removed from this list if the value of
+<strong>allow_weak_crypto</strong> is false.</p>
+<p class="last">Do not set this unless required for specific backward
+compatibility purposes; stale values of this setting can prevent
+clients from taking advantage of new stronger enctypes when the
+libraries are upgraded.</p>
+</dd>
+<dt><strong>default_tkt_enctypes</strong></dt>
+<dd><p class="first">Identifies the supported list of session key encryption types that
+the client should request when making an AS-REQ, in order of
+preference from highest to lowest. The format is the same as for
+default_tgs_enctypes. The default value for this tag is
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+removed from this list if the value of <strong>allow_weak_crypto</strong> is
+false.</p>
+<p class="last">Do not set this unless required for specific backward
+compatibility purposes; stale values of this setting can prevent
+clients from taking advantage of new stronger enctypes when the
+libraries are upgraded.</p>
+</dd>
+<dt><strong>dns_canonicalize_hostname</strong></dt>
+<dd>Indicate whether name lookups will be used to canonicalize
+hostnames for use in service principal names. Setting this flag
+to false can improve security by reducing reliance on DNS, but
+means that short hostnames will not be canonicalized to
+fully-qualified hostnames. The default value is true.</dd>
+<dt><strong>dns_lookup_kdc</strong></dt>
+<dd><p class="first">Indicate whether DNS SRV records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. (Note that the admin_server
+entry must be in the krb5.conf realm information in order to
+contact kadmind, because the DNS implementation for kadmin is
+incomplete.)</p>
+<p class="last">Enabling this option does open up a type of denial-of-service
+attack, if someone spoofs the DNS records and redirects you to
+another server. However, it&#8217;s no worse than a denial of service,
+because that fake KDC will be unable to decode anything you send
+it (besides the initial ticket request, which has no encrypted
+data), and anything the fake KDC sends will not be trusted without
+verification using some secret that it won&#8217;t know.</p>
+</dd>
+<dt><strong>dns_uri_lookup</strong></dt>
+<dd>Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. SRV records are used as a
+fallback if no URI records were found. The default value is true.
+New in release 1.15.</dd>
+<dt><strong>err_fmt</strong></dt>
+<dd>This relation allows for custom error message formatting. If a
+value is set, error messages will be formatted by substituting a
+normal error message for %M and an error code for %C in the value.</dd>
+<dt><strong>extra_addresses</strong></dt>
+<dd>This allows a computer to use multiple local addresses, in order
+to allow Kerberos to work in a network that uses NATs while still
+using address-restricted tickets. The addresses should be in a
+comma-separated list. This option has no effect if
+<strong>noaddresses</strong> is true.</dd>
+<dt><strong>forwardable</strong></dt>
+<dd>If this flag is true, initial tickets will be forwardable by
+default, if allowed by the KDC. The default value is false.</dd>
+<dt><strong>ignore_acceptor_hostname</strong></dt>
+<dd>When accepting GSSAPI or krb5 security contexts for host-based
+service principals, ignore any hostname passed by the calling
+application, and allow clients to authenticate to any service
+principal in the keytab matching the service name and realm name
+(if given). This option can improve the administrative
+flexibility of server applications on multihomed hosts, but could
+compromise the security of virtual hosting environments. The
+default value is false. New in release 1.10.</dd>
+<dt><strong>k5login_authoritative</strong></dt>
+<dd>If this flag is true, principals must be listed in a local user&#8217;s
+k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a>
+file exists. If this flag is false, a principal may still be
+granted login access through other mechanisms even if a k5login
+file exists but does not list the principal. The default value is
+true.</dd>
+<dt><strong>k5login_directory</strong></dt>
+<dd>If set, the library will look for a local user&#8217;s k5login file
+within the named directory, with a filename corresponding to the
+local username. If not set, the library will look for k5login
+files in the user&#8217;s home directory, with the filename .k5login.
+For security reasons, .k5login files must be owned by
+the local user or by root.</dd>
+<dt><strong>kcm_mach_service</strong></dt>
+<dd>On OS X only, determines the name of the bootstrap service used to
+contact the KCM daemon for the KCM credential cache type. If the
+value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
+daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
+<dt><strong>kcm_socket</strong></dt>
+<dd>Determines the path to the Unix domain socket used to access the
+KCM daemon for the KCM credential cache type. If the value is
+<tt class="docutils literal"><span class="pre">-</span></tt>, Unix domain sockets will not be used to contact the KCM
+daemon. The default value is
+<tt class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></tt>.</dd>
+<dt><strong>kdc_default_options</strong></dt>
+<dd>Default KDC options (Xored for multiple values) when requesting
+initial tickets. By default it is set to 0x00000010
+(KDC_OPT_RENEWABLE_OK).</dd>
+<dt><strong>kdc_timesync</strong></dt>
+<dd>Accepted values for this relation are 1 or 0. If it is nonzero,
+client machines will compute the difference between their time and
+the time returned by the KDC in the timestamps in the tickets and
+use this value to correct for an inaccurate system clock when
+requesting service tickets or authenticating to services. This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock. The default value is 1.</dd>
+<dt><strong>kdc_req_checksum_type</strong></dt>
+<dd><p class="first">An integer which specifies the type of checksum to use for the KDC
+requests, for compatibility with very old KDC implementations.
+This value is only used for DES keys; other keys use the preferred
+checksum type for those keys.</p>
+<p>The possible values and their meanings are as follows.</p>
+<table border="1" class="last docutils">
+<colgroup>
+<col width="20%" />
+<col width="80%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>1</td>
+<td>CRC32</td>
+</tr>
+<tr class="row-even"><td>2</td>
+<td>RSA MD4</td>
+</tr>
+<tr class="row-odd"><td>3</td>
+<td>RSA MD4 DES</td>
+</tr>
+<tr class="row-even"><td>4</td>
+<td>DES CBC</td>
+</tr>
+<tr class="row-odd"><td>7</td>
+<td>RSA MD5</td>
+</tr>
+<tr class="row-even"><td>8</td>
+<td>RSA MD5 DES</td>
+</tr>
+<tr class="row-odd"><td>9</td>
+<td>NIST SHA</td>
+</tr>
+<tr class="row-even"><td>12</td>
+<td>HMAC SHA1 DES3</td>
+</tr>
+<tr class="row-odd"><td>-138</td>
+<td>Microsoft MD5 HMAC checksum type</td>
+</tr>
+</tbody>
+</table>
+</dd>
+<dt><strong>noaddresses</strong></dt>
+<dd>If this flag is true, requests for initial tickets will not be
+made with address restrictions set, allowing the tickets to be
+used across NATs. The default value is true.</dd>
+<dt><strong>permitted_enctypes</strong></dt>
+<dd>Identifies all encryption types that are permitted for use in
+session key encryption. The default value for this tag is
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+removed from this list if the value of <strong>allow_weak_crypto</strong> is
+false.</dd>
+<dt><strong>plugin_base_dir</strong></dt>
+<dd>If set, determines the base directory where krb5 plugins are
+located. The default value is the <tt class="docutils literal"><span class="pre">krb5/plugins</span></tt> subdirectory
+of the krb5 library directory.</dd>
+<dt><strong>preferred_preauth_types</strong></dt>
+<dd>This allows you to set the preferred preauthentication types which
+the client will attempt before others which may be advertised by a
+KDC. The default value for this setting is &#8220;17, 16, 15, 14&#8221;,
+which forces libkrb5 to attempt to use PKINIT if it is supported.</dd>
+<dt><strong>proxiable</strong></dt>
+<dd>If this flag is true, initial tickets will be proxiable by
+default, if allowed by the KDC. The default value is false.</dd>
+<dt><strong>rdns</strong></dt>
+<dd>If this flag is true, reverse name lookup will be used in addition
+to forward name lookup to canonicalizing hostnames for use in
+service principal names. If <strong>dns_canonicalize_hostname</strong> is set
+to false, this flag has no effect. The default value is true.</dd>
+<dt><strong>realm_try_domains</strong></dt>
+<dd>Indicate whether a host&#8217;s domain components should be used to
+determine the Kerberos realm of the host. The value of this
+variable is an integer: -1 means not to search, 0 means to try the
+host&#8217;s domain itself, 1 means to also try the domain&#8217;s immediate
+parent, and so forth. The library&#8217;s usual mechanism for locating
+Kerberos realms is used to determine whether a domain is a valid
+realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
+set. The default is not to search domain components.</dd>
+<dt><strong>renew_lifetime</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default renewable lifetime
+for initial ticket requests. The default value is 0.</dd>
+<dt><strong>safe_checksum_type</strong></dt>
+<dd>An integer which specifies the type of checksum to use for the
+KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
+compatibility with applications linked against DCE version 1.1 or
+earlier Kerberos libraries, use a value of 3 to use the RSA MD4
+DES instead. This field is ignored when its value is incompatible
+with the session key type. See the <strong>kdc_req_checksum_type</strong>
+configuration option for the possible values and their meanings.</dd>
+<dt><strong>ticket_lifetime</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default lifetime for initial
+ticket requests. The default value is 1 day.</dd>
+<dt><strong>udp_preference_limit</strong></dt>
+<dd>When sending a message to the KDC, the library will try using TCP
+before UDP if the size of the message is above
+<strong>udp_preference_limit</strong>. If the message is smaller than
+<strong>udp_preference_limit</strong>, then UDP will be tried before TCP.
+Regardless of the size, both protocols will be tried if the first
+attempt fails.</dd>
+<dt><strong>verify_ap_req_nofail</strong></dt>
+<dd>If this flag is true, then an attempt to verify initial
+credentials will fail if the client machine does not have a
+keytab. The default value is false.</dd>
+</dl>
+</div>
+<div class="section" id="realms">
+<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [realms] section of the file is the name of a Kerberos
+realm. The value of the tag is a subsection with relations that
+define the properties of that particular realm. For each realm, the
+following tags may be specified in the realm&#8217;s subsection:</p>
+<dl class="docutils">
+<dt><strong>admin_server</strong></dt>
+<dd>Identifies the host where the administration server is running.
+Typically, this is the master Kerberos server. This tag must be
+given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+server for the realm.</dd>
+<dt><strong>auth_to_local</strong></dt>
+<dd><p class="first">This tag allows you to set a general rule for mapping principal
+names to local user names. It will be used if there is not an
+explicit mapping for the principal name that is being
+translated. The possible values are:</p>
+<dl class="docutils">
+<dt><strong>RULE:</strong><em>exp</em></dt>
+<dd><p class="first">The local name will be formulated from <em>exp</em>.</p>
+<p class="last">The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>.
+The integer <em>n</em> indicates how many components the target
+principal should have. If this matches, then a string will be
+formed from <em>string</em>, substituting the realm of the principal
+for <tt class="docutils literal"><span class="pre">$0</span></tt> and the <em>n</em>&#8216;th component of the principal for
+<tt class="docutils literal"><span class="pre">$n</span></tt> (e.g., if the principal was <tt class="docutils literal"><span class="pre">johndoe/admin</span></tt> then
+<tt class="docutils literal"><span class="pre">[2:$2$1foo]</span></tt> would result in the string
+<tt class="docutils literal"><span class="pre">adminjohndoefoo</span></tt>). If this string matches <em>regexp</em>, then
+the <tt class="docutils literal"><span class="pre">s//[g]</span></tt> substitution command will be run over the
+string. The optional <strong>g</strong> will cause the substitution to be
+global over the <em>string</em>, instead of replacing only the first
+match in the <em>string</em>.</p>
+</dd>
+<dt><strong>DEFAULT</strong></dt>
+<dd>The principal name will be used as the local user name. If
+the principal has more than one component or is not in the
+default realm, this rule is not applicable and the conversion
+will fail.</dd>
+</dl>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ATHENA.MIT.EDU = {
+ auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
+ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
+ auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
+ auto_to_local = DEFAULT
+ }
+</pre></div>
+</div>
+<p class="last">would result in any principal without <tt class="docutils literal"><span class="pre">root</span></tt> or <tt class="docutils literal"><span class="pre">admin</span></tt> as the
+second component to be translated with the default rule. A
+principal with a second component of <tt class="docutils literal"><span class="pre">admin</span></tt> will become its
+first component. <tt class="docutils literal"><span class="pre">root</span></tt> will be used as the local name for any
+principal with a second component of <tt class="docutils literal"><span class="pre">root</span></tt>. The exception to
+these two rules are any principals <tt class="docutils literal"><span class="pre">johndoe/*</span></tt>, which will
+always get the local name <tt class="docutils literal"><span class="pre">guest</span></tt>.</p>
+</dd>
+<dt><strong>auth_to_local_names</strong></dt>
+<dd>This subsection allows you to set explicit mappings from principal
+names to local user names. The tag is the mapping name, and the
+value is the corresponding local user name.</dd>
+<dt><strong>default_domain</strong></dt>
+<dd>This tag specifies the domain used to expand hostnames when
+translating Kerberos 4 service principals to Kerberos 5 principals
+(for example, when converting <tt class="docutils literal"><span class="pre">rcmd.hostname</span></tt> to
+<tt class="docutils literal"><span class="pre">host/hostname.domain</span></tt>).</dd>
+<dt><strong>http_anchors</strong></dt>
+<dd><p class="first">When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
+can be used to specify the location of the CA certificate which should be
+trusted to issue the certificate for a proxy server. If left unspecified,
+the system-wide default set of CA certificates is used.</p>
+<p>The syntax for values is similar to that of values for the
+<strong>pkinit_anchors</strong> tag:</p>
+<p><strong>FILE:</strong> <em>filename</em></p>
+<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p>
+<p><strong>DIR:</strong> <em>dirname</em></p>
+<p><em>dirname</em> is assumed to be an directory which contains CA certificates.
+All files in the directory will be examined; if they contain certificates
+(in PEM format), they will be used.</p>
+<p><strong>ENV:</strong> <em>envvar</em></p>
+<p class="last"><em>envvar</em> specifies the name of an environment variable which has been set
+to a value conforming to one of the previous values. For example,
+<tt class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></tt>, where environment variable <tt class="docutils literal"><span class="pre">X509_PROXY_CA</span></tt> has
+been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</p>
+</dd>
+<dt><strong>kdc</strong></dt>
+<dd>The name or address of a host running a KDC for that realm. An
+optional port number, separated from the hostname by a colon, may
+be included. If the name or address contains colons (for example,
+if it is an IPv6 address), enclose it in square brackets to
+distinguish the colon from a port separator. For your computer to
+be able to communicate with the KDC for each realm, this tag must
+be given a value in each realm subsection in the configuration
+file, or there must be DNS SRV records specifying the KDCs.</dd>
+<dt><strong>kpasswd_server</strong></dt>
+<dd>Points to the server where all the password changes are performed.
+If there is no such entry, the port 464 on the <strong>admin_server</strong>
+host will be tried.</dd>
+<dt><strong>master_kdc</strong></dt>
+<dd>Identifies the master KDC(s). Currently, this tag is used in only
+one case: If an attempt to get credentials fails because of an
+invalid password, the client software will attempt to contact the
+master KDC, in case the user&#8217;s password has just been changed, and
+the updated database has not been propagated to the slave servers
+yet.</dd>
+<dt><strong>v4_instance_convert</strong></dt>
+<dd>This subsection allows the administrator to configure exceptions
+to the <strong>default_domain</strong> mapping rule. It contains V4 instances
+(the tag name) which should be translated to some specific
+hostname (the tag value) as the second component in a Kerberos V5
+principal name.</dd>
+<dt><strong>v4_realm</strong></dt>
+<dd>This relation is used by the krb524 library routines when
+converting a V5 principal name to a V4 principal name. It is used
+when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords. The tag value
+is the Kerberos V4 realm name.</dd>
+</dl>
+</div>
+<div class="section" id="domain-realm">
+<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>
+<p>The [domain_realm] section provides a translation from a domain name
+or hostname to a Kerberos realm name. The tag name can be a host name
+or domain name, where domain names are indicated by a prefix of a
+period (<tt class="docutils literal"><span class="pre">.</span></tt>). The value of the relation is the Kerberos realm name
+for that particular host or domain. A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided. The Kerberos realm may be
+identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.
+Host names and domain names should be in lower case. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[domain_realm]
+ crash.mit.edu = TEST.ATHENA.MIT.EDU
+ .dev.mit.edu = TEST.ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+</pre></div>
+</div>
+<p>maps the host with the name <tt class="docutils literal"><span class="pre">crash.mit.edu</span></tt> into the
+<tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm. The second entry maps all hosts under the
+domain <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt> into the <tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm, but not
+the host with the name <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt>. That host is matched
+by the third entry, which maps the host <tt class="docutils literal"><span class="pre">mit.edu</span></tt> and all hosts
+under the domain <tt class="docutils literal"><span class="pre">mit.edu</span></tt> that do not match a preceding rule
+into the realm <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt>.</p>
+<p>If no translation entry applies to a hostname used for a service
+principal for a service ticket request, the library will try to get a
+referral to the appropriate realm from the client realm&#8217;s KDC. If
+that does not succeed, the host&#8217;s realm is considered to be the
+hostname&#8217;s domain portion converted to uppercase, unless the
+<strong>realm_try_domains</strong> setting in [libdefaults] causes a different
+parent domain to be used.</p>
+</div>
+<div class="section" id="capaths">
+<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3>
+<p>In order to perform direct (non-hierarchical) cross-realm
+authentication, configuration is needed to determine the
+authentication paths between realms.</p>
+<p>A client will use this section to find the authentication path between
+its realm and the realm of the server. The server will use this
+section to verify the authentication path used by the client, by
+checking the transited field of the received ticket.</p>
+<p>There is a tag for each participating client realm, and each tag has
+subtags for each of the server realms. The value of the subtags is an
+intermediate realm which may participate in the cross-realm
+authentication. The subtags may be repeated if there is more then one
+intermediate realm. A value of &#8221;.&#8221; means that the two realms share
+keys directly, and no intermediate realms should be allowed to
+participate.</p>
+<p>Only those entries which will be needed on the client or the server
+need to be present. A client needs a tag for its local realm with
+subtags for all the realms of servers it will need to authenticate to.
+A server needs a tag for each realm of the clients it will serve, with
+a subtag of the server realm.</p>
+<p>For example, <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt>, <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>, and <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> all wish to
+use the <tt class="docutils literal"><span class="pre">ES.NET</span></tt> realm as an intermediate realm. ANL has a sub
+realm of <tt class="docutils literal"><span class="pre">TEST.ANL.GOV</span></tt> which will authenticate with <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
+but not <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>. The [capaths] section for <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt> systems
+would look like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>[capaths]
+ ANL.GOV = {
+ TEST.ANL.GOV = .
+ PNL.GOV = ES.NET
+ NERSC.GOV = ES.NET
+ ES.NET = .
+ }
+ TEST.ANL.GOV = {
+ ANL.GOV = .
+ }
+ PNL.GOV = {
+ ANL.GOV = ES.NET
+ }
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ }
+ ES.NET = {
+ ANL.GOV = .
+ }
+</pre></div>
+</div>
+<p>The [capaths] section of the configuration file used on <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
+systems would look like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>[capaths]
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ TEST.ANL.GOV = ES.NET
+ TEST.ANL.GOV = ANL.GOV
+ PNL.GOV = ES.NET
+ ES.NET = .
+ }
+ ANL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ PNL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ ES.NET = {
+ NERSC.GOV = .
+ }
+ TEST.ANL.GOV = {
+ NERSC.GOV = ANL.GOV
+ NERSC.GOV = ES.NET
+ }
+</pre></div>
+</div>
+<p>When a subtag is used more than once within a tag, clients will use
+the order of values to determine the path. The order of values is not
+important to servers.</p>
+</div>
+<div class="section" id="appdefaults">
+<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [appdefaults] section names a Kerberos V5 application
+or an option that is used by some Kerberos V5 application[s]. The
+value of the tag defines the default behaviors for that application.</p>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[appdefaults]
+ telnet = {
+ ATHENA.MIT.EDU = {
+ option1 = false
+ }
+ }
+ telnet = {
+ option1 = true
+ option2 = true
+ }
+ ATHENA.MIT.EDU = {
+ option2 = false
+ }
+ option2 = true
+</pre></div>
+</div>
+<p>The above four ways of specifying the value of an option are shown in
+order of decreasing precedence. In this example, if telnet is running
+in the realm EXAMPLE.COM, it should, by default, have option1 and
+option2 set to true. However, a telnet program in the realm
+<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> should have <tt class="docutils literal"><span class="pre">option1</span></tt> set to false and
+<tt class="docutils literal"><span class="pre">option2</span></tt> set to true. Any other programs in ATHENA.MIT.EDU should
+have <tt class="docutils literal"><span class="pre">option2</span></tt> set to false by default. Any programs running in
+other realms should have <tt class="docutils literal"><span class="pre">option2</span></tt> set to true.</p>
+<p>The list of specifiable options for each application may be found in
+that application&#8217;s man pages. The application defaults specified here
+are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
+</div>
+<div class="section" id="plugins">
+<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><ul class="simple">
+<li><a class="reference internal" href="#pwqual">pwqual</a> interface</li>
+<li><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</li>
+<li><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</li>
+</ul>
+</div></blockquote>
+<p>Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.</p>
+<p>New in release 1.9.</p>
+<p>Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:</p>
+<dl class="docutils">
+<dt><strong>disable</strong></dt>
+<dd>This tag may have multiple values. If there are values for this
+tag, then the named modules will be disabled for the pluggable
+interface.</dd>
+<dt><strong>enable_only</strong></dt>
+<dd>This tag may have multiple values. If there are values for this
+tag, then only the named modules will be enabled for the pluggable
+interface.</dd>
+<dt><strong>module</strong></dt>
+<dd>This tag may have multiple values. Each value is a string of the
+form <tt class="docutils literal"><span class="pre">modulename:pathname</span></tt>, which causes the shared object
+located at <em>pathname</em> to be registered as a dynamic module named
+<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an
+absolute path, it will be treated as relative to the
+<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a>.</dd>
+</dl>
+<p>For pluggable interfaces where module order matters, modules
+registered with a <strong>module</strong> tag normally come first, in the order
+they are registered, followed by built-in modules in the order they
+are documented below. If <strong>enable_only</strong> tags are used, then the
+order of those tags overrides the normal module order.</p>
+<p>The following subsections are currently supported within the [plugins]
+section:</p>
+<div class="section" id="ccselect-interface">
+<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4>
+<p>The ccselect subsection controls modules for credential cache
+selection within a cache collection. In addition to any registered
+dynamic modules, the following built-in modules exist (and may be
+disabled with the disable tag):</p>
+<dl class="docutils">
+<dt><strong>k5identity</strong></dt>
+<dd>Uses a .k5identity file in the user&#8217;s home directory to select a
+client principal</dd>
+<dt><strong>realm</strong></dt>
+<dd>Uses the service realm to guess an appropriate cache from the
+collection</dd>
+</dl>
+</div>
+<div class="section" id="pwqual-interface">
+<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4>
+<p>The pwqual subsection controls modules for the password quality
+interface, which is used to reject weak passwords when passwords are
+changed. The following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>dict</strong></dt>
+<dd>Checks against the realm dictionary file</dd>
+<dt><strong>empty</strong></dt>
+<dd>Rejects empty passwords</dd>
+<dt><strong>hesiod</strong></dt>
+<dd>Checks against user information stored in Hesiod (only if Kerberos
+was built with Hesiod support)</dd>
+<dt><strong>princ</strong></dt>
+<dd>Checks against components of the principal name</dd>
+</dl>
+</div>
+<div class="section" id="kadm5-hook-interface">
+<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4>
+<p>The kadm5_hook interface provides plugins with information on
+principal creation, modification, password changes and deletion. This
+interface can be used to write a plugin to synchronize MIT Kerberos
+with another database such as Active Directory. No plugins are built
+in for this interface.</p>
+</div>
+<div class="section" id="clpreauth-and-kdcpreauth-interfaces">
+<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
+<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
+provide client and KDC preauthentication mechanisms. The following
+built-in modules exist for these interfaces:</p>
+<dl class="docutils">
+<dt><strong>pkinit</strong></dt>
+<dd>This module implements the PKINIT preauthentication mechanism.</dd>
+<dt><strong>encrypted_challenge</strong></dt>
+<dd>This module implements the encrypted challenge FAST factor.</dd>
+<dt><strong>encrypted_timestamp</strong></dt>
+<dd>This module implements the encrypted timestamp mechanism.</dd>
+</dl>
+</div>
+<div class="section" id="hostrealm-interface">
+<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4>
+<p>The hostrealm section (introduced in release 1.12) controls modules
+for the host-to-realm interface, which affects the local mapping of
+hostnames to realm names and the choice of default realm. The following
+built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>profile</strong></dt>
+<dd>This module consults the [domain_realm] section of the profile for
+authoritative host-to-realm mappings, and the <strong>default_realm</strong>
+variable for the default realm.</dd>
+<dt><strong>dns</strong></dt>
+<dd>This module looks for DNS records for fallback host-to-realm
+mappings and the default realm. It only operates if the
+<strong>dns_lookup_realm</strong> variable is set to true.</dd>
+<dt><strong>domain</strong></dt>
+<dd>This module applies heuristics for fallback host-to-realm
+mappings. It implements the <strong>realm_try_domains</strong> variable, and
+uses the uppercased parent domain of the hostname if that does not
+produce a result.</dd>
+</dl>
+</div>
+<div class="section" id="localauth-interface">
+<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The localauth section (introduced in release 1.12) controls modules
+for the local authorization interface, which affects the relationship
+between Kerberos principals and local system accounts. The following
+built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>default</strong></dt>
+<dd>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong>
+values.</dd>
+<dt><strong>rule</strong></dt>
+<dd>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong>
+values.</dd>
+<dt><strong>names</strong></dt>
+<dd>This module looks for an <strong>auth_to_local_names</strong> mapping for the
+principal name.</dd>
+<dt><strong>auth_to_local</strong></dt>
+<dd>This module processes <strong>auth_to_local</strong> values in the default
+realm&#8217;s section, and applies the default method if no
+<strong>auth_to_local</strong> values exist.</dd>
+<dt><strong>k5login</strong></dt>
+<dd>This module authorizes a principal to a local account according to
+the account&#8217;s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> file.</dd>
+<dt><strong>an2ln</strong></dt>
+<dd>This module authorizes a principal to a local account if the
+principal name maps to the local account name.</dd>
+</dl>
+</div>
+</div>
+</div>
+<div class="section" id="pkinit-options">
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The following are PKINIT-specific options. These values may
+be specified in [libdefaults] as global defaults, or within
+a realm-specific subsection of [libdefaults], or may be
+specified as realm-specific values in the [realms] section.
+A realm-specific value overrides, not adds to, a generic
+[libdefaults] specification. The search order is:</p>
+</div>
+<ol class="arabic">
+<li><p class="first">realm-specific subsection of [libdefaults]:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE:/usr/local/example.com.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">realm-specific value in the [realms] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ OTHERREALM.ORG = {
+ pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">generic value in the [libdefaults] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+</pre></div>
+</div>
+</li>
+</ol>
+<div class="section" id="specifying-pkinit-identity-information">
+<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>
+<p>The syntax for specifying Public Key identity, trust, and revocation
+information for PKINIT is as follows:</p>
+<dl class="docutils">
+<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt>
+<dd><p class="first">This option has context-specific behavior.</p>
+<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
+specifies the name of a PEM-format file containing the user&#8217;s
+certificate. If <em>keyfilename</em> is not specified, the user&#8217;s
+private key is expected to be in <em>filename</em> as well. Otherwise,
+<em>keyfilename</em> is the name of the file containing the private key.</p>
+<p class="last">In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
+be the name of an OpenSSL-style ca-bundle file.</p>
+</dd>
+<dt><strong>DIR:</strong><em>dirname</em></dt>
+<dd><p class="first">This option has context-specific behavior.</p>
+<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
+specifies a directory with files named <tt class="docutils literal"><span class="pre">*.crt</span></tt> and <tt class="docutils literal"><span class="pre">*.key</span></tt>
+where the first part of the file name is the same for matching
+pairs of certificate and private key files. When a file with a
+name ending with <tt class="docutils literal"><span class="pre">.crt</span></tt> is found, a matching file ending with
+<tt class="docutils literal"><span class="pre">.key</span></tt> is assumed to contain the private key. If no such file
+is found, then the certificate in the <tt class="docutils literal"><span class="pre">.crt</span></tt> is not used.</p>
+<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
+be an OpenSSL-style hashed CA directory where each CA cert is
+stored in a file named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></tt>. This infrastructure
+is encouraged, but all files in the directory will be examined and
+if they contain certificates (in PEM format), they will be used.</p>
+<p class="last">In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
+hashed CA directory where each revocation list is stored in a file
+named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></tt>. This infrastructure is encouraged,
+but all files in the directory will be examined and if they
+contain a revocation list (in PEM format), they will be used.</p>
+</dd>
+<dt><strong>PKCS12:</strong><em>filename</em></dt>
+<dd><em>filename</em> is the name of a PKCS #12 format file, containing the
+user&#8217;s certificate and private key.</dd>
+<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt>
+<dd>All keyword/values are optional. <em>modname</em> specifies the location
+of a library implementing PKCS #11. If a value is encountered
+with no keyword, it is assumed to be the <em>modname</em>. If no
+module-name is specified, the default is <tt class="docutils literal"><span class="pre">opensc-pkcs11.so</span></tt>.
