From b0e4d68d5124581ae353493d69bea352de4cff8a Mon Sep 17 00:00:00 2001
From: Cy Schubert <cy@FreeBSD.org>
Date: Tue, 3 Apr 2018 19:36:00 +0000
Subject: Import MIT KRB5 1.16.

---
 .travis.yml                                        |   26 +
 NOTICE                                             |    2 +-
 README                                             |  287 +-
 doc/admin/admin_commands/kadmin_local.rst          |    7 +
 doc/admin/admin_commands/kpropd.rst                |    5 +
 doc/admin/admin_commands/ktutil.rst                |    2 +-
 doc/admin/conf_files/kadm5_acl.rst                 |   40 +-
 doc/admin/conf_files/kdc_conf.rst                  |   17 +-
 doc/admin/conf_files/krb5_conf.rst                 |   59 +-
 doc/admin/pkinit.rst                               |   20 +
 doc/admin/realm_config.rst                         |    2 +-
 doc/appdev/gssapi.rst                              |   19 +
 doc/appdev/index.rst                               |    1 +
 doc/appdev/y2038.rst                               |   28 +
 doc/basic/ccache_def.rst                           |    2 +-
 doc/build/options2configure.rst                    |    4 -
 doc/conf.py                                        |    2 +-
 .../_sources/admin/admin_commands/kadmin_local.txt |    7 +
 doc/html/_sources/admin/admin_commands/kpropd.txt  |    5 +
 doc/html/_sources/admin/admin_commands/ktutil.txt  |    2 +-
 doc/html/_sources/admin/conf_files/kadm5_acl.txt   |   40 +-
 doc/html/_sources/admin/conf_files/kdc_conf.txt    |   17 +-
 doc/html/_sources/admin/conf_files/krb5_conf.txt   |   59 +-
 doc/html/_sources/admin/pkinit.txt                 |   20 +
 doc/html/_sources/admin/realm_config.txt           |    2 +-
 doc/html/_sources/appdev/gssapi.txt                |   19 +
 doc/html/_sources/appdev/index.txt                 |    1 +
 .../appdev/refs/api/krb5_auth_con_initivector.txt  |   15 +-
 .../appdev/refs/api/krb5_fwd_tgt_creds.txt         |    2 +-
 .../appdev/refs/api/krb5_init_creds_free.txt       |    2 +-
 .../appdev/refs/api/krb5_init_creds_get.txt        |    4 +
 .../appdev/refs/api/krb5_init_creds_init.txt       |    4 +
 .../refs/api/krb5_init_creds_set_service.txt       |    2 +-
 .../appdev/refs/api/krb5_init_creds_step.txt       |    4 +
 doc/html/_sources/appdev/refs/api/krb5_mk_req.txt  |    2 +-
 .../_sources/appdev/refs/api/krb5_pac_verify.txt   |    2 +-
 .../_sources/appdev/refs/types/krb5_timestamp.txt  |    3 +-
 doc/html/_sources/appdev/y2038.txt                 |   28 +
 doc/html/_sources/basic/ccache_def.txt             |    2 +-
 doc/html/_sources/build/options2configure.txt      |    4 -
 doc/html/_sources/mitK5features.txt                |   95 +-
 doc/html/_sources/plugindev/certauth.txt           |   27 +
 doc/html/_sources/plugindev/index.txt              |    3 +
 doc/html/_sources/plugindev/kadm5_auth.txt         |   35 +
 doc/html/_sources/plugindev/kdcpolicy.txt          |   24 +
 doc/html/about.html                                |    4 +-
 doc/html/admin/admin_commands/index.html           |    4 +-
 doc/html/admin/admin_commands/k5srvutil.html       |    4 +-
 doc/html/admin/admin_commands/kadmin_local.html    |   10 +-
 doc/html/admin/admin_commands/kadmind.html         |    4 +-
 doc/html/admin/admin_commands/kdb5_ldap_util.html  |    4 +-
 doc/html/admin/admin_commands/kdb5_util.html       |    4 +-
 doc/html/admin/admin_commands/kprop.html           |    4 +-
 doc/html/admin/admin_commands/kpropd.html          |    8 +-
 doc/html/admin/admin_commands/kproplog.html        |    4 +-
 doc/html/admin/admin_commands/krb5kdc.html         |    4 +-
 doc/html/admin/admin_commands/ktutil.html          |    6 +-
 doc/html/admin/admin_commands/sserver.html         |    4 +-
 doc/html/admin/advanced/index.html                 |    4 +-
 doc/html/admin/advanced/ldapbackend.html           |    4 +-
 doc/html/admin/advanced/retiring-des.html          |    4 +-
 doc/html/admin/appl_servers.html                   |    4 +-
 doc/html/admin/auth_indicator.html                 |    4 +-
 doc/html/admin/backup_host.html                    |    4 +-
 doc/html/admin/conf_files/index.html               |    4 +-
 doc/html/admin/conf_files/kadm5_acl.html           |   41 +-
 doc/html/admin/conf_files/kdc_conf.html            |   23 +-
 doc/html/admin/conf_files/krb5_conf.html           |   63 +-
 doc/html/admin/conf_ldap.html                      |    4 +-
 doc/html/admin/database.html                       |    4 +-
 doc/html/admin/enctypes.html                       |    4 +-
 doc/html/admin/env_variables.html                  |    4 +-
 doc/html/admin/host_config.html                    |    4 +-
 doc/html/admin/https.html                          |    4 +-
 doc/html/admin/index.html                          |    4 +-
 doc/html/admin/install.html                        |    4 +-
 doc/html/admin/install_appl_srv.html               |    4 +-
 doc/html/admin/install_clients.html                |    4 +-
 doc/html/admin/install_kdc.html                    |    4 +-
 doc/html/admin/lockout.html                        |    4 +-
 doc/html/admin/otp.html                            |    4 +-
 doc/html/admin/pkinit.html                         |   23 +-
 doc/html/admin/princ_dns.html                      |    4 +-
 doc/html/admin/realm_config.html                   |    6 +-
 doc/html/admin/troubleshoot.html                   |    4 +-
 doc/html/admin/various_envs.html                   |    4 +-
 doc/html/appdev/gssapi.html                        |   29 +-
 doc/html/appdev/h5l_mit_apidiff.html               |   11 +-
 doc/html/appdev/index.html                         |    6 +-
 doc/html/appdev/init_creds.html                    |    5 +-
 doc/html/appdev/princ_handle.html                  |    5 +-
 doc/html/appdev/refs/api/index.html                |    7 +-
 .../appdev/refs/api/krb5_425_conv_principal.html   |    5 +-
 .../appdev/refs/api/krb5_524_conv_principal.html   |    5 +-
 .../appdev/refs/api/krb5_524_convert_creds.html    |    5 +-
 doc/html/appdev/refs/api/krb5_address_compare.html |    5 +-
 doc/html/appdev/refs/api/krb5_address_order.html   |    5 +-
 doc/html/appdev/refs/api/krb5_address_search.html  |    5 +-
 .../appdev/refs/api/krb5_allow_weak_crypto.html    |    5 +-
 .../appdev/refs/api/krb5_aname_to_localname.html   |    5 +-
 .../appdev/refs/api/krb5_anonymous_principal.html  |    5 +-
 doc/html/appdev/refs/api/krb5_anonymous_realm.html |    5 +-
 .../appdev/refs/api/krb5_appdefault_boolean.html   |    5 +-
 .../appdev/refs/api/krb5_appdefault_string.html    |    5 +-
 doc/html/appdev/refs/api/krb5_auth_con_free.html   |    5 +-
 .../appdev/refs/api/krb5_auth_con_genaddrs.html    |    5 +-
 .../refs/api/krb5_auth_con_get_checksum_func.html  |    5 +-
 .../appdev/refs/api/krb5_auth_con_getaddrs.html    |    5 +-
 .../refs/api/krb5_auth_con_getauthenticator.html   |    5 +-
 .../appdev/refs/api/krb5_auth_con_getflags.html    |    5 +-
 doc/html/appdev/refs/api/krb5_auth_con_getkey.html |    5 +-
 .../appdev/refs/api/krb5_auth_con_getkey_k.html    |    5 +-
 .../refs/api/krb5_auth_con_getlocalseqnumber.html  |    5 +-
 .../refs/api/krb5_auth_con_getlocalsubkey.html     |    5 +-
 .../appdev/refs/api/krb5_auth_con_getrcache.html   |    5 +-
 .../refs/api/krb5_auth_con_getrecvsubkey.html      |    5 +-
 .../refs/api/krb5_auth_con_getrecvsubkey_k.html    |    5 +-
 .../refs/api/krb5_auth_con_getremoteseqnumber.html |    5 +-
 .../refs/api/krb5_auth_con_getremotesubkey.html    |   11 +-
 .../refs/api/krb5_auth_con_getsendsubkey.html      |    5 +-
 .../refs/api/krb5_auth_con_getsendsubkey_k.html    |    5 +-
 doc/html/appdev/refs/api/krb5_auth_con_init.html   |    5 +-
 .../appdev/refs/api/krb5_auth_con_initivector.html |   35 +-
 .../refs/api/krb5_auth_con_set_checksum_func.html  |    5 +-
 .../refs/api/krb5_auth_con_set_req_cksumtype.html  |    5 +-
 .../appdev/refs/api/krb5_auth_con_setaddrs.html    |    5 +-
 .../appdev/refs/api/krb5_auth_con_setflags.html    |    5 +-
 .../appdev/refs/api/krb5_auth_con_setports.html    |    5 +-
 .../appdev/refs/api/krb5_auth_con_setrcache.html   |    5 +-
 .../refs/api/krb5_auth_con_setrecvsubkey.html      |    5 +-
 .../refs/api/krb5_auth_con_setrecvsubkey_k.html    |    5 +-
 .../refs/api/krb5_auth_con_setsendsubkey.html      |    5 +-
 .../refs/api/krb5_auth_con_setsendsubkey_k.html    |    5 +-
 .../refs/api/krb5_auth_con_setuseruserkey.html     |    5 +-
 doc/html/appdev/refs/api/krb5_build_principal.html |    5 +-
 .../refs/api/krb5_build_principal_alloc_va.html    |    5 +-
 .../appdev/refs/api/krb5_build_principal_ext.html  |    5 +-
 .../appdev/refs/api/krb5_build_principal_va.html   |   11 +-
 doc/html/appdev/refs/api/krb5_c_block_size.html    |    5 +-
 .../appdev/refs/api/krb5_c_checksum_length.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_crypto_length.html |    5 +-
 .../appdev/refs/api/krb5_c_crypto_length_iov.html  |    5 +-
 doc/html/appdev/refs/api/krb5_c_decrypt.html       |    5 +-
 doc/html/appdev/refs/api/krb5_c_decrypt_iov.html   |    5 +-
 .../appdev/refs/api/krb5_c_derive_prfplus.html     |    5 +-
 doc/html/appdev/refs/api/krb5_c_encrypt.html       |    5 +-
 doc/html/appdev/refs/api/krb5_c_encrypt_iov.html   |    5 +-
 .../appdev/refs/api/krb5_c_encrypt_length.html     |    5 +-
 .../appdev/refs/api/krb5_c_enctype_compare.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_free_state.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html |    5 +-
 doc/html/appdev/refs/api/krb5_c_init_state.html    |    5 +-
 .../refs/api/krb5_c_is_coll_proof_cksum.html       |    5 +-
 .../appdev/refs/api/krb5_c_is_keyed_cksum.html     |    5 +-
 .../refs/api/krb5_c_keyed_checksum_types.html      |    5 +-
 doc/html/appdev/refs/api/krb5_c_keylengths.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_make_checksum.html |    5 +-
 .../appdev/refs/api/krb5_c_make_checksum_iov.html  |    5 +-
 .../appdev/refs/api/krb5_c_make_random_key.html    |    5 +-
 .../appdev/refs/api/krb5_c_padding_length.html     |    5 +-
 doc/html/appdev/refs/api/krb5_c_prf.html           |    5 +-
 doc/html/appdev/refs/api/krb5_c_prf_length.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_prfplus.html       |    5 +-
 .../appdev/refs/api/krb5_c_random_add_entropy.html |    5 +-
 .../appdev/refs/api/krb5_c_random_make_octets.html |    5 +-
 .../appdev/refs/api/krb5_c_random_os_entropy.html  |    5 +-
 doc/html/appdev/refs/api/krb5_c_random_seed.html   |    5 +-
 doc/html/appdev/refs/api/krb5_c_random_to_key.html |    5 +-
 doc/html/appdev/refs/api/krb5_c_string_to_key.html |    5 +-
 .../refs/api/krb5_c_string_to_key_with_params.html |    5 +-
 .../appdev/refs/api/krb5_c_valid_cksumtype.html    |    5 +-
 doc/html/appdev/refs/api/krb5_c_valid_enctype.html |    5 +-
 .../appdev/refs/api/krb5_c_verify_checksum.html    |    5 +-
 .../refs/api/krb5_c_verify_checksum_iov.html       |    5 +-
 .../appdev/refs/api/krb5_calculate_checksum.html   |    5 +-
 doc/html/appdev/refs/api/krb5_cc_cache_match.html  |    5 +-
 doc/html/appdev/refs/api/krb5_cc_close.html        |    5 +-
 doc/html/appdev/refs/api/krb5_cc_copy_creds.html   |    5 +-
 doc/html/appdev/refs/api/krb5_cc_default.html      |    5 +-
 doc/html/appdev/refs/api/krb5_cc_default_name.html |    5 +-
 doc/html/appdev/refs/api/krb5_cc_destroy.html      |    5 +-
 doc/html/appdev/refs/api/krb5_cc_dup.html          |    5 +-
 doc/html/appdev/refs/api/krb5_cc_end_seq_get.html  |    5 +-
 doc/html/appdev/refs/api/krb5_cc_gen_new.html      |    5 +-
 doc/html/appdev/refs/api/krb5_cc_get_config.html   |    5 +-
 doc/html/appdev/refs/api/krb5_cc_get_flags.html    |    5 +-
 .../appdev/refs/api/krb5_cc_get_full_name.html     |    5 +-
 doc/html/appdev/refs/api/krb5_cc_get_name.html     |    5 +-
 .../appdev/refs/api/krb5_cc_get_principal.html     |    5 +-
 doc/html/appdev/refs/api/krb5_cc_get_type.html     |    5 +-
 doc/html/appdev/refs/api/krb5_cc_initialize.html   |    5 +-
 .../appdev/refs/api/krb5_cc_last_change_time.html  |    5 +-
 doc/html/appdev/refs/api/krb5_cc_lock.html         |    5 +-
 doc/html/appdev/refs/api/krb5_cc_move.html         |    5 +-
 doc/html/appdev/refs/api/krb5_cc_new_unique.html   |    5 +-
 doc/html/appdev/refs/api/krb5_cc_next_cred.html    |    5 +-
 doc/html/appdev/refs/api/krb5_cc_remove_cred.html  |    5 +-
 doc/html/appdev/refs/api/krb5_cc_resolve.html      |    5 +-
 .../appdev/refs/api/krb5_cc_retrieve_cred.html     |    5 +-
 doc/html/appdev/refs/api/krb5_cc_select.html       |    5 +-
 doc/html/appdev/refs/api/krb5_cc_set_config.html   |    5 +-
 .../appdev/refs/api/krb5_cc_set_default_name.html  |    5 +-
 doc/html/appdev/refs/api/krb5_cc_set_flags.html    |    5 +-
 .../appdev/refs/api/krb5_cc_start_seq_get.html     |    5 +-
 doc/html/appdev/refs/api/krb5_cc_store_cred.html   |    5 +-
 .../appdev/refs/api/krb5_cc_support_switch.html    |    5 +-
 doc/html/appdev/refs/api/krb5_cc_switch.html       |    5 +-
 doc/html/appdev/refs/api/krb5_cc_unlock.html       |    5 +-
 .../appdev/refs/api/krb5_cccol_cursor_free.html    |    5 +-
 .../appdev/refs/api/krb5_cccol_cursor_new.html     |    5 +-
 .../appdev/refs/api/krb5_cccol_cursor_next.html    |    5 +-
 .../appdev/refs/api/krb5_cccol_have_content.html   |    5 +-
 .../refs/api/krb5_cccol_last_change_time.html      |    5 +-
 doc/html/appdev/refs/api/krb5_cccol_lock.html      |    5 +-
 doc/html/appdev/refs/api/krb5_cccol_unlock.html    |    5 +-
 doc/html/appdev/refs/api/krb5_change_password.html |    5 +-
 doc/html/appdev/refs/api/krb5_check_clockskew.html |    5 +-
 doc/html/appdev/refs/api/krb5_checksum_size.html   |    5 +-
 doc/html/appdev/refs/api/krb5_chpw_message.html    |    5 +-
 .../appdev/refs/api/krb5_cksumtype_to_string.html  |    5 +-
 .../appdev/refs/api/krb5_clear_error_message.html  |    5 +-
 doc/html/appdev/refs/api/krb5_copy_addresses.html  |    5 +-
 doc/html/appdev/refs/api/krb5_copy_authdata.html   |    5 +-
 .../appdev/refs/api/krb5_copy_authenticator.html   |    5 +-
 doc/html/appdev/refs/api/krb5_copy_checksum.html   |    5 +-
 doc/html/appdev/refs/api/krb5_copy_context.html    |    5 +-
 doc/html/appdev/refs/api/krb5_copy_creds.html      |    5 +-
 doc/html/appdev/refs/api/krb5_copy_data.html       |    5 +-
 .../appdev/refs/api/krb5_copy_error_message.html   |    5 +-
 doc/html/appdev/refs/api/krb5_copy_keyblock.html   |    5 +-
 .../refs/api/krb5_copy_keyblock_contents.html      |    5 +-
 doc/html/appdev/refs/api/krb5_copy_principal.html  |    5 +-
 doc/html/appdev/refs/api/krb5_copy_ticket.html     |    5 +-
 .../refs/api/krb5_decode_authdata_container.html   |    5 +-
 doc/html/appdev/refs/api/krb5_decode_ticket.html   |    5 +-
 doc/html/appdev/refs/api/krb5_decrypt.html         |    5 +-
 .../appdev/refs/api/krb5_deltat_to_string.html     |    5 +-
 doc/html/appdev/refs/api/krb5_eblock_enctype.html  |    5 +-
 .../refs/api/krb5_encode_authdata_container.html   |    5 +-
 doc/html/appdev/refs/api/krb5_encrypt.html         |    5 +-
 doc/html/appdev/refs/api/krb5_encrypt_size.html    |    5 +-
 doc/html/appdev/refs/api/krb5_enctype_to_name.html |    5 +-
 .../appdev/refs/api/krb5_enctype_to_string.html    |    5 +-
 doc/html/appdev/refs/api/krb5_expand_hostname.html |    5 +-
 doc/html/appdev/refs/api/krb5_find_authdata.html   |    5 +-
 doc/html/appdev/refs/api/krb5_finish_key.html      |    5 +-
 .../appdev/refs/api/krb5_finish_random_key.html    |    5 +-
 doc/html/appdev/refs/api/krb5_free_addresses.html  |    5 +-
 .../appdev/refs/api/krb5_free_ap_rep_enc_part.html |    5 +-
 doc/html/appdev/refs/api/krb5_free_authdata.html   |    5 +-
 .../appdev/refs/api/krb5_free_authenticator.html   |    5 +-
 doc/html/appdev/refs/api/krb5_free_checksum.html   |    5 +-
 .../refs/api/krb5_free_checksum_contents.html      |    5 +-
 doc/html/appdev/refs/api/krb5_free_cksumtypes.html |    5 +-
 doc/html/appdev/refs/api/krb5_free_context.html    |    5 +-
 .../appdev/refs/api/krb5_free_cred_contents.html   |    5 +-
 doc/html/appdev/refs/api/krb5_free_creds.html      |    5 +-
 doc/html/appdev/refs/api/krb5_free_data.html       |    5 +-
 .../appdev/refs/api/krb5_free_data_contents.html   |    5 +-
 .../appdev/refs/api/krb5_free_default_realm.html   |    5 +-
 doc/html/appdev/refs/api/krb5_free_enctypes.html   |    5 +-
 doc/html/appdev/refs/api/krb5_free_error.html      |    5 +-
 .../appdev/refs/api/krb5_free_error_message.html   |    5 +-
 doc/html/appdev/refs/api/krb5_free_host_realm.html |    5 +-
 doc/html/appdev/refs/api/krb5_free_keyblock.html   |    5 +-
 .../refs/api/krb5_free_keyblock_contents.html      |    5 +-
 .../refs/api/krb5_free_keytab_entry_contents.html  |    5 +-
 doc/html/appdev/refs/api/krb5_free_principal.html  |    5 +-
 doc/html/appdev/refs/api/krb5_free_string.html     |    5 +-
 doc/html/appdev/refs/api/krb5_free_tgt_creds.html  |    5 +-
 doc/html/appdev/refs/api/krb5_free_ticket.html     |    5 +-
 .../appdev/refs/api/krb5_free_unparsed_name.html   |    5 +-
 doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html   |    7 +-
 doc/html/appdev/refs/api/krb5_get_credentials.html |    5 +-
 .../refs/api/krb5_get_credentials_renew.html       |    5 +-
 .../refs/api/krb5_get_credentials_validate.html    |    5 +-
 .../appdev/refs/api/krb5_get_default_realm.html    |    5 +-
 .../appdev/refs/api/krb5_get_error_message.html    |    5 +-
 .../refs/api/krb5_get_fallback_host_realm.html     |    5 +-
 doc/html/appdev/refs/api/krb5_get_host_realm.html  |    5 +-
 .../refs/api/krb5_get_in_tkt_with_keytab.html      |    5 +-
 .../refs/api/krb5_get_in_tkt_with_password.html    |    5 +-
 .../appdev/refs/api/krb5_get_in_tkt_with_skey.html |    5 +-
 .../refs/api/krb5_get_init_creds_keytab.html       |    5 +-
 .../refs/api/krb5_get_init_creds_opt_alloc.html    |    5 +-
 .../refs/api/krb5_get_init_creds_opt_free.html     |    5 +-
 .../krb5_get_init_creds_opt_get_fast_flags.html    |    5 +-
 .../refs/api/krb5_get_init_creds_opt_init.html     |    5 +-
 .../krb5_get_init_creds_opt_set_address_list.html  |    5 +-
 .../api/krb5_get_init_creds_opt_set_anonymous.html |    5 +-
 .../krb5_get_init_creds_opt_set_canonicalize.html  |    5 +-
 ..._init_creds_opt_set_change_password_prompt.html |    5 +-
 .../krb5_get_init_creds_opt_set_etype_list.html    |    5 +-
 ...rb5_get_init_creds_opt_set_expire_callback.html |    5 +-
 .../krb5_get_init_creds_opt_set_fast_ccache.html   |    5 +-
 ...b5_get_init_creds_opt_set_fast_ccache_name.html |    5 +-
 .../krb5_get_init_creds_opt_set_fast_flags.html    |    5 +-
 .../krb5_get_init_creds_opt_set_forwardable.html   |    5 +-
 .../api/krb5_get_init_creds_opt_set_in_ccache.html |    5 +-
 .../krb5_get_init_creds_opt_set_out_ccache.html    |    5 +-
 .../refs/api/krb5_get_init_creds_opt_set_pa.html   |    5 +-
 .../krb5_get_init_creds_opt_set_pac_request.html   |    5 +-
 .../krb5_get_init_creds_opt_set_preauth_list.html  |    5 +-
 .../api/krb5_get_init_creds_opt_set_proxiable.html |    5 +-
 .../krb5_get_init_creds_opt_set_renew_life.html    |    5 +-
 .../api/krb5_get_init_creds_opt_set_responder.html |    5 +-
 .../refs/api/krb5_get_init_creds_opt_set_salt.html |    5 +-
 .../api/krb5_get_init_creds_opt_set_tkt_life.html  |    5 +-
 .../refs/api/krb5_get_init_creds_password.html     |    5 +-
 .../refs/api/krb5_get_permitted_enctypes.html      |    5 +-
 doc/html/appdev/refs/api/krb5_get_profile.html     |    5 +-
 .../appdev/refs/api/krb5_get_prompt_types.html     |    5 +-
 .../appdev/refs/api/krb5_get_renewed_creds.html    |    5 +-
 .../appdev/refs/api/krb5_get_server_rcache.html    |    5 +-
 .../appdev/refs/api/krb5_get_time_offsets.html     |    5 +-
 .../appdev/refs/api/krb5_get_validated_creds.html  |    5 +-
 doc/html/appdev/refs/api/krb5_init_context.html    |    5 +-
 .../appdev/refs/api/krb5_init_context_profile.html |    5 +-
 doc/html/appdev/refs/api/krb5_init_creds_free.html |    7 +-
 doc/html/appdev/refs/api/krb5_init_creds_get.html  |    7 +-
 .../appdev/refs/api/krb5_init_creds_get_creds.html |    5 +-
 .../appdev/refs/api/krb5_init_creds_get_error.html |    5 +-
 .../appdev/refs/api/krb5_init_creds_get_times.html |    5 +-
 doc/html/appdev/refs/api/krb5_init_creds_init.html |    6 +-
 .../refs/api/krb5_init_creds_set_keytab.html       |    5 +-
 .../refs/api/krb5_init_creds_set_password.html     |    5 +-
 .../refs/api/krb5_init_creds_set_service.html      |    7 +-
 doc/html/appdev/refs/api/krb5_init_creds_step.html |    7 +-
 doc/html/appdev/refs/api/krb5_init_keyblock.html   |    5 +-
 doc/html/appdev/refs/api/krb5_init_random_key.html |    5 +-
 .../appdev/refs/api/krb5_init_secure_context.html  |    5 +-
 .../appdev/refs/api/krb5_is_config_principal.html  |    5 +-
 .../appdev/refs/api/krb5_is_referral_realm.html    |    5 +-
 doc/html/appdev/refs/api/krb5_is_thread_safe.html  |    5 +-
 doc/html/appdev/refs/api/krb5_k_create_key.html    |    5 +-
 doc/html/appdev/refs/api/krb5_k_decrypt.html       |    5 +-
 doc/html/appdev/refs/api/krb5_k_decrypt_iov.html   |    5 +-
 doc/html/appdev/refs/api/krb5_k_encrypt.html       |    5 +-
 doc/html/appdev/refs/api/krb5_k_encrypt_iov.html   |    5 +-
 doc/html/appdev/refs/api/krb5_k_free_key.html      |    5 +-
 doc/html/appdev/refs/api/krb5_k_key_enctype.html   |    5 +-
 doc/html/appdev/refs/api/krb5_k_key_keyblock.html  |    5 +-
 doc/html/appdev/refs/api/krb5_k_make_checksum.html |    5 +-
 .../appdev/refs/api/krb5_k_make_checksum_iov.html  |    5 +-
 doc/html/appdev/refs/api/krb5_k_prf.html           |    5 +-
 doc/html/appdev/refs/api/krb5_k_reference_key.html |    5 +-
 .../appdev/refs/api/krb5_k_verify_checksum.html    |    5 +-
 .../refs/api/krb5_k_verify_checksum_iov.html       |    5 +-
 doc/html/appdev/refs/api/krb5_kt_add_entry.html    |    5 +-
 .../appdev/refs/api/krb5_kt_client_default.html    |    5 +-
 doc/html/appdev/refs/api/krb5_kt_close.html        |    5 +-
 doc/html/appdev/refs/api/krb5_kt_default.html      |    5 +-
 doc/html/appdev/refs/api/krb5_kt_default_name.html |    5 +-
 doc/html/appdev/refs/api/krb5_kt_dup.html          |    5 +-
 doc/html/appdev/refs/api/krb5_kt_end_seq_get.html  |    5 +-
 doc/html/appdev/refs/api/krb5_kt_free_entry.html   |    5 +-
 doc/html/appdev/refs/api/krb5_kt_get_entry.html    |    5 +-
 doc/html/appdev/refs/api/krb5_kt_get_name.html     |    5 +-
 doc/html/appdev/refs/api/krb5_kt_get_type.html     |    5 +-
 doc/html/appdev/refs/api/krb5_kt_have_content.html |    5 +-
 doc/html/appdev/refs/api/krb5_kt_next_entry.html   |    5 +-
 .../appdev/refs/api/krb5_kt_read_service_key.html  |    5 +-
 doc/html/appdev/refs/api/krb5_kt_remove_entry.html |    5 +-
 doc/html/appdev/refs/api/krb5_kt_resolve.html      |    5 +-
 .../appdev/refs/api/krb5_kt_start_seq_get.html     |    5 +-
 doc/html/appdev/refs/api/krb5_kuserok.html         |    5 +-
 .../refs/api/krb5_make_authdata_kdc_issued.html    |    5 +-
 doc/html/appdev/refs/api/krb5_merge_authdata.html  |    5 +-
 doc/html/appdev/refs/api/krb5_mk_1cred.html        |    5 +-
 doc/html/appdev/refs/api/krb5_mk_error.html        |    5 +-
 doc/html/appdev/refs/api/krb5_mk_ncred.html        |    5 +-
 doc/html/appdev/refs/api/krb5_mk_priv.html         |    5 +-
 doc/html/appdev/refs/api/krb5_mk_rep.html          |    5 +-
 doc/html/appdev/refs/api/krb5_mk_rep_dce.html      |    5 +-
 doc/html/appdev/refs/api/krb5_mk_req.html          |    7 +-
 doc/html/appdev/refs/api/krb5_mk_req_extended.html |    5 +-
 doc/html/appdev/refs/api/krb5_mk_safe.html         |    5 +-
 doc/html/appdev/refs/api/krb5_os_localaddr.html    |    5 +-
 doc/html/appdev/refs/api/krb5_pac_add_buffer.html  |    5 +-
 doc/html/appdev/refs/api/krb5_pac_free.html        |    5 +-
 doc/html/appdev/refs/api/krb5_pac_get_buffer.html  |    5 +-
 doc/html/appdev/refs/api/krb5_pac_get_types.html   |    5 +-
 doc/html/appdev/refs/api/krb5_pac_init.html        |    5 +-
 doc/html/appdev/refs/api/krb5_pac_parse.html       |    5 +-
 doc/html/appdev/refs/api/krb5_pac_sign.html        |    5 +-
 doc/html/appdev/refs/api/krb5_pac_verify.html      |    7 +-
 doc/html/appdev/refs/api/krb5_parse_name.html      |    5 +-
 .../appdev/refs/api/krb5_parse_name_flags.html     |    5 +-
 .../refs/api/krb5_prepend_error_message.html       |    5 +-
 doc/html/appdev/refs/api/krb5_principal2salt.html  |    5 +-
 .../appdev/refs/api/krb5_principal_compare.html    |    5 +-
 .../refs/api/krb5_principal_compare_any_realm.html |    5 +-
 .../refs/api/krb5_principal_compare_flags.html     |    5 +-
 doc/html/appdev/refs/api/krb5_process_key.html     |    5 +-
 doc/html/appdev/refs/api/krb5_prompter_posix.html  |    5 +-
 doc/html/appdev/refs/api/krb5_random_key.html      |    5 +-
 doc/html/appdev/refs/api/krb5_rd_cred.html         |    5 +-
 doc/html/appdev/refs/api/krb5_rd_error.html        |    5 +-
 doc/html/appdev/refs/api/krb5_rd_priv.html         |    5 +-
 doc/html/appdev/refs/api/krb5_rd_rep.html          |    5 +-
 doc/html/appdev/refs/api/krb5_rd_rep_dce.html      |    5 +-
 doc/html/appdev/refs/api/krb5_rd_req.html          |    5 +-
 doc/html/appdev/refs/api/krb5_rd_safe.html         |    5 +-
 doc/html/appdev/refs/api/krb5_read_password.html   |    5 +-
 doc/html/appdev/refs/api/krb5_realm_compare.html   |    5 +-
 doc/html/appdev/refs/api/krb5_recvauth.html        |    5 +-
 .../appdev/refs/api/krb5_recvauth_version.html     |    5 +-
 .../refs/api/krb5_responder_get_challenge.html     |    5 +-
 .../refs/api/krb5_responder_list_questions.html    |    5 +-
 .../api/krb5_responder_otp_challenge_free.html     |    5 +-
 .../refs/api/krb5_responder_otp_get_challenge.html |    5 +-
 .../refs/api/krb5_responder_otp_set_answer.html    |    5 +-
 .../api/krb5_responder_pkinit_challenge_free.html  |    5 +-
 .../api/krb5_responder_pkinit_get_challenge.html   |    5 +-
 .../refs/api/krb5_responder_pkinit_set_answer.html |    5 +-
 .../appdev/refs/api/krb5_responder_set_answer.html |    5 +-
 .../appdev/refs/api/krb5_salttype_to_string.html   |    5 +-
 doc/html/appdev/refs/api/krb5_sendauth.html        |    5 +-
 .../api/krb5_server_decrypt_ticket_keytab.html     |    5 +-
 .../appdev/refs/api/krb5_set_default_realm.html    |    5 +-
 .../refs/api/krb5_set_default_tgs_enctypes.html    |    5 +-
 .../appdev/refs/api/krb5_set_error_message.html    |    5 +-
 .../appdev/refs/api/krb5_set_kdc_recv_hook.html    |    5 +-
 .../appdev/refs/api/krb5_set_kdc_send_hook.html    |    5 +-
 doc/html/appdev/refs/api/krb5_set_password.html    |    5 +-
 .../refs/api/krb5_set_password_using_ccache.html   |    5 +-
 .../appdev/refs/api/krb5_set_principal_realm.html  |    5 +-
 doc/html/appdev/refs/api/krb5_set_real_time.html   |    5 +-
 .../appdev/refs/api/krb5_set_trace_callback.html   |    5 +-
 .../appdev/refs/api/krb5_set_trace_filename.html   |    5 +-
 doc/html/appdev/refs/api/krb5_sname_match.html     |    5 +-
 .../appdev/refs/api/krb5_sname_to_principal.html   |    5 +-
 .../appdev/refs/api/krb5_string_to_cksumtype.html  |    5 +-
 .../appdev/refs/api/krb5_string_to_deltat.html     |    5 +-
 .../appdev/refs/api/krb5_string_to_enctype.html    |    5 +-
 doc/html/appdev/refs/api/krb5_string_to_key.html   |    5 +-
 .../appdev/refs/api/krb5_string_to_salttype.html   |    5 +-
 .../appdev/refs/api/krb5_string_to_timestamp.html  |    5 +-
 doc/html/appdev/refs/api/krb5_timeofday.html       |    5 +-
 .../refs/api/krb5_timestamp_to_sfstring.html       |    5 +-
 .../appdev/refs/api/krb5_timestamp_to_string.html  |    5 +-
 doc/html/appdev/refs/api/krb5_tkt_creds_free.html  |    5 +-
 doc/html/appdev/refs/api/krb5_tkt_creds_get.html   |    5 +-
 .../appdev/refs/api/krb5_tkt_creds_get_creds.html  |    5 +-
 .../appdev/refs/api/krb5_tkt_creds_get_times.html  |    5 +-
 doc/html/appdev/refs/api/krb5_tkt_creds_init.html  |    5 +-
 doc/html/appdev/refs/api/krb5_tkt_creds_step.html  |    5 +-
 doc/html/appdev/refs/api/krb5_unparse_name.html    |    5 +-
 .../appdev/refs/api/krb5_unparse_name_ext.html     |    5 +-
 .../appdev/refs/api/krb5_unparse_name_flags.html   |    5 +-
 .../refs/api/krb5_unparse_name_flags_ext.html      |    5 +-
 doc/html/appdev/refs/api/krb5_us_timeofday.html    |    5 +-
 doc/html/appdev/refs/api/krb5_use_enctype.html     |    5 +-
 .../refs/api/krb5_verify_authdata_kdc_issued.html  |    5 +-
 doc/html/appdev/refs/api/krb5_verify_checksum.html |    5 +-
 .../appdev/refs/api/krb5_verify_init_creds.html    |    5 +-
 .../refs/api/krb5_verify_init_creds_opt_init.html  |    5 +-
 ...b5_verify_init_creds_opt_set_ap_req_nofail.html |    5 +-
 .../refs/api/krb5_vprepend_error_message.html      |    5 +-
 .../appdev/refs/api/krb5_vset_error_message.html   |    5 +-
 .../appdev/refs/api/krb5_vwrap_error_message.html  |    5 +-
 .../appdev/refs/api/krb5_wrap_error_message.html   |    5 +-
 doc/html/appdev/refs/index.html                    |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html    |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_DDP.html      |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_INET.html     |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_INET6.html    |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html   |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_ISO.html      |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html  |    5 +-
 doc/html/appdev/refs/macros/ADDRTYPE_XNS.html      |    5 +-
 doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html  |    5 +-
 .../refs/macros/AD_TYPE_FIELD_TYPE_MASK.html       |    5 +-
 .../appdev/refs/macros/AD_TYPE_REGISTERED.html     |    5 +-
 doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html  |    5 +-
 .../refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html     |    5 +-
 .../refs/macros/AP_OPTS_MUTUAL_REQUIRED.html       |    5 +-
 doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html  |    5 +-
 .../refs/macros/AP_OPTS_USE_SESSION_KEY.html       |    5 +-
 .../appdev/refs/macros/AP_OPTS_USE_SUBKEY.html     |    5 +-
 doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html |    5 +-
 .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html    |    5 +-
 .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html    |    5 +-
 doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html   |    5 +-
 doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html  |    5 +-
 .../refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html    |    5 +-
 .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html |    5 +-
 .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html |    5 +-
 .../refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html      |    5 +-
 .../macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html   |    5 +-
 .../macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html   |    5 +-
 .../refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html    |    5 +-
 .../appdev/refs/macros/CKSUMTYPE_NIST_SHA.html     |    5 +-
 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html |    5 +-
 .../appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html  |    5 +-
 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html |    5 +-
 .../appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html  |    5 +-
 .../macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html    |    5 +-
 .../macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html |    5 +-
 .../macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html    |    5 +-
 .../macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html |    5 +-
 .../appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html   |    5 +-
 .../refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html      |    5 +-
 .../refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html  |    5 +-
 .../refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html  |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html   |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html   |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html   |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html  |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html    |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html    |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html    |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html    |    5 +-
 .../appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html  |    5 +-
 .../appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html   |    5 +-
 .../appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html    |    5 +-
 doc/html/appdev/refs/macros/ENCTYPE_NULL.html      |    5 +-
 .../appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html    |    5 +-
 doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html   |    5 +-
 .../refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html       |    5 +-
 .../appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html   |    5 +-
 doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html   |    5 +-
 .../appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html |    5 +-
 .../appdev/refs/macros/KDC_OPT_CANONICALIZE.html   |    5 +-
 .../refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html     |    5 +-
 .../macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html    |    5 +-
 .../refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html       |    5 +-
 .../appdev/refs/macros/KDC_OPT_FORWARDABLE.html    |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_PROXY.html     |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_RENEW.html     |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html |    5 +-
 .../appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html   |    5 +-
 .../refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html     |    5 +-
 doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html  |    5 +-
 .../appdev/refs/macros/KDC_TKT_COMMON_MASK.html    |    5 +-
 .../KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html       |    5 +-
 .../refs/macros/KRB5_ANONYMOUS_PRINCSTR.html       |    5 +-
 .../refs/macros/KRB5_ANONYMOUS_REALMSTR.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_AP_REP.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_AP_REQ.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_AS_REP.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_AS_REQ.html       |    5 +-
 .../appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html   |    5 +-
 .../refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html  |    5 +-
 .../appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html   |    5 +-
 .../macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html    |    5 +-
 .../appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html |    5 +-
 .../refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html     |    5 +-
 .../macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html |    5 +-
 .../refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html      |    5 +-
 .../macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html    |    5 +-
 .../appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html  |    5 +-
 .../appdev/refs/macros/KRB5_AUTHDATA_SESAME.html   |    5 +-
 .../refs/macros/KRB5_AUTHDATA_SIGNTICKET.html      |    5 +-
 .../refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html       |    5 +-
 .../refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html |    5 +-
 .../refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html     |    5 +-
 .../KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html     |    5 +-
 ...KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html |    5 +-
 .../KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html    |    5 +-
 ...RB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html |    5 +-
 .../refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html  |    5 +-
 .../macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html     |    5 +-
 .../refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html    |    5 +-
 .../refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html  |    5 +-
 doc/html/appdev/refs/macros/KRB5_CRED.html         |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html     |    5 +-
 .../appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html  |    5 +-
 .../appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_HEADER.html       |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_PADDING.html      |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html    |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_STREAM.html       |    5 +-
 .../refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html      |    5 +-
 .../refs/macros/KRB5_CYBERSAFE_SECUREID.html       |    5 +-
 .../refs/macros/KRB5_DOMAIN_X500_COMPRESS.html     |    5 +-
 .../refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html |    5 +-
 doc/html/appdev/refs/macros/KRB5_ERROR.html        |    5 +-
 .../appdev/refs/macros/KRB5_FAST_REQUIRED.html     |    5 +-
 doc/html/appdev/refs/macros/KRB5_GC_CACHED.html    |    5 +-
 .../appdev/refs/macros/KRB5_GC_CANONICALIZE.html   |    5 +-
 .../macros/KRB5_GC_CONSTRAINED_DELEGATION.html     |    5 +-
 .../appdev/refs/macros/KRB5_GC_FORWARDABLE.html    |    5 +-
 doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html  |    5 +-
 .../refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html      |    5 +-
 doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html |    5 +-
 .../KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html      |    5 +-
 .../macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html  |    5 +-
 .../KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html      |    5 +-
 .../KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html     |    5 +-
 .../macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html |    5 +-
 .../KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html       |    5 +-
 .../KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html      |    5 +-
 .../macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html  |    5 +-
 .../macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html |    5 +-
 .../refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html  |    5 +-
 .../macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html   |    5 +-
 .../appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html  |    5 +-
 .../refs/macros/KRB5_INIT_CONTEXT_SECURE.html      |    5 +-
 .../macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html |    5 +-
 doc/html/appdev/refs/macros/KRB5_INT16_MAX.html    |    5 +-
 doc/html/appdev/refs/macros/KRB5_INT16_MIN.html    |    5 +-
 doc/html/appdev/refs/macros/KRB5_INT32_MAX.html    |    5 +-
 doc/html/appdev/refs/macros/KRB5_INT32_MIN.html    |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html   |    5 +-
 .../macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html   |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html   |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html   |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html  |    5 +-
 .../macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html     |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html  |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html     |    5 +-
 .../macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html    |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html  |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html   |    5 +-
 .../macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html     |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html   |    5 +-
 .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html |    5 +-
 .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html    |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html   |    5 +-
 .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html     |    5 +-
 .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html   |    5 +-
 .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html    |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html  |    5 +-
 .../macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html     |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html |    5 +-
 .../macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html     |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html  |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html    |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html  |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html    |    5 +-
 .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html      |    5 +-
 .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html    |    5 +-
 .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html      |    5 +-
 .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html    |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html |    5 +-
 .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html     |    5 +-
 .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html      |    5 +-
 .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html   |    5 +-
 .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html    |    5 +-
 .../refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html    |    5 +-
 .../macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html   |    5 +-
 .../refs/macros/KRB5_KPASSWD_ACCESSDENIED.html     |    5 +-
 .../appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html |    5 +-
 .../refs/macros/KRB5_KPASSWD_BAD_VERSION.html      |    5 +-
 .../appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html |    5 +-
 .../macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html   |    5 +-
 .../appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html |    5 +-
 .../appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html |    5 +-
 .../appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html   |    5 +-
 .../refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html     |    5 +-
 .../refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html     |    5 +-
 .../refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html     |    5 +-
 .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html  |    5 +-
 .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html  |    5 +-
 .../refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html  |    5 +-
 .../refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html     |    5 +-
 .../refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html     |    5 +-
 .../refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html     |    5 +-
 .../refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html     |    5 +-
 .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html  |    5 +-
 .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html  |    5 +-
 .../refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html  |    5 +-
 .../refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html       |    5 +-
 .../refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html  |    5 +-
 .../refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html  |    5 +-
 .../appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html   |    5 +-
 .../refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html   |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html   |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html  |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html  |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_UID.html       |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html   |    5 +-
 doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html |    5 +-
 .../appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html |    5 +-
 .../appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html   |    5 +-
 .../refs/macros/KRB5_PAC_CREDENTIALS_INFO.html     |    5 +-
 .../refs/macros/KRB5_PAC_DELEGATION_INFO.html      |    5 +-
 .../appdev/refs/macros/KRB5_PAC_LOGON_INFO.html    |    5 +-
 .../refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html     |    5 +-
 .../refs/macros/KRB5_PAC_SERVER_CHECKSUM.html      |    5 +-
 .../appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html  |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html  |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_AP_REQ.html     |    5 +-
 .../refs/macros/KRB5_PADATA_AS_CHECKSUM.html       |    5 +-
 .../macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html    |    5 +-
 .../macros/KRB5_PADATA_ENC_SANDIA_SECURID.html     |    5 +-
 .../refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html     |    5 +-
 .../refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html     |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html |    5 +-
 .../refs/macros/KRB5_PADATA_ETYPE_INFO2.html       |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_FOR_USER.html   |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html  |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_FX_ERROR.html   |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_FX_FAST.html    |    5 +-
 .../macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html    |    5 +-
 doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html  |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_OSF_DCE.html    |    5 +-
 .../refs/macros/KRB5_PADATA_OTP_CHALLENGE.html     |    5 +-
 .../refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html    |    5 +-
 .../refs/macros/KRB5_PADATA_OTP_REQUEST.html       |    5 +-
 .../refs/macros/KRB5_PADATA_PAC_REQUEST.html       |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html  |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html  |    5 +-
 .../refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html     |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html  |    5 +-
 .../refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html     |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_PW_SALT.html    |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_REFERRAL.html   |    5 +-
 .../refs/macros/KRB5_PADATA_S4U_X509_USER.html     |    5 +-
 .../refs/macros/KRB5_PADATA_SAM_CHALLENGE.html     |    5 +-
 .../refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html   |    5 +-
 .../refs/macros/KRB5_PADATA_SAM_REDIRECT.html      |    5 +-
 .../refs/macros/KRB5_PADATA_SAM_RESPONSE.html      |    5 +-
 .../refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html    |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_SESAME.html     |    5 +-
 .../refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html |    5 +-
 .../appdev/refs/macros/KRB5_PADATA_TGS_REQ.html    |    5 +-
 .../macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html     |    5 +-
 .../macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html    |    5 +-
 .../macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html  |    5 +-
 .../KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html       |    5 +-
 .../refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html   |    5 +-
 .../macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html    |    5 +-
 .../macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html  |    5 +-
 .../refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html |    5 +-
 .../macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html |    5 +-
 .../macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html     |    5 +-
 .../macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html    |    5 +-
 .../refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html  |    5 +-
 doc/html/appdev/refs/macros/KRB5_PRIV.html         |    5 +-
 .../refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html |    5 +-
 .../KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html       |    5 +-
 .../refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html     |    5 +-
 .../refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html      |    5 +-
 doc/html/appdev/refs/macros/KRB5_PVNO.html         |    5 +-
 .../appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html |    5 +-
 .../refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html     |    5 +-
 .../refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html    |    5 +-
 .../appdev/refs/macros/KRB5_REFERRAL_REALM.html    |    5 +-
 .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html      |    5 +-
 .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html    |    5 +-
 .../macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html   |    5 +-
 .../KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html     |    5 +-
 .../KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html    |    5 +-
 .../macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html  |    5 +-
 .../KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html     |    5 +-
 ...NDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html |    5 +-
 ...NDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html |    5 +-
 ...SPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html |    5 +-
 .../refs/macros/KRB5_RESPONDER_QUESTION_OTP.html   |    5 +-
 .../macros/KRB5_RESPONDER_QUESTION_PASSWORD.html   |    5 +-
 .../macros/KRB5_RESPONDER_QUESTION_PKINIT.html     |    5 +-
 doc/html/appdev/refs/macros/KRB5_SAFE.html         |    5 +-
 .../refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html  |    5 +-
 .../refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html   |    5 +-
 .../refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html       |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html  |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html    |    5 +-
 .../refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html     |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html  |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html    |    5 +-
 .../refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html    |    5 +-
 .../appdev/refs/macros/KRB5_TC_MATCH_TIMES.html    |    5 +-
 .../refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html     |    5 +-
 doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html  |    5 +-
 doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html |    5 +-
 .../refs/macros/KRB5_TC_SUPPORTED_KTYPES.html      |    5 +-
 doc/html/appdev/refs/macros/KRB5_TGS_NAME.html     |    5 +-
 .../appdev/refs/macros/KRB5_TGS_NAME_SIZE.html     |    5 +-
 doc/html/appdev/refs/macros/KRB5_TGS_REP.html      |    5 +-
 doc/html/appdev/refs/macros/KRB5_TGS_REQ.html      |    5 +-
 .../macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html  |    5 +-
 .../KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html  |    5 +-
 .../appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html |    5 +-
 .../refs/macros/LR_TYPE_INTERPRETATION_MASK.html   |    5 +-
 .../refs/macros/LR_TYPE_THIS_SERVER_ONLY.html      |    5 +-
 .../appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html    |    5 +-
 doc/html/appdev/refs/macros/MSEC_DIRBIT.html       |    5 +-
 doc/html/appdev/refs/macros/MSEC_VAL_MASK.html     |    5 +-
 .../appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html   |    5 +-
 .../appdev/refs/macros/SALT_TYPE_NO_LENGTH.html    |    5 +-
 doc/html/appdev/refs/macros/THREEPARAMOPEN.html    |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html |    5 +-
 .../appdev/refs/macros/TKT_FLG_ENC_PA_REP.html     |    5 +-
 .../appdev/refs/macros/TKT_FLG_FORWARDABLE.html    |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html   |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html   |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_INVALID.html   |    5 +-
 .../appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html   |    5 +-
 .../appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html  |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_PROXY.html     |    5 +-
 doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html |    5 +-
 .../macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html     |    5 +-
 doc/html/appdev/refs/macros/VALID_INT_BITS.html    |    5 +-
 doc/html/appdev/refs/macros/VALID_UINT_BITS.html   |    5 +-
 doc/html/appdev/refs/macros/index.html             |    5 +-
 .../refs/macros/krb524_convert_creds_kdc.html      |    5 +-
 doc/html/appdev/refs/macros/krb524_init_ets.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_const.html        |    5 +-
 .../appdev/refs/macros/krb5_princ_component.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_princ_name.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_princ_realm.html  |    5 +-
 .../appdev/refs/macros/krb5_princ_set_realm.html   |    5 +-
 .../refs/macros/krb5_princ_set_realm_data.html     |    5 +-
 .../refs/macros/krb5_princ_set_realm_length.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_princ_size.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_princ_type.html   |    5 +-
 doc/html/appdev/refs/macros/krb5_roundup.html      |    5 +-
 doc/html/appdev/refs/macros/krb5_x.html            |    5 +-
 doc/html/appdev/refs/macros/krb5_xc.html           |    5 +-
 doc/html/appdev/refs/types/index.html              |    5 +-
 doc/html/appdev/refs/types/krb5_address.html       |    5 +-
 doc/html/appdev/refs/types/krb5_addrtype.html      |    5 +-
 doc/html/appdev/refs/types/krb5_ap_rep.html        |    5 +-
 .../appdev/refs/types/krb5_ap_rep_enc_part.html    |    5 +-
 doc/html/appdev/refs/types/krb5_ap_req.html        |    5 +-
 doc/html/appdev/refs/types/krb5_auth_context.html  |    5 +-
 doc/html/appdev/refs/types/krb5_authdata.html      |    5 +-
 doc/html/appdev/refs/types/krb5_authdatatype.html  |    5 +-
 doc/html/appdev/refs/types/krb5_authenticator.html |    5 +-
 doc/html/appdev/refs/types/krb5_boolean.html       |    5 +-
 doc/html/appdev/refs/types/krb5_cc_cursor.html     |    5 +-
 doc/html/appdev/refs/types/krb5_ccache.html        |    5 +-
 doc/html/appdev/refs/types/krb5_cccol_cursor.html  |    5 +-
 doc/html/appdev/refs/types/krb5_checksum.html      |    5 +-
 doc/html/appdev/refs/types/krb5_cksumtype.html     |    5 +-
 doc/html/appdev/refs/types/krb5_const_pointer.html |    5 +-
 .../appdev/refs/types/krb5_const_principal.html    |    5 +-
 doc/html/appdev/refs/types/krb5_context.html       |    5 +-
 doc/html/appdev/refs/types/krb5_cred.html          |    5 +-
 doc/html/appdev/refs/types/krb5_cred_enc_part.html |    5 +-
 doc/html/appdev/refs/types/krb5_cred_info.html     |    5 +-
 doc/html/appdev/refs/types/krb5_creds.html         |    5 +-
 doc/html/appdev/refs/types/krb5_crypto_iov.html    |    5 +-
 doc/html/appdev/refs/types/krb5_cryptotype.html    |    5 +-
 doc/html/appdev/refs/types/krb5_data.html          |    5 +-
 doc/html/appdev/refs/types/krb5_deltat.html        |    5 +-
 doc/html/appdev/refs/types/krb5_enc_data.html      |    5 +-
 .../appdev/refs/types/krb5_enc_kdc_rep_part.html   |    5 +-
 doc/html/appdev/refs/types/krb5_enc_tkt_part.html  |    5 +-
 doc/html/appdev/refs/types/krb5_encrypt_block.html |    5 +-
 doc/html/appdev/refs/types/krb5_enctype.html       |    5 +-
 doc/html/appdev/refs/types/krb5_error.html         |    5 +-
 doc/html/appdev/refs/types/krb5_error_code.html    |    5 +-
 .../refs/types/krb5_expire_callback_func.html      |    5 +-
 doc/html/appdev/refs/types/krb5_flags.html         |    5 +-
 .../appdev/refs/types/krb5_get_init_creds_opt.html |    5 +-
 .../appdev/refs/types/krb5_gic_opt_pa_data.html    |    5 +-
 .../appdev/refs/types/krb5_init_creds_context.html |    5 +-
 doc/html/appdev/refs/types/krb5_int16.html         |    5 +-
 doc/html/appdev/refs/types/krb5_int32.html         |    5 +-
 doc/html/appdev/refs/types/krb5_kdc_rep.html       |    5 +-
 doc/html/appdev/refs/types/krb5_kdc_req.html       |    5 +-
 doc/html/appdev/refs/types/krb5_key.html           |    5 +-
 doc/html/appdev/refs/types/krb5_keyblock.html      |    5 +-
 doc/html/appdev/refs/types/krb5_keytab.html        |    5 +-
 doc/html/appdev/refs/types/krb5_keytab_entry.html  |    5 +-
 doc/html/appdev/refs/types/krb5_keyusage.html      |    5 +-
 doc/html/appdev/refs/types/krb5_kt_cursor.html     |    5 +-
 doc/html/appdev/refs/types/krb5_kvno.html          |    5 +-
 .../appdev/refs/types/krb5_last_req_entry.html     |    5 +-
 doc/html/appdev/refs/types/krb5_magic.html         |    5 +-
 .../refs/types/krb5_mk_req_checksum_func.html      |    5 +-
 doc/html/appdev/refs/types/krb5_msgtype.html       |    5 +-
 doc/html/appdev/refs/types/krb5_octet.html         |    5 +-
 doc/html/appdev/refs/types/krb5_pa_data.html       |    5 +-
 doc/html/appdev/refs/types/krb5_pa_pac_req.html    |    5 +-
 .../refs/types/krb5_pa_server_referral_data.html   |    5 +-
 .../refs/types/krb5_pa_svr_referral_data.html      |    5 +-
 doc/html/appdev/refs/types/krb5_pac.html           |    5 +-
 doc/html/appdev/refs/types/krb5_pointer.html       |    5 +-
 doc/html/appdev/refs/types/krb5_post_recv_fn.html  |    5 +-
 doc/html/appdev/refs/types/krb5_pre_send_fn.html   |    5 +-
 doc/html/appdev/refs/types/krb5_preauthtype.html   |    5 +-
 doc/html/appdev/refs/types/krb5_principal.html     |    5 +-
 .../appdev/refs/types/krb5_principal_data.html     |    5 +-
 doc/html/appdev/refs/types/krb5_prompt.html        |    5 +-
 doc/html/appdev/refs/types/krb5_prompt_type.html   |    5 +-
 doc/html/appdev/refs/types/krb5_prompter_fct.html  |    5 +-
 doc/html/appdev/refs/types/krb5_pwd_data.html      |    5 +-
 doc/html/appdev/refs/types/krb5_rcache.html        |    5 +-
 doc/html/appdev/refs/types/krb5_replay_data.html   |    5 +-
 .../appdev/refs/types/krb5_responder_context.html  |    5 +-
 doc/html/appdev/refs/types/krb5_responder_fn.html  |    5 +-
 .../refs/types/krb5_responder_otp_challenge.html   |    5 +-
 .../refs/types/krb5_responder_otp_tokeninfo.html   |    5 +-
 .../types/krb5_responder_pkinit_challenge.html     |    5 +-
 .../refs/types/krb5_responder_pkinit_identity.html |    5 +-
 doc/html/appdev/refs/types/krb5_response.html      |    5 +-
 doc/html/appdev/refs/types/krb5_ticket.html        |    5 +-
 doc/html/appdev/refs/types/krb5_ticket_times.html  |    5 +-
 doc/html/appdev/refs/types/krb5_timestamp.html     |    7 +-
 doc/html/appdev/refs/types/krb5_tkt_authent.html   |    5 +-
 .../appdev/refs/types/krb5_tkt_creds_context.html  |    5 +-
 .../appdev/refs/types/krb5_trace_callback.html     |    5 +-
 doc/html/appdev/refs/types/krb5_trace_info.html    |    5 +-
 doc/html/appdev/refs/types/krb5_transited.html     |    5 +-
 doc/html/appdev/refs/types/krb5_typed_data.html    |    5 +-
 doc/html/appdev/refs/types/krb5_ui_2.html          |    5 +-
 doc/html/appdev/refs/types/krb5_ui_4.html          |    5 +-
 .../refs/types/krb5_verify_init_creds_opt.html     |    5 +-
 .../appdev/refs/types/passwd_phrase_element.html   |    5 +-
 doc/html/appdev/y2038.html                         |  165 +
 doc/html/basic/ccache_def.html                     |    6 +-
 doc/html/basic/date_format.html                    |    4 +-
 doc/html/basic/index.html                          |    4 +-
 doc/html/basic/keytab_def.html                     |    4 +-
 doc/html/basic/rcache_def.html                     |    4 +-
 doc/html/basic/stash_file_def.html                 |    4 +-
 doc/html/build/directory_org.html                  |    4 +-
 doc/html/build/doing_build.html                    |    4 +-
 doc/html/build/index.html                          |   10 +-
 doc/html/build/options2configure.html              |    7 +-
 doc/html/build/osconf.html                         |    4 +-
 doc/html/build_this.html                           |    4 +-
 doc/html/copyright.html                            |    4 +-
 doc/html/formats/ccache_file_format.html           |    4 +-
 doc/html/formats/cookie.html                       |    4 +-
 doc/html/formats/index.html                        |    4 +-
 doc/html/formats/keytab_file_format.html           |    4 +-
 doc/html/genindex-A.html                           |    4 +-
 doc/html/genindex-C.html                           |    4 +-
 doc/html/genindex-E.html                           |    4 +-
 doc/html/genindex-K.html                           |    4 +-
 doc/html/genindex-L.html                           |    4 +-
 doc/html/genindex-M.html                           |    4 +-
 doc/html/genindex-P.html                           |    4 +-
 doc/html/genindex-R.html                           |    4 +-
 doc/html/genindex-S.html                           |    4 +-
 doc/html/genindex-T.html                           |    4 +-
 doc/html/genindex-V.html                           |    4 +-
 doc/html/genindex-all.html                         |    4 +-
 doc/html/genindex.html                             |    4 +-
 doc/html/index.html                                |   14 +-
 doc/html/mitK5defaults.html                        |    6 +-
 doc/html/mitK5features.html                        |   82 +-
 doc/html/mitK5license.html                         |    6 +-
 doc/html/objects.inv                               |  Bin 24130 -> 24220 bytes
 doc/html/plugindev/ccselect.html                   |    7 +-
 doc/html/plugindev/certauth.html                   |  170 +
 doc/html/plugindev/clpreauth.html                  |    7 +-
 doc/html/plugindev/general.html                    |    7 +-
 doc/html/plugindev/gssapi.html                     |    7 +-
 doc/html/plugindev/hostrealm.html                  |   13 +-
 doc/html/plugindev/index.html                      |   10 +-
 doc/html/plugindev/internal.html                   |   13 +-
 doc/html/plugindev/kadm5_auth.html                 |  177 +
 doc/html/plugindev/kadm5_hook.html                 |   13 +-
 doc/html/plugindev/kdcpolicy.html                  |  168 +
 doc/html/plugindev/kdcpreauth.html                 |    7 +-
 doc/html/plugindev/localauth.html                  |    7 +-
 doc/html/plugindev/locate.html                     |    7 +-
 doc/html/plugindev/profile.html                    |    7 +-
 doc/html/plugindev/pwqual.html                     |    7 +-
 doc/html/resources.html                            |    4 +-
 doc/html/search.html                               |    4 +-
 doc/html/searchindex.js                            |    2 +-
 doc/html/user/index.html                           |   10 +-
 doc/html/user/pwd_mgmt.html                        |    4 +-
 doc/html/user/tkt_mgmt.html                        |    4 +-
 doc/html/user/user_commands/index.html             |    4 +-
 doc/html/user/user_commands/kdestroy.html          |    4 +-
 doc/html/user/user_commands/kinit.html             |    4 +-
 doc/html/user/user_commands/klist.html             |    4 +-
 doc/html/user/user_commands/kpasswd.html           |    4 +-
 doc/html/user/user_commands/krb5-config.html       |    4 +-
 doc/html/user/user_commands/ksu.html               |    4 +-
 doc/html/user/user_commands/kswitch.html           |    4 +-
 doc/html/user/user_commands/kvno.html              |    4 +-
 doc/html/user/user_commands/sclient.html           |    4 +-
 doc/html/user/user_config/index.html               |    4 +-
 doc/html/user/user_config/k5identity.html          |    4 +-
 doc/html/user/user_config/k5login.html             |    4 +-
 doc/mitK5features.rst                              |   95 +-
 doc/notice.rst                                     |    2 +-
 doc/pdf/admin.pdf                                  |  Bin 742854 -> 748562 bytes
 doc/pdf/admin.tex                                  |  163 +-
 doc/pdf/appdev.pdf                                 |  Bin 1445440 -> 1452407 bytes
 doc/pdf/appdev.tex                                 |   98 +-
 doc/pdf/basic.pdf                                  |  Bin 138064 -> 138061 bytes
 doc/pdf/basic.tex                                  |    4 +-
 doc/pdf/build.pdf                                  |  Bin 153561 -> 153476 bytes
 doc/pdf/build.tex                                  |    6 +-
 doc/pdf/plugindev.pdf                              |  Bin 140040 -> 145446 bytes
 doc/pdf/plugindev.tex                              |   85 +-
 doc/pdf/user.pdf                                   |  Bin 200228 -> 200216 bytes
 doc/pdf/user.tex                                   |    2 +-
 doc/plugindev/certauth.rst                         |   27 +
 doc/plugindev/index.rst                            |    3 +
 doc/plugindev/kadm5_auth.rst                       |   35 +
 doc/plugindev/kdcpolicy.rst                        |   24 +
 src/Makefile.in                                    |    6 +-
 src/aclocal.m4                                     |   41 +-
 src/appl/gss-sample/t_gss_sample.py                |   18 +-
 src/appl/simple/client/sim_client.c                |    2 +-
 src/appl/simple/server/sim_server.c                |    3 +-
 src/appl/user_user/t_user2user.py                  |    6 +-
 src/ccapi/server/mac/ccs_os_pipe.c                 |    4 +-
 src/clients/kcpytkt/kcpytkt.c                      |   48 +-
 src/clients/kdeltkt/kdeltkt.c                      |   37 +-
 src/clients/kdestroy/kdestroy.c                    |   95 +-
 src/clients/kinit/kinit.c                          |  490 +-
 src/clients/kinit/kinit_kdb.c                      |   34 +-
 src/clients/klist/klist.c                          |  462 +-
 src/clients/kpasswd/Makefile.in                    |   10 +-
 src/clients/kpasswd/deps                           |    4 -
 src/clients/kpasswd/kpasswd.c                      |  110 +-
 src/clients/kpasswd/ksetpwd.c                      |  309 -
 src/clients/ksu/ccache.c                           |   22 +-
 src/clients/ksu/ksu.h                              |    2 +-
 src/clients/ksu/main.c                             |    2 +-
 src/clients/kvno/kvno.c                            |  299 +-
 src/config/ac-archive/README                       |   52 +-
 src/config/ac-archive/acx_pthread.m4               |  239 -
 src/config/ac-archive/ax_pthread.m4                |  485 +
 src/config/ac-archive/ax_recursive_eval.m4         |   56 +
 src/config/ac-archive/relpaths.m4                  |  155 -
 src/config/config.guess                            |  119 +-
 src/config/config.sub                              |   73 +-
 src/config/post.in                                 |    4 +-
 src/config/pre.in                                  |   13 +-
 src/configure                                      | 1198 ++-
 src/configure.in                                   |   97 +-
 src/include/Makefile.in                            |    3 +
 src/include/autoconf.h.in                          |   35 +-
 src/include/fake-addrinfo.h                        |    2 +-
 src/include/k5-cmocka.h                            |   16 +
 src/include/k5-input.h                             |    6 +-
 src/include/k5-int.h                               |   51 +-
 src/include/k5-platform.h                          |   32 +-
 src/include/k5-thread.h                            |   16 +
 src/include/k5-trace.h                             |   47 +-
 src/include/k5-utf8.h                              |   61 +-
 src/include/kdb.h                                  |    8 +-
 src/include/kdb_log.h                              |    5 +-
 src/include/krb5/certauth_plugin.h                 |  128 +
 src/include/krb5/kadm5_auth_plugin.h               |  306 +
 src/include/krb5/kdcpolicy_plugin.h                |  128 +
 src/include/krb5/kdcpreauth_plugin.h               |   21 +-
 src/include/krb5/krb5.hin                          |   54 +-
 src/include/net-server.h                           |    2 +-
 src/include/socket-utils.h                         |   11 +
 src/include/win-mac.h                              |    2 -
 src/kadmin/cli/deps                                |   13 +-
 src/kadmin/cli/getdate.y                           |    7 +-
 src/kadmin/cli/kadmin.c                            |    5 +-
 src/kadmin/dbutil/dump.c                           |   41 +-
 src/kadmin/dbutil/kdb5_mkey.c                      |    6 +-
 src/kadmin/dbutil/tabdump.c                        |    2 +-
 src/kadmin/ktutil/ktutil.c                         |   17 +-
 src/kadmin/ktutil/ktutil.h                         |    3 +-
 src/kadmin/ktutil/ktutil_funcs.c                   |   17 +-
 src/kadmin/server/Makefile.in                      |    6 +-
 src/kadmin/server/auth.c                           |  314 +
 src/kadmin/server/auth.h                           |   85 +
 src/kadmin/server/auth_acl.c                       |  755 ++
 src/kadmin/server/auth_self.c                      |   77 +
 src/kadmin/server/deps                             |  109 +-
 src/kadmin/server/ipropd_svc.c                     |   38 +-
 src/kadmin/server/misc.c                           |  127 +-
 src/kadmin/server/misc.h                           |   17 -
 src/kadmin/server/ovsec_kadmd.c                    |    8 +-
 src/kadmin/server/schpw.c                          |   49 +-
 src/kadmin/server/server_stubs.c                   |  340 +-
 src/kadmin/testing/util/tcl_kadm5.c                |   12 +-
 src/kdc/deps                                       |   40 +-
 src/kdc/dispatch.c                                 |   19 +-
 src/kdc/do_as_req.c                                |   90 +-
 src/kdc/do_tgs_req.c                               |   70 +-
 src/kdc/extern.c                                   |    4 +-
 src/kdc/fast_util.c                                |    4 +-
 src/kdc/kdc_log.c                                  |   29 +-
 src/kdc/kdc_preauth.c                              |   35 +-
 src/kdc/kdc_preauth_ec.c                           |   41 +-
 src/kdc/kdc_preauth_encts.c                        |    9 +-
 src/kdc/kdc_util.c                                 |   57 +-
 src/kdc/kdc_util.h                                 |   21 +-
 src/kdc/main.c                                     |    8 +
 src/kdc/policy.c                                   |  267 +-
 src/kdc/policy.h                                   |   19 +-
 src/kdc/replay.c                                   |    2 +-
 src/kdc/t_emptytgt.py                              |    5 +-
 src/kdc/t_replay.c                                 |   13 +-
 src/kdc/tgs_policy.c                               |   13 +-
 src/lib/apputils/net-server.c                      |  254 +-
 src/lib/apputils/udppktinfo.c                      |   14 +-
 src/lib/apputils/udppktinfo.h                      |    2 +-
 src/lib/crypto/builtin/des/des_int.h               |    2 +-
 src/lib/crypto/builtin/des/destest.c               |    3 +-
 src/lib/crypto/builtin/enc_provider/rc4.c          |    2 +-
 src/lib/crypto/builtin/sha2/sha256.c               |    4 +-
 src/lib/crypto/builtin/sha2/sha512.c               |    4 +-
 src/lib/crypto/krb/Makefile.in                     |    2 +-
 src/lib/crypto/krb/crypto_int.h                    |    1 +
 src/lib/crypto/krb/enctype_util.c                  |   16 +
 src/lib/crypto/krb/etypes.c                        |   33 +-
 src/lib/crypto/krb/s2k_des.c                       |    4 +-
 src/lib/crypto/krb/s2k_pbkdf2.c                    |    4 +-
 src/lib/crypto/krb/s2k_rc4.c                       |    8 +-
 src/lib/crypto/krb/string_to_key.c                 |    7 +-
 src/lib/crypto/krb/t_fortuna.c                     |    2 +-
 src/lib/crypto/libk5crypto.exports                 |    1 +
 src/lib/gssapi/generic/gssapi_ext.h                |   11 +
 src/lib/gssapi/generic/gssapi_generic.c            |    9 +
 src/lib/gssapi/krb5/accept_sec_context.c           |    8 +-
 src/lib/gssapi/krb5/acquire_cred.c                 |   13 +-
 src/lib/gssapi/krb5/context_time.c                 |    5 +-
 src/lib/gssapi/krb5/copy_ccache.c                  |   10 +-
 src/lib/gssapi/krb5/export_cred.c                  |    5 +-
 src/lib/gssapi/krb5/gssapiP_krb5.h                 |   12 +
 src/lib/gssapi/krb5/gssapi_krb5.c                  |   20 +-
 src/lib/gssapi/krb5/gssapi_krb5.h                  |   14 +
 src/lib/gssapi/krb5/iakerb.c                       |    4 +-
 src/lib/gssapi/krb5/init_sec_context.c             |   13 +-
 src/lib/gssapi/krb5/inq_context.c                  |   29 +-
 src/lib/gssapi/krb5/inq_cred.c                     |   46 +-
 src/lib/gssapi/krb5/k5sealv3.c                     |   10 +-
 src/lib/gssapi/krb5/k5unseal.c                     |    2 +-
 src/lib/gssapi/krb5/naming_exts.c                  |   40 +-
 src/lib/gssapi/krb5/s4u_gss_glue.c                 |    2 +-
 src/lib/gssapi/libgssapi_krb5.exports              |    2 +
 src/lib/gssapi/mechglue/g_accept_sec_context.c     |   22 +-
 src/lib/gssapi/mechglue/g_complete_auth_token.c    |    2 +
 src/lib/gssapi/mechglue/g_context_time.c           |    2 +
 src/lib/gssapi/mechglue/g_delete_sec_context.c     |   14 +-
 src/lib/gssapi/mechglue/g_dup_name.c               |    2 +-
 src/lib/gssapi/mechglue/g_exp_sec_context.c        |    2 +
 src/lib/gssapi/mechglue/g_glue.c                   |   20 +-
 src/lib/gssapi/mechglue/g_init_sec_context.c       |   19 +-
 src/lib/gssapi/mechglue/g_inq_context.c            |    2 +
 src/lib/gssapi/mechglue/g_inq_cred_oid.c           |    5 -
 src/lib/gssapi/mechglue/g_prf.c                    |    2 +
 src/lib/gssapi/mechglue/g_process_context.c        |    2 +
 src/lib/gssapi/mechglue/g_seal.c                   |    4 +
 src/lib/gssapi/mechglue/g_sign.c                   |    2 +
 src/lib/gssapi/mechglue/g_unseal.c                 |    2 +
 src/lib/gssapi/mechglue/g_unwrap_aead.c            |    2 +
 src/lib/gssapi/mechglue/g_unwrap_iov.c             |    4 +
 src/lib/gssapi/mechglue/g_verify.c                 |    2 +
 src/lib/gssapi/mechglue/g_wrap_aead.c              |    2 +
 src/lib/gssapi/mechglue/g_wrap_iov.c               |    8 +
 src/lib/gssapi32.def                               |    3 +
 src/lib/kadm5/chpass_util.c                        |    8 +-
 src/lib/kadm5/deps                                 |   14 +-
 src/lib/kadm5/kadm_err.et                          |    1 +
 src/lib/kadm5/srv/Makefile.in                      |   20 +-
 src/lib/kadm5/srv/deps                             |   21 -
 src/lib/kadm5/srv/libkadm5srv_mit.exports          |    5 -
 src/lib/kadm5/srv/server_acl.c                     |  823 --
 src/lib/kadm5/srv/server_acl.h                     |  100 -
 src/lib/kadm5/srv/server_kdb.c                     |    2 +-
 src/lib/kadm5/srv/server_misc.c                    |   14 +
 src/lib/kadm5/srv/svr_principal.c                  |   88 +-
 src/lib/kadm5/unit-test/setkey-test.c              |    3 +-
 src/lib/kdb/Makefile.in                            |    2 +-
 src/lib/kdb/deps                                   |    3 +-
 src/lib/kdb/kdb5.c                                 |   25 +-
 src/lib/kdb/kdb_convert.c                          |    4 +-
 src/lib/kdb/kdb_default.c                          |    2 +-
 src/lib/kdb/t_sort_key_data.c                      |    5 +-
 src/lib/krb5/asn.1/asn1_k_encode.c                 |    3 +-
 src/lib/krb5/ccache/Makefile.in                    |    3 +
 src/lib/krb5/ccache/cc-int.h                       |    4 +
 src/lib/krb5/ccache/cc_kcm.c                       |    4 +-
 src/lib/krb5/ccache/cc_keyring.c                   |   14 +-
 src/lib/krb5/ccache/cc_memory.c                    |    4 +-
 src/lib/krb5/ccache/cc_mslsa.c                     |    1 +
 src/lib/krb5/ccache/cc_retr.c                      |    5 +-
 src/lib/krb5/ccache/ccapi/stdcc_util.c             |   40 +-
 src/lib/krb5/ccache/cccursor.c                     |   49 +-
 src/lib/krb5/ccache/ccmarshal.c                    |    2 +-
 src/lib/krb5/ccache/ccselect.c                     |   52 +-
 src/lib/krb5/ccache/ccselect_hostname.c            |  146 +
 src/lib/krb5/ccache/deps                           |   11 +
 src/lib/krb5/keytab/kt_file.c                      |    8 +-
 src/lib/krb5/keytab/kt_memory.c                    |    2 +-
 src/lib/krb5/keytab/kt_srvtab.c                    |    2 +-
 src/lib/krb5/krb/Makefile.in                       |   14 +-
 src/lib/krb5/krb/deltat.c                          |   75 +-
 src/lib/krb5/krb/deps                              |   38 +-
 src/lib/krb5/krb/fwd_tgt.c                         |   28 +-
 src/lib/krb5/krb/gc_via_tkt.c                      |   11 +-
 src/lib/krb5/krb/gen_save_subkey.c                 |    3 +-
 src/lib/krb5/krb/get_creds.c                       |   15 +-
 src/lib/krb5/krb/get_in_tkt.c                      |  294 +-
 src/lib/krb5/krb/gic_opt.c                         |    2 +-
 src/lib/krb5/krb/gic_pwd.c                         |    4 +-
 src/lib/krb5/krb/init_creds_ctx.h                  |    9 +-
 src/lib/krb5/krb/init_ctx.c                        |    3 +-
 src/lib/krb5/krb/int-proto.h                       |   22 +-
 src/lib/krb5/krb/mk_req.c                          |    5 +-
 src/lib/krb5/krb/pac.c                             |    9 +-
 src/lib/krb5/krb/pac_sign.c                        |   21 +-
 src/lib/krb5/krb/plugin.c                          |    5 +-
 src/lib/krb5/krb/preauth2.c                        |  311 +-
 src/lib/krb5/krb/preauth_ec.c                      |    2 +
 src/lib/krb5/krb/send_tgs.c                        |   24 +-
 src/lib/krb5/krb/sendauth.c                        |   23 +-
 src/lib/krb5/krb/str_conv.c                        |    4 +-
 src/lib/krb5/krb/t_expire_warn.py                  |   13 +-
 src/lib/krb5/krb/t_kerb.c                          |   12 +-
 src/lib/krb5/krb/t_parse_host_string.c             |    5 +-
 src/lib/krb5/krb/t_valid_times.c                   |  109 +
 src/lib/krb5/krb/valid_times.c                     |    4 +-
 src/lib/krb5/krb/vfy_increds.c                     |    2 +-
 src/lib/krb5/krb/x-deltat.y                        |    1 -
 src/lib/krb5/os/Makefile.in                        |    2 +-
 src/lib/krb5/os/accessor.c                         |   13 +-
 src/lib/krb5/os/c_ustime.c                         |   15 +-
 src/lib/krb5/os/dnsglue.c                          |    2 +-
 src/lib/krb5/os/dnsglue.h                          |   19 +-
 src/lib/krb5/os/dnssrv.c                           |   18 +-
 src/lib/krb5/os/expand_path.c                      |    2 +-
 src/lib/krb5/os/genaddrs.c                         |    8 +-
 src/lib/krb5/os/hostaddr.c                         |    4 +-
 src/lib/krb5/os/localaddr.c                        |   24 +-
 src/lib/krb5/os/locate_kdc.c                       |   43 +-
 src/lib/krb5/os/sendto_kdc.c                       |    5 +-
 src/lib/krb5/os/t_locate_kdc.c                     |    2 +-
 src/lib/krb5/os/timeofday.c                        |    2 +-
 src/lib/krb5/os/toffset.c                          |    5 +-
 src/lib/krb5/os/trace.c                            |    7 +-
 src/lib/krb5/os/ustime.c                           |    9 +-
 src/lib/krb5/rcache/rc_dfl.c                       |   15 +-
 src/lib/krb5/rcache/ser_rc.c                       |    2 +-
 src/lib/krb5/rcache/t_replay.c                     |    8 +-
 src/lib/krb5/unicode/ure/ure.c                     |    2 +-
 src/lib/krb5_32.def                                |    3 +
 src/lib/rpc/deps                                   |    3 +-
 src/lib/rpc/pmap_rmt.c                             |    6 +-
 src/man/k5identity.man                             |    2 +-
 src/man/k5login.man                                |    2 +-
 src/man/k5srvutil.man                              |    2 +-
 src/man/kadm5.acl.man                              |   38 +-
 src/man/kadmin.man                                 |    9 +-
 src/man/kadmind.man                                |    2 +-
 src/man/kdb5_ldap_util.man                         |    2 +-
 src/man/kdb5_util.man                              |    2 +-
 src/man/kdc.conf.man                               |   19 +-
 src/man/kdestroy.man                               |    2 +-
 src/man/kinit.man                                  |    2 +-
 src/man/klist.man                                  |    2 +-
 src/man/kpasswd.man                                |    2 +-
 src/man/kprop.man                                  |    2 +-
 src/man/kpropd.man                                 |    7 +-
 src/man/kproplog.man                               |    2 +-
 src/man/krb5-config.man                            |    2 +-
 src/man/krb5.conf.man                              |   63 +-
 src/man/krb5kdc.man                                |    2 +-
 src/man/ksu.man                                    |    2 +-
 src/man/kswitch.man                                |    2 +-
 src/man/ktutil.man                                 |    4 +-
 src/man/kvno.man                                   |    2 +-
 src/man/sclient.man                                |    2 +-
 src/man/sserver.man                                |    2 +-
 src/patchlevel.h                                   |    8 +-
 src/plugins/audit/kdc_j_encode.c                   |   29 +-
 src/plugins/certauth/test/Makefile.in              |   20 +
 src/plugins/certauth/test/certauth_test.exports    |    2 +
 src/plugins/certauth/test/deps                     |   14 +
 src/plugins/certauth/test/main.c                   |  211 +
 src/plugins/kadm5_auth/test/Makefile.in            |   20 +
 src/plugins/kadm5_auth/test/deps                   |   22 +
 .../kadm5_auth/test/kadm5_auth_test.exports        |    2 +
 src/plugins/kadm5_auth/test/main.c                 |  305 +
 src/plugins/kdb/db2/db2_exp.c                      |    5 +-
 src/plugins/kdb/db2/kdb_db2.c                      |   13 +-
 src/plugins/kdb/db2/kdb_db2.h                      |    5 +-
 src/plugins/kdb/db2/libdb2/hash/hash.c             |   19 +-
 src/plugins/kdb/db2/lockout.c                      |    8 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c        |    6 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |   16 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c   |    1 -
 .../kdb/ldap/libkdb_ldap/kerberos.openldap.ldif    |   68 +
 src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c     |   68 -
 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c       |   98 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/lockout.c         |    8 +-
 src/plugins/kdcpolicy/test/Makefile.in             |   20 +
 src/plugins/kdcpolicy/test/deps                    |   14 +
 src/plugins/kdcpolicy/test/kdcpolicy_test.exports  |    1 +
 src/plugins/kdcpolicy/test/main.c                  |  111 +
 src/plugins/preauth/otp/main.c                     |    3 +-
 src/plugins/preauth/pkinit/Makefile.in             |    8 +-
 src/plugins/preauth/pkinit/deps                    |   11 +-
 src/plugins/preauth/pkinit/pkinit.h                |   10 +-
 src/plugins/preauth/pkinit/pkinit_clnt.c           |    7 +
 src/plugins/preauth/pkinit/pkinit_crypto.h         |   88 +-
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c     | 5800 ------------
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |  838 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.h |   19 -
 src/plugins/preauth/pkinit/pkinit_identity.c       |   32 -
 src/plugins/preauth/pkinit/pkinit_matching.c       |  177 +-
 src/plugins/preauth/pkinit/pkinit_srv.c            |  448 +-
 src/plugins/preauth/pkinit/pkinit_trace.h          |   78 +-
 src/plugins/preauth/test/Makefile.in               |    4 +-
 src/plugins/preauth/test/cltest.c                  |   86 +-
 src/plugins/preauth/test/common.c                  |   61 +
 src/plugins/preauth/test/common.h                  |   41 +
 src/plugins/preauth/test/deps                      |   14 +-
 src/plugins/preauth/test/kdctest.c                 |   96 +-
 src/po/Makefile.in                                 |    2 +-
 src/po/de.po                                       | 9301 ++++++++++++++++++++
 src/po/mit-krb5.pot                                | 1592 ++--
 src/slave/kprop.c                                  |   68 +-
 src/slave/kprop_util.c                             |    4 +-
 src/slave/kpropd.c                                 |  203 +-
 src/tests/Makefile.in                              |   27 +-
 src/tests/create/kdb5_mkdums.c                     |    2 +-
 src/tests/dejagnu/pkinit-certs/ca.pem              |   54 +-
 src/tests/dejagnu/pkinit-certs/generic.p12         |  Bin 0 -> 2477 bytes
 src/tests/dejagnu/pkinit-certs/generic.pem         |   21 +
 src/tests/dejagnu/pkinit-certs/kdc.pem             |   50 +-
 src/tests/dejagnu/pkinit-certs/make-certs.sh       |   69 +-
 src/tests/dejagnu/pkinit-certs/privkey-enc.pem     |   52 +-
 src/tests/dejagnu/pkinit-certs/privkey.pem         |   50 +-
 src/tests/dejagnu/pkinit-certs/user-enc.p12        |  Bin 3029 -> 2837 bytes
 src/tests/dejagnu/pkinit-certs/user-upn.p12        |  Bin 0 -> 2829 bytes
 src/tests/dejagnu/pkinit-certs/user-upn.pem        |   28 +
 src/tests/dejagnu/pkinit-certs/user-upn2.p12       |  Bin 0 -> 2813 bytes
 src/tests/dejagnu/pkinit-certs/user-upn2.pem       |   28 +
 src/tests/dejagnu/pkinit-certs/user-upn3.p12       |  Bin 0 -> 2829 bytes
 src/tests/dejagnu/pkinit-certs/user-upn3.pem       |   28 +
 src/tests/dejagnu/pkinit-certs/user.p12            |  Bin 3104 -> 2837 bytes
 src/tests/dejagnu/pkinit-certs/user.pem            |   56 +-
 src/tests/deps                                     |   16 +-
 src/tests/gssapi/Makefile.in                       |   27 +-
 src/tests/gssapi/deps                              |    7 +-
 src/tests/gssapi/t_authind.py                      |   20 +-
 src/tests/gssapi/t_ccselect.py                     |   69 +-
 src/tests/gssapi/t_client_keytab.py                |   60 +-
 src/tests/gssapi/t_enctypes.c                      |   14 +
 src/tests/gssapi/t_enctypes.py                     |    4 +-
 src/tests/gssapi/t_export_cred.py                  |    4 +-
 src/tests/gssapi/t_gssapi.py                       |  130 +-
 src/tests/gssapi/t_invalid.c                       |   57 +-
 src/tests/gssapi/t_lifetime.c                      |  140 +
 src/tests/gssapi/t_s4u.c                           |   20 +
 src/tests/gssapi/t_s4u.py                          |   21 +-
 src/tests/hammer/kdc5_hammer.c                     |   47 +-
 src/tests/icinterleave.c                           |  128 +
 src/tests/icred.c                                  |   67 +-
 src/tests/kdbtest.c                                |    5 +-
 src/tests/responder.c                              |    2 +-
 src/tests/t_audit.py                               |   11 +-
 src/tests/t_authdata.py                            |   66 +-
 src/tests/t_ccache.py                              |   60 +-
 src/tests/t_certauth.py                            |   47 +
 src/tests/t_crossrealm.py                          |   49 +-
 src/tests/t_dump.py                                |   31 +-
 src/tests/t_general.py                             |   37 +-
 src/tests/t_hostrealm.py                           |    5 +-
 src/tests/t_iprop.py                               |  103 +-
 src/tests/t_kadm5_auth.py                          |   81 +
 src/tests/t_kadm5_hook.py                          |   10 +-
 src/tests/t_kadmin_acl.py                          |  269 +-
 src/tests/t_kadmin_parsing.py                      |   30 +-
 src/tests/t_kdb.py                                 |  219 +-
 src/tests/t_kdb_locking.py                         |    5 +-
 src/tests/t_kdcpolicy.py                           |   62 +
 src/tests/t_keydata.py                             |   16 +-
 src/tests/t_keyrollover.py                         |   16 +-
 src/tests/t_keytab.py                              |   50 +-
 src/tests/t_kprop.py                               |   13 +-
 src/tests/t_localauth.py                           |    5 +-
 src/tests/t_mkey.py                                |   45 +-
 src/tests/t_otp.py                                 |   10 +-
 src/tests/t_pkinit.py                              |  154 +-
 src/tests/t_policy.py                              |  101 +-
 src/tests/t_preauth.py                             |  183 +-
 src/tests/t_pwqual.py                              |   25 +-
 src/tests/t_referral.py                            |   18 +-
 src/tests/t_renew.py                               |   78 +-
 src/tests/t_salt.py                                |   12 +-
 src/tests/t_skew.py                                |   22 +-
 src/tests/t_stringattr.py                          |    4 +-
 src/tests/t_y2038.py                               |   75 +
 src/util/depfix.pl                                 |    2 +-
 src/util/k5test.py                                 |   37 +-
 src/util/profile/prof_parse.c                      |    6 +-
 src/util/profile/profile_tcl.c                     |    2 -
 src/util/ss/data.c                                 |    3 -
 src/util/support/Makefile.in                       |   10 +-
 src/util/support/cache-addrinfo.h                  |   12 +-
 src/util/support/deps                              |    6 +-
 src/util/support/fake-addrinfo.c                   |   16 +-
 src/util/support/gmt_mktime.c                      |   17 +-
 src/util/support/libkrb5support-fixed.exports      |    5 +-
 src/util/support/plugins.c                         |    5 +-
 src/util/support/t_utf16.c                         |  117 +
 src/util/support/threads.c                         |    6 -
 src/util/support/utf8.c                            |    2 +-
 src/util/support/utf8_conv.c                       |  475 +-
 src/util/verto/README                              |    2 +-
 src/util/verto/libverto.exports                    |    1 +
 src/util/verto/verto-k5ev.c                        |   24 +-
 src/util/verto/verto-libev.c                       |    5 +
 src/util/verto/verto.c                             |  131 +-
 src/util/verto/verto.h                             |   20 +-
 src/windows/cns/tktlist.c                          |   10 +-
 src/windows/include/leashwin.h                     |   12 +-
 src/windows/leash/KrbListTickets.cpp               |   12 +-
 src/windows/leash/LeashView.cpp                    |   22 +-
 src/windows/leashdll/lshfunc.c                     |    2 +-
 src/windows/ms2mit/ms2mit.c                        |    2 +-
 1424 files changed, 26823 insertions(+), 16546 deletions(-)
 create mode 100644 .travis.yml
 create mode 100644 doc/appdev/y2038.rst
 create mode 100644 doc/html/_sources/appdev/y2038.txt
 create mode 100644 doc/html/_sources/plugindev/certauth.txt
 create mode 100644 doc/html/_sources/plugindev/kadm5_auth.txt
 create mode 100644 doc/html/_sources/plugindev/kdcpolicy.txt
 create mode 100644 doc/html/appdev/y2038.html
 create mode 100644 doc/html/plugindev/certauth.html
 create mode 100644 doc/html/plugindev/kadm5_auth.html
 create mode 100644 doc/html/plugindev/kdcpolicy.html
 create mode 100644 doc/plugindev/certauth.rst
 create mode 100644 doc/plugindev/kadm5_auth.rst
 create mode 100644 doc/plugindev/kdcpolicy.rst
 delete mode 100644 src/clients/kpasswd/ksetpwd.c
 delete mode 100644 src/config/ac-archive/acx_pthread.m4
 create mode 100644 src/config/ac-archive/ax_pthread.m4
 create mode 100644 src/config/ac-archive/ax_recursive_eval.m4
 delete mode 100644 src/config/ac-archive/relpaths.m4
 create mode 100644 src/include/k5-cmocka.h
 create mode 100644 src/include/krb5/certauth_plugin.h
 create mode 100644 src/include/krb5/kadm5_auth_plugin.h
 create mode 100644 src/include/krb5/kdcpolicy_plugin.h
 create mode 100644 src/kadmin/server/auth.c
 create mode 100644 src/kadmin/server/auth.h
 create mode 100644 src/kadmin/server/auth_acl.c
 create mode 100644 src/kadmin/server/auth_self.c
 delete mode 100644 src/lib/kadm5/srv/server_acl.c
 delete mode 100644 src/lib/kadm5/srv/server_acl.h
 create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
 create mode 100644 src/lib/krb5/krb/t_valid_times.c
 create mode 100644 src/plugins/certauth/test/Makefile.in
 create mode 100644 src/plugins/certauth/test/certauth_test.exports
 create mode 100644 src/plugins/certauth/test/deps
 create mode 100644 src/plugins/certauth/test/main.c
 create mode 100644 src/plugins/kadm5_auth/test/Makefile.in
 create mode 100644 src/plugins/kadm5_auth/test/deps
 create mode 100644 src/plugins/kadm5_auth/test/kadm5_auth_test.exports
 create mode 100644 src/plugins/kadm5_auth/test/main.c
 create mode 100644 src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
 create mode 100644 src/plugins/kdcpolicy/test/Makefile.in
 create mode 100644 src/plugins/kdcpolicy/test/deps
 create mode 100644 src/plugins/kdcpolicy/test/kdcpolicy_test.exports
 create mode 100644 src/plugins/kdcpolicy/test/main.c
 delete mode 100644 src/plugins/preauth/pkinit/pkinit_crypto_nss.c
 create mode 100644 src/plugins/preauth/test/common.c
 create mode 100644 src/plugins/preauth/test/common.h
 create mode 100644 src/po/de.po
 create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.pem
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.pem
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.p12
 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.pem
 create mode 100644 src/tests/gssapi/t_lifetime.c
 create mode 100644 src/tests/icinterleave.c
 create mode 100644 src/tests/t_certauth.py
 create mode 100644 src/tests/t_kadm5_auth.py
 create mode 100644 src/tests/t_kdcpolicy.py
 create mode 100644 src/tests/t_y2038.py
 create mode 100644 src/util/support/t_utf16.c

diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 000000000000..ec170eda02b9
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,26 @@
+language: c++
+
+sudo: required
+
+dist: xenial
+
+matrix:
+  include:
+  - compiler: clang
+    env: MAKEVARS=CPPFLAGS=-Werror
+  - compiler: gcc
+
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev libssl-dev python-cjson python-paste python-pyrad slapd tcl-dev tcsh
+  - mkdir -p cmocka/build
+  - cd cmocka
+  - wget https://cmocka.org/files/1.1/cmocka-1.1.1.tar.xz
+  - tar -xvf cmocka-1.1.1.tar.xz
+  - cd build
+  - cmake ../cmocka-1.1.1 -DCMAKE_INSTALL_PREFIX=/usr
+  - make
+  - sudo make install
+  - cd ../..
+
+script: cd src && autoreconf && ./configure --enable-maintainer-mode --with-ldap && make $MAKEVARS && make check
diff --git a/NOTICE b/NOTICE
index ff102ff3f113..1db2420a7e09 100644
--- a/NOTICE
+++ b/NOTICE
@@ -583,7 +583,7 @@ Marked test programs in src/lib/krb5/krb have the following copyright:
 
 ======================================================================
 
-The KCM Mach RPC definition file used on OS X has the following
+The KCM Mach RPC definition file used on macOS has the following
 copyright:
 
       Copyright (C) 2009 Kungliga Tekniska Högskola
diff --git a/README b/README
index a8eabd5ab9e2..f702e486b45d 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-                   Kerberos Version 5, Release 1.15
+                   Kerberos Version 5, Release 1.16
 
                             Release Notes
                         The MIT Kerberos Team
@@ -73,192 +73,149 @@ from using single-DES cryptosystems.  Among these is a configuration
 variable that enables "weak" enctypes, which defaults to "false"
 beginning with krb5-1.8.
 
-Major changes in 1.15.1 (2017-03-01)
-------------------------------------
+Major changes in 1.16 (2017-12-05)
+----------------------------------
 
-This is a bug fix release.
+Administrator experience:
 
-* Allow KDB modules to determine how the e_data field of principal
-  fields is freed
+* The KDC can match PKINIT client certificates against the
+  "pkinit_cert_match" string attribute on the client principal entry,
+  using the same syntax as the existing "pkinit_cert_match" profile
+  option.
 
-* Fix udp_preference_limit when the KDC location is configured with
-  SRV records
+* The ktutil addent command supports the "-k 0" option to ignore the
+  key version, and the "-s" option to use a non-default salt string.
 
-* Fix KDC and kadmind startup on some IPv4-only systems
+* kpropd supports a --pid-file option to write a pid file at startup,
+  when it is run in standalone mode.
 
-* Fix the processing of PKINIT certificate matching rules which have
-  two components and no explicit relation
+* The "encrypted_challenge_indicator" realm option can be used to
+  attach an authentication indicator to tickets obtained using FAST
+  encrypted challenge pre-authentication.
 
-* Improve documentation
+* Localization support can be disabled at build time with the
+  --disable-nls configure option.
 
-krb5-1.15.1 changes by ticket ID
---------------------------------
+Developer experience:
 
-7940    PKINIT docs only work for one-component client principals
-8523    Add krbPwdPolicy attributes to kerberos.ldif
-8524    Add caveats to krbtgt change documentation
-8525    Fix error handling in PKINIT decode_data()
-8530    KDC/kadmind explicit wildcard listener addresses do not use pktinfo
-8531    KDC/kadmind may fail to start on IPv4-only systems
-8532    Fix GSSAPI authind attribute name in docs
-8538    Need a way to free KDB module e_data
-8540    Document default realm and login authorization
-8552    Add GSSAPI S4U documentation
-8553    Fix PKINIT two-component matching rule parsing
-8554    udp_preference_limit fails with SRV records
+* The kdcpolicy pluggable interface allows modules control whether
+  tickets are issued by the KDC.
 
+* The kadm5_auth pluggable interface allows modules to control whether
+  kadmind grants access to a kadmin request.
 
-Major changes in 1.15 (2016-12-01)
-----------------------------------
-
-Administrator experience:
+* The certauth pluggable interface allows modules to control which
+  PKINIT client certificates can authenticate to which client
+  principals.
 
-* Improve support for multihomed Kerberos servers by adding options
-  for specifying restricted listening addresses for the KDC and
-  kadmind.
+* KDB modules can use the client and KDC interface IP addresses to
+  determine whether to allow an AS request.
 
-* Add support to kadmin for remote extraction of current keys without
-  changing them (requires a special kadmin permission that is excluded
-  from the wildcard permission), with the exception of highly
-  protected keys.
+* GSS applications can query the bit strength of a krb5 GSS context
+  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+  gss_inquire_sec_context_by_oid().
 
-* Add a lockdown_keys principal attribute to prevent retrieval of the
-  principal's keys (old or new) via the kadmin protocol.  In newly
-  created databases, this attribute is set on the krbtgt and kadmin
-  principals.
+* GSS applications can query the impersonator name of a krb5 GSS
+  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+  gss_inquire_cred_by_oid().
 
-* Restore recursive dump capability for DB2 back end, so sites can
-  more easily recover from database corruption resulting from power
-  failure events.
+* kdcpreauth modules can query the KDC for the canonicalized requested
+  client principal name, or match a principal name against the
+  requested client principal name with canonicalization.
 
-* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
- in addition to SRV records.  URI records can convey TCP and UDP
- servers and master KDC status in a single DNS lookup, and can also
- point to HTTPS proxy servers.
+Protocol evolution:
 
-* Add support for password history to the LDAP back end.
+* The client library will continue to try pre-authentication
+  mechanisms after most failure conditions.
 
-* Add support for principal renaming to the LDAP back end.
+* The KDC will issue trivially renewable tickets (where the renewable
+  lifetime is equal to or less than the ticket lifetime) if requested
+  by the client, to be friendlier to scripts.
 
-* Use the getrandom system call on supported Linux kernels to avoid
-  blocking problems when getting entropy from the operating system.
+* The client library will use a random nonce for TGS requests instead
+  of the current system time.
 
-* In the PKINIT client, use the correct DigestInfo encoding for PKCS
-  #1 signatures, so that some especially strict smart cards will work.
+* For the RC4 string-to-key or PAC operations, UTF-16 is supported
+  (previously only UCS-2 was supported).
 
-Code quality:
+* When matching PKINIT client certificates, UPN SANs will be matched
+  correctly as UPNs, with canonicalization.
 
-* Clean up numerous compilation warnings.
+User experience:
 
-* Remove various infrequently built modules, including some preauth
-  modules that were not built by default.
+* Dates after the year 2038 are accepted (provided that the platform
+  time facilities support them), through the year 2106.
 
-Developer experience:
+* Automatic credential cache selection based on the client realm will
+  take into account the fallback realm and the service hostname.
 
-* Add support for building with OpenSSL 1.1.
+* Referral and alternate cross-realm TGTs will not be cached, avoiding
+  some scenarios where they can be added to the credential cache
+  multiple times.
 
-* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
-  authenticators in the replay cache.  This helps sites that must
-  build with FIPS 140 conformant libraries that lack MD5.
+* A German translation has been added.
 
-* Eliminate util/reconf and allow the use of autoreconf alone to
-  regenerate the configure script.
+Code quality:
 
-Protocol evolution:
+* The build is warning-clean under clang with the configured warning
+  options.
 
-* Add support for the AES-SHA2 enctypes, which allows sites to conform
-  to Suite B crypto requirements.
+* The automated test suite runs cleanly under AddressSanitizer.
 
-krb5-1.15 changes by ticket ID
+krb5-1.16 changes by ticket ID
 ------------------------------
 
-1093    KDC could use feature to limit listening interfaces
-5889    password history doesn't work with LDAP KDB
-6666    some non-default plugin directories don't build in 1.8 branch
-7852    kadmin.local's ktadd -norandkey does not handle multiple kvnos
-        in the KDB
-7985    Add krb5_get_init_creds_opt_set_pac_request
-8065    Renaming principals with LDAP KDB deletes the principal
-8277    iprop can choose wrong realm
-8278    Add krb5_expand_hostname() API
-8280    Fix impersonate_name to work with interposers
-8295    kdb5_ldap_stash_service_password() stash file logic needs tweaking
-8297    jsonwalker.py test fails
-8298    Audit Test fails when system has IPV6 address
-8299    Remove util/reconf
-8329    Only run export-check.pl in maintainer mode
-8344    Create KDC and kadmind log files with mode 0640
-8345    Remove nss libk5crypto implementation
-8348    Remove workaround when binding to udp addresses and pktinfo
-        isn't supported by the system
-8353    Replace MD5 use in rcache with SHA-256
-8354    Only store latest keys in key history entry
-8355    Add kadm5_setkey_principal_4 RPC to kadmin
-8364    Add get_principal_keys RPC to kadmin
-8365    Add the ability to lock down principal keys
-8366    Increase initial DNS buffer size
-8368    Remove hdb KDB module
-8371    Improve libkadm5 client RPC thread safety
-8372    Use cached S4U2Proxy tickets in GSSAPI
-8374    Interoperate with incomplete SPNEGO responses
-8375    Allow zero cksumtype in krb5_k_verify_checksum()
-8379    Add auth indicator handling to libkdb_ldap
-8381    Don't fall back to master on password read error
-8386    Add KDC pre-send and post-receive KDC hooks
-8388    Remove port 750 from the KDC default ports
-8389    Make profile includedir accept all *.conf files
-8391    Add kinit long option support for all platforms
-8393    Password Expiration "Never" Inconsistently Applied
-8394    Add debug message filtering to krb5_klog_syslog
-8396    Skip password prompt when running ksu as root
-8398    Add libk5crypto support for OpenSSL 1.1.0
-8399    Unconstify some krb5 GSS OIDs
-8403    kinit documentation page
-8404    Remove non-DFSG documentation
-8405    Work around python-ldap bug in kerberos.ldif
-8412    Link correct VS2015 C libraries for debug builds
-8414    Use library malloc for principal, policy entries
-8418    Add libkdb function to specialize principal's salt
-8419    Do not indicate deprecated GSS mechanisms
-8423    Add SPNEGO special case for NTLMSSP+MechListMIC
-8425    Add auth-indicator authdata module
-8426    test_check_allowed_to_delegate() should free unparsed princ output
-8428    Minimize timing leaks in PKINIT decryption
-8429    Fix Makefile for paths containing '+' character
-8434    Fix memory leak in old gssrpc authentication
-8436    Update libev sources to 4.22
-8446    Fix leak in key change operations
-8451    Add hints for -A flag to kdestroy
-8456    Add the kprop-port option to kadmind
-8462    Better handle failures to resolve client keytab
-8464    Set prompt type for OTP preauth prompt
-8465    Improve bad password inference in kinit
-8466    Rename k5-queue.h macros
-8471    Change KDC error for encrypted timestamp preauth
-8476    Restore recursive dump functionality
-8478    usability improvements for bttest
-8488    Stop generating doc/CHANGES
-8490    Add aes-sha2 enctype support
-8494    Add krb5_db_register_keytab()
-8496    Add KDC discovery from URI records
-8498    Potential memory leak in prepare_error_as()
-8499    Use getrandom system call on recent Linux kernels
-8500    Document krb5_kt_next_entry() requirement
-8502    ret_boolean in profile_get_boolean() should be krb5_boolean *
-        instead of int *
-8504    Properly handle EOF condition on libkrad sockets
-8506    PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1
-8507    Suggest unlocked iteration for mkey rollover
-8508    Clarify krb5_kt_resolve() API documentation
-8509    Leak in krb5_cccol_have_content with truncated ccache
-8510    Update features list for 1.15
-8512    Fix detection of libaceclnt for securid_sam2
-8513    Add doxygen comments for RFC 8009, RFC 4757
-8514    Make zap() more reliable
-8516    Fix declaration without type in t_shs3.c
-8520    Relicense ccapi/common/win/OldCC/autolock.hxx
-8521    Allow slapd path configuration in t_kdb.py
-
+3349    Allow keytab entries to ignore the key version
+7647    let ktutil support non-default salts
+7877    Interleaved init_creds operations use same per-request preauth context
+8352    Year 2038 fixes
+8515    Add German translation
+8517    Add KRB5_TRACE calls for DNS lookups
+8518    Remove redeclaration of ttyname() in ksu
+8526    Constify service and hostname in krb5_mk_req()
+8527    Clean up memory handling in krb5_fwd_tgt_creds()
+8528    Improve PKINIT UPN SAN matching
+8529    Add OpenLDAP LDIF file for Kerberos schema
+8533    Bug in src/tests/responder.c
+8534    Add configure option to disable nls support
+8537    Preauthentication should continue after failure
+8539    Preauth tryagain should copy KDC cookie
+8544    Wrong PKCS11 PIN can trigger PKINIT draft9 code
+8548    Add OID to inquire GSS cred impersonator name
+8549    Use fallback realm for GSSAPI ccache selection
+8558    kvno memory leak (1.15.1)
+8561    Add certauth pluggable interface
+8562    Add the certauth dbmatch module
+8568    Convert some pkiDebug messages to TRACE macros
+8569    Add support to query the SSF of a GSS context
+8570    Add the client_name() kdcpreauth callback
+8571    Use the canonical client principal name for OTP
+8572    Un-deprecate krb5_auth_con_initivector()
+8575    Add FAST encrypted challenge auth indicator
+8577    Replace UCS-2 conversions with UTF-16
+8578    Add various bound checks
+8579    duplicate caching of some cross-realm TGTs
+8582    Use a random nonce in TGS requests
+8583    Pass client address to DAL audit_as_req
+8592    Parse all kadm5.acl fields at startup
+8595    Pluggable interface for kadmin authorization
+8597    acx_pthread.m4 needs to be updated
+8602    Make ccache name work for klist/kdestroy -A
+8603    Remove incomplete PKINIT OCSP support
+8606    Add KDC policy pluggable interface
+8607    kpropd should write a pidfile when started in standalone mode...
+8608    Fix AIX build issues
+8609    Renewed tickets can be marked renewable with no renewable endtime
+8610    Don't set ctime in KDC error replies
+8612    Bump bundled libverto for 0.3.0 release
+8613    Add hostname-based ccselect module
+8615    Abort client preauth on keyboard interrupt
+8616    Fix default enctype order in docs
+8617    PKINIT matching can crash for certs with long issuer and subject
+8620    Length check when parsing GSS token encapsulation
+8621    Expose context errors in pkinit_server_plugin_init
+8623    Update features list for 1.16
+8624    Update config.guess, config.sub
 
 Acknowledgements
 ----------------
@@ -349,7 +306,7 @@ Past and present members of the Kerberos Team at MIT:
     Zhanna Tsitkova
     Ted Ts'o
     Marshall Vale
-    Tom Yu
+    Taylor Yu
 
 The following external contributors have provided code, patches, bug
 reports, suggestions, and valuable resources:
@@ -372,7 +329,9 @@ reports, suggestions, and valuable resources:
     Radoslav Bodo
     Sumit Bose
     Emmanuel Bouillon
+    Isaac Boukris
     Philip Brown
+    Samuel Cabrero
     Michael Calmer
     Andrea Campi
     Julien Chaffraix
@@ -396,7 +355,9 @@ reports, suggestions, and valuable resources:
     Mark Deneen
     Günther Deschner
     John Devitofranceschi
+    Marc Dionne
     Roland Dowdeswell
+    Dorian Ducournau
     Viktor Dukhovni
     Jason Edgecombe
     Mark Eichin
@@ -421,6 +382,7 @@ reports, suggestions, and valuable resources:
     Philip Guenther
     Dominic Hargreaves
     Robbie Harwood
+    John Hascall
     Jakob Haufe
     Matthieu Hautreux
     Jochen Hein
@@ -441,18 +403,25 @@ reports, suggestions, and valuable resources:
     Pavel Jindra
     Brian Johannesmeyer
     Joel Johnson
+    Alexander Karaivanov
     Anders Kaseorg
+    Bar Katz
+    Zentaro Kavanagh
+    Mubashir Kazia
     W. Trevor King
     Patrik Kis
+    Martin Kittel
     Mikkel Kruse
     Reinhard Kugler
     Tomas Kuthan
     Pierre Labastie
+    Chris Leick
     Volker Lendecke
     Jan iankko Lieskovsky
     Todd Lipcon
     Oliver Loch
     Kevin Longfellow
+    Frank Lonigro
     Jon Looney
     Nuno Lopes
     Ryan Lynch
@@ -486,6 +455,7 @@ reports, suggestions, and valuable resources:
     Jonathan Reams
     Jonathan Reed
     Robert Relyea
+    Tony Reix
     Martin Rex
     Jason Rogers
     Matt Rogers
@@ -493,10 +463,13 @@ reports, suggestions, and valuable resources:
     Solly Ross
     Mike Roszkowski
     Guillaume Rousse
+    Joshua Schaeffer
     Andreas Schneider
     Tom Shaw
     Jim Shi
     Peter Shoults
+    Richard Silverman
+    Cel Skeggs
     Simo Sorce
     Michael Spang
     Michael Ströder
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -661,6 +661,13 @@ KDC:
     *principal*.  The *value* is a JSON string representing an array
     of objects, each having optional ``type`` and ``username`` fields.
 
+**pkinit_cert_match**
+    Specifies a matching expression that defines the certificate
+    attributes required for the client certificate used by the
+    principal during PKINIT authentication.  The matching expression
+    is in the same format as those used by the **pkinit_cert_match**
+    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)
+
 This command requires the **modify** privilege.
 
 Alias: **setstr**
diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/admin/admin_commands/kpropd.rst
+++ b/doc/admin/admin_commands/kpropd.rst
@@ -14,6 +14,7 @@ SYNOPSIS
 [**-F** *principal_database*]
 [**-p** *kdb5_util_prog*]
 [**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
 [**-d**]
 [**-t**]
 
@@ -104,6 +105,10 @@ OPTIONS
     Allows the user to specify the path to the kpropd.acl file; by
     default the path used is |kdcdir|\ ``/kpropd.acl``.
 
+**--pid-file**\ =\ *pid_file*
+    In standalone mode, write the process ID of the daemon into
+    *pid_file*.
+
 
 ENVIRONMENT
 -----------
diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/admin/admin_commands/ktutil.rst
+++ b/doc/admin/admin_commands/ktutil.rst
@@ -87,7 +87,7 @@ add_entry
 ~~~~~~~~~
 
     **add_entry** {**-key**\|\ **-password**} **-p** *principal*
-    **-k** *kvno* **-e** *enctype*
+    **-k** *kvno* **-e** *enctype* [**-s** *salt*]
 
 Add *principal* to keylist using key or password.
 
diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/admin/conf_files/kadm5_acl.rst
+++ b/doc/admin/conf_files/kadm5_acl.rst
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
     */root@ATHENA.MIT.EDU     l   *                           # line 5
     sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1).  He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2).  His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
 
 (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
 or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
 
 SEE ALSO
 --------
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
 **acl_file**
     (String.)  Location of the access control list file that
     :ref:`kadmind(8)` uses to determine which principals are allowed
-    which permissions on the Kerberos database.  The default value is
-    |kdcdir|\ ``/kadm5.acl``.  For more information on Kerberos ACL
-    file see :ref:`kadm5.acl(5)`.
+    which permissions on the Kerberos database.  To operate without an
+    ACL file, set this relation to the empty string with ``acl_file =
+    ""``.  The default value is |kdcdir|\ ``/kadm5.acl``.  For more
+    information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
 
 **database_module**
     (String.)  This relation indicates the name of the configuration
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
     if there is no policy assigned to the principal, no dictionary
     checks of passwords will be performed.
 
+**encrypted_challenge_indicator**
+    (String.)  Specifies the authentication indicator value that the KDC
+    asserts into tickets obtained using FAST encrypted challenge
+    pre-authentication.  New in 1.16.
+
 **host_based_services**
     (Whitespace- or comma-separated list.)  Lists services which will
     get host-based referral processing even if the server principal is
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
     pkinit is used to authenticate.  This option may be specified
     multiple times.  (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
-    Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the KDC to complete the trust chain between a client's
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
 des                                                  The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
 des3                                                 The triple DES family: des3-cbc-sha1
-aes                                                  The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
 camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
 ==================================================== =========================================================
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
     the local user or by root.
 
 **kcm_mach_service**
-    On OS X only, determines the name of the bootstrap service used to
+    On macOS only, determines the name of the bootstrap service used to
     contact the KCM daemon for the KCM credential cache type.  If the
     value is ``-``, Mach RPC will not be used to contact the KCM
     daemon.  The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
     Uses the service realm to guess an appropriate cache from the
     collection
 
+**hostname**
+    If the service principal is host-based, uses the service hostname
+    to guess an appropriate cache from the collection
+
 .. _pwqual:
 
 pwqual interface
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
 
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+
+**acl**
+    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+    operations which are allowed according to the rules in the file.
+
+**self**
+    This module authorizes self-service operations including password
+    changes, creation of new random keys, fetching the client's
+    principal record or string attributes, and fetching the policy
+    record associated with the client principal.
+
 .. _clpreauth:
 
 .. _kdcpreauth:
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
     This module authorizes a principal to a local account if the
     principal name maps to the local account name.
 
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+    This module authorizes the certificate if it contains a PKINIT
+    Subject Alternative Name for the requested client principal, or a
+    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+    is set to true for the realm.
+
+**pkinit_eku**
+    This module rejects the certificate if it does not contain an
+    Extended Key Usage attribute consistent with the
+    **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+    This module authorizes or rejects the certificate according to
+    whether it matches the **pkinit_cert_match** string attribute on
+    the client principal, if that attribute is present.
+
 
 PKINIT options
 --------------
diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/admin/pkinit.rst
+++ b/doc/admin/pkinit.rst
@@ -223,6 +223,26 @@ time as follows::
 
     kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
 
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+    kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+    [kdcdefaults]
+        pkinit_eku_checking = none
+
+
 
 Configuring the clients
 -----------------------
diff --git a/doc/admin/realm_config.rst b/doc/admin/realm_config.rst
index c016d720fded..c7d9164f5e78 100644
--- a/doc/admin/realm_config.rst
+++ b/doc/admin/realm_config.rst
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
 
 The client performs a query for the following URI records:
 
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
 * ``_kerberos-adm.REALM`` for finding kadmin services.
 * ``_kpasswd.REALM`` for finding password services.
 
diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/appdev/gssapi.rst
+++ b/doc/appdev/gssapi.rst
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.
 
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+    OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                      const gss_cred_id_t cred_handle,
+                                      gss_OID desired_object,
+                                      gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
 
 AEAD message wrapping
 ---------------------
diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/appdev/index.rst
+++ b/doc/appdev/index.rst
@@ -5,6 +5,7 @@ For application developers
    :maxdepth: 1
 
    gssapi.rst
+   y2038.rst
    h5l_mit_apidiff.rst
    init_creds.rst
    princ_handle.rst
diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/appdev/y2038.rst
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+    (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index ff857f4f9422..d147f0d7aa99 100644
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -64,7 +64,7 @@ library.
 
    KCM client support is new in release 1.13.  A KCM daemon has not
    yet been implemented in MIT krb5, but the client will interoperate
-   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
    provides a KCM daemon as part of the operating system, and the
    **KCM** cache type is used as the default cache on that platform in
    a default build.
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index 0fd03072cd2d..ac1a8b9515b0 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -350,10 +350,6 @@ Optional packages
     prng specify ``--with-prng-alg=os``.  The default is ``fortuna``.
     (See :ref:`mitK5features`)
 
-**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
-    Use the specified pkinit crypto implementation *IMPL*.
-    Defaults to using OpenSSL.
-
 **-**\ **-without-libedit**
     Do not compile and link against libedit.  Some utilities will no
     longer offer command history or completion in interactive mode if
diff --git a/doc/conf.py b/doc/conf.py
index 3ee2df6301f5..ccd02d6b7e6e 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -272,7 +272,7 @@ else:
     rst_epilog += '''
 .. |krb5conf| replace:: ``/etc/krb5.conf``
 .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
 .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
 .. |copy| unicode:: U+000A9
 '''
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt
+++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
@@ -661,6 +661,13 @@ KDC:
     *principal*.  The *value* is a JSON string representing an array
     of objects, each having optional ``type`` and ``username`` fields.
 
+**pkinit_cert_match**
+    Specifies a matching expression that defines the certificate
+    attributes required for the client certificate used by the
+    principal during PKINIT authentication.  The matching expression
+    is in the same format as those used by the **pkinit_cert_match**
+    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)
+
 This command requires the **modify** privilege.
 
 Alias: **setstr**
diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/html/_sources/admin/admin_commands/kpropd.txt
+++ b/doc/html/_sources/admin/admin_commands/kpropd.txt
@@ -14,6 +14,7 @@ SYNOPSIS
 [**-F** *principal_database*]
 [**-p** *kdb5_util_prog*]
 [**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
 [**-d**]
 [**-t**]
 
@@ -104,6 +105,10 @@ OPTIONS
     Allows the user to specify the path to the kpropd.acl file; by
     default the path used is |kdcdir|\ ``/kpropd.acl``.
 
+**--pid-file**\ =\ *pid_file*
+    In standalone mode, write the process ID of the daemon into
+    *pid_file*.
+
 
 ENVIRONMENT
 -----------
diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/html/_sources/admin/admin_commands/ktutil.txt
+++ b/doc/html/_sources/admin/admin_commands/ktutil.txt
@@ -87,7 +87,7 @@ add_entry
 ~~~~~~~~~
 
     **add_entry** {**-key**\|\ **-password**} **-p** *principal*
-    **-k** *kvno* **-e** *enctype*
+    **-k** *kvno* **-e** *enctype* [**-s** *salt*]
 
 Add *principal* to keylist using key or password.
 
diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt
+++ b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
     */root@ATHENA.MIT.EDU     l   *                           # line 5
     sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1).  He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2).  His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
 
 (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
 or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
 
 SEE ALSO
 --------
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/html/_sources/admin/conf_files/kdc_conf.txt
+++ b/doc/html/_sources/admin/conf_files/kdc_conf.txt
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
 **acl_file**
     (String.)  Location of the access control list file that
     :ref:`kadmind(8)` uses to determine which principals are allowed
-    which permissions on the Kerberos database.  The default value is
-    |kdcdir|\ ``/kadm5.acl``.  For more information on Kerberos ACL
-    file see :ref:`kadm5.acl(5)`.
+    which permissions on the Kerberos database.  To operate without an
+    ACL file, set this relation to the empty string with ``acl_file =
+    ""``.  The default value is |kdcdir|\ ``/kadm5.acl``.  For more
+    information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
 
 **database_module**
     (String.)  This relation indicates the name of the configuration
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
     if there is no policy assigned to the principal, no dictionary
     checks of passwords will be performed.
 
+**encrypted_challenge_indicator**
+    (String.)  Specifies the authentication indicator value that the KDC
+    asserts into tickets obtained using FAST encrypted challenge
+    pre-authentication.  New in 1.16.
+
 **host_based_services**
     (Whitespace- or comma-separated list.)  Lists services which will
     get host-based referral processing even if the server principal is
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
     pkinit is used to authenticate.  This option may be specified
     multiple times.  (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
-    Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the KDC to complete the trust chain between a client's
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
 des                                                  The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
 des3                                                 The triple DES family: des3-cbc-sha1
-aes                                                  The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
 camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
 ==================================================== =========================================================
diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/html/_sources/admin/conf_files/krb5_conf.txt
+++ b/doc/html/_sources/admin/conf_files/krb5_conf.txt
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
     the local user or by root.
 
 **kcm_mach_service**
-    On OS X only, determines the name of the bootstrap service used to
+    On macOS only, determines the name of the bootstrap service used to
     contact the KCM daemon for the KCM credential cache type.  If the
     value is ``-``, Mach RPC will not be used to contact the KCM
     daemon.  The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
     Uses the service realm to guess an appropriate cache from the
     collection
 
+**hostname**
+    If the service principal is host-based, uses the service hostname
+    to guess an appropriate cache from the collection
+
 .. _pwqual:
 
 pwqual interface
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
 
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+
+**acl**
+    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+    operations which are allowed according to the rules in the file.
+
+**self**
+    This module authorizes self-service operations including password
+    changes, creation of new random keys, fetching the client's
+    principal record or string attributes, and fetching the policy
+    record associated with the client principal.
+
 .. _clpreauth:
 
 .. _kdcpreauth:
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
     This module authorizes a principal to a local account if the
     principal name maps to the local account name.
 
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+    This module authorizes the certificate if it contains a PKINIT
+    Subject Alternative Name for the requested client principal, or a
+    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+    is set to true for the realm.
+
+**pkinit_eku**
+    This module rejects the certificate if it does not contain an
+    Extended Key Usage attribute consistent with the
+    **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+    This module authorizes or rejects the certificate according to
+    whether it matches the **pkinit_cert_match** string attribute on
+    the client principal, if that attribute is present.
+
 
 PKINIT options
 --------------
diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/html/_sources/admin/pkinit.txt
+++ b/doc/html/_sources/admin/pkinit.txt
@@ -223,6 +223,26 @@ time as follows::
 
     kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
 
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+    kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+    [kdcdefaults]
+        pkinit_eku_checking = none
+
+
 
 Configuring the clients
 -----------------------
diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt
index c016d720fded..c7d9164f5e78 100644
--- a/doc/html/_sources/admin/realm_config.txt
+++ b/doc/html/_sources/admin/realm_config.txt
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
 
 The client performs a query for the following URI records:
 
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
 * ``_kerberos-adm.REALM`` for finding kadmin services.
 * ``_kpasswd.REALM`` for finding password services.
 
diff --git a/doc/html/_sources/appdev/gssapi.txt b/doc/html/_sources/appdev/gssapi.txt
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/html/_sources/appdev/gssapi.txt
+++ b/doc/html/_sources/appdev/gssapi.txt
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.
 
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+    OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                      const gss_cred_id_t cred_handle,
+                                      gss_OID desired_object,
+                                      gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
 
 AEAD message wrapping
 ---------------------
diff --git a/doc/html/_sources/appdev/index.txt b/doc/html/_sources/appdev/index.txt
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/html/_sources/appdev/index.txt
+++ b/doc/html/_sources/appdev/index.txt
@@ -5,6 +5,7 @@ For application developers
    :maxdepth: 1
 
    gssapi.rst
+   y2038.rst
    h5l_mit_apidiff.rst
    init_creds.rst
    princ_handle.rst
diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
index 7d5bf4cf03ee..4dc9e0afb9a0 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
@@ -1,5 +1,5 @@
-krb5_auth_con_initivector
-=========================
+krb5_auth_con_initivector -  Cause an auth context to use cipher state. 
+========================================================================
 
 ..
 
@@ -10,30 +10,31 @@ krb5_auth_con_initivector
 
 :param:
 
-	          **context**
+	          **[in]** **context** - Library context
 
-	          **auth_context**
+	          **[in]** **auth_context** - Authentication context
 
 
 ..
 
 
+:retval:
+         -   0   Success; otherwise - Kerberos error codes
 
-..
 
+..
 
-DEPRECATED Not replaced. 
 
 
 
 
 
 
+Prepare *auth_context* to use cipher state when :c:func:`krb5_mk_priv()` or :c:func:`krb5_rd_priv()` encrypt or decrypt data.
 
 
 
 
-RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
index a6273bbb2c75..fab6d70594f3 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
@@ -3,7 +3,7 @@ krb5_fwd_tgt_creds -  Get a forwarded TGT and format a KRB-CRED message.
 
 ..
 
-.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
 
 ..
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
index 85efec065a5e..011fe47837fd 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
@@ -27,7 +27,7 @@ krb5_init_creds_free -  Free an initial credentials context.
 
 
 
-
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
index 05c26f3759b4..291fa509269d 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
@@ -34,6 +34,10 @@ This function synchronously obtains credentials using a context created by :c:fu
 
 
 
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
index 6bbbeed869e4..c703124106db 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
@@ -44,6 +44,10 @@ This function creates a new context for acquiring initial credentials. Use :c:fu
 
 
 
+Any subsequent calls to :c:func:`krb5_init_creds_step()` , :c:func:`krb5_init_creds_get()` , or :c:func:`krb5_init_creds_free()` for this initial credentials context must use the same *context* argument as the one passed to this function.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
index d08ffc7d629d..67b9b5d6de0b 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
@@ -32,7 +32,7 @@ krb5_init_creds_set_service -  Specify a service principal for acquiring initial
 
 
 
-This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
+Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
index c4e8a202aa53..8008e6724f1a 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
@@ -50,6 +50,10 @@ If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should tr
 
 
 
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
index e3a5da424a8d..695eb79399cb 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
@@ -3,7 +3,7 @@ krb5_mk_req -  Create a KRB_AP_REQ message.
 
 ..
 
-.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
 
 ..
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
index d9af52f770ab..338b43a1453e 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
@@ -62,7 +62,7 @@ If successful, *pac* is marked as verified.
 
 .. note::
 
-	 A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
+	 A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
  
 
 
diff --git a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
index e9263e49d1b7..dc3e9eee79ab 100644
--- a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
+++ b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
@@ -9,8 +9,9 @@ krb5_timestamp
 .. c:type:: krb5_timestamp
 ..
 
+Represents a timestamp in seconds since the POSIX epoch.
 
-
+This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.
 
 Declaration
 ------------
diff --git a/doc/html/_sources/appdev/y2038.txt b/doc/html/_sources/appdev/y2038.txt
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/html/_sources/appdev/y2038.txt
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+    (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
diff --git a/doc/html/_sources/basic/ccache_def.txt b/doc/html/_sources/basic/ccache_def.txt
index ff857f4f9422..d147f0d7aa99 100644
--- a/doc/html/_sources/basic/ccache_def.txt
+++ b/doc/html/_sources/basic/ccache_def.txt
@@ -64,7 +64,7 @@ library.
 
    KCM client support is new in release 1.13.  A KCM daemon has not
    yet been implemented in MIT krb5, but the client will interoperate
-   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
    provides a KCM daemon as part of the operating system, and the
    **KCM** cache type is used as the default cache on that platform in
    a default build.
diff --git a/doc/html/_sources/build/options2configure.txt b/doc/html/_sources/build/options2configure.txt
index 0fd03072cd2d..ac1a8b9515b0 100644
--- a/doc/html/_sources/build/options2configure.txt
+++ b/doc/html/_sources/build/options2configure.txt
@@ -350,10 +350,6 @@ Optional packages
     prng specify ``--with-prng-alg=os``.  The default is ``fortuna``.
     (See :ref:`mitK5features`)
 
-**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
-    Use the specified pkinit crypto implementation *IMPL*.
-    Defaults to using OpenSSL.
-
 **-**\ **-without-libedit**
     Do not compile and link against libedit.  Some utilities will no
     longer offer command history or completion in interactive mode if
diff --git a/doc/html/_sources/mitK5features.txt b/doc/html/_sources/mitK5features.txt
index b4e4b8b9b780..9df7e34d65be 100644
--- a/doc/html/_sources/mitK5features.txt
+++ b/doc/html/_sources/mitK5features.txt
@@ -19,8 +19,8 @@ Quick facts
 License - :ref:`mitK5license`
 
 Releases:
-    - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/
-    - Supported: http://web.mit.edu/kerberos/krb5-1.14/
+    - Latest stable: http://web.mit.edu/kerberos/krb5-1.16/
+    - Supported: http://web.mit.edu/kerberos/krb5-1.15/
     - Release cycle: 9 -- 12 months
 
 Supported platforms \/ OS distributions:
@@ -162,7 +162,7 @@ Release 1.13
  -   Add client support for the Kerberos Cache Manager protocol. If
      the host is running a Heimdal kcm daemon, caches served by the
      daemon can be accessed with the KCM: cache type.
- -   When built on OS X 10.7 and higher, use "KCM:" as the default
+ -   When built on macOS 10.7 and higher, use "KCM:" as the default
      cachetype, unless overridden by command-line options or
      krb5-config values.
  -   Add support for doing unlocked database dumps for the DB2 KDC
@@ -309,6 +309,95 @@ Release 1.15
   - Add support for the AES-SHA2 enctypes, which allows sites to
     conform to Suite B crypto requirements.
 
+Release 1.16
+
+* Administrator experience:
+
+  - The KDC can match PKINIT client certificates against the
+    "pkinit_cert_match" string attribute on the client principal
+    entry, using the same syntax as the existing "pkinit_cert_match"
+    profile option.
+
+  - The ktutil addent command supports the "-k 0" option to ignore the
+    key version, and the "-s" option to use a non-default salt string.
+
+  - kpropd supports a --pid-file option to write a pid file at
+    startup, when it is run in standalone mode.
+
+  - The "encrypted_challenge_indicator" realm option can be used to
+    attach an authentication indicator to tickets obtained using FAST
+    encrypted challenge pre-authentication.
+
+  - Localization support can be disabled at build time with the
+    --disable-nls configure option.
+
+* Developer experience:
+
+  - The kdcpolicy pluggable interface allows modules control whether
+    tickets are issued by the KDC.
+
+  - The kadm5_auth pluggable interface allows modules to control
+    whether kadmind grants access to a kadmin request.
+
+  - The certauth pluggable interface allows modules to control which
+    PKINIT client certificates can authenticate to which client
+    principals.
+
+  - KDB modules can use the client and KDC interface IP addresses to
+    determine whether to allow an AS request.
+
+  - GSS applications can query the bit strength of a krb5 GSS context
+    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+    gss_inquire_sec_context_by_oid().
+
+  - GSS applications can query the impersonator name of a krb5 GSS
+    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+    gss_inquire_cred_by_oid().
+
+  - kdcpreauth modules can query the KDC for the canonicalized
+    requested client principal name, or match a principal name against
+    the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+  - The client library will continue to try pre-authentication
+    mechanisms after most failure conditions.
+
+  - The KDC will issue trivially renewable tickets (where the
+    renewable lifetime is equal to or less than the ticket lifetime)
+    if requested by the client, to be friendlier to scripts.
+
+  - The client library will use a random nonce for TGS requests
+    instead of the current system time.
+
+  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+    (previously only UCS-2 was supported).
+
+  - When matching PKINIT client certificates, UPN SANs will be matched
+    correctly as UPNs, with canonicalization.
+
+* User experience:
+
+  - Dates after the year 2038 are accepted (provided that the platform
+    time facilities support them), through the year 2106.
+
+  - Automatic credential cache selection based on the client realm
+    will take into account the fallback realm and the service
+    hostname.
+
+  - Referral and alternate cross-realm TGTs will not be cached,
+    avoiding some scenarios where they can be added to the credential
+    cache multiple times.
+
+  - A German translation has been added.
+
+* Code quality:
+
+  - The build is warning-clean under clang with the configured warning
+    options.
+
+  - The automated test suite runs cleanly under AddressSanitizer.
+
 `Pre-authentication mechanisms`
 
 - PW-SALT                                         :rfc:`4120#section-5.2.7.3`
diff --git a/doc/html/_sources/plugindev/certauth.txt b/doc/html/_sources/plugindev/certauth.txt
new file mode 100644
index 000000000000..8a7f7c5ebad6
--- /dev/null
+++ b/doc/html/_sources/plugindev/certauth.txt
@@ -0,0 +1,27 @@
+.. _certauth_plugin:
+
+PKINIT certificate authorization interface (certauth)
+=====================================================
+
+The certauth interface was first introduced in release 1.16.  It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients.  For a detailed
+description of the certauth interface, see the header file
+``<krb5/certauth_plugin.h>``
+
+A certauth module implements the **authorize** method to determine
+whether a client's certificate is authorized to authenticate a client
+principal.  **authorize** receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5_db_entry (for modules that link against libkdb5).  It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket.  A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+**init** and **fini** methods.  Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from **authorize**, it must also implement the **free_ind** method
+to free the list.
diff --git a/doc/html/_sources/plugindev/index.txt b/doc/html/_sources/plugindev/index.txt
index 3fb921778cb5..5e7834635f42 100644
--- a/doc/html/_sources/plugindev/index.txt
+++ b/doc/html/_sources/plugindev/index.txt
@@ -25,11 +25,14 @@ Contents
    ccselect.rst
    pwqual.rst
    kadm5_hook.rst
+   kadm5_auth.rst
    hostrealm.rst
    localauth.rst
    locate.rst
    profile.rst
    gssapi.rst
    internal.rst
+   certauth.rst
+   kdcpolicy.rst
 
 .. TODO: GSSAPI mechanism plugins
diff --git a/doc/html/_sources/plugindev/kadm5_auth.txt b/doc/html/_sources/plugindev/kadm5_auth.txt
new file mode 100644
index 000000000000..b4839617bd2f
--- /dev/null
+++ b/doc/html/_sources/plugindev/kadm5_auth.txt
@@ -0,0 +1,35 @@
+.. _kadm5_auth_plugin:
+
+kadmin authorization interface (kadm5_auth)
+===========================================
+
+The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations.  For a detailed description of the kadm5_auth
+interface, see the header file ``<krb5/kadm5_auth_plugin.h>``.
+
+A module can create and destroy per-process state objects by
+implementing the **init** and **fini** methods.  State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type.  A
+module should typically cast this to an internal type for the state
+object.
+
+The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation.  Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access.  Access is granted if at least one module
+grants access and no module authoritatively denies access.
+
+The **addprinc** and **modprinc** methods can also impose restrictions
+on the principal operation by returning a ``struct
+kadm5_auth_restrictions`` object.  The module should also implement
+the **free_restrictions** method if it dynamically allocates
+restrictions objects for principal operations.
+
+kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include ``<kadm5/admin.h>`` to gain
+access to the structure definitions for those objects.  As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.
diff --git a/doc/html/_sources/plugindev/kdcpolicy.txt b/doc/html/_sources/plugindev/kdcpolicy.txt
new file mode 100644
index 000000000000..74f21f08fbf4
--- /dev/null
+++ b/doc/html/_sources/plugindev/kdcpolicy.txt
@@ -0,0 +1,24 @@
+.. _kdcpolicy_plugin:
+
+KDC policy interface (kdcpolicy)
+================================
+
+The kdcpolicy interface was first introduced in release 1.16.  It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket.  For a detailed
+description of the kdcpolicy interface, see the header file
+``<krb5/kdcpolicy_plugin.h>``.
+
+The optional **check_as** and **check_tgs** functions allow the module
+to perform access control.  Additionally, a module can create and
+destroy module data with the **init** and **fini** methods.  Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods.  The data has the type
+krb5_kdcpolicy_moddata, which should be cast to the appropriate
+internal type.
+
+kdcpolicy modules can optionally inspect principal entries.  To do
+this, the module must also include ``<kdb.h>`` to gain access to the
+principal entry structure definition.  As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.
diff --git a/doc/html/about.html b/doc/html/about.html
index 7b9f23462bea..d1e3a2e86e87 100644
--- a/doc/html/about.html
+++ b/doc/html/about.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -142,7 +142,7 @@ to maintain.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
index aeab6f19fdba..70300c8e3886 100644
--- a/doc/html/admin/admin_commands/index.html
+++ b/doc/html/admin/admin_commands/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -161,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
index 6efa10e95cbe..6b2b3304c936 100644
--- a/doc/html/admin/admin_commands/k5srvutil.html
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -200,7 +200,7 @@ place.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
index b1e796c3c214..270fc9376f04 100644
--- a/doc/html/admin/admin_commands/kadmin_local.html
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -587,6 +587,12 @@ accepted values.</dd>
 <dd>Enables One Time Passwords (OTP) preauthentication for a client
 <em>principal</em>.  The <em>value</em> is a JSON string representing an array
 of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+<dt><strong>pkinit_cert_match</strong></dt>
+<dd>Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the <strong>pkinit_cert_match</strong>
+option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.  (New in release 1.16.)</dd>
 </dl>
 <p>This command requires the <strong>modify</strong> privilege.</p>
 <p>Alias: <strong>setstr</strong></p>
@@ -958,7 +964,7 @@ interface to the OpenVision Kerberos administration program.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
index 7cf3d38e7726..d30f4cede9e9 100644
--- a/doc/html/admin/admin_commands/kadmind.html
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -253,7 +253,7 @@ to full resync requests when iprop is enabled.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
index 673118aac6b8..b47450502a01 100644
--- a/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -536,7 +536,7 @@ userpolicy
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
index 66fec5262644..87493732a708 100644
--- a/doc/html/admin/admin_commands/kdb5_util.html
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -591,7 +591,7 @@ bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
index 962d316aab40..73939b48421a 100644
--- a/doc/html/admin/admin_commands/kprop.html
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -199,7 +199,7 @@ on the remote host.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
index b8252223a043..163f4ac8cd75 100644
--- a/doc/html/admin/admin_commands/kpropd.html
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -75,6 +75,7 @@
 [<strong>-F</strong> <em>principal_database</em>]
 [<strong>-p</strong> <em>kdb5_util_prog</em>]
 [<strong>-P</strong> <em>port</em>]
+[<strong>&#8211;pid-file</strong>=<em>pid_file</em>]
 [<strong>-d</strong>]
 [<strong>-t</strong>]</p>
 </div>
@@ -149,6 +150,9 @@ is only useful in combination with the <strong>-S</strong> option.</dd>
 <dt><strong>-a</strong> <em>acl_file</em></dt>
 <dd>Allows the user to specify the path to the kpropd.acl file; by
 default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
+<dt><strong>&#8211;pid-file</strong>=<em>pid_file</em></dt>
+<dd>In standalone mode, write the process ID of the daemon into
+<em>pid_file</em>.</dd>
 </dl>
 </div>
 <div class="section" id="environment">
@@ -262,7 +266,7 @@ will allow Kerberos database propagation via <a class="reference internal" href=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
index a961170ccf98..50b7c7e4d35a 100644
--- a/doc/html/admin/admin_commands/kproplog.html
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -225,7 +225,7 @@ output generated for one entry:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
index 22a0c0ca87e4..f39779bf4f0e 100644
--- a/doc/html/admin/admin_commands/krb5kdc.html
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -253,7 +253,7 @@ description for further details.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
index de4700ef9cc1..ba95ebbe71ff 100644
--- a/doc/html/admin/admin_commands/ktutil.html
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -130,7 +130,7 @@ V4 srvtab file.</p>
 <h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
-<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em></div></blockquote>
+<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em> [<strong>-s</strong> <em>salt</em>]</div></blockquote>
 <p>Add <em>principal</em> to keylist using key or password.</p>
 <p>Alias: <strong>addent</strong></p>
 </div>
@@ -268,7 +268,7 @@ ktutil:
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
index 15e622cf0b5d..1e5e1941f991 100644
--- a/doc/html/admin/admin_commands/sserver.html
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -246,7 +246,7 @@ probably not installed in the proper directory.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html
index 223fd15864f6..603f95e2ecd8 100644
--- a/doc/html/admin/advanced/index.html
+++ b/doc/html/admin/advanced/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -143,7 +143,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html
index e74d2b80770a..662067e84ff6 100644
--- a/doc/html/admin/advanced/ldapbackend.html
+++ b/doc/html/admin/advanced/ldapbackend.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -280,7 +280,7 @@ master key stash:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html
index ec846446c12f..8ac29b3dca51 100644
--- a/doc/html/admin/advanced/retiring-des.html
+++ b/doc/html/admin/advanced/retiring-des.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -526,7 +526,7 @@ converted to the new master key.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html
index ef7f37524d9c..09dea1613c52 100644
--- a/doc/html/admin/appl_servers.html
+++ b/doc/html/admin/appl_servers.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -332,7 +332,7 @@ point for learning to configure firewalls.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html
index 0d91bfe5f5cd..25f97cfe94b5 100644
--- a/doc/html/admin/auth_indicator.html
+++ b/doc/html/admin/auth_indicator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -182,7 +182,7 @@ attribute.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html
index c62dfd5b6809..9e005ec8557a 100644
--- a/doc/html/admin/backup_host.html
+++ b/doc/html/admin/backup_host.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -167,7 +167,7 @@ corrupted, you can load the most recent dump onto the master KDC.
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 8b6207cb6a03..2325611706ae 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -159,7 +159,7 @@ KDC database.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 640fc7bc1c9c..05eab8bbae62 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
 sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 </pre></div>
 </div>
-<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
-an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
-<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
-<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
-1).  He has no permissions at all with his null instance,
-<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2).  His <tt class="docutils literal"><span class="pre">root</span></tt> and other
-non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
-inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
-(matches line 3).</p>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting
+keys.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except
+extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance,
+<tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line 1).  He has no
+permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt>
+(matches line 2).  His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null
+instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions
+with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p>
 <p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
 or change the password of their null instance, but not any other
 null instance.  (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
@@ -222,9 +223,20 @@ in the database.  This line is separate from line 4, because list
 permission can only be granted globally, not to specific target
 principals.</p>
 <p>(line 6) Finally, the Service Management System principal
-<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.</p>
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="module-behavior">
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<p>The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.</p>
+<p>To operate without an ACL file, set the <em>acl_file</em> variable in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.</p>
 </div>
 <div class="section" id="see-also">
 <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p>
 <li><a class="reference internal" href="#description">DESCRIPTION</a></li>
 <li><a class="reference internal" href="#syntax">SYNTAX</a></li>
 <li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
 <li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
 </ul>
 </li>
@@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index b81a78f740f7..183e63cd26d8 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -149,9 +149,10 @@ to define one parameter for the ATHENA.MIT.EDU realm:</p>
 <dt><strong>acl_file</strong></dt>
 <dd>(String.)  Location of the access control list file that
 <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
-which permissions on the Kerberos database.  The default value is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.  For more information on Kerberos ACL
-file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+which permissions on the Kerberos database.  To operate without an
+ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span>
+<span class="pre">&quot;&quot;</span></tt>.  The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.  For more
+information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
 <dt><strong>database_module</strong></dt>
 <dd>(String.)  This relation indicates the name of the configuration
 section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
@@ -242,6 +243,10 @@ are not allowed as passwords.  The file should contain one string
 per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.</dd>
+<dt><strong>encrypted_challenge_indicator</strong></dt>
+<dd>(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre-authentication.  New in 1.16.</dd>
 <dt><strong>host_based_services</strong></dt>
 <dd>(Whitespace- or comma-separated list.)  Lists services which will
 get host-based referral processing even if the server principal is
@@ -741,8 +746,6 @@ This option is required if pkinit is to be supported by the KDC.</dd>
 <dd>Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)</dd>
-<dt><strong>pkinit_kdc_ocsp</strong></dt>
-<dd>Specifies the location of the KDC&#8217;s OCSP.</dd>
 <dt><strong>pkinit_pool</strong></dt>
 <dd>Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client&#8217;s
@@ -776,8 +779,8 @@ Encryption types marked as &#8220;weak&#8221; are available for compatibility bu
 not recommended for use.</p>
 <table border="1" class="docutils">
 <colgroup>
-<col width="44%" />
-<col width="56%" />
+<col width="30%" />
+<col width="70%" />
 </colgroup>
 <tbody valign="top">
 <tr class="row-odd"><td>des-cbc-crc</td>
@@ -832,7 +835,7 @@ not recommended for use.</p>
 <td>The triple DES family: des3-cbc-sha1</td>
 </tr>
 <tr class="row-even"><td>aes</td>
-<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td>
+<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td>
 </tr>
 <tr class="row-odd"><td>rc4</td>
 <td>The RC4 family: arcfour-hmac</td>
@@ -1045,7 +1048,7 @@ follows:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index ca50e7ad27f1..70144fa0bde9 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,9 +112,10 @@ includedir DIRNAME
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in &#8221;.conf&#8221; are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.</p>
+1.15, files with names ending in &#8221;.conf&#8221; are also included, unless the
+name begins with &#8221;.&#8221;.  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.</p>
 <p>The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
 following directive at the beginning of a line before any section
@@ -223,7 +224,7 @@ the client should request when making a TGS-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
 commas or whitespace.  See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
 <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
-The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
+The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
 will be implicitly removed from this list if the value of
 <strong>allow_weak_crypto</strong> is false.</p>
 <p class="last">Do not set this unless required for specific backward
@@ -236,7 +237,7 @@ libraries are upgraded.</p>
 the client should request when making an AS-REQ, in order of
 preference from highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
 removed from this list if the value of <strong>allow_weak_crypto</strong> is
 false.</p>
 <p class="last">Do not set this unless required for specific backward
@@ -308,7 +309,7 @@ files in the user&#8217;s home directory, with the filename .k5login.
 For security reasons, .k5login files must be owned by
 the local user or by root.</dd>
 <dt><strong>kcm_mach_service</strong></dt>
-<dd>On OS X only, determines the name of the bootstrap service used to
+<dd>On macOS only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
 daemon.  The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
@@ -379,7 +380,7 @@ used across NATs.  The default value is true.</dd>
 <dt><strong>permitted_enctypes</strong></dt>
 <dd>Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
 removed from this list if the value of <strong>allow_weak_crypto</strong> is
 false.</dd>
 <dt><strong>plugin_base_dir</strong></dt>
@@ -749,6 +750,9 @@ client principal</dd>
 <dt><strong>realm</strong></dt>
 <dd>Uses the service realm to guess an appropriate cache from the
 collection</dd>
+<dt><strong>hostname</strong></dt>
+<dd>If the service principal is host-based, uses the service hostname
+to guess an appropriate cache from the collection</dd>
 </dl>
 </div>
 <div class="section" id="pwqual-interface">
@@ -776,6 +780,23 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.</p>
 </div>
+<div class="section" id="kadm5-auth-interface">
+<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>acl</strong></dt>
+<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes
+operations which are allowed according to the rules in the file.</dd>
+<dt><strong>self</strong></dt>
+<dd>This module authorizes self-service operations including password
+changes, creation of new random keys, fetching the client&#8217;s
+principal record or string attributes, and fetching the policy
+record associated with the client principal.</dd>
+</dl>
+</div>
 <div class="section" id="clpreauth-and-kdcpreauth-interfaces">
 <span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
 <p>The clpreauth and kdcpreauth interfaces allow plugin modules to
@@ -840,6 +861,28 @@ the account&#8217;s <a class="reference internal" href="../../user/user_config/k
 principal name maps to the local account name.</dd>
 </dl>
 </div>
+<div class="section" id="certauth-interface">
+<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>pkinit_san</strong></dt>
+<dd>This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong>
+is set to true for the realm.</dd>
+<dt><strong>pkinit_eku</strong></dt>
+<dd>This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+<strong>pkinit_eku_checking</strong> value for the realm.</dd>
+<dt><strong>dbmatch</strong></dt>
+<dd>This module authorizes or rejects the certificate according to
+whether it matches the <strong>pkinit_cert_match</strong> string attribute on
+the client principal, if that attribute is present.</dd>
+</dl>
+</div>
 </div>
 </div>
 <div class="section" id="pkinit-options">
@@ -1195,9 +1238,11 @@ Valid parameters are:</p>
 <li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
 <li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
 <li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
+<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li>
 <li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
 <li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
 <li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
+<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li>
 </ul>
 </li>
 </ul>
@@ -1275,7 +1320,7 @@ Valid parameters are:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html
index 7cdd64dd2cb4..2a9b830ca2a7 100644
--- a/doc/html/admin/conf_ldap.html
+++ b/doc/html/admin/conf_ldap.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -304,7 +304,7 @@ for initial ticket requests.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html
index dc1cd1971fc9..3b52d123088c 100644
--- a/doc/html/admin/database.html
+++ b/doc/html/admin/database.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -1834,7 +1834,7 @@ config file, and the per-slave dump files are stored in
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html
index 1cee3212704b..56e5b6be0ae2 100644
--- a/doc/html/admin/enctypes.html
+++ b/doc/html/admin/enctypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -321,7 +321,7 @@ single-DES enctypes by default.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html
index 087accf2a729..a5a6c8ae1109 100644
--- a/doc/html/admin/env_variables.html
+++ b/doc/html/admin/env_variables.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -168,7 +168,7 @@ programs).</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html
index 809a2db19269..3c0dbaa87656 100644
--- a/doc/html/admin/host_config.html
+++ b/doc/html/admin/host_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -342,7 +342,7 @@ take over, and the rest of krb5.conf will be ignored.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html
index 4dcdc1b25d44..7429ffb922ee 100644
--- a/doc/html/admin/https.html
+++ b/doc/html/admin/https.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -176,7 +176,7 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class="
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html
index adfb25bb083c..54fffddfba05 100644
--- a/doc/html/admin/index.html
+++ b/doc/html/admin/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -163,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html
index ba51b3e151d9..9c321e46a69f 100644
--- a/doc/html/admin/install.html
+++ b/doc/html/admin/install.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -178,7 +178,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html
index 21a292e941d1..753e53d0f1cb 100644
--- a/doc/html/admin/install_appl_srv.html
+++ b/doc/html/admin/install_appl_srv.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -211,7 +211,7 @@ readable only by root.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html
index a75799d4b763..9c4fabbd0f03 100644
--- a/doc/html/admin/install_clients.html
+++ b/doc/html/admin/install_clients.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -188,7 +188,7 @@ krb5.conf.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html
index ceec8cb320fd..b3984a5ed599 100644
--- a/doc/html/admin/install_kdc.html
+++ b/doc/html/admin/install_kdc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -631,7 +631,7 @@ for details.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
index 96cae8efd487..ad1b66e5458c 100644
--- a/doc/html/admin/lockout.html
+++ b/doc/html/admin/lockout.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -276,7 +276,7 @@ read access, account lockout will not function.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html
index 7c99a4e135d1..4375c3ff6bbb 100644
--- a/doc/html/admin/otp.html
+++ b/doc/html/admin/otp.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -224,7 +224,7 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html
index 60645816cd16..50e073c82f0f 100644
--- a/doc/html/admin/pkinit.html
+++ b/doc/html/admin/pkinit.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -266,6 +266,25 @@ time as follows:</p>
 <div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;add_principal +requires_preauth -nokey YOUR_PRINCNAME&#39;
 </pre></div>
 </div>
+<p>By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+<strong>pkinit_cert_match</strong> string attribute on each client principal entry.
+For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin set_string user@REALM pkinit_cert_match &quot;&lt;SUBJECT&gt;CN=user@REALM$&quot;
+</pre></div>
+</div>
+<p>The <strong>pkinit_cert_match</strong> string attribute follows the syntax used by
+the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>pkinit_cert_match</strong> relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the <strong>pkinit_eku_checking</strong> relation;
+for example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+    pkinit_eku_checking = none
+</pre></div>
+</div>
 </div>
 <div class="section" id="configuring-the-clients">
 <h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
@@ -423,7 +442,7 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html
index b1097c57a0f6..ecf6c969c612 100644
--- a/doc/html/admin/princ_dns.html
+++ b/doc/html/admin/princ_dns.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -238,7 +238,7 @@ krb5-1.10 or later.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html
index c64eeab32de2..2d5ca3ae7918 100644
--- a/doc/html/admin/realm_config.html
+++ b/doc/html/admin/realm_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -245,7 +245,7 @@ to other transport types, or find a master server.  The URI record can
 convey more information about a realm&#8217;s KDCs with a single query.</p>
 <p>The client performs a query for the following URI records:</p>
 <ul class="simple">
-<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for fiding KDCs.</li>
+<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for finding KDCs.</li>
 <li><tt class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></tt> for finding kadmin services.</li>
 <li><tt class="docutils literal"><span class="pre">_kpasswd.REALM</span></tt> for finding password services.</li>
 </ul>
@@ -375,7 +375,7 @@ database to additional slaves.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html
index 85782d4b97f7..96d17b09d369 100644
--- a/doc/html/admin/troubleshoot.html
+++ b/doc/html/admin/troubleshoot.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -249,7 +249,7 @@ location on the slave.</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html
index 23c8e7bb5b66..7dfb6478b4e0 100644
--- a/doc/html/admin/various_envs.html
+++ b/doc/html/admin/various_envs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -165,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/gssapi.html b/doc/html/appdev/gssapi.html
index 51eb7706a1df..3d76d64248cd 100644
--- a/doc/html/appdev/gssapi.html
+++ b/doc/html/appdev/gssapi.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For application developers" href="index.html" />
-    <link rel="next" title="Differences between Heimdal and MIT Kerberos API" href="h5l_mit_apidiff.html" />
+    <link rel="next" title="Year 2038 considerations for uses of krb5_timestamp" href="y2038.html" />
     <link rel="prev" title="For application developers" href="index.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="index.html" title="For application developers"
             accesskey="P">previous</a> |
-        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             accesskey="N">next</a> |
         <a href="../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -334,6 +334,24 @@ intermediate service has the appropriate permissions, the KDC will
 issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.</p>
+<p>If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the <strong>GSS_KRB5_GET_CRED_IMPERSONATOR</strong> OID
+(new in release 1.16, declared in <tt class="docutils literal"><span class="pre">&lt;gssapi/gssapi_krb5.h&gt;</span></tt>) using
+the gss_inquire_cred_by_oid extension (declared in
+<tt class="docutils literal"><span class="pre">&lt;gssapi/gssapi_ext.h&gt;</span></tt>):</p>
+<div class="highlight-python"><div class="highlight"><pre>OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                  const gss_cred_id_t cred_handle,
+                                  gss_OID desired_object,
+                                  gss_buffer_set_t *data_set);
+</pre></div>
+</div>
+<p>If the call succeeds and <em>cred_handle</em> is a proxy credential,
+<em>data_set</em> will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If <em>cred_handle</em>
+is not a proxy credential, <em>data_set</em> will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return <strong>GSS_S_UNAVAILABLE</strong>.</p>
 </div>
 <div class="section" id="aead-message-wrapping">
 <h2>AEAD message wrapping<a class="headerlink" href="#aead-message-wrapping" title="Permalink to this headline">¶</a></h2>
@@ -649,6 +667,7 @@ if (GSS_ERROR(major))
 <li class="toctree-l2 current"><a class="current reference internal" href="">Developing with GSSAPI</a><ul class="simple">
 </ul>
 </li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -681,7 +700,7 @@ if (GSS_ERROR(major))
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -690,7 +709,7 @@ if (GSS_ERROR(major))
             >Contents</a> |
         <a href="index.html" title="For application developers"
             >previous</a> |
-        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             >next</a> |
         <a href="../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/appdev/h5l_mit_apidiff.html b/doc/html/appdev/h5l_mit_apidiff.html
index ace7c9749bb2..a2c475674e8a 100644
--- a/doc/html/appdev/h5l_mit_apidiff.html
+++ b/doc/html/appdev/h5l_mit_apidiff.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -29,7 +29,7 @@
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For application developers" href="index.html" />
     <link rel="next" title="Initial credentials" href="init_creds.html" />
-    <link rel="prev" title="Developing with GSSAPI" href="gssapi.html" /> 
+    <link rel="prev" title="Year 2038 considerations for uses of krb5_timestamp" href="y2038.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -42,7 +42,7 @@
                 
         <a href="../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="gssapi.html" title="Developing with GSSAPI"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             accesskey="P">previous</a> |
         <a href="init_creds.html" title="Initial credentials"
             accesskey="N">next</a> |
@@ -131,6 +131,7 @@ if it wasn&#8217;t explicitly set in the context</td>
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,14 +164,14 @@ if it wasn&#8217;t explicitly set in the context</td>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="gssapi.html" title="Developing with GSSAPI"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             >previous</a> |
         <a href="init_creds.html" title="Initial credentials"
             >next</a> |
diff --git a/doc/html/appdev/index.html b/doc/html/appdev/index.html
index f992c979195c..3c13ae68d7c6 100644
--- a/doc/html/appdev/index.html
+++ b/doc/html/appdev/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -67,6 +67,7 @@
 <div class="toctree-wrapper compound">
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l1"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l1"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l1"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -99,6 +100,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="current reference internal" href="">For application developers</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -131,7 +133,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/init_creds.html b/doc/html/appdev/init_creds.html
index 16278e4565bc..abc80c6f9b9c 100644
--- a/doc/html/appdev/init_creds.html
+++ b/doc/html/appdev/init_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -384,6 +384,7 @@ that the users would access reside on networked servers.</p>
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Initial credentials</a><ul class="simple">
 </ul>
@@ -418,7 +419,7 @@ that the users would access reside on networked servers.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/princ_handle.html b/doc/html/appdev/princ_handle.html
index 21865008b219..afe88645ce76 100644
--- a/doc/html/appdev/princ_handle.html
+++ b/doc/html/appdev/princ_handle.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/index.html b/doc/html/appdev/refs/api/index.html
index 87c65e42c89c..ca61a0c120a9 100644
--- a/doc/html/appdev/refs/api/index.html
+++ b/doc/html/appdev/refs/api/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -442,7 +442,7 @@
 <li class="toctree-l1"><a class="reference internal" href="krb5_524_convert_creds.html">krb5_524_convert_creds -  Convert a Kerberos V5 credentials to a Kerberos V4 credentials.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_getlocalsubkey.html">krb5_auth_con_getlocalsubkey</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_getremotesubkey.html">krb5_auth_con_getremotesubkey</a></li>
-<li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_initivector.html">krb5_auth_con_initivector</a></li>
+<li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_initivector.html">krb5_auth_con_initivector -  Cause an auth context to use cipher state.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_build_principal_va.html">krb5_build_principal_va</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_c_random_seed.html">krb5_c_random_seed</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_calculate_checksum.html">krb5_calculate_checksum</a></li>
@@ -497,6 +497,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -534,7 +535,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_425_conv_principal.html b/doc/html/appdev/refs/api/krb5_425_conv_principal.html
index 8219f9ec89c9..dc8b6b4ccc5d 100644
--- a/doc/html/appdev/refs/api/krb5_425_conv_principal.html
+++ b/doc/html/appdev/refs/api/krb5_425_conv_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_524_conv_principal.html b/doc/html/appdev/refs/api/krb5_524_conv_principal.html
index fd96e8f71ef8..ea1ecf81531a 100644
--- a/doc/html/appdev/refs/api/krb5_524_conv_principal.html
+++ b/doc/html/appdev/refs/api/krb5_524_conv_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_524_convert_creds.html b/doc/html/appdev/refs/api/krb5_524_convert_creds.html
index 0824cda5e558..c8975c429285 100644
--- a/doc/html/appdev/refs/api/krb5_524_convert_creds.html
+++ b/doc/html/appdev/refs/api/krb5_524_convert_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@ int <tt class="descname">krb5_524_convert_creds</tt><big>(</big><a class="refere
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@ int <tt class="descname">krb5_524_convert_creds</tt><big>(</big><a class="refere
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_compare.html b/doc/html/appdev/refs/api/krb5_address_compare.html
index fdb5a3c1d291..c99873eb9b57 100644
--- a/doc/html/appdev/refs/api/krb5_address_compare.html
+++ b/doc/html/appdev/refs/api/krb5_address_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_order.html b/doc/html/appdev/refs/api/krb5_address_order.html
index 0f68b02f872d..af05b7d78f35 100644
--- a/doc/html/appdev/refs/api/krb5_address_order.html
+++ b/doc/html/appdev/refs/api/krb5_address_order.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@ int <tt class="descname">krb5_address_order</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@ int <tt class="descname">krb5_address_order</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_search.html b/doc/html/appdev/refs/api/krb5_address_search.html
index 1a00022b7851..00a95537c27b 100644
--- a/doc/html/appdev/refs/api/krb5_address_search.html
+++ b/doc/html/appdev/refs/api/krb5_address_search.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html b/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
index 1d0d0726d003..adab192b7f36 100644
--- a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
+++ b/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_aname_to_localname.html b/doc/html/appdev/refs/api/krb5_aname_to_localname.html
index 059ff5de1be7..3ecc1e37e3ff 100644
--- a/doc/html/appdev/refs/api/krb5_aname_to_localname.html
+++ b/doc/html/appdev/refs/api/krb5_aname_to_localname.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_anonymous_principal.html b/doc/html/appdev/refs/api/krb5_anonymous_principal.html
index fb0f250dc18a..63ba2ceb2bbf 100644
--- a/doc/html/appdev/refs/api/krb5_anonymous_principal.html
+++ b/doc/html/appdev/refs/api/krb5_anonymous_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_anonymous_realm.html b/doc/html/appdev/refs/api/krb5_anonymous_realm.html
index d3fe823ca3a1..8e9a4e9d8af8 100644
--- a/doc/html/appdev/refs/api/krb5_anonymous_realm.html
+++ b/doc/html/appdev/refs/api/krb5_anonymous_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@ const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" t
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@ const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" t
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html b/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
index 7c2e0efd9da6..3c5d84cfe65f 100644
--- a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
+++ b/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@ void <tt class="descname">krb5_appdefault_boolean</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@ void <tt class="descname">krb5_appdefault_boolean</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_appdefault_string.html b/doc/html/appdev/refs/api/krb5_appdefault_string.html
index 6d929ce78a22..031c300d0149 100644
--- a/doc/html/appdev/refs/api/krb5_appdefault_string.html
+++ b/doc/html/appdev/refs/api/krb5_appdefault_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@ void <tt class="descname">krb5_appdefault_string</tt><big>(</big><a class="refer
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@ void <tt class="descname">krb5_appdefault_string</tt><big>(</big><a class="refer
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_free.html b/doc/html/appdev/refs/api/krb5_auth_con_free.html
index d015145ffa86..21cc3895a6b0 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_free.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
index 2e13f304b6b6..fed42f3e08be 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
index ab20b43e2536..b0b3548c4ab7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
index eddcdcdbed98..a01fa20e611d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html b/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
index 9a06c86fc897..8fb79ab515be 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html b/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
index 556548b3aa4f..f1d11da57899 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
index a1c38f68be9e..ef975b142804 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
index 5eb4d483d427..23a6d05e85b7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
index 274cfb83d8bf..5be866a4f845 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
index 5049ee18b168..ef5a42b8a9c1 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
index 5c2deb7d433f..91c5209614d5 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
index 408624f5fa65..27383ff0b9d9 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
index 80a6d61a2538..65c75e771536 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
index bb8baae2c6ed..e9d18aeef72d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
index c7b13b478b8e..906f23f4028c 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../../../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../../../index.html" />
     <link rel="up" title="krb5 API" href="index.html" />
-    <link rel="next" title="krb5_auth_con_initivector" href="krb5_auth_con_initivector.html" />
+    <link rel="next" title="krb5_auth_con_initivector - Cause an auth context to use cipher state." href="krb5_auth_con_initivector.html" />
     <link rel="prev" title="krb5_auth_con_getlocalsubkey" href="krb5_auth_con_getlocalsubkey.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="krb5_auth_con_getlocalsubkey.html" title="krb5_auth_con_getlocalsubkey"
             accesskey="P">previous</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             accesskey="N">next</a> |
         <a href="../../../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -148,7 +149,7 @@
             >Contents</a> |
         <a href="krb5_auth_con_getlocalsubkey.html" title="krb5_auth_con_getlocalsubkey"
             >previous</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             >next</a> |
         <a href="../../../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
index 2ce5c7d09fc8..61ba4117be14 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
index d570a4f9a3fa..6a8e3cf54e47 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_init.html b/doc/html/appdev/refs/api/krb5_auth_con_init.html
index 66bd08fcbd21..a0f1d9d1e54a 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_init.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html b/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
index 1351d4e71ec6..d986ad4be9b4 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
@@ -6,7 +6,7 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     
-    <title>krb5_auth_con_initivector &mdash; MIT Kerberos Documentation</title>
+    <title>krb5_auth_con_initivector - Cause an auth context to use cipher state. &mdash; MIT Kerberos Documentation</title>
     
     <link rel="stylesheet" href="../../../_static/agogo.css" type="text/css" />
     <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -50,7 +50,7 @@
             accesskey="I">index</a> |
         <a href="../../../search.html" title="Enter search criteria"
             accesskey="S">Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector -  Cause an auth context to use cipher state.">feedback</a>
             </div>
         </div>
     </div>
@@ -63,8 +63,8 @@
         <div class="bodywrapper">
           <div class="body">
             
-  <div class="section" id="krb5-auth-con-initivector">
-<h1>krb5_auth_con_initivector<a class="headerlink" href="#krb5-auth-con-initivector" title="Permalink to this headline">¶</a></h1>
+  <div class="section" id="krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state">
+<h1>krb5_auth_con_initivector -  Cause an auth context to use cipher state.<a class="headerlink" href="#krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state" title="Permalink to this headline">¶</a></h1>
 <dl class="function">
 <dt id="c.krb5_auth_con_initivector">
 <a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_auth_con_initivector</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a><em>&nbsp;auth_context</em><big>)</big><a class="headerlink" href="#c.krb5_auth_con_initivector" title="Permalink to this definition">¶</a></dt>
@@ -74,14 +74,24 @@
 <col class="field-name" />
 <col class="field-body" />
 <tbody valign="top">
-<tr class="field-odd field"><th class="field-name">param:</th><td class="field-body"><p class="first"><strong>context</strong></p>
-<p class="last"><strong>auth_context</strong></p>
+<tr class="field-odd field"><th class="field-name">param:</th><td class="field-body"><p class="first"><strong>[in]</strong> <strong>context</strong> - Library context</p>
+<p class="last"><strong>[in]</strong> <strong>auth_context</strong> - Authentication context</p>
 </td>
 </tr>
 </tbody>
 </table>
-<p>DEPRECATED Not replaced.</p>
-<p>RFC 4120 doesn&#8217;t have anything like the initvector concept; only really old protocols may need this API.</p>
+<table class="docutils field-list" frame="void" rules="none">
+<col class="field-name" />
+<col class="field-body" />
+<tbody valign="top">
+<tr class="field-odd field"><th class="field-name">retval:</th><td class="field-body"><ul class="first last simple">
+<li>0   Success; otherwise - Kerberos error codes</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+<p>Prepare <em>auth_context</em> to use cipher state when <a class="reference internal" href="krb5_mk_priv.html#c.krb5_mk_priv" title="krb5_mk_priv"><tt class="xref c c-func docutils literal"><span class="pre">krb5_mk_priv()</span></tt></a> or <a class="reference internal" href="krb5_rd_priv.html#c.krb5_rd_priv" title="krb5_rd_priv"><tt class="xref c c-func docutils literal"><span class="pre">krb5_rd_priv()</span></tt></a> encrypt or decrypt data.</p>
 </div>
 
 
@@ -92,7 +102,7 @@
         <div class="sidebar">
     <h2>On this page</h2>
     <ul>
-<li><a class="reference internal" href="#">krb5_auth_con_initivector</a></li>
+<li><a class="reference internal" href="#">krb5_auth_con_initivector -  Cause an auth context to use cipher state.</a></li>
 </ul>
 
     <br/>
@@ -102,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -154,7 +165,7 @@
             >index</a> |
         <a href="../../../search.html" title="Enter search criteria"
             >Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector -  Cause an auth context to use cipher state.">feedback</a>
             </div>
         </div>
     </div>
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
index 0f83652ffcb1..3264450016bc 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html b/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
index d36967d41a80..d4749be11a99 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
index 707a2a275ab4..01cc0a37e0dd 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html b/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
index 3e3592cdb59d..141e994753af 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setports.html b/doc/html/appdev/refs/api/krb5_auth_con_setports.html
index 9b798296ebe7..6925b45b79a7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setports.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setports.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
index 3bb93fe53206..77182c63c850 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
index d56418a8f327..430b0df2420e 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
index 381b76c3caaa..d704f27f9863 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
index 3d9197a483d9..0756262eb06d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
index a4d2b58772ad..cdd432773963 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
index 3cefdd403d07..2bbb8f410b73 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal.html b/doc/html/appdev/refs/api/krb5_build_principal.html
index 498fa1cadbae..1ff489f5101a 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html b/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
index 2d66e4443cef..597d6cd87a90 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_ext.html b/doc/html/appdev/refs/api/krb5_build_principal_ext.html
index 09cd14028bf2..fe57ca549a61 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_ext.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_ext.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_va.html b/doc/html/appdev/refs/api/krb5_build_principal_va.html
index 3cc02e3a67ac..61cfb1caa45f 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_va.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_va.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -29,7 +29,7 @@
     <link rel="top" title="MIT Kerberos Documentation" href="../../../index.html" />
     <link rel="up" title="krb5 API" href="index.html" />
     <link rel="next" title="krb5_c_random_seed" href="krb5_c_random_seed.html" />
-    <link rel="prev" title="krb5_auth_con_initivector" href="krb5_auth_con_initivector.html" /> 
+    <link rel="prev" title="krb5_auth_con_initivector - Cause an auth context to use cipher state." href="krb5_auth_con_initivector.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -42,7 +42,7 @@
                 
         <a href="../../../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             accesskey="P">previous</a> |
         <a href="krb5_c_random_seed.html" title="krb5_c_random_seed"
             accesskey="N">next</a> |
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,14 +142,14 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../../../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             >previous</a> |
         <a href="krb5_c_random_seed.html" title="krb5_c_random_seed"
             >next</a> |
diff --git a/doc/html/appdev/refs/api/krb5_c_block_size.html b/doc/html/appdev/refs/api/krb5_c_block_size.html
index b2f8e7ddefc3..7899da3c213d 100644
--- a/doc/html/appdev/refs/api/krb5_c_block_size.html
+++ b/doc/html/appdev/refs/api/krb5_c_block_size.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_checksum_length.html b/doc/html/appdev/refs/api/krb5_c_checksum_length.html
index 6b179a1d7bee..c095d5ea75fe 100644
--- a/doc/html/appdev/refs/api/krb5_c_checksum_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_checksum_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length.html b/doc/html/appdev/refs/api/krb5_c_crypto_length.html
index afd4b0ef9a14..7011c0d98b6f 100644
--- a/doc/html/appdev/refs/api/krb5_c_crypto_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_crypto_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html b/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
index 9f948b39de9f..d271e3bcf59d 100644
--- a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt.html b/doc/html/appdev/refs/api/krb5_c_decrypt.html
index 8337649a6448..0e5d0c94850c 100644
--- a/doc/html/appdev/refs/api/krb5_c_decrypt.html
+++ b/doc/html/appdev/refs/api/krb5_c_decrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
index 66464e2a7403..794dd64adf71 100644
--- a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html b/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
index 408fcb66aef0..0a34bf9f8a22 100644
--- a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
+++ b/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt.html b/doc/html/appdev/refs/api/krb5_c_encrypt.html
index 6a47c3c7e36d..35f90cacc1be 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
index e894538f1ce0..a1cf845800d6 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html b/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
index 96bf8a55dbb7..49df59f9aa1d 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html b/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
index ecfd1b68a799..436e2a0d44d9 100644
--- a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
+++ b/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_free_state.html b/doc/html/appdev/refs/api/krb5_c_free_state.html
index 3560b4e76a4b..a11ef8de0ddb 100644
--- a/doc/html/appdev/refs/api/krb5_c_free_state.html
+++ b/doc/html/appdev/refs/api/krb5_c_free_state.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html b/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
index 0e7fe96947c8..287faade26f5 100644
--- a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
+++ b/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_init_state.html b/doc/html/appdev/refs/api/krb5_c_init_state.html
index c6c96e6c390d..6fc25ecd7a97 100644
--- a/doc/html/appdev/refs/api/krb5_c_init_state.html
+++ b/doc/html/appdev/refs/api/krb5_c_init_state.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html b/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html
index 7601c114ef97..d57afa507dc4 100644
--- a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html
+++ b/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html b/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html
index ba1104437d05..b48f09f4f23c 100644
--- a/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html
+++ b/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html b/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html
index fdfd73141496..f790282647eb 100644
--- a/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html
+++ b/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_keylengths.html b/doc/html/appdev/refs/api/krb5_c_keylengths.html
index dde17047c6d2..d799f0791d52 100644
--- a/doc/html/appdev/refs/api/krb5_c_keylengths.html
+++ b/doc/html/appdev/refs/api/krb5_c_keylengths.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_make_checksum.html b/doc/html/appdev/refs/api/krb5_c_make_checksum.html
index d62321e21ed3..4e4682a967a4 100644
--- a/doc/html/appdev/refs/api/krb5_c_make_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_c_make_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html b/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html
index eb5a004ec7cb..271f81bf94f3 100644
--- a/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_make_random_key.html b/doc/html/appdev/refs/api/krb5_c_make_random_key.html
index 30705401b17c..af029200efe0 100644
--- a/doc/html/appdev/refs/api/krb5_c_make_random_key.html
+++ b/doc/html/appdev/refs/api/krb5_c_make_random_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_padding_length.html b/doc/html/appdev/refs/api/krb5_c_padding_length.html
index 2c28835c3172..4a1f87fef484 100644
--- a/doc/html/appdev/refs/api/krb5_c_padding_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_padding_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_prf.html b/doc/html/appdev/refs/api/krb5_c_prf.html
index a277d4f5019e..9960de9ee7e6 100644
--- a/doc/html/appdev/refs/api/krb5_c_prf.html
+++ b/doc/html/appdev/refs/api/krb5_c_prf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_prf_length.html b/doc/html/appdev/refs/api/krb5_c_prf_length.html
index f8aa66059f1b..14725f020c83 100644
--- a/doc/html/appdev/refs/api/krb5_c_prf_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_prf_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_prfplus.html b/doc/html/appdev/refs/api/krb5_c_prfplus.html
index 0540f422f490..92c208a228e7 100644
--- a/doc/html/appdev/refs/api/krb5_c_prfplus.html
+++ b/doc/html/appdev/refs/api/krb5_c_prfplus.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html b/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html
index 1fa98358d1be..5f89b3108fcb 100644
--- a/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html
+++ b/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_random_make_octets.html b/doc/html/appdev/refs/api/krb5_c_random_make_octets.html
index 178d1c669a95..58699da4e3c2 100644
--- a/doc/html/appdev/refs/api/krb5_c_random_make_octets.html
+++ b/doc/html/appdev/refs/api/krb5_c_random_make_octets.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html b/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html
index 0465e07e7a05..04e4c387017d 100644
--- a/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html
+++ b/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_random_seed.html b/doc/html/appdev/refs/api/krb5_c_random_seed.html
index 7739eac8fe92..c1e2be0e17e6 100644
--- a/doc/html/appdev/refs/api/krb5_c_random_seed.html
+++ b/doc/html/appdev/refs/api/krb5_c_random_seed.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_random_to_key.html b/doc/html/appdev/refs/api/krb5_c_random_to_key.html
index 323ef3e1302b..5640edcd6191 100644
--- a/doc/html/appdev/refs/api/krb5_c_random_to_key.html
+++ b/doc/html/appdev/refs/api/krb5_c_random_to_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_string_to_key.html b/doc/html/appdev/refs/api/krb5_c_string_to_key.html
index d115c6975c56..629271b38d48 100644
--- a/doc/html/appdev/refs/api/krb5_c_string_to_key.html
+++ b/doc/html/appdev/refs/api/krb5_c_string_to_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html b/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html
index 688cd55e56d4..ad9140a5da00 100644
--- a/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html
+++ b/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html b/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html
index 4aa3d8cc2788..f6ed98bdf5f1 100644
--- a/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html
+++ b/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_valid_enctype.html b/doc/html/appdev/refs/api/krb5_c_valid_enctype.html
index 7b29f582e46d..f703f5773d0e 100644
--- a/doc/html/appdev/refs/api/krb5_c_valid_enctype.html
+++ b/doc/html/appdev/refs/api/krb5_c_valid_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_verify_checksum.html b/doc/html/appdev/refs/api/krb5_c_verify_checksum.html
index 0fead60675c5..91311901bab7 100644
--- a/doc/html/appdev/refs/api/krb5_c_verify_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_c_verify_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html b/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html
index cf639d6705a7..3ff8ff7bedd6 100644
--- a/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_calculate_checksum.html b/doc/html/appdev/refs/api/krb5_calculate_checksum.html
index c3cfe65c0ffc..7b9f173754dc 100644
--- a/doc/html/appdev/refs/api/krb5_calculate_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_calculate_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_cache_match.html b/doc/html/appdev/refs/api/krb5_cc_cache_match.html
index 6a50c2a75460..980e721ce889 100644
--- a/doc/html/appdev/refs/api/krb5_cc_cache_match.html
+++ b/doc/html/appdev/refs/api/krb5_cc_cache_match.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_close.html b/doc/html/appdev/refs/api/krb5_cc_close.html
index 3410b6ee8c7b..f65cf3208ee8 100644
--- a/doc/html/appdev/refs/api/krb5_cc_close.html
+++ b/doc/html/appdev/refs/api/krb5_cc_close.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_copy_creds.html b/doc/html/appdev/refs/api/krb5_cc_copy_creds.html
index 0539062ba44e..43baac5d7acf 100644
--- a/doc/html/appdev/refs/api/krb5_cc_copy_creds.html
+++ b/doc/html/appdev/refs/api/krb5_cc_copy_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_default.html b/doc/html/appdev/refs/api/krb5_cc_default.html
index 30cc58e6d5b8..892578a0ac86 100644
--- a/doc/html/appdev/refs/api/krb5_cc_default.html
+++ b/doc/html/appdev/refs/api/krb5_cc_default.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_default_name.html b/doc/html/appdev/refs/api/krb5_cc_default_name.html
index bef9bf1a2c0a..e7c0a3c4010c 100644
--- a/doc/html/appdev/refs/api/krb5_cc_default_name.html
+++ b/doc/html/appdev/refs/api/krb5_cc_default_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@ const char * <tt class="descname">krb5_cc_default_name</tt><big>(</big><a class=
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@ const char * <tt class="descname">krb5_cc_default_name</tt><big>(</big><a class=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_destroy.html b/doc/html/appdev/refs/api/krb5_cc_destroy.html
index 0d77ae374d40..b6e89f6f5087 100644
--- a/doc/html/appdev/refs/api/krb5_cc_destroy.html
+++ b/doc/html/appdev/refs/api/krb5_cc_destroy.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_dup.html b/doc/html/appdev/refs/api/krb5_cc_dup.html
index ad52144a68e0..8e4684e1ef67 100644
--- a/doc/html/appdev/refs/api/krb5_cc_dup.html
+++ b/doc/html/appdev/refs/api/krb5_cc_dup.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html b/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html
index e41f3705e249..09289c3d7e7c 100644
--- a/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html
+++ b/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_gen_new.html b/doc/html/appdev/refs/api/krb5_cc_gen_new.html
index 55a96707b69c..e3e12d592cf3 100644
--- a/doc/html/appdev/refs/api/krb5_cc_gen_new.html
+++ b/doc/html/appdev/refs/api/krb5_cc_gen_new.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_config.html b/doc/html/appdev/refs/api/krb5_cc_get_config.html
index dec8bc290d52..24f1b3b90f1f 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_config.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_flags.html b/doc/html/appdev/refs/api/krb5_cc_get_flags.html
index 584fb88e9dab..44c31f693c56 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_flags.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_full_name.html b/doc/html/appdev/refs/api/krb5_cc_get_full_name.html
index 5e4301d247b1..95dbfcededca 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_full_name.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_full_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_name.html b/doc/html/appdev/refs/api/krb5_cc_get_name.html
index 8e706ee095ae..396f37c4f893 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_name.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@ const char * <tt class="descname">krb5_cc_get_name</tt><big>(</big><a class="ref
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@ const char * <tt class="descname">krb5_cc_get_name</tt><big>(</big><a class="ref
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_principal.html b/doc/html/appdev/refs/api/krb5_cc_get_principal.html
index 88cf9a8e18a0..7ba59234e183 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_principal.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_get_type.html b/doc/html/appdev/refs/api/krb5_cc_get_type.html
index a19e39ba7cd9..35185d2512f7 100644
--- a/doc/html/appdev/refs/api/krb5_cc_get_type.html
+++ b/doc/html/appdev/refs/api/krb5_cc_get_type.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@ const char * <tt class="descname">krb5_cc_get_type</tt><big>(</big><a class="ref
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@ const char * <tt class="descname">krb5_cc_get_type</tt><big>(</big><a class="ref
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_initialize.html b/doc/html/appdev/refs/api/krb5_cc_initialize.html
index c2171117c763..97be2d4a7fe3 100644
--- a/doc/html/appdev/refs/api/krb5_cc_initialize.html
+++ b/doc/html/appdev/refs/api/krb5_cc_initialize.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_last_change_time.html b/doc/html/appdev/refs/api/krb5_cc_last_change_time.html
index 963fedd7340a..5571d6533190 100644
--- a/doc/html/appdev/refs/api/krb5_cc_last_change_time.html
+++ b/doc/html/appdev/refs/api/krb5_cc_last_change_time.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_lock.html b/doc/html/appdev/refs/api/krb5_cc_lock.html
index d602bd7a03f8..53a887218442 100644
--- a/doc/html/appdev/refs/api/krb5_cc_lock.html
+++ b/doc/html/appdev/refs/api/krb5_cc_lock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_move.html b/doc/html/appdev/refs/api/krb5_cc_move.html
index 9b117b56923e..7b9f40b920a9 100644
--- a/doc/html/appdev/refs/api/krb5_cc_move.html
+++ b/doc/html/appdev/refs/api/krb5_cc_move.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_new_unique.html b/doc/html/appdev/refs/api/krb5_cc_new_unique.html
index f4a5739e73b9..6c7ed47dd0d9 100644
--- a/doc/html/appdev/refs/api/krb5_cc_new_unique.html
+++ b/doc/html/appdev/refs/api/krb5_cc_new_unique.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_next_cred.html b/doc/html/appdev/refs/api/krb5_cc_next_cred.html
index d254b8c14912..f64cde3fc503 100644
--- a/doc/html/appdev/refs/api/krb5_cc_next_cred.html
+++ b/doc/html/appdev/refs/api/krb5_cc_next_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_remove_cred.html b/doc/html/appdev/refs/api/krb5_cc_remove_cred.html
index eda9f5db4376..bfdd0be440c8 100644
--- a/doc/html/appdev/refs/api/krb5_cc_remove_cred.html
+++ b/doc/html/appdev/refs/api/krb5_cc_remove_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_resolve.html b/doc/html/appdev/refs/api/krb5_cc_resolve.html
index 8d18210d649a..ae60235cde3e 100644
--- a/doc/html/appdev/refs/api/krb5_cc_resolve.html
+++ b/doc/html/appdev/refs/api/krb5_cc_resolve.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html b/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html
index d8771188ab9f..dd1e1140caea 100644
--- a/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html
+++ b/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -133,6 +133,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -170,7 +171,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_select.html b/doc/html/appdev/refs/api/krb5_cc_select.html
index d4ea80bf92cc..3297d4ddfaf4 100644
--- a/doc/html/appdev/refs/api/krb5_cc_select.html
+++ b/doc/html/appdev/refs/api/krb5_cc_select.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_set_config.html b/doc/html/appdev/refs/api/krb5_cc_set_config.html
index 70a74d22207f..0358fc9eebdb 100644
--- a/doc/html/appdev/refs/api/krb5_cc_set_config.html
+++ b/doc/html/appdev/refs/api/krb5_cc_set_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_set_default_name.html b/doc/html/appdev/refs/api/krb5_cc_set_default_name.html
index fb4831516619..5afeed30dc5d 100644
--- a/doc/html/appdev/refs/api/krb5_cc_set_default_name.html
+++ b/doc/html/appdev/refs/api/krb5_cc_set_default_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_set_flags.html b/doc/html/appdev/refs/api/krb5_cc_set_flags.html
index cc8a3a1f9982..70ed07fb942a 100644
--- a/doc/html/appdev/refs/api/krb5_cc_set_flags.html
+++ b/doc/html/appdev/refs/api/krb5_cc_set_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html b/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html
index fc5b7f9d9892..03d42a097333 100644
--- a/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html
+++ b/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_store_cred.html b/doc/html/appdev/refs/api/krb5_cc_store_cred.html
index 7b7cf365e459..ac3f299246ea 100644
--- a/doc/html/appdev/refs/api/krb5_cc_store_cred.html
+++ b/doc/html/appdev/refs/api/krb5_cc_store_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_support_switch.html b/doc/html/appdev/refs/api/krb5_cc_support_switch.html
index 8ce797e7e915..3fdd7d72f038 100644
--- a/doc/html/appdev/refs/api/krb5_cc_support_switch.html
+++ b/doc/html/appdev/refs/api/krb5_cc_support_switch.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_switch.html b/doc/html/appdev/refs/api/krb5_cc_switch.html
index 8eb19522b2ee..540a2a9fb582 100644
--- a/doc/html/appdev/refs/api/krb5_cc_switch.html
+++ b/doc/html/appdev/refs/api/krb5_cc_switch.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cc_unlock.html b/doc/html/appdev/refs/api/krb5_cc_unlock.html
index 4f0bc69c0d8b..ed0aa46ff44e 100644
--- a/doc/html/appdev/refs/api/krb5_cc_unlock.html
+++ b/doc/html/appdev/refs/api/krb5_cc_unlock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html
index 46e930f2b593..15fe7dfc8754 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html
index d44fe06885f1..942c382db6f4 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html
index b771fc169d13..3b894180513c 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_have_content.html b/doc/html/appdev/refs/api/krb5_cccol_have_content.html
index 2f40efe3e896..02829d1cd285 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_have_content.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_have_content.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html b/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html
index fe554b8565d5..947a79602b63 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_lock.html b/doc/html/appdev/refs/api/krb5_cccol_lock.html
index a1276d947ef1..39a82bbf1ea3 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_lock.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_lock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cccol_unlock.html b/doc/html/appdev/refs/api/krb5_cccol_unlock.html
index 863746319221..fcde8bbd7618 100644
--- a/doc/html/appdev/refs/api/krb5_cccol_unlock.html
+++ b/doc/html/appdev/refs/api/krb5_cccol_unlock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -110,6 +110,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -147,7 +148,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_change_password.html b/doc/html/appdev/refs/api/krb5_change_password.html
index 299721f3daa3..ecd55c5f116f 100644
--- a/doc/html/appdev/refs/api/krb5_change_password.html
+++ b/doc/html/appdev/refs/api/krb5_change_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_check_clockskew.html b/doc/html/appdev/refs/api/krb5_check_clockskew.html
index 3406545cd21d..73073349e0cf 100644
--- a/doc/html/appdev/refs/api/krb5_check_clockskew.html
+++ b/doc/html/appdev/refs/api/krb5_check_clockskew.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_checksum_size.html b/doc/html/appdev/refs/api/krb5_checksum_size.html
index 06552172dfb4..7f9052aee9f4 100644
--- a/doc/html/appdev/refs/api/krb5_checksum_size.html
+++ b/doc/html/appdev/refs/api/krb5_checksum_size.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ size_t <tt class="descname">krb5_checksum_size</tt><big>(</big><a class="referen
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ size_t <tt class="descname">krb5_checksum_size</tt><big>(</big><a class="referen
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_chpw_message.html b/doc/html/appdev/refs/api/krb5_chpw_message.html
index 565f35078bf8..9999e979f0ba 100644
--- a/doc/html/appdev/refs/api/krb5_chpw_message.html
+++ b/doc/html/appdev/refs/api/krb5_chpw_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html b/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html
index ccab40fcd9b5..6a79e0188471 100644
--- a/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html
+++ b/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_clear_error_message.html b/doc/html/appdev/refs/api/krb5_clear_error_message.html
index 09b915c79ed6..23749feca9b5 100644
--- a/doc/html/appdev/refs/api/krb5_clear_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_clear_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@ void <tt class="descname">krb5_clear_error_message</tt><big>(</big><a class="ref
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@ void <tt class="descname">krb5_clear_error_message</tt><big>(</big><a class="ref
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_addresses.html b/doc/html/appdev/refs/api/krb5_copy_addresses.html
index 73c7f4042281..ba18027174de 100644
--- a/doc/html/appdev/refs/api/krb5_copy_addresses.html
+++ b/doc/html/appdev/refs/api/krb5_copy_addresses.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_authdata.html b/doc/html/appdev/refs/api/krb5_copy_authdata.html
index 306c69598983..2db5a9230144 100644
--- a/doc/html/appdev/refs/api/krb5_copy_authdata.html
+++ b/doc/html/appdev/refs/api/krb5_copy_authdata.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_authenticator.html b/doc/html/appdev/refs/api/krb5_copy_authenticator.html
index aee07d9754f4..d700e20b9b33 100644
--- a/doc/html/appdev/refs/api/krb5_copy_authenticator.html
+++ b/doc/html/appdev/refs/api/krb5_copy_authenticator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_checksum.html b/doc/html/appdev/refs/api/krb5_copy_checksum.html
index 6fd75698efbf..f15c0757d756 100644
--- a/doc/html/appdev/refs/api/krb5_copy_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_copy_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_context.html b/doc/html/appdev/refs/api/krb5_copy_context.html
index 855eef72161c..d372583a55dd 100644
--- a/doc/html/appdev/refs/api/krb5_copy_context.html
+++ b/doc/html/appdev/refs/api/krb5_copy_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_creds.html b/doc/html/appdev/refs/api/krb5_copy_creds.html
index e86a16fe7bfb..212da156ef9e 100644
--- a/doc/html/appdev/refs/api/krb5_copy_creds.html
+++ b/doc/html/appdev/refs/api/krb5_copy_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_data.html b/doc/html/appdev/refs/api/krb5_copy_data.html
index 89650a6c2e40..17d17e9e3564 100644
--- a/doc/html/appdev/refs/api/krb5_copy_data.html
+++ b/doc/html/appdev/refs/api/krb5_copy_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_error_message.html b/doc/html/appdev/refs/api/krb5_copy_error_message.html
index 5fa85a56486d..77d157c461ef 100644
--- a/doc/html/appdev/refs/api/krb5_copy_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_copy_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_copy_error_message</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_copy_error_message</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_keyblock.html b/doc/html/appdev/refs/api/krb5_copy_keyblock.html
index 4f0be5526826..80ed2adee413 100644
--- a/doc/html/appdev/refs/api/krb5_copy_keyblock.html
+++ b/doc/html/appdev/refs/api/krb5_copy_keyblock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html b/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html
index ef2b1e3bafa6..a2e802ed826f 100644
--- a/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html
+++ b/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_principal.html b/doc/html/appdev/refs/api/krb5_copy_principal.html
index 4eb81ecf8c2e..43c8412af64d 100644
--- a/doc/html/appdev/refs/api/krb5_copy_principal.html
+++ b/doc/html/appdev/refs/api/krb5_copy_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_copy_ticket.html b/doc/html/appdev/refs/api/krb5_copy_ticket.html
index 4b0336dd0eff..d2277f139e3f 100644
--- a/doc/html/appdev/refs/api/krb5_copy_ticket.html
+++ b/doc/html/appdev/refs/api/krb5_copy_ticket.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_decode_authdata_container.html b/doc/html/appdev/refs/api/krb5_decode_authdata_container.html
index 8139751ad232..070640cd7c37 100644
--- a/doc/html/appdev/refs/api/krb5_decode_authdata_container.html
+++ b/doc/html/appdev/refs/api/krb5_decode_authdata_container.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_decode_ticket.html b/doc/html/appdev/refs/api/krb5_decode_ticket.html
index 847b04286949..71b17d750c88 100644
--- a/doc/html/appdev/refs/api/krb5_decode_ticket.html
+++ b/doc/html/appdev/refs/api/krb5_decode_ticket.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_decrypt.html b/doc/html/appdev/refs/api/krb5_decrypt.html
index bbe1b75e6a96..5ca893200782 100644
--- a/doc/html/appdev/refs/api/krb5_decrypt.html
+++ b/doc/html/appdev/refs/api/krb5_decrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_deltat_to_string.html b/doc/html/appdev/refs/api/krb5_deltat_to_string.html
index 3ad7166e84f3..a9a943f4d32f 100644
--- a/doc/html/appdev/refs/api/krb5_deltat_to_string.html
+++ b/doc/html/appdev/refs/api/krb5_deltat_to_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_eblock_enctype.html b/doc/html/appdev/refs/api/krb5_eblock_enctype.html
index 8d3c2e93b979..d6ef793dd164 100644
--- a/doc/html/appdev/refs/api/krb5_eblock_enctype.html
+++ b/doc/html/appdev/refs/api/krb5_eblock_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_encode_authdata_container.html b/doc/html/appdev/refs/api/krb5_encode_authdata_container.html
index 4398c81e66d6..3759727f061d 100644
--- a/doc/html/appdev/refs/api/krb5_encode_authdata_container.html
+++ b/doc/html/appdev/refs/api/krb5_encode_authdata_container.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_encrypt.html b/doc/html/appdev/refs/api/krb5_encrypt.html
index 4f18d74a1f3f..73f11c158c82 100644
--- a/doc/html/appdev/refs/api/krb5_encrypt.html
+++ b/doc/html/appdev/refs/api/krb5_encrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_encrypt_size.html b/doc/html/appdev/refs/api/krb5_encrypt_size.html
index f1fca07fb363..9dc43975151d 100644
--- a/doc/html/appdev/refs/api/krb5_encrypt_size.html
+++ b/doc/html/appdev/refs/api/krb5_encrypt_size.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ size_t <tt class="descname">krb5_encrypt_size</tt><big>(</big>size_t<em>&nbsp;le
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ size_t <tt class="descname">krb5_encrypt_size</tt><big>(</big>size_t<em>&nbsp;le
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_enctype_to_name.html b/doc/html/appdev/refs/api/krb5_enctype_to_name.html
index 82340ab65622..e58253752633 100644
--- a/doc/html/appdev/refs/api/krb5_enctype_to_name.html
+++ b/doc/html/appdev/refs/api/krb5_enctype_to_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_enctype_to_string.html b/doc/html/appdev/refs/api/krb5_enctype_to_string.html
index ca67cc3e601a..98358f432b73 100644
--- a/doc/html/appdev/refs/api/krb5_enctype_to_string.html
+++ b/doc/html/appdev/refs/api/krb5_enctype_to_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_expand_hostname.html b/doc/html/appdev/refs/api/krb5_expand_hostname.html
index 8fa1b810c909..5adbf6ba116f 100644
--- a/doc/html/appdev/refs/api/krb5_expand_hostname.html
+++ b/doc/html/appdev/refs/api/krb5_expand_hostname.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_find_authdata.html b/doc/html/appdev/refs/api/krb5_find_authdata.html
index 07fbe8385eb9..f85cfc02c280 100644
--- a/doc/html/appdev/refs/api/krb5_find_authdata.html
+++ b/doc/html/appdev/refs/api/krb5_find_authdata.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_finish_key.html b/doc/html/appdev/refs/api/krb5_finish_key.html
index 162fa9653a42..e53fd483d398 100644
--- a/doc/html/appdev/refs/api/krb5_finish_key.html
+++ b/doc/html/appdev/refs/api/krb5_finish_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_finish_random_key.html b/doc/html/appdev/refs/api/krb5_finish_random_key.html
index 06c5d55bd81e..d9638fc5ed44 100644
--- a/doc/html/appdev/refs/api/krb5_finish_random_key.html
+++ b/doc/html/appdev/refs/api/krb5_finish_random_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_addresses.html b/doc/html/appdev/refs/api/krb5_free_addresses.html
index 079adc2bf6db..5fb390f8e93e 100644
--- a/doc/html/appdev/refs/api/krb5_free_addresses.html
+++ b/doc/html/appdev/refs/api/krb5_free_addresses.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@ void <tt class="descname">krb5_free_addresses</tt><big>(</big><a class="referenc
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@ void <tt class="descname">krb5_free_addresses</tt><big>(</big><a class="referenc
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html b/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html
index 88a58b6a5463..0ef6c2906b77 100644
--- a/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html
+++ b/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_ap_rep_enc_part</tt><big>(</big><a class="re
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_ap_rep_enc_part</tt><big>(</big><a class="re
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_authdata.html b/doc/html/appdev/refs/api/krb5_free_authdata.html
index 7b899940c8ed..b7bc980fe455 100644
--- a/doc/html/appdev/refs/api/krb5_free_authdata.html
+++ b/doc/html/appdev/refs/api/krb5_free_authdata.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@ void <tt class="descname">krb5_free_authdata</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@ void <tt class="descname">krb5_free_authdata</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_authenticator.html b/doc/html/appdev/refs/api/krb5_free_authenticator.html
index 819ec0d3cd7c..643533387d9d 100644
--- a/doc/html/appdev/refs/api/krb5_free_authenticator.html
+++ b/doc/html/appdev/refs/api/krb5_free_authenticator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_authenticator</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_authenticator</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_checksum.html b/doc/html/appdev/refs/api/krb5_free_checksum.html
index e0889174a642..03979c9d2175 100644
--- a/doc/html/appdev/refs/api/krb5_free_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_free_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_checksum</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_checksum</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_checksum_contents.html b/doc/html/appdev/refs/api/krb5_free_checksum_contents.html
index b8443181c80a..935ac6667342 100644
--- a/doc/html/appdev/refs/api/krb5_free_checksum_contents.html
+++ b/doc/html/appdev/refs/api/krb5_free_checksum_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_checksum_contents</tt><big>(</big><a class="
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_checksum_contents</tt><big>(</big><a class="
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_cksumtypes.html b/doc/html/appdev/refs/api/krb5_free_cksumtypes.html
index 6426f38ee3b2..17e608d8eb9e 100644
--- a/doc/html/appdev/refs/api/krb5_free_cksumtypes.html
+++ b/doc/html/appdev/refs/api/krb5_free_cksumtypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_free_cksumtypes</tt><big>(</big><a class="referen
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_free_cksumtypes</tt><big>(</big><a class="referen
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_context.html b/doc/html/appdev/refs/api/krb5_free_context.html
index 55b554a08b61..f59f355e0dc8 100644
--- a/doc/html/appdev/refs/api/krb5_free_context.html
+++ b/doc/html/appdev/refs/api/krb5_free_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@ void <tt class="descname">krb5_free_context</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@ void <tt class="descname">krb5_free_context</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_cred_contents.html b/doc/html/appdev/refs/api/krb5_free_cred_contents.html
index 5502b7b78949..d06883be3348 100644
--- a/doc/html/appdev/refs/api/krb5_free_cred_contents.html
+++ b/doc/html/appdev/refs/api/krb5_free_cred_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_cred_contents</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_cred_contents</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_creds.html b/doc/html/appdev/refs/api/krb5_free_creds.html
index 944ce63b4948..fa532ccb2c64 100644
--- a/doc/html/appdev/refs/api/krb5_free_creds.html
+++ b/doc/html/appdev/refs/api/krb5_free_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_creds</tt><big>(</big><a class="reference in
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_creds</tt><big>(</big><a class="reference in
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_data.html b/doc/html/appdev/refs/api/krb5_free_data.html
index dc427eb5c716..99b5f108d8d7 100644
--- a/doc/html/appdev/refs/api/krb5_free_data.html
+++ b/doc/html/appdev/refs/api/krb5_free_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_data</tt><big>(</big><a class="reference int
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_data</tt><big>(</big><a class="reference int
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_data_contents.html b/doc/html/appdev/refs/api/krb5_free_data_contents.html
index ab0442b75f4e..bd07eac52489 100644
--- a/doc/html/appdev/refs/api/krb5_free_data_contents.html
+++ b/doc/html/appdev/refs/api/krb5_free_data_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_data_contents</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_data_contents</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_default_realm.html b/doc/html/appdev/refs/api/krb5_free_default_realm.html
index f2afa5bfa6c9..c07362298379 100644
--- a/doc/html/appdev/refs/api/krb5_free_default_realm.html
+++ b/doc/html/appdev/refs/api/krb5_free_default_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_free_default_realm</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_free_default_realm</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_enctypes.html b/doc/html/appdev/refs/api/krb5_free_enctypes.html
index e7f310aa0393..0ab6a147e61a 100644
--- a/doc/html/appdev/refs/api/krb5_free_enctypes.html
+++ b/doc/html/appdev/refs/api/krb5_free_enctypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_free_enctypes</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_free_enctypes</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_error.html b/doc/html/appdev/refs/api/krb5_free_error.html
index 267aa6951293..45395c927de3 100644
--- a/doc/html/appdev/refs/api/krb5_free_error.html
+++ b/doc/html/appdev/refs/api/krb5_free_error.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_error</tt><big>(</big><a class="reference in
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_error</tt><big>(</big><a class="reference in
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_error_message.html b/doc/html/appdev/refs/api/krb5_free_error_message.html
index cb1a770d9875..d98475c15783 100644
--- a/doc/html/appdev/refs/api/krb5_free_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_free_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_free_error_message</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_free_error_message</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_host_realm.html b/doc/html/appdev/refs/api/krb5_free_host_realm.html
index aff2651e6bb3..78f249a10552 100644
--- a/doc/html/appdev/refs/api/krb5_free_host_realm.html
+++ b/doc/html/appdev/refs/api/krb5_free_host_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_keyblock.html b/doc/html/appdev/refs/api/krb5_free_keyblock.html
index eb945d6401be..0375ea9534b7 100644
--- a/doc/html/appdev/refs/api/krb5_free_keyblock.html
+++ b/doc/html/appdev/refs/api/krb5_free_keyblock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_keyblock</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_keyblock</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html b/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html
index 8757e57e7e21..35d643f019a1 100644
--- a/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html
+++ b/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_keyblock_contents</tt><big>(</big><a class="
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_keyblock_contents</tt><big>(</big><a class="
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html b/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html
index 629ded89d910..eaf8f5769767 100644
--- a/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html
+++ b/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_principal.html b/doc/html/appdev/refs/api/krb5_free_principal.html
index 8f6ee251b964..420bb636041b 100644
--- a/doc/html/appdev/refs/api/krb5_free_principal.html
+++ b/doc/html/appdev/refs/api/krb5_free_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_free_principal</tt><big>(</big><a class="referenc
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_free_principal</tt><big>(</big><a class="referenc
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_string.html b/doc/html/appdev/refs/api/krb5_free_string.html
index ab46d5ef04c2..de3ea2764e8e 100644
--- a/doc/html/appdev/refs/api/krb5_free_string.html
+++ b/doc/html/appdev/refs/api/krb5_free_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_free_string</tt><big>(</big><a class="reference i
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_free_string</tt><big>(</big><a class="reference i
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_tgt_creds.html b/doc/html/appdev/refs/api/krb5_free_tgt_creds.html
index 3afac593365b..6d795ed7b616 100644
--- a/doc/html/appdev/refs/api/krb5_free_tgt_creds.html
+++ b/doc/html/appdev/refs/api/krb5_free_tgt_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_free_tgt_creds</tt><big>(</big><a class="referenc
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_free_tgt_creds</tt><big>(</big><a class="referenc
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_ticket.html b/doc/html/appdev/refs/api/krb5_free_ticket.html
index 06d803a66af3..f556aa15148b 100644
--- a/doc/html/appdev/refs/api/krb5_free_ticket.html
+++ b/doc/html/appdev/refs/api/krb5_free_ticket.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_free_ticket</tt><big>(</big><a class="reference i
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_free_ticket</tt><big>(</big><a class="reference i
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_free_unparsed_name.html b/doc/html/appdev/refs/api/krb5_free_unparsed_name.html
index 7abca06a2692..bd50906536c3 100644
--- a/doc/html/appdev/refs/api/krb5_free_unparsed_name.html
+++ b/doc/html/appdev/refs/api/krb5_free_unparsed_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_free_unparsed_name</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_free_unparsed_name</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html b/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html
index 99533936e6da..a4022d98bd30 100644
--- a/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html
+++ b/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -67,7 +67,7 @@
 <h1>krb5_fwd_tgt_creds -  Get a forwarded TGT and format a KRB-CRED message.<a class="headerlink" href="#krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message" title="Permalink to this headline">¶</a></h1>
 <dl class="function">
 <dt id="c.krb5_fwd_tgt_creds">
-<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_fwd_tgt_creds</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a><em>&nbsp;auth_context</em>, char *<em>&nbsp;rhost</em>, <a class="reference internal" href="../types/krb5_principal.html#c.krb5_principal" title="krb5_principal">krb5_principal</a><em>&nbsp;client</em>, <a class="reference internal" href="../types/krb5_principal.html#c.krb5_principal" title="krb5_principal">krb5_principal</a><em>&nbsp;server</em>, <a class="reference internal" href="../types/krb5_ccache.html#c.krb5_ccache" title="krb5_ccache">krb5_ccache</a><em>&nbsp;cc</em>, int<em>&nbsp;forwardable</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;outbuf</em><big>)</big><a class="headerlink" href="#c.krb5_fwd_tgt_creds" title="Permalink to this definition">¶</a></dt>
+<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_fwd_tgt_creds</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a><em>&nbsp;auth_context</em>, const char *<em>&nbsp;rhost</em>, <a class="reference internal" href="../types/krb5_principal.html#c.krb5_principal" title="krb5_principal">krb5_principal</a><em>&nbsp;client</em>, <a class="reference internal" href="../types/krb5_principal.html#c.krb5_principal" title="krb5_principal">krb5_principal</a><em>&nbsp;server</em>, <a class="reference internal" href="../types/krb5_ccache.html#c.krb5_ccache" title="krb5_ccache">krb5_ccache</a><em>&nbsp;cc</em>, int<em>&nbsp;forwardable</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;outbuf</em><big>)</big><a class="headerlink" href="#c.krb5_fwd_tgt_creds" title="Permalink to this definition">¶</a></dt>
 <dd></dd></dl>
 
 <table class="docutils field-list" frame="void" rules="none">
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_credentials.html b/doc/html/appdev/refs/api/krb5_get_credentials.html
index 789e9790d1a5..b1bc88608c41 100644
--- a/doc/html/appdev/refs/api/krb5_get_credentials.html
+++ b/doc/html/appdev/refs/api/krb5_get_credentials.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -133,6 +133,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -170,7 +171,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_credentials_renew.html b/doc/html/appdev/refs/api/krb5_get_credentials_renew.html
index 84f930c779e8..7cf1ac445030 100644
--- a/doc/html/appdev/refs/api/krb5_get_credentials_renew.html
+++ b/doc/html/appdev/refs/api/krb5_get_credentials_renew.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_credentials_validate.html b/doc/html/appdev/refs/api/krb5_get_credentials_validate.html
index 1029a8f2c45e..2651bb8fa506 100644
--- a/doc/html/appdev/refs/api/krb5_get_credentials_validate.html
+++ b/doc/html/appdev/refs/api/krb5_get_credentials_validate.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_default_realm.html b/doc/html/appdev/refs/api/krb5_get_default_realm.html
index 20895752596b..4e1103f7e781 100644
--- a/doc/html/appdev/refs/api/krb5_get_default_realm.html
+++ b/doc/html/appdev/refs/api/krb5_get_default_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_error_message.html b/doc/html/appdev/refs/api/krb5_get_error_message.html
index 185db688752b..0a34c8067549 100644
--- a/doc/html/appdev/refs/api/krb5_get_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_get_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@ const char * <tt class="descname">krb5_get_error_message</tt><big>(</big><a clas
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@ const char * <tt class="descname">krb5_get_error_message</tt><big>(</big><a clas
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html b/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html
index 9ccec421c4cd..6d86a2c7dc7e 100644
--- a/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html
+++ b/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_host_realm.html b/doc/html/appdev/refs/api/krb5_get_host_realm.html
index 83923973eedc..75c91eb240ca 100644
--- a/doc/html/appdev/refs/api/krb5_get_host_realm.html
+++ b/doc/html/appdev/refs/api/krb5_get_host_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html
index 7bfcce7a2c22..3d79e72e2067 100644
--- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html
+++ b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html
index 6605fff17870..e284f3ef35e6 100644
--- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html
+++ b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html
index b53fb9ebbdcc..b28ce558b9a2 100644
--- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html
+++ b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html b/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html
index 364dbc9fd7d4..38ed85af3543 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
index 967ccde286f8..fe29b00eb110 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html
index 09a91a71648d..5094666be422 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_get_init_creds_opt_free</tt><big>(</big><a class=
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_get_init_creds_opt_free</tt><big>(</big><a class=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html
index cbac972e63da..e85a07ea8595 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html
index a507a993306f..955f6c8a3225 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@ void <tt class="descname">krb5_get_init_creds_opt_init</tt><big>(</big><a class=
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@ void <tt class="descname">krb5_get_init_creds_opt_init</tt><big>(</big><a class=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html
index f22261f8636e..2bd4c17c420c 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_address_list</tt><big>(</b
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_address_list</tt><big>(</b
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html
index 60b80f10f6f6..fb55e7fb6223 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_anonymous</tt><big>(</big>
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_anonymous</tt><big>(</big>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html
index 334ce145a8de..e44e83e91fc2 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_canonicalize</tt><big>(</b
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_canonicalize</tt><big>(</b
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html
index 19cd682b2c96..bc7ce9e0d608 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_change_password_prompt</tt
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_change_password_prompt</tt
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html
index 8a95c01a47cf..defdca9e5688 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_etype_list</tt><big>(</big
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_etype_list</tt><big>(</big
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html
index 62a56035f5a3..b510ff7ec2a6 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html
index 2803db8b095f..5f4a7b5148e8 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html
index 57e1738228b7..26edc4d507e7 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html
index 5756f9e687f9..0d1b6a86cb11 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html
index f1d1207a4a54..8982224b5915 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_forwardable</tt><big>(</bi
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_forwardable</tt><big>(</bi
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html
index a9e2d9559dd6..557d38ba2aca 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html
index e99c18eca03c..23a1643b99ba 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html
index 336cf685ccdd..44ccd0d065f8 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
index 9dc6ab3800f8..59d376e477af 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html
index 9525ab539214..2b16aa3d48be 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_preauth_list</tt><big>(</b
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_preauth_list</tt><big>(</b
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html
index dcda2092babe..a23cea1560a1 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_proxiable</tt><big>(</big>
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_proxiable</tt><big>(</big>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html
index defdfce547c8..f4dbc0261a4a 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_renew_life</tt><big>(</big
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_renew_life</tt><big>(</big
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html
index 47de8c2c2353..a6402995dea6 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html
index bf7825fb4a76..bba3b68898eb 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_salt</tt><big>(</big><a cl
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_salt</tt><big>(</big><a cl
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html
index eec9306b0be1..783eb24c6247 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_tkt_life</tt><big>(</big><
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_get_init_creds_opt_set_tkt_life</tt><big>(</big><
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_password.html b/doc/html/appdev/refs/api/krb5_get_init_creds_password.html
index c46a676254f5..003f919d2534 100644
--- a/doc/html/appdev/refs/api/krb5_get_init_creds_password.html
+++ b/doc/html/appdev/refs/api/krb5_get_init_creds_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -133,6 +133,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -170,7 +171,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html b/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html
index aad743198ed1..fff084504e56 100644
--- a/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html
+++ b/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_profile.html b/doc/html/appdev/refs/api/krb5_get_profile.html
index 07f1426434be..15555a570dc5 100644
--- a/doc/html/appdev/refs/api/krb5_get_profile.html
+++ b/doc/html/appdev/refs/api/krb5_get_profile.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_prompt_types.html b/doc/html/appdev/refs/api/krb5_get_prompt_types.html
index 2991be718438..a8576e18c679 100644
--- a/doc/html/appdev/refs/api/krb5_get_prompt_types.html
+++ b/doc/html/appdev/refs/api/krb5_get_prompt_types.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_renewed_creds.html b/doc/html/appdev/refs/api/krb5_get_renewed_creds.html
index 9396f8077495..78191e3ffd10 100644
--- a/doc/html/appdev/refs/api/krb5_get_renewed_creds.html
+++ b/doc/html/appdev/refs/api/krb5_get_renewed_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_server_rcache.html b/doc/html/appdev/refs/api/krb5_get_server_rcache.html
index 4035f1f167c8..042074cdf5c5 100644
--- a/doc/html/appdev/refs/api/krb5_get_server_rcache.html
+++ b/doc/html/appdev/refs/api/krb5_get_server_rcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_time_offsets.html b/doc/html/appdev/refs/api/krb5_get_time_offsets.html
index c111da3392af..d133dc90f046 100644
--- a/doc/html/appdev/refs/api/krb5_get_time_offsets.html
+++ b/doc/html/appdev/refs/api/krb5_get_time_offsets.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_get_validated_creds.html b/doc/html/appdev/refs/api/krb5_get_validated_creds.html
index 04968f0e53dc..2680a48e2060 100644
--- a/doc/html/appdev/refs/api/krb5_get_validated_creds.html
+++ b/doc/html/appdev/refs/api/krb5_get_validated_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_context.html b/doc/html/appdev/refs/api/krb5_init_context.html
index 6e10a1213002..89b849533b73 100644
--- a/doc/html/appdev/refs/api/krb5_init_context.html
+++ b/doc/html/appdev/refs/api/krb5_init_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_context_profile.html b/doc/html/appdev/refs/api/krb5_init_context_profile.html
index 7ccc0d03e80b..1e1fad41983c 100644
--- a/doc/html/appdev/refs/api/krb5_init_context_profile.html
+++ b/doc/html/appdev/refs/api/krb5_init_context_profile.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_free.html b/doc/html/appdev/refs/api/krb5_init_creds_free.html
index bf2b75ad4ddc..34c8328f32f8 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_free.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -80,6 +80,8 @@ void <tt class="descname">krb5_init_creds_free</tt><big>(</big><a class="referen
 </tr>
 </tbody>
 </table>
+<blockquote>
+<div><em>context</em> must be the same as the one passed to <a class="reference internal" href="krb5_init_creds_init.html#c.krb5_init_creds_init" title="krb5_init_creds_init"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_init()</span></tt></a> for this initial credentials context.</div></blockquote>
 </div>
 
 
@@ -100,6 +102,7 @@ void <tt class="descname">krb5_init_creds_free</tt><big>(</big><a class="referen
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +140,7 @@ void <tt class="descname">krb5_init_creds_free</tt><big>(</big><a class="referen
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get.html b/doc/html/appdev/refs/api/krb5_init_creds_get.html
index 577b47d034a0..5bf396c227e9 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_get.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -92,6 +92,8 @@
 </tbody>
 </table>
 <p>This function synchronously obtains credentials using a context created by <a class="reference internal" href="krb5_init_creds_init.html#c.krb5_init_creds_init" title="krb5_init_creds_init"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_init()</span></tt></a> . On successful return, the credentials can be retrieved with <a class="reference internal" href="krb5_init_creds_get_creds.html#c.krb5_init_creds_get_creds" title="krb5_init_creds_get_creds"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_get_creds()</span></tt></a> .</p>
+<blockquote>
+<div><em>context</em> must be the same as the one passed to <a class="reference internal" href="krb5_init_creds_init.html#c.krb5_init_creds_init" title="krb5_init_creds_init"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_init()</span></tt></a> for this initial credentials context.</div></blockquote>
 </div>
 
 
@@ -112,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html b/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html
index f352d16853f2..c0c5dccebefb 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_error.html b/doc/html/appdev/refs/api/krb5_init_creds_get_error.html
index 6d1676a7f462..e1d0fc3db171 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_get_error.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_get_error.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_times.html b/doc/html/appdev/refs/api/krb5_init_creds_get_times.html
index 9457b40f62c3..9d6110128197 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_get_times.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_get_times.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_init.html b/doc/html/appdev/refs/api/krb5_init_creds_init.html
index bfb1d9277561..77d44f7830d4 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_init.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 </tbody>
 </table>
 <p>This function creates a new context for acquiring initial credentials. Use <a class="reference internal" href="krb5_init_creds_free.html#c.krb5_init_creds_free" title="krb5_init_creds_free"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_free()</span></tt></a> to free <em>ctx</em> when it is no longer needed.</p>
+<p>Any subsequent calls to <a class="reference internal" href="krb5_init_creds_step.html#c.krb5_init_creds_step" title="krb5_init_creds_step"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_step()</span></tt></a> , <a class="reference internal" href="krb5_init_creds_get.html#c.krb5_init_creds_get" title="krb5_init_creds_get"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_get()</span></tt></a> , or <a class="reference internal" href="krb5_init_creds_free.html#c.krb5_init_creds_free" title="krb5_init_creds_free"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_free()</span></tt></a> for this initial credentials context must use the same <em>context</em> argument as the one passed to this function.</p>
 </div>
 
 
@@ -117,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html b/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html
index 2124d858b7b6..2f89b87b5a59 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_password.html b/doc/html/appdev/refs/api/krb5_init_creds_set_password.html
index b6b7044757ef..c7e350fcaf15 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_set_password.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_set_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_service.html b/doc/html/appdev/refs/api/krb5_init_creds_set_service.html
index 0c446fa21622..3b792c5bd6a8 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_set_service.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_set_service.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -92,7 +92,7 @@
 </tr>
 </tbody>
 </table>
-<p>This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. <em>service</em> is parsed as a principal name; any realm part is ignored.</p>
+<p>Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. <em>service</em> is parsed as a principal name; any realm part is ignored.</p>
 </div>
 
 
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_creds_step.html b/doc/html/appdev/refs/api/krb5_init_creds_step.html
index a8b272ca4b8e..f3d4b656f110 100644
--- a/doc/html/appdev/refs/api/krb5_init_creds_step.html
+++ b/doc/html/appdev/refs/api/krb5_init_creds_step.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,8 @@
 <p>This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, <em>in</em> should be set to an empty buffer; on subsequent calls, it should be set to the KDC&#8217;s reply to the previous request.</p>
 <p>If more requests are needed, <em>flags</em> will be set to <a class="reference internal" href="../macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html#KRB5_INIT_CREDS_STEP_FLAG_CONTINUE" title="KRB5_INIT_CREDS_STEP_FLAG_CONTINUE"><tt class="xref py py-data docutils literal"><span class="pre">KRB5_INIT_CREDS_STEP_FLAG_CONTINUE</span></tt></a> and the next request will be placed in <em>out</em> . If no more requests are needed, <em>flags</em> will not contain <a class="reference internal" href="../macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html#KRB5_INIT_CREDS_STEP_FLAG_CONTINUE" title="KRB5_INIT_CREDS_STEP_FLAG_CONTINUE"><tt class="xref py py-data docutils literal"><span class="pre">KRB5_INIT_CREDS_STEP_FLAG_CONTINUE</span></tt></a> and <em>out</em> will be empty.</p>
 <p>If this function returns <strong>KRB5KRB_ERR_RESPONSE_TOO_BIG</strong> , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed.</p>
+<blockquote>
+<div><em>context</em> must be the same as the one passed to <a class="reference internal" href="krb5_init_creds_init.html#c.krb5_init_creds_init" title="krb5_init_creds_init"><tt class="xref c c-func docutils literal"><span class="pre">krb5_init_creds_init()</span></tt></a> for this initial credentials context.</div></blockquote>
 </div>
 
 
@@ -118,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_keyblock.html b/doc/html/appdev/refs/api/krb5_init_keyblock.html
index d3a3c64c7683..8c3d2f8a4c3b 100644
--- a/doc/html/appdev/refs/api/krb5_init_keyblock.html
+++ b/doc/html/appdev/refs/api/krb5_init_keyblock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_random_key.html b/doc/html/appdev/refs/api/krb5_init_random_key.html
index 25799ffd1353..1c85ef5812cb 100644
--- a/doc/html/appdev/refs/api/krb5_init_random_key.html
+++ b/doc/html/appdev/refs/api/krb5_init_random_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_init_secure_context.html b/doc/html/appdev/refs/api/krb5_init_secure_context.html
index 1c304bd3bc7d..6d8a66d78819 100644
--- a/doc/html/appdev/refs/api/krb5_init_secure_context.html
+++ b/doc/html/appdev/refs/api/krb5_init_secure_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_is_config_principal.html b/doc/html/appdev/refs/api/krb5_is_config_principal.html
index e14c6f5d1743..a49ef9eabd6a 100644
--- a/doc/html/appdev/refs/api/krb5_is_config_principal.html
+++ b/doc/html/appdev/refs/api/krb5_is_config_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_is_referral_realm.html b/doc/html/appdev/refs/api/krb5_is_referral_realm.html
index 7188f4dc419e..4df9246ccaa8 100644
--- a/doc/html/appdev/refs/api/krb5_is_referral_realm.html
+++ b/doc/html/appdev/refs/api/krb5_is_referral_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_is_thread_safe.html b/doc/html/appdev/refs/api/krb5_is_thread_safe.html
index ec9377159452..0bcb4059d5fe 100644
--- a/doc/html/appdev/refs/api/krb5_is_thread_safe.html
+++ b/doc/html/appdev/refs/api/krb5_is_thread_safe.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_create_key.html b/doc/html/appdev/refs/api/krb5_k_create_key.html
index cae0b6b215de..fb625d0d9f2b 100644
--- a/doc/html/appdev/refs/api/krb5_k_create_key.html
+++ b/doc/html/appdev/refs/api/krb5_k_create_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_decrypt.html b/doc/html/appdev/refs/api/krb5_k_decrypt.html
index 2d302d876548..53bfbce50f4b 100644
--- a/doc/html/appdev/refs/api/krb5_k_decrypt.html
+++ b/doc/html/appdev/refs/api/krb5_k_decrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html b/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html
index 354cbe3452e9..2c02e7b431b3 100644
--- a/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_encrypt.html b/doc/html/appdev/refs/api/krb5_k_encrypt.html
index c7208d5b86ba..508643a8fa2a 100644
--- a/doc/html/appdev/refs/api/krb5_k_encrypt.html
+++ b/doc/html/appdev/refs/api/krb5_k_encrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html b/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html
index cde769b9e17c..14225e5dff3d 100644
--- a/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_free_key.html b/doc/html/appdev/refs/api/krb5_k_free_key.html
index ae4f157be1d9..d0a9357c8e16 100644
--- a/doc/html/appdev/refs/api/krb5_k_free_key.html
+++ b/doc/html/appdev/refs/api/krb5_k_free_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_k_free_key</tt><big>(</big><a class="reference in
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_k_free_key</tt><big>(</big><a class="reference in
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_key_enctype.html b/doc/html/appdev/refs/api/krb5_k_key_enctype.html
index b65ce06a8137..b17e5b7c9fe4 100644
--- a/doc/html/appdev/refs/api/krb5_k_key_enctype.html
+++ b/doc/html/appdev/refs/api/krb5_k_key_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_key_keyblock.html b/doc/html/appdev/refs/api/krb5_k_key_keyblock.html
index 20f9f191c577..5bbcbcabcd98 100644
--- a/doc/html/appdev/refs/api/krb5_k_key_keyblock.html
+++ b/doc/html/appdev/refs/api/krb5_k_key_keyblock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_make_checksum.html b/doc/html/appdev/refs/api/krb5_k_make_checksum.html
index 52f77308a04f..9fda3cd6c390 100644
--- a/doc/html/appdev/refs/api/krb5_k_make_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_k_make_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html b/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html
index a2f819b4f1c2..476a8bf3b8b8 100644
--- a/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html
+++ b/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_prf.html b/doc/html/appdev/refs/api/krb5_k_prf.html
index 7601398052e7..df5167733de9 100644
--- a/doc/html/appdev/refs/api/krb5_k_prf.html
+++ b/doc/html/appdev/refs/api/krb5_k_prf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_reference_key.html b/doc/html/appdev/refs/api/krb5_k_reference_key.html
index 496f753dbb03..72b69072405a 100644
--- a/doc/html/appdev/refs/api/krb5_k_reference_key.html
+++ b/doc/html/appdev/refs/api/krb5_k_reference_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ void <tt class="descname">krb5_k_reference_key</tt><big>(</big><a class="referen
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ void <tt class="descname">krb5_k_reference_key</tt><big>(</big><a class="referen
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_verify_checksum.html b/doc/html/appdev/refs/api/krb5_k_verify_checksum.html
index 5d3710c78fc3..ae7df5eb71a7 100644
--- a/doc/html/appdev/refs/api/krb5_k_verify_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_k_verify_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html b/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html
index 9802e550aa15..cb655712bff1 100644
--- a/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html
+++ b/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_add_entry.html b/doc/html/appdev/refs/api/krb5_kt_add_entry.html
index 5f6ca8d11543..25819c393b46 100644
--- a/doc/html/appdev/refs/api/krb5_kt_add_entry.html
+++ b/doc/html/appdev/refs/api/krb5_kt_add_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_client_default.html b/doc/html/appdev/refs/api/krb5_kt_client_default.html
index 62418fe05ed5..32a702b53147 100644
--- a/doc/html/appdev/refs/api/krb5_kt_client_default.html
+++ b/doc/html/appdev/refs/api/krb5_kt_client_default.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_close.html b/doc/html/appdev/refs/api/krb5_kt_close.html
index d75f4b610b4a..b1a4682d0c79 100644
--- a/doc/html/appdev/refs/api/krb5_kt_close.html
+++ b/doc/html/appdev/refs/api/krb5_kt_close.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_default.html b/doc/html/appdev/refs/api/krb5_kt_default.html
index ac818a5509df..49f401f55f1f 100644
--- a/doc/html/appdev/refs/api/krb5_kt_default.html
+++ b/doc/html/appdev/refs/api/krb5_kt_default.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_default_name.html b/doc/html/appdev/refs/api/krb5_kt_default_name.html
index 71d516df5f99..cdc9424bfabc 100644
--- a/doc/html/appdev/refs/api/krb5_kt_default_name.html
+++ b/doc/html/appdev/refs/api/krb5_kt_default_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_dup.html b/doc/html/appdev/refs/api/krb5_kt_dup.html
index 94cfbccf405b..0ab990bce9f2 100644
--- a/doc/html/appdev/refs/api/krb5_kt_dup.html
+++ b/doc/html/appdev/refs/api/krb5_kt_dup.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html b/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html
index fe830068ea39..5554efa3cda8 100644
--- a/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html
+++ b/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_free_entry.html b/doc/html/appdev/refs/api/krb5_kt_free_entry.html
index 5792e3a6ed1c..f88efa55d2dd 100644
--- a/doc/html/appdev/refs/api/krb5_kt_free_entry.html
+++ b/doc/html/appdev/refs/api/krb5_kt_free_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_get_entry.html b/doc/html/appdev/refs/api/krb5_kt_get_entry.html
index a29513b3b808..7fbb3f1e07f3 100644
--- a/doc/html/appdev/refs/api/krb5_kt_get_entry.html
+++ b/doc/html/appdev/refs/api/krb5_kt_get_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_get_name.html b/doc/html/appdev/refs/api/krb5_kt_get_name.html
index 55f68749f6c4..80ccd31b07d4 100644
--- a/doc/html/appdev/refs/api/krb5_kt_get_name.html
+++ b/doc/html/appdev/refs/api/krb5_kt_get_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_get_type.html b/doc/html/appdev/refs/api/krb5_kt_get_type.html
index 32968f6aaaaa..5f53f9cb74c3 100644
--- a/doc/html/appdev/refs/api/krb5_kt_get_type.html
+++ b/doc/html/appdev/refs/api/krb5_kt_get_type.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@ const char * <tt class="descname">krb5_kt_get_type</tt><big>(</big><a class="ref
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@ const char * <tt class="descname">krb5_kt_get_type</tt><big>(</big><a class="ref
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_have_content.html b/doc/html/appdev/refs/api/krb5_kt_have_content.html
index 7d493b0320b5..0653fe0c10f0 100644
--- a/doc/html/appdev/refs/api/krb5_kt_have_content.html
+++ b/doc/html/appdev/refs/api/krb5_kt_have_content.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_next_entry.html b/doc/html/appdev/refs/api/krb5_kt_next_entry.html
index ee0e30c86cf6..c174265f2252 100644
--- a/doc/html/appdev/refs/api/krb5_kt_next_entry.html
+++ b/doc/html/appdev/refs/api/krb5_kt_next_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_read_service_key.html b/doc/html/appdev/refs/api/krb5_kt_read_service_key.html
index 00780d5987f0..f22d42694aac 100644
--- a/doc/html/appdev/refs/api/krb5_kt_read_service_key.html
+++ b/doc/html/appdev/refs/api/krb5_kt_read_service_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_remove_entry.html b/doc/html/appdev/refs/api/krb5_kt_remove_entry.html
index 636a1bed41c5..63040d741da8 100644
--- a/doc/html/appdev/refs/api/krb5_kt_remove_entry.html
+++ b/doc/html/appdev/refs/api/krb5_kt_remove_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_resolve.html b/doc/html/appdev/refs/api/krb5_kt_resolve.html
index a74a82749057..caa58d8b6577 100644
--- a/doc/html/appdev/refs/api/krb5_kt_resolve.html
+++ b/doc/html/appdev/refs/api/krb5_kt_resolve.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html b/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html
index 3f8924f192dc..2a9432323342 100644
--- a/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html
+++ b/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_kuserok.html b/doc/html/appdev/refs/api/krb5_kuserok.html
index 9ec904499ab8..d4de339ea9b4 100644
--- a/doc/html/appdev/refs/api/krb5_kuserok.html
+++ b/doc/html/appdev/refs/api/krb5_kuserok.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html b/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html
index 565f6a10049a..b4ee2febb6aa 100644
--- a/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html
+++ b/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_merge_authdata.html b/doc/html/appdev/refs/api/krb5_merge_authdata.html
index 8fcd1fdc307e..566391669528 100644
--- a/doc/html/appdev/refs/api/krb5_merge_authdata.html
+++ b/doc/html/appdev/refs/api/krb5_merge_authdata.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_1cred.html b/doc/html/appdev/refs/api/krb5_mk_1cred.html
index 6c57213aea1b..0c4917ef0699 100644
--- a/doc/html/appdev/refs/api/krb5_mk_1cred.html
+++ b/doc/html/appdev/refs/api/krb5_mk_1cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_error.html b/doc/html/appdev/refs/api/krb5_mk_error.html
index cb1e1e9b0e4f..8a8213521ac1 100644
--- a/doc/html/appdev/refs/api/krb5_mk_error.html
+++ b/doc/html/appdev/refs/api/krb5_mk_error.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_ncred.html b/doc/html/appdev/refs/api/krb5_mk_ncred.html
index cfe00a919648..b2011a3c6003 100644
--- a/doc/html/appdev/refs/api/krb5_mk_ncred.html
+++ b/doc/html/appdev/refs/api/krb5_mk_ncred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_priv.html b/doc/html/appdev/refs/api/krb5_mk_priv.html
index 15ed1aed99e8..43b7cb7fdb6e 100644
--- a/doc/html/appdev/refs/api/krb5_mk_priv.html
+++ b/doc/html/appdev/refs/api/krb5_mk_priv.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -129,6 +129,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -166,7 +167,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_rep.html b/doc/html/appdev/refs/api/krb5_mk_rep.html
index 2231cadfe16b..9994e66dac9c 100644
--- a/doc/html/appdev/refs/api/krb5_mk_rep.html
+++ b/doc/html/appdev/refs/api/krb5_mk_rep.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_rep_dce.html b/doc/html/appdev/refs/api/krb5_mk_rep_dce.html
index 0dbe86722d2d..376b36169c28 100644
--- a/doc/html/appdev/refs/api/krb5_mk_rep_dce.html
+++ b/doc/html/appdev/refs/api/krb5_mk_rep_dce.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_req.html b/doc/html/appdev/refs/api/krb5_mk_req.html
index 50440080351f..8b30204dc2bd 100644
--- a/doc/html/appdev/refs/api/krb5_mk_req.html
+++ b/doc/html/appdev/refs/api/krb5_mk_req.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -67,7 +67,7 @@
 <h1>krb5_mk_req -  Create a KRB_AP_REQ message.<a class="headerlink" href="#krb5-mk-req-create-a-krb-ap-req-message" title="Permalink to this headline">¶</a></h1>
 <dl class="function">
 <dt id="c.krb5_mk_req">
-<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_mk_req</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a> *<em>&nbsp;auth_context</em>, <a class="reference internal" href="../types/krb5_flags.html#c.krb5_flags" title="krb5_flags">krb5_flags</a><em>&nbsp;ap_req_options</em>, char *<em>&nbsp;service</em>, char *<em>&nbsp;hostname</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;in_data</em>, <a class="reference internal" href="../types/krb5_ccache.html#c.krb5_ccache" title="krb5_ccache">krb5_ccache</a><em>&nbsp;ccache</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;outbuf</em><big>)</big><a class="headerlink" href="#c.krb5_mk_req" title="Permalink to this definition">¶</a></dt>
+<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_mk_req</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a> *<em>&nbsp;auth_context</em>, <a class="reference internal" href="../types/krb5_flags.html#c.krb5_flags" title="krb5_flags">krb5_flags</a><em>&nbsp;ap_req_options</em>, const char *<em>&nbsp;service</em>, const char *<em>&nbsp;hostname</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;in_data</em>, <a class="reference internal" href="../types/krb5_ccache.html#c.krb5_ccache" title="krb5_ccache">krb5_ccache</a><em>&nbsp;ccache</em>, <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *<em>&nbsp;outbuf</em><big>)</big><a class="headerlink" href="#c.krb5_mk_req" title="Permalink to this definition">¶</a></dt>
 <dd></dd></dl>
 
 <table class="docutils field-list" frame="void" rules="none">
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_req_extended.html b/doc/html/appdev/refs/api/krb5_mk_req_extended.html
index 2c10dd820de0..e77bd6712e74 100644
--- a/doc/html/appdev/refs/api/krb5_mk_req_extended.html
+++ b/doc/html/appdev/refs/api/krb5_mk_req_extended.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -131,6 +131,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -168,7 +169,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_mk_safe.html b/doc/html/appdev/refs/api/krb5_mk_safe.html
index ec95d7345419..52a3f3c83852 100644
--- a/doc/html/appdev/refs/api/krb5_mk_safe.html
+++ b/doc/html/appdev/refs/api/krb5_mk_safe.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_os_localaddr.html b/doc/html/appdev/refs/api/krb5_os_localaddr.html
index e7c0627cd716..f70d6a684442 100644
--- a/doc/html/appdev/refs/api/krb5_os_localaddr.html
+++ b/doc/html/appdev/refs/api/krb5_os_localaddr.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_add_buffer.html b/doc/html/appdev/refs/api/krb5_pac_add_buffer.html
index ddc059a35469..0459278405f7 100644
--- a/doc/html/appdev/refs/api/krb5_pac_add_buffer.html
+++ b/doc/html/appdev/refs/api/krb5_pac_add_buffer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_free.html b/doc/html/appdev/refs/api/krb5_pac_free.html
index 2685f25d38bf..1c26677f4e2f 100644
--- a/doc/html/appdev/refs/api/krb5_pac_free.html
+++ b/doc/html/appdev/refs/api/krb5_pac_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_pac_free</tt><big>(</big><a class="reference inte
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_pac_free</tt><big>(</big><a class="reference inte
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_get_buffer.html b/doc/html/appdev/refs/api/krb5_pac_get_buffer.html
index 997e0f9a5cc1..accdc31c266b 100644
--- a/doc/html/appdev/refs/api/krb5_pac_get_buffer.html
+++ b/doc/html/appdev/refs/api/krb5_pac_get_buffer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_get_types.html b/doc/html/appdev/refs/api/krb5_pac_get_types.html
index a1e4d99ca5b0..25b68c366201 100644
--- a/doc/html/appdev/refs/api/krb5_pac_get_types.html
+++ b/doc/html/appdev/refs/api/krb5_pac_get_types.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_init.html b/doc/html/appdev/refs/api/krb5_pac_init.html
index 3096149d5ab2..a62d0c9e5f5f 100644
--- a/doc/html/appdev/refs/api/krb5_pac_init.html
+++ b/doc/html/appdev/refs/api/krb5_pac_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_parse.html b/doc/html/appdev/refs/api/krb5_pac_parse.html
index e941c2405f0c..f40ef3f113aa 100644
--- a/doc/html/appdev/refs/api/krb5_pac_parse.html
+++ b/doc/html/appdev/refs/api/krb5_pac_parse.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_sign.html b/doc/html/appdev/refs/api/krb5_pac_sign.html
index 93252d6aafc9..83be7ea276e3 100644
--- a/doc/html/appdev/refs/api/krb5_pac_sign.html
+++ b/doc/html/appdev/refs/api/krb5_pac_sign.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -110,6 +110,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -147,7 +148,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_pac_verify.html b/doc/html/appdev/refs/api/krb5_pac_verify.html
index 4527158c6a85..6fc684237a93 100644
--- a/doc/html/appdev/refs/api/krb5_pac_verify.html
+++ b/doc/html/appdev/refs/api/krb5_pac_verify.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,7 +99,7 @@
 <p>If successful, <em>pac</em> is marked as verified.</p>
 <div class="admonition note">
 <p class="first admonition-title">Note</p>
-<p class="last">A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.</p>
+<p class="last">A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.</p>
 </div>
 </div>
 
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_parse_name.html b/doc/html/appdev/refs/api/krb5_parse_name.html
index c63021e0dce4..e52e3e3b645d 100644
--- a/doc/html/appdev/refs/api/krb5_parse_name.html
+++ b/doc/html/appdev/refs/api/krb5_parse_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_parse_name_flags.html b/doc/html/appdev/refs/api/krb5_parse_name_flags.html
index ce8525dea18a..84d54dce5d9a 100644
--- a/doc/html/appdev/refs/api/krb5_parse_name_flags.html
+++ b/doc/html/appdev/refs/api/krb5_parse_name_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -132,6 +132,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -169,7 +170,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_prepend_error_message.html b/doc/html/appdev/refs/api/krb5_prepend_error_message.html
index 6a86b6912123..0fd5f14b67d0 100644
--- a/doc/html/appdev/refs/api/krb5_prepend_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_prepend_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@ void <tt class="descname">krb5_prepend_error_message</tt><big>(</big><a class="r
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@ void <tt class="descname">krb5_prepend_error_message</tt><big>(</big><a class="r
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_principal2salt.html b/doc/html/appdev/refs/api/krb5_principal2salt.html
index 65a2b20d2802..4b4e7686575c 100644
--- a/doc/html/appdev/refs/api/krb5_principal2salt.html
+++ b/doc/html/appdev/refs/api/krb5_principal2salt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_principal_compare.html b/doc/html/appdev/refs/api/krb5_principal_compare.html
index 0ebc62ca272f..1ce019885fab 100644
--- a/doc/html/appdev/refs/api/krb5_principal_compare.html
+++ b/doc/html/appdev/refs/api/krb5_principal_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html b/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html
index d54ac18d9adf..d2967dade00b 100644
--- a/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html
+++ b/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_principal_compare_flags.html b/doc/html/appdev/refs/api/krb5_principal_compare_flags.html
index bc65d9c4a2c8..2ce27b5cac7d 100644
--- a/doc/html/appdev/refs/api/krb5_principal_compare_flags.html
+++ b/doc/html/appdev/refs/api/krb5_principal_compare_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_process_key.html b/doc/html/appdev/refs/api/krb5_process_key.html
index d0432c883bec..e8c85dcc80c2 100644
--- a/doc/html/appdev/refs/api/krb5_process_key.html
+++ b/doc/html/appdev/refs/api/krb5_process_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_prompter_posix.html b/doc/html/appdev/refs/api/krb5_prompter_posix.html
index 9955867df4ce..ebe56ddc9436 100644
--- a/doc/html/appdev/refs/api/krb5_prompter_posix.html
+++ b/doc/html/appdev/refs/api/krb5_prompter_posix.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_random_key.html b/doc/html/appdev/refs/api/krb5_random_key.html
index 24ce9570e990..9dc045ff6cbb 100644
--- a/doc/html/appdev/refs/api/krb5_random_key.html
+++ b/doc/html/appdev/refs/api/krb5_random_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_cred.html b/doc/html/appdev/refs/api/krb5_rd_cred.html
index 597f94422c71..c2835e30b52c 100644
--- a/doc/html/appdev/refs/api/krb5_rd_cred.html
+++ b/doc/html/appdev/refs/api/krb5_rd_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_error.html b/doc/html/appdev/refs/api/krb5_rd_error.html
index e5159a883eb6..45f0b60aa484 100644
--- a/doc/html/appdev/refs/api/krb5_rd_error.html
+++ b/doc/html/appdev/refs/api/krb5_rd_error.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_priv.html b/doc/html/appdev/refs/api/krb5_rd_priv.html
index 4dee9c710965..9e5fe2594802 100644
--- a/doc/html/appdev/refs/api/krb5_rd_priv.html
+++ b/doc/html/appdev/refs/api/krb5_rd_priv.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -128,6 +128,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -165,7 +166,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_rep.html b/doc/html/appdev/refs/api/krb5_rd_rep.html
index 95effbe77503..c46392c265e9 100644
--- a/doc/html/appdev/refs/api/krb5_rd_rep.html
+++ b/doc/html/appdev/refs/api/krb5_rd_rep.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,6 +115,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -152,7 +153,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_rep_dce.html b/doc/html/appdev/refs/api/krb5_rd_rep_dce.html
index 332aa1935abe..27ebbd7e29f5 100644
--- a/doc/html/appdev/refs/api/krb5_rd_rep_dce.html
+++ b/doc/html/appdev/refs/api/krb5_rd_rep_dce.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_req.html b/doc/html/appdev/refs/api/krb5_rd_req.html
index 906727ad5313..26842142f685 100644
--- a/doc/html/appdev/refs/api/krb5_rd_req.html
+++ b/doc/html/appdev/refs/api/krb5_rd_req.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -132,6 +132,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -169,7 +170,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_rd_safe.html b/doc/html/appdev/refs/api/krb5_rd_safe.html
index 958213f9e9fc..ed4a6f0a7b9d 100644
--- a/doc/html/appdev/refs/api/krb5_rd_safe.html
+++ b/doc/html/appdev/refs/api/krb5_rd_safe.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -131,6 +131,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -168,7 +169,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_read_password.html b/doc/html/appdev/refs/api/krb5_read_password.html
index a2fb760065cd..8e9ab9cbb8ee 100644
--- a/doc/html/appdev/refs/api/krb5_read_password.html
+++ b/doc/html/appdev/refs/api/krb5_read_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,6 +124,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -161,7 +162,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_realm_compare.html b/doc/html/appdev/refs/api/krb5_realm_compare.html
index 792f7a00a49e..a4a04e2147b7 100644
--- a/doc/html/appdev/refs/api/krb5_realm_compare.html
+++ b/doc/html/appdev/refs/api/krb5_realm_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_recvauth.html b/doc/html/appdev/refs/api/krb5_recvauth.html
index d28f846f0e13..9d53f118d9a2 100644
--- a/doc/html/appdev/refs/api/krb5_recvauth.html
+++ b/doc/html/appdev/refs/api/krb5_recvauth.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_recvauth_version.html b/doc/html/appdev/refs/api/krb5_recvauth_version.html
index de0eddd294c5..dae96e426544 100644
--- a/doc/html/appdev/refs/api/krb5_recvauth_version.html
+++ b/doc/html/appdev/refs/api/krb5_recvauth_version.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_get_challenge.html
index 75d8cfa9cda0..b277a76e1fbf 100644
--- a/doc/html/appdev/refs/api/krb5_responder_get_challenge.html
+++ b/doc/html/appdev/refs/api/krb5_responder_get_challenge.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@ const char * <tt class="descname">krb5_responder_get_challenge</tt><big>(</big><
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@ const char * <tt class="descname">krb5_responder_get_challenge</tt><big>(</big><
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_list_questions.html b/doc/html/appdev/refs/api/krb5_responder_list_questions.html
index b7628f1b1981..050fe8fadb6b 100644
--- a/doc/html/appdev/refs/api/krb5_responder_list_questions.html
+++ b/doc/html/appdev/refs/api/krb5_responder_list_questions.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@ const char *const * <tt class="descname">krb5_responder_list_questions</tt><big>
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@ const char *const * <tt class="descname">krb5_responder_list_questions</tt><big>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html b/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html
index a4676ae74243..45c9cca5f8c5 100644
--- a/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html
+++ b/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@ void <tt class="descname">krb5_responder_otp_challenge_free</tt><big>(</big><a c
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@ void <tt class="descname">krb5_responder_otp_challenge_free</tt><big>(</big><a c
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html
index 9927e640f220..691caa61a981 100644
--- a/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html
+++ b/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html
index d449e7ed64db..001f1df6809b 100644
--- a/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html
+++ b/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html
index 96b0bb7cf179..f1a54b7fe106 100644
--- a/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html
+++ b/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -105,6 +105,7 @@ void <tt class="descname">krb5_responder_pkinit_challenge_free</tt><big>(</big><
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -142,7 +143,7 @@ void <tt class="descname">krb5_responder_pkinit_challenge_free</tt><big>(</big><
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html
index f75e1640e269..e98302c91834 100644
--- a/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html
+++ b/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html
index c2d082fea73f..ac968f9ffd2e 100644
--- a/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html
+++ b/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_responder_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_set_answer.html
index f245604f2092..81de61ec62c8 100644
--- a/doc/html/appdev/refs/api/krb5_responder_set_answer.html
+++ b/doc/html/appdev/refs/api/krb5_responder_set_answer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_salttype_to_string.html b/doc/html/appdev/refs/api/krb5_salttype_to_string.html
index 0c0de40511d8..ea86c1d625a9 100644
--- a/doc/html/appdev/refs/api/krb5_salttype_to_string.html
+++ b/doc/html/appdev/refs/api/krb5_salttype_to_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_sendauth.html b/doc/html/appdev/refs/api/krb5_sendauth.html
index 6d85afd4d272..ec271b9c379a 100644
--- a/doc/html/appdev/refs/api/krb5_sendauth.html
+++ b/doc/html/appdev/refs/api/krb5_sendauth.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -139,6 +139,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -176,7 +177,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html b/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html
index 4dc4d5806c81..a739254d7ec6 100644
--- a/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html
+++ b/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_default_realm.html b/doc/html/appdev/refs/api/krb5_set_default_realm.html
index c70f562e4872..bf75f5409810 100644
--- a/doc/html/appdev/refs/api/krb5_set_default_realm.html
+++ b/doc/html/appdev/refs/api/krb5_set_default_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html b/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html
index fbf2004bc774..270f777a9e49 100644
--- a/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html
+++ b/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_error_message.html b/doc/html/appdev/refs/api/krb5_set_error_message.html
index 392897558171..267e0d42f859 100644
--- a/doc/html/appdev/refs/api/krb5_set_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_set_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@ void <tt class="descname">krb5_set_error_message</tt><big>(</big><a class="refer
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@ void <tt class="descname">krb5_set_error_message</tt><big>(</big><a class="refer
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html b/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html
index 49180ef1c6c9..63c36cccf379 100644
--- a/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html
+++ b/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@ void <tt class="descname">krb5_set_kdc_recv_hook</tt><big>(</big><a class="refer
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@ void <tt class="descname">krb5_set_kdc_recv_hook</tt><big>(</big><a class="refer
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html b/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html
index 3884a426a085..e2e7287e22cf 100644
--- a/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html
+++ b/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@ void <tt class="descname">krb5_set_kdc_send_hook</tt><big>(</big><a class="refer
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@ void <tt class="descname">krb5_set_kdc_send_hook</tt><big>(</big><a class="refer
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_password.html b/doc/html/appdev/refs/api/krb5_set_password.html
index 475bc2fbfda1..3e1f4293989a 100644
--- a/doc/html/appdev/refs/api/krb5_set_password.html
+++ b/doc/html/appdev/refs/api/krb5_set_password.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html b/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html
index 0ac2a5deaaeb..2ac7a01414b0 100644
--- a/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html
+++ b/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_principal_realm.html b/doc/html/appdev/refs/api/krb5_set_principal_realm.html
index a0fd88e87a9c..06a101c5574e 100644
--- a/doc/html/appdev/refs/api/krb5_set_principal_realm.html
+++ b/doc/html/appdev/refs/api/krb5_set_principal_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_real_time.html b/doc/html/appdev/refs/api/krb5_set_real_time.html
index a01d6c9ca360..56c06aaa8677 100644
--- a/doc/html/appdev/refs/api/krb5_set_real_time.html
+++ b/doc/html/appdev/refs/api/krb5_set_real_time.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_trace_callback.html b/doc/html/appdev/refs/api/krb5_set_trace_callback.html
index 8f794f4cd2f7..2cc4af920487 100644
--- a/doc/html/appdev/refs/api/krb5_set_trace_callback.html
+++ b/doc/html/appdev/refs/api/krb5_set_trace_callback.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_set_trace_filename.html b/doc/html/appdev/refs/api/krb5_set_trace_filename.html
index 8902552a23e5..afabc95f3b3a 100644
--- a/doc/html/appdev/refs/api/krb5_set_trace_filename.html
+++ b/doc/html/appdev/refs/api/krb5_set_trace_filename.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_sname_match.html b/doc/html/appdev/refs/api/krb5_sname_match.html
index f08d00f6d810..3534a39b2549 100644
--- a/doc/html/appdev/refs/api/krb5_sname_match.html
+++ b/doc/html/appdev/refs/api/krb5_sname_match.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_sname_to_principal.html b/doc/html/appdev/refs/api/krb5_sname_to_principal.html
index f3d0fd021749..6c827bdf3735 100644
--- a/doc/html/appdev/refs/api/krb5_sname_to_principal.html
+++ b/doc/html/appdev/refs/api/krb5_sname_to_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -130,6 +130,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -167,7 +168,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html b/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html
index 7566beb3d457..5f4012cb36d1 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_deltat.html b/doc/html/appdev/refs/api/krb5_string_to_deltat.html
index 7c70b02adc37..7c9995347108 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_deltat.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_deltat.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_enctype.html b/doc/html/appdev/refs/api/krb5_string_to_enctype.html
index ee660f54ac70..5caf826eb5c5 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_enctype.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_key.html b/doc/html/appdev/refs/api/krb5_string_to_key.html
index c6fbbba3f54b..fdffc16ed29b 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_key.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_salttype.html b/doc/html/appdev/refs/api/krb5_string_to_salttype.html
index 33719a8c4f28..f41a8bdb519c 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_salttype.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_salttype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_string_to_timestamp.html b/doc/html/appdev/refs/api/krb5_string_to_timestamp.html
index 064f364b6193..19942e085894 100644
--- a/doc/html/appdev/refs/api/krb5_string_to_timestamp.html
+++ b/doc/html/appdev/refs/api/krb5_string_to_timestamp.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_timeofday.html b/doc/html/appdev/refs/api/krb5_timeofday.html
index a556bc63d075..a4e029022e06 100644
--- a/doc/html/appdev/refs/api/krb5_timeofday.html
+++ b/doc/html/appdev/refs/api/krb5_timeofday.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html b/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html
index b3c6aa2bebe6..8f1bf3eea94f 100644
--- a/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html
+++ b/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_timestamp_to_string.html b/doc/html/appdev/refs/api/krb5_timestamp_to_string.html
index b9405b545e82..4c86772a8234 100644
--- a/doc/html/appdev/refs/api/krb5_timestamp_to_string.html
+++ b/doc/html/appdev/refs/api/krb5_timestamp_to_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_free.html b/doc/html/appdev/refs/api/krb5_tkt_creds_free.html
index 90e809d0f9eb..58fa7031e078 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_free.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_tkt_creds_free</tt><big>(</big><a class="referenc
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_tkt_creds_free</tt><big>(</big><a class="referenc
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get.html
index 0e5b185c3a53..2ad7431d9b71 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_get.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_get.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html
index 966c80bf467a..1cf47cd1b401 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html
index 6b1e51863e7f..a1691f7c92fe 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_init.html b/doc/html/appdev/refs/api/krb5_tkt_creds_init.html
index 54a8686ed18a..bd832f483067 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_init.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_step.html b/doc/html/appdev/refs/api/krb5_tkt_creds_step.html
index ec3ad4e575c1..b9705812127b 100644
--- a/doc/html/appdev/refs/api/krb5_tkt_creds_step.html
+++ b/doc/html/appdev/refs/api/krb5_tkt_creds_step.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_unparse_name.html b/doc/html/appdev/refs/api/krb5_unparse_name.html
index 6dab7f8fcfc8..9bb5a7776ee0 100644
--- a/doc/html/appdev/refs/api/krb5_unparse_name.html
+++ b/doc/html/appdev/refs/api/krb5_unparse_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_ext.html b/doc/html/appdev/refs/api/krb5_unparse_name_ext.html
index 58cf39bbef8b..715746078e1a 100644
--- a/doc/html/appdev/refs/api/krb5_unparse_name_ext.html
+++ b/doc/html/appdev/refs/api/krb5_unparse_name_ext.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_flags.html b/doc/html/appdev/refs/api/krb5_unparse_name_flags.html
index 299d66915b64..f34ea436701c 100644
--- a/doc/html/appdev/refs/api/krb5_unparse_name_flags.html
+++ b/doc/html/appdev/refs/api/krb5_unparse_name_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -130,6 +130,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -167,7 +168,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html b/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html
index 743bc43ffbc4..4295e9f684e6 100644
--- a/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html
+++ b/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_us_timeofday.html b/doc/html/appdev/refs/api/krb5_us_timeofday.html
index d515207b7907..f27498e45627 100644
--- a/doc/html/appdev/refs/api/krb5_us_timeofday.html
+++ b/doc/html/appdev/refs/api/krb5_us_timeofday.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_use_enctype.html b/doc/html/appdev/refs/api/krb5_use_enctype.html
index 246b83557fa1..450d670a23d4 100644
--- a/doc/html/appdev/refs/api/krb5_use_enctype.html
+++ b/doc/html/appdev/refs/api/krb5_use_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html b/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html
index cae4c783f592..33a7b5d175d2 100644
--- a/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html
+++ b/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_verify_checksum.html b/doc/html/appdev/refs/api/krb5_verify_checksum.html
index 1e575c277561..49ba9ce86e21 100644
--- a/doc/html/appdev/refs/api/krb5_verify_checksum.html
+++ b/doc/html/appdev/refs/api/krb5_verify_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds.html b/doc/html/appdev/refs/api/krb5_verify_init_creds.html
index 2d8211f93813..a7ebf61c7c49 100644
--- a/doc/html/appdev/refs/api/krb5_verify_init_creds.html
+++ b/doc/html/appdev/refs/api/krb5_verify_init_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html
index 90f25c87f20e..4940f09efbf2 100644
--- a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html
+++ b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@ void <tt class="descname">krb5_verify_init_creds_opt_init</tt><big>(</big><a cla
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@ void <tt class="descname">krb5_verify_init_creds_opt_init</tt><big>(</big><a cla
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html
index db43696b1260..7b274f968ab2 100644
--- a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html
+++ b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@ void <tt class="descname">krb5_verify_init_creds_opt_set_ap_req_nofail</tt><big>
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@ void <tt class="descname">krb5_verify_init_creds_opt_set_ap_req_nofail</tt><big>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_vprepend_error_message.html b/doc/html/appdev/refs/api/krb5_vprepend_error_message.html
index bbbbee893e1d..576b4cf2be2b 100644
--- a/doc/html/appdev/refs/api/krb5_vprepend_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_vprepend_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@ void <tt class="descname">krb5_vprepend_error_message</tt><big>(</big><a class="
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@ void <tt class="descname">krb5_vprepend_error_message</tt><big>(</big><a class="
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_vset_error_message.html b/doc/html/appdev/refs/api/krb5_vset_error_message.html
index 44b92908e1da..cc5745b965ab 100644
--- a/doc/html/appdev/refs/api/krb5_vset_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_vset_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@ void <tt class="descname">krb5_vset_error_message</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@ void <tt class="descname">krb5_vset_error_message</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_vwrap_error_message.html b/doc/html/appdev/refs/api/krb5_vwrap_error_message.html
index 6688822020c1..588f6cf91465 100644
--- a/doc/html/appdev/refs/api/krb5_vwrap_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_vwrap_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@ void <tt class="descname">krb5_vwrap_error_message</tt><big>(</big><a class="ref
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@ void <tt class="descname">krb5_vwrap_error_message</tt><big>(</big><a class="ref
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_wrap_error_message.html b/doc/html/appdev/refs/api/krb5_wrap_error_message.html
index d70e55903bda..b6e628d06450 100644
--- a/doc/html/appdev/refs/api/krb5_wrap_error_message.html
+++ b/doc/html/appdev/refs/api/krb5_wrap_error_message.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@ void <tt class="descname">krb5_wrap_error_message</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@ void <tt class="descname">krb5_wrap_error_message</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/index.html b/doc/html/appdev/refs/index.html
index 0491244f7016..1abcc7343846 100644
--- a/doc/html/appdev/refs/index.html
+++ b/doc/html/appdev/refs/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -92,6 +92,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -129,7 +130,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html b/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html
index e53931c0ff6c..b5b66b235f71 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html b/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html
index 504c7e64ad88..f66b7ba43d5a 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html b/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html
index 2e6023da7063..836fc1878011 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_INET.html b/doc/html/appdev/refs/macros/ADDRTYPE_INET.html
index 9a64e0fb41a1..7a44ed2608e4 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_INET.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_INET.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html b/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html
index 655fda8cde38..66e6ead2f740 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html b/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html
index afbcf47ee8ad..cec77c8a1005 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html b/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html
index fb889d1da58f..fe3f61a29d53 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html b/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html
index 11d2215df6ea..28998ae70538 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html b/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html
index 702a84cd1350..a276f56ac279 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html b/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html
index e3cbc12e00ac..d1a0ab6b761b 100644
--- a/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html
+++ b/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html b/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html
index 828e6186bae1..b848c19f6a8b 100644
--- a/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html
+++ b/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html b/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html
index e93a7be2642f..b0b4753ae144 100644
--- a/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html
+++ b/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html b/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html
index 54f2d657ef25..7e45e96a86a2 100644
--- a/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html
+++ b/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html b/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html
index d17ffdafa401..06950728dc05 100644
--- a/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html
+++ b/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html b/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html
index dfb783c74c30..570faa8181cf 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html b/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html
index 8cb382c5a95b..c3a668e63f51 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html b/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html
index bdc667be3491..dda08209f785 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html b/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html
index f5083b1561d5..5623b680a98d 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html b/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html
index e320fb9bea56..258f5f12fbaf 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html b/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html
index 34132a1c5a11..7ed36c0fe777 100644
--- a/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html
+++ b/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html
index c8f0d9e70f23..5b01cadcac66 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html
index 31b2e34ca4d3..8c8cba320583 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html
index 5252baaa0a18..d0cdfaf8db11 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html b/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html
index a44048ebeb5f..7cdc7e27ce61 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html
index f899ceda24f6..9085e6b033de 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html
index cde03b5aaeae..d84630af268b 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html
index 76e003a7d5af..165c8af22ebf 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html
index aba811cefc8c..ed9cf2b0d2b2 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html
index 25b69317fab2..5f115632ebef 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html
index 8a22f2fbf738..6c7b1b7dc28d 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html b/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html
index 18bed0ad6e21..6011890b1915 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html b/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html
index 39f2bb584484..0a6166a9e10b 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html
index 076a95ea7050..c598c4628485 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html
index 9548a9abb34e..c0ef4136dace 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html
index 48b6fe8c3e56..83f65afc0231 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html
index 23871d1e97b5..779de3758e75 100644
--- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html
+++ b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html
index 80bd7d1937e5..488b64d493d8 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html
index e0a2b2009b60..e462b099e721 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html
index 373a96a932ed..5128150f686d 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html
index 5db8c63adfeb..c2d7b6412dbb 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html
index 70e3aafede10..d4e98811525d 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html
index dc40981b9d5a..e01e13fefa3e 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html
index cfc4000c7e96..708199abf98f 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html
index f1aadc844edc..b494e8cc2056 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html
index eb0476ab12d4..5d2b4fdc733d 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html
index d15d761fd00a..b10bf712396a 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html
index 49320b3cf1d9..d904c1d6627f 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html
index 61373df40ad3..1ccde82429c5 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html
index a16968cf344b..d9bd1685a873 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html
index 8e9f8bdf1efa..35c6e9659f0a 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html
index 3ef08a254da9..9ed69e6faa6e 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html
index 4f68122c09e3..c317572e1cf3 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html
index db40c282b144..aa7d2e79e5e9 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html
index f8989273b971..090465602a4e 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html
index d352df490091..34f5235da165 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_NULL.html b/doc/html/appdev/refs/macros/ENCTYPE_NULL.html
index 6fee89ea7170..6a6abac69b2c 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_NULL.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_NULL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html
index 214d9c313462..fafd101abad8 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html
index f1188c96b217..12889d34f538 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html
index 44240004f585..38d3c642940a 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html
index 781ebdabd0a5..6c7bf6d83d1c 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html b/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html
index 22127f781ce8..ea62fd99f669 100644
--- a/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html
+++ b/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html b/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html
index 642a728737c7..b315a9f47de3 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html b/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html
index b2f0f8738e82..6cd1574fd8bc 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html b/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html
index 1aab4a738902..7f83ffa0d50e 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html b/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html
index 787cc8ef2113..3e15ee30ac83 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html b/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html
index e169dd1ba85c..e9feb4e0452b 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html
index d5f3c1867aa3..3735f7f13c3f 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html
index d305546404df..976b59d8ac70 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html b/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html
index 60277ee39335..330c801ab763 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html
index 91c00c4938ad..5efd75f0006a 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html b/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html
index f8631c5a47bc..8d5fce4db6ca 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html
index b794413c9dac..e682d57afe1a 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html
index 316d6b4a9086..49aebfdb1fe0 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html
index 77f950a18220..b379bbe27e8a 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html b/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html
index 9bdf2f96b47e..038d44e5374a 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html b/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html
index 97a0ffd21d25..acaf23258dab 100644
--- a/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html
+++ b/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html b/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html
index c902d0a24a40..0e792a4873e7 100644
--- a/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html
+++ b/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html
index 4104a7a6d0df..bb613563eb35 100644
--- a/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html
+++ b/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html
index 46de0c473703..fb90532aafee 100644
--- a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html
+++ b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html
index dc6367d84692..cba337441a92 100644
--- a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html
+++ b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AP_REP.html b/doc/html/appdev/refs/macros/KRB5_AP_REP.html
index 5beb728578b8..0eabb073c379 100644
--- a/doc/html/appdev/refs/macros/KRB5_AP_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_AP_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AP_REQ.html b/doc/html/appdev/refs/macros/KRB5_AP_REQ.html
index f8749b503a7a..c2cd31fd2cf2 100644
--- a/doc/html/appdev/refs/macros/KRB5_AP_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_AP_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AS_REP.html b/doc/html/appdev/refs/macros/KRB5_AS_REP.html
index 42b2ed0a6c48..f82b6a86d9c1 100644
--- a/doc/html/appdev/refs/macros/KRB5_AS_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_AS_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_AS_REQ.html
index cbbc4cbd6898..fa042894d3c4 100644
--- a/doc/html/appdev/refs/macros/KRB5_AS_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_AS_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html
index 8290ed9a019d..24ea7bcbb2f2 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html
index af7ef0cc03e3..74d272a8fafe 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html
index 68c6ea6adabb..c812ccbe62d7 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html
index 74e22c6eb3fe..ef9e5696e874 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html
index a91c99b1ed6e..2acd26ecf466 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html
index bc626ac3648d..8a601f86ad36 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html
index 45de0c1c4736..d1c9af0ce4ca 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html
index f92a0c0e6701..4ba802456cbb 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html
index 0e76e2ce028d..0f9d800e9f0d 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html
index a27c0f67643b..c724da00ae2b 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html
index 80f46afeecc5..8c2aafe34f6d 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html
index 5d042b2a7899..c4b9a389d240 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html
index fadb055c765d..65d3f99c01c8 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html
index c2249d324020..a42290c2746c 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html
index b1eabe678186..2e0a63c837bc 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html
index f5ea3bbbf1cb..ca6bca32543a 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html
index 940041c43330..4729d415b297 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html
index a2494163f785..a66e86586da1 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html
index 4c3552821438..b27119fd89a6 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html
index c670b1bbd079..84377c717443 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html
index e57498912c65..60d26598a9d3 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html
index 6cbe2f558dd6..f19404487da7 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html
index ccc40bd459db..3f89627f48d9 100644
--- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRED.html b/doc/html/appdev/refs/macros/KRB5_CRED.html
index 2c6659695b7b..e55f52f650b2 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRED.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html
index d4b6cfbb424f..bf1606721317 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html
index c78079abddfc..9035d0cb3cdb 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html
index 2c2503f281a3..e5db39a39044 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html
index bd4aa386b16a..03bf6cef3883 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html
index 1523a151b050..e7d475c50cb4 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html
index 6c6a0ac09e98..9c73b3f46349 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html
index e197b96afaa4..0dc357270487 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html
index d45d13e1758a..d4a1db1fb9c1 100644
--- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html
+++ b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html b/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html
index bdf4c6d95f92..fc0d713ad1fb 100644
--- a/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html
+++ b/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html b/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html
index ac4d0dc8a2d5..cb02dd5d2cc2 100644
--- a/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html
+++ b/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html b/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html
index ca5ebb3ccdc1..34af6abc73b0 100644
--- a/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_ERROR.html b/doc/html/appdev/refs/macros/KRB5_ERROR.html
index a352d15f257a..be3cc376b379 100644
--- a/doc/html/appdev/refs/macros/KRB5_ERROR.html
+++ b/doc/html/appdev/refs/macros/KRB5_ERROR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html b/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html
index fe5a67dff489..022dee1b1966 100644
--- a/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html
+++ b/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html b/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html
index 01de46a3bed0..b45b45884210 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html b/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html
index 1cfcc62acfa7..f39008e28b52 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html b/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html
index 1698982a1768..64a2cd92513f 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html b/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html
index cb6615bf840b..7837f66bfa16 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html b/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html
index dd29bad24c8a..e5e3dcc4a299 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html b/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html
index 404d0860696f..7c6552da341d 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html b/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html
index 864dc4fc832c..f2639f2fd33b 100644
--- a/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html
+++ b/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html
index 4ca7c4201348..69a826b0606c 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html
index acbf8012b488..3f55e9d3d119 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html
index 38f05edb770f..d2a0c7cf9aa3 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html
index d5e4bbf55afc..bfb8c95ba998 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html
index c3669be067e8..f579c97cc480 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html
index bde1a2578ede..5331a4dc3f66 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html
index b55384371e95..04ddf1d2a89e 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html
index 31173deebfa0..166bca44977f 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html
index 450dd28f3879..07d80fee7d66 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html
index 2a9419a1de57..5e99d0ef73f5 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html
index e82761878e1e..34ef9716010d 100644
--- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html
+++ b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html
index db0eb29f54c5..a8dcd2c9da8d 100644
--- a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html
+++ b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html
index 554869a29267..9cdff6b06cb5 100644
--- a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html
+++ b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html b/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html
index d2da7266a9b9..240ce786d1b8 100644
--- a/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html
+++ b/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html b/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html
index 8672ef93e9af..55c87b97bfe4 100644
--- a/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html
+++ b/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html b/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html
index 0f419c24597b..17bd15bb6e89 100644
--- a/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html
+++ b/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html b/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html
index dae0c840ab48..3e1178dd0945 100644
--- a/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html
+++ b/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html b/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html
index f4b530ccd578..aaa8480b927e 100644
--- a/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html
+++ b/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html
index efe12208f8ca..c255df5fd4c8 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html
index 359812262d4c..1fc2fa69ef9f 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html
index e0e5781ca937..4933a0a81eb3 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html
index 822e42257d4f..ddf1542693c9 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html
index 6dbc4717af3e..131433d913f6 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html
index bd013645c668..dcf3a32577dc 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html
index 4b09c3d21288..7a12b31c4d69 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html
index 62f7e58e687b..742b3478cf13 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html
index 0b4c1b91bf4d..f7b95f401869 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html
index fd3ffdd03220..9e8d940e315f 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html
index 653728da6d50..ad05d6b7baf5 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html
index 1b7e2bf4cff3..72dd76f829a9 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html
index 4cae5cf24b28..da19fafd4819 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html
index 59428ba42bf0..997e6b038689 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html
index cc88185aa873..c65aeb17d123 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html
index 3e6ed4951fe8..e824a0da47d0 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html
index 19206c716f6c..bf0360eef252 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html
index afdbc56d73f0..f26d602e2fc9 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html
index 5b051ebb51b6..54571e19109d 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html
index 93287f13ff1f..18283d8fa0a4 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html
index 85b0a1df278c..7c43122fd868 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html
index 127fc433d6f5..79fb4de67484 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html
index cd9e6f72a2a0..69e712770eb1 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html
index f777cee68d2a..d22b2bb063ba 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html
index 9e4cda35c72e..792d4df47b7d 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html
index 90de4732c55a..d790a8eb8bc7 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html
index cfd56c25dd1d..2ae9b2fc0a0c 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html
index eaaa1d51c3aa..1875eea78b10 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html
index 765ae031f6a1..dd85a7990041 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html
index 10184574555b..ee580fad2087 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html
index add1f4830b50..6327219d1b00 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html
index a0c37038865b..055edf1b92b8 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html
index 187a301edbb0..92a10c0915c6 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html
index 85be42d28db4..20e0856a3033 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html
index bcd745f88830..28cd0c8e3061 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html
index 5c6d14f37cc7..56c3c1cf22e7 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html
index 66a19a2cb5fe..33c764aeebc9 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html
index 96b8ef8743ac..8d34c20018b0 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html
index 65438998b4b6..68393816e774 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html
index 4dd572192808..eb73d8186795 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html
index 055b52ada3b6..2fac97c67b5d 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html
index 8399fee08a0d..016117c8f47a 100644
--- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html
index 9df37946eb98..f09ab1194f67 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html
index 2a90b61359a8..242c1e120340 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html
index 44dec32a4b18..6b5b7fc6a90f 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html
index 714d3be62bb1..b900e78fd317 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html
index 67176fa52042..27996972e7f4 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html
index 8ccab4b76906..1ca5ad27e49c 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html
index 7392640be692..c79a856b0a7f 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html
index 124bbe29de5d..0b6077beeaa1 100644
--- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html
+++ b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html
index 4f0e9eee758e..323302f3f7b7 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html
index aa562b9b330f..a5c1605cadcd 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html
index 2d69c5ae327c..3a206cf09cb6 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html
index 887f95863cfb..0b1ac100dae8 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html
index 221cc8b252cb..a2d2f1974eee 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html
index 693d7742ec0c..c7976ff6fb30 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html
index 2ef76d9841ea..5f3790ec533b 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html b/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html
index 031481265284..1b952fb6c084 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html
index 95eb91d14967..5ed28138dbef 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html
index 7320978ea089..0ff2f800c5b6 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html
index 30f6b0e1debb..8a617611a16f 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html
index c0f909d26894..eb2876a12ead 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html
index 4d97ab8d454d..77062d3dabb9 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html
index b9e230d3d8c9..59781940f1f4 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html
index 882a18253b24..0120f7aebce3 100644
--- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html
index 4a2ec1a3e6ef..388cfd9c37d6 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html b/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html
index 96c3fd69f69d..c5726eaa0e14 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html
index 08a7aa663a9e..3c4235304d0b 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html
index 54d79ec0c0c5..61ccf6404801 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html
index c299d4635319..3465e3d638b1 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html b/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html
index ee5dfb84407d..c78f5d430e22 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html
index b3a05cf9c7e7..667f7911ce44 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html
index beff23e78b03..f9a3b0bcd8b9 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html
index a622096e77b9..51d7b0d81d45 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_UID.html b/doc/html/appdev/refs/macros/KRB5_NT_UID.html
index ab3a3496285d..81d6229a8d97 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_UID.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_UID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html b/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html
index 42d624ee0091..49204a51c482 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html b/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html
index 1d6420a500a8..d0e2eeceb219 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html
index e134665bfe8d..f5f465a6844c 100644
--- a/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html
index 17d98b41ef31..322787649fc8 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html
index afc3fc871ffb..0eb9a33085dd 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html
index 8cc877d1f038..12985509b009 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html
index 6d08ba6d50aa..b483fe964e34 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html
index 6106661ab6c7..f99c9f02f6a5 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html
index 1cd1879c5044..1d07e3b60da5 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html
index 35e1ea9a8fef..8671712555af 100644
--- a/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html
index 90da364f9917..4a4d7b4337e3 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html
index 004aa4e32a68..f89160d60811 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html
index b85d801a1bdf..52acb36a60c5 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html
index d4d977ff8196..d62832fb4fbe 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html
index 7f452c13ef9b..374a00994c63 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html
index 31dc9ed21f32..414bb9dd7d87 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html
index b10f287033b3..a587c27fda03 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html
index 9f918ab795ef..b67c60d7c9fc 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html
index d95161c42249..f59eb62fb927 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html
index 5a574d4448fe..683c9821cbdd 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html
index 24e0e227c6fa..c46f4ba13630 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html
index ea836e688a69..e9ebdfe1e3d7 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html
index d2c4d4141245..688a12ef7581 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html b/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html
index 506344fc22d0..25548213ba89 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html
index 5e9c756db083..d448d07f6850 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html
index aca8c48c96de..d3f120867fb5 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html
index c8495392f344..2d4bbdbd4f0c 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html
index b1c504fc3616..038d7b8fb70b 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html
index 403deae8ec93..78856b769f51 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html
index b51d93a4cff1..3fe22738695f 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html
index 018a6a14e604..aec82898be26 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html
index 26fb86a291ae..91cc1abe2c31 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html
index 410b0d7ba930..a5018991265b 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html
index 0a83f4768f8c..7fa49fd552ec 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html
index 976004b6d191..9135d962f61b 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html
index bd94acf70e0e..60b24366b377 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html b/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html
index e794ee79cc71..5842ee97f693 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html b/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html
index a5474e668073..15a087dfe20c 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html
index ab1366b38798..4f3afb02ca13 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html
index 77f9c708f55d..9f35b84ee5fd 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html
index 1212f8bfc213..426df4c3a1f3 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html
index 7e12d7c8d151..06a05f1f50e7 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html
index e55b7c0bfca5..8ac2ebd7ee96 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html
index 8be81027ff9f..6ab39368e8f3 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html
index 63efabf8cb6b..a50590d308bc 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html
index feddd06d4a4b..1e6ad74a5f57 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html
index df1df228a2c5..e7516968d8ff 100644
--- a/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html
index 01c99af4808c..a9cfa99063fd 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html
index aee2c5c1e4f8..aee9b69e44e9 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html
index 966585744e59..600a3b26b050 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html
index 88fb196289e1..684d670dc4f9 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html
index 29178ca84e6b..3c78b0cef9e4 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html
index 1d2de91d6f9f..5592d2349975 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html
index c41aefdf0820..f95e5447e57c 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html
index 0d99eee74e55..1183788ad58a 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html
index 0364aed9a71f..6a3b99dba7db 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html
index e04992c7ad7f..537a38e4ad5e 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html
index dda2eafc4bc7..0aa367ad2fb5 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PRIV.html b/doc/html/appdev/refs/macros/KRB5_PRIV.html
index 23c2a26d814f..fe6b0a253b07 100644
--- a/doc/html/appdev/refs/macros/KRB5_PRIV.html
+++ b/doc/html/appdev/refs/macros/KRB5_PRIV.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html
index ccd2411c9d49..f15940858234 100644
--- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html
+++ b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html
index 87b75a1a81ad..a84782bad210 100644
--- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html
+++ b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html
index 87cb2a5ff20d..e4c2789699a8 100644
--- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html
+++ b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html
index 8aaf012c8ab3..2bb179ae67e3 100644
--- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html
+++ b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_PVNO.html b/doc/html/appdev/refs/macros/KRB5_PVNO.html
index a7777f586ce2..7fa0b1838b31 100644
--- a/doc/html/appdev/refs/macros/KRB5_PVNO.html
+++ b/doc/html/appdev/refs/macros/KRB5_PVNO.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html b/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html
index 0c528e1d8d41..1dedcd0635d2 100644
--- a/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html
+++ b/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html
index fcdfafbfebee..58338bf3377f 100644
--- a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html
+++ b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html
index dd96b85a3731..8cd99f0beadb 100644
--- a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html
+++ b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html b/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html
index 135b417580e3..fea1facc3dc8 100644
--- a/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html
+++ b/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html
index 036659aa6475..572fc72703cc 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html
index e633d99f4ee3..85d7f65ffa14 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html
index 27795a2af67a..34a123e48349 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html
index 3dbaf6b33d8a..8d3914fd8201 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html
index b52fc715cac6..13e9ef3e2d3f 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html
index f241a3566e10..de6b7f09a1cf 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html
index 55de476b5c90..296fd8e68376 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html
index 966f56bb6c43..39b21049cd18 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html
index fd38c29e5b10..3f8be2b5f946 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html
index d755519c9d59..6dea9c6e6f66 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html
index 151316ceeedd..e6b3c088fab8 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html
index 487fe1ff8e4a..b0bb8e3c4a5f 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html
index 34e2700036aa..7322afcf6d8a 100644
--- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html
+++ b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_SAFE.html b/doc/html/appdev/refs/macros/KRB5_SAFE.html
index 2c24363425e0..2b51babbcd2f 100644
--- a/doc/html/appdev/refs/macros/KRB5_SAFE.html
+++ b/doc/html/appdev/refs/macros/KRB5_SAFE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html b/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html
index 8ca9cfa71884..46a37094a550 100644
--- a/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html
+++ b/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html b/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html
index b00835b39634..8796da59b09c 100644
--- a/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html
+++ b/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html b/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html
index bb844f9d3d36..8035f640e2f8 100644
--- a/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html
index aabac2ce462a..cc7c0024749d 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html
index 47a991715373..4b7bd15f493a 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html
index 7b6e15050d19..14e3d6c0d332 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html
index 229f749df26a..0cee37ae8e47 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html
index 1755915cd3d9..14393ff577e2 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html
index 84717c732a75..393cbcadcb24 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html
index ca13dd55d603..97bc2de921f3 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html
index b13b3ebc78d4..54bb073217c7 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html
index a277982baba5..520326b9d67c 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html b/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html
index 7c602ef64741..60e8ddeb17c1 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html b/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html
index c83302436675..9682d7dc542f 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html b/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html
index b00028811694..f9e76377d386 100644
--- a/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html
+++ b/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html b/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html
index 392deeccb311..06901ee2b791 100644
--- a/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html
+++ b/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html b/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html
index 83763c36a294..bdfa88a2df18 100644
--- a/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html
+++ b/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_REP.html b/doc/html/appdev/refs/macros/KRB5_TGS_REP.html
index efeaea52304a..1ace486be228 100644
--- a/doc/html/appdev/refs/macros/KRB5_TGS_REP.html
+++ b/doc/html/appdev/refs/macros/KRB5_TGS_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html b/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html
index f9ead5956299..f2baa46df403 100644
--- a/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html
+++ b/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html b/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html
index 3d4d424cc459..46e7d03ee45d 100644
--- a/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html
+++ b/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html b/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html
index 58bbd3fbf6ed..36b21c2bd1a6 100644
--- a/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html
+++ b/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html b/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html
index 7fdf6c182e66..3083b0b8afc5 100644
--- a/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html
+++ b/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html b/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html
index f5f1d767ae78..8b44dc3e4b38 100644
--- a/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html
+++ b/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html b/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html
index 8f66895a5e86..f1c893ebccc5 100644
--- a/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html
+++ b/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html b/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html
index 2056f7e7a5ed..6aa8e70f9f7d 100644
--- a/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html
+++ b/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/MSEC_DIRBIT.html b/doc/html/appdev/refs/macros/MSEC_DIRBIT.html
index 44af4e54ea8d..4d8e0073ed0c 100644
--- a/doc/html/appdev/refs/macros/MSEC_DIRBIT.html
+++ b/doc/html/appdev/refs/macros/MSEC_DIRBIT.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html b/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html
index 869c4f0f8ed1..ac6252c687c9 100644
--- a/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html
+++ b/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html b/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html
index 5c8b57da5b25..adce638e30bd 100644
--- a/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html
+++ b/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html b/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html
index abd52d514594..43abc18e58f8 100644
--- a/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html
+++ b/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/THREEPARAMOPEN.html b/doc/html/appdev/refs/macros/THREEPARAMOPEN.html
index 6229d5df9033..5af41f3a07bb 100644
--- a/doc/html/appdev/refs/macros/THREEPARAMOPEN.html
+++ b/doc/html/appdev/refs/macros/THREEPARAMOPEN.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html b/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html
index 6d2c81319979..3196d4989239 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html b/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html
index 80a3770fca8e..9cdd77faf7e7 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html
index 41da3c77b597..e41b122a6c63 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html
index b98970acb94d..060609ce1d2a 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html b/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html
index 494d03980a04..58c928621b79 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html b/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html
index 177779dffc87..dbfccabe23a2 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html b/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html
index c0622e520089..b1460857cf49 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html b/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html
index 5905f9a58379..8ee629c2dc24 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html b/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html
index 09bd6482951f..bc78c829a712 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html b/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html
index 8b7721a5377a..1b2ef4a39c70 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html b/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html
index 85902deacbc9..3aa667452743 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html
index 06e03a08be67..b2f553271bf5 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html b/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html
index ec0caae819bd..d74936d46e0b 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html
index 175326137e10..12403167816e 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html b/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html
index c78d838a140a..ea2b1095d80c 100644
--- a/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html
+++ b/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/VALID_INT_BITS.html b/doc/html/appdev/refs/macros/VALID_INT_BITS.html
index 63746904822e..3d95239ae3a5 100644
--- a/doc/html/appdev/refs/macros/VALID_INT_BITS.html
+++ b/doc/html/appdev/refs/macros/VALID_INT_BITS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/VALID_UINT_BITS.html b/doc/html/appdev/refs/macros/VALID_UINT_BITS.html
index 4ef999a9c563..7340c2347fd1 100644
--- a/doc/html/appdev/refs/macros/VALID_UINT_BITS.html
+++ b/doc/html/appdev/refs/macros/VALID_UINT_BITS.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/index.html b/doc/html/appdev/refs/macros/index.html
index f8c70813bfa4..62c4a13a0d63 100644
--- a/doc/html/appdev/refs/macros/index.html
+++ b/doc/html/appdev/refs/macros/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -467,6 +467,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -504,7 +505,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html b/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html
index 54ce9ce5efab..a1ff9c127a3d 100644
--- a/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html
+++ b/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb524_init_ets.html b/doc/html/appdev/refs/macros/krb524_init_ets.html
index e63039b9df89..0831429ea34e 100644
--- a/doc/html/appdev/refs/macros/krb524_init_ets.html
+++ b/doc/html/appdev/refs/macros/krb524_init_ets.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_const.html b/doc/html/appdev/refs/macros/krb5_const.html
index 44db2b7c6b5b..620b50e2c807 100644
--- a/doc/html/appdev/refs/macros/krb5_const.html
+++ b/doc/html/appdev/refs/macros/krb5_const.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_component.html b/doc/html/appdev/refs/macros/krb5_princ_component.html
index b4e7489fbae6..24269ee571ae 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_component.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_component.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_name.html b/doc/html/appdev/refs/macros/krb5_princ_name.html
index 697ee6f8158a..28a8a0acca26 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_name.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_name.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_realm.html b/doc/html/appdev/refs/macros/krb5_princ_realm.html
index 7c7393f8593c..6ae40fe272e7 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_realm.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm.html
index 253ceb8935db..7cb89d36c320 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_set_realm.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_set_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html
index 4f41ab29e086..5be20a4d7333 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html
index c9fefc2aa908..9a34d6d3ddf0 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_size.html b/doc/html/appdev/refs/macros/krb5_princ_size.html
index af6a72fe6101..e9c03e1bc613 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_size.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_size.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_princ_type.html b/doc/html/appdev/refs/macros/krb5_princ_type.html
index 66c4903362ac..517ea0712308 100644
--- a/doc/html/appdev/refs/macros/krb5_princ_type.html
+++ b/doc/html/appdev/refs/macros/krb5_princ_type.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_roundup.html b/doc/html/appdev/refs/macros/krb5_roundup.html
index 302d0106845b..9e45e532944c 100644
--- a/doc/html/appdev/refs/macros/krb5_roundup.html
+++ b/doc/html/appdev/refs/macros/krb5_roundup.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_x.html b/doc/html/appdev/refs/macros/krb5_x.html
index 4a72622afc45..86fcb5daae04 100644
--- a/doc/html/appdev/refs/macros/krb5_x.html
+++ b/doc/html/appdev/refs/macros/krb5_x.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/macros/krb5_xc.html b/doc/html/appdev/refs/macros/krb5_xc.html
index 499e3162f0dd..03f9a83ce122 100644
--- a/doc/html/appdev/refs/macros/krb5_xc.html
+++ b/doc/html/appdev/refs/macros/krb5_xc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -101,6 +101,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -138,7 +139,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/index.html b/doc/html/appdev/refs/types/index.html
index 4360581f51e7..86619732648a 100644
--- a/doc/html/appdev/refs/types/index.html
+++ b/doc/html/appdev/refs/types/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -195,6 +195,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -232,7 +233,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_address.html b/doc/html/appdev/refs/types/krb5_address.html
index e80c937381f3..3f877442e3ef 100644
--- a/doc/html/appdev/refs/types/krb5_address.html
+++ b/doc/html/appdev/refs/types/krb5_address.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@ unsigned int      <tt class="descname">krb5_address.length</tt><a class="headerl
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@ unsigned int      <tt class="descname">krb5_address.length</tt><a class="headerl
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_addrtype.html b/doc/html/appdev/refs/types/krb5_addrtype.html
index d6185e95000d..88c132b04c96 100644
--- a/doc/html/appdev/refs/types/krb5_addrtype.html
+++ b/doc/html/appdev/refs/types/krb5_addrtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ap_rep.html b/doc/html/appdev/refs/types/krb5_ap_rep.html
index 49b94e1ad88a..4e99b1fc3b2a 100644
--- a/doc/html/appdev/refs/types/krb5_ap_rep.html
+++ b/doc/html/appdev/refs/types/krb5_ap_rep.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html b/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html
index 9ad72b189a4f..cad7924a8559 100644
--- a/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html
+++ b/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -131,6 +131,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -168,7 +169,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ap_req.html b/doc/html/appdev/refs/types/krb5_ap_req.html
index d105e2dd2f42..adfa68f9b679 100644
--- a/doc/html/appdev/refs/types/krb5_ap_req.html
+++ b/doc/html/appdev/refs/types/krb5_ap_req.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_auth_context.html b/doc/html/appdev/refs/types/krb5_auth_context.html
index 50e7bf076a79..9b5a4de50084 100644
--- a/doc/html/appdev/refs/types/krb5_auth_context.html
+++ b/doc/html/appdev/refs/types/krb5_auth_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_authdata.html b/doc/html/appdev/refs/types/krb5_authdata.html
index d1c2a829b086..96d504930ed5 100644
--- a/doc/html/appdev/refs/types/krb5_authdata.html
+++ b/doc/html/appdev/refs/types/krb5_authdata.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@ unsigned int      <tt class="descname">krb5_authdata.length</tt><a class="header
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@ unsigned int      <tt class="descname">krb5_authdata.length</tt><a class="header
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_authdatatype.html b/doc/html/appdev/refs/types/krb5_authdatatype.html
index 32c438c81a88..225674a1ff8d 100644
--- a/doc/html/appdev/refs/types/krb5_authdatatype.html
+++ b/doc/html/appdev/refs/types/krb5_authdatatype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_authenticator.html b/doc/html/appdev/refs/types/krb5_authenticator.html
index a192cdf1e4c3..4d3cfc19a84c 100644
--- a/doc/html/appdev/refs/types/krb5_authenticator.html
+++ b/doc/html/appdev/refs/types/krb5_authenticator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -150,6 +150,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -187,7 +188,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_boolean.html b/doc/html/appdev/refs/types/krb5_boolean.html
index 5c9d2b73cc73..e017992ccf4b 100644
--- a/doc/html/appdev/refs/types/krb5_boolean.html
+++ b/doc/html/appdev/refs/types/krb5_boolean.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cc_cursor.html b/doc/html/appdev/refs/types/krb5_cc_cursor.html
index c23ed6809481..30c8a88cd89d 100644
--- a/doc/html/appdev/refs/types/krb5_cc_cursor.html
+++ b/doc/html/appdev/refs/types/krb5_cc_cursor.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ccache.html b/doc/html/appdev/refs/types/krb5_ccache.html
index 0d1a5bc267b3..ed6274d8dd2a 100644
--- a/doc/html/appdev/refs/types/krb5_ccache.html
+++ b/doc/html/appdev/refs/types/krb5_ccache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cccol_cursor.html b/doc/html/appdev/refs/types/krb5_cccol_cursor.html
index 7459f791c3cf..e2557b6c2363 100644
--- a/doc/html/appdev/refs/types/krb5_cccol_cursor.html
+++ b/doc/html/appdev/refs/types/krb5_cccol_cursor.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_checksum.html b/doc/html/appdev/refs/types/krb5_checksum.html
index 72a30d4d8fdd..3448b964e162 100644
--- a/doc/html/appdev/refs/types/krb5_checksum.html
+++ b/doc/html/appdev/refs/types/krb5_checksum.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@ unsigned int      <tt class="descname">krb5_checksum.length</tt><a class="header
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@ unsigned int      <tt class="descname">krb5_checksum.length</tt><a class="header
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cksumtype.html b/doc/html/appdev/refs/types/krb5_cksumtype.html
index 6d2f493b61c8..fd62a0e759ed 100644
--- a/doc/html/appdev/refs/types/krb5_cksumtype.html
+++ b/doc/html/appdev/refs/types/krb5_cksumtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_const_pointer.html b/doc/html/appdev/refs/types/krb5_const_pointer.html
index 19fa5ca7a507..689f7098d1ec 100644
--- a/doc/html/appdev/refs/types/krb5_const_pointer.html
+++ b/doc/html/appdev/refs/types/krb5_const_pointer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_const_principal.html b/doc/html/appdev/refs/types/krb5_const_principal.html
index 92a36a91f726..a7854975ec82 100644
--- a/doc/html/appdev/refs/types/krb5_const_principal.html
+++ b/doc/html/appdev/refs/types/krb5_const_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -128,6 +128,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -165,7 +166,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_context.html b/doc/html/appdev/refs/types/krb5_context.html
index 660820fe672b..dd3067455eaf 100644
--- a/doc/html/appdev/refs/types/krb5_context.html
+++ b/doc/html/appdev/refs/types/krb5_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cred.html b/doc/html/appdev/refs/types/krb5_cred.html
index fe2ab4b6fdc7..91ae6c1063b5 100644
--- a/doc/html/appdev/refs/types/krb5_cred.html
+++ b/doc/html/appdev/refs/types/krb5_cred.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cred_enc_part.html b/doc/html/appdev/refs/types/krb5_cred_enc_part.html
index 1df64eda99f7..49c8baf55096 100644
--- a/doc/html/appdev/refs/types/krb5_cred_enc_part.html
+++ b/doc/html/appdev/refs/types/krb5_cred_enc_part.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -142,6 +142,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -179,7 +180,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cred_info.html b/doc/html/appdev/refs/types/krb5_cred_info.html
index 3b23c47cd510..837cfce141fd 100644
--- a/doc/html/appdev/refs/types/krb5_cred_info.html
+++ b/doc/html/appdev/refs/types/krb5_cred_info.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -143,6 +143,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -180,7 +181,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_creds.html b/doc/html/appdev/refs/types/krb5_creds.html
index 13566474c9f7..97533a3867a6 100644
--- a/doc/html/appdev/refs/types/krb5_creds.html
+++ b/doc/html/appdev/refs/types/krb5_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -167,6 +167,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -204,7 +205,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_crypto_iov.html b/doc/html/appdev/refs/types/krb5_crypto_iov.html
index 8261cd27d89d..186fe488cf02 100644
--- a/doc/html/appdev/refs/types/krb5_crypto_iov.html
+++ b/doc/html/appdev/refs/types/krb5_crypto_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_cryptotype.html b/doc/html/appdev/refs/types/krb5_cryptotype.html
index d2d47ac77679..29866bc2878a 100644
--- a/doc/html/appdev/refs/types/krb5_cryptotype.html
+++ b/doc/html/appdev/refs/types/krb5_cryptotype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_data.html b/doc/html/appdev/refs/types/krb5_data.html
index 0a05ed37b938..d7ac64af0f73 100644
--- a/doc/html/appdev/refs/types/krb5_data.html
+++ b/doc/html/appdev/refs/types/krb5_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@ char *    <tt class="descname">krb5_data.data</tt><a class="headerlink" href="#c
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@ char *    <tt class="descname">krb5_data.data</tt><a class="headerlink" href="#c
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_deltat.html b/doc/html/appdev/refs/types/krb5_deltat.html
index c3600bc85046..554ccffa87f3 100644
--- a/doc/html/appdev/refs/types/krb5_deltat.html
+++ b/doc/html/appdev/refs/types/krb5_deltat.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_enc_data.html b/doc/html/appdev/refs/types/krb5_enc_data.html
index cb8b636dab22..553795cdb732 100644
--- a/doc/html/appdev/refs/types/krb5_enc_data.html
+++ b/doc/html/appdev/refs/types/krb5_enc_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html b/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html
index ee05b1f767b3..ce3253930e78 100644
--- a/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html
+++ b/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -168,6 +168,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -205,7 +206,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_enc_tkt_part.html b/doc/html/appdev/refs/types/krb5_enc_tkt_part.html
index 3e04a8b7e50f..397f813422ba 100644
--- a/doc/html/appdev/refs/types/krb5_enc_tkt_part.html
+++ b/doc/html/appdev/refs/types/krb5_enc_tkt_part.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -149,6 +149,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -186,7 +187,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_encrypt_block.html b/doc/html/appdev/refs/types/krb5_encrypt_block.html
index f0c0066f6876..87142ab9ab8d 100644
--- a/doc/html/appdev/refs/types/krb5_encrypt_block.html
+++ b/doc/html/appdev/refs/types/krb5_encrypt_block.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_enctype.html b/doc/html/appdev/refs/types/krb5_enctype.html
index b24c1cebd658..0ce5abf52de5 100644
--- a/doc/html/appdev/refs/types/krb5_enctype.html
+++ b/doc/html/appdev/refs/types/krb5_enctype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_error.html b/doc/html/appdev/refs/types/krb5_error.html
index 5be1033b5ae7..52833a6f5802 100644
--- a/doc/html/appdev/refs/types/krb5_error.html
+++ b/doc/html/appdev/refs/types/krb5_error.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -161,6 +161,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -198,7 +199,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_error_code.html b/doc/html/appdev/refs/types/krb5_error_code.html
index 048a601d2443..d449b82bf5f3 100644
--- a/doc/html/appdev/refs/types/krb5_error_code.html
+++ b/doc/html/appdev/refs/types/krb5_error_code.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_expire_callback_func.html b/doc/html/appdev/refs/types/krb5_expire_callback_func.html
index 6a5c2592627d..3f6852b27a1c 100644
--- a/doc/html/appdev/refs/types/krb5_expire_callback_func.html
+++ b/doc/html/appdev/refs/types/krb5_expire_callback_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_flags.html b/doc/html/appdev/refs/types/krb5_flags.html
index 6d7c66465051..b78f2f9a2904 100644
--- a/doc/html/appdev/refs/types/krb5_flags.html
+++ b/doc/html/appdev/refs/types/krb5_flags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html b/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html
index 57728f357971..7391ad7d31da 100644
--- a/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html
+++ b/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -157,6 +157,7 @@ int       <tt class="descname">krb5_get_init_creds_opt.preauth_list_length</tt><
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -194,7 +195,7 @@ int       <tt class="descname">krb5_get_init_creds_opt.preauth_list_length</tt><
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html b/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html
index 2079a04ac5bb..8fea5d2723bb 100644
--- a/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html
+++ b/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@ char *    <tt class="descname">krb5_gic_opt_pa_data.value</tt><a class="headerli
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@ char *    <tt class="descname">krb5_gic_opt_pa_data.value</tt><a class="headerli
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_init_creds_context.html b/doc/html/appdev/refs/types/krb5_init_creds_context.html
index ad1ec07eda99..6c0ee3b08a82 100644
--- a/doc/html/appdev/refs/types/krb5_init_creds_context.html
+++ b/doc/html/appdev/refs/types/krb5_init_creds_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_int16.html b/doc/html/appdev/refs/types/krb5_int16.html
index 56432645f008..d7671fa922b3 100644
--- a/doc/html/appdev/refs/types/krb5_int16.html
+++ b/doc/html/appdev/refs/types/krb5_int16.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_int32.html b/doc/html/appdev/refs/types/krb5_int32.html
index 0c849309efdb..87fad19078e5 100644
--- a/doc/html/appdev/refs/types/krb5_int32.html
+++ b/doc/html/appdev/refs/types/krb5_int32.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_kdc_rep.html b/doc/html/appdev/refs/types/krb5_kdc_rep.html
index 2fd07827fff8..ba68dcb66d9f 100644
--- a/doc/html/appdev/refs/types/krb5_kdc_rep.html
+++ b/doc/html/appdev/refs/types/krb5_kdc_rep.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -143,6 +143,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -180,7 +181,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_kdc_req.html b/doc/html/appdev/refs/types/krb5_kdc_req.html
index 047f5747864f..43cdc6654aa6 100644
--- a/doc/html/appdev/refs/types/krb5_kdc_req.html
+++ b/doc/html/appdev/refs/types/krb5_kdc_req.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -197,6 +197,7 @@ int       <tt class="descname">krb5_kdc_req.nktypes</tt><a class="headerlink" hr
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -234,7 +235,7 @@ int       <tt class="descname">krb5_kdc_req.nktypes</tt><a class="headerlink" hr
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_key.html b/doc/html/appdev/refs/types/krb5_key.html
index 0feb5e567582..14b358094330 100644
--- a/doc/html/appdev/refs/types/krb5_key.html
+++ b/doc/html/appdev/refs/types/krb5_key.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_keyblock.html b/doc/html/appdev/refs/types/krb5_keyblock.html
index fc906780c56b..3b8a485ff9b7 100644
--- a/doc/html/appdev/refs/types/krb5_keyblock.html
+++ b/doc/html/appdev/refs/types/krb5_keyblock.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@ unsigned int      <tt class="descname">krb5_keyblock.length</tt><a class="header
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@ unsigned int      <tt class="descname">krb5_keyblock.length</tt><a class="header
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_keytab.html b/doc/html/appdev/refs/types/krb5_keytab.html
index 4229254c2890..4425d17d42c7 100644
--- a/doc/html/appdev/refs/types/krb5_keytab.html
+++ b/doc/html/appdev/refs/types/krb5_keytab.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_keytab_entry.html b/doc/html/appdev/refs/types/krb5_keytab_entry.html
index 5e2bbecee5dc..610883da7995 100644
--- a/doc/html/appdev/refs/types/krb5_keytab_entry.html
+++ b/doc/html/appdev/refs/types/krb5_keytab_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -131,6 +131,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -168,7 +169,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_keyusage.html b/doc/html/appdev/refs/types/krb5_keyusage.html
index a25beeaa10fa..e4ad749f46e8 100644
--- a/doc/html/appdev/refs/types/krb5_keyusage.html
+++ b/doc/html/appdev/refs/types/krb5_keyusage.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_kt_cursor.html b/doc/html/appdev/refs/types/krb5_kt_cursor.html
index 7b3087abd185..a88bbf90bdf4 100644
--- a/doc/html/appdev/refs/types/krb5_kt_cursor.html
+++ b/doc/html/appdev/refs/types/krb5_kt_cursor.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_kvno.html b/doc/html/appdev/refs/types/krb5_kvno.html
index aecb5887f77f..2df10dff10cf 100644
--- a/doc/html/appdev/refs/types/krb5_kvno.html
+++ b/doc/html/appdev/refs/types/krb5_kvno.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_last_req_entry.html b/doc/html/appdev/refs/types/krb5_last_req_entry.html
index 85850e27ddd1..dbc2ff4562db 100644
--- a/doc/html/appdev/refs/types/krb5_last_req_entry.html
+++ b/doc/html/appdev/refs/types/krb5_last_req_entry.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_magic.html b/doc/html/appdev/refs/types/krb5_magic.html
index 716b23da75c9..e499423b6ad8 100644
--- a/doc/html/appdev/refs/types/krb5_magic.html
+++ b/doc/html/appdev/refs/types/krb5_magic.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html b/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html
index 7d4c8b34199e..e4b309a52014 100644
--- a/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html
+++ b/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_msgtype.html b/doc/html/appdev/refs/types/krb5_msgtype.html
index 20c957b929b4..368c3d248c42 100644
--- a/doc/html/appdev/refs/types/krb5_msgtype.html
+++ b/doc/html/appdev/refs/types/krb5_msgtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_octet.html b/doc/html/appdev/refs/types/krb5_octet.html
index 1eb10a41501d..0d5c9a49a5e1 100644
--- a/doc/html/appdev/refs/types/krb5_octet.html
+++ b/doc/html/appdev/refs/types/krb5_octet.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pa_data.html b/doc/html/appdev/refs/types/krb5_pa_data.html
index 47d0c3c9c5d0..cb037de16d73 100644
--- a/doc/html/appdev/refs/types/krb5_pa_data.html
+++ b/doc/html/appdev/refs/types/krb5_pa_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@ unsigned int      <tt class="descname">krb5_pa_data.length</tt><a class="headerl
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@ unsigned int      <tt class="descname">krb5_pa_data.length</tt><a class="headerl
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pa_pac_req.html b/doc/html/appdev/refs/types/krb5_pa_pac_req.html
index 887ad606e083..618b40f46787 100644
--- a/doc/html/appdev/refs/types/krb5_pa_pac_req.html
+++ b/doc/html/appdev/refs/types/krb5_pa_pac_req.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html b/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html
index 1911f6ef2982..f3d428cea7b7 100644
--- a/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html
+++ b/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html b/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html
index 13eda4c4ab31..aabe85b513ef 100644
--- a/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html
+++ b/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -107,6 +107,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -144,7 +145,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pac.html b/doc/html/appdev/refs/types/krb5_pac.html
index 868ad05626a6..616d1710295a 100644
--- a/doc/html/appdev/refs/types/krb5_pac.html
+++ b/doc/html/appdev/refs/types/krb5_pac.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pointer.html b/doc/html/appdev/refs/types/krb5_pointer.html
index 6a846eb42f94..27163f57f304 100644
--- a/doc/html/appdev/refs/types/krb5_pointer.html
+++ b/doc/html/appdev/refs/types/krb5_pointer.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_post_recv_fn.html b/doc/html/appdev/refs/types/krb5_post_recv_fn.html
index d4bfb2609fcf..6619e40c05e7 100644
--- a/doc/html/appdev/refs/types/krb5_post_recv_fn.html
+++ b/doc/html/appdev/refs/types/krb5_post_recv_fn.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -100,6 +100,7 @@ The hook function should use <a class="reference internal" href="../api/krb5_cop
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -137,7 +138,7 @@ The hook function should use <a class="reference internal" href="../api/krb5_cop
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pre_send_fn.html b/doc/html/appdev/refs/types/krb5_pre_send_fn.html
index 094bb943881d..c24448c61692 100644
--- a/doc/html/appdev/refs/types/krb5_pre_send_fn.html
+++ b/doc/html/appdev/refs/types/krb5_pre_send_fn.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@ The hook function should use <a class="reference internal" href="../api/krb5_cop
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@ The hook function should use <a class="reference internal" href="../api/krb5_cop
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_preauthtype.html b/doc/html/appdev/refs/types/krb5_preauthtype.html
index 887982c5455b..b69f65a63a08 100644
--- a/doc/html/appdev/refs/types/krb5_preauthtype.html
+++ b/doc/html/appdev/refs/types/krb5_preauthtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_principal.html b/doc/html/appdev/refs/types/krb5_principal.html
index 136211805502..9a789d8fcdaa 100644
--- a/doc/html/appdev/refs/types/krb5_principal.html
+++ b/doc/html/appdev/refs/types/krb5_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_principal_data.html b/doc/html/appdev/refs/types/krb5_principal_data.html
index 83808ce7d1c1..6398349a80f4 100644
--- a/doc/html/appdev/refs/types/krb5_principal_data.html
+++ b/doc/html/appdev/refs/types/krb5_principal_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,6 +127,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -164,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_prompt.html b/doc/html/appdev/refs/types/krb5_prompt.html
index 7ac8535a066d..df01dbc5810d 100644
--- a/doc/html/appdev/refs/types/krb5_prompt.html
+++ b/doc/html/appdev/refs/types/krb5_prompt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@ PIN)</p>
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@ PIN)</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_prompt_type.html b/doc/html/appdev/refs/types/krb5_prompt_type.html
index 8449ff05503f..d7d63d7dc0ec 100644
--- a/doc/html/appdev/refs/types/krb5_prompt_type.html
+++ b/doc/html/appdev/refs/types/krb5_prompt_type.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_prompter_fct.html b/doc/html/appdev/refs/types/krb5_prompter_fct.html
index 5a451e602cb1..bde7eb8abe49 100644
--- a/doc/html/appdev/refs/types/krb5_prompter_fct.html
+++ b/doc/html/appdev/refs/types/krb5_prompter_fct.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -98,6 +98,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -135,7 +136,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_pwd_data.html b/doc/html/appdev/refs/types/krb5_pwd_data.html
index 1128655f575c..7fcf72b34572 100644
--- a/doc/html/appdev/refs/types/krb5_pwd_data.html
+++ b/doc/html/appdev/refs/types/krb5_pwd_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@ int       <tt class="descname">krb5_pwd_data.sequence_count</tt><a class="header
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@ int       <tt class="descname">krb5_pwd_data.sequence_count</tt><a class="header
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_rcache.html b/doc/html/appdev/refs/types/krb5_rcache.html
index 32c2c9a6de0e..8bfca1828538 100644
--- a/doc/html/appdev/refs/types/krb5_rcache.html
+++ b/doc/html/appdev/refs/types/krb5_rcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_replay_data.html b/doc/html/appdev/refs/types/krb5_replay_data.html
index 0ade7d5fd90c..5971ca9a4fa1 100644
--- a/doc/html/appdev/refs/types/krb5_replay_data.html
+++ b/doc/html/appdev/refs/types/krb5_replay_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_context.html b/doc/html/appdev/refs/types/krb5_responder_context.html
index 7741924df0a9..2ab89ac4bbf7 100644
--- a/doc/html/appdev/refs/types/krb5_responder_context.html
+++ b/doc/html/appdev/refs/types/krb5_responder_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_fn.html b/doc/html/appdev/refs/types/krb5_responder_fn.html
index 9b7fc1c03419..70a5831edf3e 100644
--- a/doc/html/appdev/refs/types/krb5_responder_fn.html
+++ b/doc/html/appdev/refs/types/krb5_responder_fn.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -99,6 +99,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -136,7 +137,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html b/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html
index 2dab684134fc..247ebc22317a 100644
--- a/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html
+++ b/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@ char *    <tt class="descname">krb5_responder_otp_challenge.service</tt><a class
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@ char *    <tt class="descname">krb5_responder_otp_challenge.service</tt><a class
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html b/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html
index f17e0a067281..86201db887c1 100644
--- a/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html
+++ b/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -136,6 +136,7 @@ char *    <tt class="descname">krb5_responder_otp_tokeninfo.alg_id</tt><a class=
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -173,7 +174,7 @@ char *    <tt class="descname">krb5_responder_otp_tokeninfo.alg_id</tt><a class=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html b/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html
index d8c6bfc37589..19d70877f7e3 100644
--- a/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html
+++ b/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -106,6 +106,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -143,7 +144,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html b/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html
index eb1d09c3b25d..02924643407b 100644
--- a/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html
+++ b/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -111,6 +111,7 @@ char *    <tt class="descname">krb5_responder_pkinit_identity.identity</tt><a cl
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -148,7 +149,7 @@ char *    <tt class="descname">krb5_responder_pkinit_identity.identity</tt><a cl
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_response.html b/doc/html/appdev/refs/types/krb5_response.html
index 85ec20be6aac..d5464014713c 100644
--- a/doc/html/appdev/refs/types/krb5_response.html
+++ b/doc/html/appdev/refs/types/krb5_response.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ticket.html b/doc/html/appdev/refs/types/krb5_ticket.html
index 4c96c62e54f2..c081de382a91 100644
--- a/doc/html/appdev/refs/types/krb5_ticket.html
+++ b/doc/html/appdev/refs/types/krb5_ticket.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ticket_times.html b/doc/html/appdev/refs/types/krb5_ticket_times.html
index 807ff2582288..3dc4dc04da15 100644
--- a/doc/html/appdev/refs/types/krb5_ticket_times.html
+++ b/doc/html/appdev/refs/types/krb5_ticket_times.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -126,6 +126,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,7 +164,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_timestamp.html b/doc/html/appdev/refs/types/krb5_timestamp.html
index 554ee8551099..b1cf0b77990b 100644
--- a/doc/html/appdev/refs/types/krb5_timestamp.html
+++ b/doc/html/appdev/refs/types/krb5_timestamp.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -70,6 +70,8 @@
 <tt class="descname">krb5_timestamp</tt><a class="headerlink" href="#c.krb5_timestamp" title="Permalink to this definition">¶</a></dt>
 <dd></dd></dl>
 