+<tt class="docutils literal"><span class="pre">slotid=</span></tt> and/or <tt class="docutils literal"><span class="pre">token=</span></tt> may be specified to force the use of
+a particular smard card reader or token if there is more than one
+available. <tt class="docutils literal"><span class="pre">certid=</span></tt> and/or <tt class="docutils literal"><span class="pre">certlabel=</span></tt> may be specified to
+force the selection of a particular certificate on the device.
+See the <strong>pkinit_cert_match</strong> configuration option for more ways
+to select a particular certificate to use for PKINIT.</dd>
+<dt><strong>ENV:</strong><em>envvar</em></dt>
+<dd><em>envvar</em> specifies the name of an environment variable which has
+been set to a value conforming to one of the previous values. For
+example, <tt class="docutils literal"><span class="pre">ENV:X509_PROXY</span></tt>, where environment variable
+<tt class="docutils literal"><span class="pre">X509_PROXY</span></tt> has been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</dd>
+</dl>
+</div>
+<div class="section" id="pkinit-krb5-conf-options">
+<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>
+<dl class="docutils">
+<dt><strong>pkinit_anchors</strong></dt>
+<dd>Specifies the location of trusted anchor (root) certificates which
+the client trusts to sign KDC certificates. This option may be
+specified multiple times. These values from the config file are
+not used if the user specifies X509_anchors on the command line.</dd>
+<dt><strong>pkinit_cert_match</strong></dt>
+<dd><p class="first">Specifies matching rules that the client certificate must match
+before it is used to attempt PKINIT authentication. If a user has
+multiple certificates available (on a smart card, or via other
+media), there must be exactly one certificate chosen before
+attempting PKINIT authentication. This option may be specified
+multiple times. All the available certificates are checked
+against each rule in order until there is a match of exactly one
+certificate.</p>
+<p>The Subject and Issuer comparison strings are the <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
+string representations from the certificate Subject DN and Issuer
+DN values.</p>
+<p>The syntax of the matching rules is:</p>
+<blockquote>
+<div>[<em>relation-operator</em>]<em>component-rule</em> ...</div></blockquote>
+<p>where:</p>
+<dl class="docutils">
+<dt><em>relation-operator</em></dt>
+<dd>can be either <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>, meaning all component rules must match,
+or <tt class="docutils literal"><span class="pre">||</span></tt>, meaning only one component rule must match. The
+default is <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>.</dd>
+<dt><em>component-rule</em></dt>
+<dd><p class="first">can be one of the following. Note that there is no
+punctuation or whitespace between component rules.</p>
+<blockquote>
+<div><div class="line-block">
+<div class="line"><strong>&lt;SUBJECT&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;ISSUER&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;SAN&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;EKU&gt;</strong><em>extended-key-usage-list</em></div>
+<div class="line"><strong>&lt;KU&gt;</strong><em>key-usage-list</em></div>
+</div>
+</div></blockquote>
+<p><em>extended-key-usage-list</em> is a comma-separated list of
+required Extended Key Usage values. All values in the list
+must be present in the certificate. Extended Key Usage values
+can be:</p>
+<ul class="simple">
+<li>pkinit</li>
+<li>msScLogin</li>
+<li>clientAuth</li>
+<li>emailProtection</li>
+</ul>
+<p><em>key-usage-list</em> is a comma-separated list of required Key
+Usage values. All values in the list must be present in the
+certificate. Key Usage values can be:</p>
+<ul class="last simple">
+<li>digitalSignature</li>
+<li>keyEncipherment</li>
+</ul>
+</dd>
+</dl>
+<p>Examples:</p>
+<div class="last highlight-python"><div class="highlight"><pre>pkinit_cert_match = ||&lt;SUBJECT&gt;.*DoE.*&lt;SAN&gt;.*@EXAMPLE.COM
+pkinit_cert_match = &amp;&amp;&lt;EKU&gt;msScLogin,clientAuth&lt;ISSUER&gt;.*DoE.*
+pkinit_cert_match = &lt;EKU&gt;msScLogin,clientAuth&lt;KU&gt;digitalSignature
+</pre></div>
+</div>
+</dd>
+<dt><strong>pkinit_eku_checking</strong></dt>
+<dd><p class="first">This option specifies what Extended Key Usage value the KDC
+certificate presented to the client must contain. (Note that if
+the KDC certificate has the pkinit SubjectAlternativeName encoded
+as the Kerberos TGS name, EKU checking is not necessary since the
+issuing CA has certified this as a KDC certificate.) The values
+recognized in the krb5.conf file are:</p>
+<dl class="last docutils">
+<dt><strong>kpKDC</strong></dt>
+<dd>This is the default value and specifies that the KDC must have
+the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+<dt><strong>kpServerAuth</strong></dt>
+<dd>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
+id-kp-serverAuth EKU will be accepted. This key usage value
+is used in most commercially issued server certificates.</dd>
+<dt><strong>none</strong></dt>
+<dd>If <strong>none</strong> is specified, then the KDC certificate will not be
+checked to verify it has an acceptable EKU. The use of this
+option is not recommended.</dd>
+</dl>
+</dd>
+<dt><strong>pkinit_dh_min_bits</strong></dt>
+<dd>Specifies the size of the Diffie-Hellman key the client will
+attempt to use. The acceptable values are 1024, 2048, and 4096.
+The default is 2048.</dd>
+<dt><strong>pkinit_identities</strong></dt>
+<dd>Specifies the location(s) to be used to find the user&#8217;s X.509
+identity information. This option may be specified multiple
+times. Each value is attempted in order until identity
+information is found and authentication is attempted. Note that
+these values are not used if the user specifies
+<strong>X509_user_identity</strong> on the command line.</dd>
+<dt><strong>pkinit_kdc_hostname</strong></dt>
+<dd>The presense of this option indicates that the client is willing
+to accept a KDC certificate with a dNSName SAN (Subject
+Alternative Name) rather than requiring the id-pkinit-san as
+defined in <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
+times. Its value should contain the acceptable hostname for the
+KDC (as contained in its certificate).</dd>
+<dt><strong>pkinit_pool</strong></dt>
+<dd>Specifies the location of intermediate certificates which may be
+used by the client to complete the trust chain between a KDC
+certificate and a trusted anchor. This option may be specified
+multiple times.</dd>
+<dt><strong>pkinit_require_crl_checking</strong></dt>
+<dd><p class="first">The default certificate verification process will always check the
+available revocation information to see if a certificate has been
+revoked. If a match is found for the certificate in a CRL,
+verification fails. If the certificate being verified is not
+listed in a CRL, or there is no CRL present for its issuing CA,
+and <strong>pkinit_require_crl_checking</strong> is false, then verification
+succeeds.</p>
+<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
+no CRL information available for the issuing CA, then verification
+fails.</p>
+<p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the
+policy is such that up-to-date CRLs must be present for every CA.</p>
+</dd>
+<dt><strong>pkinit_revoke</strong></dt>
+<dd>Specifies the location of Certificate Revocation List (CRL)
+information to be used by the client when verifying the validity
+of the KDC certificate presented. This option may be specified
+multiple times.</dd>
+</dl>
+</div>
+</div>
+<div class="section" id="parameter-expansion">
+<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>
+<p>Starting with release 1.11, several variables, such as
+<strong>default_keytab_name</strong>, allow parameters to be expanded.
+Valid parameters are:</p>
+<blockquote>
+<div><table border="1" class="docutils">
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>%{TEMP}</td>
+<td>Temporary directory</td>
+</tr>
+<tr class="row-even"><td>%{uid}</td>
+<td>Unix real UID or Windows SID</td>
+</tr>
+<tr class="row-odd"><td>%{euid}</td>
+<td>Unix effective user ID or Windows SID</td>
+</tr>
+<tr class="row-even"><td>%{USERID}</td>
+<td>Same as %{uid}</td>
+</tr>
+<tr class="row-odd"><td>%{null}</td>
+<td>Empty string</td>
+</tr>
+<tr class="row-even"><td>%{LIBDIR}</td>
+<td>Installation library directory</td>
+</tr>
+<tr class="row-odd"><td>%{BINDIR}</td>
+<td>Installation binary directory</td>
+</tr>
+<tr class="row-even"><td>%{SBINDIR}</td>
+<td>Installation admin binary directory</td>
+</tr>
+<tr class="row-odd"><td>%{username}</td>
+<td>(Unix) Username of effective user ID</td>
+</tr>
+<tr class="row-even"><td>%{APPDATA}</td>
+<td>(Windows) Roaming application data for current user</td>
+</tr>
+<tr class="row-odd"><td>%{COMMON_APPDATA}</td>
+<td>(Windows) Application data for all users</td>
+</tr>
+<tr class="row-even"><td>%{LOCAL_APPDATA}</td>
+<td>(Windows) Local application data for current user</td>
+</tr>
+<tr class="row-odd"><td>%{SYSTEM}</td>
+<td>(Windows) Windows system folder</td>
+</tr>
+<tr class="row-even"><td>%{WINDOWS}</td>
+<td>(Windows) Windows folder</td>
+</tr>
+<tr class="row-odd"><td>%{USERCONFIG}</td>
+<td>(Windows) Per-user MIT krb5 config file directory</td>
+</tr>
+<tr class="row-even"><td>%{COMMONCONFIG}</td>
+<td>(Windows) Common MIT krb5 config file directory</td>
+</tr>
+</tbody>
+</table>
+</div></blockquote>
+</div>
+<div class="section" id="sample-krb5-conf-file">
+<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
+<p>Here is an example of a generic krb5.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ dns_lookup_kdc = true
+ dns_lookup_realm = false
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ kdc = kerberos-1.mit.edu
+ kdc = kerberos-2.mit.edu
+ admin_server = kerberos.mit.edu
+ master_kdc = kerberos.mit.edu
+ }
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ kdc = kerberos-1.example.com
+ admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+ ATHENA.MIT.EDU = {
+ EXAMPLE.COM = .
+ }
+ EXAMPLE.COM = {
+ ATHENA.MIT.EDU = .
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<p><tt class="docutils literal"><span class="pre">/etc/krb5.conf</span></tt></p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p>syslog(3)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">krb5.conf</a><ul>
+<li><a class="reference internal" href="#structure">Structure</a></li>
+<li><a class="reference internal" href="#sections">Sections</a><ul>
+<li><a class="reference internal" href="#libdefaults">[libdefaults]</a></li>
+<li><a class="reference internal" href="#realms">[realms]</a></li>
+<li><a class="reference internal" href="#domain-realm">[domain_realm]</a></li>
+<li><a class="reference internal" href="#capaths">[capaths]</a></li>
+<li><a class="reference internal" href="#appdefaults">[appdefaults]</a></li>
+<li><a class="reference internal" href="#plugins">[plugins]</a><ul>
+<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
+<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
+<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
+<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
+<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
+<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><a class="reference internal" href="#pkinit-options">PKINIT options</a><ul>
+<li><a class="reference internal" href="#specifying-pkinit-identity-information">Specifying PKINIT identity information</a></li>
+<li><a class="reference internal" href="#pkinit-krb5-conf-options">PKINIT krb5.conf options</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#parameter-expansion">Parameter expansion</a></li>
+<li><a class="reference internal" href="#sample-krb5-conf-file">Sample krb5.conf file</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="Configuration Files"
+ >previous</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html
new file mode 100644
index 000000000000..7cdd64dd2cb4
--- /dev/null
+++ b/doc/html/admin/conf_ldap.html
@@ -0,0 +1,328 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Configuring Kerberos with OpenLDAP back-end &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Application servers" href="appl_servers.html" />
+ <link rel="prev" title="Account lockout" href="lockout.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="lockout.html" title="Account lockout"
+ accesskey="P">previous</a> |
+ <a href="appl_servers.html" title="Application servers"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuring Kerberos with OpenLDAP back-end">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="configuring-kerberos-with-openldap-back-end">
+<h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Permalink to this headline">¶</a></h1>
+<blockquote>
+<div><ol class="arabic">
+<li><p class="first">Set up SSL on the OpenLDAP server and client to ensure secure
+communication when the KDC service and LDAP server are on different
+machines. <tt class="docutils literal"><span class="pre">ldapi://</span></tt> can be used if the LDAP server and KDC
+service are running on the same machine.</p>
+<ol class="upperalpha simple">
+<li>Setting up SSL on the OpenLDAP server:</li>
+</ol>
+<blockquote>
+<div><ol class="lowerroman">
+<li><p class="first">Get a CA certificate using OpenSSL tools</p>
+</li>
+<li><p class="first">Configure OpenLDAP server for using SSL/TLS</p>
+<p>For the latter, you need to specify the location of CA
+certificate location in <em>slapd.conf</em> file.</p>
+<p>Refer to the following link for more information:
+<a class="reference external" href="http://www.openldap.org/doc/admin23/tls.html">http://www.openldap.org/doc/admin23/tls.html</a></p>
+</li>
+</ol>
+</div></blockquote>
+<ol class="upperalpha" start="2">
+<li><p class="first">Setting up SSL on OpenLDAP client:</p>
+<ol class="lowerroman">
+<li><p class="first">For the KDC and Admin Server, you need to do the client-side
+configuration in ldap.conf. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">TLS_CACERT</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openldap</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">cacert</span><span class="o">.</span><span class="n">pem</span>
+</pre></div>
+</div>
+</li>
+</ol>
+</li>
+</ol>
+</li>
+<li><p class="first">Include the Kerberos schema file (kerberos.schema) in the
+configuration file (slapd.conf) on the LDAP Server, by providing
+the location where it is stored:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">include</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openldap</span><span class="o">/</span><span class="n">schema</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">schema</span>
+</pre></div>
+</div>
+</li>
+<li><p class="first">Choose DNs for the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> servers
+to bind to the LDAP server, and create them if necessary. These DNs
+will be specified with the <strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong>
+directives in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; their passwords can be stashed
+with &#8220;<tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>&#8221; and the resulting file
+specified with the <strong>ldap_service_password_file</strong> directive.</p>
+</li>
+<li><p class="first">Choose a DN for the global Kerberos container entry (but do not
+create the entry at this time). This DN will be specified with the
+<strong>ldap_kerberos_container_dn</strong> directive in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.
+Realm container entries will be created underneath this DN.
+Principal entries may exist either underneath the realm container
+(the default) or in separate trees referenced from the realm
+container.</p>
+</li>
+<li><p class="first">Configure the LDAP server ACLs to enable the KDC and kadmin server
+DNs to read and write the Kerberos data. If
+<strong>disable_last_success</strong> and <strong>disable_lockout</strong> are both set to
+true in the <a class="reference internal" href="conf_files/kdc_conf.html#dbmodules"><em>[dbmodules]</em></a> subsection for the realm, then the
+KDC DN only requires read access to the Kerberos data.</p>
+<p>Sample access control information:</p>
+<div class="highlight-python"><div class="highlight"><pre>access to dn.base=&quot;&quot;
+ by * read
+
+access to dn.base=&quot;cn=Subschema&quot;
+ by * read
+
+access to attrs=userPassword,userPKCS12
+ by self write
+ by * auth
+
+access to attrs=shadowLastChange
+ by self write
+ by * read
+
+# Providing access to realm container
+access to dn.subtree= &quot;cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com&quot;
+ by dn.exact=&quot;cn=kdc-service,dc=example,dc=com&quot; write
+ by dn.exact=&quot;cn=adm-service,dc=example,dc=com&quot; write
+ by * none
+
+# Providing access to principals, if not underneath realm container
+access to dn.subtree= &quot;ou=users,dc=example,dc=com&quot;
+ by dn.exact=&quot;cn=kdc-service,dc=example,dc=com&quot; write
+ by dn.exact=&quot;cn=adm-service,dc=example,dc=com&quot; write
+ by * none
+
+access to *
+ by * read
+</pre></div>
+</div>
+<p>If the locations of the container and principals or the DNs of
+the service objects for a realm are changed then this
+information should be updated.</p>
+</li>
+<li><p class="first">Start the LDAP server as follows:</p>
+<div class="highlight-python"><div class="highlight"><pre>slapd -h &quot;ldapi:/// ldaps:///&quot;
+</pre></div>
+</div>
+</li>
+<li><p class="first">Modify the <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file to include LDAP specific items
+listed below:</p>
+<div class="highlight-python"><div class="highlight"><pre>realms
+ database_module
+
+dbmodules
+ db_library
+ db_module_dir
+ ldap_kdc_dn
+ ldap_kadmind_dn
+ ldap_service_password_file
+ ldap_servers
+ ldap_conns_per_server
+</pre></div>
+</div>
+</li>
+<li><p class="first">Create the realm using <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> (see
+<a class="reference internal" href="database.html#ldap-create-realm"><em>Creating a Kerberos realm</em></a>):</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s
+</pre></div>
+</div>
+<p>Use the <strong>-subtrees</strong> option if the principals are to exist in a
+separate subtree from the realm container. Before executing the
+command, make sure that the subtree mentioned above
+<tt class="docutils literal"><span class="pre">(ou=users,dc=example,dc=com)</span></tt> exists. If the principals will
+exist underneath the realm container, omit the <strong>-subtrees</strong> option
+and do not worry about creating the principal subtree.</p>
+<p>For more information, refer to the section <a class="reference internal" href="database.html#ops-on-ldap"><em>Operations on the LDAP database</em></a>.</p>
+<p>The realm object is created under the
+<strong>ldap_kerberos_container_dn</strong> specified in the configuration file.
+This operation will also create the Kerberos container, if not
+present already. This will be used to store information related to
+all realms.</p>
+</li>
+<li><p class="first">Stash the password of the service object used by the KDC and
+Administration service to bind to the LDAP server using the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>stashsrvpw</strong> command (see
+<a class="reference internal" href="database.html#stash-ldap"><em>Stashing service object&#8217;s password</em></a>). The object DN should be the same as
+<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> values specified in the
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
+</pre></div>
+</div>
+</li>
+<li><p class="first">Add <tt class="docutils literal"><span class="pre">krbPrincipalName</span></tt> to the indexes in slapd.conf to speed up
+the access.</p>
+</li>
+</ol>
+</div></blockquote>
+<p>With the LDAP back end it is possible to provide aliases for principal
+entries. Currently we provide no mechanism provided for creating
+aliases, so it must be done by direct manipulation of the LDAP
+entries.</p>
+<p>An entry with aliases contains multiple values of the
+<em>krbPrincipalName</em> attribute. Since LDAP attribute values are not
+ordered, it is necessary to specify which principal name is canonical,
+by using the <em>krbCanonicalName</em> attribute. Therefore, to create
+aliases for an entry, first set the <em>krbCanonicalName</em> attribute of
+the entry to the canonical principal name (which should be identical
+to the pre-existing <em>krbPrincipalName</em> value), and then add additional
+<em>krbPrincipalName</em> attributes for the aliases.</p>
+<p>Principal aliases are only returned by the KDC when the client
+requests canonicalization. Canonicalization is normally requested for
+service principals; for client principals, an explicit flag is often
+required (e.g., <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-C</span></tt>) and canonicalization is only performed
+for initial ticket requests.</p>
+<div class="admonition seealso">
+<p class="first admonition-title">See also</p>
+<p class="last"><a class="reference internal" href="advanced/ldapbackend.html#ldap-be-ubuntu"><em>LDAP backend on Ubuntu 10.4 (lucid)</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Configuring Kerberos with OpenLDAP back-end</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="lockout.html" title="Account lockout"
+ >previous</a> |
+ <a href="appl_servers.html" title="Application servers"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuring Kerberos with OpenLDAP back-end">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html
new file mode 100644
index 000000000000..dc1cd1971fc9
--- /dev/null
+++ b/doc/html/admin/database.html
@@ -0,0 +1,1858 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Database administration &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Account lockout" href="lockout.html" />
+ <link rel="prev" title="Realm configuration decisions" href="realm_config.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="realm_config.html" title="Realm configuration decisions"
+ accesskey="P">previous</a> |
+ <a href="lockout.html" title="Account lockout"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="database-administration">
+<h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink to this headline">¶</a></h1>
+<p>A Kerberos database contains all of a realm&#8217;s Kerberos principals,
+their passwords, and other administrative information about each
+principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>
+program to manipulate the Kerberos database as a whole, and the
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to make changes to the entries in the
+database. (One notable exception is that users will use the
+<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> program to change their own passwords.) The kadmin
+program has its own command-line interface, to which you type the
+database administrating commands.</p>
+<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> provides a means to create, delete, load, or dump
+a Kerberos database. It also contains commands to roll over the
+database master key, and to stash a copy of the key so that the
+<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemons can use the database
+without manual input.</p>
+<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> provides for the maintenance of Kerberos principals,
+password policies, and service key tables (keytabs). Normally it
+operates as a network client using Kerberos authentication to
+communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, but there is also a variant, named
+kadmin.local, which directly accesses the Kerberos database on the
+local filesystem (or through LDAP). kadmin.local is necessary to set
+up enough of the database to be able to use the remote version.</p>
+<p>kadmin can authenticate to the admin server using the service
+principal <tt class="docutils literal"><span class="pre">kadmin/HOST</span></tt> (where <em>HOST</em> is the hostname of the admin
+server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>. If the credentials cache contains a
+ticket for either service principal and the <strong>-c</strong> ccache option is
+specified, that ticket is used to authenticate to KADM5. Otherwise,
+the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos
+principal name used to authenticate. Once kadmin has determined the
+principal name, it requests a <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> Kerberos service ticket
+from the KDC, and uses that service ticket to authenticate to KADM5.</p>
+<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> for the available kadmin and kadmin.local
+commands and options.</p>
+<div class="section" id="kadmin-options">
+<h2>kadmin options<a class="headerlink" href="#kadmin-options" title="Permalink to this headline">¶</a></h2>
+<p>You can invoke <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> or kadmin.local with any of the
+following options:</p>
+<p><strong>kadmin</strong>
+[<strong>-O</strong>|<strong>-N</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>]
+[<strong>-w</strong> <em>password</em>]
+[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]]
+[command args...]</p>
+<p><strong>kadmin.local</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...]
+[<strong>-m</strong>]
+[<strong>-x</strong> <em>db_args</em>]
+[command args...]</p>
+<p><strong>OPTIONS</strong></p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Use <em>realm</em> as the default database realm.</dd>
+<dt><strong>-p</strong> <em>principal</em></dt>
+<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append
+<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache,
+the value of the <strong>USER</strong> environment variable, or the username as
+obtained with getpwuid, in order of preference.</dd>
+<dt><strong>-k</strong></dt>
+<dd>Use a keytab to decrypt the KDC response instead of prompting for
+a password. In this case, the default principal will be
+<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the
+<strong>-t</strong> option, then the default keytab will be used.</dd>
+<dt><strong>-t</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used
+with the <strong>-k</strong> option.</dd>
+<dt><strong>-n</strong></dt>
+<dd>Requests anonymous processing. Two types of anonymous principals
+are supported. For fully anonymous Kerberos, configure PKINIT on
+the KDC and configure <strong>pkinit_anchors</strong> in the client&#8217;s
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal
+of the form <tt class="docutils literal"><span class="pre">&#64;REALM</span></tt> (an empty principal name followed by the
+at-sign and a realm name). If permitted by the KDC, an anonymous
+ticket will be returned. A second form of anonymous tickets is
+supported; these realm-exposed tickets hide the identity of the
+client but not the client&#8217;s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span>
+<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the
+principal (but not realm) will be replaced by the anonymous
+principal. As of release 1.8, the MIT Kerberos KDC only supports
+fully anonymous operation.</dd>
+<dt><strong>-c</strong> <em>credentials_cache</em></dt>
+<dd>Use <em>credentials_cache</em> as the credentials cache. The
+cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt>
+(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
+server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the
+<a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin
+requests a new service ticket from the KDC, and stores it in its
+own temporary ccache.</dd>
+<dt><strong>-w</strong> <em>password</em></dt>
+<dd>Use <em>password</em> instead of prompting for one. Use this option with
+care, as it may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-q</strong> <em>query</em></dt>
+<dd>Perform the specified query and then exit.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>Specifies the name of the KDC database. This option does not
+apply to the LDAP database module.</dd>
+<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt>
+<dd>Specifies the admin server which kadmin should contact.</dd>
+<dt><strong>-m</strong></dt>
+<dd>If using kadmin.local, prompt for the database master password
+instead of reading it from a stash file.</dd>
+<dt><strong>-e</strong> &#8220;<em>enc</em>:<em>salt</em> ...&#8221;</dt>
+<dd>Sets the keysalt list to be used for any new keys created. See
+<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+values.</dd>
+<dt><strong>-O</strong></dt>
+<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-N</strong></dt>
+<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>Specifies the database specific arguments. See the next section
+for supported options.</dd>
+</dl>
+</div>
+<div class="section" id="date-format">
+<h2>Date Format<a class="headerlink" href="#date-format" title="Permalink to this headline">¶</a></h2>
+<p>For the supported date-time formats see <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> section
+in <a class="reference internal" href="../basic/date_format.html#datetime"><em>Supported date and time formats</em></a>.</p>
+</div>
+<div class="section" id="principals">
+<h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2>
+<p>Each entry in the Kerberos database contains a Kerberos principal and
+the attributes and policies associated with that principal.</p>
+<div class="section" id="adding-modifying-and-deleting-principals">
+<span id="add-mod-del-princs"></span><h3>Adding, modifying and deleting principals<a class="headerlink" href="#adding-modifying-and-deleting-principals" title="Permalink to this headline">¶</a></h3>
+<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>
+<strong>add_principal</strong> command.</p>
+<p>To modify attributes of a principal, use the kadmin
+<strong>modify_principal</strong> command.</p>
+<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command.</p>
+</div>
+<div class="section" id="add-principal">
+<h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote>
+<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If
+no password policy is specified with the <strong>-policy</strong> option, and the
+policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists.
+However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically
+assign this policy to previously existing principals. This policy
+assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-expire</strong> <em>expdate</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd>
+<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd>
+<dt><strong>-maxlife</strong> <em>maxlife</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life
+for the principal.</dd>
+<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable
+life of tickets for the principal.</dd>
+<dt><strong>-kvno</strong> <em>kvno</em></dt>
+<dd>The initial key version number.</dd>
+<dt><strong>-policy</strong> <em>policy</em></dt>
+<dd>The password policy used by this principal. If not specified, the
+policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong>
+is specified).</dd>
+<dt><strong>-clearpolicy</strong></dt>
+<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not
+specified.</dd>
+<dt>{-|+}<strong>allow_postdated</strong></dt>
+<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining
+postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_forwardable</strong></dt>
+<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining
+forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_renewable</strong></dt>
+<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining
+renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_proxiable</strong></dt>
+<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining
+proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_dup_skey</strong></dt>
+<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this
+principal by prohibiting this principal from obtaining a session
+key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd>
+<dt>{-|+}<strong>requires_preauth</strong></dt>
+<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate
+before being allowed to kinit. <strong>-requires_preauth</strong> clears this
+flag. When <strong>+requires_preauth</strong> is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client&#8217;s initial authentication was performed using
+preauthentication.</dd>
+<dt>{-|+}<strong>requires_hwauth</strong></dt>
+<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate
+using a hardware device before being allowed to kinit.
+<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client&#8217;s initial authentication was
+performed using a hardware device to preauthenticate.</dd>
+<dt>{-|+}<strong>ok_as_delegate</strong></dt>
+<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets
+issued with this principal as the service. Clients may use this
+flag as a hint that credentials should be delegated when
+authenticating to the service. <strong>-ok_as_delegate</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>allow_svr</strong></dt>
+<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this
+principal. <strong>+allow_svr</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tgs_req</strong></dt>
+<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS)
+request for a service ticket for this principal is not permitted.
+<strong>+allow_tgs_req</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tix</strong></dt>
+<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this
+principal. <strong>+allow_tix</strong> clears this flag.</dd>
+<dt>{-|+}<strong>needchange</strong></dt>
+<dd><strong>+needchange</strong> forces a password change on the next initial
+authentication to this principal. <strong>-needchange</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>password_changing_service</strong></dt>
+<dd><strong>+password_changing_service</strong> marks this principal as a password
+change service principal.</dd>
+<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt>
+<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire
+forwardable tickets to itself from arbitrary users, for use with
+constrained delegation.</dd>
+<dt>{-|+}<strong>no_auth_data_required</strong></dt>
+<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from
+being added to service tickets for the principal.</dd>
+<dt>{-|+}<strong>lockdown_keys</strong></dt>
+<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving
+the KDC via kadmind. The chpass and extract operations are denied
+for a principal with this attribute. The chrand operation is
+allowed, but will not return the new keys. The delete and rename
+operations are also denied if this attribute is set, in order to
+prevent a malicious administrator from replacing principals like
+krbtgt/* or kadmin/* with new principals without the attribute.
+This attribute can be set via the network protocol, but can only
+be removed using kadmin.local.</dd>
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-nokey</strong></dt>
+<dd>Causes the principal to be created with no key. New in release
+1.12.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Sets the password of the principal to the specified string and
+does not prompt for a password. Note: using this option in a
+shell script may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-x</strong> <em>db_princ_args</em></dt>
+<dd><p class="first">Indicates database-specific options. The options for the LDAP
+database module are:</p>
+<dl class="docutils">
+<dt><strong>-x dn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object that will contain the Kerberos
+principal being created.</dd>
+<dt><strong>-x linkdn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object to which the newly created Kerberos
+principal object will point.</dd>
+<dt><strong>-x containerdn=</strong><em>container_dn</em></dt>
+<dd>Specifies the container object under which the Kerberos
+principal is to be created.</dd>
+<dt><strong>-x tktpolicy=</strong><em>policy</em></dt>
+<dd>Associates a ticket policy to the Kerberos principal.</dd>
+</dl>
+<div class="last admonition note">
+<p class="first admonition-title">Note</p>
+<ul class="last simple">
+<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be
+specified with the <strong>dn</strong> option.</li>
+<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while
+adding the principal, the principals are created under the
+principal container configured in the realm or the realm
+container.</li>
+<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or
+principal container configured in the realm.</li>
+</ul>
+</div>
+</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer
+WARNING: no policy specified for &quot;jennifer@ATHENA.MIT.EDU&quot;;
+defaulting to no policy.
+Enter password for principal jennifer@ATHENA.MIT.EDU:
+Re-enter password for principal jennifer@ATHENA.MIT.EDU:
+Principal &quot;jennifer@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-principal">
+<h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Modifies the specified principal, changing the fields as specified.
+The options to <strong>add_principal</strong> also apply to this command, except
+for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the
+option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p>
+<p>This command requires the <em>modify</em> privilege.</p>
+<p>Alias: <strong>modprinc</strong></p>
+<p>Options (in addition to the <strong>addprinc</strong> options):</p>
+<dl class="docutils">
+<dt><strong>-unlock</strong></dt>
+<dd>Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according
+to its password policy) so that it can successfully authenticate.</dd>
+</dl>
+</div>
+<div class="section" id="delete-principal">
+<h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote>
+<p>Deletes the specified <em>principal</em> from the database. This command
+prompts for deletion, unless the <strong>-force</strong> option is given.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delprinc</strong></p>
+<div class="section" id="examples">
+<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4>
+<p>If you want to create a principal which is contained by a LDAP object,
+all you need to do is:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
+WARNING: no policy specified for &quot;jennifer@ATHENA.MIT.EDU&quot;;
+defaulting to no policy.
+Enter password for principal jennifer@ATHENA.MIT.EDU: &lt;= Type the password.
+Re-enter password for principal jennifer@ATHENA.MIT.EDU: &lt;=Type it again.
+Principal &quot;jennifer@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+<p>If you want to create a principal under a specific LDAP container and
+link to an existing LDAP object, all you need to do is:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
+WARNING: no policy specified for &quot;david@ATHENA.MIT.EDU&quot;;
+defaulting to no policy.
+Enter password for principal david@ATHENA.MIT.EDU: &lt;= Type the password.
+Re-enter password for principal david@ATHENA.MIT.EDU: &lt;=Type it again.
+Principal &quot;david@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+<p>If you want to associate a ticket policy to a principal, all you need
+to do is:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -x tktpolicy=userpolicy david
+Principal &quot;david@ATHENA.MIT.EDU&quot; modified.
+kadmin:
+</pre></div>
+</div>
+<p>If, on the other hand, you want to set up an account that expires on
+January 1, 2000, that uses a policy called &#8220;stduser&#8221;, with a temporary
+password (which you want the user to change immediately), you would
+type the following:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc david -expire &quot;1/1/2000 12:01am EST&quot; -policy stduser +needchange
+Enter password for principal david@ATHENA.MIT.EDU: &lt;= Type the password.
+Re-enter password for principal
+david@ATHENA.MIT.EDU: &lt;= Type it again.
+Principal &quot;david@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+<p>If you want to delete a principal:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: delprinc jennifer
+Are you sure you want to delete the principal
+&quot;jennifer@ATHENA.MIT.EDU&quot;? (yes/no): yes
+Principal &quot;jennifer@ATHENA.MIT.EDU&quot; deleted.
+Make sure that you have removed this principal from
+all ACLs before reusing.
+kadmin:
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="retrieving-information-about-a-principal">
+<h3>Retrieving information about a principal<a class="headerlink" href="#retrieving-information-about-a-principal" title="Permalink to this headline">¶</a></h3>
+<p>To retrieve a listing of the attributes and/or policies associated
+with a principal, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_principal</strong> command.</p>
+<p>To generate a listing of principals, use the kadmin
+<strong>list_principals</strong> command.</p>
+</div>
+<div class="section" id="get-principal">
+<h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote>
+<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
+fields as quoted tab-separated strings.</p>
+<p>This command requires the <strong>inquire</strong> privilege, or that the principal
+running the the program to be the same as the one being listed.</p>
+<p>Alias: <strong>getprinc</strong></p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin
+Principal: tlyu/admin@BLEEP.COM
+Expiration date: [never]
+Last password change: Mon Aug 12 14:16:47 EDT 1996
+Password expiration date: [none]
+Maximum ticket life: 0 days 10:00:00
+Maximum renewable life: 7 days 00:00:00
+Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+Last successful authentication: [never]
+Last failed authentication: [never]
+Failed password attempts: 0
+Number of keys: 2
+Key: vno 1, des-cbc-crc
+Key: vno 1, des-cbc-crc:v4
+Attributes:
+Policy: [none]
+
+kadmin: getprinc -terse systest
+systest@BLEEP.COM 3 86400 604800 1
+785926535 753241234 785900000
+tlyu/admin@BLEEP.COM 786100034 0 0
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-principals">
+<h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some principal names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are
+printed. If no expression is provided, all principal names are
+printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">&#64;</span></tt> character, an
+<tt class="docutils literal"><span class="pre">&#64;</span></tt> character followed by the local realm is appended to the
+expression.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test*
+test3@SECURE-TEST.OV.COM
+test2@SECURE-TEST.OV.COM
+test1@SECURE-TEST.OV.COM
+testuser@SECURE-TEST.OV.COM
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="changing-passwords">
+<h3>Changing passwords<a class="headerlink" href="#changing-passwords" title="Permalink to this headline">¶</a></h3>
+<p>To change a principal&#8217;s password use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>
+<strong>change_password</strong> command.</p>
+</div>
+<div class="section" id="change-password">
+<h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Changes the password of <em>principal</em>. Prompts for a new password if
+neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p>
+<p>This command requires the <strong>changepw</strong> privilege, or that the
+principal running the program is the same as the principal being
+changed.</p>
+<p>Alias: <strong>cpw</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Set the password to the specified string. Using this option in a
+script may expose the password to other users on the system via
+the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-keepold</strong></dt>
+<dd>Keeps the existing keys in the database. This flag is usually not
+necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest
+Enter password for principal systest@BLEEP.COM:
+Re-enter password for principal systest@BLEEP.COM:
+Password for systest@BLEEP.COM changed.
+kadmin:
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Password changes through kadmin are subject to the same
+password policies as would apply to password changes through
+<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>.</p>
+</div>
+</div>
+</div>
+<div class="section" id="policies">
+<span id="id1"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2>
+<p>A policy is a set of rules governing passwords. Policies can dictate
+minimum and maximum password lifetimes, minimum number of characters
+and character classes a password must contain, and the number of old
+passwords kept in the database.</p>
+<div class="section" id="adding-modifying-and-deleting-policies">
+<h3>Adding, modifying and deleting policies<a class="headerlink" href="#adding-modifying-and-deleting-policies" title="Permalink to this headline">¶</a></h3>
+<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>add_policy</strong> command.</p>
+<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong>
+command.</p>
+<p>To delete a policy, use the kadmin <strong>delete_policy</strong> command.</p>
+</div>
+<div class="section" id="add-policy">
+<h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Adds a password policy named <em>policy</em> to the database.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Alias: <strong>addpol</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-maxlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum
+lifetime of a password.</dd>
+<dt><strong>-minlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum
+lifetime of a password.</dd>
+<dt><strong>-minlength</strong> <em>length</em></dt>
+<dd>Sets the minimum length of a password.</dd>
+<dt><strong>-minclasses</strong> <em>number</em></dt>
+<dd>Sets the minimum number of character classes required in a
+password. The five character classes are lower case, upper case,
+numbers, punctuation, and whitespace/unprintable characters.</dd>
+<dt><strong>-history</strong> <em>number</em></dt>
+<dd>Sets the number of past keys kept for a principal. This option is
+not supported with the LDAP KDC database module.</dd>
+</dl>
+<dl class="docutils" id="policy-maxfailure">
+<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt>
+<dd>Sets the number of authentication failures before the principal is
+locked. Authentication failures are only tracked for principals
+which require preauthentication. The counter of failed attempts
+resets to 0 after a successful attempt to authenticate. A
+<em>maxnumber</em> value of 0 (the default) disables lockout.</dd>
+</dl>
+<dl class="docutils" id="policy-failurecountinterval">
+<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time
+between authentication failures. If an authentication failure
+happens after <em>failuretime</em> has elapsed since the previous
+failure, the number of authentication failures is reset to 1. A
+<em>failuretime</em> value of 0 (the default) means forever.</dd>
+</dl>
+<dl class="docutils" id="policy-lockoutduration">
+<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing. A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd>
+<dt><strong>-allowedkeysalts</strong></dt>
+<dd>Specifies the key/salt tuples supported for long-term keys when
+setting or changing a principal&#8217;s password/keys. See
+<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (&#8216;,&#8217;) only. To clear the allowed key/salt policy use
+a value of &#8216;-&#8216;.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife &quot;2 days&quot; -minlength 5 guests
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-policy">
+<h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Modifies the password policy named <em>policy</em>. Options are as described
+for <strong>add_policy</strong>.</p>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+<p>Alias: <strong>modpol</strong></p>
+</div>
+<div class="section" id="delete-policy">
+<h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote>
+<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation
+before deletion. The command will fail if the policy is in use by any
+principals.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delpol</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests
+Are you sure you want to delete the policy &quot;guests&quot;?
+(yes/no): yes
+kadmin:
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">You must cancel the policy from <em>all</em> principals before
+deleting it. The <em>delete_policy</em> command will fail if the policy
+is in use by any principals.</p>
+</div>
+</div>
+<div class="section" id="retrieving-policies">
+<h3>Retrieving policies<a class="headerlink" href="#retrieving-policies" title="Permalink to this headline">¶</a></h3>
+<p>To retrieve a policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_policy</strong> command.</p>
+<p>You can retrieve the list of policies with the kadmin
+<strong>list_policies</strong> command.</p>
+</div>
+<div class="section" id="get-policy">
+<h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote>
+<p>Displays the values of the password policy named <em>policy</em>. With the
+<strong>-terse</strong> flag, outputs the fields as quoted strings separated by
+tabs.</p>
+<p>This command requires the <strong>inquire</strong> privilege.</p>
+<p>Alias: getpol</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin
+Policy: admin
+Maximum password life: 180 days 00:00:00
+Minimum password life: 00:00:00
+Minimum password length: 6
+Minimum number of password character classes: 2
+Number of old keys kept: 5
+Reference count: 17
+
+kadmin: get_policy -terse admin
+admin 15552000 0 6 2 5 17
+kadmin:
+</pre></div>
+</div>
+<p>The &#8220;Reference count&#8221; is the number of principals using that policy.
+With the LDAP KDC database module, the reference count field is not
+meaningful.</p>
+</div>
+<div class="section" id="list-policies">
+<h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some policy names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are
+printed. If no expression is provided, all existing policy names are
+printed.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols
+test-pol
+dict-only
+once-a-min
+test-pol-nopw
+
+kadmin: listpols t*
+test-pol
+test-pol-nopw
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="policies-and-principals">
+<h3>Policies and principals<a class="headerlink" href="#policies-and-principals" title="Permalink to this headline">¶</a></h3>
+<p>Policies can be applied to principals as they are created by using
+the <strong>-policy</strong> flag to <a class="reference internal" href="admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a>. Existing principals can
+be modified by using the <strong>-policy</strong> or <strong>-clearpolicy</strong> flag to
+<a class="reference internal" href="admin_commands/kadmin_local.html#modify-principal"><em>modify_principal</em></a>.</p>
+</div>
+<div class="section" id="updating-the-history-key">
+<h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3>
+<p>If a policy specifies a number of old keys kept of two or more, the
+stored old keys are encrypted in a history key, which is found in the
+key data of the <tt class="docutils literal"><span class="pre">kadmin/history</span></tt> principal.</p>
+<p>Currently there is no support for proper rollover of the history key,
+but you can change the history key (for example, to use a better
+encryption type) at the cost of invalidating currently stored old
+keys. To change the history key, run:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey kadmin/history
+</pre></div>
+</div>
+<p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one
+new history key will be created, even if you specify multiple key/salt
+combinations.</p>
+<p>In the future, we plan to migrate towards encrypting old keys in the
+master key instead of the history key, and implementing proper
+rollover support for stored old keys.</p>
+</div>
+</div>
+<div class="section" id="privileges">
+<span id="id2"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2>
+<p>Administrative privileges for the Kerberos database are stored in the
+file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">A common use of an admin instance is so you can grant
+separate permissions (such as administrator access to the
+Kerberos database) to a separate Kerberos principal. For
+example, the user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> might have a principal for
+his administrative use, called <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt>. This
+way, <tt class="docutils literal"><span class="pre">joeadmin</span></tt> would obtain <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt> tickets
+only when he actually needs to use those permissions.</p>
+</div>
+</div>
+<div class="section" id="operations-on-the-kerberos-database">
+<span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command is the primary tool for administrating
+the Kerberos database.</p>
+<p><strong>kdb5_util</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-m</strong>]
+<em>command</em> [<em>command_options</em>]</p>
+<p><strong>OPTIONS</strong></p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>specifies the Kerberos realm of the database.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>specifies the name under which the principal database is stored;
+by default the database is that listed in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The
+password policy database and lock files are also derived from this
+value.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-M</strong> <em>mkeyname</em></dt>
+<dd>principal name for the master key in the database. If not
+specified, the name is determined by the <strong>master_key_name</strong>
+variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-m</strong></dt>
+<dd>specifies that the master database password should be read from
+the keyboard rather than fetched from a file on disk.</dd>
+<dt><strong>-sf</strong> <em>stash_file</em></dt>
+<dd>specifies the stash filename of the master database password. If
+not specified, the filename is determined by the
+<strong>key_stash_file</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>specifies the master database password. Using this option may
+expose the password to other users on the system via the process
+list.</dd>
+</dl>
+<div class="toctree-wrapper compound">
+<ul class="simple">
+</ul>
+</div>
+<div class="section" id="dumping-a-kerberos-database-to-a-file">
+<h3>Dumping a Kerberos database to a file<a class="headerlink" href="#dumping-a-kerberos-database-to-a-file" title="Permalink to this headline">¶</a></h3>
+<p>To dump a Kerberos database into a file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>
+<strong>dump</strong> command on one of the KDCs.</p>
+<blockquote>
+<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>]
+[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>]
+[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote>
+<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By
+default, the database is dumped in current format, &#8220;kdb5_util
+load_dump version 7&#8221;. If filename is not specified, or is the string
+&#8220;-&#8221;, the dump is sent to standard output. Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 Beta 7 format (&#8220;kdb5_util
+load_dump version 4&#8221;). This was the dump format produced on
+releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>causes the dump to be in &#8220;ovsec_adm_export&#8221; format.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-mkey_convert</strong></dt>
+<dd>prompts for a new master key. This new master key will be used to
+re-encrypt principal key data in the dumpfile. The principal keys
+themselves will not be changed.</dd>
+<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt>
+<dd>the filename of a stash file. The master key in this stash file
+will be used to re-encrypt the key data in the dumpfile. The key
+data in the database will not be changed.</dd>
+<dt><strong>-rev</strong></dt>
+<dd>dumps in reverse order. This may recover principals that do not
+dump normally, in cases where database corruption has occurred.</dd>
+<dt><strong>-recurse</strong></dt>
+<dd><p class="first">causes the dump to walk the database recursively (btree only).
+This may recover principals that do not dump normally, in cases
+where database corruption has occurred. In cases of such
+corruption, this option will probably retrieve more principals
+than the <strong>-rev</strong> option will.</p>
+<div class="versionchanged">
+<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong>
+option.</p>
+</div>
+<div class="last versionchanged">
+<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.</p>
+</div>
+</dd>
+</dl>
+<div class="section" id="id3">
+<h4>Examples<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump dumpfile
+shell%
+
+shell% kbd5_util dump -verbose dumpfile
+kadmin/admin@ATHENA.MIT.EDU
+krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
+kadmin/history@ATHENA.MIT.EDU
+K/M@ATHENA.MIT.EDU
+kadmin/changepw@ATHENA.MIT.EDU
+shell%
+</pre></div>
+</div>
+<p>If you specify which principals to dump, you must use the full
+principal, as in the following example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
+kadmin/admin@ATHENA.MIT.EDU
+K/M@ATHENA.MIT.EDU
+shell%
+</pre></div>
+</div>
+<p>Otherwise, the principals will not match those in the database and
+will not be dumped:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin
+shell%
+</pre></div>
+</div>
+<p>If you do not specify a dump file, kdb5_util will dump the database to
+the standard output.</p>
+</div>
+</div>
+<div class="section" id="restoring-a-kerberos-database-from-a-dump-file">
+<span id="restore-from-dump"></span><h3>Restoring a Kerberos database from a dump file<a class="headerlink" href="#restoring-a-kerberos-database-from-a-dump-file" title="Permalink to this headline">¶</a></h3>
+<p>To restore a Kerberos database dump from a file, use the
+<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>load</strong> command on one of the KDCs.</p>
+<blockquote>
+<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>]
+[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote>
+<p>Loads a database dump from the named file into the named database. If
+no option is given to determine the format of the dump file, the
+format is detected automatically and handled as appropriate. Unless
+the <strong>-update</strong> option is given, <strong>load</strong> creates a new database
+containing only the data in the dump file, overwriting the contents of
+any previously existing database. Note that when using the LDAP KDC
+database module, the <strong>-update</strong> flag is required.</p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>requires the database to be in the Kerberos 5 Beta 7 format
+(&#8220;kdb5_util load_dump version 4&#8221;). This was the dump format
+produced on releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>requires the database to be in &#8220;ovsec_adm_import&#8221; format. Must be
+used with the <strong>-update</strong> option.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-hash</strong></dt>
+<dd>requires the database to be stored as a hash. If this option is
+not specified, the database will be stored as a btree. This
+option is not recommended, as databases stored in hash format are
+known to corrupt data and lose principals.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-update</strong></dt>
+<dd>records from the dump file are added to or updated in the existing
+database. Otherwise, a new database is created containing only
+what is in the dump file and the old one destroyed upon successful
+completion.</dd>
+</dl>
+<p>If specified, <em>dbname</em> overrides the value specified on the command
+line or the default.</p>
+<div class="section" id="id4">
+<h4>Examples<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h4>
+<p>To load a single principal, either replacing or updating the database:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util load dumpfile principal
+shell%
+
+shell% kdb5_util load -update dumpfile principal
+shell%
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">If the database file exists, and the <em>-update</em> flag was not
+given, <em>kdb5_util</em> will overwrite the existing database.</p>
+</div>
+<p>Using kdb5_util to upgrade a master KDC from krb5 1.1.x:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump old-kdb-dump
+shell% kdb5_util dump -ov old-kdb-dump.ov
+ [Create a new KDC installation, using the old stash file/master password]
+shell% kdb5_util load old-kdb-dump
+shell% kdb5_util load -update old-kdb-dump.ov
+</pre></div>
+</div>
+<p>The use of old-kdb-dump.ov for an extra dump and load is necessary
+to preserve per-principal policy information, which is not included in
+the default dump format of krb5 1.1.x.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Using kdb5_util to dump and reload the principal database is
+only necessary when upgrading from versions of krb5 prior
+to 1.2.0&#8212;newer versions will use the existing database as-is.</p>
+</div>
+</div>
+</div>
+<div class="section" id="creating-a-stash-file">
+<span id="create-stash"></span><h3>Creating a stash file<a class="headerlink" href="#creating-a-stash-file" title="Permalink to this headline">¶</a></h3>
+<p>A stash file allows a KDC to authenticate itself to the database
+utilities, such as <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, and
+<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p>
+<p>To create a stash file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>stash</strong> command.</p>
+<blockquote>
+<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote>
+<p>Stores the master principal&#8217;s keys in a stash file. The <strong>-f</strong>
+argument can be used to override the <em>keyfile</em> specified in
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+<div class="section" id="example">
+<h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4>
+<blockquote>
+<div>shell% kdb5_util stash
+kdb5_util: Cannot find/read stored master key while reading master key
+kdb5_util: Warning: proceeding without master key
+Enter KDC database master key: &lt;= Type the KDC database master password.
+shell%</div></blockquote>
+<p>If you do not specify a stash file, kdb5_util will stash the key in
+the file specified in your <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.</p>
+</div>
+</div>
+<div class="section" id="creating-and-destroying-a-kerberos-database">
+<h3>Creating and destroying a Kerberos database<a class="headerlink" href="#creating-and-destroying-a-kerberos-database" title="Permalink to this headline">¶</a></h3>
+<p>If you need to create a new Kerberos database, use the
+<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>create</strong> command.</p>
+<blockquote>
+<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote>
+<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash
+file is also created. This command fails if the database already
+exists. If the command is successful, the database is opened just as
+if it had already existed when the program was first run.</p>
+<p>If you need to destroy the current Kerberos database, use the
+<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>destroy</strong> command.</p>
+<blockquote>
+<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote>
+<p>Destroys the database, first overwriting the disk sectors and then
+unlinking the files, after prompting the user for confirmation. With
+the <strong>-f</strong> argument, does not prompt the user.</p>
+<div class="section" id="id5">
+<h4>Examples<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h4>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util -r ATHENA.MIT.EDU create -s
+Loading random data
+Initializing database &#39;/usr/local/var/krb5kdc/principal&#39; for realm &#39;ATHENA.MIT.EDU&#39;,
+master key name &#39;K/M@ATHENA.MIT.EDU&#39;
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key: &lt;= Type the master password.
+Re-enter KDC database master key to verify: &lt;= Type it again.
+shell%
+
+shell% kdb5_util -r ATHENA.MIT.EDU destroy
+Deleting KDC database stored in &#39;/usr/local/var/krb5kdc/principal&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? &lt;= yes
+OK, deleting database &#39;/usr/local/var/krb5kdc/principal&#39;...
+** Database &#39;/usr/local/var/krb5kdc/principal&#39; destroyed.
+shell%
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="updating-the-master-key">
+<h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3>
+<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> allows the master key
+to be changed using a rollover process, with minimal loss of
+availability. To roll over the master key, follow these steps:</p>
+<ol class="arabic">
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to view the current
+master key version number (KVNO). If you have never rolled over
+the master key before, this will likely be version 1:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util list_mkeys
+Master keys for Principal: K/M@KRBTEST.COM
+KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 *
+</pre></div>
+</div>
+</li>
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></tt> to ensure that a
+master key activation list is present in the database. This step
+is unnecessary in release 1.11.4 or later, or if the database was
+initially created with release 1.7 or later.</p>
+</li>
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></tt> to create a new
+master key and write it to the stash file. Enter a secure password
+when prompted. If this is the first time you are changing the
+master key, the new key will have version 2. The new master key
+will not be used until you make it active.</p>
+</li>
+<li><p class="first">Propagate the database to all slave KDCs, either manually or by
+waiting until the next scheduled propagation. If you do not have
+any slave KDCs, you can skip this and the next step.</p>
+</li>
+<li><p class="first">On each slave KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to verify that the
+new master key is present, and then <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">stash</span></tt> to write
+the new master key to the slave KDC&#8217;s stash file.</p>
+</li>
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></tt> to begin using the
+new master key. Replace <tt class="docutils literal"><span class="pre">2</span></tt> with the version of the new master
+key, as appropriate. You can optionally specify a date for the new
+master key to become active; by default, it will become active
+immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> must be
+restarted for this change to take full effect.</p>
+</li>
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></tt>. This
+command will iterate over the database and re-encrypt all keys in
+the new master key. If the database is large and uses DB2, the
+master KDC will become unavailable while this command runs, but
+clients should fail over to slave KDCs (if any are present) during
+this time period. In release 1.13 and later, you can instead run
+<tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></tt> to use unlocked
+iteration; this variant will take longer, but will keep the
+database available to the KDC and kadmind while it runs.</p>
+</li>
+<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></tt> to clean up the
+old master key.</p>
+</li>
+</ol>
+</div>
+</div>
+<div class="section" id="operations-on-the-ldap-database">
+<span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Permalink to this headline">¶</a></h2>
+<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> is the primary tool for administrating
+the Kerberos LDAP database. It allows an administrator to manage
+realms, Kerberos services (KDC and Admin Server) and ticket policies.</p>
+<p><strong>kdb5_ldap_util</strong>
+[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]]
+[<strong>-H</strong> <em>ldapuri</em>]
+<strong>command</strong>
+[<em>command_options</em>]</p>
+<p><strong>OPTIONS</strong></p>
+<dl class="docutils">
+<dt><strong>-D</strong> <em>user_dn</em></dt>
+<dd>Specifies the Distinguished Name (DN) of the user who has
+sufficient rights to perform the operation on the LDAP server.</dd>
+<dt><strong>-w</strong> <em>passwd</em></dt>
+<dd>Specifies the password of <em>user_dn</em>. This option is not
+recommended.</dd>
+<dt><strong>-H</strong> <em>ldapuri</em></dt>
+<dd>Specifies the URI of the LDAP server. It is recommended to use
+<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd>
+</dl>
+<div class="section" id="creating-a-kerberos-realm">
+<span id="ldap-create-realm"></span><h3>Creating a Kerberos realm<a class="headerlink" href="#creating-a-kerberos-realm" title="Permalink to this headline">¶</a></h3>
+<p>If you need to create a new realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>
+<strong>create</strong> command as follows.</p>
+<blockquote>
+<div><strong>create</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-s</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Creates realm in directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtree. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt>
+<dd>Specifies the DN of the container object in which the principals
+of a realm will be created. If the container reference is not
+configured for a realm, the principals will be created in the
+realm container.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>Specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-m</strong></dt>
+<dd>Specifies that the master database password should be read from
+the TTY rather than fetched from a file on the disk.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>Specifies the master database password. This option is not
+recommended.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-sf</strong> <em>stashfilename</em></dt>
+<dd>Specifies the stash file of the master database password.</dd>
+<dt><strong>-s</strong></dt>
+<dd>Specifies that the stash file is to be created.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Initializing database for realm &#39;ATHENA.MIT.EDU&#39;
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re-enter KDC database master key to verify:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modifying-a-kerberos-realm">
+<span id="ldap-mod-realm"></span><h3>Modifying a Kerberos realm<a class="headerlink" href="#modifying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3>
+<p>If you need to modify a realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>
+<strong>modify</strong> command as follows.</p>
+<blockquote>
+<div><strong>modify</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Modifies the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtrees. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt>
+<dd>container object in which the principals of a realm will be
+created.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify +requires_preauth -r
+ ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroying-a-kerberos-realm">
+<h3>Destroying a Kerberos realm<a class="headerlink" href="#destroying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3>
+<p>If you need to destroy a Kerberos realm, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>destroy</strong> command as follows.</p>
+<blockquote>
+<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Destroys an existing realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong></dt>
+<dd>If specified, will not prompt the user for confirmation.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Deleting KDC database of &#39;ATHENA.MIT.EDU&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+OK, deleting database of &#39;ATHENA.MIT.EDU&#39;...