+<p>Represents a timestamp in seconds since the POSIX epoch.</p>
+<p>This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.</p>
 <div class="section" id="declaration">
 <h2>Declaration<a class="headerlink" href="#declaration" title="Permalink to this headline">¶</a></h2>
 <p>typedef krb5_int32 krb5_timestamp</p>
@@ -97,6 +99,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +137,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_tkt_authent.html b/doc/html/appdev/refs/types/krb5_tkt_authent.html
index 686eefeaa5c6..ed1b032766dc 100644
--- a/doc/html/appdev/refs/types/krb5_tkt_authent.html
+++ b/doc/html/appdev/refs/types/krb5_tkt_authent.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_tkt_creds_context.html b/doc/html/appdev/refs/types/krb5_tkt_creds_context.html
index 04720a149325..1b810c25459d 100644
--- a/doc/html/appdev/refs/types/krb5_tkt_creds_context.html
+++ b/doc/html/appdev/refs/types/krb5_tkt_creds_context.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_trace_callback.html b/doc/html/appdev/refs/types/krb5_trace_callback.html
index e822f3f83b93..9a8967f21635 100644
--- a/doc/html/appdev/refs/types/krb5_trace_callback.html
+++ b/doc/html/appdev/refs/types/krb5_trace_callback.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_trace_info.html b/doc/html/appdev/refs/types/krb5_trace_info.html
index 5915d35d4222..a89aaf749159 100644
--- a/doc/html/appdev/refs/types/krb5_trace_info.html
+++ b/doc/html/appdev/refs/types/krb5_trace_info.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,6 +108,7 @@ const char *      <tt class="descname">krb5_trace_info.message</tt><a class="hea
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@ const char *      <tt class="descname">krb5_trace_info.message</tt><a class="hea
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_transited.html b/doc/html/appdev/refs/types/krb5_transited.html
index e9f89225d84a..3b3d87c118ff 100644
--- a/doc/html/appdev/refs/types/krb5_transited.html
+++ b/doc/html/appdev/refs/types/krb5_transited.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_typed_data.html b/doc/html/appdev/refs/types/krb5_typed_data.html
index 325f4144093f..86386e68d59e 100644
--- a/doc/html/appdev/refs/types/krb5_typed_data.html
+++ b/doc/html/appdev/refs/types/krb5_typed_data.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@ unsigned int      <tt class="descname">krb5_typed_data.length</tt><a class="head
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@ unsigned int      <tt class="descname">krb5_typed_data.length</tt><a class="head
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ui_2.html b/doc/html/appdev/refs/types/krb5_ui_2.html
index 5aa31dc8279e..9cf7f0e34d71 100644
--- a/doc/html/appdev/refs/types/krb5_ui_2.html
+++ b/doc/html/appdev/refs/types/krb5_ui_2.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_ui_4.html b/doc/html/appdev/refs/types/krb5_ui_4.html
index ccfbe72043ae..f8ac9fcaae46 100644
--- a/doc/html/appdev/refs/types/krb5_ui_4.html
+++ b/doc/html/appdev/refs/types/krb5_ui_4.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -97,6 +97,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -134,7 +135,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html b/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html
index 347e58aef630..dfb0d8cf664d 100644
--- a/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html
+++ b/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@ int       <tt class="descname">krb5_verify_init_creds_opt.ap_req_nofail</tt><a c
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@ int       <tt class="descname">krb5_verify_init_creds_opt.ap_req_nofail</tt><a c
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/types/passwd_phrase_element.html b/doc/html/appdev/refs/types/passwd_phrase_element.html
index 40777d81b093..5056ac373c98 100644
--- a/doc/html/appdev/refs/types/passwd_phrase_element.html
+++ b/doc/html/appdev/refs/types/passwd_phrase_element.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/y2038.html b/doc/html/appdev/y2038.html
new file mode 100644
index 000000000000..9b5959cb4497
--- /dev/null
+++ b/doc/html/appdev/y2038.html
@@ -0,0 +1,165 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    
+    <title>Year 2038 considerations for uses of krb5_timestamp &mdash; MIT Kerberos Documentation</title>
+    
+    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+    
+    <script type="text/javascript">
+      var DOCUMENTATION_OPTIONS = {
+        URL_ROOT:    '../',
+        VERSION:     '1.16',
+        COLLAPSE_INDEX: false,
+        FILE_SUFFIX: '.html',
+        HAS_SOURCE:  true
+      };
+    </script>
+    <script type="text/javascript" src="../_static/jquery.js"></script>
+    <script type="text/javascript" src="../_static/underscore.js"></script>
+    <script type="text/javascript" src="../_static/doctools.js"></script>
+    <link rel="author" title="About these documents" href="../about.html" />
+    <link rel="copyright" title="Copyright" href="../copyright.html" />
+    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+    <link rel="up" title="For application developers" href="index.html" />
+    <link rel="next" title="Differences between Heimdal and MIT Kerberos API" href="h5l_mit_apidiff.html" />
+    <link rel="prev" title="Developing with GSSAPI" href="gssapi.html" /> 
+  </head>
+  <body>
+    <div class="header-wrapper">
+        <div class="header">
+            
+            
+            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+            
+            <div class="rel">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            accesskey="C">Contents</a> |
+        <a href="gssapi.html" title="Developing with GSSAPI"
+            accesskey="P">previous</a> |
+        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+            accesskey="N">next</a> |
+        <a href="../genindex.html" title="General Index"
+            accesskey="I">index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            accesskey="S">Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Year 2038 considerations for uses of krb5_timestamp">feedback</a>
+            </div>
+        </div>
+    </div>
+
+    <div class="content-wrapper">
+      <div class="content">
+        <div class="document">
+            
+      <div class="documentwrapper">
+        <div class="bodywrapper">
+          <div class="body">
+            
+  <div class="section" id="year-2038-considerations-for-uses-of-krb5-timestamp">
+<h1>Year 2038 considerations for uses of krb5_timestamp<a class="headerlink" href="#year-2038-considerations-for-uses-of-krb5-timestamp" title="Permalink to this headline">¶</a></h1>
+<p>POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.</p>
+<p>Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+<a class="reference internal" href="refs/types/krb5_timestamp.html#c.krb5_timestamp" title="krb5_timestamp"><tt class="xref c c-type docutils literal"><span class="pre">krb5_timestamp</span></tt></a> type.  For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t:</p>
+<div class="highlight-python"><div class="highlight"><pre>(time_t)(uint32_t)timestamp
+</pre></div>
+</div>
+<p>Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.</p>
+<p>The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.</p>
+</div>
+
+
+          </div>
+        </div>
+      </div>
+        </div>
+        <div class="sidebar">
+    <h2>On this page</h2>
+    <ul>
+<li><a class="reference internal" href="#">Year 2038 considerations for uses of krb5_timestamp</a></li>
+</ul>
+
+    <br/>
+    <h2>Table of contents</h2>
+    <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Year 2038 considerations for uses of krb5_timestamp</a></li>
+<li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
+<li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
+<li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
+<li class="toctree-l2"><a class="reference internal" href="refs/index.html">Complete reference - API and datatypes</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+    <br/>
+    <h4><a href="../index.html">Full Table of Contents</a></h4>
+    <h4>Search</h4>
+    <form class="search" action="../search.html" method="get">
+      <input type="text" name="q" size="18" />
+      <input type="submit" value="Go" />
+      <input type="hidden" name="check_keywords" value="yes" />
+      <input type="hidden" name="area" value="default" />
+    </form>
+        </div>
+        <div class="clearer"></div>
+      </div>
+    </div>
+
+    <div class="footer-wrapper">
+        <div class="footer" >
+            <div class="right" ><i>Release: 1.16</i><br />
+                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+            </div>
+            <div class="left">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            >Contents</a> |
+        <a href="gssapi.html" title="Developing with GSSAPI"
+            >previous</a> |
+        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+            >next</a> |
+        <a href="../genindex.html" title="General Index"
+            >index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            >Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Year 2038 considerations for uses of krb5_timestamp">feedback</a>
+            </div>
+        </div>
+    </div>
+
+  </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/basic/ccache_def.html b/doc/html/basic/ccache_def.html
index 6f4a8924e7ba..0ba9c7215668 100644
--- a/doc/html/basic/ccache_def.html
+++ b/doc/html/basic/ccache_def.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,7 +118,7 @@ Newly created caches must generally be named <tt class="docutils literal"><span
 where <em>uid</em> is the effective user ID of the running process.</p>
 <p>KCM client support is new in release 1.13.  A KCM daemon has not
 yet been implemented in MIT krb5, but the client will interoperate
-with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
 provides a KCM daemon as part of the operating system, and the
 <strong>KCM</strong> cache type is used as the default cache on that platform in
 a default build.</p>
@@ -262,7 +262,7 @@ descending order of priority:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/basic/date_format.html b/doc/html/basic/date_format.html
index 5e1d318d84a9..fb36f7d1a9cd 100644
--- a/doc/html/basic/date_format.html
+++ b/doc/html/basic/date_format.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -317,7 +317,7 @@ enclose it in double quotes;</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/basic/index.html b/doc/html/basic/index.html
index 268cec1d8928..195eec908e5d 100644
--- a/doc/html/basic/index.html
+++ b/doc/html/basic/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,7 +125,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/basic/keytab_def.html b/doc/html/basic/keytab_def.html
index d0fbeabe20df..b0d72332a0bd 100644
--- a/doc/html/basic/keytab_def.html
+++ b/doc/html/basic/keytab_def.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -170,7 +170,7 @@ decreasing order of preference:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/basic/rcache_def.html b/doc/html/basic/rcache_def.html
index 3bc9690898c5..379fc49c8818 100644
--- a/doc/html/basic/rcache_def.html
+++ b/doc/html/basic/rcache_def.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -206,7 +206,7 @@ that any authenticator seen is not a replay.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/basic/stash_file_def.html b/doc/html/basic/stash_file_def.html
index a84eab2aa993..f227b7d25263 100644
--- a/doc/html/basic/stash_file_def.html
+++ b/doc/html/basic/stash_file_def.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -134,7 +134,7 @@ This means that the KDC will not be able to start automatically, such as after a
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/build/directory_org.html b/doc/html/build/directory_org.html
index f9ccc59b6344..2de8defc3ce5 100644
--- a/doc/html/build/directory_org.html
+++ b/doc/html/build/directory_org.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -231,7 +231,7 @@ libraries;</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/build/doing_build.html b/doc/html/build/doing_build.html
index 6053b399e739..26c6d09e5991 100644
--- a/doc/html/build/doing_build.html
+++ b/doc/html/build/doing_build.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -267,7 +267,7 @@ should run <tt class="docutils literal"><span class="pre">autoreconf</span></tt>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/build/index.html b/doc/html/build/index.html
index ef685616954b..260cc5fd3fa0 100644
--- a/doc/html/build/index.html
+++ b/doc/html/build/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="next" title="Organization of the source directory" href="directory_org.html" />
-    <link rel="prev" title="Internal pluggable interfaces" href="../plugindev/internal.html" /> 
+    <link rel="prev" title="KDC policy interface (kdcpolicy)" href="../plugindev/kdcpolicy.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -41,7 +41,7 @@
                 
         <a href="../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="../plugindev/internal.html" title="Internal pluggable interfaces"
+        <a href="../plugindev/kdcpolicy.html" title="KDC policy interface (kdcpolicy)"
             accesskey="P">previous</a> |
         <a href="directory_org.html" title="Organization of the source directory"
             accesskey="N">next</a> |
@@ -173,14 +173,14 @@ distribution information.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="../plugindev/internal.html" title="Internal pluggable interfaces"
+        <a href="../plugindev/kdcpolicy.html" title="KDC policy interface (kdcpolicy)"
             >previous</a> |
         <a href="directory_org.html" title="Organization of the source directory"
             >next</a> |
diff --git a/doc/html/build/options2configure.html b/doc/html/build/options2configure.html
index 3552932b5ebf..9f15e2d5bd90 100644
--- a/doc/html/build/options2configure.html
+++ b/doc/html/build/options2configure.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -351,9 +351,6 @@ implemented crypto backend is <tt class="docutils literal"><span class="pre">ope
 <dd>Use specified PRNG algorithm.  For example, to use the OS native
 prng specify <tt class="docutils literal"><span class="pre">--with-prng-alg=os</span></tt>.  The default is <tt class="docutils literal"><span class="pre">fortuna</span></tt>.
 (See <a class="reference internal" href="../mitK5features.html#mitk5features"><em>MIT Kerberos features</em></a>)</dd>
-<dt><strong>-</strong><strong>-with-pkinit-crypto-impl=</strong><em>IMPL</em></dt>
-<dd>Use the specified pkinit crypto implementation <em>IMPL</em>.
-Defaults to using OpenSSL.</dd>
 <dt><strong>-</strong><strong>-without-libedit</strong></dt>
 <dd>Do not compile and link against libedit.  Some utilities will no
 longer offer command history or completion in interactive mode if
@@ -467,7 +464,7 @@ SS_LIB=&#39;-lss -lcurses&#39;  DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/build/osconf.html b/doc/html/build/osconf.html
index c71832d2c087..dc2c36cc51d5 100644
--- a/doc/html/build/osconf.html
+++ b/doc/html/build/osconf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -140,7 +140,7 @@ default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/build_this.html b/doc/html/build_this.html
index e7eefff8518d..3535ea6dc94a 100644
--- a/doc/html/build_this.html
+++ b/doc/html/build_this.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -187,7 +187,7 @@ default custom build).</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/copyright.html b/doc/html/copyright.html
index 2451612a90c1..997ad64976d1 100644
--- a/doc/html/copyright.html
+++ b/doc/html/copyright.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,7 +114,7 @@ information.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="#">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/formats/ccache_file_format.html b/doc/html/formats/ccache_file_format.html
index d337aa1e00e7..d3c132732bb4 100644
--- a/doc/html/formats/ccache_file_format.html
+++ b/doc/html/formats/ccache_file_format.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -274,7 +274,7 @@ keytab.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/formats/cookie.html b/doc/html/formats/cookie.html
index f02cad59eb90..db73cfef5849 100644
--- a/doc/html/formats/cookie.html
+++ b/doc/html/formats/cookie.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -173,7 +173,7 @@ cookie data types.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/formats/index.html b/doc/html/formats/index.html
index 42e75c2fbb1a..b0d705b7d175 100644
--- a/doc/html/formats/index.html
+++ b/doc/html/formats/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,7 +121,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/formats/keytab_file_format.html b/doc/html/formats/keytab_file_format.html
index 843cb48a27e2..413b03483441 100644
--- a/doc/html/formats/keytab_file_format.html
+++ b/doc/html/formats/keytab_file_format.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -163,7 +163,7 @@ value of the 32-bit integer contained in those bytes is non-zero.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-A.html b/doc/html/genindex-A.html
index 97af9972e778..a83883e26065 100644
--- a/doc/html/genindex-A.html
+++ b/doc/html/genindex-A.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -187,7 +187,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-C.html b/doc/html/genindex-C.html
index 1f31624ef6f8..f7e1a8ec9ed5 100644
--- a/doc/html/genindex-C.html
+++ b/doc/html/genindex-C.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -171,7 +171,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-E.html b/doc/html/genindex-E.html
index b7c9001a9bae..68b06c0d97cc 100644
--- a/doc/html/genindex-E.html
+++ b/doc/html/genindex-E.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -207,7 +207,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-K.html b/doc/html/genindex-K.html
index adec2598f9dd..3bf3f38e787f 100644
--- a/doc/html/genindex-K.html
+++ b/doc/html/genindex-K.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -3951,7 +3951,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-L.html b/doc/html/genindex-L.html
index 6320279e723b..c3a16bd9fbf9 100644
--- a/doc/html/genindex-L.html
+++ b/doc/html/genindex-L.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,7 +115,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-M.html b/doc/html/genindex-M.html
index 7d14d34ff4cf..62711eadb35e 100644
--- a/doc/html/genindex-M.html
+++ b/doc/html/genindex-M.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,7 +119,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-P.html b/doc/html/genindex-P.html
index 98d96b015688..59087b2088ee 100644
--- a/doc/html/genindex-P.html
+++ b/doc/html/genindex-P.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,7 +123,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-R.html b/doc/html/genindex-R.html
index fe2ff13967e5..2f6f21289364 100644
--- a/doc/html/genindex-R.html
+++ b/doc/html/genindex-R.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -220,7 +220,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-S.html b/doc/html/genindex-S.html
index a4126c142263..101325d34a88 100644
--- a/doc/html/genindex-S.html
+++ b/doc/html/genindex-S.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,7 +115,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-T.html b/doc/html/genindex-T.html
index 7395588c1273..dfb9d5a0c5c7 100644
--- a/doc/html/genindex-T.html
+++ b/doc/html/genindex-T.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -171,7 +171,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-V.html b/doc/html/genindex-V.html
index 6c0390808f54..e0c75b70883a 100644
--- a/doc/html/genindex-V.html
+++ b/doc/html/genindex-V.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -115,7 +115,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex-all.html b/doc/html/genindex-all.html
index f6f11c7dc283..a4178ea0120a 100644
--- a/doc/html/genindex-all.html
+++ b/doc/html/genindex-all.html
@@ -16,7 +16,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -4520,7 +4520,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/genindex.html b/doc/html/genindex.html
index e4d70c01fac5..bec2e6c10ee0 100644
--- a/doc/html/genindex.html
+++ b/doc/html/genindex.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,7 +119,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/index.html b/doc/html/index.html
index abf3941b4035..bd562580f0ce 100644
--- a/doc/html/index.html
+++ b/doc/html/index.html
@@ -6,7 +6,7 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     
-    <title>MIT Kerberos Documentation (1.15.1) &mdash; MIT Kerberos Documentation</title>
+    <title>MIT Kerberos Documentation (1.16) &mdash; MIT Kerberos Documentation</title>
     
     <link rel="stylesheet" href="_static/agogo.css" type="text/css" />
     <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -46,7 +46,7 @@
             accesskey="I">index</a> |
         <a href="search.html" title="Enter search criteria"
             accesskey="S">Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos Documentation (1.15.1)">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos Documentation (1.16)">feedback</a>
             </div>
         </div>
     </div>
@@ -60,7 +60,7 @@
           <div class="body">
             
   <div class="section" id="mit-kerberos-documentation-release">
-<h1>MIT Kerberos Documentation (1.15.1)<a class="headerlink" href="#mit-kerberos-documentation-release" title="Permalink to this headline">¶</a></h1>
+<h1>MIT Kerberos Documentation (1.16)<a class="headerlink" href="#mit-kerberos-documentation-release" title="Permalink to this headline">¶</a></h1>
 <div class="toctree-wrapper compound">
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="user/index.html">For users</a></li>
@@ -86,7 +86,7 @@
         <div class="sidebar">
     <h2>On this page</h2>
     <ul>
-<li><a class="reference internal" href="#">MIT Kerberos Documentation (1.15.1)</a></li>
+<li><a class="reference internal" href="#">MIT Kerberos Documentation (1.16)</a></li>
 </ul>
 
     <br/>
@@ -121,7 +121,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -134,7 +134,7 @@
             >index</a> |
         <a href="search.html" title="Enter search criteria"
             >Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos Documentation (1.15.1)">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos Documentation (1.16)">feedback</a>
             </div>
         </div>
     </div>
diff --git a/doc/html/mitK5defaults.html b/doc/html/mitK5defaults.html
index c9cc6e619462..8f30500823d7 100644
--- a/doc/html/mitK5defaults.html
+++ b/doc/html/mitK5defaults.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -129,7 +129,7 @@
 <td>&nbsp;</td>
 </tr>
 <tr class="row-even"><td>Permitted enctypes</td>
-<td><tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt></td>
+<td><tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt></td>
 <td>&nbsp;</td>
 </tr>
 <tr class="row-odd"><td>KDC default port</td>
@@ -335,7 +335,7 @@ according to the operating system&#8217;s layout of <tt class="docutils literal"
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/mitK5features.html b/doc/html/mitK5features.html
index 7fa633c6c643..5fd257df2576 100644
--- a/doc/html/mitK5features.html
+++ b/doc/html/mitK5features.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -73,8 +73,8 @@
 <dl class="docutils">
 <dt>Releases:</dt>
 <dd><ul class="first last simple">
-<li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.15/">http://web.mit.edu/kerberos/krb5-1.15/</a></li>
-<li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.14/">http://web.mit.edu/kerberos/krb5-1.14/</a></li>
+<li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.16/">http://web.mit.edu/kerberos/krb5-1.16/</a></li>
+<li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.15/">http://web.mit.edu/kerberos/krb5-1.15/</a></li>
 <li>Release cycle: 9 &#8211; 12 months</li>
 </ul>
 </dd>
@@ -219,7 +219,7 @@ old keys. <a class="reference external" href="http://cve.mitre.org/cgi-bin/cvena
 <li>Add client support for the Kerberos Cache Manager protocol. If
 the host is running a Heimdal kcm daemon, caches served by the
 daemon can be accessed with the KCM: cache type.</li>
-<li>When built on OS X 10.7 and higher, use &#8220;KCM:&#8221; as the default
+<li>When built on macOS 10.7 and higher, use &#8220;KCM:&#8221; as the default
 cachetype, unless overridden by command-line options or
 krb5-config values.</li>
 <li>Add support for doing unlocked database dumps for the DB2 KDC
@@ -363,6 +363,78 @@ conform to Suite B crypto requirements.</li>
 </ul>
 </li>
 </ul>
+<p>Release 1.16</p>
+<ul class="simple">
+<li>Administrator experience:<ul>
+<li>The KDC can match PKINIT client certificates against the
+&#8220;pkinit_cert_match&#8221; string attribute on the client principal
+entry, using the same syntax as the existing &#8220;pkinit_cert_match&#8221;
+profile option.</li>
+<li>The ktutil addent command supports the &#8220;-k 0&#8221; option to ignore the
+key version, and the &#8220;-s&#8221; option to use a non-default salt string.</li>
+<li>kpropd supports a &#8211;pid-file option to write a pid file at
+startup, when it is run in standalone mode.</li>
+<li>The &#8220;encrypted_challenge_indicator&#8221; realm option can be used to
+attach an authentication indicator to tickets obtained using FAST
+encrypted challenge pre-authentication.</li>
+<li>Localization support can be disabled at build time with the
+&#8211;disable-nls configure option.</li>
+</ul>
+</li>
+<li>Developer experience:<ul>
+<li>The kdcpolicy pluggable interface allows modules control whether
+tickets are issued by the KDC.</li>
+<li>The kadm5_auth pluggable interface allows modules to control
+whether kadmind grants access to a kadmin request.</li>
+<li>The certauth pluggable interface allows modules to control which
+PKINIT client certificates can authenticate to which client
+principals.</li>
+<li>KDB modules can use the client and KDC interface IP addresses to
+determine whether to allow an AS request.</li>
+<li>GSS applications can query the bit strength of a krb5 GSS context
+using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+gss_inquire_sec_context_by_oid().</li>
+<li>GSS applications can query the impersonator name of a krb5 GSS
+credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+gss_inquire_cred_by_oid().</li>
+<li>kdcpreauth modules can query the KDC for the canonicalized
+requested client principal name, or match a principal name against
+the requested client principal name with canonicalization.</li>
+</ul>
+</li>
+<li>Protocol evolution:<ul>
+<li>The client library will continue to try pre-authentication
+mechanisms after most failure conditions.</li>
+<li>The KDC will issue trivially renewable tickets (where the
+renewable lifetime is equal to or less than the ticket lifetime)
+if requested by the client, to be friendlier to scripts.</li>
+<li>The client library will use a random nonce for TGS requests
+instead of the current system time.</li>
+<li>For the RC4 string-to-key or PAC operations, UTF-16 is supported
+(previously only UCS-2 was supported).</li>
+<li>When matching PKINIT client certificates, UPN SANs will be matched
+correctly as UPNs, with canonicalization.</li>
+</ul>
+</li>
+<li>User experience:<ul>
+<li>Dates after the year 2038 are accepted (provided that the platform
+time facilities support them), through the year 2106.</li>
+<li>Automatic credential cache selection based on the client realm
+will take into account the fallback realm and the service
+hostname.</li>
+<li>Referral and alternate cross-realm TGTs will not be cached,
+avoiding some scenarios where they can be added to the credential
+cache multiple times.</li>
+<li>A German translation has been added.</li>
+</ul>
+</li>
+<li>Code quality:<ul>
+<li>The build is warning-clean under clang with the configured warning
+options.</li>
+<li>The automated test suite runs cleanly under AddressSanitizer.</li>
+</ul>
+</li>
+</ul>
 <p><cite>Pre-authentication mechanisms</cite></p>
 <ul class="simple">
 <li>PW-SALT                                         <span class="target" id="index-11"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.3"><strong>RFC 4120</strong></a></li>
@@ -435,7 +507,7 @@ conform to Suite B crypto requirements.</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/mitK5license.html b/doc/html/mitK5license.html
index dc1b7386d965..57c6ebc568b6 100644
--- a/doc/html/mitK5license.html
+++ b/doc/html/mitK5license.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -586,7 +586,7 @@ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
 </div></blockquote>
 <hr class="docutils" />
-<p>The KCM Mach RPC definition file used on OS X has the following copyright:</p>
+<p>The KCM Mach RPC definition file used on macOS has the following copyright:</p>
 <blockquote>
 <div><div class="line-block">
 <div class="line">Copyright © 2009 Kungliga Tekniska Högskola</div>
@@ -1263,7 +1263,7 @@ OF THE POSSIBILITY OF SUCH DAMAGE.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/objects.inv b/doc/html/objects.inv
index 64050f070032..85a7d4925775 100644
Binary files a/doc/html/objects.inv and b/doc/html/objects.inv differ
diff --git a/doc/html/plugindev/ccselect.html b/doc/html/plugindev/ccselect.html
index 1173f3b2aecc..d2e67a1982e4 100644
--- a/doc/html/plugindev/ccselect.html
+++ b/doc/html/plugindev/ccselect.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -108,12 +108,15 @@ module communicates its priority as a result of the <strong>init</strong> method
 <li class="toctree-l2 current"><a class="current reference internal" href="">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -141,7 +144,7 @@ module communicates its priority as a result of the <strong>init</strong> method
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/certauth.html b/doc/html/plugindev/certauth.html
new file mode 100644
index 000000000000..4acba25de80e
--- /dev/null
+++ b/doc/html/plugindev/certauth.html
@@ -0,0 +1,170 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    
+    <title>PKINIT certificate authorization interface (certauth) &mdash; MIT Kerberos Documentation</title>
+    
+    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+    
+    <script type="text/javascript">
+      var DOCUMENTATION_OPTIONS = {
+        URL_ROOT:    '../',
+        VERSION:     '1.16',
+        COLLAPSE_INDEX: false,
+        FILE_SUFFIX: '.html',
+        HAS_SOURCE:  true
+      };
+    </script>
+    <script type="text/javascript" src="../_static/jquery.js"></script>
+    <script type="text/javascript" src="../_static/underscore.js"></script>
+    <script type="text/javascript" src="../_static/doctools.js"></script>
+    <link rel="author" title="About these documents" href="../about.html" />
+    <link rel="copyright" title="Copyright" href="../copyright.html" />
+    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+    <link rel="up" title="For plugin module developers" href="index.html" />
+    <link rel="next" title="KDC policy interface (kdcpolicy)" href="kdcpolicy.html" />
+    <link rel="prev" title="Internal pluggable interfaces" href="internal.html" /> 
+  </head>
+  <body>
+    <div class="header-wrapper">
+        <div class="header">
+            
+            
+            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+            
+            <div class="rel">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            accesskey="C">Contents</a> |
+        <a href="internal.html" title="Internal pluggable interfaces"
+            accesskey="P">previous</a> |
+        <a href="kdcpolicy.html" title="KDC policy interface (kdcpolicy)"
+            accesskey="N">next</a> |
+        <a href="../genindex.html" title="General Index"
+            accesskey="I">index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            accesskey="S">Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT certificate authorization interface (certauth)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+    <div class="content-wrapper">
+      <div class="content">
+        <div class="document">
+            
+      <div class="documentwrapper">
+        <div class="bodywrapper">
+          <div class="body">
+            
+  <div class="section" id="pkinit-certificate-authorization-interface-certauth">
+<span id="certauth-plugin"></span><h1>PKINIT certificate authorization interface (certauth)<a class="headerlink" href="#pkinit-certificate-authorization-interface-certauth" title="Permalink to this headline">¶</a></h1>
+<p>The certauth interface was first introduced in release 1.16.  It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients.  For a detailed
+description of the certauth interface, see the header file
+<tt class="docutils literal"><span class="pre">&lt;krb5/certauth_plugin.h&gt;</span></tt></p>
+<p>A certauth module implements the <strong>authorize</strong> method to determine
+whether a client&#8217;s certificate is authorized to authenticate a client
+principal.  <strong>authorize</strong> receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client&#8217;s
+krb5_db_entry (for modules that link against libkdb5).  It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket.  A module must use its
+own internal or library-provided ASN.1 certificate decoder.</p>
+<p>A module can optionally create and destroy module data with the
+<strong>init</strong> and <strong>fini</strong> methods.  Module data objects last for the
+lifetime of the KDC process.</p>
+<p>If a module allocates and returns a list of authentication indicators
+from <strong>authorize</strong>, it must also implement the <strong>free_ind</strong> method
+to free the list.</p>
+</div>
+
+
+          </div>
+        </div>
+      </div>
+        </div>
+        <div class="sidebar">
+    <h2>On this page</h2>
+    <ul>
+<li><a class="reference internal" href="#">PKINIT certificate authorization interface (certauth)</a></li>
+</ul>
+
+    <br/>
+    <h2>Table of contents</h2>
+    <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
+<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+    <br/>
+    <h4><a href="../index.html">Full Table of Contents</a></h4>
+    <h4>Search</h4>
+    <form class="search" action="../search.html" method="get">
+      <input type="text" name="q" size="18" />
+      <input type="submit" value="Go" />
+      <input type="hidden" name="check_keywords" value="yes" />
+      <input type="hidden" name="area" value="default" />
+    </form>
+        </div>
+        <div class="clearer"></div>
+      </div>
+    </div>
+
+    <div class="footer-wrapper">
+        <div class="footer" >
+            <div class="right" ><i>Release: 1.16</i><br />
+                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+            </div>
+            <div class="left">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            >Contents</a> |
+        <a href="internal.html" title="Internal pluggable interfaces"
+            >previous</a> |
+        <a href="kdcpolicy.html" title="KDC policy interface (kdcpolicy)"
+            >next</a> |
+        <a href="../genindex.html" title="General Index"
+            >index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            >Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT certificate authorization interface (certauth)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+  </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/plugindev/clpreauth.html b/doc/html/plugindev/clpreauth.html
index 66af218e96cd..5b951fd2b0d2 100644
--- a/doc/html/plugindev/clpreauth.html
+++ b/doc/html/plugindev/clpreauth.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -135,12 +135,15 @@ preauthentication mechanism computes one.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -168,7 +171,7 @@ preauthentication mechanism computes one.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/general.html b/doc/html/plugindev/general.html
index c10ab03b07c7..14f582e302c4 100644
--- a/doc/html/plugindev/general.html
+++ b/doc/html/plugindev/general.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -168,12 +168,15 @@ fences_wicker_initvt(krb5_context context, int maj_ver,
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -201,7 +204,7 @@ fences_wicker_initvt(krb5_context context, int maj_ver,
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/gssapi.html b/doc/html/plugindev/gssapi.html
index beb9a566d0cf..cdd14a36a354 100644
--- a/doc/html/plugindev/gssapi.html
+++ b/doc/html/plugindev/gssapi.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -177,6 +177,7 @@ may be repeated multiple times.</li>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
@@ -185,6 +186,8 @@ may be repeated multiple times.</li>
 </ul>
 </li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -212,7 +215,7 @@ may be repeated multiple times.</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/hostrealm.html b/doc/html/plugindev/hostrealm.html
index 5c23a108b1e5..13c1d48bac06 100644
--- a/doc/html/plugindev/hostrealm.html
+++ b/doc/html/plugindev/hostrealm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -29,7 +29,7 @@
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For plugin module developers" href="index.html" />
     <link rel="next" title="Local authorization interface (localauth)" href="localauth.html" />
-    <link rel="prev" title="KADM5 hook interface (kadm5_hook)" href="kadm5_hook.html" /> 
+    <link rel="prev" title="kadmin authorization interface (kadm5_auth)" href="kadm5_auth.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -42,7 +42,7 @@
                 