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="retrieving-information-about-a-kerberos-realm">
+<h3>Retrieving information about a Kerberos realm<a class="headerlink" href="#retrieving-information-about-a-kerberos-realm" title="Permalink to this headline">¶</a></h3>
+<p>If you need to display the attributes of a realm, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view</strong> command as follows.</p>
+<blockquote>
+<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Displays the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Realm Name: ATHENA.MIT.EDU
+Subtree: ou=users,o=org
+Subtree: ou=servers,o=org
+SearchScope: ONE
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="listing-available-kerberos-realms">
+<h3>Listing available Kerberos realms<a class="headerlink" href="#listing-available-kerberos-realms" title="Permalink to this headline">¶</a></h3>
+<p>If you need to display the list of the realms, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list</strong> command as follows.</p>
+<blockquote>
+<div><strong>list</strong></div></blockquote>
+<p>Lists the name of realms.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu list
+Password for &quot;cn=admin,o=org&quot;:
+ATHENA.MIT.EDU
+OPENLDAP.MIT.EDU
+MEDIA-LAB.MIT.EDU
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="stashing-service-object-s-password">
+<span id="stash-ldap"></span><h3>Stashing service object&#8217;s password<a class="headerlink" href="#stashing-service-object-s-password" title="Permalink to this headline">¶</a></h3>
+<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>stashsrvpw</strong> command allows an
+administrator to store the password of service object in a file. The
+KDC and Administration server uses this password to authenticate to
+the LDAP server.</p>
+<blockquote>
+<div><strong>stashsrvpw</strong>
+[<strong>-f</strong> <em>filename</em>]
+<em>name</em></div></blockquote>
+<p>Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong> <em>filename</em></dt>
+<dd>Specifies the complete path of the service password file. By
+default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd>
+<dt><em>name</em></dt>
+<dd>Specifies the name of the object whose password is to be stored.
+If <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for
+simple binding, this should be the distinguished name it will
+use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong>
+variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
+<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
+ cn=service-kdc,o=org
+Password for &quot;cn=service-kdc,o=org&quot;:
+Re-enter password for &quot;cn=service-kdc,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="ticket-policy-operations">
+<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3>
+<div class="section" id="creating-a-ticket-policy">
+<h4>Creating a Ticket Policy<a class="headerlink" href="#creating-a-ticket-policy" title="Permalink to this headline">¶</a></h4>
+<p>To create a new ticket policy in directory , use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>create_policy</strong> command. Ticket policy
+objects are created under the realm container.</p>
+<blockquote>
+<div><strong>create_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Creates a ticket policy in the directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies the ticket flags. If this option is not specified, by
+default, no restriction will be set by the policy. Allowable
+flags are documented in the description of the <strong>add_principal</strong>
+command in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create_policy -r ATHENA.MIT.EDU -maxtktlife &quot;1 day&quot;
+ -maxrenewlife &quot;1 week&quot; -allow_postdated +needchange
+ -allow_forwardable tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modifying-a-ticket-policy">
+<h4>Modifying a Ticket Policy<a class="headerlink" href="#modifying-a-ticket-policy" title="Permalink to this headline">¶</a></h4>
+<p>To modify a ticket policy in directory, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>modify_policy</strong> command.</p>
+<blockquote>
+<div><strong>modify_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Modifies the attributes of a ticket policy. Options are same as for
+<strong>create_policy</strong>.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
+ -maxtktlife &quot;60 minutes&quot; -maxrenewlife &quot;10 hours&quot;
+ +allow_postdated -requires_preauth tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="retrieving-information-about-a-ticket-policy">
+<h4>Retrieving Information About a Ticket Policy<a class="headerlink" href="#retrieving-information-about-a-ticket-policy" title="Permalink to this headline">¶</a></h4>
+<p>To display the attributes of a ticket policy, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view_policy</strong> command.</p>
+<blockquote>
+<div><strong>view_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+<em>policy_name</em></div></blockquote>
+<p>Displays the attributes of a ticket policy. Options:</p>
+<dl class="docutils">
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+Ticket policy: tktpolicy
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroying-a-ticket-policy">
+<h4>Destroying a Ticket Policy<a class="headerlink" href="#destroying-a-ticket-policy" title="Permalink to this headline">¶</a></h4>
+<p>To destroy an existing ticket policy, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>
+<strong>destroy_policy</strong> command.</p>
+<blockquote>
+<div><strong>destroy_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-force</strong>]
+<em>policy_name</em></div></blockquote>
+<p>Destroys an existing ticket policy. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-force</strong></dt>
+<dd>Forces the deletion of the policy object. If not specified, the
+user will be prompted for confirmation before deleting the policy.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ destroy_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+This will delete the policy object &#39;tktpolicy&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+** policy object &#39;tktpolicy&#39; deleted.
+</pre></div>
+</div>
+</div>
+<div class="section" id="listing-available-ticket-policies">
+<h4>Listing available Ticket Policies<a class="headerlink" href="#listing-available-ticket-policies" title="Permalink to this headline">¶</a></h4>
+<p>To list the name of ticket policies in a realm, use the
+<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list_policy</strong> command.</p>
+<blockquote>
+<div><strong>list_policy</strong>
+[<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Lists the ticket policies in realm if specified or in the default
+realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ list_policy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+tktpolicy
+tmppolicy
+userpolicy
+</pre></div>
+</div>
+</div>
+</div>
+</div>
+<div class="section" id="cross-realm-authentication">
+<span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Permalink to this headline">¶</a></h2>
+<p>In order for a KDC in one realm to authenticate Kerberos users in a
+different realm, it must share a key with the KDC in the other realm.
+In both databases, there must be krbtgt service principals for both realms.
+For example, if you need to do cross-realm authentication between the realms
+<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> and <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>, you would need to add the
+principals <tt class="docutils literal"><span class="pre">krbtgt/EXAMPLE.COM&#64;ATHENA.MIT.EDU</span></tt> and
+<tt class="docutils literal"><span class="pre">krbtgt/ATHENA.MIT.EDU&#64;EXAMPLE.COM</span></tt> to both databases.
+These principals must all have the same passwords, key version
+numbers, and encryption types; this may require explicitly setting
+the key version number with the <strong>-kvno</strong> option.</p>
+<p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators
+would run the following commands on the KDCs in both realms:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell%: kadmin.local -e &quot;aes256-cts:normal&quot;
+kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
+Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
+Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
+kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
+Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
+Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
+kadmin:
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Even if most principals in a realm are generally created
+with the <strong>requires_preauth</strong> flag enabled, this flag is not
+desirable on cross-realm authentication keys because doing
+so makes it impossible to disable preauthentication on a
+service-by-service basis. Disabling it as in the example
+above is recommended.</p>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">It is very important that these principals have good
+passwords. MIT recommends that TGT principal passwords be
+at least 26 characters of random ASCII text.</p>
+</div>
+</div>
+<div class="section" id="changing-the-krbtgt-key">
+<span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Permalink to this headline">¶</a></h2>
+<p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
+principal <tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt>. The key for this principal is created
+when the Kerberos database is initialized and need not be changed.
+However, it will only have the encryption types supported by the KDC
+at the time of the initial database creation. To allow use of newer
+encryption types for the TGT, this key has to be changed.</p>
+<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>
+<strong>change_password</strong> command would invalidate any previously issued
+TGTs. Therefore, when changing this key, normally one should use the
+<strong>-keepold</strong> flag to change_password to retain the previous key in the
+database as well as the new key. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
+</pre></div>
+</div>
+<div class="admonition warning">
+<p class="first admonition-title">Warning</p>
+<p class="last">After issuing this command, the old key is still valid
+and is still vulnerable to (for instance) brute force
+attacks. To completely retire an old key or encryption
+type, run the kadmin <strong>purgekeys</strong> command to delete keys
+with older kvnos, ideally first making sure that all
+tickets issued with the old keys have expired.</p>
+</div>
+<p>Only the first krbtgt key of the newest key version is used to encrypt
+ticket-granting tickets. However, the set of encryption types present
+in the krbtgt keys is used by default to determine the session key
+types supported by the krbtgt service (see
+<a class="reference internal" href="enctypes.html#session-key-selection"><em>Session key selection</em></a>). Because non-MIT Kerberos clients
+sometimes send a limited set of encryption types when making AS
+requests, it can be important to for the krbtgt service to support
+multiple encryption types. This can be accomplished by giving the
+krbtgt principal multiple keys, which is usually as simple as not
+specifying any <strong>-e</strong> option when changing the krbtgt key, or by
+setting the <strong>session_enctypes</strong> string attribute on the krbtgt
+principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>).</p>
+<p>Due to a bug in releases 1.8 through 1.13, renewed and forwarded
+tickets may not work if the original ticket was obtained prior to a
+krbtgt key change and the modified ticket is obtained afterwards.
+Upgrading the KDC to release 1.14 or later will correct this bug.</p>
+</div>
+<div class="section" id="incremental-database-propagation">
+<span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="overview">
+<h3>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h3>
+<p>At some very large sites, dumping and transmitting the database can
+take more time than is desirable for changes to propagate from the
+master KDC to the slave KDCs. The incremental propagation support
+added in the 1.7 release is intended to address this.</p>
+<p>With incremental propagation enabled, all programs on the master KDC
+that change the database also write information about the changes to
+an &#8220;update log&#8221; file, maintained as a circular buffer of a certain
+size. A process on each slave KDC connects to a service on the master
+KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> server) and
+periodically requests the changes that have been made since the last
+check. By default, this check is done every two minutes. If the
+database has just been modified in the previous several seconds
+(currently the threshold is hard-coded at 10 seconds), the slave will
+not retrieve updates, but instead will pause and try again soon after.
+This reduces the likelihood that incremental update queries will cause
+delays for an administrator trying to make a bunch of changes to the
+database at the same time.</p>
+<p>Incremental propagation uses the following entries in the per-realm
+data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>):</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="4%" />
+<col width="3%" />
+<col width="94%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>iprop_enable</td>
+<td><em>boolean</em></td>
+<td>If <em>true</em>, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is <em>false</em>.</td>
+</tr>
+<tr class="row-even"><td>iprop_master_ulogsize</td>
+<td><em>integer</em></td>
+<td>Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.</td>
+</tr>
+<tr class="row-odd"><td>iprop_slave_poll</td>
+<td><em>time interval</em></td>
+<td>Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes.</td>
+</tr>
+<tr class="row-even"><td>iprop_port</td>
+<td><em>integer</em></td>
+<td>Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.</td>
+</tr>
+<tr class="row-odd"><td>iprop_resync_timeout</td>
+<td><em>integer</em></td>
+<td>Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes).</td>
+</tr>
+<tr class="row-even"><td>iprop_logfile</td>
+<td><em>file name</em></td>
+<td>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn&#8217;t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</td>
+</tr>
+</tbody>
+</table>
+<p>Both master and slave sides must have a principal named
+<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> (where <em>hostname</em> is the lowercase,
+fully-qualified, canonical name for the host) registered in the
+Kerberos database, and have keys for that principal stored in the
+default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>). In release 1.13, the
+<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal is created automatically for the master
+KDC, but it must still be created for slave KDCs.</p>
+<p>On the master KDC side, the <tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal must be
+listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>, and given the
+<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><em>Privileges</em></a>).</p>
+<p>On the slave KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> should be run. When
+incremental propagation is enabled, it will connect to the kadmind on
+the master KDC and start requesting updates.</p>
+<p>The normal kprop mechanism is disabled by the incremental propagation
+support. However, if the slave has been unable to fetch changes from
+the master KDC for too long (network problems, perhaps), the log on
+the master may wrap around and overwrite some of the updates that the
+slave has not yet retrieved. In this case, the slave will instruct
+the master KDC to dump the current database out to a file and invoke a
+one-time kprop propagation, with special options to also convey the
+point in the update log at which the slave should resume fetching
+incremental updates. Thus, all the keytab and ACL setup previously
+described for kprop propagation is still needed.</p>
+<p>If an environment has a large number of slaves, it may be desirable to
+arrange them in a hierarchy instead of having the master serve updates
+to every slave. To do this, run <tt class="docutils literal"><span class="pre">kadmind</span> <span class="pre">-proponly</span></tt> on each
+intermediate slave, and <tt class="docutils literal"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></tt> on downstream
+slaves to direct each one to the appropriate upstream slave.</p>
+<p>There are several known restrictions in the current implementation:</p>
+<ul class="simple">
+<li>The incremental update protocol does not transport changes to policy
+objects. Any policy changes on the master will result in full
+resyncs to all slaves.</li>
+<li>The slave&#8217;s KDB module must support locking; it cannot be using the
+LDAP KDB module.</li>
+<li>The master and slave must be able to initiate TCP connections in
+both directions, without an intervening NAT.</li>
+</ul>
+</div>
+<div class="section" id="sun-mit-incremental-propagation-differences">
+<h3>Sun/MIT incremental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differences" title="Permalink to this headline">¶</a></h3>
+<p>Sun donated the original code for supporting incremental database
+propagation to MIT. Some changes have been made in the MIT source
+tree that will be visible to administrators. (These notes are based
+on Sun&#8217;s patches. Changes to Sun&#8217;s implementation since then may not
+be reflected here.)</p>
+<p>The Sun config file support looks for <tt class="docutils literal"><span class="pre">sunw_dbprop_enable</span></tt>,
+<tt class="docutils literal"><span class="pre">sunw_dbprop_master_ulogsize</span></tt>, and <tt class="docutils literal"><span class="pre">sunw_dbprop_slave_poll</span></tt>.</p>
+<p>The incremental propagation service is implemented as an ONC RPC
+service. In the Sun implementation, the service is registered with
+rpcbind (also known as portmapper) and the client looks up the port
+number to contact. In the MIT implementation, where interaction with
+some modern versions of rpcbind doesn&#8217;t always work well, the port
+number must be specified in the config file on both the master and
+slave sides.</p>
+<p>The Sun implementation hard-codes pathnames in <tt class="docutils literal"><span class="pre">/var/krb5</span></tt> for the
+update log and the per-slave kprop dump files. In the MIT
+implementation, the pathname for the update log is specified in the
+config file, and the per-slave dump files are stored in
+<a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans_hostname</span></tt>.</p>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Database administration</a><ul>
+<li><a class="reference internal" href="#kadmin-options">kadmin options</a></li>
+<li><a class="reference internal" href="#date-format">Date Format</a></li>
+<li><a class="reference internal" href="#principals">Principals</a><ul>
+<li><a class="reference internal" href="#adding-modifying-and-deleting-principals">Adding, modifying and deleting principals</a></li>
+<li><a class="reference internal" href="#add-principal">add_principal</a></li>
+<li><a class="reference internal" href="#modify-principal">modify_principal</a></li>
+<li><a class="reference internal" href="#delete-principal">delete_principal</a><ul>
+<li><a class="reference internal" href="#examples">Examples</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#retrieving-information-about-a-principal">Retrieving information about a principal</a></li>
+<li><a class="reference internal" href="#get-principal">get_principal</a></li>
+<li><a class="reference internal" href="#list-principals">list_principals</a></li>
+<li><a class="reference internal" href="#changing-passwords">Changing passwords</a></li>
+<li><a class="reference internal" href="#change-password">change_password</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#policies">Policies</a><ul>
+<li><a class="reference internal" href="#adding-modifying-and-deleting-policies">Adding, modifying and deleting policies</a></li>
+<li><a class="reference internal" href="#add-policy">add_policy</a></li>
+<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
+<li><a class="reference internal" href="#delete-policy">delete_policy</a></li>
+<li><a class="reference internal" href="#retrieving-policies">Retrieving policies</a></li>
+<li><a class="reference internal" href="#get-policy">get_policy</a></li>
+<li><a class="reference internal" href="#list-policies">list_policies</a></li>
+<li><a class="reference internal" href="#policies-and-principals">Policies and principals</a></li>
+<li><a class="reference internal" href="#updating-the-history-key">Updating the history key</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#privileges">Privileges</a></li>
+<li><a class="reference internal" href="#operations-on-the-kerberos-database">Operations on the Kerberos database</a><ul>
+<li><a class="reference internal" href="#dumping-a-kerberos-database-to-a-file">Dumping a Kerberos database to a file</a><ul>
+<li><a class="reference internal" href="#id3">Examples</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#restoring-a-kerberos-database-from-a-dump-file">Restoring a Kerberos database from a dump file</a><ul>
+<li><a class="reference internal" href="#id4">Examples</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#creating-a-stash-file">Creating a stash file</a><ul>
+<li><a class="reference internal" href="#example">Example</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#creating-and-destroying-a-kerberos-database">Creating and destroying a Kerberos database</a><ul>
+<li><a class="reference internal" href="#id5">Examples</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#updating-the-master-key">Updating the master key</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#operations-on-the-ldap-database">Operations on the LDAP database</a><ul>
+<li><a class="reference internal" href="#creating-a-kerberos-realm">Creating a Kerberos realm</a></li>
+<li><a class="reference internal" href="#modifying-a-kerberos-realm">Modifying a Kerberos realm</a></li>
+<li><a class="reference internal" href="#destroying-a-kerberos-realm">Destroying a Kerberos realm</a></li>
+<li><a class="reference internal" href="#retrieving-information-about-a-kerberos-realm">Retrieving information about a Kerberos realm</a></li>
+<li><a class="reference internal" href="#listing-available-kerberos-realms">Listing available Kerberos realms</a></li>
+<li><a class="reference internal" href="#stashing-service-object-s-password">Stashing service object&#8217;s password</a></li>
+<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a><ul>
+<li><a class="reference internal" href="#creating-a-ticket-policy">Creating a Ticket Policy</a></li>
+<li><a class="reference internal" href="#modifying-a-ticket-policy">Modifying a Ticket Policy</a></li>
+<li><a class="reference internal" href="#retrieving-information-about-a-ticket-policy">Retrieving Information About a Ticket Policy</a></li>
+<li><a class="reference internal" href="#destroying-a-ticket-policy">Destroying a Ticket Policy</a></li>
+<li><a class="reference internal" href="#listing-available-ticket-policies">Listing available Ticket Policies</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><a class="reference internal" href="#cross-realm-authentication">Cross-realm authentication</a></li>
+<li><a class="reference internal" href="#changing-the-krbtgt-key">Changing the krbtgt key</a></li>
+<li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a><ul>
+<li><a class="reference internal" href="#overview">Overview</a></li>
+<li><a class="reference internal" href="#sun-mit-incremental-propagation-differences">Sun/MIT incremental propagation differences</a></li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Database administration</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="realm_config.html" title="Realm configuration decisions"
+ >previous</a> |
+ <a href="lockout.html" title="Account lockout"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html
new file mode 100644
index 000000000000..1cee3212704b
--- /dev/null
+++ b/doc/html/admin/enctypes.html
@@ -0,0 +1,345 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Encryption types &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="HTTPS proxy configuration" href="https.html" />
+ <link rel="prev" title="Principal names and DNS" href="princ_dns.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="princ_dns.html" title="Principal names and DNS"
+ accesskey="P">previous</a> |
+ <a href="https.html" title="HTTPS proxy configuration"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Encryption types">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="encryption-types">
+<span id="enctypes"></span><h1>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h1>
+<p>Kerberos can use a variety of cipher algorithms to protect data. A
+Kerberos <strong>encryption type</strong> (also known as an <strong>enctype</strong>) is a
+specific combination of a cipher algorithm with an integrity algorithm
+to provide both confidentiality and integrity to data.</p>
+<div class="section" id="enctypes-in-requests">
+<h2>Enctypes in requests<a class="headerlink" href="#enctypes-in-requests" title="Permalink to this headline">¶</a></h2>
+<p>Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and
+TGS-REQs. The client uses the AS-REQ to obtain initial tickets
+(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to
+obtain service tickets.</p>
+<p>The KDC uses three different keys when issuing a ticket to a client:</p>
+<ul class="simple">
+<li>The long-term key of the service: the KDC uses this to encrypt the
+actual service ticket. The KDC only uses the first long-term key in
+the most recent kvno for this purpose.</li>
+<li>The session key: the KDC randomly chooses this key and places one
+copy inside the ticket and the other copy inside the encrypted part
+of the reply.</li>
+<li>The reply-encrypting key: the KDC uses this to encrypt the reply it
+sends to the client. For AS replies, this is a long-term key of the
+client principal. For TGS replies, this is either the session key of the
+authenticating ticket, or a subsession key.</li>
+</ul>
+<p>Each of these keys is of a specific enctype.</p>
+<p>Each request type allows the client to submit a list of enctypes that
+it is willing to accept. For the AS-REQ, this list affects both the
+session key selection and the reply-encrypting key selection. For the
+TGS-REQ, this list only affects the session key selection.</p>
+</div>
+<div class="section" id="session-key-selection">
+<span id="id1"></span><h2>Session key selection<a class="headerlink" href="#session-key-selection" title="Permalink to this headline">¶</a></h2>
+<p>The KDC chooses the session key enctype by taking the intersection of
+its <strong>permitted_enctypes</strong> list, the list of long-term keys for the
+most recent kvno of the service, and the client&#8217;s requested list of
+enctypes. If <strong>allow_weak_crypto</strong> is true, all services are assumed
+to support des-cbc-crc.</p>
+<p>Starting in krb5-1.11, <strong>des_crc_session_supported</strong> in
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> allows additional control over whether the KDC
+issues des-cbc-crc session keys.</p>
+<p>Also starting in krb5-1.11, it is possible to set a string attribute
+on a service principal to control what session key enctypes the KDC
+may issue for service tickets for that principal. See
+<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a> in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> for details.</p>
+</div>
+<div class="section" id="choosing-enctypes-for-a-service">
+<h2>Choosing enctypes for a service<a class="headerlink" href="#choosing-enctypes-for-a-service" title="Permalink to this headline">¶</a></h2>
+<p>Generally, a service should have a key of the strongest
+enctype that both it and the KDC support. If the KDC is running a
+release earlier than krb5-1.11, it is also useful to generate an
+additional key for each enctype that the service can support. The KDC
+will only use the first key in the list of long-term keys for encrypting
+the service ticket, but the additional long-term keys indicate the
+other enctypes that the service supports.</p>
+<p>As noted above, starting with release krb5-1.11, there are additional
+configuration settings that control session key enctype selection
+independently of the set of long-term keys that the KDC has stored for
+a service principal.</p>
+</div>
+<div class="section" id="configuration-variables">
+<h2>Configuration variables<a class="headerlink" href="#configuration-variables" title="Permalink to this headline">¶</a></h2>
+<p>The following <tt class="docutils literal"><span class="pre">[libdefaults]</span></tt> settings in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> will
+affect how enctypes are chosen.</p>
+<dl class="docutils">
+<dt><strong>allow_weak_crypto</strong></dt>
+<dd>defaults to <em>false</em> starting with krb5-1.8. When <em>false</em>, removes
+single-DES enctypes (and other weak enctypes) from
+<strong>permitted_enctypes</strong>, <strong>default_tkt_enctypes</strong>, and
+<strong>default_tgs_enctypes</strong>. Do not set this to <em>true</em> unless the
+use of weak enctypes is an acceptable risk for your environment
+and the weak enctypes are required for backward compatibility.</dd>
+<dt><strong>permitted_enctypes</strong></dt>
+<dd>controls the set of enctypes that a service will accept as session
+keys.</dd>
+<dt><strong>default_tkt_enctypes</strong></dt>
+<dd>controls the default set of enctypes that the Kerberos client
+library requests when making an AS-REQ. Do not set this unless
+required for specific backward compatibility purposes; stale
+values of this setting can prevent clients from taking advantage
+of new stronger enctypes when the libraries are upgraded.</dd>
+<dt><strong>default_tgs_enctypes</strong></dt>
+<dd>controls the default set of enctypes that the Kerberos client
+library requests when making a TGS-REQ. Do not set this unless
+required for specific backward compatibility purposes; stale
+values of this setting can prevent clients from taking advantage
+of new stronger enctypes when the libraries are upgraded.</dd>
+</dl>
+<p>The following per-realm setting in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> affects the
+generation of long-term keys.</p>
+<dl class="docutils">
+<dt><strong>supported_enctypes</strong></dt>
+<dd>controls the default set of enctype-salttype pairs that <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+will use for generating long-term keys, either randomly or from
+passwords</dd>
+</dl>
+</div>
+<div class="section" id="enctype-compatibility">
+<h2>Enctype compatibility<a class="headerlink" href="#enctype-compatibility" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> for additional information about enctypes.</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="57%" />
+<col width="11%" />
+<col width="17%" />
+<col width="15%" />
+</colgroup>
+<thead valign="bottom">
+<tr class="row-odd"><th class="head">enctype</th>
+<th class="head">weak?</th>
+<th class="head">krb5</th>
+<th class="head">Windows</th>
+</tr>
+</thead>
+<tbody valign="top">
+<tr class="row-even"><td>des-cbc-crc</td>
+<td>weak</td>
+<td>all</td>
+<td>&gt;=2000</td>
+</tr>
+<tr class="row-odd"><td>des-cbc-md4</td>
+<td>weak</td>
+<td>all</td>
+<td>?</td>
+</tr>
+<tr class="row-even"><td>des-cbc-md5</td>
+<td>weak</td>
+<td>all</td>
+<td>&gt;=2000</td>
+</tr>
+<tr class="row-odd"><td>des3-cbc-sha1</td>
+<td>&nbsp;</td>
+<td>&gt;=1.1</td>
+<td>none</td>
+</tr>
+<tr class="row-even"><td>arcfour-hmac</td>
+<td>&nbsp;</td>
+<td>&gt;=1.3</td>
+<td>&gt;=2000</td>
+</tr>
+<tr class="row-odd"><td>arcfour-hmac-exp</td>
+<td>weak</td>
+<td>&gt;=1.3</td>
+<td>&gt;=2000</td>
+</tr>
+<tr class="row-even"><td>aes128-cts-hmac-sha1-96</td>
+<td>&nbsp;</td>
+<td>&gt;=1.3</td>
+<td>&gt;=Vista</td>
+</tr>
+<tr class="row-odd"><td>aes256-cts-hmac-sha1-96</td>
+<td>&nbsp;</td>
+<td>&gt;=1.3</td>
+<td>&gt;=Vista</td>
+</tr>
+<tr class="row-even"><td>aes128-cts-hmac-sha256-128</td>
+<td>&nbsp;</td>
+<td>&gt;=1.15</td>
+<td>none</td>
+</tr>
+<tr class="row-odd"><td>aes256-cts-hmac-sha384-192</td>
+<td>&nbsp;</td>
+<td>&gt;=1.15</td>
+<td>none</td>
+</tr>
+<tr class="row-even"><td>camellia128-cts-cmac</td>
+<td>&nbsp;</td>
+<td>&gt;=1.9</td>
+<td>none</td>
+</tr>
+<tr class="row-odd"><td>camellia256-cts-cmac</td>
+<td>&nbsp;</td>
+<td>&gt;=1.9</td>
+<td>none</td>
+</tr>
+</tbody>
+</table>
+<p>krb5 releases 1.8 and later disable the single-DES enctypes by
+default. Microsoft Windows releases Windows 7 and later disable
+single-DES enctypes by default.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Encryption types</a><ul>
+<li><a class="reference internal" href="#enctypes-in-requests">Enctypes in requests</a></li>
+<li><a class="reference internal" href="#session-key-selection">Session key selection</a></li>
+<li><a class="reference internal" href="#choosing-enctypes-for-a-service">Choosing enctypes for a service</a></li>
+<li><a class="reference internal" href="#configuration-variables">Configuration variables</a></li>
+<li><a class="reference internal" href="#enctype-compatibility">Enctype compatibility</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Encryption types</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="princ_dns.html" title="Principal names and DNS"
+ >previous</a> |
+ <a href="https.html" title="HTTPS proxy configuration"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Encryption types">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html
new file mode 100644
index 000000000000..087accf2a729
--- /dev/null
+++ b/doc/html/admin/env_variables.html
@@ -0,0 +1,192 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Environment variables &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Troubleshooting" href="troubleshoot.html" />
+ <link rel="prev" title="MIT Kerberos defaults" href="../mitK5defaults.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../mitK5defaults.html" title="MIT Kerberos defaults"
+ accesskey="P">previous</a> |
+ <a href="troubleshoot.html" title="Troubleshooting"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Environment variables">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="environment-variables">
+<h1>Environment variables<a class="headerlink" href="#environment-variables" title="Permalink to this headline">¶</a></h1>
+<p>The following environment variables can be used during runtime:</p>
+<dl class="docutils">
+<dt><strong>KRB5_CONFIG</strong></dt>
+<dd>Main Kerberos configuration file. Multiple filenames can be
+specified, separated by a colon; all files which are present will
+be read. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default path.)</dd>
+<dt><strong>KRB5_KDC_PROFILE</strong></dt>
+<dd>KDC configuration file. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default
+name.)</dd>
+<dt><strong>KRB5_KTNAME</strong></dt>
+<dd>Default keytab file name. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the
+default name.)</dd>
+<dt><strong>KRB5_CLIENT_KTNAME</strong></dt>
+<dd>Default client keytab file name. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for
+the default name.)</dd>
+<dt><strong>KRB5CCNAME</strong></dt>
+<dd>Default name for the credentials cache file, in the form <em>type</em>:<em>residual</em>. The type of the default cache may determine the
+availability of a cache collection. For instance, a default cache
+of type <tt class="docutils literal"><span class="pre">DIR</span></tt> causes caches within the directory to be present
+in the global cache collection.</dd>
+<dt><strong>KRB5RCACHETYPE</strong></dt>
+<dd>Default replay cache type. Defaults to <tt class="docutils literal"><span class="pre">dfl</span></tt>. A value of
+<tt class="docutils literal"><span class="pre">none</span></tt> disables the replay cache.</dd>
+<dt><strong>KRB5RCACHEDIR</strong></dt>
+<dd>Default replay cache directory. (See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the
+default location.)</dd>
+<dt><strong>KPROP_PORT</strong></dt>
+<dd><a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> port to use. Defaults to 754.</dd>
+<dt><strong>KRB5_TRACE</strong></dt>
+<dd>Filename for trace-logging output (introduced in release 1.9).
+For example, <tt class="docutils literal"><span class="pre">env</span> <span class="pre">KRB5_TRACE=/dev/stdout</span> <span class="pre">kinit</span></tt> would send
+tracing information for kinit to <tt class="docutils literal"><span class="pre">/dev/stdout</span></tt>. Some programs
+may ignore this variable (particularly setuid or login system
+programs).</dd>
+</dl>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Environment variables</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../mitK5defaults.html" title="MIT Kerberos defaults"
+ >previous</a> |
+ <a href="troubleshoot.html" title="Troubleshooting"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Environment variables">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html
new file mode 100644
index 000000000000..809a2db19269
--- /dev/null
+++ b/doc/html/admin/host_config.html
@@ -0,0 +1,366 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Host configuration &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Backups of secure hosts" href="backup_host.html" />
+ <link rel="prev" title="Application servers" href="appl_servers.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="appl_servers.html" title="Application servers"
+ accesskey="P">previous</a> |
+ <a href="backup_host.html" title="Backups of secure hosts"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Host configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="host-configuration">
+<h1>Host configuration<a class="headerlink" href="#host-configuration" title="Permalink to this headline">¶</a></h1>
+<p>All hosts running Kerberos software, whether they are clients,
+application servers, or KDCs, can be configured using
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Here we describe some of the behavior changes
+you might want to make.</p>
+<div class="section" id="default-realm">
+<h2>Default realm<a class="headerlink" href="#default-realm" title="Permalink to this headline">¶</a></h2>
+<p>In the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section, the <strong>default_realm</strong> realm
+relation sets the default Kerberos realm. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+</pre></div>
+</div>
+<p>The default realm affects Kerberos behavior in the following ways:</p>
+<ul class="simple">
+<li>When a principal name is parsed from text, the default realm is used
+if no <tt class="docutils literal"><span class="pre">&#64;REALM</span></tt> component is specified.</li>
+<li>The default realm affects login authorization as described below.</li>
+<li>For programs which operate on a Kerberos database, the default realm
+is used to determine which database to operate on, unless the <strong>-r</strong>
+parameter is given to specify a realm.</li>
+<li>A server program may use the default realm when looking up its key
+in a <a class="reference internal" href="install_appl_srv.html#keytab-file"><em>keytab file</em></a>, if its realm is not
+determined by <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> configuration or by the server
+program itself.</li>
+<li>If <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> is passed the <strong>-n</strong> flag, it requests anonymous
+tickets from the default realm.</li>
+</ul>
+<p>In some situations, these uses of the default realm might conflict.
+For example, it might be desirable for principal name parsing to use
+one realm by default, but for login authorization to use a second
+realm. In this situation, the first realm can be configured as the
+default realm, and <strong>auth_to_local</strong> relations can be used as
+described below to use the second realm for login authorization.</p>
+</div>
+<div class="section" id="login-authorization">
+<span id="id1"></span><h2>Login authorization<a class="headerlink" href="#login-authorization" title="Permalink to this headline">¶</a></h2>
+<p>If a host runs a Kerberos-enabled login service such as OpenSSH with
+GSSAPIAuthentication enabled, login authorization rules determine
+whether a Kerberos principal is allowed to access a local account.</p>
+<p>By default, a Kerberos principal is allowed access to an account if
+its realm matches the default realm and its name matches the account
+name. (For historical reasons, access is also granted by default if
+the name has two components and the second component matches the
+default realm; for instance, <tt class="docutils literal"><span class="pre">alice/ATHENA.MIT.EDU&#64;ATHENA.MIT.EDU</span></tt>
+is granted access to the <tt class="docutils literal"><span class="pre">alice</span></tt> account if <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> is
+the default realm.)</p>
+<p>The simplest way to control local access is using <a class="reference internal" href="../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a>
+files. To use these, place a <tt class="docutils literal"><span class="pre">.k5login</span></tt> file in the home directory
+of each account listing the principal names which should have login
+access to that account. If it is not desirable to use <tt class="docutils literal"><span class="pre">.k5login</span></tt>
+files located in account home directories, the <strong>k5login_directory</strong>
+relation in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section can specify a directory
+containing one file per account uname.</p>
+<p>By default, if a <tt class="docutils literal"><span class="pre">.k5login</span></tt> file is present, it controls
+authorization both positively and negatively&#8211;any principal name
+contained in the file is granted access and any other principal name
+is denied access, even if it would have had access if the <tt class="docutils literal"><span class="pre">.k5login</span></tt>
+file didn&#8217;t exist. The <strong>k5login_authoritative</strong> relation in the
+<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section can be set to false to make <tt class="docutils literal"><span class="pre">.k5login</span></tt>
+files provide positive authorization only.</p>
+<p>The <strong>auth_to_local</strong> relation in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section for the
+default realm can specify pattern-matching rules to control login
+authorization. For example, the following configuration allows access
+to principals from a different realm than the default realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ DEFAULT.REALM = {
+ # Allow access to principals from OTHER.REALM.
+ #
+ # [1:$1@$0] matches single-component principal names and creates
+ # a selection string containing the principal name and realm.
+ #
+ # (.*@OTHER\.REALM) matches against the selection string, so that
+ # only principals in OTHER.REALM are matched.
+ #
+ # s/@OTHER\.REALM$// removes the realm name, leaving behind the
+ # principal name as the acount name.
+ auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//
+
+ # Also allow principals from the default realm. Omit this line
+ # to only allow access to principals in OTHER.REALM.
+ auth_to_local = DEFAULT
+ }
+</pre></div>
+</div>
+<p>The <strong>auth_to_local_names</strong> subsection of the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section
+for the default realm can specify explicit mappings from principal
+names to local accounts. The key used in this subsection is the
+principal name without realm, so it is only safe to use in a Kerberos
+environment with a single realm or a tightly controlled set of realms.
+An example use of <strong>auth_to_local_names</strong> might be:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ATHENA.MIT.EDU = {
+ auth_to_local_names = {
+ # Careful, these match principals in any realm!
+ host/example.com = hostaccount
+ fred = localfred
+ }
+ }
+</pre></div>
+</div>
+<p>Local authorization behavior can also be modified using plugin
+modules; see <a class="reference internal" href="../plugindev/hostrealm.html#hostrealm-plugin"><em>Host-to-realm interface (hostrealm)</em></a> for details.</p>
+</div>
+<div class="section" id="plugin-module-configuration">
+<span id="plugin-config"></span><h2>Plugin module configuration<a class="headerlink" href="#plugin-module-configuration" title="Permalink to this headline">¶</a></h2>
+<p>Many aspects of Kerberos behavior, such as client preauthentication
+and KDC service location, can be modified through the use of plugin
+modules. For most of these behaviors, you can use the <a class="reference internal" href="conf_files/krb5_conf.html#plugins"><em>[plugins]</em></a>
+section of krb5.conf to register third-party modules, and to switch
+off registered or built-in modules.</p>
+<p>A plugin module takes the form of a Unix shared object
+(<tt class="docutils literal"><span class="pre">modname.so</span></tt>) or Windows DLL (<tt class="docutils literal"><span class="pre">modname.dll</span></tt>). If you have
+installed a third-party plugin module and want to register it, you do
+so using the <strong>module</strong> relation in the appropriate subsection of the
+[plugins] section. The value for <strong>module</strong> must give the module name
+and the path to the module, separated by a colon. The module name
+will often be the same as the shared object&#8217;s name, but in unusual
+cases (such as a shared object which implements multiple modules for
+the same interface) it might not be. For example, to register a
+client preauthentication module named <tt class="docutils literal"><span class="pre">mypreauth</span></tt> installed at
+<tt class="docutils literal"><span class="pre">/path/to/mypreauth.so</span></tt>, you could write:</p>
+<div class="highlight-python"><div class="highlight"><pre>[plugins]
+ clpreauth = {
+ module = mypreauth:/path/to/mypreauth.so
+ }
+</pre></div>
+</div>
+<p>Many of the pluggable behaviors in MIT krb5 contain built-in modules
+which can be switched off. You can disable a built-in module (or one
+you have registered) using the <strong>disable</strong> directive in the
+appropriate subsection of the [plugins] section. For example, to
+disable the use of .k5identity files to select credential caches, you
+could write:</p>
+<div class="highlight-python"><div class="highlight"><pre>[plugins]
+ ccselect = {
+ disable = k5identity
+ }
+</pre></div>
+</div>
+<p>If you want to disable multiple modules, specify the <strong>disable</strong>
+directive multiple times, giving one module to disable each time.</p>
+<p>Alternatively, you can explicitly specify which modules you want to be
+enabled for that behavior using the <strong>enable_only</strong> directive. For
+example, to make <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> check password quality using only a
+module you have registered, and no other mechanism, you could write:</p>
+<div class="highlight-python"><div class="highlight"><pre>[plugins]
+ pwqual = {
+ module = mymodule:/path/to/mymodule.so
+ enable_only = mymodule
+ }
+</pre></div>
+</div>
+<p>Again, if you want to specify multiple modules, specify the
+<strong>enable_only</strong> directive multiple times, giving one module to enable
+each time.</p>
+<p>Some Kerberos interfaces use different mechanisms to register plugin
+modules.</p>
+<div class="section" id="kdc-location-modules">
+<h3>KDC location modules<a class="headerlink" href="#kdc-location-modules" title="Permalink to this headline">¶</a></h3>
+<p>For historical reasons, modules to control how KDC servers are located
+are registered simply by placing the shared object or DLL into the
+&#8220;libkrb5&#8221; subdirectory of the krb5 plugin directory, which defaults to
+<a class="reference internal" href="../mitK5defaults.html#paths"><em>LIBDIR</em></a><tt class="docutils literal"><span class="pre">/krb5/plugins</span></tt>. For example, Samba&#8217;s winbind krb5
+locator plugin would be registered by placing its shared object in
+<a class="reference internal" href="../mitK5defaults.html#paths"><em>LIBDIR</em></a><tt class="docutils literal"><span class="pre">/krb5/plugins/libkrb5/winbind_krb5_locator.so</span></tt>.</p>
+</div>
+<div class="section" id="gssapi-mechanism-modules">
+<span id="gssapi-plugin-config"></span><h3>GSSAPI mechanism modules<a class="headerlink" href="#gssapi-mechanism-modules" title="Permalink to this headline">¶</a></h3>
+<p>GSSAPI mechanism modules are registered using the file
+<tt class="docutils literal"><span class="pre">/etc/gss/mech</span></tt> or configuration files in the <tt class="docutils literal"><span class="pre">/etc/gss/mech.d/</span></tt>
+directory. Only files with a <tt class="docutils literal"><span class="pre">.conf</span></tt> suffix will be read from the
+<tt class="docutils literal"><span class="pre">/etc/gss/mech.d/</span></tt> directory. Each line in these files has the
+form:</p>
+<div class="highlight-python"><div class="highlight"><pre>oid pathname [options] &lt;type&gt;
+</pre></div>
+</div>
+<p>Only the oid and pathname are required. <em>oid</em> is the object
+identifier of the GSSAPI mechanism to be registered. <em>pathname</em> is a
+path to the module shared object or DLL. <em>options</em> (if present) are
+options provided to the plugin module, surrounded in square brackets.
+<em>type</em> (if present) can be used to indicate a special type of module.
+Currently the only special module type is &#8220;interposer&#8221;, for a module
+designed to intercept calls to other mechanisms.</p>
+</div>
+<div class="section" id="configuration-profile-modules">
+<span id="profile-plugin-config"></span><h3>Configuration profile modules<a class="headerlink" href="#configuration-profile-modules" title="Permalink to this headline">¶</a></h3>
+<p>A configuration profile module replaces the information source for
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> itself. To use a profile module, begin krb5.conf
+with the line:</p>
+<div class="highlight-python"><div class="highlight"><pre>module PATHNAME:STRING
+</pre></div>
+</div>
+<p>where <em>PATHNAME</em> is a path to the module shared object or DLL, and
+<em>STRING</em> is a string to provide to the module. The module will then
+take over, and the rest of krb5.conf will be ignored.</p>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Host configuration</a><ul>
+<li><a class="reference internal" href="#default-realm">Default realm</a></li>
+<li><a class="reference internal" href="#login-authorization">Login authorization</a></li>
+<li><a class="reference internal" href="#plugin-module-configuration">Plugin module configuration</a><ul>
+<li><a class="reference internal" href="#kdc-location-modules">KDC location modules</a></li>
+<li><a class="reference internal" href="#gssapi-mechanism-modules">GSSAPI mechanism modules</a></li>
+<li><a class="reference internal" href="#configuration-profile-modules">Configuration profile modules</a></li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Host configuration</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="appl_servers.html" title="Application servers"
+ >previous</a> |
+ <a href="backup_host.html" title="Backups of secure hosts"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Host configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html
new file mode 100644
index 000000000000..4dcdc1b25d44
--- /dev/null
+++ b/doc/html/admin/https.html
@@ -0,0 +1,200 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>HTTPS proxy configuration &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Authentication indicators" href="auth_indicator.html" />
+ <link rel="prev" title="Encryption types" href="enctypes.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="enctypes.html" title="Encryption types"
+ accesskey="P">previous</a> |
+ <a href="auth_indicator.html" title="Authentication indicators"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="https-proxy-configuration">
+<span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Permalink to this headline">¶</a></h1>
+<p>In addition to being able to use UDP or TCP to communicate directly
+with a KDC as is outlined in RFC4120, and with kpasswd services in a
+similar fashion, the client libraries can attempt to use an HTTPS
+proxy server to communicate with a KDC or kpasswd service, using the
+protocol outlined in [MS-KKDCP].</p>
+<p>Communicating with a KDC through an HTTPS proxy allows clients to
+contact servers when network firewalls might otherwise prevent them
+from doing so. The use of TLS also encrypts all traffic between the
+clients and the KDC, preventing observers from conducting password
+dictionary attacks or from observing the client and server principals
+being authenticated, at additional computational cost to both clients
+and servers.</p>
+<p>An HTTPS proxy server is provided as a feature in some versions of
+Microsoft Windows Server, and a WSGI implementation named <cite>kdcproxy</cite>
+is available in the python package index.</p>
+<div class="section" id="configuring-the-clients">
+<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
+<p>To use an HTTPS proxy, a client host must trust the CA which issued
+that proxy&#8217;s SSL certificate. If that CA&#8217;s certificate is not in the
+system-wide default set of trusted certificates, configure the
+following relation in the client host&#8217;s <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in
+the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection:</p>
+<div class="highlight-python"><div class="highlight"><pre>http_anchors = FILE:/etc/krb5/cacert.pem
+</pre></div>
+</div>
+<p>Adjust the pathname to match the path of the file which contains a
+copy of the CA&#8217;s certificate. The <cite>http_anchors</cite> option is documented
+more fully in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+<p>Configure the client to access the KDC and kpasswd service by
+specifying their locations in its <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in the form
+of HTTPS URLs for the proxy server:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdc = https://server.fqdn/KdcProxy
+kpasswd_server = https://server.fqdn/KdcProxy
+</pre></div>
+</div>
+<p>If the proxy and client are properly configured, client commands such
+as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class="docutils literal"><span class="pre">kvno</span></tt>, and <tt class="docutils literal"><span class="pre">kpasswd</span></tt> should all function normally.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">HTTPS proxy configuration</a><ul>
+<li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">HTTPS proxy configuration</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="enctypes.html" title="Encryption types"
+ >previous</a> |
+ <a href="auth_indicator.html" title="Authentication indicators"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__HTTPS proxy configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html
new file mode 100644
index 000000000000..adfb25bb083c
--- /dev/null
+++ b/doc/html/admin/index.html
@@ -0,0 +1,187 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>For administrators &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="next" title="Installation guide" href="install.html" />
+ <link rel="prev" title="sclient" href="../user/user_commands/sclient.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../user/user_commands/sclient.html" title="sclient"
+ accesskey="P">previous</a> |
+ <a href="install.html" title="Installation guide"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__For administrators">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="for-administrators">
+<h1>For administrators<a class="headerlink" href="#for-administrators" title="Permalink to this headline">¶</a></h1>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l1"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l1"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l1"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l1"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l1"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l1"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l1"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l1"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l1"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l1"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l1"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l1"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+</ul>
+</div>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l1"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l1"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l1"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l1"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">For administrators</a><ul>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="current reference internal" href="">For administrators</a><ul>
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../user/user_commands/sclient.html" title="sclient"
+ >previous</a> |
+ <a href="install.html" title="Installation guide"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__For administrators">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html
new file mode 100644
index 000000000000..ba51b3e151d9
--- /dev/null
+++ b/doc/html/admin/install.html
@@ -0,0 +1,202 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Installation guide &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Installing KDCs" href="install_kdc.html" />
+ <link rel="prev" title="For administrators" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="For administrators"
+ accesskey="P">previous</a> |
+ <a href="install_kdc.html" title="Installing KDCs"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installation guide">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="installation-guide">
+<h1>Installation guide<a class="headerlink" href="#installation-guide" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="contents">
+<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="install_kdc.html">Installing KDCs</a><ul>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-and-configure-the-master-kdc">Install and configure the master KDC</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#edit-kdc-configuration-files">Edit KDC configuration files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#create-the-kdc-database">Create the KDC database</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#start-the-kerberos-daemons-on-the-master-kdc">Start the Kerberos daemons on the master KDC</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#install-the-slave-kdcs">Install the slave KDCs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#switching-master-and-slave-kdcs">Switching master and slave KDCs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_kdc.html#incremental-database-propagation">Incremental database propagation</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a><ul>
+<li class="toctree-l2"><a class="reference internal" href="install_clients.html#client-machine-configuration-files">Client machine configuration files</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a><ul>
+<li class="toctree-l2"><a class="reference internal" href="install_appl_srv.html#the-keytab-file">The keytab file</a></li>
+<li class="toctree-l2"><a class="reference internal" href="install_appl_srv.html#some-advice-about-secure-hosts">Some advice about secure hosts</a></li>
+</ul>
+</li>
+</ul>
+</div>
+</div>
+<div class="section" id="additional-references">
+<h2>Additional references<a class="headerlink" href="#additional-references" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic simple">
+<li>Debian: <a class="reference external" href="http://techpubs.spinlocksolutions.com/dklar/kerberos.html">Setting up MIT Kerberos 5</a></li>
+<li>Solaris: <a class="reference external" href="http://download.oracle.com/docs/cd/E19253-01/816-4557/6maosrjv2/index.html">Configuring the Kerberos Service</a></li>
+</ol>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Installation guide</a><ul>
+<li><a class="reference internal" href="#contents">Contents</a></li>
+<li><a class="reference internal" href="#additional-references">Additional references</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2 current"><a class="current reference internal" href="">Installation guide</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="For administrators"
+ >previous</a> |
+ <a href="install_kdc.html" title="Installing KDCs"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installation guide">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html
new file mode 100644
index 000000000000..21a292e941d1
--- /dev/null
+++ b/doc/html/admin/install_appl_srv.html
@@ -0,0 +1,235 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>UNIX Application Servers &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="Installation guide" href="install.html" />
+ <link rel="next" title="Configuration Files" href="conf_files/index.html" />
+ <link rel="prev" title="Installing and configuring UNIX client machines" href="install_clients.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="install_clients.html" title="Installing and configuring UNIX client machines"
+ accesskey="P">previous</a> |
+ <a href="conf_files/index.html" title="Configuration Files"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__UNIX Application Servers">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="unix-application-servers">
+<h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Permalink to this headline">¶</a></h1>
+<p>An application server is a host that provides one or more services
+over the network. Application servers can be &#8220;secure&#8221; or &#8220;insecure.&#8221;
+A &#8220;secure&#8221; host is set up to require authentication from every client
+connecting to it. An &#8220;insecure&#8221; host will still provide Kerberos
+authentication, but will also allow unauthenticated clients to
+connect.</p>
+<p>If you have Kerberos V5 installed on all of your client machines, MIT
+recommends that you make your hosts secure, to take advantage of the
+security that Kerberos authentication affords. However, if you have
+some clients that do not have Kerberos V5 installed, you can run an
+insecure server, and still take advantage of Kerberos V5&#8217;s single
+sign-on capability.</p>
+<div class="section" id="the-keytab-file">
+<span id="keytab-file"></span><h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Permalink to this headline">¶</a></h2>
+<p>All Kerberos server machines need a keytab file to authenticate to the
+KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.
+The keytab file is an local copy of the host&#8217;s key. The keytab file
+is a potential point of entry for a break-in, and if compromised,
+would allow unrestricted access to its host. The keytab file should
+be readable only by root, and should exist only on the machine&#8217;s local
+disk. The file should not be part of any backup of the machine,
+unless access to the backup data is secured as tightly as access to
+the machine&#8217;s root password.</p>
+<p>In order to generate a keytab for a host, the host must have a
+principal in the Kerberos database. The procedure for adding hosts to
+the database is described fully in <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>. (See
+<a class="reference internal" href="install_kdc.html#slave-host-key"><em>Create host keytabs for slave KDCs</em></a> for a brief description.) The keytab is
+generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd"><em>ktadd</em></a>
+command.</p>
+<p>For example, to generate a keytab file to allow the host
+<tt class="docutils literal"><span class="pre">trillium.mit.edu</span></tt> to authenticate for the services host, ftp, and
+pop, the administrator <tt class="docutils literal"><span class="pre">joeadmin</span></tt> would issue the command (on
+<tt class="docutils literal"><span class="pre">trillium.mit.edu</span></tt>):</p>
+<div class="highlight-python"><div class="highlight"><pre>trillium% kadmin
+kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
+ pop/trillium.mit.edu
+kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
+ kvno 3, encryption type DES-CBC-CRC added to keytab
+ FILE:/etc/krb5.keytab.
+kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
+ kvno 3, encryption type DES-CBC-CRC added to keytab
+ FILE:/etc/krb5.keytab.
+kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
+ kvno 3, encryption type DES-CBC-CRC added to keytab
+ FILE:/etc/krb5.keytab.
+kadmin5: quit
+trillium%
+</pre></div>
+</div>
+<p>If you generate the keytab file on another host, you need to get a
+copy of the keytab file onto the destination host (<tt class="docutils literal"><span class="pre">trillium</span></tt>, in
+the above example) without sending it unencrypted over the network.</p>
+</div>
+<div class="section" id="some-advice-about-secure-hosts">
+<h2>Some advice about secure hosts<a class="headerlink" href="#some-advice-about-secure-hosts" title="Permalink to this headline">¶</a></h2>
+<p>Kerberos V5 can protect your host from certain types of break-ins, but
+it is possible to install Kerberos V5 and still leave your host
+vulnerable to attack. Obviously an installation guide is not the
+place to try to include an exhaustive list of countermeasures for
+every possible attack, but it is worth noting some of the larger holes
+and how to close them.</p>
+<p>We recommend that backups of secure machines exclude the keytab file
+(<a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>). If this is not possible, the backups should at least be
+done locally, rather than over a network, and the backup tapes should
+be physically secured.</p>
+<p>The keytab file and any programs run by root, including the Kerberos
+V5 binaries, should be kept on local disk. The keytab file should be
+readable only by root.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">UNIX Application Servers</a><ul>
+<li><a class="reference internal" href="#the-keytab-file">The keytab file</a></li>
+<li><a class="reference internal" href="#some-advice-about-secure-hosts">Some advice about secure hosts</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">UNIX Application Servers</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="install_clients.html" title="Installing and configuring UNIX client machines"
+ >previous</a> |
+ <a href="conf_files/index.html" title="Configuration Files"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__UNIX Application Servers">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html
new file mode 100644
index 000000000000..a75799d4b763
--- /dev/null
+++ b/doc/html/admin/install_clients.html
@@ -0,0 +1,212 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Installing and configuring UNIX client machines &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="Installation guide" href="install.html" />
+ <link rel="next" title="UNIX Application Servers" href="install_appl_srv.html" />
+ <link rel="prev" title="Installing KDCs" href="install_kdc.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="install_kdc.html" title="Installing KDCs"
+ accesskey="P">previous</a> |
+ <a href="install_appl_srv.html" title="UNIX Application Servers"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing and configuring UNIX client machines">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="installing-and-configuring-unix-client-machines">
+<h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Permalink to this headline">¶</a></h1>
+<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>,
+<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><em>klist</em></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>. All of
+these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><em>BINDIR</em></a>.</p>
+<p>You can often integrate Kerberos with the login system on client
+machines, typically through the use of PAM. The details vary by
+operating system, and should be covered in your operating system&#8217;s
+documentation. If you do this, you will need to make sure your users
+know to use their Kerberos passwords when they log in.</p>
+<p>You will also need to educate your users to use the ticket management
+programs kinit, klist, and kdestroy. If you do not have Kerberos
+password changing integrated into the native password program (again,
+typically through PAM), you will need to educate users to use kpasswd
+in place of its non-Kerberos counterparts passwd.</p>
+<div class="section" id="client-machine-configuration-files">
+<h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Permalink to this headline">¶</a></h2>
+<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file.