         <a href="../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+        <a href="kadm5_auth.html" title="kadmin authorization interface (kadm5_auth)"
             accesskey="P">previous</a> |
         <a href="localauth.html" title="Local authorization interface (localauth)"
             accesskey="N">next</a> |
@@ -118,12 +118,15 @@ deallocated consistently.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -151,14 +154,14 @@ deallocated consistently.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+        <a href="kadm5_auth.html" title="kadmin authorization interface (kadm5_auth)"
             >previous</a> |
         <a href="localauth.html" title="Local authorization interface (localauth)"
             >next</a> |
diff --git a/doc/html/plugindev/index.html b/doc/html/plugindev/index.html
index 47d7eb82a39a..867d479b7d7f 100644
--- a/doc/html/plugindev/index.html
+++ b/doc/html/plugindev/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -80,6 +80,7 @@ plugin modules and how to enable and disable modules via
 <li class="toctree-l1"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l1"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l1"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l1"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l1"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l1"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
@@ -93,6 +94,8 @@ plugin modules and how to enable and disable modules via
 <li class="toctree-l2"><a class="reference internal" href="internal.html#authorization-data-interface-authdata">Authorization data interface (authdata)</a></li>
 </ul>
 </li>
+<li class="toctree-l1"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </div>
 </div>
@@ -125,12 +128,15 @@ plugin modules and how to enable and disable modules via
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -158,7 +164,7 @@ plugin modules and how to enable and disable modules via
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/internal.html b/doc/html/plugindev/internal.html
index de3fba160ac8..1b75ebe5109c 100644
--- a/doc/html/plugindev/internal.html
+++ b/doc/html/plugindev/internal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For plugin module developers" href="index.html" />
-    <link rel="next" title="Building Kerberos V5" href="../build/index.html" />
+    <link rel="next" title="PKINIT certificate authorization interface (certauth)" href="certauth.html" />
     <link rel="prev" title="GSSAPI mechanism interface" href="gssapi.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="gssapi.html" title="GSSAPI mechanism interface"
             accesskey="P">previous</a> |
-        <a href="../build/index.html" title="Building Kerberos V5"
+        <a href="certauth.html" title="PKINIT certificate authorization interface (certauth)"
             accesskey="N">next</a> |
         <a href="../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -119,6 +119,7 @@ installed by the build.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
@@ -127,6 +128,8 @@ installed by the build.</p>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Internal pluggable interfaces</a><ul class="simple">
 </ul>
 </li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -154,7 +157,7 @@ installed by the build.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -163,7 +166,7 @@ installed by the build.</p>
             >Contents</a> |
         <a href="gssapi.html" title="GSSAPI mechanism interface"
             >previous</a> |
-        <a href="../build/index.html" title="Building Kerberos V5"
+        <a href="certauth.html" title="PKINIT certificate authorization interface (certauth)"
             >next</a> |
         <a href="../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/plugindev/kadm5_auth.html b/doc/html/plugindev/kadm5_auth.html
new file mode 100644
index 000000000000..fc2bf3c241c2
--- /dev/null
+++ b/doc/html/plugindev/kadm5_auth.html
@@ -0,0 +1,177 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    
+    <title>kadmin authorization interface (kadm5_auth) &mdash; MIT Kerberos Documentation</title>
+    
+    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+    
+    <script type="text/javascript">
+      var DOCUMENTATION_OPTIONS = {
+        URL_ROOT:    '../',
+        VERSION:     '1.16',
+        COLLAPSE_INDEX: false,
+        FILE_SUFFIX: '.html',
+        HAS_SOURCE:  true
+      };
+    </script>
+    <script type="text/javascript" src="../_static/jquery.js"></script>
+    <script type="text/javascript" src="../_static/underscore.js"></script>
+    <script type="text/javascript" src="../_static/doctools.js"></script>
+    <link rel="author" title="About these documents" href="../about.html" />
+    <link rel="copyright" title="Copyright" href="../copyright.html" />
+    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+    <link rel="up" title="For plugin module developers" href="index.html" />
+    <link rel="next" title="Host-to-realm interface (hostrealm)" href="hostrealm.html" />
+    <link rel="prev" title="KADM5 hook interface (kadm5_hook)" href="kadm5_hook.html" /> 
+  </head>
+  <body>
+    <div class="header-wrapper">
+        <div class="header">
+            
+            
+            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+            
+            <div class="rel">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            accesskey="C">Contents</a> |
+        <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+            accesskey="P">previous</a> |
+        <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+            accesskey="N">next</a> |
+        <a href="../genindex.html" title="General Index"
+            accesskey="I">index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            accesskey="S">Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin authorization interface (kadm5_auth)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+    <div class="content-wrapper">
+      <div class="content">
+        <div class="document">
+            
+      <div class="documentwrapper">
+        <div class="bodywrapper">
+          <div class="body">
+            
+  <div class="section" id="kadmin-authorization-interface-kadm5-auth">
+<span id="kadm5-auth-plugin"></span><h1>kadmin authorization interface (kadm5_auth)<a class="headerlink" href="#kadmin-authorization-interface-kadm5-auth" title="Permalink to this headline">¶</a></h1>
+<p>The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations.  For a detailed description of the kadm5_auth
+interface, see the header file <tt class="docutils literal"><span class="pre">&lt;krb5/kadm5_auth_plugin.h&gt;</span></tt>.</p>
+<p>A module can create and destroy per-process state objects by
+implementing the <strong>init</strong> and <strong>fini</strong> methods.  State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type.  A
+module should typically cast this to an internal type for the state
+object.</p>
+<p>The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation.  Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access.  Access is granted if at least one module
+grants access and no module authoritatively denies access.</p>
+<p>The <strong>addprinc</strong> and <strong>modprinc</strong> methods can also impose restrictions
+on the principal operation by returning a <tt class="docutils literal"><span class="pre">struct</span>
+<span class="pre">kadm5_auth_restrictions</span></tt> object.  The module should also implement
+the <strong>free_restrictions</strong> method if it dynamically allocates
+restrictions objects for principal operations.</p>
+<p>kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include <tt class="docutils literal"><span class="pre">&lt;kadm5/admin.h&gt;</span></tt> to gain
+access to the structure definitions for those objects.  As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.</p>
+</div>
+
+
+          </div>
+        </div>
+      </div>
+        </div>
+        <div class="sidebar">
+    <h2>On this page</h2>
+    <ul>
+<li><a class="reference internal" href="#">kadmin authorization interface (kadm5_auth)</a></li>
+</ul>
+
+    <br/>
+    <h2>Table of contents</h2>
+    <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">kadmin authorization interface (kadm5_auth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
+<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+    <br/>
+    <h4><a href="../index.html">Full Table of Contents</a></h4>
+    <h4>Search</h4>
+    <form class="search" action="../search.html" method="get">
+      <input type="text" name="q" size="18" />
+      <input type="submit" value="Go" />
+      <input type="hidden" name="check_keywords" value="yes" />
+      <input type="hidden" name="area" value="default" />
+    </form>
+        </div>
+        <div class="clearer"></div>
+      </div>
+    </div>
+
+    <div class="footer-wrapper">
+        <div class="footer" >
+            <div class="right" ><i>Release: 1.16</i><br />
+                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+            </div>
+            <div class="left">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            >Contents</a> |
+        <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+            >previous</a> |
+        <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+            >next</a> |
+        <a href="../genindex.html" title="General Index"
+            >index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            >Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin authorization interface (kadm5_auth)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+  </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/plugindev/kadm5_hook.html b/doc/html/plugindev/kadm5_hook.html
index 35f076822d52..2ed57799b7a1 100644
--- a/doc/html/plugindev/kadm5_hook.html
+++ b/doc/html/plugindev/kadm5_hook.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For plugin module developers" href="index.html" />
-    <link rel="next" title="Host-to-realm interface (hostrealm)" href="hostrealm.html" />
+    <link rel="next" title="kadmin authorization interface (kadm5_auth)" href="kadm5_auth.html" />
     <link rel="prev" title="Password quality interface (pwqual)" href="pwqual.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="pwqual.html" title="Password quality interface (pwqual)"
             accesskey="P">previous</a> |
-        <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+        <a href="kadm5_auth.html" title="kadmin authorization interface (kadm5_auth)"
             accesskey="N">next</a> |
         <a href="../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -110,12 +110,15 @@ across versions as other public pluggable interfaces.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -143,7 +146,7 @@ across versions as other public pluggable interfaces.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -152,7 +155,7 @@ across versions as other public pluggable interfaces.</p>
             >Contents</a> |
         <a href="pwqual.html" title="Password quality interface (pwqual)"
             >previous</a> |
-        <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+        <a href="kadm5_auth.html" title="kadmin authorization interface (kadm5_auth)"
             >next</a> |
         <a href="../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/plugindev/kdcpolicy.html b/doc/html/plugindev/kdcpolicy.html
new file mode 100644
index 000000000000..55fadfcebeb6
--- /dev/null
+++ b/doc/html/plugindev/kdcpolicy.html
@@ -0,0 +1,168 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    
+    <title>KDC policy interface (kdcpolicy) &mdash; MIT Kerberos Documentation</title>
+    
+    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+    
+    <script type="text/javascript">
+      var DOCUMENTATION_OPTIONS = {
+        URL_ROOT:    '../',
+        VERSION:     '1.16',
+        COLLAPSE_INDEX: false,
+        FILE_SUFFIX: '.html',
+        HAS_SOURCE:  true
+      };
+    </script>
+    <script type="text/javascript" src="../_static/jquery.js"></script>
+    <script type="text/javascript" src="../_static/underscore.js"></script>
+    <script type="text/javascript" src="../_static/doctools.js"></script>
+    <link rel="author" title="About these documents" href="../about.html" />
+    <link rel="copyright" title="Copyright" href="../copyright.html" />
+    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+    <link rel="up" title="For plugin module developers" href="index.html" />
+    <link rel="next" title="Building Kerberos V5" href="../build/index.html" />
+    <link rel="prev" title="PKINIT certificate authorization interface (certauth)" href="certauth.html" /> 
+  </head>
+  <body>
+    <div class="header-wrapper">
+        <div class="header">
+            
+            
+            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+            
+            <div class="rel">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            accesskey="C">Contents</a> |
+        <a href="certauth.html" title="PKINIT certificate authorization interface (certauth)"
+            accesskey="P">previous</a> |
+        <a href="../build/index.html" title="Building Kerberos V5"
+            accesskey="N">next</a> |
+        <a href="../genindex.html" title="General Index"
+            accesskey="I">index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            accesskey="S">Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC policy interface (kdcpolicy)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+    <div class="content-wrapper">
+      <div class="content">
+        <div class="document">
+            
+      <div class="documentwrapper">
+        <div class="bodywrapper">
+          <div class="body">
+            
+  <div class="section" id="kdc-policy-interface-kdcpolicy">
+<span id="kdcpolicy-plugin"></span><h1>KDC policy interface (kdcpolicy)<a class="headerlink" href="#kdc-policy-interface-kdcpolicy" title="Permalink to this headline">¶</a></h1>
+<p>The kdcpolicy interface was first introduced in release 1.16.  It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket.  For a detailed
+description of the kdcpolicy interface, see the header file
+<tt class="docutils literal"><span class="pre">&lt;krb5/kdcpolicy_plugin.h&gt;</span></tt>.</p>
+<p>The optional <strong>check_as</strong> and <strong>check_tgs</strong> functions allow the module
+to perform access control.  Additionally, a module can create and
+destroy module data with the <strong>init</strong> and <strong>fini</strong> methods.  Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods.  The data has the type
+krb5_kdcpolicy_moddata, which should be cast to the appropriate
+internal type.</p>
+<p>kdcpolicy modules can optionally inspect principal entries.  To do
+this, the module must also include <tt class="docutils literal"><span class="pre">&lt;kdb.h&gt;</span></tt> to gain access to the
+principal entry structure definition.  As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.</p>
+</div>
+
+
+          </div>
+        </div>
+      </div>
+        </div>
+        <div class="sidebar">
+    <h2>On this page</h2>
+    <ul>
+<li><a class="reference internal" href="#">KDC policy interface (kdcpolicy)</a></li>
+</ul>
+
+    <br/>
+    <h2>Table of contents</h2>
+    <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
+<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">KDC policy interface (kdcpolicy)</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+    <br/>
+    <h4><a href="../index.html">Full Table of Contents</a></h4>
+    <h4>Search</h4>
+    <form class="search" action="../search.html" method="get">
+      <input type="text" name="q" size="18" />
+      <input type="submit" value="Go" />
+      <input type="hidden" name="check_keywords" value="yes" />
+      <input type="hidden" name="area" value="default" />
+    </form>
+        </div>
+        <div class="clearer"></div>
+      </div>
+    </div>
+
+    <div class="footer-wrapper">
+        <div class="footer" >
+            <div class="right" ><i>Release: 1.16</i><br />
+                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+            </div>
+            <div class="left">
+                
+        <a href="../index.html" title="Full Table of Contents"
+            >Contents</a> |
+        <a href="certauth.html" title="PKINIT certificate authorization interface (certauth)"
+            >previous</a> |
+        <a href="../build/index.html" title="Building Kerberos V5"
+            >next</a> |
+        <a href="../genindex.html" title="General Index"
+            >index</a> |
+        <a href="../search.html" title="Enter search criteria"
+            >Search</a> |
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC policy interface (kdcpolicy)">feedback</a>
+            </div>
+        </div>
+    </div>
+
+  </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/plugindev/kdcpreauth.html b/doc/html/plugindev/kdcpreauth.html
index b0566cfeb190..a755232152c2 100644
--- a/doc/html/plugindev/kdcpreauth.html
+++ b/doc/html/plugindev/kdcpreauth.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -155,12 +155,15 @@ callback to get an event context for use with the <a class="reference external"
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -188,7 +191,7 @@ callback to get an event context for use with the <a class="reference external"
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/localauth.html b/doc/html/plugindev/localauth.html
index a29a0aa4ae67..065df739a6e2 100644
--- a/doc/html/plugindev/localauth.html
+++ b/doc/html/plugindev/localauth.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -124,12 +124,15 @@ consistently.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -157,7 +160,7 @@ consistently.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/locate.html b/doc/html/plugindev/locate.html
index e8e4d650128e..bfb236c442f0 100644
--- a/doc/html/plugindev/locate.html
+++ b/doc/html/plugindev/locate.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,12 +113,15 @@ object.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -146,7 +149,7 @@ object.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/profile.html b/doc/html/plugindev/profile.html
index fb547ed2da3d..e35a7dbd4dfe 100644
--- a/doc/html/plugindev/profile.html
+++ b/doc/html/plugindev/profile.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -177,12 +177,15 @@ profile_module_init(const char *residual, struct profile_vtable *vtable,
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -210,7 +213,7 @@ profile_module_init(const char *residual, struct profile_vtable *vtable,
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/plugindev/pwqual.html b/doc/html/plugindev/pwqual.html
index 5c56a71819e2..2ce4c83a5eb3 100644
--- a/doc/html/plugindev/pwqual.html
+++ b/doc/html/plugindev/pwqual.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,12 +109,15 @@ it.</p>
 <li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Password quality interface (pwqual)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
 <li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
@@ -142,7 +145,7 @@ it.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/resources.html b/doc/html/resources.html
index 8d8b55faf0ed..c3c6e844bda9 100644
--- a/doc/html/resources.html
+++ b/doc/html/resources.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -167,7 +167,7 @@ administrators.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/search.html b/doc/html/search.html
index 0de8eb5e535f..fb6ebfc0b265 100644
--- a/doc/html/search.html
+++ b/doc/html/search.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -127,7 +127,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/searchindex.js b/doc/html/searchindex.js
index b66d718845fc..4ffa77ca326f 100644
--- a/doc/html/searchindex.js
+++ b/doc/html/searchindex.js
@@ -1 +1 @@
-Search.setIndex({envversion:42,terms:{libdefault:[794,10],req:[504,34,907,363,1,568,248,812,57],entropi:181,preauth_list_length:[829,644],"0x0011":[728,516],untrust:17,both:[504,821,907,812,515,70,463,208,17,248,4,532,275,493,330,814,215,662,44,203,437],localstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_auth_con_setflag:[745,181],principalnam:576,reboot:[613,895],four:[563,434,437,764,812,323],prefix:[812,10,672,493,181],dirnam:812,forget:[44,895,818,484],krb5_free_str:[509,188,181,110],whose:[521,895,484,276,302,17,794,812,70,184,473,56,323,44,32,45,88,104],string2kei:73,krb5_cc_get_config:181,"const":[449,3,453,876,671,230,672,494,485,12,224,247,249,881,586,631,480,235,701,31,703,708,274,277,719,49,723,815,286,287,51,507,291,292,734,59,744,300,72,752,77,38,310,759,81,526,765,242,535,811,331,102,791,663,914,110,111,341,282,344,346,69,565,349,568,569,124,910,827,818,577,821,819,131,620,136,137,831,832,140,835,240,595,658,377,378,840,841,39,603,385,606,609,853,389,114,856,394,863,397,399,400,403,524,258,632,877,362,251,887,188,417,267,890,190,191,628,421,422,197,901,903,848,789,428,820,657,373,627,436,857,211,917,215,444,505,669],krb5_sname_match:[731,568,181],aug:[70,44],sysadv6:713,cybersaf:[250,330],g_process_context:330,heimdal:[17,713],allow_renew:[70,44],salttyp:[423,10,248,690],ndnhnmn:176,concret:126,context_handl:[17,764],swap:[895,493],container_reference_dn:[44,484],under:[812,515,70,463,484,27,423,330,473,44,10,77,45,203],krb5_get_init_creds_opt_set_pa:181,keylist:[794,138],sha256:[10,248],worth:100,krb5_build_principal_ext:[731,181],merchant:330,digit:176,joeadmin:[44,32,100,184],everi:[895,181,812,100,44,10],risk:[521,248,27,73],downstream:[44,576],localhostnam:17,kvno:[794,423,361,563,895,70,762,147,248,275,711,138,321,73,100,44,309,519,370],userpkcs12:515,gssapi_ext:17,krb5_kt_cursor:[803,621,40,36],upstream:[44,576,452],slave_host:132,affect:[377,603,248,662,812,689,10,32,738,640],g_rel_buff:330,gss_store_cr:576,trailer:[17,181],look:[794,473,776,63,452,493,437,17,4,812,662,640,44,10,701,203,104,814],upn:[10,381,851,714,511],krb5_responder_context:[521,242,36,286,649,341,831,235,47,157,269],krb5_get_init_creds_opt_set_canonic:181,sclient:[762,361,814],supported_enctyp:[10,576,895,73,248],verif:[812,10,895],sequence_count:443,modtim:423,x86_64:[576,452],repres:[895,563,159,70,17,812],abil:[649,184,73,47],krb5_principal_compare_enterpris:511,miller:330,direct:[515,147,662,812,181,44],"10d":176,histor:[792,662],yacc:452,second:[449,422,287,394,51,793,372,10,493,511,461,411,302,17,18,686,29,640,504,852,628,130,70,27,318,812,368,914,323,265,904,34,208,327,662,176,189,279,44,45,437,104],krb5_auth_con_setrcach:181,"_passwd_phrase_el":889,krb5_enc_data:[336,114,840,39,259,636,36,669],krb5_address_search:181,even:[895,907,812,17,18,27,662,176,330,73,44,10,493,640,473],subsequ:[615,566,330,73,191,45,185],hide:[70,44,640],neg:[302,662],linkdn:[70,44],requisit:126,ptr:[741,856,826,17,526,598,473,901,309,324,910],krb5_auth_con_setrecvsubkey_k:181,ticket_flag:[44,484,793,323],krb5_get_init_creds_opt_set_renew_lif:181,conduct:275,"new":[774,504,855,724,434,895,70,17,147,248,181,423,73,699,44,10,812,794],dumptyp:423,topolog:689,metadata:423,krb5_kt_remove_entri:181,elimin:73,subtre:[70,10,515,484,44],algid:433,abov:[521,504,515,812,452,895,687,437,17,147,248,764,423,330,73,100,323,44,32,104],displai:[521,504,794,907,724,330,70,576,159,83,566,562,138,323,44,484,518,640],never:[794,820,759,434,131,51,812,70,119,73,56,44,10,791,104],etyp:[33,423,137,646,576],authorit:[393,687,226,812,698,608],here:[521,812,776,434,452,17,147,4,176,662,794,119,44,10,32,104],renew_til:[660,826,544,323],met:[437,330],krb5_cc_gen_new:181,cksum:[282,444,505,744,631],pepper2:72,path:[895,812,63,452,273,493,689,568,662,275,44,10,484,203,126],service_loc:226,interpret:[521,907,70,620,208,17,646,764,437,640],dry:423,hdata:656,alg_id:897,clientauth:812,krb5_verify_authdata_kdc_issu:181,krb5_set_default_tgs_enctyp:[105,181],precis:792,krb5_get_init_creds_opt_set_fast_ccach:181,permit:[70,208,181,812,44,10,32,188,532],krb5_pac_credentials_info:595,krb5_chpw_messag:181,ovsec_adm_import:[423,44],portabl:614,krb5_enctype_to_nam:181,service_nam:640,gssrpc:330,inittab:895,get_cooki:[576,850],realm_try_domain:812,unix:[794,812,228,662,423,10],krb5_string_to_enctyp:181,brg:330,mic_token:17,txt:[423,895,493],unit:[176,330,104,452],highli:[26,576],subjectaltnam:504,describ:[794,815,457,832,895,17,413,73,504,642,70,764,812,100,321,323,773,776,437,662,328,330,924,44,549,104],would:[613,576,56,10,493,119,895,17,184,73,473,521,504,764,812,100,321,423,273,540,662,44,104],ldap_kadmind_sasl_authcid:[10,484,44],init:[608,223,226,413,850,698,687,45,689],"0x02000000":[808,410],suit:[836,895,576,203,452],datadir:452,call:[521,895,17,662,812,321,73,44,10],clockskew:[812,794,568,640,815],recommend:[895,812,452,493,26,17,423,100,104,56,44,10,484,203,23,386],krb5_free_ticket:[102,181],difficulti:473,type:[70,423,45,724,484],until:[812,614,452,70,576,17,27,423,112,73,44,104],gss_inquire_nam:17,krb5_expire_callback_func:[907,36],unescap:423,maxtktlif:[44,484],krb5_auth_con_setport:[449,181],krb5_c_derive_prfplu:181,relat:[423,515,812,434,504,576,662,110,275,330,689,10,493,793],notic:[10,330,56,895],toolkit:836,warn:[895,907,855,70,576,330,44,10,126],exce:176,"0x00400000":351,free_str:[815,608],loss:[44,330],hole:[895,302,100,493],"0x00000100":587,unpack:26,must:[812,3,876,227,4,30,10,587,452,683,17,249,686,687,25,26,479,482,235,275,44,47,49,724,725,815,840,51,850,493,895,744,433,302,73,32,78,521,504,312,759,63,761,70,763,764,100,85,323,649,539,327,330,191,791,792,104,794,802,555,346,118,119,69,121,320,568,827,820,580,131,132,133,139,141,835,13,375,39,603,608,437,614,114,648,576,620,821,862,173,177,409,632,870,887,267,641,642,628,646,423,902,803,203,905,515,745,434,436,208,662,505,215,832,924,669],inputlen:182,g_compare_nam:330,word:[895,104],err:10,restor:[423,56],neglig:330,setup:[44,895],work:[70,423,724,689],krb5_verify_init_creds_opt_init:[521,519,181],server_kei:765,krb5_get_server_rcach:181,krb5_random_kei:181,rctmpdir:746,root:[794,613,63,452,895,437,812,100,184,73,56,10,32,783,119,814],"_krb5_cred_info":544,overrid:[812,70,208,423,73,44,10,45],defer:[17,608,687],renew_lifetim:812,give:[563,608,662,423,104,330,73,323,44,203,119,473],synchron:[794,895,566,147,181,812,73,753],kpasswd:[794,812,361,70,576,689,792,275,73,44,10,762,119],smtp:816,min_ver:4,indic:[70,423,73],fqdn:275,g_inquire_context:330,"0x0019":246,caution:70,unavail:[44,493,895],want:[895,70,437,226,588,662,104,44,442,203,119],pa_config_data:323,unsign:[615,453,454,551,877,635,185,577,360,525,647,479,914,108,374,651,596,377,535,843,101,154,91,499],krb5_keyblock:[876,840,111,734,736,11,346,69,298,179,300,247,181,143,349,72,310,369,131,322,197,483,653,603,210,669,791,505,444],crypto_test:330,enc:[794,70,576,423,882,44,10,793],end:[423,10,812,855],manipul:[44,155,515],quot:[176,70,423,672,44,549,489],ordinari:[576,203,73],keylength:604,how:[504,452,895,26,17,248,662,30,812,100,73,44,572,10,493],cname:[895,493,792,473],env:[273,504,812,147],answer:[521,812,341,181],verifi:[504,895,17,812,44,484,10],negoti:[10,576,323],krb5_mk_rep_dc:181,config:[361,855,524,452,737,576,764,812,28,137,44,836,10,77,762],client_cert:504,bindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],updat:[812,855,63,724,515,566,423,73,689,10],krb5_tc_match_flag:686,krb5_const:2,recogn:[504,70,147,812,10,783,640],outsid:[794,614],"_krb5_kt":582,x509:[504,576,640],rassen:330,after:[613,614,855,724,576,860,51,167,119,895,302,73,689,814,504,63,70,245,423,323,203,434,437,149,784,191,44,45,792,104],modprinc:[70,44,434,504],befor:[449,223,724,613,850,10,623,493,70,413,73,689,77,640,504,759,515,131,27,423,139,484,701,203,820,812,434,147,149,176,330,924,44,791,104],wrong:[504,437,330,434,104],krb5_cryptotyp:[551,924,36],retain:[724,70,330,184,73,44,10],core:[885,815,413,850,23],law:330,iprop_port:[10,44],sserver:427,demonstr:[73,814],krb5_principal_unparse_no_realm:489,renew_lif:[798,829],attempt:[423,776,743,434,70,519,437,17,812,275,44,556,323,10,493,639],third:[504,208,662,812,330,323],krb5_cc_last_change_tim:181,fallback_realm:687,opaqu:[251,181],bootstrap:812,credenti:[794,504,855,434,273,662,812,70,321,814,44,10,792],exclud:[423,576,100,56],alias:[794,515,70,576,138,473,44,493],maintain:[794,776,452,566,44,10,203],environ:70,incorpor:[10,776],enter:[504,895,70,764,104,914,832,73,484,44,45,119],exclus:[70,437,330],mechan:[515,70,812,321,44,10],order:[521,504,515,812,434,895,70,17,181,792,423,100,321,73,56,44,10,32,689],g10:330,origin:[521,452,70,17,764,330,73,44,493],belong:[352,792],feedback:776,softwar:[521,794,713,662,812,73],krb5_octet:[525,154,360,499,36],krb5_c_valid_enctyp:181,over:[794,10,493,895,17,876,248,181,72,73,77,310,473,521,812,100,776,208,662,44,45,505],govern:[44,330,25],becaus:[614,223,452,815,850,56,10,493,119,302,17,184,473,32,640,521,504,258,423,323,203,532,812,434,147,44],addit:[476,812,515,70,248,275,44,10,32],krb5_config:[895,63,273,132,576,812,28,45],privileg:[70,794,32],gss_c_nt_user_nam:17,keyboard:[423,44,45,181,689],enckrbcredpart:544,flexibl:[812,473],vari:[794,26,28,386,792,640],"_krb5_cccol_cursor":221,digest:[10,330],fip:576,directli:[521,476,812,895,70,17,275,44,10],clearpolici:[70,44,32],krb5_responder_set_answ:[521,341,181],fix:[423,576],krb5_cccol_lock:181,arg_keytab:[657,841],better:[44,78],krb5_deltat:[164,798,841,36,712,606,357,520],iprop:[10,576,330,63,689],krb5_responder_question_pkinit:[521,181],hidden:[521,848,139],solaris9ab:713,cred:[521,65,362,463,181,686,610],easier:[776,73],descend:614,krb5_get_init_creds_opt_set_tkt_lif:[521,181],them:[794,614,452,815,576,4,672,10,739,493,895,625,1,693,73,473,521,504,70,764,482,203,515,37,147,275,330,386,100,44,104],thei:[794,614,452,576,850,10,493,119,895,17,748,73,566,78,473,521,642,70,423,482,323,203,812,159,147,662,44,792,104],"0x0017":337,proce:437,safe:[812,267,662,181],slave_dumpfil:63,"break":[613,100,452],krb5_c_checksum_length:181,glorifi:4,uid_t:17,interrupt:[330,73,606],krb5_cc_lock:181,ccache_typ:812,gss_import_nam:[17,764],choic:[521,17,812,556,473,640],hhmmss:176,pkinit_dh_min_bit:[812,10],wrfile:73,newpw:[362,890,400],cb_data:[136,372],dumpfil:[423,44,452],accommod:521,lockout:[70,10,162,44],timeout:[10,208,73],each:[794,812,63,724,70,248,662,423,44,10,32,45,792],debug:[63,70,132,26,10,566],went:104,higher:[126,576,17,614],preferred_preauth_typ:812,side:[515,17,642,695,27,44],mean:[521,504,613,70,437,746,812,330,73,44,10,895,203,792,104,814],prohibit:[70,44,330],xconsortium:203,symmetri:10,autohead:203,resum:44,tlyu:[70,44],kcm_socket:812,appdata:812,lnsl:452,krb5_trace_nosupp:[853,372],nii:437,kdc_opt_renewable_ok:812,cusec:[904,727,457],service_passwd:[44,484],eku:[812,10],extract:[794,895,70,576,159,44,32],krb5_responder_pkinit_challeng:[521,649,269,36],otherrealm:812,krb5_init_creds_get_error:181,network:[794,452,56,493,174,119,895,17,184,306,473,521,642,70,768,812,100,836,275,664,606,44,45,104],log_:10,newli:[504,614,695,141,744,70,363,603,568,1,423,72,234,44,69,203,576,505,642],krb5_decode_authdata_contain:181,kdc_principal_seq:504,krb5plugin_service_locate_ft:226,content:[776,855,566,423,73,814],rewrit:27,kdb5_util_prog:63,reader:812,gov:[812,330],forth:812,wst:138,onlin:73,krb5_free_host_realm:181,inop:73,ignore_acceptor_hostnam:[812,17,473],krb5_address:[378,536,723,224,36,693,875,287,394,555,657,371,399,625],getrandom:576,situat:[10,493,646,73,662],ntt:330,free:[521,731,12,181],standard:[504,566,159,70,540,17,147,423,330,73,44,10,576],jennif:[70,44,119,104],"_krb5_pa_pac_req":767,"_krb5_responder_otp_tokeninfo":897,md4:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],md5:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],orig_hostnam:188,semfiajf42:10,workaround:473,libedit:452,argument:[521,449,535,70,689,181,423,784,73,151,44,10,45],openssh:[473,662],default_kdc_enctyp:746,openssl:[812,504,576,452,515],filter:[812,10],shrubberi:713,renew:[812,70,181,423,44,484,10],iso:26,unabl:[812,44,56],unknown:[97,147,814,323],regress:203,"_krb5_crypto_iov":924,onto:[812,895,100,56],licens:[26,462,452,576],user:[794,855,10,493,895,17,73,32,473,504,63,515,70,423,321,484,812,776,434,208,147,44,792],gss_ctx_id_t:[17,764],kfw:576,rang:640,entrycsn:855,render:[203,73],krb5_mk_rep:181,krb5_mk_req:[784,272,181],independ:[907,452,684,248,812,293,629],lockdown_kei:[70,44,32,576],thereof:330,restrict:[70,181,30,812,73,484,44,32],hook:181,unlik:[614,576,73,104],alreadi:[298,614,515,452,895,208,423,73,126,44,595,203,437,640],messag:[70,63],wasn:449,name_str:504,needchang:[70,44,484],agre:330,primari:[70,44,181,491],permitted_enctyp:[812,248],krb5_get_fallback_host_realm:181,krb5_auth_con_initivector:181,gss_mech_interpos:764,top:[614,203,26,126,45,493],krb5_rd_priv:181,kern:10,evolut:576,noout:504,fiction:4,travers:[423,44],krb5_kt_get_entri:181,master:[855,63,70,132,566,484,423,689,45],too:[820,759,207,131,791,422,70,129,44,346],krb5_realm_compar:[731,181],similarli:[794,672,118,104],krb5_cc_copy_cr:181,recent:[257,724,17,248,181,423,56],dict_fil:[10,689,455],outag:493,listen:[895,63,576,689,10,45,493],consol:10,randkei:[895,504,70,576,73,44],krb5_ldif:855,gss_c_buffer_flag_alloc:17,tool:[423,44,515],keytab_fil:640,noninfring:330,an2ln:[812,608],task:[521,535,73],somewhat:[504,27],nokei:[70,44,504],clpreauth_mymech_initvt:4,keyid:504,target:[895,614,576,17,812,323,32],keyword:[176,812],generalstr:504,provid:[794,614,452,815,286,493,119,895,17,568,248,473,689,885,519,576,521,504,70,639,812,100,203,515,776,437,147,662,149,275,330,44,45],verto:[330,452],gic_opt:413,krb5_address_compar:181,tree:[44,776,515,855,895],krb5_pac_server_checksum:595,cppflag:452,project:[776,452,576,4,330,303],matter:[812,56],nctx_out:141,getprinc:[434,70,576,423,73,44],krb5_checksum:[401,505,181,444],conf_keyfil:[44,484],minut:[812,821,484,27,176,104,215,44,10,119],krb5_encrypt_block:[222,419,36,719,261,526,896,856,910,609,819],userprincipalnam:10,lawyer:330,close:[458,100,88,543,181],boston:493,pass:[853,114,452,226,51,167,732,556,400,10,623,203,17,73,640,641,840,759,131,764,649,372,31,820,812,39,208,662,316,47,791,437,669],eventu:493,keyinfo:423,compon:[521,504,453,17,632,181,318,812,877,672,662,586,32,473],raw:[10,203],seed:[401,639,282,832],manner:330,increment:[63,566,73,689,10,32],"_krb5_pa_server_referral_data":220,slaptest:855,incompat:[885,812,203,452],minu:10,krb5_replay_data:[267,522,821,36,732,832,215,254],strength:576,realm:[794,855,63,70,132,484,423,321,73,689,32,45,814],pkinit_anchor:[504,70,812,44,10,640],delegated_cred_handl:17,new_mkey_fil:[423,44],latter:[515,18],thorough:493,kpasswd_serv:[275,812,493],contact:[812,614,63,606,70,132,518,275,698,44,10,493,23,73],krb5_set_principal_realm:[731,181],krb5_copy_address:181,output_cr:17,get_cr:521,expens:434,safe_checksum_typ:812,sock_dgram:226,though:[203,73,104],usernam:[504,863,895,70,208,17,812,104,573,44,640,814],kdb_log:330,glob:[70,44,423,794],object:[515,423,70,812,484,10],what:[812,540,17,27,4,455,423,413,850,73,44,10,32,119,248,104,473],last_success:423,regular:[504,895,437,17,812,73],letter:[895,493,104],eavesdropp:27,phase:437,choos:[515,73],authdatum:373,tradit:[423,434],cksumtyp:[600,272,247,385,744,674,91,310,505,756],ad_typ:[436,360,323],don:[614,452,437,814,116,203,119],krb5_auth_con_set_checksum_func:181,"0x00000004":[788,177,768],unpleas:73,"0x00000008":[202,664,763,16],lose:[423,44],lpr:10,doe:[794,614,452,815,620,494,10,346,701,119,895,17,632,73,129,687,519,473,521,504,642,63,70,135,764,423,874,374,203,812,708,437,159,330,608,44,45,104],declar:17,probabl:[895,423,73,44,203,814],wildcard:[783,10,32,576],krb5_auth_con_setaddr:[449,181],left:[812,10,4,316],sunwaadm:713,profile_vt:815,gss_get_mic_iov:17,random:[794,895,70,181,423,73,44,10],radiu:[10,208,576],pkc:[812,118],kerber:[895,437,73,792],krb5_anonymous_princip:181,kdc_err_more_preauth_data_requir:576,addr1:[287,394],protocol:[812,724,70,17,181,275,73,827,44,493,869],priv:181,involv:[812,850],consolid:776,arcfour:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],layout:[28,17],acquir:[70,44,17,423,181],rcach:[522,732,832,586,458,543],delet:[794,812,724,70,423,138,484,32],tty04:10,maxfailur:[70,44,434],configur:[70,566,484,689],bind_dn:70,krb5_checksum_s:181,auth_gssapi:[70,44],busi:330,ldap:[70,689,423,95,484,45],krb5_c_is_keyed_cksum:181,folder:812,pwservic:10,serv:[812,44,576,689],incorrect:[434,685,104,925,493,119],klein:330,likewis:437,stop:[45,4,689],compli:330,pcred:522,krb5_copy_data:181,credentials_cach:[70,44],db_module_dir:[10,515],cryptographi:73,report:[576,27,423,473,640,836,23],pa_hardwar:850,net:[812,330,713,23],qop_stat:17,bar:[423,812],g_export_nam:330,relianc:812,krb5_principal_compare_any_realm:[731,181],baz:812,"_krb5_responder_pkinit_ident":771,twice:[895,25,223,70,323,44,119],bad:[895,818,125],pkinit_kdc_hostnam:[812,504],max_renew_lif:423,krb5_k_make_checksum:[505,181],gss_c_both:17,testdir:147,krb5_build_princip:[521,731,181],respond:689,policy_nam:[44,484],human:[176,576,110],krb524:812,output_nam:764,padl:330,securid:[576,592],krb5_is_thread_saf:181,datatyp:155,num:566,mandatori:[600,744,631,247,385,310,505,444],result:[521,298,776,17,855,504,708,133,147,840,181,812,515,72,73,44,876,493,818,794,669],krb5_process_kei:181,respons:[615,390,850,343,238,559,634,68,569,362,413,185,689,75,640,521,504,583,70,636,518,27,34,907,687,330,44,543],corrupt:[423,44,576,56],themselv:[423,44],db_librari:[10,855,515],best:[895,73,473],subject:[504,776,812,330,44,10],awar:323,iterator_fre:815,stashfilenam:[423,44,484],authto:507,krb5_crypto_type_data:[385,247,310,600],remote_port:625,databas:724,krb5_verify_init_creds_opt:[521,572,519,204,36],krb5_set_default_realm:[449,181],discoveri:[895,792],gss_c_nt_machine_uid_nam:17,fail_count:423,xvm:73,simplest:[614,17,203,662],allow_tgs_req:[70,44],awai:[119,147,73,104],krb5_kdcpreauth_modreq:850,approach:17,include_pac:767,attribut:[515,855,70,208,484,248,423,321,44,10,32,566],accord:[563,502,70,208,393,646,764,812,28,323,44,437],extend:[812,10,855,181,504],krb5_pac_fre:181,change_tim:[449,237,257],ccach:[70,147,181,125,44,88],weak:[812,10,147,73,248],sysdoc:713,extens:[504,576,17,764,827,126,493],harvard:330,preprocessor:452,extent:[576,330],entryuuid:855,toler:812,pkinit_ident:[812,10,504],k5login:[762,748,662,812,437,119],krb5_init_secure_context:[624,181,862],protect:[794,504,267,745,434,576,17,248,27,423,100,832,827,118,78],g_imp_sec_context:330,expos:[521,70,437,423,525,73,44,640],ss_lib:452,howev:[100,504,812,434,70,493,423,330,73,56,44,10,203,792,104],krb5_responder_pkinit_get_challeng:[521,181],against:[521,895,821,695,373,724,258,631,568,181,812,73,215,662,10,493,444],krb5_tc_match_srv_nameonli:686,krb5_auth_con_getkey_k:181,logic:493,countri:330,mkeyvno:[423,44,484],com:[855,147,566,10,493,119,563,184,473,576,504,515,70,812,138,321,423,434,713,662,783,330,44,104],compromis:[613,614,812,100,73,56],fullname_out:509,rcommand:260,default_realm:[895,815,662,812,687,792],data_length:651,foobar:[493,184,452],int32_t:546,iterator_cr:815,loader:452,krb5_cc_store_cr:181,written:[330,70,159,847,689,77],exemplari:330,guid:[794,162],assum:[562,298,449,918,26,17,248,812,72,73,640,10,77,895,493,208,104,386],summar:562,sclogin:10,duplic:181,reciev:1,krb5_string_to_timestamp:181,byacc:452,failuretim:[70,44],krb5_enctyp:[450,224,105,551,730,55,171,604,868,69,298,530,871,349,143,182,22,755,819,657,896,365,137,370,411,597,378,36,711,603,149,316,651,91,825],fri:566,three:[642,434,576,248,73,323,493,104],been:[562,298,614,812,434,748,764,27,423,330,73,44,885,10,104,814],beep:[386,104],anl:812,keyspac:73,interest:[812,27,434,746],realmnam:[521,504],token_id:897,gss_krb5_nt_principal_nam:17,allow_dup_skei:[70,44],nofail:521,krb5_cccol_have_cont:181,life:[70,44,32,640,484],rather:[100,812,614,615,794,70,493,689,764,423,563,185,129,44,10,484,45,203,640,473],krb5_princ_nomatch:[422,318],krb5_auth_con_getkei:181,encourag:812,suppress:[452,70,437,646,423,386,44,10,576],s4uself:10,worker:45,search:[812,10,484,181,44],telnet:[812,260,437],anywher:119,pkinit_require_crl_check:[812,10],krb5_prompt_type_preauth:591,ldif:855,krb5_unparse_name_flag:[731,181],krb5_const_point:[401,261,222,282,36],sender:[267,821,832,215,189],krb5_425_conv_princip:181,ident:[70,10],appl_vers:[695,642],gnu:[576,330,203,473,452],servic:[724,63,70,814,484,45],properti:[812,762,330],commerci:[812,504,330],session_enctyp:[70,44],krb5_no_2nd_tkt:422,vagu:452,anchor:[812,10,640],keytyp:45,spawn:689,ulog:[10,44],kadmind_port:[10,895,689],printabl:[235,242],mexico:330,kdcproxi:275,tabl:[70,44,423,181],userpolici:[44,484],iov_count:17,disjoint:776,gssapistrictacceptorcheck:473,krb5_cc_select:181,conf:[794,476,776,855,63,724,70,132,566,484,95,423,138,321,73,56,689,427,32,45,814],module_nam:812,sever:[794,504,614,452,70,493,27,812,44,321,323,836,10,203],krb5_kt_start_seq_get:[621,181],disabl:[328,812,452,895,273,493,372,147,748,662,248,167,70,241,73,44,10,623,203,473],intact:330,target_princip:32,incorrectli:104,perform:[895,812,515,70,689,423,814,484,44,10,32],suggest:[776,907],make:[794,855,56,10,493,895,17,248,181,73,814,504,515,70,423,100,812,776,434,147,662,604,44,792],camellia:[10,576],bunni:493,default_tkt_enctyp:[812,248],krb5_principal2salt:181,disable_lockout:[10,434,515],krb5_princ_set_realm:2,complex:576,split:[70,576,493],big:[302,563,764,323],gss_unwrap_iov:17,return_pwd:914,complet:[121,17,812,642,761,860,133,568,245,423,73,44,10,484,155,493],uninterrupt:73,unlockit:[70,10,44],evid:17,rfc4120:275,krb5_k_reference_kei:181,keydata:423,pick:[10,203,504],hand:[44,73,895],idea:473,"0x0101":749,"0x0100":[778,262],tune:493,squar:[812,10,662],gss_verify_mic_iov:17,g_glue:330,kept:[70,10,100,56,44],krb5_init_creds_set_keytab:181,scenario:73,kprop:[423,427,689],thu:[44,437,27,452],default_profile_path:746,inherit:[437,119],krb5_boolean:[18,584,863,494,399,171,510,511,411,871,631,247,71,358,130,394,368,265,36,37,912,385,920,789,444],client:[794,476,515,273,248,662,812,70,321,73,44,10,814],shortli:[792,119],rekei:73,thi:[812,453,227,230,877,9,458,12,411,243,726,463,17,247,248,249,686,586,566,256,257,631,693,639,483,699,484,703,486,555,708,272,37,273,279,44,45,49,502,724,504,840,51,507,842,732,734,56,10,736,895,738,493,298,743,745,65,1,70,72,73,689,32,69,310,521,522,312,759,63,81,348,100,85,245,774,89,776,94,191,651,102,791,792,794,796,105,107,340,110,111,112,716,648,346,723,565,349,334,725,124,814,357,859,575,818,473,369,131,363,364,921,144,658,377,600,841,39,603,147,149,385,606,610,543,611,114,855,412,194,166,887,168,171,621,403,625,869,406,624,178,524,409,876,181,182,882,185,753,188,417,267,133,744,644,421,422,322,423,920,653,428,820,515,907,627,434,436,208,801,662,915,916,666,217,832,444,505,669],gss_inquire_cr:17,programm:540,preauthent:[162,70,662,812,321,44,10],krb5_is_referral_realm:181,gss_c_buffer_type_mic_token:17,"0x00080000":459,unchang:[70,794,437,73],lr_type:503,identifi:[267,812,45,362,586,661,662,249,730,330,793,689,324,78],just:[794,895,614,812,643,746,437,17,423,413,184,73,44,10,267,203,792,104],krb5_bad_enctyp:[651,251],"_kerbero":493,via:[521,895,776,812,63,434,70,181,423,44,10],addent:138,krb5_auth_con_setsendsubkey_k:181,yet:[895,614,812,452,423,473,885,44,104],previous:[70,44,17,423,181],"0x00000010":[812,683,858,861],easi:[104,434,73,56],krb5_principal_parse_require_realm:632,interfer:203,krb5kdc_err_key_exp:606,had:[895,662,423,184,104,44,119],admcil:32,"0x00010000":[297,7],newest:44,els:[437,119,104,4,895],save:[504,563,667,16,576,850,115,266],hat:330,opt:[796,798,725,107,229,556,55,743,407,827,817,575,520,521,644,81,371,142,532,706,907,537,37,540,787,280],applic:[776,814],rev:[423,44],preserv:[423,44,330],donat:[44,330],vaniti:473,filesytem:504,euid:[812,28],database_nam:[10,895,44],krb5_tkt_creds_init:[735,181],krb5_get_init_creds_opt_set_etype_list:181,daemon:[228,63,812,44,10,32],herebi:330,ctime:[904,727,457],specif:[476,515,895,70,689,248,812,73,44,10,32,45],arbitrari:[70,44,17],uint16_t:810,moira:330,manual:[895,776,452,423,44,45,203,792],unstabl:223,krb5_ccselect_moddata:698,krb5_c_keylength:181,v4_instance_convert:812,unnecessari:44,krb5_mk_1cred:181,kdc_max_dgram_reply_s:10,underli:17,www:[515,576,713],right:[820,759,462,131,484,330,44,10,32,791,924],old:[794,504,743,724,895,70,576,812,211,27,423,73,44,10,38,869,119],deal:[614,330],interv:[895,434,63,70,176,44],krb5_principal_compare_flag:[731,181],intern:[482,208,72,147],kadm5:[70,423,689,476],indirect:330,successfulli:[521,907,434,70,17,857,423,814,572,44,59],"0x80000000":[670,290],krb5_no_tkt_suppli:[422,318],transmiss:56,insensit:[176,424,493,511],wicker_foot:4,normal:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_auth_con_setrecvsubkei:[449,181],dbname:[70,44,45,423],buffer:[164,129,207,17,181,149,39,832,185,171,44,756,346,597,669],krb5_k_encrypt:181,equal:[794,302,437],krb5_prompt_type_new_password_again:591,icr:17,timestampp:781,foo:[70,423,812,794],localhost:794,gss_iov_buffer_type_data:17,krb5_princ_siz:[439,2],gss_s_unavail:17,insecur:[100,17,493,73,656],pose:73,delold:[73,724],key_exp:324,krb5_cc_cache_match:181,promot:[330,73],repositori:126,krb5_typed_data:36,post:181,timeret:740,plug:330,krb5_kt_get_nam:181,sshd:812,sasl_authzid:70,alexand:330,unpars:[17,181],seqnumb:[312,85],slightli:452,appplic:181,simul:437,gss_accept_sec_context:[576,17,764],canonic:[812,794,792,515],cipher:[812,73,181,248],keyprocarg:730,g_imp_nam:330,krb5_auth_con_getremotesubkei:181,krbprincipalnam:515,free_valu:815,krb5_c_block_siz:181,telephon:330,almeida:330,authfrom:507,preauth:[33,576,878,413,850,323,10],krb5_tkt_creds_get_cr:[735,181],init_cr:521,deploi:[504,208,203,473],encod:[521,274,812,181],default_principal_expir:[176,10],libev:330,down:[493,27],creativ:330,ad_kdcissu:[403,373],formerli:285,wrap:44,initvector:869,info2:576,storag:[521,49,693,463,164,227,181,171,625,597,756],compile_et:452,accordingli:203,allowedkeysalt:[70,44],wai:[614,603,452,107,556,493,119,176,17,885,126,576,521,642,812,159,662,783,330,608,44,104],support:[70,423,45,689],transform:452,disable_last_success:[10,434,515],avail:[812,70,423,138,73,10,814],reli:[794,895,452],krb5_pac_init:181,editor:776,krb5_c_random_add_entropi:181,telegraph:330,fork:[895,437,45],head:812,iprop_resync_timeout:[10,44],disallow_forward:[44,484],form:[794,613,614,576,620,10,493,562,895,17,249,816,640,267,70,527,812,832,235,701,783,776,273,662,275,330,386,44,918],offer:452,altogeth:10,x509_anchor:[812,640],refcount:576,back:855,krb5_k_create_kei:181,k5login_directori:[812,662],admin_serv:[895,63,70,812,44,10,493],krb5_init_context:[624,181],"true":[566,394,863,494,399,171,10,510,511,411,871,17,18,248,71,184,73,572,358,473,504,130,727,812,368,584,767,265,515,907,434,208,147,912,44,789,792,793],freenod:23,reset:[521,434,70,576,916,372,44,566],absent:640,attr:[81,515,878],ldap_kdc_sasl_authcid:[10,484,44],wicker_slat:4,inquir:[70,44,32,794],passwd_phrase_el:[443,36],maximum:[521,812,794,70,484,423,104,914,850,73,44,10,374,45,493,792,640],tell:[540,104,689,45,203,119],inaccur:812,gss_export_cr:17,fermi:330,absenc:[521,10],mitiys4k5:895,distclean:203,autoconf:836,retir:95,"30m":176,trim:[39,669],later:[827,563,302,17,147,248,608,44,330,473,191,687,10,493,118,792],alongsid:895,hardcod:[815,614,159],chrand:[70,44],decrypt:[70,44,17,434,181],krb5_auth_con_fre:181,outcr:627,ipropd_svc:330,exist:[521,895,776,812,724,434,515,70,17,181,423,662,100,73,484,44,10,77,859,794,823],krb5_cc_get_nam:181,request:[794,812,63,515,70,566,689,423,321,73,44,10,32,45],getusershel:437,check:[895,662,17,181,812,124,814,44,10,428,686],maxpathlen:109,courtesan:330,vista:[576,248],gss_c_no_credenti:17,encrypt:[794,724,70,423,73,56],kadm5_pass_q_:455,inauthdat1:628,krb5_get_in_tkt_with_skei:181,when:[223,452,453,455,230,672,10,12,726,17,248,249,686,687,254,23,73,695,27,28,698,701,30,711,491,40,745,275,308,316,718,44,45,723,815,51,507,292,734,56,509,739,493,895,744,433,606,1,559,143,517,689,489,521,504,63,70,764,321,323,88,812,535,540,159,543,783,191,102,549,104,794,796,105,107,110,111,556,118,119,69,562,565,566,568,569,814,357,473,821,369,363,586,914,921,141,126,658,730,841,603,147,384,848,386,608,91,610,208,614,576,393,860,862,736,915,406,524,875,632,877,251,887,188,640,641,364,642,628,644,420,646,765,245,423,901,903,653,656,515,627,872,436,437,684,662,792,832,505],actor:32,database_modul:[10,855,515],krb5_free_error:181,test:[70,566,812,73,44,45,814],krb5_c_crypto_length_iov:181,roll:44,"0x40000000":[541,335,720,770],realiti:776,krb5_get_default_realm:181,bullopensourc:713,intend:[521,70,437,17,147,848,44,45],krb5_plugin_vt:4,kdcpreauth_plugin:850,g_dup_nam:330,center:[836,45,330],outreach:73,krb5_pac_sign:181,muse:330,consid:[776,452,258,147,27,812,73,323,493,792],easili:[895,576,203,73],krb5_c_random_to_kei:181,"_krb5_respons":583,camellia128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],lsocket:452,lastpwd:423,modpol:[70,44],longer:[452,453,30,230,672,12,726,17,249,686,586,254,695,872,701,711,491,40,308,316,718,44,723,730,292,734,509,739,493,744,745,684,1,143,517,32,489,88,535,102,792,104,105,107,110,111,69,565,568,569,357,821,369,363,364,832,141,507,627,603,384,91,610,393,860,862,736,915,406,524,875,632,877,251,887,188,640,641,642,628,420,765,245,901,903,653,656,658,436,549,921,505],furthermor:[330,73,907],libldap2:855,krb5_k_decrypt:181,pseudo:181,flag:[521,812,256,724,434,515,70,17,181,423,662,73,484,44,920,10,32,493,792],krb5_c_fx_cf2_simpl:181,krb5ccname:[562,614,273,918,437,646,386,191,640],pathnam:[504,812,63,746,159,662,275,689,44,203],srvtab:[138,159],time:[794,449,855,724,566,10,493,895,17,73,32,504,515,70,423,484,812,776,434,208,147,662,44,45],g_delete_sec_context:330,backward:[812,895,646,248,63],daili:73,krb5_string_to_cksumtyp:181,iprop_slave_pol:[10,63,44],mydomain:10,concept:869,relai:45,chain:[812,10],krb5_get_credenti:181,skip:[572,44,519,452,504],krb5_kpasswd_autherror:362,global:[515,524,273,484,181,812,44,10,77,32],newprinc:[70,44],gss_c_deleg_policy_flag:576,signific:434,supplement:10,netbsd:[576,330],extendedkeyusag:504,hierarch:[812,576,689],decid:[895,907,493,104],hold:[614,745,70,164,879,874,171,597,756],depend:[521,603,242,452,26,17,4,455,28,119,235,527,493,118,104,792],zone:[176,493,73],pem:[275,504,812,321,515],decim:[423,17,323],readabl:[794,613,812,576,159,110,176,100],lkrb5:540,krb5_wrap_error_messag:[140,181],decis:162,umich:330,"0x000f":[150,578],downtim:73,"0x000d":416,"0x000e":775,aspx:713,"0x000c":[899,199],keyindex:423,iakerb:576,sourc:[776,45],string:[521,895,812,70,208,17,248,181,423,321,662,484,44,10,32,493,794],impend:521,krb5_kdc_rep:[378,657,224,36],auth_to_loc:[812,662,608],krb5_salttype_to_str:181,netlib:452,feasibl:895,implicitli:812,condit:[504,437,330,393],ok_as_deleg:[70,44],exact:[515,26],local_realm:437,krb5_responder_pkinit_ident:[319,36],"0x00000020":[830,13,700],hour:[437,484,176,104,44,10,32,792,119],"0x0008":[305,482,619,84],"0x0009":[655,326],did:[895,318,422,104,258],mkeynam:[423,44,45],"0x0004":[414,804,83,834],"0x0005":[786,244],"0x0002":[92,383,355,867,902,127],"0x0003":[766,356],"0x0000":585,"0x0001":[913,301,696,456,233,426,539],item:[37,515,482,850],unsupport:[504,452],representaton:636,team:23,cooki:475,round:[576,850],dir:[562,504,614,452,273,918,812,28,386,10,640],in_data:[363,1,642],prevent:[5,812,223,724,788,70,576,1,27,248,275,330,640,44,10,32,45,119,473],slower:73,yyyi:176,pkinit_kdc_ocsp:10,desir:[580,226,452,363,17,662,532,556,73,44,346,437],krb5_cc_move:181,"_krb5_get_init_cr":829,plu:[10,437,104],sign:[504,70,17,147,181,812,100,44,10,32],"_krb5_last_req_entri":503,no_host_referr:[10,493],containerref:[44,484],btree:[423,44],port:[794,895,63,273,132,208,689,812,70,814,44,10,45],master_key_typ:[895,423,44,73,484,10],pw_expir:423,portnum:45,appear:[521,504,895,147,4,330,73,323,10,493],often:[515,203,159,662,473,44,885,10,493,792],krb5_cc_dup:181,repli:[615,248,167,796,850,623,59,563,569,413,72,185,917,640,814,521,422,83,907,139,35,857,848],krb5_get_init_creds_opt_set_proxi:181,systest:[70,44],remain:[449,614,907,223,70,302,17,192,423,330,850,73,44,689,10,437],krb5_get_init_creds_opt_alloc:[521,181],current:[812,724,662,515,70,566,181,423,191,138,73,63,44,10,493,473],sinc:[794,504,515,70,1,181,812,814,56,44,73],wors:812,subdomain:[783,493],krb5_appdefault_str:[124,181],an2ln_typ:608,va_list:[577,181,877],myrealm:521,deriv:[181,423,73,44,10,791,669],pkinit_allow_upn:10,gener:[794,724,434,566,248,812,100,73,56,44,10,32,814],krb5_responder_context_st:527,satisfi:203,explicitli:[449,223,452,895,37,576,662,70,73,44,32,104],modif:[895,812,566,181,423,32],address:[794,449,776,181,812,473,44,10,493,792],k5srvutil:427,along:[776,208,924,614,452],krb5_responder_otp_set_answ:[521,181],wait:[10,493,63,44],box:208,krb5_kt_free_entri:181,susec:457,rlogin:437,checksum:[812,17,181],sscope:[44,484],master_key_nam:[423,10,44],queue:[10,330],kcm_mach_servic:812,behav:[70,572,17,479,452],krb5_chpw_fail:606,extrem:70,bob:[437,184],output_payload_buff:17,commonli:[147,63],semant:521,regardless:[423,812,32,17],stduser:44,extra:[44,26,493,109,32],modul:[812,70,423,44,689,10],prefer:[159,70,107,17,812,473,687,44,576],expdat:[70,44],leav:[70,662,100,73,44,493,792],krb5_responder_question_password:521,fake:[521,812],marker:323,instal:[794,855,162,662,812,814,56,44,73],krb5_copy_authent:181,random_data:298,password_changing_servic:[70,44],old_cod:[38,140],memori:[17,147,447,181,453],sake:437,wicker:4,athent:606,univers:330,visit:104,live:[423,4],book:[794,576],criteria:614,msg:397,scope:[44,484],strdup:815,kbd5_util:44,challeng:[521,812,181],tightli:[613,100,73,662],athena:[794,895,452,70,815,484,662,812,330,104,100,44,10,32,119,73],krb5_mk_req_extend:[363,181],gssi_:764,log_daemon:10,afford:100,peopl:10,rlen:[535,877,577,453],ctype:[721,282,584,401,510,358],src_ctx:508,krb5_pac_get_buff:181,prototyp:[836,4],examin:[812,504,413,850],"_krb5_pwd_data":443,krb_ap_rep:181,ap_opts_use_session_kei:1,libpam:713,allow_tix:[70,44],subschema:515,default_kdb_fil:746,"_krb5_pa_svr_referral_data":304,runstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],prepar:181,ldap_kerberos_container_dn:[10,855,515],uniqu:[70,794,181],cat:423,descriptor:[256,695,642,234],krb5_responder_pkinit_flags_token_:118,preauth_plugin:[413,850],old_princip:70,can:[223,452,226,4,455,232,10,17,248,129,687,258,26,27,698,484,701,30,32,273,672,275,44,45,724,293,56,739,59,895,748,73,689,753,519,521,504,63,70,764,527,100,321,323,423,776,159,176,191,792,104,794,566,341,119,563,473,572,126,629,138,832,372,476,147,608,850,437,614,855,576,393,493,413,885,640,644,812,203,515,434,660,735,208,857,662,217],inadequ:147,purpos:[895,452,248,812,330,518,10,45],logon:[10,595,538],krbdev:23,sighup:[45,147],cred_usag:17,stream:[895,63,208,17,814,10],krb5_kt_client_default:181,curri:794,krb5_authent:[872,181],backslash:672,topic:776,spi:764,keyusag:504,kdclist:895,host_realm:687,surround:662,sharp:32,krb5_kei:[774,406,181,915,921,699],k5_random_kei:[143,298],krb5_respons:36,krb5_get_error_messag:181,alwai:[794,449,166,115,10,458,345,493,242,243,302,473,151,77,73,812,323,266,915,212,784,920,44,45,447],lxml:126,multipl:[794,614,576,4,850,10,493,895,17,73,640,521,504,70,27,764,812,321,203,515,434,273,208,662,783,78,44,45],strlen:[521,17],krb5_pa_server_referral_data:36,ch06s05:713,modulenam:812,sharealik:330,write:[895,614,515,812,434,853,815,27,662,423,138,848,776,44,10,45,532],till:34,purg:[70,423,576,27,73],krb5_keyusage_pa_sam_challenge_trackid:547,aklog:920,krb5_verify_checksum:181,krb5_is_config_princip:[731,181],map:[812,895,792,662],product:[895,330],krb5_kt_end:803,prof_no_rel:815,krb5_us_timeofdai:181,southern:330,usabl:181,sni:576,appnam:[124,428],membership:521,keyfilenam:812,xore:[812,568],commit:[566,330,223],mai:[794,1,918,223,452,725,568,576,51,30,167,437,796,850,473,10,623,493,869,119,562,895,746,31,302,17,18,248,857,413,72,73,687,885,32,519,78,386,521,504,642,63,515,70,639,27,764,423,482,323,701,203,783,377,812,907,434,39,273,815,208,603,147,662,792,176,436,330,23,640,44,45,919,334,104,669],underscor:[812,330],mcred:686,krb5_unparse_name_ext:181,man:[70,812,776,27,452],for_us:646,regularli:[493,56],gethostnam:[17,473],practic:[521,39,576,812,73,669],rep_cksum:220,failurecountinterv:[70,44,434],stdin:848,explicit:[515,662,812,73,32,493],kldap:[10,855],krb5_expand_hostnam:181,inform:[855,70,132,566,423,689],"switch":[228,73,662],preced:[437,812,73,45,493,302],combin:[794,63,70,17,248,181,44,10],block:[10,73,181],anoth:[349,70,147,181,812,100,56,44,9,10,493],outaddr:723,untest:452,ordinarili:[907,724],talk:27,ssh:[794,792],krb5_get_init_cr:[378,556,532],denot:[176,423,32,563],"_krb5_typed_data":647,anticip:[493,792],krb5_auth_con_getrecvsubkei:181,changeov:895,acl_fil:[10,32,895,63,689],pkinit_revok:[812,10],krb5_timestamp:[449,237,502,503,727,457,257,461,879,278,583,258,765,874,29,904,324,34,36,660,781,740,847,189,279,220,852],opensc:812,lss:452,key_stash_fil:[423,10,895,44],size_t:[721,222,164,282,674,171,401,149,530,247,879,182,310,690,759,131,261,365,831,874,901,597,820,600,825,148,604,385,316,651,756,791],still:[737,895,812,434,70,493,437,646,611,792,423,100,73,689,44,45,203,576,640],pointer:[449,1,223,226,4,455,555,292,850,798,320,242,409,334,17,569,413,125,752,309,521,522,191,628,479,591,698,372,324,887,656,535,276,781,397,544,341,875,924],keysalt:[70,794,724],dynam:[328,812,4,815],entiti:[17,330],fsanit:452,conjunct:646,unswapp:614,group:330,krb5_auth_con_getlocalsubkei:181,cygnu:[594,330],polici:[812,70,484,423,321,689,10,32],default_tgs_enctyp:[812,248],othernam:504,slotid:812,kadmin:[427,724],handle_out_of_space_error:17,platform:[614,26,203,576,452],window:[764,812,614,890,815,576,248,4,27,275,400,836,662,24,851,714,104,218],krb5_rd_safe:181,mail:[10,614],krb5_init_context_profil:181,main:[273,649,23,47],gss_c_null_oid:17,krb5_cccol_unlock:[112,181],krb5_error:[903,168,642,565,74],krb5_ticket:181,non:[449,114,1,724,725,247,576,840,30,730,556,400,737,302,631,568,18,70,73,77,640,890,759,642,744,258,131,639,812,323,32,820,907,39,437,857,792,385,44,444,791,540,505,669],within:[794,895,393,434,273,493,17,181,812,70,44,10,88],g_acquire_cr:330,krb5_set_kdc_send_hook:181,krb5_tkt_authent:36,supersed:[45,73],initi:[895,434,515,70,248,812,814,484,44,73],nation:330,underneath:515,therebi:184,krb5_auth_con_get_checksum_func:181,nlgilman:814,now:[504,841,63,895,83,73,357,493,104,606],discuss:[885,895,330,27,23],nor:[562,812,437,330],possess:104,outweigh:27,sequenti:181,term:[504,614,70,576,159,147,248,413,330,850,73,44,559],subkei:181,x509_user_ident:[812,321,640],krb5_cc_notfound:[163,393,88],simpl:[98,72,814,56,484,44],didn:[814,662],krb5_authdatatyp:[291,274,360,436,36],crypto:[377,580,530,452,576,812,330,73,836],separ:[812,776,515,273,38,484,211,662,423,70,672,482,321,44,217,10,32,45,493],krb5_auth_con_getflag:181,rock:[413,850],januari:[176,44],princ_tktpolici:423,ters:[70,44],compil:[776,452,746,540,576,437,330,203,26],failov:493,domain:[794,504,895,208,792,812,814,10,493,576,104],replai:[273,17,181],minclass:[70,44],regener:126,replac:[222,855,452,856,896,869,895,530,224,179,302,413,307,577,819,419,657,70,261,526,812,697,484,910,378,922,210,662,330,640,44,719],individu:[10,566,330,104],krb5_nt_srv_hst:[701,318],continu:[895,563,724,437,423,330,56,576],lookasid:452,ensur:[521,504,515,608,895,687,857,112,73,56,44,9,10,794,59,104],"0x4000":581,krb5_c_encrypt_iov:181,year:176,distributor:330,happen:[895,70,147,56,44,10,493,104],in_length:[401,282],g_seal:330,shown:[812,10,614],accomplish:44,gss_release_iov_buff:17,"0x0018":[295,156],space:[504,580,114,840,207,70,38,26,39,876,211,479,176,914,321,473,129,10,648,346,669],profit:330,precomput:181,krb5_prompter_fct:[357,606,36],bindpwd:70,krb5_last_req_entri:[324,36],"0x0010":[96,677,487,839],"0x0013":[529,873],"0x0012":[52,180],profil:[812,10,476],setstr:[70,321],"void":[722,49,557,798,688,815,372,227,801,167,842,168,796,508,55,9,623,62,59,120,60,555,624,743,178,407,409,17,486,124,882,428,151,278,22,752,376,38,520,397,572,521,226,331,644,194,725,480,136,320,371,140,264,357,348,240,142,144,204,269,706,89,901,907,537,435,911,912,94,857,211,845,784,811,848,606,787,666,919,103,157,280],internet:473,libkrb5:[812,17,662],krb5_parse_nam:[521,731,181],correct:[45,73,689],krb5_const_princip:[568,227,403,511,524,726,258,18,71,129,77,489,130,479,765,368,108,265,429,36,711,217,549],integr:[521,267,821,26,17,248,792,28,330,832,215,836,576,104],earlier:[895,248,30,812,608,10],krb5_kdcpreauth_moddata:850,"goto":521,pwexpir:[70,44,32],migrat:[44,576,147,73],chl_out:649,krb5cc_ttypa:104,envelop:[150,775,416,899],krb5_cc_resolv:[708,181],request_tim:583,return_padata:850,california:330,lab:[44,330,484],gss_c_no_nam:17,org:[515,576,713,812,330,184,484,44,203,126,23],"byte":[521,17,181,182,10,669],sunw_dbprop_master_ulogs:44,card:[70,10,812,44],care:[70,17,662,73,885,44,32],from_mast:[28,63],suffici:[70,44,73,452,484],g_inquire_nam:330,rule:[794,783,393,70,437,17,646,662,812,184,44,493],sysconfdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],refus:[895,73,814],recov:[423,44,413,576],turn:[794,434,63,437,812,914,848,452,792],gssi_import_sec_context_by_mech:764,place:[521,449,63,724,504,17,248,181,812,100,73,689,662,45,493,792],reject_bad_transit:10,principl:469,"0x001a":404,imposs:[44,434],frequent:[473,493,73,792],first:[449,615,452,453,566,287,394,51,372,796,473,10,493,511,895,563,411,302,17,248,185,687,126,32,814,504,25,628,130,70,586,27,86,423,368,914,321,323,265,203,812,515,437,159,662,783,330,924,191,608,44,104],oper:[794,515,724,70,566,484,812,73,689,10,32,45],redhat:576,carri:70,onc:[521,895,614,226,812,223,745,70,17,27,423,914,73,44,794,203,119,925],arrai:[70,521,208,17,181],tokeninfo:[514,831,433],yourself:104,acquisit:[17,739],rpcbind:44,"long":[614,815,576,109,341,850,493,559,242,17,248,413,73,473,504,70,39,159,147,330,44,669],yarrow:576,oppos:504,custom:[812,28,576,126],open:[521,423,181,812,217,44],predefin:493,size:[504,566,147,181,812,44,10],ret_as_repli:[378,224,657],given:[724,10,493,298,12,181,249,124,73,125,473,521,63,70,363,423,484,428,812,208,147,662,44,45],"_krb5_ccach":339,breviti:563,silent:562,convent:[815,493,549],local_port:625,teardown:203,fmt:[811,211,140,331,240,38],parallel:[493,576,45,203],krb5_tkt_creds_fre:181,citi:330,necessarili:73,draft:[391,576,552,542],userinfo:713,krb5_auth_context_generate_local_addr:256,conveni:521,friend:104,includ:[794,855,566,10,493,895,17,181,182,473,32,504,639,423,100,321,515,708,812,44,792,669],krb5_c_padding_length:181,allow_svr:[70,44,434],grant:[521,504,841,434,895,70,17,248,181,422,812,662,73,44,10,32,30,493,703,606],especi:[794,895,576,473],copi:[794,504,855,895,17,147,248,322,275,100,483,181,56,44],specifi:[794,476,63,70,132,566,484,423,321,73,689,10,32,45],test2:[70,44,176],kdc_default_opt:812,enclos:[176,10,812],pnl:812,mostli:452,gss_iov_buffer_desc_struct:17,krb5_tkt_creds_context:[121,615,739,36,735,860,62],e19253:713,holder:330,than:[794,614,615,473,185,576,287,10,493,119,563,302,17,248,413,814,129,689,32,640,73,504,642,70,27,764,423,100,484,203,656,812,434,662,44,45],royal:330,ckfrom:658,wide:[275,812,208],ciphertext:[820,563,759,39,131,636,840,114,182,370,791,669],sasl_realm:70,sasl_mech:70,gss_get_name_attribut:17,exampl:[70,423,566,484],kinit:[521,176,614,515,812,434,504,273,762,147,662,275,70,413,321,814,44,895,792],temporarili:70,posix:[423,563],balanc:[493,73,473],were:[794,895,614,576,17,812,330,73,519,239,104],posit:[423,302,662,434],new_message_out:59,worcest:330,kdc_princip:504,seri:[473,181],pre:[515,695,535,642,363,17,568,1,181,167,321,606,234,776],lowest:812,sai:27,prf:181,san:[812,10],sam:[576,564,601,602],keyblock:181,"_krb5_prompt":139,slat:4,krb5_init_creds_init:[753,181],ani:[794,473,566,393,56,10,493,895,17,181,73,129,32,818,686,521,504,823,63,70,423,100,321,859,812,776,208,147,662,44,45],ank:[70,44],dash:812,userconfig:812,properli:[275,504,147,452,895],krb5_cc_destroi:181,result_str:[362,890,400,110],bitwis:[118,65],engin:493,techniqu:521,advic:228,krb5_tc_match_ktyp:686,shadowlastchang:515,consortium:23,x509_proxy_ca:812,note:[15,325,423,725,70,393,248,176,213,100,850,73,484,44,10,547,895,203,812,104,907],krb5_ccache_conf_data:323,ideal:[521,44,203,794,895],includedir:[812,452],take:[449,389,223,732,10,493,119,298,17,248,73,32,521,812,482,698,535,437,603,147,662,176,100,924,44,45,104],advis:[330,73],"_krb5_error":457,hwauth:10,outptr:[261,222],noth:[27,63],channel:[521,208,17,73],begin:[820,812,114,759,39,131,815,208,323,840,662,423,687,783,44,739,791,689,669],sure:[794,515,70,484,147,104,73,640,44,792,119,814],eblock:[222,419,856,719,261,526,896,910,609,819],trace:273,stashsrvpw:70,multipli:434,g_accept_sec_context:330,compress:26,statu:[562,70,437,646,764,330,773,576],default_domain:812,krb5_kt_resolv:181,beta:[423,44],mk_req:376,krb5_get_init_creds_opt_set_anonym:[521,181],sublicens:330,pair:[812,855,248,878,423,10],time_rec:[576,17],america:330,krb5_encrypt:181,unalloc:316,renam:[70,44,576,223,452],ccachenam:452,adopt:812,drive:203,krb5_copy_checksum:181,aes128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_rc_requir:[522,732],sbindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],runtim:[273,28],subtag:812,krb5_decode_ticket:181,ckf_:118,salt:[794,724,70,603,181,423,44,10,69],hmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],gracefulli:764,recipi:[330,189],krb5_gc_cach:30,krb5_pa_data:[34,35,324,36],krb5_prop:[794,895,147],show:[562,614,724,147,423,28,139,126,10,104],"0x54800000":824,pkinit_ind:[10,321],ldapuri:[70,44,484],krb5_524_convert_cr:181,bin:[895,452,437,28,126,203],subprocess:45,"3h30m":104,tkt:793,"0x1fff":618,krb5_get_init_creds_opt:[796,798,725,107,229,556,55,743,407,827,357,817,575,520,521,644,81,371,142,532,706,907,537,841,36,37,606,787,280],permiss:[794,476,614,823,895,70,463,576,17,330,44,10,32,859,104],krb5_kdcrep_skew:422,threshold:44,kerberosnf:713,etype_list:[55,829],tend:794,unfinish:850,gss_wrapex:576,help:[504,452,815,540,27,23,576,104],xml:126,userdata:[267,832],onli:[794,812,725,566,51,30,399,10,493,869,895,17,248,181,73,689,32,310,686,521,63,515,70,423,100,476,907,434,147,662,44,45,792],slow:27,fenc:4,input_payload_buff:17,krb5_c_crypto_length:181,g_dsp_statu:330,activ:[504,812,63,110,423,386,44,73],state:[423,10,566,73,895],dict:[70,44,812],overwritten:[10,924],inaddr:723,krb5_free_checksum_cont:[505,181],nearli:70,variou:[73,162],get:[70,855,73,814],wicker_brac:4,secondari:895,ssl:[275,504,515],cannot:[70,44,794,434,504],om_uint32:[17,764],"import":[794,895,812,434,423,73,56,484,44,32],krb5_build_principal_alloc_va:[731,535,181],pipermail:23,requir:[794,267,504,107,725,229,732,473,832,10,604,493,895,566,17,876,248,181,814,689,254,73,521,522,821,63,515,70,827,423,100,321,651,377,812,434,208,662,149,215,44],krb5_use_enctyp:181,input_message_buff:17,ldopt:452,requires_hwauth:[70,44,850],krb5_prompt_typ:[591,36],delprinc:[70,44],krb5_sname_to_princip:[731,181],borrow:104,yield:850,across:[895,223,17,812,56,10,119],"_krb5_responder_otp_challeng":514,bison:452,krb5_key_st:78,krb5_cccol_cursor:[684,342,517,36],kpclientauth:10,where:[794,614,452,576,4,56,10,493,563,17,249,73,689,640,521,63,515,70,132,26,27,423,701,203,812,437,159,662,44,104],summari:[566,63],wiki:[576,203],kernel:[836,576,614],caller:[615,648,1,3,815,576,840,341,114,850,458,737,346,242,17,876,131,185,687,519,521,580,759,81,914,907,832,835,803,820,708,39,191,791,543,924,669],kiprop:[44,63,689],tekniska:330,nfsv4:713,ap_req_authdata:436,placehold:[836,26],keepold:[70,44,576,73],change_password_for:[890,400],krb5_transit:[826,36],krb5_auth_con_setsendsubkei:[449,181],krb5_responder_otp_challeng:[521,47,157,36],minlif:[70,44],request_init:413,krb5_c_random_make_octet:181,ocsp:10,detect:[522,63,452,27,764,423,732,832,73,44],review:26,enumer:73,label:[812,330],enough:[114,502,39,70,840,109,44,669],listinfo:23,between:[895,812,434,70,566,147,275,44,10],kdc_cert:504,pwchang:10,qop_req:17,krb5_cksumtyp:[721,282,600,272,36,584,435,247,674,590,385,505,401,744,154,91,510,310,358,756],krb5_principal_unparse_displai:489,oeap:775,kdb5_err:330,sname:[701,646],august:330,parent:[812,28,614,493],screen:104,krb5_free_checksum:[658,181],style:[691,811,70,812,846,140,331,44,493],tktpolici:[70,44,484],no_auth_data_requir:[70,44],cycl:576,sparc:576,kdb5_util_path:689,in_tkt_servic:[841,422,703,606],uncondition:[51,452],substhtml:126,come:[521,26,568,812,203,119],valid:[298,17,584,181,812,44,115,266,10,493],"0x00000040":870,krb524_krb4_disabl:345,fit:[374,330],"0x0020":675,pertain:[45,330],contract:330,enable_onli:[812,662],jqpublic:437,present:[632,341,10,239,562,895,242,918,302,17,18,838,73,815,254,640,521,504,63,27,812,321,833,235,595,203,515,907,660,273,208,159,732,662,386,216,44,104],krb5_finish_random_kei:181,mani:[434,70,147,662,812,56,885,44,493,104],krb5_princ_set_realm_data:2,stime:457,unrecogn:452,among:521,krb5_c_encrypt_length:[840,181],gss_c_buffer_type_data:17,krb5_cc_default:181,locate_plugin:226,output_message_buff:17,period:[812,63,434,423,104,56,44,10,640,73],dispatch:764,pol:[70,44,32],featur:[275,649,47],colon:[672,273,38,620,211,662,812,44,484,10,493],libdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],allow_forward:[70,44,484],supervisor:45,poll:[10,576,689,63,44],einval:[450,432,781,590,606,235],krb5_lname_notran:129,resynchron:566,krb5_k_key_enctyp:181,input_name_typ:764,marc:330,krb5_tc_match_is_skei:686,rebuild:[126,452],invers:302,mark:[895,258,70,423,330,44,10],krb5_invalid_princip:217,skei:[10,793],krb5cc_320:104,krb5_c_valid_cksumtyp:181,certifi:812,crawford:330,"abstract":[413,850,223,698,455],procedur:423,cipher_st:[820,114,759,39,131,840,791,669],manual_test:203,keyexchang:72,resolut:[794,437,17,792,473,576,656],gss_c_nt_string_uid_nam:17,krb5_c_verify_checksum:[505,181],optimist:[181,644],wake:794,rememb:[504,895,323],preauth_requir:[413,850],andrea:330,krb5_sendauth:181,those:[794,452,576,850,493,895,302,17,413,184,73,885,126,32,521,70,646,764,812,423,330,44],outcksum:401,"case":[614,1,724,4,850,10,493,511,783,17,568,413,73,885,32,572,521,25,642,70,316,27,423,424,701,812,907,436,437,159,662,176,330,608,44],ivec:[261,222],interoper:[504,614,400,890],principal_seq:504,enc_errbuf:903,gss_s_cred_unavail:17,cast:[223,226,4,455,413,850,698],invok:[521,566,608,25,63,437,226,764,812,784,138,850,814,191,372,44,689,640,907],db_lib:452,testus:[70,44],del_polici:[70,44],region:[600,17,247,385,310,924],setuid:[273,147],advantag:[812,100,73,248],stdout:[273,848,147],krb5_error_cod:[744,450,222,224,453,876,695,229,230,672,674,234,235,458,11,12,595,240,461,411,243,681,463,896,247,114,249,881,686,415,586,254,690,256,257,277,258,693,887,639,74,135,479,872,483,699,266,701,30,703,261,359,272,36,37,274,364,712,40,740,276,716,308,491,279,719,47,282,502,684,286,840,51,507,291,292,293,509,737,730,604,642,298,628,745,65,91,1,732,143,72,517,307,848,77,69,519,310,489,521,522,312,759,524,81,316,526,318,718,85,245,108,88,532,907,774,649,535,536,811,146,825,726,781,922,329,784,852,787,671,651,102,791,549,874,237,853,105,107,827,551,340,110,111,112,556,342,115,344,346,723,121,627,565,349,334,352,568,569,711,910,125,357,859,817,575,818,577,580,393,129,369,131,620,363,133,365,590,137,38,921,140,141,372,373,374,862,756,597,658,377,378,600,841,39,765,603,148,149,735,384,385,606,734,609,610,543,611,158,389,615,648,412,856,163,164,860,821,166,395,736,697,400,171,621,401,403,625,738,823,406,739,179,629,875,631,632,877,869,879,182,251,185,151,914,753,188,417,267,890,641,190,331,419,420,421,422,322,197,362,920,803,200,901,903,653,761,656,429,820,657,432,205,206,207,436,300,210,211,915,916,831,917,505,215,217,832,444,447,669],henc:814,krb5_deltat_badformat:712,worri:[515,203],ktutil:[427,724],gss_add_cr:764,authtim:[660,258,765,323],texinfo:776,krb5_pac_data:54,time_t:423,inquiri:32,krb5_randsourc:377,author:[70,10,812],media:[812,44,484],same:[794,614,452,576,287,394,51,4,111,556,293,9,10,493,119,411,65,17,18,511,72,814,689,77,640,130,70,629,27,764,812,368,484,265,32,515,535,208,349,662,78,191,44,45,437],trip:[576,850],binari:[812,100],epoch:181,pac:[70,10,181,44],pad:[17,181],timestamp:[812,181,423,73,266,115],autolock:330,grain:17,hxx:330,pam:792,week:[44,484],exhaust:100,default_ccache_nam:[812,614,191],finish:181,krb5_unparse_name_flags_ext:181,bb463167:713,"_krb5_verify_init_creds_opt":6,confidenti:[576,17,248],someon:[812,895,119,104,56],companion:208,krbcanonicalnam:515,capabl:[576,100,119],openldap:[70,855,484],common_appdata:812,preiniti:[648,580,876,346],improv:[776,434,576,812,73,10,23],extern:[10,17,855,323],kreen:330,cartoon:895,krb5_eblock_enctyp:181,krb5_c_decrypt_iov:181,krb5_string_to_deltat:181,macro:98,markup:[126,776],krb5_clear_error_messag:181,without:[504,614,812,434,452,895,70,203,208,17,478,662,649,100,73,63,44,10,738,59,47],krb5_auth_context_do_tim:[267,821,745,832,115,215,266],pktinfo:45,gain:[895,73,104],disassoci:[45,689],krb5_responder_list_quest:[521,181],inauthdat2:628,comment:[794,776],trust:[812,504,17,862,275,10,640],requires_pwchang:[44,484],authorization_data:[727,34,826],execut:[521,423,515,452,895,70,26,167,540],addrlist:399,extfil:504,krb5_free_princip:[521,535,453,491,393,181,731,877,12,726],acceler:330,rest:[662,452],krb5_free_ap_rep_enc_part:181,host_based_servic:[10,493],krb5_plugin_no_handl:[226,608,687],helpdesk:73,kill:895,invalid:[562,812,243,730,73,191,640,217,44,818,104,606],aspect:[885,794,662],flavor:[70,44],getstr:70,speed:515,subtree_dn_list:[44,484],samba:662,gss_buffer_desc:17,stai:[70,794],hint:[70,10,671,44],krb5_tc_match_tim:686,html_subst:126,regent:330,except:[794,70,363,17,576,812,330,44,10,32,493,437],param:[3,9,62,12,18,22,37,40,47,49,51,55,11,65,71,72,74,77,81,85,88,89,609,94,102,103,105,107,110,111,112,615,115,69,121,124,125,130,131,133,137,921,140,141,142,144,148,149,157,158,163,164,166,167,168,171,178,524,182,251,185,188,190,787,322,197,874,204,373,179,207,362,210,211,215,217,222,224,227,229,230,234,242,243,247,249,254,256,257,258,261,264,265,266,269,272,274,740,276,279,280,282,286,287,291,292,293,298,300,307,310,489,312,318,108,146,329,331,200,340,341,342,344,345,346,349,334,352,357,358,412,363,364,365,368,371,372,205,374,206,377,378,384,385,543,389,393,394,397,399,400,401,403,406,407,409,681,415,417,419,420,421,422,428,429,432,435,735,669,447,450,453,30,458,461,463,129,135,479,872,483,235,486,359,491,308,316,502,507,509,510,511,517,519,520,522,526,411,532,535,536,537,651,549,551,555,716,557,565,856,568,569,827,572,575,577,580,860,629,590,591,240,595,597,600,39,603,604,606,91,610,611,114,620,623,624,625,627,631,632,641,642,628,644,649,653,656,657,658,395,666,444,671,672,494,674,530,726,686,586,688,690,693,639,695,697,699,701,703,706,708,711,712,556,718,719,721,722,723,725,730,842,732,734,736,737,738,739,743,745,1,143,753,120,38,756,759,761,348,765,774,781,784,191,789,791,796,237,798,801,803,277,320,811,910,859,817,818,819,821,840,823,369,831,832,835,841,845,436,848,825,852,853,648,508,194,584,862,863,621,868,869,871,875,876,877,879,881,882,151,887,267,890,744,896,245,901,903,820,907,911,912,684,914,915,916,917,920,922,505],desktop:521,identif:[576,330],gss:[836,576,764,662,323],princ_look_ahead:437,ricciardi:713,treatment:493,versa:[504,576],db_arg:[70,44,45,689],vulner:[521,576,100,73,44,23],disrupt:73,princ_meta:423,microsystem:330,earli:73,"_krb5_context":[630,818,125],around:[44,452],krb5_c_is_coll_proof_cksum:181,read:[521,504,515,812,434,895,273,566,484,181,423,70,138,662,44,10],address1:323,address2:323,zephyr:[330,73],ap_req_opt:[363,1,568,642],inetd:[895,147,814,63],traffic:275,insist:437,grammar:[302,323],yyyymmddhhmmss:176,presum:27,fortuna:[576,330,452],gss_c_nt_hostbased_servic:17,intel:330,whitespac:[70,10,812,44],unimpl:4,apputil:836,integ:[794,504,563,70,208,812,44,323,10,302],server:[63,724,70,132,566,484,423,814,689,45],benefit:493,"0x20000000":[905,822,605,175],either:[794,449,614,4,10,739,59,121,17,248,184,504,895,364,479,812,482,832,203,515,907,434,37,761,208,147,436,330,608,44,437,104],rcmd:812,krb5_principal_compare_utf8:511,output:[794,895,70,840,349,131,876,566,17,147,181,423,273,72,44,10,791,669],iran:330,rollov:[423,44],manag:[815,762,576,484,44,32,792],iprop_listen:10,sbin:[63,28,814,452,895],my_cach:437,maj_ver:4,default_client_keytab_nam:[812,159],sha384:[10,248],legitim:[521,437,27],ldap_conns_per_serv:[10,515],krb5_kpasswd_softerror:362,adequ:27,krb5_free_data_cont:[524,181],authent:[794,855,70,423,73,484,45,814],respect:[895,70,30,176,693,672,330,625,119],load_dump:[423,44],krb5_set_password_using_ccach:[731,181],krb5_aname_to_localnam:181,constitut:330,err_fmt:[812,576],af_unspec:226,nonzero:[812,646,30],basic:815,krb5_pre_send_fn:[623,36],keytab:[63,724,70,132,138,73,814],confirm:[724,70,576,247,423,385,484,44],sudan:330,krb5_copy_keyblock_cont:181,highest:[794,730,812,70,423,711,73,519],definit:[836,10,45,321,330],token:[812,10,321],legal:[437,316],randsourc:377,"0x00100000":866,exit:[562,614,63,70,576,646,138,44,45,104],g_rel_oid_set:330,keyfil:[423,10,515,44],damag:[614,330],notabl:44,refer:[70,484],kdc_tcp_port:10,power:[576,493],krb5_realm_cant_resolv:606,inspect:[167,321,623,59,857],gratitud:330,openvis:[70,330],broken:[73,452],pressvr:73,fulli:[521,895,794,812,434,70,275,100,44,32,640],regexp:812,referr:[576,552,812,292,656,687,10,678,493,701,104,218],krb5_auth_context_ret_tim:[267,821,732,832,115,215,266,254],appli:[476,907,812,434,70,437,17,147,748,640,330,850,73,44,9,10,32,45,104],unicod:330,basch:330,src:[855,452,330,126,203,611],central:776,krb5_data:[49,840,110,669,346,69,298,524,300,876,181,362,124,77,580,131,197,428,377,922,349,603,791,505,444],krb5_timestamp_to_sfstr:181,acl:[70,476,63,689],addition:[812,208,45,104],krb5_get_credentials_valid:181,srv:[812,895,576,493,792],stand:895,act:[32,45,27,576],"_tcp":493,tape:100,routin:[812,139],cflag:[540,452],krb5_c_:[222,530,419,856,261,526,922,896,910,719,819],gss_import_cr:[17,764],multihom:812,surviv:614,krb5_kt_notfound:135,quietli:386,trademark:330,"01am":44,your:[776,814],willi:73,zanarotti:521,log:[566,63],her:[493,184,104],area:[521,895],heim_org:812,dec_error:903,brute:[44,73,434],overwrit:[423,44,881,386],krb5_copy_ticket:181,start:[794,812,776,855,63,515,70,689,228,248,423,73,44,10,32,45],interfac:[70,10,138,45,73],ipv4:473,lot:493,ipv6:[812,576,473],besid:812,strictli:895,restrict_anonymous_to_tgt:[10,504],unam:662,krb5_principal_compare_ignore_realm:511,krb5_encrypt_s:181,tupl:[70,44],bundl:[812,330],regard:330,jul:176,krb5_auth_con_getaddr:[449,181],krb5_cc_get_full_nam:181,preselect:640,krb_ap_req:181,krb5_responder_otp_get_challeng:[521,181],src_name:17,cryptograph:[576,17,73,330],padata:[34,35,850,413],faster:[493,614,203],tripl:[10,576,73],immedi:[812,576,423,850,73,44,493],krb5_rd_cred:[732,181],possibl:[521,504,515,812,434,453,70,17,248,181,423,100,73,56,44,10,484,895,493,794,473],ovsec_adm_export:[423,44],spnego_mech:330,krb5_get_init_creds_keytab:[657,181],unusu:[504,662],mkey_convert:[423,44],krb5_init_creds_step:[245,181,761],sasl_authcid:70,krb5_init_creds_get_tim:181,connect:[895,63,70,689,44,100,814,484,10,473],cbc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],proxy_imperson:323,uid:[614,437,17,812,28,184],creat:[70,689],certain:[452,107,646,100,330,44],todd:330,gssapi:[812,10,321],fellow:330,krb5_cksumtype_to_str:181,decreas:[812,159],file:[70,132,484,423,689],krb5_pa_pac_req:36,yymmddhhmmss:176,encompass:17,fill:[217,521,129,181],workdai:792,again:[764,895,27,662,104,44,772,792,119,73],gss_import_sec_context:764,adminjohndoefoo:812,osconf:26,dbmodul:[70,855],reforward:104,krb5_cc_default_nam:[181,125],prepend:[38,493,211,452],field:[521,449,812,434,504,70,208,181,423,44,10,493],cleanup:[521,815],collis:181,gss_c_dce_styl:17,writabl:[815,158,895],ignor:[737,794,641,257,841,258,273,421,17,632,422,181,812,70,606,662,10,32,703],you:[794,613,855,452,232,56,10,493,119,895,746,814,689,126,23,504,70,26,812,100,321,484,203,515,776,434,437,147,662,176,330,386,44,45,792,104],intermedi:[576,17,30,812,44,323,10,104],krb524_init_et:2,adminhost:[70,44],kdcdefault:45,symbol:[26,4,423,28,672,764,126,203],krb5_tc_match_flags_exact:686,drift:794,mkei:423,andrew:[44,484],ansi:26,track:[434,70,566,27,423,44,23],krb5_k_prf:181,krb5_kt_next_entri:181,pool:73,reduc:[820,759,452,131,791,812,73,44,203,792],gss_iov_buffer_type_sign_onli:17,pkinit:[70,321],mkey_fil:[423,44],directori:[504,614,855,258,273,484,27,662,110,812,814,44,10,895,792],noaddress:812,mask:[266,916,115,447,686],out_flag:817,password:[794,812,855,515,70,566,484,423,138,321,73,56,689,10,32,45],potenti:[521,613,100,73,895],cpp:452,escap:116,enctype_nul:349,kprop_path:689,dst:611,unset:[9,812,17,181],cpw:[70,44,73],pto:102,represent:[812,17,181],all:[794,812,724,473,566,56,10,895,684,17,248,181,73,32,686,521,504,641,515,70,423,100,476,776,434,273,662,792,275,44,517],dist:26,krb5_get_in_tkt_with_password:181,gss_c_buffer_type_head:17,alg:452,lack:[504,137,576],concern:[330,434,104],pluggabl:[328,812,662,4],month:[176,576],krb5krb_err_response_too_big:[615,185],krb5_get_in_tkt_with_keytab:181,krb5_init_creds_set_servic:181,ldap_kdc_dn:[10,515,484,855,44],pty:[836,330],krb5_copy_authdata:181,follow:[794,614,855,452,540,632,576,51,4,229,672,386,10,783,493,701,119,562,176,563,724,746,918,302,17,568,748,184,73,815,885,32,566,23,489,504,256,63,895,70,132,646,27,764,423,591,907,323,836,595,203,248,812,515,434,273,208,159,914,662,275,330,848,640,44,45,437,104],disk:[521,613,614,895,26,484,27,423,100,56,689,44,794],krb5_tc_match_authdata:686,unansw:919,krb5_kt_dup:181,seed_length:[401,282],uint8_t:923,laboratori:330,strptime:330,nt_wellknown:86,former:18,krb5_server_decrypt_ticket_keytab:181,tail:895,ap_req_nofail:[572,6],dest_ctx:508,gss_iov_buffer_type_pad:17,hist_kvno:423,introduc:[223,273,687,812,70,608,10],requires_preauth:[504,434,70,73,484,44],cachenam:[614,918],liter:4,masquerad:[119,104,56],r13:[423,44],song:330,fals:[394,863,494,399,171,10,493,511,411,871,510,18,248,71,184,73,572,358,473,504,130,584,812,368,265,907,208,662,912,44,789,792],subcommand:73,krb5_kpasswd_malform:362,offlin:[73,640],util:[44,493,895,855,731],krb5_make_authdata_kdc_issu:181,candid:437,worst:73,gss_add_cred_from:764,failur:[576,226,455,346,463,247,73,489,521,631,70,479,812,108,423,434,711,330,385,606,44,444],veri:[815,27,812,73,44,10],ticket:[794,812,724,515,70,423,321,73,484,10,32,814],hostrealm_plugin:687,krb5_cc_next_cr:[243,181],krb5_cc_retrieve_cr:[181,65],k5login_authorit:[812,184,662],quux:812,list:[70,776,724,689],krb5_c_string_to_kei:181,kpasswd_listen:10,krb5_free_context:[191,181,141],adjust:[820,895,759,504,131,181,275,73,791,792],"_krb5_encrypt_block":755,cosin:855,stderr:10,small:129,getdat:[70,44,32,423,484],anam:[437,129],krb5_pac_delegation_info:595,pid_fil:[45,689],enterpris:[469,632,473,640],krb5_auth_con_getrcach:181,gss_c_nt_anonym:17,ten:[792,104],krb5_prompter_posix:[521,181],handi:895,edu:[794,815,576,10,119,895,73,32,23,814,70,26,812,100,484,776,437,713,662,330,44,104],past:[70,44,23],syslog:[812,10,895],zero:[449,70,639,17,247,181,812,493,444],design:[521,895,614,27,662,730],v4_realm:812,changepw:[794,907,70,362,73,44,400],further:[895,45,184,27],tls_cacert:515,max_renewable_lif:[10,895],kdb:[855,434,576,328,330,689,836,44],krb5_init_context_kdc:737,subjectalternativenam:812,last_req:324,get_princ:[70,44],abc:452,sub:[812,44,836,484],richard:330,defin:[812,10,792,814,895],gss_get_mic_iov_length:17,section:[70,45],abl:[794,613,614,812,434,895,437,275,321,104,44,10,32,493,119],brief:[885,836,100],pppcred:254,forc:[63,434,70,566,484,812,73,191,44,10,32,493],"public":812,version:[794,449,724,566,51,730,10,17,181,73,827,77,473,70,695,423,484,812,776,711,275,44,45],intersect:248,krb5_cccol_cursor_new:[342,181],osf:43,option2:812,krb5_auth_con_getrecvsubkey_k:181,option1:812,g_context_tim:330,full:[63,566,181,44,73,689,10,493],hash:[423,44,576,812,504],berkelei:[330,452],vtabl:[815,413,850,4],keepkvno:70,unmodifi:[437,330],sophist:521,modular:576,tkt_life:[520,829],middl:27,solari:[228,576,203,452],excess:203,variad:[535,140,811],method:[226,223,815,323,4,455,812,413,608,698,687,656,850,493,640],fred:662,modifi:70,invoc:[423,17,147],valu:[794,855,10,493,895,17,248,181,73,32,521,504,515,70,423,321,484,812,273,208,662,44,45,792],krb5_cc_unlock:[205,181],getpwuid:[70,44],krb5_cred_enc_part:[336,36],naval:330,krb5_finish_kei:181,krb5_fences_vt:4,principal_out:[672,632],observ:[275,434],prior:[63,17,147,423,330,191,44,10],out_cr:[697,30,642,307],krb5_clpreauth_moddata:413,krb5_pac_upn_dns_info:595,action:[223,27,423,330,73,689],diffi:[812,10,640],krb5_gc:739,rkt:138,mkvno:423,marko:330,depart:330,sprecif:26,reiniti:611,transit:[562,826,805,568,573,646,828,812,241,104,496,10,640],krb5_recvauth_vers:181,deprec:10,acceptor_cred_handl:17,famili:[261,530,419,856,556,226,526,922,896,222,910,10,719,532,819],heurist:[783,437,393,812,698,656],decrement:181,krb5_prepend_error_messag:181,handle_error:17,select:[423,44,812,73],yflag:452,hexadecim:[423,576],paus:44,proceed:44,gss_iov_buffer_desc:17,krb5_deltat_to_str:181,generalizedtim:563,regist:[328,812,89,94,662,740,168,330,348,689,44,493,549,486,429],pa_typ:[635,323],coverag:203,ldap_kadmind_sasl_authzid:10,krb5_set_trace_callback:181,krb5_init_random_kei:181,command_opt:[423,44,484],formul:812,morn:792,ldap_serv:[10,855,515],krb5_cc_start_seq_get:[610,243,181],standart:855,upstreamhostnam:44,krb5_get_init_creds_opt_set_salt:[181,644],minor:[764,17,26,226,27,4,73,576],more:[794,614,615,452,473,576,672,850,343,10,493,118,119,895,433,746,334,17,68,73,687,32,23,185,521,504,515,27,423,100,836,31,812,434,159,147,275,44],flat:614,mellon:330,door:713,flagnam:32,canon:[794,515,689,473,171,608,44,493],krb5_auth_con_setuseruserkei:181,gss_oid:764,krb5_tkt_creds_get:181,update_rel:815,"0x0040":252,krb5_copy_error_messag:181,krb5_get_init_creds_opt_set_address_list:181,krb5_init_creds_get:181,cacert:[275,504,515],compani:104,destin:[100,203],new_princip:70,cach:[794,449,273,17,181,812,70,73,662,44],interface_module_initvt:4,dictat:44,none:[515,49,206,273,208,912,227,27,248,812,70,44,831,437,74,10,88,286],endpoint:[256,330],nonc:[34,324,917,189],krb5_trace_info:[136,372,36],valuabl:[521,330],"0x000b":560,der:[563,850],outlin:[275,776],krb5_auth_context:181,dev:[273,10,855,812,147],krb5_c_make_checksum_iov:181,actual_mech:17,krb5_calculate_checksum:181,kdcpreauth_mymech_initvt:4,learn:794,dec:[176,44,434,895],gss_iov_buffer_type_mic_token:17,krb5:[794,855,724,566,56,10,95,73,689,32,814,63,70,132,423,138,321,484,427,476,776,45],krb4:576,ap_opts_use_subkei:1,prompt:[521,895,724,70,181,423,484,44],ap_opt:[259,363,1,837,642],tr_type:496,registr:812,share:[521,776,452,815,1,4,812,764,73,662,44,119],krb5_kdcrep_modifi:422,krb5_get_init_creds_opt_set_fast_ccache_nam:[575,181],krb5_free_cr:[627,181],tabular:[423,576],minimum:[70,10,792,44],resync:[44,576,566,689],gss_oid_set:[17,764],incom:[10,473],phrase:889,krb5_get_init_creds_opt_get_fast_flag:181,krb5_cred:[521,65,362,463,181,686,345,610],tr_content:496,cours:56,newlin:[672,848],secur:[70,132,73,794],programmat:521,ascii:[423,44,493,323],isi:437,krb5_k_verify_checksum_iov:[247,600,181],subsess:[1,46,248],krb5_k_make_checksum_iov:[310,181],csv:[423,576],input_assoc_buff:17,sign_onli:17,isn:[27,330,44,10,595,203],trace_log:147,"_krb5_get_init_creds_opt":829,resourc:[521,61,17,203,713],redwood:330,referenc:[515,330,323],flip:73,variant:[44,576,764,452],reflect:[820,895,563,759,131,334,832,191,44,791],okai:[70,44,104,562],des_crc_session_support:[10,248],offset:[45,181],krb524_convert_creds_kdc:2,unlink:[423,44],associ:[614,474,434,70,566,17,27,44,330,473,323,10,32,689],maxlif:[70,44,32],kdc_port:10,circumst:[10,504],"short":[207,159,147,812,73,32],krb5_set_real_tim:181,confus:330,krb5_k_encrypt_iov:[131,759,181],stash:[70,484],krb5_encode_authdata_contain:[291,181],caus:[452,685,10,493,562,895,17,18,73,827,640,473,504,70,639,689,27,423,812,907,434,273,330,386,44,918],suncc:452,stash_fil:[423,44],is_last_req:[907,278],alphabet:176,"0x00000080":327,seq:29,g_canon_nam:330,sunw_dbprop_slave_pol:44,iprop_master_ulogs:[10,44],ldap_kadmind_sasl_mech:10,sendauth:[895,814],rotat:473,concatent:764,soon:[44,63],held:[562,330],cache_nam:[70,44,386,640,562],createtimestamp:855,through:[521,895,641,812,223,434,853,656,372,662,275,44,321,104,323,572,10,794,493,792,119],delstr:70,gss_acquire_cred_impersonate_nam:17,krb5_ktname:[273,28,17,159],krb5_keytab_entri:[158,329,276,36,395,711,803],krb5_string_to_kei:181,paramet:[423,10,45],member:10,typedef:[221,454,6,457,676,17,466,259,636,480,29,485,31,34,35,490,717,826,189,496,790,336,501,503,727,54,59,60,513,425,514,304,481,752,309,755,78,525,317,531,319,767,771,324,773,544,101,546,499,793,339,807,809,810,376,360,582,583,897,829,909,370,139,837,596,843,660,847,153,154,865,172,630,878,635,278,889,299,647,898,650,900,904,136,387,857,527,919,443,923,220,924],get_valu:815,sale:330,extra_address:812,relev:[436,895,563,473,745],html:[515,776,26,713,126,576],rapidli:794,famou:895,component1:[302,323],"0x00800000":[512,333],krb5_auth_con_getsendsubkey_k:181,might:[895,434,452,493,17,4,275,662,330,73,56,323,44,203,119,473],alter:[504,73],"0x00020000":198,kpkdc:812,good:[794,895,639,330,104,44,119,814],"return":[521,515,63,70,566,17,394,181,812,814,44,217,10,473],lowercas:44,sentenc:895,component2:[302,323],message_out:110,framework:[576,17,330],casio:73,krb5_authdata:[373,628,36,436,409,291,274,887,403],sign1:17,sign2:17,foot:4,krb5_prompt_type_password:591,detach:63,krb5_free_authent:[507,872,181],getpol:[70,44],krb5_fwd_tgt_cred:181,administr:776,troubleshoot:[895,162],level:[504,70,493,17,484,44,815,45,203,126],userid:[812,452],instruct:[44,895,23,452,504],refresh:[17,323],"0x0006":[270,673],slave_datatrans_hostnam:44,val:[722,194,557,178,435,409,94,801,348,555,842,168,882,264,666,22,144,486],principal_nam:504,"0x0007":[106,93],ceas:[423,44,776],found:[895,918,452,65,428,132,437,393,568,686,730,436,124,119,44,10,45,493,812,104,814],intervent:73,krb_error:181,truncat:104,krb5_mk_ncred:[522,181],subsystem:452,krb5_anonymous_realm:181,cost:[275,44,330,452],weight:493,tryagain:413,unkei:521,referred_realm:220,krb5_pointer:[501,222,642,36,261,526,695,730,856,234,910,790],realli:869,krb5_c_random_os_entropi:181,krb5_princ_nam:2,iter:[70,10,181,44],gennadi:437,http:[812,515],energi:330,beyond:[885,413,850],todo:119,event:[493,181],http_anchor:[275,812],ftp:[895,100],authdata:[373,628,274,30,328,291,323,403,793],krb5_anonymous_princstr:227,krb5cc_p11795:104,usec:[457,727,189,29],krb5_allow_weak_crypto:181,publish:[330,473],research:330,krb5_auth_context_ret_sequ:[267,821,364,732,832,115,215,266,254],enomem:[522,395,318,292,732,346],print:[63,70,132,437,646,576,423,914,44,540],occurr:9,wicker_construct:4,clpreauth_plugin:413,qualifi:[70,44,32,812,794],oid:[576,764,662],add_auth_ind:[576,850],proxi:[812,10],danilo:330,ldapadd:855,differ:[794,812,515,70,423,814],asc:26,krb5_generate_seq_numb:364,reason:[258,437,662,812,330,119,56,323,493,792,104,73],base:[614,648,876,576,455,850,10,493,895,12,17,18,413,124,473,586,885,126,640,521,256,70,812,28,428,515,776,149,783,330,44,104],krb5_init_context_secur:737,ask:[423,521,493,181,504],earliest:[423,686],workstat:521,lag:437,basi:[44,493,73,476],db_185:452,thread:[614,576,78,452],daisi:493,krb5_get_init_creds_opt_set_in_ccach:181,omit:[515,128,815,302,662,212,323,489],krb5_string_to_salttyp:181,krb5_cccol:698,gss_cred_id_t:[17,764],perhap:[70,10,73,44],iprop_hdr:330,krb5_free_enctyp:181,syria:330,lifetim:[812,70,181,423,73,44,686],assign:[895,70,625,181,693,44,10,32,493],major:[26,17,4],gpg:26,get_tgt_via_passwd:437,notifi:23,kdb_convert:330,binddn:70,exchang:895,more_preauth_data_requir:413,number:[794,724,566,10,493,181,73,689,32,814,521,504,63,70,812,138,484,266,423,434,208,44,45],sometim:[44,473,640],"3de":73,pop:100,smaller:[812,302],done:[895,614,855,63,452,515,815,437,413,100,850,44,493],krb5_524_conv_princip:181,stdlib:815,blank:783,krb5_pac_verifi:181,stabl:[576,223,455],verify_ap_req_nofail:812,miss:[126,422],gpl:330,guess:[812,895,576],guest:[70,44,812],vararg:535,interact:[70,44,812,493,724],size_return:914,least:[794,895,114,925,39,302,840,479,100,686,608,44,375,493,669],dfl:[273,27],writeabl:395,accept:[815,576,226,10,493,895,65,248,73,689,640,473,63,70,764,812,321,698,701,203,159,147,176,330,44,104],natur:473,krb5_roundup:2,scheme:493,kadm5_hook_modinfo:223,store:[794,724,840,56,10,895,17,248,181,70,73,689,521,504,63,515,131,812,484,423,784,44,791,669],krb5_lname_no_tran:608,memset:521,your_realmnam:504,relationship:[812,608],behind:[73,662],iprop_logfil:[10,44],krbnfs_howto_v3:713,appropri:[521,423,393,812,504,437,17,662,562,275,879,850,73,235,44,895,493,640,698],pars:[794,521,70,17,662,155],modbi:423,fall:[614,493,27],crypto_entri:755,gss_error:17,grace:640,krb5_get_init_creds_opt_set_fast_flag:[181,827],test_html:126,kind:[614,411,17,27,764,413,330,850,473],pwexpdat:[70,44],contrari:[521,17],prebuilt:203,krb5_get_init_creds_opt_init:181,whenev:521,remot:[794,256,536,70,132,17,181,792,473,44,10,689],gotten:104,remov:[70,423,855,724],sunw_dbprop_en:44,kkdcp:[275,576,330,493],"_krb5_address":499,unconfigur:[126,493],admcilsp:32,str:17,arrang:44,"_krb5_cred_enc_part":189,toward:[44,776],master_kdc:[812,493],randomli:[248,724],ktid:249,comput:[521,449,535,812,17,181,275,73,10],deleg:[70,10,44],strengthen:73,well:[521,895,452,473,576,17,812,311,687,836,44,73],clientkei:504,beforehand:17,krb5_config_cantopen:217,packag:[275,855,203,895],local0:10,allow_weak_crypto:[147,248,181,812,73,10],expir:[504,812,724,70,423,44,10,32,792],service2:646,service1:646,"null":[521,449,536,17,181,812,399,32],option:724,principal_databas:63,krb5_auth_context_generate_remote_addr:256,dec_err:565,onlyrealm:[10,73],equival:[362,890,208,400,576],remote_addr:[693,449,536,568],krb5_free_keyblock_cont:[143,603,734,181,69],cfr:330,self:515,s_address:189,nktype:34,luser:863,add_rel:815,schema_convert:855,brace:4,krb5_auth_context_do_sequ:[267,312,364,821,85,115,215,832,266],krb5_ticket_tim:[121,761,36,826,544,324,793],krb5_responder_otp_tokeninfo:[514,36],distribut:[855,452,746,26,330,836,45,203,576,104],exec:[437,540,452],vno:[70,730,711,847,73,44],previou:[449,776,615,504,105,812,70,556,881,185,323,44,895,38,818,140],reach:[812,803,517],krb5_auth_context_generate_remote_full_addr:256,react:743,most:[504,393,812,257,724,895,17,147,248,181,423,662,56,44,10,493,792],spnego:[576,330],plan:44,profile_releas:334,krb5_cc_set_default_nam:[191,181],kdc_listen:[10,895],dump_fil:689,ppcred:732,addr:[378,224,657,875,399,544,324,793],allow_proxi:[70,44],hereaft:330,x11r6:203,krb5_prompt:[848,36],clear:[521,794,70,208,181,423,138,191,44,818],lehman:330,cover:792,krb5_enc_kdc_rep_part:36,enctypep:450,auth_to_local_nam:[812,662],part:[336,613,614,826,672,563,568,248,71,881,882,73,815,309,473,421,422,764,812,100,323,703,35,437,147,330,44],exp:[794,504,70,248,812,10],add:[794,812,228,515,70,566,423,138,73,44,10,32,792,814],kswitch:[614,361,762],enctyp:[812,423,138,73,44,10],krb5_unparse_nam:[731,181],usual:[521,504,614,159,434,452,39,70,17,646,821,323,812,814,215,44,10,45,493,104,669],microsoft:[812,576,17,713,248,275,400,236,10],sector:[423,44],wsgi:275,afs3:[10,73],"0x8000":[431,780,892,145],your_princnam:504,carefulli:504,hostnam:[794,504,895,70,812,814,44,10,792,473],consult:[812,608],krb5_magic:[336,503,727,485,457,525,755,189,360,259,636,370,904,324,596,34,35,36,826,847,544,154,793,499],gss_name_t:[17,764],python:[275,126],fini:[223,687,226,413,850,698,608],modifiersnam:855,session:[794,70,812,73,44,10],passwd:[889,437,330,484,44,792],tmpbuild:203,krb5_cccol_cursor_next:[342,181,684],fine:[17,493],find:[17,181,812,814,217,44,493],privsvr:258,impact:434,krb5_c_prfplu:181,kprop_port:[273,28,689],kadm:540,copyright:[836,26],"0x0200":468,ticket_lifetim:[812,792],solut:895,local_addr:[693,449,536],krb5_cc_cursor:[133,610,243,36],gssapi_err_gener:330,couldn:814,templat:836,krb5_gic_opt_pa_data:36,log_info:10,iec:26,ckto:658,krb5_libos_badpwdmatch:[914,606],krb5_change_password:181,hit:181,unus:[848,642,671],krb5_x:2,luke:493,lehmann:330,express:[70,44,330,812,176],last_fail:423,nativ:[452,302,792,649,28,323,576,47],mainten:[70,44,423],r_address:189,authoriaz:727,liabl:330,krb5_responder_question_otp:[521,181],krb5_verify_init_cr:[521,181],hin:26,think:[119,4,473],establish:[504,17,27],krb5_init_creds_set_password:181,crt:[812,10],synthet:[167,323],synthes:[623,857],krb5_auth_con_set_req_cksumtyp:181,rfc:[17,181,812,73,10,493,869],crc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],salttypep:432,encrypted_timestamp:812,crl:[812,10],reply_out:59,certif:[275,10,812,515],set:[70,423,776,484,689],dump:689,tokenid:433,slavehostnam:63,pid:[45,689],startup:895,krb5_get_permitted_enctyp:181,decompos:478,mutabl:78,emac:452,sed:452,sec:181,arg:[741,811,452,70,437,598,140,331,44],reserv:[330,462],delpol:[70,44],unqualifi:792,whatsoev:330,analog:794,encrypted_challeng:812,gss_iov_buffer_flag_alloc:17,simultan:78,gladman:330,"_krb5_responder_pkinit_challeng":319,someth:[10,814,27,473,73],particip:[812,895],nopw:[70,44],reus:44,mutex:78,recv_hook:167,kth:330,netlogon:236,experi:[776,576,493,73],krb5_merge_authdata:181,altern:[504,63,452,895,715,17,662,812,28,330,10,203,640],krb5_set_kdc_recv_hook:181,bourn:895,plugin_base_dir:812,syntact:812,numer:[562,423,890,895,362,576,176,400],norandkei:[70,794],ebaa:713,isol:493,disallow:32,krb5_anonymous_realmstr:49,krb5_flag:[224,229,737,739,324,65,1,568,686,307,817,642,657,259,363,697,30,378,36,826,916,447,544,793],fundsxpress:330,succeed:[895,814],outfil:423,oid_op:330,local7:10,enc_err:565,stale:[812,776,248],struct:[345,737,334,17,181],disclaim:330,fail:[794,812,724,70,423,73,44,10],last:[449,434,70,566,181,423,44,10],delimit:[812,374],mandir:452,db_header:452,alon:[895,4],dns_lookup_kdc:812,unspecifi:[812,493,27],vopt:521,context:[521,449,287,394,17,147,181,812,920,124,399,166,129,217,345,12,428],pdf:[776,713],prng:[377,580,452,576,330,639],whole:[44,77,504,524,258],require_auth:[70,576,321],krb5_kt_have_cont:181,simpli:[521,504,208,17,662,764,104,203,559,119],reject:[794,895,812,321,814,10],tgt:[521,504,320,248,181,73,44,10],point:[794,613,614,1,452,895,70,924,576,17,479,812,100,73,44,519,23],schedul:[44,73],ret_valu:[124,428],cryptosystem:73,krb5_crypto_typ:[551,924],residu:[562,614,273,918,620,249,812,386,608,815,493,640],header:[423,812,17,181],fashion:[275,437,330],realm1:45,smard:812,realm3:45,linux:[576,614,452],cakei:504,krb5_os_localaddr:181,bridg:576,mission:437,krb5rcachetyp:[273,27],etype_list_length:[55,829],backend:95,authz:34,krb5_cc_get_princip:[731,181],outbuf:[267,821,364,363,1,318,384,832,215],krb5_get_init_creds_opt_set_forward:181,stamp:[423,566],krb5_fcc_intern:125,devic:[70,10,812,521,44],due:[44,32,147,27,73],empti:[521,812,453,70,208,181,423,292,185,44,10,32],implicit:10,have_getusershel:437,whom:[330,119],secret:[521,70,208,17,812,847,10,119],libverto:[850,452],krb5_c_init_st:181,dup:10,name_s:207,krb5_get_renewed_cr:[181,307],krb5_plugin_ver_notsupp:4,nonexist:576,address_list:829,kdc_tcp_listen:[10,895,504],"_krb5_checksum":154,modern:[794,44,73,473],brother:330,nrl:330,fire:493,clariti:437,buflen:[164,879,874,171,690,597,756],consequenti:330,coordin:764,nonrepudi:504,understand:521,krb5_copy_princip:[731,181],func:[784,151],demand:519,input_ccach:640,educ:792,enc_part:[336,636,309,35],imap:[783,473,452],"_krb5_init_creds_context":650,acount:662,krb5_pac_privsvr_checksum:595,creativecommon:330,stolen:104,datarootdir:452,nofork:689,kdc_tcp_listen_backlog:10,krb5_mk_priv:181,erron:147,rep_result:642,durat:[70,10,660,812,44],camellia256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],norealm:[10,73],"while":[895,434,70,812,321,814,44,10,73],gss_init_sec_context:17,match:[794,724,30,10,346,65,17,181,124,686,32,473,504,70,422,318,423,428,812,776,436,662,275,44,792],behavior:[70,10,812,73,662],error:[70,63],krb5rcachedir:[273,28,27],input_name_buff:764,pepper1:72,robin:794,subsect:[504,812,434,515,662,275,321,10],propag:[812,63,132,423,73,56,689,10,32],malloc:815,ldname:452,readi:[423,895],g_userok:330,krb5_timestamp_to_str:181,influenc:473,readm:[836,26],confound:182,revers:[423,44,812,792,794],itself:[794,613,614,94,685,194,555,842,168,850,10,178,409,17,882,73,689,688,521,63,70,764,812,348,144,486,89,159,801,662,793,666,44,45,104],cred_handl:[17,764],dget_tgt_via_passwd:437,limit:[895,437,330,44,10,493],yourdir:895,illinoi:713,rcptr:586,dedic:895,"_krb5_ticket":309,ccselect_plugin:[698,4],gs2:576,my_respond:521,minim:[423,44,73],error_t:330,mistakenli:9,new_reply_out:[857,59],krb5_kvno:[711,730,370,847,36],serverauth:812,krb5_cc_set_config:[449,181],shorter:812,libc:473,lengthi:576,decod:[521,291,812,181,463],krb5_mk_error:181,viola:794,sqlite3:423,wicker_materi:4,swig:330,conflict:[15,325,568,662,213,764,547],krb5_principal_unparse_short:489,sell:330,k5user:437,"0x00200000":313,x86:[576,452],g_inquire_cr:330,optim:452,nersc:812,cppopt:452,alert:10,krb5_int32:[266,727,115,234,457,676,865,461,773,481,189,690,312,299,695,531,85,904,701,324,485,432,36,717,387,279,852],temporari:[895,855,70,159,27,812,28,44],glossolalia:73,enctype_aes128_cts_hmac_sha1_96:578,enctype_aes256_cts_hmac_sha1_96:96,transitori:73,built:[521,812,662,181],sha2:[10,576],lower:[783,25,70,815,17,812,44,32,656],sha1:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],is_skei:[173,686,793,323],ktype:[378,34,871,224,657,105],older:[44,576,850,73],entri:[794,855,566,10,493,895,814,17,181,73,32,473,521,504,63,70,812,138,515,434,147,100,44],krb5_princ_typ:2,keytab_nam:562,harm:27,honor:[147,104],www7:713,person:[895,119,330,104,56],medvinski:437,krb5_cc_end_seq_get:181,uint32_t:809,"0x10000000":[757,398],ppdata:[522,732],mon:[70,44,434],ldb:452,construct:[521,776,615,857,363,17,646,4,185,59,576,417],krb5_kdc_req:36,dejagnu:[203,452],gss_c_accept:17,anonym:[70,10,662,44],ba548_90007:713,mslsa:614,outprinc:726,envvar:812,emailprotect:812,krb5_get_validated_cr:[697,181],"76cho3000":330,administ:[794,895,689],question:[10,776,493],g_verifi:330,myremotetokentyp:10,priorit:493,confvalid:836,cut:493,restructuredtext:776,lockouttim:[70,44],forbid:[70,44],ldap_kdc_sasl_realm:10,hostaccount:662,win:330,input:[791,17,181,44,12,669],gss_buffer_t:[17,764],slave:[794,812,228,63,132,566,689,423,100,73,56,44,10],approxim:26,useless:73,passcod:592,vendor:[540,897,433],authdata2:323,authdata1:323,format:[423,10,32,812,776],princ1:[265,368,504,511,130],princ2:[265,368,504,511,130],allow_postd:[70,44,484],transmit:[615,576,17,850,185,44],apt:855,step:[794,504,855,895,437,423,73,44],resid:[521,613,783,330,184,493,794],gss_iov_buffer_t:17,inetcomperson:855,account_expir:[907,278],krb5_c_prf:181,redirect:[812,895],g_exp_sec_context:330,success:[450,453,876,455,230,672,674,234,10,11,12,595,461,411,726,463,247,249,881,686,129,687,599,254,690,256,257,277,258,693,887,586,695,27,872,483,699,701,229,703,708,272,276,274,712,40,740,711,716,308,491,279,44,756,502,840,507,291,292,734,736,133,604,298,744,745,300,1,732,143,72,517,74,848,77,69,519,310,489,521,522,312,759,63,761,70,316,318,718,85,245,108,88,774,423,535,536,146,825,781,852,671,651,102,791,549,874,105,107,551,340,110,111,112,114,342,344,346,723,121,565,30,773,334,352,568,569,479,125,572,357,859,817,818,580,823,369,131,620,363,364,365,590,137,921,141,374,597,658,377,730,600,841,39,603,148,149,384,385,606,91,610,543,611,158,389,615,648,412,164,860,821,862,400,171,621,625,738,406,739,524,875,631,632,877,879,182,413,251,185,914,753,415,639,417,267,890,641,190,642,628,420,421,646,422,322,197,362,803,200,901,903,653,429,820,432,205,627,434,207,735,437,684,395,916,917,505,215,217,832,444,447,669],authdata_plugin:885,lnsize_in:129,signal:45,threadsaf:912,krb5_vwrap_error_messag:181,resolv:[794,792,181],elaps:[70,44],collect:[273,812,17,181],princip:[63,724,70,132,566,484,423,138,73,689,45,814],"boolean":[208,181,423,44,920,10],wicker_appear:4,"0x0080":607,fnal:330,popular:895,krb5_get_credentials_renew:181,"1foo":812,two:[449,434,476,70,504,248,181,812,662,44,10,895,473],signedpath:[70,10,44],krb5_get_init_creds_password:[521,907,743,224,181],encount:[562,895,812],krb5_pac:[258,420,36,148,765,718,901,688,595],simplifi:532,acknowledg:330,creation:[812,44,563,73,504],some:[423,228,724,273,812,662,275,70,73,44,10],gen_sym:437,listpol:[70,44],kdc1:493,strongest:[639,248],krb5_read_error:181,sampl:[794,814],referral_valid_until:220,cacheconf:323,structuralobjectclass:855,sizeof:[521,815,17],surpris:73,modulepath:812,certlabel:812,krb5_c_random_se:181,"0x2000":396,charg:330,issueraltnam:504,"0x01000000":354,per:[614,423,223,815,566,226,455,850,10,493,17,248,413,73,687,521,70,812,698,476,208,662,608,44,45],gss_qop_t:17,recognit:[576,330],substitut:[812,504,330,895],retri:[10,208,493],larg:[521,895,759,791,131,346,208,493,820,44,10,203],slash:672,numwork:45,necessari:[853,504,515,855,895,70,17,479,4,812,413,73,885,44,119,493,792,104,606],reproduc:330,datebas:689,machin:[794,476,228,63,515,812,100,73,56,689,814],krb5_c_enctype_compar:181,run:[794,614,855,452,576,10,493,562,895,248,73,689,126,566,814,504,63,515,70,26,423,28,100,203,812,437,147,662,386,44,45,792],refresh_tim:323,winbind:662,pa_type_list:[413,850],agreement:330,unport:330,fulvio:713,"0x00000001":[5,268,214,174,375,46],kdc2:493,ap_req_checksum_typ:812,from:[776,63,724,70,132,566,484,423,138,689,45],krb5_auth_con_getsendsubkei:[210,181],resiz:479,cmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_get_profil:181,usa:330,constraint:[783,330],mechglu:[330,764],materi:[521,330,73,4],prove:[521,413,850],gss_krb5_cred_no_ci_flags_x:576,dns_uri_lookup:[812,493],strcmp:815,disclosur:[32,576],argv_pars:330,gss_create_empty_oid_set:764,userok:608,loadabl:[812,10,764],"5h30m":640,fulfil:437,hesiod:[812,330,452],timeofdai:852,real:[812,461,437,381,511],primarili:[920,518],krb5_referral_realm:181,krb5_keyusage_pa_sam_respons:325,canonhost_out:188,"_krb5_data":596,target_user_login_nam:437,bsd:[576,330],krb5_rd_rep:181,krb5_rd_req:181,mydir:614,contributor:[330,462],chang:[794,812,724,515,70,566,423,73,10,32],nss:330,inclus:330,institut:[330,462],fictiti:104,carnegi:330,megabyt:26,krb5_pwd_data:36,fast:[812,10,208,181,504],krb5_get_init_creds_opt_set_pac_request:181,krb5_get_init_creds_opt_set_respond:[521,181],prompt2:914,krb5_tc_supported_ktyp:686,pocoo:126,krb5_chpw_pwdnull:606,forward:[794,895,70,208,17,181,812,473,44,10,792],crit:10,mach:[812,330],usr:[126,895,855,63,452,437,484,812,28,814,44,10,540],"0x00000002":[779,667,800,315,306,173],krb5_enc_tkt_part:36,gss_iov_buffer_type_stream:17,vprintf:[811,140,331],krb5_mk_safe:[267,181],server1:[44,484],krb5_cc_nosupp:65,pwd:203,screensav:104,link:[895,776,515,162,812,44],translat:[812,129],newer:[452,423,473,44,10,73],krb5_free_unparsed_nam:181,line:[70,776],mitig:[521,576,27],krb5_crypto_type_sign_onli:[385,600,247,310,149],info:[33,895,891,161,576,136,665,10,324,793],concaten:[482,563,764],gss_wrap_iov:17,utf:[521,242,330,593,235,511],consist:[608,26,159,323,812,672,687,493],princ_stringattr:423,confusingli:521,checkout:126,dns_lookup_realm:[812,493],infd:256,fdii:104,redistribut:330,doc:[126,713,515],readlin:452,gssapiv2:17,similar:[648,632,576,226,4,234,411,811,17,247,877,575,310,489,267,759,744,631,131,363,479,423,368,140,820,812,600,437,603,275,385,505,791,104,444],impl:452,krb5krb_ap_err_skew:502,kaduk:73,gss_c_buffer_type_trail:17,constant:[521,49,227,661,485,678],curs:452,user_dn:[44,484],flush:815,doesn:[614,724,352,27,423,44,869,119],unauthent:100,"char":[449,450,224,453,671,672,494,12,3,17,249,129,690,695,479,264,235,701,31,703,708,712,308,489,815,286,51,292,509,741,514,72,752,77,38,756,521,81,318,108,771,242,535,781,331,191,549,110,341,277,344,120,811,124,428,827,818,577,362,363,590,914,831,139,140,835,240,374,596,597,841,848,606,853,557,164,620,863,397,400,171,524,632,877,878,879,881,188,417,890,642,421,897,422,874,656,432,207,211,217],container_dn:[70,44],incomplet:812,int_max:380,openldap_ldapconf:10,home:[783,437,748,662,812,184,484,44,119],krb5_free_address:[723,181],enc_padata:324,kdcissu:181,unifi:776,krb5_get_init_creds_opt_set_change_password_prompt:181,krb5_principal_parse_enterpris:632,"0x0400":66,pre_auth_typ:[378,224,657],ticket_authdata:436,bracket:[812,10,662],krb5_ccselect_vt:4,nat:[812,44],krb5_cc_close:[88,181],addpol:[70,44,434],"0xfffffff0":21,krb5_kt_nowrit:[158,395],particular:[521,504,724,452,17,249,812,119,330,321,73,56,10,32,203,104],interface_modname_initvt:4,krb5_pwqual_moddata:455,krb5_cred_info:[189,36],clean:[737,44,862,372],lucid:95,meaning:[70,44],search_scop:[44,484],libtool:4,refrain:764,mymodul:662,gss_acquire_cr:[576,17],true_principal_nam:220,infrequ:576,algorithm:[452,437,603,248,330,73],vice:[504,576],krb5_kt_read_service_kei:181,krb5_free_keyblock:[111,736,653,181,369],ldap_kdc_sasl_mech:10,namelen:374,delta:[10,181],krb5_k_free_kei:[406,251,921,181,915],inout:[820,114,759,600,642,39,131,363,695,568,479,149,840,1,914,234,791,310,669],"_krb5_auth_context":513,far:504,fresh:[794,437,776,56],creatorsnam:855,krb5_context:[449,3,453,671,494,674,877,9,458,11,12,411,243,681,463,247,686,129,629,256,257,693,639,872,483,699,266,708,272,491,721,502,287,507,509,738,604,298,745,65,143,72,517,77,69,310,521,312,85,88,774,535,536,146,825,163,784,191,651,791,237,551,340,110,112,716,342,115,345,346,723,349,352,124,125,859,818,577,580,840,823,369,131,620,133,365,921,658,377,603,149,91,610,543,611,393,394,166,736,399,401,625,869,406,179,876,181,182,151,887,322,197,362,920,653,428,922,205,524,300,210,684,915,916,505,217,444,447,669],endtim:[660,30,323],realmlist:277,getaddrinfo:473,code:[453,30,230,674,877,9,10,11,12,411,726,463,17,247,686,129,256,257,693,639,872,483,699,671,272,276,491,277,308,274,44,723,840,507,291,734,736,738,604,298,745,65,143,72,517,77,310,756,521,312,318,85,774,812,776,535,536,146,825,102,791,551,340,110,111,112,716,342,346,69,352,125,818,580,393,823,369,131,133,365,921,141,597,658,377,603,147,149,91,610,543,611,164,620,171,625,406,627,876,181,182,887,190,322,197,362,653,205,524,300,684,916,505,217,669,447,444],partial:[521,32,73],autodoc:126,queri:[521,70,576,17,44,493],makedepend:836,keytabl:847,recomput:191,jimi:814,edt:[70,44],krb5_princ_realm:2,oldcc:330,cmd_path:437,krb5_copy_context:181,issuer:[812,504,403,373],proponli:[44,689],privat:[504,709,452,576,812,23],procur:[504,330],krb5_rd_rep_dc:181,ac02:330,slot:[812,138],sensit:556,elsewher:56,friendli:576,send:[794,895,776,273,689,147,248,181,812,100,44,10],cachetyp:576,nippon:330,behalf:646,krb5_kt_close:181,aris:330,fatal:393,sent:[563,642,203,208,17,147,27,423,850,44,10,623,59,576,104],deactiv:10,lndir:836,alphanumer:812,rollback:73,whichev:794,kcm:[812,576,330,614],rout:895,hierarchi:44,krbtest:[563,434,147,783,321,44],disast:493,max_renewable_ticket_lif:[44,484],spoof:[812,493],korea:330,krb5_build_principal_va:181,tri:[449,568,812,687,10,519],portmapp:44,magic:[336,503,727,900,457,425,525,904,635,125,309,755,818,189,889,360,583,259,636,647,370,443,485,837,324,596,34,35,826,847,544,496,154,793,499],complic:[504,452],"try":[452,434,437,17,147,812,100,473,44,493,119],ctx:[615,699,286,860,51,736,341,240,9,62,121,406,739,242,811,245,919,17,185,74,357,753,38,397,417,761,412,421,322,649,831,921,140,141,235,653,269,774,735,911,211,331,483,157,47],krb5_princ_set_realm_length:2,addr2:[287,394],freed:[449,722,49,557,3,194,227,51,166,555,168,59,120,178,745,300,409,334,882,22,348,649,688,264,835,144,242,89,708,435,276,94,857,341,191,666,543,47],modifytimestamp:855,proof:181,pleas:[794,10,776,433,23],malici:[70,44,521],impli:[330,640],"0x8":838,"0x3":772,"0x2":[212,448,679,833],"0x1":[128,68,382,343,216,886],kadm5_hook_plugin:223,pkcs11:[812,330],pkcs12:812,"0x4":[469,116,296],cron:[10,493,56,895],krb5_prog_etype_nosupp:137,gmbh:330,name_typ:504,download:[330,713,63],aprepencpart:636,odd:104,click:895,append:[853,452,70,159,44,10],krb5_vprepend_error_messag:181,compat:[812,10,63],index:[423,515,26,713,275,831],compar:[731,181],chicago:330,tmppolici:[44,484],resembl:118,"_krb5_ticket_tim":660,access:[794,613,614,576,850,56,10,493,895,17,413,73,689,885,32,566,521,504,63,515,70,762,812,100,203,476,434,662,275,608,44,792],gss_c_buffer_type_sign_onli:17,rhost:318,princ_nam:504,udp_preference_limit:812,addprinc:[70,44,895,176,504],trillium:[794,100,104],whatev:493,krb5_auth_context_generate_local_full_addr:256,ldap_service_password_fil:[10,855,515],krb5_kdc_unreach:606,krb5_auth_con_genaddr:181,leg:576,g_init_sec_context:330,len:[825,148,901,814],target_principal_nam:437,bodi:[34,850],intercept:[764,662],logout:[386,104],ubuntu:95,safer:119,becom:[423,776,812,191,841,895,437,640,73,56,357,44,493,119,606],cf2:181,krb5_cc_get_typ:181,rtime:34,great:[32,375,422,686],produc:[521,298,812,26,562,423,182,413,850,687,44,540],convers:[812,563],krbadmin:[10,515],larger:[504,302,100,576],technolog:[330,462],autoreconf:203,dsa:326,cert:[812,504,321,515],typic:[521,794,792,223,37,586,17,248,4,455,812,28,413,850,698,689,10,149,493,126,473],rdn:[812,794,17,792,473],inptr:[261,222],explain:895,revoc:[812,10],writer:776,starttim:[660,323],danger:[437,56],revok:[812,10,434],realloc:449,g_initi:330,dprinc_look_ahead:437,foundat:330,princ_out:393,"8h30":176,expect:[895,258,765,147,83,422,812,413,73,885,126,104],auth_context:[312,166,732,115,234,736,458,11,625,869,832,784,406,179,1,568,569,151,821,254,267,522,256,695,642,369,693,363,364,318,872,921,266,653,536,745,272,210,915,384,917,215,85,543],krb5_ui_2:36,krb5_c_encrypt:181,asan:452,getnameinfo:473,gss_wrap_aead:17,oldest_kvno_to_keep:70,fee:330,feb:566,tar:[26,203],eperm:608,commun:[504,614,515,812,895,17,857,776,275,330,698,836,44,23],client1:504,client2:504,doubl:176,chl:[521,269,157,47],kpasswd_port:10,g_dsp_name:330,next:[377,895,434,131,840,181,423,70,56,44,791,669],krb5_trace:[273,853,147,372],few:[119,452],gss_add_oid_set_memb:764,gss_c_qop_default:17,krb5_decrypt:181,db_princ_arg:[70,44],gssi_import_cred_by_mech:764,stage:[73,223],remaind:812,sort:473,armor_ccach:640,addrtyp:[431,499,323],comparison:812,factor:812,gss_export_nam:17,trail:[10,437],keytab_out:200,rabbit:493,actual:[521,820,114,759,744,434,39,131,505,631,27,149,423,73,840,44,444,791,248,104,669],krb5srv:493,socket:[812,10,208,181],high:[321,27,73],account:[812,10,162,662,44],schneier:576,retriev:[70,423],krb5_kuserok:[731,181],augment:764,alia:[708,3,70,181,138,44],ride:10,alic:[783,138,184,662],critic:[521,23],inprinc:726,subregion:17,obvious:100,endian:[302,563,764,323],meet:783,adtyp:360,"0x08000000":[445,844],fetch:[524,689,423,458,484,44,45,519],client_kei:576,control:[794,615,452,473,815,576,226,455,10,895,743,746,17,748,73,687,885,32,519,185,521,504,515,689,812,698,248,476,208,147,662,328,608],sqlite:423,malform:[362,58,318,323],contempl:330,process:[521,895,812,70,566,17,181,423,73,191,44,10,45,689,794],pcreddata:254,sudo:855,mech_typ:764,krbcontain:[10,855,515],"_krb5_ap_req":259,"_krb5_ap_rep":[636,904],tag:[812,10,895,323],proprietari:208,"_profile_t":[737,334],tab:[70,44,576,423,672],krb5_kdc_profil:[895,63,273,576,28,10,45,566],addrtype_addrport:[821,215],serial:[566,17],krb5_clpreauth_modreq:413,krb5_principal_parse_ignore_realm:632,repl:569,"function":[483,49,453,840,227,312,166,877,736,458,12,895,406,411,745,349,625,17,876,181,182,124,72,73,310,521,256,369,131,70,322,423,920,921,699,44,653,651,428,774,434,272,693,915,275,217,85,791,543,505,669],delai:[452,576,27,44,493,640],pkinit_pool:[812,10],aes256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],deltatp:712,unrestrict:[613,100],krb5_k_key_keyblock:181,occur:[237,745,258,70,566,27,423,372,44],local_appdata:812,brian:330,kbuild:836,"05pm":176,commonconfig:812,krb5_set_trace_filenam:181,subdirectori:[812,28,836,662,126],pwqual_plugin:455,instead:[452,576,672,850,10,59,562,895,811,184,73,689,575,473,521,63,258,70,421,764,423,140,142,812,437,329,330,44],kdb5_util:[427,689],unenc_authdata:34,keyencipher:[812,504],circular:44,msdn:576,klau:330,overridden:[724,576,27,812,32,45],"0x7fff":[888,705],roam:812,gcc:452,"_krb5_enc_data":370,conf_stat:17,inst:217,request_fini:413,krb5_init_creds_context:[36,412,911,421,761,245,185,74,357,753,417],dbutil:330,krb5_cc_new_uniqu:181,krb5_pac_client_info:595,alloc:[521,840,745,453,131,17,181,149,166,791,669],drop:576,essenti:10,pkinit_eku_check:[812,10,504],amount:[580,114,434,493,26,840,812,914,10,346],counter:[70,44,434],interprocess_token:764,element:[521,181],issu:[521,504,373,724,434,660,70,208,17,248,275,100,73,44,10,403,493,812],winbind_krb5_loc:662,unaccept:27,allow:[794,812,724,473,56,10,895,17,248,181,73,689,32,814,521,504,63,70,423,100,321,484,476,434,208,147,662,275,44,45,792],minlength:[70,44],delent:138,krb5_k:78,fallback:[70,44,812,521,687],default_keytab_nam:[812,159,746],retval:[450,453,876,229,230,672,494,674,234,235,458,11,12,595,461,411,243,726,463,247,249,881,686,129,586,254,690,256,257,277,258,693,887,639,695,135,479,872,483,699,265,266,701,30,703,272,276,274,712,40,740,711,716,308,491,279,756,502,684,287,507,291,292,734,736,133,604,511,298,744,745,65,1,732,143,72,517,74,848,77,69,519,310,489,522,312,759,761,316,318,718,85,245,108,88,774,535,536,146,825,781,784,852,671,651,102,791,549,874,853,105,107,551,340,110,111,112,114,342,115,344,345,723,121,369,627,565,334,352,568,569,125,357,859,817,818,580,840,823,130,131,620,363,364,365,590,368,137,921,141,374,597,658,377,730,600,841,39,603,148,149,384,385,606,91,610,543,611,158,389,615,648,412,163,164,860,821,166,862,863,400,171,621,625,738,406,739,524,875,631,632,877,879,182,251,185,151,914,753,415,417,267,890,641,190,642,628,420,421,422,322,197,362,920,803,200,901,903,653,429,820,432,205,206,207,735,912,300,395,915,916,917,505,215,217,832,444,447,669],krb5lib:895,houston:493,krb5_cc_get_flag:181,h5l:[812,449],"h\u00f6gskola":330,move:[10,181,895],mkeytyp:[423,44,484],krb5_cc_set_flag:181,tcl:[203,452],comma:[812,70,423,44,10,45],defktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],cbdata:815,bunch:44,gss_c_nt_export_nam:17,key_data:[251,359],krb5_kt_default_nam:181,gss_acquire_cred_with_password:576,krb5_pac_pars:181,mypreauth:662,krb5_tkt_creds_step_flag_continu:615,chosen:[521,783,26,17,248,812,28,321,698,576],banner:[521,752,848],"_krb5_ap_rep_enc_part":904,whether:[521,812,411,63,434,208,248,181,423,662,73,689,10,45],restart:[504,895,147,73,44,10,32,814],krb5_preauth_fail:606,total:[10,437,640],anyon:[184,119],lockout_polici:434,therefor:[44,850,515,493,323],wellknown:[521,504,883,86],minor_statu:[17,764],"_krb5_enc_kdc_rep_part":324,krb5_get_host_realm:181,crash:[812,895,56],krb5_appdefault_boolean:181,dal:885,auto:576,sid:[812,846,851],dai:[504,812,70,181,740,484,44],auth:[515,17,181,321,166,10,493],krb5_free_cksumtyp:[91,181],mention:[10,330,515],krb5_end_seq_get:610,facilit:576,front:[10,672],krb5_pac_logon_info:595,krb5_timeofdai:181,gss_unwrap_aead:17,anyth:[812,504,869],edit:[228,138,855,814,724],unlimit:330,new_stat:197,uidnumb:614,dugsong:330,ietf:576,capath:10,mode:[423,63,452,913,70,437,147,83,150,899,355,73,44,10,576,640,356],ldap_kadmind_sasl_realm:10,tmpdir:27,verifier_cred_handl:764,subset:[836,493,452],usc:437,chunk:[310,600],relinguish:543,consum:885,localfr:662,keyagr:504,"static":[521,815,4],krb5_c_prf_length:[876,181],awk:423,our:[836,10,208,330,203],patch:44,iprop_en:[10,689,63,44],token_flag:771,special:[764,614,434,576,17,27,662,330,311,44,10,116,640,489],out:[450,452,453,876,30,230,672,674,234,458,12,411,726,247,249,686,129,586,656,253,254,690,257,631,639,695,872,266,701,671,703,711,274,364,712,40,740,308,491,279,44,756,47,723,504,840,507,291,292,293,509,737,739,298,744,745,606,1,732,143,72,517,74,489,522,312,63,761,70,316,318,718,85,108,88,532,774,812,535,536,146,825,781,330,651,102,549,200,237,105,107,551,110,111,803,114,346,119,69,121,565,349,334,568,569,124,814,125,357,817,580,393,369,362,620,363,133,365,590,914,921,141,374,597,658,730,841,39,915,765,603,147,148,604,384,385,386,734,91,610,852,614,615,648,164,860,821,862,736,400,171,621,402,403,406,524,408,629,875,632,877,879,182,251,185,151,887,188,267,890,641,190,642,628,420,645,646,422,245,197,649,874,901,903,652,653,428,429,432,373,627,434,207,436,208,415,684,792,917,505,215,217,832,444,447,669],variabl:[794,812,63,70,132,566,689,423,321,484,44,10,32,45],krb5_free_authdata:[436,887,181],matt:330,krb5_init_creds_get_cr:[753,181],intrud:104,contigu:17,reload:44,krb5_responder_pkinit_set_answ:[521,181],defend:27,develop:776,kdestroi:[614,762,792],send_hook:623,ret:[521,429],kdc_princ_nam:504,guarante:73,suitabl:[452,576,423,330,203,104],rel:[812,10,181],inaccess:493,hardwar:[521,562,895,70,850,44,10,104],krb5_cc_remove_cr:181,result_cod:[362,890,400],red:330,clarifi:504,krb5_set_error_messag:181,experiment:576,insid:[436,794,576,248],workflow:73,bleep:[70,44,138,184,104],krb5_post_recv_fn:[167,36],cleartext:[904,324,189],receiv:[63,70,566,17,147,181,812,73,44,10,493,689],standalon:[147,63],"_krb5_authdata":360,dictionari:[895,812,434,455,275,10,640],releas:[393,112,10,625,69,406,684,17,248,181,693,473,689,521,504,63,70,423,921,44,812,776,434,273,603,147,915,321,792,505],likelihood:44,afterward:[44,223],shortest:171,maxrenewlif:[70,44,32,484],postdat:[562,70,422,104,44,10,32,640],gssapiauthent:662,krb5_get_init_creds_opt_set_preauth_list:181,proxiabl:[70,10,812,181,44],backspac:672,unquot:423,could:[895,776,434,437,27,4,792,812,104,321,73,56,662,493,576,119],put:[904,672,45,895,689],mac:[836,258],keep:[794,434,70,26,27,44,203,566,119],counterpart:[32,792],conf_req_flag:17,length:[521,535,70,17,181,877,44,10,792],krb5_gc_user_us:30,ksu_opt:437,ltd:330,"_krb5_trace_info":31,ret_princ:701,distinguish:[812,44,330,484],krb5_princ_compon:2,krb5_find_authdata:181,endors:330,suffix:[662,452],krb5_responder_fn:[527,787,36],krb5_tc_match_times_exact:686,qualiti:[328,812,576,662],lcurs:452,echo:[914,848],date:[70,10,812,423,63],gssapip_spnego:330,certid:812,submit:[17,248],pgp:[26,23],lib:504,owner:330,"_krb5_tkt_authent":837,facil:[794,10,17,689],princ:[794,906,702,563,160,453,70,439,812,18,877,423,231,535,799,217,294,574,12,577],g_rel_cr:330,prioriti:[614,73,10,493,656,698],renewable_lif:640,strict:330,data:[521,449,812,515,70,566,17,248,181,423,100,73,44,10],annot:[208,321,576],enckdcreppart:324,mkdir:203,system:[794,890,110,400,10,740,461,17,181,73,129,32,473,521,504,641,823,895,70,639,423,100,812,434,273,208,147,275,191,44,45,792],wrapper:31,basicconstraint:504,hotp:70,attack:[521,812,724,434,576,27,275,100,832,73,44,640],uint_max:[612,392,283],physic:[100,493],lockit:70,termin:[45,181,689],"final":[812,32,133,203,604],rpath:[540,203,452],prone:576,kpserverauth:[812,504],udp:[794,812,615,576,226,275,185,10,45,493],shell:[70,44,895,484],krb5_ui_4:[36,420,29,727,148,917,457,904,595],eavesdrop:17,krb5_mk_req_checksum_func:[784,151,36],juli:176,rsa:[504,195,812,560,775,330,355,356,10,416,640],v5cred:345,biggest:73,krb5_set_password:[731,181,110],shall:330,krb5_address_ord:181,rst:[126,138],exactli:[895,437,479,763,812,686,173,683],krb5_auth_con_getlocalseqnumb:181,haven:452,securecooki:563,cacreateseri:504,krb5_free_cred_cont:[521,610,686,181],slack:493,particularli:[273,540,73,56,493,119],charact:[895,25,70,812,672,874,44,10,116,493,32,489],claim:330,sweden:330,crawdad:330,bind:[515,70,540,44,484,10,493,576],lrealm:[344,308,120],krb5_crypto_iov:[820,759,600,36,131,247,149,385,791,310],start_tim:[841,357,606,640],unencrypt:[336,34,35,727,100,215],asn:181,dbadmin:32,krb5_tkt_creds_get_tim:181,plaintext:[651,652],linker:452,initvt:4,correspond:[521,449,907,812,223,258,504,17,620,4,423,591,129,660,126,32,576],tom:70,mk_cmd:452,have:[794,614,223,724,473,576,226,4,455,850,56,10,493,869,119,121,563,349,302,17,748,413,184,73,885,126,32,640,814,521,504,821,63,895,70,26,27,764,423,100,698,323,203,248,656,812,776,686,434,761,437,662,330,215,44,45,792,104],ari:437,need:[452,453,30,230,672,234,10,12,726,17,249,686,687,254,23,73,26,695,872,701,711,491,40,308,316,718,44,723,504,815,840,507,292,734,509,739,493,895,744,745,684,1,68,118,143,517,689,32,489,521,522,759,764,100,88,812,535,536,540,176,102,791,549,104,794,796,105,107,110,111,114,343,559,119,69,563,565,568,569,814,357,821,369,131,363,586,921,141,126,836,658,730,39,603,147,732,384,608,91,610,614,615,576,393,860,862,736,915,869,406,524,875,632,877,251,185,885,887,188,640,267,641,364,642,628,420,765,245,423,901,903,653,203,656,820,515,627,434,436,792,215,832,505,669],chpass:[70,44,223],k5_gic_opt:[606,841],krb5_c_string_to_key_with_param:181,verbatim:330,min:[70,44,32,176],mic:855,cksumtypep:590,r18:[423,44],mix:104,localedir:452,initiator_cred_handl:17,which:[794,887,614,603,855,223,452,540,815,286,226,1,4,455,341,556,850,473,783,10,484,493,895,563,746,302,17,568,413,184,73,689,885,32,576,814,521,504,821,257,63,515,70,132,26,646,27,764,423,28,138,832,698,323,836,203,812,656,649,566,907,434,660,273,711,208,159,147,662,792,275,436,330,215,316,44,45,437,104,47],gss_:764,htmlsrc:126,ncsa:713,singl:[521,504,776,662,895,70,274,17,248,181,812,100,73,44,10,403,493],uppercas:[812,608],happi:330,unless:[613,724,576,248,730,10,493,895,17,748,73,572,32,519,70,423,100,372,812,437,662,608,44],deploy:[504,73],gss_c_buffer_type_pad:17,lk5crypto:540,who:[504,776,895,44,321,104,484,10,119],oracl:[330,713],presid:330,ldap_kadmind_dn:[10,515,484,855,44],kungliga:330,krb5_cccol_last_change_tim:[449,181],ap_opts_mutual_requir:[1,568,642],eight:792,"_krb5_transit":496,pa_real:413,segment:493,kerboro:476,gss_add_cred_with_password:764,pa_replaces_kei:850,krb5_cc_switch:181,marshal:[576,563,323],placement:27,won:[812,504,104],url:[275,10,493],hopefulli:434,stronger:[812,321,73,248],uri:[895,70,576,812,44,484,10,493,792],issuanc:[70,44],inde:104,deni:[434,70,437,662,608,44],furnish:330,determin:[895,256,393,411,63,273,876,17,812,840,181,423,70,662,191,44,10,689],occasion:[895,27],constrain:[70,44],krb5_trace_callback:[372,36],"_krb5_enc_tkt_part":826,gss_cred_usage_t:17,krb5_ap_rep_enc_part:181,maco:836,source_us:437,krb5_keytab_entry_st:847,"12h":[10,895],text:[521,504,563,242,208,662,110,423,139,457,44,540,924],verbos:[794,70,423,44,203,640],tty:[44,484],lcom_err:540,localauth_plugin:608,visibl:[44,576,73],anywai:[521,10,1,493],krb5_keytab:[158,389,293,234,621,568,249,519,412,695,135,200,835,803,374,657,206,841,36,711,415,40,395],subjectkeyidentifi:504,ksu:[361,330,762],kadmin5:100,krb5_kt_default:181,locat:[515,63,273,132,812,689,10,32,45],launchpad:713,much:[473,73,119,686],klist:[794,614,762,159,73,792],forev:[70,44],incident:330,should:[794,855,724,473,56,10,493,895,17,248,73,689,814,521,504,515,70,423,100,484,812,776,662,275,44,45,792],resubmit:640,suppos:[184,104],execprefix:452,libkdb_ldap:855,local:[521,895,855,63,662,70,208,17,181,812,100,73,44,10,484,493,794,814],hope:330,meant:104,count:[774,70,181,423,699,44],keyr:[576,614],aesni:[330,452],krb5_verify_init_creds_opt_set_ap_req_nofail:[521,519,181],armor:[10,181,504],cuba:330,password_expir:[907,278],convert:[812,17,855,73,181],michigan:330,kdckei:504,krb5_pac_get_typ:181,autom:203,krb5_kpasswd_success:[362,400],g_store_cr:330,theori:330,increas:[131,328,820,759,791],krb5_enctype_to_str:181,db3:452,db2:[434,70,576,28,44,836,10],krb5_kpasswd_harderror:362,result_code_str:[362,890,400],k5_vic_opt:[572,204],krb5_rcach:[458,586,543,36],source_cache_nam:437,my_proxi:812,princnam:[521,614,434],enabl:[794,614,452,10,493,895,745,17,73,689,504,63,70,26,27,812,832,515,437,147,662,328,920,44,208],"0x00040000":170,upper:[70,44,32,25,493],krb5_xc:2,s4u2proxi:[17,323],admin23:515,sha:[812,10,576,73],kadmind:[70,427],des3:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],she:[184,104],partit:493,contain:[794,566,393,620,399,736,10,493,895,17,181,689,32,521,504,63,369,70,423,484,653,812,515,147,662,275,44,792],nist:812,dnsname:812,conform:[812,26,25,576],listprinc:[70,44],krb5_rc_st:807,unimport:323,signatur:[195,373,326,815,26,764,560],persist:614,frame:323,knowledg:[776,413,850,73,56,519],abort:[598,741,226],packet:[10,208,45,850,1],dcmd_path:437,krb5_prompt_type_new_password:591,p27:713,krb5_free_tgt_cr:181,int16_t:153,troubl:713,krb5_copy_cr:181,krb5_principal_data:[731,485,900,36],krb5_principal_compare_casefold:511,correctli:[857,17,59,814,119],pattern:[423,812,783,662],dll:[764,815,662,4],cache_out:[393,88],slapd:[515,855],time_req:17,krbcore:23,progress:[10,73],neither:[562,70,437,17,812,330,44],num_prompt:[752,848],email:[816,776,119],auto_to_loc:812,perfect:27,krb5_c_decrypt:181,sole:812,nowait:[895,814,63],k5ident:[812,762,748,662],kei:[855,724,70,566,423,138,814,484,45],enc_part2:[336,309,35,389],krbtgt:70,top_srcdir:126,job:[895,493,63,56],entir:[70,478,850,73,323,493],crc32:812,mailbox:27,lawsuit:330,embed:523,convei:[773,576,54,73,330,44,493],david:[794,44,119,104],doxygen:[126,776],plugin:[70,10,855],admin:[794,895,855,63,515,70,484,812,321,73,689,44,32],goal:521,modnam:[812,662],g_sign:330,krb5_cc_support_switch:181,etc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],instanc:[434,273,662,812,44,32,792],sesam:[521,303],kv5m_context:[818,125],ccapi:[836,330],gssd_pname_to_uid:330,freeli:330,krb5_responder_otp_challenge_fre:[521,181],krb5cc_1984:437,krb5_pa_svr_referral_data:36,krb5kdc:[776,63,724,70,132,566,689,423,484,427],gss_display_statu:764,krb5_cccol_cursor_fre:181,cc246091:576,kpropd_rpc:330,arriv:27,walk:[423,44,119],vnder:73,rpc:[812,10,17,181,44],ucb:437,commenc:895,hellman:[812,10,640],advertis:[812,330],msg_type:[34,35,324],krb5_vset_error_messag:181,mailman:23,gssi_import_name_by_mech:764,tort:330,target_nam:17,"_krb5_kdc_req":34,"_krb5_kdc_rep":35,krb5_init_creds_fre:181,e_data:[850,457],insuffici:[522,452,732,395,292,318],g_unseal:330,json:[521,433,70,208,649,323,118,47],krb5kdc_err_more_preauth_data_requir:850,treat:[258,70,208,17,646,812,399,511,323,640,593],krb5_fences_vtable_v2:4,foreground:[63,689],popul:[449,73,611],infrastructur:[812,836,203],bit:[521,504,302,17,568,686,323,916,115,266,10,437,447,73],searchscop:[44,484],caddr:[324,826,544],presenc:323,sock_stream:226,assert:[576,17,850,323],krb5_principal_parse_no_realm:632,krb5_recvauth:181,srcdir:126,otp:[70,321],presens:812,profile_module_init_fn:815,kdc_timesync:812,gss_wrap_iov_length:17,replic:[895,63],multi:[504,576,434],novel:330,requested_principal_nam:220,virtual:[812,794],plain:563,krb5_libos_pwdintr:606,cursor:[133,610,243,181],pkinit_cert_match:812,realmsp:[292,656],in_cr:[697,30,642,1,307],wild:[70,44],kdc_option:34,cve:576,krb5_kt_end_seq_get:181,layer:[885,576,764],c89:26,blocksiz:365,cell:73,cultur:330,kdc:[855,63,70,566,689,423,484,45],site:[794,44,493,895],archiv:26,default_valu:[124,428],substanti:330,lightweight:836,krb5_auth_con_getremoteseqnumb:181,headernam:452,revis:330,wkt:138,greater:287,tamper:17,incr:627,denial:812,let:[226,184,39,669],portiion:330,parti:[208,17,662,330],cc246071:576,num_data:[820,759,600,131,247,149,385,791,310],cross:[812,10],bjaspan:[70,44],himself:104,handl:[70,208,17,181,423,73,458,44,32,88],incc:146,krb5_fast_requir:229,largest:434,fubar:812,com_err:[773,452],fide:493,difficult:434,v4cred:345,massachusett:[330,462],krb5_keyusag:[820,114,759,600,744,36,131,631,39,247,840,197,385,444,791,310,505,669],digitalsignatur:[812,504],api:[776,17,147,73],upon:[423,44,437,63,452],effect:[614,812,482,73,44,10,32,493],krb5_free_data:[230,181],krb5_int16:36,uucp:10,tortiou:330,"83final":713,dealloc:[608,877,687],login:[273,10,812],expand:812,audit:576,krb5_preauthtyp:[378,224,644,36,829,635,657],johndo:812,mech:[576,764,662],off:[794,434,662,812,914,848,493,792],"0x04000000":[209,464],client_princ:521,krb5_k_verify_checksum:[181,444],interpos:662,authoritykeyidentifi:504,concis:815,theodor:330,set_cooki:[576,850],krb5_c_make_checksum:181,krb5_pac_add_buff:181,filesystem:[10,44,504,895,28],undefin:[437,133],undertaken:776,sandia:330,gss_iov_buffer_type_head:17,piec:[434,586],latest:[895,660,576,30,203,104],test1:[70,44,176],test3:[70,44,176],krb5_auth_con_init:[181,166],deltat:164,test4:176,librari:[3,453,671,230,494,674,877,9,458,11,12,411,243,726,463,17,247,248,686,129,629,256,257,693,639,872,483,699,266,486,555,708,272,491,713,275,274,502,287,507,291,734,10,509,738,604,298,745,65,143,72,517,77,69,310,521,312,70,348,85,88,774,812,535,536,146,825,163,784,191,651,102,791,794,237,551,340,110,111,112,716,342,115,346,723,349,352,124,473,125,859,818,580,840,823,369,131,620,133,365,921,141,658,377,476,603,147,149,91,610,543,611,508,393,394,166,736,399,625,406,178,524,409,876,181,182,882,151,887,188,322,197,362,920,653,428,205,627,435,436,300,684,915,916,505,217,444,447,669],less:[794,614,70,302,287,10,203,576],cheetah:126,boot:[613,895],obtain:[796,724,56,10,895,1,568,248,181,473,125,753,521,504,642,761,70,363,812,321,656,784,44,792],tcp:[794,504,615,812,63,895,576,226,275,814,44,10,493,185],ok_to_auth_as_deleg:[70,44,17],token_len:17,server_str:110,est:[176,44,434],heavili:27,glue:836,taken:[423,907,493,73],tclpath:452,web:[895,26,614],krb5_init_creds_step_flag_continu:185,krb5_read_password:181,in_authdat:887,makefil:[126,203,452],technet:713,krb5_nt_unknown:701,script:[895,452,70,689,836,44,45,203],kproplog:[427,63],jellinghau:330,edata:850,adm:[10,493,515],rctx:[521,242,919,286,649,341,831,235,47,157,269],smart:[812,10],gmt:176,e2big:346,fences_wicker_initvt:4,renprinc:70,krb5_rc_close:586,rename_sect:815,hard:[10,44],containerdn:[70,44],krb5_copy_keyblock:181,punctuat:[70,44,812,25,895],five:[895,821,25,223,70,812,27,176,215,44],know:[504,452,434,27,764,812,792,104],dns_canonicalize_hostnam:812,kdc_req_checksum_typ:812,recurs:[423,44,576],gssapi_krb5:17,krb5_c_keyed_checksum_typ:181,name:[794,855,724,162,10,895,73,689,32,814,504,63,515,70,423,100,321,484,812,273,208,662,275,44,45,792],insert:[324,544],s4u2self:[17,646],outcc:146,like:[794,613,614,452,473,171,493,869,895,17,73,126,32,814,504,63,70,27,812,100,203,423,147,44,792],lost:[330,203,56],safest:104,corpor:330,outauthdat:628,princ_lockout:423,slave_datatran:[28,895,132],ldflag:452,krb5_principal_compar:[731,181],krb5_free_default_realm:181,princ_flag:423,"_krb5_pa_data":635,desired_nam:17,expected_nonc:583,architectur:[203,452],page:[70,812,26,776,452],krb5_addrtyp:[499,36],titl:[836,330],retransmit:452,krb5_msgtype:[534,34,35,709,36,633,634,742,390,57,75,76,238,324],fast_avail:323,t1417:713,suppli:[521,907,257,70,17,181,318],krb5_check_clockskew:181,krb5_auth_con_getauthent:181,destdir:203,mit1:563,k5wiki:[576,203,23],"export":[10,895],ldap_kdc_sasl_authzid:10,unencapsul:576,mistak:119,proper:[504,855,568,814,44,203],krb5_k_decrypt_iov:[791,181],transport:[44,615,493,185],tmp:[794,895,855,746,70,437,27,812,28,104],krb5_get_init_creds_opt_fre:[521,107,181],desired_mech:[17,764],"_krb5_gic_opt_pa_data":878,lead:[10,437],sphinx_arg:126,ticket_info:189,avoid:[521,907,855,452,70,576,73,32,104,473],octet:181,interface_plugin:4,outgo:794,jeremi:330,krb5_tc_match_2nd_tkt:686,server_port:814,sequenc:[266,181,504],krb5_get_time_offset:181,preauth_list:[829,644],lockoutdur:[70,44,434],stockholm:330,pepper:181,investig:452,liabil:330,krb5_responder_get_challeng:[521,181],mssclogin:812,krb5_get_prompt_typ:[521,181],"0x00000200":802,host:[794,63,70,132,321,73,689,814],although:[159,455,330,104,687,493,119],krb5_kt_name_toolong:374,gss_iov:576,"0x00008000":[470,8],keytabnam:452,flag_rsa_protocol:640,microsecond:[461,323,852,29,279,904,189],expiri:[576,907,73],"_kpasswd":493,unprint:[70,44],about:[776,10,32,73,515],ntlm:576,rare:504,interven:44,krb5_ccach:[237,224,890,393,620,30,556,509,738,739,823,3,243,65,463,352,703,681,517,307,77,519,686,125,642,657,363,133,422,318,697,671,88,532,378,708,205,524,146,36,491,575,859,916,716,611,629,610,447],column:423,krb5_cc_badnam:318,eytab:[70,794],krb5_tkt_creds_step:[121,739,860,181],"_krb5_authent":727,statement:[330,646],krb5_crypto_type_checksum:[385,247,310,600],krb:[812,181],fast_ccache_nam:827,krb5_client_ktnam:[273,28,159],zonetest:73,kadmind_listen:10,profile_tcl:330,own:[764,895,776,70,437,4,455,812,794,184,104,44,10,623,119,473],generic_trusted_ca:[812,10],absolut:[812,10],builtin:[576,330,452],automat:[613,614,63,895,70,437,159,423,386,56,689,44,203,104],warranti:330,automak:4,guard:27,outdata:[267,522,821,230,732,832,215,254],req_pac:37,sspi:576,checksum_typ:154,inbuf:[917,821,568,569,215],dug:330,gss_iov_buffer_type_trail:17,merg:[10,181,476],"_udp":493,krb5_c_make_random_kei:181,defccnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],explcit:330,haddl:543,transfer:[504,689],profile_module_init:815,trigger:27,mgluep:330,ldapi:[10,515,484,855,44],"0x01ff":622,"var":[504,855,63,452,895,746,484,27,812,28,44,10],groff:776,userpassword:515,cancel:44,target_us:437,krb5_parse_name_flag:[731,181],krb5_get_init_creds_opt_set_expire_callback:181,north:330,unwrap:[17,181],seq_numb:[904,727],subscrib:23,message_typ:583,wed:44,unambigu:907,krb5_config_notenufspac:[129,207],eas:208,ear:330,bug:[776,713,473,836,44,203,23],g_rel_nam:330,realm2:45,succe:[521,10,812,519,895],made:[895,614,223,63,37,147,812,137,330,191,737,885,44,918],defcktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],temp:[812,27],rc4:[10,576],wish:[895,452,746,556,493,26,17,764,455,812,330,321,104,203,119],daffodil:[794,104],"_krb5_cred":[336,793],krb5_c_verify_checksum_iov:[310,181],rc2:899,krb5_free_error_messag:181,asynchron:[739,850],record:[895,812,302,27,792,423,473,44,45,493,576],below:[812,515,208,662,423,437,330,44,836,10,118],devicenam:10,genrsa:504,vpath:[26,203],dce:[812,17,181],lynx:855,krb5_c_free_stat:181,otherwis:[450,452,876,229,230,674,234,10,11,12,461,411,726,17,247,686,586,254,517,256,25,257,258,693,639,695,872,483,699,265,30,703,272,276,274,712,275,716,316,279,44,723,840,507,291,732,734,736,133,604,493,511,298,744,745,300,1,143,71,72,73,74,753,519,310,756,504,312,759,761,70,718,85,245,774,812,536,146,825,781,912,330,651,102,791,792,104,794,105,18,107,551,614,340,111,112,114,342,69,562,121,369,565,568,569,357,817,358,580,130,131,860,363,364,365,590,368,914,921,690,595,597,377,600,841,39,603,148,149,735,384,385,606,91,610,543,389,615,648,412,164,394,821,863,437,399,171,625,406,739,627,875,631,632,879,182,251,185,887,640,417,267,190,642,628,895,420,421,422,322,197,423,874,901,903,653,789,429,820,432,205,658,436,208,362,684,916,917,505,215,832,444,447,669],problem:[855,576,1,27,73,44,23,473],strategi:434,time_offset:45,display:110,krb5_cc_initi:[491,181],netbio:399,firm:330,default_principal_flag:[10,32,576],krb5_get_init_creds_opt_set_out_ccach:181,cb_ret:815,evalu:812,x509_proxi:812,"int":[615,453,287,551,360,4,6,400,345,511,743,877,17,632,479,525,124,635,890,185,129,572,752,577,489,55,706,256,454,644,362,639,647,318,914,139,829,108,91,374,651,596,377,34,535,537,207,843,848,443,101,154,280,725,499],dure:[895,63,434,273,44,56,689,10],indata:230,filenam:[853,504,812,63,724,895,273,132,208,17,147,423,70,44,10,484],max_lif:[423,10,895],gss_add_cred_impersonate_nam:764,strip_realm:[10,208],max_ticket_lif:[44,484],implement:[449,614,223,452,815,576,226,4,455,850,400,10,345,346,65,493,302,17,413,73,687,885,23,521,890,744,27,764,812,698,323,203,776,208,662,275,330,505,608,44,437,104],ini:812,remotehost:518,regul:330,kpropd:[132,689,427],inc:[330,104],mutual:[895,822,642,636,437,1,390],"0x000a":195,"_krb5_tkt_creds_context":172,countermeasur:100,t_mddriver:330,privsvr_kei:765,krb5_princip:[722,453,393,863,731,877,12,726,181,357,577,521,823,422,318,88,703,730,535,841,491,606],detail:[614,223,815,576,226,455,850,895,433,334,248,413,73,687,208,26,698,836,437,662,608,45,792],free_modreq:850,lname:[437,129],"default":[63,724,70,132,484,423,814,689,45],other:[794,895,812,434,70,689,248,662,423,73,44,10,32,45],lookup:[501,452,188,576,226,812,473,493,792],futur:[504,17,51,687,44,31,818],sick:330,varieti:248,getopt:836,krb5cc_:[28,437],gss_c_buffer_type_stream:17,known:[521,620,248,181,423,473,44,10],repeat:[895,812,764,423,323,10,78],second_ticket:[34,793,323],"class":[70,44,25],reconf:836,h71000:713,krb5_kt_get_typ:181,unser:17,beeblebrox:895,uncommon:27,sasl:[70,576,17,44,484,10],strlcpy:330,olcschemaconfig:855,krb5_rd_error:181,debian:[576,228],krb5_free_keytab_entry_cont:181,kdb5_ldap_util:[70,427,689],free_list:687,multithread:181,experienc:[776,226],maxnumb:[70,44],sphinx:126,fund:330,appl:[836,330,258],krb5_kt_add_entri:181,krb5_init_keyblock:181,g_util:330,portion:[461,852,208,29,727,249,812,870,330,686,457,279,904,189],emerg:10,krb5_responder_pkinit_challenge_fre:181,"0x0014":[50,894,405],keybyt:604,"_krb5_keyblock":525,recvauth:[695,642],rep:[190,636,364,569,384,35,882,767,917,324]},objtypes:{"0":"c:function","1":"c:member","2":"c:type","3":"py:data"},objnames:{"0":["c","function","C function"],"1":["c","member","C member"],"2":["c","type","C type"],"3":["py","data","Python data"]},filenames:["appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","appdev/refs/api/krb5_mk_req_extended","appdev/refs/macros/index","appdev/refs/api/krb5_cc_get_type","plugindev/general","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME","appdev/refs/types/krb5_verify_init_creds_opt","appdev/refs/macros/TKT_FLG_ENC_PA_REP","appdev/refs/macros/TKT_FLG_ANONYMOUS","appdev/refs/api/krb5_clear_error_message","admin/conf_files/kdc_conf","appdev/refs/api/krb5_auth_con_setuseruserkey","appdev/refs/api/krb5_425_conv_principal","appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA","appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE","appdev/gssapi","appdev/refs/api/krb5_sname_match","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC","appdev/refs/macros/AP_OPTS_WIRE_MASK","appdev/refs/api/krb5_free_enctypes","resources","appdev/refs/macros/KRB5_PADATA_PAC_REQUEST","user/user_commands/kpasswd","build/index","basic/rcache_def","mitK5defaults","appdev/refs/types/krb5_replay_data","appdev/refs/api/krb5_get_credentials","appdev/refs/types/krb5_trace_info","admin/conf_files/kadm5_acl","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO","appdev/refs/types/krb5_kdc_req","appdev/refs/types/krb5_kdc_rep","appdev/refs/types/index","appdev/refs/api/krb5_get_init_creds_opt_set_pac_request","appdev/refs/api/krb5_wrap_error_message","appdev/refs/api/krb5_k_decrypt","appdev/refs/api/krb5_kt_start_seq_get","appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED","appdev/refs/macros/KRB5_AUTHDATA_CAMMAC","appdev/refs/macros/KRB5_PADATA_OSF_DCE","admin/database","admin/admin_commands/krb5kdc","appdev/refs/macros/AP_OPTS_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_get_challenge","appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME","appdev/refs/api/krb5_anonymous_realm","appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256","appdev/refs/api/krb5_get_error_message","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_PADATA_PK_AS_REP","appdev/refs/types/krb5_pac","appdev/refs/api/krb5_get_init_creds_opt_set_etype_list","admin/backup_host","appdev/refs/macros/KRB5_AP_REQ","appdev/refs/macros/KRB5_KPASSWD_MALFORMED","appdev/refs/types/krb5_pre_send_fn","appdev/refs/types/krb5_pointer","index","appdev/refs/api/krb5_tkt_creds_free","admin/admin_commands/kpropd","appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR","appdev/refs/api/krb5_cc_remove_cred","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","appdev/refs/macros/KRB5_NT_UID","appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_c_string_to_key","admin/admin_commands/kadmin_local","appdev/refs/api/krb5_is_config_principal","appdev/refs/api/krb5_c_fx_cf2_simple","admin/advanced/retiring-des","appdev/refs/api/krb5_init_creds_get_error","appdev/refs/macros/KRB5_TGS_REP","appdev/refs/macros/KRB5_TGS_REQ","appdev/refs/api/krb5_cc_set_config","appdev/refs/types/krb5_key","appdev/refs/macros/KRB5_REALM_BRANCH_CHAR","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","appdev/refs/api/krb5_get_init_creds_opt_set_pa","appdev/refs/macros/KRB5_KPASSWD_HARDERROR","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1","appdev/refs/api/krb5_auth_con_getlocalseqnumber","appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR","appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR","appdev/refs/api/krb5_cc_cache_match","appdev/refs/api/krb5_free_keyblock_contents","appdev/refs/macros/krb524_convert_creds_kdc","appdev/refs/api/krb5_c_keyed_checksum_types","appdev/refs/macros/CKSUMTYPE_RSA_MD4","appdev/refs/macros/CKSUMTYPE_RSA_MD5","appdev/refs/api/krb5_free_keyblock","admin/advanced/index","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256","appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION","appdev/refs/index","appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE","admin/install_appl_srv","appdev/refs/types/krb5_msgtype","appdev/refs/api/krb5_copy_ticket","appdev/refs/api/krb5_k_reference_key","user/tkt_mgmt","appdev/refs/api/krb5_get_permitted_enctypes","appdev/refs/macros/ADDRTYPE_ISO","appdev/refs/api/krb5_get_init_creds_opt_alloc","appdev/refs/api/krb5_unparse_name_flags_ext","appdev/refs/macros/MAX_KEYTAB_NAME_LEN","appdev/refs/api/krb5_chpw_message","appdev/refs/api/krb5_copy_keyblock","appdev/refs/api/krb5_cccol_lock","appdev/refs/macros/KRB5_PADATA_AP_REQ","appdev/refs/api/krb5_k_encrypt","appdev/refs/api/krb5_auth_con_setflags","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY","appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT","user/pwd_mgmt","appdev/refs/api/krb5_free_default_realm","appdev/refs/api/krb5_tkt_creds_get_times","appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE","appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP","appdev/refs/api/krb5_appdefault_boolean","appdev/refs/api/krb5_cc_default","build_this","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT","appdev/refs/api/krb5_aname_to_localname","appdev/refs/api/krb5_realm_compare","appdev/refs/api/krb5_c_encrypt_iov","admin/admin_commands/kprop","appdev/refs/api/krb5_cc_start_seq_get","appdev/refs/macros/KRB5_INT32_MIN","appdev/refs/api/krb5_kt_have_content","appdev/refs/types/krb5_trace_callback","appdev/refs/api/krb5_set_default_tgs_enctypes","admin/admin_commands/ktutil","appdev/refs/types/krb5_prompt","appdev/refs/api/krb5_vwrap_error_message","appdev/refs/api/krb5_copy_context","appdev/refs/api/krb5_get_init_creds_opt_init","appdev/refs/api/krb5_c_make_random_key","appdev/refs/api/krb5_free_ticket","appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY","appdev/refs/api/krb5_cc_copy_creds","admin/troubleshoot","appdev/refs/api/krb5_pac_get_types","appdev/refs/api/krb5_c_crypto_length_iov","appdev/refs/macros/ENCTYPE_DES3_CBC_ENV","appdev/refs/api/krb5_auth_con_get_checksum_func","appdev/refs/macros/KRB5_KPASSWD_SOFTERROR","appdev/refs/types/krb5_int16","appdev/refs/types/krb5_checksum","appdev/index","appdev/refs/macros/ADDRTYPE_INET6","appdev/refs/api/krb5_responder_otp_challenge_free","appdev/refs/api/krb5_kt_remove_entry","basic/keytab_def","appdev/refs/macros/krb5_princ_type","appdev/refs/macros/KRB5_PAC_DELEGATION_INFO","admin/index","appdev/refs/api/krb5_cccol_have_content","appdev/refs/api/krb5_deltat_to_string","formats/index","appdev/refs/api/krb5_auth_con_free","appdev/refs/api/krb5_set_kdc_recv_hook","appdev/refs/api/krb5_free_error","appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL","appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE","appdev/refs/api/krb5_enctype_to_name","appdev/refs/types/krb5_tkt_creds_context","appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","appdev/refs/macros/KDC_OPT_FORWARDED","basic/date_format","appdev/refs/macros/KRB5_TC_MATCH_FLAGS","appdev/refs/api/krb5_free_authenticator","appdev/refs/api/krb5_auth_con_getremotesubkey","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256","appdev/refs/api/index","appdev/refs/api/krb5_c_encrypt_length","appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO","user/user_config/k5login","appdev/refs/api/krb5_init_creds_step","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC","appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ","appdev/refs/api/krb5_expand_hostname","appdev/refs/types/krb5_cred_enc_part","appdev/refs/api/krb5_decode_ticket","appdev/refs/api/krb5_cc_default_name","appdev/refs/macros/KRB5_NT_SRV_XHST","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM","appdev/refs/api/krb5_free_data","appdev/refs/macros/ENCTYPE_MD5_RSA_CMS","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ","appdev/refs/api/krb5_c_init_state","appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3","appdev/refs/api/krb5_kt_client_default","appdev/refs/macros/KRB5_INT16_MIN","appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY","build/doing_build","appdev/refs/api/krb5_verify_init_creds_opt_init","appdev/refs/api/krb5_cc_lock","appdev/refs/api/krb5_kt_close","appdev/refs/api/krb5_kt_default_name","admin/otp","appdev/refs/macros/TKT_FLG_MAY_POSTDATE","appdev/refs/api/krb5_auth_con_getlocalsubkey","appdev/refs/api/krb5_prepend_error_message","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE","appdev/refs/macros/KDC_OPT_VALIDATE","appdev/refs/api/krb5_rd_priv","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM","appdev/refs/api/krb5_524_conv_principal","appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO","appdev/refs/macros/KRB5_PADATA_FX_COOKIE","appdev/refs/types/krb5_pa_server_referral_data","appdev/refs/types/krb5_cccol_cursor","appdev/refs/api/krb5_decrypt","plugindev/kadm5_hook","appdev/refs/api/krb5_get_in_tkt_with_password","appdev/refs/macros/KRB5_PADATA_FX_ERROR","plugindev/locate","appdev/refs/api/krb5_anonymous_principal","admin/install","appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags","appdev/refs/api/krb5_copy_data","appdev/refs/macros/krb5_princ_set_realm_data","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","appdev/refs/api/krb5_recvauth_version","appdev/refs/api/krb5_responder_set_answer","appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR","appdev/refs/api/krb5_cc_last_change_time","appdev/refs/macros/KRB5_ERROR","appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED","appdev/refs/api/krb5_set_error_message","appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK","appdev/refs/api/krb5_responder_get_challenge","appdev/refs/api/krb5_cc_end_seq_get","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA","appdev/refs/api/krb5_init_creds_get_creds","appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC","appdev/refs/api/krb5_c_verify_checksum_iov","admin/enctypes","appdev/refs/api/krb5_kt_resolve","appdev/refs/macros/KRB5_CYBERSAFE_SECUREID","appdev/refs/api/krb5_k_create_key","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM","appdev/refs/api/krb5_rd_cred","appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED","appdev/refs/api/krb5_auth_con_genaddrs","appdev/refs/api/krb5_cccol_last_change_time","appdev/refs/api/krb5_pac_verify","appdev/refs/types/krb5_ap_req","appdev/refs/macros/KRB5_NT_SRV_HST","appdev/refs/api/krb5_encrypt","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","appdev/refs/macros/KRB5_PADATA_PKINIT_KX","appdev/refs/api/krb5_free_string","appdev/refs/api/krb5_principal_compare","appdev/refs/api/krb5_auth_con_getflags","appdev/refs/api/krb5_mk_priv","appdev/refs/macros/KRB5_TC_OPENCLOSE","appdev/refs/api/krb5_responder_pkinit_challenge_free","appdev/refs/macros/ADDRTYPE_XNS","appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE","appdev/refs/api/krb5_auth_con_set_req_cksumtype","admin/env_variables","appdev/refs/api/krb5_encode_authdata_container","admin/https","appdev/refs/api/krb5_free_keytab_entry_contents","appdev/refs/api/krb5_free_host_realm","appdev/refs/types/krb5_expire_callback_func","appdev/refs/api/krb5_get_time_offsets","appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize","appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED","appdev/refs/api/krb5_verify_checksum","appdev/refs/macros/SALT_TYPE_AFS_LENGTH","appdev/refs/macros/KRB5_KPASSWD_AUTHERROR","appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET","appdev/refs/api/krb5_responder_pkinit_set_answer","appdev/refs/api/krb5_address_order","appdev/refs/macros/KRB5_PADATA_NONE","appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC","appdev/refs/macros/AP_OPTS_RESERVED","appdev/refs/api/krb5_decode_authdata_container","appdev/refs/api/krb5_get_host_realm","appdev/refs/api/krb5_kt_dup","appdev/refs/macros/krb5_princ_set_realm","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP","appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH","appdev/refs/macros/KDC_OPT_CANONICALIZE","appdev/refs/api/krb5_c_random_to_key","appdev/refs/types/krb5_authdatatype","appdev/refs/api/krb5_c_free_state","appdev/refs/macros/CKSUMTYPE_CRC32","formats/keytab_file_format","appdev/refs/macros/KRB5_PADATA_SESAME","appdev/refs/types/krb5_pa_svr_referral_data","appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","appdev/refs/api/krb5_get_credentials_renew","appdev/refs/api/krb5_get_default_realm","appdev/refs/types/krb5_ticket","appdev/refs/api/krb5_c_make_checksum_iov","appdev/refs/macros/KRB5_NT_WELLKNOWN","appdev/refs/api/krb5_auth_con_getremoteseqnumber","appdev/refs/macros/TKT_FLG_PRE_AUTH","appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX","appdev/refs/macros/KDC_OPT_RENEW","appdev/refs/api/krb5_init_keyblock","appdev/refs/types/krb5_keyusage","appdev/refs/api/krb5_fwd_tgt_creds","appdev/refs/types/krb5_responder_pkinit_challenge","appdev/refs/api/krb5_free_tgt_creds","admin/auth_indicator","appdev/refs/api/krb5_auth_con_setrecvsubkey","formats/ccache_file_format","appdev/refs/types/krb5_enc_kdc_rep_part","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS","appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT","plugindev/index","appdev/refs/api/krb5_kt_free_entry","mitK5license","appdev/refs/api/krb5_vset_error_message","appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD","appdev/refs/macros/TKT_FLG_RENEWABLE","appdev/refs/api/krb5_get_profile","appdev/refs/macros/TKT_FLG_FORWARDABLE","appdev/refs/types/krb5_cred","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC","appdev/refs/macros/krb524_init_ets","appdev/refs/types/krb5_ccache","appdev/refs/api/krb5_cccol_unlock","appdev/refs/api/krb5_responder_list_questions","appdev/refs/api/krb5_cccol_cursor_free","appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_set_default_realm","appdev/refs/api/krb5_524_convert_creds","appdev/refs/api/krb5_c_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART","appdev/refs/api/krb5_free_checksum","appdev/refs/api/krb5_c_derive_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","appdev/refs/macros/TKT_FLG_INITIAL","appdev/refs/api/krb5_cc_switch","appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM","appdev/refs/macros/TKT_FLG_INVALID","appdev/refs/macros/ENCTYPE_DES_CBC_MD4","appdev/refs/macros/ENCTYPE_DES_CBC_MD5","appdev/refs/api/krb5_init_creds_init","appdev/refs/api/krb5_c_is_keyed_cksum","appdev/refs/api/krb5_k_key_keyblock","appdev/refs/types/krb5_authdata","user/user_commands/index","appdev/refs/api/krb5_change_password","appdev/refs/api/krb5_mk_req","appdev/refs/api/krb5_mk_rep","appdev/refs/api/krb5_c_block_size","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","appdev/refs/api/krb5_principal_compare_any_realm","appdev/refs/api/krb5_auth_con_getkey","appdev/refs/types/krb5_enc_data","appdev/refs/api/krb5_get_init_creds_opt_set_address_list","appdev/refs/api/krb5_set_trace_callback","appdev/refs/api/krb5_verify_authdata_kdc_issued","appdev/refs/api/krb5_kt_get_name","appdev/refs/macros/KRB5_TC_MATCH_TIMES","appdev/refs/types/krb5_mk_req_checksum_func","appdev/refs/api/krb5_c_random_add_entropy","appdev/refs/api/krb5_get_in_tkt_with_skey","appdev/refs/macros/KRB5_PADATA_PW_SALT","appdev/refs/macros/VALID_INT_BITS","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE","appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE","appdev/refs/macros/ADDRTYPE_INET","appdev/refs/api/krb5_mk_rep_dce","appdev/refs/api/krb5_k_verify_checksum_iov","user/user_commands/kdestroy","appdev/refs/types/krb5_cksumtype","appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ","appdev/refs/api/krb5_server_decrypt_ticket_keytab","appdev/refs/macros/KRB5_AP_REP","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2","appdev/refs/macros/VALID_UINT_BITS","appdev/refs/api/krb5_cc_select","appdev/refs/api/krb5_address_compare","appdev/refs/api/krb5_kt_add_entry","appdev/refs/macros/AD_TYPE_REGISTERED","appdev/refs/api/krb5_free_error_message","appdev/refs/macros/KDC_OPT_PROXIABLE","appdev/refs/api/krb5_address_search","appdev/refs/api/krb5_set_password","appdev/refs/api/krb5_calculate_checksum","appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING","appdev/refs/api/krb5_make_authdata_kdc_issued","appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC","appdev/refs/macros/ADDRTYPE_NETBIOS","appdev/refs/api/krb5_auth_con_getrecvsubkey_k","appdev/refs/api/krb5_get_init_creds_opt_free","appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER","appdev/refs/api/krb5_free_authdata","appdev/refs/macros/TKT_FLG_POSTDATED","appdev/refs/api/krb5_c_enctype_compare","appdev/refs/api/krb5_init_creds_set_keytab","plugindev/clpreauth","appdev/refs/macros/CKSUMTYPE_DESCBC","appdev/refs/api/krb5_kt_default","appdev/refs/macros/ENCTYPE_RSA_ENV","appdev/refs/api/krb5_init_creds_set_password","appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH","appdev/refs/api/krb5_finish_key","appdev/refs/api/krb5_pac_get_buffer","appdev/refs/api/krb5_init_creds_set_service","appdev/refs/api/krb5_get_validated_creds","admin/admin_commands/kdb5_util","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD","appdev/refs/types/krb5_principal_data","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","admin/admin_commands/index","appdev/refs/api/krb5_appdefault_string","appdev/refs/api/krb5_principal2salt","appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION","appdev/refs/macros/ADDRTYPE_IS_LOCAL","appdev/refs/api/krb5_string_to_salttype","appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP","admin/lockout","appdev/refs/api/krb5_free_cksumtypes","appdev/refs/api/krb5_find_authdata","user/user_commands/ksu","appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE","appdev/refs/macros/krb5_princ_component","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT","appdev/refs/macros/krb5_roundup","appdev/refs/macros/KRB5_GC_CACHED","appdev/refs/types/krb5_pwd_data","appdev/refs/api/krb5_c_verify_checksum","appdev/refs/macros/TKT_FLG_PROXY","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","appdev/refs/api/krb5_cc_get_flags","appdev/refs/macros/KRB5_INIT_CONTEXT_KDC","appdev/h5l_mit_apidiff","appdev/refs/api/krb5_string_to_enctype","appdev/refs/macros/KRB5_GC_NO_STORE","build/options2configure","appdev/refs/api/krb5_build_principal_ext","appdev/refs/types/krb5_boolean","plugindev/pwqual","appdev/refs/macros/KRB5_FAST_REQUIRED","appdev/refs/types/krb5_error","appdev/refs/api/krb5_auth_con_getrcache","appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED","appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE","appdev/refs/api/krb5_set_real_time","copyright","appdev/refs/api/krb5_cc_store_cred","appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","appdev/refs/types/krb5_preauthtype","appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE","appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS","appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","admin/princ_dns","appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY","appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE","admin/conf_files/index","appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED","appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM","appdev/refs/api/krb5_unparse_name_ext","appdev/refs/types/krb5_const_pointer","appdev/refs/types/krb5_flags","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","appdev/refs/api/krb5_auth_con_setsendsubkey","admin/admin_commands/kdb5_ldap_util","appdev/refs/types/krb5_const_principal","appdev/refs/api/krb5_free_checksum_contents","appdev/refs/macros/ADDRTYPE_DDP","appdev/refs/macros/KRB5_NT_SRV_INST","appdev/refs/api/krb5_unparse_name_flags","appdev/refs/types/krb5_magic","appdev/refs/api/krb5_cc_get_principal","appdev/refs/macros/KRB5_NT_X500_PRINCIPAL","admin/realm_config","appdev/refs/api/krb5_cc_support_switch","appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME","appdev/refs/types/krb5_transited","appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO","appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC","appdev/refs/types/krb5_address","appdev/refs/macros/KRB5_PVNO","appdev/refs/types/krb5_cc_cursor","appdev/refs/api/krb5_check_clockskew","appdev/refs/types/krb5_last_req_entry","admin/pkinit","appdev/refs/api/krb5_c_make_checksum","appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL","appdev/refs/api/krb5_copy_authenticator","appdev/refs/api/krb5_copy_error_message","appdev/refs/api/krb5_cc_get_full_name","appdev/refs/api/krb5_c_valid_cksumtype","appdev/refs/api/krb5_principal_compare_flags","appdev/refs/macros/KDC_OPT_RENEWABLE","appdev/refs/types/krb5_auth_context","appdev/refs/types/krb5_responder_otp_challenge","admin/conf_ldap","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128","appdev/refs/api/krb5_cccol_cursor_next","user/user_commands/sclient","appdev/refs/api/krb5_verify_init_creds","appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life","appdev/init_creds","appdev/refs/api/krb5_mk_1cred","appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA","appdev/refs/api/krb5_cc_get_config","appdev/refs/types/krb5_keyblock","appdev/refs/api/krb5_init_random_key","appdev/refs/types/krb5_responder_context","appdev/refs/macros/KRB5_PADATA_OTP_REQUEST","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128","appdev/refs/api/krb5_encrypt_size","appdev/refs/types/krb5_enctype","appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache","appdev/refs/macros/KRB5_GC_CANONICALIZE","appdev/refs/macros/KRB5_SAFE","appdev/refs/api/krb5_build_principal","appdev/refs/api/krb5_auth_con_getaddrs","appdev/refs/api/krb5_get_init_creds_opt_set_forwardable","appdev/refs/macros/KRB5_PAC_LOGON_INFO","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","user/user_commands/krb5-config","appdev/refs/macros/AP_OPTS_USE_SESSION_KEY","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2","appdev/refs/api/krb5_auth_con_setrcache","appdev/refs/types/krb5_cred_info","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM","appdev/refs/types/krb5_int32","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY","appdev/refs/api/krb5_unparse_name","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2","appdev/refs/api/krb5_c_crypto_length","appdev/refs/macros/KRB5_PADATA_REFERRAL","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT","appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE","appdev/refs/api/krb5_free_addresses","appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache","appdev/refs/api/krb5_free_unparsed_name","appdev/refs/macros/KRB5_LRQ_NONE","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD","appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS","appdev/refs/macros/KRB5_GC_FORWARDABLE","user/user_commands/klist","formats/cookie","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE","appdev/refs/api/krb5_mk_error","admin/admin_commands/kproplog","appdev/refs/macros/KRB5_TGS_NAME","appdev/refs/api/krb5_rd_req","appdev/refs/api/krb5_rd_rep","appdev/refs/macros/THREEPARAMOPEN","appdev/refs/macros/KRB5_INT32_MAX","appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail","appdev/refs/macros/KRB5_PADATA_FOR_USER","appdev/refs/macros/krb5_princ_set_realm_length","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache","mitK5features","appdev/refs/api/krb5_build_principal_va","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128","basic/index","appdev/refs/api/krb5_c_random_make_octets","appdev/refs/macros/AD_TYPE_EXTERNAL","appdev/refs/types/krb5_keytab","appdev/refs/types/krb5_response","appdev/refs/api/krb5_c_is_coll_proof_cksum","appdev/refs/macros/ENCTYPE_NULL","appdev/refs/api/krb5_get_server_rcache","appdev/refs/macros/KRB5_TC_MATCH_KTYPE","appdev/refs/macros/KRB5_GC_USER_USER","appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART","appdev/refs/api/krb5_string_to_cksumtype","appdev/refs/api/krb5_get_prompt_types","appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8","appdev/refs/macros/KRB5_PADATA_AFS3_SALT","appdev/refs/api/krb5_pac_add_buffer","appdev/refs/types/krb5_data","appdev/refs/api/krb5_enctype_to_string","appdev/refs/macros/krb5_x","appdev/refs/macros/KRB5_KPASSWD_SUCCESS","appdev/refs/api/krb5_k_make_checksum_iov","appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE","appdev/refs/api/krb5_c_string_to_key_with_params","appdev/refs/api/krb5_c_keylengths","appdev/refs/macros/TKT_FLG_FORWARDED","appdev/refs/api/krb5_get_init_creds_password","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT","plugindev/localauth","appdev/refs/api/krb5_string_to_key","appdev/refs/api/krb5_cc_next_cred","appdev/refs/api/krb5_cc_move","appdev/refs/macros/SALT_TYPE_NO_LENGTH","basic/stash_file_def","basic/ccache_def","appdev/refs/api/krb5_tkt_creds_step","appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME","appdev/refs/macros/KRB5_AUTHDATA_AND_OR","appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE","appdev/refs/api/krb5_cc_resolve","appdev/refs/api/krb5_kt_end_seq_get","appdev/refs/macros/ENCTYPE_UNKNOWN","appdev/refs/api/krb5_set_kdc_send_hook","appdev/refs/api/krb5_free_context","appdev/refs/api/krb5_auth_con_setports","appdev/refs/macros/KRB5_PADATA_FX_FAST","appdev/refs/api/krb5_copy_creds","appdev/refs/api/krb5_merge_authdata","appdev/refs/api/krb5_cc_dup","appdev/refs/types/krb5_context","appdev/refs/api/krb5_k_verify_checksum","appdev/refs/api/krb5_parse_name_flags","appdev/refs/macros/KRB5_AS_REQ","appdev/refs/macros/KRB5_AS_REP","appdev/refs/types/krb5_pa_data","appdev/refs/types/krb5_ap_rep","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ","appdev/refs/macros/KRB5_AUTHDATA_SESAME","appdev/refs/api/krb5_c_random_os_entropy","user/user_commands/kinit","appdev/refs/api/krb5_init_secure_context","appdev/refs/api/krb5_sendauth","appdev/refs/macros/KRB5_NT_PRINCIPAL","appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list","appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER","user/user_commands/kvno","appdev/refs/types/krb5_typed_data","appdev/refs/api/krb5_k_prf","appdev/refs/api/krb5_responder_pkinit_get_challenge","appdev/refs/types/krb5_init_creds_context","appdev/refs/api/krb5_c_padding_length","appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA","appdev/refs/api/krb5_auth_con_getrecvsubkey","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT","appdev/refs/macros/CKSUMTYPE_NIST_SHA","appdev/refs/api/krb5_get_fallback_host_realm","appdev/refs/api/krb5_get_in_tkt_with_keytab","appdev/refs/api/krb5_copy_checksum","appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART","appdev/refs/types/krb5_ticket_times","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL","admin/host_config","appdev/refs/macros/krb5_const","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","appdev/refs/macros/KRB5_PAC_CLIENT_INFO","appdev/refs/api/krb5_free_creds","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED","appdev/refs/api/krb5_c_decrypt","appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY","appdev/refs/api/krb5_cc_new_unique","appdev/refs/api/krb5_parse_name","appdev/refs/macros/ENCTYPE_DES3_CBC_RAW","appdev/refs/api/krb5_c_checksum_length","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","appdev/refs/types/krb5_deltat","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1","appdev/refs/macros/KRB5_REFERRAL_REALM","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD","appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM","appdev/refs/api/krb5_cc_gen_new","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT","appdev/refs/api/krb5_cccol_cursor_new","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","appdev/refs/api/krb5_cc_retrieve_cred","plugindev/hostrealm","appdev/refs/api/krb5_pac_free","admin/admin_commands/kadmind","appdev/refs/api/krb5_salttype_to_string","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","appdev/refs/api/krb5_auth_con_setaddrs","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","appdev/refs/api/krb5_recvauth","appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION","appdev/refs/api/krb5_get_credentials_validate","plugindev/ccselect","appdev/refs/api/krb5_auth_con_setrecvsubkey_k","appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK","appdev/refs/api/krb5_sname_to_principal","appdev/refs/macros/krb5_princ_size","appdev/refs/api/krb5_get_renewed_creds","appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM","appdev/refs/macros/MSEC_VAL_MASK","appdev/refs/api/krb5_get_init_creds_opt_set_proxiable","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED","appdev/refs/api/krb5_cc_get_name","appdev/refs/macros/KRB5_PRIV","appdev/refs/macros/KRB5_PADATA_TGS_REQ","appdev/refs/api/krb5_kt_get_entry","appdev/refs/api/krb5_string_to_deltat","admin/various_envs","appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL","appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","appdev/refs/api/krb5_cc_unlock","appdev/refs/types/krb5_cryptotype","appdev/refs/api/krb5_pac_init","appdev/refs/api/krb5_process_key","appdev/refs/macros/KDC_OPT_FORWARDABLE","appdev/refs/api/krb5_checksum_size","appdev/refs/api/krb5_free_principal","appdev/refs/api/krb5_copy_addresses","admin/admin_commands/k5srvutil","appdev/refs/api/krb5_get_init_creds_opt_set_anonymous","appdev/refs/api/krb5_copy_principal","appdev/refs/types/krb5_authenticator","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","appdev/refs/api/krb5_kt_read_service_key","appdev/princ_handle","appdev/refs/api/krb5_mk_ncred","appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL","appdev/refs/api/krb5_copy_keyblock_contents","appdev/refs/api/krb5_tkt_creds_get","appdev/refs/api/krb5_auth_con_getsendsubkey","appdev/refs/api/krb5_init_context_profile","appdev/refs/api/krb5_cc_close","appdev/refs/api/krb5_tkt_creds_init","appdev/refs/api/krb5_timeofday","appdev/refs/macros/krb5_xc","appdev/refs/macros/KRB5_CRED","appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt","appdev/refs/api/krb5_k_make_checksum","appdev/refs/api/krb5_auth_con_init","build/osconf","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP","user/user_config/index","appdev/refs/macros/ADDRTYPE_IPPORT","appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST","appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","appdev/refs/types/krb5_prompter_fct","appdev/refs/api/krb5_init_creds_get","appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME","appdev/refs/types/krb5_encrypt_block","appdev/refs/api/krb5_cksumtype_to_string","appdev/refs/macros/TKT_FLG_PROXIABLE","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","appdev/refs/api/krb5_k_decrypt_iov","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","appdev/refs/api/krb5_init_creds_get_times","user/index","appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT","plugindev/gssapi","appdev/refs/api/krb5_pac_sign","appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES","appdev/refs/types/krb5_pa_pac_req","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP","appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD","appdev/refs/types/krb5_responder_pkinit_identity","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","appdev/refs/types/krb5_error_code","appdev/refs/api/krb5_auth_con_setsendsubkey_k","appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV","about","appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM","appdev/refs/macros/ADDRTYPE_ADDRPORT","appdev/refs/macros/KRB5_TC_NOTICKET","appdev/refs/macros/AD_TYPE_RESERVED","appdev/refs/api/krb5_string_to_timestamp","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH","user/user_config/k5identity","appdev/refs/api/krb5_auth_con_set_checksum_func","appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME","appdev/refs/macros/ADDRTYPE_CHAOS","appdev/refs/api/krb5_get_init_creds_opt_set_responder","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE","appdev/refs/api/krb5_is_referral_realm","appdev/refs/types/krb5_kt_cursor","appdev/refs/api/krb5_c_decrypt_iov","admin/install_clients","appdev/refs/types/krb5_creds","admin/appl_servers","appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL","appdev/refs/api/krb5_get_init_creds_opt_set_salt","appdev/refs/macros/KRB5_TGS_NAME_SIZE","appdev/refs/api/krb5_get_init_creds_opt_set_renew_life","appdev/refs/macros/krb5_princ_realm","appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION","appdev/refs/api/krb5_free_cred_contents","appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES","appdev/refs/api/krb5_kt_next_entry","appdev/refs/macros/ENCTYPE_DES_CBC_RAW","appdev/refs/macros/KRB5_PADATA_S4U_X509_USER","appdev/refs/macros/KRB5_INT16_MAX","appdev/refs/types/krb5_rcache","appdev/refs/macros/KDC_OPT_POSTDATED","appdev/refs/types/krb5_ui_4","appdev/refs/types/krb5_ui_2","appdev/refs/api/krb5_vprepend_error_message","admin/conf_files/krb5_conf","appdev/refs/macros/KRB5_NT_UNKNOWN","admin/admin_commands/sserver","plugindev/profile","appdev/refs/macros/KRB5_NT_SMTP_NAME","appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags","appdev/refs/api/krb5_cc_set_default_name","appdev/refs/api/krb5_eblock_enctype","appdev/refs/api/krb5_k_encrypt_iov","appdev/refs/api/krb5_rd_safe","appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED","appdev/refs/api/krb5_cc_initialize","appdev/refs/macros/KDC_TKT_COMMON_MASK","appdev/refs/api/krb5_c_prf_length","appdev/refs/types/krb5_enc_tkt_part","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name","appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS","appdev/refs/types/krb5_get_init_creds_opt","appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_set_answer","appdev/refs/api/krb5_mk_safe","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","appdev/refs/api/krb5_kt_get_type","build/directory_org","appdev/refs/types/krb5_tkt_authent","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","appdev/refs/api/krb5_c_encrypt","appdev/refs/api/krb5_get_init_creds_keytab","appdev/refs/api/krb5_free_data_contents","appdev/refs/types/krb5_kvno","appdev/refs/macros/KDC_OPT_PROXY","appdev/refs/api/krb5_k_free_key","appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID","appdev/refs/types/krb5_keytab_entry","appdev/refs/api/krb5_prompter_posix","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD","plugindev/kdcpreauth","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL","appdev/refs/api/krb5_us_timeofday","appdev/refs/api/krb5_set_trace_filename","appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART","admin/advanced/ldapbackend","appdev/refs/api/krb5_finish_random_key","appdev/refs/types/krb5_post_recv_fn","appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL","appdev/refs/api/krb5_cc_destroy","appdev/refs/api/krb5_tkt_creds_get_creds","appdev/refs/macros/KDC_OPT_RENEWABLE_OK","appdev/refs/api/krb5_init_context","appdev/refs/api/krb5_kuserok","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","appdev/refs/types/krb5_addrtype","appdev/refs/macros/TKT_FLG_HW_AUTH","appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS","appdev/refs/api/krb5_k_key_enctype","appdev/refs/api/krb5_auth_con_initivector","appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY","appdev/refs/api/krb5_c_valid_enctype","appdev/refs/api/krb5_auth_con_getauthenticator","appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128","appdev/refs/api/krb5_timestamp_to_sfstring","appdev/refs/api/krb5_os_localaddr","appdev/refs/api/krb5_c_prf","appdev/refs/api/krb5_build_principal_alloc_va","appdev/refs/types/krb5_gic_opt_pa_data","appdev/refs/api/krb5_timestamp_to_string","appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC","appdev/refs/api/krb5_set_principal_realm","appdev/refs/api/krb5_free_ap_rep_enc_part","appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR","appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM","plugindev/internal","appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD","appdev/refs/api/krb5_copy_authdata","appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK","appdev/refs/types/passwd_phrase_element","appdev/refs/api/krb5_set_password_using_ccache","appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO","appdev/refs/macros/MSEC_DIRBIT","appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192","admin/install_kdc","appdev/refs/api/krb5_use_enctype","appdev/refs/types/krb5_responder_otp_tokeninfo","appdev/refs/types/krb5_prompt_type","appdev/refs/macros/ENCTYPE_RC2_CBC_ENV","appdev/refs/types/krb5_principal","appdev/refs/api/krb5_pac_parse","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","appdev/refs/api/krb5_rd_error","appdev/refs/types/krb5_ap_rep_enc_part","appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD","appdev/refs/macros/krb5_princ_name","appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback","appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR","appdev/refs/types/krb5_timestamp","appdev/refs/api/krb5_random_key","appdev/refs/api/krb5_init_creds_free","appdev/refs/api/krb5_is_thread_safe","appdev/refs/macros/ENCTYPE_DES_CBC_CRC","appdev/refs/api/krb5_read_password","appdev/refs/api/krb5_auth_con_getkey_k","appdev/refs/api/krb5_cc_set_flags","appdev/refs/api/krb5_rd_rep_dce","user/user_commands/kswitch","appdev/refs/types/krb5_responder_fn","appdev/refs/api/krb5_allow_weak_crypto","appdev/refs/api/krb5_auth_con_getsendsubkey_k","appdev/refs/api/krb5_c_random_seed","appdev/refs/types/krb5_octet","appdev/refs/types/krb5_crypto_iov","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW"],titles:["KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","krb5_mk_req_extended -  Create a KRB_AP_REQ message using supplied credentials.","krb5 simple macros","krb5_cc_get_type -  Retrieve the type of a credential cache.","General plugin concepts","KRB5_AUTH_CONTEXT_DO_TIME","krb5_verify_init_creds_opt","TKT_FLG_ENC_PA_REP","TKT_FLG_ANONYMOUS","krb5_clear_error_message -  Clear the extended error message in a context.","kdc.conf","krb5_auth_con_setuseruserkey -  Set the session key in an auth context.","krb5_425_conv_principal -  Convert a Kerberos V4 principal to a Kerberos V5 principal.","KRB5_TC_MATCH_AUTHDATA","KRB5_ANONYMOUS_PRINCSTR","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","KRB5_AUTH_CONTEXT_RET_SEQUENCE","Developing with GSSAPI","krb5_sname_match -  Test whether a principal matches a matching principal.","KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","KRB5_AUTHDATA_MANDATORY_FOR_KDC","AP_OPTS_WIRE_MASK","krb5_free_enctypes -  Free an array of encryption types.","Resources","KRB5_PADATA_PAC_REQUEST","kpasswd","Building Kerberos V5","replay cache","MIT Kerberos defaults","krb5_replay_data","krb5_get_credentials -  Get an additional ticket.","krb5_trace_info","kadm5.acl","KRB5_PADATA_ETYPE_INFO","krb5_kdc_req","krb5_kdc_rep","krb5 types and structures","krb5_get_init_creds_opt_set_pac_request -  Ask the KDC to include or not include a PAC in the ticket.","krb5_wrap_error_message -  Add a prefix to a different error code&#8217;s message.","krb5_k_decrypt -  Decrypt data using a key (operates on opaque key).","krb5_kt_start_seq_get -  Start a sequential retrieval of key table entries.","KRB5_AUTHDATA_KDC_ISSUED","KRB5_AUTHDATA_CAMMAC","KRB5_PADATA_OSF_DCE","Database administration","krb5kdc","AP_OPTS_USE_SUBKEY","krb5_responder_otp_get_challenge -  Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.","KRB5_LRQ_ONE_PW_EXPTIME","krb5_anonymous_realm -  Return an anonymous realm data.","CKSUMTYPE_HMAC_SHA384_192_AES256","krb5_get_error_message -  Get the (possibly extended) error message for a code.","ENCTYPE_AES256_CTS_HMAC_SHA1_96","KRB5_PADATA_PK_AS_REP","krb5_pac","krb5_get_init_creds_opt_set_etype_list -  Set allowable encryption types in initial credential options.","Backups of secure hosts","KRB5_AP_REQ","KRB5_KPASSWD_MALFORMED","krb5_pre_send_fn","krb5_pointer","MIT Kerberos Documentation (1.15.1)","krb5_tkt_creds_free -  Free a TGS request context.","kpropd","CKSUMTYPE_HMAC_MD5_ARCFOUR","krb5_cc_remove_cred -  Remove credentials from a credential cache.","KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","KRB5_NT_UID","KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","krb5_c_string_to_key -  Convert a string (such a password) to a key.","kadmin","krb5_is_config_principal -  Test whether a principal is a configuration principal.","krb5_c_fx_cf2_simple -  Compute the KRB-FX-CF2 combination of two keys and pepper strings.","Retiring DES","krb5_init_creds_get_error -  Get the last error from KDC from an initial credentials context.","KRB5_TGS_REP","KRB5_TGS_REQ","krb5_cc_set_config -  Store a configuration value in a credential cache.","krb5_key","KRB5_REALM_BRANCH_CHAR","KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","krb5_get_init_creds_opt_set_pa -  Supply options for preauthentication in initial credential options.","KRB5_KPASSWD_HARDERROR","KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","ENCTYPE_DES_HMAC_SHA1","krb5_auth_con_getlocalseqnumber -  Retrieve the local sequence number from an auth context.","KRB5_WELLKNOWN_NAMESTR","KRB5_AUTHDATA_FX_ARMOR","krb5_cc_cache_match -  Find a credential cache with a specified client principal.","krb5_free_keyblock_contents -  Free the contents of a krb5_keyblock structure.","krb524_convert_creds_kdc","krb5_c_keyed_checksum_types -  Return a list of keyed checksum types usable with an encryption type.","CKSUMTYPE_RSA_MD4","CKSUMTYPE_RSA_MD5","krb5_free_keyblock -  Free a krb5_keyblock structure.","Advanced topics","CKSUMTYPE_HMAC_SHA1_96_AES256","KRB5_KPASSWD_BAD_VERSION","Complete reference - API and datatypes","KRB5_KEYUSAGE_AD_MTE","UNIX Application Servers","krb5_msgtype","krb5_copy_ticket -  Copy a krb5_ticket structure.","krb5_k_reference_key -  Increment the reference count on a key.","Ticket management","krb5_get_permitted_enctypes -  Return a list of encryption types permitted for session keys.","ADDRTYPE_ISO","krb5_get_init_creds_opt_alloc -  Allocate a new initial credential options structure.","krb5_unparse_name_flags_ext -  Convert krb5_principal structure to string format with flags.","MAX_KEYTAB_NAME_LEN","krb5_chpw_message -  Get a result message for changing or setting a password.","krb5_copy_keyblock -  Copy a keyblock.","krb5_cccol_lock -  Acquire a global lock for credential caches.","KRB5_PADATA_AP_REQ","krb5_k_encrypt -  Encrypt data using a key (operates on opaque key).","krb5_auth_con_setflags -  Set a flags field in a krb5_auth_context structure.","KRB5_PRINCIPAL_UNPARSE_DISPLAY","KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","KRB5_RESPONDER_QUESTION_PKINIT","Password management","krb5_free_default_realm -  Free a default realm string returned by krb5_get_default_realm() .","krb5_tkt_creds_get_times -  Retrieve ticket times from a TGS request context.","KRB5_PADATA_OTP_PIN_CHANGE","KRB5_ENCPADATA_REQ_ENC_PA_REP","krb5_appdefault_boolean -  Retrieve a boolean value from the appdefaults section of krb5.conf.","krb5_cc_default -  Resolve the default credential cache name.","How to build this documentation from the source","KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","KRB5_PRINCIPAL_UNPARSE_SHORT","krb5_aname_to_localname -  Convert a principal name to a local name.","krb5_realm_compare -  Compare the realms of two principals.","krb5_c_encrypt_iov -  Encrypt data in place supporting AEAD (operates on keyblock).","kprop","krb5_cc_start_seq_get -  Prepare to sequentially read every credential in a credential cache.","KRB5_INT32_MIN","krb5_kt_have_content -  Check if a keytab exists and contains entries.","krb5_trace_callback","krb5_set_default_tgs_enctypes -  Set default TGS encryption types in a krb5_context structure.","ktutil","krb5_prompt","krb5_vwrap_error_message -  Add a prefix to a different error code&#8217;s message using a va_list.","krb5_copy_context -  Copy a krb5_context structure.","krb5_get_init_creds_opt_init","krb5_c_make_random_key -  Generate an enctype-specific random encryption key.","krb5_free_ticket -  Free a ticket.","LR_TYPE_THIS_SERVER_ONLY","krb5_cc_copy_creds -  Copy a credential cache.","Troubleshooting","krb5_pac_get_types -  Return an array of buffer types in a PAC handle.","krb5_c_crypto_length_iov -  Fill in lengths for header, trailer and padding in a IOV array.","ENCTYPE_DES3_CBC_ENV","krb5_auth_con_get_checksum_func -  Get the checksum callback from an auth context.","KRB5_KPASSWD_SOFTERROR","krb5_int16","krb5_checksum","For application developers","ADDRTYPE_INET6","krb5_responder_otp_challenge_free -  Free the value returned by krb5_responder_otp_get_challenge() .","krb5_kt_remove_entry -  Remove an entry from a key table.","keytab","krb5_princ_type","KRB5_PAC_DELEGATION_INFO","For administrators","krb5_cccol_have_content -  Check if the credential cache collection contains any credentials.","krb5_deltat_to_string -  Convert a relative time value to a string.","Protocols and file formats","krb5_auth_con_free -  Free a krb5_auth_context structure.","krb5_set_kdc_recv_hook -  Set a KDC post-receive hook function.","krb5_free_error -  Free an error allocated by krb5_read_error() or krb5_sendauth() .","KRB5_LRQ_ONE_LAST_INITIAL","TKT_FLG_OK_AS_DELEGATE","krb5_enctype_to_name -  Convert an encryption type to a name or alias.","krb5_tkt_creds_context","KRB5_TC_MATCH_IS_SKEY","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","KDC_OPT_FORWARDED","Supported date and time formats","KRB5_TC_MATCH_FLAGS","krb5_free_authenticator -  Free a krb5_authenticator structure.","krb5_auth_con_getremotesubkey","CKSUMTYPE_CMAC_CAMELLIA256","krb5 API","krb5_c_encrypt_length -  Compute encrypted data length.","KRB5_PADATA_USE_SPECIFIED_KVNO",".k5login","krb5_init_creds_step -  Get the next KDC request for acquiring initial credentials.","KRB5_KEYUSAGE_GSS_TOK_MIC","KRB5_LRQ_ONE_LAST_REQ","krb5_expand_hostname -  Canonicalize a hostname, possibly using name service.","krb5_cred_enc_part","krb5_decode_ticket -  Decode an ASN.1-formatted ticket.","krb5_cc_default_name -  Return the name of the default credential cache.","KRB5_NT_SRV_XHST","KRB5_KEYUSAGE_FAST_REQ_CHKSUM","krb5_free_data -  Free a krb5_data structure.","ENCTYPE_MD5_RSA_CMS","KRB5_KEYUSAGE_AS_REQ","krb5_c_init_state -  Initialize a new cipher state.","KDC_OPT_CNAME_IN_ADDL_TKT","CKSUMTYPE_HMAC_SHA1_DES3","krb5_kt_client_default -  Resolve the default client key table.","KRB5_INT16_MIN","KDC_OPT_ENC_TKT_IN_SKEY","Doing the build","krb5_verify_init_creds_opt_init -  Initialize a credential verification options structure.","krb5_cc_lock -  Lock a credential cache.","krb5_kt_close -  Close a key table handle.","krb5_kt_default_name -  Get the default key table name.","OTP Preauthentication","TKT_FLG_MAY_POSTDATE","krb5_auth_con_getlocalsubkey","krb5_prepend_error_message -  Add a prefix to the message for an error code.","KRB5_PRINCIPAL_UNPARSE_NO_REALM","KRB5_KEYUSAGE_PA_SAM_RESPONSE","KDC_OPT_VALIDATE","krb5_rd_priv -  Process a KRB-PRIV message.","KRB5_PRINCIPAL_PARSE_NO_REALM","krb5_524_conv_principal -  Convert a Kerberos V5 principal to a Kerberos V4 principal.","KRB5_PADATA_SVR_REFERRAL_INFO","KRB5_PADATA_FX_COOKIE","krb5_pa_server_referral_data","krb5_cccol_cursor","krb5_decrypt","KADM5 hook interface (kadm5_hook)","krb5_get_in_tkt_with_password","KRB5_PADATA_FX_ERROR","Server location interface (locate)","krb5_anonymous_principal -  Build an anonymous principal.","Installation guide","krb5_get_init_creds_opt_set_fast_flags -  Set FAST flags in initial credential options.","krb5_copy_data -  Copy a krb5_data object.","krb5_princ_set_realm_data","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","krb5_recvauth_version -  Server function for sendauth protocol with version parameter.","krb5_responder_set_answer -  Answer a named question in the responder context.","CKSUMTYPE_MD5_HMAC_ARCFOUR","krb5_cc_last_change_time -  Return a timestamp of the last modification to a credential cache.","KRB5_ERROR","KRB5_KPASSWD_INITIAL_FLAG_NEEDED","krb5_set_error_message -  Set an extended error message for an error code.","KRB5_GC_NO_TRANSIT_CHECK","krb5_responder_get_challenge -  Retrieve the challenge data for a given question in the responder context.","krb5_cc_end_seq_get -  Finish a series of sequential processing credential cache entries.","ENCTYPE_DES3_CBC_SHA","krb5_init_creds_get_creds -  Retrieve acquired credentials from an initial credentials context.","ENCTYPE_CAMELLIA128_CTS_CMAC","krb5_c_verify_checksum_iov -  Validate a checksum element in IOV array (operates on keyblock).","Encryption types","krb5_kt_resolve -  Get a handle for a key table.","KRB5_CYBERSAFE_SECUREID","krb5_k_create_key -  Create a krb5_key from the enctype and key data in a keyblock.","KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","KRB5_CRYPTO_TYPE_CHECKSUM","krb5_rd_cred -  Read and validate a KRB-CRED message.","KRB5_KEYUSAGE_FAST_FINISHED","krb5_auth_con_genaddrs -  Generate auth context addresses from a connected socket.","krb5_cccol_last_change_time -  Return a timestamp of the last modification of any known credential cache.","krb5_pac_verify -  Verify a PAC.","krb5_ap_req","KRB5_NT_SRV_HST","krb5_encrypt","KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","KRB5_PADATA_PKINIT_KX","krb5_free_string -  Free a string allocated by a krb5 function.","krb5_principal_compare -  Compare two principals.","krb5_auth_con_getflags -  Retrieve flags from a krb5_auth_context structure.","krb5_mk_priv -  Format a KRB-PRIV message.","KRB5_TC_OPENCLOSE","krb5_responder_pkinit_challenge_free -  Free the value returned by krb5_responder_pkinit_get_challenge() .","ADDRTYPE_XNS","KRB5_PADATA_OTP_CHALLENGE","krb5_auth_con_set_req_cksumtype -  Set checksum type in an an auth context.","Environment variables","krb5_encode_authdata_container -  Wrap authorization data in a container.","HTTPS proxy configuration","krb5_free_keytab_entry_contents -  Free the contents of a key table entry.","krb5_free_host_realm -  Free the memory allocated by krb5_get_host_realm() .","krb5_expire_callback_func","krb5_get_time_offsets -  Return the time offsets from the os context.","krb5_get_init_creds_opt_set_canonicalize -  Set or unset the canonicalize flag in initial credential options.","KRB5_KPASSWD_ACCESSDENIED","krb5_verify_checksum","SALT_TYPE_AFS_LENGTH","KRB5_KPASSWD_AUTHERROR","KRB5_AUTHDATA_SIGNTICKET","krb5_responder_pkinit_set_answer -  Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.","krb5_address_order -  Return an ordering of the specified addresses.","KRB5_PADATA_NONE","KRB5_KEYUSAGE_FAST_ENC","AP_OPTS_RESERVED","krb5_decode_authdata_container -  Unwrap authorization data.","krb5_get_host_realm -  Get the Kerberos realm names for a host.","krb5_kt_dup -  Duplicate keytab handle.","krb5_princ_set_realm","ENCTYPE_ARCFOUR_HMAC_EXP","KRB5_PROMPT_TYPE_PREAUTH","KDC_OPT_CANONICALIZE","krb5_c_random_to_key -  Generate an enctype-specific key from random data.","krb5_authdatatype","krb5_c_free_state -  Free a cipher state previously allocated by krb5_c_init_state() .","CKSUMTYPE_CRC32","Keytab file format","KRB5_PADATA_SESAME","krb5_pa_svr_referral_data","CKSUMTYPE_RSA_MD5_DES","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","krb5_get_credentials_renew","krb5_get_default_realm -  Retrieve the default realm.","krb5_ticket","krb5_c_make_checksum_iov -  Fill in a checksum element in IOV array (operates on keyblock)","KRB5_NT_WELLKNOWN","krb5_auth_con_getremoteseqnumber -  Retrieve the remote sequence number from an auth context.","TKT_FLG_PRE_AUTH","KRB5_KEYUSAGE_PA_PKINIT_KX","KDC_OPT_RENEW","krb5_init_keyblock -  Initialize an empty krb5_keyblock .","krb5_keyusage","krb5_fwd_tgt_creds -  Get a forwarded TGT and format a KRB-CRED message.","krb5_responder_pkinit_challenge","krb5_free_tgt_creds -  Free an array of credential structures.","Authentication indicators","krb5_auth_con_setrecvsubkey -  Set the receiving subkey in an auth context with a keyblock.","Credential cache file format","krb5_enc_kdc_rep_part","KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","ENCTYPE_DSA_SHA1_CMS","KRB5_TC_MATCH_2ND_TKT","For plugin module developers","krb5_kt_free_entry","MIT Kerberos License information","krb5_vset_error_message -  Set an extended error message for an error code using a va_list.","KRB5_PADATA_PK_AS_REP_OLD","TKT_FLG_RENEWABLE","krb5_get_profile -  Retrieve configuration profile from the context.","TKT_FLG_FORWARDABLE","krb5_cred","ENCTYPE_ARCFOUR_HMAC","krb524_init_ets","krb5_ccache","krb5_cccol_unlock -  Release a global lock for credential caches.","krb5_responder_list_questions -  List the question names contained in the responder context.","krb5_cccol_cursor_free -  Free a credential cache collection cursor.","KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","krb5_set_default_realm -  Override the default realm for the specified context.","krb5_524_convert_creds -  Convert a Kerberos V5 credentials to a Kerberos V4 credentials.","krb5_c_prfplus -  Generate pseudo-random bytes using RFC 6113 PRF+.","KRB5_KEYUSAGE_AS_REP_ENCPART","krb5_free_checksum -  Free a krb5_checksum structure.","krb5_c_derive_prfplus -  Derive a key using some input data (via RFC 6113 PRF+).","KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","TKT_FLG_INITIAL","krb5_cc_switch -  Make a credential cache the primary cache for its collection.","KRB5_PAC_PRIVSVR_CHECKSUM","TKT_FLG_INVALID","ENCTYPE_DES_CBC_MD4","ENCTYPE_DES_CBC_MD5","krb5_init_creds_init -  Create a context for acquiring initial credentials.","krb5_c_is_keyed_cksum -  Test whether a checksum type is keyed.","krb5_k_key_keyblock -  Retrieve a copy of the keyblock from a krb5_key structure.","krb5_authdata","User commands","krb5_change_password -  Change a password for an existing Kerberos account.","krb5_mk_req -  Create a KRB_AP_REQ message.","krb5_mk_rep -  Format and encrypt a KRB_AP_REP message.","krb5_c_block_size -  Return cipher block size.","KRB5_KEYUSAGE_AP_REQ_AUTH","KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","krb5_principal_compare_any_realm -  Compare two principals ignoring realm components.","krb5_auth_con_getkey -  Retrieve the session key from an auth context as a keyblock.","krb5_enc_data","krb5_get_init_creds_opt_set_address_list -  Set address restrictions in initial credential options.","krb5_set_trace_callback -  Specify a callback function for trace events.","krb5_verify_authdata_kdc_issued -  Unwrap and verify AD-KDCIssued authorization data.","krb5_kt_get_name -  Get a key table name.","KRB5_TC_MATCH_TIMES","krb5_mk_req_checksum_func","krb5_c_random_add_entropy -  Add entropy to the pseudo-random number generator.","krb5_get_in_tkt_with_skey","KRB5_PADATA_PW_SALT","VALID_INT_BITS","KRB5_PRINCIPAL_COMPARE_ENTERPRISE","KRB5_INIT_CONTEXT_SECURE","ADDRTYPE_INET","krb5_mk_rep_dce -  Format and encrypt a KRB_AP_REP message for DCE RPC.","krb5_k_verify_checksum_iov -  Validate a checksum element in IOV array (operates on opaque key).","kdestroy","krb5_cksumtype","KRB5_LRQ_ALL_LAST_REQ","krb5_server_decrypt_ticket_keytab -  Decrypt a ticket using the specified key table.","KRB5_AP_REP","KRB5_PADATA_SAM_CHALLENGE_2","VALID_UINT_BITS","krb5_cc_select -  Select a credential cache to use with a server principal.","krb5_address_compare -  Compare two Kerberos addresses.","krb5_kt_add_entry -  Add a new entry to a key table.","AD_TYPE_REGISTERED","krb5_free_error_message -  Free an error message generated by krb5_get_error_message() .","KDC_OPT_PROXIABLE","krb5_address_search -  Search a list of addresses for a specified address.","krb5_set_password -  Set a password for a principal using specified credentials.","krb5_calculate_checksum","KRB5_CRYPTO_TYPE_PADDING","krb5_make_authdata_kdc_issued -  Encode and sign AD-KDCIssued authorization data.","ENCTYPE_CAMELLIA256_CTS_CMAC","ADDRTYPE_NETBIOS","krb5_auth_con_getrecvsubkey_k -  Retrieve the receiving subkey from an auth context as a keyblock.","krb5_get_init_creds_opt_free -  Free initial credential options.","KRB5_CRYPTO_TYPE_TRAILER","krb5_free_authdata -  Free the storage assigned to array of authentication data.","TKT_FLG_POSTDATED","krb5_c_enctype_compare -  Compare two encryption types.","krb5_init_creds_set_keytab -  Specify a keytab to use for acquiring initial credentials.","Client preauthentication interface (clpreauth)","CKSUMTYPE_DESCBC","krb5_kt_default -  Resolve the default key table.","ENCTYPE_RSA_ENV","krb5_init_creds_set_password -  Set a password for acquiring initial credentials.","KRB5_KEYUSAGE_AD_SIGNEDPATH","krb5_finish_key","krb5_pac_get_buffer -  Retrieve a buffer value from a PAC.","krb5_init_creds_set_service -  Specify a service principal for acquiring initial credentials.","krb5_get_validated_creds -  Get validated credentials from the KDC.","kdb5_util","KRB5_PRINCIPAL_COMPARE_CASEFOLD","krb5_principal_data","KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","Administration  programs","krb5_appdefault_string -  Retrieve a string value from the appdefaults section of krb5.conf.","krb5_principal2salt -  Convert a principal name into the default salt for that principal.","KRB5_GC_CONSTRAINED_DELEGATION","ADDRTYPE_IS_LOCAL","krb5_string_to_salttype -  Convert a string to a salt type.","KRB5_RESPONDER_QUESTION_OTP","Account lockout","krb5_free_cksumtypes -  Free an array of checksum types.","krb5_find_authdata -  Find authorization data elements.","ksu","KRB5_PADATA_ENCRYPTED_CHALLENGE","krb5_princ_component","KRB5_LRQ_ALL_LAST_TGT","krb5_roundup","KRB5_GC_CACHED","krb5_pwd_data","krb5_c_verify_checksum -  Verify a checksum (operates on keyblock).","TKT_FLG_PROXY","KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","krb5_cc_get_flags -  Retrieve flags from a credential cache structure.","KRB5_INIT_CONTEXT_KDC","Differences between Heimdal and MIT Kerberos API","krb5_string_to_enctype -  Convert a string to an encryption type.","KRB5_GC_NO_STORE","Options to <em>configure</em>","krb5_build_principal_ext -  Build a principal name using length-counted strings.","krb5_boolean","Password quality interface (pwqual)","KRB5_FAST_REQUIRED","krb5_error","krb5_auth_con_getrcache -  Retrieve the replay cache from an auth context.","TKT_FLG_TRANSIT_POLICY_CHECKED","KRB5_KEYUSAGE_AD_ITE","krb5_set_real_time -  Set time offset field in a krb5_context structure.","Copyright","krb5_cc_store_cred -  Store credentials in a credential cache.","KDC_OPT_ALLOW_POSTDATE","KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","krb5_preauthtype","KRB5_AUTHDATA_ETYPE_NEGOTIATION","KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","KRB5_PRINCIPAL_PARSE_ENTERPRISE","KDC_OPT_REQUEST_ANONYMOUS","KRB5_AUTHDATA_IF_RELEVANT","KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","Principal names and DNS","KRB5_CRYPTO_TYPE_SIGN_ONLY","KRB5_KEYUSAGE_PA_FX_COOKIE","Configuration Files","KRB5_KEYUSAGE_IAKERB_FINISHED","KRB5_CRYPTO_TYPE_STREAM","krb5_unparse_name_ext -  Convert krb5_principal structure to string and length.","krb5_const_pointer","krb5_flags","KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","krb5_auth_con_setsendsubkey -  Set the send subkey in an auth context with a keyblock.","kdb5_ldap_util","krb5_const_principal","krb5_free_checksum_contents -  Free the contents of a krb5_checksum structure.","ADDRTYPE_DDP","KRB5_NT_SRV_INST","krb5_unparse_name_flags -  Convert krb5_principal structure to a string with flags.","krb5_magic","krb5_cc_get_principal -  Get the default principal of a credential cache.","KRB5_NT_X500_PRINCIPAL","Realm