+At a minimum, it should define a <strong>default_realm</strong> setting in
+<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>. If you are not using DNS SRV records
+(<a class="reference internal" href="realm_config.html#kdc-hostnames"><em>Hostnames for KDCs</em></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><em>KDC Discovery</em></a>), it must
+also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section containing information for your
+realm&#8217;s KDCs.</p>
+<p>Consider setting <strong>rdns</strong> to false in order to reduce your dependence
+on precisely correct DNS information for service hostnames. Turning
+this flag off means that service hostnames will be canonicalized
+through forward name resolution (which adds your domain name to
+unqualified hostnames, and resolves CNAME records in DNS), but not
+through reverse address lookup. The default value of this flag is
+true for historical reasons only.</p>
+<p>If you anticipate users frequently logging into remote hosts
+(e.g., using ssh) using forwardable credentials, consider setting
+<strong>forwardable</strong> to true so that users obtain forwardable tickets by
+default. Otherwise users will need to use <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-f</span></tt> to get
+forwardable tickets.</p>
+<p>Consider adjusting the <strong>ticket_lifetime</strong> setting to match the likely
+length of sessions for your users. For instance, if most of your
+users will be logging in for an eight-hour workday, you could set the
+default to ten hours so that tickets obtained in the morning expire
+shortly after the end of the workday. Users can still manually
+request longer tickets when necessary, up to the maximum allowed by
+each user&#8217;s principal record on the KDC.</p>
+<p>If a client host may access services in different realms, it may be
+useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> mapping so that clients know
+which hosts belong to which realms. However, if your clients and KDC
+are running release 1.7 or later, it is also reasonable to leave this
+section out on client machines and just define it in the KDC&#8217;s
+krb5.conf.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Installing and configuring UNIX client machines</a><ul>
+<li><a class="reference internal" href="#client-machine-configuration-files">Client machine configuration files</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">Installing and configuring UNIX client machines</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="install_kdc.html" title="Installing KDCs"
+ >previous</a> |
+ <a href="install_appl_srv.html" title="UNIX Application Servers"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing and configuring UNIX client machines">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html
new file mode 100644
index 000000000000..ceec8cb320fd
--- /dev/null
+++ b/doc/html/admin/install_kdc.html
@@ -0,0 +1,655 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Installing KDCs &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="Installation guide" href="install.html" />
+ <link rel="next" title="Installing and configuring UNIX client machines" href="install_clients.html" />
+ <link rel="prev" title="Installation guide" href="install.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="install.html" title="Installation guide"
+ accesskey="P">previous</a> |
+ <a href="install_clients.html" title="Installing and configuring UNIX client machines"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing KDCs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="installing-kdcs">
+<h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Permalink to this headline">¶</a></h1>
+<p>When setting up Kerberos in a production environment, it is best to
+have multiple slave KDCs alongside with a master KDC to ensure the
+continued availability of the Kerberized services. Each KDC contains
+a copy of the Kerberos database. The master KDC contains the writable
+copy of the realm database, which it replicates to the slave KDCs at
+regular intervals. All database changes (such as password changes)
+are made on the master KDC. Slave KDCs provide Kerberos
+ticket-granting services, but not database administration, when the
+master KDC is unavailable. MIT recommends that you install all of
+your KDCs to be able to function as either the master or one of the
+slaves. This will enable you to easily switch your master KDC with
+one of the slaves if necessary (see <a class="reference internal" href="#switch-master-slave"><em>Switching master and slave KDCs</em></a>). This
+installation procedure is based on that recommendation.</p>
+<div class="admonition warning">
+<p class="first admonition-title">Warning</p>
+<ul class="last simple">
+<li>The Kerberos system relies on the availability of correct time
+information. Ensure that the master and all slave KDCs have
+properly synchronized clocks.</li>
+<li>It is best to install and run KDCs on secured and dedicated
+hardware with limited access. If your KDC is also a file
+server, FTP server, Web server, or even just a client machine,
+someone who obtained root access through a security hole in any
+of those areas could potentially gain access to the Kerberos
+database.</li>
+</ul>
+</div>
+<div class="section" id="install-and-configure-the-master-kdc">
+<h2>Install and configure the master KDC<a class="headerlink" href="#install-and-configure-the-master-kdc" title="Permalink to this headline">¶</a></h2>
+<p>Install Kerberos either from the OS-provided packages or from the
+source (See <a class="reference internal" href="../build/doing_build.html#do-build"><em>Building within a single tree</em></a>).</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p>For the purpose of this document we will use the following
+names:</p>
+<div class="highlight-python"><div class="highlight"><pre>kerberos.mit.edu - master KDC
+kerberos-1.mit.edu - slave KDC
+ATHENA.MIT.EDU - realm name
+.k5.ATHENA.MIT.EDU - stash file
+admin/admin - admin principal
+</pre></div>
+</div>
+<p class="last">See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default names and locations
+of the relevant to this topic files. Adjust the names and
+paths to your system environment.</p>
+</div>
+</div>
+<div class="section" id="edit-kdc-configuration-files">
+<h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Permalink to this headline">¶</a></h2>
+<p>Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> and
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, to reflect the correct information (such as
+domain-realm mappings and Kerberos servers names) for your realm.
+(See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the recommended default locations for
+these files).</p>
+<p>Most of the tags in the configuration have default values that will
+work well for most sites. There are some tags in the
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file whose values must be specified, and this
+section will explain those.</p>
+<p>If the locations for these configuration files differs from the
+default ones, set <strong>KRB5_CONFIG</strong> and <strong>KRB5_KDC_PROFILE</strong> environment
+variables to point to the krb5.conf and kdc.conf respectively. For
+example:</p>
+<div class="highlight-python"><div class="highlight"><pre>export KRB5_CONFIG=/yourdir/krb5.conf
+export KRB5_KDC_PROFILE=/yourdir/kdc.conf
+</pre></div>
+</div>
+<div class="section" id="krb5-conf">
+<h3>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h3>
+<p>If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames"><em>Mapping hostnames onto Kerberos realms</em></a>),
+you must specify the <strong>default_realm</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>
+section. If you are not using DNS URI or SRV records (see
+<a class="reference internal" href="realm_config.html#kdc-hostnames"><em>Hostnames for KDCs</em></a> and <a class="reference internal" href="realm_config.html#kdc-discovery"><em>KDC Discovery</em></a>), you must include the
+<strong>kdc</strong> tag for each <em>realm</em> in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section. To
+communicate with the kadmin server in each realm, the <strong>admin_server</strong>
+tag must be set in the
+<a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section.</p>
+<p>An example krb5.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ kdc = kerberos-1.mit.edu
+ admin_server = kerberos.mit.edu
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="kdc-conf">
+<h3>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h3>
+<p>The kdc.conf file can be used to control the listening ports of the
+KDC and kadmind, as well as realm-specific defaults, the database type
+and location, and logging.</p>
+<p>An example kdc.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ kdc_listen = 88
+ kdc_tcp_listen = 88
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kadmind_port = 749
+ max_life = 12h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal aes128-cts:normal
+ # If the default location does not suit your setup,
+ # explicitly configure the following values:
+ # database_name = /var/krb5kdc/principal
+ # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
+ # acl_file = /var/krb5kdc/kadm5.acl
+ }
+
+[logging]
+ # By default, the KDC and kadmind will log output using
+ # syslog. You can instead send log output to files like this:
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmin.log
+ default = FILE:/var/log/krb5lib.log
+</pre></div>
+</div>
+<p>Replace <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> and <tt class="docutils literal"><span class="pre">kerberos.mit.edu</span></tt> with the name of
+your Kerberos realm and server respectively.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">You have to have write permission on the target directories
+(these directories must exist) used by <strong>database_name</strong>,
+<strong>key_stash_file</strong>, and <strong>acl_file</strong>.</p>
+</div>
+</div>
+</div>
+<div class="section" id="create-the-kdc-database">
+<span id="create-db"></span><h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Permalink to this headline">¶</a></h2>
+<p>You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command on the master KDC to
+create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><em>stash file</em></a>.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">If you choose not to install a stash file, the KDC will
+prompt you for the master key each time it starts up. This
+means that the KDC will not be able to start automatically,
+such as after a system reboot.</p>
+</div>
+<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> will prompt you for the master password for the
+Kerberos database. This password can be any string. A good password
+is one you can remember, but that no one else can guess. Examples of
+bad passwords are words that can be found in a dictionary, any common
+or popular name, especially a famous person (or cartoon character),
+your username in any form (e.g., forward, backward, repeated twice,
+etc.), and any of the sample passwords that appear in this manual.
+One example of a password which might be good if it did not appear in
+this manual is &#8220;MITiys4K5!&#8221;, which represents the sentence &#8220;MIT is
+your source for Kerberos 5!&#8221; (It&#8217;s the first letter of each word,
+substituting the numeral &#8220;4&#8221; for the word &#8220;for&#8221;, and includes the
+punctuation mark at the end.)</p>
+<p>The following is an example of how to create a Kerberos database and
+stash file on the master KDC, using the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command.
+Replace <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> with the name of your Kerberos realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util create -r ATHENA.MIT.EDU -s
+
+Initializing database &#39;/usr/local/var/krb5kdc/principal&#39; for realm &#39;ATHENA.MIT.EDU&#39;,
+master key name &#39;K/M@ATHENA.MIT.EDU&#39;
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key: &lt;= Type the master password.
+Re-enter KDC database master key to verify: &lt;= Type it again.
+shell%
+</pre></div>
+</div>
+<p>This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt> (or at the locations specified
+in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>):</p>
+<ul class="simple">
+<li>two Kerberos database files, <tt class="docutils literal"><span class="pre">principal</span></tt>, and <tt class="docutils literal"><span class="pre">principal.ok</span></tt></li>
+<li>the Kerberos administrative database file, <tt class="docutils literal"><span class="pre">principal.kadm5</span></tt></li>
+<li>the administrative database lock file, <tt class="docutils literal"><span class="pre">principal.kadm5.lock</span></tt></li>
+<li>the stash file, in this example <tt class="docutils literal"><span class="pre">.k5.ATHENA.MIT.EDU</span></tt>. If you do
+not want a stash file, run the above command without the <strong>-s</strong>
+option.</li>
+</ul>
+<p>For more information on administrating Kerberos database see
+<a class="reference internal" href="database.html#db-operations"><em>Operations on the Kerberos database</em></a>.</p>
+</div>
+<div class="section" id="add-administrators-to-the-acl-file">
+<span id="admin-acl"></span><h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Permalink to this headline">¶</a></h2>
+<p>Next, you need create an Access Control List (ACL) file and put the
+Kerberos principal of at least one of the administrators into it.
+This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon to control which
+principals may view and make privileged modifications to the Kerberos
+database files. The ACL filename is determined by the <strong>acl_file</strong>
+variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</p>
+<p>For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</p>
+</div>
+<div class="section" id="add-administrators-to-the-kerberos-database">
+<span id="addadmin-kdb"></span><h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<p>Next you need to add administrative principals (i.e., principals who
+are allowed to administer Kerberos database) to the Kerberos database.
+You <em>must</em> add at least one principal now to allow communication
+between the Kerberos administration daemon kadmind and the kadmin
+program over the network for further administration. To do this, use
+the kadmin.local utility on the master KDC. kadmin.local is designed
+to be run on the master KDC host without using Kerberos authentication
+to an admin server; instead, it must have read and write access to the
+Kerberos database on the local filesystem.</p>
+<p>The administrative principals you create should be the ones you added
+to the ACL file (see <a class="reference internal" href="#admin-acl"><em>Add administrators to the ACL file</em></a>).</p>
+<p>In the following example, the administrative principal <tt class="docutils literal"><span class="pre">admin/admin</span></tt>
+is created:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kadmin.local
+
+kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
+
+WARNING: no policy specified for &quot;admin/admin@ATHENA.MIT.EDU&quot;;
+assigning &quot;default&quot;.
+Enter password for principal admin/admin@ATHENA.MIT.EDU: &lt;= Enter a password.
+Re-enter password for principal admin/admin@ATHENA.MIT.EDU: &lt;= Type it again.
+Principal &quot;admin/admin@ATHENA.MIT.EDU&quot; created.
+kadmin.local:
+</pre></div>
+</div>
+</div>
+<div class="section" id="start-the-kerberos-daemons-on-the-master-kdc">
+<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the master KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-master-kdc" title="Permalink to this headline">¶</a></h2>
+<p>At this point, you are ready to start the Kerberos KDC
+(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>) and administrative daemons on the Master KDC. To
+do so, type:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span>
+<span class="n">shell</span><span class="o">%</span> <span class="n">kadmind</span>
+</pre></div>
+</div>
+<p>Each server daemon will fork and run in the background.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Assuming you want these daemons to start up automatically at
+boot time, you can add them to the KDC&#8217;s <tt class="docutils literal"><span class="pre">/etc/rc</span></tt> or
+<tt class="docutils literal"><span class="pre">/etc/inittab</span></tt> file. You need to have a
+<a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><em>stash file</em></a> in order to do this.</p>
+</div>
+<p>You can verify that they started properly by checking for their
+startup messages in the logging locations you defined in
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> (see <a class="reference internal" href="conf_files/kdc_conf.html#logging"><em>[logging]</em></a>). For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% tail /var/log/krb5kdc.log
+Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
+shell% tail /var/log/kadmin.log
+Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
+</pre></div>
+</div>
+<p>Any errors the daemons encounter while starting will also be listed in
+the logging output.</p>
+<p>As an additional verification, check if <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> succeeds
+against the principals that you have created on the previous step
+(<a class="reference internal" href="#addadmin-kdb"><em>Add administrators to the Kerberos database</em></a>). Run:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kinit admin/admin@ATHENA.MIT.EDU
+</pre></div>
+</div>
+</div>
+<div class="section" id="install-the-slave-kdcs">
+<h2>Install the slave KDCs<a class="headerlink" href="#install-the-slave-kdcs" title="Permalink to this headline">¶</a></h2>
+<p>You are now ready to start configuring the slave KDCs.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Assuming you are setting the KDCs up so that you can easily
+switch the master KDC with one of the slaves, you should
+perform each of these steps on the master KDC as well as the
+slave KDCs, unless these instructions specify otherwise.</p>
+</div>
+<div class="section" id="create-host-keytabs-for-slave-kdcs">
+<span id="slave-host-key"></span><h3>Create host keytabs for slave KDCs<a class="headerlink" href="#create-host-keytabs-for-slave-kdcs" title="Permalink to this headline">¶</a></h3>
+<p>Each KDC needs a <tt class="docutils literal"><span class="pre">host</span></tt> key in the Kerberos database. These keys
+are used for mutual authentication when propagating the database dump
+file from the master KDC to the secondary KDC servers.</p>
+<p>On the master KDC, connect to administrative interface and create the
+host principal for each of the KDCs&#8217; <tt class="docutils literal"><span class="pre">host</span></tt> services. For example,
+if the master KDC were called <tt class="docutils literal"><span class="pre">kerberos.mit.edu</span></tt>, and you had a
+slave KDC named <tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>, you would type the following:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kadmin
+kadmin: addprinc -randkey host/kerberos.mit.edu
+NOTICE: no policy specified for &quot;host/kerberos.mit.edu@ATHENA.MIT.EDU&quot;; assigning &quot;default&quot;
+Principal &quot;host/kerberos.mit.edu@ATHENA.MIT.EDU&quot; created.
+
+kadmin: addprinc -randkey host/kerberos-1.mit.edu
+NOTICE: no policy specified for &quot;host/kerberos-1.mit.edu@ATHENA.MIT.EDU&quot;; assigning &quot;default&quot;
+Principal &quot;host/kerberos-1.mit.edu@ATHENA.MIT.EDU&quot; created.
+</pre></div>
+</div>
+<p>It is not strictly necessary to have the master KDC server in the
+Kerberos database, but it can be handy if you want to be able to swap
+the master KDC with one of the slaves.</p>
+<p>Next, extract <tt class="docutils literal"><span class="pre">host</span></tt> random keys for all participating KDCs and
+store them in each host&#8217;s default keytab file. Ideally, you should
+extract each keytab locally on its own KDC. If this is not feasible,
+you should use an encrypted session to send them across the network.
+To extract a keytab directly on a slave KDC called
+<tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>, you would execute the following command:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd host/kerberos-1.mit.edu
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
+</pre></div>
+</div>
+<p>If you are instead extracting a keytab for the slave KDC called
+<tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt> on the master KDC, you should use a dedicated
+temporary keytab file for that machine&#8217;s keytab:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
+ type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+</pre></div>
+</div>
+<p>The file <tt class="docutils literal"><span class="pre">/tmp/kerberos-1.keytab</span></tt> can then be installed as
+<tt class="docutils literal"><span class="pre">/etc/krb5.keytab</span></tt> on the host <tt class="docutils literal"><span class="pre">kerberos-1.mit.edu</span></tt>.</p>
+</div>
+<div class="section" id="configure-slave-kdcs">
+<h3>Configure slave KDCs<a class="headerlink" href="#configure-slave-kdcs" title="Permalink to this headline">¶</a></h3>
+<p>Database propagation copies the contents of the master&#8217;s database, but
+does not propagate configuration files, stash files, or the kadm5 ACL
+file. The following files must be copied by hand to each slave (see
+<a class="reference internal" href="../mitK5defaults.html#mitk5defaults"><em>MIT Kerberos defaults</em></a> for the default locations for these files):</p>
+<ul class="simple">
+<li>krb5.conf</li>
+<li>kdc.conf</li>
+<li>kadm5.acl</li>
+<li>master key stash file</li>
+</ul>
+<p>Move the copied files into their appropriate directories, exactly as
+on the master KDC. kadm5.acl is only needed to allow a slave to swap
+with the master KDC.</p>
+<p>The database is propagated from the master KDC to the slave KDCs via
+the <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> daemon. You must explicitly specify the
+principals which are allowed to provide Kerberos dump updates on the
+slave machine with a new database. Create a file named kpropd.acl in
+the KDC state directory containing the <tt class="docutils literal"><span class="pre">host</span></tt> principals for each of
+the KDCs:</p>
+<div class="highlight-python"><div class="highlight"><pre>host/kerberos.mit.edu@ATHENA.MIT.EDU
+host/kerberos-1.mit.edu@ATHENA.MIT.EDU
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">If you expect that the master and slave KDCs will be
+switched at some point of time, list the host principals
+from all participating KDC servers in kpropd.acl files on
+all of the KDCs. Otherwise, you only need to list the
+master KDC&#8217;s host principal in the kpropd.acl files of the
+slave KDCs.</p>
+</div>
+<p>Then, add the following line to <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> on each KDC
+(adjust the path to kpropd):</p>
+<div class="highlight-python"><div class="highlight"><pre>krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+</pre></div>
+</div>
+<p>You also need to add the following line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> on each
+KDC, if it is not already present (assuming that the default port is
+used):</p>
+<div class="highlight-python"><div class="highlight"><pre>krb5_prop 754/tcp # Kerberos slave propagation
+</pre></div>
+</div>
+<p>Restart inetd daemon.</p>
+<p>Alternatively, start <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> as a stand-alone daemon. This is
+required when incremental propagation is enabled.</p>
+<p>Now that the slave KDC is able to accept database propagation, you’ll
+need to propagate the database from the master server.</p>
+<p>NOTE: Do not start the slave KDC yet; you still do not have a copy of
+the master&#8217;s database.</p>
+</div>
+<div class="section" id="propagate-the-database-to-each-slave-kdc">
+<span id="kprop-to-slaves"></span><h3>Propagate the database to each slave KDC<a class="headerlink" href="#propagate-the-database-to-each-slave-kdc" title="Permalink to this headline">¶</a></h3>
+<p>First, create a dump file of the database on the master KDC, as
+follows:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
+</pre></div>
+</div>
+<p>Then, manually propagate the database to each slave KDC, as in the
+following example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu
+
+Database propagation to kerberos-1.mit.edu: SUCCEEDED
+</pre></div>
+</div>
+<p>You will need a script to dump and propagate the database. The
+following is an example of a Bourne shell script that will do this.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Remember that you need to replace <tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc</span></tt>
+with the name of the KDC state directory.</p>
+</div>
+<div class="highlight-python"><div class="highlight"><pre>#!/bin/sh
+
+kdclist = &quot;kerberos-1.mit.edu kerberos-2.mit.edu&quot;
+
+kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
+
+for kdc in $kdclist
+do
+ kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
+done
+</pre></div>
+</div>
+<p>You will need to set up a cron job to run this script at the intervals
+you decided on earlier (see <a class="reference internal" href="realm_config.html#db-prop"><em>Database propagation</em></a>).</p>
+<p>Now that the slave KDC has a copy of the Kerberos database, you can
+start the krb5kdc daemon:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">shell</span><span class="o">%</span> <span class="n">krb5kdc</span>
+</pre></div>
+</div>
+<p>As with the master KDC, you will probably want to add this command to
+the KDCs&#8217; <tt class="docutils literal"><span class="pre">/etc/rc</span></tt> or <tt class="docutils literal"><span class="pre">/etc/inittab</span></tt> files, so they will start
+the krb5kdc daemon automatically at boot time.</p>
+<div class="section" id="propagation-failed">
+<h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Permalink to this headline">¶</a></h4>
+<p>You may encounter the following error messages. For a more detailed
+discussion on possible causes and solutions click on the error link
+to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot"><em>Troubleshooting</em></a> section.</p>
+<ol class="arabic simple">
+<li><a class="reference internal" href="troubleshoot.html#kprop-no-route"><em>kprop: No route to host while connecting to server</em></a></li>
+<li><a class="reference internal" href="troubleshoot.html#kprop-con-refused"><em>kprop: Connection refused while connecting to server</em></a></li>
+<li><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange"><em>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</em></a></li>
+</ol>
+</div>
+</div>
+</div>
+<div class="section" id="add-kerberos-principals-to-the-database">
+<h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Permalink to this headline">¶</a></h2>
+<p>Once your KDCs are set up and running, you are ready to use
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> to load principals for your users, hosts, and other
+services into the Kerberos database. This procedure is described
+fully in <a class="reference internal" href="database.html#add-mod-del-princs"><em>Adding, modifying and deleting principals</em></a>.</p>
+<p>You may occasionally want to use one of your slave KDCs as the master.
+This might happen if you are upgrading the master KDC, or if your
+master KDC has a disk crash. See the following section for the
+instructions.</p>
+</div>
+<div class="section" id="switching-master-and-slave-kdcs">
+<span id="switch-master-slave"></span><h2>Switching master and slave KDCs<a class="headerlink" href="#switching-master-and-slave-kdcs" title="Permalink to this headline">¶</a></h2>
+<p>You may occasionally want to use one of your slave KDCs as the master.
+This might happen if you are upgrading the master KDC, or if your
+master KDC has a disk crash.</p>
+<p>Assuming you have configured all of your KDCs to be able to function
+as either the master KDC or a slave KDC (as this document recommends),
+all you need to do to make the changeover is:</p>
+<p>If the master KDC is still running, do the following on the <em>old</em>
+master KDC:</p>
+<ol class="arabic simple">
+<li>Kill the kadmind process.</li>
+<li>Disable the cron job that propagates the database.</li>
+<li>Run your database propagation script manually, to ensure that the
+slaves all have the latest copy of the database (see
+<a class="reference internal" href="#kprop-to-slaves"><em>Propagate the database to each slave KDC</em></a>).</li>
+</ol>
+<p>On the <em>new</em> master KDC:</p>
+<ol class="arabic simple">
+<li>Start the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon (see <a class="reference internal" href="#start-kdc-daemons"><em>Start the Kerberos daemons on the master KDC</em></a>).</li>
+<li>Set up the cron job to propagate the database (see
+<a class="reference internal" href="#kprop-to-slaves"><em>Propagate the database to each slave KDC</em></a>).</li>
+<li>Switch the CNAMEs of the old and new master KDCs. If you can&#8217;t do
+this, you&#8217;ll need to change the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file on every
+client machine in your Kerberos realm.</li>
+</ol>
+</div>
+<div class="section" id="incremental-database-propagation">
+<h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2>
+<p>If you expect your Kerberos database to become large, you may wish to
+set up incremental propagation to slave KDCs. See <a class="reference internal" href="database.html#incr-db-prop"><em>Incremental database propagation</em></a>
+for details.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Installing KDCs</a><ul>
+<li><a class="reference internal" href="#install-and-configure-the-master-kdc">Install and configure the master KDC</a></li>
+<li><a class="reference internal" href="#edit-kdc-configuration-files">Edit KDC configuration files</a><ul>
+<li><a class="reference internal" href="#krb5-conf">krb5.conf</a></li>
+<li><a class="reference internal" href="#kdc-conf">kdc.conf</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#create-the-kdc-database">Create the KDC database</a></li>
+<li><a class="reference internal" href="#add-administrators-to-the-acl-file">Add administrators to the ACL file</a></li>
+<li><a class="reference internal" href="#add-administrators-to-the-kerberos-database">Add administrators to the Kerberos database</a></li>
+<li><a class="reference internal" href="#start-the-kerberos-daemons-on-the-master-kdc">Start the Kerberos daemons on the master KDC</a></li>
+<li><a class="reference internal" href="#install-the-slave-kdcs">Install the slave KDCs</a><ul>
+<li><a class="reference internal" href="#create-host-keytabs-for-slave-kdcs">Create host keytabs for slave KDCs</a></li>
+<li><a class="reference internal" href="#configure-slave-kdcs">Configure slave KDCs</a></li>
+<li><a class="reference internal" href="#propagate-the-database-to-each-slave-kdc">Propagate the database to each slave KDC</a><ul>
+<li><a class="reference internal" href="#propagation-failed">Propagation failed?</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><a class="reference internal" href="#add-kerberos-principals-to-the-database">Add Kerberos principals to the database</a></li>
+<li><a class="reference internal" href="#switching-master-and-slave-kdcs">Switching master and slave KDCs</a></li>
+<li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">Installing KDCs</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>
+<li class="toctree-l3"><a class="reference internal" href="install_appl_srv.html">UNIX Application Servers</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="install.html" title="Installation guide"
+ >previous</a> |
+ <a href="install_clients.html" title="Installing and configuring UNIX client machines"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Installing KDCs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
new file mode 100644
index 000000000000..96cae8efd487
--- /dev/null
+++ b/doc/html/admin/lockout.html
@@ -0,0 +1,300 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Account lockout &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Configuring Kerberos with OpenLDAP back-end" href="conf_ldap.html" />
+ <link rel="prev" title="Database administration" href="database.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="database.html" title="Database administration"
+ accesskey="P">previous</a> |
+ <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="account-lockout">
+<h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1>
+<p>As of release 1.8, the KDC can be configured to lock out principals
+after a number of failed authentication attempts within a period of
+time. Account lockout can make it more difficult to attack a
+principal&#8217;s password by brute force, but also makes it easy for an
+attacker to deny access to a principal.</p>
+<div class="section" id="configuring-account-lockout">
+<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2>
+<p>Account lockout only works for principals with the
+<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot
+know whether or not a client successfully decrypted the ticket it
+issued. It is also important to set the <strong>-allow_svr</strong> flag on a
+principal to protect its password from an off-line dictionary attack
+through a TGS request. You can set these flags on a principal with
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> as follows:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc +requires_preauth -allow_svr PRINCNAME
+</pre></div>
+</div>
+<p>Account lockout parameters are configured via <a class="reference internal" href="database.html#policies"><em>policy objects</em></a>. There may be an existing policy associated with user
+principals (such as the &#8220;default&#8221; policy), or you may need to create a
+new one and associate it with each user principal.</p>
+<p>The policy parameters related to account lockout are:</p>
+<ul class="simple">
+<li><a class="reference internal" href="database.html#policy-maxfailure"><em>maxfailure</em></a>: the number of failed attempts
+before the principal is locked out</li>
+<li><a class="reference internal" href="database.html#policy-failurecountinterval"><em>failurecountinterval</em></a>: the
+allowable interval between failed attempts</li>
+<li><a class="reference internal" href="database.html#policy-lockoutduration"><em>lockoutduration</em></a>: the amount of time
+a principal is locked out for</li>
+</ul>
+<p>Here is an example of setting these parameters on a new policy and
+associating it with a principal:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addpol -maxfailure 10 -failurecountinterval 180
+ -lockoutduration 60 lockout_policy
+kadmin: modprinc -policy lockout_policy PRINCNAME
+</pre></div>
+</div>
+</div>
+<div class="section" id="testing-account-lockout">
+<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Permalink to this headline">¶</a></h2>
+<p>To test that account lockout is working, try authenticating as the
+principal (hopefully not one that might be in use) multiple times with
+the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
+might see:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kinit user
+Password for user@KRBTEST.COM:
+kinit: Password incorrect while getting initial credentials
+$ kinit user
+Password for user@KRBTEST.COM:
+kinit: Password incorrect while getting initial credentials
+$ kinit user
+kinit: Client&#39;s credentials have been revoked while getting initial credentials
+</pre></div>
+</div>
+</div>
+<div class="section" id="account-lockout-principal-state">
+<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Permalink to this headline">¶</a></h2>
+<p>A principal entry keeps three pieces of state related to account
+lockout:</p>
+<ul class="simple">
+<li>The time of last successful authentication</li>
+<li>The time of last failed authentication</li>
+<li>A counter of failed attempts</li>
+</ul>
+<p>The time of last successful authentication is not actually needed for
+the account lockout system to function, but may be of administrative
+interest. These fields can be observed with the <strong>getprinc</strong> kadmin
+command. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc user
+Principal: user@KRBTEST.COM
+...
+Last successful authentication: [never]
+Last failed authentication: Mon Dec 03 12:30:33 EST 2012
+Failed password attempts: 2
+...
+</pre></div>
+</div>
+<p>A principal which has been locked out can be administratively unlocked
+with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin command:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -unlock PRINCNAME
+</pre></div>
+</div>
+<p>This command will reset the number of failed attempts to 0.</p>
+</div>
+<div class="section" id="kdc-replication-and-account-lockout">
+<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<p>The account lockout state of a principal is not replicated by either
+traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><em>kprop</em></a> or incremental propagation. Because of
+this, the number of attempts an attacker can make within a time period
+is multiplied by the number of KDCs. For instance, if the
+<strong>maxfailure</strong> parameter on a policy is 10 and there are four KDCs in
+the environment (a master and three slaves), an attacker could make as
+many as 40 attempts before the principal is locked out on all four
+KDCs.</p>
+<p>An administrative unlock is propagated from the master to the slave
+KDCs during the next propagation. Propagation of an administrative
+unlock will cause the counter of failed attempts on each slave to
+reset to 1 on the next failure.</p>
+<p>If a KDC environment uses a replication strategy other than kprop or
+incremental propagation, such as the LDAP KDB module with multi-master
+LDAP replication, then account lockout state may be replicated between
+KDCs and the concerns of this section may not apply.</p>
+</div>
+<div class="section" id="kdc-performance-and-account-lockout">
+<h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<p>In order to fully track account lockout state, the KDC must write to
+the the database on each successful and failed authentication.
+Writing to the database is generally more expensive than reading from
+it, so these writes may have a significant impact on KDC performance.
+As of release 1.9, it is possible to turn off account lockout state
+tracking in order to improve performance, by setting the
+<strong>disable_last_success</strong> and <strong>disable_lockout</strong> variables in the
+database module subsection of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[dbmodules]
+ DB = {
+ disable_last_success = true
+ disable_lockout = true
+ }
+</pre></div>
+</div>
+<p>Of the two variables, setting <strong>disable_last_success</strong> will usually
+have the largest positive impact on performance, and will still allow
+account lockout policies to operate. However, it will make it
+impossible to observe the last successful authentication time with
+kadmin.</p>
+</div>
+<div class="section" id="kdc-setup-and-account-lockout">
+<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<p>To update the account lockout state on principals, the KDC must be
+able to write to the principal database. For the DB2 module, no
+special setup is required. For the LDAP module, the KDC DN must be
+granted write access to the principal objects. If the KDC DN has only
+read access, account lockout will not function.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Account lockout</a><ul>
+<li><a class="reference internal" href="#configuring-account-lockout">Configuring account lockout</a></li>
+<li><a class="reference internal" href="#testing-account-lockout">Testing account lockout</a></li>
+<li><a class="reference internal" href="#account-lockout-principal-state">Account lockout principal state</a></li>
+<li><a class="reference internal" href="#kdc-replication-and-account-lockout">KDC replication and account lockout</a></li>
+<li><a class="reference internal" href="#kdc-performance-and-account-lockout">KDC performance and account lockout</a></li>
+<li><a class="reference internal" href="#kdc-setup-and-account-lockout">KDC setup and account lockout</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Account lockout</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="database.html" title="Database administration"
+ >previous</a> |
+ <a href="conf_ldap.html" title="Configuring Kerberos with OpenLDAP back-end"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Account lockout">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html
new file mode 100644
index 000000000000..7c99a4e135d1
--- /dev/null
+++ b/doc/html/admin/otp.html
@@ -0,0 +1,248 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>OTP Preauthentication &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Principal names and DNS" href="princ_dns.html" />
+ <link rel="prev" title="PKINIT configuration" href="pkinit.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="pkinit.html" title="PKINIT configuration"
+ accesskey="P">previous</a> |
+ <a href="princ_dns.html" title="Principal names and DNS"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="otp-preauthentication">
+<span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Permalink to this headline">¶</a></h1>
+<p>OTP is a preauthentication mechanism for Kerberos 5 which uses One
+Time Passwords (OTP) to authenticate the client to the KDC. The OTP
+is passed to the KDC over an encrypted FAST channel in clear-text.
+The KDC uses the password along with per-user configuration to proxy
+the request to a third-party RADIUS system. This enables
+out-of-the-box compatibility with a large number of already widely
+deployed proprietary systems.</p>
+<p>Additionally, our implementation of the OTP system allows for the
+passing of RADIUS requests over a UNIX domain stream socket. This
+permits the use of a local companion daemon which can handle the
+details of authentication.</p>
+<div class="section" id="defining-token-types">
+<h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Permalink to this headline">¶</a></h2>
+<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> or
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> according to the following format:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ &lt;name&gt; = {
+ server = &lt;host:port or filename&gt; (default: see below)
+ secret = &lt;filename&gt;
+ timeout = &lt;integer&gt; (default: 5 [seconds])
+ retries = &lt;integer&gt; (default: 3)
+ strip_realm = &lt;boolean&gt; (default: true)
+ indicator = &lt;string&gt; (default: none)
+ }
+</pre></div>
+</div>
+<p>If the server field begins with &#8216;/&#8217;, it will be interpreted as a UNIX
+socket. Otherwise, it is assumed to be in the format host:port. When
+a UNIX domain socket is specified, the secret field is optional and an
+empty secret is used by default. If the server field is not
+specified, it defaults to <a class="reference internal" href="../mitK5defaults.html#paths"><em>RUNSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/&lt;name&gt;.socket</span></tt>.</p>
+<p>When forwarding the request over RADIUS, by default the principal is
+used in the User-Name attribute of the RADIUS packet. The strip_realm
+parameter controls whether the principal is forwarded with or without
+the realm portion.</p>
+<p>If an indicator field is present, tickets issued using this token type
+will be annotated with the specified authentication indicator (see
+<a class="reference internal" href="auth_indicator.html#auth-indicator"><em>Authentication indicators</em></a>). This key may be specified multiple times to
+add multiple indicators.</p>
+</div>
+<div class="section" id="the-default-token-type">
+<h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Permalink to this headline">¶</a></h2>
+<p>A default token type is used internally when no token type is specified for a
+given user. It is defined as follows:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ DEFAULT = {
+ strip_realm = false
+ }
+</pre></div>
+</div>
+<p>The administrator may override the internal <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> token type
+simply by defining a configuration with the same name.</p>
+</div>
+<div class="section" id="token-instance-configuration">
+<h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Permalink to this headline">¶</a></h2>
+<p>To enable OTP for a client principal, the administrator must define
+the <strong>otp</strong> string attribute for that principal. (See
+<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>.) The <strong>otp</strong> user string is a JSON string of the
+format:</p>
+<div class="highlight-xml"><div class="highlight"><pre>[{
+ &quot;type&quot;: <span class="nt">&lt;string&gt;</span>,
+ &quot;username&quot;: <span class="nt">&lt;string&gt;</span>,
+ &quot;indicators&quot;: [<span class="nt">&lt;string&gt;</span>, ...]
+ }, ...]
+</pre></div>
+</div>
+<p>This is an array of token objects. Both fields of token objects are
+optional. The <strong>type</strong> field names the token type of this token; if
+not specified, it defaults to <tt class="docutils literal"><span class="pre">DEFAULT</span></tt>. The <strong>username</strong> field
+specifies the value to be sent in the User-Name RADIUS attribute. If
+not specified, the principal name is sent, with or without realm as
+defined in the token type. The <strong>indicators</strong> field specifies a list
+of authentication indicators to annotate tickets with, overriding any
+indicators specified in the token type.</p>
+<p>For ease of configuration, an empty array (<tt class="docutils literal"><span class="pre">[]</span></tt>) is treated as
+equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">[{}]</span></tt>).</p>
+</div>
+<div class="section" id="other-considerations">
+<h2>Other considerations<a class="headerlink" href="#other-considerations" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic simple">
+<li>FAST is required for OTP to work.</li>
+</ol>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">OTP Preauthentication</a><ul>
+<li><a class="reference internal" href="#defining-token-types">Defining token types</a></li>
+<li><a class="reference internal" href="#the-default-token-type">The default token type</a></li>
+<li><a class="reference internal" href="#token-instance-configuration">Token instance configuration</a></li>
+<li><a class="reference internal" href="#other-considerations">Other considerations</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">OTP Preauthentication</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="pkinit.html" title="PKINIT configuration"
+ >previous</a> |
+ <a href="princ_dns.html" title="Principal names and DNS"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__OTP Preauthentication">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html
new file mode 100644
index 000000000000..60645816cd16
--- /dev/null
+++ b/doc/html/admin/pkinit.html
@@ -0,0 +1,447 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>PKINIT configuration &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="OTP Preauthentication" href="otp.html" />
+ <link rel="prev" title="Backups of secure hosts" href="backup_host.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="backup_host.html" title="Backups of secure hosts"
+ accesskey="P">previous</a> |
+ <a href="otp.html" title="OTP Preauthentication"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="pkinit-configuration">
+<span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration" title="Permalink to this headline">¶</a></h1>
+<p>PKINIT is a preauthentication mechanism for Kerberos 5 which uses
+X.509 certificates to authenticate the KDC to clients and vice versa.
+PKINIT can also be used to enable anonymity support, allowing clients
+to communicate securely with the KDC or with application servers
+without authenticating as a particular client principal.</p>
+<div class="section" id="creating-certificates">
+<h2>Creating certificates<a class="headerlink" href="#creating-certificates" title="Permalink to this headline">¶</a></h2>
+<p>PKINIT requires an X.509 certificate for the KDC and one for each
+client principal which will authenticate using PKINIT. For anonymous
+PKINIT, a KDC certificate is required, but client certificates are
+not. A commercially issued server certificate can be used for the KDC
+certificate, but generally cannot be used for client certificates.</p>
+<p>The instruction in this section describe how to establish a
+certificate authority and create standard PKINIT certificates. Skip
+this section if you are using a commercially issued server certificate
+as the KDC certificate for anonymous PKINIT, or if you are configuring
+a client to use an Active Directory KDC.</p>
+<div class="section" id="generating-a-certificate-authority-certificate">
+<h3>Generating a certificate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certificate" title="Permalink to this headline">¶</a></h3>
+<p>You can establish a new certificate authority (CA) for use with a
+PKINIT deployment with the commands:</p>
+<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out cakey.pem 2048
+openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
+</pre></div>
+</div>
+<p>The second command will ask for the values of several certificate
+fields. These fields can be set to any values. You can adjust the
+expiration time of the CA certificate by changing the number after
+<tt class="docutils literal"><span class="pre">-days</span></tt>. Since the CA certificate must be deployed to client
+machines each time it changes, it should normally have an expiration
+time far in the future; however, expiration times after 2037 may cause
+interoperability issues in rare circumstances.</p>
+<p>The result of these commands will be two files, cakey.pem and
+cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which
+must be carefully protected. cacert.pem will contain the CA
+certificate, which must be placed in the filesytems of the KDC and
+each client host. cakey.pem will be required to create KDC and client
+certificates.</p>
+</div>
+<div class="section" id="generating-a-kdc-certificate">
+<h3>Generating a KDC certificate<a class="headerlink" href="#generating-a-kdc-certificate" title="Permalink to this headline">¶</a></h3>
+<p>A KDC certificate for use with PKINIT is required to have some unusual
+fields, which makes generating them with OpenSSL somewhat complicated.
+First, you will need a file containing the following:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
+</pre></div>
+</div>
+<p>If the above contents are placed in extensions.kdc, you can generate
+and sign a KDC certificate with the following commands:</p>
+<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out kdckey.pem 2048
+openssl req -new -out kdc.req -key kdckey.pem
+env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \
+ -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \
+ -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
+rm kdc.req
+</pre></div>
+</div>
+<p>The second command will ask for the values of certificate fields,
+which can be set to any values. In the third command, substitute your
+KDC&#8217;s realm name for YOUR_REALMNAME. You can adjust the certificate&#8217;s
+expiration date by changing the number after <tt class="docutils literal"><span class="pre">-days</span></tt>. Remember to
+create a new KDC certificate before the old one expires.</p>
+<p>The result of this operation will be in two files, kdckey.pem and
+kdc.pem. Both files must be placed in the KDC&#8217;s filesystem.
+kdckey.pem, which contains the KDC&#8217;s private key, must be carefully
+protected.</p>
+<p>If you examine the KDC certificate with <tt class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span> <span class="pre">-in</span> <span class="pre">kdc.pem</span>
+<span class="pre">-text</span> <span class="pre">-noout</span></tt>, OpenSSL will not know how to display the KDC principal
+name in the Subject Alternative Name extension, so it will appear as
+<tt class="docutils literal"><span class="pre">othername:&lt;unsupported&gt;</span></tt>. This is normal and does not mean
+anything is wrong with the KDC certificate.</p>
+</div>
+<div class="section" id="generating-client-certificates">
+<h3>Generating client certificates<a class="headerlink" href="#generating-client-certificates" title="Permalink to this headline">¶</a></h3>
+<p>PKINIT client certificates also must have some unusual certificate
+fields. To generate a client certificate with OpenSSL for a
+single-component principal name, you will need an extensions file
+(different from the KDC extensions file above) containing:</p>
+<div class="highlight-python"><div class="highlight"><pre>[client_cert]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:principal_seq
+
+[principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:principals
+
+[principals]
+princ1=GeneralString:${ENV::CLIENT}
+</pre></div>
+</div>
+<p>If the above contents are placed in extensions.client, you can
+generate and sign a client certificate with the following commands:</p>
+<div class="highlight-python"><div class="highlight"><pre>openssl genrsa -out clientkey.pem 2048
+openssl req -new -key clientkey.pem -out client.req
+env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \
+ -CAkey cakey.pem -CA cacert.pem -req -in client.req \
+ -extensions client_cert -extfile extensions.client \
+ -days 365 -out client.pem
+rm client.req
+</pre></div>
+</div>
+<p>Normally, the first two commands should be run on the client host, and
+the resulting client.req file transferred to the certificate authority
+host for the third command. As in the previous steps, the second
+command will ask for the values of certificate fields, which can be
+set to any values. In the third command, substitute your realm&#8217;s name
+for YOUR_REALMNAME and the client&#8217;s principal name (without realm) for
+YOUR_PRINCNAME. You can adjust the certificate&#8217;s expiration date by
+changing the number after <tt class="docutils literal"><span class="pre">-days</span></tt>.</p>
+<p>The result of this operation will be two files, clientkey.pem and
+client.pem. Both files must be present on the client&#8217;s host;
+clientkey.pem, which contains the client&#8217;s private key, must be
+protected from access by others.</p>
+<p>As in the KDC certificate, OpenSSL will display the client principal
+name as <tt class="docutils literal"><span class="pre">othername:&lt;unsupported&gt;</span></tt> in the Subject Alternative Name
+extension of a PKINIT client certificate.</p>
+<p>If the client principal name contains more than one component
+(e.g. <tt class="docutils literal"><span class="pre">host/example.com&#64;REALM</span></tt>), the <tt class="docutils literal"><span class="pre">[principals]</span></tt> section of
+<tt class="docutils literal"><span class="pre">extensions.client</span></tt> must be altered to contain multiple entries.
+(Simply setting <tt class="docutils literal"><span class="pre">CLIENT</span></tt> to <tt class="docutils literal"><span class="pre">host/example.com</span></tt> would generate a
+certificate for <tt class="docutils literal"><span class="pre">host\/example.com&#64;REALM</span></tt> which would not match the
+multi-component principal name.) For a two-component principal, the
+section should read:</p>
+<div class="highlight-python"><div class="highlight"><pre>[principals]
+princ1=GeneralString:${ENV::CLIENT1}
+princ2=GeneralString:${ENV::CLIENT2}
+</pre></div>
+</div>
+<p>The environment variables <tt class="docutils literal"><span class="pre">CLIENT1</span></tt> and <tt class="docutils literal"><span class="pre">CLIENT2</span></tt> must then be set
+to the first and second components when running <tt class="docutils literal"><span class="pre">openssl</span> <span class="pre">x509</span></tt>.</p>
+</div>
+</div>
+<div class="section" id="configuring-the-kdc">
+<h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Permalink to this headline">¶</a></h2>
+<p>The KDC must have filesystem access to the KDC certificate (kdc.pem)
+and the KDC private key (kdckey.pem). Configure the following
+relation in the KDC&#8217;s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file, either in the
+<a class="reference internal" href="conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section or in a <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection (with
+appropriate pathnames):</p>
+<div class="highlight-python"><div class="highlight"><pre>pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+</pre></div>
+</div>
+<p>If any clients will authenticate using regular (as opposed to
+anonymous) PKINIT, the KDC must also have filesystem access to the CA
+certificate (cacert.pem), and the following configuration (with the
+appropriate pathname):</p>
+<div class="highlight-python"><div class="highlight"><pre>pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
+</pre></div>
+</div>
+<p>Because of the larger size of requests and responses using PKINIT, you
+may also need to allow TCP access to the KDC:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">kdc_tcp_listen</span> <span class="o">=</span> <span class="mi">88</span>
+</pre></div>
+</div>
+<p>Restart the <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to pick up the configuration
+changes.</p>
+<p>The principal entry for each PKINIT-using client must be configured to
+require preauthentication. Ensure this with the command:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;modprinc +requires_preauth YOUR_PRINCNAME&#39;
+</pre></div>
+</div>
+<p>Starting with release 1.12, it is possible to remove the long-term
+keys of a principal entry, which can save some space in the database
+and help to clarify some PKINIT-related error conditions by not asking
+for a password:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;purgekeys -all YOUR_PRINCNAME&#39;
+</pre></div>
+</div>
+<p>These principal options can also be specified at principal creation
+time as follows:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;add_principal +requires_preauth -nokey YOUR_PRINCNAME&#39;
+</pre></div>
+</div>
+</div>
+<div class="section" id="configuring-the-clients">
+<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
+<p>Client hosts must be configured to trust the issuing authority for the
+KDC certificate. For a newly established certificate authority, the
+client host must have filesystem access to the CA certificate
+(cacert.pem) and the following relation in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> in the
+appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection (with appropriate pathnames):</p>
+<div class="highlight-python"><div class="highlight"><pre>pkinit_anchors = FILE:/etc/krb5/cacert.pem
+</pre></div>
+</div>
+<p>If the KDC certificate is a commercially issued server certificate,
+the issuing certificate is most likely included in a system directory.
+You can specify it by filename as above, or specify the whole
+directory like so:</p>
+<div class="highlight-python"><div class="highlight"><pre>pkinit_anchors = DIR:/etc/ssl/certs
+</pre></div>
+</div>
+<p>A commercially issued server certificate will usually not have the
+standard PKINIT principal name or Extended Key Usage extensions, so
+the following additional configuration is required:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">pkinit_eku_checking</span> <span class="o">=</span> <span class="n">kpServerAuth</span>
+<span class="n">pkinit_kdc_hostname</span> <span class="o">=</span> <span class="n">hostname</span><span class="o">.</span><span class="n">of</span><span class="o">.</span><span class="n">kdc</span><span class="o">.</span><span class="n">certificate</span>
+</pre></div>
+</div>
+<p>Multiple <strong>pkinit_kdc_hostname</strong> relations can be configured to
+recognize multiple KDC certificates. If the KDC is an Active
+Directory domain controller, setting <strong>pkinit_kdc_hostname</strong> is
+necessary, but it should not be necessary to set
+<strong>pkinit_eku_checking</strong>.</p>
+<p>To perform regular (as opposed to anonymous) PKINIT authentication, a
+client host must have filesystem access to a client certificate
+(client.pem), and the corresponding private key (clientkey.pem).