configuration decisions","krb5_cc_support_switch -  Determine whether a credential cache type supports switching.","KRB5_PADATA_ENC_UNIX_TIME","krb5_transited","KRB5_PAC_CREDENTIALS_INFO","KRB5_AUTHDATA_WIN2K_PAC","krb5_address","KRB5_PVNO","krb5_cc_cursor","krb5_check_clockskew -  Check if a timestamp is within the allowed clock skew of the current time.","krb5_last_req_entry","PKINIT configuration","krb5_c_make_checksum -  Compute a checksum (operates on keyblock).","KRB5_LRQ_ALL_LAST_RENEWAL","krb5_copy_authenticator -  Copy a krb5_authenticator structure.","krb5_copy_error_message -  Copy the most recent extended error message from one context to another.","krb5_cc_get_full_name -  Retrieve the full name of a credential cache.","krb5_c_valid_cksumtype -  Verify that specified checksum type is a valid Kerberos checksum type.","krb5_principal_compare_flags -  Compare two principals with additional flags.","KDC_OPT_RENEWABLE","krb5_auth_context","krb5_responder_otp_challenge","Configuring Kerberos with OpenLDAP back-end","CKSUMTYPE_CMAC_CAMELLIA128","krb5_cccol_cursor_next -  Get the next credential cache in the collection.","sclient","krb5_verify_init_creds -  Verify initial credentials against a keytab.","krb5_get_init_creds_opt_set_tkt_life -  Set the ticket lifetime in initial credential options.","Initial credentials","krb5_mk_1cred -  Format a KRB-CRED message for a single set of credentials.","KRB5_PADATA_GET_FROM_TYPED_DATA","krb5_cc_get_config -  Get a configuration value from a credential cache.","krb5_keyblock","krb5_init_random_key","krb5_responder_context","KRB5_PADATA_OTP_REQUEST","ENCTYPE_AES128_CTS_HMAC_SHA256_128","krb5_encrypt_size","krb5_enctype","krb5_get_init_creds_opt_set_out_ccache -  Set an output credential cache in initial credential options.","KRB5_GC_CANONICALIZE","KRB5_SAFE","krb5_build_principal -  Build a principal name using null-terminated strings.","krb5_auth_con_getaddrs -  Retrieve address fields from an auth context.","krb5_get_init_creds_opt_set_forwardable -  Set or unset the forwardable flag in initial credential options.","KRB5_PAC_LOGON_INFO","KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","krb5-config","AP_OPTS_USE_SESSION_KEY","KRB5_PADATA_SAM_RESPONSE_2","krb5_auth_con_setrcache -  Set the replay cache in an auth context.","krb5_cred_info","KRB5_KEYUSAGE_APP_DATA_CKSUM","krb5_int32","KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","KRB5_CRYPTO_TYPE_EMPTY","krb5_unparse_name -  Convert a krb5_principal structure to a string representation.","KRB5_PADATA_ETYPE_INFO2","krb5_c_crypto_length -  Return a length of a message field specific to the encryption type.","KRB5_PADATA_REFERRAL","KRB5_LRQ_ONE_LAST_TGT","KRB5_AUTHDATA_OSF_DCE","krb5_free_addresses -  Free the data stored in array of addresses.","krb5_get_init_creds_opt_set_in_ccache -  Set an input credential cache in initial credential options.","krb5_free_unparsed_name -  Free a string representation of a principal.","KRB5_LRQ_NONE","KRB5_RESPONDER_QUESTION_PASSWORD","ENCTYPE_SHA1_RSA_CMS","KRB5_GC_FORWARDABLE","klist","KDC cookie format","KRB5_PADATA_SAM_CHALLENGE","krb5_mk_error -  Format and encode a KRB_ERROR message.","kproplog","KRB5_TGS_NAME","krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.","krb5_rd_rep -  Parse and decrypt a KRB_AP_REP message.","THREEPARAMOPEN","KRB5_INT32_MAX","krb5_verify_init_creds_opt_set_ap_req_nofail -  Set whether credential verification is required.","KRB5_PADATA_FOR_USER","krb5_princ_set_realm_length","krb5_get_init_creds_opt_set_fast_ccache -  Set FAST armor cache in initial credential options.","MIT Kerberos features","krb5_build_principal_va","CKSUMTYPE_HMAC_SHA1_96_AES128","Kerberos V5 concepts","krb5_c_random_make_octets -  Generate pseudo-random bytes.","AD_TYPE_EXTERNAL","krb5_keytab","krb5_response","krb5_c_is_coll_proof_cksum -  Test whether a checksum type is collision-proof.","ENCTYPE_NULL","krb5_get_server_rcache -  Generate a replay cache object for server use and open it.","KRB5_TC_MATCH_KTYPE","KRB5_GC_USER_USER","KRB5_KEYUSAGE_AP_REP_ENCPART","krb5_string_to_cksumtype -  Convert a string to a checksum type.","krb5_get_prompt_types -  Get prompt types array from a context.","KRB5_PADATA_ENC_SANDIA_SECURID","KRB5_PRINCIPAL_COMPARE_UTF8","KRB5_PADATA_AFS3_SALT","krb5_pac_add_buffer -  Add a buffer to a PAC handle.","krb5_data","krb5_enctype_to_string -  Convert an encryption type to a string.","krb5_x","KRB5_KPASSWD_SUCCESS","krb5_k_make_checksum_iov -  Fill in a checksum element in IOV array (operates on opaque key)","KRB5_PADATA_SAM_REDIRECT","KRB5_PADATA_SAM_RESPONSE","krb5_c_string_to_key_with_params -  Convert a string (such as a password) to a key with additional parameters.","krb5_c_keylengths -  Return length of the specified key in bytes.","TKT_FLG_FORWARDED","krb5_get_init_creds_password -  Get initial credentials using a password.","KRB5_GET_INIT_CREDS_OPT_SALT","Local authorization interface (localauth)","krb5_string_to_key","krb5_cc_next_cred -  Retrieve the next entry from the credential cache.","krb5_cc_move -  Move a credential cache.","SALT_TYPE_NO_LENGTH","stash file","Credential cache","krb5_tkt_creds_step -  Get the next KDC request in a TGS exchange.","KRB5_LRQ_ONE_ACCT_EXPTIME","KRB5_AUTHDATA_AND_OR","AD_TYPE_FIELD_TYPE_MASK","KRB5_GET_INIT_CREDS_OPT_PROXIABLE","krb5_cc_resolve -  Resolve a credential cache name.","krb5_kt_end_seq_get -  Release a keytab cursor.","ENCTYPE_UNKNOWN","krb5_set_kdc_send_hook -  Set a KDC pre-send hook function.","krb5_free_context -  Free a krb5 library context.","krb5_auth_con_setports -  Set local and remote port fields in an auth context.","KRB5_PADATA_FX_FAST","krb5_copy_creds -  Copy a krb5_creds structure.","krb5_merge_authdata -  Merge two authorization data lists into a new list.","krb5_cc_dup -  Duplicate ccache handle.","krb5_context","krb5_k_verify_checksum -  Verify a checksum (operates on opaque key).","krb5_parse_name_flags -  Convert a string principal name to a krb5_principal with flags.","KRB5_AS_REQ","KRB5_AS_REP","krb5_pa_data","krb5_ap_rep","KRB5_PADATA_PK_AS_REQ","KRB5_AUTHDATA_SESAME","krb5_c_random_os_entropy -  Collect entropy from the OS if possible.","kinit","krb5_init_secure_context -  Create a krb5 library context using only configuration files.","krb5_sendauth -  Client function for sendauth protocol.","KRB5_NT_PRINCIPAL","krb5_get_init_creds_opt_set_preauth_list -  Set preauthentication types in initial credential options.","KRB5_CRYPTO_TYPE_HEADER","kvno","krb5_typed_data","krb5_k_prf -  Generate enctype-specific pseudo-random bytes (operates on opaque key).","krb5_responder_pkinit_get_challenge -  Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.","krb5_init_creds_context","krb5_c_padding_length -  Return a number of padding octets.","KRB5_CRYPTO_TYPE_DATA","krb5_auth_con_getrecvsubkey -  Retrieve the receiving subkey from an auth context as a keyblock.","KRB5_KEYUSAGE_APP_DATA_ENCRYPT","CKSUMTYPE_NIST_SHA","krb5_get_fallback_host_realm","krb5_get_in_tkt_with_keytab","krb5_copy_checksum -  Copy a krb5_checksum structure.","KRB5_KEYUSAGE_KRB_PRIV_ENCPART","krb5_ticket_times","KRB5_RESPONDER_OTP_FORMAT_DECIMAL","Host configuration","krb5_const","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","KRB5_PAC_CLIENT_INFO","krb5_free_creds -  Free a krb5_creds structure.","KRB5_AUTH_CONTEXT_RET_TIME","KRB5_LRQ_ONE_LAST_TGT_ISSUED","krb5_c_decrypt -  Decrypt data using a key (operates on keyblock).","KRB5_SAM_USE_SAD_AS_KEY","krb5_cc_new_unique -  Create a new credential cache of the specified type with a unique name.","krb5_parse_name -  Convert a string principal name to a krb5_principal structure.","ENCTYPE_DES3_CBC_RAW","krb5_c_checksum_length -  Return the length of checksums for a checksum type.","KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","krb5_deltat","ENCTYPE_DES3_CBC_SHA1","KRB5_REFERRAL_REALM","KRB5_PROMPT_TYPE_NEW_PASSWORD","KRB5_KEYUSAGE_KRB_SAFE_CKSUM","krb5_cc_gen_new","KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","KRB5_TC_MATCH_FLAGS_EXACT","krb5_cccol_cursor_new -  Prepare to iterate over the collection of known credential caches.","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","krb5_cc_retrieve_cred -  Retrieve a specified credentials from a credential cache.","Host-to-realm interface (hostrealm)","krb5_pac_free -  Free a PAC handle.","kadmind","krb5_salttype_to_string -  Convert a salt type to a string.","KRB5_NT_MS_PRINCIPAL_AND_ID","KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","krb5_auth_con_setaddrs -  Set the local and remote addresses in an auth context.","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","krb5_recvauth -  Server function for sendauth protocol.","KRB5_RECVAUTH_SKIP_VERSION","krb5_get_credentials_validate","Credential cache selection interface (ccselect)","krb5_auth_con_setrecvsubkey_k -  Set the receiving subkey in an auth context.","KDC_OPT_DISABLE_TRANSITED_CHECK","krb5_sname_to_principal -  Generate a full principal name from a service name.","krb5_princ_size","krb5_get_renewed_creds -  Get renewed credential from KDC using an existing credential.","KRB5_KEYUSAGE_KRB_ERROR_CKSUM","MSEC_VAL_MASK","krb5_get_init_creds_opt_set_proxiable -  Set or unset the proxiable flag in initial credential options.","KRB5_LRQ_ALL_LAST_TGT_ISSUED","krb5_cc_get_name -  Retrieve the name, but not type of a credential cache.","KRB5_PRIV","KRB5_PADATA_TGS_REQ","krb5_kt_get_entry -  Get an entry from a key table.","krb5_string_to_deltat -  Convert a string to a delta time value.","Various links","KRB5_NT_ENTERPRISE_PRINCIPAL","KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","krb5_cc_unlock -  Unlock a credential cache.","krb5_cryptotype","krb5_pac_init -  Create an empty Privilege Attribute Certificate (PAC) handle.","krb5_process_key","KDC_OPT_FORWARDABLE","krb5_checksum_size","krb5_free_principal -  Free the storage assigned to a principal.","krb5_copy_addresses -  Copy an array of addresses.","k5srvutil","krb5_get_init_creds_opt_set_anonymous -  Set or unset the anonymous flag in initial credential options.","krb5_copy_principal -  Copy a principal.","krb5_authenticator","ENCTYPE_AES128_CTS_HMAC_SHA1_96","KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","krb5_kt_read_service_key -  Retrieve a service key from a key table.","Principal manipulation and parsing","krb5_mk_ncred -  Format a KRB-CRED message for an array of credentials.","KRB5_LRQ_ONE_LAST_RENEWAL","krb5_copy_keyblock_contents -  Copy the contents of a keyblock.","krb5_tkt_creds_get -  Synchronously obtain credentials using a TGS request context.","krb5_auth_con_getsendsubkey -  Retrieve the send subkey from an auth context as a keyblock.","krb5_init_context_profile -  Create a krb5 library context using a specified profile.","krb5_cc_close -  Close a credential cache handle.","krb5_tkt_creds_init -  Create a context to get credentials from a KDC&#8217;s Ticket Granting Service.","krb5_timeofday -  Retrieve the current time with context specific time offset adjustment.","krb5_xc","KRB5_CRED","krb5_get_init_creds_opt_set_change_password_prompt -  Set or unset change-password-prompt flag in initial credential options.","krb5_k_make_checksum -  Compute a checksum (operates on opaque key).","krb5_auth_con_init -  Create and initialize an authentication context.","osconf.hin","KRB5_KEYUSAGE_FAST_REP","User config files","ADDRTYPE_IPPORT","KRB5_KEYUSAGE_PA_OTP_REQUEST","KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","krb5_prompter_fct","krb5_init_creds_get -  Acquire credentials using an initial credentials context.","KRB5_LRQ_ALL_ACCT_EXPTIME","krb5_encrypt_block","krb5_cksumtype_to_string -  Convert a checksum type to a string.","TKT_FLG_PROXIABLE","KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","krb5_k_decrypt_iov -  Decrypt data in place supporting AEAD (operates on opaque key).","KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","krb5_init_creds_get_times -  Retrieve ticket times from an initial credentials context.","For users","KRB5_TC_MATCH_TIMES_EXACT","GSSAPI mechanism interface","krb5_pac_sign -  Sign a PAC.","CKSUMTYPE_RSA_MD4_DES","krb5_pa_pac_req","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","KRB5_PADATA_ENC_TIMESTAMP","KRB5_SAM_SEND_ENCRYPTED_SAD","krb5_responder_pkinit_identity","KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","krb5_error_code","krb5_auth_con_setsendsubkey_k -  Set the send subkey in an auth context.","ENCTYPE_RSA_ES_OAEP_ENV","Contributing to the MIT Kerberos Documentation","KRB5_PADATA_AS_CHECKSUM","ADDRTYPE_ADDRPORT","KRB5_TC_NOTICKET","AD_TYPE_RESERVED","krb5_string_to_timestamp -  Convert a string to a timestamp.","KRB5_KEYUSAGE_TGS_REQ_AUTH",".k5identity","krb5_auth_con_set_checksum_func -  Set a checksum callback in an auth context.","KRB5_LRQ_ALL_PW_EXPTIME","ADDRTYPE_CHAOS","krb5_get_init_creds_opt_set_responder -  Set the responder function in initial credential options.","KRB5_AUTH_CONTEXT_DO_SEQUENCE","krb5_is_referral_realm -  Check for a match with KRB5_REFERRAL_REALM.","krb5_kt_cursor","krb5_c_decrypt_iov -  Decrypt data in place supporting AEAD (operates on keyblock).","Installing and configuring UNIX client machines","krb5_creds","Application servers","KRB5_LRQ_ALL_LAST_INITIAL","krb5_get_init_creds_opt_set_salt -  Set salt for optimistic preauthentication in initial credential options.","KRB5_TGS_NAME_SIZE","krb5_get_init_creds_opt_set_renew_life -  Set the ticket renewal lifetime in initial credential options.","krb5_princ_realm","AP_OPTS_ETYPE_NEGOTIATION","krb5_free_cred_contents -  Free the contents of a krb5_creds structure.","KRB5_TC_SUPPORTED_KTYPES","krb5_kt_next_entry -  Retrieve the next entry from the key table.","ENCTYPE_DES_CBC_RAW","KRB5_PADATA_S4U_X509_USER","KRB5_INT16_MAX","krb5_rcache","KDC_OPT_POSTDATED","krb5_ui_4","krb5_ui_2","krb5_vprepend_error_message -  Add a prefix to the message for an error code using a va_list.","krb5.conf","KRB5_NT_UNKNOWN","sserver","Configuration interface (profile)","KRB5_NT_SMTP_NAME","krb5_get_init_creds_opt_get_fast_flags -  Retrieve FAST flags from initial credential options.","krb5_cc_set_default_name -  Set the default credential cache name.","krb5_eblock_enctype","krb5_k_encrypt_iov -  Encrypt data in place supporting AEAD (operates on opaque key).","krb5_rd_safe -  Process KRB-SAFE message.","AP_OPTS_MUTUAL_REQUIRED","krb5_cc_initialize -  Initialize a credential cache.","KDC_TKT_COMMON_MASK","krb5_c_prf_length -  Get the output length of pseudo-random functions for an encryption type.","krb5_enc_tkt_part","krb5_get_init_creds_opt_set_fast_ccache_name -  Set location of FAST armor ccache in initial credential options.","KRB5_DOMAIN_X500_COMPRESS","krb5_get_init_creds_opt","KRB5_AUTH_CONTEXT_USE_SUBKEY","krb5_responder_otp_set_answer -  Answer the KRB5_RESPONDER_QUESTION_OTP question.","krb5_mk_safe -  Format a KRB-SAFE message.","KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","krb5_kt_get_type -  Return the type of a key table.","Organization of the source directory","krb5_tkt_authent","KRB5_PRINCIPAL_PARSE_IGNORE_REALM","KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","krb5_c_encrypt -  Encrypt data using a key (operates on keyblock).","krb5_get_init_creds_keytab -  Get initial credentials using a key table.","krb5_free_data_contents -  Free the contents of a krb5_data structure and zero the data field.","krb5_kvno","KDC_OPT_PROXY","krb5_k_free_key -  Decrement the reference count on a key and free it if it hits zero.","KRB5_NT_ENT_PRINCIPAL_AND_ID","krb5_keytab_entry","krb5_prompter_posix -  Prompt user for password.","KRB5_PADATA_PK_AS_REQ_OLD","KDC preauthentication interface (kdcpreauth)","KRB5_NT_MS_PRINCIPAL","krb5_us_timeofday -  Retrieve the system time of day, in sec and ms, since the epoch.","krb5_set_trace_filename -  Specify a file name for directing trace events.","KRB5_KEYUSAGE_KRB_CRED_ENCPART","LDAP backend on Ubuntu 10.4 (lucid)","krb5_finish_random_key","krb5_post_recv_fn","KRB5_AUTH_CONTEXT_PERMIT_ALL","krb5_cc_destroy -  Destroy a credential cache.","krb5_tkt_creds_get_creds -  Retrieve acquired credentials from a TGS request context.","KDC_OPT_RENEWABLE_OK","krb5_init_context -  Create a krb5 library context.","krb5_kuserok -  Determine if a principal is authorized to log in as a local user.","KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","krb5_addrtype","TKT_FLG_HW_AUTH","KRB5_RECVAUTH_BADAUTHVERS","krb5_k_key_enctype -  Retrieve the enctype of a krb5_key structure.","krb5_auth_con_initivector","KRB5_TC_MATCH_SRV_NAMEONLY","krb5_c_valid_enctype -  Verify that a specified encryption type is a valid Kerberos encryption type.","krb5_auth_con_getauthenticator -  Retrieve the authenticator from an auth context.","CKSUMTYPE_HMAC_SHA256_128_AES128","krb5_timestamp_to_sfstring -  Convert a timestamp to a string, with optional output padding.","krb5_os_localaddr -  Return all interface addresses for this host.","krb5_c_prf -  Generate enctype-specific pseudo-random bytes.","krb5_build_principal_alloc_va -  Build a principal name, using a precomputed variable argument list.","krb5_gic_opt_pa_data","krb5_timestamp_to_string -  Convert a timestamp to a string.","KRB5_KEYUSAGE_CAMMAC","krb5_set_principal_realm -  Set the realm field of a principal.","krb5_free_ap_rep_enc_part -  Free a krb5_ap_rep_enc_part structure.","KRB5_ANONYMOUS_REALMSTR","KRB5_PAC_SERVER_CHECKSUM","Internal pluggable interfaces","KRB5_PROMPT_TYPE_PASSWORD","krb5_copy_authdata -  Copy an authorization data list.","LR_TYPE_INTERPRETATION_MASK","passwd_phrase_element","krb5_set_password_using_ccache -  Set a password for a principal using cached credentials.","KRB5_PAC_UPN_DNS_INFO","MSEC_DIRBIT","KRB5_KEYUSAGE_KDC_REP_TICKET","ENCTYPE_AES256_CTS_HMAC_SHA384_192","Installing KDCs","krb5_use_enctype","krb5_responder_otp_tokeninfo","krb5_prompt_type","ENCTYPE_RC2_CBC_ENV","krb5_principal","krb5_pac_parse -  Unparse an encoded PAC into a new handle.","KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","krb5_rd_error -  Decode a KRB-ERROR message.","krb5_ap_rep_enc_part","KRB5_SAM_MUST_PK_ENCRYPT_SAD","krb5_princ_name","krb5_get_init_creds_opt_set_expire_callback -  Set an expiration callback in initial credential options.","KRB5_AUTHDATA_AUTH_INDICATOR","krb5_timestamp","krb5_random_key","krb5_init_creds_free -  Free an initial credentials context.","krb5_is_thread_safe -  Test whether the Kerberos library was built with multithread support.","ENCTYPE_DES_CBC_CRC","krb5_read_password -  Read a password from keyboard input.","krb5_auth_con_getkey_k -  Retrieve the session key from an auth context.","krb5_cc_set_flags -  Set options flags on a credential cache.","krb5_rd_rep_dce -  Parse and decrypt a KRB_AP_REP message for DCE RPC.","kswitch","krb5_responder_fn","krb5_allow_weak_crypto -  Allow the appplication to override the profile&#8217;s allow_weak_crypto setting.","krb5_auth_con_getsendsubkey_k -  Retrieve the send subkey from an auth context.","krb5_c_random_seed","krb5_octet","krb5_crypto_iov","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW"],objects:{"":{krb5_c_string_to_key:[69,0,1,"c.krb5_c_string_to_key"],KRB5_LRQ_ALL_LAST_TGT_ISSUED:[707,3,1,""],krb5_get_in_tkt_with_password:[224,0,1,"c.krb5_get_in_tkt_with_password"],KRB5_TGS_NAME:[567,3,1,""],KRB5_INT32_MIN:[134,3,1,""],KRB5_KEYUSAGE_AD_SIGNEDPATH:[418,3,1,""],krb5_get_in_tkt_with_keytab:[657,0,1,"c.krb5_get_in_tkt_with_keytab"],krb5_pac_parse:[901,0,1,"c.krb5_pac_parse"],krb5_copy_authdata:[887,0,1,"c.krb5_copy_authdata"],krb5_address_compare:[394,0,1,"c.krb5_address_compare"],krb5_copy_context:[141,0,1,"c.krb5_copy_context"],krb5_cc_get_config:[524,0,1,"c.krb5_cc_get_config"],KRB5_AUTHDATA_KDC_ISSUED:[41,3,1,""],krb5_sname_match:[18,0,1,"c.krb5_sname_match"],KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:[343,3,1,""],ENCTYPE_DES_HMAC_SHA1:[84,3,1,""],krb5_transited:[496,2,1,"c.krb5_transited"],krb5_kt_remove_entry:[158,0,1,"c.krb5_kt_remove_entry"],krb5_server_decrypt_ticket_keytab:[389,0,1,"c.krb5_server_decrypt_ticket_keytab"],krb5_free_ticket:[144,0,1,"c.krb5_free_ticket"],krb5_kt_close:[206,0,1,"c.krb5_kt_close"],krb5_get_init_creds_opt_set_pa:[81,0,1,"c.krb5_get_init_creds_opt_set_pa"],MSEC_VAL_MASK:[705,3,1,""],ENCTYPE_DES3_CBC_SHA1:[677,3,1,""],KRB5_KPASSWD_ACCESSDENIED:[281,3,1,""],krb5_build_principal_ext:[453,0,1,"c.krb5_build_principal_ext"],TKT_FLG_FORWARDED:[605,3,1,""],krb5_c_free_state:[300,0,1,"c.krb5_c_free_state"],krb5_free_cksumtypes:[435,0,1,"c.krb5_free_cksumtypes"],KRB5_PADATA_SAM_REDIRECT:[601,3,1,""],CKSUMTYPE_HMAC_SHA1_96_AES256:[96,3,1,""],KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:[772,3,1,""],krb5_build_principal_va:[577,0,1,"c.krb5_build_principal_va"],krb5_prompter_fct:[752,2,1,"c.krb5_prompter_fct"],krb5_k_key_enctype:[868,0,1,"c.krb5_k_key_enctype"],KRB5_PADATA_PK_AS_REQ_OLD:[849,3,1,""],krb5_eblock_enctype:[819,0,1,"c.krb5_eblock_enctype"],krb5_get_init_creds_opt_set_fast_ccache_name:[827,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name"],krb5_responder_pkinit_get_challenge:[649,0,1,"c.krb5_responder_pkinit_get_challenge"],KRB5_PAC_SERVER_CHECKSUM:[884,3,1,""],KRB5_CRYPTO_TYPE_DATA:[652,3,1,""],krb5_keyblock:[525,2,1,"c.krb5_keyblock"],KRB5_PAC_UPN_DNS_INFO:[891,3,1,""],krb5_princ_realm:[799,3,1,""],krb5_principal_data:[425,2,1,"c.krb5_principal_data"],krb5_c_derive_prfplus:[349,0,1,"c.krb5_c_derive_prfplus"],ENCTYPE_UNKNOWN:[622,3,1,""],krb5_tkt_creds_get_creds:[860,0,1,"c.krb5_tkt_creds_get_creds"],krb5_cc_store_cred:[463,0,1,"c.krb5_cc_store_cred"],krb5_rd_priv:[215,0,1,"c.krb5_rd_priv"],KRB5_KEYUSAGE_PA_FX_COOKIE:[475,3,1,""],krb5_cc_move:[611,0,1,"c.krb5_cc_move"],krb5_verify_authdata_kdc_issued:[373,0,1,"c.krb5_verify_authdata_kdc_issued"],krb5_aname_to_localname:[129,0,1,"c.krb5_aname_to_localname"],KRB5_AP_REQ:[57,3,1,""],KRB5_AP_REP:[390,3,1,""],krb5_enc_data:[370,2,1,"c.krb5_enc_data"],krb5_address_search:[399,0,1,"c.krb5_address_search"],krb5_free_authenticator:[178,0,1,"c.krb5_free_authenticator"],krb5_get_permitted_enctypes:[105,0,1,"c.krb5_get_permitted_enctypes"],krb5_c_random_make_octets:[580,0,1,"c.krb5_c_random_make_octets"],KRB5_KEYUSAGE_GSS_TOK_MIC:[186,3,1,""],krb5_cc_dup:[629,0,1,"c.krb5_cc_dup"],KRB5_PRIV:[709,3,1,""],KRB5_PADATA_OTP_CHALLENGE:[271,3,1,""],TKT_FLG_PROXIABLE:[757,3,1,""],krb5_auth_con_setrecvsubkey_k:[699,0,1,"c.krb5_auth_con_setrecvsubkey_k"],krb5_cccol_cursor_new:[684,0,1,"c.krb5_cccol_cursor_new"],krb5_auth_con_getrecvsubkey_k:[406,0,1,"c.krb5_auth_con_getrecvsubkey_k"],krb5_verify_init_creds_opt:[6,2,1,"c.krb5_verify_init_creds_opt"],KRB5_PADATA_AP_REQ:[113,3,1,""],KRB5_KEYUSAGE_AS_REQ:[196,3,1,""],krb5_cc_gen_new:[681,0,1,"c.krb5_cc_gen_new"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:[729,3,1,""],krb5_auth_con_getrcache:[458,0,1,"c.krb5_auth_con_getrcache"],KRB5_PADATA_PK_AS_REP:[53,3,1,""],KRB5_PADATA_PK_AS_REQ:[637,3,1,""],AD_TYPE_EXTERNAL:[581,3,1,""],krb5_cc_unlock:[716,0,1,"c.krb5_cc_unlock"],krb5_cred_enc_part:[189,2,1,"c.krb5_cred_enc_part"],passwd_phrase_element:[889,2,1,"c.passwd_phrase_element"],KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:[262,3,1,""],krb5_flags:[481,2,1,"c.krb5_flags"],krb5_cc_select:[393,0,1,"c.krb5_cc_select"],krb5_mk_req_extended:[1,0,1,"c.krb5_mk_req_extended"],krb5_kt_free_entry:[329,0,1,"c.krb5_kt_free_entry"],KRB5_AUTHDATA_IF_RELEVANT:[471,3,1,""],krb5_finish_key:[419,0,1,"c.krb5_finish_key"],krb5_creds:[793,2,1,"c.krb5_creds"],krb5_boolean:[454,2,1,"c.krb5_boolean"],krb5_responder_pkinit_identity:[771,2,1,"c.krb5_responder_pkinit_identity"],krb524_convert_creds_kdc:[90,3,1,""],KRB5_NT_SRV_HST:[260,3,1,""],krb5_get_init_creds_opt_free:[407,0,1,"c.krb5_get_init_creds_opt_free"],KRB5_AUTHDATA_AND_OR:[617,3,1,""],KRB5_CRYPTO_TYPE_HEADER:[645,3,1,""],KRB5_PRINCIPAL_UNPARSE_DISPLAY:[116,3,1,""],KRB5_NT_WELLKNOWN:[311,3,1,""],krb5_get_init_creds_opt_set_proxiable:[706,0,1,"c.krb5_get_init_creds_opt_set_proxiable"],krb5_ui_4:[809,2,1,"c.krb5_ui_4"],KRB5_NT_ENTERPRISE_PRINCIPAL:[714,3,1,""],krb5_cc_get_flags:[447,0,1,"c.krb5_cc_get_flags"],KRB5_KPASSWD_MALFORMED:[58,3,1,""],KRB5_AS_REP:[634,3,1,""],KRB5_AS_REQ:[633,3,1,""],krb5_init_random_key:[526,0,1,"c.krb5_init_random_key"],KRB5_CRYPTO_TYPE_PADDING:[402,3,1,""],krb5_k_create_key:[251,0,1,"c.krb5_k_create_key"],ENCTYPE_RC2_CBC_ENV:[899,3,1,""],krb5_rd_rep_dce:[917,0,1,"c.krb5_rd_rep_dce"],KRB5_PADATA_ETYPE_INFO2:[550,3,1,""],krb5_set_trace_callback:[372,0,1,"c.krb5_set_trace_callback"],krb5_key:[78,2,1,"c.krb5_key"],krb5_pwd_data:[443,2,1,"c.krb5_pwd_data"],KRB5_PAC_CREDENTIALS_INFO:[497,3,1,""],KRB5_PADATA_OTP_REQUEST:[528,3,1,""],krb5_cc_start_seq_get:[133,0,1,"c.krb5_cc_start_seq_get"],krb5_copy_error_message:[508,0,1,"c.krb5_copy_error_message"],KRB5_TGS_NAME_SIZE:[797,3,1,""],krb5_expire_callback_func:[278,2,1,"c.krb5_expire_callback_func"],krb5_realm_compare:[130,0,1,"c.krb5_realm_compare"],KDC_OPT_CANONICALIZE:[297,3,1,""],krb5_c_fx_cf2_simple:[72,0,1,"c.krb5_c_fx_cf2_simple"],krb5_cc_close:[738,0,1,"c.krb5_cc_close"],krb5_tkt_creds_get:[735,0,1,"c.krb5_tkt_creds_get"],CKSUMTYPE_HMAC_SHA1_DES3:[199,3,1,""],krb5_auth_con_setaddrs:[693,0,1,"c.krb5_auth_con_setaddrs"],krb5_get_init_creds_opt_set_address_list:[371,0,1,"c.krb5_get_init_creds_opt_set_address_list"],krb5_k_verify_checksum:[631,0,1,"c.krb5_k_verify_checksum"],krb5_init_creds_get:[753,0,1,"c.krb5_init_creds_get"],krb5_ap_req:[259,2,1,"c.krb5_ap_req"],krb5_ap_rep:[636,2,1,"c.krb5_ap_rep"],KDC_OPT_POSTDATED:[808,3,1,""],CKSUMTYPE_RSA_MD5_DES:[305,3,1,""],MSEC_DIRBIT:[892,3,1,""],krb5_get_init_creds_opt_set_out_ccache:[532,0,1,"c.krb5_get_init_creds_opt_set_out_ccache"],CKSUMTYPE_HMAC_SHA384_192_AES256:[50,3,1,""],krb5_kuserok:[863,0,1,"c.krb5_kuserok"],KRB5_TC_MATCH_KTYPE:[587,3,1,""],TKT_FLG_MAY_POSTDATE:[209,3,1,""],krb5_auth_context:[513,2,1,"c.krb5_auth_context"],AP_OPTS_USE_SESSION_KEY:[541,3,1,""],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:[232,3,1,""],krb5_c_make_checksum_iov:[310,0,1,"c.krb5_c_make_checksum_iov"],krb5_verify_init_creds_opt_init:[204,0,1,"c.krb5_verify_init_creds_opt_init"],krb5_calculate_checksum:[401,0,1,"c.krb5_calculate_checksum"],KRB5_WELLKNOWN_NAMESTR:[86,3,1,""],THREEPARAMOPEN:[570,3,1,""],KRB5_RESPONDER_QUESTION_PKINIT:[118,3,1,""],krb5_kt_get_name:[374,0,1,"c.krb5_kt_get_name"],MAX_KEYTAB_NAME_LEN:[109,3,1,""],KDC_OPT_PROXY:[844,3,1,""],KRB5_KEYUSAGE_KRB_ERROR_CKSUM:[704,3,1,""],KRB5_TC_MATCH_TIMES:[375,3,1,""],krb5_kt_client_default:[200,0,1,"c.krb5_kt_client_default"],krb5_principal:[900,2,1,"c.krb5_principal"],KRB5_NT_SRV_XHST:[192,3,1,""],krb5_encode_authdata_container:[274,0,1,"c.krb5_encode_authdata_container"],KRB5_TC_MATCH_AUTHDATA:[13,3,1,""],krb5_cred:[336,2,1,"c.krb5_cred"],krb5_authenticator:[727,2,1,"c.krb5_authenticator"],krb5_k_key_keyblock:[359,0,1,"c.krb5_k_key_keyblock"],krb5_pa_server_referral_data:[220,2,1,"c.krb5_pa_server_referral_data"],KRB5_CRYPTO_TYPE_SIGN_ONLY:[474,3,1,""],krb5_cc_last_change_time:[237,0,1,"c.krb5_cc_last_change_time"],KRB5_PRINCIPAL_PARSE_IGNORE_REALM:[838,3,1,""],krb5_init_creds_get_times:[761,0,1,"c.krb5_init_creds_get_times"],KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:[252,3,1,""],krb5_cccol_unlock:[340,0,1,"c.krb5_cccol_unlock"],KRB5_AUTHDATA_SIGNTICKET:[285,3,1,""],krb5_c_init_state:[197,0,1,"c.krb5_c_init_state"],krb5_auth_con_get_checksum_func:[151,0,1,"c.krb5_auth_con_get_checksum_func"],krb5_free_principal:[722,0,1,"c.krb5_free_principal"],KRB5_GC_CANONICALIZE:[533,3,1,""],krb5_responder_otp_set_answer:[831,0,1,"c.krb5_responder_otp_set_answer"],krb5_const:[663,3,1,""],ADDRTYPE_IPPORT:[749,3,1,""],krb5_vwrap_error_message:[140,0,1,"c.krb5_vwrap_error_message"],KRB5_PADATA_ENC_TIMESTAMP:[769,3,1,""],ADDRTYPE_IS_LOCAL:[431,3,1,""],TKT_FLG_HW_AUTH:[866,3,1,""],ENCTYPE_NULL:[585,3,1,""],krb5_verify_init_creds:[519,0,1,"c.krb5_verify_init_creds"],krb5_set_real_time:[461,0,1,"c.krb5_set_real_time"],krb5_find_authdata:[436,0,1,"c.krb5_find_authdata"],krb5_init_creds_context:[650,2,1,"c.krb5_init_creds_context"],krb5_us_timeofday:[852,0,1,"c.krb5_us_timeofday"],krb5_c_keylengths:[604,0,1,"c.krb5_c_keylengths"],krb5_unparse_name_ext:[479,0,1,"c.krb5_unparse_name_ext"],KRB5_PADATA_FX_FAST:[626,3,1,""],KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:[715,3,1,""],krb5_error_code:[773,2,1,"c.krb5_error_code"],krb5_free_enctypes:[22,0,1,"c.krb5_free_enctypes"],krb5_k_encrypt_iov:[820,0,1,"c.krb5_k_encrypt_iov"],krb5_auth_con_setrcache:[543,0,1,"c.krb5_auth_con_setrcache"],krb5_fwd_tgt_creds:[318,0,1,"c.krb5_fwd_tgt_creds"],krb5_prompt:[139,2,1,"c.krb5_prompt"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:[465,3,1,""],krb5_copy_addresses:[723,0,1,"c.krb5_copy_addresses"],krb5_get_init_creds_opt_init:[142,0,1,"c.krb5_get_init_creds_opt_init"],krb5_get_renewed_creds:[703,0,1,"c.krb5_get_renewed_creds"],krb5_anonymous_principal:[227,0,1,"c.krb5_anonymous_principal"],krb5_c_make_random_key:[143,0,1,"c.krb5_c_make_random_key"],krb5_cc_initialize:[823,0,1,"c.krb5_cc_initialize"],KDC_TKT_COMMON_MASK:[824,3,1,""],krb5_c_valid_cksumtype:[510,0,1,"c.krb5_c_valid_cksumtype"],krb5_string_to_key:[609,0,1,"c.krb5_string_to_key"],krb5_get_in_tkt_with_skey:[378,0,1,"c.krb5_get_in_tkt_with_skey"],krb5_auth_con_setports:[625,0,1,"c.krb5_auth_con_setports"],krb5_timestamp:[909,2,1,"c.krb5_timestamp"],krb5_ticket_times:[660,2,1,"c.krb5_ticket_times"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:[174,3,1,""],krb5_auth_con_getrecvsubkey:[653,0,1,"c.krb5_auth_con_getrecvsubkey"],KDC_OPT_VALIDATE:[214,3,1,""],ENCTYPE_DES3_CBC_SHA:[244,3,1,""],KRB5_SAFE:[534,3,1,""],krb5_copy_creds:[627,0,1,"c.krb5_copy_creds"],krb5_k_make_checksum_iov:[600,0,1,"c.krb5_k_make_checksum_iov"],krb5_princ_name:[906,3,1,""],KRB5_AUTH_CONTEXT_DO_SEQUENCE:[788,3,1,""],TKT_FLG_POSTDATED:[410,3,1,""],AP_OPTS_ETYPE_NEGOTIATION:[800,3,1,""],KRB5_NT_SMTP_NAME:[816,3,1,""],krb5_princ_set_realm:[294,3,1,""],KRB5_GC_USER_USER:[588,3,1,""],krb5_pac_verify:[258,0,1,"c.krb5_pac_verify"],krb5_deltat:[676,2,1,"c.krb5_deltat"],krb5_rd_safe:[821,0,1,"c.krb5_rd_safe"],krb5_auth_con_getlocalsubkey:[210,0,1,"c.krb5_auth_con_getlocalsubkey"],krb5_enctype:[531,2,1,"c.krb5_enctype"],krb5_sendauth:[642,0,1,"c.krb5_sendauth"],krb5_auth_con_getsendsubkey_k:[921,0,1,"c.krb5_auth_con_getsendsubkey_k"],KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:[350,3,1,""],krb5_k_verify_checksum_iov:[385,0,1,"c.krb5_k_verify_checksum_iov"],krb5_get_host_realm:[292,0,1,"c.krb5_get_host_realm"],KRB5_CRYPTO_TYPE_TRAILER:[408,3,1,""],krb5_appdefault_boolean:[124,0,1,"c.krb5_appdefault_boolean"],krb5_set_kdc_send_hook:[623,0,1,"c.krb5_set_kdc_send_hook"],KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:[446,3,1,""],krb5_unparse_name:[549,0,1,"c.krb5_unparse_name"],krb5_timeofday:[740,0,1,"c.krb5_timeofday"],krb5_c_checksum_length:[674,0,1,"c.krb5_c_checksum_length"],krb5_c_make_checksum:[505,0,1,"c.krb5_c_make_checksum"],krb5_authdata:[360,2,1,"c.krb5_authdata"],KRB5_SAM_SEND_ENCRYPTED_SAD:[770,3,1,""],krb5_set_kdc_recv_hook:[167,0,1,"c.krb5_set_kdc_recv_hook"],krb5_cc_lock:[205,0,1,"c.krb5_cc_lock"],KRB5_GC_NO_STORE:[451,3,1,""],krb5_responder_otp_get_challenge:[47,0,1,"c.krb5_responder_otp_get_challenge"],krb5_responder_context:[527,2,1,"c.krb5_responder_context"],krb5_c_is_coll_proof_cksum:[584,0,1,"c.krb5_c_is_coll_proof_cksum"],KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:[758,3,1,""],KRB5_PADATA_ETYPE_INFO:[33,3,1,""],krb5_cc_get_principal:[491,0,1,"c.krb5_cc_get_principal"],KRB5_PADATA_TGS_REQ:[710,3,1,""],CKSUMTYPE_CMAC_CAMELLIA128:[516,3,1,""],krb5_rd_req:[568,0,1,"c.krb5_rd_req"],KRB5_CRED:[742,3,1,""],krb5_responder_otp_challenge:[514,2,1,"c.krb5_responder_otp_challenge"],krb5_unparse_name_flags:[489,0,1,"c.krb5_unparse_name_flags"],krb5_anonymous_realm:[49,0,1,"c.krb5_anonymous_realm"],krb5_auth_con_free:[166,0,1,"c.krb5_auth_con_free"],KRB5_KEYUSAGE_KRB_PRIV_ENCPART:[659,3,1,""],CKSUMTYPE_DESCBC:[414,3,1,""],KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:[760,3,1,""],krb5_timestamp_to_sfstring:[874,0,1,"c.krb5_timestamp_to_sfstring"],krb5_pointer:[60,2,1,"c.krb5_pointer"],VALID_INT_BITS:[380,3,1,""],KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:[833,3,1,""],krb5_init_creds_step:[185,0,1,"c.krb5_init_creds_step"],krb5_get_init_creds_opt_set_responder:[787,0,1,"c.krb5_get_init_creds_opt_set_responder"],KRB5_PROMPT_TYPE_NEW_PASSWORD:[679,3,1,""],krb5_pa_pac_req:[767,2,1,"c.krb5_pa_pac_req"],krb5_get_server_rcache:[586,0,1,"c.krb5_get_server_rcache"],krb5_responder_otp_tokeninfo:[897,2,1,"c.krb5_responder_otp_tokeninfo"],krb5_init_creds_get_error:[74,0,1,"c.krb5_init_creds_get_error"],KRB5_PADATA_SESAME:[303,3,1,""],KDC_OPT_ENC_TKT_IN_SKEY:[202,3,1,""],KRB5_CRYPTO_TYPE_STREAM:[478,3,1,""],ADDRTYPE_INET:[383,3,1,""],krb5_allow_weak_crypto:[920,0,1,"c.krb5_allow_weak_crypto"],KRB5_KEYUSAGE_FAST_ENC:[289,3,1,""],krb5_last_req_entry:[503,2,1,"c.krb5_last_req_entry"],KRB5_PAC_PRIVSVR_CHECKSUM:[353,3,1,""],krb5_free_host_realm:[277,0,1,"c.krb5_free_host_realm"],krb5_cccol_have_content:[163,0,1,"c.krb5_cccol_have_content"],krb5_auth_con_getauthenticator:[872,0,1,"c.krb5_auth_con_getauthenticator"],krb5_princ_set_realm_length:[574,3,1,""],KRB5_SAM_USE_SAD_AS_KEY:[670,3,1,""],krb5_post_recv_fn:[857,2,1,"c.krb5_post_recv_fn"],krb5_cc_default_name:[191,0,1,"c.krb5_cc_default_name"],KRB5_PVNO:[500,3,1,""],KRB5_PRINCIPAL_PARSE_NO_REALM:[216,3,1,""],krb5_get_fallback_host_realm:[656,0,1,"c.krb5_get_fallback_host_realm"],krb5_checksum_size:[721,0,1,"c.krb5_checksum_size"],ENCTYPE_DES3_CBC_RAW:[673,3,1,""],KRB5_AUTH_CONTEXT_RET_TIME:[667,3,1,""],LR_TYPE_THIS_SERVER_ONLY:[145,3,1,""],KRB5_NT_ENT_PRINCIPAL_AND_ID:[846,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:[0,3,1,""],krb5_auth_con_getlocalseqnumber:[85,0,1,"c.krb5_auth_con_getlocalseqnumber"],KRB5_RESPONDER_OTP_FORMAT_DECIMAL:[661,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:[306,3,1,""],krb5_get_init_creds_opt_set_preauth_list:[644,0,1,"c.krb5_get_init_creds_opt_set_preauth_list"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:[685,3,1,""],KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:[547,3,1,""],KRB5_ENCPADATA_REQ_ENC_PA_REP:[123,3,1,""],CKSUMTYPE_RSA_MD4_DES:[766,3,1,""],KRB5_TC_MATCH_FLAGS_EXACT:[683,3,1,""],krb5_random_key:[910,0,1,"c.krb5_random_key"],krb5_free_keytab_entry_contents:[276,0,1,"c.krb5_free_keytab_entry_contents"],ENCTYPE_AES256_CTS_HMAC_SHA1_96:[52,3,1,""],krb5_responder_fn:[919,2,1,"c.krb5_responder_fn"],krb5_mk_rep:[364,0,1,"c.krb5_mk_rep"],krb5_mk_req:[363,0,1,"c.krb5_mk_req"],KRB5_FAST_REQUIRED:[456,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:[664,3,1,""],krb5_clear_error_message:[9,0,1,"c.krb5_clear_error_message"],CKSUMTYPE_CMAC_CAMELLIA256:[180,3,1,""],krb5_mk_ncred:[732,0,1,"c.krb5_mk_ncred"],krb5_wrap_error_message:[38,0,1,"c.krb5_wrap_error_message"],ENCTYPE_DES_CBC_MD5:[356,3,1,""],ENCTYPE_DES_CBC_MD4:[355,3,1,""],krb5_get_init_creds_opt_set_pac_request:[37,0,1,"c.krb5_get_init_creds_opt_set_pac_request"],krb5_string_to_salttype:[432,0,1,"c.krb5_string_to_salttype"],krb5_address:[499,2,1,"c.krb5_address"],KRB5_PRINCIPAL_UNPARSE_SHORT:[128,3,1,""],krb5_kt_get_entry:[711,0,1,"c.krb5_kt_get_entry"],krb5_get_init_creds_opt_set_in_ccache:[556,0,1,"c.krb5_get_init_creds_opt_set_in_ccache"],krb5_auth_con_initivector:[869,0,1,"c.krb5_auth_con_initivector"],krb5_c_random_os_entropy:[639,0,1,"c.krb5_c_random_os_entropy"],ADDRTYPE_XNS:[270,3,1,""],KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:[839,3,1,""],krb5_prompter_posix:[848,0,1,"c.krb5_prompter_posix"],krb5_const_pointer:[480,2,1,"c.krb5_const_pointer"],AD_TYPE_REGISTERED:[396,3,1,""],krb5_keyusage:[317,2,1,"c.krb5_keyusage"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:[15,3,1,""],KRB5_PROMPT_TYPE_PASSWORD:[886,3,1,""],ENCTYPE_DES_CBC_CRC:[913,3,1,""],KRB5_PAC_DELEGATION_INFO:[161,3,1,""],KDC_OPT_PROXIABLE:[398,3,1,""],krb5_c_random_seed:[922,0,1,"c.krb5_c_random_seed"],KRB5_TC_SUPPORTED_KTYPES:[802,3,1,""],KRB5_NT_SRV_INST:[488,3,1,""],krb5_kt_have_content:[135,0,1,"c.krb5_kt_have_content"],KRB5_LRQ_NONE:[558,3,1,""],krb5_set_password:[400,0,1,"c.krb5_set_password"],KRB5_PADATA_ENC_UNIX_TIME:[495,3,1,""],krb5_tkt_creds_context:[172,2,1,"c.krb5_tkt_creds_context"],krb5_addrtype:[865,2,1,"c.krb5_addrtype"],krb5_init_creds_get_creds:[245,0,1,"c.krb5_init_creds_get_creds"],KRB5_AUTHDATA_AUTH_INDICATOR:[908,3,1,""],krb5_c_encrypt:[840,0,1,"c.krb5_c_encrypt"],krb5_use_enctype:[896,0,1,"c.krb5_use_enctype"],KRB5_PADATA_SVR_REFERRAL_INFO:[218,3,1,""],KRB5_KEYUSAGE_PA_PKINIT_KX:[314,3,1,""],krb5_get_init_creds_opt_set_fast_flags:[229,0,1,"c.krb5_get_init_creds_opt_set_fast_flags"],krb5_enctype_to_string:[597,0,1,"c.krb5_enctype_to_string"],krb5_get_validated_creds:[422,0,1,"c.krb5_get_validated_creds"],krb5_merge_authdata:[628,0,1,"c.krb5_merge_authdata"],krb5_checksum:[154,2,1,"c.krb5_checksum"],krb5_crypto_iov:[924,2,1,"c.krb5_crypto_iov"],krb5_encrypt_block:[755,2,1,"c.krb5_encrypt_block"],krb5_cc_destroy:[859,0,1,"c.krb5_cc_destroy"],KRB5_KEYUSAGE_AD_ITE:[460,3,1,""],KRB5_AUTH_CONTEXT_USE_SUBKEY:[830,3,1,""],krb5_init_creds_init:[357,0,1,"c.krb5_init_creds_init"],krb5_c_padding_length:[651,0,1,"c.krb5_c_padding_length"],TKT_FLG_ENC_PA_REP:[7,3,1,""],KDC_OPT_RENEWABLE:[512,3,1,""],KRB5_RESPONDER_QUESTION_PASSWORD:[559,3,1,""],krb5_responder_otp_challenge_free:[157,0,1,"c.krb5_responder_otp_challenge_free"],KRB5_PADATA_PAC_REQUEST:[24,3,1,""],TKT_FLG_PRE_AUTH:[313,3,1,""],krb5_cksumtype:[387,2,1,"c.krb5_cksumtype"],krb5_replay_data:[29,2,1,"c.krb5_replay_data"],krb5_responder_list_questions:[341,0,1,"c.krb5_responder_list_questions"],KDC_OPT_REQUEST_ANONYMOUS:[470,3,1,""],krb5_salttype_to_string:[690,0,1,"c.krb5_salttype_to_string"],KDC_OPT_DISABLE_TRANSITED_CHECK:[700,3,1,""],krb5_copy_keyblock_contents:[734,0,1,"c.krb5_copy_keyblock_contents"],ENCTYPE_SHA1_RSA_CMS:[560,3,1,""],CKSUMTYPE_NIST_SHA:[655,3,1,""],krb5_set_principal_realm:[881,0,1,"c.krb5_set_principal_realm"],KRB5_TC_MATCH_IS_SKEY:[173,3,1,""],krb5_init_keyblock:[316,0,1,"c.krb5_init_keyblock"],KRB5_KPASSWD_AUTHERROR:[284,3,1,""],ADDRTYPE_ADDRPORT:[778,3,1,""],CKSUMTYPE_HMAC_MD5_ARCFOUR:[64,3,1,""],KRB5_AUTHDATA_SESAME:[638,3,1,""],krb5_enctype_to_name:[171,0,1,"c.krb5_enctype_to_name"],krb5_encrypt_size:[530,0,1,"c.krb5_encrypt_size"],krb5_rcache:[807,2,1,"c.krb5_rcache"],KRB5_PRINCIPAL_COMPARE_UTF8:[593,3,1,""],krb5_tkt_creds_get_times:[121,0,1,"c.krb5_tkt_creds_get_times"],krb5_free_string:[264,0,1,"c.krb5_free_string"],krb5_free_keyblock_contents:[89,0,1,"c.krb5_free_keyblock_contents"],krb5_encrypt:[261,0,1,"c.krb5_encrypt"],krb5_cc_switch:[352,0,1,"c.krb5_cc_switch"],ADDRTYPE_NETBIOS:[405,3,1,""],krb5_auth_con_set_checksum_func:[784,0,1,"c.krb5_auth_con_set_checksum_func"],krb5_princ_type:[160,3,1,""],krb5_k_decrypt_iov:[759,0,1,"c.krb5_k_decrypt_iov"],krb5_auth_con_set_req_cksumtype:[272,0,1,"c.krb5_auth_con_set_req_cksumtype"],KRB5_PADATA_NONE:[288,3,1,""],krb5_roundup:[441,3,1,""],krb5_enc_kdc_rep_part:[324,2,1,"c.krb5_enc_kdc_rep_part"],ENCTYPE_AES256_CTS_HMAC_SHA384_192:[894,3,1,""],krb5_decode_ticket:[190,0,1,"c.krb5_decode_ticket"],krb5_trace_callback:[136,2,1,"c.krb5_trace_callback"],krb5_ap_rep_enc_part:[904,2,1,"c.krb5_ap_rep_enc_part"],krb5_pa_data:[635,2,1,"c.krb5_pa_data"],KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:[83,3,1,""],AP_OPTS_WIRE_MASK:[21,3,1,""],krb5_cc_copy_creds:[146,0,1,"c.krb5_cc_copy_creds"],KRB5_LRQ_ONE_LAST_RENEWAL:[733,3,1,""],KRB5_INT16_MIN:[201,3,1,""],krb5_get_profile:[334,0,1,"c.krb5_get_profile"],KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:[80,3,1,""],krb5_get_init_creds_opt:[829,2,1,"c.krb5_get_init_creds_opt"],krb5_cccol_cursor_next:[517,0,1,"c.krb5_cccol_cursor_next"],krb5_copy_checksum:[658,0,1,"c.krb5_copy_checksum"],krb5_get_init_creds_opt_alloc:[107,0,1,"c.krb5_get_init_creds_opt_alloc"],krb5_keytab:[582,2,1,"c.krb5_keytab"],krb5_init_creds_set_service:[421,0,1,"c.krb5_init_creds_set_service"],KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:[482,3,1,""],krb5_cccol_cursor_free:[342,0,1,"c.krb5_cccol_cursor_free"],krb5_c_crypto_length:[551,0,1,"c.krb5_c_crypto_length"],krb5_get_error_message:[51,0,1,"c.krb5_get_error_message"],krb5_cc_cursor:[501,2,1,"c.krb5_cc_cursor"],krb5_make_authdata_kdc_issued:[403,0,1,"c.krb5_make_authdata_kdc_issued"],ADDRTYPE_ISO:[106,3,1,""],krb5_c_is_keyed_cksum:[358,0,1,"c.krb5_c_is_keyed_cksum"],KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:[692,3,1,""],KDC_OPT_CNAME_IN_ADDL_TKT:[198,3,1,""],krb5_ccache:[339,2,1,"c.krb5_ccache"],krb5_change_password:[362,0,1,"c.krb5_change_password"],krb5_verify_init_creds_opt_set_ap_req_nofail:[572,0,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail"],krb5_x:[598,3,1,""],KRB5_PADATA_AFS3_SALT:[594,3,1,""],krb5_verify_checksum:[282,0,1,"c.krb5_verify_checksum"],KRB5_GC_CACHED:[442,3,1,""],krb5_keytab_entry:[847,2,1,"c.krb5_keytab_entry"],krb5_copy_data:[230,0,1,"c.krb5_copy_data"],krb5_kt_dup:[293,0,1,"c.krb5_kt_dup"],CKSUMTYPE_HMAC_SHA1_96_AES128:[578,3,1,""],krb5_free_addresses:[555,0,1,"c.krb5_free_addresses"],krb5_build_principal_alloc_va:[877,0,1,"c.krb5_build_principal_alloc_va"],KRB5_INT32_MAX:[571,3,1,""],KRB5_LRQ_ALL_LAST_INITIAL:[795,3,1,""],krb5_ticket:[309,2,1,"c.krb5_ticket"],KRB5_ANONYMOUS_REALMSTR:[883,3,1,""],krb5_init_creds_set_password:[417,0,1,"c.krb5_init_creds_set_password"],krb5_principal_compare_any_realm:[368,0,1,"c.krb5_principal_compare_any_realm"],KRB5_PADATA_SAM_RESPONSE:[602,3,1,""],krb5_free_authdata:[409,0,1,"c.krb5_free_authdata"],krb5_cccol_cursor:[221,2,1,"c.krb5_cccol_cursor"],KRB5_TC_MATCH_FLAGS:[177,3,1,""],krb5_k_make_checksum:[744,0,1,"c.krb5_k_make_checksum"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:[925,3,1,""],krb5_is_config_principal:[71,0,1,"c.krb5_is_config_principal"],krb5_prompt_type:[898,2,1,"c.krb5_prompt_type"],TKT_FLG_OK_AS_DELEGATE:[170,3,1,""],krb5_expand_hostname:[188,0,1,"c.krb5_expand_hostname"],krb5_process_key:[719,0,1,"c.krb5_process_key"],krb5_auth_con_setsendsubkey:[483,0,1,"c.krb5_auth_con_setsendsubkey"],KDC_OPT_ALLOW_POSTDATE:[464,3,1,""],krb5_mk_req_checksum_func:[376,2,1,"c.krb5_mk_req_checksum_func"],KRB5_KEYUSAGE_KDC_REP_TICKET:[893,3,1,""],KRB5_PADATA_FX_COOKIE:[219,3,1,""],krb5_set_trace_filename:[853,0,1,"c.krb5_set_trace_filename"],KRB5_DOMAIN_X500_COMPRESS:[828,3,1,""],krb5_sname_to_principal:[701,0,1,"c.krb5_sname_to_principal"],KRB5_KEYUSAGE_KRB_SAFE_CKSUM:[680,3,1,""],SALT_TYPE_AFS_LENGTH:[283,3,1,""],krb5_free_checksum_contents:[486,0,1,"c.krb5_free_checksum_contents"],krb5_kt_default_name:[207,0,1,"c.krb5_kt_default_name"],KRB5_KPASSWD_SOFTERROR:[152,3,1,""],krb5_preauthtype:[466,2,1,"c.krb5_preauthtype"],krb5_set_default_realm:[344,0,1,"c.krb5_set_default_realm"],krb5_free_cred_contents:[801,0,1,"c.krb5_free_cred_contents"],KRB5_AUTHDATA_OSF_DCE:[554,3,1,""],krb5_cc_retrieve_cred:[686,0,1,"c.krb5_cc_retrieve_cred"],KRB5_AUTHDATA_MANDATORY_FOR_KDC:[20,3,1,""],krb5_responder_set_answer:[235,0,1,"c.krb5_responder_set_answer"],krb5_c_keyed_checksum_types:[91,0,1,"c.krb5_c_keyed_checksum_types"],KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:[472,3,1,""],KRB5_KPASSWD_HARDERROR:[82,3,1,""],KRB5_LRQ_ONE_LAST_TGT:[553,3,1,""],krb5_cksumtype_to_string:[756,0,1,"c.krb5_cksumtype_to_string"],KRB5_AUTH_CONTEXT_RET_SEQUENCE:[16,3,1,""],krb5_c_decrypt:[669,0,1,"c.krb5_c_decrypt"],KRB5_PRINCIPAL_COMPARE_CASEFOLD:[424,3,1,""],KRB5_LRQ_ALL_ACCT_EXPTIME:[754,3,1,""],KRB5_NT_UID:[67,3,1,""],krb5_free_checksum:[348,0,1,"c.krb5_free_checksum"],TKT_FLG_ANONYMOUS:[8,3,1,""],krb5_cc_support_switch:[494,0,1,"c.krb5_cc_support_switch"],KRB5_KPASSWD_BAD_VERSION:[97,3,1,""],KRB5_CRYPTO_TYPE_EMPTY:[548,3,1,""],CKSUMTYPE_HMAC_SHA256_128_AES128:[873,3,1,""],KRB5_KEYUSAGE_FAST_REP:[747,3,1,""],krb5_init_secure_context:[641,0,1,"c.krb5_init_secure_context"],krb5_get_init_creds_opt_set_anonymous:[725,0,1,"c.krb5_get_init_creds_opt_set_anonymous"],krb5_principal_compare:[265,0,1,"c.krb5_principal_compare"],krb5_finish_random_key:[856,0,1,"c.krb5_finish_random_key"],KRB5_PAC_CLIENT_INFO:[665,3,1,""],krb5_auth_con_setflags:[115,0,1,"c.krb5_auth_con_setflags"],krb5_kt_end_seq_get:[621,0,1,"c.krb5_kt_end_seq_get"],krb5_responder_get_challenge:[242,0,1,"c.krb5_responder_get_challenge"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:[694,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:[539,3,1,""],krb5_auth_con_getkey_k:[915,0,1,"c.krb5_auth_con_getkey_k"],KRB5_INIT_CONTEXT_SECURE:[382,3,1,""],KRB5_LRQ_ALL_LAST_TGT:[440,3,1,""],krb5_get_init_creds_opt_set_canonicalize:[280,0,1,"c.krb5_get_init_creds_opt_set_canonicalize"],krb5_princ_set_realm_data:[231,3,1,""],KRB5_AUTH_CONTEXT_PERMIT_ALL:[858,3,1,""],krb5_pa_svr_referral_data:[304,2,1,"c.krb5_pa_svr_referral_data"],TKT_FLG_INITIAL:[351,3,1,""],KRB5_AUTHDATA_ETYPE_NEGOTIATION:[467,3,1,""],KRB5_AUTH_CONTEXT_DO_TIME:[5,3,1,""],krb5_c_encrypt_length:[182,0,1,"c.krb5_c_encrypt_length"],KRB5_GET_INIT_CREDS_OPT_PROXIABLE:[619,3,1,""],AP_OPTS_RESERVED:[290,3,1,""],krb5_cc_default:[125,0,1,"c.krb5_cc_default"],TKT_FLG_TRANSIT_POLICY_CHECKED:[459,3,1,""],krb5_init_creds_free:[911,0,1,"c.krb5_init_creds_free"],KRB5_GET_INIT_CREDS_OPT_SALT:[607,3,1,""],KRB5_REALM_BRANCH_CHAR:[79,3,1,""],krb5_const_principal:[485,2,1,"c.krb5_const_principal"],krb5_os_localaddr:[875,0,1,"c.krb5_os_localaddr"],krb5_k_encrypt:[114,0,1,"c.krb5_k_encrypt"],krb5_string_to_timestamp:[781,0,1,"c.krb5_string_to_timestamp"],ENCTYPE_ARCFOUR_HMAC_EXP:[295,3,1,""],krb5_cccol_last_change_time:[257,0,1,"c.krb5_cccol_last_change_time"],CKSUMTYPE_MD5_HMAC_ARCFOUR:[236,3,1,""],krb5_tkt_creds_step:[615,0,1,"c.krb5_tkt_creds_step"],KRB5_TC_NOTICKET:[779,3,1,""],krb524_init_ets:[338,3,1,""],AD_TYPE_RESERVED:[780,3,1,""],KDC_OPT_FORWARDED:[175,3,1,""],KRB5_LRQ_ALL_PW_EXPTIME:[785,3,1,""],KRB5_KEYUSAGE_APP_DATA_ENCRYPT:[654,3,1,""],krb5_get_init_creds_opt_get_fast_flags:[817,0,1,"c.krb5_get_init_creds_opt_get_fast_flags"],krb5_error:[457,2,1,"c.krb5_error"],KRB5_KEYUSAGE_PA_SAM_RESPONSE:[213,3,1,""],krb5_responder_pkinit_set_answer:[286,0,1,"c.krb5_responder_pkinit_set_answer"],CKSUMTYPE_CRC32:[301,3,1,""],ADDRTYPE_INET6:[156,3,1,""],KRB5_LRQ_ONE_PW_EXPTIME:[48,3,1,""],KRB5_GC_NO_TRANSIT_CHECK:[241,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:[902,3,1,""],krb5_c_verify_checksum:[444,0,1,"c.krb5_c_verify_checksum"],krb5_rd_error:[903,0,1,"c.krb5_rd_error"],krb5_cc_set_default_name:[818,0,1,"c.krb5_cc_set_default_name"],krb5_recvauth:[695,0,1,"c.krb5_recvauth"],KRB5_TC_MATCH_SRV_NAMEONLY:[870,3,1,""],krb5_auth_con_getkey:[369,0,1,"c.krb5_auth_con_getkey"],KRB5_AUTHDATA_WIN2K_PAC:[498,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:[19,3,1,""],krb5_kt_cursor:[790,2,1,"c.krb5_kt_cursor"],krb5_cryptotype:[717,2,1,"c.krb5_cryptotype"],krb5_mk_priv:[267,0,1,"c.krb5_mk_priv"],ENCTYPE_DSA_SHA1_CMS:[326,3,1,""],CKSUMTYPE_RSA_MD4:[92,3,1,""],KRB5_PADATA_OTP_PIN_CHANGE:[122,3,1,""],TKT_FLG_FORWARDABLE:[335,3,1,""],TKT_FLG_INVALID:[354,3,1,""],KRB5_RESPONDER_QUESTION_OTP:[433,3,1,""],krb5_magic:[490,2,1,"c.krb5_magic"],krb5_get_init_creds_opt_set_salt:[796,0,1,"c.krb5_get_init_creds_opt_set_salt"],ENCTYPE_DES_CBC_RAW:[804,3,1,""],krb5_tkt_creds_free:[62,0,1,"c.krb5_tkt_creds_free"],KRB5_KEYUSAGE_FAST_REQ_CHKSUM:[193,3,1,""],ENCTYPE_CAMELLIA256_CTS_CMAC:[404,3,1,""],krb5_kt_start_seq_get:[40,0,1,"c.krb5_kt_start_seq_get"],krb5_auth_con_getflags:[266,0,1,"c.krb5_auth_con_getflags"],KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:[367,3,1,""],krb5_get_init_creds_opt_set_tkt_life:[520,0,1,"c.krb5_get_init_creds_opt_set_tkt_life"],KRB5_NT_PRINCIPAL:[643,3,1,""],krb5_kvno:[843,2,1,"c.krb5_kvno"],krb5_auth_con_getaddrs:[536,0,1,"c.krb5_auth_con_getaddrs"],ENCTYPE_CAMELLIA128_CTS_CMAC:[246,3,1,""],krb5_cc_set_config:[77,0,1,"c.krb5_cc_set_config"],krb5_chpw_message:[110,0,1,"c.krb5_chpw_message"],krb5_cccol_lock:[112,0,1,"c.krb5_cccol_lock"],KRB5_PADATA_ENC_SANDIA_SECURID:[592,3,1,""],krb5_mk_error:[565,0,1,"c.krb5_mk_error"],krb5_princ_component:[439,3,1,""],krb5_425_conv_principal:[12,0,1,"c.krb5_425_conv_principal"],krb5_unparse_name_flags_ext:[108,0,1,"c.krb5_unparse_name_flags_ext"],KRB5_KEYUSAGE_KRB_CRED_ENCPART:[854,3,1,""],KRB5_PADATA_REFERRAL:[552,3,1,""],TKT_FLG_PROXY:[445,3,1,""],KRB5_LRQ_ONE_LAST_REQ:[187,3,1,""],krb5_free_data:[194,0,1,"c.krb5_free_data"],krb5_int16:[153,2,1,"c.krb5_int16"],krb5_int32:[546,2,1,"c.krb5_int32"],KRB5_PRINCIPAL_COMPARE_ENTERPRISE:[381,3,1,""],krb5_k_reference_key:[103,0,1,"c.krb5_k_reference_key"],KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:[675,3,1,""],KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:[468,3,1,""],krb5_string_to_enctype:[450,0,1,"c.krb5_string_to_enctype"],krb5_init_creds_set_keytab:[412,0,1,"c.krb5_init_creds_set_keytab"],krb5_c_decrypt_iov:[791,0,1,"c.krb5_c_decrypt_iov"],krb5_string_to_deltat:[712,0,1,"c.krb5_string_to_deltat"],krb5_timestamp_to_string:[879,0,1,"c.krb5_timestamp_to_string"],krb5_kt_get_type:[835,0,1,"c.krb5_kt_get_type"],krb5_cc_end_seq_get:[243,0,1,"c.krb5_cc_end_seq_get"],KRB5_CYBERSAFE_SECUREID:[250,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA1_96:[728,3,1,""],krb5_is_referral_realm:[789,0,1,"c.krb5_is_referral_realm"],KRB5_PADATA_PW_SALT:[379,3,1,""],krb5_c_prf_length:[825,0,1,"c.krb5_c_prf_length"],krb5_authdatatype:[299,2,1,"c.krb5_authdatatype"],ENCTYPE_DES3_CBC_ENV:[150,3,1,""],krb5_kdc_req:[34,2,1,"c.krb5_kdc_req"],krb5_kdc_rep:[35,2,1,"c.krb5_kdc_rep"],krb5_get_init_creds_opt_set_fast_ccache:[575,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache"],krb5_gic_opt_pa_data:[878,2,1,"c.krb5_gic_opt_pa_data"],krb5_string_to_cksumtype:[590,0,1,"c.krb5_string_to_cksumtype"],krb5_free_ap_rep_enc_part:[882,0,1,"c.krb5_free_ap_rep_enc_part"],KRB5_ERROR:[238,3,1,""],KRB5_PADATA_USE_SPECIFIED_KVNO:[183,3,1,""],KRB5_LRQ_ONE_LAST_TGT_ISSUED:[668,3,1,""],krb5_auth_con_setsendsubkey_k:[774,0,1,"c.krb5_auth_con_setsendsubkey_k"],KRB5_KEYUSAGE_CAMMAC:[880,3,1,""],krb5_get_init_creds_opt_set_renew_life:[798,0,1,"c.krb5_get_init_creds_opt_set_renew_life"],KRB5_PADATA_ENCRYPTED_CHALLENGE:[438,3,1,""],KRB5_PADATA_SAM_CHALLENGE_2:[391,3,1,""],ENCTYPE_RSA_ES_OAEP_ENV:[775,3,1,""],krb5_read_password:[914,0,1,"c.krb5_read_password"],KRB5_PRINCIPAL_PARSE_ENTERPRISE:[469,3,1,""],krb5_prepend_error_message:[211,0,1,"c.krb5_prepend_error_message"],krb5_appdefault_string:[428,0,1,"c.krb5_appdefault_string"],KRB5_PAC_LOGON_INFO:[538,3,1,""],KRB5_INT16_MAX:[806,3,1,""],KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:[66,3,1,""],krb5_cc_remove_cred:[65,0,1,"c.krb5_cc_remove_cred"],KRB5_KEYUSAGE_APP_DATA_CKSUM:[545,3,1,""],KDC_OPT_FORWARDABLE:[720,3,1,""],LR_TYPE_INTERPRETATION_MASK:[888,3,1,""],krb5_build_principal:[535,0,1,"c.krb5_build_principal"],krb5_524_conv_principal:[217,0,1,"c.krb5_524_conv_principal"],krb5_copy_keyblock:[111,0,1,"c.krb5_copy_keyblock"],krb5_pac_get_buffer:[420,0,1,"c.krb5_pac_get_buffer"],KRB5_RECVAUTH_SKIP_VERSION:[696,3,1,""],KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:[864,3,1,""],krb5_tkt_creds_init:[739,0,1,"c.krb5_tkt_creds_init"],krb5_c_prf:[876,0,1,"c.krb5_c_prf"],KRB5_PRINCIPAL_UNPARSE_NO_REALM:[212,3,1,""],krb5_get_init_creds_opt_set_etype_list:[55,0,1,"c.krb5_get_init_creds_opt_set_etype_list"],krb5_get_prompt_types:[591,0,1,"c.krb5_get_prompt_types"],KRB5_ANONYMOUS_PRINCSTR:[14,3,1,""],KRB5_GC_CONSTRAINED_DELEGATION:[430,3,1,""],KRB5_PADATA_PKINIT_KX:[263,3,1,""],krb5_524_convert_creds:[345,0,1,"c.krb5_524_convert_creds"],krb5_auth_con_genaddrs:[256,0,1,"c.krb5_auth_con_genaddrs"],KRB5_KPASSWD_SUCCESS:[599,3,1,""],krb5_ui_2:[810,2,1,"c.krb5_ui_2"],krb5_free_default_realm:[120,0,1,"c.krb5_free_default_realm"],krb5_get_credentials_renew:[307,0,1,"c.krb5_get_credentials_renew"],KRB5_SAM_MUST_PK_ENCRYPT_SAD:[905,3,1,""],KRB5_CRYPTO_TYPE_CHECKSUM:[253,3,1,""],krb5_mk_1cred:[522,0,1,"c.krb5_mk_1cred"],krb5_get_init_creds_password:[606,0,1,"c.krb5_get_init_creds_password"],KRB5_GC_FORWARDABLE:[561,3,1,""],krb5_pac:[54,2,1,"c.krb5_pac"],krb5_msgtype:[101,2,1,"c.krb5_msgtype"],KRB5_LRQ_ONE_ACCT_EXPTIME:[616,3,1,""],krb5_c_valid_enctype:[871,0,1,"c.krb5_c_valid_enctype"],SALT_TYPE_NO_LENGTH:[612,3,1,""],KRB5_LRQ_ONE_LAST_INITIAL:[169,3,1,""],KRB5_KEYUSAGE_TGS_REQ_AUTH:[782,3,1,""],krb5_recvauth_version:[234,0,1,"c.krb5_recvauth_version"],krb5_mk_rep_dce:[384,0,1,"c.krb5_mk_rep_dce"],KRB5_REFERRAL_REALM:[678,3,1,""],krb5_pre_send_fn:[59,2,1,"c.krb5_pre_send_fn"],KRB5_KPASSWD_INITIAL_FLAG_NEEDED:[239,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA256_128:[529,3,1,""],krb5_vset_error_message:[331,0,1,"c.krb5_vset_error_message"],KRB5_LRQ_ALL_LAST_REQ:[388,3,1,""],KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:[127,3,1,""],krb5_pac_get_types:[148,0,1,"c.krb5_pac_get_types"],KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:[834,3,1,""],krb5_auth_con_setrecvsubkey:[322,0,1,"c.krb5_auth_con_setrecvsubkey"],krb5_set_error_message:[240,0,1,"c.krb5_set_error_message"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:[768,3,1,""],KRB5_RECVAUTH_BADAUTHVERS:[867,3,1,""],KRB5_PADATA_GET_FROM_TYPED_DATA:[523,3,1,""],krb5_auth_con_getsendsubkey:[736,0,1,"c.krb5_auth_con_getsendsubkey"],krb5_free_data_contents:[842,0,1,"c.krb5_free_data_contents"],KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:[426,3,1,""],KRB5_KEYUSAGE_AS_REP_ENCPART:[347,3,1,""],krb5_cc_cache_match:[88,0,1,"c.krb5_cc_cache_match"],krb5_typed_data:[647,2,1,"c.krb5_typed_data"],krb5_free_error_message:[397,0,1,"c.krb5_free_error_message"],krb5_c_random_add_entropy:[377,0,1,"c.krb5_c_random_add_entropy"],krb5_free_creds:[666,0,1,"c.krb5_free_creds"],KRB5_NT_UNKNOWN:[813,3,1,""],AP_OPTS_MUTUAL_REQUIRED:[822,3,1,""],ENCTYPE_RSA_ENV:[416,3,1,""],krb5_auth_con_setuseruserkey:[11,0,1,"c.krb5_auth_con_setuseruserkey"],krb5_data:[596,2,1,"c.krb5_data"],KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:[117,3,1,""],KRB5_AUTHDATA_FX_ARMOR:[87,3,1,""],KRB5_PADATA_SAM_RESPONSE_2:[542,3,1,""],KRB5_TC_MATCH_2ND_TKT:[327,3,1,""],krb5_c_block_size:[365,0,1,"c.krb5_c_block_size"],KRB5_PADATA_PK_AS_REP_OLD:[332,3,1,""],ENCTYPE_MD5_RSA_CMS:[195,3,1,""],KRB5_PADATA_FOR_USER:[573,3,1,""],krb5_responder_pkinit_challenge_free:[269,0,1,"c.krb5_responder_pkinit_challenge_free"],krb5_auth_con_getremotesubkey:[179,0,1,"c.krb5_auth_con_getremotesubkey"],krb5_address_order:[287,0,1,"c.krb5_address_order"],krb5_set_default_tgs_enctypes:[137,0,1,"c.krb5_set_default_tgs_enctypes"],krb5_kt_resolve:[249,0,1,"c.krb5_kt_resolve"],KRB5_PADATA_SAM_CHALLENGE:[564,3,1,""],krb5_tkt_authent:[837,2,1,"c.krb5_tkt_authent"],krb5_princ_size:[702,3,1,""],krb5_trace_info:[31,2,1,"c.krb5_trace_info"],krb5_rd_rep:[569,0,1,"c.krb5_rd_rep"],krb5_cc_get_type:[3,0,1,"c.krb5_cc_get_type"],KRB5_PADATA_OSF_DCE:[43,3,1,""],KRB5_NT_MS_PRINCIPAL_AND_ID:[691,3,1,""],KDC_OPT_RENEW:[315,3,1,""],KRB5_PADATA_FX_ERROR:[225,3,1,""],KRB5_LRQ_ALL_LAST_RENEWAL:[506,3,1,""],ADDRTYPE_CHAOS:[786,3,1,""],krb5_copy_ticket:[102,0,1,"c.krb5_copy_ticket"],krb5_pac_init:[718,0,1,"c.krb5_pac_init"],krb5_parse_name:[672,0,1,"c.krb5_parse_name"],krb5_copy_principal:[726,0,1,"c.krb5_copy_principal"],KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:[751,3,1,""],KRB5_TC_MATCH_TIMES_EXACT:[763,3,1,""],krb5_enc_tkt_part:[826,2,1,"c.krb5_enc_tkt_part"],krb5_mk_safe:[832,0,1,"c.krb5_mk_safe"],KRB5_KEYUSAGE_FAST_FINISHED:[255,3,1,""],krb5_check_clockskew:[502,0,1,"c.krb5_check_clockskew"],KRB5_AUTHDATA_CAMMAC:[42,3,1,""],KRB5_KEYUSAGE_AP_REQ_AUTH:[366,3,1,""],KRB5_TC_OPENCLOSE:[268,3,1,""],krb5_pac_add_buffer:[595,0,1,"c.krb5_pac_add_buffer"],krb5_get_credentials_validate:[697,0,1,"c.krb5_get_credentials_validate"],krb5_init_context:[862,0,1,"c.krb5_init_context"],krb5_cc_new_unique:[671,0,1,"c.krb5_cc_new_unique"],krb5_kt_default:[415,0,1,"c.krb5_kt_default"],krb5_is_thread_safe:[912,0,1,"c.krb5_is_thread_safe"],krb5_cc_resolve:[620,0,1,"c.krb5_cc_resolve"],krb5_rd_cred:[254,0,1,"c.krb5_rd_cred"],krb5_decrypt:[222,0,1,"c.krb5_decrypt"],krb5_xc:[741,3,1,""],ADDRTYPE_DDP:[487,3,1,""],krb5_c_enctype_compare:[411,0,1,"c.krb5_c_enctype_compare"],krb5_c_verify_checksum_iov:[247,0,1,"c.krb5_c_verify_checksum_iov"],krb5_get_init_creds_opt_set_forwardable:[537,0,1,"c.krb5_get_init_creds_opt_set_forwardable"],krb5_get_init_creds_keytab:[841,0,1,"c.krb5_get_init_creds_keytab"],CKSUMTYPE_RSA_MD5:[93,3,1,""],KRB5_NT_X500_PRINCIPAL:[492,3,1,""],KDC_OPT_RENEWABLE_OK:[861,3,1,""],krb5_auth_con_getremoteseqnumber:[312,0,1,"c.krb5_auth_con_getremoteseqnumber"],KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:[233,3,1,""],krb5_free_unparsed_name:[557,0,1,"c.krb5_free_unparsed_name"],krb5_k_decrypt:[39,0,1,"c.krb5_k_decrypt"],krb5_cc_get_name:[708,0,1,"c.krb5_cc_get_name"],krb5_c_encrypt_iov:[131,0,1,"c.krb5_c_encrypt_iov"],krb5_deltat_to_string:[164,0,1,"c.krb5_deltat_to_string"],krb5_copy_authenticator:[507,0,1,"c.krb5_copy_authenticator"],krb5_vprepend_error_message:[811,0,1,"c.krb5_vprepend_error_message"],krb5_get_time_offsets:[279,0,1,"c.krb5_get_time_offsets"],KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:[325,3,1,""],krb5_parse_name_flags:[632,0,1,"c.krb5_parse_name_flags"],KRB5_KEYUSAGE_IAKERB_FINISHED:[477,3,1,""],krb5_cc_get_full_name:[509,0,1,"c.krb5_cc_get_full_name"],krb5_init_context_profile:[737,0,1,"c.krb5_init_context_profile"],KRB5_KEYUSAGE_AD_MTE:[99,3,1,""],krb5_c_string_to_key_with_params:[603,0,1,"c.krb5_c_string_to_key_with_params"],krb5_response:[583,2,1,"c.krb5_response"],krb5_get_init_creds_opt_set_change_password_prompt:[743,0,1,"c.krb5_get_init_creds_opt_set_change_password_prompt"],KRB5_PADATA_AS_CHECKSUM:[777,3,1,""],krb5_free_context:[624,0,1,"c.krb5_free_context"],krb5_auth_con_init:[745,0,1,"c.krb5_auth_con_init"],ENCTYPE_ARCFOUR_HMAC:[337,3,1,""],krb5_pac_free:[688,0,1,"c.krb5_pac_free"],krb5_set_password_using_ccache:[890,0,1,"c.krb5_set_password_using_ccache"],AP_OPTS_USE_SUBKEY:[46,3,1,""],krb5_free_error:[168,0,1,"c.krb5_free_error"],krb5_c_crypto_length_iov:[149,0,1,"c.krb5_c_crypto_length_iov"],KRB5_INIT_CONTEXT_KDC:[448,3,1,""],VALID_UINT_BITS:[392,3,1,""],krb5_free_tgt_creds:[320,0,1,"c.krb5_free_tgt_creds"],krb5_get_default_realm:[308,0,1,"c.krb5_get_default_realm"],krb5_cred_info:[544,2,1,"c.krb5_cred_info"],krb5_c_random_to_key:[298,0,1,"c.krb5_c_random_to_key"],KRB5_NT_MS_PRINCIPAL:[851,3,1,""],TKT_FLG_RENEWABLE:[333,3,1,""],krb5_pac_sign:[765,0,1,"c.krb5_pac_sign"],KRB5_PADATA_S4U_X509_USER:[805,3,1,""],KRB5_TGS_REQ:[76,3,1,""],KRB5_TGS_REP:[75,3,1,""],KRB5_PROMPT_TYPE_PREAUTH:[296,3,1,""],krb5_k_prf:[648,0,1,"c.krb5_k_prf"],krb5_kt_read_service_key:[730,0,1,"c.krb5_kt_read_service_key"],krb5_octet:[923,2,1,"c.krb5_octet"],krb5_principal_compare_flags:[511,0,1,"c.krb5_principal_compare_flags"],krb5_get_init_creds_opt_set_expire_callback:[907,0,1,"c.krb5_get_init_creds_opt_set_expire_callback"],krb5_k_free_key:[845,0,1,"c.krb5_k_free_key"],krb5_kt_next_entry:[803,0,1,"c.krb5_kt_next_entry"],krb5_free_keyblock:[94,0,1,"c.krb5_free_keyblock"],KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:[682,3,1,""],krb5_get_credentials:[30,0,1,"c.krb5_get_credentials"],krb5_decode_authdata_container:[291,0,1,"c.krb5_decode_authdata_container"],KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:[68,3,1,""],AD_TYPE_FIELD_TYPE_MASK:[618,3,1,""],krb5_cc_set_flags:[916,0,1,"c.krb5_cc_set_flags"],krb5_cc_next_cred:[610,0,1,"c.krb5_cc_next_cred"],krb5_principal2salt:[429,0,1,"c.krb5_principal2salt"],krb5_c_prfplus:[346,0,1,"c.krb5_c_prfplus"],krb5_responder_pkinit_challenge:[319,2,1,"c.krb5_responder_pkinit_challenge"],krb5_context:[630,2,1,"c.krb5_context"],KRB5_KEYUSAGE_PA_OTP_REQUEST:[750,3,1,""],krb5_kt_add_entry:[395,0,1,"c.krb5_kt_add_entry"],KRB5_KEYUSAGE_AP_REP_ENCPART:[589,3,1,""]},krb5_responder_pkinit_identity:{token_flags:[771,1,1,"c.krb5_responder_pkinit_identity.token_flags"],identity:[771,1,1,"c.krb5_responder_pkinit_identity.identity"]},krb5_kdc_req:{rtime:[34,1,1,"c.krb5_kdc_req.rtime"],nonce:[34,1,1,"c.krb5_kdc_req.nonce"],authorization_data:[34,1,1,"c.krb5_kdc_req.authorization_data"],addresses:[34,1,1,"c.krb5_kdc_req.addresses"],msg_type:[34,1,1,"c.krb5_kdc_req.msg_type"],from:[34,1,1,"c.krb5_kdc_req.from"],kdc_options:[34,1,1,"c.krb5_kdc_req.kdc_options"],unenc_authdata:[34,1,1,"c.krb5_kdc_req.unenc_authdata"],server:[34,1,1,"c.krb5_kdc_req.server"],nktypes:[34,1,1,"c.krb5_kdc_req.nktypes"],till:[34,1,1,"c.krb5_kdc_req.till"],client:[34,1,1,"c.krb5_kdc_req.client"],second_ticket:[34,1,1,"c.krb5_kdc_req.second_ticket"],ktype:[34,1,1,"c.krb5_kdc_req.ktype"],magic:[34,1,1,"c.krb5_kdc_req.magic"],padata:[34,1,1,"c.krb5_kdc_req.padata"]},krb5_kdc_rep:{magic:[35,1,1,"c.krb5_kdc_rep.magic"],msg_type:[35,1,1,"c.krb5_kdc_rep.msg_type"],enc_part2:[35,1,1,"c.krb5_kdc_rep.enc_part2"],padata:[35,1,1,"c.krb5_kdc_rep.padata"],client:[35,1,1,"c.krb5_kdc_rep.client"],ticket:[35,1,1,"c.krb5_kdc_rep.ticket"],enc_part:[35,1,1,"c.krb5_kdc_rep.enc_part"]},krb5_gic_opt_pa_data:{attr:[878,1,1,"c.krb5_gic_opt_pa_data.attr"],value:[878,1,1,"c.krb5_gic_opt_pa_data.value"]},krb5_tkt_authent:{authenticator:[837,1,1,"c.krb5_tkt_authent.authenticator"],ticket:[837,1,1,"c.krb5_tkt_authent.ticket"],magic:[837,1,1,"c.krb5_tkt_authent.magic"],ap_options:[837,1,1,"c.krb5_tkt_authent.ap_options"]},krb5_keytab_entry:{vno:[847,1,1,"c.krb5_keytab_entry.vno"],timestamp:[847,1,1,"c.krb5_keytab_entry.timestamp"],magic:[847,1,1,"c.krb5_keytab_entry.magic"],key:[847,1,1,"c.krb5_keytab_entry.key"],principal:[847,1,1,"c.krb5_keytab_entry.principal"]},krb5_get_init_creds_opt:{proxiable:[829,1,1,"c.krb5_get_init_creds_opt.proxiable"],forwardable:[829,1,1,"c.krb5_get_init_creds_opt.forwardable"],preauth_list_length:[829,1,1,"c.krb5_get_init_creds_opt.preauth_list_length"],renew_life:[829,1,1,"c.krb5_get_init_creds_opt.renew_life"],tkt_life:[829,1,1,"c.krb5_get_init_creds_opt.tkt_life"],flags:[829,1,1,"c.krb5_get_init_creds_opt.flags"],preauth_list:[829,1,1,"c.krb5_get_init_creds_opt.preauth_list"],etype_list:[829,1,1,"c.krb5_get_init_creds_opt.etype_list"],salt:[829,1,1,"c.krb5_get_init_creds_opt.salt"],etype_list_length:[829,1,1,"c.krb5_get_init_creds_opt.etype_list_length"],address_list:[829,1,1,"c.krb5_get_init_creds_opt.address_list"]},krb5_const_principal:{type:[485,1,1,"c.krb5_const_principal.type"],length:[485,1,1,"c.krb5_const_principal.length"],magic:[485,1,1,"c.krb5_const_principal.magic"],realm:[485,1,1,"c.krb5_const_principal.realm"],data:[485,1,1,"c.krb5_const_principal.data"]},krb5_pa_pac_req:{include_pac:[767,1,1,"c.krb5_pa_pac_req.include_pac"]},krb5_responder_otp_tokeninfo:{vendor:[897,1,1,"c.krb5_responder_otp_tokeninfo.vendor"],format:[897,1,1,"c.krb5_responder_otp_tokeninfo.format"],challenge:[897,1,1,"c.krb5_responder_otp_tokeninfo.challenge"],length:[897,1,1,"c.krb5_responder_otp_tokeninfo.length"],flags:[897,1,1,"c.krb5_responder_otp_tokeninfo.flags"],token_id:[897,1,1,"c.krb5_responder_otp_tokeninfo.token_id"],alg_id:[897,1,1,"c.krb5_responder_otp_tokeninfo.alg_id"]},krb5_enc_data:{ciphertext:[370,1,1,"c.krb5_enc_data.ciphertext"],magic:[370,1,1,"c.krb5_enc_data.magic"],kvno:[370,1,1,"c.krb5_enc_data.kvno"],enctype:[370,1,1,"c.krb5_enc_data.enctype"]},krb5_cred:{tickets:[336,1,1,"c.krb5_cred.tickets"],magic:[336,1,1,"c.krb5_cred.magic"],enc_part:[336,1,1,"c.krb5_cred.enc_part"],enc_part2:[336,1,1,"c.krb5_cred.enc_part2"]},krb5_pa_data:{length:[635,1,1,"c.krb5_pa_data.length"],pa_type:[635,1,1,"c.krb5_pa_data.pa_type"],magic:[635,1,1,"c.krb5_pa_data.magic"],contents:[635,1,1,"c.krb5_pa_data.contents"]},krb5_address:{addrtype:[499,1,1,"c.krb5_address.addrtype"],length:[499,1,1,"c.krb5_address.length"],magic:[499,1,1,"c.krb5_address.magic"],contents:[499,1,1,"c.krb5_address.contents"]},krb5_response:{magic:[583,1,1,"c.krb5_response.magic"],message_type:[583,1,1,"c.krb5_response.message_type"],response:[583,1,1,"c.krb5_response.response"],expected_nonce:[583,1,1,"c.krb5_response.expected_nonce"],request_time:[583,1,1,"c.krb5_response.request_time"]},krb5_authenticator:{magic:[727,1,1,"c.krb5_authenticator.magic"],ctime:[727,1,1,"c.krb5_authenticator.ctime"],checksum:[727,1,1,"c.krb5_authenticator.checksum"],seq_number:[727,1,1,"c.krb5_authenticator.seq_number"],client:[727,1,1,"c.krb5_authenticator.client"],subkey:[727,1,1,"c.krb5_authenticator.subkey"],cusec:[727,1,1,"c.krb5_authenticator.cusec"],authorization_data:[727,1,1,"c.krb5_authenticator.authorization_data"]},krb5_pa_server_referral_data:{true_principal_name:[220,1,1,"c.krb5_pa_server_referral_data.true_principal_name"],requested_principal_name:[220,1,1,"c.krb5_pa_server_referral_data.requested_principal_name"],referral_valid_until:[220,1,1,"c.krb5_pa_server_referral_data.referral_valid_until"],rep_cksum:[220,1,1,"c.krb5_pa_server_referral_data.rep_cksum"],referred_realm:[220,1,1,"c.krb5_pa_server_referral_data.referred_realm"]},krb5_transited:{tr_contents:[496,1,1,"c.krb5_transited.tr_contents"],tr_type:[496,1,1,"c.krb5_transited.tr_type"],magic:[496,1,1,"c.krb5_transited.magic"]},krb5_pwd_data:{sequence_count:[443,1,1,"c.krb5_pwd_data.sequence_count"],magic:[443,1,1,"c.krb5_pwd_data.magic"],element:[443,1,1,"c.krb5_pwd_data.element"]},krb5_error:{magic:[457,1,1,"c.krb5_error.magic"],ctime:[457,1,1,"c.krb5_error.ctime"],susec:[457,1,1,"c.krb5_error.susec"],text:[457,1,1,"c.krb5_error.text"],e_data:[457,1,1,"c.krb5_error.e_data"],server:[457,1,1,"c.krb5_error.server"],client:[457,1,1,"c.krb5_error.client"],stime:[457,1,1,"c.krb5_error.stime"],cusec:[457,1,1,"c.krb5_error.cusec"],error:[457,1,1,"c.krb5_error.error"]},krb5_principal:{data:[900,1,1,"c.krb5_principal.data"],length:[900,1,1,"c.krb5_principal.length"],magic:[900,1,1,"c.krb5_principal.magic"],realm:[900,1,1,"c.krb5_principal.realm"],type:[900,1,1,"c.krb5_principal.type"]},krb5_last_req_entry:{lr_type:[503,1,1,"c.krb5_last_req_entry.lr_type"],magic:[503,1,1,"c.krb5_last_req_entry.magic"],value:[503,1,1,"c.krb5_last_req_entry.value"]},krb5_enc_tkt_part:{caddrs:[826,1,1,"c.krb5_enc_tkt_part.caddrs"],magic:[826,1,1,"c.krb5_enc_tkt_part.magic"],transited:[826,1,1,"c.krb5_enc_tkt_part.transited"],times:[826,1,1,"c.krb5_enc_tkt_part.times"],session:[826,1,1,"c.krb5_enc_tkt_part.session"],flags:[826,1,1,"c.krb5_enc_tkt_part.flags"],client:[826,1,1,"c.krb5_enc_tkt_part.client"],authorization_data:[826,1,1,"c.krb5_enc_tkt_part.authorization_data"]},krb5_cred_info:{caddrs:[544,1,1,"c.krb5_cred_info.caddrs"],magic:[544,1,1,"c.krb5_cred_info.magic"],times:[544,1,1,"c.krb5_cred_info.times"],session:[544,1,1,"c.krb5_cred_info.session"],flags:[544,1,1,"c.krb5_cred_info.flags"],client:[544,1,1,"c.krb5_cred_info.client"],server:[544,1,1,"c.krb5_cred_info.server"]},krb5_keyblock:{length:[525,1,1,"c.krb5_keyblock.length"],magic:[525,1,1,"c.krb5_keyblock.magic"],contents:[525,1,1,"c.krb5_keyblock.contents"],enctype:[525,1,1,"c.krb5_keyblock.enctype"]},krb5_replay_data:{timestamp:[29,1,1,"c.krb5_replay_data.timestamp"],usec:[29,1,1,"c.krb5_replay_data.usec"],seq:[29,1,1,"c.krb5_replay_data.seq"]},krb5_authdata:{length:[360,1,1,"c.krb5_authdata.length"],magic:[360,1,1,"c.krb5_authdata.magic"],ad_type:[360,1,1,"c.krb5_authdata.ad_type"],contents:[360,1,1,"c.krb5_authdata.contents"]},krb5_typed_data:{data:[647,1,1,"c.krb5_typed_data.data"],length:[647,1,1,"c.krb5_typed_data.length"],magic:[647,1,1,"c.krb5_typed_data.magic"],type:[647,1,1,"c.krb5_typed_data.type"]},krb5_ticket_times:{endtime:[660,1,1,"c.krb5_ticket_times.endtime"],renew_till:[660,1,1,"c.krb5_ticket_times.renew_till"],starttime:[660,1,1,"c.krb5_ticket_times.starttime"],authtime:[660,1,1,"c.krb5_ticket_times.authtime"]},krb5_ap_req:{authenticator:[259,1,1,"c.krb5_ap_req.authenticator"],ticket:[259,1,1,"c.krb5_ap_req.ticket"],magic:[259,1,1,"c.krb5_ap_req.magic"],ap_options:[259,1,1,"c.krb5_ap_req.ap_options"]},krb5_ap_rep:{enc_part:[636,1,1,"c.krb5_ap_rep.enc_part"],magic:[636,1,1,"c.krb5_ap_rep.magic"]},krb5_verify_init_creds_opt:{flags:[6,1,1,"c.krb5_verify_init_creds_opt.flags"],ap_req_nofail:[6,1,1,"c.krb5_verify_init_creds_opt.ap_req_nofail"]},krb5_ticket:{enc_part:[309,1,1,"c.krb5_ticket.enc_part"],server:[309,1,1,"c.krb5_ticket.server"],magic:[309,1,1,"c.krb5_ticket.magic"],enc_part2:[309,1,1,"c.krb5_ticket.enc_part2"]},krb5_cred_enc_part:{nonce:[189,1,1,"c.krb5_cred_enc_part.nonce"],magic:[189,1,1,"c.krb5_cred_enc_part.magic"],s_address:[189,1,1,"c.krb5_cred_enc_part.s_address"],ticket_info:[189,1,1,"c.krb5_cred_enc_part.ticket_info"],timestamp:[189,1,1,"c.krb5_cred_enc_part.timestamp"],usec:[189,1,1,"c.krb5_cred_enc_part.usec"],r_address:[189,1,1,"c.krb5_cred_enc_part.r_address"]},krb5_trace_info:{message:[31,1,1,"c.krb5_trace_info.message"]},passwd_phrase_element:{passwd:[889,1,1,"c.passwd_phrase_element.passwd"],phrase:[889,1,1,"c.passwd_phrase_element.phrase"],magic:[889,1,1,"c.passwd_phrase_element.magic"]},krb5_crypto_iov:{data:[924,1,1,"c.krb5_crypto_iov.data"],flags:[924,1,1,"c.krb5_crypto_iov.flags"]},krb5_data:{data:[596,1,1,"c.krb5_data.data"],length:[596,1,1,"c.krb5_data.length"],magic:[596,1,1,"c.krb5_data.magic"]},krb5_enc_kdc_rep_part:{nonce:[324,1,1,"c.krb5_enc_kdc_rep_part.nonce"],caddrs:[324,1,1,"c.krb5_enc_kdc_rep_part.caddrs"],magic:[324,1,1,"c.krb5_enc_kdc_rep_part.magic"],msg_type:[324,1,1,"c.krb5_enc_kdc_rep_part.msg_type"],last_req:[324,1,1,"c.krb5_enc_kdc_rep_part.last_req"],times:[324,1,1,"c.krb5_enc_kdc_rep_part.times"],key_exp:[324,1,1,"c.krb5_enc_kdc_rep_part.key_exp"],session:[324,1,1,"c.krb5_enc_kdc_rep_part.session"],flags:[324,1,1,"c.krb5_enc_kdc_rep_part.flags"],server:[324,1,1,"c.krb5_enc_kdc_rep_part.server"],enc_padata:[324,1,1,"c.krb5_enc_kdc_rep_part.enc_padata"]},krb5_encrypt_block:{crypto_entry:[755,1,1,"c.krb5_encrypt_block.crypto_entry"],magic:[755,1,1,"c.krb5_encrypt_block.magic"],key:[755,1,1,"c.krb5_encrypt_block.key"]},krb5_prompt:{reply:[139,1,1,"c.krb5_prompt.reply"],hidden:[139,1,1,"c.krb5_prompt.hidden"],prompt:[139,1,1,"c.krb5_prompt.prompt"]},krb5_checksum:{checksum_type:[154,1,1,"c.krb5_checksum.checksum_type"],length:[154,1,1,"c.krb5_checksum.length"],magic:[154,1,1,"c.krb5_checksum.magic"],contents:[154,1,1,"c.krb5_checksum.contents"]},krb5_principal_data:{realm:[425,1,1,"c.krb5_principal_data.realm"],length:[425,1,1,"c.krb5_principal_data.length"],magic:[425,1,1,"c.krb5_principal_data.magic"],data:[425,1,1,"c.krb5_principal_data.data"],type:[425,1,1,"c.krb5_principal_data.type"]},krb5_responder_pkinit_challenge:{identities:[319,1,1,"c.krb5_responder_pkinit_challenge.identities"]},krb5_responder_otp_challenge:{tokeninfo:[514,1,1,"c.krb5_responder_otp_challenge.tokeninfo"],service:[514,1,1,"c.krb5_responder_otp_challenge.service"]},krb5_creds:{authdata:[793,1,1,"c.krb5_creds.authdata"],magic:[793,1,1,"c.krb5_creds.magic"],addresses:[793,1,1,"c.krb5_creds.addresses"],keyblock:[793,1,1,"c.krb5_creds.keyblock"],server:[793,1,1,"c.krb5_creds.server"],client:[793,1,1,"c.krb5_creds.client"],ticket_flags:[793,1,1,"c.krb5_creds.ticket_flags"],second_ticket:[793,1,1,"c.krb5_creds.second_ticket"],is_skey:[793,1,1,"c.krb5_creds.is_skey"],ticket:[793,1,1,"c.krb5_creds.ticket"],times:[793,1,1,"c.krb5_creds.times"]},krb5_pa_svr_referral_data:{principal:[304,1,1,"c.krb5_pa_svr_referral_data.principal"]},krb5_ap_rep_enc_part:{seq_number:[904,1,1,"c.krb5_ap_rep_enc_part.seq_number"],magic:[904,1,1,"c.krb5_ap_rep_enc_part.magic"],subkey:[904,1,1,"c.krb5_ap_rep_enc_part.subkey"],cusec:[904,1,1,"c.krb5_ap_rep_enc_part.cusec"],ctime:[904,1,1,"c.krb5_ap_rep_enc_part.ctime"]}},titleterms:{libdefault:812,entropi:[377,639],kdc_tkt_common_mask:824,krb5_auth_con_setflag:115,prefix:[38,140,811,211],consider:208,krb5_free_str:264,krb5_cc_get_config:524,krb5_sname_match:18,heimdal:449,krb5_free_ticket:144,krb5_get_init_creds_opt_set_pa:81,krb5_build_principal_ext:453,everi:133,kadmin:[70,44],kvno:646,krb5_responder_context:527,krb5_get_init_creds_opt_set_canonic:280,sclient:518,verif:[572,147,204,119],krb5_principal_compare_enterpris:381,direct:853,krb5_auth_con_setrcach:543,krb5_enc_data:370,krb5_nt_ms_princip:851,krb5_address_search:399,krb5_auth_con_setaddr:693,krb5_auth_con_setrecvsubkey_k:699,krb5_get_init_creds_opt_set_renew_lif:798,"new":[628,107,395,671,901,197,437],krb5_kt_remove_entri:158,manipul:731,krb5_auth_context_do_tim:5,krb5_cc_gen_new:681,path:28,krb5_tgs_name:567,acceptor:17,krb5_keyusage_app_data_cksum:545,krb5_verify_authdata_kdc_issu:373,krb5_set_default_tgs_enctyp:137,krb5_get_init_creds_opt_set_fast_ccach:575,cksumtype_hmac_sha1_96_aes128:578,permit:105,krb5_chpw_messag:110,krb5_boolean:454,kdc_opt_cname_in_addl_tkt:198,krb5_enctype_to_nam:171,unix:[28,100,792],subkei:[774,406,322,483,699,736,921,653],krb5_responder_otp_flags_nextotp:83,call:181,krb5_sam_must_pk_encrypt_sad:905,type:[450,3,105,551,614,671,494,674,55,171,10,510,591,411,452,17,248,73,22,358,690,644,584,27,590,137,708,835,756,597,871,432,272,36,208,435,147,148,91,825],krb5_expire_callback_func:278,krb5_c_derive_prfplu:349,restor:44,setup:434,work:794,krb5_verify_init_creds_opt_init:204,krb5_get_server_rcach:586,overrid:[344,920,473],krb5_responder_pkinit_flags_token_user_pin_lock:232,kpasswd:25,krb5_lrq_one_pw_exptim:48,indic:321,end:515,krb5_padata_pk_as_req:637,cksumtype_rsa_md5:93,cksumtype_rsa_md4:92,krb5_string_to_cksumtyp:590,how:126,answer:[235,286,831],verifi:[521,373,871,631,519,258,510,444],enctype_des3_cbc_sha1:677,krb5_auth_con_getflag:266,updat:[44,126],krb5_tc_match_flag:177,krb5_const:663,krb5_gc_forward:561,krb5_cryptotyp:717,sserver:814,krb5_cc_last_change_tim:237,opaqu:[820,114,759,600,744,631,39,385,648],credenti:[3,229,494,77,243,463,17,686,257,698,671,703,706,708,491,716,280,725,732,55,509,738,739,743,65,1,517,74,753,519,520,521,522,761,81,323,88,532,537,146,163,191,796,237,798,107,340,112,556,342,345,827,320,352,125,572,357,859,817,575,818,823,412,620,133,371,841,147,606,610,611,614,393,860,400,524,185,417,890,787,644,421,422,245,204,907,205,407,735,911,684,916,447],receiv:[167,406,699,653,322],environ:[562,918,63,452,273,132,566,646,386,45,640],krb5_prompt:139,krb5_kt_resolv:249,order:287,over:684,krb5_free_checksum_cont:486,privileg:[718,44],keyboard:914,krb5_parse_name_flag:632,krb5_responder_set_answ:235,tkt_flg_initi:351,krb5_keyusage_tgs_req_ad_sesskei:472,s4u:17,krb5_deltat:676,create_polici:484,krb5_sendauth:[168,642],krb5_auth_con_genaddr:256,cred:[522,732,254,318],krb5_get_init_creds_opt_set_tkt_lif:520,ccselect:[812,698],safe:[821,832],krb5_c_checksum_length:674,krb5_cc_lock:205,krb5_tc_match_tim:375,krb5_c_is_coll_proof_cksum:584,lockout:434,each:895,krb5_safe:534,cksumtype_hmac_md5_arcfour:64,krb5_principal_compare_ignore_realm:760,kdc_opt_renewable_ok:861,krb5_pa_pac_req:767,krb5_responder_pkinit_challeng:319,krb5_init_creds_get_error:74,content:[89,228,476,276,26,801,328,842,734,486],krb5_free_host_realm:277,krb5_init_context_kdc:448,krb5_wellknown_namestr:86,free:[722,557,194,166,801,555,842,397,277,342,62,120,624,178,407,300,409,882,22,348,688,320,264,144,486,269,89,435,276,911,94,168,845,666,157],krb5_trace_info:31,krb5_pac_delegation_info:161,renew:[703,798],krb5_padata_for_us:573,onto:493,krb5_mk_rep:364,krb5_mk_req:363,krb5_authdata_cammac:42,restrict:371,hook:[167,623,223],instruct:437,klist:[562,104],primari:352,krb5_get_fallback_host_realm:656,krb5_auth_con_initivector:869,krb5_prompter_posix:848,krb5_524_conv_princip:217,krb5_kt_get_entri:711,master:[44,73,895],krb5_realm_compar:130,krb5_c_random_os_entropi:639,krb5_keyusage_pa_s4u_x509_user_repli:325,krb5_cc_copy_cr:146,tool:614,krb5_tc_supported_ktyp:802,target:437,krb5_c_encrypt:840,krb5_get_init_creds_opt_proxi:619,krb5_address_compar:394,tree:203,krb5_pac_server_checksum:884,cksumtype_hmac_sha1_96_aes256:96,krb5_checksum:[348,154,658,486],krb5_flag:481,krb5_encrypt_block:755,provis:473,krb5_padata_otp_pin_chang:122,increment:[44,103,895],seen:147,krb5_replay_data:29,krb5_responder_otp_flags_collect_pin:902,realm:[49,130,292,662,812,368,44,881,308,687,344,10,493,120],cksumtype_descbc:414,krb5_set_principal_realm:881,krb5_copy_address:723,krb5_init_keyblock:316,krb5_cc_end_seq_get:243,object:[230,44,586],krb5_auth_con_set_checksum_func:784,declar:[221,454,6,457,676,466,259,636,480,29,485,31,34,35,490,717,826,189,496,790,336,501,503,727,54,59,60,513,425,514,304,481,752,309,755,78,525,317,531,319,767,771,324,773,544,101,546,499,793,339,807,809,810,376,360,582,583,897,829,909,370,139,837,596,843,660,847,153,154,865,172,630,878,635,278,889,299,647,898,650,900,904,136,387,857,527,919,443,923,220,924],random:[377,298,580,648,825,876,143,346],syntax:32,krb5_anonymous_princip:227,tkt_flg_may_postd:209,priv:[267,215],absolut:176,acquir:[412,421,860,245,112,185,357,753,417],rcach:27,kdestroi:[386,104],krb5_checksum_s:721,ldap:[44,855],krb5_c_is_keyed_cksum:358,krb5_copy_data:230,krb5_principal_compare_any_realm:368,"public":[2,181,36],krb5_k_make_checksum:744,krb5_build_princip:535,respond:[521,235,341,242,787],krb5_is_thread_saf:912,datatyp:98,result:110,krb5_process_kei:719,krb5_nt_srv_xhst:192,fail:[895,147],databas:[895,855,70,73,56,885,44,493],krb5_set_default_realm:344,discoveri:493,cksumtype_cmac_camellia128:516,krb5_kpasswd_bad_vers:97,irc:23,attribut:[718,17],tkt_flg_proxiabl:757,extend:[9,240,51,331,508],ccach:[614,629,827],tkt_flg_postdat:410,krb5_get_init_creds_opt_preauth_list:252,k5login:184,krb5_init_secure_context:641,krb5_kt_end_seq_get:621,cksumtype_rsa_md5_d:305,krb5_responder_pkinit_get_challeng:[649,269],against:519,tabdump:423,cksumtype_nist_sha:655,krb5_auth_con_getkey_k:915,login:662,addrtype_ipport:749,krb5_cc_store_cr:463,guid:228,krb5_k_encrypt:114,duplic:[293,629],krb5_wrap_error_messag:38,krb5_tkt_creds_get_tim:121,list_request:[70,138],clear_list:138,keyblock:[406,359,369,131,840,247,322,111,251,483,736,734,653,444,791,310,505,669],krb5_encpadata_req_enc_pa_rep:123,add_mkei:423,krb5_cccol_have_cont:163,krb5_auth_con_getkei:369,krb5_cc_unlock:716,argument:877,multithread:912,krb5_prompt_type_preauth:296,krb5_unparse_name_flag:489,krb5_const_point:480,krb5_425_conv_princip:12,ident:[812,286],ad_type_reserv:780,servic:[188,421,248,730,73,44,701,739,493,473],properti:104,conf:[812,10,124,428,895],krb5_cc_get_full_nam:509,krb5_kt_start_seq_get:40,krb5_principal_unparse_no_realm:212,perform:[27,434],make:352,format:[267,522,563,565,302,108,165,732,318,176,384,190,832,323,44,364],krb5_c_valid_enctyp:871,krb5_princ_set_realm:294,complet:98,krb5_k_reference_kei:103,krb5_get_init_creds_opt_tkt_lif:426,tune:452,krb5_init_creds_set_keytab:412,client:[504,642,159,275,413,200,88,792],thi:[176,126,875],krb5_tc_match_ktyp:587,preauthent:[796,644,81,208,413,850],krb5_is_referral_realm:789,rout:147,update_princ_encrypt:423,protocol:[695,165,642,234],cksumtype_crc32:301,krb5_auth_con_setsendsubkey_k:774,krb5_principal_parse_ignore_realm:838,previous:300,krb5_pac_fre:688,krb5_c_prf:876,krb5_keyusage_iakerb_finish:477,krb5_padata_etype_info2:550,applic:[794,155,73,100,473],krb5_authdata_etype_negoti:467,background:[776,27],krb5_tkt_creds_init:739,krb5_get_init_creds_opt_set_etype_list:55,add_entri:138,daemon:895,specif:[298,648,876,551,740,473,143],krb5_authdata_fx_armor:87,krb5_int32_min:134,threeparamopen:570,krb5_c_keylength:604,kdc_opt_postd:808,write_kt:138,krb5_mk_1cred:522,krb5_keyusage_ad_kdcissued_cksum:117,krb5_principal_compare_flag:511,krb5_nt_srv_inst:488,intern:[885,36],kadm5:[32,223],krb5_keyusage_pa_otp_request:750,enctype_sha1_rsa_cm:560,krb5_keyusage_krb_error_cksum:704,krb5_auth_con_setrecvsubkei:322,krb5_prompt_type_new_password_again:772,krb5_princ_siz:702,krb5_cc_cache_match:88,krb5_typed_data:647,post:167,delete_polici:[70,44],krb5_kt_get_nam:374,appplic:920,canonic:[188,473,280],krb5_c_block_siz:365,krb5_gc_constrained_deleg:430,krb5_tkt_creds_get_cr:860,encod:[403,901,565],wrap:[274,17],precomput:877,support:[820,759,131,912,147,176,494,73,791],krb5_gc_no_transit_check:241,avail:44,cksumtype_cmac_camellia256:180,krb5_pac_init:718,krb5_keyusage_fast_finish:255,kdcpreauth:[812,850],krb5_padata_pkinit_kx:263,krb5_cc_start_seq_get:133,krb5_init_context:862,hostrealm:[812,687],enctype_aes128_cts_hmac_sha256_128:529,autoconf:203,retir:73,krb5_altauth_att_challenge_respons:715,decrypt:[389,759,39,568,569,917,791,669],ad_type_field_type_mask:618,exist:[362,135,703],krb5_cc_get_nam:708,check:[163,789,135,502],encrypt:[450,114,105,840,551,55,171,10,411,871,248,143,182,22,131,364,137,597,820,147,384,91,825],krb5_get_in_tkt_with_skei:378,krb5_free_princip:722,krb5_keyusage_ad_signedpath:418,krb5_free_error:168,test:[434,18,912,584,71,203,358],krb5_c_crypto_length_iov:149,krb5_auth_context_use_subkei:830,krb5_nt_princip:643,krb5_get_default_realm:[308,120],krb5_set_password_using_ccach:890,krb5_pac_sign:765,krb5_c_random_to_kei:298,salt:[796,690,432,429],krb5_k_decrypt:39,pseudo:[377,580,648,346,876,825],krb5_c_fx_cf2_simpl:72,ignor:368,time:[521,121,461,502,761,164,712,740,279,176,852],krb5_kt_next_entri:803,concept:[579,4],chain:147,krb5_get_credenti:30,global:[112,340],krb5_c_string_to_kei:69,krb5_pa_data:635,krb5_gc_canonic:533,ap_opts_reserv:290,decis:493,krb5_init_creds_get:753,krb5_padata_get_from_typed_data:523,sourc:[836,126,855],string:[450,712,557,453,164,672,120,632,879,72,428,69,690,479,590,535,874,264,108,756,597,432,603,781,489,549],krb5_cybersafe_secureid:250,krb5_domain_x500_compress:828,krb5_responder_pkinit_ident:771,administr:[44,427,895,162],iter:684,cooki:563,enctype_aes256_cts_hmac_sha1_96:52,krb5_cc_move:611,sign:[403,765],krb5_keyusage_gss_tok_wrap_integ:864,ktremov:[70,794],port:[625,493],krb5_cc_dup:629,krb5_get_init_creds_opt_set_proxi:706,current:[740,502],krb5_appdefault_str:428,va_list:[811,140,331],deriv:349,gener:[377,298,256,648,504,876,580,4,143,28,397,586,701,346],modif:[237,257],address:[256,536,723,693,875,287,394,555,399,371],krb5_responder_otp_set_answ:831,krb5_tc_openclos:268,krb5_kt_free_entri:329,krb5_padata_otp_request:528,krb5_authdata_win2k_pac:498,commonli:452,modul:[328,764,662],krb5_responder_question_password:559,krb5kdc:45,instal:[895,228,452,437,203,792],krb5_copy_authent:507,memori:277,krb5_pwd_data:443,krb5_free_unparsed_nam:557,krb5_get_init_creds_opt_renew_lif:127,krb5_mk_req_extend:1,krb5_cc_close:738,krb5_pac_get_buff:420,krb5_k_verify_checksum:631,ap_opts_use_session_kei:541,prepar:[133,684],uniqu:671,krb5_kt_client_default:200,krb5_keyusage_fast_enc:289,krb5_authent:[507,727,178],topic:95,krb5_kei:[251,868,359,78],krb5_respons:583,contribut:776,krb5_get_error_messag:[397,51],krb5_keyusage_krb_priv_encpart:659,krb5_cc_retrieve_cr:686,krb5_pa_server_referral_data:220,krb5_keyusage_pa_sam_challenge_trackid:15,krb5_is_config_princip:71,map:493,krb5_us_timeofdai:852,usabl:91,date:[176,44],krb5_padata_pk_as_rep:53,data:[49,840,555,291,114,403,298,242,349,409,182,251,885,887,759,628,131,820,373,39,436,274,842,791,669],krb5_unparse_name_ext:479,man:126,krb5_expand_hostnam:188,inform:[812,44,330,27,794],"switch":[895,494],cannot:147,combin:72,krb5_get_init_creds_opt_init:142,krb5_keyusage_ap_req_auth_cksum:758,krb5_auth_con_getrecvsubkei:653,krb5_timestamp:909,krb5_prompt_type_new_password:679,krb5_padata_pw_salt:379,krb5_auth_con_getlocalsubkei:210,polici:44,krb5_responder_get_challeng:242,krb5_rd_safe:821,mail:23,krb5_init_context_profil:737,krb5_cccol_unlock:340,krb5_rcach:807,synopsi:[562,566,25,63,724,70,132,437,484,646,918,423,138,814,689,540,45,518,640,386],krb5_set_kdc_send_hook:623,krb5_tkt_authent:837,initi:[796,798,725,107,761,229,556,55,743,407,17,412,185,74,357,753,817,519,520,417,521,823,644,81,421,827,245,197,371,532,204,706,907,537,841,575,147,745,606,787,316,911,280],krb5_auth_con_get_checksum_func:151,krb5_init_creds_step_flag_continu:343,krb5_padata_fx_error:225,krb5_nt_unknown:813,name:[853,614,452,453,620,671,672,171,509,493,701,17,632,877,473,129,125,188,818,191,708,235,374,429,535,207,341,292],config:[540,748],revers:473,krb5_authdatatyp:299,separ:203,krb5_responder_otp_format_alphanumer:367,get_polici:[70,44],krb5_padata_sam_respons:602,list_princip:[70,44],replai:[458,586,27,543],krb5_nt_srv_hst:260,unlock:[70,716],prompter:521,krb5_c_encrypt_iov:131,krb5_k_create_kei:251,storag:[409,722],krb5_padata_referr:552,krb5_last_req_entri:503,profil:[920,737,334,662,815],lr_type_interpretation_mask:888,krb5_parse_nam:672,correct:794,krb5_const_princip:485,krb5_cc_resolv:620,krb5_pac_credentials_info:497,"byte":[648,580,876,346,604],synchron:735,refus:147,place:[131,791,759,820],change_password:[70,44],view:[104,484],frequent:[147,181],oper:[820,114,759,600,744,39,131,631,247,840,385,44,648,444,791,310,505,669],directli:181,arrai:[320,600,435,409,247,148,149,555,591,385,732,22,310,723],open:586,size:365,krb5_address:499,given:242,krb5_tkt_creds_fre:62,krb5_auth_context_generate_local_addr:174,conveni:181,read_kt:138,krb5_c_padding_length:651,krb5_keyusage_as_req:196,tkt_flg_enc_pa_rep:7,copi:[230,359,146,627,507,726,111,734,141,508,102,723,887,658],specifi:[853,389,871,412,510,421,287,604,812,399,400,372,344,737,671,88,686],krb5_tkt_creds_context:172,krb5_as_rep:634,krb5_as_req:633,kinit:[640,104],optimist:796,krb5_verify_init_creds_opt_ap_req_nofail:233,seri:243,pre:623,prf:[346,349],enctype_rsa_env:416,krb5_init_creds_init:357,ani:[163,257],krb5_cc_destroi:859,dbdefault:10,krb5_responder_otp_format_decim:661,advic:[100,473],destroi:[423,44,859,104,484],note:386,kdc_opt_renew:[512,315],channel:23,enctype_rsa_es_oaep_env:775,trace:[853,147,372],stashsrvpw:484,buffer:[420,595,148],krb5_lrq_one_last_renew:733,krb5_get_init_creds_opt_set_anonym:725,krb5_encrypt:261,whitepap:713,krb5_auth_con_fre:166,krb5_decode_ticket:190,enctype_unknown:622,krb5_gc_cach:442,krb5_keyusage_enc_challenge_cli:0,destroy_polici:484,krb5_524_convert_cr:345,krb5_get_init_creds_opt:829,addrtype_iso:106,krb5_get_init_creds_opt_alloc:107,onli:641,krb5_c_crypto_length:551,cksumtype_hmac_sha256_128_aes128:873,variou:713,get:[794,615,51,30,292,739,524,249,185,151,74,517,521,422,318,591,374,110,703,841,207,711,491,147,606,825],krb5_crypto_type_stream:478,krb5_kt_dup:293,ssh:473,"import":17,krb5_build_principal_alloc_va:877,requir:[572,437],krb5_authdata_auth_ind:908,krb5_prompt_typ:898,krb5_sname_to_princip:701,krb5_int16_min:201,krb5_cccol_cursor:221,passwd_phrase_el:889,wiki:23,ap_opts_wire_mask:21,krb5_c_decrypt:669,krb5_transit:496,krb5_auth_con_setsendsubkei:483,krb5_responder_otp_challeng:514,krb5_c_random_make_octet:580,between:449,enctype_aes256_cts_hmac_sha384_192:894,krb5_principal_unparse_displai:116,add_polici:[70,44],krb5_free_checksum:348,krb5_keyusage_krb_safe_cksum:680,tutori:713,krb5_finish_random_kei:856,krb5_princ_set_realm_data:231,krb5_c_encrypt_length:182,krb5_cc_default:125,overview:44,featur:[576,452],krb5_kpasswd_accessdeni:281,krb5_k_key_enctyp:868,krb5_tc_match_is_skei:173,skew:[794,502],procedur:73,krb5_c_verify_checksum:444,enctype_arcfour_hmac_exp:295,krb5_kt_cursor:790,interoper:576,krb5_padata_sam_challenge_2:391,krb5_lrq_all_last_tgt_issu:707,krb5_keyusage_tgs_rep_encpart_sesskei:465,krb5_error_cod:773,ktutil:138,modify_polici:[70,44,484],develop:[155,328,17],author:[504,373,628,436,274,437,662,863,291,608,885,887,403],binari:203,epoch:852,pac:[258,37,420,148,765,718,901,688,595],pad:[651,874,149],document:[176,61,776,126],finish:243,krb5_unparse_name_flags_ext:108,openldap:515,krb5_eblock_enctyp:819,krb5_c_decrypt_iov:791,krb5_string_to_deltat:712,macro:2,krb5_c_enctype_compar:411,without:126,krb5_responder_list_quest:341,execut:437,krb5_gic_opt_pa_data:878,krb5_free_ap_rep_enc_part:882,struct:[649,47],enctype_arcfour_hmac:337,krb5_get_init_creds_opt_set_fast_flag:229,krb5_padata_s4u_x509_us:805,kdc_opt_forward:[720,175],krb5_cc_get_flag:447,read:[914,133,254],get_str:70,enctype_des_cbc_raw:804,krb5_lrq_one_last_tgt:553,server:[794,695,393,226,147,100,73,234,586],krb5_nt_ms_principal_and_id:691,output:[825,874,532],manag:[119,104],krb5_padata_fx_fast:626,krb5_tc_noticket:779,krb5_kpasswd_softerror:152,krb5_free_data_cont:842,krb5_aname_to_localnam:129,krb5_principal_parse_enterpris:469,krb5_pre_send_fn:59,keytab:[794,895,412,302,159,135,100,293,473,621,519],krb5_copy_keyblock_cont:734,refer:[228,845,98,126,855,103],enctype_camellia128_cts_cmac:246,krb5_keyusage_tgs_rep_encpart_subkei:729,krb5_auth_context_ret_tim:667,krb5_keyusage_app_data_encrypt:654,krb5_data:[230,842,194,596],krb5_timestamp_to_sfstr:874,acl:[895,32],krb5_get_credentials_valid:697,aead:[131,791,17,759,820],backup:56,krb5_padata_pk_as_req_old:849,list_mkei:423,krb5_authdata_if_relev:471,your:[794,119],log:[863,10,147],clpreauth:[812,413],krb5_copy_ticket:102,start:[895,40],interfac:[764,608,223,815,875,226,181,455,812,413,850,698,687,885],krb5_encrypt_s:530,addrtype_ddp:487,krb5_auth_con_getaddr:536,krb5_crypto_type_trail:408,krb_ap_req:[363,1,568],krb5_responder_otp_get_challeng:[157,47],krb5_pac_get_typ:148,krb5_enctype_to_str:597,possibl:[639,188,51],"default":[614,207,491,200,159,27,662,818,28,137,308,73,191,125,344,429,415,208,120],krb5_get_init_creds_keytab:841,krb5_sam_use_sad_as_kei:670,krb5_init_creds_step:185,krb5_init_creds_get_tim:761,creat:[504,641,1,855,745,895,737,363,484,147,671,423,251,862,357,718,44,739,437],ad_type_extern:581,gssapi:[17,764,662],krb5_cksumtype_to_str:756,file:[562,476,641,918,63,613,853,646,302,165,748,812,44,100,386,323,10,895,792,640],fill:[600,310,149],osconf:746,krb5_padata_non:288,dbmodul:10,krb5_auth_con_init:745,krb5_cc_default_nam:191,field:[461,536,551,842,881,115,625],valid:[871,247,422,385,510,254],collis:584,krb5_free_keytab_entry_cont:276,krb5_keyusage_cammac:880,salt_type_afs_length:283,krb524_init_et:338,krb5_auth_con_getauthent:872,kdcdefault:10,krb5_tc_match_flags_exact:683,krb5_authdata_and_or:617,krb5_k_prf:648,krb5_get_init_creds_opt_set_expire_callback:907,pkinit:[521,10,812,504],directori:[836,203,452],descript:[724,566,562,184,814,689,32,640,25,63,70,132,518,646,423,138,484,437,783,386,45,540,918],enctype_nul:585,unset:[706,725,743,537,280],purge_mkei:423,represent:[557,549],all:875,krb5_get_in_tkt_with_password:224,krb5_allow_weak_crypto:920,krb5_get_in_tkt_with_keytab:657,krb5_init_creds_set_servic:421,krb5_copy_authdata:887,krb5_tc_match_authdata:13,krb5_server_decrypt_ticket_keytab:389,program:[427,452],krb5_tc_match_times_exact:763,krb5_kpasswd_malform:58,util:836,krb5_make_authdata_kdc_issu:403,mechan:[764,662],enctype_des3_cbc_raw:673,ticket:[121,389,190,798,761,37,30,520,44,739,144,104],krb5_cc_next_cr:610,krb5_prompter_fct:752,list:[628,105,576,484,147,877,341,138,399,44,10,887,91,23],adjust:740,getdat:176,enctype_dsa_sha1_cm:326,krb5_auth_con_getrcach:458,krb5_rd_priv:215,zero:[842,845],proxi:275,deleg:17,clock:[794,502],sun:44,section:[812,10,124,428],delet:44,abbrevi:176,version:[563,234],krb5_cccol_cursor_new:684,krb5_auth_con_getrecvsubkey_k:406,full:[509,701],krb5_keyusage_gss_tok_m:186,krb5_verify_init_creds_opt:6,enctype_des_hmac_sha1:84,krb5_authdata_kdc_issu:41,strong:73,modifi:[44,484],valu:[712,524,420,164,124,428,77,157,269],search:399,krb5_cred_enc_part:189,cksumtype_md5_hmac_arcfour:236,krb5_finish_kei:419,krb5_cc_select:393,cksumtype_hmac_sha1_des3:199,krb5_pac_upn_dns_info:891,via:349,deprec:[2,181],krb5_sam_send_encrypted_sad:770,decrement:845,krb5_prepend_error_messag:211,krb5_nt_x500_princip:492,select:[393,248,698],krb5_deltat_to_str:164,two:[411,628,130,394,368,72,265,511],krb5_set_trace_callback:372,krb5_init_random_kei:526,krb5_lrq_all_last_renew:506,krb5_get_init_creds_opt_set_salt:796,krb5_padata_as_checksum:777,krb5_auth_con_setuseruserkei:11,krb5_tkt_creds_get:735,flag:[706,817,743,537,725,632,511,229,916,115,108,266,489,447,280],krb5_copy_error_messag:508,krb5_get_init_creds_opt_set_address_list:371,known:[257,684],cach:[614,237,3,393,620,340,671,112,556,342,509,458,738,823,243,65,716,463,352,517,125,77,575,818,686,890,257,586,133,27,698,323,88,532,708,205,524,146,491,684,163,859,916,494,611,191,610,543,447],krb5_auth_context_permit_al:858,krb5_auth_context:[266,513,115,166],histori:[70,44,73],krb5_c_make_checksum_iov:310,krb5_calculate_checksum:401,archiv:23,get_init_cr:521,krb5_keyusage_as_req_pa_enc_t:682,krb5:[895,641,2,36,540,181,862,812,124,264,737,624,428],ap_opts_use_subkei:46,get_princip:[70,44],prompt:[848,591,743],challeng:242,krb5_get_init_creds_opt_set_fast_ccache_nam:827,krb5_free_cr:666,krb5_get_init_creds_opt_set_forward:537,krb5_get_init_creds_opt_get_fast_flag:817,krb5_cred:[336,742,627,801,666,793],secur:[100,437,563,473,56],anoth:508,krb5_k_verify_checksum_iov:385,reject:147,krb5_k_make_checksum_iov:600,simpl:[126,2],resourc:23,krb5_keyusage_pa_pkinit_kx:314,kdc_opt_disable_transited_check:700,krb5_get_init_creds_opt_canonic:468,krb524_convert_creds_kdc:90,krb5_set_real_tim:461,krb5_k_encrypt_iov:820,stash:[423,44,613],krb5_encode_authdata_contain:274,callback:[521,784,907,151,372],sendauth:[695,147,642,234],purgekei:70,krb5_keytab_entri:847,krb5_string_to_kei:609,paramet:[812,603,234],krb5_keyusage_fast_req_chksum:193,krb5_auth_con_getsendsubkey_k:921,alter:614,"return":[91,49,237,257,105,875,287,551,148,365,604,674,191,835,279,651,269,157,120],timestamp:[237,502,781,879,874,257],krb5_get_init_creds_opt_salt:607,krb5_authdata:360,krb5_prompt_type_password:886,krb5_free_authent:178,krb5_fwd_tgt_cred:318,troubleshoot:[713,147],authent:[745,409,437,147,872,321,44],token:[208,17],krb5_keyusage_ad_mt:99,krb5_keyusage_fast_rep:747,krb_error:565,trailer:149,krb5_anonymous_realm:49,krb5_padata_sam_redirect:601,krb5_pointer:60,krb_ap_rep:[384,364,917,569],krb5_princ_nam:906,connect:[256,147],krb5_keyusag:317,krb5_responder_otp_tokeninfo:897,event:[853,372],authdata:885,krb5_anonymous_princstr:14,krb5_get_profil:334,krb5_auth_context_ret_sequ:16,iov:[600,17,247,149,385,310],tkt_flg_proxi:445,krb5_authdata_mandatory_for_kdc:20,krb5_keyblock:[525,89,94,316],advanc:95,krb5_lrq_one_last_req:187,quick:576,krb5_tgs_name_s:797,krb5_principal_data:425,ask:37,krb5_keyusage_gss_tok_wrap_priv:350,asn:190,krb5_get_init_creds_opt_set_in_ccach:556,krb5_string_to_salttyp:432,krb5_free_enctyp:22,lifetim:[520,798],assign:[409,722],localauth:[812,608],exchang:[615,147],number:[377,651,312,85],krb5_mk_ncred:732,krb5_pac_verifi:258,differ:[44,38,140,449],addrtype_chao:786,interact:521,krb5_roundup:441,store:[555,463,77],schema:855,option:[796,798,452,725,107,229,556,55,10,562,743,407,566,70,689,817,575,520,640,521,25,63,644,81,132,827,646,423,371,874,484,532,204,706,812,907,537,437,916,386,787,44,45,540,918,280],krb5_ticket_tim:660,pars:[731,917,568,569],remot:[693,312,625],remov:[794,158,73,65],krb5_merge_authdata:628,krb5_int32_max:571,krb5_padata_encrypted_challeng:438,comput:[182,72,505,744],packag:[126,452],allow_weak_crypto:920,expir:[907,147],"null":535,del_str:70,krb5_auth_context_generate_remote_addr:306,built:912,lib:836,krb5_princ_typ:160,krb5_recvauth_vers:234,also:[724,566,10,562,184,814,689,32,640,25,63,70,132,518,646,812,138,484,423,540,783,386,45,918],build:[535,855,453,26,227,877,126,203],enctype_des_cbc_md5:356,enctype_des_cbc_md4:355,krb5_lrq_all_pw_exptim:785,tkt_flg_pre_auth:313,krb5_auth_context_do_sequ:788,krb5_lrq_one_acct_exptim:616,krb5_lrq_none:558,krb5_auth_context_generate_remote_full_addr:664,most:[452,508],krb5_realm_branch_char:79,krb5_cc_set_default_nam:818,krb5_nt_uid:67,clear:9,krb5_enc_kdc_rep_part:324,clean:203,kswitch:918,enctyp:[298,648,876,248,143,251,868],krb5_unparse_nam:549,msec_dirbit:892,session:[105,11,915,248,369],krb5_copy_checksum:658,find:[436,88],tkt_flg_renew:333,krb5_c_prfplu:346,firewal:794,copyright:462,krb5_lrq_one_last_tgt_issu:668,krb5_cc_cursor:501,ktadd:[70,794],krb5_change_password:362,hit:845,krb5_x:598,krb5_padata_osf_dc:43,krb5_responder_question_otp:[831,433,47],krb5_verify_init_cr:519,hin:746,krb5_init_creds_set_password:417,krb5_auth_con_set_req_cksumtyp:272,krb5_free_authdata:409,kdc_opt_allow_postd:464,common:814,krb5_nt_ent_principal_and_id:846,certif:[718,504,147],set:[796,855,798,725,110,167,556,400,623,11,625,774,461,743,916,881,827,572,575,520,417,55,522,115,787,644,693,322,137,483,699,240,229,532,706,890,907,537,272,818,784,331,920,371,543,280],dump:[423,44],krb5_mk_req_checksum_func:376,krb5_get_permitted_enctyp:105,see:[724,566,10,562,184,814,689,32,640,25,63,70,132,518,646,812,138,484,423,540,783,386,45,918],sec:852,close:[738,206],ark:423,ap_opts_mutual_requir:822,krb5_crypto_type_data:652,krb5_keyusage_tgs_req_auth_cksum:692,max_keytab_name_len:109,krb5_set_kdc_recv_hook:167,krb5_copy_cr:627,salt_type_no_length:612,krb5_anonymous_realmstr:883,krb5_cc_support_switch:494,last:[237,257,74],context:[483,508,736,860,312,862,9,341,737,344,458,62,624,121,406,11,739,242,745,625,334,369,151,74,357,753,256,761,693,322,872,591,85,245,699,235,653,774,536,272,735,911,437,915,740,784,641,279,921,543],krb5_kt_have_cont:135,load:423,tgt:318,header:[149,323],krb5_principal_compar:265,suppli:[81,1],krb5_os_localaddr:875,backend:855,krb5_cc_get_princip:491,krb5_tkt_creds_step:615,kproplog:566,empti:[718,316],krb5_cc_get_typ:3,krb5_c_init_st:[300,197],add_princip:[70,44],krb5_get_renewed_cr:703,krb5_padata_enc_unix_tim:495,krb5_copy_princip:726,krb5_pac_privsvr_checksum:353,krb5_pac_client_info:665,krb5_mk_priv:267,durat:176,"while":147,krb5_free_cred_cont:801,read_st:138,behavior:473,error:[811,508,147,51,211,903,168,140,331,74,9,240,38,397,814],anonym:[521,504,49,227,725],propag:[28,895,493,44],krb5_magic:490,krb5_timestamp_to_str:879,krb5_recvauth_skip_vers:696,krb5_keyusage_enc_challenge_kdc:19,krb5_mk_rep_dc:384,grant:[739,119],krb5_kvno:843,krb5_cc_set_config:77,krb5_cccol_lock:112,decod:[649,903,190,47],krb5_mk_error:565,krb5_principal_unparse_short:128,krb5_princip:[900,632,479,672,108,549,489],krb5_decode_authdata_contain:291,krb5_int32:546,user:[521,361,762,748,863,848],enctype_aes128_cts_hmac_sha1_96:728,recent:508,kdc_opt_valid:214,entri:[158,243,276,135,302,40,395,711,323,803,610],krb5_free_keyblock_cont:89,pwqual:[812,455],krb5_c_prf_length:825,krb5_kdc_req:34,krb5_kdc_rep:35,addrtype_inet6:156,krb5_get_validated_cr:422,krb5_c_keyed_checksum_typ:91,input:[914,556,349],kdc_opt_enc_tkt_in_skei:202,krb5_auth_context_generate_local_full_addr:768,checksum:[600,272,435,756,584,631,247,590,784,385,505,151,744,674,91,510,310,358,444],krb5_crypto_type_empti:548,kprop:[132,147],cksumtype_rsa_md4_d:766,ad_type_regist:396,msec_val_mask:705,krb5_keyusage_pa_s4u_x509_user_request:547,enctype_camellia256_cts_cmac:404,krb5_vwrap_error_messag:140,resolv:[620,415,200,125],collect:[614,684,639,352,163,342,517],princip:[794,722,557,453,632,393,227,863,731,672,400,12,511,895,726,18,877,71,881,473,129,890,130,421,368,323,265,701,88,429,535,434,491,217,44],api:[449,98,181,126],krb5_get_credentials_renew:307,krb5_get_init_creds_password:606,krb5_pac:54,some:[100,349],back:[515,56],krb5_read_error:168,sampl:[812,10],krb5_c_random_se:922,machin:792,krb5_padata_sesam:303,krb5_principal_compare_utf8:593,prerequisit:[26,855],krb5_auth_con_getsendsubkei:736,valid_int_bit:380,block:365,krb5_referral_realm:[678,789],krb5_keyusage_pa_sam_respons:213,within:[203,502],krb5_padata_ap_req:113,krb5_c_make_random_kei:143,krb5_rd_rep:569,krb5_rd_req:568,tkt_flg_forward:[605,335],krb5_responder_pkinit_flags_token_user_pin_count_low:925,krb5_nt_smtp_name:816,question:[521,242,286,341,831,235],fast:[817,827,575,229],krb5_get_init_creds_opt_set_pac_request:37,krb5_get_init_creds_opt_set_respond:787,includ:37,forward:[537,318],krb5_enc_tkt_part:826,krb5_mk_safe:832,link:713,delta:712,line:[423,484],krb5_crypto_type_sign_onli:474,krb5_responder_pkinit_flags_token_user_pin_final_tri:685,krb5_crypto_type_pad:402,krb5_kt_get_typ:835,addrtype_is_loc:431,krb5_free_address:555,tkt_flg_ok_as_deleg:170,kdcissu:[403,373],krb5_nt_enterprise_princip:714,krb5_get_init_creds_opt_set_change_password_prompt:743,sequenti:[133,40,243],krb5_keyusage_pa_fx_cooki:475,delete_entri:138,krb5_vprepend_error_messag:811,krb5_cred_info:544,lucid:855,krb5_kpasswd_initial_flag_need:239,krb5_padata_etype_info:33,krb5_kt_read_service_kei:730,krb5_free_keyblock:94,krb5_k_free_kei:845,krb5_context:[137,461,630,141],cksumtype_hmac_sha384_192_aes256:50,pluggabl:885,code:[811,211,51,140,331,240,38],krb5_princ_realm:799,krb5_copy_context:141,krb5_rd_rep_dc:917,send:[736,483,623,921,774],valid_uint_bit:392,krb5_kt_close:206,lndir:203,krb5_build_principal_va:577,write_st:138,krb5_lrq_all_acct_exptim:754,kadm5_hook:[812,223],krb5_tgs_req:76,krb5_tgs_rep:75,krb5_princ_set_realm_length:574,krb5_init_context_secur:382,krb5_padata_fx_cooki:219,compat:248,compar:[411,130,394,368,265,511],fine:452,krb5_keyusage_kdc_rep_ticket:893,access:119,krb5_get_prompt_typ:591,enctype_md5_rsa_cm:195,krb5_priv:709,ubuntu:855,cf2:72,sinc:852,convert:[450,603,164,672,171,345,12,69,632,879,129,690,479,590,874,108,756,597,429,432,712,781,217,489,549],cert:147,chang:[362,44,743,119,110],configur:[794,476,641,515,855,434,452,504,815,208,248,662,792,275,71,323,895,77,493,334,524],krb5_padata_afs3_salt:594,krb5_ui_2:810,krb5_ui_4:809,from:[794,158,855,508,860,312,369,730,736,458,739,701,121,406,524,65,334,761,124,251,73,151,74,126,817,686,256,298,420,639,422,245,872,591,921,44,803,266,653,703,428,536,359,711,914,915,279,85,610,447],upgrad:73,next:[803,615,610,185,517],kdc_opt_proxi:[398,844],krb5_padata_use_specified_kvno:183,krb5_decrypt:222,krb5_padata_tgs_req:710,mismatch:473,krb5_ap_req:[259,57],krb5_ap_rep:[636,390],account:[362,434,119],retriev:[3,860,730,736,509,458,868,121,406,242,334,369,124,686,817,312,761,420,245,872,921,44,803,266,653,428,708,536,359,40,915,740,308,852,85,610,447],krb5_kuserok:863,alia:171,use_mkei:423,proof:584,krb5_keyusage_as_rep_encpart:347,process:[821,243,215],lock:[70,112,205,340],tarbal:126,addrtype_addrport:778,krb5_pvno:500,rename_princip:70,krb5_k_key_keyblock:359,krb5_keyusage_tgs_req_auth:782,krb5_set_trace_filenam:853,kdb5_util:423,krb5_find_authdata:436,krb5_init_creds_context:650,krb5_cc_new_uniqu:671,alloc:[107,277,168,264,300],enctype_rc2_cbc_env:899,element:[436,385,247,310,600],issu:27,allow:[920,55,502],krb5_get_init_creds_opt_chg_pwd_prmpt:262,move:611,krb5_cc_set_flag:916,krb5_kt_default_nam:207,krb5_pac_pars:901,krb5_tkt_creds_step_flag_continu:68,krb5_keyusage_pa_sam_challenge_cksum:694,krb5_error:[238,457],krb5_get_host_realm:[292,277],krb5_appdefault_boolean:124,handl:[206,148,249,718,293,901,629,688,595,738],dai:852,auth:[312,736,458,11,625,406,85,151,256,369,693,322,872,483,699,653,774,536,272,915,784,921,543],krb5_free_cksumtyp:435,krb5_c_make_checksum:505,krb5_pac_logon_info:538,krb5_timeofdai:740,edit:895,krb5_recvauth_badauthv:867,enctype_des3_cbc_sha:244,variabl:[273,248,452,877],rfc:[346,349],krb5_init_creds_get_cr:245,armor:[575,827],rel:164,krb5_cc_remove_cr:65,krb5_keyusage_ap_rep_encpart:589,krb5_set_error_messag:240,krb5_post_recv_fn:857,unpars:901,releas:[126,340,621],krb5_get_init_creds_opt_set_preauth_list:644,proxiabl:706,krb5_random_kei:910,addrtype_inet:383,length:[453,551,479,604,182,674,149,825],krb5_gc_user_us:588,krb5_princ_compon:439,softwar:26,krb5_responder_fn:919,qualiti:[119,455],kerbero:[794,449,855,576,394,12,292,56,345,510,61,871,493,885,895,362,26,28,579,515,776,912,330,217,44,104],licens:330,system:[28,852,452],messag:[1,508,551,51,110,397,732,9,565,17,568,569,814,38,254,267,522,821,215,363,364,318,832,140,903,240,811,211,384,917,331],termin:535,tkt_flg_transit_policy_check:459,shell:[437,473],view_polici:484,krb5_set_password:400,tkt_flg_hw_auth:866,krb5_auth_con_getlocalseqnumb:85,structur:[107,194,166,507,842,672,115,10,868,461,178,627,882,204,489,479,348,812,137,320,141,108,266,486,658,89,359,36,94,801,666,102,549,447],krb5_rd_error:903,krb5_authdata_osf_dc:554,krb5_keyusage_ad_it:460,krb5_crypto_iov:924,krb5_tc_match_srv_nameonli:870,krb5_responder_otp_flags_separate_pin:482,set_str:70,tabl:[158,389,206,841,207,276,40,395,249,730,711,200,835,803,374,415],tkt_flg_invalid:354,modify_princip:[70,44],krb5_c_string_to_key_with_param:603,mic:17,krb5_principal_parse_require_realm:833,mit:[61,776,449,576,28,330,44],singl:[522,203],krb5_cccol_last_change_tim:257,cipher:[300,365,197],krb5_cksumtyp:387,krb5_c_random_add_entropi:377,krb5_cc_switch:352,krb5_responder_question_pkinit:[649,286,118],request:[121,615,735,860,248,185,62],determin:[863,494],delete_princip:[70,44],constrain:17,krb5_trace_callback:136,fact:576,krb5_ap_rep_enc_part:[904,882],krb5_salttype_to_str:690,trivial:563,krb5_keytab:582,ksu:437,locat:[226,662,827],should:181,local:[693,863,85,129,608,625],krb5_verify_init_creds_opt_set_ap_req_nofail:572,krb5_verify_checksum:282,krb5_responder_otp_format_hexadecim:446,krb5_kpasswd_success:599,krb5_rd_cred:254,keysalt:10,krb5_kpasswd_harderror:82,krb5_kpasswd_autherror:284,krb5_ticket:[309,102],organ:836,krb5_xc:741,kadmind:689,contain:[274,341,135,163],krb5_get_init_creds_opt_etype_list:839,legaci:[73,181],krb5_free_tgt_cr:320,krb5_padata_enc_sandia_securid:592,krb5_nt_wellknown:311,domain_realm:812,krb5_principal_compare_casefold:424,enctype_des3_cbc_env:150,state:[300,434,197],krb5_use_enctyp:896,addrtype_netbio:405,k5ident:783,kei:[158,389,603,648,915,105,840,730,114,11,69,298,349,302,369,248,249,143,251,73,415,358,845,759,72,744,631,200,835,803,374,600,820,206,841,207,276,39,40,395,604,711,385,44,91,103,669],krbtgt:[44,73],krb5_get_init_creds_opt_forward:834,addit:[603,228,511,30],krb5_padata_otp_challeng:271,plugin:[328,812,662,4],admin:[493,147],instanc:208,enctype_des_cbc_crc:913,krb5_pa_svr_referral_data:304,krb5_cccol_cursor_fre:342,rpc:[384,917],quit:[70,138],krb5_vset_error_messag:331,krb5_keyusage_tgs_req_ad_subkei:80,krb5_padata_sam_response_2:542,krb5_init_creds_fre:911,compon:368,krb5_principal_parse_no_realm:216,krb5_recvauth:695,otp:[10,208],replic:434,krb5_authdata_initial_verified_ca:751,cursor:[621,342],defin:208,krb5_crypto_type_head:645,side:437,site:126,krb5_get_init_creds_opt_anonym:66,krb5_auth_con_getremoteseqnumb:312,addrtype_xn:270,krb5_keyusage_ap_req_auth:366,krb5_lrq_all_last_initi:795,cross:44,member:[336,503,727,6,457,900,425,514,878,304,525,904,635,309,755,189,889,360,583,259,636,897,647,829,319,370,139,29,771,485,837,324,31,34,35,596,660,826,767,924,544,496,443,154,847,220,793,499],krb5_fast_requir:456,slave:[28,493,895],hostnam:[493,188],expans:812,effect:437,krb5_free_data:194,ap_opts_etype_negoti:800,krb5_preauthtyp:466,interpos:764,krb5_padata_svr_referral_info:218,exampl:[521,794,452,540,783,138,184,44,32,45],command:[70,423,361,138,484],krb5_pac_add_buff:595,choos:248,krb5_padata_enc_timestamp:769,krb5_cccol_cursor_next:517,"boolean":124,obtain:[735,26,104],kdc_opt_canonic:297,krb5_authdata_signticket:285,krb5_padata_sam_challeng:564,web:[126,23],krb5_read_password:914,list_polici:[70,44,484],add:[377,895,811,395,211,140,595,38],krb5_clear_error_messag:9,match:[789,18],krb5_copy_keyblock:111,krb5_keyusage_krb_cred_encpart:854,password:[521,890,743,606,362,603,110,69,914,848,400,44,455,119,417],krb5_int16_max:806,lr_type_this_server_onli:145,krb5_address_ord:287,like:28,krb5_auth_con_setport:625,krb5_free_default_realm:120,krb5_padata_pac_request:24,page:[126,23],krb5_responder_otp_flags_collect_token:539,krb5_addrtyp:865,krb5_msgtype:101,krb5_check_clockskew:502,kdb:885,kdc:[504,615,434,895,37,147,422,662,167,28,563,850,73,74,10,623,739,493,703,185],"export":17,krb5_k_decrypt_iov:759,librari:[737,641,624,912,862],krb5_get_init_creds_opt_fre:407,krb5_gc_no_stor:451,octet:651,krb5_tc_match_2nd_tkt:327,sequenc:[312,85],krb5_get_time_offset:279,krb5_c_valid_cksumtyp:510,pepper:72,krb5_string_to_timestamp:781,dce:[384,917],usag:73,host:[895,875,147,662,292,100,56,687],offset:[740,279,461],krb5_lrq_all_last_tgt:440,krb5_padata_pk_as_rep_old:332,krb5_int16:153,about:[44,100],rare:181,socket:256,http:275,kdc_opt_request_anonym:470,krb5_string_to_enctyp:450,krb5_crypto_type_checksum:253,krb:[267,522,821,318,732,72,832,215,903,254],krb5_auth_con_getremotesubkei:179,capath:812,krb5_authdata_sesam:638,merg:628,krb5_get_init_creds_opt_address_list:675,"function":[234,695,167,787,264,372,623,825,642],krb5_lrq_all_last_req:388,unwrap:[291,373],krb5_kt_default:415,tkt_flg_anonym:8,count:[845,103,453],whether:[18,912,584,71,494,572,358],krb5_c_verify_checksum_iov:247,krb5_free_error_messag:397,krb5_c_free_stat:300,krb5_enctyp:531,krb5_cc_initi:823,krb5_responder_otp_challenge_fre:157,krb5_get_init_creds_opt_set_out_ccach:532,pin:521,dure:147,krb5_kt_add_entri:395,kpropd:63,krb5_free_context:624,other:208,krb5_responder_pkinit_challenge_fre:269,krb5_ccach:339,krb5_lrq_one_last_initi:169,krb5_octet:923,kdb5_ldap_util:484,appdefault:[812,124,428],krb5_responder_pkinit_set_answ:286,k5srvutil:724,krb5_principal2salt:429}})
\ No newline at end of file
+Search.setIndex({envversion:42,terms:{libdefault:[798,10],req:[506,34,911,365,1,571,249,816,57],entropi:182,preauth_list_length:[833,648],"0x0011":[732,518],untrust:17,both:[506,825,911,816,517,71,465,209,17,249,4,535,276,495,331,818,216,666,44,204,439],localstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],krb5_auth_con_setflag:[749,182],principalnam:579,reboot:[616,899],four:[566,436,439,768,816,324],prefix:[816,10,676,495,182],dirnam:816,forget:[44,899,822,486],krb5_free_str:[511,189,182,111],whose:[523,899,486,277,303,17,798,816,71,185,475,56,324,44,32,45,89,105],string2kei:74,krb5_cc_get_config:182,"const":[451,3,455,880,675,231,676,496,487,12,225,17,248,250,885,589,259,482,236,705,31,707,712,275,278,723,49,727,819,287,288,51,509,292,293,738,59,748,301,73,756,78,38,311,763,82,529,319,243,538,815,332,103,795,667,918,111,112,343,283,346,348,70,568,351,571,572,125,914,831,822,580,825,823,132,623,365,137,138,835,836,141,839,241,598,662,379,380,844,845,39,769,606,387,609,612,857,391,115,860,396,867,399,401,402,405,527,634,635,881,364,252,891,189,419,268,894,191,192,631,423,424,198,905,907,852,793,430,824,661,375,630,438,861,212,921,216,446,507,673],krb5_sname_match:[735,571,182],aug:[71,44],sysadv6:717,cybersaf:[251,331],g_process_context:331,heimdal:[17,717],allow_renew:[71,44],salttyp:[425,10,249,694],ndnhnmn:177,concret:127,context_handl:[17,768],swap:[899,495],container_reference_dn:[44,486],under:[816,517,71,465,579,486,27,425,331,475,44,10,78,45,204],krb5_get_init_creds_opt_set_pa:182,keylist:[798,139],sha256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],worth:101,krb5_build_principal_ext:[735,182],merchant:331,digit:177,joeadmin:[44,32,101,185],everi:[899,182,816,101,44,10],risk:[523,249,27,74],downstream:[44,579],localhostnam:17,kvno:[798,425,363,566,899,71,766,148,249,276,715,139,322,74,101,44,310,521,372],userpkcs12:517,gssapi_ext:17,krb5_kt_cursor:[807,624,40,36],upstream:[44,579,454],slave_host:133,affect:[379,606,249,666,816,693,10,32,742,644],g_rel_buff:331,krb5_cc_set_flag:182,trailer:[17,182],look:[798,475,780,64,454,495,439,17,4,816,666,644,44,10,705,204,105,818],upn:[579,383,816,10,855,339,513],krb5_responder_context:[523,243,36,287,653,343,835,236,47,158,270],krb5_get_init_creds_opt_set_canonic:182,sclient:[766,363,818],supported_enctyp:[10,579,899,74,249],verif:[816,10,899],sequence_count:445,modtim:425,x86_64:[579,454],repres:[899,566,160,71,17,816,913,718],abil:[653,185,74,47],krb5_principal_compare_enterpris:513,miller:331,direct:[517,148,666,816,182,44],"10d":177,histor:[718,666,796],yacc:454,second:[451,424,288,396,51,797,374,10,495,513,463,413,303,17,18,690,29,718,644,506,856,631,131,71,27,319,816,913,918,324,266,908,34,370,209,328,666,177,190,280,44,45,439,105],krb5_auth_con_setrcach:182,"_passwd_phrase_el":893,krb5_enc_data:[337,115,844,39,260,640,36,673],krb5_address_search:182,even:[899,911,816,17,18,27,666,177,331,74,44,10,495,718,644,475],subsequ:[618,569,331,74,192,359,45,186],hide:[71,44,644],neg:[913,303,666],linkdn:[71,44],requisit:127,ptr:[745,860,830,17,529,601,475,905,310,325,914],krb5_auth_con_setrecvsubkey_k:182,ticket_flag:[44,486,797,324],krb5_get_init_creds_opt_set_renew_lif:182,conduct:276,"new":[778,506,859,728,436,899,71,17,148,249,182,425,74,703,44,10,816,798],dumptyp:425,topolog:693,metadata:425,krb5_kt_remove_entri:182,elimin:74,subtre:[71,10,517,486,44],algid:435,abov:[523,506,517,816,454,899,691,439,17,148,249,768,425,331,74,101,324,44,32,105],displai:[523,506,798,911,728,331,71,579,160,84,569,565,139,324,44,486,520,644],never:[798,824,763,436,132,51,816,71,120,74,56,44,10,32,795,105],etyp:[33,425,138,650,579],authorit:[62,395,227,611,816,702,691,32],here:[523,816,780,436,454,17,148,4,177,666,798,120,44,10,32,105],renew_til:[664,830,547,324],met:[439,331],krb5_cc_gen_new:182,cksum:[283,446,507,748,634],pepper2:73,path:[899,816,64,454,274,495,693,571,666,276,44,10,486,204,127],service_loc:227,interpret:[523,911,71,623,209,17,650,768,439,644],dry:425,hdata:660,alg_id:901,clientauth:816,krb5_verify_authdata_kdc_issu:182,krb5_set_default_tgs_enctyp:[106,182],precis:796,krb5_get_init_creds_opt_set_fast_ccach:182,krb5_cc_set_default_nam:[192,182],permit:[71,209,182,816,44,10,32,189,535],krb5_pac_credentials_info:598,krb5_chpw_messag:182,ovsec_adm_import:[425,44],portabl:617,krb5_enctype_to_nam:182,service_nam:644,gssrpc:331,inittab:899,get_cooki:[579,854],realm_try_domain:816,unix:[798,816,229,666,425,10],krb5_string_to_enctyp:182,brg:331,mic_token:17,txt:[425,899,495],unit:[177,331,105,454],highli:[26,579],subjectaltnam:506,describ:[798,819,459,836,899,17,415,74,718,506,646,71,768,816,101,322,324,777,780,439,666,329,331,928,44,552,105],would:[616,579,56,10,495,120,899,17,185,74,475,523,506,768,816,101,322,425,274,543,666,44,105],ldap_kadmind_sasl_authcid:[10,486,44],init:[62,611,224,227,638,415,854,702,691,45,693,929],"0x02000000":[812,412],suit:[840,899,579,204,454],datadir:454,call:[523,899,17,666,816,322,74,44,10],clockskew:[816,798,571,644,819],recommend:[899,816,454,495,26,17,425,101,105,56,44,10,486,204,23,388],krb5_free_ticket:[103,182],difficulti:475,type:[71,425,45,728,486],until:[816,617,454,71,579,17,27,425,113,74,44,718,105],gss_inquire_nam:17,krb5_expire_callback_func:[911,36],unescap:425,maxtktlif:[44,486],krb5_auth_con_setport:[451,182],krb5_c_derive_prfplu:182,relat:[425,517,816,436,506,579,666,111,276,331,693,10,495,797],notic:[10,331,56,899],toolkit:840,warn:[899,911,859,71,579,331,44,10,127],exce:[177,718],"0x00400000":353,free_str:[819,611],loss:[44,331],hole:[899,303,101,495],"0x00000100":590,unpack:26,must:[816,3,880,228,4,30,10,590,454,687,17,250,690,691,25,26,481,484,236,757,276,44,47,49,728,729,819,844,51,854,495,899,62,748,435,303,74,32,79,523,506,313,763,64,765,71,767,768,101,86,324,653,542,328,331,192,795,796,105,798,806,558,348,119,120,70,122,321,571,831,359,824,583,132,133,134,140,142,839,13,377,39,606,611,439,617,115,652,579,623,825,866,174,178,411,635,874,638,186,891,268,645,646,631,650,425,906,807,204,909,517,749,436,438,915,209,666,507,216,836,929,928,673],inputlen:183,g_compare_nam:331,word:[899,105],err:10,restor:[425,56],neglig:331,setup:[44,899],work:[71,425,728,693],krb5_verify_init_creds_opt_init:[523,521,182],server_kei:769,krb5_get_server_rcach:182,krb5_random_kei:182,rctmpdir:750,root:[798,616,64,454,899,439,816,101,185,74,56,10,32,787,120,818],"_krb5_cred_info":547,overrid:[816,71,209,425,74,44,10,45],defer:[62,17,611,691],renew_lifetim:816,bourn:899,give:[566,611,666,425,105,331,74,324,44,204,120,475],synchron:[798,899,569,148,182,816,74,757],kpasswd:[798,816,363,71,579,693,796,276,74,44,10,766,120],smtp:820,min_ver:4,indic:[71,425,74],fqdn:276,g_inquire_context:331,"0x0019":247,caution:71,unavail:[44,495,899],want:[899,71,439,227,591,666,105,44,444,204,120],pa_config_data:324,unsign:[618,455,456,554,881,639,186,718,580,362,528,651,481,918,109,376,655,599,379,538,847,102,155,92,501],krb5_keyblock:[880,844,112,738,740,11,348,70,299,180,301,248,182,144,351,73,311,371,132,323,198,485,657,606,211,673,795,507,446],crypto_test:331,enc:[798,71,579,425,886,44,10,797],end:[425,10,816,859],manipul:[44,156,517],quot:[177,71,425,676,44,552,491],ordinari:[579,204,74],keylength:607,how:[506,454,899,26,17,249,666,30,816,101,74,44,575,10,495],cname:[899,495,796,475],env:[274,506,816,148],answer:[523,816,343,182],verifi:[506,899,17,816,44,486,10],negoti:[10,579,324],krb5_mk_rep_dc:182,config:[363,859,527,454,741,579,768,816,28,138,44,840,10,78,766],client_cert:506,bindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],updat:[816,859,64,728,517,569,425,74,693,10],krb5_tc_match_flag:690,krb5_const:2,recogn:[506,71,148,816,10,787,644],outsid:[798,617],"_krb5_kt":585,x509:[506,579,644],rassen:331,after:[616,617,859,728,579,864,51,168,120,899,303,74,693,718,818,506,64,71,246,425,913,324,204,436,439,150,788,192,44,45,796,105],modprinc:[71,44,62,436,506],thisfunct:423,befor:[451,224,728,616,854,10,626,495,71,415,74,693,78,644,506,763,517,132,27,425,140,486,705,204,824,816,436,148,150,177,331,928,44,795,105],wrong:[506,439,331,436,105],krb5_cryptotyp:[554,928,36],retain:[62,728,71,638,331,185,74,44,10],core:[889,819,415,854,23],law:331,iprop_port:[10,44],sserver:429,demonstr:[74,818],krb5_principal_unparse_no_realm:491,renew_lif:[802,833],attempt:[425,780,747,436,71,521,439,17,816,276,44,559,324,10,495,643],third:[506,209,666,816,331,324],krb5_cc_last_change_tim:182,fallback_realm:691,opaqu:[252,182],bootstrap:816,credenti:[798,506,859,436,274,666,816,71,322,818,44,10,796],exclud:[425,579,101,56],alias:[798,517,71,579,139,475,44,495],maintain:[798,780,454,569,44,10,204],environ:71,incorpor:[10,780],enter:[506,899,71,768,105,918,836,74,486,44,45,120],exclus:[71,439,331],mechan:[517,71,816,322,44,10],order:[523,506,517,816,436,899,71,17,182,796,425,101,322,74,56,44,10,32,693],g10:331,origin:[523,454,71,17,768,331,74,44,495],belong:[354,796],feedback:780,softwar:[523,798,717,666,816,74],krb5_octet:[528,155,362,501,36],krb5_c_valid_enctyp:182,over:[798,10,495,899,17,880,249,182,73,74,78,311,475,523,816,101,780,209,666,44,45,507],govern:[44,331,25],becaus:[617,224,454,819,854,56,10,495,120,303,17,185,475,32,644,523,506,259,425,324,204,535,816,436,148,44],addit:[478,816,517,71,249,276,44,10,32],krb5_config:[899,64,274,133,579,816,28,45],privileg:[71,798,32],gss_c_nt_user_nam:17,keyboard:[425,44,45,182,693],enckrbcredpart:547,flexibl:[816,475],vari:[798,26,28,388,796,644],"_krb5_cccol_cursor":222,digest:[10,331],fip:579,directli:[523,478,816,899,71,17,276,44,10],clearpolici:[71,44,32],krb5_responder_set_answ:[523,343,182],fix:[425,579],krb5_cccol_lock:182,arg_keytab:[661,845],better:[44,79],krb5_deltat:[165,802,845,36,716,609,359,522],iprop:[10,579,331,64,693],krb5_responder_question_pkinit:[523,182],hidden:[523,852,140],solaris9ab:717,cred:[523,66,364,465,182,690,613],easier:[780,74],descend:617,krb5_get_init_creds_opt_set_tkt_lif:[523,182],them:[798,617,454,819,579,4,676,10,743,495,899,628,1,697,74,475,523,506,71,768,484,204,517,37,148,276,331,388,101,44,105],thei:[798,617,454,579,854,10,495,120,899,569,17,752,74,718,79,475,523,646,71,425,484,324,204,816,160,148,666,44,796,105],"0x0017":338,proce:439,safe:[816,268,666,182],slave_dumpfil:64,"break":[616,101,454],krb5_c_checksum_length:182,glorifi:4,uid_t:17,interrupt:[331,74,609],krb5_cc_lock:182,ccache_typ:816,gss_import_nam:[17,768],choic:[523,17,816,559,475,644],hhmmss:177,pkinit_dh_min_bit:[816,10],wrfile:74,newpw:[364,894,402],cb_data:[137,374],dumpfil:[425,44,454],accommod:523,lockout:[71,10,163,44],timeout:[10,209,74],each:[798,816,64,728,71,249,666,425,44,10,32,45,796],debug:[64,71,133,26,10,569],went:105,higher:[127,579,17,617],preferred_preauth_typ:816,side:[517,17,646,699,27,44],mean:[523,506,616,71,439,750,816,331,74,44,10,899,204,796,105,818],prohibit:[71,44,331],xconsortium:204,symmetri:10,autohead:204,resum:44,tlyu:[71,44],kcm_socket:816,appdata:816,lnsl:454,krb5_trace_nosupp:[857,374],nii:439,kdc_opt_renewable_ok:816,cusec:[908,731,459],service_passwd:[44,486],eku:[816,10],extract:[798,899,71,579,160,44,32],krb5_responder_pkinit_challeng:[523,653,270,36],otherrealm:816,krb5_init_creds_get_error:182,network:[798,454,56,495,175,120,899,17,185,307,475,523,646,71,772,816,101,840,276,668,609,44,45,105],log_:10,newli:[506,617,699,142,748,71,365,606,571,1,425,73,235,44,70,204,579,507,646],krb5_decode_authdata_contain:182,kdc_principal_seq:506,krb5plugin_service_locate_ft:227,content:[780,859,569,425,74,818],rewrit:27,kdb5_util_prog:64,reader:816,gov:[816,331],forth:816,wst:139,onlin:74,krb5_free_host_realm:182,inop:74,ignore_acceptor_hostnam:[816,17,475],krb5_address:[380,539,727,225,36,697,879,288,396,558,661,373,401,628],getrandom:579,situat:[10,495,650,74,666],ntt:331,free:[523,735,12,182],standard:[506,569,160,71,543,17,148,425,331,74,44,10,579],jennif:[71,44,120,105],"_krb5_pa_pac_req":771,"_krb5_responder_otp_tokeninfo":901,md4:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],md5:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],orig_hostnam:189,semfiajf42:10,workaround:475,libedit:454,argument:[523,451,538,71,693,182,425,788,74,152,44,10,45],openssh:[475,666],default_kdc_enctyp:750,openssl:[816,506,579,454,517],filter:[816,10],shrubberi:717,renew:[816,71,182,425,44,486,10],krb5_int32:[267,731,116,235,459,680,869,463,777,483,190,694,313,300,699,534,86,908,705,325,487,434,36,721,389,280,856],iso:26,unabl:[816,44,56],unknown:[98,148,818,324],regress:204,"_krb5_crypto_iov":928,onto:[816,899,101,56],licens:[26,464,454,579],user:[798,859,10,495,899,17,74,32,475,506,64,517,71,425,322,486,816,780,436,209,148,44,796],gss_ctx_id_t:[17,768],kfw:579,rang:644,entrycsn:859,render:[204,74],krb5_mk_rep:182,krb5_mk_req:[788,273,182],independ:[911,454,688,249,816,294,632],lockdown_kei:[71,44,32,579],thereof:331,restrict:[71,182,30,816,74,486,44,32],hook:182,unlik:[617,579,74,105],alreadi:[299,617,517,454,899,209,425,74,127,44,598,204,439,644],messag:[71,64],wasn:451,name_str:506,needchang:[71,44,486],agre:331,primari:[71,44,182,493],permitted_enctyp:[816,249],krb5_get_fallback_host_realm:182,krb5_auth_con_initivector:182,gss_mech_interpos:768,top:[617,204,26,127,45,495],krb5_rd_priv:[873,182],kern:10,evolut:579,noout:506,fiction:4,travers:[425,44],krb5_kt_get_entri:182,master:[859,64,71,133,569,486,425,693,45],too:[824,763,208,132,795,424,71,130,44,348],krb5_realm_compar:[735,182],similarli:[798,676,119,105],krb5_cc_copy_cr:182,recent:[258,728,17,249,182,425,56],dict_fil:[10,693,457],outag:495,listen:[899,64,579,693,10,45,495],consol:10,randkei:[899,506,71,579,74,44],krb5_ldif:859,gss_c_buffer_flag_alloc:17,tool:[425,44,517],keytab_fil:644,noninfring:331,an2ln:[816,611],task:[523,538,74],somewhat:[506,27],nokei:[71,44,506],clpreauth_mymech_initvt:4,keyid:506,target:[899,617,579,17,816,324,32],keyword:[177,816],generalstr:506,provid:[798,617,454,718,287,819,495,120,899,17,571,249,638,475,693,889,521,579,523,506,71,643,816,101,204,517,780,439,148,666,150,276,331,44,45,929],verto:[331,454],gic_opt:415,krb5_address_compar:182,tree:[44,780,517,859,899],krb5_pac_server_checksum:598,cppflag:454,project:[780,454,579,4,331,304],matter:[816,56],nctx_out:142,getprinc:[436,71,579,425,74,44],krb5_checksum:[403,507,182,446],conf_keyfil:[44,486],minut:[816,825,486,27,177,105,216,44,10,120],krb5_encrypt_block:[223,421,36,723,262,529,900,860,914,612,823],userprincipalnam:10,lawyer:331,close:[460,101,89,546,182],boston:495,pass:[857,115,454,227,51,168,736,559,402,10,626,204,17,186,359,757,644,74,645,844,763,132,768,653,374,31,824,816,39,915,209,666,317,47,795,439,673],eventu:495,keyinfo:425,compon:[523,506,455,17,635,182,319,816,881,676,666,589,32,475],raw:[10,204],seed:[403,643,283,836],manner:331,increment:[64,569,74,693,10,32],"_krb5_pa_server_referral_data":221,slaptest:859,incompat:[889,816,204,454],minu:10,gss_krb5_get_cred_imperson:[579,17],krb5_replay_data:[268,524,825,36,736,836,216,255],pkinit_eku:816,realm:[798,859,64,71,133,486,425,322,74,693,32,45,818],pkinit_anchor:[506,71,816,44,10,644],delegated_cred_handl:17,new_mkey_fil:[425,44],latter:[517,18],thorough:495,kpasswd_serv:[276,816,495],contact:[816,617,64,609,71,133,520,276,702,44,10,495,23,74],krb5_set_principal_realm:[735,182],krb5_copy_address:182,output_cr:17,get_cr:523,expens:436,safe_checksum_typ:816,sock_dgram:227,though:[204,74,105],usernam:[506,867,899,71,209,17,816,105,576,44,644,818],kdb_log:331,glob:[71,44,425,798],object:[517,425,71,816,486,10],what:[816,543,17,27,4,457,425,415,854,74,44,10,32,120,249,105,475],last_success:425,regular:[506,899,439,17,816,74],letter:[899,495,105],eavesdropp:27,phase:439,choos:[517,74],authdatum:375,tradit:[425,436],cksumtyp:[603,273,248,387,748,678,92,311,507,760],ad_typ:[438,362,324],don:[617,454,439,818,117,204,120],krb5_auth_con_set_checksum_func:182,"0x00000004":[792,178,772],unpleas:74,"0x00000008":[203,668,767,16],lose:[425,44],lpr:10,doe:[798,617,454,819,623,496,10,348,705,120,899,17,635,74,130,691,521,475,523,506,646,64,71,136,768,425,878,376,204,816,712,439,160,331,611,44,45,105],declar:17,probabl:[899,425,74,44,204,818],wildcard:[787,10,32,579],krb5_auth_con_setaddr:[451,182],left:[816,10,4,317],sunwaadm:717,profile_vt:819,gss_get_mic_iov:17,random:[798,899,816,71,182,425,74,44,10],radiu:[10,209,579],pkc:[816,119],kerber:[899,439,74,796],krb5_anonymous_princip:182,kdc_err_more_preauth_data_requir:579,addr1:[288,396],protocol:[816,728,71,17,182,276,74,831,44,495],priv:182,involv:[816,854],consolid:780,arcfour:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],layout:[28,17],acquir:[71,44,17,425,182],rcach:[524,736,836,589,460,546],delet:[798,816,728,71,425,139,486,32],tty04:10,maxfailur:[71,44,436],configur:[71,569,486,693],bind_dn:71,krb5_checksum_s:182,auth_gssapi:[71,44],busi:331,ldap:[71,693,425,96,486,45],krb5_c_is_keyed_cksum:182,folder:816,pwservic:10,serv:[816,44,579,693],incorrect:[436,689,105,526,495,120],klein:331,likewis:439,stop:[45,4,693],compli:331,pcred:524,krb5_copy_data:182,db_module_dir:[10,517],cryptographi:74,report:[579,27,425,475,644,840,23],pa_hardwar:854,net:[816,331,717,23],qop_stat:17,bar:[425,816],g_export_nam:331,relianc:816,krb5_principal_compare_any_realm:[735,182],baz:816,"_krb5_responder_pkinit_ident":775,cleanli:579,bad:[899,822,126],pkinit_kdc_hostnam:[816,506],max_renew_lif:425,krb5_k_make_checksum:[507,182],gss_c_both:17,testdir:148,krb5_build_princip:[523,735,182],respond:693,policy_nam:[44,486],human:[177,579,111],krb524:816,output_nam:768,padl:331,securid:[579,595],krb5_is_thread_saf:182,datatyp:156,num:569,mandatori:[603,748,634,248,387,311,507,446],result:[523,299,780,17,859,506,712,134,148,844,182,816,517,73,74,44,880,495,822,798,673],krb5_process_kei:182,respons:[618,392,854,345,239,562,637,69,572,364,415,186,693,76,644,523,506,586,71,640,520,27,34,911,691,331,44,546],corrupt:[425,44,579,56],themselv:[425,44],db_librari:[10,859,517],best:[899,74,475],subject:[506,780,816,331,44,10],awar:324,iterator_fre:819,stashfilenam:[425,44,486],authto:509,krb5_crypto_type_data:[387,248,311,603],remote_port:628,databas:728,krb5_verify_init_creds_opt:[523,575,521,205,36],krb5_set_default_realm:[451,182],discoveri:[899,796],gss_c_nt_machine_uid_nam:17,fail_count:425,xvm:74,simplest:[617,17,204,666],allow_tgs_req:[71,44],awai:[120,148,74,105],krb5_kdcpreauth_modreq:854,approach:17,include_pac:771,attribut:[506,569,859,517,71,209,486,249,425,322,44,10,32,816],accord:[566,504,71,209,395,650,768,816,28,324,44,32,439],extend:[816,10,859,182,506],krb5_pac_fre:182,change_tim:[451,238,258],ccach:[71,148,182,126,44,89],weak:[816,10,148,74,249],sysdoc:717,extens:[506,579,17,768,831,127,495],harvard:331,preprocessor:454,extent:[579,331],entryuuid:859,toler:816,pkinit_ident:[816,10,506],k5login:[766,752,666,816,439,120],krb5_init_secure_context:[627,182,866],protect:[798,506,268,749,436,579,17,249,27,425,101,836,831,119,79],g_imp_sec_context:331,expos:[523,71,439,425,528,74,44,644],ss_lib:454,howev:[101,506,816,436,71,495,425,331,74,56,44,10,204,796,105],encrypted_challenge_ind:[10,579],krb5_responder_pkinit_get_challeng:[523,182],against:[523,899,825,699,375,728,259,634,571,182,816,74,216,666,10,495,446],krb5_tc_match_srv_nameonli:690,krb5_auth_con_getkey_k:182,logic:495,countri:331,mkeyvno:[425,44,486],com:[859,148,569,10,495,120,566,185,475,579,506,517,71,816,139,322,425,436,717,666,787,331,44,105],compromis:[616,617,816,101,74,56],server_str:111,rcommand:261,default_realm:[899,819,666,816,691,796],data_length:655,foobar:[495,185,454],int32_t:549,iterator_cr:819,loader:454,krb5_cc_store_cr:182,written:[331,71,160,851,693,78],exemplari:331,guid:[798,163],assum:[565,299,451,922,26,17,249,816,73,74,644,10,78,899,495,209,105,388],summar:565,sclogin:10,duplic:182,reciev:1,krb5_string_to_timestamp:182,byacc:454,failuretim:[71,44],krb5_enctyp:[452,225,106,554,734,55,172,607,872,70,299,533,875,351,144,183,22,759,823,661,900,367,138,372,413,600,380,36,715,606,150,317,655,92,829],fri:569,three:[646,436,579,249,74,324,495,105],been:[565,299,617,816,436,579,752,768,27,425,331,74,44,889,10,105,818],beep:[388,105],anl:816,keyspac:74,interest:[816,27,436,750],realmnam:[523,506],token_id:901,gss_krb5_nt_principal_nam:17,allow_dup_skei:[71,44],nofail:523,krb5_cccol_have_cont:182,life:[71,44,32,644,486],rather:[101,816,617,618,798,71,495,693,768,425,566,186,130,44,10,486,45,204,644,475],krb5_princ_nomatch:[424,319],krb5_auth_con_getkei:182,encourag:816,suppress:[454,71,439,650,425,388,44,10,579],s4uself:10,worker:45,search:[816,10,486,182,44],telnet:[816,261,439],anywher:120,pkinit_require_crl_check:[816,10],krb5_prompt_type_preauth:594,ldif:859,krb5_unparse_name_flag:[735,182],krb5_const_point:[403,262,223,283,36],sender:[268,825,836,216,190],krb5_425_conv_princip:182,ident:[71,10],appl_vers:[699,646],gnu:[579,331,204,475,454],servic:[728,64,71,818,486,45],properti:[816,766,331],commerci:[816,506,331],session_enctyp:[71,44],krb5_no_2nd_tkt:424,vagu:454,anchor:[816,10,644],keytyp:45,spawn:693,ulog:[10,44],kadmind_port:[10,899,693],printabl:[236,243],mexico:331,kdcproxi:276,tabl:[71,44,425,182],userpolici:[44,486],iov_count:17,disjoint:780,gssapistrictacceptorcheck:475,krb5_cc_select:182,conf:[798,478,780,859,64,728,71,133,569,486,96,425,139,322,74,56,693,429,32,45,818],module_nam:816,sever:[798,506,617,454,71,495,27,816,44,322,324,840,10,204],krb5_kt_start_seq_get:[624,182],disabl:[454,579,249,168,10,626,495,899,752,74,242,475,506,71,816,374,204,274,148,666,329,44],intact:331,target_princip:32,incorrectli:105,perform:[899,816,517,71,693,425,818,486,44,10,32],suggest:[780,911],make:[798,859,56,10,495,899,17,249,182,74,818,506,517,71,425,101,816,780,436,148,666,607,44,796],camellia:[10,579],bunni:495,default_tkt_enctyp:[816,249],krb5_principal2salt:182,disable_lockout:[10,436,517],krb5_princ_set_realm:2,complex:579,split:[71,579,495],big:[303,566,768,324],gss_unwrap_iov:17,return_pwd:918,complet:[122,17,816,646,765,864,134,571,246,425,74,44,10,486,156,495],uninterrupt:74,unlockit:[71,10,44],evid:17,rfc4120:276,krb5_k_reference_kei:182,keydata:425,pick:[10,204,506],hand:[44,74,899],idea:475,"0x0101":753,"0x0100":[782,263],"0x3":776,tune:495,squar:[816,10,666],gss_verify_mic_iov:17,g_glue:331,kept:[71,10,101,56,44],krb5_init_creds_set_keytab:182,scenario:[579,74],kprop:[425,429,693],thu:[44,439,27,454],default_profile_path:750,inherit:[439,120],krb5_boolean:[18,587,867,496,401,172,512,513,413,875,634,248,72,360,131,396,370,266,36,37,916,387,924,793,446],client:[798,478,517,274,249,666,816,71,322,74,44,10,818],shortli:[796,120],rekei:74,thi:[816,455,228,231,881,9,460,12,413,244,730,465,17,248,249,250,690,589,569,257,258,634,697,643,485,703,486,707,488,558,712,273,37,274,280,44,45,49,504,728,506,844,51,509,846,736,738,56,10,740,899,742,495,299,747,749,66,1,71,73,74,693,32,70,311,523,524,313,763,64,82,350,101,86,246,778,90,780,95,192,655,103,795,796,798,800,106,108,342,111,112,113,720,652,348,727,568,351,335,729,125,818,359,863,578,822,475,371,132,365,366,925,145,662,379,603,845,39,606,148,150,387,609,613,546,614,115,859,414,195,167,891,169,172,624,405,628,408,627,179,527,411,880,182,183,886,186,757,189,419,268,134,748,648,424,323,425,924,657,430,824,517,911,630,436,438,915,209,805,666,919,920,670,218,836,446,507,673],gss_inquire_cr:17,programm:543,preauthent:[163,71,666,816,322,44,10],krb5_is_referral_realm:182,gss_c_buffer_type_mic_token:17,"0x00080000":461,unchang:[71,798,439,74],lr_type:505,identifi:[268,816,45,364,589,665,666,250,734,331,797,693,325,79],just:[798,899,617,816,647,750,439,17,425,415,185,74,44,10,268,204,796,105],krb5_bad_enctyp:[655,252],"_kerbero":495,via:[523,899,780,816,64,436,71,182,425,44,10],addent:[579,139],krb5_auth_con_setsendsubkey_k:182,yet:[899,617,816,454,425,475,889,44,105],previous:[71,44,17,425,182],"0x00000010":[816,687,862,865],easi:[105,436,74,56],krb5_principal_parse_require_realm:635,interfer:204,krb5kdc_err_key_exp:609,had:[899,666,425,185,105,44,120],admcil:32,"0x00010000":[298,7],newest:44,els:[439,120,105,4,899],save:[506,566,671,16,579,854,116,267],hat:331,opt:[800,802,729,108,230,559,55,747,409,831,821,578,522,523,648,82,373,143,535,710,911,540,37,543,791,281],applic:[780,818],rev:[425,44],preserv:[425,44,331],donat:[44,331],vaniti:475,filesytem:506,euid:[816,28],database_nam:[10,899,44],krb5_tkt_creds_init:[739,182],krb5_get_init_creds_opt_set_etype_list:182,measur:718,daemon:[229,64,816,44,10,32],herebi:331,ctime:[908,731,459],specif:[478,517,899,71,693,249,816,74,44,10,32,45],arbitrari:[71,44,17],uint16_t:814,moira:331,manual:[899,780,454,425,44,45,204,796],unstabl:224,krb5_ccselect_moddata:702,krb5_c_keylength:182,v4_instance_convert:816,unnecessari:44,krb5_mk_1cred:182,kdc_max_dgram_reply_s:10,underli:17,www:[517,579,717],right:[824,763,464,132,486,331,44,10,32,795,928],old:[798,506,747,728,899,71,579,816,212,27,425,74,44,10,38,120],deal:[617,331],interv:[899,64,436,71,177,44,718],krb5_principal_compare_flag:[735,182],intern:[484,209,73,148],kadm5:[71,425,693,478],indirect:331,successfulli:[523,911,436,71,17,861,425,818,575,44,59],"0x80000000":[674,291],krb5_no_tkt_suppli:[424,319],transmiss:56,insensit:[177,426,495,513],abort:[601,745,227],wicker_foot:4,normal:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],krb5_auth_con_setrecvsubkei:[451,182],dbname:[71,44,45,425],buffer:[165,130,208,17,182,150,39,836,186,172,44,760,348,600,673],krb5_k_encrypt:182,equal:[798,303,439,579],krb5_prompt_type_new_password_again:594,icr:17,timestampp:785,foo:[71,425,816,798],localhost:798,gss_iov_buffer_type_data:17,krb5_princ_siz:[441,2],gss_s_unavail:17,insecur:[101,17,495,74,660],pose:74,delold:[74,728],key_exp:325,krb5_cc_cache_match:182,promot:[331,74],repositori:127,krb5_typed_data:36,post:182,timeret:744,plug:331,krb5_kt_get_nam:182,sshd:816,sasl_authzid:71,alexand:331,unpars:[17,182],seqnumb:[313,86],slightli:454,appplic:182,simul:439,gss_accept_sec_context:[579,17,768],canonic:[816,798,796,517],cipher:[816,74,182,249],keyprocarg:734,commit:[569,331,224],krb5_auth_con_getremotesubkei:182,krbprincipalnam:517,free_valu:819,krb5_c_block_siz:182,telephon:331,almeida:331,authfrom:509,preauth:[33,579,882,415,854,324,10],krb5_tkt_creds_get_cr:[739,182],init_cr:523,deploi:[506,209,204,475],encod:[523,275,816,182],default_principal_expir:[177,10],libev:331,down:[495,27],creativ:331,ad_kdcissu:[405,375],formerli:286,wrap:44,info2:579,storag:[523,49,697,465,165,228,182,172,628,600,760],compile_et:454,accordingli:204,allowedkeysalt:[71,44],wai:[617,606,454,108,559,495,120,787,17,889,127,718,523,646,579,816,160,666,177,331,611,44,105],support:[71,425,45,693],transform:454,disable_last_success:[10,436,517],avail:[816,71,425,139,74,10,818],reli:[798,899,454],krb5_pac_init:182,editor:780,krb5_c_random_add_entropi:182,telegraph:331,fork:[899,439,45],head:816,iprop_resync_timeout:[10,44],disallow_forward:[44,486],form:[798,616,617,579,623,10,495,565,899,17,250,820,644,268,71,530,816,836,236,705,787,780,274,666,276,331,388,44,922],offer:454,forc:[64,436,71,569,486,816,74,192,44,10,32,495],x509_anchor:[816,644],refcount:579,back:859,krb5_k_create_kei:182,k5login_directori:[816,666],admin_serv:[899,64,71,816,44,10,495],krb5_init_context:[627,182],"true":[569,396,867,496,401,172,10,512,513,413,875,17,18,249,72,185,74,575,360,475,506,131,731,816,370,587,771,266,517,911,436,209,148,916,44,793,796,797],freenod:23,reset:[523,436,71,579,920,374,44,569],absent:644,attr:[82,517,882],ldap_kdc_sasl_authcid:[10,486,44],wicker_slat:4,inquir:[71,44,32,798],passwd_phrase_el:[445,36],maximum:[523,816,798,71,486,796,425,105,918,854,74,44,10,376,45,495,718,644],tell:[543,105,693,45,204,120],inaccur:816,gss_export_cr:17,fermi:331,absenc:[523,10],mitiys4k5:899,distclean:204,autoconf:840,retir:96,"30m":177,trim:[39,673],later:[831,566,718,303,17,148,249,611,44,331,475,192,691,10,32,495,119,796],alongsid:899,hardcod:[819,617,160],chrand:[71,44],decrypt:[436,71,17,182,44,873],sale:331,outcr:630,ipropd_svc:331,exist:[523,899,780,816,728,436,517,71,17,182,425,666,101,74,486,44,10,78,863,798,827],krb5_cc_get_nam:182,request:[798,816,64,517,71,569,693,425,322,74,44,10,32,45],getusershel:439,check:[506,666,899,17,182,816,125,818,44,10,430,690],maxpathlen:110,courtesan:331,vista:[579,249],gss_c_no_credenti:17,encrypt:[798,728,71,425,74,56],kadm5_pass_q_:457,inauthdat1:631,krb5_get_in_tkt_with_skei:182,when:[224,454,455,457,231,676,10,12,730,17,249,250,690,691,255,23,74,699,27,28,702,705,30,715,493,40,749,276,309,317,722,44,45,727,819,51,509,293,738,56,511,743,495,899,748,435,609,1,562,144,519,693,491,523,506,64,71,768,322,324,89,816,538,543,160,546,787,192,103,552,105,798,800,106,108,111,112,559,119,120,70,565,568,569,571,572,818,359,475,825,371,365,589,918,925,142,127,662,734,845,606,148,386,852,388,611,92,613,209,617,579,395,864,866,740,919,873,408,527,879,635,881,252,891,189,644,645,366,646,631,648,422,650,769,246,425,905,907,657,660,517,630,876,438,439,688,666,796,836,507],actor:32,database_modul:[10,859,517],krb5_free_error:182,test:[71,569,816,74,44,45,818],krb5_c_crypto_length_iov:182,roll:44,"0x40000000":[544,336,724,774],realiti:780,krb5_get_default_realm:182,bullopensourc:717,intend:[523,71,439,17,148,852,44,45],krb5_plugin_vt:4,kdcpreauth_plugin:854,g_dup_nam:331,center:[840,45,331],outreach:74,krb5_pac_sign:182,muse:331,consid:[780,454,259,148,27,816,74,324,495,796],easili:[899,579,204,74],krb5_c_random_to_kei:182,"_krb5_respons":586,camellia128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],lsocket:454,lastpwd:425,modpol:[71,44],longer:[454,455,30,231,676,12,730,17,250,690,589,255,699,876,705,715,493,40,309,317,722,44,727,734,293,738,511,743,495,748,749,688,1,144,519,32,491,89,538,103,796,105,106,108,111,112,70,568,571,572,359,825,371,365,366,836,142,509,630,606,386,92,613,395,864,866,740,919,408,527,879,635,881,252,891,189,644,645,646,631,422,769,246,905,907,657,660,662,438,552,925,507],furthermor:[331,74,911],libldap2:859,krb5_k_decrypt:182,pseudo:182,flag:[523,816,257,728,436,517,71,17,182,425,666,74,486,44,924,10,32,495,796],krb5_c_fx_cf2_simpl:182,krb5ccname:[565,617,274,922,439,650,388,192,644],pathnam:[506,816,64,750,160,666,276,693,44,204],srvtab:[139,160],time:[798,451,859,728,569,10,495,899,17,74,32,506,517,71,425,486,816,780,436,209,148,666,44,45],g_delete_sec_context:331,backward:[816,899,650,249,64],daili:74,krb5_string_to_cksumtyp:182,iprop_slave_pol:[10,64,44],mydomain:10,relai:45,chain:[816,10],krb5_get_credenti:182,skip:[575,44,521,454,506],krb5_kpasswd_autherror:364,global:[517,527,274,486,182,816,44,10,78,32],newprinc:[71,44],gss_c_deleg_policy_flag:579,signific:436,supplement:10,netbsd:[579,331],extendedkeyusag:506,hierarch:[816,579,693],decid:[899,911,495,105],hold:[617,165,749,71,17,883,878,172,600,760],depend:[523,606,243,454,26,17,4,457,28,120,236,530,495,119,105,796],zone:[177,495,74],pem:[276,506,816,322,517],decim:[425,17,324],readabl:[798,616,816,579,160,111,177,101],lkrb5:543,krb5_wrap_error_messag:[141,182],decis:163,umich:331,"0x000f":[151,581],downtim:74,"0x000d":418,"0x000e":779,aspx:717,"0x000c":[903,200],oid:[579,17,768,666],keyindex:425,iakerb:579,sourc:[780,45],string:[523,506,816,899,71,209,17,249,182,425,322,666,486,44,10,32,495,798],impend:523,krb5_kdc_rep:[380,661,225,36],auth_to_loc:[816,666,611],krb5_salttype_to_str:182,netlib:454,feasibl:899,implicitli:816,condit:[506,439,331,395,579],ok_as_deleg:[71,44],exact:[517,26],local_realm:439,krb5_responder_pkinit_ident:[320,36],"0x00000020":[834,13,704],hour:[439,486,177,105,44,10,32,796,120],"0x0008":[306,484,622,85],"0x0009":[659,327],did:[899,319,424,105,259],mkeynam:[425,44,45],"0x0004":[416,808,84,838],"0x0005":[790,245],"0x0002":[93,385,357,871,906,128],"0x0003":[770,358],"0x0000":588,"0x0001":[917,302,700,458,234,428,542],item:[37,517,484,854],unsupport:[506,454],representaton:640,team:23,cooki:477,drop:579,libkdb5:929,round:[579,854],dir:[565,506,617,454,274,922,816,28,388,10,644],in_data:[365,1,646],prevent:[5,816,224,728,792,71,579,1,27,249,276,331,644,44,10,32,45,120,475],slower:74,yyyi:177,size_return:918,desir:[583,227,454,365,17,666,535,559,74,44,348,439],krb5_cc_move:182,"_krb5_get_init_cr":833,plu:[10,439,105],sign:[506,71,17,148,182,816,101,44,10,32],"_krb5_last_req_entri":505,no_host_referr:[10,495],kadm5_auth_restrict:62,containerref:[44,486],btree:[425,44],port:[798,899,64,274,133,209,693,816,71,818,44,10,45],master_key_typ:[899,425,44,74,486,10],pw_expir:425,portnum:45,appear:[523,506,899,148,4,331,74,324,10,495],often:[517,204,160,666,475,44,889,10,495,796],krb5_cc_dup:182,repli:[618,249,168,800,854,626,59,566,572,415,73,186,921,644,818,523,424,84,911,140,35,861,852],krb5_get_init_creds_opt_set_proxi:182,systest:[71,44],remain:[451,617,911,224,71,303,17,193,718,425,331,854,74,44,693,10,439],krb5_get_init_creds_opt_alloc:[523,182],current:[816,728,666,517,71,569,182,425,192,139,74,64,44,10,495,475],sinc:[798,506,517,71,1,182,816,818,56,44,74],wors:816,subdomain:[787,495],krb5_appdefault_str:[125,182],an2ln_typ:611,va_list:[580,182,881],myrealm:523,deriv:[182,425,74,44,10,795,673],pkinit_allow_upn:[816,10],gener:[798,728,436,569,249,816,101,74,56,44,10,32,818],krb5_responder_context_st:530,satisfi:204,explicitli:[451,62,224,454,899,37,579,666,71,638,74,44,32,105],modif:[899,816,569,182,425,32],address:[798,451,780,182,816,475,44,10,495,796],k5srvutil:429,along:[780,209,928,617,454],krb5_responder_otp_set_answ:[523,182],wait:[10,495,64,44],box:209,krb5_kt_free_entri:182,susec:459,rlogin:439,checksum:[816,17,182],sscope:[44,486],master_key_nam:[425,10,44],queue:[10,331],kcm_mach_servic:816,behav:[454,71,17,481,575,718],krb5_chpw_fail:609,extrem:71,bob:[439,185],output_payload_buff:17,commonli:[148,64],semant:523,regardless:[425,816,32,17],stduser:44,extra:[44,26,495,110,32],modul:[71,425,693],prefer:[160,71,108,17,816,475,691,44,579],expdat:[71,44],leav:[71,666,101,74,44,495,796],krb5_responder_question_password:523,fake:[523,816],marker:324,instal:[798,859,163,666,816,818,56,44,74],krb5_copy_authent:182,random_data:299,password_changing_servic:[71,44],old_cod:[38,141],memori:[17,148,449,182,455],sake:439,wicker:4,athent:609,univers:331,visit:105,live:[425,4],book:[798,579],criteria:[506,617],msg:399,scope:[44,486],strdup:819,kbd5_util:44,challeng:[523,10,816,182],tightli:[616,101,74,666],athena:[798,899,454,71,819,486,666,816,331,105,101,44,10,32,120,74],krb5_mk_req_extend:[365,182],gssi_:768,log_daemon:10,afford:101,peopl:10,rlen:[538,881,580,455],ctype:[725,283,587,403,512,360],src_ctx:510,krb5_pac_get_buff:182,prototyp:[840,4],examin:[816,506,415,854],"_krb5_pwd_data":445,ap_opts_use_session_kei:1,libpam:717,allow_tix:[71,44],subschema:517,default_kdb_fil:750,"_krb5_pa_svr_referral_data":305,runstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],prepar:[873,182],ldap_kerberos_container_dn:[10,859,517],uniqu:[71,798,182],cat:425,descriptor:[257,699,646,235],krb5_responder_pkinit_flags_token_:119,preauth_plugin:[415,854],old_princip:71,can:[224,454,227,4,457,233,10,17,249,130,691,259,26,27,702,486,705,30,32,274,676,276,44,45,728,638,294,56,743,59,899,62,752,74,693,757,521,523,506,64,71,768,530,101,322,324,425,780,160,177,192,796,105,798,569,343,120,566,475,575,127,632,139,836,374,478,148,611,854,439,617,859,579,395,495,415,889,718,644,648,816,204,517,436,664,739,209,861,666,218,929],inadequ:148,purpos:[899,454,249,816,331,520,10,45],logon:[10,598,541],krbdev:23,sighup:[45,148],cred_usag:17,stream:[899,64,209,17,818,10],krb5_kt_client_default:182,curri:798,krb5_authent:[876,182],backslash:676,topic:780,spi:768,keyusag:506,kdclist:899,host_realm:691,surround:666,sharp:32,krb5_kei:[778,408,182,919,925,703],k5_random_kei:[144,299],krb5_respons:36,krb5_get_error_messag:182,alwai:[798,451,167,116,10,460,347,495,243,244,303,475,152,78,74,816,324,267,919,213,788,924,44,45,449],lxml:127,multipl:[798,617,579,4,854,10,495,899,17,74,644,523,506,71,27,768,816,322,204,517,436,274,209,666,787,79,44,45],strlen:[523,17],krb5_pa_server_referral_data:36,ch06s05:717,modulenam:816,sharealik:331,write:[899,617,517,816,64,436,857,819,579,27,666,425,139,852,780,44,10,45,535],till:34,anyon:[185,120],krb5_keyusage_pa_sam_challenge_trackid:550,aklog:924,eight:796,krb5_verify_checksum:182,krb5_is_config_princip:[735,182],map:[816,899,796,666],product:[899,331],krb5_kt_end:807,prof_no_rel:819,krb5_us_timeofdai:182,southern:331,usabl:182,sni:579,appnam:[125,430],membership:523,keyfilenam:816,xore:[816,571],mai:[798,1,922,224,454,729,571,579,51,30,168,439,800,854,475,10,626,495,120,565,899,62,750,31,303,17,18,249,861,415,73,74,691,889,32,521,79,388,523,506,646,64,517,71,643,27,768,425,484,819,324,705,204,787,379,816,911,436,39,274,638,209,606,148,666,796,177,438,331,23,644,44,45,923,335,105,673],underscor:[816,331],mcred:690,krb5_unparse_name_ext:182,man:[71,816,780,27,454],for_us:650,regularli:[495,56],gethostnam:[17,475],practic:[523,39,579,816,74,673],rep_cksum:221,failurecountinterv:[71,44,436],stdin:852,explicit:[517,666,816,74,32,495],kldap:[10,859],krb5_expand_hostnam:182,inform:[859,71,133,569,425,693],"switch":[229,74,666],preced:[439,816,74,45,495,303],combin:[798,64,71,17,249,182,44,10],block:[10,74,182],anoth:[351,71,148,182,816,101,56,44,9,10,495],outaddr:727,untest:454,ordinarili:[911,728],talk:27,ssh:[798,796],krb5_get_init_cr:[380,559,535],denot:[177,425,32,566],"_krb5_typed_data":651,anticip:[495,796],krb5_auth_con_getrecvsubkei:182,changeov:899,acl_fil:[10,32,899,64,693],pkinit_revok:[816,10],krb5_timestamp:[451,238,504,505,731,459,258,463,883,279,586,259,769,878,29,908,325,34,36,664,785,744,851,190,280,156,221,856],opensc:816,lss:454,key_stash_fil:[425,10,899,44],size_t:[725,223,165,283,678,172,403,150,533,248,883,183,311,694,763,132,262,367,835,878,905,600,824,603,829,149,607,387,317,655,760,795],still:[741,899,816,436,71,495,439,650,614,796,425,101,74,693,44,45,204,579,644],pointer:[451,1,224,227,4,457,558,293,854,802,62,321,243,411,335,17,572,415,126,756,310,523,524,192,631,481,594,702,374,325,891,660,538,277,785,399,547,343,879,928,929],keysalt:[71,798,728],dynam:[329,816,62,4,819],entiti:[17,331],fsanit:454,conjunct:650,unswapp:617,group:331,krb5_auth_con_getlocalsubkei:182,cygnu:[597,331],polici:[816,71,486,425,322,693,10,32],default_tgs_enctyp:[816,249],othernam:506,slotid:816,kadmin:[429,728],handle_out_of_space_error:17,platform:[617,454,26,718,913,204,579],window:[768,816,617,894,819,579,249,4,27,276,402,840,666,24,855,339,105,219],krb5_rd_safe:182,mail:[10,617],krb5_init_context_profil:182,main:[274,653,23,47],gss_c_null_oid:17,krb5_cccol_unlock:[113,182],krb5_error:[907,169,646,568,75],krb5_ticket:182,non:[451,115,1,728,729,248,579,844,30,734,559,402,741,303,634,571,18,71,74,78,644,506,763,646,748,259,132,643,816,324,32,824,894,911,39,439,861,796,387,44,446,795,543,507,673],within:[798,899,395,436,274,495,17,182,816,71,44,10,89],g_acquire_cr:331,krb5_set_kdc_send_hook:182,krb5_tkt_authent:36,supersed:[45,74],initi:[899,436,517,71,249,816,818,486,44,74],nation:331,underneath:517,therebi:185,krb5_auth_con_get_checksum_func:182,nlgilman:818,now:[506,845,64,899,84,74,359,495,105,609],discuss:[889,899,331,27,23],nor:[565,816,439,331],possess:105,outweigh:27,sequenti:182,term:[506,617,71,579,160,148,249,415,331,854,74,44,562],subkei:182,x509_user_ident:[816,322,644],krb5_cc_notfound:[164,395,89],simpl:[99,73,818,56,486,44],didn:[818,666],krb5_authdatatyp:[292,275,362,438,36],crypto:[379,583,533,454,579,816,331,74,840],separ:[816,780,517,274,38,486,212,666,425,71,676,484,322,44,218,10,32,45,495],krb5_auth_con_getflag:182,rock:[415,854],januari:[177,44,718],princ_tktpolici:425,ters:[71,44],compil:[780,454,750,543,579,439,331,204,26],failov:495,domain:[798,506,899,209,796,816,818,10,495,579,105],replai:[274,17,182],minclass:[71,44],regener:127,replac:[223,859,454,860,900,899,533,225,180,303,415,308,580,823,421,661,71,262,529,816,701,486,914,380,926,211,666,331,644,44,723],individu:[10,569,331,105],krb5_nt_srv_hst:[705,319],continu:[899,566,728,439,425,331,56,579],lookasid:454,ensur:[523,506,517,611,899,691,861,113,74,56,44,9,10,798,59,105],"0x4000":584,krb5_c_encrypt_iov:182,year:156,distributor:331,happen:[899,71,148,56,44,10,495,105],in_length:[403,283],g_seal:331,shown:[816,10,617],accomplish:44,gss_release_iov_buff:17,"0x0018":[296,157],space:[506,583,115,844,208,71,38,26,39,880,212,481,177,918,322,475,130,10,652,348,673],profit:331,precomput:182,krb5_prompter_fct:[359,609,36],bindpwd:71,krb5_last_req_entri:[325,36],"0x0010":[97,681,489,843],"0x0013":[532,877],"0x0012":[52,181],profil:[816,10,478],setstr:[71,322],"void":[726,49,560,802,692,819,374,228,805,168,846,169,800,510,55,9,626,63,59,121,60,558,627,747,179,409,411,17,488,125,886,430,152,279,22,756,378,38,522,399,575,523,227,332,648,195,729,482,137,321,373,141,265,359,350,241,143,145,205,270,710,90,905,911,540,437,915,916,95,861,212,849,788,815,852,609,791,670,923,104,158,281],internet:475,libkrb5:[816,17,718,666],krb5_parse_nam:[523,735,182],correct:[45,74,693],krb5_const_princip:[571,228,405,513,527,730,259,18,72,130,78,491,131,481,769,370,109,266,431,36,715,218,552],she:[185,105],earlier:[899,249,30,816,611,10],krb5_kdcpreauth_moddata:854,"goto":523,pwexpir:[71,44,32],migrat:[44,579,148,74],chl_out:653,krb5cc_ttypa:105,envelop:[151,779,418,903],krb5_cc_resolv:[712,182],request_tim:586,return_padata:854,california:331,lab:[44,331,486],gss_c_no_nam:17,org:[517,579,717,816,331,185,486,44,204,127,23],"byte":[523,17,182,183,10,673],sunw_dbprop_master_ulogs:44,card:[71,10,816,44],care:[71,17,666,74,889,44,32],from_mast:[28,64],suffici:[71,44,74,454,486],g_inquire_nam:331,where:[798,617,454,579,4,56,10,495,566,17,250,74,693,718,644,523,64,517,71,133,26,27,425,705,204,816,439,160,666,44,105],sysconfdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],refus:[899,74,818],recov:[425,44,415,579],turn:[798,436,64,439,816,918,852,454,796],gssi_import_sec_context_by_mech:768,place:[523,451,64,728,506,17,249,182,816,101,74,693,666,45,495,796],reject_bad_transit:10,principl:471,"0x001a":406,imposs:[44,436],frequent:[475,495,74,796],first:[451,618,454,455,569,288,396,51,374,800,475,10,495,513,899,566,413,303,17,249,638,186,691,127,32,818,506,25,631,131,71,589,27,87,425,370,918,322,324,266,204,816,517,439,160,666,787,331,928,192,611,44,105,929],oper:[798,517,728,71,569,486,816,74,693,10,32,45],redhat:579,carri:71,onc:[523,899,617,227,816,224,749,71,17,27,425,918,74,44,798,204,120,526],arrai:[71,523,209,17,182],tokeninfo:[516,835,435],yourself:105,acquisit:[17,743],rpcbind:44,fast:[816,10,209,182,506],yarrow:579,oppos:506,custom:[816,28,579,127,929],open:[523,425,182,816,218,44],predefin:495,size:[506,569,148,182,816,44,10],ret_as_repli:[380,225,661],given:[728,10,495,299,12,182,250,125,74,126,475,523,64,71,365,425,486,430,816,209,148,666,44,45],"_krb5_ccach":341,breviti:566,silent:565,convent:[819,495,552],local_port:628,teardown:204,fmt:[815,212,141,332,241,38],parallel:[495,579,45,204],krb5_tkt_creds_fre:182,citi:331,necessarili:74,draft:[393,579,555,545],userinfo:717,krb5_auth_context_generate_local_addr:257,conveni:523,friend:105,includ:[798,859,569,10,495,899,17,182,183,475,32,506,643,425,101,322,517,712,816,44,796,673],attach:579,krb5_c_padding_length:182,allow_svr:[71,44,436],grant:[523,506,845,436,899,71,17,249,182,424,816,666,74,44,10,32,30,495,707,609],especi:[798,899,579,475],copi:[798,506,859,899,17,148,249,323,276,101,485,182,56,44],specifi:[798,478,64,71,133,569,486,425,322,74,693,10,32,45],test2:[71,44,177],kdc_default_opt:816,enclos:[177,10,816],pnl:816,mostli:454,gss_iov_buffer_desc_struct:17,krb5_tkt_creds_context:[122,618,743,36,739,864,63],e19253:717,holder:331,than:[798,617,618,475,186,579,288,10,495,120,566,303,17,249,415,818,130,693,32,644,74,506,646,71,27,768,425,101,486,204,660,816,436,666,44,45],royal:331,ckfrom:662,wide:[276,816,209],ciphertext:[824,566,763,39,132,640,844,115,183,372,795,673],sasl_realm:71,sasl_mech:71,gss_get_name_attribut:17,exampl:[71,425,569,486],kinit:[523,177,617,517,816,436,506,274,766,148,666,276,71,415,322,818,44,899,796],temporarili:71,posix:[425,913,566,718],balanc:[495,74,475],were:[798,899,617,579,17,816,331,74,521,240,105],posit:[436,303,666,425,913,32],new_message_out:59,worcest:331,kdc_princip:506,seri:[475,182],pre:[517,699,538,646,365,17,571,1,182,168,322,609,235,10,780],lowest:816,sai:27,prf:182,san:[816,10,579],sam:[579,567,604,605],keyblock:182,"_krb5_prompt":140,slat:4,krb5_init_creds_init:[915,757,182],ani:[798,475,569,395,56,10,495,899,17,182,74,130,32,822,690,523,506,827,64,71,425,101,322,863,816,780,209,148,666,44,45],ank:[71,44],dash:816,userconfig:816,properli:[506,454,899,148,276,718],krb5_cc_destroi:182,result_str:[364,894,402,111],bitwis:[119,66],engin:495,techniqu:523,advic:229,certauth_plugin:929,krb5_tc_match_ktyp:690,shadowlastchang:517,consortium:23,x509_proxy_ca:816,note:[15,326,425,729,71,395,249,177,214,101,854,74,486,44,10,550,899,204,816,105,911],krb5_ccache_conf_data:324,ideal:[523,44,204,798,899],includedir:[816,454],take:[451,391,224,579,736,10,495,120,299,17,249,74,32,523,816,484,702,538,439,606,148,666,177,101,928,44,45,105],advis:[331,74],"_krb5_error":459,hwauth:10,outptr:[262,223],noth:[27,64],channel:[523,209,17,74],begin:[824,816,115,763,39,132,819,209,324,844,666,425,691,787,44,743,795,693,673],sure:[798,517,71,486,148,105,74,644,44,796,120,818],eblock:[223,421,860,723,262,529,900,914,612,823],trace:274,stashsrvpw:71,multipli:436,g_accept_sec_context:331,compress:26,statu:[565,71,439,650,768,331,777,579,929],default_domain:816,krb5_kt_resolv:182,beta:[425,44],mk_req:378,krb5_get_init_creds_opt_set_anonym:[523,182],sublicens:331,pair:[816,859,249,882,425,10],time_rec:[579,17],america:331,krb5_encrypt:182,unalloc:317,renam:[71,44,579,224,454],ccachenam:454,adopt:816,drive:204,krb5_copy_checksum:182,aes128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],krb5_rc_requir:[524,736],sbindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],runtim:[274,28],subtag:816,krb5_decode_ticket:182,ckf_:119,salt:[798,728,71,606,182,425,139,44,10,70],hmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],gracefulli:768,recipi:[331,190],krb5_gc_cach:30,krb5_pa_data:[34,35,325,36],krb5_prop:[798,899,148],show:[565,617,728,148,425,28,140,127,10,105],german:579,"0x54800000":828,pkinit_ind:[10,322],ldapuri:[71,44,486],krb5_524_convert_cr:182,bin:[899,454,439,28,127,204],subprocess:45,"3h30m":105,tkt:797,"0x1fff":621,krb5_get_init_creds_opt:[800,802,729,108,230,559,55,747,409,831,359,821,578,522,523,648,82,373,143,535,710,911,540,845,36,37,609,791,281],permiss:[798,478,617,827,899,71,465,579,17,331,44,10,32,863,105],krb5_kdcrep_skew:424,threshold:44,kerberosnf:717,etype_list:[55,833],tend:798,unfinish:854,gss_wrapex:579,help:[506,454,819,543,27,23,579,105],xml:127,userdata:[268,836],onli:[798,816,729,569,51,30,401,10,495,899,17,249,182,74,693,32,311,690,523,64,517,71,425,101,478,911,436,148,666,44,45,796],slow:27,fenc:4,input_payload_buff:17,krb5_c_crypto_length:182,g_dsp_statu:331,activ:[506,816,64,111,425,388,44,74],state:[425,10,569,74,899],dict:[71,44,816],overwritten:[10,928],inaddr:727,krb5_free_checksum_cont:[507,182],nearli:71,variou:[74,163],get:[71,859,74,818],wicker_brac:4,clang:579,secondari:899,ssl:[276,506,517],cannot:[71,44,798,436,506],om_uint32:[17,768],"import":[798,899,816,436,425,74,56,486,44,32],krb5_build_principal_alloc_va:[735,538,182],pipermail:23,requir:[798,268,506,108,729,230,736,475,836,10,607,495,899,569,17,880,249,182,818,693,255,74,523,524,825,64,517,71,831,425,101,322,655,379,816,436,209,666,150,216,44],krb5_use_enctyp:182,input_message_buff:17,ldopt:454,requires_hwauth:[71,44,854],krb5_prompt_typ:[594,36],delprinc:[71,44],krb5_sname_to_princip:[735,182],borrow:105,yield:854,across:[899,62,224,17,816,638,56,10,120],"_krb5_responder_otp_challeng":516,bison:454,krb5_key_st:79,krb5_cccol_cursor:[688,344,519,36],kpclientauth:10,check_tg:638,summari:[569,64],wiki:[579,204],kernel:[840,579,617],caller:[618,652,1,3,819,579,844,343,115,854,460,741,348,243,17,880,132,186,691,521,718,523,583,763,82,918,911,836,839,807,824,712,39,192,795,546,928,673],kiprop:[44,64,693],tekniska:331,nfsv4:717,ap_req_authdata:438,placehold:[840,26],keepold:[71,44,579,74],change_password_for:[894,402],krb5_transit:[830,36],krb5_auth_con_setsendsubkei:[451,182],krb5_responder_otp_challeng:[523,47,158,36],minlif:[71,44],request_init:415,krb5_c_random_make_octet:182,concern:[331,436,105],detect:[524,64,454,27,768,425,736,836,74,44],review:26,enumer:74,label:[816,331],enough:[115,504,39,71,844,110,44,673],listinfo:23,between:[899,816,436,71,569,148,276,44,10],kdc_cert:506,pwchang:10,qop_req:17,krb5_cksumtyp:[725,283,603,273,36,587,437,248,678,593,387,507,403,748,155,92,512,311,360,760],krb5_principal_unparse_displai:491,oeap:779,kdb5_err:331,sname:[705,650],august:331,parent:[816,28,617,495],screen:105,krb5_free_checksum:[662,182],style:[695,815,71,816,850,141,332,44,495],tktpolici:[71,44,486],no_auth_data_requir:[71,44],cycl:579,sparc:579,kdb5_util_path:693,in_tkt_servic:[845,424,707,609],uncondition:[51,454],substhtml:127,come:[523,26,571,816,204,120],valid:[299,17,587,182,816,44,116,267,10,495],"0x00000040":874,krb524_krb4_disabl:347,fit:[376,331],"0x0020":679,pertain:[45,331],contract:331,enable_onli:[816,666],jqpublic:439,present:[635,343,10,240,565,899,243,922,303,17,18,842,74,819,255,644,523,506,64,27,816,322,837,236,598,204,517,911,664,274,209,160,736,666,388,217,44,105],krb5_finish_random_kei:182,mani:[436,71,148,666,816,56,889,44,495,105],krb5_princ_set_realm_data:2,stime:459,unrecogn:454,among:523,krb5_c_encrypt_length:[844,182],gss_c_buffer_type_data:17,krb5_cc_default:182,locate_plugin:227,output_message_buff:17,period:[816,64,436,425,105,56,44,10,644,74],dispatch:768,pol:[71,44,32],featur:[276,653,47],colon:[676,274,38,623,212,666,816,44,486,10,495],libdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],allow_forward:[71,44,486],supervisor:45,poll:[10,579,693,64,44],einval:[452,434,785,593,609,236],krb5_lname_notran:130,resynchron:569,krb5_k_key_enctyp:182,input_name_typ:768,marc:331,krb5_tc_match_is_skei:690,rebuild:[127,454],invers:303,mark:[899,259,71,425,331,44,10],krb5_invalid_princip:218,skei:[10,797],krb5cc_320:105,krb5_c_valid_cksumtyp:182,certifi:816,crawford:331,"abstract":[62,224,457,415,854,702],procedur:425,cipher_st:[824,115,763,39,132,844,795,673],manual_test:204,keyexchang:73,resolut:[798,439,17,796,475,579,660],gss_c_nt_string_uid_nam:17,krb5_c_verify_checksum:[507,182],optimist:[182,648],wake:798,rememb:[506,899,324],preauth_requir:[415,854],andrea:331,krb5_sendauth:182,those:[798,454,579,854,495,899,62,303,17,415,185,74,889,127,32,523,71,650,768,816,425,331,44],outcksum:403,"case":[617,1,728,4,854,10,495,513,787,17,571,415,74,889,32,575,523,25,646,71,317,27,425,426,705,816,911,438,439,160,666,177,331,611,44],ivec:[262,223],interoper:[506,617,402,894],principal_seq:506,enc_errbuf:907,gss_s_cred_unavail:17,cast:[62,224,227,638,4,457,913,415,854,702,718],invok:[523,569,611,25,64,439,227,768,816,788,139,854,818,192,374,44,693,644,911],db_lib:454,testus:[71,44],del_polici:[71,44],region:[603,17,248,387,311,928],setuid:[274,148],advantag:[816,101,74,249],stdout:[274,852,148],krb5_error_cod:[748,452,223,225,455,880,699,230,231,676,678,235,236,460,11,12,598,241,463,413,244,685,465,900,248,115,250,885,690,417,589,255,694,257,258,278,259,697,891,643,75,136,481,876,485,703,267,705,30,707,262,361,273,36,37,275,366,716,40,744,277,720,309,493,280,723,47,283,504,688,287,844,51,509,292,293,294,511,741,734,607,646,299,631,749,66,92,1,736,144,73,519,308,852,78,70,521,311,491,523,524,313,763,527,82,317,529,319,722,86,246,109,89,535,911,778,653,538,539,815,147,829,730,785,926,330,788,856,791,675,655,103,795,552,878,238,857,106,108,831,554,342,111,112,113,559,344,116,346,348,727,122,630,568,351,335,354,571,572,715,914,126,359,863,821,578,822,580,583,395,130,371,132,623,365,134,367,593,138,38,925,141,142,374,375,376,866,760,600,662,379,380,603,845,39,769,606,149,150,739,386,387,609,738,612,613,546,614,159,391,618,652,414,860,164,165,864,825,167,397,740,701,402,172,624,403,405,628,742,827,408,743,180,632,879,634,635,881,873,883,183,252,186,152,918,757,189,419,268,894,645,191,332,421,422,423,424,323,198,364,924,807,201,905,907,657,765,660,431,824,661,434,206,207,208,438,301,211,212,919,920,835,921,507,216,218,836,446,449,673],henc:818,krb5_deltat_badformat:716,worri:[517,204],ktutil:[429,728],gss_add_cr:768,authtim:[664,259,769,324],texinfo:780,krb5_pac_data:54,time_t:[425,913,718],inquiri:32,krb5_randsourc:379,author:[71,10,32,816],media:[816,44,486],same:[798,617,454,757,579,288,396,51,4,112,559,294,9,10,495,120,413,66,17,18,513,73,186,693,359,78,644,818,131,71,632,27,768,816,370,486,266,32,517,538,915,209,351,666,79,192,44,45,439],trip:[579,854],binari:[816,101],epoch:182,pac:[71,10,182,44],pad:[17,182],timestamp:[816,182,425,74,267,116],autolock:331,grain:17,hxx:331,pam:796,week:[44,486],exhaust:101,default_ccache_nam:[816,617,192],finish:182,krb5_unparse_name_flags_ext:182,bb463167:717,"_krb5_verify_init_creds_opt":6,confidenti:[579,17,249],someon:[816,899,120,105,56],companion:209,krbcanonicalnam:517,capabl:[579,101,120],openldap:[71,859,486],common_appdata:816,preiniti:[652,583,880,348],improv:[780,436,579,816,74,10,23],extern:[10,17,859,324],kreen:331,cartoon:899,krb5_eblock_enctyp:182,krb5_c_decrypt_iov:182,krb5_string_to_deltat:182,macro:99,markup:[127,780],krb5_clear_error_messag:182,without:[617,454,10,742,59,899,17,74,32,506,64,71,480,816,101,204,653,436,209,666,44,47],krb5_auth_context_do_tim:[268,825,749,836,116,216,267],pktinfo:45,gain:[899,62,74,105,638],disassoci:[45,693],krb5_responder_list_quest:[523,182],inauthdat2:631,comment:[798,780],trust:[816,506,17,866,276,10,644],requires_pwchang:[44,486],authorization_data:[731,34,830],execut:[523,425,517,454,899,71,26,168,543],addrlist:401,extfil:506,krb5_free_princip:[523,538,455,493,395,182,735,881,12,730],acceler:331,rest:[666,454],krb5_free_ap_rep_enc_part:182,host_based_servic:[10,495],krb5_plugin_no_handl:[62,227,611,691],helpdesk:74,kill:899,invalid:[565,816,244,734,74,192,644,218,44,822,105,609],aspect:[889,798,666],flavor:[71,44],getstr:71,speed:517,subtree_dn_list:[44,486],samba:666,gss_buffer_desc:17,stai:[71,798],hint:[71,10,675,44],krb5_tc_match_tim:690,html_subst:127,krb5_auth_con_fre:182,except:[798,71,365,17,579,816,331,44,10,32,495,439],param:[3,9,63,12,18,22,37,40,47,49,51,55,11,66,72,73,75,78,82,86,89,90,612,95,103,104,106,108,111,112,113,618,116,70,122,125,126,131,132,134,138,925,141,142,143,145,149,150,158,159,164,165,167,168,169,172,179,527,183,252,186,189,191,791,323,198,878,205,375,180,208,364,211,212,216,218,223,225,228,230,231,235,243,244,248,250,255,257,258,259,262,265,266,267,270,273,275,744,277,280,281,283,287,288,292,293,294,299,301,308,311,491,313,319,109,147,330,332,201,342,343,344,346,347,348,351,335,354,359,360,414,365,366,367,370,373,374,206,376,207,379,380,386,387,546,391,395,396,399,401,402,403,405,408,409,411,685,417,419,421,422,423,424,430,431,434,437,739,673,449,452,455,30,460,463,465,130,136,481,876,485,236,488,361,493,309,317,504,509,511,512,513,519,521,522,524,529,413,535,538,539,540,655,552,554,558,720,560,568,860,571,572,831,575,578,580,583,864,632,593,594,241,598,600,603,39,606,607,609,92,613,614,115,623,626,627,628,630,634,635,645,646,631,648,653,657,660,661,662,397,670,446,675,676,496,678,533,730,690,589,692,694,697,643,699,701,703,705,707,710,712,715,716,559,722,723,725,726,727,729,734,846,736,738,740,741,742,743,747,749,1,144,757,121,38,760,763,765,350,769,778,785,788,192,793,795,800,238,802,805,807,278,321,815,914,863,821,822,823,825,844,827,371,835,836,839,845,849,438,852,829,856,857,652,510,195,587,866,867,624,872,873,875,879,880,881,883,885,886,152,891,268,894,748,900,246,905,907,824,911,915,916,688,918,919,920,921,924,926,507],desktop:523,identif:[579,331],gss:[840,579,768,666,324],princ_look_ahead:439,ricciardi:717,treatment:495,versa:[506,579],db_arg:[71,44,45,693],vulner:[523,579,101,74,44,23],disrupt:74,princ_meta:425,microsystem:331,earli:74,"_krb5_context":[633,822,126],around:[44,454],krb5_c_is_coll_proof_cksum:182,read:[523,506,517,816,436,899,274,569,486,182,425,71,139,666,44,10],address1:324,address2:324,zephyr:[331,74],ap_req_opt:[365,1,571,646],inetd:[899,148,818,64],traffic:276,insist:439,grammar:[303,324],yyyymmddhhmmss:177,presum:27,fortuna:[579,331,454],gss_c_nt_hostbased_servic:17,intel:331,whitespac:[71,10,816,44],unimpl:4,apputil:840,integ:[798,506,566,71,209,718,816,44,324,10,303],server:[64,728,71,133,569,486,425,818,693,45],benefit:495,"0x20000000":[909,826,608,176],either:[798,451,617,4,10,743,59,122,62,17,249,185,506,899,366,481,816,484,836,204,517,911,436,37,765,209,148,438,331,611,44,439,105],rcmd:816,krb5_principal_compare_utf8:513,output:[798,899,71,844,351,132,880,569,17,148,182,425,274,73,44,10,795,673],iran:331,rollov:[425,44],manag:[819,766,579,486,44,32,796],iprop_listen:10,sbin:[64,28,818,454,899],my_cach:439,maj_ver:4,default_client_keytab_nam:[816,160],sha384:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],legitim:[523,439,27],ldap_conns_per_serv:[10,517],krb5_kpasswd_softerror:364,adequ:27,krb5_free_data_cont:[527,182],authent:[798,859,71,425,74,486,45,818],respect:[899,71,30,177,697,676,331,628,120],load_dump:[425,44],krb5_set_password_using_ccach:[735,182],krb5_aname_to_localnam:182,constitut:331,err_fmt:[816,579],af_unspec:227,nonzero:[816,650,30],basic:819,krb5_pre_send_fn:[626,36],keytab:[64,728,71,133,139,74,818],confirm:[728,71,579,248,425,387,486,44],sudan:331,krb5_copy_keyblock_cont:182,highest:[798,734,816,71,425,715,74,521],definit:[62,638,331,322,840,10,45],token:[816,10,322],legal:[439,317],randsourc:379,"0x00100000":870,exit:[565,617,64,71,579,650,139,44,45,105],g_rel_oid_set:331,keyfil:[425,10,517,44],damag:[617,331],notabl:44,dbmatch:816,refer:[71,486],kdc_tcp_port:10,power:[579,495],krb5_realm_cant_resolv:609,inspect:[62,861,168,638,322,626,59],gratitud:331,openvis:[71,331],broken:[74,454],pressvr:74,fulli:[523,899,798,816,436,71,276,101,44,32,644],regexp:816,referr:[579,555,816,293,660,691,10,682,495,705,105,219],krb5_auth_context_ret_tim:[268,825,736,836,116,216,267,255],appli:[478,62,911,816,436,71,439,17,148,752,644,331,854,74,44,9,10,32,45,105],unicod:331,basch:331,src:[859,454,331,127,204,614],central:780,krb5_data:[49,844,111,673,348,70,299,527,301,880,182,364,125,78,583,132,198,430,379,926,351,606,795,507,446],krb5_timestamp_to_sfstr:182,acl:[71,478,64,693],addition:[816,209,45,638,105],krb5_get_credentials_valid:182,srv:[816,899,579,495,796],stand:899,act:[32,45,27,579],"_tcp":495,tape:101,routin:[816,140],cflag:[543,454],krb5_c_:[223,533,421,860,262,529,926,900,914,723,823],gss_import_cr:[17,768],multihom:816,surviv:617,krb5_kt_notfound:136,quietli:388,trademark:331,"01am":44,your:[780,818],willi:74,zanarotti:523,log:[569,64],her:[495,185,105],area:[523,899],heim_org:816,dec_error:907,brute:[44,74,436],overwrit:[425,44,885,388],krb5_copy_ticket:182,start:[798,816,780,859,64,517,71,693,229,249,425,74,44,10,32,45],interfac:[71,139,74,10,32,45],ipv4:475,lot:495,ipv6:[816,579,475],besid:816,strictli:899,restrict_anonymous_to_tgt:[10,506],unam:666,krb5_principal_compare_ignore_realm:513,resiz:481,krb5_encrypt_s:182,tupl:[71,44],bundl:[816,331],regard:331,jul:177,krb5_auth_con_getaddr:[451,182],krb5_cc_get_full_nam:182,preselect:644,krb_ap_req:182,krb5_responder_otp_get_challeng:[523,182],src_name:17,cryptograph:[579,17,74,331],krb_ap_rep:182,faster:[495,617,204],tripl:[10,579,74],immedi:[816,579,425,854,74,44,495],krb5_rd_cred:[736,182],possibl:[523,506,517,816,436,455,71,17,249,182,425,101,74,56,44,10,486,899,495,798,475],ovsec_adm_export:[425,44],spnego_mech:331,krb5_get_init_creds_keytab:[661,182],unusu:[506,666],mkey_convert:[425,44],krb5_init_creds_step:[359,246,182,765],sasl_authcid:71,krb5_init_creds_get_tim:182,connect:[899,64,71,693,44,101,818,486,10,475],cbc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],proxy_imperson:324,uid:[617,439,17,816,28,185],creat:[71,693],certain:[454,108,650,101,331,44],todd:331,gssapi:[816,10,322],fellow:331,krb5_cksumtype_to_str:182,decreas:[816,160],file:[71,133,486,425,693],krb5_pa_pac_req:36,yymmddhhmmss:177,encompass:17,fill:[218,523,130,182],workdai:796,again:[768,899,27,666,105,44,776,796,120,74],gss_import_sec_context:768,adminjohndoefoo:816,osconf:26,kadm5_auth:32,dbmodul:[71,859],reforward:105,krb5_cc_default_nam:[182,126],prepend:[38,495,212,454],field:[523,451,816,436,506,71,209,182,425,44,10,495],cleanup:[523,819],collis:182,gss_c_dce_styl:17,writabl:[819,159,899],ignor:[741,798,645,258,845,259,274,423,17,635,424,182,816,71,609,666,10,32,707],you:[798,616,859,454,233,56,10,495,120,899,750,818,693,127,23,506,71,26,816,101,322,486,204,517,780,436,439,148,666,177,331,388,44,45,796,105],intermedi:[579,17,30,816,44,324,10,105],krb524_init_et:2,adminhost:[71,44],kadm5_auth_modinfo:62,kdcdefault:45,symbol:[26,4,425,28,676,768,127,204],krb5_tc_match_flags_exact:690,drift:798,mkei:425,andrew:[44,486],ansi:26,track:[436,71,569,27,425,44,23],krb5_k_prf:182,krb5_kt_next_entri:182,pool:74,reduc:[824,763,454,132,795,816,74,44,204,796],gss_iov_buffer_type_sign_onli:17,pkinit:[71,322],mkey_fil:[425,44],directori:[506,617,859,259,274,486,27,666,111,816,818,44,10,899,796],noaddress:816,mask:[267,920,116,449,690],out_flag:821,password:[798,816,859,517,71,569,486,425,139,322,74,56,693,10,32,45],potenti:[523,616,101,74,899],cpp:454,escap:117,enctype_nul:351,kprop_path:693,dst:614,unset:[9,816,17,182],cpw:[71,44,74],pto:103,represent:[816,17,182],all:[798,816,728,475,569,56,10,899,688,17,249,182,74,32,690,523,506,645,517,71,425,101,478,780,436,274,666,796,276,44,519],entri:[798,859,569,10,495,899,818,17,182,74,32,475,523,506,64,71,816,139,517,436,148,101,44],dist:26,krb5_get_in_tkt_with_password:182,gss_c_buffer_type_head:17,alg:454,lack:[506,138,579],pluggabl:[329,816,579,666,4],month:[177,579],krb5krb_err_response_too_big:[618,186],krb5_get_in_tkt_with_keytab:182,krb5_init_creds_set_servic:182,ldap_kdc_dn:[10,517,486,859,44],pty:[840,331],krb5_copy_authdata:182,follow:[798,617,859,454,543,635,579,51,4,230,676,388,10,787,495,705,120,565,177,566,728,750,922,303,17,571,752,185,74,819,889,32,569,23,491,506,257,64,899,71,133,650,27,768,425,594,911,324,840,598,204,249,816,517,436,274,209,160,918,666,276,331,852,644,44,45,439,105],disk:[523,616,617,899,26,486,27,425,101,56,693,44,798],krb5_tc_match_authdata:690,unansw:923,krb5_kt_dup:182,seed_length:[403,283],uint8_t:927,laboratori:331,strptime:331,nt_wellknown:87,former:18,krb5_server_decrypt_ticket_keytab:182,tail:899,ap_req_nofail:[575,6],dest_ctx:510,gss_iov_buffer_type_pad:17,hist_kvno:425,introduc:[224,274,611,816,71,638,691,10,929],requires_preauth:[506,436,71,74,486,44],cachenam:[617,922],liter:4,masquerad:[120,105,56],r13:[425,44],song:331,fals:[396,867,496,401,172,10,495,513,413,875,512,18,249,72,185,74,575,360,475,506,131,587,816,370,266,911,209,666,916,44,793,796],subcommand:74,krb5_kpasswd_malform:364,offlin:[74,644],util:[44,495,899,859,735],krb5_make_authdata_kdc_issu:182,candid:439,worst:74,gss_add_cred_from:768,failur:[579,227,457,348,465,248,74,491,523,634,71,481,816,109,425,436,715,331,387,609,44,446],veri:[819,27,816,74,44,10],ticket:[798,816,728,517,71,425,322,74,486,10,32,818],hostrealm_plugin:691,krb5_cc_next_cr:[244,182],krb5_cc_retrieve_cr:[182,66],k5login_authorit:[816,185,666],quux:816,list:[71,780,728,693],krb5_c_string_to_kei:182,kpasswd_listen:10,krb5_free_context:[192,182,142],adjust:[824,899,763,506,132,182,276,74,795,796],"_krb5_encrypt_block":759,cosin:859,stderr:10,small:130,getdat:[71,44,32,425,486],anam:[439,130],krb5_pac_delegation_info:598,pid_fil:[45,64,693],enterpris:[471,635,475,644],krb5_auth_con_getrcach:182,gss_c_nt_anonym:17,ten:[796,105],krb5_prompter_posix:[523,182],handi:899,edu:[798,819,579,10,120,899,74,32,23,818,71,26,816,101,486,780,439,717,666,331,44,105],past:[71,44,23],syslog:[816,10,899],zero:[451,71,643,17,248,182,816,495,446],design:[523,899,617,27,666,734],v4_realm:816,changepw:[798,911,71,364,74,44,402],further:[899,45,185,27],tls_cacert:517,max_renewable_lif:[10,899],kdb:[859,436,579,329,331,693,840,44],krb5_init_context_kdc:741,subjectalternativenam:816,last_req:325,get_princ:[71,44],abc:454,sub:[816,44,840,486],richard:331,defin:[899,71,816,818,10,796],gss_get_mic_iov_length:17,abi:913,section:[71,32,45],abl:[798,616,617,816,436,899,439,276,322,105,44,10,32,495,120],brief:[889,840,101],pppcred:255,credentials_cach:[71,44],"public":816,version:[798,451,728,569,51,734,10,17,182,74,831,78,475,71,699,425,486,816,780,715,276,44,45],intersect:249,krb5_cccol_cursor_new:[344,182],osf:43,option2:816,krb5_auth_con_getrecvsubkey_k:182,option1:816,g_context_tim:331,full:[64,569,182,44,74,693,10,495],hash:[425,44,579,816,506],berkelei:[331,454],vtabl:[819,415,854,4],keepkvno:71,unmodifi:[439,331],sophist:523,modular:579,tkt_life:[522,833],middl:27,solari:[229,579,204,454],excess:204,variad:[538,141,815],method:[62,227,224,819,324,638,4,457,816,415,611,702,691,660,854,495,644,929],fred:666,modifi:71,invoc:[425,17,148],valu:[798,859,10,495,899,17,249,182,74,32,523,506,517,71,425,322,486,816,274,209,666,44,45,796],krb5_cc_unlock:[206,182],getpwuid:[71,44],krb5_cred_enc_part:[337,36],naval:331,krb5_finish_kei:182,krb5_fences_vt:4,principal_out:[676,635],observ:[276,436],prior:[64,17,148,425,331,192,44,10],out_cr:[701,30,646,308],krb5_clpreauth_moddata:415,krb5_pac_upn_dns_info:598,action:[224,27,425,331,74,693],diffi:[816,10,644],krb5_gc:743,rkt:139,mkvno:425,marko:331,depart:331,sprecif:26,reiniti:614,transit:[565,830,809,571,576,650,832,816,242,105,498,10,644],krb5_recvauth_vers:182,deprec:10,acceptor_cred_handl:17,famili:[262,533,421,860,559,227,529,926,900,223,914,10,723,535,823],heurist:[787,439,395,816,702,660],decrement:182,krb5_prepend_error_messag:182,handle_error:17,select:[425,44,816,74],yflag:454,hexadecim:[425,579],paus:44,proceed:44,gss_iov_buffer_desc:17,krb5_deltat_to_str:182,generalizedtim:566,regist:[329,816,90,95,666,744,169,331,350,693,44,495,552,488,431],pa_typ:[639,324],coverag:204,ldap_kadmind_sasl_authzid:10,krb5_set_trace_callback:182,krb5_init_random_kei:182,command_opt:[425,44,486],formul:816,morn:796,ldap_serv:[10,859,517],krb5_cc_start_seq_get:[613,244,182],standart:859,upstreamhostnam:44,krb5_get_init_creds_opt_set_salt:[182,648],minor:[768,17,26,227,27,4,74,579],more:[798,617,618,454,475,579,676,854,345,10,495,119,120,899,435,750,335,17,69,74,691,32,23,186,523,506,517,27,425,101,840,31,816,436,160,148,276,44],flat:617,mellon:331,door:717,flagnam:32,canon:[798,517,62,693,475,172,611,44,495],krb5_auth_con_setuseruserkei:182,gss_oid:[17,768],krb5_tkt_creds_get:182,update_rel:819,"0x0040":253,krb5_copy_error_messag:182,krb5_get_init_creds_opt_set_address_list:182,krb5_init_creds_get:182,cacert:[276,506,517],compani:105,destin:[101,204],new_princip:71,cach:[798,451,274,17,182,816,71,74,666,44],interface_module_initvt:4,dictat:44,none:[506,49,207,517,274,209,916,228,27,249,816,71,44,835,439,75,10,89,287],endpoint:[257,331],nonc:[34,325,921,579,190],krb5_trace_info:[137,374,36],valuabl:[523,331],"0x000b":563,der:[566,854,929],outlin:[276,780],krb5_auth_context:182,dev:[274,10,859,816,148],krb5_c_make_checksum_iov:182,actual_mech:17,krb5_calculate_checksum:182,kdcpreauth_mymech_initvt:4,learn:798,dec:[177,44,436,899],gss_iov_buffer_type_mic_token:17,krb5:[798,859,728,569,56,10,96,74,693,32,818,64,71,133,425,139,322,486,429,478,780,45],krb4:579,ap_opts_use_subkei:1,prompt:[523,899,728,71,182,425,486,44],ap_opt:[260,365,1,841,646],tr_type:498,registr:816,share:[523,780,454,819,1,4,816,768,74,666,44,120],krb5_kdcrep_modifi:424,krb5_get_init_creds_opt_set_fast_ccache_nam:[578,182],krb5_free_cr:[630,182],tabular:[425,579],minimum:[71,10,796,44],resync:[44,579,569,693],gss_oid_set:[17,768],incom:[10,475],phrase:893,krb5_get_init_creds_opt_get_fast_flag:182,krb5_cred:[523,66,364,465,182,690,347,613],tr_content:498,cours:56,newlin:[676,852],secur:[71,133,74,798],programmat:523,ascii:[425,44,495,324],isi:439,altogeth:10,krb5_k_verify_checksum_iov:[248,603,182],subsess:[1,46,249],krb5_k_make_checksum_iov:[311,182],csv:[425,579],input_assoc_buff:17,sign_onli:17,isn:[27,331,44,10,598,204],trace_log:148,"_krb5_get_init_creds_opt":833,resourc:[523,61,17,204,717],redwood:331,referenc:[517,331,324],flip:74,variant:[44,579,768,454],reflect:[824,899,566,763,132,335,836,192,44,795],okai:[71,44,105,565],des_crc_session_support:[10,249],offset:[45,182],krb524_convert_creds_kdc:2,unlink:[425,44],associ:[617,476,436,71,569,17,27,816,44,331,475,324,10,32,693],maxlif:[71,44,32],kdc_port:10,circumst:[10,506],"short":[208,160,148,816,74,32],krb5_set_real_tim:182,confus:331,krb5_k_encrypt_iov:[132,763,182],stash:[71,486],krb5_encode_authdata_contain:[292,182],caus:[506,816,436,899,274,17,182,425,71,74,44,10,495,693,475],suncc:454,stash_fil:[425,44],is_last_req:[911,279],alphabet:177,"0x00000080":328,seq:29,g_canon_nam:331,sunw_dbprop_slave_pol:44,iprop_master_ulogs:[10,44],ldap_kadmind_sasl_mech:10,sendauth:[899,818],rotat:475,concatent:768,soon:[44,64],held:[565,331],cache_nam:[71,44,388,644,565],createtimestamp:859,through:[798,857,224,579,324,10,495,120,899,575,523,645,816,322,374,660,436,666,276,44,796,105],delstr:71,gss_acquire_cred_impersonate_nam:17,krb5_ktname:[274,28,17,160],krb5_keytab_entri:[159,330,277,36,397,715,807],krb5_string_to_kei:182,paramet:[425,10,45],member:10,typedef:[222,456,6,459,680,17,468,260,640,482,29,487,31,34,35,492,721,830,190,498,794,337,503,505,731,54,59,60,515,427,516,305,483,756,310,759,79,528,318,534,320,771,775,325,777,547,102,549,501,797,341,811,813,814,378,362,585,586,901,833,913,372,140,841,599,847,664,851,154,155,869,173,633,882,639,279,893,300,651,902,654,904,908,137,389,861,530,923,445,927,221,928],get_valu:819,extra_address:816,relev:[438,899,566,475,749],html:[517,780,26,717,127,579],rapidli:798,famou:899,component1:[303,324],"0x00800000":[514,334],krb5_auth_con_getsendsubkey_k:182,might:[899,436,454,495,17,4,276,666,331,74,56,324,44,204,120,475],alter:[506,74],"0x00020000":199,kpkdc:816,good:[798,899,643,331,105,44,120,818],"return":[523,517,64,71,569,17,396,182,816,818,44,218,10,475],lowercas:44,sentenc:899,component2:[303,324],message_out:111,framework:[579,17,331],casio:74,krb5_authdata:[375,631,36,438,411,292,275,891,405],sign1:17,sign2:17,foot:4,krb5_prompt_type_password:594,detach:64,krb5_free_authent:[509,876,182],getpol:[71,44],krb5_fwd_tgt_cred:182,administr:780,troubleshoot:[899,163],level:[506,71,495,17,486,44,819,45,204,127],userid:[816,454],instruct:[44,899,23,454,506],refresh:[17,324],"0x0006":[271,677],slave_datatrans_hostnam:44,val:[726,195,560,179,437,411,95,805,350,558,846,169,886,265,670,22,145,488],"0x0007":[107,94],ceas:[425,44,780],found:[899,922,454,66,430,133,439,395,571,690,734,438,125,120,44,10,45,495,816,105,818],intervent:74,krb_error:182,truncat:105,krb5_mk_ncred:[524,182],subsystem:454,krb5_anonymous_realm:182,cost:[276,44,331,454],weight:495,tryagain:415,unkei:523,referred_realm:221,krb5_pointer:[503,223,646,36,262,529,699,734,860,235,914,794],padata:[34,35,854,415],krb5_c_random_os_entropi:182,krb5_princ_nam:2,iter:[71,10,182,44],gennadi:439,http:[816,517],energi:331,beyond:[889,415,854],todo:120,event:[495,182],http_anchor:[276,816],ftp:[899,101],authdata:[375,631,275,30,329,292,324,405,797],krb5_anonymous_princstr:228,krb5cc_p11795:105,usec:[459,731,190,29],krb5_allow_weak_crypto:182,publish:[331,475],research:331,krb5_auth_context_ret_sequ:[268,825,366,736,836,116,216,267,255],enomem:[524,397,319,293,736,348],print:[64,71,133,439,650,579,425,918,44,543],occurr:9,wicker_construct:4,clpreauth_plugin:415,qualifi:[71,44,32,816,798],kdcpolici:[329,579],add_auth_ind:[579,854],proxi:[816,10],danilo:331,ldapadd:859,differ:[798,816,517,71,425,818],asc:26,krb5_generate_seq_numb:366,reason:[259,439,666,796,816,331,120,56,324,495,718,105,74],base:[617,652,880,579,457,854,10,495,899,12,17,18,415,125,475,589,889,127,644,523,506,257,71,816,28,430,517,780,150,787,331,44,105],krb5_init_context_secur:741,ask:[425,523,495,182,506],earliest:[425,690],workstat:523,lag:439,basi:[44,495,74,478],krb5_db_entri:929,db_185:454,thread:[617,579,79,454],daisi:495,krb5_get_init_creds_opt_set_in_ccach:182,omit:[517,129,819,303,666,213,324,491],krb5_string_to_salttyp:182,krb5_cccol:702,gss_cred_id_t:[17,768],perhap:[71,10,74,44],iprop_hdr:331,krb5_free_enctyp:182,syria:331,lifetim:[816,71,182,425,74,44,690],assign:[899,71,628,182,697,44,10,32,495],major:[26,17,4],unrestrict:[616,101],get_tgt_via_passwd:439,notifi:23,kdb_convert:331,binddn:71,exchang:899,more_preauth_data_requir:415,number:[798,728,569,10,495,182,74,693,32,818,523,506,64,71,816,139,486,267,425,436,209,44,45],sometim:[44,475,644],"3de":74,pop:101,smaller:[816,303],done:[899,617,859,64,454,517,819,439,415,101,854,44,495],krb5_524_conv_princip:182,stdlib:819,blank:787,krb5_pac_verifi:182,stabl:[638,62,224,579,457],verify_ap_req_nofail:816,miss:[127,424],gpl:331,guess:[816,899,579],guest:[71,44,816],vararg:538,interact:[71,44,816,495,728],gpg:26,least:[798,899,62,115,526,39,303,844,481,101,690,611,44,377,495,673],dfl:[274,27],writeabl:397,accept:[819,579,227,10,495,899,66,249,74,693,644,475,64,71,768,816,322,702,705,204,160,148,177,331,44,105],natur:475,krb5_roundup:2,scheme:495,kadm5_hook_modinfo:224,store:[798,728,844,56,10,899,17,249,182,71,74,693,523,506,64,517,132,816,486,425,788,44,795,673],krb5_lname_no_tran:611,memset:523,your_realmnam:506,relationship:[816,611],behind:[74,666],iprop_logfil:[10,44],krbnfs_howto_v3:717,appropri:[523,425,395,816,506,439,17,666,565,276,638,883,854,74,236,44,899,495,644,702],pars:[798,523,71,17,666,156],modbi:425,fall:[617,495,27],crypto_entri:759,gss_error:17,grace:644,krb5_get_init_creds_opt_set_fast_flag:[182,831],test_html:127,kind:[617,413,17,27,768,415,331,854,475],pwexpdat:[71,44],contrari:[523,17],prebuilt:204,krb5_get_init_creds_opt_init:182,whenev:523,remot:[798,257,539,71,133,17,182,796,475,44,10,693],gotten:105,remov:[71,425,859,728],sunw_dbprop_en:44,kkdcp:[276,579,331,495],"_krb5_address":501,unconfigur:[127,495],admcilsp:32,str:17,arrang:44,"_krb5_cred_enc_part":190,toward:[44,780],master_kdc:[816,495],randomli:[249,728],ktid:250,comput:[523,451,538,816,17,182,276,74,10],deleg:[71,10,44],strengthen:74,well:[523,899,454,475,579,17,816,312,691,840,44,74],clientkei:506,beforehand:17,krb5_config_cantopen:218,packag:[276,859,204,899],local0:10,allow_weak_crypto:[148,249,182,816,74,10],expir:[506,816,728,71,425,44,10,32,796],service2:650,service1:650,"null":[523,451,539,17,182,816,401,32],option:728,principal_databas:64,krb5_auth_context_generate_remote_addr:257,dec_err:568,onlyrealm:[10,74],equival:[364,894,209,402,579],remote_addr:[697,451,539,571],krb5_free_keyblock_cont:[144,606,738,182,70],cfr:331,self:[816,517],s_address:190,nktype:34,luser:867,norandkei:[71,798],add_rel:819,schema_convert:859,brace:4,krb5_auth_context_do_sequ:[268,313,366,825,86,116,216,836,267],krb5_ticket_tim:[122,765,36,830,547,325,797],krb5_responder_otp_tokeninfo:[516,36],distribut:[859,454,750,26,331,840,45,204,579,105],exec:[439,543,454],vno:[71,734,715,851,74,44],previou:[451,780,618,506,106,816,71,559,885,186,324,44,899,38,822,141],reach:[816,807,519],krb5_auth_context_generate_remote_full_addr:257,react:747,most:[506,395,816,258,728,899,17,148,249,182,425,666,56,44,10,495,796],spnego:[579,331],plan:44,profile_releas:335,maco:[617,259,579,816,331,840],kdc_listen:[10,899],dump_fil:693,ppcred:736,addr:[380,225,661,879,401,547,325,797],allow_proxi:[71,44],hereaft:331,x11r6:204,krb5_prompt:[852,36],clear:[523,798,71,209,182,425,139,192,44,822],lehman:331,cover:796,krb5_enc_kdc_rep_part:36,enctypep:452,auth_to_local_nam:[816,666],part:[337,616,617,830,676,566,571,249,72,885,886,74,819,310,475,423,424,768,816,101,324,707,35,439,148,331,44],exp:[798,506,71,249,816,10],add:[798,816,229,517,71,569,425,139,74,44,10,32,796,818],kswitch:[617,363,766],enctyp:[816,425,139,74,44,10],krb5_unparse_nam:[735,182],usual:[523,506,617,160,436,454,39,71,17,650,825,324,816,818,216,44,10,45,495,105,673],microsoft:[816,579,17,717,249,276,402,237,10],sector:[425,44],wsgi:276,afs3:[10,74],"0x8000":[433,784,896,146],your_princnam:506,carefulli:506,hostnam:[798,506,899,71,816,818,44,10,796,475],consult:[816,611],krb5_magic:[337,505,731,487,459,528,759,190,362,260,640,372,908,325,599,34,35,36,830,851,547,155,797,501],gss_name_t:[17,768],python:[276,127],fini:[62,611,224,227,638,415,854,702,691,929],modifiersnam:859,session:[798,71,816,74,44,10],passwd:[893,439,331,486,44,796],tmpbuild:204,krb5_cccol_cursor_next:[344,182,688],fine:[17,495],find:[17,182,816,818,218,44,495],privsvr:259,impact:436,krb5_c_prfplu:182,kprop_port:[274,28,693],kadm:543,copyright:[840,26],"0x0200":470,ticket_lifetim:[816,796],solut:899,local_addr:[697,451,539],krb5_cc_cursor:[134,613,244,36],gssapi_err_gener:331,couldn:818,templat:840,krb5_gic_opt_pa_data:36,log_info:10,iec:26,ckto:662,krb5_libos_badpwdmatch:[918,609],krb5_change_password:182,hit:182,unus:[852,646,675],krb5_x:2,luke:495,lehmann:331,express:[71,44,331,816,177],last_fail:425,nativ:[796,454,303,718,653,28,324,579,47],mainten:[71,44,425],r_address:190,authoriaz:731,gss_inquire_cred_by_oid:[579,17],liabl:331,krb5_responder_question_otp:[523,182],krb5_verify_init_cr:[523,182],hin:26,think:[120,4,475],establish:[506,17,27],krb5_init_creds_set_password:182,crt:[816,10],synthet:[168,324],synthes:[626,861],krb5_auth_con_set_req_cksumtyp:182,rfc:[17,182,816,74,10,495],crc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],salttypep:434,encrypted_timestamp:816,crl:[816,10],reply_out:59,certif:[276,10,816,71,517],set:[71,425,780,486,693],dump:693,tokenid:435,slavehostnam:64,pid:[579,45,64,693],startup:[899,579],krb5_get_permitted_enctyp:182,decompos:480,mutabl:79,emac:454,sed:454,sec:182,arg:[745,815,454,71,439,601,141,332,44],reserv:[331,464],delpol:[71,44],unqualifi:796,whatsoev:331,analog:798,encrypted_challeng:816,gss_iov_buffer_flag_alloc:17,simultan:79,gladman:331,"_krb5_responder_pkinit_challeng":320,someth:[10,818,27,475,74],particip:[816,899],nopw:[71,44],reus:44,mutex:79,recv_hook:168,kth:331,netlogon:237,experi:[780,579,495,74],krb5_merge_authdata:182,altern:[506,64,454,899,719,579,17,666,816,28,331,10,204,644],krb5_set_kdc_recv_hook:182,korea:331,plugin_base_dir:816,syntact:816,numer:[565,425,894,899,364,579,177,402],g_init_sec_context:331,ebaa:717,isol:495,disallow:32,krb5_anonymous_realmstr:49,krb5_flag:[225,230,741,743,325,66,1,571,690,308,821,646,661,260,365,701,30,380,36,830,920,449,547,797],fundsxpress:331,succeed:[899,818],outfil:425,oid_op:331,local7:10,enc_err:568,stale:[816,780,249],struct:[347,741,335,17,182],disclaim:331,fail:[798,816,728,71,425,74,44,10],last:[451,436,71,569,182,425,44,10],delimit:[816,376],mandir:454,db_header:454,alon:[899,4],dns_lookup_kdc:816,unspecifi:[816,495,27],vopt:523,context:[523,451,288,396,17,148,182,816,924,125,401,167,130,218,347,12,430],pdf:[780,717],prng:[379,583,454,579,331,643],pkinit_san:816,require_auth:[71,579,322],krb5_kt_have_cont:182,regent:331,simpli:[523,506,209,17,666,768,105,204,562,120],reject:[798,899,816,322,818,10],tgt:[523,506,321,249,182,74,44,10],point:[798,616,617,1,454,899,71,928,579,17,481,816,101,74,44,521,23],schedul:[44,74],ret_valu:[125,430],cryptosystem:74,krb5_crypto_typ:[554,928],residu:[565,617,274,922,623,250,816,388,611,819,495,644],header:[425,816,17,182],fashion:[276,439,331],realm1:45,smard:816,realm3:45,linux:[579,617,454],cakei:506,krb5_os_localaddr:182,bridg:579,mission:439,krb5rcachetyp:[274,27],etype_list_length:[55,833],backend:96,authz:34,krb5_cc_get_princip:[735,182],outbuf:[268,825,366,365,1,319,386,836,216],krb5_get_init_creds_opt_set_forward:182,stamp:[425,569],krb5_fcc_intern:126,devic:[71,10,816,523,44],due:[44,32,148,27,74],empti:[523,816,455,71,209,17,182,425,293,186,44,10,32],implicit:10,have_getusershel:439,whom:[331,120],secret:[523,71,209,17,816,851,10,120],libverto:[854,454],krb5_c_init_st:182,dup:10,name_s:208,krb5_get_renewed_cr:[182,308],krb5_plugin_ver_notsupp:4,nonexist:579,address_list:833,kdc_tcp_listen:[10,899,506],"_krb5_checksum":155,modern:[798,44,74,475],brother:331,nrl:331,fire:495,clariti:439,buflen:[165,883,878,172,694,600,760],consequenti:331,coordin:768,nonrepudi:506,understand:523,krb5_copy_princip:[735,182],func:[788,152],demand:521,input_ccach:644,educ:796,enc_part:[337,640,310,35],imap:[787,475,454],"_krb5_init_creds_context":654,acount:666,krb5_pac_privsvr_checksum:598,creativecommon:331,stolen:105,datarootdir:454,nofork:693,kdc_tcp_listen_backlog:10,krb5_mk_priv:[873,182],erron:148,rep_result:646,durat:[71,10,664,816,44],camellia256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],norealm:[10,74],"while":[899,436,71,816,322,818,44,10,74],gss_init_sec_context:17,match:[798,728,30,10,348,66,17,182,125,690,32,475,506,71,424,319,425,430,816,780,438,666,276,44,796],behavior:[71,74],error:[71,64],krb5rcachedir:[274,28,27],input_name_buff:768,pepper1:73,robin:798,subsect:[506,816,436,517,666,276,322,10],propag:[816,64,133,425,74,56,693,10,32],malloc:819,ldname:454,readi:[425,899],g_userok:331,krb5_timestamp_to_str:182,influenc:475,readm:[840,26],confound:183,revers:[425,44,816,796,798],itself:[798,616,617,95,689,195,558,846,169,854,10,179,411,17,886,74,693,692,523,64,71,768,816,350,145,488,90,160,805,666,797,670,44,45,105],cred_handl:[17,768],dget_tgt_via_passwd:439,limit:[899,439,331,44,10,495],yourdir:899,illinoi:717,rcptr:589,dedic:899,"_krb5_ticket":310,ccselect_plugin:[702,4],gs2:579,my_respond:523,minim:[425,44,74],error_t:331,mistakenli:9,new_reply_out:[861,59],krb5_kvno:[715,734,372,851,36],serverauth:816,krb5_cc_set_config:[451,182],shorter:816,libc:475,lengthi:579,decod:[523,292,816,182,465],krb5_mk_error:182,viola:798,sqlite3:425,wicker_materi:4,swig:331,conflict:[15,326,571,666,214,768,550],krb5_principal_unparse_short:491,sell:331,k5user:439,"0x00200000":314,x86:[579,454],g_inquire_cr:331,optim:454,nersc:816,cppopt:454,alert:10,strength:579,temporari:[899,859,71,160,27,816,28,44],glossolalia:74,enctype_aes128_cts_hmac_sha1_96:581,enctype_aes256_cts_hmac_sha1_96:97,transitori:74,built:[523,816,666,182],sha2:[10,579],lower:[787,25,71,819,17,816,44,32,660],sha1:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],is_skei:[174,690,797,324],ktype:[380,34,875,225,661,106],older:[44,579,854,74],data_set:17,krb5_princ_typ:2,keytab_nam:565,harm:27,honor:[148,105],www7:717,person:[899,120,331,105,56],medvinski:439,krb5_cc_end_seq_get:182,uint32_t:[913,813,718],"0x10000000":[761,400],ppdata:[524,736],mon:[71,44,436],ldb:454,construct:[523,780,618,861,365,17,650,4,186,59,579,419],krb5_kdc_req:36,dejagnu:[204,454],gss_c_accept:17,anonym:[71,10,666,44],ba548_90007:717,mslsa:617,outprinc:730,envvar:816,emailprotect:816,krb5_get_validated_cr:[701,182],"76cho3000":331,administ:[798,899,693],question:[10,780,495],g_verifi:331,myremotetokentyp:10,priorit:495,confvalid:840,cut:495,restructuredtext:780,lockouttim:[71,44],forbid:[71,44],ldap_kdc_sasl_realm:10,hostaccount:666,win:331,input:[795,17,182,44,12,673],gss_buffer_t:[17,768],slave:[798,816,229,64,133,569,693,425,101,74,56,44,10],approxim:26,useless:74,passcod:595,vendor:[543,901,435],authdata2:324,authdata1:324,format:[425,780,71,816,10,32],princ1:[266,370,506,513,131],princ2:[266,370,506,513,131],allow_postd:[71,44,486],transmit:[618,579,17,854,186,44],apt:859,step:[798,506,859,899,439,425,74,44],resid:[523,616,787,331,185,495,798],gss_iov_buffer_t:17,inetcomperson:859,account_expir:[911,279],krb5_c_prf:182,redirect:[816,899],g_exp_sec_context:331,success:[452,455,880,457,231,676,678,235,10,11,12,598,463,413,730,465,248,250,885,690,130,691,602,255,694,257,258,278,259,697,891,589,699,27,876,485,703,705,230,707,712,273,277,275,716,40,744,715,720,309,493,280,44,760,504,844,509,292,293,738,740,134,607,299,748,749,301,1,736,144,73,519,75,852,78,70,521,311,491,523,524,313,763,64,765,71,317,319,722,86,246,109,89,778,425,538,539,147,829,785,856,675,655,103,795,552,878,106,108,554,342,111,112,113,115,344,346,348,727,122,568,30,777,335,354,571,572,481,126,575,359,863,821,822,583,827,371,132,623,365,366,367,593,138,925,142,376,600,662,379,734,603,845,39,606,149,150,386,387,609,92,613,546,614,159,391,618,652,414,165,864,825,866,402,172,624,628,742,408,743,527,879,634,635,881,873,883,183,415,252,186,918,757,417,643,419,268,894,645,191,646,631,422,423,650,424,323,198,364,807,201,905,907,657,431,824,434,206,630,436,208,739,439,688,397,920,921,507,216,218,836,446,449,673],authdata_plugin:889,lnsize_in:130,signal:45,threadsaf:916,krb5_vwrap_error_messag:182,resolv:[798,796,182],elaps:[71,44],collect:[274,816,17,182],princip:[64,728,71,133,569,486,425,139,74,693,45,818],"boolean":[209,182,425,44,924,10],wicker_appear:4,"0x0080":610,fnal:331,popular:899,krb5_get_credentials_renew:182,"1foo":816,two:[451,436,478,71,506,249,182,816,666,44,10,899,475],signedpath:[71,10,44],krb5_get_init_creds_password:[523,911,747,225,182],encount:[565,899,816],krb5_pac:[259,422,36,149,769,722,905,692,598],simplifi:535,acknowledg:331,creation:[816,44,566,74,506],some:[425,229,728,274,816,666,276,71,74,44,10],gen_sym:439,listpol:[71,44],kdc1:495,strongest:[643,249],krb5_read_error:182,sampl:[798,818],referral_valid_until:221,cacheconf:324,structuralobjectclass:859,sizeof:[523,819,17],surpris:74,modulepath:816,certlabel:816,krb5_c_random_se:182,"0x2000":398,charg:331,issueraltnam:506,"0x01000000":356,per:[617,816,224,819,569,227,457,854,10,495,62,17,249,415,74,691,523,71,425,702,478,209,666,611,44,45],gss_qop_t:17,recognit:[579,331],substitut:[816,506,331,899],retri:[10,209,495],larg:[523,899,763,795,132,348,209,495,824,44,10,204],slash:676,numwork:45,necessari:[857,506,517,859,899,71,17,481,4,816,415,74,889,44,120,495,796,105,609],reproduc:331,datebas:693,machin:[798,478,229,64,517,816,101,74,56,693,818],krb5_c_enctype_compar:182,run:[798,617,859,454,579,10,495,565,899,249,74,693,127,569,818,506,64,517,71,26,425,28,101,204,816,439,148,666,388,44,45,796],refresh_tim:324,winbind:666,pa_type_list:[415,854],agreement:331,unport:331,fulvio:717,"0x00000001":[5,269,215,175,377,46],kdc2:495,ap_req_checksum_typ:816,from:[780,64,728,71,133,569,486,425,139,693,45],krb5_auth_con_getsendsubkei:[211,182],impos:62,cmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],krb5_get_profil:182,usa:331,constraint:[787,331],coexist:32,mechglu:[331,768],materi:[523,331,74,4],prove:[523,415,854],gss_krb5_cred_no_ci_flags_x:579,dns_uri_lookup:[816,495],strcmp:819,disclosur:[32,579],argv_pars:331,gss_create_empty_oid_set:768,userok:611,loadabl:[816,10,768],"5h30m":644,fulfil:439,hesiod:[816,331,454],timeofdai:856,real:[816,463,439,383,513],primarili:[924,520],krb5_referral_realm:182,krb5_keyusage_pa_sam_respons:326,canonhost_out:189,"_krb5_data":599,target_user_login_nam:439,bsd:[579,331],krb5_rd_rep:182,krb5_rd_req:182,mydir:617,contributor:[331,464],chang:[798,816,728,517,71,569,425,74,10,32],nss:331,inclus:331,institut:[331,464],fictiti:105,carnegi:331,megabyt:26,krb5_pwd_data:36,"long":[617,819,579,110,343,854,495,562,243,17,249,415,74,475,506,71,39,160,148,331,44,673],krb5_get_init_creds_opt_set_pac_request:182,krb5_get_init_creds_opt_set_respond:[523,182],prompt2:918,krb5_tc_supported_ktyp:690,pocoo:127,krb5_chpw_pwdnull:609,forward:[798,899,71,209,17,182,816,475,44,10,796],crit:10,mach:[816,331],usr:[127,899,859,64,454,439,486,816,28,818,44,10,543],"0x00000002":[783,671,804,316,307,174],krb5_enc_tkt_part:36,gss_iov_buffer_type_stream:17,vprintf:[815,141,332],krb5_mk_safe:[268,182],server1:[44,486],krb5_cc_nosupp:66,pwd:204,screensav:105,link:[899,780,517,163,816,44],translat:[816,579,130],newer:[454,425,475,44,10,74],krb5_free_unparsed_nam:182,line:[71,780],mitig:[523,579,27],krb5_crypto_type_sign_onli:[387,603,248,311,150],info:[33,899,895,162,579,137,669,10,325,797],concaten:[484,566,768],gss_wrap_iov:17,utf:[523,243,579,331,596,236,513],consist:[611,26,160,324,816,676,691,495],princ_stringattr:425,confusingli:523,checkout:127,dns_lookup_realm:[816,495],infd:257,fdii:105,redistribut:331,doc:[127,717,517],readlin:454,gssapiv2:17,similar:[652,635,579,227,4,235,413,815,17,248,881,578,311,491,268,763,748,634,132,365,481,425,370,141,824,816,603,439,606,276,387,507,795,105,446],impl:454,krb5krb_ap_err_skew:504,kaduk:74,gss_c_buffer_type_trail:17,constant:[523,49,228,665,487,682],curs:454,user_dn:[44,486],flush:819,doesn:[617,728,354,27,425,44,120],unauthent:101,"char":[451,452,225,455,675,676,496,12,3,17,250,130,694,699,481,265,236,705,31,707,712,716,309,491,819,287,51,293,511,745,516,73,756,78,38,760,523,82,319,109,775,243,538,785,332,192,552,111,343,278,346,121,815,125,430,831,822,580,364,365,593,918,835,140,141,839,241,376,599,600,845,852,609,857,560,165,623,867,399,402,172,527,635,881,882,883,885,189,419,894,646,423,901,424,878,660,434,208,212,218],container_dn:[71,44],incomplet:816,int_max:382,openldap_ldapconf:10,home:[787,439,752,666,816,185,486,44,120],krb5_free_address:[727,182],enc_padata:325,integr:[523,268,825,26,17,249,796,28,331,836,216,840,579,105],kdcissu:182,unifi:780,krb5_get_init_creds_opt_set_change_password_prompt:182,krb5_principal_parse_enterpris:635,"0x0400":67,pre_auth_typ:[380,225,661],ticket_authdata:438,bracket:[816,10,666],krb5_ccselect_vt:4,nat:[816,44],krb5_cc_close:[89,182],addpol:[71,44,436],"0xfffffff0":21,krb5_kt_nowrit:[159,397],particular:[523,506,728,454,17,250,816,120,331,322,74,56,10,32,204,105],interface_modname_initvt:4,krb5_pwqual_moddata:457,krb5_cred_info:[190,36],clean:[741,44,866,374],lucid:96,meaning:[71,44],search_scop:[44,486],libtool:4,refrain:768,mymodul:666,gss_acquire_cr:[579,17],true_principal_nam:221,infrequ:579,algorithm:[454,439,606,249,331,74],vice:[506,579],krb5_kt_read_service_kei:182,krb5_free_keyblock:[112,740,657,182,371],ldap_kdc_sasl_mech:10,namelen:376,delta:[10,182],krb5_k_free_kei:[408,252,925,182,919],inout:[824,115,763,603,646,39,132,365,699,571,481,150,844,1,918,235,795,311,673],"_krb5_auth_context":515,far:506,fresh:[798,439,780,56],creatorsnam:859,krb5_context:[451,3,455,675,496,678,881,9,460,11,12,413,244,685,465,248,690,130,632,257,258,697,643,876,485,703,267,712,273,493,725,504,288,509,511,742,607,299,749,66,144,73,519,78,70,311,523,313,86,89,778,538,539,147,829,164,788,192,655,795,238,554,342,111,113,720,344,116,347,348,727,351,354,125,126,863,822,580,583,844,827,371,132,623,134,367,925,662,379,606,150,92,613,546,614,395,396,167,740,401,403,628,873,408,180,880,182,183,152,891,323,198,364,924,657,430,926,206,527,301,211,688,919,920,507,218,446,449,673],endtim:[664,30,324],realmlist:278,getaddrinfo:475,code:[455,30,231,678,881,9,10,11,12,413,730,465,17,248,690,130,257,258,697,643,876,485,703,675,273,277,493,278,309,275,44,727,844,509,292,738,740,742,607,299,749,66,144,73,519,78,311,760,523,313,319,86,778,816,780,538,539,147,829,103,795,554,342,111,112,113,720,344,348,70,354,126,822,583,395,827,371,132,134,367,925,142,600,662,379,606,148,150,92,613,546,614,165,623,172,628,873,408,630,880,182,183,891,191,323,198,364,657,206,527,301,688,920,507,218,673,449,446],partial:[523,32,74],autodoc:127,queri:[523,71,579,17,44,495],makedepend:840,keytabl:851,recomput:192,jimi:818,edt:[71,44],krb5_princ_realm:2,oldcc:331,cmd_path