+Configure the following relations in the client host&#8217;s
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file in the appropriate <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> subsection
+(with appropriate pathnames):</p>
+<div class="highlight-python"><div class="highlight"><pre>pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
+</pre></div>
+</div>
+<p>If the KDC and client are properly configured, it should now be
+possible to run <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">username</span></tt> without entering a password.</p>
+</div>
+<div class="section" id="anonymous-pkinit">
+<span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Permalink to this headline">¶</a></h2>
+<p>Anonymity support in Kerberos allows a client to obtain a ticket
+without authenticating as any particular principal. Such a ticket can
+be used as a FAST armor ticket, or to securely communicate with an
+application server anonymously.</p>
+<p>To configure anonymity support, you must generate or otherwise procure
+a KDC certificate and configure the KDC host, but you do not need to
+generate any client certificates. On the KDC, you must set the
+<strong>pkinit_identity</strong> variable to provide the KDC certificate, but do
+not need to set the <strong>pkinit_anchors</strong> variable or store the issuing
+certificate if you won&#8217;t have any client certificates to verify. On
+client hosts, you must set the <strong>pkinit_anchors</strong> variable (and
+possibly <strong>pkinit_kdc_hostname</strong> and <strong>pkinit_eku_checking</strong>) in order
+to trust the issuing authority for the KDC certificate, but do not
+need to set the <strong>pkinit_identities</strong> variable.</p>
+<p>Anonymity support is not enabled by default. To enable it, you must
+create the principal <tt class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS</span></tt> using the command:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;addprinc -randkey WELLKNOWN/ANONYMOUS&#39;
+</pre></div>
+</div>
+<p>Some Kerberos deployments include application servers which lack
+proper access control, and grant some level of access to any user who
+can authenticate. In such an environment, enabling anonymity support
+on the KDC would present a security issue. If you need to enable
+anonymity support for TGTs (for use as FAST armor tickets) without
+enabling anonymous authentication to application servers, you can set
+the variable <strong>restrict_anonymous_to_tgt</strong> to <tt class="docutils literal"><span class="pre">true</span></tt> in the
+appropriate <a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> subsection of the KDC&#8217;s
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.</p>
+<p>To obtain anonymous credentials on a client, run <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></tt>, or
+<tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span> <span class="pre">&#64;REALMNAME</span></tt> to specify a realm. The resulting tickets
+will have the client name <tt class="docutils literal"><span class="pre">WELLKNOWN/ANONYMOUS&#64;WELLKNOWN:ANONYMOUS</span></tt>.</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">PKINIT configuration</a><ul>
+<li><a class="reference internal" href="#creating-certificates">Creating certificates</a><ul>
+<li><a class="reference internal" href="#generating-a-certificate-authority-certificate">Generating a certificate authority certificate</a></li>
+<li><a class="reference internal" href="#generating-a-kdc-certificate">Generating a KDC certificate</a></li>
+<li><a class="reference internal" href="#generating-client-certificates">Generating client certificates</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#configuring-the-kdc">Configuring the KDC</a></li>
+<li><a class="reference internal" href="#configuring-the-clients">Configuring the clients</a></li>
+<li><a class="reference internal" href="#anonymous-pkinit">Anonymous PKINIT</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">PKINIT configuration</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="backup_host.html" title="Backups of secure hosts"
+ >previous</a> |
+ <a href="otp.html" title="OTP Preauthentication"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT configuration">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html
new file mode 100644
index 000000000000..b1097c57a0f6
--- /dev/null
+++ b/doc/html/admin/princ_dns.html
@@ -0,0 +1,262 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Principal names and DNS &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Encryption types" href="enctypes.html" />
+ <link rel="prev" title="OTP Preauthentication" href="otp.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="otp.html" title="OTP Preauthentication"
+ accesskey="P">previous</a> |
+ <a href="enctypes.html" title="Encryption types"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Principal names and DNS">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="principal-names-and-dns">
+<h1>Principal names and DNS<a class="headerlink" href="#principal-names-and-dns" title="Permalink to this headline">¶</a></h1>
+<p>Kerberos clients can do DNS lookups to canonicalize service principal
+names. This can cause difficulties when setting up Kerberos
+application servers, especially when the client&#8217;s name for the service
+is different from what the service thinks its name is.</p>
+<div class="section" id="service-principal-names">
+<h2>Service principal names<a class="headerlink" href="#service-principal-names" title="Permalink to this headline">¶</a></h2>
+<p>A frequently used kind of principal name is the host-based service
+principal name. This kind of principal name has two components: a
+service name and a hostname. For example, <tt class="docutils literal"><span class="pre">imap/imap.example.com</span></tt>
+is the principal name of the &#8220;imap&#8221; service on the host
+&#8220;imap.example.com&#8221;. Other possible service names for the first
+component include &#8220;host&#8221; (remote login services such as ssh), &#8220;HTTP&#8221;,
+and &#8220;nfs&#8221; (Network File System).</p>
+<p>Service administrators often publish well-known hostname aliases that
+they would prefer users to use instead of the canonical name of the
+service host. This gives service administrators more flexibility in
+deploying services. For example, a shell login server might be named
+&#8220;long-vanity-hostname.example.com&#8221;, but users will naturally prefer to
+type something like &#8220;login.example.com&#8221;. Hostname aliases also allow
+for administrators to set up load balancing for some sorts of services
+based on rotating <tt class="docutils literal"><span class="pre">CNAME</span></tt> records in DNS.</p>
+</div>
+<div class="section" id="service-principal-canonicalization">
+<h2>Service principal canonicalization<a class="headerlink" href="#service-principal-canonicalization" title="Permalink to this headline">¶</a></h2>
+<p>MIT Kerberos clients currently always do forward resolution (looking
+up the IPv4 and possibly IPv6 addresses using <tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt>) of
+the hostname part of a host-based service principal to canonicalize
+the hostname. They obtain the &#8220;canonical&#8221; name of the host when doing
+so. By default, MIT Kerberos clients will also then do reverse DNS
+resolution (looking up the hostname associated with the IPv4 or IPv6
+address using <tt class="docutils literal"><span class="pre">getnameinfo()</span></tt>) of the hostname. Using the
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> setting:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ rdns = false
+</pre></div>
+</div>
+<p>will disable reverse DNS lookup on clients. The default setting is
+&#8220;true&#8221;.</p>
+<p>Operating system bugs may prevent a setting of <tt class="docutils literal"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></tt> from
+disabling reverse DNS lookup. Some versions of GNU libc have a bug in
+<tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt> that cause them to look up <tt class="docutils literal"><span class="pre">PTR</span></tt> records even when
+not required. MIT Kerberos releases krb5-1.10.2 and newer have a
+workaround for this problem, as does the krb5-1.9.x series as of
+release krb5-1.9.4.</p>
+</div>
+<div class="section" id="reverse-dns-mismatches">
+<h2>Reverse DNS mismatches<a class="headerlink" href="#reverse-dns-mismatches" title="Permalink to this headline">¶</a></h2>
+<p>Sometimes, an enterprise will have control over its forward DNS but
+not its reverse DNS. The reverse DNS is sometimes under the control
+of the Internet service provider of the enterprise, and the enterprise
+may not have much influence in setting up reverse DNS records for its
+address space. If there are difficulties with getting forward and
+reverse DNS to match, it is best to set <tt class="docutils literal"><span class="pre">rdns</span> <span class="pre">=</span> <span class="pre">false</span></tt> on client
+machines.</p>
+</div>
+<div class="section" id="overriding-application-behavior">
+<h2>Overriding application behavior<a class="headerlink" href="#overriding-application-behavior" title="Permalink to this headline">¶</a></h2>
+<p>Applications can choose to use a default hostname component in their
+service principal name when accepting authentication, which avoids
+some sorts of hostname mismatches. Because not all relevant
+applications do this yet, using the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> setting:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ ignore_acceptor_hostname = true
+</pre></div>
+</div>
+<p>will allow the Kerberos library to override the application&#8217;s choice
+of service principal hostname and will allow a server program to
+accept incoming authentications using any key in its keytab that
+matches the service name and realm name (if given). This setting
+defaults to &#8220;false&#8221; and is available in releases krb5-1.10 and later.</p>
+</div>
+<div class="section" id="provisioning-keytabs">
+<h2>Provisioning keytabs<a class="headerlink" href="#provisioning-keytabs" title="Permalink to this headline">¶</a></h2>
+<p>One service principal entry that should be in the keytab is a
+principal whose hostname component is the canonical hostname that
+<tt class="docutils literal"><span class="pre">getaddrinfo()</span></tt> reports for all known aliases for the host. If the
+reverse DNS information does not match this canonical hostname, an
+additional service principal entry should be in the keytab for this
+different hostname.</p>
+</div>
+<div class="section" id="specific-application-advice">
+<h2>Specific application advice<a class="headerlink" href="#specific-application-advice" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="secure-shell-ssh">
+<h3>Secure shell (ssh)<a class="headerlink" href="#secure-shell-ssh" title="Permalink to this headline">¶</a></h3>
+<p>Setting <tt class="docutils literal"><span class="pre">GSSAPIStrictAcceptorCheck</span> <span class="pre">=</span> <span class="pre">no</span></tt> in the configuration file
+of modern versions of the openssh daemon will allow the daemon to try
+any key in its keytab when accepting a connection, rather than looking
+for the keytab entry that matches the host&#8217;s own idea of its name
+(typically the name that <tt class="docutils literal"><span class="pre">gethostname()</span></tt> returns). This requires
+krb5-1.10 or later.</p>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Principal names and DNS</a><ul>
+<li><a class="reference internal" href="#service-principal-names">Service principal names</a></li>
+<li><a class="reference internal" href="#service-principal-canonicalization">Service principal canonicalization</a></li>
+<li><a class="reference internal" href="#reverse-dns-mismatches">Reverse DNS mismatches</a></li>
+<li><a class="reference internal" href="#overriding-application-behavior">Overriding application behavior</a></li>
+<li><a class="reference internal" href="#provisioning-keytabs">Provisioning keytabs</a></li>
+<li><a class="reference internal" href="#specific-application-advice">Specific application advice</a><ul>
+<li><a class="reference internal" href="#secure-shell-ssh">Secure shell (ssh)</a></li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Principal names and DNS</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="otp.html" title="OTP Preauthentication"
+ >previous</a> |
+ <a href="enctypes.html" title="Encryption types"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Principal names and DNS">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html
new file mode 100644
index 000000000000..c64eeab32de2
--- /dev/null
+++ b/doc/html/admin/realm_config.html
@@ -0,0 +1,399 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Realm configuration decisions &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Database administration" href="database.html" />
+ <link rel="prev" title="kadm5.acl" href="conf_files/kadm5_acl.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="conf_files/kadm5_acl.html" title="kadm5.acl"
+ accesskey="P">previous</a> |
+ <a href="database.html" title="Database administration"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Realm configuration decisions">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="realm-configuration-decisions">
+<h1>Realm configuration decisions<a class="headerlink" href="#realm-configuration-decisions" title="Permalink to this headline">¶</a></h1>
+<p>Before installing Kerberos V5, it is necessary to consider the
+following issues:</p>
+<ul class="simple">
+<li>The name of your Kerberos realm (or the name of each realm, if you
+need more than one).</li>
+<li>How you will assign your hostnames to Kerberos realms.</li>
+<li>Which ports your KDC and and kadmind services will use, if they will
+not be using the default ports.</li>
+<li>How many slave KDCs you need and where they should be located.</li>
+<li>The hostnames of your master and slave KDCs.</li>
+<li>How frequently you will propagate the database from the master KDC
+to the slave KDCs.</li>
+</ul>
+<div class="section" id="realm-name">
+<h2>Realm name<a class="headerlink" href="#realm-name" title="Permalink to this headline">¶</a></h2>
+<p>Although your Kerberos realm can be any ASCII string, convention is to
+make it the same as your domain name, in upper-case letters.</p>
+<p>For example, hosts in the domain <tt class="docutils literal"><span class="pre">example.com</span></tt> would be in the
+Kerberos realm:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+</pre></div>
+</div>
+<p>If you need multiple Kerberos realms, MIT recommends that you use
+descriptive names which end with your domain name, such as:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">BOSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">HOUSTON</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+</pre></div>
+</div>
+</div>
+<div class="section" id="mapping-hostnames-onto-kerberos-realms">
+<span id="mapping-hostnames"></span><h2>Mapping hostnames onto Kerberos realms<a class="headerlink" href="#mapping-hostnames-onto-kerberos-realms" title="Permalink to this headline">¶</a></h2>
+<p>Mapping hostnames onto Kerberos realms is done in one of three ways.</p>
+<p>The first mechanism works through a set of rules in the
+<a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. You can specify
+mappings for an entire domain or on a per-hostname basis. Typically
+you would do this by specifying the mappings for a given domain or
+subdomain and listing the exceptions.</p>
+<p>The second mechanism is to use KDC host-based service referrals. With
+this method, the KDC&#8217;s krb5.conf has a full [domain_realm] mapping for
+hosts, but the clients do not, or have mappings for only a subset of
+the hosts they might contact. When a client needs to contact a server
+host for which it has no mapping, it will ask the client realm&#8217;s KDC
+for the service ticket, and will receive a referral to the appropriate
+service realm.</p>
+<p>To use referrals, clients must be running MIT krb5 1.6 or later, and
+the KDC must be running MIT krb5 1.7 or later. The
+<strong>host_based_services</strong> and <strong>no_host_referral</strong> variables in the
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-realms"><em>[realms]</em></a> section of <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> can be used to
+fine-tune referral behavior on the KDC.</p>
+<p>It is also possible for clients to use DNS TXT records, if
+<strong>dns_lookup_realm</strong> is enabled in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Such lookups
+are disabled by default because DNS is an insecure protocol and security
+holes could result if DNS records are spoofed. If enabled, the client
+will try to look up a TXT record formed by prepending the prefix
+<tt class="docutils literal"><span class="pre">_kerberos</span></tt> to the hostname in question. If that record is not
+found, the client will attempt a lookup by prepending <tt class="docutils literal"><span class="pre">_kerberos</span></tt> to the
+host&#8217;s domain name, then its parent domain, up to the top-level domain.
+For the hostname <tt class="docutils literal"><span class="pre">boston.engineering.example.com</span></tt>, the names looked up
+would be:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">_kerberos</span><span class="o">.</span><span class="n">boston</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+<span class="n">_kerberos</span><span class="o">.</span><span class="n">engineering</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+<span class="n">_kerberos</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
+<span class="n">_kerberos</span><span class="o">.</span><span class="n">com</span>
+</pre></div>
+</div>
+<p>The value of the first TXT record found is taken as the realm name.</p>
+<p>Even if you do not choose to use this mechanism within your site,
+you may wish to set it up anyway, for use when interacting with other sites.</p>
+</div>
+<div class="section" id="ports-for-the-kdc-and-admin-services">
+<h2>Ports for the KDC and admin services<a class="headerlink" href="#ports-for-the-kdc-and-admin-services" title="Permalink to this headline">¶</a></h2>
+<p>The default ports used by Kerberos are port 88 for the KDC and port
+749 for the admin server. You can, however, choose to run on other
+ports, as long as they are specified in each host&#8217;s
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> files or in DNS SRV records, and the
+<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file on each KDC. For a more thorough treatment of
+port numbers used by the Kerberos V5 programs, refer to the
+<a class="reference internal" href="appl_servers.html#conf-firewall"><em>Configuring your firewall to work with Kerberos V5</em></a>.</p>
+</div>
+<div class="section" id="slave-kdcs">
+<h2>Slave KDCs<a class="headerlink" href="#slave-kdcs" title="Permalink to this headline">¶</a></h2>
+<p>Slave KDCs provide an additional source of Kerberos ticket-granting
+services in the event of inaccessibility of the master KDC. The
+number of slave KDCs you need and the decision of where to place them,
+both physically and logically, depends on the specifics of your
+network.</p>
+<p>Kerberos authentication requires that each client be able to contact a
+KDC. Therefore, you need to anticipate any likely reason a KDC might
+be unavailable and have a slave KDC to take up the slack.</p>
+<p>Some considerations include:</p>
+<ul class="simple">
+<li>Have at least one slave KDC as a backup, for when the master KDC is
+down, is being upgraded, or is otherwise unavailable.</li>
+<li>If your network is split such that a network outage is likely to
+cause a network partition (some segment or segments of the network
+to become cut off or isolated from other segments), have a slave KDC
+accessible to each segment.</li>
+<li>If possible, have at least one slave KDC in a different building
+from the master, in case of power outages, fires, or other localized
+disasters.</li>
+</ul>
+</div>
+<div class="section" id="hostnames-for-kdcs">
+<span id="kdc-hostnames"></span><h2>Hostnames for KDCs<a class="headerlink" href="#hostnames-for-kdcs" title="Permalink to this headline">¶</a></h2>
+<p>MIT recommends that your KDCs have a predefined set of CNAME records
+(DNS hostname aliases), such as <tt class="docutils literal"><span class="pre">kerberos</span></tt> for the master KDC and
+<tt class="docutils literal"><span class="pre">kerberos-1</span></tt>, <tt class="docutils literal"><span class="pre">kerberos-2</span></tt>, ... for the slave KDCs. This way, if
+you need to swap a machine, you only need to change a DNS entry,
+rather than having to change hostnames.</p>
+<p>As of MIT krb5 1.4, clients can locate a realm&#8217;s KDCs through DNS
+using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is
+also a DNS domain name. These records indicate the hostname and port
+number to contact for that service, optionally with weighting and
+prioritization. The domain name used in the SRV record name is the
+realm name. Several different Kerberos-related service names are
+used:</p>
+<dl class="docutils">
+<dt>_kerberos._udp</dt>
+<dd>This is for contacting any KDC by UDP. This entry will be used
+the most often. Normally you should list port 88 on each of your
+KDCs.</dd>
+<dt>_kerberos._tcp</dt>
+<dd>This is for contacting any KDC by TCP. The MIT KDC by default
+will not listen on any TCP ports, so unless you&#8217;ve changed the
+configuration or you&#8217;re running another KDC implementation, you
+should leave this unspecified. If you do enable TCP support,
+normally you should use port 88.</dd>
+<dt>_kerberos-master._udp</dt>
+<dd><p class="first">This entry should refer to those KDCs, if any, that will
+immediately see password changes to the Kerberos database. If a
+user is logging in and the password appears to be incorrect, the
+client will retry with the master KDC before failing with an
+&#8220;incorrect password&#8221; error given.</p>
+<p class="last">If you have only one KDC, or for whatever reason there is no
+accessible KDC that would get database changes faster than the
+others, you do not need to define this entry.</p>
+</dd>
+<dt>_kerberos-adm._tcp</dt>
+<dd>This should list port 749 on your master KDC. Support for it is
+not complete at this time, but it will eventually be used by the
+<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> program and related utilities. For now, you will
+also need the <strong>admin_server</strong> variable in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</dd>
+<dt>_kpasswd._udp</dt>
+<dd>This should list port 464 on your master KDC. It is used when a
+user changes her password. If this entry is not defined but a
+_kerberos-adm._tcp entry is defined, the client will use the
+_kerberos-adm._tcp entry with the port number changed to 749.</dd>
+</dl>
+<p>The DNS SRV specification requires that the hostnames listed be the
+canonical names, not aliases. So, for example, you might include the
+following records in your (BIND-style) zone file:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ORIGIN foobar.com.
+_kerberos TXT &quot;FOOBAR.COM&quot;
+kerberos CNAME daisy
+kerberos-1 CNAME use-the-force-luke
+kerberos-2 CNAME bunny-rabbit
+_kerberos._udp SRV 0 0 88 daisy
+ SRV 0 0 88 use-the-force-luke
+ SRV 0 0 88 bunny-rabbit
+_kerberos-master._udp SRV 0 0 88 daisy
+_kerberos-adm._tcp SRV 0 0 749 daisy
+_kpasswd._udp SRV 0 0 464 daisy
+</pre></div>
+</div>
+<p>Clients can also be configured with the explicit location of services
+using the <strong>kdc</strong>, <strong>master_kdc</strong>, <strong>admin_server</strong>, and
+<strong>kpasswd_server</strong> variables in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><em>[realms]</em></a> section of
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Even if some clients will be configured with
+explicit server locations, providing SRV records will still benefit
+unconfigured clients, and be useful for other sites.</p>
+</div>
+<div class="section" id="kdc-discovery">
+<span id="id1"></span><h2>KDC Discovery<a class="headerlink" href="#kdc-discovery" title="Permalink to this headline">¶</a></h2>
+<p>As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
+records (<span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may
+result in extra DNS queries in situations where a client must failover
+to other transport types, or find a master server. The URI record can
+convey more information about a realm&#8217;s KDCs with a single query.</p>
+<p>The client performs a query for the following URI records:</p>
+<ul class="simple">
+<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for fiding KDCs.</li>
+<li><tt class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></tt> for finding kadmin services.</li>
+<li><tt class="docutils literal"><span class="pre">_kpasswd.REALM</span></tt> for finding password services.</li>
+</ul>
+<p>The URI record includes a priority, weight, and a URI string that
+consists of case-insensitive colon separated fields, in the form
+<tt class="docutils literal"><span class="pre">scheme:[flags]:transport:residual</span></tt>.</p>
+<ul class="simple">
+<li><em>scheme</em> defines the registered URI type. It should always be
+<tt class="docutils literal"><span class="pre">krb5srv</span></tt>.</li>
+<li><em>flags</em> contains zero or more flag characters. Currently the only
+valid flag is <tt class="docutils literal"><span class="pre">m</span></tt>, which indicates that the record is for a master
+server.</li>
+<li><em>transport</em> defines the transport type of the residual URL or
+address. Accepted values are <tt class="docutils literal"><span class="pre">tcp</span></tt>, <tt class="docutils literal"><span class="pre">udp</span></tt>, or <tt class="docutils literal"><span class="pre">kkdcp</span></tt> for the
+MS-KKDCP type.</li>
+<li><em>residual</em> contains the hostname, IP address, or URL to be
+contacted using the specified transport, with an optional port
+extension. The MS-KKDCP transport type uses a HTTPS URL, and can
+include a port and/or path extension.</li>
+</ul>
+<p>An example of URI records in a zone file:</p>
+<div class="highlight-python"><div class="highlight"><pre>_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
+ URI 20 1 krb5srv:m:udp:kdc2.example.com:89
+ URI 40 1 krb5srv::udp:10.10.0.23
+ URI 30 1 krb5srv::kkdcp:https://proxy:89/auth
+</pre></div>
+</div>
+<p>URI lookups are enabled by default, and can be disabled by setting
+<strong>dns_uri_lookup</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> section of
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> to False. When enabled, URI lookups take
+precedence over SRV lookups, falling back to SRV lookups if no URI
+records are found.</p>
+</div>
+<div class="section" id="database-propagation">
+<span id="db-prop"></span><h2>Database propagation<a class="headerlink" href="#database-propagation" title="Permalink to this headline">¶</a></h2>
+<p>The Kerberos database resides on the master KDC, and must be
+propagated regularly (usually by a cron job) to the slave KDCs. In
+deciding how frequently the propagation should happen, you will need
+to balance the amount of time the propagation takes against the
+maximum reasonable amount of time a user should have to wait for a
+password change to take effect.</p>
+<p>If the propagation time is longer than this maximum reasonable time
+(e.g., you have a particularly large database, you have a lot of
+slaves, or you experience frequent network delays), you may wish to
+cut down on your propagation delay by performing the propagation in
+parallel. To do this, have the master KDC propagate the database to
+one set of slaves, and then have each of these slaves propagate the
+database to additional slaves.</p>
+<p>See also <a class="reference internal" href="database.html#incr-db-prop"><em>Incremental database propagation</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Realm configuration decisions</a><ul>
+<li><a class="reference internal" href="#realm-name">Realm name</a></li>
+<li><a class="reference internal" href="#mapping-hostnames-onto-kerberos-realms">Mapping hostnames onto Kerberos realms</a></li>
+<li><a class="reference internal" href="#ports-for-the-kdc-and-admin-services">Ports for the KDC and admin services</a></li>
+<li><a class="reference internal" href="#slave-kdcs">Slave KDCs</a></li>
+<li><a class="reference internal" href="#hostnames-for-kdcs">Hostnames for KDCs</a></li>
+<li><a class="reference internal" href="#kdc-discovery">KDC Discovery</a></li>
+<li><a class="reference internal" href="#database-propagation">Database propagation</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Realm configuration decisions</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="conf_files/kadm5_acl.html" title="kadm5.acl"
+ >previous</a> |
+ <a href="database.html" title="Database administration"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Realm configuration decisions">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html
new file mode 100644
index 000000000000..85782d4b97f7
--- /dev/null
+++ b/doc/html/admin/troubleshoot.html
@@ -0,0 +1,273 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Troubleshooting &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="Advanced topics" href="advanced/index.html" />
+ <link rel="prev" title="Environment variables" href="env_variables.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="env_variables.html" title="Environment variables"
+ accesskey="P">previous</a> |
+ <a href="advanced/index.html" title="Advanced topics"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="troubleshooting">
+<span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="trace-logging">
+<span id="id1"></span><h2>Trace logging<a class="headerlink" href="#trace-logging" title="Permalink to this headline">¶</a></h2>
+<p>Most programs using MIT krb5 1.9 or later can be made to provide
+information about internal krb5 library operations using trace
+logging. To enable this, set the <strong>KRB5_TRACE</strong> environment variable
+to a filename before running the program. On many operating systems,
+the filename <tt class="docutils literal"><span class="pre">/dev/stdout</span></tt> can be used to send trace logging output
+to standard output.</p>
+<p>Some programs do not honor <strong>KRB5_TRACE</strong>, either because they use
+secure library contexts (this generally applies to setuid programs and
+parts of the login system) or because they take direct control of the
+trace logging system using the API.</p>
+<p>Here is a short example showing trace logging output for an invocation
+of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-1"><em>kvno</em></a> command:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
+[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -&gt;
+ krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
+ FILE:/me/krb5/build/testdir/ccache
+[9138] 1332348778.823381: Retrieving user@KRBTEST.COM -&gt;
+ krbtgt/KRBTEST.COM@KRBTEST.COM from
+ FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
+krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-of-errors">
+<h2>List of errors<a class="headerlink" href="#list-of-errors" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="frequently-seen-errors">
+<h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Permalink to this headline">¶</a></h3>
+<ol class="arabic simple">
+<li><a class="reference internal" href="#init-creds-etype-nosupp"><em>KDC has no support for encryption type while getting initial credentials</em></a></li>
+<li><a class="reference internal" href="#cert-chain-etype-nosupp"><em>credential verification failed: KDC has no support for encryption type</em></a></li>
+<li><a class="reference internal" href="#err-cert-chain-cert-expired"><em>Cannot create cert chain: certificate has expired</em></a></li>
+</ol>
+</div>
+<div class="section" id="errors-seen-by-admins">
+<h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Permalink to this headline">¶</a></h3>
+<ol class="arabic simple" id="prop-failed-start">
+<li><a class="reference internal" href="#kprop-no-route"><em>kprop: No route to host while connecting to server</em></a></li>
+<li><a class="reference internal" href="#kprop-con-refused"><em>kprop: Connection refused while connecting to server</em></a></li>
+<li><a class="reference internal" href="#kprop-sendauth-exchange"><em>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</em></a></li>
+</ol>
+<hr class="docutils" id="prop-failed-end" />
+<div class="section" id="kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">
+<span id="init-creds-etype-nosupp"></span><h4>KDC has no support for encryption type while getting initial credentials<a class="headerlink" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials" title="Permalink to this headline">¶</a></h4>
+</div>
+<div class="section" id="credential-verification-failed-kdc-has-no-support-for-encryption-type">
+<span id="cert-chain-etype-nosupp"></span><h4>credential verification failed: KDC has no support for encryption type<a class="headerlink" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type" title="Permalink to this headline">¶</a></h4>
+<p>This most commonly happens when trying to use a principal with only
+DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
+default. DES encryption is considered weak due to its inadequate key
+size. If you cannot migrate away from its use, you can re-enable DES
+by adding <tt class="docutils literal"><span class="pre">allow_weak_crypto</span> <span class="pre">=</span> <span class="pre">true</span></tt> to the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><em>[libdefaults]</em></a>
+section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+</div>
+<div class="section" id="cannot-create-cert-chain-certificate-has-expired">
+<span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Permalink to this headline">¶</a></h4>
+<p>This error message indicates that PKINIT authentication failed because
+the client certificate, KDC certificate, or one of the certificates in
+the signing chain above them has expired.</p>
+<p>If the KDC certificate has expired, this message appears in the KDC
+log file, and the client will receive a &#8220;Preauthentication failed&#8221;
+error. (Prior to release 1.11, the KDC log file message erroneously
+appears as &#8220;Out of memory&#8221;. Prior to release 1.12, the client will
+receive a &#8220;Generic error&#8221;.)</p>
+<p>If the client or a signing certificate has expired, this message may
+appear in <a class="reference internal" href="#trace-logging">trace_logging</a> output from <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or, starting in
+release 1.12, as an error message from kinit or another program which
+gets initial tickets. The error message is more likely to appear
+properly on the client if the principal entry has no long-term keys.</p>
+</div>
+<div class="section" id="kprop-no-route-to-host-while-connecting-to-server">
+<span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Permalink to this headline">¶</a></h4>
+<p>Make sure that the hostname of the slave (as given to kprop) is
+correct, and that any firewalls between the master and the slave allow
+a connection on port 754.</p>
+</div>
+<div class="section" id="kprop-connection-refused-while-connecting-to-server">
+<span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Permalink to this headline">¶</a></h4>
+<p>If the slave is intended to run kpropd out of inetd, make sure that
+inetd is configured to accept krb5_prop connections. inetd may need
+to be restarted or sent a SIGHUP to recognize the new configuration.
+If the slave is intended to run kpropd in standalone mode, make sure
+that it is running.</p>
+</div>
+<div class="section" id="kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">
+<span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Permalink to this headline">¶</a></h4>
+<p>Make sure that:</p>
+<ol class="arabic simple">
+<li>The time is synchronized between the master and slave KDCs.</li>
+<li>The master stash file was copied from the master to the expected
+location on the slave.</li>
+<li>The slave has a keytab file in the default location containing a
+<tt class="docutils literal"><span class="pre">host</span></tt> principal for the slave&#8217;s hostname.</li>
+</ol>
+</div>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Troubleshooting</a><ul>
+<li><a class="reference internal" href="#trace-logging">Trace logging</a></li>
+<li><a class="reference internal" href="#list-of-errors">List of errors</a><ul>
+<li><a class="reference internal" href="#frequently-seen-errors">Frequently seen errors</a></li>
+<li><a class="reference internal" href="#errors-seen-by-admins">Errors seen by admins</a><ul>
+<li><a class="reference internal" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">KDC has no support for encryption type while getting initial credentials</a></li>
+<li><a class="reference internal" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type">credential verification failed: KDC has no support for encryption type</a></li>
+<li><a class="reference internal" href="#cannot-create-cert-chain-certificate-has-expired">Cannot create cert chain: certificate has expired</a></li>
+<li><a class="reference internal" href="#kprop-no-route-to-host-while-connecting-to-server">kprop: No route to host while connecting to server</a></li>
+<li><a class="reference internal" href="#kprop-connection-refused-while-connecting-to-server">kprop: Connection refused while connecting to server</a></li>
+<li><a class="reference internal" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</a></li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Troubleshooting</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="env_variables.html" title="Environment variables"
+ >previous</a> |
+ <a href="advanced/index.html" title="Advanced topics"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Troubleshooting">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html
new file mode 100644
index 000000000000..23c8e7bb5b66
--- /dev/null
+++ b/doc/html/admin/various_envs.html
@@ -0,0 +1,189 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Various links &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For administrators" href="index.html" />
+ <link rel="next" title="For application developers" href="../appdev/index.html" />
+ <link rel="prev" title="Retiring DES" href="advanced/retiring-des.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="advanced/retiring-des.html" title="Retiring DES"
+ accesskey="P">previous</a> |
+ <a href="../appdev/index.html" title="For application developers"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Various links">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="various-links">
+<h1>Various links<a class="headerlink" href="#various-links" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="whitepapers">
+<h2>Whitepapers<a class="headerlink" href="#whitepapers" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic simple">
+<li><a class="reference external" href="http://kerberos.org/software/whitepapers.html">http://kerberos.org/software/whitepapers.html</a></li>
+</ol>
+</div>
+<div class="section" id="tutorials">
+<h2>Tutorials<a class="headerlink" href="#tutorials" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic simple">
+<li>Fulvio Ricciardi &lt;<a class="reference external" href="http://www.kerberos.org/software/tutorial.html">http://www.kerberos.org/software/tutorial.html</a>&gt;_</li>
+</ol>
+</div>
+<div class="section" id="troubleshooting">
+<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic simple">
+<li><a class="reference external" href="http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html">http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html</a></li>
+<li><a class="reference external" href="http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto_v3.pdf">http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto_v3.pdf</a></li>
+<li><a class="reference external" href="http://sysdoc.doors.ch/HP/T1417-90005.pdf">http://sysdoc.doors.ch/HP/T1417-90005.pdf</a></li>
+<li><a class="reference external" href="http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html">http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html</a></li>
+<li><a class="reference external" href="http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html">http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html</a></li>
+<li><a class="reference external" href="http://technet.microsoft.com/en-us/library/bb463167.aspx#EBAA">http://technet.microsoft.com/en-us/library/bb463167.aspx#EBAA</a></li>
+<li><a class="reference external" href="https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528">https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528</a></li>
+<li><a class="reference external" href="http://h71000.www7.hp.com/doc/83final/ba548_90007/ch06s05.html">http://h71000.www7.hp.com/doc/83final/ba548_90007/ch06s05.html</a></li>
+</ol>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Various links</a><ul>
+<li><a class="reference internal" href="#whitepapers">Whitepapers</a></li>
+<li><a class="reference internal" href="#tutorials">Tutorials</a></li>
+<li><a class="reference internal" href="#troubleshooting">Troubleshooting</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Various links</a><ul class="simple">
+</ul>
+</li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="advanced/retiring-des.html" title="Retiring DES"
+ >previous</a> |
+ <a href="../appdev/index.html" title="For application developers"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Various links">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file