:439,krb5_copy_context:182,issuer:[816,506,405,375],proponli:[44,693],privat:[506,713,454,579,816,23],procur:[506,331],krb5_rd_rep_dc:182,ac02:331,slot:[816,139],sensit:559,krb5srv:495,elsewher:56,friendli:579,send:[798,899,780,274,693,148,249,182,816,101,44,10],cachetyp:579,nippon:331,behalf:650,krb5_kt_close:182,aris:331,fatal:395,sent:[566,646,204,209,17,148,27,425,854,44,10,626,59,579,105],deactiv:10,lndir:840,alphanumer:816,rollback:74,whichev:798,kcm:[816,579,331,617],rout:899,hierarchi:44,krbtest:[566,436,148,787,322,44],disast:495,max_renewable_ticket_lif:[44,486],spoof:[816,495],krb5_build_principal_va:182,tri:[451,571,816,691,10,521],portmapp:44,magic:[337,505,731,904,459,427,528,908,639,126,310,759,822,190,893,362,586,260,640,651,372,445,487,841,325,599,34,35,830,851,547,498,155,797,501],complic:[506,454],"try":[454,436,439,17,148,816,101,475,44,495,579,120],ctx:[618,703,287,864,51,740,343,241,9,63,122,408,743,243,815,246,923,17,186,75,359,757,38,399,419,765,414,423,323,653,835,925,141,142,236,657,270,778,739,915,212,332,485,158,47],krb5_princ_set_realm_length:2,addr2:[288,396],freed:[451,726,49,560,3,195,228,51,167,558,169,59,121,179,749,301,411,335,886,22,350,653,692,265,839,145,243,90,712,437,277,95,861,343,192,670,546,47],modifytimestamp:859,proof:182,pleas:[798,10,780,435,23],malici:[71,44,523],impli:[331,644],"0x8":842,kdcpolicy_plugin:638,"0x2":[213,450,683,837],"0x1":[129,69,384,345,217,890],kadm5_hook_plugin:224,pkcs11:[816,331],pkcs12:816,"0x4":[471,117,297],cron:[10,495,56,899],krb5_prog_etype_nosupp:138,gmbh:331,name_typ:506,download:[331,717,64],aprepencpart:640,odd:105,click:899,append:[857,454,71,160,44,10],krb5_vprepend_error_messag:182,compat:[816,10,64],index:[425,517,26,717,276,835],compar:[735,182],chicago:331,tmppolici:[44,486],resembl:119,"_krb5_ticket_tim":664,access:[798,616,617,579,854,56,10,495,899,62,17,638,415,74,693,889,32,569,523,506,64,517,71,766,816,101,204,478,436,666,276,611,44,796],gss_c_buffer_type_sign_onli:17,rhost:319,princ_nam:506,udp_preference_limit:816,addprinc:[899,62,506,71,177,44],trillium:[798,101,105],whatev:495,krb5_auth_context_generate_local_full_addr:257,ldap_service_password_fil:[10,859,517],krb5_kdc_unreach:609,krb5_auth_con_genaddr:182,leg:579,krb5_kdcpolicy_moddata:638,len:[829,149,905,818],target_principal_nam:439,bodi:[34,854],intercept:[768,666],logout:[388,105],ubuntu:96,safer:120,becom:[425,780,816,192,845,899,439,644,74,56,359,44,495,120,609],cf2:182,krb5_cc_get_typ:182,rtime:34,great:[32,377,424,690],produc:[523,299,816,26,565,425,183,415,854,691,44,543],convers:[816,566],krbadmin:[10,517],larger:[506,303,101,579,718],technolog:[331,464],autoreconf:204,dsa:327,cert:[816,506,322,517],uint_max:[615,394,284],typic:[798,224,4,457,854,10,495,62,17,249,415,475,589,127,523,693,816,28,702,37,150,796],rdn:[816,798,17,796,475],inptr:[262,223],explain:899,revoc:[816,10],writer:780,starttim:[664,324],danger:[439,56],revok:[816,10,436],realloc:451,g_initi:331,dprinc_look_ahead:439,foundat:331,princ_out:395,"8h30":177,expect:[899,259,769,148,84,424,816,415,74,889,127,105],auth_context:[313,167,736,116,235,740,460,11,628,873,836,788,408,180,1,571,572,152,825,255,268,524,257,699,646,371,697,365,366,319,876,925,267,657,539,749,273,211,919,386,921,216,86,546],krb5_ui_2:36,krb5_c_encrypt:182,asan:454,getnameinfo:475,gss_wrap_aead:17,oldest_kvno_to_keep:71,fee:331,feb:569,tar:[26,204],eperm:[62,611],commun:[506,617,517,816,899,17,861,780,276,331,702,840,44,23],client1:506,client2:506,doubl:177,chl:[523,270,158,47],kpasswd_port:10,g_dsp_name:331,next:[379,899,436,132,844,182,425,71,56,44,795,673],krb5_trace:[274,857,148,374],few:[120,454],gss_add_oid_set_memb:768,gss_c_qop_default:17,krb5_decrypt:182,db_princ_arg:[71,44],gssi_import_cred_by_mech:768,stage:[74,224],remaind:816,sort:475,armor_ccach:644,addrtyp:[433,501,324],comparison:816,factor:816,gss_export_nam:17,trail:[10,439],keytab_out:201,rabbit:495,actual:[523,824,115,763,748,436,39,132,507,634,27,150,425,74,844,44,446,795,249,105,673],free_ind:929,socket:[816,10,209,182],high:[322,27,74],account:[816,10,163,666,44],schneier:579,retriev:[71,425],krb5_kuserok:[735,182],augment:768,alia:[712,3,71,182,139,44],ride:10,alic:[787,139,185,666],critic:[523,23],inprinc:730,subregion:17,obvious:101,endian:[303,566,768,324],meet:787,adtyp:362,"0x08000000":[447,848],fetch:[816,527,693,425,460,486,44,45,521],client_kei:579,control:[798,618,454,475,819,579,227,457,10,899,747,750,17,752,638,74,691,889,32,521,186,523,506,517,693,816,702,249,478,209,148,666,329,611],sqlite:425,malform:[364,58,319,324],contempl:331,process:[523,899,816,64,71,569,17,182,425,74,192,44,10,45,693,798],pcreddata:255,sudo:859,mech_typ:768,krbcontain:[10,859,517],"_krb5_ap_req":260,"_krb5_ap_rep":[640,908],tag:[816,10,899,324],proprietari:209,"_profile_t":[741,335],tab:[71,44,579,425,676],krb5_kdc_profil:[899,64,274,579,28,10,45,569],addrtype_addrport:[825,216],serial:[569,17],krb5_clpreauth_modreq:415,krb5_principal_parse_ignore_realm:635,repl:572,"function":[485,49,455,844,228,313,167,881,740,460,12,899,408,413,749,351,628,17,880,182,183,125,73,74,311,523,257,371,132,71,323,425,924,925,703,44,657,655,430,778,436,273,697,919,276,218,86,795,546,507,673],delai:[454,579,27,44,495,644],pkinit_pool:[816,10],aes256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],friendlier:579,deltatp:716,minlength:[71,44],krb5_k_key_keyblock:182,occur:[238,749,259,71,569,27,425,374,44],local_appdata:816,brian:331,kbuild:840,"05pm":177,commonconfig:816,krb5_set_trace_filenam:182,subdirectori:[816,28,840,666,127],pwqual_plugin:457,instead:[454,579,676,854,10,59,565,899,815,185,74,693,578,475,523,506,64,259,71,423,768,425,141,143,816,439,330,331,44],kdb5_util:[429,693],unenc_authdata:34,keyencipher:[816,506],circular:44,msdn:579,klau:331,overridden:[728,579,27,816,32,45],"0x7fff":[892,709],roam:816,gcc:454,"_krb5_enc_data":372,conf_stat:17,inst:218,request_fini:415,krb5_init_creds_context:[36,414,915,423,765,246,186,75,359,757,419],dbutil:331,krb5_cc_new_uniqu:182,krb5_pac_client_info:598,alloc:[523,844,749,455,132,17,182,150,167,795,673],check_a:638,essenti:10,pkinit_eku_check:[816,10,506],amount:[583,115,436,495,26,844,816,918,10,348],counter:[71,44,436],interprocess_token:768,element:[523,17,182],issu:[523,506,375,728,436,664,71,209,17,249,276,101,74,44,10,405,495,816],winbind_krb5_loc:666,unaccept:27,allow:[798,816,728,475,56,10,899,17,249,182,74,693,32,818,523,506,64,71,425,101,322,486,478,436,209,148,666,276,44,45,796],tamper:17,delent:139,krb5_k:79,fallback:[523,71,579,816,691,44],default_keytab_nam:[816,160,750],retval:[452,455,880,230,231,676,496,678,235,236,460,11,12,598,463,413,244,730,465,248,250,885,690,130,589,255,694,257,258,278,259,697,891,643,699,136,481,876,485,703,266,267,705,30,707,273,277,275,716,40,744,715,720,309,493,280,760,504,688,288,509,292,293,738,740,134,607,513,299,748,749,66,1,736,144,73,519,75,852,78,70,521,311,491,524,313,763,765,317,319,722,86,246,109,89,778,538,539,147,829,785,788,856,675,655,103,795,552,878,857,106,108,554,342,111,112,113,115,344,116,346,347,727,122,371,630,568,335,354,571,572,126,359,863,821,822,583,844,827,131,132,623,365,366,367,593,370,138,925,142,376,600,662,379,734,603,845,39,606,149,150,386,387,609,92,613,546,614,159,391,618,652,414,164,165,864,825,167,866,867,402,172,624,628,742,408,743,527,879,634,635,881,873,883,183,252,186,152,918,757,417,419,268,894,645,191,646,631,422,423,424,323,198,364,924,807,201,905,907,657,431,824,434,206,207,208,739,916,301,397,919,920,921,507,216,218,836,446,449,673],krb5lib:899,houston:495,krb5_cc_get_flag:182,h5l:[816,451],"h\u00f6gskola":331,move:[10,182,899],mkeytyp:[425,44,486],imperson:579,tcl:[204,454],comma:[816,71,425,44,10,45],reload:44,defktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],cbdata:819,bunch:44,gss_c_nt_export_nam:17,key_data:[252,361],krb5_kt_default_nam:182,gss_acquire_cred_with_password:579,krb5_pac_pars:182,mypreauth:666,krb5_tkt_creds_step_flag_continu:618,chosen:[523,787,26,17,249,816,28,322,702,579],banner:[523,756,852],"_krb5_ap_rep_enc_part":908,whether:[523,816,413,64,436,209,17,249,182,425,666,74,693,10,45],restart:[506,899,148,74,44,10,32,818],krb5_preauth_fail:609,total:[10,439,644],purg:[71,425,579,27,74],lockout_polici:436,therefor:[44,854,517,495,324],wellknown:[523,506,887,87],minor_statu:[17,768],"_krb5_enc_kdc_rep_part":325,krb5_get_host_realm:182,crash:[816,899,56],krb5_appdefault_boolean:182,dal:889,auto:579,sid:[816,850,855],dai:[506,816,71,182,744,486,44],auth:[517,17,182,322,167,10,495],krb5_free_cksumtyp:[92,182],mention:[10,331,517],krb5_end_seq_get:613,facilit:579,front:[10,676],krb5_pac_logon_info:598,krb5_timeofdai:182,gss_unwrap_aead:17,anyth:[816,506],edit:[229,139,859,818,728],unlimit:331,new_stat:198,uidnumb:617,dugsong:331,ietf:579,februari:718,capath:10,mode:[425,64,454,917,71,439,148,84,151,903,357,74,44,10,579,644,358],ldap_kadmind_sasl_realm:10,tmpdir:27,verifier_cred_handl:768,subset:[840,495,454],usc:439,chunk:[311,603],relinguish:546,consum:[889,718],localfr:666,keyagr:506,"static":[523,819,4],krb5_c_prf_length:[880,182],awk:425,our:[840,10,209,331,204],patch:44,iprop_en:[10,693,64,44],token_flag:775,special:[768,617,436,579,17,27,666,331,312,44,10,117,644,491],out:[452,454,455,880,30,231,676,678,235,460,12,413,730,17,248,250,690,130,589,660,254,255,694,258,634,643,699,876,267,705,675,707,715,275,366,716,40,744,309,493,280,44,760,47,727,506,844,509,292,293,294,511,741,743,299,748,749,609,1,736,144,73,519,75,491,524,313,64,765,71,317,319,722,86,109,89,535,778,816,538,539,147,829,785,331,655,103,552,201,238,106,108,554,111,112,807,115,348,120,70,122,568,351,335,571,572,125,818,126,359,821,583,395,371,364,623,365,134,367,593,918,925,142,376,600,662,734,845,39,919,769,606,148,149,607,386,387,388,738,92,613,856,617,618,652,165,864,825,866,740,402,172,624,404,405,408,527,410,632,879,635,881,883,183,252,186,152,891,189,268,894,645,191,646,631,422,649,650,424,246,198,653,878,905,907,656,657,430,431,434,375,630,436,208,438,209,417,688,796,921,507,216,218,836,446,449,673],variabl:[798,816,64,71,133,569,693,425,322,486,44,10,32,45],krb5_free_authdata:[438,891,182],matt:331,krb5_init_creds_get_cr:[757,182],intrud:105,contigu:17,twice:[899,25,224,71,324,44,120],krb5_responder_pkinit_set_answ:[523,182],defend:27,develop:780,kdestroi:[617,766,796],send_hook:626,ret:[523,431],kdc_princ_nam:506,guarante:74,suitabl:[454,579,425,331,204,105],rel:[816,10,182],inaccess:495,hardwar:[523,565,899,71,854,44,10,105],krb5_cc_remove_cr:182,result_cod:[364,894,402],red:331,clarifi:506,krb5_set_error_messag:182,experiment:579,insid:[438,798,579,249],workflow:74,bleep:[71,44,139,185,105],krb5_post_recv_fn:[168,36],cleartext:[908,325,190],receiv:[64,71,569,17,148,182,816,74,44,10,495,693],standalon:[579,148,64],"_krb5_authdata":362,dictionari:[899,816,436,457,276,10,644],releas:[395,113,10,628,70,408,688,17,249,182,697,475,693,32,523,506,64,71,425,925,44,816,780,436,274,606,148,919,322,796,507],likelihood:44,afterward:[44,224],shortest:172,maxrenewlif:[71,44,32,486],postdat:[565,71,424,105,44,10,32,644],gssapiauthent:666,krb5_get_init_creds_opt_set_preauth_list:182,proxiabl:[71,10,816,182,44],backspac:676,unquot:425,could:[899,780,436,439,27,4,796,816,105,322,74,56,666,495,579,120],put:[908,676,45,899,693],mac:840,keep:[798,436,71,26,27,44,204,569,120],counterpart:[32,796],conf_req_flag:17,length:[523,538,71,17,182,881,44,10,796],krb5_gc_user_us:30,ksu_opt:439,ltd:331,"_krb5_trace_info":31,ret_princ:705,distinguish:[816,44,331,486],krb5_princ_compon:2,krb5_find_authdata:182,endors:331,suffix:[666,454],krb5_responder_fn:[530,791,36],krb5_tc_match_times_exact:690,qualiti:[329,816,579,666],lcurs:454,echo:[918,852],date:[71,10,816,425,64],gssapip_spnego:331,certid:816,submit:[17,249],pgp:[26,23],lib:506,owner:331,"_krb5_tkt_authent":841,facil:[798,10,579,17,693],princ:[798,910,706,566,161,455,71,441,816,18,881,425,232,538,803,218,295,577,12,580],g_rel_cr:331,prioriti:[617,74,10,495,660,702],renewable_lif:644,strict:331,data:[523,451,816,517,71,569,17,249,182,425,101,74,44,10],annot:[209,322,579],enckdcreppart:325,mkdir:204,system:[798,894,111,402,10,744,463,17,182,74,130,32,475,523,506,645,827,899,71,643,425,101,816,436,274,209,148,276,192,44,45,796],wrapper:31,basicconstraint:506,hotp:71,attack:[523,816,728,436,579,27,276,101,836,74,44,644],appl:[840,331],physic:[101,495],lockit:71,termin:[45,182,693],"final":[816,32,134,204,607],rpath:[543,204,454],prone:579,kpserverauth:[816,506],udp:[798,816,618,579,227,276,186,10,45,495],shell:[71,44,899,486],krb5_ui_4:[36,422,29,731,149,921,459,908,598],eavesdrop:17,krb5_mk_req_checksum_func:[788,152,36],juli:177,rsa:[506,196,816,563,779,331,357,358,10,418,644],v5cred:347,biggest:74,krb5_set_password:[735,182,111],shall:331,krb5_address_ord:182,rst:[127,139],exactli:[899,439,481,767,816,690,174,687],krb5_auth_con_getlocalseqnumb:182,haven:454,securecooki:566,cacreateseri:506,krb5_free_cred_cont:[523,613,690,182],slack:495,particularli:[274,543,74,56,495,120],charact:[899,25,71,816,676,878,44,10,117,495,32,491],claim:331,sweden:331,crawdad:331,bind:[517,71,543,44,486,10,495,579],lrealm:[346,309,121],krb5_crypto_iov:[824,763,603,36,132,248,150,387,795,311],start_tim:[845,359,609,644],unencrypt:[337,34,35,731,101,216],asn:182,dbadmin:32,krb5_tkt_creds_get_tim:182,plaintext:[655,656],linker:454,initvt:4,correspond:[523,451,911,816,224,259,506,17,623,4,425,594,130,664,127,32,579],tom:71,mk_cmd:454,have:[798,617,224,728,475,579,227,4,457,854,56,10,495,120,122,62,566,351,303,17,752,415,185,74,889,127,32,644,818,523,506,825,64,899,71,26,27,768,425,101,702,324,204,249,660,816,780,690,436,765,439,666,331,216,44,45,796,105],ari:439,need:[454,455,30,231,676,235,10,12,730,17,250,690,691,255,23,74,26,699,876,705,715,493,40,309,317,722,44,727,506,819,844,509,293,738,511,743,495,899,748,749,688,1,69,119,144,519,693,32,491,523,524,763,768,101,89,816,538,539,543,177,103,795,552,105,798,800,106,108,111,112,115,345,562,120,70,566,568,571,572,818,359,825,371,132,365,589,925,142,127,840,662,734,39,606,148,736,386,611,92,613,617,618,579,395,864,866,740,919,408,527,879,635,881,252,186,889,891,189,644,268,645,366,646,631,422,769,246,425,905,907,657,204,660,824,517,630,436,438,796,216,836,507,673],chpass:[71,44,224],k5_gic_opt:[609,845],krb5_c_string_to_key_with_param:182,verbatim:331,min:[71,44,32,177],mic:859,cksumtypep:593,r18:[425,44],mix:105,localedir:454,initiator_cred_handl:17,which:[798,891,617,606,859,224,454,543,819,287,227,1,4,457,343,559,854,475,787,10,486,495,899,62,566,750,303,17,571,638,415,185,74,693,889,32,579,818,523,506,825,258,64,517,71,133,26,650,27,768,425,913,139,836,702,324,840,204,816,660,796,653,569,911,664,436,28,274,715,209,160,148,666,718,276,438,331,216,317,44,45,439,105,47],gss_:768,htmlsrc:127,ncsa:717,singl:[523,506,780,666,899,71,275,17,249,182,816,101,74,44,10,405,495],uppercas:[816,611],happi:331,unless:[616,728,579,249,734,10,495,899,17,752,74,575,32,521,71,425,101,374,816,439,666,611,44],deploy:[506,74],gss_c_buffer_type_pad:17,lk5crypto:543,who:[506,780,899,44,322,105,486,10,120],oracl:[331,717],presid:331,ldap_kadmind_dn:[10,517,486,859,44],kungliga:331,krb5_cccol_last_change_tim:[451,182],ap_opts_mutual_requir:[1,571,646],g_imp_nam:331,"_krb5_transit":498,pa_real:415,segment:495,kerboro:478,gss_add_cred_with_password:768,pa_replaces_kei:854,krb5_cc_switch:182,marshal:[579,566,324],placement:27,won:[816,506,105],url:[276,10,495],hopefulli:436,stronger:[816,322,74,249],uri:[899,71,579,816,44,486,10,495,796],issuanc:[71,44],inde:105,deni:[62,436,71,439,666,611,44,32],furnish:331,determin:[899,257,395,413,64,274,880,17,816,844,182,425,71,666,192,44,10,693],occasion:[899,27],constrain:[71,44],krb5_trace_callback:[374,36],"_krb5_enc_tkt_part":830,gss_cred_usage_t:17,krb5_ap_rep_enc_part:182,source_us:439,krb5_keytab_entry_st:851,"12h":[10,899],text:[523,506,566,243,209,666,111,425,140,459,44,543,928],verbos:[798,71,425,44,204,644],tty:[44,486],lcom_err:543,localauth_plugin:611,visibl:[44,579,74],anywai:[523,10,1,495],krb5_keytab:[159,391,294,235,624,571,250,521,414,699,136,201,839,807,376,661,207,845,36,715,417,40,397],subjectkeyidentifi:506,ksu:[363,331,766],kadmin5:101,krb5_kt_default:182,locat:[517,64,274,133,816,693,10,32,45],launchpad:717,much:[475,74,120,690],klist:[798,617,766,160,74,796],forev:[71,44],incident:331,should:[798,859,728,475,56,10,495,899,17,249,74,693,818,523,506,517,71,425,101,486,816,780,666,276,44,45,796],resubmit:644,suppos:[185,105],execprefix:454,libkdb_ldap:859,local:[523,899,859,64,666,71,209,17,182,816,101,74,44,10,486,495,798,818],hope:331,meant:105,count:[778,71,182,425,703,44],keyr:[579,617],aesni:[331,454],krb5_verify_init_creds_opt_set_ap_req_nofail:[523,521,182],armor:[10,182,506],cuba:331,password_expir:[911,279],convert:[816,17,859,74,182],michigan:331,kdckei:506,krb5_pac_get_typ:182,autom:[579,204],krb5_kpasswd_success:[364,402],g_store_cr:331,theori:331,increas:[132,329,824,763,795],krb5_enctype_to_str:182,db3:454,db2:[436,71,579,28,44,840,10],krb5_kpasswd_harderror:364,result_code_str:[364,894,402],k5_vic_opt:[575,205],krb5_rcach:[460,589,546,36],source_cache_nam:439,my_proxi:816,princnam:[523,617,436],enabl:[798,617,454,10,495,899,749,17,74,693,506,64,71,26,27,816,836,517,439,148,666,329,924,44,209,929],"0x00040000":171,upper:[71,44,32,25,495],krb5_xc:2,s4u2proxi:[17,324],admin23:517,sha:[816,10,579,74],kadmind:[71,429],des3:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],gss_c_sec_context_sasl_ssf:579,partit:495,contain:[798,569,395,623,401,740,10,495,899,17,182,693,32,523,506,64,371,71,425,486,657,816,517,148,666,276,44,796],nist:816,dnsname:816,conform:[816,26,25,579],listprinc:[71,44],krb5_rc_st:811,unimport:324,signatur:[196,375,327,819,26,768,563],persist:617,frame:324,knowledg:[780,415,854,74,56,521],veto:638,packet:[10,209,45,854,1],dcmd_path:439,krb5_prompt_type_new_password:594,p27:717,krb5_free_tgt_cr:182,int16_t:154,troubl:717,krb5_copy_cr:182,krb5_principal_data:[735,487,904,36],krb5_principal_compare_casefold:513,correctli:[579,17,861,818,59,718,120],pattern:[425,816,787,666],dll:[768,819,666,4],cache_out:[395,89],slapd:[517,859],time_req:17,krbcore:23,progress:[10,74],neither:[565,71,439,17,816,331,44],num_prompt:[756,852],email:[820,780,120],auto_to_loc:816,perfect:27,krb5_c_decrypt:182,sole:816,nowait:[899,818,64],k5ident:[816,766,752,666],kei:[859,728,71,569,425,139,818,486,45],enc_part2:[337,310,35,391],krbtgt:71,gss_inquire_sec_context_by_oid:579,top_srcdir:127,job:[899,495,64,56],entir:[71,480,854,74,324,495],crc32:816,mailbox:27,lawsuit:331,embed:525,convei:[777,579,54,74,331,44,495],david:[798,44,120,105],doxygen:[127,780],plugin:[71,10,859],admin:[798,899,859,64,517,71,486,816,322,74,693,44,32],goal:523,modnam:[816,666],g_sign:331,krb5_cc_support_switch:182,etc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],instanc:[436,274,666,816,44,32,796],sesam:[523,304],kv5m_context:[822,126],ccapi:[840,331],gssd_pname_to_uid:331,free_restrict:62,freeli:331,krb5_responder_otp_challenge_fre:[523,182],krb5cc_1984:439,krb5_pa_svr_referral_data:36,krb5kdc:[780,64,728,71,133,569,693,425,486,429],gss_display_statu:768,krb5_cccol_cursor_fre:182,cc246091:579,kpropd_rpc:331,arriv:27,walk:[425,44,120],vnder:74,rpc:[816,10,17,182,44],ucb:439,commenc:899,hellman:[816,10,644],advertis:[816,331],msg_type:[34,35,325],krb5_vset_error_messag:182,mailman:23,gssi_import_name_by_mech:768,tort:331,target_nam:17,"_krb5_kdc_req":34,"_krb5_kdc_rep":35,krb5_init_creds_fre:182,e_data:[854,459],insuffici:[524,454,736,397,293,319],g_unseal:331,json:[523,435,71,209,653,324,119,47],krb5kdc_err_more_preauth_data_requir:854,treat:[259,71,209,17,650,816,913,401,513,324,644,596],krb5_fences_vtable_v2:4,addresssanit:579,foreground:[64,693],popul:[451,74,614],infrastructur:[816,840,204],bit:[523,506,267,303,17,571,690,579,718,913,920,116,324,10,439,449,74],searchscop:[44,486],caddr:[325,830,547],presenc:324,sock_stream:227,assert:[10,579,17,854,324],krb5_principal_parse_no_realm:635,krb5_recvauth:182,srcdir:127,otp:[71,322],presens:816,profile_module_init_fn:819,kdc_timesync:816,gss_wrap_iov_length:17,replic:[899,64],multi:[506,579,436],novel:331,requested_principal_nam:221,virtual:[816,798],plain:566,krb5_libos_pwdintr:609,cursor:[134,613,244,182],pkinit_cert_match:[71,506,579,816],realmsp:[293,660],in_cr:[701,30,646,1,308],wild:[71,44],kdc_option:34,cve:579,krb5_kt_end_seq_get:182,layer:[889,579,768],c89:26,blocksiz:367,cell:74,cultur:331,kdc:[859,64,71,569,693,425,486,45],site:[798,44,495,899],archiv:26,default_valu:[125,430],substanti:331,lightweight:840,krb5_auth_con_getremoteseqnumb:182,headernam:454,revis:331,wkt:139,greater:288,incr:630,denial:816,let:[227,185,39,673],portiion:331,parti:[209,17,666,331],cc246071:579,num_data:[824,763,603,132,248,150,387,795,311],cross:[816,10],bjaspan:[71,44],himself:105,handl:[71,209,17,182,425,74,460,44,32,89],incc:147,krb5_fast_requir:230,largest:436,fubar:816,com_err:[777,454],principal_nam:506,difficult:436,v4cred:347,massachusett:[331,464],krb5_keyusag:[824,115,763,603,748,36,132,634,39,248,844,198,387,446,795,311,507,673],digitalsignatur:[816,506],api:[780,17,148,74],upon:[425,44,439,64,454],effect:[617,816,484,74,44,10,32,495],krb5_free_data:[231,182],krb5_int16:36,uucp:10,tortiou:331,"83final":717,dealloc:[611,881,691],login:[274,10,816],expand:816,audit:579,krb5_preauthtyp:[380,225,648,36,833,639,661],johndo:816,mech:[579,768,666],off:[798,436,666,816,918,852,495,796],"0x04000000":[210,466],client_princ:523,krb5_k_verify_checksum:[182,446],interpos:666,whole:[44,78,506,527,259],authoritykeyidentifi:506,concis:819,theodor:331,set_cooki:[579,854],krb5_c_make_checksum:182,krb5_pac_add_buff:182,filesystem:[10,44,506,899,28],undefin:[439,134],undertaken:780,sandia:331,gss_iov_buffer_type_head:17,piec:[436,589],latest:[899,664,579,30,204,105],test1:[71,44,177],test3:[71,44,177],krb5_auth_con_init:[182,167],deltat:165,test4:177,librari:[3,455,675,231,496,678,881,9,460,11,12,413,244,730,465,17,248,249,690,130,632,257,258,697,643,876,485,703,267,488,558,712,273,493,717,276,275,504,288,509,292,738,10,511,742,607,299,749,66,144,73,519,78,70,311,523,313,71,350,86,89,778,816,538,539,147,829,164,788,192,655,103,795,798,238,554,342,111,112,113,720,344,116,348,727,351,354,125,475,126,863,822,583,844,827,371,132,623,134,367,925,142,662,379,478,606,148,150,92,613,546,614,510,395,396,167,740,401,628,873,408,179,527,411,880,182,183,886,152,891,189,323,198,364,924,657,430,206,630,437,438,301,688,919,920,507,218,446,449,673],less:[798,617,71,303,288,10,204,579],cheetah:127,boot:[616,899],obtain:[800,728,56,10,899,1,571,249,182,475,126,757,523,506,646,765,71,365,816,322,660,788,44,796],tcp:[798,506,618,816,64,899,579,227,276,818,44,10,495,186],ok_to_auth_as_deleg:[71,44,17],token_len:17,fullname_out:511,est:[177,44,436],heavili:27,glue:840,taken:[425,911,495,74],tclpath:454,web:[899,26,617],desired_object:17,krb5_init_creds_step_flag_continu:186,krb5_read_password:182,in_authdat:891,makefil:[127,204,454],technet:717,krb5_nt_unknown:705,script:[899,454,71,579,693,840,44,45,204],kproplog:[429,64],jellinghau:331,edata:854,adm:[10,495,517],rctx:[523,243,923,287,653,343,835,236,47,158,270],smart:[816,10],gmt:177,e2big:348,fences_wicker_initvt:4,renprinc:71,krb5_rc_close:589,rename_sect:819,hard:[10,44],containerdn:[71,44],krb5_copy_keyblock:182,punctuat:[71,44,816,25,899],five:[899,825,25,224,71,816,27,177,216,44],know:[506,454,436,27,768,816,796,105],dns_canonicalize_hostnam:816,kdc_req_checksum_typ:816,recurs:[425,44,579],gssapi_krb5:17,krb5_c_keyed_checksum_typ:182,name:[798,859,728,163,10,899,74,693,32,818,506,64,517,71,425,101,322,486,816,274,209,666,276,44,45,796],insert:[325,547],s4u2self:[17,650],outcc:147,like:[798,616,617,454,475,172,495,899,17,74,127,32,818,506,64,71,27,816,101,204,425,148,44,796],lost:[331,204,56],safest:105,corpor:331,outauthdat:631,princ_lockout:425,slave_datatran:[28,899,133],ldflag:454,krb5_principal_compar:[735,182],krb5_free_default_realm:182,princ_flag:425,"_krb5_pa_data":639,desired_nam:17,expected_nonc:586,architectur:[204,454],page:[71,816,26,780,454],krb5_addrtyp:[501,36],titl:[840,331],retransmit:454,krb5_msgtype:[537,34,35,713,36,636,637,746,392,57,76,77,239,325],fast_avail:324,t1417:717,suppli:[523,911,258,71,17,182,319],krb5_check_clockskew:182,krb5_auth_con_getauthent:182,destdir:204,mit1:566,k5wiki:[579,204,23],"export":[10,899],ldap_kdc_sasl_authzid:10,unencapsul:579,mistak:120,proper:[506,859,571,818,44,204],krb5_k_decrypt_iov:[795,182],transport:[44,618,495,186],tmp:[798,899,859,750,71,439,27,816,28,105],krb5_get_init_creds_opt_fre:[523,108,182],desired_mech:[17,768],"_krb5_gic_opt_pa_data":882,gss_store_cr:579,lead:[10,439],sphinx_arg:127,ticket_info:190,avoid:[523,911,859,454,71,579,74,32,105,475],octet:182,interface_plugin:4,outgo:798,jeremi:331,krb5_tc_match_2nd_tkt:690,server_port:818,sequenc:[267,182,506],krb5_get_time_offset:182,preauth_list:[833,648],lockoutdur:[71,44,436],stockholm:331,pepper:182,investig:454,kadm5_auth_plugin:62,liabil:331,krb5_responder_get_challeng:[523,182],mssclogin:816,krb5_get_prompt_typ:[523,182],"0x00000200":806,host:[798,64,71,133,322,74,693,818],although:[160,457,331,105,691,495,120],krb5_kt_name_toolong:376,gss_iov:579,"0x00008000":[472,8],keytabnam:454,flag_rsa_protocol:644,microsecond:[463,324,856,29,280,908,190],expiri:[579,911,74],"_kpasswd":495,unprint:[71,44],about:[780,10,32,74,517],ntlm:579,rare:506,interven:44,krb5_ccach:[238,225,894,395,623,30,559,511,742,743,827,3,244,66,465,354,707,685,519,308,78,521,690,126,646,661,365,134,424,319,701,675,89,535,380,712,206,527,147,36,493,578,863,920,720,614,632,613,449],column:425,krb5_cc_badnam:319,eytab:[71,798],krb5_tkt_creds_step:[122,743,864,182],"_krb5_authent":731,statement:[331,650],rule:[798,787,395,71,439,17,650,666,816,185,44,32,495],krb5_crypto_type_checksum:[387,248,311,603],krb:[816,182],fast_ccache_nam:831,krb5_client_ktnam:[274,28,160],gss_buffer_set_t:17,zonetest:74,kadmind_listen:10,profile_tcl:331,own:[768,899,780,475,71,439,4,457,816,798,185,105,44,10,626,120,929],generic_trusted_ca:[816,10],absolut:[816,10,718],builtin:[579,331,454],automat:[616,617,64,899,71,439,160,425,388,56,693,44,204,579,105],warranti:331,automak:4,guard:27,outdata:[268,524,825,231,736,836,216,255],req_pac:37,sspi:579,checksum_typ:155,inbuf:[921,825,571,572,216],dug:331,gss_iov_buffer_type_trail:17,merg:[10,182,478],"_udp":495,krb5_c_make_random_kei:182,defccnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],explcit:331,haddl:546,transfer:[506,693],profile_module_init:819,trigger:27,mgluep:331,ldapi:[10,517,486,859,44],"0x01ff":625,"var":[506,859,64,454,899,750,486,27,816,28,44,10],groff:780,userpassword:517,cancel:44,target_us:439,krb5_parse_name_flag:[735,182],krb5_get_init_creds_opt_set_expire_callback:182,north:331,unwrap:[17,182],seq_numb:[908,731],subscrib:23,message_typ:586,wed:44,unambigu:911,krb5_config_notenufspac:[130,208],eas:209,ear:331,bug:[780,717,475,840,44,204,23],g_rel_nam:331,realm2:45,succe:[523,899,17,816,10,521],made:[899,617,224,64,37,148,816,138,331,192,741,889,44,922],defcktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929],temp:[816,27],rc4:[10,579],wish:[899,454,750,559,495,26,17,768,457,816,331,322,105,204,120],daffodil:[798,105],"_krb5_cred":[337,797],krb5_c_verify_checksum_iov:[311,182],rc2:903,krb5_free_error_messag:182,asynchron:[743,854],record:[899,816,303,27,796,425,475,44,45,495,579],below:[816,517,209,666,425,439,331,44,840,10,119],devicenam:10,genrsa:506,vpath:[26,204],dce:[816,17,182],lynx:859,krb5_c_free_stat:182,otherwis:[452,454,880,230,231,678,235,10,11,12,463,413,730,17,248,690,589,255,519,257,25,258,259,697,643,699,876,485,703,266,30,707,273,277,275,716,276,720,317,280,44,727,844,509,292,736,738,740,134,607,495,513,299,748,749,301,1,144,72,73,74,75,757,521,311,760,506,313,763,765,71,722,86,246,778,816,539,147,829,785,916,331,655,103,795,796,105,798,106,18,108,554,617,342,112,113,115,344,70,565,122,371,568,571,572,359,821,360,583,131,132,864,365,366,367,593,370,918,925,694,598,600,379,603,845,39,606,149,150,739,386,387,609,92,613,546,391,618,652,414,165,396,825,867,439,401,172,628,873,408,743,630,879,634,635,883,183,638,252,186,891,644,419,268,191,646,631,899,422,423,424,323,198,425,878,905,907,657,793,431,824,434,206,662,438,209,364,688,920,921,507,216,836,446,449,673],problem:[859,579,1,27,74,44,23,475],strategi:436,time_offset:45,display:111,krb5_cc_initi:[493,182],netbio:401,firm:331,default_principal_flag:[10,32,579],krb5_get_init_creds_opt_set_out_ccach:182,cb_ret:819,evalu:816,x509_proxi:816,"int":[618,455,288,554,362,4,6,402,347,513,747,881,17,635,481,528,125,639,894,186,130,575,756,580,491,55,710,257,456,648,364,643,651,319,918,140,833,109,92,376,655,599,379,34,538,540,208,847,852,445,102,155,281,729,501],dure:[899,64,436,274,693,71,56,44,10],indata:231,filenam:[857,506,816,64,728,899,274,133,209,17,148,425,71,44,10,486],max_lif:[425,10,899],gss_add_cred_impersonate_nam:768,strip_realm:[10,209],max_ticket_lif:[44,486],implement:[451,617,224,454,819,579,227,4,457,854,402,10,347,348,62,66,495,303,17,415,74,691,889,23,523,894,748,27,768,816,702,324,204,780,209,666,276,331,507,611,44,439,105,929],ini:816,remotehost:520,regul:331,kpropd:[133,693,429],inc:[331,105],mutual:[899,826,646,640,439,1,392],"0x000a":196,"_krb5_tkt_creds_context":173,countermeasur:101,t_mddriver:331,privsvr_kei:769,krb5_princip:[726,455,395,867,735,881,12,730,182,359,580,523,827,424,319,89,707,734,538,845,493,609],detail:[617,224,819,579,227,457,840,854,899,62,435,335,249,638,74,691,26,702,415,439,666,796,611,45,209,929],free_modreq:854,lname:[439,130],"default":[64,728,71,133,486,425,818,693,45],other:[798,899,816,436,71,693,249,666,425,74,44,10,32,45],lookup:[503,454,189,579,227,816,475,495,796],futur:[506,17,51,691,44,31,822],sick:331,varieti:249,getopt:840,krb5cc_:[28,439],gss_c_buffer_type_stream:17,known:[523,623,249,182,425,475,44,10],repeat:[899,816,768,425,324,10,79],second_ticket:[34,797,324],"class":[71,44,25],reconf:840,h71000:717,krb5_kt_get_typ:182,unser:17,beeblebrox:899,uncommon:27,sasl:[71,579,17,44,486,10],strlcpy:331,olcschemaconfig:859,krb5_rd_error:182,debian:[579,229],krb5_free_keytab_entry_cont:182,kdb5_ldap_util:[71,429,693],free_list:691,multithread:182,experienc:[780,227],maxnumb:[71,44],sphinx:127,fund:331,krb5_kt_add_entri:182,krb5_init_keyblock:182,g_util:331,portion:[463,856,209,29,731,250,816,874,331,690,459,280,908,190],emerg:10,krb5_responder_pkinit_challenge_fre:182,"0x0014":[50,898,407],keybyt:607,"_krb5_keyblock":528,recvauth:[699,646],rep:[191,640,366,572,386,35,886,771,921,325]},objtypes:{"0":"c:function","1":"c:member","2":"c:type","3":"py:data"},objnames:{"0":["c","function","C function"],"1":["c","member","C member"],"2":["c","type","C type"],"3":["py","data","Python data"]},filenames:["appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","appdev/refs/api/krb5_mk_req_extended","appdev/refs/macros/index","appdev/refs/api/krb5_cc_get_type","plugindev/general","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME","appdev/refs/types/krb5_verify_init_creds_opt","appdev/refs/macros/TKT_FLG_ENC_PA_REP","appdev/refs/macros/TKT_FLG_ANONYMOUS","appdev/refs/api/krb5_clear_error_message","admin/conf_files/kdc_conf","appdev/refs/api/krb5_auth_con_setuseruserkey","appdev/refs/api/krb5_425_conv_principal","appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA","appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE","appdev/gssapi","appdev/refs/api/krb5_sname_match","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC","appdev/refs/macros/AP_OPTS_WIRE_MASK","appdev/refs/api/krb5_free_enctypes","resources","appdev/refs/macros/KRB5_PADATA_PAC_REQUEST","user/user_commands/kpasswd","build/index","basic/rcache_def","mitK5defaults","appdev/refs/types/krb5_replay_data","appdev/refs/api/krb5_get_credentials","appdev/refs/types/krb5_trace_info","admin/conf_files/kadm5_acl","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO","appdev/refs/types/krb5_kdc_req","appdev/refs/types/krb5_kdc_rep","appdev/refs/types/index","appdev/refs/api/krb5_get_init_creds_opt_set_pac_request","appdev/refs/api/krb5_wrap_error_message","appdev/refs/api/krb5_k_decrypt","appdev/refs/api/krb5_kt_start_seq_get","appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED","appdev/refs/macros/KRB5_AUTHDATA_CAMMAC","appdev/refs/macros/KRB5_PADATA_OSF_DCE","admin/database","admin/admin_commands/krb5kdc","appdev/refs/macros/AP_OPTS_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_get_challenge","appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME","appdev/refs/api/krb5_anonymous_realm","appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256","appdev/refs/api/krb5_get_error_message","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_PADATA_PK_AS_REP","appdev/refs/types/krb5_pac","appdev/refs/api/krb5_get_init_creds_opt_set_etype_list","admin/backup_host","appdev/refs/macros/KRB5_AP_REQ","appdev/refs/macros/KRB5_KPASSWD_MALFORMED","appdev/refs/types/krb5_pre_send_fn","appdev/refs/types/krb5_pointer","index","plugindev/kadm5_auth","appdev/refs/api/krb5_tkt_creds_free","admin/admin_commands/kpropd","appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR","appdev/refs/api/krb5_cc_remove_cred","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","appdev/refs/macros/KRB5_NT_UID","appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_c_string_to_key","admin/admin_commands/kadmin_local","appdev/refs/api/krb5_is_config_principal","appdev/refs/api/krb5_c_fx_cf2_simple","admin/advanced/retiring-des","appdev/refs/api/krb5_init_creds_get_error","appdev/refs/macros/KRB5_TGS_REP","appdev/refs/macros/KRB5_TGS_REQ","appdev/refs/api/krb5_cc_set_config","appdev/refs/types/krb5_key","appdev/refs/macros/KRB5_REALM_BRANCH_CHAR","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","appdev/refs/api/krb5_get_init_creds_opt_set_pa","appdev/refs/macros/KRB5_KPASSWD_HARDERROR","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1","appdev/refs/api/krb5_auth_con_getlocalseqnumber","appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR","appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR","appdev/refs/api/krb5_cc_cache_match","appdev/refs/api/krb5_free_keyblock_contents","appdev/refs/macros/krb524_convert_creds_kdc","appdev/refs/api/krb5_c_keyed_checksum_types","appdev/refs/macros/CKSUMTYPE_RSA_MD4","appdev/refs/macros/CKSUMTYPE_RSA_MD5","appdev/refs/api/krb5_free_keyblock","admin/advanced/index","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256","appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION","appdev/refs/index","appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE","admin/install_appl_srv","appdev/refs/types/krb5_msgtype","appdev/refs/api/krb5_copy_ticket","appdev/refs/api/krb5_k_reference_key","user/tkt_mgmt","appdev/refs/api/krb5_get_permitted_enctypes","appdev/refs/macros/ADDRTYPE_ISO","appdev/refs/api/krb5_get_init_creds_opt_alloc","appdev/refs/api/krb5_unparse_name_flags_ext","appdev/refs/macros/MAX_KEYTAB_NAME_LEN","appdev/refs/api/krb5_chpw_message","appdev/refs/api/krb5_copy_keyblock","appdev/refs/api/krb5_cccol_lock","appdev/refs/macros/KRB5_PADATA_AP_REQ","appdev/refs/api/krb5_k_encrypt","appdev/refs/api/krb5_auth_con_setflags","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY","appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT","user/pwd_mgmt","appdev/refs/api/krb5_free_default_realm","appdev/refs/api/krb5_tkt_creds_get_times","appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE","appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP","appdev/refs/api/krb5_appdefault_boolean","appdev/refs/api/krb5_cc_default","build_this","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT","appdev/refs/api/krb5_aname_to_localname","appdev/refs/api/krb5_realm_compare","appdev/refs/api/krb5_c_encrypt_iov","admin/admin_commands/kprop","appdev/refs/api/krb5_cc_start_seq_get","appdev/refs/macros/KRB5_INT32_MIN","appdev/refs/api/krb5_kt_have_content","appdev/refs/types/krb5_trace_callback","appdev/refs/api/krb5_set_default_tgs_enctypes","admin/admin_commands/ktutil","appdev/refs/types/krb5_prompt","appdev/refs/api/krb5_vwrap_error_message","appdev/refs/api/krb5_copy_context","appdev/refs/api/krb5_get_init_creds_opt_init","appdev/refs/api/krb5_c_make_random_key","appdev/refs/api/krb5_free_ticket","appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY","appdev/refs/api/krb5_cc_copy_creds","admin/troubleshoot","appdev/refs/api/krb5_pac_get_types","appdev/refs/api/krb5_c_crypto_length_iov","appdev/refs/macros/ENCTYPE_DES3_CBC_ENV","appdev/refs/api/krb5_auth_con_get_checksum_func","appdev/refs/macros/KRB5_KPASSWD_SOFTERROR","appdev/refs/types/krb5_int16","appdev/refs/types/krb5_checksum","appdev/index","appdev/refs/macros/ADDRTYPE_INET6","appdev/refs/api/krb5_responder_otp_challenge_free","appdev/refs/api/krb5_kt_remove_entry","basic/keytab_def","appdev/refs/macros/krb5_princ_type","appdev/refs/macros/KRB5_PAC_DELEGATION_INFO","admin/index","appdev/refs/api/krb5_cccol_have_content","appdev/refs/api/krb5_deltat_to_string","formats/index","appdev/refs/api/krb5_auth_con_free","appdev/refs/api/krb5_set_kdc_recv_hook","appdev/refs/api/krb5_free_error","appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL","appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE","appdev/refs/api/krb5_enctype_to_name","appdev/refs/types/krb5_tkt_creds_context","appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","appdev/refs/macros/KDC_OPT_FORWARDED","basic/date_format","appdev/refs/macros/KRB5_TC_MATCH_FLAGS","appdev/refs/api/krb5_free_authenticator","appdev/refs/api/krb5_auth_con_getremotesubkey","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256","appdev/refs/api/index","appdev/refs/api/krb5_c_encrypt_length","appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO","user/user_config/k5login","appdev/refs/api/krb5_init_creds_step","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC","appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ","appdev/refs/api/krb5_expand_hostname","appdev/refs/types/krb5_cred_enc_part","appdev/refs/api/krb5_decode_ticket","appdev/refs/api/krb5_cc_default_name","appdev/refs/macros/KRB5_NT_SRV_XHST","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM","appdev/refs/api/krb5_free_data","appdev/refs/macros/ENCTYPE_MD5_RSA_CMS","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ","appdev/refs/api/krb5_c_init_state","appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3","appdev/refs/api/krb5_kt_client_default","appdev/refs/macros/KRB5_INT16_MIN","appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY","build/doing_build","appdev/refs/api/krb5_verify_init_creds_opt_init","appdev/refs/api/krb5_cc_lock","appdev/refs/api/krb5_kt_close","appdev/refs/api/krb5_kt_default_name","admin/otp","appdev/refs/macros/TKT_FLG_MAY_POSTDATE","appdev/refs/api/krb5_auth_con_getlocalsubkey","appdev/refs/api/krb5_prepend_error_message","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE","appdev/refs/macros/KDC_OPT_VALIDATE","appdev/refs/api/krb5_rd_priv","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM","appdev/refs/api/krb5_524_conv_principal","appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO","appdev/refs/macros/KRB5_PADATA_FX_COOKIE","appdev/refs/types/krb5_pa_server_referral_data","appdev/refs/types/krb5_cccol_cursor","appdev/refs/api/krb5_decrypt","plugindev/kadm5_hook","appdev/refs/api/krb5_get_in_tkt_with_password","appdev/refs/macros/KRB5_PADATA_FX_ERROR","plugindev/locate","appdev/refs/api/krb5_anonymous_principal","admin/install","appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags","appdev/refs/api/krb5_copy_data","appdev/refs/macros/krb5_princ_set_realm_data","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","appdev/refs/api/krb5_recvauth_version","appdev/refs/api/krb5_responder_set_answer","appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR","appdev/refs/api/krb5_cc_last_change_time","appdev/refs/macros/KRB5_ERROR","appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED","appdev/refs/api/krb5_set_error_message","appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK","appdev/refs/api/krb5_responder_get_challenge","appdev/refs/api/krb5_cc_end_seq_get","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA","appdev/refs/api/krb5_init_creds_get_creds","appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC","appdev/refs/api/krb5_c_verify_checksum_iov","admin/enctypes","appdev/refs/api/krb5_kt_resolve","appdev/refs/macros/KRB5_CYBERSAFE_SECUREID","appdev/refs/api/krb5_k_create_key","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM","appdev/refs/api/krb5_rd_cred","appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED","appdev/refs/api/krb5_auth_con_genaddrs","appdev/refs/api/krb5_cccol_last_change_time","appdev/refs/api/krb5_pac_verify","appdev/refs/types/krb5_ap_req","appdev/refs/macros/KRB5_NT_SRV_HST","appdev/refs/api/krb5_encrypt","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","appdev/refs/macros/KRB5_PADATA_PKINIT_KX","appdev/refs/api/krb5_free_string","appdev/refs/api/krb5_principal_compare","appdev/refs/api/krb5_auth_con_getflags","appdev/refs/api/krb5_mk_priv","appdev/refs/macros/KRB5_TC_OPENCLOSE","appdev/refs/api/krb5_responder_pkinit_challenge_free","appdev/refs/macros/ADDRTYPE_XNS","appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE","appdev/refs/api/krb5_auth_con_set_req_cksumtype","admin/env_variables","appdev/refs/api/krb5_encode_authdata_container","admin/https","appdev/refs/api/krb5_free_keytab_entry_contents","appdev/refs/api/krb5_free_host_realm","appdev/refs/types/krb5_expire_callback_func","appdev/refs/api/krb5_get_time_offsets","appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize","appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED","appdev/refs/api/krb5_verify_checksum","appdev/refs/macros/SALT_TYPE_AFS_LENGTH","appdev/refs/macros/KRB5_KPASSWD_AUTHERROR","appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET","appdev/refs/api/krb5_responder_pkinit_set_answer","appdev/refs/api/krb5_address_order","appdev/refs/macros/KRB5_PADATA_NONE","appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC","appdev/refs/macros/AP_OPTS_RESERVED","appdev/refs/api/krb5_decode_authdata_container","appdev/refs/api/krb5_get_host_realm","appdev/refs/api/krb5_kt_dup","appdev/refs/macros/krb5_princ_set_realm","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP","appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH","appdev/refs/macros/KDC_OPT_CANONICALIZE","appdev/refs/api/krb5_c_random_to_key","appdev/refs/types/krb5_authdatatype","appdev/refs/api/krb5_c_free_state","appdev/refs/macros/CKSUMTYPE_CRC32","formats/keytab_file_format","appdev/refs/macros/KRB5_PADATA_SESAME","appdev/refs/types/krb5_pa_svr_referral_data","appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","appdev/refs/api/krb5_get_credentials_renew","appdev/refs/api/krb5_get_default_realm","appdev/refs/types/krb5_ticket","appdev/refs/api/krb5_c_make_checksum_iov","appdev/refs/macros/KRB5_NT_WELLKNOWN","appdev/refs/api/krb5_auth_con_getremoteseqnumber","appdev/refs/macros/TKT_FLG_PRE_AUTH","appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX","appdev/refs/macros/KDC_OPT_RENEW","appdev/refs/api/krb5_init_keyblock","appdev/refs/types/krb5_keyusage","appdev/refs/api/krb5_fwd_tgt_creds","appdev/refs/types/krb5_responder_pkinit_challenge","appdev/refs/api/krb5_free_tgt_creds","admin/auth_indicator","appdev/refs/api/krb5_auth_con_setrecvsubkey","formats/ccache_file_format","appdev/refs/types/krb5_enc_kdc_rep_part","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS","appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT","plugindev/index","appdev/refs/api/krb5_kt_free_entry","mitK5license","appdev/refs/api/krb5_vset_error_message","appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD","appdev/refs/macros/TKT_FLG_RENEWABLE","appdev/refs/api/krb5_get_profile","appdev/refs/macros/TKT_FLG_FORWARDABLE","appdev/refs/types/krb5_cred","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC","appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL","appdev/refs/macros/krb524_init_ets","appdev/refs/types/krb5_ccache","appdev/refs/api/krb5_cccol_unlock","appdev/refs/api/krb5_responder_list_questions","appdev/refs/api/krb5_cccol_cursor_free","appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_set_default_realm","appdev/refs/api/krb5_524_convert_creds","appdev/refs/api/krb5_c_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART","appdev/refs/api/krb5_free_checksum","appdev/refs/api/krb5_c_derive_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","appdev/refs/macros/TKT_FLG_INITIAL","appdev/refs/api/krb5_cc_switch","appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM","appdev/refs/macros/TKT_FLG_INVALID","appdev/refs/macros/ENCTYPE_DES_CBC_MD4","appdev/refs/macros/ENCTYPE_DES_CBC_MD5","appdev/refs/api/krb5_init_creds_init","appdev/refs/api/krb5_c_is_keyed_cksum","appdev/refs/api/krb5_k_key_keyblock","appdev/refs/types/krb5_authdata","user/user_commands/index","appdev/refs/api/krb5_change_password","appdev/refs/api/krb5_mk_req","appdev/refs/api/krb5_mk_rep","appdev/refs/api/krb5_c_block_size","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","appdev/refs/api/krb5_principal_compare_any_realm","appdev/refs/api/krb5_auth_con_getkey","appdev/refs/types/krb5_enc_data","appdev/refs/api/krb5_get_init_creds_opt_set_address_list","appdev/refs/api/krb5_set_trace_callback","appdev/refs/api/krb5_verify_authdata_kdc_issued","appdev/refs/api/krb5_kt_get_name","appdev/refs/macros/KRB5_TC_MATCH_TIMES","appdev/refs/types/krb5_mk_req_checksum_func","appdev/refs/api/krb5_c_random_add_entropy","appdev/refs/api/krb5_get_in_tkt_with_skey","appdev/refs/macros/KRB5_PADATA_PW_SALT","appdev/refs/macros/VALID_INT_BITS","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE","appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE","appdev/refs/macros/ADDRTYPE_INET","appdev/refs/api/krb5_mk_rep_dce","appdev/refs/api/krb5_k_verify_checksum_iov","user/user_commands/kdestroy","appdev/refs/types/krb5_cksumtype","appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ","appdev/refs/api/krb5_server_decrypt_ticket_keytab","appdev/refs/macros/KRB5_AP_REP","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2","appdev/refs/macros/VALID_UINT_BITS","appdev/refs/api/krb5_cc_select","appdev/refs/api/krb5_address_compare","appdev/refs/api/krb5_kt_add_entry","appdev/refs/macros/AD_TYPE_REGISTERED","appdev/refs/api/krb5_free_error_message","appdev/refs/macros/KDC_OPT_PROXIABLE","appdev/refs/api/krb5_address_search","appdev/refs/api/krb5_set_password","appdev/refs/api/krb5_calculate_checksum","appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING","appdev/refs/api/krb5_make_authdata_kdc_issued","appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC","appdev/refs/macros/ADDRTYPE_NETBIOS","appdev/refs/api/krb5_auth_con_getrecvsubkey_k","appdev/refs/api/krb5_get_init_creds_opt_free","appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER","appdev/refs/api/krb5_free_authdata","appdev/refs/macros/TKT_FLG_POSTDATED","appdev/refs/api/krb5_c_enctype_compare","appdev/refs/api/krb5_init_creds_set_keytab","plugindev/clpreauth","appdev/refs/macros/CKSUMTYPE_DESCBC","appdev/refs/api/krb5_kt_default","appdev/refs/macros/ENCTYPE_RSA_ENV","appdev/refs/api/krb5_init_creds_set_password","appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH","appdev/refs/api/krb5_finish_key","appdev/refs/api/krb5_pac_get_buffer","appdev/refs/api/krb5_init_creds_set_service","appdev/refs/api/krb5_get_validated_creds","admin/admin_commands/kdb5_util","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD","appdev/refs/types/krb5_principal_data","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","admin/admin_commands/index","appdev/refs/api/krb5_appdefault_string","appdev/refs/api/krb5_principal2salt","appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION","appdev/refs/macros/ADDRTYPE_IS_LOCAL","appdev/refs/api/krb5_string_to_salttype","appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP","admin/lockout","appdev/refs/api/krb5_free_cksumtypes","appdev/refs/api/krb5_find_authdata","user/user_commands/ksu","appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE","appdev/refs/macros/krb5_princ_component","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT","appdev/refs/macros/krb5_roundup","appdev/refs/macros/KRB5_GC_CACHED","appdev/refs/types/krb5_pwd_data","appdev/refs/api/krb5_c_verify_checksum","appdev/refs/macros/TKT_FLG_PROXY","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","appdev/refs/api/krb5_cc_get_flags","appdev/refs/macros/KRB5_INIT_CONTEXT_KDC","appdev/h5l_mit_apidiff","appdev/refs/api/krb5_string_to_enctype","appdev/refs/macros/KRB5_GC_NO_STORE","build/options2configure","appdev/refs/api/krb5_build_principal_ext","appdev/refs/types/krb5_boolean","plugindev/pwqual","appdev/refs/macros/KRB5_FAST_REQUIRED","appdev/refs/types/krb5_error","appdev/refs/api/krb5_auth_con_getrcache","appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED","appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE","appdev/refs/api/krb5_set_real_time","copyright","appdev/refs/api/krb5_cc_store_cred","appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","appdev/refs/types/krb5_preauthtype","appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE","appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS","appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","admin/princ_dns","appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY","appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE","admin/conf_files/index","appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED","appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM","appdev/refs/api/krb5_unparse_name_ext","appdev/refs/types/krb5_const_pointer","appdev/refs/types/krb5_flags","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","appdev/refs/api/krb5_auth_con_setsendsubkey","admin/admin_commands/kdb5_ldap_util","appdev/refs/types/krb5_const_principal","appdev/refs/api/krb5_free_checksum_contents","appdev/refs/macros/ADDRTYPE_DDP","appdev/refs/macros/KRB5_NT_SRV_INST","appdev/refs/api/krb5_unparse_name_flags","appdev/refs/types/krb5_magic","appdev/refs/api/krb5_cc_get_principal","appdev/refs/macros/KRB5_NT_X500_PRINCIPAL","admin/realm_config","appdev/refs/api/krb5_cc_support_switch","appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME","appdev/refs/types/krb5_transited","appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO","appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC","appdev/refs/types/krb5_address","appdev/refs/macros/KRB5_PVNO","appdev/refs/types/krb5_cc_cursor","appdev/refs/api/krb5_check_clockskew","appdev/refs/types/krb5_last_req_entry","admin/pkinit","appdev/refs/api/krb5_c_make_checksum","appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL","appdev/refs/api/krb5_copy_authenticator","appdev/refs/api/krb5_copy_error_message","appdev/refs/api/krb5_cc_get_full_name","appdev/refs/api/krb5_c_valid_cksumtype","appdev/refs/api/krb5_principal_compare_flags","appdev/refs/macros/KDC_OPT_RENEWABLE","appdev/refs/types/krb5_auth_context","appdev/refs/types/krb5_responder_otp_challenge","admin/conf_ldap","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128","appdev/refs/api/krb5_cccol_cursor_next","user/user_commands/sclient","appdev/refs/api/krb5_verify_init_creds","appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life","appdev/init_creds","appdev/refs/api/krb5_mk_1cred","appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW","appdev/refs/api/krb5_cc_get_config","appdev/refs/types/krb5_keyblock","appdev/refs/api/krb5_init_random_key","appdev/refs/types/krb5_responder_context","appdev/refs/macros/KRB5_PADATA_OTP_REQUEST","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128","appdev/refs/api/krb5_encrypt_size","appdev/refs/types/krb5_enctype","appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache","appdev/refs/macros/KRB5_GC_CANONICALIZE","appdev/refs/macros/KRB5_SAFE","appdev/refs/api/krb5_build_principal","appdev/refs/api/krb5_auth_con_getaddrs","appdev/refs/api/krb5_get_init_creds_opt_set_forwardable","appdev/refs/macros/KRB5_PAC_LOGON_INFO","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","user/user_commands/krb5-config","appdev/refs/macros/AP_OPTS_USE_SESSION_KEY","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2","appdev/refs/api/krb5_auth_con_setrcache","appdev/refs/types/krb5_cred_info","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM","appdev/refs/types/krb5_int32","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY","appdev/refs/api/krb5_unparse_name","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2","appdev/refs/api/krb5_c_crypto_length","appdev/refs/macros/KRB5_PADATA_REFERRAL","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT","appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE","appdev/refs/api/krb5_free_addresses","appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache","appdev/refs/api/krb5_free_unparsed_name","appdev/refs/macros/KRB5_LRQ_NONE","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD","appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS","appdev/refs/macros/KRB5_GC_FORWARDABLE","user/user_commands/klist","formats/cookie","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE","appdev/refs/api/krb5_mk_error","admin/admin_commands/kproplog","appdev/refs/macros/KRB5_TGS_NAME","appdev/refs/api/krb5_rd_req","appdev/refs/api/krb5_rd_rep","appdev/refs/macros/THREEPARAMOPEN","appdev/refs/macros/KRB5_INT32_MAX","appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail","appdev/refs/macros/KRB5_PADATA_FOR_USER","appdev/refs/macros/krb5_princ_set_realm_length","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache","mitK5features","appdev/refs/api/krb5_build_principal_va","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128","basic/index","appdev/refs/api/krb5_c_random_make_octets","appdev/refs/macros/AD_TYPE_EXTERNAL","appdev/refs/types/krb5_keytab","appdev/refs/types/krb5_response","appdev/refs/api/krb5_c_is_coll_proof_cksum","appdev/refs/macros/ENCTYPE_NULL","appdev/refs/api/krb5_get_server_rcache","appdev/refs/macros/KRB5_TC_MATCH_KTYPE","appdev/refs/macros/KRB5_GC_USER_USER","appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART","appdev/refs/api/krb5_string_to_cksumtype","appdev/refs/api/krb5_get_prompt_types","appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8","appdev/refs/macros/KRB5_PADATA_AFS3_SALT","appdev/refs/api/krb5_pac_add_buffer","appdev/refs/types/krb5_data","appdev/refs/api/krb5_enctype_to_string","appdev/refs/macros/krb5_x","appdev/refs/macros/KRB5_KPASSWD_SUCCESS","appdev/refs/api/krb5_k_make_checksum_iov","appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE","appdev/refs/api/krb5_c_string_to_key_with_params","appdev/refs/api/krb5_c_keylengths","appdev/refs/macros/TKT_FLG_FORWARDED","appdev/refs/api/krb5_get_init_creds_password","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT","plugindev/localauth","appdev/refs/api/krb5_string_to_key","appdev/refs/api/krb5_cc_next_cred","appdev/refs/api/krb5_cc_move","appdev/refs/macros/SALT_TYPE_NO_LENGTH","basic/stash_file_def","basic/ccache_def","appdev/refs/api/krb5_tkt_creds_step","appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME","appdev/refs/macros/KRB5_AUTHDATA_AND_OR","appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE","appdev/refs/api/krb5_cc_resolve","appdev/refs/api/krb5_kt_end_seq_get","appdev/refs/macros/ENCTYPE_UNKNOWN","appdev/refs/api/krb5_set_kdc_send_hook","appdev/refs/api/krb5_free_context","appdev/refs/api/krb5_auth_con_setports","appdev/refs/macros/KRB5_PADATA_FX_FAST","appdev/refs/api/krb5_copy_creds","appdev/refs/api/krb5_merge_authdata","appdev/refs/api/krb5_cc_dup","appdev/refs/types/krb5_context","appdev/refs/api/krb5_k_verify_checksum","appdev/refs/api/krb5_parse_name_flags","appdev/refs/macros/KRB5_AS_REQ","appdev/refs/macros/KRB5_AS_REP","plugindev/kdcpolicy","appdev/refs/types/krb5_pa_data","appdev/refs/types/krb5_ap_rep","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ","appdev/refs/macros/KRB5_AUTHDATA_SESAME","appdev/refs/api/krb5_c_random_os_entropy","user/user_commands/kinit","appdev/refs/api/krb5_init_secure_context","appdev/refs/api/krb5_sendauth","appdev/refs/macros/KRB5_NT_PRINCIPAL","appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list","appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER","user/user_commands/kvno","appdev/refs/types/krb5_typed_data","appdev/refs/api/krb5_k_prf","appdev/refs/api/krb5_responder_pkinit_get_challenge","appdev/refs/types/krb5_init_creds_context","appdev/refs/api/krb5_c_padding_length","appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA","appdev/refs/api/krb5_auth_con_getrecvsubkey","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT","appdev/refs/macros/CKSUMTYPE_NIST_SHA","appdev/refs/api/krb5_get_fallback_host_realm","appdev/refs/api/krb5_get_in_tkt_with_keytab","appdev/refs/api/krb5_copy_checksum","appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART","appdev/refs/types/krb5_ticket_times","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL","admin/host_config","appdev/refs/macros/krb5_const","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","appdev/refs/macros/KRB5_PAC_CLIENT_INFO","appdev/refs/api/krb5_free_creds","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED","appdev/refs/api/krb5_c_decrypt","appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY","appdev/refs/api/krb5_cc_new_unique","appdev/refs/api/krb5_parse_name","appdev/refs/macros/ENCTYPE_DES3_CBC_RAW","appdev/refs/api/krb5_c_checksum_length","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","appdev/refs/types/krb5_deltat","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1","appdev/refs/macros/KRB5_REFERRAL_REALM","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD","appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM","appdev/refs/api/krb5_cc_gen_new","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT","appdev/refs/api/krb5_cccol_cursor_new","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","appdev/refs/api/krb5_cc_retrieve_cred","plugindev/hostrealm","appdev/refs/api/krb5_pac_free","admin/admin_commands/kadmind","appdev/refs/api/krb5_salttype_to_string","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","appdev/refs/api/krb5_auth_con_setaddrs","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","appdev/refs/api/krb5_recvauth","appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION","appdev/refs/api/krb5_get_credentials_validate","plugindev/ccselect","appdev/refs/api/krb5_auth_con_setrecvsubkey_k","appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK","appdev/refs/api/krb5_sname_to_principal","appdev/refs/macros/krb5_princ_size","appdev/refs/api/krb5_get_renewed_creds","appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM","appdev/refs/macros/MSEC_VAL_MASK","appdev/refs/api/krb5_get_init_creds_opt_set_proxiable","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED","appdev/refs/api/krb5_cc_get_name","appdev/refs/macros/KRB5_PRIV","appdev/refs/macros/KRB5_PADATA_TGS_REQ","appdev/refs/api/krb5_kt_get_entry","appdev/refs/api/krb5_string_to_deltat","admin/various_envs","appdev/y2038","appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","appdev/refs/api/krb5_cc_unlock","appdev/refs/types/krb5_cryptotype","appdev/refs/api/krb5_pac_init","appdev/refs/api/krb5_process_key","appdev/refs/macros/KDC_OPT_FORWARDABLE","appdev/refs/api/krb5_checksum_size","appdev/refs/api/krb5_free_principal","appdev/refs/api/krb5_copy_addresses","admin/admin_commands/k5srvutil","appdev/refs/api/krb5_get_init_creds_opt_set_anonymous","appdev/refs/api/krb5_copy_principal","appdev/refs/types/krb5_authenticator","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","appdev/refs/api/krb5_kt_read_service_key","appdev/princ_handle","appdev/refs/api/krb5_mk_ncred","appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL","appdev/refs/api/krb5_copy_keyblock_contents","appdev/refs/api/krb5_tkt_creds_get","appdev/refs/api/krb5_auth_con_getsendsubkey","appdev/refs/api/krb5_init_context_profile","appdev/refs/api/krb5_cc_close","appdev/refs/api/krb5_tkt_creds_init","appdev/refs/api/krb5_timeofday","appdev/refs/macros/krb5_xc","appdev/refs/macros/KRB5_CRED","appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt","appdev/refs/api/krb5_k_make_checksum","appdev/refs/api/krb5_auth_con_init","build/osconf","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP","user/user_config/index","appdev/refs/macros/ADDRTYPE_IPPORT","appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST","appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","appdev/refs/types/krb5_prompter_fct","appdev/refs/api/krb5_init_creds_get","appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME","appdev/refs/types/krb5_encrypt_block","appdev/refs/api/krb5_cksumtype_to_string","appdev/refs/macros/TKT_FLG_PROXIABLE","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","appdev/refs/api/krb5_k_decrypt_iov","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","appdev/refs/api/krb5_init_creds_get_times","user/index","appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT","plugindev/gssapi","appdev/refs/api/krb5_pac_sign","appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES","appdev/refs/types/krb5_pa_pac_req","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP","appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD","appdev/refs/types/krb5_responder_pkinit_identity","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","appdev/refs/types/krb5_error_code","appdev/refs/api/krb5_auth_con_setsendsubkey_k","appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV","about","appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM","appdev/refs/macros/ADDRTYPE_ADDRPORT","appdev/refs/macros/KRB5_TC_NOTICKET","appdev/refs/macros/AD_TYPE_RESERVED","appdev/refs/api/krb5_string_to_timestamp","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH","user/user_config/k5identity","appdev/refs/api/krb5_auth_con_set_checksum_func","appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME","appdev/refs/macros/ADDRTYPE_CHAOS","appdev/refs/api/krb5_get_init_creds_opt_set_responder","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE","appdev/refs/api/krb5_is_referral_realm","appdev/refs/types/krb5_kt_cursor","appdev/refs/api/krb5_c_decrypt_iov","admin/install_clients","appdev/refs/types/krb5_creds","admin/appl_servers","appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL","appdev/refs/api/krb5_get_init_creds_opt_set_salt","appdev/refs/macros/KRB5_TGS_NAME_SIZE","appdev/refs/api/krb5_get_init_creds_opt_set_renew_life","appdev/refs/macros/krb5_princ_realm","appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION","appdev/refs/api/krb5_free_cred_contents","appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES","appdev/refs/api/krb5_kt_next_entry","appdev/refs/macros/ENCTYPE_DES_CBC_RAW","appdev/refs/macros/KRB5_PADATA_S4U_X509_USER","appdev/refs/macros/KRB5_INT16_MAX","appdev/refs/types/krb5_rcache","appdev/refs/macros/KDC_OPT_POSTDATED","appdev/refs/types/krb5_ui_4","appdev/refs/types/krb5_ui_2","appdev/refs/api/krb5_vprepend_error_message","admin/conf_files/krb5_conf","appdev/refs/macros/KRB5_NT_UNKNOWN","admin/admin_commands/sserver","plugindev/profile","appdev/refs/macros/KRB5_NT_SMTP_NAME","appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags","appdev/refs/api/krb5_cc_set_default_name","appdev/refs/api/krb5_eblock_enctype","appdev/refs/api/krb5_k_encrypt_iov","appdev/refs/api/krb5_rd_safe","appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED","appdev/refs/api/krb5_cc_initialize","appdev/refs/macros/KDC_TKT_COMMON_MASK","appdev/refs/api/krb5_c_prf_length","appdev/refs/types/krb5_enc_tkt_part","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name","appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS","appdev/refs/types/krb5_get_init_creds_opt","appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_set_answer","appdev/refs/api/krb5_mk_safe","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","appdev/refs/api/krb5_kt_get_type","build/directory_org","appdev/refs/types/krb5_tkt_authent","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","appdev/refs/api/krb5_c_encrypt","appdev/refs/api/krb5_get_init_creds_keytab","appdev/refs/api/krb5_free_data_contents","appdev/refs/types/krb5_kvno","appdev/refs/macros/KDC_OPT_PROXY","appdev/refs/api/krb5_k_free_key","appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID","appdev/refs/types/krb5_keytab_entry","appdev/refs/api/krb5_prompter_posix","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD","plugindev/kdcpreauth","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL","appdev/refs/api/krb5_us_timeofday","appdev/refs/api/krb5_set_trace_filename","appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART","admin/advanced/ldapbackend","appdev/refs/api/krb5_finish_random_key","appdev/refs/types/krb5_post_recv_fn","appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL","appdev/refs/api/krb5_cc_destroy","appdev/refs/api/krb5_tkt_creds_get_creds","appdev/refs/macros/KDC_OPT_RENEWABLE_OK","appdev/refs/api/krb5_init_context","appdev/refs/api/krb5_kuserok","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","appdev/refs/types/krb5_addrtype","appdev/refs/macros/TKT_FLG_HW_AUTH","appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS","appdev/refs/api/krb5_k_key_enctype","appdev/refs/api/krb5_auth_con_initivector","appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY","appdev/refs/api/krb5_c_valid_enctype","appdev/refs/api/krb5_auth_con_getauthenticator","appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128","appdev/refs/api/krb5_timestamp_to_sfstring","appdev/refs/api/krb5_os_localaddr","appdev/refs/api/krb5_c_prf","appdev/refs/api/krb5_build_principal_alloc_va","appdev/refs/types/krb5_gic_opt_pa_data","appdev/refs/api/krb5_timestamp_to_string","appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC","appdev/refs/api/krb5_set_principal_realm","appdev/refs/api/krb5_free_ap_rep_enc_part","appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR","appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM","plugindev/internal","appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD","appdev/refs/api/krb5_copy_authdata","appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK","appdev/refs/types/passwd_phrase_element","appdev/refs/api/krb5_set_password_using_ccache","appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO","appdev/refs/macros/MSEC_DIRBIT","appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192","admin/install_kdc","appdev/refs/api/krb5_use_enctype","appdev/refs/types/krb5_responder_otp_tokeninfo","appdev/refs/types/krb5_prompt_type","appdev/refs/macros/ENCTYPE_RC2_CBC_ENV","appdev/refs/types/krb5_principal","appdev/refs/api/krb5_pac_parse","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","appdev/refs/api/krb5_rd_error","appdev/refs/types/krb5_ap_rep_enc_part","appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD","appdev/refs/macros/krb5_princ_name","appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback","appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR","appdev/refs/types/krb5_timestamp","appdev/refs/api/krb5_random_key","appdev/refs/api/krb5_init_creds_free","appdev/refs/api/krb5_is_thread_safe","appdev/refs/macros/ENCTYPE_DES_CBC_CRC","appdev/refs/api/krb5_read_password","appdev/refs/api/krb5_auth_con_getkey_k","appdev/refs/api/krb5_cc_set_flags","appdev/refs/api/krb5_rd_rep_dce","user/user_commands/kswitch","appdev/refs/types/krb5_responder_fn","appdev/refs/api/krb5_allow_weak_crypto","appdev/refs/api/krb5_auth_con_getsendsubkey_k","appdev/refs/api/krb5_c_random_seed","appdev/refs/types/krb5_octet","appdev/refs/types/krb5_crypto_iov","plugindev/certauth"],titles:["KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","krb5_mk_req_extended -  Create a KRB_AP_REQ message using supplied credentials.","krb5 simple macros","krb5_cc_get_type -  Retrieve the type of a credential cache.","General plugin concepts","KRB5_AUTH_CONTEXT_DO_TIME","krb5_verify_init_creds_opt","TKT_FLG_ENC_PA_REP","TKT_FLG_ANONYMOUS","krb5_clear_error_message -  Clear the extended error message in a context.","kdc.conf","krb5_auth_con_setuseruserkey -  Set the session key in an auth context.","krb5_425_conv_principal -  Convert a Kerberos V4 principal to a Kerberos V5 principal.","KRB5_TC_MATCH_AUTHDATA","KRB5_ANONYMOUS_PRINCSTR","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","KRB5_AUTH_CONTEXT_RET_SEQUENCE","Developing with GSSAPI","krb5_sname_match -  Test whether a principal matches a matching principal.","KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","KRB5_AUTHDATA_MANDATORY_FOR_KDC","AP_OPTS_WIRE_MASK","krb5_free_enctypes -  Free an array of encryption types.","Resources","KRB5_PADATA_PAC_REQUEST","kpasswd","Building Kerberos V5","replay cache","MIT Kerberos defaults","krb5_replay_data","krb5_get_credentials -  Get an additional ticket.","krb5_trace_info","kadm5.acl","KRB5_PADATA_ETYPE_INFO","krb5_kdc_req","krb5_kdc_rep","krb5 types and structures","krb5_get_init_creds_opt_set_pac_request -  Ask the KDC to include or not include a PAC in the ticket.","krb5_wrap_error_message -  Add a prefix to a different error code&#8217;s message.","krb5_k_decrypt -  Decrypt data using a key (operates on opaque key).","krb5_kt_start_seq_get -  Start a sequential retrieval of key table entries.","KRB5_AUTHDATA_KDC_ISSUED","KRB5_AUTHDATA_CAMMAC","KRB5_PADATA_OSF_DCE","Database administration","krb5kdc","AP_OPTS_USE_SUBKEY","krb5_responder_otp_get_challenge -  Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.","KRB5_LRQ_ONE_PW_EXPTIME","krb5_anonymous_realm -  Return an anonymous realm data.","CKSUMTYPE_HMAC_SHA384_192_AES256","krb5_get_error_message -  Get the (possibly extended) error message for a code.","ENCTYPE_AES256_CTS_HMAC_SHA1_96","KRB5_PADATA_PK_AS_REP","krb5_pac","krb5_get_init_creds_opt_set_etype_list -  Set allowable encryption types in initial credential options.","Backups of secure hosts","KRB5_AP_REQ","KRB5_KPASSWD_MALFORMED","krb5_pre_send_fn","krb5_pointer","MIT Kerberos Documentation (1.16)","kadmin authorization interface (kadm5_auth)","krb5_tkt_creds_free -  Free a TGS request context.","kpropd","CKSUMTYPE_HMAC_MD5_ARCFOUR","krb5_cc_remove_cred -  Remove credentials from a credential cache.","KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","KRB5_NT_UID","KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","krb5_c_string_to_key -  Convert a string (such a password) to a key.","kadmin","krb5_is_config_principal -  Test whether a principal is a configuration principal.","krb5_c_fx_cf2_simple -  Compute the KRB-FX-CF2 combination of two keys and pepper strings.","Retiring DES","krb5_init_creds_get_error -  Get the last error from KDC from an initial credentials context.","KRB5_TGS_REP","KRB5_TGS_REQ","krb5_cc_set_config -  Store a configuration value in a credential cache.","krb5_key","KRB5_REALM_BRANCH_CHAR","KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","krb5_get_init_creds_opt_set_pa -  Supply options for preauthentication in initial credential options.","KRB5_KPASSWD_HARDERROR","KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","ENCTYPE_DES_HMAC_SHA1","krb5_auth_con_getlocalseqnumber -  Retrieve the local sequence number from an auth context.","KRB5_WELLKNOWN_NAMESTR","KRB5_AUTHDATA_FX_ARMOR","krb5_cc_cache_match -  Find a credential cache with a specified client principal.","krb5_free_keyblock_contents -  Free the contents of a krb5_keyblock structure.","krb524_convert_creds_kdc","krb5_c_keyed_checksum_types -  Return a list of keyed checksum types usable with an encryption type.","CKSUMTYPE_RSA_MD4","CKSUMTYPE_RSA_MD5","krb5_free_keyblock -  Free a krb5_keyblock structure.","Advanced topics","CKSUMTYPE_HMAC_SHA1_96_AES256","KRB5_KPASSWD_BAD_VERSION","Complete reference - API and datatypes","KRB5_KEYUSAGE_AD_MTE","UNIX Application Servers","krb5_msgtype","krb5_copy_ticket -  Copy a krb5_ticket structure.","krb5_k_reference_key -  Increment the reference count on a key.","Ticket management","krb5_get_permitted_enctypes -  Return a list of encryption types permitted for session keys.","ADDRTYPE_ISO","krb5_get_init_creds_opt_alloc -  Allocate a new initial credential options structure.","krb5_unparse_name_flags_ext -  Convert krb5_principal structure to string format with flags.","MAX_KEYTAB_NAME_LEN","krb5_chpw_message -  Get a result message for changing or setting a password.","krb5_copy_keyblock -  Copy a keyblock.","krb5_cccol_lock -  Acquire a global lock for credential caches.","KRB5_PADATA_AP_REQ","krb5_k_encrypt -  Encrypt data using a key (operates on opaque key).","krb5_auth_con_setflags -  Set a flags field in a krb5_auth_context structure.","KRB5_PRINCIPAL_UNPARSE_DISPLAY","KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","KRB5_RESPONDER_QUESTION_PKINIT","Password management","krb5_free_default_realm -  Free a default realm string returned by krb5_get_default_realm() .","krb5_tkt_creds_get_times -  Retrieve ticket times from a TGS request context.","KRB5_PADATA_OTP_PIN_CHANGE","KRB5_ENCPADATA_REQ_ENC_PA_REP","krb5_appdefault_boolean -  Retrieve a boolean value from the appdefaults section of krb5.conf.","krb5_cc_default -  Resolve the default credential cache name.","How to build this documentation from the source","KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","KRB5_PRINCIPAL_UNPARSE_SHORT","krb5_aname_to_localname -  Convert a principal name to a local name.","krb5_realm_compare -  Compare the realms of two principals.","krb5_c_encrypt_iov -  Encrypt data in place supporting AEAD (operates on keyblock).","kprop","krb5_cc_start_seq_get -  Prepare to sequentially read every credential in a credential cache.","KRB5_INT32_MIN","krb5_kt_have_content -  Check if a keytab exists and contains entries.","krb5_trace_callback","krb5_set_default_tgs_enctypes -  Set default TGS encryption types in a krb5_context structure.","ktutil","krb5_prompt","krb5_vwrap_error_message -  Add a prefix to a different error code&#8217;s message using a va_list.","krb5_copy_context -  Copy a krb5_context structure.","krb5_get_init_creds_opt_init","krb5_c_make_random_key -  Generate an enctype-specific random encryption key.","krb5_free_ticket -  Free a ticket.","LR_TYPE_THIS_SERVER_ONLY","krb5_cc_copy_creds -  Copy a credential cache.","Troubleshooting","krb5_pac_get_types -  Return an array of buffer types in a PAC handle.","krb5_c_crypto_length_iov -  Fill in lengths for header, trailer and padding in a IOV array.","ENCTYPE_DES3_CBC_ENV","krb5_auth_con_get_checksum_func -  Get the checksum callback from an auth context.","KRB5_KPASSWD_SOFTERROR","krb5_int16","krb5_checksum","For application developers","ADDRTYPE_INET6","krb5_responder_otp_challenge_free -  Free the value returned by krb5_responder_otp_get_challenge() .","krb5_kt_remove_entry -  Remove an entry from a key table.","keytab","krb5_princ_type","KRB5_PAC_DELEGATION_INFO","For administrators","krb5_cccol_have_content -  Check if the credential cache collection contains any credentials.","krb5_deltat_to_string -  Convert a relative time value to a string.","Protocols and file formats","krb5_auth_con_free -  Free a krb5_auth_context structure.","krb5_set_kdc_recv_hook -  Set a KDC post-receive hook function.","krb5_free_error -  Free an error allocated by krb5_read_error() or krb5_sendauth() .","KRB5_LRQ_ONE_LAST_INITIAL","TKT_FLG_OK_AS_DELEGATE","krb5_enctype_to_name -  Convert an encryption type to a name or alias.","krb5_tkt_creds_context","KRB5_TC_MATCH_IS_SKEY","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","KDC_OPT_FORWARDED","Supported date and time formats","KRB5_TC_MATCH_FLAGS","krb5_free_authenticator -  Free a krb5_authenticator structure.","krb5_auth_con_getremotesubkey","CKSUMTYPE_CMAC_CAMELLIA256","krb5 API","krb5_c_encrypt_length -  Compute encrypted data length.","KRB5_PADATA_USE_SPECIFIED_KVNO",".k5login","krb5_init_creds_step -  Get the next KDC request for acquiring initial credentials.","KRB5_KEYUSAGE_GSS_TOK_MIC","KRB5_LRQ_ONE_LAST_REQ","krb5_expand_hostname -  Canonicalize a hostname, possibly using name service.","krb5_cred_enc_part","krb5_decode_ticket -  Decode an ASN.1-formatted ticket.","krb5_cc_default_name -  Return the name of the default credential cache.","KRB5_NT_SRV_XHST","KRB5_KEYUSAGE_FAST_REQ_CHKSUM","krb5_free_data -  Free a krb5_data structure.","ENCTYPE_MD5_RSA_CMS","KRB5_KEYUSAGE_AS_REQ","krb5_c_init_state -  Initialize a new cipher state.","KDC_OPT_CNAME_IN_ADDL_TKT","CKSUMTYPE_HMAC_SHA1_DES3","krb5_kt_client_default -  Resolve the default client key table.","KRB5_INT16_MIN","KDC_OPT_ENC_TKT_IN_SKEY","Doing the build","krb5_verify_init_creds_opt_init -  Initialize a credential verification options structure.","krb5_cc_lock -  Lock a credential cache.","krb5_kt_close -  Close a key table handle.","krb5_kt_default_name -  Get the default key table name.","OTP Preauthentication","TKT_FLG_MAY_POSTDATE","krb5_auth_con_getlocalsubkey","krb5_prepend_error_message -  Add a prefix to the message for an error code.","KRB5_PRINCIPAL_UNPARSE_NO_REALM","KRB5_KEYUSAGE_PA_SAM_RESPONSE","KDC_OPT_VALIDATE","krb5_rd_priv -  Process a KRB-PRIV message.","KRB5_PRINCIPAL_PARSE_NO_REALM","krb5_524_conv_principal -  Convert a Kerberos V5 principal to a Kerberos V4 principal.","KRB5_PADATA_SVR_REFERRAL_INFO","KRB5_PADATA_FX_COOKIE","krb5_pa_server_referral_data","krb5_cccol_cursor","krb5_decrypt","KADM5 hook interface (kadm5_hook)","krb5_get_in_tkt_with_password","KRB5_PADATA_FX_ERROR","Server location interface (locate)","krb5_anonymous_principal -  Build an anonymous principal.","Installation guide","krb5_get_init_creds_opt_set_fast_flags -  Set FAST flags in initial credential options.","krb5_copy_data -  Copy a krb5_data object.","krb5_princ_set_realm_data","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","krb5_recvauth_version -  Server function for sendauth protocol with version parameter.","krb5_responder_set_answer -  Answer a named question in the responder context.","CKSUMTYPE_MD5_HMAC_ARCFOUR","krb5_cc_last_change_time -  Return a timestamp of the last modification to a credential cache.","KRB5_ERROR","KRB5_KPASSWD_INITIAL_FLAG_NEEDED","krb5_set_error_message -  Set an extended error message for an error code.","KRB5_GC_NO_TRANSIT_CHECK","krb5_responder_get_challenge -  Retrieve the challenge data for a given question in the responder context.","krb5_cc_end_seq_get -  Finish a series of sequential processing credential cache entries.","ENCTYPE_DES3_CBC_SHA","krb5_init_creds_get_creds -  Retrieve acquired credentials from an initial credentials context.","ENCTYPE_CAMELLIA128_CTS_CMAC","krb5_c_verify_checksum_iov -  Validate a checksum element in IOV array (operates on keyblock).","Encryption types","krb5_kt_resolve -  Get a handle for a key table.","KRB5_CYBERSAFE_SECUREID","krb5_k_create_key -  Create a krb5_key from the enctype and key data in a keyblock.","KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","KRB5_CRYPTO_TYPE_CHECKSUM","krb5_rd_cred -  Read and validate a KRB-CRED message.","KRB5_KEYUSAGE_FAST_FINISHED","krb5_auth_con_genaddrs -  Generate auth context addresses from a connected socket.","krb5_cccol_last_change_time -  Return a timestamp of the last modification of any known credential cache.","krb5_pac_verify -  Verify a PAC.","krb5_ap_req","KRB5_NT_SRV_HST","krb5_encrypt","KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","KRB5_PADATA_PKINIT_KX","krb5_free_string -  Free a string allocated by a krb5 function.","krb5_principal_compare -  Compare two principals.","krb5_auth_con_getflags -  Retrieve flags from a krb5_auth_context structure.","krb5_mk_priv -  Format a KRB-PRIV message.","KRB5_TC_OPENCLOSE","krb5_responder_pkinit_challenge_free -  Free the value returned by krb5_responder_pkinit_get_challenge() .","ADDRTYPE_XNS","KRB5_PADATA_OTP_CHALLENGE","krb5_auth_con_set_req_cksumtype -  Set checksum type in an an auth context.","Environment variables","krb5_encode_authdata_container -  Wrap authorization data in a container.","HTTPS proxy configuration","krb5_free_keytab_entry_contents -  Free the contents of a key table entry.","krb5_free_host_realm -  Free the memory allocated by krb5_get_host_realm() .","krb5_expire_callback_func","krb5_get_time_offsets -  Return the time offsets from the os context.","krb5_get_init_creds_opt_set_canonicalize -  Set or unset the canonicalize flag in initial credential options.","KRB5_KPASSWD_ACCESSDENIED","krb5_verify_checksum","SALT_TYPE_AFS_LENGTH","KRB5_KPASSWD_AUTHERROR","KRB5_AUTHDATA_SIGNTICKET","krb5_responder_pkinit_set_answer -  Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.","krb5_address_order -  Return an ordering of the specified addresses.","KRB5_PADATA_NONE","KRB5_KEYUSAGE_FAST_ENC","AP_OPTS_RESERVED","krb5_decode_authdata_container -  Unwrap authorization data.","krb5_get_host_realm -  Get the Kerberos realm names for a host.","krb5_kt_dup -  Duplicate keytab handle.","krb5_princ_set_realm","ENCTYPE_ARCFOUR_HMAC_EXP","KRB5_PROMPT_TYPE_PREAUTH","KDC_OPT_CANONICALIZE","krb5_c_random_to_key -  Generate an enctype-specific key from random data.","krb5_authdatatype","krb5_c_free_state -  Free a cipher state previously allocated by krb5_c_init_state() .","CKSUMTYPE_CRC32","Keytab file format","KRB5_PADATA_SESAME","krb5_pa_svr_referral_data","CKSUMTYPE_RSA_MD5_DES","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","krb5_get_credentials_renew","krb5_get_default_realm -  Retrieve the default realm.","krb5_ticket","krb5_c_make_checksum_iov -  Fill in a checksum element in IOV array (operates on keyblock)","KRB5_NT_WELLKNOWN","krb5_auth_con_getremoteseqnumber -  Retrieve the remote sequence number from an auth context.","TKT_FLG_PRE_AUTH","KRB5_KEYUSAGE_PA_PKINIT_KX","KDC_OPT_RENEW","krb5_init_keyblock -  Initialize an empty krb5_keyblock .","krb5_keyusage","krb5_fwd_tgt_creds -  Get a forwarded TGT and format a KRB-CRED message.","krb5_responder_pkinit_challenge","krb5_free_tgt_creds -  Free an array of credential structures.","Authentication indicators","krb5_auth_con_setrecvsubkey -  Set the receiving subkey in an auth context with a keyblock.","Credential cache file format","krb5_enc_kdc_rep_part","KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","ENCTYPE_DSA_SHA1_CMS","KRB5_TC_MATCH_2ND_TKT","For plugin module developers","krb5_kt_free_entry","MIT Kerberos License information","krb5_vset_error_message -  Set an extended error message for an error code using a va_list.","KRB5_PADATA_PK_AS_REP_OLD","TKT_FLG_RENEWABLE","krb5_get_profile -  Retrieve configuration profile from the context.","TKT_FLG_FORWARDABLE","krb5_cred","ENCTYPE_ARCFOUR_HMAC","KRB5_NT_ENTERPRISE_PRINCIPAL","krb524_init_ets","krb5_ccache","krb5_cccol_unlock -  Release a global lock for credential caches.","krb5_responder_list_questions -  List the question names contained in the responder context.","krb5_cccol_cursor_free -  Free a credential cache collection cursor.","KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","krb5_set_default_realm -  Override the default realm for the specified context.","krb5_524_convert_creds -  Convert a Kerberos V5 credentials to a Kerberos V4 credentials.","krb5_c_prfplus -  Generate pseudo-random bytes using RFC 6113 PRF+.","KRB5_KEYUSAGE_AS_REP_ENCPART","krb5_free_checksum -  Free a krb5_checksum structure.","krb5_c_derive_prfplus -  Derive a key using some input data (via RFC 6113 PRF+).","KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","TKT_FLG_INITIAL","krb5_cc_switch -  Make a credential cache the primary cache for its collection.","KRB5_PAC_PRIVSVR_CHECKSUM","TKT_FLG_INVALID","ENCTYPE_DES_CBC_MD4","ENCTYPE_DES_CBC_MD5","krb5_init_creds_init -  Create a context for acquiring initial credentials.","krb5_c_is_keyed_cksum -  Test whether a checksum type is keyed.","krb5_k_key_keyblock -  Retrieve a copy of the keyblock from a krb5_key structure.","krb5_authdata","User commands","krb5_change_password -  Change a password for an existing Kerberos account.","krb5_mk_req -  Create a KRB_AP_REQ message.","krb5_mk_rep -  Format and encrypt a KRB_AP_REP message.","krb5_c_block_size -  Return cipher block size.","KRB5_KEYUSAGE_AP_REQ_AUTH","KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","krb5_principal_compare_any_realm -  Compare two principals ignoring realm components.","krb5_auth_con_getkey -  Retrieve the session key from an auth context as a keyblock.","krb5_enc_data","krb5_get_init_creds_opt_set_address_list -  Set address restrictions in initial credential options.","krb5_set_trace_callback -  Specify a callback function for trace events.","krb5_verify_authdata_kdc_issued -  Unwrap and verify AD-KDCIssued authorization data.","krb5_kt_get_name -  Get a key table name.","KRB5_TC_MATCH_TIMES","krb5_mk_req_checksum_func","krb5_c_random_add_entropy -  Add entropy to the pseudo-random number generator.","krb5_get_in_tkt_with_skey","KRB5_PADATA_PW_SALT","VALID_INT_BITS","KRB5_PRINCIPAL_COMPARE_ENTERPRISE","KRB5_INIT_CONTEXT_SECURE","ADDRTYPE_INET","krb5_mk_rep_dce -  Format and encrypt a KRB_AP_REP message for DCE RPC.","krb5_k_verify_checksum_iov -  Validate a checksum element in IOV array (operates on opaque key).","kdestroy","krb5_cksumtype","KRB5_LRQ_ALL_LAST_REQ","krb5_server_decrypt_ticket_keytab -  Decrypt a ticket using the specified key table.","KRB5_AP_REP","KRB5_PADATA_SAM_CHALLENGE_2","VALID_UINT_BITS","krb5_cc_select -  Select a credential cache to use with a server principal.","krb5_address_compare -  Compare two Kerberos addresses.","krb5_kt_add_entry -  Add a new entry to a key table.","AD_TYPE_REGISTERED","krb5_free_error_message -  Free an error message generated by krb5_get_error_message() .","KDC_OPT_PROXIABLE","krb5_address_search -  Search a list of addresses for a specified address.","krb5_set_password -  Set a password for a principal using specified credentials.","krb5_calculate_checksum","KRB5_CRYPTO_TYPE_PADDING","krb5_make_authdata_kdc_issued -  Encode and sign AD-KDCIssued authorization data.","ENCTYPE_CAMELLIA256_CTS_CMAC","ADDRTYPE_NETBIOS","krb5_auth_con_getrecvsubkey_k -  Retrieve the receiving subkey from an auth context as a keyblock.","krb5_get_init_creds_opt_free -  Free initial credential options.","KRB5_CRYPTO_TYPE_TRAILER","krb5_free_authdata -  Free the storage assigned to array of authentication data.","TKT_FLG_POSTDATED","krb5_c_enctype_compare -  Compare two encryption types.","krb5_init_creds_set_keytab -  Specify a keytab to use for acquiring initial credentials.","Client preauthentication interface (clpreauth)","CKSUMTYPE_DESCBC","krb5_kt_default -  Resolve the default key table.","ENCTYPE_RSA_ENV","krb5_init_creds_set_password -  Set a password for acquiring initial credentials.","KRB5_KEYUSAGE_AD_SIGNEDPATH","krb5_finish_key","krb5_pac_get_buffer -  Retrieve a buffer value from a PAC.","krb5_init_creds_set_service -  Specify a service principal for acquiring initial credentials.","krb5_get_validated_creds -  Get validated credentials from the KDC.","kdb5_util","KRB5_PRINCIPAL_COMPARE_CASEFOLD","krb5_principal_data","KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","Administration  programs","krb5_appdefault_string -  Retrieve a string value from the appdefaults section of krb5.conf.","krb5_principal2salt -  Convert a principal name into the default salt for that principal.","KRB5_GC_CONSTRAINED_DELEGATION","ADDRTYPE_IS_LOCAL","krb5_string_to_salttype -  Convert a string to a salt type.","KRB5_RESPONDER_QUESTION_OTP","Account lockout","krb5_free_cksumtypes -  Free an array of checksum types.","krb5_find_authdata -  Find authorization data elements.","ksu","KRB5_PADATA_ENCRYPTED_CHALLENGE","krb5_princ_component","KRB5_LRQ_ALL_LAST_TGT","krb5_roundup","KRB5_GC_CACHED","krb5_pwd_data","krb5_c_verify_checksum -  Verify a checksum (operates on keyblock).","TKT_FLG_PROXY","KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","krb5_cc_get_flags -  Retrieve flags from a credential cache structure.","KRB5_INIT_CONTEXT_KDC","Differences between Heimdal and MIT Kerberos API","krb5_string_to_enctype -  Convert a string to an encryption type.","KRB5_GC_NO_STORE","Options to <em>configure</em>","krb5_build_principal_ext -  Build a principal name using length-counted strings.","krb5_boolean","Password quality interface (pwqual)","KRB5_FAST_REQUIRED","krb5_error","krb5_auth_con_getrcache -  Retrieve the replay cache from an auth context.","TKT_FLG_TRANSIT_POLICY_CHECKED","KRB5_KEYUSAGE_AD_ITE","krb5_set_real_time -  Set time offset field in a krb5_context structure.","Copyright","krb5_cc_store_cred -  Store credentials in a credential cache.","KDC_OPT_ALLOW_POSTDATE","KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","krb5_preauthtype","KRB5_AUTHDATA_ETYPE_NEGOTIATION","KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","KRB5_PRINCIPAL_PARSE_ENTERPRISE","KDC_OPT_REQUEST_ANONYMOUS","KRB5_AUTHDATA_IF_RELEVANT","KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","Principal names and DNS","KRB5_CRYPTO_TYPE_SIGN_ONLY","KRB5_KEYUSAGE_PA_FX_COOKIE","Configuration Files","KRB5_KEYUSAGE_IAKERB_FINISHED","KRB5_CRYPTO_TYPE_STREAM","krb5_unparse_name_ext -  Convert krb5_principal structure to string and length.","krb5_const_pointer","krb5_flags","KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","krb5_auth_con_setsendsubkey -  Set the send subkey in an auth context with a keyblock.","kdb5_ldap_util","krb5_const_principal","krb5_free_checksum_contents -  Free the contents of a krb5_checksum structure.","ADDRTYPE_DDP","KRB5_NT_SRV_INST","krb5_unparse_name_flags -  Convert krb5_principal structure to a string with flags.","krb5_magic","krb5_cc_get_principal -  Get the default principal of a credential cache.","KRB5_NT_X500_PRINCIPAL","Realm configuration decisions","krb5_cc_support_switch -  Determine whether a credential cache type supports switching.","KRB5_PADATA_ENC_UNIX_TIME","krb5_transited","KRB5_PAC_CREDENTIALS_INFO","KRB5_AUTHDATA_WIN2K_PAC","krb5_address","KRB5_PVNO","krb5_cc_cursor","krb5_check_clockskew -  Check if a timestamp is within the allowed clock skew of the current time.","krb5_last_req_entry","PKINIT configuration","krb5_c_make_checksum -  Compute a checksum (operates on keyblock).","KRB5_LRQ_ALL_LAST_RENEWAL","krb5_copy_authenticator -  Copy a krb5_authenticator structure.","krb5_copy_error_message -  Copy the most recent extended error message from one context to another.","krb5_cc_get_full_name -  Retrieve the full name of a credential cache.","krb5_c_valid_cksumtype -  Verify that specified checksum type is a valid Kerberos checksum type.","krb5_principal_compare_flags -  Compare two principals with additional flags.","KDC_OPT_RENEWABLE","krb5_auth_context","krb5_responder_otp_challenge","Configuring Kerberos with OpenLDAP back-end","CKSUMTYPE_CMAC_CAMELLIA128","krb5_cccol_cursor_next -  Get the next credential cache in the collection.","sclient","krb5_verify_init_creds -  Verify initial credentials against a keytab.","krb5_get_init_creds_opt_set_tkt_life -  Set the ticket lifetime in initial credential options.","Initial credentials","krb5_mk_1cred -  Format a KRB-CRED message for a single set of credentials.","KRB5_PADATA_GET_FROM_TYPED_DATA","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW","krb5_cc_get_config -  Get a configuration value from a credential cache.","krb5_keyblock","krb5_init_random_key","krb5_responder_context","KRB5_PADATA_OTP_REQUEST","ENCTYPE_AES128_CTS_HMAC_SHA256_128","krb5_encrypt_size","krb5_enctype","krb5_get_init_creds_opt_set_out_ccache -  Set an output credential cache in initial credential options.","KRB5_GC_CANONICALIZE","KRB5_SAFE","krb5_build_principal -  Build a principal name using null-terminated strings.","krb5_auth_con_getaddrs -  Retrieve address fields from an auth context.","krb5_get_init_creds_opt_set_forwardable -  Set or unset the forwardable flag in initial credential options.","KRB5_PAC_LOGON_INFO","KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","krb5-config","AP_OPTS_USE_SESSION_KEY","KRB5_PADATA_SAM_RESPONSE_2","krb5_auth_con_setrcache -  Set the replay cache in an auth context.","krb5_cred_info","KRB5_KEYUSAGE_APP_DATA_CKSUM","krb5_int32","KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","KRB5_CRYPTO_TYPE_EMPTY","krb5_unparse_name -  Convert a krb5_principal structure to a string representation.","KRB5_PADATA_ETYPE_INFO2","krb5_c_crypto_length -  Return a length of a message field specific to the encryption type.","KRB5_PADATA_REFERRAL","KRB5_LRQ_ONE_LAST_TGT","KRB5_AUTHDATA_OSF_DCE","krb5_free_addresses -  Free the data stored in array of addresses.","krb5_get_init_creds_opt_set_in_ccache -  Set an input credential cache in initial credential options.","krb5_free_unparsed_name -  Free a string representation of a principal.","KRB5_LRQ_NONE","KRB5_RESPONDER_QUESTION_PASSWORD","ENCTYPE_SHA1_RSA_CMS","KRB5_GC_FORWARDABLE","klist","KDC cookie format","KRB5_PADATA_SAM_CHALLENGE","krb5_mk_error -  Format and encode a KRB_ERROR message.","kproplog","KRB5_TGS_NAME","krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.","krb5_rd_rep -  Parse and decrypt a KRB_AP_REP message.","THREEPARAMOPEN","KRB5_INT32_MAX","krb5_verify_init_creds_opt_set_ap_req_nofail -  Set whether credential verification is required.","KRB5_PADATA_FOR_USER","krb5_princ_set_realm_length","krb5_get_init_creds_opt_set_fast_ccache -  Set FAST armor cache in initial credential options.","MIT Kerberos features","krb5_build_principal_va","CKSUMTYPE_HMAC_SHA1_96_AES128","Kerberos V5 concepts","krb5_c_random_make_octets -  Generate pseudo-random bytes.","AD_TYPE_EXTERNAL","krb5_keytab","krb5_response","krb5_c_is_coll_proof_cksum -  Test whether a checksum type is collision-proof.","ENCTYPE_NULL","krb5_get_server_rcache -  Generate a replay cache object for server use and open it.","KRB5_TC_MATCH_KTYPE","KRB5_GC_USER_USER","KRB5_KEYUSAGE_AP_REP_ENCPART","krb5_string_to_cksumtype -  Convert a string to a checksum type.","krb5_get_prompt_types -  Get prompt types array from a context.","KRB5_PADATA_ENC_SANDIA_SECURID","KRB5_PRINCIPAL_COMPARE_UTF8","KRB5_PADATA_AFS3_SALT","krb5_pac_add_buffer -  Add a buffer to a PAC handle.","krb5_data","krb5_enctype_to_string -  Convert an encryption type to a string.","krb5_x","KRB5_KPASSWD_SUCCESS","krb5_k_make_checksum_iov -  Fill in a checksum element in IOV array (operates on opaque key)","KRB5_PADATA_SAM_REDIRECT","KRB5_PADATA_SAM_RESPONSE","krb5_c_string_to_key_with_params -  Convert a string (such as a password) to a key with additional parameters.","krb5_c_keylengths -  Return length of the specified key in bytes.","TKT_FLG_FORWARDED","krb5_get_init_creds_password -  Get initial credentials using a password.","KRB5_GET_INIT_CREDS_OPT_SALT","Local authorization interface (localauth)","krb5_string_to_key","krb5_cc_next_cred -  Retrieve the next entry from the credential cache.","krb5_cc_move -  Move a credential cache.","SALT_TYPE_NO_LENGTH","stash file","Credential cache","krb5_tkt_creds_step -  Get the next KDC request in a TGS exchange.","KRB5_LRQ_ONE_ACCT_EXPTIME","KRB5_AUTHDATA_AND_OR","AD_TYPE_FIELD_TYPE_MASK","KRB5_GET_INIT_CREDS_OPT_PROXIABLE","krb5_cc_resolve -  Resolve a credential cache name.","krb5_kt_end_seq_get -  Release a keytab cursor.","ENCTYPE_UNKNOWN","krb5_set_kdc_send_hook -  Set a KDC pre-send hook function.","krb5_free_context -  Free a krb5 library context.","krb5_auth_con_setports -  Set local and remote port fields in an auth context.","KRB5_PADATA_FX_FAST","krb5_copy_creds -  Copy a krb5_creds structure.","krb5_merge_authdata -  Merge two authorization data lists into a new list.","krb5_cc_dup -  Duplicate ccache handle.","krb5_context","krb5_k_verify_checksum -  Verify a checksum (operates on opaque key).","krb5_parse_name_flags -  Convert a string principal name to a krb5_principal with flags.","KRB5_AS_REQ","KRB5_AS_REP","KDC policy interface (kdcpolicy)","krb5_pa_data","krb5_ap_rep","KRB5_PADATA_PK_AS_REQ","KRB5_AUTHDATA_SESAME","krb5_c_random_os_entropy -  Collect entropy from the OS if possible.","kinit","krb5_init_secure_context -  Create a krb5 library context using only configuration files.","krb5_sendauth -  Client function for sendauth protocol.","KRB5_NT_PRINCIPAL","krb5_get_init_creds_opt_set_preauth_list -  Set preauthentication types in initial credential options.","KRB5_CRYPTO_TYPE_HEADER","kvno","krb5_typed_data","krb5_k_prf -  Generate enctype-specific pseudo-random bytes (operates on opaque key).","krb5_responder_pkinit_get_challenge -  Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.","krb5_init_creds_context","krb5_c_padding_length -  Return a number of padding octets.","KRB5_CRYPTO_TYPE_DATA","krb5_auth_con_getrecvsubkey -  Retrieve the receiving subkey from an auth context as a keyblock.","KRB5_KEYUSAGE_APP_DATA_ENCRYPT","CKSUMTYPE_NIST_SHA","krb5_get_fallback_host_realm","krb5_get_in_tkt_with_keytab","krb5_copy_checksum -  Copy a krb5_checksum structure.","KRB5_KEYUSAGE_KRB_PRIV_ENCPART","krb5_ticket_times","KRB5_RESPONDER_OTP_FORMAT_DECIMAL","Host configuration","krb5_const","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","KRB5_PAC_CLIENT_INFO","krb5_free_creds -  Free a krb5_creds structure.","KRB5_AUTH_CONTEXT_RET_TIME","KRB5_LRQ_ONE_LAST_TGT_ISSUED","krb5_c_decrypt -  Decrypt data using a key (operates on keyblock).","KRB5_SAM_USE_SAD_AS_KEY","krb5_cc_new_unique -  Create a new credential cache of the specified type with a unique name.","krb5_parse_name -  Convert a string principal name to a krb5_principal structure.","ENCTYPE_DES3_CBC_RAW","krb5_c_checksum_length -  Return the length of checksums for a checksum type.","KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","krb5_deltat","ENCTYPE_DES3_CBC_SHA1","KRB5_REFERRAL_REALM","KRB5_PROMPT_TYPE_NEW_PASSWORD","KRB5_KEYUSAGE_KRB_SAFE_CKSUM","krb5_cc_gen_new","KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","KRB5_TC_MATCH_FLAGS_EXACT","krb5_cccol_cursor_new -  Prepare to iterate over the collection of known credential caches.","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","krb5_cc_retrieve_cred -  Retrieve a specified credentials from a credential cache.","Host-to-realm interface (hostrealm)","krb5_pac_free -  Free a PAC handle.","kadmind","krb5_salttype_to_string -  Convert a salt type to a string.","KRB5_NT_MS_PRINCIPAL_AND_ID","KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","krb5_auth_con_setaddrs -  Set the local and remote addresses in an auth context.","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","krb5_recvauth -  Server function for sendauth protocol.","KRB5_RECVAUTH_SKIP_VERSION","krb5_get_credentials_validate","Credential cache selection interface (ccselect)","krb5_auth_con_setrecvsubkey_k -  Set the receiving subkey in an auth context.","KDC_OPT_DISABLE_TRANSITED_CHECK","krb5_sname_to_principal -  Generate a full principal name from a service name.","krb5_princ_size","krb5_get_renewed_creds -  Get renewed credential from KDC using an existing credential.","KRB5_KEYUSAGE_KRB_ERROR_CKSUM","MSEC_VAL_MASK","krb5_get_init_creds_opt_set_proxiable -  Set or unset the proxiable flag in initial credential options.","KRB5_LRQ_ALL_LAST_TGT_ISSUED","krb5_cc_get_name -  Retrieve the name, but not type of a credential cache.","KRB5_PRIV","KRB5_PADATA_TGS_REQ","krb5_kt_get_entry -  Get an entry from a key table.","krb5_string_to_deltat -  Convert a string to a delta time value.","Various links","Year 2038 considerations for uses of krb5_timestamp","KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","krb5_cc_unlock -  Unlock a credential cache.","krb5_cryptotype","krb5_pac_init -  Create an empty Privilege Attribute Certificate (PAC) handle.","krb5_process_key","KDC_OPT_FORWARDABLE","krb5_checksum_size","krb5_free_principal -  Free the storage assigned to a principal.","krb5_copy_addresses -  Copy an array of addresses.","k5srvutil","krb5_get_init_creds_opt_set_anonymous -  Set or unset the anonymous flag in initial credential options.","krb5_copy_principal -  Copy a principal.","krb5_authenticator","ENCTYPE_AES128_CTS_HMAC_SHA1_96","KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","krb5_kt_read_service_key -  Retrieve a service key from a key table.","Principal manipulation and parsing","krb5_mk_ncred -  Format a KRB-CRED message for an array of credentials.","KRB5_LRQ_ONE_LAST_RENEWAL","krb5_copy_keyblock_contents -  Copy the contents of a keyblock.","krb5_tkt_creds_get -  Synchronously obtain credentials using a TGS request context.","krb5_auth_con_getsendsubkey -  Retrieve the send subkey from an auth context as a keyblock.","krb5_init_context_profile -  Create a krb5 library context using a specified profile.","krb5_cc_close -  Close a credential cache handle.","krb5_tkt_creds_init -  Create a context to get credentials from a KDC&#8217;s Ticket Granting Service.","krb5_timeofday -  Retrieve the current time with context specific time offset adjustment.","krb5_xc","KRB5_CRED","krb5_get_init_creds_opt_set_change_password_prompt -  Set or unset change-password-prompt flag in initial credential options.","krb5_k_make_checksum -  Compute a checksum (operates on opaque key).","krb5_auth_con_init -  Create and initialize an authentication context.","osconf.hin","KRB5_KEYUSAGE_FAST_REP","User config files","ADDRTYPE_IPPORT","KRB5_KEYUSAGE_PA_OTP_REQUEST","KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","krb5_prompter_fct","krb5_init_creds_get -  Acquire credentials using an initial credentials context.","KRB5_LRQ_ALL_ACCT_EXPTIME","krb5_encrypt_block","krb5_cksumtype_to_string -  Convert a checksum type to a string.","TKT_FLG_PROXIABLE","KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","krb5_k_decrypt_iov -  Decrypt data in place supporting AEAD (operates on opaque key).","KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","krb5_init_creds_get_times -  Retrieve ticket times from an initial credentials context.","For users","KRB5_TC_MATCH_TIMES_EXACT","GSSAPI mechanism interface","krb5_pac_sign -  Sign a PAC.","CKSUMTYPE_RSA_MD4_DES","krb5_pa_pac_req","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","KRB5_PADATA_ENC_TIMESTAMP","KRB5_SAM_SEND_ENCRYPTED_SAD","krb5_responder_pkinit_identity","KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","krb5_error_code","krb5_auth_con_setsendsubkey_k -  Set the send subkey in an auth context.","ENCTYPE_RSA_ES_OAEP_ENV","Contributing to the MIT Kerberos Documentation","KRB5_PADATA_AS_CHECKSUM","ADDRTYPE_ADDRPORT","KRB5_TC_NOTICKET","AD_TYPE_RESERVED","krb5_string_to_timestamp -  Convert a string to a timestamp.","KRB5_KEYUSAGE_TGS_REQ_AUTH",".k5identity","krb5_auth_con_set_checksum_func -  Set a checksum callback in an auth context.","KRB5_LRQ_ALL_PW_EXPTIME","ADDRTYPE_CHAOS","krb5_get_init_creds_opt_set_responder -  Set the responder function in initial credential options.","KRB5_AUTH_CONTEXT_DO_SEQUENCE","krb5_is_referral_realm -  Check for a match with KRB5_REFERRAL_REALM.","krb5_kt_cursor","krb5_c_decrypt_iov -  Decrypt data in place supporting AEAD (operates on keyblock).","Installing and configuring UNIX client machines","krb5_creds","Application servers","KRB5_LRQ_ALL_LAST_INITIAL","krb5_get_init_creds_opt_set_salt -  Set salt for optimistic preauthentication in initial credential options.","KRB5_TGS_NAME_SIZE","krb5_get_init_creds_opt_set_renew_life -  Set the ticket renewal lifetime in initial credential options.","krb5_princ_realm","AP_OPTS_ETYPE_NEGOTIATION","krb5_free_cred_contents -  Free the contents of a krb5_creds structure.","KRB5_TC_SUPPORTED_KTYPES","krb5_kt_next_entry -  Retrieve the next entry from the key table.","ENCTYPE_DES_CBC_RAW","KRB5_PADATA_S4U_X509_USER","KRB5_INT16_MAX","krb5_rcache","KDC_OPT_POSTDATED","krb5_ui_4","krb5_ui_2","krb5_vprepend_error_message -  Add a prefix to the message for an error code using a va_list.","krb5.conf","KRB5_NT_UNKNOWN","sserver","Configuration interface (profile)","KRB5_NT_SMTP_NAME","krb5_get_init_creds_opt_get_fast_flags -  Retrieve FAST flags from initial credential options.","krb5_cc_set_default_name -  Set the default credential cache name.","krb5_eblock_enctype","krb5_k_encrypt_iov -  Encrypt data in place supporting AEAD (operates on opaque key).","krb5_rd_safe -  Process KRB-SAFE message.","AP_OPTS_MUTUAL_REQUIRED","krb5_cc_initialize -  Initialize a credential cache.","KDC_TKT_COMMON_MASK","krb5_c_prf_length -  Get the output length of pseudo-random functions for an encryption type.","krb5_enc_tkt_part","krb5_get_init_creds_opt_set_fast_ccache_name -  Set location of FAST armor ccache in initial credential options.","KRB5_DOMAIN_X500_COMPRESS","krb5_get_init_creds_opt","KRB5_AUTH_CONTEXT_USE_SUBKEY","krb5_responder_otp_set_answer -  Answer the KRB5_RESPONDER_QUESTION_OTP question.","krb5_mk_safe -  Format a KRB-SAFE message.","KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","krb5_kt_get_type -  Return the type of a key table.","Organization of the source directory","krb5_tkt_authent","KRB5_PRINCIPAL_PARSE_IGNORE_REALM","KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","krb5_c_encrypt -  Encrypt data using a key (operates on keyblock).","krb5_get_init_creds_keytab -  Get initial credentials using a key table.","krb5_free_data_contents -  Free the contents of a krb5_data structure and zero the data field.","krb5_kvno","KDC_OPT_PROXY","krb5_k_free_key -  Decrement the reference count on a key and free it if it hits zero.","KRB5_NT_ENT_PRINCIPAL_AND_ID","krb5_keytab_entry","krb5_prompter_posix -  Prompt user for password.","KRB5_PADATA_PK_AS_REQ_OLD","KDC preauthentication interface (kdcpreauth)","KRB5_NT_MS_PRINCIPAL","krb5_us_timeofday -  Retrieve the system time of day, in sec and ms, since the epoch.","krb5_set_trace_filename -  Specify a file name for directing trace events.","KRB5_KEYUSAGE_KRB_CRED_ENCPART","LDAP backend on Ubuntu 10.4 (lucid)","krb5_finish_random_key","krb5_post_recv_fn","KRB5_AUTH_CONTEXT_PERMIT_ALL","krb5_cc_destroy -  Destroy a credential cache.","krb5_tkt_creds_get_creds -  Retrieve acquired credentials from a TGS request context.","KDC_OPT_RENEWABLE_OK","krb5_init_context -  Create a krb5 library context.","krb5_kuserok -  Determine if a principal is authorized to log in as a local user.","KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","krb5_addrtype","TKT_FLG_HW_AUTH","KRB5_RECVAUTH_BADAUTHVERS","krb5_k_key_enctype -  Retrieve the enctype of a krb5_key structure.","krb5_auth_con_initivector -  Cause an auth context to use cipher state.","KRB5_TC_MATCH_SRV_NAMEONLY","krb5_c_valid_enctype -  Verify that a specified encryption type is a valid Kerberos encryption type.","krb5_auth_con_getauthenticator -  Retrieve the authenticator from an auth context.","CKSUMTYPE_HMAC_SHA256_128_AES128","krb5_timestamp_to_sfstring -  Convert a timestamp to a string, with optional output padding.","krb5_os_localaddr -  Return all interface addresses for this host.","krb5_c_prf -  Generate enctype-specific pseudo-random bytes.","krb5_build_principal_alloc_va -  Build a principal name, using a precomputed variable argument list.","krb5_gic_opt_pa_data","krb5_timestamp_to_string -  Convert a timestamp to a string.","KRB5_KEYUSAGE_CAMMAC","krb5_set_principal_realm -  Set the realm field of a principal.","krb5_free_ap_rep_enc_part -  Free a krb5_ap_rep_enc_part structure.","KRB5_ANONYMOUS_REALMSTR","KRB5_PAC_SERVER_CHECKSUM","Internal pluggable interfaces","KRB5_PROMPT_TYPE_PASSWORD","krb5_copy_authdata -  Copy an authorization data list.","LR_TYPE_INTERPRETATION_MASK","passwd_phrase_element","krb5_set_password_using_ccache -  Set a password for a principal using cached credentials.","KRB5_PAC_UPN_DNS_INFO","MSEC_DIRBIT","KRB5_KEYUSAGE_KDC_REP_TICKET","ENCTYPE_AES256_CTS_HMAC_SHA384_192","Installing KDCs","krb5_use_enctype","krb5_responder_otp_tokeninfo","krb5_prompt_type","ENCTYPE_RC2_CBC_ENV","krb5_principal","krb5_pac_parse -  Unparse an encoded PAC into a new handle.","KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","krb5_rd_error -  Decode a KRB-ERROR message.","krb5_ap_rep_enc_part","KRB5_SAM_MUST_PK_ENCRYPT_SAD","krb5_princ_name","krb5_get_init_creds_opt_set_expire_callback -  Set an expiration callback in initial credential options.","KRB5_AUTHDATA_AUTH_INDICATOR","krb5_timestamp","krb5_random_key","krb5_init_creds_free -  Free an initial credentials context.","krb5_is_thread_safe -  Test whether the Kerberos library was built with multithread support.","ENCTYPE_DES_CBC_CRC","krb5_read_password -  Read a password from keyboard input.","krb5_auth_con_getkey_k -  Retrieve the session key from an auth context.","krb5_cc_set_flags -  Set options flags on a credential cache.","krb5_rd_rep_dce -  Parse and decrypt a KRB_AP_REP message for DCE RPC.","kswitch","krb5_responder_fn","krb5_allow_weak_crypto -  Allow the appplication to override the profile&#8217;s allow_weak_crypto setting.","krb5_auth_con_getsendsubkey_k -  Retrieve the send subkey from an auth context.","krb5_c_random_seed","krb5_octet","krb5_crypto_iov","PKINIT certificate authorization interface (certauth)"],objects:{"":{krb5_c_string_to_key:[70,0,1,"c.krb5_c_string_to_key"],KRB5_LRQ_ALL_LAST_TGT_ISSUED:[711,3,1,""],krb5_get_in_tkt_with_password:[225,0,1,"c.krb5_get_in_tkt_with_password"],KRB5_TGS_NAME:[570,3,1,""],KRB5_INT32_MIN:[135,3,1,""],KRB5_KEYUSAGE_AD_SIGNEDPATH:[420,3,1,""],krb5_get_in_tkt_with_keytab:[661,0,1,"c.krb5_get_in_tkt_with_keytab"],krb5_pac_parse:[905,0,1,"c.krb5_pac_parse"],krb5_copy_authdata:[891,0,1,"c.krb5_copy_authdata"],krb5_address_compare:[396,0,1,"c.krb5_address_compare"],krb5_copy_context:[142,0,1,"c.krb5_copy_context"],krb5_cc_get_config:[527,0,1,"c.krb5_cc_get_config"],KRB5_AUTHDATA_KDC_ISSUED:[41,3,1,""],krb5_sname_match:[18,0,1,"c.krb5_sname_match"],KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:[345,3,1,""],ENCTYPE_DES_HMAC_SHA1:[85,3,1,""],krb5_transited:[498,2,1,"c.krb5_transited"],krb5_kt_remove_entry:[159,0,1,"c.krb5_kt_remove_entry"],krb5_server_decrypt_ticket_keytab:[391,0,1,"c.krb5_server_decrypt_ticket_keytab"],krb5_free_ticket:[145,0,1,"c.krb5_free_ticket"],krb5_kt_close:[207,0,1,"c.krb5_kt_close"],krb5_get_init_creds_opt_set_pa:[82,0,1,"c.krb5_get_init_creds_opt_set_pa"],MSEC_VAL_MASK:[709,3,1,""],ENCTYPE_DES3_CBC_SHA1:[681,3,1,""],KRB5_KPASSWD_ACCESSDENIED:[282,3,1,""],krb5_build_principal_ext:[455,0,1,"c.krb5_build_principal_ext"],TKT_FLG_FORWARDED:[608,3,1,""],krb5_c_free_state:[301,0,1,"c.krb5_c_free_state"],krb5_free_cksumtypes:[437,0,1,"c.krb5_free_cksumtypes"],KRB5_PADATA_SAM_REDIRECT:[604,3,1,""],CKSUMTYPE_HMAC_SHA1_96_AES256:[97,3,1,""],KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:[776,3,1,""],krb5_build_principal_va:[580,0,1,"c.krb5_build_principal_va"],krb5_prompter_fct:[756,2,1,"c.krb5_prompter_fct"],krb5_k_key_enctype:[872,0,1,"c.krb5_k_key_enctype"],KRB5_PADATA_PK_AS_REQ_OLD:[853,3,1,""],krb5_eblock_enctype:[823,0,1,"c.krb5_eblock_enctype"],krb5_get_init_creds_opt_set_fast_ccache_name:[831,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name"],krb5_responder_pkinit_get_challenge:[653,0,1,"c.krb5_responder_pkinit_get_challenge"],KRB5_PAC_SERVER_CHECKSUM:[888,3,1,""],KRB5_CRYPTO_TYPE_DATA:[656,3,1,""],krb5_keyblock:[528,2,1,"c.krb5_keyblock"],KRB5_PAC_UPN_DNS_INFO:[895,3,1,""],krb5_princ_realm:[803,3,1,""],krb5_principal_data:[427,2,1,"c.krb5_principal_data"],krb5_c_derive_prfplus:[351,0,1,"c.krb5_c_derive_prfplus"],ENCTYPE_UNKNOWN:[625,3,1,""],krb5_tkt_creds_get_creds:[864,0,1,"c.krb5_tkt_creds_get_creds"],krb5_cc_store_cred:[465,0,1,"c.krb5_cc_store_cred"],krb5_rd_priv:[216,0,1,"c.krb5_rd_priv"],KRB5_KEYUSAGE_PA_FX_COOKIE:[477,3,1,""],krb5_cc_move:[614,0,1,"c.krb5_cc_move"],krb5_verify_authdata_kdc_issued:[375,0,1,"c.krb5_verify_authdata_kdc_issued"],krb5_aname_to_localname:[130,0,1,"c.krb5_aname_to_localname"],KRB5_AP_REQ:[57,3,1,""],KRB5_AP_REP:[392,3,1,""],krb5_enc_data:[372,2,1,"c.krb5_enc_data"],krb5_address_search:[401,0,1,"c.krb5_address_search"],krb5_free_authenticator:[179,0,1,"c.krb5_free_authenticator"],krb5_get_permitted_enctypes:[106,0,1,"c.krb5_get_permitted_enctypes"],krb5_c_random_make_octets:[583,0,1,"c.krb5_c_random_make_octets"],KRB5_KEYUSAGE_GSS_TOK_MIC:[187,3,1,""],krb5_cc_dup:[632,0,1,"c.krb5_cc_dup"],KRB5_PRIV:[713,3,1,""],KRB5_PADATA_OTP_CHALLENGE:[272,3,1,""],TKT_FLG_PROXIABLE:[761,3,1,""],krb5_auth_con_setrecvsubkey_k:[703,0,1,"c.krb5_auth_con_setrecvsubkey_k"],krb5_cccol_cursor_new:[688,0,1,"c.krb5_cccol_cursor_new"],krb5_auth_con_getrecvsubkey_k:[408,0,1,"c.krb5_auth_con_getrecvsubkey_k"],krb5_verify_init_creds_opt:[6,2,1,"c.krb5_verify_init_creds_opt"],KRB5_PADATA_AP_REQ:[114,3,1,""],KRB5_KEYUSAGE_AS_REQ:[197,3,1,""],krb5_cc_gen_new:[685,0,1,"c.krb5_cc_gen_new"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:[733,3,1,""],krb5_auth_con_getrcache:[460,0,1,"c.krb5_auth_con_getrcache"],KRB5_PADATA_PK_AS_REP:[53,3,1,""],KRB5_PADATA_PK_AS_REQ:[641,3,1,""],AD_TYPE_EXTERNAL:[584,3,1,""],krb5_cc_unlock:[720,0,1,"c.krb5_cc_unlock"],krb5_cred_enc_part:[190,2,1,"c.krb5_cred_enc_part"],passwd_phrase_element:[893,2,1,"c.passwd_phrase_element"],KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:[263,3,1,""],krb5_flags:[483,2,1,"c.krb5_flags"],krb5_cc_select:[395,0,1,"c.krb5_cc_select"],krb5_mk_req_extended:[1,0,1,"c.krb5_mk_req_extended"],krb5_kt_free_entry:[330,0,1,"c.krb5_kt_free_entry"],KRB5_AUTHDATA_IF_RELEVANT:[473,3,1,""],krb5_finish_key:[421,0,1,"c.krb5_finish_key"],krb5_creds:[797,2,1,"c.krb5_creds"],krb5_boolean:[456,2,1,"c.krb5_boolean"],krb5_responder_pkinit_identity:[775,2,1,"c.krb5_responder_pkinit_identity"],krb524_convert_creds_kdc:[91,3,1,""],KRB5_NT_SRV_HST:[261,3,1,""],krb5_get_init_creds_opt_free:[409,0,1,"c.krb5_get_init_creds_opt_free"],KRB5_AUTHDATA_AND_OR:[620,3,1,""],KRB5_CRYPTO_TYPE_HEADER:[649,3,1,""],KRB5_PRINCIPAL_UNPARSE_DISPLAY:[117,3,1,""],KRB5_NT_WELLKNOWN:[312,3,1,""],krb5_get_init_creds_opt_set_proxiable:[710,0,1,"c.krb5_get_init_creds_opt_set_proxiable"],krb5_ui_4:[813,2,1,"c.krb5_ui_4"],KRB5_NT_ENTERPRISE_PRINCIPAL:[339,3,1,""],krb5_cc_get_flags:[449,0,1,"c.krb5_cc_get_flags"],KRB5_KPASSWD_MALFORMED:[58,3,1,""],KRB5_AS_REP:[637,3,1,""],KRB5_AS_REQ:[636,3,1,""],krb5_init_random_key:[529,0,1,"c.krb5_init_random_key"],KRB5_CRYPTO_TYPE_PADDING:[404,3,1,""],krb5_k_create_key:[252,0,1,"c.krb5_k_create_key"],ENCTYPE_RC2_CBC_ENV:[903,3,1,""],krb5_rd_rep_dce:[921,0,1,"c.krb5_rd_rep_dce"],KRB5_PADATA_ETYPE_INFO2:[553,3,1,""],krb5_set_trace_callback:[374,0,1,"c.krb5_set_trace_callback"],krb5_key:[79,2,1,"c.krb5_key"],krb5_pwd_data:[445,2,1,"c.krb5_pwd_data"],KRB5_PAC_CREDENTIALS_INFO:[499,3,1,""],KRB5_PADATA_OTP_REQUEST:[531,3,1,""],krb5_cc_start_seq_get:[134,0,1,"c.krb5_cc_start_seq_get"],krb5_copy_error_message:[510,0,1,"c.krb5_copy_error_message"],KRB5_TGS_NAME_SIZE:[801,3,1,""],krb5_expire_callback_func:[279,2,1,"c.krb5_expire_callback_func"],krb5_realm_compare:[131,0,1,"c.krb5_realm_compare"],KDC_OPT_CANONICALIZE:[298,3,1,""],krb5_c_fx_cf2_simple:[73,0,1,"c.krb5_c_fx_cf2_simple"],krb5_cc_close:[742,0,1,"c.krb5_cc_close"],krb5_tkt_creds_get:[739,0,1,"c.krb5_tkt_creds_get"],CKSUMTYPE_HMAC_SHA1_DES3:[200,3,1,""],krb5_auth_con_setaddrs:[697,0,1,"c.krb5_auth_con_setaddrs"],krb5_get_init_creds_opt_set_address_list:[373,0,1,"c.krb5_get_init_creds_opt_set_address_list"],krb5_k_verify_checksum:[634,0,1,"c.krb5_k_verify_checksum"],krb5_init_creds_get:[757,0,1,"c.krb5_init_creds_get"],krb5_ap_req:[260,2,1,"c.krb5_ap_req"],krb5_ap_rep:[640,2,1,"c.krb5_ap_rep"],KDC_OPT_POSTDATED:[812,3,1,""],CKSUMTYPE_RSA_MD5_DES:[306,3,1,""],MSEC_DIRBIT:[896,3,1,""],krb5_get_init_creds_opt_set_out_ccache:[535,0,1,"c.krb5_get_init_creds_opt_set_out_ccache"],CKSUMTYPE_HMAC_SHA384_192_AES256:[50,3,1,""],krb5_kuserok:[867,0,1,"c.krb5_kuserok"],KRB5_TC_MATCH_KTYPE:[590,3,1,""],TKT_FLG_MAY_POSTDATE:[210,3,1,""],krb5_auth_context:[515,2,1,"c.krb5_auth_context"],AP_OPTS_USE_SESSION_KEY:[544,3,1,""],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:[233,3,1,""],krb5_c_make_checksum_iov:[311,0,1,"c.krb5_c_make_checksum_iov"],krb5_verify_init_creds_opt_init:[205,0,1,"c.krb5_verify_init_creds_opt_init"],krb5_calculate_checksum:[403,0,1,"c.krb5_calculate_checksum"],KRB5_WELLKNOWN_NAMESTR:[87,3,1,""],THREEPARAMOPEN:[573,3,1,""],KRB5_RESPONDER_QUESTION_PKINIT:[119,3,1,""],krb5_kt_get_name:[376,0,1,"c.krb5_kt_get_name"],MAX_KEYTAB_NAME_LEN:[110,3,1,""],KDC_OPT_PROXY:[848,3,1,""],KRB5_KEYUSAGE_KRB_ERROR_CKSUM:[708,3,1,""],KRB5_TC_MATCH_TIMES:[377,3,1,""],krb5_kt_client_default:[201,0,1,"c.krb5_kt_client_default"],krb5_principal:[904,2,1,"c.krb5_principal"],KRB5_NT_SRV_XHST:[193,3,1,""],krb5_encode_authdata_container:[275,0,1,"c.krb5_encode_authdata_container"],KRB5_TC_MATCH_AUTHDATA:[13,3,1,""],krb5_cred:[337,2,1,"c.krb5_cred"],krb5_authenticator:[731,2,1,"c.krb5_authenticator"],krb5_k_key_keyblock:[361,0,1,"c.krb5_k_key_keyblock"],krb5_pa_server_referral_data:[221,2,1,"c.krb5_pa_server_referral_data"],KRB5_CRYPTO_TYPE_SIGN_ONLY:[476,3,1,""],krb5_cc_last_change_time:[238,0,1,"c.krb5_cc_last_change_time"],KRB5_PRINCIPAL_PARSE_IGNORE_REALM:[842,3,1,""],krb5_init_creds_get_times:[765,0,1,"c.krb5_init_creds_get_times"],KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:[253,3,1,""],krb5_cccol_unlock:[342,0,1,"c.krb5_cccol_unlock"],KRB5_AUTHDATA_SIGNTICKET:[286,3,1,""],krb5_c_init_state:[198,0,1,"c.krb5_c_init_state"],krb5_auth_con_get_checksum_func:[152,0,1,"c.krb5_auth_con_get_checksum_func"],krb5_free_principal:[726,0,1,"c.krb5_free_principal"],KRB5_GC_CANONICALIZE:[536,3,1,""],krb5_responder_otp_set_answer:[835,0,1,"c.krb5_responder_otp_set_answer"],krb5_const:[667,3,1,""],ADDRTYPE_IPPORT:[753,3,1,""],krb5_vwrap_error_message:[141,0,1,"c.krb5_vwrap_error_message"],KRB5_PADATA_ENC_TIMESTAMP:[773,3,1,""],ADDRTYPE_IS_LOCAL:[433,3,1,""],TKT_FLG_HW_AUTH:[870,3,1,""],ENCTYPE_NULL:[588,3,1,""],krb5_verify_init_creds:[521,0,1,"c.krb5_verify_init_creds"],krb5_set_real_time:[463,0,1,"c.krb5_set_real_time"],krb5_find_authdata:[438,0,1,"c.krb5_find_authdata"],krb5_init_creds_context:[654,2,1,"c.krb5_init_creds_context"],krb5_us_timeofday:[856,0,1,"c.krb5_us_timeofday"],krb5_c_keylengths:[607,0,1,"c.krb5_c_keylengths"],krb5_unparse_name_ext:[481,0,1,"c.krb5_unparse_name_ext"],KRB5_PADATA_FX_FAST:[629,3,1,""],KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:[719,3,1,""],krb5_error_code:[777,2,1,"c.krb5_error_code"],krb5_free_enctypes:[22,0,1,"c.krb5_free_enctypes"],krb5_k_encrypt_iov:[824,0,1,"c.krb5_k_encrypt_iov"],krb5_auth_con_setrcache:[546,0,1,"c.krb5_auth_con_setrcache"],krb5_fwd_tgt_creds:[319,0,1,"c.krb5_fwd_tgt_creds"],krb5_prompt:[140,2,1,"c.krb5_prompt"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:[467,3,1,""],krb5_copy_addresses:[727,0,1,"c.krb5_copy_addresses"],krb5_get_init_creds_opt_init:[143,0,1,"c.krb5_get_init_creds_opt_init"],krb5_get_renewed_creds:[707,0,1,"c.krb5_get_renewed_creds"],krb5_anonymous_principal:[228,0,1,"c.krb5_anonymous_principal"],krb5_c_make_random_key:[144,0,1,"c.krb5_c_make_random_key"],krb5_cc_initialize:[827,0,1,"c.krb5_cc_initialize"],KDC_TKT_COMMON_MASK:[828,3,1,""],krb5_c_valid_cksumtype:[512,0,1,"c.krb5_c_valid_cksumtype"],krb5_string_to_key:[612,0,1,"c.krb5_string_to_key"],krb5_get_in_tkt_with_skey:[380,0,1,"c.krb5_get_in_tkt_with_skey"],krb5_auth_con_setports:[628,0,1,"c.krb5_auth_con_setports"],krb5_timestamp:[913,2,1,"c.krb5_timestamp"],krb5_ticket_times:[664,2,1,"c.krb5_ticket_times"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:[175,3,1,""],krb5_auth_con_getrecvsubkey:[657,0,1,"c.krb5_auth_con_getrecvsubkey"],KDC_OPT_VALIDATE:[215,3,1,""],ENCTYPE_DES3_CBC_SHA:[245,3,1,""],KRB5_SAFE:[537,3,1,""],krb5_copy_creds:[630,0,1,"c.krb5_copy_creds"],krb5_k_make_checksum_iov:[603,0,1,"c.krb5_k_make_checksum_iov"],krb5_princ_name:[910,3,1,""],KRB5_AUTH_CONTEXT_DO_SEQUENCE:[792,3,1,""],TKT_FLG_POSTDATED:[412,3,1,""],AP_OPTS_ETYPE_NEGOTIATION:[804,3,1,""],KRB5_NT_SMTP_NAME:[820,3,1,""],krb5_princ_set_realm:[295,3,1,""],KRB5_GC_USER_USER:[591,3,1,""],krb5_pac_verify:[259,0,1,"c.krb5_pac_verify"],krb5_deltat:[680,2,1,"c.krb5_deltat"],krb5_rd_safe:[825,0,1,"c.krb5_rd_safe"],krb5_auth_con_getlocalsubkey:[211,0,1,"c.krb5_auth_con_getlocalsubkey"],krb5_enctype:[534,2,1,"c.krb5_enctype"],krb5_sendauth:[646,0,1,"c.krb5_sendauth"],krb5_auth_con_getsendsubkey_k:[925,0,1,"c.krb5_auth_con_getsendsubkey_k"],KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:[352,3,1,""],krb5_k_verify_checksum_iov:[387,0,1,"c.krb5_k_verify_checksum_iov"],krb5_get_host_realm:[293,0,1,"c.krb5_get_host_realm"],KRB5_CRYPTO_TYPE_TRAILER:[410,3,1,""],krb5_appdefault_boolean:[125,0,1,"c.krb5_appdefault_boolean"],krb5_set_kdc_send_hook:[626,0,1,"c.krb5_set_kdc_send_hook"],KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:[448,3,1,""],krb5_unparse_name:[552,0,1,"c.krb5_unparse_name"],krb5_timeofday:[744,0,1,"c.krb5_timeofday"],krb5_c_checksum_length:[678,0,1,"c.krb5_c_checksum_length"],krb5_c_make_checksum:[507,0,1,"c.krb5_c_make_checksum"],krb5_authdata:[362,2,1,"c.krb5_authdata"],KRB5_SAM_SEND_ENCRYPTED_SAD:[774,3,1,""],krb5_set_kdc_recv_hook:[168,0,1,"c.krb5_set_kdc_recv_hook"],krb5_cc_lock:[206,0,1,"c.krb5_cc_lock"],KRB5_GC_NO_STORE:[453,3,1,""],krb5_responder_otp_get_challenge:[47,0,1,"c.krb5_responder_otp_get_challenge"],krb5_responder_context:[530,2,1,"c.krb5_responder_context"],krb5_c_is_coll_proof_cksum:[587,0,1,"c.krb5_c_is_coll_proof_cksum"],KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:[762,3,1,""],KRB5_PADATA_ETYPE_INFO:[33,3,1,""],krb5_cc_get_principal:[493,0,1,"c.krb5_cc_get_principal"],KRB5_PADATA_TGS_REQ:[714,3,1,""],CKSUMTYPE_CMAC_CAMELLIA128:[518,3,1,""],krb5_rd_req:[571,0,1,"c.krb5_rd_req"],KRB5_CRED:[746,3,1,""],krb5_responder_otp_challenge:[516,2,1,"c.krb5_responder_otp_challenge"],krb5_unparse_name_flags:[491,0,1,"c.krb5_unparse_name_flags"],krb5_anonymous_realm:[49,0,1,"c.krb5_anonymous_realm"],krb5_auth_con_free:[167,0,1,"c.krb5_auth_con_free"],KRB5_KEYUSAGE_KRB_PRIV_ENCPART:[663,3,1,""],CKSUMTYPE_DESCBC:[416,3,1,""],KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:[764,3,1,""],krb5_timestamp_to_sfstring:[878,0,1,"c.krb5_timestamp_to_sfstring"],krb5_pointer:[60,2,1,"c.krb5_pointer"],VALID_INT_BITS:[382,3,1,""],KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:[837,3,1,""],krb5_init_creds_step:[186,0,1,"c.krb5_init_creds_step"],krb5_get_init_creds_opt_set_responder:[791,0,1,"c.krb5_get_init_creds_opt_set_responder"],KRB5_PROMPT_TYPE_NEW_PASSWORD:[683,3,1,""],krb5_pa_pac_req:[771,2,1,"c.krb5_pa_pac_req"],krb5_get_server_rcache:[589,0,1,"c.krb5_get_server_rcache"],krb5_responder_otp_tokeninfo:[901,2,1,"c.krb5_responder_otp_tokeninfo"],krb5_init_creds_get_error:[75,0,1,"c.krb5_init_creds_get_error"],KRB5_PADATA_SESAME:[304,3,1,""],KDC_OPT_ENC_TKT_IN_SKEY:[203,3,1,""],KRB5_CRYPTO_TYPE_STREAM:[480,3,1,""],ADDRTYPE_INET:[385,3,1,""],krb5_allow_weak_crypto:[924,0,1,"c.krb5_allow_weak_crypto"],KRB5_KEYUSAGE_FAST_ENC:[290,3,1,""],krb5_last_req_entry:[505,2,1,"c.krb5_last_req_entry"],KRB5_PAC_PRIVSVR_CHECKSUM:[355,3,1,""],krb5_free_host_realm:[278,0,1,"c.krb5_free_host_realm"],krb5_cccol_have_content:[164,0,1,"c.krb5_cccol_have_content"],krb5_auth_con_getauthenticator:[876,0,1,"c.krb5_auth_con_getauthenticator"],krb5_princ_set_realm_length:[577,3,1,""],KRB5_SAM_USE_SAD_AS_KEY:[674,3,1,""],krb5_post_recv_fn:[861,2,1,"c.krb5_post_recv_fn"],krb5_cc_default_name:[192,0,1,"c.krb5_cc_default_name"],KRB5_PVNO:[502,3,1,""],KRB5_PRINCIPAL_PARSE_NO_REALM:[217,3,1,""],krb5_get_fallback_host_realm:[660,0,1,"c.krb5_get_fallback_host_realm"],krb5_checksum_size:[725,0,1,"c.krb5_checksum_size"],ENCTYPE_DES3_CBC_RAW:[677,3,1,""],KRB5_AUTH_CONTEXT_RET_TIME:[671,3,1,""],LR_TYPE_THIS_SERVER_ONLY:[146,3,1,""],KRB5_NT_ENT_PRINCIPAL_AND_ID:[850,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:[0,3,1,""],krb5_auth_con_getlocalseqnumber:[86,0,1,"c.krb5_auth_con_getlocalseqnumber"],KRB5_RESPONDER_OTP_FORMAT_DECIMAL:[665,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:[307,3,1,""],krb5_get_init_creds_opt_set_preauth_list:[648,0,1,"c.krb5_get_init_creds_opt_set_preauth_list"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:[689,3,1,""],KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:[550,3,1,""],KRB5_ENCPADATA_REQ_ENC_PA_REP:[124,3,1,""],CKSUMTYPE_RSA_MD4_DES:[770,3,1,""],KRB5_TC_MATCH_FLAGS_EXACT:[687,3,1,""],krb5_random_key:[914,0,1,"c.krb5_random_key"],krb5_free_keytab_entry_contents:[277,0,1,"c.krb5_free_keytab_entry_contents"],ENCTYPE_AES256_CTS_HMAC_SHA1_96:[52,3,1,""],krb5_responder_fn:[923,2,1,"c.krb5_responder_fn"],krb5_mk_rep:[366,0,1,"c.krb5_mk_rep"],krb5_mk_req:[365,0,1,"c.krb5_mk_req"],KRB5_FAST_REQUIRED:[458,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:[668,3,1,""],krb5_clear_error_message:[9,0,1,"c.krb5_clear_error_message"],CKSUMTYPE_CMAC_CAMELLIA256:[181,3,1,""],krb5_mk_ncred:[736,0,1,"c.krb5_mk_ncred"],krb5_wrap_error_message:[38,0,1,"c.krb5_wrap_error_message"],ENCTYPE_DES_CBC_MD5:[358,3,1,""],ENCTYPE_DES_CBC_MD4:[357,3,1,""],krb5_get_init_creds_opt_set_pac_request:[37,0,1,"c.krb5_get_init_creds_opt_set_pac_request"],krb5_string_to_salttype:[434,0,1,"c.krb5_string_to_salttype"],krb5_address:[501,2,1,"c.krb5_address"],KRB5_PRINCIPAL_UNPARSE_SHORT:[129,3,1,""],krb5_kt_get_entry:[715,0,1,"c.krb5_kt_get_entry"],krb5_get_init_creds_opt_set_in_ccache:[559,0,1,"c.krb5_get_init_creds_opt_set_in_ccache"],krb5_auth_con_initivector:[873,0,1,"c.krb5_auth_con_initivector"],krb5_c_random_os_entropy:[643,0,1,"c.krb5_c_random_os_entropy"],ADDRTYPE_XNS:[271,3,1,""],KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:[843,3,1,""],krb5_prompter_posix:[852,0,1,"c.krb5_prompter_posix"],krb5_const_pointer:[482,2,1,"c.krb5_const_pointer"],AD_TYPE_REGISTERED:[398,3,1,""],krb5_keyusage:[318,2,1,"c.krb5_keyusage"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:[15,3,1,""],KRB5_PROMPT_TYPE_PASSWORD:[890,3,1,""],ENCTYPE_DES_CBC_CRC:[917,3,1,""],KRB5_PAC_DELEGATION_INFO:[162,3,1,""],KDC_OPT_PROXIABLE:[400,3,1,""],krb5_c_random_seed:[926,0,1,"c.krb5_c_random_seed"],KRB5_TC_SUPPORTED_KTYPES:[806,3,1,""],KRB5_NT_SRV_INST:[490,3,1,""],krb5_kt_have_content:[136,0,1,"c.krb5_kt_have_content"],KRB5_LRQ_NONE:[561,3,1,""],krb5_set_password:[402,0,1,"c.krb5_set_password"],KRB5_PADATA_ENC_UNIX_TIME:[497,3,1,""],krb5_tkt_creds_context:[173,2,1,"c.krb5_tkt_creds_context"],krb5_addrtype:[869,2,1,"c.krb5_addrtype"],krb5_init_creds_get_creds:[246,0,1,"c.krb5_init_creds_get_creds"],KRB5_AUTHDATA_AUTH_INDICATOR:[912,3,1,""],krb5_c_encrypt:[844,0,1,"c.krb5_c_encrypt"],krb5_use_enctype:[900,0,1,"c.krb5_use_enctype"],KRB5_PADATA_SVR_REFERRAL_INFO:[219,3,1,""],KRB5_KEYUSAGE_PA_PKINIT_KX:[315,3,1,""],krb5_get_init_creds_opt_set_fast_flags:[230,0,1,"c.krb5_get_init_creds_opt_set_fast_flags"],krb5_enctype_to_string:[600,0,1,"c.krb5_enctype_to_string"],krb5_get_validated_creds:[424,0,1,"c.krb5_get_validated_creds"],krb5_merge_authdata:[631,0,1,"c.krb5_merge_authdata"],krb5_checksum:[155,2,1,"c.krb5_checksum"],krb5_crypto_iov:[928,2,1,"c.krb5_crypto_iov"],krb5_encrypt_block:[759,2,1,"c.krb5_encrypt_block"],krb5_cc_destroy:[863,0,1,"c.krb5_cc_destroy"],KRB5_KEYUSAGE_AD_ITE:[462,3,1,""],KRB5_AUTH_CONTEXT_USE_SUBKEY:[834,3,1,""],krb5_init_creds_init:[359,0,1,"c.krb5_init_creds_init"],krb5_c_padding_length:[655,0,1,"c.krb5_c_padding_length"],TKT_FLG_ENC_PA_REP:[7,3,1,""],KDC_OPT_RENEWABLE:[514,3,1,""],KRB5_RESPONDER_QUESTION_PASSWORD:[562,3,1,""],krb5_responder_otp_challenge_free:[158,0,1,"c.krb5_responder_otp_challenge_free"],KRB5_PADATA_PAC_REQUEST:[24,3,1,""],TKT_FLG_PRE_AUTH:[314,3,1,""],krb5_cksumtype:[389,2,1,"c.krb5_cksumtype"],krb5_replay_data:[29,2,1,"c.krb5_replay_data"],krb5_responder_list_questions:[343,0,1,"c.krb5_responder_list_questions"],KDC_OPT_REQUEST_ANONYMOUS:[472,3,1,""],krb5_salttype_to_string:[694,0,1,"c.krb5_salttype_to_string"],KDC_OPT_DISABLE_TRANSITED_CHECK:[704,3,1,""],krb5_copy_keyblock_contents:[738,0,1,"c.krb5_copy_keyblock_contents"],ENCTYPE_SHA1_RSA_CMS:[563,3,1,""],CKSUMTYPE_NIST_SHA:[659,3,1,""],krb5_set_principal_realm:[885,0,1,"c.krb5_set_principal_realm"],KRB5_TC_MATCH_IS_SKEY:[174,3,1,""],krb5_init_keyblock:[317,0,1,"c.krb5_init_keyblock"],KRB5_KPASSWD_AUTHERROR:[285,3,1,""],ADDRTYPE_ADDRPORT:[782,3,1,""],CKSUMTYPE_HMAC_MD5_ARCFOUR:[65,3,1,""],KRB5_AUTHDATA_SESAME:[642,3,1,""],krb5_enctype_to_name:[172,0,1,"c.krb5_enctype_to_name"],krb5_encrypt_size:[533,0,1,"c.krb5_encrypt_size"],krb5_rcache:[811,2,1,"c.krb5_rcache"],KRB5_PRINCIPAL_COMPARE_UTF8:[596,3,1,""],krb5_tkt_creds_get_times:[122,0,1,"c.krb5_tkt_creds_get_times"],krb5_free_string:[265,0,1,"c.krb5_free_string"],krb5_free_keyblock_contents:[90,0,1,"c.krb5_free_keyblock_contents"],krb5_encrypt:[262,0,1,"c.krb5_encrypt"],krb5_cc_switch:[354,0,1,"c.krb5_cc_switch"],ADDRTYPE_NETBIOS:[407,3,1,""],krb5_auth_con_set_checksum_func:[788,0,1,"c.krb5_auth_con_set_checksum_func"],krb5_princ_type:[161,3,1,""],krb5_k_decrypt_iov:[763,0,1,"c.krb5_k_decrypt_iov"],krb5_auth_con_set_req_cksumtype:[273,0,1,"c.krb5_auth_con_set_req_cksumtype"],KRB5_PADATA_NONE:[289,3,1,""],krb5_roundup:[443,3,1,""],krb5_enc_kdc_rep_part:[325,2,1,"c.krb5_enc_kdc_rep_part"],ENCTYPE_AES256_CTS_HMAC_SHA384_192:[898,3,1,""],krb5_decode_ticket:[191,0,1,"c.krb5_decode_ticket"],krb5_trace_callback:[137,2,1,"c.krb5_trace_callback"],krb5_ap_rep_enc_part:[908,2,1,"c.krb5_ap_rep_enc_part"],krb5_pa_data:[639,2,1,"c.krb5_pa_data"],KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:[84,3,1,""],AP_OPTS_WIRE_MASK:[21,3,1,""],krb5_cc_copy_creds:[147,0,1,"c.krb5_cc_copy_creds"],KRB5_LRQ_ONE_LAST_RENEWAL:[737,3,1,""],KRB5_INT16_MIN:[202,3,1,""],krb5_get_profile:[335,0,1,"c.krb5_get_profile"],KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:[81,3,1,""],krb5_get_init_creds_opt:[833,2,1,"c.krb5_get_init_creds_opt"],krb5_cccol_cursor_next:[519,0,1,"c.krb5_cccol_cursor_next"],krb5_copy_checksum:[662,0,1,"c.krb5_copy_checksum"],krb5_get_init_creds_opt_alloc:[108,0,1,"c.krb5_get_init_creds_opt_alloc"],krb5_keytab:[585,2,1,"c.krb5_keytab"],krb5_init_creds_set_service:[423,0,1,"c.krb5_init_creds_set_service"],KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:[484,3,1,""],krb5_cccol_cursor_free:[344,0,1,"c.krb5_cccol_cursor_free"],krb5_c_crypto_length:[554,0,1,"c.krb5_c_crypto_length"],krb5_get_error_message:[51,0,1,"c.krb5_get_error_message"],krb5_cc_cursor:[503,2,1,"c.krb5_cc_cursor"],krb5_make_authdata_kdc_issued:[405,0,1,"c.krb5_make_authdata_kdc_issued"],ADDRTYPE_ISO:[107,3,1,""],krb5_c_is_keyed_cksum:[360,0,1,"c.krb5_c_is_keyed_cksum"],KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:[696,3,1,""],KDC_OPT_CNAME_IN_ADDL_TKT:[199,3,1,""],krb5_ccache:[341,2,1,"c.krb5_ccache"],krb5_change_password:[364,0,1,"c.krb5_change_password"],krb5_verify_init_creds_opt_set_ap_req_nofail:[575,0,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail"],krb5_x:[601,3,1,""],KRB5_PADATA_AFS3_SALT:[597,3,1,""],krb5_verify_checksum:[283,0,1,"c.krb5_verify_checksum"],KRB5_GC_CACHED:[444,3,1,""],krb5_keytab_entry:[851,2,1,"c.krb5_keytab_entry"],krb5_copy_data:[231,0,1,"c.krb5_copy_data"],krb5_kt_dup:[294,0,1,"c.krb5_kt_dup"],CKSUMTYPE_HMAC_SHA1_96_AES128:[581,3,1,""],krb5_free_addresses:[558,0,1,"c.krb5_free_addresses"],krb5_build_principal_alloc_va:[881,0,1,"c.krb5_build_principal_alloc_va"],KRB5_INT32_MAX:[574,3,1,""],KRB5_LRQ_ALL_LAST_INITIAL:[799,3,1,""],krb5_ticket:[310,2,1,"c.krb5_ticket"],KRB5_ANONYMOUS_REALMSTR:[887,3,1,""],krb5_init_creds_set_password:[419,0,1,"c.krb5_init_creds_set_password"],krb5_principal_compare_any_realm:[370,0,1,"c.krb5_principal_compare_any_realm"],KRB5_PADATA_SAM_RESPONSE:[605,3,1,""],krb5_free_authdata:[411,0,1,"c.krb5_free_authdata"],krb5_cccol_cursor:[222,2,1,"c.krb5_cccol_cursor"],KRB5_TC_MATCH_FLAGS:[178,3,1,""],krb5_k_make_checksum:[748,0,1,"c.krb5_k_make_checksum"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:[526,3,1,""],krb5_is_config_principal:[72,0,1,"c.krb5_is_config_principal"],krb5_prompt_type:[902,2,1,"c.krb5_prompt_type"],TKT_FLG_OK_AS_DELEGATE:[171,3,1,""],krb5_expand_hostname:[189,0,1,"c.krb5_expand_hostname"],krb5_process_key:[723,0,1,"c.krb5_process_key"],krb5_auth_con_setsendsubkey:[485,0,1,"c.krb5_auth_con_setsendsubkey"],KDC_OPT_ALLOW_POSTDATE:[466,3,1,""],krb5_mk_req_checksum_func:[378,2,1,"c.krb5_mk_req_checksum_func"],KRB5_KEYUSAGE_KDC_REP_TICKET:[897,3,1,""],KRB5_PADATA_FX_COOKIE:[220,3,1,""],krb5_set_trace_filename:[857,0,1,"c.krb5_set_trace_filename"],KRB5_DOMAIN_X500_COMPRESS:[832,3,1,""],krb5_sname_to_principal:[705,0,1,"c.krb5_sname_to_principal"],KRB5_KEYUSAGE_KRB_SAFE_CKSUM:[684,3,1,""],SALT_TYPE_AFS_LENGTH:[284,3,1,""],krb5_free_checksum_contents:[488,0,1,"c.krb5_free_checksum_contents"],krb5_kt_default_name:[208,0,1,"c.krb5_kt_default_name"],KRB5_KPASSWD_SOFTERROR:[153,3,1,""],krb5_preauthtype:[468,2,1,"c.krb5_preauthtype"],krb5_set_default_realm:[346,0,1,"c.krb5_set_default_realm"],krb5_free_cred_contents:[805,0,1,"c.krb5_free_cred_contents"],KRB5_AUTHDATA_OSF_DCE:[557,3,1,""],krb5_cc_retrieve_cred:[690,0,1,"c.krb5_cc_retrieve_cred"],KRB5_AUTHDATA_MANDATORY_FOR_KDC:[20,3,1,""],krb5_responder_set_answer:[236,0,1,"c.krb5_responder_set_answer"],krb5_c_keyed_checksum_types:[92,0,1,"c.krb5_c_keyed_checksum_types"],KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:[474,3,1,""],KRB5_KPASSWD_HARDERROR:[83,3,1,""],KRB5_LRQ_ONE_LAST_TGT:[556,3,1,""],krb5_cksumtype_to_string:[760,0,1,"c.krb5_cksumtype_to_string"],KRB5_AUTH_CONTEXT_RET_SEQUENCE:[16,3,1,""],krb5_c_decrypt:[673,0,1,"c.krb5_c_decrypt"],KRB5_PRINCIPAL_COMPARE_CASEFOLD:[426,3,1,""],KRB5_LRQ_ALL_ACCT_EXPTIME:[758,3,1,""],KRB5_NT_UID:[68,3,1,""],krb5_free_checksum:[350,0,1,"c.krb5_free_checksum"],TKT_FLG_ANONYMOUS:[8,3,1,""],krb5_cc_support_switch:[496,0,1,"c.krb5_cc_support_switch"],KRB5_KPASSWD_BAD_VERSION:[98,3,1,""],KRB5_CRYPTO_TYPE_EMPTY:[551,3,1,""],CKSUMTYPE_HMAC_SHA256_128_AES128:[877,3,1,""],KRB5_KEYUSAGE_FAST_REP:[751,3,1,""],krb5_init_secure_context:[645,0,1,"c.krb5_init_secure_context"],krb5_get_init_creds_opt_set_anonymous:[729,0,1,"c.krb5_get_init_creds_opt_set_anonymous"],krb5_principal_compare:[266,0,1,"c.krb5_principal_compare"],krb5_finish_random_key:[860,0,1,"c.krb5_finish_random_key"],KRB5_PAC_CLIENT_INFO:[669,3,1,""],krb5_auth_con_setflags:[116,0,1,"c.krb5_auth_con_setflags"],krb5_kt_end_seq_get:[624,0,1,"c.krb5_kt_end_seq_get"],krb5_responder_get_challenge:[243,0,1,"c.krb5_responder_get_challenge"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:[698,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:[542,3,1,""],krb5_auth_con_getkey_k:[919,0,1,"c.krb5_auth_con_getkey_k"],KRB5_INIT_CONTEXT_SECURE:[384,3,1,""],KRB5_LRQ_ALL_LAST_TGT:[442,3,1,""],krb5_get_init_creds_opt_set_canonicalize:[281,0,1,"c.krb5_get_init_creds_opt_set_canonicalize"],krb5_princ_set_realm_data:[232,3,1,""],KRB5_AUTH_CONTEXT_PERMIT_ALL:[862,3,1,""],krb5_pa_svr_referral_data:[305,2,1,"c.krb5_pa_svr_referral_data"],TKT_FLG_INITIAL:[353,3,1,""],KRB5_AUTHDATA_ETYPE_NEGOTIATION:[469,3,1,""],KRB5_AUTH_CONTEXT_DO_TIME:[5,3,1,""],krb5_c_encrypt_length:[183,0,1,"c.krb5_c_encrypt_length"],KRB5_GET_INIT_CREDS_OPT_PROXIABLE:[622,3,1,""],AP_OPTS_RESERVED:[291,3,1,""],krb5_cc_default:[126,0,1,"c.krb5_cc_default"],TKT_FLG_TRANSIT_POLICY_CHECKED:[461,3,1,""],krb5_init_creds_free:[915,0,1,"c.krb5_init_creds_free"],KRB5_GET_INIT_CREDS_OPT_SALT:[610,3,1,""],KRB5_REALM_BRANCH_CHAR:[80,3,1,""],krb5_const_principal:[487,2,1,"c.krb5_const_principal"],krb5_os_localaddr:[879,0,1,"c.krb5_os_localaddr"],krb5_k_encrypt:[115,0,1,"c.krb5_k_encrypt"],krb5_string_to_timestamp:[785,0,1,"c.krb5_string_to_timestamp"],ENCTYPE_ARCFOUR_HMAC_EXP:[296,3,1,""],krb5_cccol_last_change_time:[258,0,1,"c.krb5_cccol_last_change_time"],CKSUMTYPE_MD5_HMAC_ARCFOUR:[237,3,1,""],krb5_tkt_creds_step:[618,0,1,"c.krb5_tkt_creds_step"],KRB5_TC_NOTICKET:[783,3,1,""],krb524_init_ets:[340,3,1,""],AD_TYPE_RESERVED:[784,3,1,""],KDC_OPT_FORWARDED:[176,3,1,""],KRB5_LRQ_ALL_PW_EXPTIME:[789,3,1,""],KRB5_KEYUSAGE_APP_DATA_ENCRYPT:[658,3,1,""],krb5_get_init_creds_opt_get_fast_flags:[821,0,1,"c.krb5_get_init_creds_opt_get_fast_flags"],krb5_error:[459,2,1,"c.krb5_error"],KRB5_KEYUSAGE_PA_SAM_RESPONSE:[214,3,1,""],krb5_responder_pkinit_set_answer:[287,0,1,"c.krb5_responder_pkinit_set_answer"],CKSUMTYPE_CRC32:[302,3,1,""],ADDRTYPE_INET6:[157,3,1,""],KRB5_LRQ_ONE_PW_EXPTIME:[48,3,1,""],KRB5_GC_NO_TRANSIT_CHECK:[242,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:[906,3,1,""],krb5_c_verify_checksum:[446,0,1,"c.krb5_c_verify_checksum"],krb5_rd_error:[907,0,1,"c.krb5_rd_error"],krb5_cc_set_default_name:[822,0,1,"c.krb5_cc_set_default_name"],krb5_recvauth:[699,0,1,"c.krb5_recvauth"],KRB5_TC_MATCH_SRV_NAMEONLY:[874,3,1,""],krb5_auth_con_getkey:[371,0,1,"c.krb5_auth_con_getkey"],KRB5_AUTHDATA_WIN2K_PAC:[500,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:[19,3,1,""],krb5_kt_cursor:[794,2,1,"c.krb5_kt_cursor"],krb5_cryptotype:[721,2,1,"c.krb5_cryptotype"],krb5_mk_priv:[268,0,1,"c.krb5_mk_priv"],ENCTYPE_DSA_SHA1_CMS:[327,3,1,""],CKSUMTYPE_RSA_MD4:[93,3,1,""],KRB5_PADATA_OTP_PIN_CHANGE:[123,3,1,""],TKT_FLG_FORWARDABLE:[336,3,1,""],TKT_FLG_INVALID:[356,3,1,""],KRB5_RESPONDER_QUESTION_OTP:[435,3,1,""],krb5_magic:[492,2,1,"c.krb5_magic"],krb5_get_init_creds_opt_set_salt:[800,0,1,"c.krb5_get_init_creds_opt_set_salt"],ENCTYPE_DES_CBC_RAW:[808,3,1,""],krb5_tkt_creds_free:[63,0,1,"c.krb5_tkt_creds_free"],KRB5_KEYUSAGE_FAST_REQ_CHKSUM:[194,3,1,""],ENCTYPE_CAMELLIA256_CTS_CMAC:[406,3,1,""],krb5_kt_start_seq_get:[40,0,1,"c.krb5_kt_start_seq_get"],krb5_auth_con_getflags:[267,0,1,"c.krb5_auth_con_getflags"],KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:[369,3,1,""],krb5_get_init_creds_opt_set_tkt_life:[522,0,1,"c.krb5_get_init_creds_opt_set_tkt_life"],KRB5_NT_PRINCIPAL:[647,3,1,""],krb5_kvno:[847,2,1,"c.krb5_kvno"],krb5_auth_con_getaddrs:[539,0,1,"c.krb5_auth_con_getaddrs"],ENCTYPE_CAMELLIA128_CTS_CMAC:[247,3,1,""],krb5_cc_set_config:[78,0,1,"c.krb5_cc_set_config"],krb5_chpw_message:[111,0,1,"c.krb5_chpw_message"],krb5_cccol_lock:[113,0,1,"c.krb5_cccol_lock"],KRB5_PADATA_ENC_SANDIA_SECURID:[595,3,1,""],krb5_mk_error:[568,0,1,"c.krb5_mk_error"],krb5_princ_component:[441,3,1,""],krb5_425_conv_principal:[12,0,1,"c.krb5_425_conv_principal"],krb5_unparse_name_flags_ext:[109,0,1,"c.krb5_unparse_name_flags_ext"],KRB5_KEYUSAGE_KRB_CRED_ENCPART:[858,3,1,""],KRB5_PADATA_REFERRAL:[555,3,1,""],TKT_FLG_PROXY:[447,3,1,""],KRB5_LRQ_ONE_LAST_REQ:[188,3,1,""],krb5_free_data:[195,0,1,"c.krb5_free_data"],krb5_int16:[154,2,1,"c.krb5_int16"],krb5_int32:[549,2,1,"c.krb5_int32"],KRB5_PRINCIPAL_COMPARE_ENTERPRISE:[383,3,1,""],krb5_k_reference_key:[104,0,1,"c.krb5_k_reference_key"],KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:[679,3,1,""],KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:[470,3,1,""],krb5_string_to_enctype:[452,0,1,"c.krb5_string_to_enctype"],krb5_init_creds_set_keytab:[414,0,1,"c.krb5_init_creds_set_keytab"],krb5_c_decrypt_iov:[795,0,1,"c.krb5_c_decrypt_iov"],krb5_string_to_deltat:[716,0,1,"c.krb5_string_to_deltat"],krb5_timestamp_to_string:[883,0,1,"c.krb5_timestamp_to_string"],krb5_kt_get_type:[839,0,1,"c.krb5_kt_get_type"],krb5_cc_end_seq_get:[244,0,1,"c.krb5_cc_end_seq_get"],KRB5_CYBERSAFE_SECUREID:[251,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA1_96:[732,3,1,""],krb5_is_referral_realm:[793,0,1,"c.krb5_is_referral_realm"],KRB5_PADATA_PW_SALT:[381,3,1,""],krb5_c_prf_length:[829,0,1,"c.krb5_c_prf_length"],krb5_authdatatype:[300,2,1,"c.krb5_authdatatype"],ENCTYPE_DES3_CBC_ENV:[151,3,1,""],krb5_kdc_req:[34,2,1,"c.krb5_kdc_req"],krb5_kdc_rep:[35,2,1,"c.krb5_kdc_rep"],krb5_get_init_creds_opt_set_fast_ccache:[578,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache"],krb5_gic_opt_pa_data:[882,2,1,"c.krb5_gic_opt_pa_data"],krb5_string_to_cksumtype:[593,0,1,"c.krb5_string_to_cksumtype"],krb5_free_ap_rep_enc_part:[886,0,1,"c.krb5_free_ap_rep_enc_part"],KRB5_ERROR:[239,3,1,""],KRB5_PADATA_USE_SPECIFIED_KVNO:[184,3,1,""],KRB5_LRQ_ONE_LAST_TGT_ISSUED:[672,3,1,""],krb5_auth_con_setsendsubkey_k:[778,0,1,"c.krb5_auth_con_setsendsubkey_k"],KRB5_KEYUSAGE_CAMMAC:[884,3,1,""],krb5_get_init_creds_opt_set_renew_life:[802,0,1,"c.krb5_get_init_creds_opt_set_renew_life"],KRB5_PADATA_ENCRYPTED_CHALLENGE:[440,3,1,""],KRB5_PADATA_SAM_CHALLENGE_2:[393,3,1,""],ENCTYPE_RSA_ES_OAEP_ENV:[779,3,1,""],krb5_read_password:[918,0,1,"c.krb5_read_password"],KRB5_PRINCIPAL_PARSE_ENTERPRISE:[471,3,1,""],krb5_prepend_error_message:[212,0,1,"c.krb5_prepend_error_message"],krb5_appdefault_string:[430,0,1,"c.krb5_appdefault_string"],KRB5_PAC_LOGON_INFO:[541,3,1,""],KRB5_INT16_MAX:[810,3,1,""],KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:[67,3,1,""],krb5_cc_remove_cred:[66,0,1,"c.krb5_cc_remove_cred"],KRB5_KEYUSAGE_APP_DATA_CKSUM:[548,3,1,""],KDC_OPT_FORWARDABLE:[724,3,1,""],LR_TYPE_INTERPRETATION_MASK:[892,3,1,""],krb5_build_principal:[538,0,1,"c.krb5_build_principal"],krb5_524_conv_principal:[218,0,1,"c.krb5_524_conv_principal"],krb5_copy_keyblock:[112,0,1,"c.krb5_copy_keyblock"],krb5_pac_get_buffer:[422,0,1,"c.krb5_pac_get_buffer"],KRB5_RECVAUTH_SKIP_VERSION:[700,3,1,""],KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:[868,3,1,""],krb5_tkt_creds_init:[743,0,1,"c.krb5_tkt_creds_init"],krb5_c_prf:[880,0,1,"c.krb5_c_prf"],KRB5_PRINCIPAL_UNPARSE_NO_REALM:[213,3,1,""],krb5_get_init_creds_opt_set_etype_list:[55,0,1,"c.krb5_get_init_creds_opt_set_etype_list"],krb5_get_prompt_types:[594,0,1,"c.krb5_get_prompt_types"],KRB5_ANONYMOUS_PRINCSTR:[14,3,1,""],KRB5_GC_CONSTRAINED_DELEGATION:[432,3,1,""],KRB5_PADATA_PKINIT_KX:[264,3,1,""],krb5_524_convert_creds:[347,0,1,"c.krb5_524_convert_creds"],krb5_auth_con_genaddrs:[257,0,1,"c.krb5_auth_con_genaddrs"],KRB5_KPASSWD_SUCCESS:[602,3,1,""],krb5_ui_2:[814,2,1,"c.krb5_ui_2"],krb5_free_default_realm:[121,0,1,"c.krb5_free_default_realm"],krb5_get_credentials_renew:[308,0,1,"c.krb5_get_credentials_renew"],KRB5_SAM_MUST_PK_ENCRYPT_SAD:[909,3,1,""],KRB5_CRYPTO_TYPE_CHECKSUM:[254,3,1,""],krb5_mk_1cred:[524,0,1,"c.krb5_mk_1cred"],krb5_get_init_creds_password:[609,0,1,"c.krb5_get_init_creds_password"],KRB5_GC_FORWARDABLE:[564,3,1,""],krb5_pac:[54,2,1,"c.krb5_pac"],krb5_msgtype:[102,2,1,"c.krb5_msgtype"],KRB5_LRQ_ONE_ACCT_EXPTIME:[619,3,1,""],krb5_c_valid_enctype:[875,0,1,"c.krb5_c_valid_enctype"],SALT_TYPE_NO_LENGTH:[615,3,1,""],KRB5_LRQ_ONE_LAST_INITIAL:[170,3,1,""],KRB5_KEYUSAGE_TGS_REQ_AUTH:[786,3,1,""],krb5_recvauth_version:[235,0,1,"c.krb5_recvauth_version"],krb5_mk_rep_dce:[386,0,1,"c.krb5_mk_rep_dce"],KRB5_REFERRAL_REALM:[682,3,1,""],krb5_pre_send_fn:[59,2,1,"c.krb5_pre_send_fn"],KRB5_KPASSWD_INITIAL_FLAG_NEEDED:[240,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA256_128:[532,3,1,""],krb5_vset_error_message:[332,0,1,"c.krb5_vset_error_message"],KRB5_LRQ_ALL_LAST_REQ:[390,3,1,""],KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:[128,3,1,""],krb5_pac_get_types:[149,0,1,"c.krb5_pac_get_types"],KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:[838,3,1,""],krb5_auth_con_setrecvsubkey:[323,0,1,"c.krb5_auth_con_setrecvsubkey"],krb5_set_error_message:[241,0,1,"c.krb5_set_error_message"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:[772,3,1,""],KRB5_RECVAUTH_BADAUTHVERS:[871,3,1,""],KRB5_PADATA_GET_FROM_TYPED_DATA:[525,3,1,""],krb5_auth_con_getsendsubkey:[740,0,1,"c.krb5_auth_con_getsendsubkey"],krb5_free_data_contents:[846,0,1,"c.krb5_free_data_contents"],KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:[428,3,1,""],KRB5_KEYUSAGE_AS_REP_ENCPART:[349,3,1,""],krb5_cc_cache_match:[89,0,1,"c.krb5_cc_cache_match"],krb5_typed_data:[651,2,1,"c.krb5_typed_data"],krb5_free_error_message:[399,0,1,"c.krb5_free_error_message"],krb5_c_random_add_entropy:[379,0,1,"c.krb5_c_random_add_entropy"],krb5_free_creds:[670,0,1,"c.krb5_free_creds"],KRB5_NT_UNKNOWN:[817,3,1,""],AP_OPTS_MUTUAL_REQUIRED:[826,3,1,""],ENCTYPE_RSA_ENV:[418,3,1,""],krb5_auth_con_setuseruserkey:[11,0,1,"c.krb5_auth_con_setuseruserkey"],krb5_data:[599,2,1,"c.krb5_data"],KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:[118,3,1,""],KRB5_AUTHDATA_FX_ARMOR:[88,3,1,""],KRB5_PADATA_SAM_RESPONSE_2:[545,3,1,""],KRB5_TC_MATCH_2ND_TKT:[328,3,1,""],krb5_c_block_size:[367,0,1,"c.krb5_c_block_size"],KRB5_PADATA_PK_AS_REP_OLD:[333,3,1,""],ENCTYPE_MD5_RSA_CMS:[196,3,1,""],KRB5_PADATA_FOR_USER:[576,3,1,""],krb5_responder_pkinit_challenge_free:[270,0,1,"c.krb5_responder_pkinit_challenge_free"],krb5_auth_con_getremotesubkey:[180,0,1,"c.krb5_auth_con_getremotesubkey"],krb5_address_order:[288,0,1,"c.krb5_address_order"],krb5_set_default_tgs_enctypes:[138,0,1,"c.krb5_set_default_tgs_enctypes"],krb5_kt_resolve:[250,0,1,"c.krb5_kt_resolve"],KRB5_PADATA_SAM_CHALLENGE:[567,3,1,""],krb5_tkt_authent:[841,2,1,"c.krb5_tkt_authent"],krb5_princ_size:[706,3,1,""],krb5_trace_info:[31,2,1,"c.krb5_trace_info"],krb5_rd_rep:[572,0,1,"c.krb5_rd_rep"],krb5_cc_get_type:[3,0,1,"c.krb5_cc_get_type"],KRB5_PADATA_OSF_DCE:[43,3,1,""],KRB5_NT_MS_PRINCIPAL_AND_ID:[695,3,1,""],KDC_OPT_RENEW:[316,3,1,""],KRB5_PADATA_FX_ERROR:[226,3,1,""],KRB5_LRQ_ALL_LAST_RENEWAL:[508,3,1,""],ADDRTYPE_CHAOS:[790,3,1,""],krb5_copy_ticket:[103,0,1,"c.krb5_copy_ticket"],krb5_pac_init:[722,0,1,"c.krb5_pac_init"],krb5_parse_name:[676,0,1,"c.krb5_parse_name"],krb5_copy_principal:[730,0,1,"c.krb5_copy_principal"],KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:[755,3,1,""],KRB5_TC_MATCH_TIMES_EXACT:[767,3,1,""],krb5_enc_tkt_part:[830,2,1,"c.krb5_enc_tkt_part"],krb5_mk_safe:[836,0,1,"c.krb5_mk_safe"],KRB5_KEYUSAGE_FAST_FINISHED:[256,3,1,""],krb5_check_clockskew:[504,0,1,"c.krb5_check_clockskew"],KRB5_AUTHDATA_CAMMAC:[42,3,1,""],KRB5_KEYUSAGE_AP_REQ_AUTH:[368,3,1,""],KRB5_TC_OPENCLOSE:[269,3,1,""],krb5_pac_add_buffer:[598,0,1,"c.krb5_pac_add_buffer"],krb5_get_credentials_validate:[701,0,1,"c.krb5_get_credentials_validate"],krb5_init_context:[866,0,1,"c.krb5_init_context"],krb5_cc_new_unique:[675,0,1,"c.krb5_cc_new_unique"],krb5_kt_default:[417,0,1,"c.krb5_kt_default"],krb5_is_thread_safe:[916,0,1,"c.krb5_is_thread_safe"],krb5_cc_resolve:[623,0,1,"c.krb5_cc_resolve"],krb5_rd_cred:[255,0,1,"c.krb5_rd_cred"],krb5_decrypt:[223,0,1,"c.krb5_decrypt"],krb5_xc:[745,3,1,""],ADDRTYPE_DDP:[489,3,1,""],krb5_c_enctype_compare:[413,0,1,"c.krb5_c_enctype_compare"],krb5_c_verify_checksum_iov:[248,0,1,"c.krb5_c_verify_checksum_iov"],krb5_get_init_creds_opt_set_forwardable:[540,0,1,"c.krb5_get_init_creds_opt_set_forwardable"],krb5_get_init_creds_keytab:[845,0,1,"c.krb5_get_init_creds_keytab"],CKSUMTYPE_RSA_MD5:[94,3,1,""],KRB5_NT_X500_PRINCIPAL:[494,3,1,""],KDC_OPT_RENEWABLE_OK:[865,3,1,""],krb5_auth_con_getremoteseqnumber:[313,0,1,"c.krb5_auth_con_getremoteseqnumber"],KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:[234,3,1,""],krb5_free_unparsed_name:[560,0,1,"c.krb5_free_unparsed_name"],krb5_k_decrypt:[39,0,1,"c.krb5_k_decrypt"],krb5_cc_get_name:[712,0,1,"c.krb5_cc_get_name"],krb5_c_encrypt_iov:[132,0,1,"c.krb5_c_encrypt_iov"],krb5_deltat_to_string:[165,0,1,"c.krb5_deltat_to_string"],krb5_copy_authenticator:[509,0,1,"c.krb5_copy_authenticator"],krb5_vprepend_error_message:[815,0,1,"c.krb5_vprepend_error_message"],krb5_get_time_offsets:[280,0,1,"c.krb5_get_time_offsets"],KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:[326,3,1,""],krb5_parse_name_flags:[635,0,1,"c.krb5_parse_name_flags"],KRB5_KEYUSAGE_IAKERB_FINISHED:[479,3,1,""],krb5_cc_get_full_name:[511,0,1,"c.krb5_cc_get_full_name"],krb5_init_context_profile:[741,0,1,"c.krb5_init_context_profile"],KRB5_KEYUSAGE_AD_MTE:[100,3,1,""],krb5_c_string_to_key_with_params:[606,0,1,"c.krb5_c_string_to_key_with_params"],krb5_response:[586,2,1,"c.krb5_response"],krb5_get_init_creds_opt_set_change_password_prompt:[747,0,1,"c.krb5_get_init_creds_opt_set_change_password_prompt"],KRB5_PADATA_AS_CHECKSUM:[781,3,1,""],krb5_free_context:[627,0,1,"c.krb5_free_context"],krb5_auth_con_init:[749,0,1,"c.krb5_auth_con_init"],ENCTYPE_ARCFOUR_HMAC:[338,3,1,""],krb5_pac_free:[692,0,1,"c.krb5_pac_free"],krb5_set_password_using_ccache:[894,0,1,"c.krb5_set_password_using_ccache"],AP_OPTS_USE_SUBKEY:[46,3,1,""],krb5_free_error:[169,0,1,"c.krb5_free_error"],krb5_c_crypto_length_iov:[150,0,1,"c.krb5_c_crypto_length_iov"],KRB5_INIT_CONTEXT_KDC:[450,3,1,""],VALID_UINT_BITS:[394,3,1,""],krb5_free_tgt_creds:[321,0,1,"c.krb5_free_tgt_creds"],krb5_get_default_realm:[309,0,1,"c.krb5_get_default_realm"],krb5_cred_info:[547,2,1,"c.krb5_cred_info"],krb5_c_random_to_key:[299,0,1,"c.krb5_c_random_to_key"],KRB5_NT_MS_PRINCIPAL:[855,3,1,""],TKT_FLG_RENEWABLE:[334,3,1,""],krb5_pac_sign:[769,0,1,"c.krb5_pac_sign"],KRB5_PADATA_S4U_X509_USER:[809,3,1,""],KRB5_TGS_REQ:[77,3,1,""],KRB5_TGS_REP:[76,3,1,""],KRB5_PROMPT_TYPE_PREAUTH:[297,3,1,""],krb5_k_prf:[652,0,1,"c.krb5_k_prf"],krb5_kt_read_service_key:[734,0,1,"c.krb5_kt_read_service_key"],krb5_octet:[927,2,1,"c.krb5_octet"],krb5_principal_compare_flags:[513,0,1,"c.krb5_principal_compare_flags"],krb5_get_init_creds_opt_set_expire_callback:[911,0,1,"c.krb5_get_init_creds_opt_set_expire_callback"],krb5_k_free_key:[849,0,1,"c.krb5_k_free_key"],krb5_kt_next_entry:[807,0,1,"c.krb5_kt_next_entry"],krb5_free_keyblock:[95,0,1,"c.krb5_free_keyblock"],KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:[686,3,1,""],krb5_get_credentials:[30,0,1,"c.krb5_get_credentials"],krb5_decode_authdata_container:[292,0,1,"c.krb5_decode_authdata_container"],KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:[69,3,1,""],AD_TYPE_FIELD_TYPE_MASK:[621,3,1,""],krb5_cc_set_flags:[920,0,1,"c.krb5_cc_set_flags"],krb5_cc_next_cred:[613,0,1,"c.krb5_cc_next_cred"],krb5_principal2salt:[431,0,1,"c.krb5_principal2salt"],krb5_c_prfplus:[348,0,1,"c.krb5_c_prfplus"],krb5_responder_pkinit_challenge:[320,2,1,"c.krb5_responder_pkinit_challenge"],krb5_context:[633,2,1,"c.krb5_context"],KRB5_KEYUSAGE_PA_OTP_REQUEST:[754,3,1,""],krb5_kt_add_entry:[397,0,1,"c.krb5_kt_add_entry"],KRB5_KEYUSAGE_AP_REP_ENCPART:[592,3,1,""]},krb5_responder_pkinit_identity:{token_flags:[775,1,1,"c.krb5_responder_pkinit_identity.token_flags"],identity:[775,1,1,"c.krb5_responder_pkinit_identity.identity"]},krb5_kdc_req:{rtime:[34,1,1,"c.krb5_kdc_req.rtime"],nonce:[34,1,1,"c.krb5_kdc_req.nonce"],authorization_data:[34,1,1,"c.krb5_kdc_req.authorization_data"],addresses:[34,1,1,"c.krb5_kdc_req.addresses"],msg_type:[34,1,1,"c.krb5_kdc_req.msg_type"],from:[34,1,1,"c.krb5_kdc_req.from"],kdc_options:[34,1,1,"c.krb5_kdc_req.kdc_options"],unenc_authdata:[34,1,1,"c.krb5_kdc_req.unenc_authdata"],server:[34,1,1,"c.krb5_kdc_req.server"],nktypes:[34,1,1,"c.krb5_kdc_req.nktypes"],till:[34,1,1,"c.krb5_kdc_req.till"],client:[34,1,1,"c.krb5_kdc_req.client"],second_ticket:[34,1,1,"c.krb5_kdc_req.second_ticket"],ktype:[34,1,1,"c.krb5_kdc_req.ktype"],magic:[34,1,1,"c.krb5_kdc_req.magic"],padata:[34,1,1,"c.krb5_kdc_req.padata"]},krb5_kdc_rep:{magic:[35,1,1,"c.krb5_kdc_rep.magic"],msg_type:[35,1,1,"c.krb5_kdc_rep.msg_type"],enc_part2:[35,1,1,"c.krb5_kdc_rep.enc_part2"],padata:[35,1,1,"c.krb5_kdc_rep.padata"],client:[35,1,1,"c.krb5_kdc_rep.client"],ticket:[35,1,1,"c.krb5_kdc_rep.ticket"],enc_part:[35,1,1,"c.krb5_kdc_rep.enc_part"]},krb5_gic_opt_pa_data:{attr:[882,1,1,"c.krb5_gic_opt_pa_data.attr"],value:[882,1,1,"c.krb5_gic_opt_pa_data.value"]},krb5_tkt_authent:{authenticator:[841,1,1,"c.krb5_tkt_authent.authenticator"],ticket:[841,1,1,"c.krb5_tkt_authent.ticket"],magic:[841,1,1,"c.krb5_tkt_authent.magic"],ap_options:[841,1,1,"c.krb5_tkt_authent.ap_options"]},krb5_keytab_entry:{vno:[851,1,1,"c.krb5_keytab_entry.vno"],timestamp:[851,1,1,"c.krb5_keytab_entry.timestamp"],magic:[851,1,1,"c.krb5_keytab_entry.magic"],key:[851,1,1,"c.krb5_keytab_entry.key"],principal:[851,1,1,"c.krb5_keytab_entry.principal"]},krb5_get_init_creds_opt:{proxiable:[833,1,1,"c.krb5_get_init_creds_opt.proxiable"],forwardable:[833,1,1,"c.krb5_get_init_creds_opt.forwardable"],preauth_list_length:[833,1,1,"c.krb5_get_init_creds_opt.preauth_list_length"],renew_life:[833,1,1,"c.krb5_get_init_creds_opt.renew_life"],tkt_life:[833,1,1,"c.krb5_get_init_creds_opt.tkt_life"],flags:[833,1,1,"c.krb5_get_init_creds_opt.flags"],preauth_list:[833,1,1,"c.krb5_get_init_creds_opt.preauth_list"],etype_list:[833,1,1,"c.krb5_get_init_creds_opt.etype_list"],salt:[833,1,1,"c.krb5_get_init_creds_opt.salt"],etype_list_length:[833,1,1,"c.krb5_get_init_creds_opt.etype_list_length"],address_list:[833,1,1,"c.krb5_get_init_creds_opt.address_list"]},krb5_const_principal:{type:[487,1,1,"c.krb5_const_principal.type"],length:[487,1,1,"c.krb5_const_principal.length"],magic:[487,1,1,"c.krb5_const_principal.magic"],realm:[487,1,1,"c.krb5_const_principal.realm"],data:[487,1,1,"c.krb5_const_principal.data"]},krb5_pa_pac_req:{include_pac:[771,1,1,"c.krb5_pa_pac_req.include_pac"]},krb5_responder_otp_tokeninfo:{vendor:[901,1,1,"c.krb5_responder_otp_tokeninfo.vendor"],format:[901,1,1,"c.krb5_responder_otp_tokeninfo.format"],challenge:[901,1,1,"c.krb5_responder_otp_tokeninfo.challenge"],length:[901,1,1,"c.krb5_responder_otp_tokeninfo.length"],flags:[901,1,1,"c.krb5_responder_otp_tokeninfo.flags"],token_id:[901,1,1,"c.krb5_responder_otp_tokeninfo.token_id"],alg_id:[901,1,1,"c.krb5_responder_otp_tokeninfo.alg_id"]},krb5_enc_data:{ciphertext:[372,1,1,"c.krb5_enc_data.ciphertext"],magic:[372,1,1,"c.krb5_enc_data.magic"],kvno:[372,1,1,"c.krb5_enc_data.kvno"],enctype:[372,1,1,"c.krb5_enc_data.enctype"]},krb5_cred:{tickets:[337,1,1,"c.krb5_cred.tickets"],magic:[337,1,1,"c.krb5_cred.magic"],enc_part:[337,1,1,"c.krb5_cred.enc_part"],enc_part2:[337,1,1,"c.krb5_cred.enc_part2"]},krb5_pa_data:{length:[639,1,1,"c.krb5_pa_data.length"],pa_type:[639,1,1,"c.krb5_pa_data.pa_type"],magic:[639,1,1,"c.krb5_pa_data.magic"],contents:[639,1,1,"c.krb5_pa_data.contents"]},krb5_address:{addrtype:[501,1,1,"c.krb5_address.addrtype"],length:[501,1,1,"c.krb5_address.length"],magic:[501,1,1,"c.krb5_address.magic"],contents:[501,1,1,"c.krb5_address.contents"]},krb5_response:{magic:[586,1,1,"c.krb5_response.magic"],message_type:[586,1,1,"c.krb5_response.message_type"],response:[586,1,1,"c.krb5_response.response"],expected_nonce:[586,1,1,"c.krb5_response.expected_nonce"],request_time:[586,1,1,"c.krb5_response.request_time"]},krb5_authenticator:{magic:[731,1,1,"c.krb5_authenticator.magic"],ctime:[731,1,1,"c.krb5_authenticator.ctime"],checksum:[731,1,1,"c.krb5_authenticator.checksum"],seq_number:[731,1,1,"c.krb5_authenticator.seq_number"],client:[731,1,1,"c.krb5_authenticator.client"],subkey:[731,1,1,"c.krb5_authenticator.subkey"],cusec:[731,1,1,"c.krb5_authenticator.cusec"],authorization_data:[731,1,1,"c.krb5_authenticator.authorization_data"]},krb5_pa_server_referral_data:{true_principal_name:[221,1,1,"c.krb5_pa_server_referral_data.true_principal_name"],requested_principal_name:[221,1,1,"c.krb5_pa_server_referral_data.requested_principal_name"],referral_valid_until:[221,1,1,"c.krb5_pa_server_referral_data.referral_valid_until"],rep_cksum:[221,1,1,"c.krb5_pa_server_referral_data.rep_cksum"],referred_realm:[221,1,1,"c.krb5_pa_server_referral_data.referred_realm"]},krb5_transited:{tr_contents:[498,1,1,"c.krb5_transited.tr_contents"],tr_type:[498,1,1,"c.krb5_transited.tr_type"],magic:[498,1,1,"c.krb5_transited.magic"]},krb5_pwd_data:{sequence_count:[445,1,1,"c.krb5_pwd_data.sequence_count"],magic:[445,1,1,"c.krb5_pwd_data.magic"],element:[445,1,1,"c.krb5_pwd_data.element"]},krb5_error:{magic:[459,1,1,"c.krb5_error.magic"],ctime:[459,1,1,"c.krb5_error.ctime"],susec:[459,1,1,"c.krb5_error.susec"],text:[459,1,1,"c.krb5_error.text"],e_data:[459,1,1,"c.krb5_error.e_data"],server:[459,1,1,"c.krb5_error.server"],client:[459,1,1,"c.krb5_error.client"],stime:[459,1,1,"c.krb5_error.stime"],cusec:[459,1,1,"c.krb5_error.cusec"],error:[459,1,1,"c.krb5_error.error"]},krb5_principal:{data:[904,1,1,"c.krb5_principal.data"],length:[904,1,1,"c.krb5_principal.length"],magic:[904,1,1,"c.krb5_principal.magic"],realm:[904,1,1,"c.krb5_principal.realm"],type:[904,1,1,"c.krb5_principal.type"]},krb5_last_req_entry:{lr_type:[505,1,1,"c.krb5_last_req_entry.lr_type"],magic:[505,1,1,"c.krb5_last_req_entry.magic"],value:[505,1,1,"c.krb5_last_req_entry.value"]},krb5_enc_tkt_part:{caddrs:[830,1,1,"c.krb5_enc_tkt_part.caddrs"],magic:[830,1,1,"c.krb5_enc_tkt_part.magic"],transited:[830,1,1,"c.krb5_enc_tkt_part.transited"],times:[830,1,1,"c.krb5_enc_tkt_part.times"],session:[830,1,1,"c.krb5_enc_tkt_part.session"],flags:[830,1,1,"c.krb5_enc_tkt_part.flags"],client:[830,1,1,"c.krb5_enc_tkt_part.client"],authorization_data:[830,1,1,"c.krb5_enc_tkt_part.authorization_data"]},krb5_cred_info:{caddrs:[547,1,1,"c.krb5_cred_info.caddrs"],magic:[547,1,1,"c.krb5_cred_info.magic"],times:[547,1,1,"c.krb5_cred_info.times"],session:[547,1,1,"c.krb5_cred_info.session"],flags:[547,1,1,"c.krb5_cred_info.flags"],client:[547,1,1,"c.krb5_cred_info.client"],server:[547,1,1,"c.krb5_cred_info.server"]},krb5_keyblock:{length:[528,1,1,"c.krb5_keyblock.length"],magic:[528,1,1,"c.krb5_keyblock.magic"],contents:[528,1,1,"c.krb5_keyblock.contents"],enctype:[528,1,1,"c.krb5_keyblock.enctype"]},krb5_replay_data:{timestamp:[29,1,1,"c.krb5_replay_data.timestamp"],usec:[29,1,1,"c.krb5_replay_data.usec"],seq:[29,1,1,"c.krb5_replay_data.seq"]},krb5_authdata:{length:[362,1,1,"c.krb5_authdata.length"],magic:[362,1,1,"c.krb5_authdata.magic"],ad_type:[362,1,1,"c.krb5_authdata.ad_type"],contents:[362,1,1,"c.krb5_authdata.contents"]},krb5_typed_data:{data:[651,1,1,"c.krb5_typed_data.data"],length:[651,1,1,"c.krb5_typed_data.length"],magic:[651,1,1,"c.krb5_typed_data.magic"],type:[651,1,1,"c.krb5_typed_data.type"]},krb5_ticket_times:{endtime:[664,1,1,"c.krb5_ticket_times.endtime"],renew_till:[664,1,1,"c.krb5_ticket_times.renew_till"],starttime:[664,1,1,"c.krb5_ticket_times.starttime"],authtime:[664,1,1,"c.krb5_ticket_times.authtime"]},krb5_ap_req:{authenticator:[260,1,1,"c.krb5_ap_req.authenticator"],ticket:[260,1,1,"c.krb5_ap_req.ticket"],magic:[260,1,1,"c.krb5_ap_req.magic"],ap_options:[260,1,1,"c.krb5_ap_req.ap_options"]},krb5_ap_rep:{enc_part:[640,1,1,"c.krb5_ap_rep.enc_part"],magic:[640,1,1,"c.krb5_ap_rep.magic"]},krb5_verify_init_creds_opt:{flags:[6,1,1,"c.krb5_verify_init_creds_opt.flags"],ap_req_nofail:[6,1,1,"c.krb5_verify_init_creds_opt.ap_req_nofail"]},krb5_ticket:{enc_part:[310,1,1,"c.krb5_ticket.enc_part"],server:[310,1,1,"c.krb5_ticket.server"],magic:[310,1,1,"c.krb5_ticket.magic"],enc_part2:[310,1,1,"c.krb5_ticket.enc_part2"]},krb5_cred_enc_part:{nonce:[190,1,1,"c.krb5_cred_enc_part.nonce"],magic:[190,1,1,"c.krb5_cred_enc_part.magic"],s_address:[190,1,1,"c.krb5_cred_enc_part.s_address"],ticket_info:[190,1,1,"c.krb5_cred_enc_part.ticket_info"],timestamp:[190,1,1,"c.krb5_cred_enc_part.timestamp"],usec:[190,1,1,"c.krb5_cred_enc_part.usec"],r_address:[190,1,1,"c.krb5_cred_enc_part.r_address"]},krb5_trace_info:{message:[31,1,1,"c.krb5_trace_info.message"]},passwd_phrase_element:{passwd:[893,1,1,"c.passwd_phrase_element.passwd"],phrase:[893,1,1,"c.passwd_phrase_element.phrase"],magic:[893,1,1,"c.passwd_phrase_element.magic"]},krb5_crypto_iov:{data:[928,1,1,"c.krb5_crypto_iov.data"],flags:[928,1,1,"c.krb5_crypto_iov.flags"]},krb5_data:{data:[599,1,1,"c.krb5_data.data"],length:[599,1,1,"c.krb5_data.length"],magic:[599,1,1,"c.krb5_data.magic"]},krb5_enc_kdc_rep_part:{nonce:[325,1,1,"c.krb5_enc_kdc_rep_part.nonce"],caddrs:[325,1,1,"c.krb5_enc_kdc_rep_part.caddrs"],magic:[325,1,1,"c.krb5_enc_kdc_rep_part.magic"],msg_type:[325,1,1,"c.krb5_enc_kdc_rep_part.msg_type"],last_req:[325,1,1,"c.krb5_enc_kdc_rep_part.last_req"],times:[325,1,1,"c.krb5_enc_kdc_rep_part.times"],key_exp:[325,1,1,"c.krb5_enc_kdc_rep_part.key_exp"],session:[325,1,1,"c.krb5_enc_kdc_rep_part.session"],flags:[325,1,1,"c.krb5_enc_kdc_rep_part.flags"],server:[325,1,1,"c.krb5_enc_kdc_rep_part.server"],enc_padata:[325,1,1,"c.krb5_enc_kdc_rep_part.enc_padata"]},krb5_encrypt_block:{crypto_entry:[759,1,1,"c.krb5_encrypt_block.crypto_entry"],magic:[759,1,1,"c.krb5_encrypt_block.magic"],key:[759,1,1,"c.krb5_encrypt_block.key"]},krb5_prompt:{reply:[140,1,1,"c.krb5_prompt.reply"],hidden:[140,1,1,"c.krb5_prompt.hidden"],prompt:[140,1,1,"c.krb5_prompt.prompt"]},krb5_checksum:{checksum_type:[155,1,1,"c.krb5_checksum.checksum_type"],length:[155,1,1,"c.krb5_checksum.length"],magic:[155,1,1,"c.krb5_checksum.magic"],contents:[155,1,1,"c.krb5_checksum.contents"]},krb5_principal_data:{realm:[427,1,1,"c.krb5_principal_data.realm"],length:[427,1,1,"c.krb5_principal_data.length"],magic:[427,1,1,"c.krb5_principal_data.magic"],data:[427,1,1,"c.krb5_principal_data.data"],type:[427,1,1,"c.krb5_principal_data.type"]},krb5_responder_pkinit_challenge:{identities:[320,1,1,"c.krb5_responder_pkinit_challenge.identities"]},krb5_responder_otp_challenge:{tokeninfo:[516,1,1,"c.krb5_responder_otp_challenge.tokeninfo"],service:[516,1,1,"c.krb5_responder_otp_challenge.service"]},krb5_creds:{authdata:[797,1,1,"c.krb5_creds.authdata"],magic:[797,1,1,"c.krb5_creds.magic"],addresses:[797,1,1,"c.krb5_creds.addresses"],keyblock:[797,1,1,"c.krb5_creds.keyblock"],server:[797,1,1,"c.krb5_creds.server"],client:[797,1,1,"c.krb5_creds.client"],ticket_flags:[797,1,1,"c.krb5_creds.ticket_flags"],second_ticket:[797,1,1,"c.krb5_creds.second_ticket"],is_skey:[797,1,1,"c.krb5_creds.is_skey"],ticket:[797,1,1,"c.krb5_creds.ticket"],times:[797,1,1,"c.krb5_creds.times"]},krb5_pa_svr_referral_data:{principal:[305,1,1,"c.krb5_pa_svr_referral_data.principal"]},krb5_ap_rep_enc_part:{seq_number:[908,1,1,"c.krb5_ap_rep_enc_part.seq_number"],magic:[908,1,1,"c.krb5_ap_rep_enc_part.magic"],subkey:[908,1,1,"c.krb5_ap_rep_enc_part.subkey"],cusec:[908,1,1,"c.krb5_ap_rep_enc_part.cusec"],ctime:[908,1,1,"c.krb5_ap_rep_enc_part.ctime"]}},titleterms:{libdefault:816,entropi:[379,643],kdc_tkt_common_mask:828,krb5_auth_con_setflag:116,prefix:[38,141,815,212],consider:[209,718],krb5_free_str:265,krb5_cc_get_config:527,krb5_sname_match:18,heimdal:451,krb5_free_ticket:145,krb5_get_init_creds_opt_set_pa:82,krb5_build_principal_ext:455,everi:134,kadmin:[71,44,62],kvno:650,krb5_responder_context:530,krb5_get_init_creds_opt_set_canonic:281,sclient:520,verif:[575,148,205,120],krb5_principal_compare_enterpris:383,direct:857,krb5_auth_con_setrcach:546,krb5_enc_data:372,krb5_nt_ms_princip:855,krb5_address_search:401,krb5_auth_con_setaddr:697,krb5_auth_con_setrecvsubkey_k:703,krb5_get_init_creds_opt_set_renew_lif:802,"new":[631,108,397,675,905,198,439],krb5_kt_remove_entri:159,manipul:735,krb5_auth_context_do_tim:5,krb5_cc_gen_new:685,path:28,krb5_tgs_name:570,acceptor:17,krb5_keyusage_app_data_cksum:548,krb5_verify_authdata_kdc_issu:375,krb5_set_default_tgs_enctyp:138,krb5_get_init_creds_opt_set_fast_ccach:578,cksumtype_hmac_sha1_96_aes128:581,permit:106,krb5_chpw_messag:111,krb5_boolean:456,kdc_opt_cname_in_addl_tkt:199,krb5_enctype_to_nam:172,unix:[28,101,796],subkei:[778,408,323,485,703,740,925,657],krb5_responder_otp_flags_nextotp:84,call:182,krb5_sam_must_pk_encrypt_sad:909,type:[452,3,106,554,617,675,496,678,55,172,10,512,594,413,454,17,249,74,22,360,694,648,587,27,593,138,712,839,760,600,875,434,273,36,209,437,148,149,92,829],krb5_expire_callback_func:279,krb5_c_derive_prfplu:351,restor:44,setup:436,work:798,krb5_verify_init_creds_opt_init:205,krb5_get_server_rcach:589,overrid:[346,924,475],krb5_responder_pkinit_flags_token_user_pin_lock:233,kpasswd:25,krb5_lrq_one_pw_exptim:48,indic:322,end:517,krb5_padata_pk_as_req:641,cksumtype_rsa_md5:94,cksumtype_rsa_md4:93,krb5_string_to_cksumtyp:593,how:127,answer:[236,287,835],verifi:[523,375,875,634,521,259,512,446],enctype_des3_cbc_sha1:681,krb5_auth_con_getflag:267,updat:[44,127],krb5_tc_match_flag:178,krb5_const:667,krb5_gc_forward:564,krb5_cryptotyp:721,sserver:818,krb5_cc_last_change_tim:238,opaqu:[824,115,763,603,748,634,39,387,652],credenti:[3,230,496,78,244,465,17,690,258,702,675,707,710,712,493,720,281,729,736,55,511,742,743,747,66,1,519,75,757,521,522,523,524,765,82,324,89,535,540,147,164,192,800,238,802,108,342,113,559,344,347,831,321,354,126,575,359,863,821,578,822,827,414,623,134,373,845,148,609,613,614,617,395,864,402,527,186,419,894,791,648,423,424,246,205,911,206,409,739,915,688,920,449],receiv:[168,408,703,657,323],environ:[565,922,64,454,274,133,569,650,388,45,644],krb5_prompt:140,krb5_kt_resolv:250,order:288,over:688,krb5_free_checksum_cont:488,privileg:[722,44],keyboard:918,krb5_parse_name_flag:635,krb5_responder_set_answ:236,tkt_flg_initi:353,krb5_keyusage_tgs_req_ad_sesskei:474,s4u:17,krb5_deltat:680,create_polici:486,krb5_sendauth:[169,646],krb5_auth_con_genaddr:257,cred:[524,736,255,319],krb5_get_init_creds_opt_set_tkt_lif:522,ccselect:[816,702],safe:[825,836],krb5_c_checksum_length:678,krb5_cc_lock:206,krb5_tc_match_tim:377,krb5_c_is_coll_proof_cksum:587,lockout:436,each:899,krb5_safe:537,cksumtype_hmac_md5_arcfour:65,krb5_principal_compare_ignore_realm:764,kdc_opt_renewable_ok:865,krb5_pa_pac_req:771,krb5_responder_pkinit_challeng:320,krb5_init_creds_get_error:75,content:[90,229,478,277,26,805,329,846,738,488],krb5_free_host_realm:278,krb5_init_context_kdc:450,krb5_wellknown_namestr:87,free:[726,560,195,167,805,558,846,399,278,344,63,121,627,179,409,301,411,886,22,350,692,321,265,145,488,270,90,437,277,915,95,169,849,670,158],krb5_trace_info:31,krb5_pac_delegation_info:162,renew:[707,802],krb5_padata_for_us:576,onto:495,krb5_mk_rep:366,krb5_mk_req:365,krb5_authdata_cammac:42,restrict:373,hook:[168,626,224],instruct:439,klist:[565,105],primari:354,krb5_get_fallback_host_realm:660,krb5_auth_con_initivector:873,krb5_prompter_posix:852,krb5_524_conv_princip:218,krb5_kt_get_entri:715,master:[44,74,899],krb5_realm_compar:131,krb5_c_random_os_entropi:643,krb5_keyusage_pa_s4u_x509_user_repli:326,krb5_cc_copy_cr:147,tool:617,krb5_tc_supported_ktyp:806,target:439,krb5_c_encrypt:844,krb5_get_init_creds_opt_proxi:622,krb5_address_compar:396,tree:204,krb5_pac_server_checksum:888,cksumtype_hmac_sha1_96_aes256:97,krb5_checksum:[350,155,662,488],krb5_flag:483,krb5_encrypt_block:759,provis:475,krb5_padata_otp_pin_chang:123,increment:[44,104,899],seen:148,krb5_replay_data:29,krb5_responder_otp_flags_collect_pin:906,realm:[49,131,293,666,816,370,44,885,309,691,346,10,495,121],cksumtype_descbc:416,krb5_set_principal_realm:885,krb5_copy_address:727,krb5_init_keyblock:317,krb5_cc_end_seq_get:244,object:[231,44,589],krb5_auth_con_set_checksum_func:788,declar:[222,456,6,459,680,468,260,640,482,29,487,31,34,35,492,721,830,190,498,794,337,503,505,731,54,59,60,515,427,516,305,483,756,310,759,79,528,318,534,320,771,775,325,777,547,102,549,501,797,341,811,813,814,378,362,585,586,901,833,913,372,140,841,599,847,664,851,154,155,869,173,633,882,639,279,893,300,651,902,654,904,908,137,389,861,530,923,445,927,221,928],random:[379,299,583,652,829,880,144,348],syntax:32,krb5_anonymous_princip:228,tkt_flg_may_postd:210,priv:[268,216],absolut:177,acquir:[414,423,864,246,113,186,359,757,419],rcach:27,kdestroi:[388,105],krb5_checksum_s:725,ldap:[44,859],krb5_c_is_keyed_cksum:360,krb5_copy_data:231,krb5_principal_compare_any_realm:370,"public":[2,182,36],krb5_k_make_checksum:748,krb5_build_princip:538,respond:[523,236,343,243,791],krb5_is_thread_saf:916,datatyp:99,result:111,krb5_process_kei:723,krb5_nt_srv_xhst:193,fail:[899,148],databas:[899,859,71,74,56,889,44,495],krb5_set_default_realm:346,discoveri:495,cksumtype_cmac_camellia128:518,krb5_kpasswd_bad_vers:98,irc:23,attribut:[722,17],tkt_flg_proxiabl:761,extend:[9,241,51,332,510],ccach:[617,632,831],tkt_flg_postdat:412,krb5_get_init_creds_opt_preauth_list:253,k5login:185,krb5_init_secure_context:645,krb5_kt_end_seq_get:624,cksumtype_rsa_md5_d:306,krb5_responder_pkinit_get_challeng:[653,270],against:521,tabdump:425,cksumtype_nist_sha:659,krb5_auth_con_getkey_k:919,login:666,addrtype_ipport:753,krb5_cc_store_cr:465,guid:229,krb5_k_encrypt:115,duplic:[294,632],krb5_wrap_error_messag:38,krb5_tkt_creds_get_tim:122,list_request:[71,139],clear_list:139,keyblock:[408,361,371,132,844,248,323,112,252,485,740,738,657,446,795,311,507,673],krb5_encpadata_req_enc_pa_rep:124,add_mkei:425,krb5_cccol_have_cont:164,krb5_auth_con_getkei:371,krb5_cc_unlock:720,argument:881,multithread:916,krb5_prompt_type_preauth:297,krb5_unparse_name_flag:491,krb5_const_point:482,krb5_425_conv_princip:12,ident:[816,287],ad_type_reserv:784,servic:[189,423,249,734,74,44,705,743,495,475],properti:105,conf:[816,10,125,430,899],krb5_cc_get_full_nam:511,krb5_kt_start_seq_get:40,krb5_principal_unparse_no_realm:213,perform:[27,436],make:354,format:[268,524,566,568,303,109,166,736,319,177,386,191,836,324,44,366],krb5_c_valid_enctyp:875,krb5_princ_set_realm:295,complet:99,krb5_k_reference_kei:104,krb5_get_init_creds_opt_tkt_lif:428,tune:454,krb5_init_creds_set_keytab:414,client:[506,646,160,276,415,201,89,796],thi:[177,127,879],krb5_tc_match_ktyp:590,preauthent:[800,648,82,209,415,854],krb5_is_referral_realm:793,rout:148,update_princ_encrypt:425,protocol:[699,166,646,235],cksumtype_crc32:302,krb5_auth_con_setsendsubkey_k:778,krb5_principal_parse_ignore_realm:842,previous:301,krb5_pac_fre:692,krb5_c_prf:880,krb5_keyusage_iakerb_finish:479,krb5_padata_etype_info2:553,applic:[798,156,74,101,475],krb5_authdata_etype_negoti:469,background:[780,27],krb5_tkt_creds_init:743,krb5_get_init_creds_opt_set_etype_list:55,add_entri:139,daemon:899,specif:[299,652,880,554,744,475,144],krb5_authdata_fx_armor:88,krb5_int32_min:135,threeparamopen:573,krb5_c_keylength:607,kdc_opt_postd:812,write_kt:139,krb5_mk_1cred:524,krb5_keyusage_ad_kdcissued_cksum:118,krb5_principal_compare_flag:513,krb5_nt_srv_inst:490,intern:[889,36],kadm5:[32,224],krb5_keyusage_pa_otp_request:754,enctype_sha1_rsa_cm:563,krb5_keyusage_krb_error_cksum:708,krb5_auth_con_setrecvsubkei:323,krb5_prompt_type_new_password_again:776,krb5_princ_siz:706,krb5_cc_cache_match:89,krb5_typed_data:651,post:168,delete_polici:[71,44],krb5_kt_get_nam:376,appplic:924,canonic:[189,475,281],krb5_c_block_siz:367,krb5_gc_constrained_deleg:432,krb5_tkt_creds_get_cr:864,encod:[405,905,568],wrap:[275,17],precomput:881,support:[824,763,132,916,148,177,496,74,795],krb5_gc_no_transit_check:242,avail:44,cksumtype_cmac_camellia256:181,krb5_pac_init:722,krb5_keyusage_fast_finish:256,kdcpreauth:[816,854],krb5_padata_pkinit_kx:264,krb5_cc_start_seq_get:134,krb5_init_context:866,hostrealm:[816,691],enctype_aes128_cts_hmac_sha256_128:532,autoconf:204,retir:74,krb5_altauth_att_challenge_respons:719,decrypt:[391,763,39,571,572,921,795,673],ad_type_field_type_mask:621,exist:[364,136,707],krb5_cc_get_nam:712,check:[164,793,136,504],encrypt:[452,115,106,844,554,55,172,10,413,875,249,144,183,22,132,366,138,600,824,148,386,92,829],krb5_get_in_tkt_with_skei:380,krb5_free_princip:726,krb5_keyusage_ad_signedpath:420,krb5_free_error:169,test:[436,18,916,587,72,204,360],krb5_c_crypto_length_iov:150,krb5_auth_context_use_subkei:834,krb5_nt_princip:647,krb5_get_default_realm:[309,121],krb5_set_password_using_ccach:894,krb5_pac_sign:769,krb5_c_random_to_kei:299,salt:[800,694,434,431],krb5_k_decrypt:39,pseudo:[379,583,652,348,880,829],krb5_c_fx_cf2_simpl:73,ignor:370,time:[523,122,463,504,765,165,716,744,280,177,856],krb5_kt_next_entri:807,concept:[582,4],chain:148,krb5_get_credenti:30,global:[113,342],krb5_c_string_to_kei:70,krb5_pa_data:639,krb5_gc_canonic:536,ap_opts_reserv:291,decis:495,krb5_init_creds_get:757,krb5_padata_get_from_typed_data:525,sourc:[840,127,859],string:[452,716,560,455,165,676,121,635,883,73,430,70,694,481,593,538,878,265,109,760,600,434,606,785,491,552],krb5_cybersafe_secureid:251,krb5_domain_x500_compress:832,krb5_responder_pkinit_ident:775,administr:[44,429,899,163],iter:688,cooki:566,enctype_aes256_cts_hmac_sha1_96:52,krb5_cc_move:614,sign:[405,769],krb5_keyusage_gss_tok_wrap_integ:868,ktremov:[71,798],port:[628,495],krb5_cc_dup:632,krb5_get_init_creds_opt_set_proxi:710,current:[744,504],krb5_appdefault_str:430,va_list:[815,141,332],deriv:351,gener:[379,299,257,652,506,880,583,4,144,28,399,589,705,348],modif:[238,258],address:[257,539,727,697,879,288,396,558,401,373],krb5_responder_otp_set_answ:835,krb5_tc_openclos:269,krb5_kt_free_entri:330,krb5_padata_otp_request:531,krb5_authdata_win2k_pac:500,commonli:454,modul:[329,32,768,666],krb5_responder_question_password:562,krb5kdc:45,instal:[899,229,454,439,204,796],krb5_copy_authent:509,memori:278,krb5_pwd_data:445,krb5_free_unparsed_nam:560,krb5_get_init_creds_opt_renew_lif:128,krb5_mk_req_extend:1,krb5_cc_close:742,krb5_pac_get_buff:422,krb5_k_verify_checksum:634,ap_opts_use_session_kei:544,prepar:[134,688],uniqu:675,krb5_kt_client_default:201,krb5_keyusage_fast_enc:290,krb5_authent:[509,731,179],topic:96,krb5_kei:[252,872,361,79],krb5_respons:586,contribut:780,krb5_get_error_messag:[399,51],krb5_keyusage_krb_priv_encpart:663,krb5_cc_retrieve_cr:690,krb5_pa_server_referral_data:221,krb5_keyusage_pa_sam_challenge_trackid:15,krb5_is_config_princip:72,map:495,krb5_us_timeofdai:856,usabl:92,date:[177,44],krb5_padata_pk_as_rep:53,data:[49,844,558,292,115,405,299,243,351,411,183,252,889,891,763,631,132,824,375,39,438,275,846,795,673],krb5_unparse_name_ext:481,man:127,krb5_expand_hostnam:189,inform:[816,44,331,27,798],"switch":[899,496],cannot:148,combin:73,krb5_get_init_creds_opt_init:143,krb5_keyusage_ap_req_auth_cksum:762,krb5_auth_con_getrecvsubkei:657,krb5_timestamp:[913,718],krb5_prompt_type_new_password:683,krb5_padata_pw_salt:381,krb5_auth_con_getlocalsubkei:211,polici:[44,638],krb5_responder_get_challeng:243,krb5_rd_safe:825,mail:23,krb5_init_context_profil:741,krb5_cccol_unlock:342,krb5_rcach:811,synopsi:[565,569,25,64,728,71,133,439,486,650,922,425,139,818,693,543,45,520,644,388],krb5_set_kdc_send_hook:626,krb5_tkt_authent:841,initi:[800,802,729,108,765,230,559,55,747,409,17,414,186,75,359,757,821,521,522,419,523,827,648,82,423,831,246,198,373,535,205,710,911,540,845,578,148,749,609,791,317,915,281],krb5_auth_con_get_checksum_func:152,krb5_init_creds_step_flag_continu:345,krb5_padata_fx_error:226,krb5_nt_unknown:817,name:[857,617,454,455,623,675,676,172,511,495,705,17,635,881,475,130,126,189,822,192,712,236,376,431,538,208,343,293],config:[543,752],revers:475,krb5_authdatatyp:300,separ:204,krb5_responder_otp_format_alphanumer:369,get_polici:[71,44],krb5_padata_sam_respons:605,list_princip:[71,44],replai:[460,589,27,546],krb5_nt_srv_hst:261,unlock:[71,720],prompter:523,krb5_c_encrypt_iov:132,year:718,krb5_k_create_kei:252,storag:[411,726],krb5_padata_referr:555,krb5_last_req_entri:505,profil:[924,741,335,666,819],lr_type_interpretation_mask:892,krb5_parse_nam:676,correct:798,krb5_const_princip:487,krb5_cc_resolv:623,krb5_pac_credentials_info:499,"byte":[652,583,880,348,607],synchron:739,refus:148,place:[132,795,763,824],change_password:[71,44],view:[105,486],frequent:[148,182],oper:[824,115,763,603,748,39,132,634,248,844,387,44,652,446,795,311,507,673],directli:182,arrai:[321,603,437,411,248,149,150,558,594,387,736,22,311,727],open:589,size:367,krb5_address:501,given:243,krb5_tkt_creds_fre:63,krb5_auth_context_generate_local_addr:175,conveni:182,read_kt:139,krb5_c_padding_length:655,krb5_keyusage_as_req:197,tkt_flg_enc_pa_rep:7,copi:[231,361,147,630,509,730,112,738,142,510,103,727,891,662],specifi:[857,391,875,414,512,423,288,607,816,401,402,374,346,741,675,89,690],krb5_tkt_creds_context:173,krb5_as_rep:637,krb5_as_req:636,kinit:[644,105],optimist:800,krb5_verify_init_creds_opt_ap_req_nofail:234,seri:244,pre:626,prf:[348,351],enctype_rsa_env:418,krb5_init_creds_init:359,ani:[164,258],krb5_cc_destroi:863,dbdefault:10,krb5_responder_otp_format_decim:665,advic:[101,475],destroi:[425,44,863,105,486],note:388,kdc_opt_renew:[514,316],channel:23,enctype_rsa_es_oaep_env:779,trace:[857,148,374],stashsrvpw:486,buffer:[422,598,149],krb5_lrq_one_last_renew:737,krb5_get_init_creds_opt_set_anonym:729,krb5_encrypt:262,whitepap:717,krb5_auth_con_fre:167,krb5_decode_ticket:191,enctype_unknown:625,krb5_gc_cach:444,krb5_keyusage_enc_challenge_cli:0,destroy_polici:486,krb5_524_convert_cr:347,krb5_get_init_creds_opt:833,addrtype_iso:107,krb5_get_init_creds_opt_alloc:108,onli:645,krb5_c_crypto_length:554,cksumtype_hmac_sha256_128_aes128:877,variou:717,get:[798,618,51,30,293,743,527,250,186,152,75,519,523,424,319,594,376,111,707,845,208,715,493,148,609,829],krb5_crypto_type_stream:480,krb5_kt_dup:294,ssh:475,"import":17,krb5_build_principal_alloc_va:881,requir:[575,439],krb5_authdata_auth_ind:912,krb5_prompt_typ:902,krb5_sname_to_princip:705,krb5_int16_min:202,krb5_cccol_cursor:222,passwd_phrase_el:893,wiki:23,ap_opts_wire_mask:21,krb5_c_decrypt:673,krb5_transit:498,krb5_auth_con_setsendsubkei:485,krb5_responder_otp_challeng:516,krb5_c_random_make_octet:583,between:451,enctype_aes256_cts_hmac_sha384_192:898,krb5_principal_unparse_displai:117,add_polici:[71,44],krb5_free_checksum:350,krb5_keyusage_krb_safe_cksum:684,tutori:717,krb5_finish_random_kei:860,krb5_princ_set_realm_data:232,krb5_c_encrypt_length:183,krb5_cc_default:126,overview:44,featur:[579,454],krb5_kpasswd_accessdeni:282,krb5_k_key_enctyp:872,krb5_tc_match_is_skei:174,skew:[798,504],procedur:74,krb5_c_verify_checksum:446,enctype_arcfour_hmac_exp:296,krb5_kt_cursor:794,interoper:579,krb5_padata_sam_challenge_2:393,krb5_lrq_all_last_tgt_issu:711,krb5_keyusage_tgs_rep_encpart_sesskei:467,krb5_error_cod:777,ktutil:139,modify_polici:[71,44,486],develop:[156,329,17],author:[506,62,375,631,438,275,439,666,867,292,611,889,891,405,929],binari:204,epoch:856,pac:[259,37,422,149,769,722,905,692,598],pad:[655,878,150],document:[177,61,780,127],finish:244,krb5_unparse_name_flags_ext:109,openldap:517,krb5_eblock_enctyp:823,krb5_c_decrypt_iov:795,krb5_string_to_deltat:716,macro:2,krb5_c_enctype_compar:413,without:127,krb5_responder_list_quest:343,execut:439,krb5_gic_opt_pa_data:882,krb5_free_ap_rep_enc_part:886,struct:[653,47],enctype_arcfour_hmac:338,krb5_get_init_creds_opt_set_fast_flag:230,krb5_padata_s4u_x509_us:809,kdc_opt_forward:[724,176],krb5_cc_get_flag:449,read:[918,134,255],get_str:71,enctype_des_cbc_raw:808,krb5_lrq_one_last_tgt:556,server:[798,699,395,227,148,101,74,235,589],krb5_nt_ms_principal_and_id:695,output:[829,878,535],manag:[120,105],krb5_padata_fx_fast:629,krb5_tc_noticket:783,krb5_kpasswd_softerror:153,krb5_free_data_cont:846,krb5_aname_to_localnam:130,krb5_principal_parse_enterpris:471,krb5_pre_send_fn:59,keytab:[798,899,414,303,160,136,101,294,475,624,521],krb5_copy_keyblock_cont:738,refer:[229,849,99,127,859,104],enctype_camellia128_cts_cmac:247,krb5_keyusage_tgs_rep_encpart_subkei:733,krb5_auth_context_ret_tim:671,krb5_keyusage_app_data_encrypt:658,krb5_data:[231,846,195,599],krb5_timestamp_to_sfstr:878,acl:[899,32],krb5_get_credentials_valid:701,aead:[132,795,17,763,824],backup:56,krb5_padata_pk_as_req_old:853,list_mkei:425,krb5_authdata_if_relev:473,your:[798,120],log:[867,10,148],clpreauth:[816,415],krb5_copy_ticket:103,start:[899,40],interfac:[768,62,611,224,819,879,227,638,182,457,816,415,854,702,691,889,929],krb5_encrypt_s:533,addrtype_ddp:489,krb5_auth_con_getaddr:539,krb5_crypto_type_trail:410,krb_ap_req:[365,1,571],krb5_responder_otp_get_challeng:[158,47],krb5_pac_get_typ:149,krb5_enctype_to_str:600,possibl:[643,189,51],"default":[617,208,493,201,160,27,666,822,28,138,309,74,192,126,346,431,417,209,121],krb5_get_init_creds_keytab:845,krb5_sam_use_sad_as_kei:674,krb5_init_creds_step:186,krb5_init_creds_get_tim:765,creat:[506,645,1,859,749,899,741,365,486,148,675,425,252,866,359,722,44,743,439],ad_type_extern:584,gssapi:[17,768,666],krb5_cksumtype_to_str:760,file:[565,478,645,922,64,616,857,650,303,166,752,816,44,101,388,324,10,899,796,644],fill:[603,311,150],osconf:750,krb5_padata_non:289,dbmodul:10,krb5_auth_con_init:749,krb5_cc_default_nam:192,field:[463,539,554,846,885,116,628],valid:[875,248,424,387,512,255],collis:587,krb5_free_keytab_entry_cont:277,krb5_keyusage_cammac:884,salt_type_afs_length:284,krb524_init_et:340,krb5_auth_con_getauthent:876,kdcdefault:10,krb5_tc_match_flags_exact:687,krb5_authdata_and_or:620,krb5_k_prf:652,krb5_get_init_creds_opt_set_expire_callback:911,pkinit:[523,10,506,816,929],directori:[840,204,454],descript:[728,569,565,185,818,693,32,644,25,64,71,133,520,650,425,139,486,439,787,388,45,543,922],enctype_nul:588,unset:[710,729,747,540,281],purge_mkei:425,represent:[560,552],all:879,krb5_get_in_tkt_with_password:225,krb5_allow_weak_crypto:924,krb5_get_in_tkt_with_keytab:661,krb5_init_creds_set_servic:423,krb5_copy_authdata:891,krb5_tc_match_authdata:13,krb5_server_decrypt_ticket_keytab:391,program:[429,454],krb5_tc_match_times_exact:767,krb5_kpasswd_malform:58,util:840,krb5_make_authdata_kdc_issu:405,mechan:[768,666],enctype_des3_cbc_raw:677,ticket:[122,391,191,802,765,37,30,522,44,743,145,105],krb5_cc_next_cr:613,krb5_prompter_fct:756,list:[631,106,579,486,148,881,343,139,401,44,10,891,92,23],adjust:744,getdat:177,enctype_dsa_sha1_cm:327,krb5_auth_con_getrcach:460,krb5_rd_priv:216,zero:[846,849],proxi:276,deleg:17,clock:[798,504],sun:44,section:[816,10,125,430],delet:44,abbrevi:177,version:[566,235],krb5_cccol_cursor_new:688,krb5_auth_con_getrecvsubkey_k:408,full:[511,705],krb5_keyusage_gss_tok_m:187,krb5_verify_init_creds_opt:6,enctype_des_hmac_sha1:85,krb5_authdata_kdc_issu:41,strong:74,modifi:[44,486],valu:[716,527,422,165,125,430,78,158,270],search:401,krb5_cred_enc_part:190,cksumtype_md5_hmac_arcfour:237,krb5_finish_kei:421,krb5_cc_select:395,cksumtype_hmac_sha1_des3:200,krb5_pac_upn_dns_info:895,via:351,deprec:[2,182],krb5_sam_send_encrypted_sad:774,decrement:849,krb5_prepend_error_messag:212,krb5_nt_x500_princip:494,select:[395,249,702],krb5_deltat_to_str:165,two:[413,631,131,396,370,73,266,513],krb5_set_trace_callback:374,krb5_init_random_kei:529,krb5_lrq_all_last_renew:508,krb5_get_init_creds_opt_set_salt:800,krb5_padata_as_checksum:781,krb5_auth_con_setuseruserkei:11,krb5_tkt_creds_get:739,flag:[710,821,747,540,729,635,513,230,920,116,109,267,491,449,281],krb5_copy_error_messag:510,krb5_get_init_creds_opt_set_address_list:373,known:[258,688],cach:[617,238,3,395,623,342,675,113,559,344,511,460,742,827,244,66,720,465,354,519,126,78,578,822,690,894,258,589,134,27,702,324,89,535,712,206,527,147,493,688,164,863,920,496,614,192,613,546,449],krb5_auth_context_permit_al:862,krb5_auth_context:[267,515,116,167],histori:[71,44,74],krb5_c_make_checksum_iov:311,krb5_calculate_checksum:403,archiv:23,get_init_cr:523,krb5_keyusage_as_req_pa_enc_t:686,krb5:[899,645,2,36,543,182,866,816,125,265,741,627,430],ap_opts_use_subkei:46,get_princip:[71,44],prompt:[852,594,747],challeng:243,krb5_get_init_creds_opt_set_fast_ccache_nam:831,krb5_free_cr:670,krb5_get_init_creds_opt_set_forward:540,krb5_get_init_creds_opt_get_fast_flag:821,krb5_cred:[337,746,630,805,670,797],secur:[101,439,566,475,56],anoth:510,krb5_k_verify_checksum_iov:387,reject:148,krb5_k_make_checksum_iov:603,simpl:[127,2],resourc:23,krb5_keyusage_pa_pkinit_kx:315,kdc_opt_disable_transited_check:704,krb5_get_init_creds_opt_canonic:470,krb524_convert_creds_kdc:91,krb5_set_real_tim:463,krb5_k_encrypt_iov:824,stash:[425,44,616],krb5_encode_authdata_contain:275,caus:873,callback:[523,788,911,152,374],sendauth:[699,148,646,235],purgekei:71,krb5_keytab_entri:851,krb5_string_to_kei:612,paramet:[816,606,235],krb5_keyusage_fast_req_chksum:194,krb5_auth_con_getsendsubkey_k:925,alter:617,"return":[92,49,238,258,106,879,288,554,149,367,607,678,192,839,280,655,270,158,121],timestamp:[238,504,785,883,878,258],krb5_get_init_creds_opt_salt:610,krb5_authdata:362,krb5_prompt_type_password:890,krb5_free_authent:179,krb5_fwd_tgt_cred:319,troubleshoot:[717,148],authent:[749,411,439,148,876,322,44],token:[209,17],krb5_keyusage_ad_mt:100,krb5_keyusage_fast_rep:751,krb_error:568,trailer:150,krb5_anonymous_realm:49,krb5_padata_sam_redirect:604,krb5_pointer:60,krb_ap_rep:[386,366,921,572],krb5_princ_nam:910,connect:[257,148],krb5_keyusag:318,krb5_responder_otp_tokeninfo:901,event:[857,374],authdata:889,krb5_anonymous_princstr:14,krb5_get_profil:335,krb5_auth_context_ret_sequ:16,iov:[603,17,248,150,387,311],tkt_flg_proxi:447,krb5_authdata_mandatory_for_kdc:20,kdcpolici:638,krb5_keyblock:[528,90,95,317],advanc:96,krb5_lrq_one_last_req:188,quick:579,krb5_tgs_name_s:801,krb5_principal_data:427,ask:37,krb5_keyusage_gss_tok_wrap_priv:352,asn:191,krb5_get_init_creds_opt_set_in_ccach:559,krb5_string_to_salttyp:434,krb5_free_enctyp:22,lifetim:[522,802],assign:[411,726],localauth:[816,611],exchang:[618,148],number:[379,655,313,86],krb5_mk_ncred:736,krb5_pac_verifi:259,differ:[44,38,141,451],addrtype_chao:790,interact:523,krb5_roundup:443,store:[558,465,78],schema:859,option:[800,802,454,729,108,230,559,55,10,565,747,409,569,71,693,821,578,522,644,523,25,64,648,82,133,831,650,425,373,878,486,535,205,710,816,911,540,439,920,388,791,44,45,543,922,281],krb5_ticket_tim:664,pars:[735,921,571,572],remot:[697,313,628],remov:[798,159,74,66],krb5_merge_authdata:631,krb5_int32_max:574,krb5_padata_encrypted_challeng:440,comput:[183,73,507,748],packag:[127,454],allow_weak_crypto:924,expir:[911,148],"null":538,del_str:71,krb5_auth_context_generate_remote_addr:307,built:916,lib:840,krb5_princ_typ:161,krb5_recvauth_vers:235,also:[728,569,10,565,185,818,693,32,644,25,64,71,133,520,650,816,139,486,425,543,787,388,45,922],build:[538,859,455,26,228,881,127,204],enctype_des_cbc_md5:358,enctype_des_cbc_md4:357,krb5_lrq_all_pw_exptim:789,tkt_flg_pre_auth:314,krb5_auth_context_do_sequ:792,krb5_lrq_one_acct_exptim:619,krb5_lrq_none:561,krb5_auth_context_generate_remote_full_addr:668,most:[454,510],krb5_realm_branch_char:80,krb5_cc_set_default_nam:822,krb5_nt_uid:68,clear:9,krb5_enc_kdc_rep_part:325,clean:204,kswitch:922,enctyp:[299,652,880,249,144,252,872],krb5_unparse_nam:552,msec_dirbit:896,session:[106,11,919,249,371],krb5_copy_checksum:662,find:[438,89],tkt_flg_renew:334,krb5_c_prfplu:348,firewal:798,copyright:464,krb5_lrq_one_last_tgt_issu:672,krb5_cc_cursor:503,ktadd:[71,798],krb5_change_password:364,hit:849,krb5_x:601,krb5_padata_osf_dc:43,krb5_responder_question_otp:[835,435,47],krb5_verify_init_cr:521,hin:750,krb5_init_creds_set_password:419,krb5_auth_con_set_req_cksumtyp:273,krb5_free_authdata:411,kdc_opt_allow_postd:466,common:818,krb5_nt_ent_principal_and_id:850,certif:[722,506,148,929],set:[800,859,802,729,111,168,559,402,626,11,628,778,463,747,920,885,831,575,578,522,419,55,524,116,791,648,697,323,138,485,703,241,230,535,710,894,911,540,273,822,788,332,924,373,546,281],dump:[425,44],krb5_mk_req_checksum_func:378,krb5_get_permitted_enctyp:106,see:[728,569,10,565,185,818,693,32,644,25,64,71,133,520,650,816,139,486,425,543,787,388,45,922],sec:856,close:[742,207],ark:425,ap_opts_mutual_requir:826,krb5_crypto_type_data:656,krb5_keyusage_tgs_req_auth_cksum:696,max_keytab_name_len:110,krb5_set_kdc_recv_hook:168,krb5_copy_cr:630,salt_type_no_length:615,krb5_anonymous_realmstr:887,krb5_cc_support_switch:496,last:[238,258,75],context:[485,510,740,864,313,866,9,343,741,346,460,63,627,873,122,408,11,743,243,749,628,335,371,152,75,359,757,257,765,697,323,876,594,86,246,703,236,657,778,539,273,739,915,439,919,744,788,645,280,925,546],krb5_kt_have_cont:136,load:425,tgt:319,header:[150,324],krb5_principal_compar:266,suppli:[82,1],krb5_os_localaddr:879,backend:859,krb5_cc_get_princip:493,krb5_tkt_creds_step:618,kproplog:569,empti:[722,317],krb5_cc_get_typ:3,krb5_c_init_st:[301,198],add_princip:[71,44],krb5_get_renewed_cr:707,krb5_padata_enc_unix_tim:497,krb5_copy_princip:730,krb5_pac_privsvr_checksum:355,krb5_pac_client_info:669,krb5_mk_priv:268,durat:177,"while":148,krb5_free_cred_cont:805,read_st:139,behavior:[32,475],error:[815,510,148,51,212,907,169,141,332,75,9,241,38,399,818],anonym:[523,506,49,228,729],propag:[28,899,495,44],krb5_magic:492,krb5_timestamp_to_str:883,krb5_recvauth_skip_vers:700,krb5_keyusage_enc_challenge_kdc:19,krb5_mk_rep_dc:386,grant:[743,120],krb5_kvno:847,krb5_cc_set_config:78,krb5_cccol_lock:113,decod:[653,907,191,47],krb5_mk_error:568,krb5_principal_unparse_short:129,krb5_princip:[904,635,481,676,109,552,491],krb5_decode_authdata_contain:292,krb5_int32:549,user:[523,363,766,752,867,852],enctype_aes128_cts_hmac_sha1_96:732,recent:510,kdc_opt_valid:215,entri:[159,244,277,136,303,40,397,715,324,807,613],krb5_free_keyblock_cont:90,pwqual:[816,457],krb5_c_prf_length:829,krb5_kdc_req:34,krb5_kdc_rep:35,addrtype_inet6:157,krb5_get_validated_cr:424,krb5_c_keyed_checksum_typ:92,input:[918,559,351],kdc_opt_enc_tkt_in_skei:203,krb5_auth_context_generate_local_full_addr:772,checksum:[603,273,437,760,587,634,248,593,788,387,507,152,748,678,92,512,311,360,446],krb5_crypto_type_empti:551,kprop:[133,148],cksumtype_rsa_md4_d:770,ad_type_regist:398,msec_val_mask:709,krb5_keyusage_pa_s4u_x509_user_request:550,enctype_camellia256_cts_cmac:406,krb5_vwrap_error_messag:141,resolv:[623,417,201,126],collect:[617,688,643,354,164,344,519],princip:[798,726,560,455,635,395,228,867,735,676,402,12,513,899,730,18,881,72,885,475,130,894,131,423,370,324,266,705,89,431,538,436,493,218,44],api:[451,99,182,127],krb5_get_credentials_renew:308,krb5_get_init_creds_password:609,krb5_pac:54,some:[101,351],back:[517,56],krb5_read_error:169,sampl:[816,10],krb5_c_random_se:926,machin:796,krb5_padata_sesam:304,krb5_principal_compare_utf8:596,prerequisit:[26,859],krb5_auth_con_getsendsubkei:740,valid_int_bit:382,block:367,krb5_referral_realm:[682,793],krb5_keyusage_pa_sam_respons:214,within:[204,504],krb5_padata_ap_req:114,krb5_c_make_random_kei:144,krb5_rd_rep:572,krb5_rd_req:571,tkt_flg_forward:[608,336],krb5_responder_pkinit_flags_token_user_pin_count_low:526,krb5_nt_smtp_name:820,question:[523,243,287,343,835,236],fast:[821,831,578,230],krb5_get_init_creds_opt_set_pac_request:37,krb5_get_init_creds_opt_set_respond:791,includ:37,forward:[540,319],krb5_enc_tkt_part:830,krb5_mk_safe:836,link:717,delta:716,line:[425,486],krb5_crypto_type_sign_onli:476,krb5_responder_pkinit_flags_token_user_pin_final_tri:689,krb5_crypto_type_pad:404,krb5_kt_get_typ:839,addrtype_is_loc:433,krb5_free_address:558,tkt_flg_ok_as_deleg:171,kdcissu:[405,375],krb5_nt_enterprise_princip:339,krb5_get_init_creds_opt_set_change_password_prompt:747,sequenti:[134,40,244],krb5_keyusage_pa_fx_cooki:477,delete_entri:139,krb5_vprepend_error_messag:815,krb5_cred_info:547,lucid:859,krb5_kpasswd_initial_flag_need:240,krb5_padata_etype_info:33,krb5_kt_read_service_kei:734,krb5_free_keyblock:95,kadm5_auth:[816,62],krb5_k_free_kei:849,krb5_context:[138,463,633,142],cksumtype_hmac_sha384_192_aes256:50,pluggabl:889,code:[815,212,51,141,332,241,38],krb5_princ_realm:803,krb5_copy_context:142,krb5_rd_rep_dc:921,send:[740,485,626,925,778],valid_uint_bit:394,krb5_kt_close:207,lndir:204,krb5_build_principal_va:580,write_st:139,krb5_lrq_all_acct_exptim:758,kadm5_hook:[816,224],krb5_tgs_req:77,krb5_tgs_rep:76,krb5_princ_set_realm_length:577,krb5_init_context_secur:384,krb5_padata_fx_cooki:220,compat:249,compar:[413,131,396,370,266,513],fine:454,krb5_keyusage_kdc_rep_ticket:897,access:120,dce:[386,921],enctype_md5_rsa_cm:196,krb5_priv:713,ubuntu:859,cf2:73,sinc:856,convert:[452,606,165,676,172,347,12,70,635,883,130,694,481,593,878,109,760,600,431,434,716,785,218,491,552],cert:148,chang:[364,44,747,120,111],configur:[798,478,645,517,859,436,454,506,819,209,249,666,796,276,72,324,899,78,495,335,527],krb5_padata_afs3_salt:597,krb5_ui_2:814,krb5_ui_4:813,from:[798,159,859,510,864,313,371,734,740,460,743,705,122,408,527,66,335,765,125,252,74,152,75,127,821,690,257,299,422,643,424,246,876,594,925,44,807,267,657,707,430,539,361,715,918,919,280,86,613,449],upgrad:74,next:[807,618,613,186,519],kdc_opt_proxi:[400,848],krb5_padata_use_specified_kvno:184,krb5_decrypt:223,krb5_padata_tgs_req:714,mismatch:475,krb5_ap_req:[260,57],krb5_ap_rep:[640,392],account:[364,436,120],retriev:[3,864,734,740,511,460,872,122,408,243,335,371,125,690,821,313,765,422,246,876,925,44,807,267,657,430,712,539,361,40,919,744,309,856,86,613,449],krb5_kuserok:867,alia:172,use_mkei:425,proof:587,krb5_keyusage_as_rep_encpart:349,process:[825,244,216],lock:[71,113,206,342],tarbal:127,addrtype_addrport:782,krb5_pvno:502,rename_princip:71,krb5_k_key_keyblock:361,krb5_keyusage_tgs_req_auth:786,krb5_set_trace_filenam:857,kdb5_util:425,krb5_find_authdata:438,krb5_init_creds_context:654,krb5_cc_new_uniqu:675,alloc:[108,278,169,265,301],enctype_rc2_cbc_env:903,element:[438,387,248,311,603],issu:27,allow:[924,55,504],krb5_get_init_creds_opt_chg_pwd_prmpt:263,move:614,krb5_cc_set_flag:920,krb5_kt_default_nam:208,krb5_pac_pars:905,krb5_tkt_creds_step_flag_continu:69,krb5_keyusage_pa_sam_challenge_cksum:698,krb5_error:[239,459],krb5_get_host_realm:[293,278],krb5_appdefault_boolean:125,handl:[207,149,250,722,294,905,632,692,598,742],dai:856,auth:[313,740,460,11,628,873,408,86,152,257,371,697,323,876,485,703,657,778,539,273,919,788,925,546],krb5_free_cksumtyp:437,krb5_c_make_checksum:507,krb5_pac_logon_info:541,krb5_timeofdai:744,edit:899,krb5_recvauth_badauthv:871,enctype_des3_cbc_sha:245,variabl:[274,249,454,881],rfc:[348,351],krb5_init_creds_get_cr:246,armor:[578,831],rel:165,krb5_cc_remove_cr:66,krb5_keyusage_ap_rep_encpart:592,krb5_set_error_messag:241,krb5_post_recv_fn:861,unpars:905,releas:[127,342,624],krb5_get_init_creds_opt_set_preauth_list:648,proxiabl:710,krb5_random_kei:914,addrtype_inet:385,length:[455,554,481,607,183,678,150,829],krb5_gc_user_us:591,krb5_princ_compon:441,softwar:26,krb5_responder_fn:923,qualiti:[120,457],kerbero:[798,451,859,579,396,12,293,56,347,512,61,875,495,889,899,364,26,28,582,517,780,916,331,218,44,105],licens:331,system:[28,856,454],messag:[1,510,554,51,111,399,736,9,568,17,571,572,818,38,255,268,524,825,216,365,366,319,836,141,907,241,815,212,386,921,332],termin:538,tkt_flg_transit_policy_check:461,shell:[439,475],view_polici:486,krb5_set_password:402,tkt_flg_hw_auth:870,krb5_auth_con_getlocalseqnumb:86,structur:[108,195,167,509,846,676,116,10,872,463,179,630,886,205,491,481,350,816,138,321,142,109,267,488,662,90,361,36,95,805,670,103,552,449],krb5_rd_error:907,krb5_authdata_osf_dc:557,krb5_keyusage_ad_it:462,krb5_crypto_iov:928,krb5_tc_match_srv_nameonli:874,krb5_responder_otp_flags_separate_pin:484,set_str:71,tabl:[159,391,207,845,208,277,40,397,250,734,715,201,839,807,376,417],tkt_flg_invalid:356,modify_princip:[71,44],krb5_c_string_to_key_with_param:606,mic:17,krb5_principal_parse_require_realm:837,mit:[61,780,451,579,28,331,44],singl:[524,204],krb5_cccol_last_change_tim:258,cipher:[301,873,367,198],krb5_cksumtyp:389,krb5_c_random_add_entropi:379,krb5_cc_switch:354,krb5_responder_question_pkinit:[653,287,119],request:[122,618,739,864,249,186,63],determin:[867,496],delete_princip:[71,44],constrain:17,krb5_trace_callback:137,fact:579,krb5_ap_rep_enc_part:[908,886],krb5_salttype_to_str:694,trivial:566,krb5_keytab:585,ksu:439,locat:[227,666,831],should:182,local:[697,867,86,130,611,628],krb5_verify_init_creds_opt_set_ap_req_nofail:575,krb5_verify_checksum:283,krb5_responder_otp_format_hexadecim:448,krb5_kpasswd_success:602,krb5_rd_cred:255,keysalt:10,krb5_kpasswd_harderror:83,krb5_kpasswd_autherror:285,krb5_ticket:[310,103],organ:840,krb5_xc:745,kadmind:693,contain:[275,343,136,164],krb5_get_init_creds_opt_etype_list:843,legaci:[74,182],krb5_free_tgt_cr:321,krb5_padata_enc_sandia_securid:595,krb5_nt_wellknown:312,domain_realm:816,krb5_principal_compare_casefold:426,enctype_des3_cbc_env:151,state:[301,873,436,198],krb5_use_enctyp:900,addrtype_netbio:407,k5ident:787,kei:[159,391,606,652,919,106,844,734,115,11,70,299,351,303,371,249,250,144,252,74,417,360,849,763,73,748,634,201,839,807,376,603,824,207,845,208,277,39,40,397,607,715,387,44,92,104,673],krbtgt:[44,74],krb5_get_init_creds_opt_forward:838,addit:[606,229,513,30],krb5_padata_otp_challeng:272,plugin:[329,816,666,4],admin:[495,148],instanc:209,enctype_des_cbc_crc:917,krb5_pa_svr_referral_data:305,krb5_cccol_cursor_fre:344,rpc:[386,921],quit:[71,139],krb5_vset_error_messag:332,krb5_keyusage_tgs_req_ad_subkei:81,krb5_padata_sam_response_2:545,krb5_init_creds_fre:915,compon:370,krb5_principal_parse_no_realm:217,krb5_recvauth:699,otp:[10,209],replic:436,krb5_authdata_initial_verified_ca:755,cursor:[624,344],defin:209,krb5_crypto_type_head:649,side:439,site:127,krb5_get_init_creds_opt_anonym:67,krb5_auth_con_getremoteseqnumb:313,addrtype_xn:271,certauth:[816,929],krb5_keyusage_ap_req_auth:368,krb5_lrq_all_last_initi:799,cross:44,member:[337,505,731,6,459,904,427,516,882,305,528,908,639,310,759,190,893,362,586,260,640,901,651,833,320,372,140,29,775,487,841,325,31,34,35,599,664,830,771,928,547,498,445,155,851,221,797,501],krb5_fast_requir:458,slave:[28,495,899],hostnam:[495,189],expans:816,effect:439,krb5_free_data:195,ap_opts_etype_negoti:804,krb5_preauthtyp:468,interpos:768,krb5_padata_svr_referral_info:219,exampl:[523,798,454,543,787,139,185,44,32,45],command:[71,425,363,139,486],krb5_pac_add_buff:598,choos:249,krb5_padata_enc_timestamp:773,krb5_cccol_cursor_next:519,"boolean":125,obtain:[739,26,105],kdc_opt_canonic:298,krb5_authdata_signticket:286,krb5_padata_sam_challeng:567,web:[127,23],krb5_read_password:918,list_polici:[71,44,486],add:[379,899,815,397,212,141,598,38],krb5_clear_error_messag:9,match:[793,18],krb5_copy_keyblock:112,krb5_keyusage_krb_cred_encpart:858,password:[523,894,747,609,364,606,111,70,918,852,402,44,457,120,419],krb5_int16_max:810,lr_type_this_server_onli:146,krb5_address_ord:288,like:28,krb5_auth_con_setport:628,krb5_free_default_realm:121,krb5_padata_pac_request:24,page:[127,23],krb5_responder_otp_flags_collect_token:542,krb5_addrtyp:869,krb5_msgtype:102,krb5_check_clockskew:504,kdb:889,kdc:[506,618,436,899,37,148,424,666,168,28,638,566,854,74,75,10,626,743,495,707,186],"export":17,krb5_k_decrypt_iov:763,librari:[741,645,627,916,866],krb5_get_init_creds_opt_fre:409,krb5_gc_no_stor:453,octet:655,krb5_tc_match_2nd_tkt:328,sequenc:[313,86],krb5_get_time_offset:280,krb5_c_valid_cksumtyp:512,pepper:73,krb5_string_to_timestamp:785,krb5_get_prompt_typ:594,usag:74,host:[899,879,148,666,293,101,56,691],offset:[744,280,463],krb5_lrq_all_last_tgt:442,krb5_padata_pk_as_rep_old:333,krb5_int16:154,about:[44,101],rare:182,socket:257,http:276,kdc_opt_request_anonym:472,krb5_string_to_enctyp:452,krb5_crypto_type_checksum:254,krb:[268,524,825,319,736,73,836,216,907,255],krb5_auth_con_getremotesubkei:180,capath:816,krb5_authdata_sesam:642,merg:631,krb5_get_init_creds_opt_address_list:679,"function":[235,699,168,791,265,374,626,829,646],krb5_lrq_all_last_req:390,unwrap:[292,375],krb5_kt_default:417,tkt_flg_anonym:8,count:[849,104,455],whether:[18,916,587,72,496,575,360],krb5_c_verify_checksum_iov:248,krb5_free_error_messag:399,krb5_c_free_stat:301,krb5_enctyp:534,krb5_cc_initi:827,krb5_responder_otp_challenge_fre:158,krb5_get_init_creds_opt_set_out_ccach:535,pin:523,dure:148,krb5_kt_add_entri:397,kpropd:64,krb5_free_context:627,other:209,krb5_responder_pkinit_challenge_fre:270,krb5_ccach:341,krb5_lrq_one_last_initi:170,krb5_octet:927,kdb5_ldap_util:486,appdefault:[816,125,430],krb5_responder_pkinit_set_answ:287,k5srvutil:728,krb5_principal2salt:431}})
\ No newline at end of file
diff --git a/doc/html/user/index.html b/doc/html/user/index.html
index 6e28dc4840d5..9f3731a10d39 100644
--- a/doc/html/user/index.html
+++ b/doc/html/user/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="next" title="Password management" href="pwd_mgmt.html" />
-    <link rel="prev" title="MIT Kerberos Documentation (1.15.1)" href="../index.html" /> 
+    <link rel="prev" title="MIT Kerberos Documentation (1.16)" href="../index.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -41,7 +41,7 @@
                 
         <a href="../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="../index.html" title="MIT Kerberos Documentation (1.15.1)"
+        <a href="../index.html" title="MIT Kerberos Documentation (1.16)"
             accesskey="P">previous</a> |
         <a href="pwd_mgmt.html" title="Password management"
             accesskey="N">next</a> |
@@ -149,14 +149,14 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="../index.html" title="MIT Kerberos Documentation (1.15.1)"
+        <a href="../index.html" title="MIT Kerberos Documentation (1.16)"
             >previous</a> |
         <a href="pwd_mgmt.html" title="Password management"
             >next</a> |
diff --git a/doc/html/user/pwd_mgmt.html b/doc/html/user/pwd_mgmt.html
index 5da8eed16a15..5eb6d0942c1b 100644
--- a/doc/html/user/pwd_mgmt.html
+++ b/doc/html/user/pwd_mgmt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -215,7 +215,7 @@ type the root password over the network.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/tkt_mgmt.html b/doc/html/user/tkt_mgmt.html
index e53d41cd43db..b9edfb4905ea 100644
--- a/doc/html/user/tkt_mgmt.html
+++ b/doc/html/user/tkt_mgmt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -435,7 +435,7 @@ shell%
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/index.html b/doc/html/user/user_commands/index.html
index fa23226e0770..2c363b631787 100644
--- a/doc/html/user/user_commands/index.html
+++ b/doc/html/user/user_commands/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -140,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/kdestroy.html b/doc/html/user/user_commands/kdestroy.html
index beb7ca0c3e7a..c38e9d7685dd 100644
--- a/doc/html/user/user_commands/kdestroy.html
+++ b/doc/html/user/user_commands/kdestroy.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -199,7 +199,7 @@ to be present in the collection.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/kinit.html b/doc/html/user/user_commands/kinit.html
index 0b877cc2763e..e1dad27e9c59 100644
--- a/doc/html/user/user_commands/kinit.html
+++ b/doc/html/user/user_commands/kinit.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -330,7 +330,7 @@ in the collection.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/klist.html b/doc/html/user/user_commands/klist.html
index 631af750ace8..0dfb589d1cc6 100644
--- a/doc/html/user/user_commands/klist.html
+++ b/doc/html/user/user_commands/klist.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -244,7 +244,7 @@ to be present in the collection.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/kpasswd.html b/doc/html/user/user_commands/kpasswd.html
index 41e453f6f520..824cae0dac3b 100644
--- a/doc/html/user/user_commands/kpasswd.html
+++ b/doc/html/user/user_commands/kpasswd.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -162,7 +162,7 @@ identity of the user invoking the kpasswd command.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/krb5-config.html b/doc/html/user/user_commands/krb5-config.html
index e25f22e8ad18..6a8b44c4dfc3 100644
--- a/doc/html/user/user_commands/krb5-config.html
+++ b/doc/html/user/user_commands/krb5-config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -214,7 +214,7 @@ the following output:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/ksu.html b/doc/html/user/user_commands/ksu.html
index 894576304b8d..fe58258b985d 100644
--- a/doc/html/user/user_commands/ksu.html
+++ b/doc/html/user/user_commands/ksu.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -483,7 +483,7 @@ file must be in an appropriate location.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/kswitch.html b/doc/html/user/user_commands/kswitch.html
index 49187fdeb6b1..c141ef3eb6c3 100644
--- a/doc/html/user/user_commands/kswitch.html
+++ b/doc/html/user/user_commands/kswitch.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -180,7 +180,7 @@ to be present in the collection.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/kvno.html b/doc/html/user/user_commands/kvno.html
index e5588d3cc7ca..99f37f9ff0cd 100644
--- a/doc/html/user/user_commands/kvno.html
+++ b/doc/html/user/user_commands/kvno.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -205,7 +205,7 @@ credentials cache client principal.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_commands/sclient.html b/doc/html/user/user_commands/sclient.html
index ab04fc54be4a..141ff0aaef1d 100644
--- a/doc/html/user/user_commands/sclient.html
+++ b/doc/html/user/user_commands/sclient.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -147,7 +147,7 @@ the server&#8217;s response.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_config/index.html b/doc/html/user/user_config/index.html
index d075b2f61fa7..2d3bdd742bbc 100644
--- a/doc/html/user/user_config/index.html
+++ b/doc/html/user/user_config/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -129,7 +129,7 @@ been disabled by your host&#8217;s configuration):</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_config/k5identity.html b/doc/html/user/user_config/k5identity.html
index 914154b510d3..d1155590d7bc 100644
--- a/doc/html/user/user_config/k5identity.html
+++ b/doc/html/user/user_config/k5identity.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -178,7 +178,7 @@ alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/user/user_config/k5login.html b/doc/html/user/user_config/k5login.html
index 4f75af623724..f46db5c5f513 100644
--- a/doc/html/user/user_config/k5login.html
+++ b/doc/html/user/user_config/k5login.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -169,7 +169,7 @@ password.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index b4e4b8b9b780..9df7e34d65be 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -19,8 +19,8 @@ Quick facts
 License - :ref:`mitK5license`
 
 Releases:
-    - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/
-    - Supported: http://web.mit.edu/kerberos/krb5-1.14/
+    - Latest stable: http://web.mit.edu/kerberos/krb5-1.16/
+    - Supported: http://web.mit.edu/kerberos/krb5-1.15/
     - Release cycle: 9 -- 12 months
 
 Supported platforms \/ OS distributions:
@@ -162,7 +162,7 @@ Release 1.13
  -   Add client support for the Kerberos Cache Manager protocol. If
      the host is running a Heimdal kcm daemon, caches served by the
      daemon can be accessed with the KCM: cache type.
- -   When built on OS X 10.7 and higher, use "KCM:" as the default
+ -   When built on macOS 10.7 and higher, use "KCM:" as the default
      cachetype, unless overridden by command-line options or
      krb5-config values.
  -   Add support for doing unlocked database dumps for the DB2 KDC
@@ -309,6 +309,95 @@ Release 1.15
   - Add support for the AES-SHA2 enctypes, which allows sites to
     conform to Suite B crypto requirements.
 
+Release 1.16
+
+* Administrator experience:
+
+  - The KDC can match PKINIT client certificates against the
+    "pkinit_cert_match" string attribute on the client principal
+    entry, using the same syntax as the existing "pkinit_cert_match"
+    profile option.
+
+  - The ktutil addent command supports the "-k 0" option to ignore the
+    key version, and the "-s" option to use a non-default salt string.
+
+  - kpropd supports a --pid-file option to write a pid file at
+    startup, when it is run in standalone mode.
+
+  - The "encrypted_challenge_indicator" realm option can be used to
+    attach an authentication indicator to tickets obtained using FAST
+    encrypted challenge pre-authentication.
+
+  - Localization support can be disabled at build time with the
+    --disable-nls configure option.
+
+* Developer experience:
+
+  - The kdcpolicy pluggable interface allows modules control whether
+    tickets are issued by the KDC.
+
+  - The kadm5_auth pluggable interface allows modules to control
+    whether kadmind grants access to a kadmin request.
+
+  - The certauth pluggable interface allows modules to control which
+    PKINIT client certificates can authenticate to which client
+    principals.
+
+  - KDB modules can use the client and KDC interface IP addresses to
+    determine whether to allow an AS request.
+
+  - GSS applications can query the bit strength of a krb5 GSS context
+    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+    gss_inquire_sec_context_by_oid().
+
+  - GSS applications can query the impersonator name of a krb5 GSS
+    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+    gss_inquire_cred_by_oid().
+
+  - kdcpreauth modules can query the KDC for the canonicalized
+    requested client principal name, or match a principal name against
+    the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+  - The client library will continue to try pre-authentication
+    mechanisms after most failure conditions.
+
+  - The KDC will issue trivially renewable tickets (where the
+    renewable lifetime is equal to or less than the ticket lifetime)
+    if requested by the client, to be friendlier to scripts.
+
+  - The client library will use a random nonce for TGS requests
+    instead of the current system time.
+
+  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+    (previously only UCS-2 was supported).
+
+  - When matching PKINIT client certificates, UPN SANs will be matched
+    correctly as UPNs, with canonicalization.
+
+* User experience:
+
+  - Dates after the year 2038 are accepted (provided that the platform
+    time facilities support them), through the year 2106.
+
+  - Automatic credential cache selection based on the client realm
+    will take into account the fallback realm and the service
+    hostname.
+
+  - Referral and alternate cross-realm TGTs will not be cached,
+    avoiding some scenarios where they can be added to the credential
+    cache multiple times.
+
+  - A German translation has been added.
+
+* Code quality:
+
+  - The build is warning-clean under clang with the configured warning
+    options.
+
+  - The automated test suite runs cleanly under AddressSanitizer.
+
 `Pre-authentication mechanisms`
 
 - PW-SALT                                         :rfc:`4120#section-5.2.7.3`
diff --git a/doc/notice.rst b/doc/notice.rst
index e8cb4b439f41..26011550be55 100644
--- a/doc/notice.rst
+++ b/doc/notice.rst
@@ -561,7 +561,7 @@ Marked test programs in src/lib/krb5/krb have the following copyright:
 
 -------------------
 
-The KCM Mach RPC definition file used on OS X has the following copyright:
+The KCM Mach RPC definition file used on macOS has the following copyright:
 
     | Copyright |copy| 2009 Kungliga Tekniska Högskola
     | (Royal Institute of Technology, Stockholm, Sweden).
diff --git a/doc/pdf/admin.pdf b/doc/pdf/admin.pdf
index 5e55aece3f2b..7811bec8d037 100644
Binary files a/doc/pdf/admin.pdf and b/doc/pdf/admin.pdf differ
diff --git a/doc/pdf/admin.tex b/doc/pdf/admin.tex
index 1cf190826169..62ce0e0358b8 100644
--- a/doc/pdf/admin.tex
+++ b/doc/pdf/admin.tex
@@ -15,7 +15,7 @@
 
 \title{Kerberos Administration Guide}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
@@ -939,9 +939,10 @@ includedir DIRNAME
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ''.conf'' are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ''.conf'' are also included, unless the
+name begins with ''.''.  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -1075,7 +1076,7 @@ the client should request when making a TGS-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
 commas or whitespace.  See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in
 {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the accepted values for this tag.
-The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types
+The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types
 will be implicitly removed from this list if the value of
 \textbf{allow\_weak\_crypto} is false.
 
@@ -1089,7 +1090,7 @@ Identifies the supported list of session key encryption types that
 the client should request when making an AS-REQ, in order of
 preference from highest to lowest.  The format is the same as for
 default\_tgs\_enctypes.  The default value for this tag is
-\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly
+\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly
 removed from this list if the value of \textbf{allow\_weak\_crypto} is
 false.
 
@@ -1171,7 +1172,7 @@ For security reasons, .k5login files must be owned by
 the local user or by root.
 
 \item[{\textbf{kcm\_mach\_service}}] \leavevmode
-On OS X only, determines the name of the bootstrap service used to
+On macOS only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is \code{-}, Mach RPC will not be used to contact the KCM
 daemon.  The default value is \code{org.h5l.kcm}.
@@ -1263,7 +1264,7 @@ used across NATs.  The default value is true.
 \item[{\textbf{permitted\_enctypes}}] \leavevmode
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
-\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly
+\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly
 removed from this list if the value of \textbf{allow\_weak\_crypto} is
 false.
 
@@ -1699,6 +1700,10 @@ client principal
 Uses the service realm to guess an appropriate cache from the
 collection
 
+\item[{\textbf{hostname}}] \leavevmode
+If the service principal is host-based, uses the service hostname
+to guess an appropriate cache from the collection
+
 \end{description}
 
 
@@ -1731,6 +1736,26 @@ principal creation, modification, password changes and deletion.  This
 interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
+
+
+\subparagraph{kadm5\_auth interface}
+\label{admin/conf_files/krb5_conf:kadm5-auth-interface}\label{admin/conf_files/krb5_conf:kadm5-auth}
+The kadm5\_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+\begin{description}
+\item[{\textbf{acl}}] \leavevmode
+This module reads the {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} file, and authorizes
+operations which are allowed according to the rules in the file.
+
+\item[{\textbf{self}}] \leavevmode
+This module authorizes self-service operations including password
+changes, creation of new random keys, fetching the client's
+principal record or string attributes, and fetching the policy
+record associated with the client principal.
+
+\end{description}
 \phantomsection\label{admin/conf_files/krb5_conf:clpreauth}
 
 \subparagraph{clpreauth and kdcpreauth interfaces}
@@ -1812,6 +1837,32 @@ principal name maps to the local account name.
 \end{description}
 
 
+\subparagraph{certauth interface}
+\label{admin/conf_files/krb5_conf:certauth}\label{admin/conf_files/krb5_conf:certauth-interface}
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:
+\begin{description}
+\item[{\textbf{pkinit\_san}}] \leavevmode
+This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if \textbf{pkinit\_allow\_upn}
+is set to true for the realm.
+
+\item[{\textbf{pkinit\_eku}}] \leavevmode
+This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+\textbf{pkinit\_eku\_checking} value for the realm.
+
+\item[{\textbf{dbmatch}}] \leavevmode
+This module authorizes or rejects the certificate according to
+whether it matches the \textbf{pkinit\_cert\_match} string attribute on
+the client principal, if that attribute is present.
+
+\end{description}
+
+
 \subsubsection{PKINIT options}
 \label{admin/conf_files/krb5_conf:pkinit-options}
 \begin{notice}{note}{Note:}
@@ -2345,9 +2396,10 @@ The following tags may be specified in a {[}realms{]} subsection:
 \item[{\textbf{acl\_file}}] \leavevmode
 (String.)  Location of the access control list file that
 {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} uses to determine which principals are allowed
-which permissions on the Kerberos database.  The default value is
-{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}.  For more information on Kerberos ACL
-file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}.
+which permissions on the Kerberos database.  To operate without an
+ACL file, set this relation to the empty string with \code{acl\_file =
+""}.  The default value is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}.  For more
+information on Kerberos ACL file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}.
 
 \item[{\textbf{database\_module}}] \leavevmode
 (String.)  This relation indicates the name of the configuration
@@ -2459,6 +2511,11 @@ per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.
 
+\item[{\textbf{encrypted\_challenge\_indicator}}] \leavevmode
+(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre-authentication.  New in 1.16.
+
 \item[{\textbf{host\_based\_services}}] \leavevmode
 (Whitespace- or comma-separated list.)  Lists services which will
 get host-based referral processing even if the server principal is
@@ -3073,9 +3130,6 @@ Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)
 
-\item[{\textbf{pkinit\_kdc\_ocsp}}] \leavevmode
-Specifies the location of the KDC's OCSP.
-
 \item[{\textbf{pkinit\_pool}}] \leavevmode
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client's
@@ -3203,7 +3257,7 @@ The triple DES family: des3-cbc-sha1
 \hline
 aes
  & 
-The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 \\
 \hline
 rc4
@@ -3523,16 +3577,17 @@ joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       \PYGZsh{} line 3
 sms@ATHENA.MIT.EDU        x   * \PYGZhy{}maxlife 9h \PYGZhy{}postdateable \PYGZsh{} line 6
 \end{Verbatim}
 
-(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with
-an \code{admin} instance has all administrative privileges.
+(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with an
+\code{admin} instance has all administrative privileges except extracting
+keys.
 
-(lines 1-3) The user \code{joeadmin} has all permissions with his
-\code{admin} instance, \code{joeadmin/admin@ATHENA.MIT.EDU} (matches line
-1).  He has no permissions at all with his null instance,
-\code{joeadmin@ATHENA.MIT.EDU} (matches line 2).  His \code{root} and other
-non-\code{admin}, non-null instances (e.g., \code{extra} or \code{dbadmin}) have
-inquire permissions with any principal that has the instance \code{root}
-(matches line 3).
+(lines 1-3) The user \code{joeadmin} has all permissions except
+extracting keys with his \code{admin} instance,
+\code{joeadmin/admin@ATHENA.MIT.EDU} (matches line 1).  He has no
+permissions at all with his null instance, \code{joeadmin@ATHENA.MIT.EDU}
+(matches line 2).  His \code{root} and other non-\code{admin}, non-null
+instances (e.g., \code{extra} or \code{dbadmin}) have inquire permissions
+with any principal that has the instance \code{root} (matches line 3).
 
 (line 4) Any \code{root} principal in \code{ATHENA.MIT.EDU} can inquire
 or change the password of their null instance, but not any other
@@ -3546,9 +3601,22 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-\code{sms@ATHENA.MIT.EDU} has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+\code{sms@ATHENA.MIT.EDU} has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+
+\subsubsection{MODULE BEHAVIOR}
+\label{admin/conf_files/kadm5_acl:module-behavior}
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the {\hyperref[admin/conf_files/krb5_conf:kadm5-auth]{\emph{kadm5\_auth interface}}} section of
+{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the \emph{acl\_file} variable in
+{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} to the empty string with \code{acl\_file = ""}.
 
 
 \subsubsection{SEE ALSO}
@@ -3787,7 +3855,7 @@ convey more information about a realm's KDCs with a single query.
 The client performs a query for the following URI records:
 \begin{itemize}
 \item {} 
-\code{\_kerberos.REALM} for fiding KDCs.
+\code{\_kerberos.REALM} for finding KDCs.
 
 \item {} 
 \code{\_kerberos-adm.REALM} for finding kadmin services.
@@ -7002,6 +7070,29 @@ time as follows:
 kadmin \PYGZhy{}q \PYGZsq{}add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME\PYGZsq{}
 \end{Verbatim}
 
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+\textbf{pkinit\_cert\_match} string attribute on each client principal entry.
+For example:
+
+\begin{Verbatim}[commandchars=\\\{\}]
+kadmin set\PYGZus{}string user@REALM pkinit\PYGZus{}cert\PYGZus{}match \PYGZdq{}\PYGZlt{}SUBJECT\PYGZgt{}CN=user@REALM\PYGZdl{}\PYGZdq{}
+\end{Verbatim}
+
+The \textbf{pkinit\_cert\_match} string attribute follows the syntax used by
+the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} \textbf{pkinit\_cert\_match} relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the \textbf{pkinit\_eku\_checking} relation;
+for example:
+
+\begin{Verbatim}[commandchars=\\\{\}]
+[kdcdefaults]
+    pkinit\PYGZus{}eku\PYGZus{}checking = none
+\end{Verbatim}
+
 
 \section{Configuring the clients}
 \label{admin/pkinit:configuring-the-clients}
@@ -8328,6 +8419,13 @@ Enables One Time Passwords (OTP) preauthentication for a client
 \emph{principal}.  The \emph{value} is a JSON string representing an array
 of objects, each having optional \code{type} and \code{username} fields.
 
+\item[{\textbf{pkinit\_cert\_match}}] \leavevmode
+Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the \textbf{pkinit\_cert\_match}
+option in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}.  (New in release 1.16.)
+
 \end{description}
 
 This command requires the \textbf{modify} privilege.
@@ -9992,6 +10090,7 @@ Specifies the location of the keytab file.
 {[}\textbf{-F} \emph{principal\_database}{]}
 {[}\textbf{-p} \emph{kdb5\_util\_prog}{]}
 {[}\textbf{-P} \emph{port}{]}
+{[}\textbf{--pid-file}=\emph{pid\_file}{]}
 {[}\textbf{-d}{]}
 {[}\textbf{-t}{]}
 
@@ -10081,6 +10180,10 @@ is only useful in combination with the \textbf{-S} option.
 Allows the user to specify the path to the kpropd.acl file; by
 default the path used is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl}.
 
+\item[{\textbf{--pid-file}=\emph{pid\_file}}] \leavevmode
+In standalone mode, write the process ID of the daemon into
+\emph{pid\_file}.
+
 \end{description}
 
 
@@ -10299,7 +10402,7 @@ Alias: \textbf{delent}
 \label{admin/admin_commands/ktutil:add-entry}\begin{quote}
 
 \textbf{add\_entry} \{\textbf{-key}\textbar{}\textbf{-password}\} \textbf{-p} \emph{principal}
-\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype}
+\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype} {[}\textbf{-s} \emph{salt}{]}
 \end{quote}
 
 Add \emph{principal} to keylist using key or password.
@@ -10623,7 +10726,7 @@ Default {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{keysalt list}}
 \hline
 Permitted enctypes
  & 
-\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}
+\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}
  & \\
 \hline
 KDC default port
diff --git a/doc/pdf/appdev.pdf b/doc/pdf/appdev.pdf
index 58b6eab4334c..75ddae5f75e7 100644
Binary files a/doc/pdf/appdev.pdf and b/doc/pdf/appdev.pdf differ
diff --git a/doc/pdf/appdev.tex b/doc/pdf/appdev.tex
index 947b8106d84e..9d49457ffce0 100644
--- a/doc/pdf/appdev.tex
+++ b/doc/pdf/appdev.tex
@@ -15,7 +15,7 @@
 
 \title{Kerberos Application Developer Guide}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
@@ -443,6 +443,27 @@ issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.
 
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the \textbf{GSS\_KRB5\_GET\_CRED\_IMPERSONATOR} OID
+(new in release 1.16, declared in \code{\textless{}gssapi/gssapi\_krb5.h\textgreater{}}) using
+the gss\_inquire\_cred\_by\_oid extension (declared in
+\code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}):
+
+\begin{Verbatim}[commandchars=\\\{\}]
+OM\PYGZus{}uint32 gss\PYGZus{}inquire\PYGZus{}cred\PYGZus{}by\PYGZus{}oid(OM\PYGZus{}uint32 *minor\PYGZus{}status,
+                                  const gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t cred\PYGZus{}handle,
+                                  gss\PYGZus{}OID desired\PYGZus{}object,
+                                  gss\PYGZus{}buffer\PYGZus{}set\PYGZus{}t *data\PYGZus{}set);
+\end{Verbatim}
+
+If the call succeeds and \emph{cred\_handle} is a proxy credential,
+\emph{data\_set} will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If \emph{cred\_handle}
+is not a proxy credential, \emph{data\_set} will be set to an empty buffer
+set.  If the library does not support the query,
+gss\_inquire\_cred\_by\_oid will return \textbf{GSS\_S\_UNAVAILABLE}.
+
 
 \section{AEAD message wrapping}
 \label{appdev/gssapi:aead-message-wrapping}
@@ -763,6 +784,37 @@ if (GSS\PYGZus{}ERROR(major))
 \end{Verbatim}
 
 
+\chapter{Year 2038 considerations for uses of krb5\_timestamp}
+\label{appdev/y2038::doc}\label{appdev/y2038:year-2038-considerations-for-uses-of-krb5-timestamp}
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{\code{krb5\_timestamp}}} type.  For historical reasons, krb5\_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5\_timestamp
+values to uint32\_t, and then to time\_t:
+
+\begin{Verbatim}[commandchars=\\\{\}]
+(time\PYGZus{}t)(uint32\PYGZus{}t)timestamp
+\end{Verbatim}
+
+Used in this way, krb5\_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time\_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5\_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
+
+
 \chapter{Differences between Heimdal and MIT Kerberos API}
 \label{appdev/h5l_mit_apidiff:differences-between-heimdal-and-mit-kerberos-api}\label{appdev/h5l_mit_apidiff::doc}
 \begin{tabulary}{\linewidth}{|l|l|}
@@ -1832,7 +1884,7 @@ This function frees a \emph{context} that was created by {\hyperref[appdev/refs/
 \label{appdev/refs/api/krb5_fwd_tgt_creds:krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message}\label{appdev/refs/api/krb5_fwd_tgt_creds::doc}\index{krb5\_fwd\_tgt\_creds (C function)}
 
 \begin{fulllineitems}
-\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{}
+\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{}
 \end{fulllineitems}
 
 \begin{quote}\begin{description}
@@ -7274,6 +7326,10 @@ Create a context structure, optionally using a specified profile and initializat
 \textbf{{[}in{]}} \textbf{ctx} - Initial credentials context
 
 \end{description}\end{quote}
+\begin{quote}
+
+\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context.
+\end{quote}
 
 
 \subsubsection{krb5\_init\_creds\_get -  Acquire credentials using an initial credentials context.}
@@ -7300,6 +7356,10 @@ Create a context structure, optionally using a specified profile and initializat
 \end{description}\end{quote}
 
 This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds]{\code{krb5\_init\_creds\_get\_creds()}}} .
+\begin{quote}
+
+\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context.
+\end{quote}
 
 
 \subsubsection{krb5\_init\_creds\_get\_creds -  Retrieve acquired credentials from an initial credentials context.}
@@ -7419,6 +7479,8 @@ The initial credentials context must have completed obtaining credentials via ei
 
 This function creates a new context for acquiring initial credentials. Use {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} to free \emph{ctx} when it is no longer needed.
 
+Any subsequent calls to {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} , {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} , or {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} for this initial credentials context must use the same \emph{context} argument as the one passed to this function.
+
 
 \subsubsection{krb5\_init\_creds\_set\_keytab -  Specify a keytab to use for acquiring initial credentials.}
 \label{appdev/refs/api/krb5_init_creds_set_keytab:krb5-init-creds-set-keytab-specify-a-keytab-to-use-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_keytab::doc}\index{krb5\_init\_creds\_set\_keytab (C function)}
@@ -7501,7 +7563,7 @@ This function supplies a password to be used to construct the client key for an
 
 \end{description}\end{quote}
 
-This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored.
+Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored.
 
 
 \subsubsection{krb5\_init\_creds\_step -  Get the next KDC request for acquiring initial credentials.}
@@ -7540,6 +7602,10 @@ This function constructs the next KDC request in an initial credential exchange,
 If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty.
 
 If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed.
+\begin{quote}
+
+\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context.
+\end{quote}
 
 
 \subsubsection{krb5\_init\_keyblock -  Initialize an empty krb5\_keyblock .}
@@ -8194,7 +8260,7 @@ Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents
 \label{appdev/refs/api/krb5_mk_req:krb5-mk-req-create-a-krb-ap-req-message}\label{appdev/refs/api/krb5_mk_req::doc}\index{krb5\_mk\_req (C function)}
 
 \begin{fulllineitems}
-\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, char *\emph{ service}, char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{}
+\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, const char *\emph{ service}, const char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{}
 \end{fulllineitems}
 
 \begin{quote}\begin{description}
@@ -8616,7 +8682,7 @@ This function validates \emph{pac} against the supplied \emph{server} , \emph{pr
 If successful, \emph{pac} is marked as verified.
 
 \begin{notice}{note}{Note:}
-A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
+A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
 \end{notice}
 
 
@@ -11882,8 +11948,8 @@ DEPRECATED Replaced by krb5\_auth\_con\_getsendsubkey() .
 DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() .
 
 
-\subsubsection{krb5\_auth\_con\_initivector}
-\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector}\label{appdev/refs/api/krb5_auth_con_initivector::doc}\index{krb5\_auth\_con\_initivector (C function)}
+\subsubsection{krb5\_auth\_con\_initivector -  Cause an auth context to use cipher state.}
+\label{appdev/refs/api/krb5_auth_con_initivector::doc}\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state}\index{krb5\_auth\_con\_initivector (C function)}
 
 \begin{fulllineitems}
 \phantomsection\label{appdev/refs/api/krb5_auth_con_initivector:c.krb5_auth_con_initivector}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_initivector}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{}
@@ -11891,15 +11957,21 @@ DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() .
 
 \begin{quote}\begin{description}
 \item[{param}] \leavevmode
-\textbf{context}
+\textbf{{[}in{]}} \textbf{context} - Library context
 
-\textbf{auth\_context}
+\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context
 
 \end{description}\end{quote}
+\begin{quote}\begin{description}
+\item[{retval}] \leavevmode\begin{itemize}
+\item {} 
+0   Success; otherwise - Kerberos error codes
 
-DEPRECATED Not replaced.
+\end{itemize}
 
-RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API.
+\end{description}\end{quote}
+
+Prepare \emph{auth\_context} to use cipher state when {\hyperref[appdev/refs/api/krb5_mk_priv:c.krb5_mk_priv]{\code{krb5\_mk\_priv()}}} or {\hyperref[appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv]{\code{krb5\_rd\_priv()}}} encrypt or decrypt data.
 
 
 \subsubsection{krb5\_build\_principal\_va}
@@ -15186,6 +15258,10 @@ Latest time at which renewal of ticket can be valid.
 \end{fulllineitems}
 
 
+Represents a timestamp in seconds since the POSIX epoch.
+
+This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32\_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time\_t.
+
 
 \paragraph{Declaration}
 \label{appdev/refs/types/krb5_timestamp:declaration}
diff --git a/doc/pdf/basic.pdf b/doc/pdf/basic.pdf
index 65aa43c9fe4f..c2128707986c 100644
Binary files a/doc/pdf/basic.pdf and b/doc/pdf/basic.pdf differ
diff --git a/doc/pdf/basic.tex b/doc/pdf/basic.tex
index d13762e98d6d..aaffd29f368f 100644
--- a/doc/pdf/basic.tex
+++ b/doc/pdf/basic.tex
@@ -15,7 +15,7 @@
 
 \title{Kerberos Concepts}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
@@ -188,7 +188,7 @@ where \emph{uid} is the effective user ID of the running process.
 
 KCM client support is new in release 1.13.  A KCM daemon has not
 yet been implemented in MIT krb5, but the client will interoperate
-with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
 provides a KCM daemon as part of the operating system, and the
 \textbf{KCM} cache type is used as the default cache on that platform in
 a default build.
diff --git a/doc/pdf/build.pdf b/doc/pdf/build.pdf
index 4313a70dca43..beb6800c4d51 100644
Binary files a/doc/pdf/build.pdf and b/doc/pdf/build.pdf differ
diff --git a/doc/pdf/build.tex b/doc/pdf/build.tex
index 43c9d606edb1..a7036e38b711 100644
--- a/doc/pdf/build.tex
+++ b/doc/pdf/build.tex
@@ -15,7 +15,7 @@
 
 \title{Building MIT Kerberos}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
@@ -888,10 +888,6 @@ Use specified PRNG algorithm.  For example, to use the OS native
 prng specify \code{-{-}with-prng-alg=os}.  The default is \code{fortuna}.
 (See \emph{mitK5features})
 
-\item[{\textbf{-}\textbf{-with-pkinit-crypto-impl=}\emph{IMPL}}] \leavevmode
-Use the specified pkinit crypto implementation \emph{IMPL}.
-Defaults to using OpenSSL.
-
 \item[{\textbf{-}\textbf{-without-libedit}}] \leavevmode
 Do not compile and link against libedit.  Some utilities will no
 longer offer command history or completion in interactive mode if
diff --git a/doc/pdf/plugindev.pdf b/doc/pdf/plugindev.pdf
index 12756fcca9b4..8ade8c1052cf 100644
Binary files a/doc/pdf/plugindev.pdf and b/doc/pdf/plugindev.pdf differ
diff --git a/doc/pdf/plugindev.tex b/doc/pdf/plugindev.tex
index 4e3b805923ac..474b00c80cbf 100644
--- a/doc/pdf/plugindev.tex
+++ b/doc/pdf/plugindev.tex
@@ -15,7 +15,7 @@
 
 \title{Kerberos Plugin Module Developer Guide}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
@@ -451,6 +451,40 @@ interface (which is explicitly unstable), it may not remain as stable
 across versions as other public pluggable interfaces.
 
 
+\section{kadmin authorization interface (kadm5\_auth)}
+\label{plugindev/kadm5_auth:kadm5-auth-plugin}\label{plugindev/kadm5_auth:kadmin-authorization-interface-kadm5-auth}\label{plugindev/kadm5_auth::doc}
+The kadm5\_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations.  For a detailed description of the kadm5\_auth
+interface, see the header file \code{\textless{}krb5/kadm5\_auth\_plugin.h\textgreater{}}.
+
+A module can create and destroy per-process state objects by
+implementing the \textbf{init} and \textbf{fini} methods.  State objects have
+the type kadm5\_auth\_modinfo, which is an abstract pointer type.  A
+module should typically cast this to an internal type for the state
+object.
+
+The kadm5\_auth interface has one method for each kadmin operation,
+with parameters specific to the operation.  Each method can return
+either 0 to authorize access, KRB5\_PLUGIN\_NO\_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access.  Access is granted if at least one module
+grants access and no module authoritatively denies access.
+
+The \textbf{addprinc} and \textbf{modprinc} methods can also impose restrictions
+on the principal operation by returning a \code{struct
+kadm5\_auth\_restrictions} object.  The module should also implement
+the \textbf{free\_restrictions} method if it dynamically allocates
+restrictions objects for principal operations.
+
+kadm5\_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include \code{\textless{}kadm5/admin.h\textgreater{}} to gain
+access to the structure definitions for those objects.  As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.
+
+
 \section{Host-to-realm interface (hostrealm)}
 \label{plugindev/hostrealm:hostrealm-plugin}\label{plugindev/hostrealm::doc}\label{plugindev/hostrealm:host-to-realm-interface-hostrealm}
 The host-to-realm interface was first introduced in release 1.12.  It
@@ -795,6 +829,55 @@ defined in the header file \code{\textless{}krb5/authdata\_plugin.h\textgreater{
 installed by the build.
 
 
+\section{PKINIT certificate authorization interface (certauth)}
+\label{plugindev/certauth:certauth-plugin}\label{plugindev/certauth::doc}\label{plugindev/certauth:pkinit-certificate-authorization-interface-certauth}
+The certauth interface was first introduced in release 1.16.  It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients.  For a detailed
+description of the certauth interface, see the header file
+\code{\textless{}krb5/certauth\_plugin.h\textgreater{}}
+
+A certauth module implements the \textbf{authorize} method to determine
+whether a client's certificate is authorized to authenticate a client
+principal.  \textbf{authorize} receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5\_db\_entry (for modules that link against libkdb5).  It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket.  A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+\textbf{init} and \textbf{fini} methods.  Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from \textbf{authorize}, it must also implement the \textbf{free\_ind} method
+to free the list.
+
+
+\section{KDC policy interface (kdcpolicy)}
+\label{plugindev/kdcpolicy:kdcpolicy-plugin}\label{plugindev/kdcpolicy::doc}\label{plugindev/kdcpolicy:kdc-policy-interface-kdcpolicy}
+The kdcpolicy interface was first introduced in release 1.16.  It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket.  For a detailed
+description of the kdcpolicy interface, see the header file
+\code{\textless{}krb5/kdcpolicy\_plugin.h\textgreater{}}.
+
+The optional \textbf{check\_as} and \textbf{check\_tgs} functions allow the module
+to perform access control.  Additionally, a module can create and
+destroy module data with the \textbf{init} and \textbf{fini} methods.  Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods.  The data has the type
+krb5\_kdcpolicy\_moddata, which should be cast to the appropriate
+internal type.
+
+kdcpolicy modules can optionally inspect principal entries.  To do
+this, the module must also include \code{\textless{}kdb.h\textgreater{}} to gain access to the
+principal entry structure definition.  As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.
+
+
 
 \renewcommand{\indexname}{Index}
 \printindex
diff --git a/doc/pdf/user.pdf b/doc/pdf/user.pdf
index ee40d417d3e7..06bec04b3a05 100644
Binary files a/doc/pdf/user.pdf and b/doc/pdf/user.pdf differ
diff --git a/doc/pdf/user.tex b/doc/pdf/user.tex
index ffe97ebf4ca3..15bd75167e60 100644
--- a/doc/pdf/user.tex
+++ b/doc/pdf/user.tex
@@ -15,7 +15,7 @@
 
 \title{Kerberos User Guide}
 \date{ }
-\release{1.15.1}
+\release{1.16}
 \author{MIT}
 \newcommand{\sphinxlogo}{}
 \renewcommand{\releasename}{Release}
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
new file mode 100644
index 000000000000..8a7f7c5ebad6
--- /dev/null
+++ b/doc/plugindev/certauth.rst
@@ -0,0 +1,27 @@
+.. _certauth_plugin:
+
+PKINIT certificate authorization interface (certauth)
+=====================================================
+
+The certauth interface was first introduced in release 1.16.  It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients.  For a detailed
+description of the certauth interface, see the header file
+``<krb5/certauth_plugin.h>``
+
+A certauth module implements the **authorize** method to determine
+whether a client's certificate is authorized to authenticate a client
+principal.  **authorize** receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5_db_entry (for modules that link against libkdb5).  It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket.  A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+**init** and **fini** methods.  Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from **authorize**, it must also implement the **free_ind** method
+to free the list.
diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst
index 3fb921778cb5..5e7834635f42 100644
--- a/doc/plugindev/index.rst
+++ b/doc/plugindev/index.rst
@@ -25,11 +25,14 @@ Contents
    ccselect.rst
    pwqual.rst
    kadm5_hook.rst
+   kadm5_auth.rst
    hostrealm.rst
    localauth.rst
    locate.rst
    profile.rst
    gssapi.rst
    internal.rst
+   certauth.rst
+   kdcpolicy.rst
 
 .. TODO: GSSAPI mechanism plugins
diff --git a/doc/plugindev/kadm5_auth.rst b/doc/plugindev/kadm5_auth.rst
new file mode 100644
index 000000000000..b4839617bd2f
--- /dev/null
+++ b/doc/plugindev/kadm5_auth.rst
@@ -0,0 +1,35 @@
+.. _kadm5_auth_plugin:
+
+kadmin authorization interface (kadm5_auth)
+===========================================
+
+The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations.  For a detailed description of the kadm5_auth
+interface, see the header file ``<krb5/kadm5_auth_plugin.h>``.
+
+A module can create and destroy per-process state objects by
+implementing the **init** and **fini** methods.  State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type.  A
+module should typically cast this to an internal type for the state
+object.
+
+The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation.  Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access.  Access is granted if at least one module
+grants access and no module authoritatively denies access.
+
+The **addprinc** and **modprinc** methods can also impose restrictions
+on the principal operation by returning a ``struct
+kadm5_auth_restrictions`` object.  The module should also implement
+the **free_restrictions** method if it dynamically allocates
+restrictions objects for principal operations.
+
+kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include ``<kadm5/admin.h>`` to gain
+access to the structure definitions for those objects.  As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.
diff --git a/doc/plugindev/kdcpolicy.rst b/doc/plugindev/kdcpolicy.rst
new file mode 100644
index 000000000000..74f21f08fbf4
--- /dev/null
+++ b/doc/plugindev/kdcpolicy.rst
@@ -0,0 +1,24 @@
+.. _kdcpolicy_plugin:
+
+KDC policy interface (kdcpolicy)
+================================
+
+The kdcpolicy interface was first introduced in release 1.16.  It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket.  For a detailed
+description of the kdcpolicy interface, see the header file
+``<krb5/kdcpolicy_plugin.h>``.
+
+The optional **check_as** and **check_tgs** functions allow the module
+to perform access control.  Additionally, a module can create and
+destroy module data with the **init** and **fini** methods.  Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods.  The data has the type
+krb5_kdcpolicy_moddata, which should be cast to the appropriate
+internal type.
+
+kdcpolicy modules can optionally inspect principal entries.  To do
+this, the module must also include ``<kdb.h>`` to gain access to the
+principal entry structure definition.  As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.
diff --git a/src/Makefile.in b/src/Makefile.in
index 2ebf2fb4d0c2..ac9a2a060485 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -12,14 +12,17 @@ SUBDIRS=util include lib \
 	plugins/audit/test \
 	@audit_plugin@ \
 	plugins/kadm5_hook/test \
+	plugins/kadm5_auth/test \
 	plugins/hostrealm/test \
 	plugins/localauth/test \
 	plugins/pwqual/test \
 	plugins/authdata/greet_server \
 	plugins/authdata/greet_client \
+	plugins/certauth/test \
 	plugins/kdb/db2 \
 	@ldap_plugin_dir@ \
 	plugins/kdb/test \
+	plugins/kdcpolicy/test \
 	plugins/preauth/otp \
 	plugins/preauth/pkinit \
 	plugins/preauth/test \
@@ -501,7 +504,7 @@ check-pytests-no: check-postrecurse
 		$(SKIPTESTS)
 
 check-cmocka-no: check-postrecurse
-	@echo 'Skipped cmocka tests due to missing library or header file' >> \
+	@echo 'Skipped cmocka tests: cmocka library or header not found' >> \
 		$(SKIPTESTS)
 
 # Create a test realm and spawn a shell in an environment pointing to it.
@@ -520,6 +523,7 @@ pyrunenv.vals: Makefile
 	done > $@
 	echo "tls_impl = '$(TLS_IMPL)'" >> $@
 	echo "have_sasl = '$(HAVE_SASL)'" >> $@
+	echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@
 
 runenv.py: pyrunenv.vals
 	echo 'env = {}' > $@
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 9c46da4b5956..d6d1279c3f4f 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -169,7 +169,7 @@ if test "$enable_thread_support" = yes ; then
 fi
 dnl Maybe this should be inside the conditional above?  Doesn't cache....
 if test "$enable_thread_support" = yes; then
-  ACX_PTHREAD(,[AC_MSG_ERROR([cannot determine options for enabling thread support; try --disable-thread-support])])
+  AX_PTHREAD(,[AC_MSG_ERROR([cannot determine options for enabling thread support; try --disable-thread-support])])
   AC_MSG_NOTICE(PTHREAD_CC = $PTHREAD_CC)
   AC_MSG_NOTICE(PTHREAD_CFLAGS = $PTHREAD_CFLAGS)
   AC_MSG_NOTICE(PTHREAD_LIBS = $PTHREAD_LIBS)
@@ -450,13 +450,13 @@ krb5_ac_warn_cflags_set=${WARN_CFLAGS+set}
 krb5_ac_warn_cxxflags_set=${WARN_CXXFLAGS+set}
 ])
 dnl
-AC_DEFUN(TRY_WARN_CC_FLAG,[dnl
+AC_DEFUN(TRY_WARN_CC_FLAG_1,[dnl
   cachevar=`echo "krb5_cv_cc_flag_$1" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[[^a-zA-Z0-9_]]/_/g`
   AC_CACHE_CHECK([if C compiler supports $1], [$cachevar],
   [# first try without, then with
   AC_TRY_COMPILE([], 1;,
     [old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS $1"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags $1"
      AC_TRY_COMPILE([], 1;, eval $cachevar=yes, eval $cachevar=no)
      CFLAGS="$old_cflags"],
     [AC_MSG_ERROR(compiling simple test program with $CFLAGS failed)])])
@@ -466,6 +466,21 @@ AC_DEFUN(TRY_WARN_CC_FLAG,[dnl
   eval flag_supported='${'$cachevar'}'
 ])dnl
 dnl
+dnl Are additional flags needed to make unsupported warning options
+dnl get reported as errors?
+AC_DEFUN(CHECK_CC_WARNING_TEST_FLAGS,[dnl
+  cflags_warning_test_flags=
+  TRY_WARN_CC_FLAG_1(-Werror=unknown-warning-option)
+  if test $flag_supported = yes; then
+    cflags_warning_test_flags=-Werror=unknown-warning-option
+  fi
+])dnl
+dnl
+AC_DEFUN(TRY_WARN_CC_FLAG,[dnl
+AC_REQUIRE([CHECK_CC_WARNING_TEST_FLAGS])dnl
+TRY_WARN_CC_FLAG_1($1)dnl
+])dnl
+dnl
 AC_DEFUN(WITH_CC,[dnl
 AC_REQUIRE([KRB5_AC_CHECK_FOR_CFLAGS])dnl
 AC_REQUIRE([AC_PROG_CC])dnl
@@ -528,7 +543,7 @@ if test "$GCC" = yes ; then
     TRY_WARN_CC_FLAG(-Wno-format-zero-length)
     # Other flags here may not be supported on some versions of
     # gcc that people want to use.
-    for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do
+    for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized no-maybe-uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do
       TRY_WARN_CC_FLAG(-W$flag)
     done
     #  old-style-definition? generates many, many warnings
@@ -615,8 +630,16 @@ else
     # works, but it also means that declaration-in-code warnings won't
     # be issued.
     # -v -fd -errwarn=E_DECLARATION_IN_CODE ...
-    WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED"
-    WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64"
+    if test "x$krb5_ac_warn_cflags_set" = xset ; then
+      AC_MSG_NOTICE(not adding extra warning flags because WARN_CFLAGS was set)
+    else
+      WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED"
+    fi
+    if test "x$krb5_ac_warn_cxxflags_set" = xset ; then
+      AC_MSG_NOTICE(not adding extra warning flags because WARN_CXXFLAGS was set)
+    else
+      WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64"
+    fi
   fi
 fi
 AC_SUBST(WARN_CFLAGS)
@@ -1352,7 +1375,6 @@ dnl =============================================================
 dnl Internal function for testing for getpeername prototype
 dnl
 AC_DEFUN([KRB5_GETPEERNAME_ARGS],[
-AC_DEFINE([GETPEERNAME_ARG2_TYPE],GETSOCKNAME_ARG2_TYPE,[Type of getpeername second argument.])
 AC_DEFINE([GETPEERNAME_ARG3_TYPE],GETSOCKNAME_ARG3_TYPE,[Type of getpeername second argument.])
 ])
 dnl
@@ -1397,7 +1419,6 @@ if test "$sock_set" = no; then
 fi
 res1=`echo "$res1" | tr -d '*' | sed -e 's/ *$//'`
 res2=`echo "$res2" | tr -d '*' | sed -e 's/ *$//'`
-AC_DEFINE_UNQUOTED([GETSOCKNAME_ARG2_TYPE],$res1,[Type of pointer target for argument 2 to getsockname])
 AC_DEFINE_UNQUOTED([GETSOCKNAME_ARG3_TYPE],$res2,[Type of pointer target for argument 3 to getsockname])
 ])
 dnl
@@ -1634,8 +1655,8 @@ if test $krb5_cv_pragma_weak_ref = yes ; then
 fi])
 dnl
 dnl
-m4_include(config/ac-archive/acx_pthread.m4)
-m4_include(config/ac-archive/relpaths.m4)
+m4_include(config/ac-archive/ax_pthread.m4)
+m4_include(config/ac-archive/ax_recursive_eval.m4)
 dnl
 dnl
 dnl
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index 8a6b0304f890..0299e45904b8 100755
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -31,22 +31,20 @@ gss_server = os.path.join(appdir, 'gss-server')
 # Run a gss-server process and a gss-client process, with additional
 # gss-client flags given by options and additional gss-server flags
 # given by server_options.  Return the output of gss-client.
-def run_client_server(realm, options, server_options, expected_code=0):
+def run_client_server(realm, options, server_options, **kwargs):
     portstr = str(realm.server_port())
     server_args = [gss_server, '-export', '-port', portstr]
     server_args += server_options + ['host']
     server = realm.start_server(server_args, 'starting...')
-    out = realm.run([gss_client, '-port', portstr] + options +
-                    [hostname, 'host', 'testmsg'], expected_code=expected_code)
+    realm.run([gss_client, '-port', portstr] + options +
+              [hostname, 'host', 'testmsg'], **kwargs)
     stop_daemon(server)
-    return out
 
 # Run a gss-server and gss-client process, and verify that gss-client
 # displayed the expected output for a successful negotiation.
 def server_client_test(realm, options, server_options):
-    out = run_client_server(realm, options, server_options)
-    if 'Signature verified.' not in out:
-        fail('Expected message not seen in gss-client output')
+    run_client_server(realm, options, server_options,
+                      expected_msg='Signature verified.')
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):
@@ -81,10 +79,10 @@ def pw_test(realm, options, server_options=[]):
 # IAKERB, gss_aqcuire_cred_with_password() otherwise).
 def wrong_pw_test(realm, options, server_options=[], iakerb=False):
     options = options + ['-user', realm.user_princ, '-pass', 'wrongpw']
-    out = run_client_server(realm, options, server_options, expected_code=1)
     failed_op = 'initializing context' if iakerb else 'acquiring creds'
-    if 'GSS-API error ' + failed_op not in out:
-        fail('Expected error not seen in gss-client output')
+    msg = 'GSS-API error ' + failed_op
+    run_client_server(realm, options, server_options, expected_code=1,
+                      expected_msg=msg)
 
 # Perform a test of the server and client with initial credentials
 # obtained with the client keytab
diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c
index bd3c38c72aa7..cda7d220c406 100644
--- a/src/appl/simple/client/sim_client.c
+++ b/src/appl/simple/client/sim_client.c
@@ -62,7 +62,7 @@ int
 main(int argc, char *argv[])
 {
     int sock, i;
-    unsigned int len;
+    socklen_t len;
     int flags = 0;                      /* flags for sendto() */
     struct servent *serv;
     struct hostent *host;
diff --git a/src/appl/simple/server/sim_server.c b/src/appl/simple/server/sim_server.c
index fce5a9c6fd69..f09489c35d30 100644
--- a/src/appl/simple/server/sim_server.c
+++ b/src/appl/simple/server/sim_server.c
@@ -33,6 +33,7 @@
  */
 
 #include "krb5.h"
+#include "port-sockets.h"
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
@@ -64,7 +65,7 @@ int
 main(int argc, char *argv[])
 {
     int sock, i;
-    unsigned int len;
+    socklen_t len;
     int flags = 0;                      /* for recvfrom() */
     int on = 1;
     struct servent *serv;
diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
index 8bdef8e07b90..2a7d03f8dc87 100755
--- a/src/appl/user_user/t_user2user.py
+++ b/src/appl/user_user/t_user2user.py
@@ -10,9 +10,9 @@ for realm in multipass_realms():
     else:
         srv_output = realm.start_server(['./uuserver', '9999'], 'Server started')
 
-    output = realm.run(['./uuclient', hostname, 'testing message', '9999'])
-    if 'uu-client: server says \"Hello, other end of connection.\"' not in output:
-        fail('Message not echoed back.')
+    msg = 'uu-client: server says "Hello, other end of connection."'
+    realm.run(['./uuclient', hostname, 'testing message', '9999'],
+              expected_msg=msg)
 
 
 success('User-2-user test programs')
diff --git a/src/ccapi/server/mac/ccs_os_pipe.c b/src/ccapi/server/mac/ccs_os_pipe.c
index 67f90307a230..5d9fff20755d 100644
--- a/src/ccapi/server/mac/ccs_os_pipe.c
+++ b/src/ccapi/server/mac/ccs_os_pipe.c
@@ -27,7 +27,7 @@
 #include "ccs_os_pipe.h"
 #include <mach/port.h>
 
-/* On Mac OS X ccs_pipe_t is a mach_port_t */
+/* On macOS ccs_pipe_t is a mach_port_t */
 
 /* ------------------------------------------------------------------------ */
 
@@ -73,7 +73,7 @@ cc_int32 ccs_os_pipe_release (ccs_pipe_t io_pipe)
 {
     cc_int32 err = 0;
 
-    /* Nothing to do here on Mac OS X */
+    /* Nothing to do here on macOS */
 
     return cci_check_error (err);
 }
diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c
index 47147cdc3207..0b8802261e9e 100644
--- a/src/clients/kcpytkt/kcpytkt.c
+++ b/src/clients/kcpytkt/kcpytkt.c
@@ -7,26 +7,29 @@
 #include "k5-platform.h"
 
 static char *prog;
+static int quiet = 0;
 
-static void xusage()
+static void
+xusage()
 {
-    fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] dest_ccache service1 service2 ...\n", prog);
+    fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] "
+            "dest_ccache service1 service2 ...\n", prog);
     exit(1);
 }
 
-int quiet = 0;
+static void
+do_kcpytkt(int argc, char *argv[], char *fromccachestr, char *etypestr,
+           int flags);
 
-static void do_kcpytkt (int argc, char *argv[], char *fromccachestr, char *etypestr, int flags);
-
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
 {
     int option;
-    char *etypestr = 0;
-    char *fromccachestr = 0;
+    char *etypestr = NULL, *fromccachestr = NULL;
     int flags = 0;
 
     prog = strrchr(argv[0], '/');
-    prog = prog ? (prog + 1) : argv[0];
+    prog = (prog != NULL) ? prog + 1 : argv[0];
 
     while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) {
         switch (option) {
@@ -49,25 +52,24 @@ int main(int argc, char *argv[])
         }
     }
 
-    if ((argc - optind) < 2)
+    if (argc - optind < 2)
         xusage();
 
     do_kcpytkt(argc - optind, argv + optind, fromccachestr, etypestr, flags);
     return 0;
 }
 
-static void do_kcpytkt (int count, char *names[],
-                        char *fromccachestr, char *etypestr, int flags)
+static void
+do_kcpytkt(int count, char *names[], const char *fromccachestr, char *etypestr,
+           int flags)
 {
     krb5_context context;
     krb5_error_code ret;
-    int i, errors;
     krb5_enctype etype;
-    krb5_ccache fromccache;
-    krb5_ccache destccache;
+    krb5_ccache fromccache, destccache;
     krb5_principal me;
     krb5_creds in_creds, out_creds;
-    int retflags;
+    int i, errors, retflags;
     char *princ;
 
     ret = krb5_init_context(&context);
@@ -75,8 +77,7 @@ static void do_kcpytkt (int count, char *names[],
         com_err(prog, ret, "while initializing krb5 library");
         exit(1);
     }
-
-    if (etypestr) {
+    if (etypestr != NULL) {
         ret = krb5_string_to_enctype(etypestr, &etype);
         if (ret) {
             com_err(prog, ret, "while converting etype");
@@ -88,7 +89,7 @@ static void do_kcpytkt (int count, char *names[],
         retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
     }
 
-    if (fromccachestr)
+    if (fromccachestr != NULL)
         ret = krb5_cc_resolve(context, fromccachestr, &fromccache);
     else
         ret = krb5_cc_default(context, &fromccache);
@@ -118,9 +119,10 @@ static void do_kcpytkt (int count, char *names[],
 
         ret = krb5_parse_name(context, names[i], &in_creds.server);
         if (ret) {
-            if (!quiet)
+            if (!quiet) {
                 fprintf(stderr, "%s: %s while parsing principal name\n",
                         names[i], error_message(ret));
+            }
             errors++;
             continue;
         }
@@ -140,24 +142,18 @@ static void do_kcpytkt (int count, char *names[],
         if (ret) {
             fprintf(stderr, "%s: %s while retrieving credentials\n",
                     princ, error_message(ret));
-
             krb5_free_unparsed_name(context, princ);
-
             errors++;
             continue;
         }
 
         ret = krb5_cc_store_cred(context, destccache, &out_creds);
-
         krb5_free_principal(context, in_creds.server);
-
         if (ret) {
             fprintf(stderr, "%s: %s while removing credentials\n",
                     princ, error_message(ret));
-
             krb5_free_cred_contents(context, &out_creds);
             krb5_free_unparsed_name(context, princ);
-
             errors++;
             continue;
         }
diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c
index 9c7a549f970b..cd0bf637db69 100644
--- a/src/clients/kdeltkt/kdeltkt.c
+++ b/src/clients/kdeltkt/kdeltkt.c
@@ -7,26 +7,28 @@
 #include "k5-platform.h"
 
 static char *prog;
+static int quiet = 0;
 
-static void xusage()
+static void
+xusage()
 {
-    fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 service2 ...\n", prog);
+    fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 "
+            "service2 ...\n", prog);
     exit(1);
 }
 
-int quiet = 0;
+static void
+do_kdeltkt(int argc, char *argv[], char *ccachestr, char *etypestr, int flags);
 
-static void do_kdeltkt (int argc, char *argv[], char *ccachestr, char *etypestr, int flags);
-
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
 {
     int option;
-    char *etypestr = 0;
-    char *ccachestr = 0;
+    char *etypestr = NULL, *ccachestr = NULL;
     int flags = 0;
 
     prog = strrchr(argv[0], '/');
-    prog = prog ? (prog + 1) : argv[0];
+    prog = (prog != NULL) ? prog + 1 : argv[0];
 
     while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) {
         switch (option) {
@@ -49,15 +51,16 @@ int main(int argc, char *argv[])
         }
     }
 
-    if ((argc - optind) < 1)
+    if (argc - optind < 1)
         xusage();
 
     do_kdeltkt(argc - optind, argv + optind, ccachestr, etypestr, flags);
     return 0;
 }
 
-static void do_kdeltkt (int count, char *names[],
-                        char *ccachestr, char *etypestr, int flags)
+static void
+do_kdeltkt(int count, char *names[], const char *ccachestr, char *etypestr,
+           int flags)
 {
     krb5_context context;
     krb5_error_code ret;
@@ -75,7 +78,7 @@ static void do_kdeltkt (int count, char *names[],
         exit(1);
     }
 
-    if (etypestr) {
+    if (etypestr != NULL) {
         ret = krb5_string_to_enctype(etypestr, &etype);
         if (ret) {
             com_err(prog, ret, "while converting etype");
@@ -111,9 +114,10 @@ static void do_kdeltkt (int count, char *names[],
 
         ret = krb5_parse_name(context, names[i], &in_creds.server);
         if (ret) {
-            if (!quiet)
+            if (!quiet) {
                 fprintf(stderr, "%s: %s while parsing principal name\n",
                         names[i], error_message(ret));
+            }
             errors++;
             continue;
         }
@@ -133,9 +137,7 @@ static void do_kdeltkt (int count, char *names[],
         if (ret) {
             fprintf(stderr, "%s: %s while retrieving credentials\n",
                     princ, error_message(ret));
-
             krb5_free_unparsed_name(context, princ);
-
             errors++;
             continue;
         }
@@ -147,14 +149,11 @@ static void do_kdeltkt (int count, char *names[],
         if (ret) {
             fprintf(stderr, "%s: %s while removing credentials\n",
                     princ, error_message(ret));
-
             krb5_free_cred_contents(context, &out_creds);
             krb5_free_unparsed_name(context, princ);
-
             errors++;
             continue;
         }
-
         krb5_free_unparsed_name(context, princ);
         krb5_free_cred_contents(context, &out_creds);
     }
diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c
index f95554903ece..0bf83586c14f 100644
--- a/src/clients/kdestroy/kdestroy.c
+++ b/src/clients/kdestroy/kdestroy.c
@@ -41,7 +41,7 @@ extern int optind;
 extern char *optarg;
 
 #ifndef _WIN32
-#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x))
 #else
 #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
 #endif
@@ -49,10 +49,9 @@ extern char *optarg;
 char *progname;
 
 
-static void usage()
+static void
+usage()
 {
-#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
-
     fprintf(stderr, _("Usage: %s [-A] [-q] [-c cache_name]\n"), progname);
     fprintf(stderr, _("\t-A destroy all credential caches in collection\n"));
     fprintf(stderr, _("\t-q quiet mode\n"));
@@ -64,18 +63,18 @@ static void usage()
 static void
 print_remaining_cc_warning(krb5_context context)
 {
-    krb5_error_code retval;
+    krb5_error_code ret;
     krb5_ccache cache;
     krb5_cccol_cursor cursor;
 
-    retval = krb5_cccol_cursor_new(context, &cursor);
-    if (retval) {
-        com_err(progname, retval, _("while listing credential caches"));
+    ret = krb5_cccol_cursor_new(context, &cursor);
+    if (ret) {
+        com_err(progname, ret, _("while listing credential caches"));
         exit(1);
     }
 
-    retval = krb5_cccol_cursor_next(context, cursor, &cache);
-    if (retval == 0 && cache != NULL) {
+    ret = krb5_cccol_cursor_next(context, cursor, &cache);
+    if (ret == 0 && cache != NULL) {
         fprintf(stderr,
                 _("Other credential caches present, use -A to destroy all\n"));
         krb5_cc_close(context, cache);
@@ -85,20 +84,14 @@ print_remaining_cc_warning(krb5_context context)
 }
 
 int
-main(argc, argv)
-    int argc;
-    char **argv;
+main(int argc, char *argv[])
 {
-    krb5_context kcontext;
-    krb5_error_code retval;
-    int c;
+    krb5_context context;
+    krb5_error_code ret;
     krb5_ccache cache = NULL;
     krb5_cccol_cursor cursor;
     char *cache_name = NULL;
-    int code = 0;
-    int errflg = 0;
-    int quiet = 0;
-    int all = 0;
+    int code = 0, errflg = 0, quiet = 0, all = 0, c;
 
     setlocale(LC_ALL, "");
     progname = GET_PROGNAME(argv[0]);
@@ -135,62 +128,61 @@ main(argc, argv)
     if (optind != argc)
         errflg++;
 
-    if (errflg) {
+    if (errflg)
         usage();
-    }
 
-    retval = krb5_init_context(&kcontext);
-    if (retval) {
-        com_err(progname, retval, _("while initializing krb5"));
+    ret = krb5_init_context(&context);
+    if (ret) {
+        com_err(progname, ret, _("while initializing krb5"));
         exit(1);
     }
 
+    if (cache_name != NULL) {
+        code = krb5_cc_set_default_name(context, cache_name);
+        if (code) {
+            com_err(progname, code, _("while setting default cache name"));
+            exit(1);
+        }
+    }
+
     if (all) {
-        code = krb5_cccol_cursor_new(kcontext, &cursor);
+        code = krb5_cccol_cursor_new(context, &cursor);
         if (code) {
             com_err(progname, code, _("while listing credential caches"));
             exit(1);
         }
-        while ((code = krb5_cccol_cursor_next(kcontext, cursor,
-                                              &cache)) == 0 && cache != NULL) {
-            code = krb5_cc_get_full_name(kcontext, cache, &cache_name);
+        while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 &&
+               cache != NULL) {
+            code = krb5_cc_get_full_name(context, cache, &cache_name);
             if (code) {
                 com_err(progname, code, _("composing ccache name"));
                 exit(1);
             }
-            code = krb5_cc_destroy(kcontext, cache);
+            code = krb5_cc_destroy(context, cache);
             if (code && code != KRB5_FCC_NOFILE) {
                 com_err(progname, code, _("while destroying cache %s"),
                         cache_name);
             }
-            krb5_free_string(kcontext, cache_name);
+            krb5_free_string(context, cache_name);
         }
-        krb5_cccol_cursor_free(kcontext, &cursor);
-        krb5_free_context(kcontext);
+        krb5_cccol_cursor_free(context, &cursor);
+        krb5_free_context(context);
         return 0;
     }
 
-    if (cache_name) {
-        code = krb5_cc_resolve (kcontext, cache_name, &cache);
-        if (code != 0) {
-            com_err(progname, code, _("while resolving %s"), cache_name);
-            exit(1);
-        }
-    } else {
-        code = krb5_cc_default(kcontext, &cache);
-        if (code) {
-            com_err(progname, code, _("while getting default ccache"));
-            exit(1);
-        }
+    code = krb5_cc_default(context, &cache);
+    if (code) {
+        com_err(progname, code, _("while resolving ccache"));
+        exit(1);
     }
 
-    code = krb5_cc_destroy (kcontext, cache);
+    code = krb5_cc_destroy(context, cache);
     if (code != 0) {
-        com_err (progname, code, _("while destroying cache"));
+        com_err(progname, code, _("while destroying cache"));
         if (code != KRB5_FCC_NOFILE) {
-            if (quiet)
+            if (quiet) {
                 fprintf(stderr, _("Ticket cache NOT destroyed!\n"));
-            else {
+            } else {
                 fprintf(stderr, _("Ticket cache %cNOT%c destroyed!\n"),
                         BELL_CHAR, BELL_CHAR);
             }
@@ -199,8 +191,9 @@ main(argc, argv)
     }
 
     if (!quiet && !errflg)
-        print_remaining_cc_warning(kcontext);
+        print_remaining_cc_warning(context);
+
+    krb5_free_context(context);
 
-    krb5_free_context(kcontext);
     return errflg;
 }
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index f1cd1b73db60..a518284ea568 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -26,7 +26,7 @@
 
 #include "autoconf.h"
 #include <k5-int.h>
-#include "k5-platform.h"        /* for asprintf and getopt */
+#include "k5-platform.h"        /* For asprintf and getopt */
 #include <krb5.h>
 #include "extern.h"
 #include <locale.h>
@@ -37,40 +37,41 @@
 #include <com_err.h>
 
 #ifndef _WIN32
-#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x))
 #else
 #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
 #endif
 
 #ifdef HAVE_PWD_H
 #include <pwd.h>
-static
-char * get_name_from_os()
+static char *
+get_name_from_os()
 {
     struct passwd *pw;
-    if ((pw = getpwuid((int) getuid())))
-        return pw->pw_name;
-    return 0;
+
+    pw = getpwuid(getuid());
+    return (pw != NULL) ? pw->pw_name : NULL;
 }
 #else /* HAVE_PWD_H */
 #ifdef _WIN32
-static
-char * get_name_from_os()
+static char *
+get_name_from_os()
 {
     static char name[1024];
     DWORD name_size = sizeof(name);
+
     if (GetUserName(name, &name_size)) {
-        name[sizeof(name)-1] = 0; /* Just to be extra safe */
+        name[sizeof(name) - 1] = '\0'; /* Just to be extra safe */
         return name;
     } else {
-        return 0;
+        return NULL;
     }
 }
 #else /* _WIN32 */
-static
-char * get_name_from_os()
+static char *
+get_name_from_os()
 {
-    return 0;
+    return NULL;
 }
 #endif /* _WIN32 */
 #endif /* HAVE_PWD_H */
@@ -81,7 +82,7 @@ typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
 
 struct k_opts
 {
-    /* in seconds */
+    /* In seconds */
     krb5_deltat starttime;
     krb5_deltat lifetime;
     krb5_deltat rlife;
@@ -99,11 +100,11 @@ struct k_opts
 
     int verbose;
 
-    char* principal_name;
-    char* service_name;
-    char* keytab_name;
-    char* k5_in_cache_name;
-    char* k5_out_cache_name;
+    char *principal_name;
+    char *service_name;
+    char *keytab_name;
+    char *k5_in_cache_name;
+    char *k5_out_cache_name;
     char *armor_ccache;
 
     action_type action;
@@ -121,46 +122,39 @@ struct k5_data
     krb5_context ctx;
     krb5_ccache in_cc, out_cc;
     krb5_principal me;
-    char* name;
+    char *name;
     krb5_boolean switch_to_cache;
 };
 
-/* if struct[2] == NULL, then long_getopt acts as if the short flag
-   struct[3] was specified.  If struct[2] != NULL, then struct[3] is
-   stored in *(struct[2]), the array index which was specified is
-   stored in *index, and long_getopt() returns 0. */
-
+/*
+ * If struct[2] == NULL, then long_getopt acts as if the short flag struct[3]
+ * were specified.  If struct[2] != NULL, then struct[3] is stored in
+ * *(struct[2]), the array index which was specified is stored in *index, and
+ * long_getopt() returns 0.
+ */
 const char *shopts = "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CEI:";
 
+#define USAGE_BREAK "\n\t"
+
 static void
 usage()
 {
-#define USAGE_BREAK "\n\t"
-
-#define USAGE_LONG_FORWARDABLE  " | --forwardable | --noforwardable"
-#define USAGE_LONG_PROXIABLE    " | --proxiable | --noproxiable"
-#define USAGE_LONG_ADDRESSES    " | --addresses | --noaddresses"
-#define USAGE_LONG_CANONICALIZE " | --canonicalize"
-#define USAGE_LONG_ENTERPRISE   " | --enterprise"
-#define USAGE_LONG_REQUESTPAC   "--request-pac | --no-request-pac"
-#define USAGE_BREAK_LONG       USAGE_BREAK
-
     fprintf(stderr, "Usage: %s [-V] "
             "[-l lifetime] [-s start_time] "
             USAGE_BREAK
             "[-r renewable_life] "
-            "[-f | -F" USAGE_LONG_FORWARDABLE "] "
-            USAGE_BREAK_LONG
-            "[-p | -P" USAGE_LONG_PROXIABLE "] "
-            USAGE_BREAK_LONG
+            "[-f | -F | --forwardable | --noforwardable] "
+            USAGE_BREAK
+            "[-p | -P | --proxiable | --noproxiable] "
+            USAGE_BREAK
             "-n "
-            "[-a | -A" USAGE_LONG_ADDRESSES "] "
-            USAGE_BREAK_LONG
-            "[" USAGE_LONG_REQUESTPAC "] "
-            USAGE_BREAK_LONG
-            "[-C" USAGE_LONG_CANONICALIZE "] "
+            "[-a | -A | --addresses | --noaddresses] "
             USAGE_BREAK
-            "[-E" USAGE_LONG_ENTERPRISE "] "
+            "[--request-pac | --no-request-pac] "
+            USAGE_BREAK
+            "[-C | --canonicalize] "
+            USAGE_BREAK
+            "[-E | --enterprise] "
             USAGE_BREAK
             "[-v] [-R] "
             "[-k [-i|-t keytab_file]] "
@@ -199,15 +193,17 @@ usage()
 }
 
 static krb5_context errctx;
-static void extended_com_err_fn (const char *myprog, errcode_t code,
-                                 const char *fmt, va_list args)
+static void
+extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt,
+                    va_list args)
 {
     const char *emsg;
-    emsg = krb5_get_error_message (errctx, code);
-    fprintf (stderr, "%s: %s ", myprog, emsg);
-    krb5_free_error_message (errctx, emsg);
-    vfprintf (stderr, fmt, args);
-    fprintf (stderr, "\n");
+
+    emsg = krb5_get_error_message(errctx, code);
+    fprintf(stderr, "%s: %s ", myprog, emsg);
+    krb5_free_error_message(errctx, emsg);
+    vfprintf(stderr, fmt, args);
+    fprintf(stderr, "\n");
 }
 
 static int
@@ -215,18 +211,13 @@ add_preauth_opt(struct k_opts *opts, char *av)
 {
     char *sep, *v;
     krb5_gic_opt_pa_data *p, *x;
+    size_t newsize = (opts->num_pa_opts + 1) * sizeof(*opts->pa_opts);
+
+    x = realloc(opts->pa_opts, newsize);
+    if (x == NULL)
+        return ENOMEM;
+    opts->pa_opts = x;
 
-    if (opts->num_pa_opts == 0) {
-        opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data));
-        if (opts->pa_opts == NULL)
-            return ENOMEM;
-    } else {
-        size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data);
-        x = realloc(opts->pa_opts, newsize);
-        if (x == NULL)
-            return ENOMEM;
-        opts->pa_opts = x;
-    }
     p = &opts->pa_opts[opts->num_pa_opts];
     sep = strchr(av, '=');
     if (sep) {
@@ -242,10 +233,7 @@ add_preauth_opt(struct k_opts *opts, char *av)
 }
 
 static char *
-parse_options(argc, argv, opts)
-    int argc;
-    char **argv;
-    struct k_opts* opts;
+parse_options(int argc, char **argv, struct k_opts *opts)
 {
     struct option long_options[] = {
         { "noforwardable", 0, NULL, 'F' },
@@ -260,7 +248,7 @@ parse_options(argc, argv, opts)
         { "no-request-pac", 0, &opts->not_request_pac, 1 },
         { NULL, 0, NULL, 0 }
     };
-    krb5_error_code code;
+    krb5_error_code ret;
     int errflg = 0;
     int i;
 
@@ -271,16 +259,16 @@ parse_options(argc, argv, opts)
             break;
         case 'l':
             /* Lifetime */
-            code = krb5_string_to_deltat(optarg, &opts->lifetime);
-            if (code != 0 || opts->lifetime == 0) {
+            ret = krb5_string_to_deltat(optarg, &opts->lifetime);
+            if (ret || opts->lifetime == 0) {
                 fprintf(stderr, _("Bad lifetime value %s\n"), optarg);
                 errflg++;
             }
             break;
         case 'r':
             /* Renewable Time */
-            code = krb5_string_to_deltat(optarg, &opts->rlife);
-            if (code != 0 || opts->rlife == 0) {
+            ret = krb5_string_to_deltat(optarg, &opts->rlife);
+            if (ret || opts->rlife == 0) {
                 fprintf(stderr, _("Bad lifetime value %s\n"), optarg);
                 errflg++;
             }
@@ -307,18 +295,18 @@ parse_options(argc, argv, opts)
             opts->no_addresses = 1;
             break;
         case 's':
-            code = krb5_string_to_deltat(optarg, &opts->starttime);
-            if (code != 0 || opts->starttime == 0) {
+            ret = krb5_string_to_deltat(optarg, &opts->starttime);
+            if (ret || opts->starttime == 0) {
                 /* Parse as an absolute time; intentionally undocumented
                  * but left for backwards compatibility. */
                 krb5_timestamp abs_starttime;
 
-                code = krb5_string_to_timestamp(optarg, &abs_starttime);
-                if (code != 0 || abs_starttime == 0) {
+                ret = krb5_string_to_timestamp(optarg, &abs_starttime);
+                if (ret || abs_starttime == 0) {
                     fprintf(stderr, _("Bad start time value %s\n"), optarg);
                     errflg++;
                 } else {
-                    opts->starttime = abs_starttime - time(0);
+                    opts->starttime = ts_delta(abs_starttime, time(NULL));
                 }
             }
             break;
@@ -332,8 +320,7 @@ parse_options(argc, argv, opts)
             opts->use_client_keytab = 1;
             break;
         case 't':
-            if (opts->keytab_name)
-            {
+            if (opts->keytab_name != NULL) {
                 fprintf(stderr, _("Only one -t option allowed.\n"));
                 errflg++;
             } else {
@@ -341,10 +328,12 @@ parse_options(argc, argv, opts)
             }
             break;
         case 'T':
-            if (opts->armor_ccache) {
+            if (opts->armor_ccache != NULL) {
                 fprintf(stderr, _("Only one armor_ccache\n"));
                 errflg++;
-            } else opts->armor_ccache = optarg;
+            } else {
+                opts->armor_ccache = optarg;
+            }
             break;
         case 'R':
             opts->action = RENEW;
@@ -353,8 +342,7 @@ parse_options(argc, argv, opts)
             opts->action = VALIDATE;
             break;
         case 'c':
-            if (opts->k5_out_cache_name)
-            {
+            if (opts->k5_out_cache_name != NULL) {
                 fprintf(stderr, _("Only one -c option allowed\n"));
                 errflg++;
             } else {
@@ -362,7 +350,7 @@ parse_options(argc, argv, opts)
             }
             break;
         case 'I':
-            if (opts->k5_in_cache_name) {
+            if (opts->k5_in_cache_name != NULL) {
                 fprintf(stderr, _("Only one -I option allowed\n"));
                 errflg++;
             } else {
@@ -370,10 +358,9 @@ parse_options(argc, argv, opts)
             }
             break;
         case 'X':
-            code = add_preauth_opt(opts, optarg);
-            if (code)
-            {
-                com_err(progname, code, _("while adding preauth option"));
+            ret = add_preauth_opt(opts, optarg);
+            if (ret) {
+                com_err(progname, ret, _("while adding preauth option"));
                 errflg++;
             }
             break;
@@ -398,59 +385,49 @@ parse_options(argc, argv, opts)
         }
     }
 
-    if (opts->forwardable && opts->not_forwardable)
-    {
+    if (opts->forwardable && opts->not_forwardable) {
         fprintf(stderr, _("Only one of -f and -F allowed\n"));
         errflg++;
     }
-    if (opts->proxiable && opts->not_proxiable)
-    {
+    if (opts->proxiable && opts->not_proxiable) {
         fprintf(stderr, _("Only one of -p and -P allowed\n"));
         errflg++;
     }
-    if (opts->request_pac && opts->not_request_pac)
-    {
+    if (opts->request_pac && opts->not_request_pac) {
         fprintf(stderr, _("Only one of --request-pac and --no-request-pac "
                           "allowed\n"));
         errflg++;
     }
-    if (opts->addresses && opts->no_addresses)
-    {
+    if (opts->addresses && opts->no_addresses) {
         fprintf(stderr, _("Only one of -a and -A allowed\n"));
         errflg++;
     }
-    if (opts->keytab_name != NULL && opts->use_client_keytab == 1)
-    {
+    if (opts->keytab_name != NULL && opts->use_client_keytab == 1) {
         fprintf(stderr, _("Only one of -t and -i allowed\n"));
         errflg++;
     }
     if ((opts->keytab_name != NULL || opts->use_client_keytab == 1) &&
-        opts->action != INIT_KT)
-    {
+        opts->action != INIT_KT) {
         opts->action = INIT_KT;
         fprintf(stderr, _("keytab specified, forcing -k\n"));
     }
-
     if (argc - optind > 1) {
         fprintf(stderr, _("Extra arguments (starting with \"%s\").\n"),
-                argv[optind+1]);
+                argv[optind + 1]);
         errflg++;
     }
 
-    if (errflg) {
+    if (errflg)
         usage();
-    }
 
-    opts->principal_name = (optind == argc-1) ? argv[optind] : 0;
+    opts->principal_name = (optind == argc - 1) ? argv[optind] : 0;
     return opts->principal_name;
 }
 
 static int
-k5_begin(opts, k5)
-    struct k_opts* opts;
-    struct k5_data* k5;
+k5_begin(struct k_opts *opts, struct k5_data *k5)
 {
-    krb5_error_code code = 0;
+    krb5_error_code ret;
     int success = 0;
     int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
     krb5_ccache defcache = NULL;
@@ -459,17 +436,17 @@ k5_begin(opts, k5)
     const char *deftype = NULL;
     char *defrealm, *name;
 
-    code = krb5_init_context(&k5->ctx);
-    if (code) {
-        com_err(progname, code, _("while initializing Kerberos 5 library"));
+    ret = krb5_init_context(&k5->ctx);
+    if (ret) {
+        com_err(progname, ret, _("while initializing Kerberos 5 library"));
         return 0;
     }
     errctx = k5->ctx;
 
     if (opts->k5_out_cache_name) {
-        code = krb5_cc_resolve(k5->ctx, opts->k5_out_cache_name, &k5->out_cc);
-        if (code != 0) {
-            com_err(progname, code, _("resolving ccache %s"),
+        ret = krb5_cc_resolve(k5->ctx, opts->k5_out_cache_name, &k5->out_cc);
+        if (ret) {
+            com_err(progname, ret, _("resolving ccache %s"),
                     opts->k5_out_cache_name);
             goto cleanup;
         }
@@ -480,9 +457,9 @@ k5_begin(opts, k5)
     } else {
         /* Resolve the default ccache and get its type and default principal
          * (if it is initialized). */
-        code = krb5_cc_default(k5->ctx, &defcache);
-        if (code) {
-            com_err(progname, code, _("while getting default ccache"));
+        ret = krb5_cc_default(k5->ctx, &defcache);
+        if (ret) {
+            com_err(progname, ret, _("while getting default ccache"));
             goto cleanup;
         }
         deftype = krb5_cc_get_type(k5->ctx, defcache);
@@ -493,59 +470,58 @@ k5_begin(opts, k5)
     /* Choose a client principal name. */
     if (opts->principal_name != NULL) {
         /* Use the specified principal name. */
-        code = krb5_parse_name_flags(k5->ctx, opts->principal_name, flags,
-                                     &k5->me);
-        if (code) {
-            com_err(progname, code, _("when parsing name %s"),
+        ret = krb5_parse_name_flags(k5->ctx, opts->principal_name, flags,
+                                    &k5->me);
+        if (ret) {
+            com_err(progname, ret, _("when parsing name %s"),
                     opts->principal_name);
             goto cleanup;
         }
     } else if (opts->anonymous) {
         /* Use the anonymous principal for the local realm. */
-        code = krb5_get_default_realm(k5->ctx, &defrealm);
-        if (code) {
-            com_err(progname, code, _("while getting default realm"));
+        ret = krb5_get_default_realm(k5->ctx, &defrealm);
+        if (ret) {
+            com_err(progname, ret, _("while getting default realm"));
             goto cleanup;
         }
-        code = krb5_build_principal_ext(k5->ctx, &k5->me,
-                                        strlen(defrealm), defrealm,
-                                        strlen(KRB5_WELLKNOWN_NAMESTR),
-                                        KRB5_WELLKNOWN_NAMESTR,
-                                        strlen(KRB5_ANONYMOUS_PRINCSTR),
-                                        KRB5_ANONYMOUS_PRINCSTR,
-                                        0);
+        ret = krb5_build_principal_ext(k5->ctx, &k5->me,
+                                       strlen(defrealm), defrealm,
+                                       strlen(KRB5_WELLKNOWN_NAMESTR),
+                                       KRB5_WELLKNOWN_NAMESTR,
+                                       strlen(KRB5_ANONYMOUS_PRINCSTR),
+                                       KRB5_ANONYMOUS_PRINCSTR, 0);
         krb5_free_default_realm(k5->ctx, defrealm);
-        if (code) {
-            com_err(progname, code, _("while building principal"));
+        if (ret) {
+            com_err(progname, ret, _("while building principal"));
             goto cleanup;
         }
     } else if (opts->action == INIT_KT && opts->use_client_keytab) {
         /* Use the first entry from the client keytab. */
-        code = krb5_kt_client_default(k5->ctx, &keytab);
-        if (code) {
-            com_err(progname, code,
+        ret = krb5_kt_client_default(k5->ctx, &keytab);
+        if (ret) {
+            com_err(progname, ret,
                     _("When resolving the default client keytab"));
             goto cleanup;
         }
-        code = k5_kt_get_principal(k5->ctx, keytab, &k5->me);
+        ret = k5_kt_get_principal(k5->ctx, keytab, &k5->me);
         krb5_kt_close(k5->ctx, keytab);
-        if (code) {
-            com_err(progname, code,
+        if (ret) {
+            com_err(progname, ret,
                     _("When determining client principal name from keytab"));
             goto cleanup;
         }
     } else if (opts->action == INIT_KT) {
         /* Use the default host/service name. */
-        code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST,
-                                       &k5->me);
-        if (code) {
-            com_err(progname, code,
+        ret = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST,
+                                      &k5->me);
+        if (ret) {
+            com_err(progname, ret,
                     _("when creating default server principal name"));
             goto cleanup;
         }
         if (k5->me->realm.data[0] == 0) {
-            code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
-            if (code == 0) {
+            ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+            if (ret == 0) {
                 com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
                         _("(principal %s)"), k5->name);
             } else {
@@ -574,23 +550,22 @@ k5_begin(opts, k5)
             fprintf(stderr, _("Unable to identify user\n"));
             goto cleanup;
         }
-        code = krb5_parse_name_flags(k5->ctx, name, flags, &k5->me);
-        if (code) {
-            com_err(progname, code, _("when parsing name %s"),
-                    name);
+        ret = krb5_parse_name_flags(k5->ctx, name, flags, &k5->me);
+        if (ret) {
+            com_err(progname, ret, _("when parsing name %s"), name);
             goto cleanup;
         }
     }
 
     if (k5->out_cc == NULL && krb5_cc_support_switch(k5->ctx, deftype)) {
         /* Use an existing cache for the client principal if we can. */
-        code = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc);
-        if (code != 0 && code != KRB5_CC_NOTFOUND) {
-            com_err(progname, code, _("while searching for ccache for %s"),
+        ret = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc);
+        if (ret && ret != KRB5_CC_NOTFOUND) {
+            com_err(progname, ret, _("while searching for ccache for %s"),
                     opts->principal_name);
             goto cleanup;
         }
-        if (code == 0) {
+        if (!ret) {
             if (opts->verbose) {
                 fprintf(stderr, _("Using existing cache: %s\n"),
                         krb5_cc_get_name(k5->ctx, k5->out_cc));
@@ -599,9 +574,9 @@ k5_begin(opts, k5)
         } else if (defcache_princ != NULL) {
             /* Create a new cache to avoid overwriting the initialized default
              * cache. */
-            code = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc);
-            if (code) {
-                com_err(progname, code, _("while generating new ccache"));
+            ret = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc);
+            if (ret) {
+                com_err(progname, ret, _("while generating new ccache"));
                 goto cleanup;
             }
             if (opts->verbose) {
@@ -623,9 +598,9 @@ k5_begin(opts, k5)
     }
 
     if (opts->k5_in_cache_name) {
-        code = krb5_cc_resolve(k5->ctx, opts->k5_in_cache_name, &k5->in_cc);
-        if (code != 0) {
-            com_err(progname, code, _("resolving ccache %s"),
+        ret = krb5_cc_resolve(k5->ctx, opts->k5_in_cache_name, &k5->in_cc);
+        if (ret) {
+            com_err(progname, ret, _("resolving ccache %s"),
                     opts->k5_in_cache_name);
             goto cleanup;
         }
@@ -635,10 +610,9 @@ k5_begin(opts, k5)
         }
     }
 
-
-    code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
-    if (code) {
-        com_err(progname, code, _("when unparsing name"));
+    ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+    if (ret) {
+        com_err(progname, ret, _("when unparsing name"));
         goto cleanup;
     }
     if (opts->verbose)
@@ -656,33 +630,22 @@ cleanup:
 }
 
 static void
-k5_end(k5)
-    struct k5_data* k5;
+k5_end(struct k5_data *k5)
 {
-    if (k5->name)
-        krb5_free_unparsed_name(k5->ctx, k5->name);
-    if (k5->me)
-        krb5_free_principal(k5->ctx, k5->me);
-    if (k5->in_cc)
+    krb5_free_unparsed_name(k5->ctx, k5->name);
+    krb5_free_principal(k5->ctx, k5->me);
+    if (k5->in_cc != NULL)
         krb5_cc_close(k5->ctx, k5->in_cc);
-    if (k5->out_cc)
+    if (k5->out_cc != NULL)
         krb5_cc_close(k5->ctx, k5->out_cc);
-    if (k5->ctx)
-        krb5_free_context(k5->ctx);
+    krb5_free_context(k5->ctx);
     errctx = NULL;
     memset(k5, 0, sizeof(*k5));
 }
 
-static krb5_error_code
-KRB5_CALLCONV
-kinit_prompter(
-    krb5_context ctx,
-    void *data,
-    const char *name,
-    const char *banner,
-    int num_prompts,
-    krb5_prompt prompts[]
-)
+static krb5_error_code KRB5_CALLCONV
+kinit_prompter(krb5_context ctx, void *data, const char *name,
+               const char *banner, int num_prompts, krb5_prompt prompts[])
 {
     krb5_boolean *pwprompt = data;
     krb5_prompt_type *ptypes;
@@ -694,34 +657,27 @@ kinit_prompter(
         if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
             *pwprompt = TRUE;
     }
-
     return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
 }
 
 static int
-k5_kinit(opts, k5)
-    struct k_opts* opts;
-    struct k5_data* k5;
+k5_kinit(struct k_opts *opts, struct k5_data *k5)
 {
     int notix = 1;
     krb5_keytab keytab = 0;
     krb5_creds my_creds;
-    krb5_error_code code = 0;
+    krb5_error_code ret;
     krb5_get_init_creds_opt *options = NULL;
     krb5_boolean pwprompt = FALSE;
+    krb5_address **addresses = NULL;
     int i;
 
     memset(&my_creds, 0, sizeof(my_creds));
 
-    code = krb5_get_init_creds_opt_alloc(k5->ctx, &options);
-    if (code)
+    ret = krb5_get_init_creds_opt_alloc(k5->ctx, &options);
+    if (ret)
         goto cleanup;
 
-    /*
-      From this point on, we can goto cleanup because my_creds is
-      initialized.
-    */
-
     if (opts->lifetime)
         krb5_get_init_creds_opt_set_tkt_life(options, opts->lifetime);
     if (opts->rlife)
@@ -738,63 +694,61 @@ k5_kinit(opts, k5)
         krb5_get_init_creds_opt_set_canonicalize(options, 1);
     if (opts->anonymous)
         krb5_get_init_creds_opt_set_anonymous(options, 1);
-    if (opts->addresses)
-    {
-        krb5_address **addresses = NULL;
-        code = krb5_os_localaddr(k5->ctx, &addresses);
-        if (code != 0) {
-            com_err(progname, code, _("getting local addresses"));
+    if (opts->addresses) {
+        ret = krb5_os_localaddr(k5->ctx, &addresses);
+        if (ret) {
+            com_err(progname, ret, _("getting local addresses"));
             goto cleanup;
         }
         krb5_get_init_creds_opt_set_address_list(options, addresses);
     }
     if (opts->no_addresses)
         krb5_get_init_creds_opt_set_address_list(options, NULL);
-    if (opts->armor_ccache)
-        krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);
+    if (opts->armor_ccache != NULL) {
+        krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options,
+                                                     opts->armor_ccache);
+    }
     if (opts->request_pac)
         krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, TRUE);
     if (opts->not_request_pac)
         krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, FALSE);
 
 
-    if ((opts->action == INIT_KT) && opts->keytab_name)
-    {
+    if (opts->action == INIT_KT && opts->keytab_name != NULL) {
 #ifndef _WIN32
         if (strncmp(opts->keytab_name, "KDB:", 4) == 0) {
-            code = kinit_kdb_init(&k5->ctx,
-                                  krb5_princ_realm(k5->ctx, k5->me)->data);
-            if (code != 0) {
-                com_err(progname, code,
+            ret = kinit_kdb_init(&k5->ctx, k5->me->realm.data);
+            if (ret) {
+                com_err(progname, ret,
                         _("while setting up KDB keytab for realm %s"),
-                        krb5_princ_realm(k5->ctx, k5->me)->data);
+                        k5->me->realm.data);
                 goto cleanup;
             }
         }
 #endif
 
-        code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
-        if (code != 0) {
-            com_err(progname, code, _("resolving keytab %s"),
+        ret = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
+        if (ret) {
+            com_err(progname, ret, _("resolving keytab %s"),
                     opts->keytab_name);
             goto cleanup;
         }
         if (opts->verbose)
             fprintf(stderr, _("Using keytab: %s\n"), opts->keytab_name);
     } else if (opts->action == INIT_KT && opts->use_client_keytab) {
-        code = krb5_kt_client_default(k5->ctx, &keytab);
-        if (code != 0) {
-            com_err(progname, code, _("resolving default client keytab"));
+        ret = krb5_kt_client_default(k5->ctx, &keytab);
+        if (ret) {
+            com_err(progname, ret, _("resolving default client keytab"));
             goto cleanup;
         }
     }
 
     for (i = 0; i < opts->num_pa_opts; i++) {
-        code = krb5_get_init_creds_opt_set_pa(k5->ctx, options,
-                                              opts->pa_opts[i].attr,
-                                              opts->pa_opts[i].value);
-        if (code != 0) {
-            com_err(progname, code, _("while setting '%s'='%s'"),
+        ret = krb5_get_init_creds_opt_set_pa(k5->ctx, options,
+                                             opts->pa_opts[i].attr,
+                                             opts->pa_opts[i].value);
+        if (ret) {
+            com_err(progname, ret, _("while setting '%s'='%s'"),
                     opts->pa_opts[i].attr, opts->pa_opts[i].value);
             goto cleanup;
         }
@@ -804,43 +758,39 @@ k5_kinit(opts, k5)
         }
     }
     if (k5->in_cc) {
-        code = krb5_get_init_creds_opt_set_in_ccache(k5->ctx, options,
-                                                     k5->in_cc);
-        if (code)
+        ret = krb5_get_init_creds_opt_set_in_ccache(k5->ctx, options,
+                                                    k5->in_cc);
+        if (ret)
             goto cleanup;
     }
-    code = krb5_get_init_creds_opt_set_out_ccache(k5->ctx, options,
-                                                  k5->out_cc);
-    if (code)
+    ret = krb5_get_init_creds_opt_set_out_ccache(k5->ctx, options, k5->out_cc);
+    if (ret)
         goto cleanup;
 
     switch (opts->action) {
     case INIT_PW:
-        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
-                                            0, kinit_prompter, &pwprompt,
-                                            opts->starttime,
-                                            opts->service_name,
-                                            options);
+        ret = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, 0,
+                                           kinit_prompter, &pwprompt,
+                                           opts->starttime, opts->service_name,
+                                           options);
         break;
     case INIT_KT:
-        code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me,
-                                          keytab,
-                                          opts->starttime,
-                                          opts->service_name,
-                                          options);
+        ret = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, keytab,
+                                         opts->starttime, opts->service_name,
+                                         options);
         break;
     case VALIDATE:
-        code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->out_cc,
-                                        opts->service_name);
+        ret = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->out_cc,
+                                       opts->service_name);
         break;
     case RENEW:
-        code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->out_cc,
-                                      opts->service_name);
+        ret = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->out_cc,
+                                     opts->service_name);
         break;
     }
 
-    if (code) {
-        char *doing = 0;
+    if (ret) {
+        char *doing = NULL;
         switch (opts->action) {
         case INIT_PW:
         case INIT_KT:
@@ -856,41 +806,40 @@ k5_kinit(opts, k5)
 
         /* If reply decryption failed, or if pre-authentication failed and we
          * were prompted for a password, assume the password was wrong. */
-        if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
-            (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
+        if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+            (pwprompt && ret == KRB5KDC_ERR_PREAUTH_FAILED)) {
             fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
                     doing);
         } else {
-            com_err(progname, code, _("while %s"), doing);
+            com_err(progname, ret, _("while %s"), doing);
         }
         goto cleanup;
     }
 
-    if ((opts->action != INIT_PW) && (opts->action != INIT_KT)) {
-        code = krb5_cc_initialize(k5->ctx, k5->out_cc, opts->canonicalize ?
-                                  my_creds.client : k5->me);
-        if (code) {
-            com_err(progname, code, _("when initializing cache %s"),
-                    opts->k5_out_cache_name?opts->k5_out_cache_name:"");
+    if (opts->action != INIT_PW && opts->action != INIT_KT) {
+        ret = krb5_cc_initialize(k5->ctx, k5->out_cc, opts->canonicalize ?
+                                 my_creds.client : k5->me);
+        if (ret) {
+            com_err(progname, ret, _("when initializing cache %s"),
+                    opts->k5_out_cache_name ? opts->k5_out_cache_name : "");
             goto cleanup;
         }
         if (opts->verbose)
             fprintf(stderr, _("Initialized cache\n"));
 
-        code = krb5_cc_store_cred(k5->ctx, k5->out_cc, &my_creds);
-        if (code) {
-            com_err(progname, code, _("while storing credentials"));
+        ret = krb5_cc_store_cred(k5->ctx, k5->out_cc, &my_creds);
+        if (ret) {
+            com_err(progname, ret, _("while storing credentials"));
             goto cleanup;
         }
         if (opts->verbose)
             fprintf(stderr, _("Stored credentials\n"));
     }
     notix = 0;
-
     if (k5->switch_to_cache) {
-        code = krb5_cc_switch(k5->ctx, k5->out_cc);
-        if (code) {
-            com_err(progname, code, _("while switching to new ccache"));
+        ret = krb5_cc_switch(k5->ctx, k5->out_cc);
+        if (ret) {
+            com_err(progname, ret, _("while switching to new ccache"));
             goto cleanup;
         }
     }
@@ -901,24 +850,21 @@ cleanup:
 #endif
     if (options)
         krb5_get_init_creds_opt_free(k5->ctx, options);
-    if (my_creds.client == k5->me) {
+    if (my_creds.client == k5->me)
         my_creds.client = 0;
-    }
     if (opts->pa_opts) {
         free(opts->pa_opts);
         opts->pa_opts = NULL;
         opts->num_pa_opts = 0;
     }
     krb5_free_cred_contents(k5->ctx, &my_creds);
-    if (keytab)
+    if (keytab != NULL)
         krb5_kt_close(k5->ctx, keytab);
-    return notix?0:1;
+    return notix ? 0 : 1;
 }
 
 int
-main(argc, argv)
-    int argc;
-    char **argv;
+main(int argc, char *argv[])
 {
     struct k_opts opts;
     struct k5_data k5;
@@ -928,11 +874,11 @@ main(argc, argv)
     progname = GET_PROGNAME(argv[0]);
 
     /* Ensure we can be driven from a pipe */
-    if(!isatty(fileno(stdin)))
+    if (!isatty(fileno(stdin)))
         setvbuf(stdin, 0, _IONBF, 0);
-    if(!isatty(fileno(stdout)))
+    if (!isatty(fileno(stdout)))
         setvbuf(stdout, 0, _IONBF, 0);
-    if(!isatty(fileno(stderr)))
+    if (!isatty(fileno(stderr)))
         setvbuf(stderr, 0, _IONBF, 0);
 
     memset(&opts, 0, sizeof(opts));
@@ -940,7 +886,7 @@ main(argc, argv)
 
     memset(&k5, 0, sizeof(k5));
 
-    set_com_err_hook (extended_com_err_fn);
+    set_com_err_hook(extended_com_err_fn);
 
     parse_options(argc, argv, &opts);
 
diff --git a/src/clients/kinit/kinit_kdb.c b/src/clients/kinit/kinit_kdb.c
index 47baf9010a7b..fbd174bf0c45 100644
--- a/src/clients/kinit/kinit_kdb.c
+++ b/src/clients/kinit/kinit_kdb.c
@@ -36,38 +36,36 @@
 #include <kdb.h>
 #include "extern.h"
 
-/** Server handle */
+/* Server handle */
 static void *server_handle;
 
-/**
- * @internal  Initialize KDB for given realm
- * @param context pointer to context that will be re-initialized
- * @@param realm name of realm to initialize
- */
+/* Free and reinitialize *pcontext with the KDB opened to the given realm, so
+ * that it can be used with the KDB keytab type. */
 krb5_error_code
 kinit_kdb_init(krb5_context *pcontext, char *realm)
 {
     kadm5_config_params config;
-    krb5_error_code retval = 0;
+    krb5_error_code ret;
 
     if (*pcontext) {
         krb5_free_context(*pcontext);
         *pcontext = NULL;
     }
     memset(&config, 0, sizeof config);
-    retval = kadm5_init_krb5_context(pcontext);
-    if (retval)
-        return retval;
+
+    ret = kadm5_init_krb5_context(pcontext);
+    if (ret)
+        return ret;
+
     config.mask = KADM5_CONFIG_REALM;
     config.realm = realm;
-    retval = kadm5_init(*pcontext, "kinit", NULL /*pass*/,
-                        "kinit", &config,
-                        KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
-                        &server_handle);
-    if (retval)
-        return retval;
-    retval = krb5_db_register_keytab(*pcontext);
-    return retval;
+    ret = kadm5_init(*pcontext, "kinit", NULL, "kinit", &config,
+                     KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
+                     &server_handle);
+    if (ret)
+        return ret;
+
+    return krb5_db_register_keytab(*pcontext);
 }
 
 void
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index ba19788a25c4..e9e76d8f3be6 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -32,13 +32,14 @@
 #include <string.h>
 #include <stdio.h>
 #include <time.h>
+
 /* Need definition of INET6 before network headers, for IRIX.  */
 #if defined(HAVE_ARPA_INET_H)
 #include <arpa/inet.h>
 #endif
 
 #ifndef _WIN32
-#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x))
 #else
 #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
 #endif
@@ -56,34 +57,33 @@ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
 int show_config = 0;
 char *defname;
 char *progname;
-krb5_int32 now;
+krb5_timestamp now;
 unsigned int timestamp_width;
 
-krb5_context kcontext;
+krb5_context context;
 
-krb5_boolean is_local_tgt (krb5_principal princ, krb5_data *realm);
-char * etype_string (krb5_enctype );
-void show_credential (krb5_creds *);
+static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm);
+static char *etype_string(krb5_enctype );
+static void show_credential(krb5_creds *);
 
-void list_all_ccaches (void);
-int list_ccache (krb5_ccache);
-void show_all_ccaches (void);
-void do_ccache_name (char *);
-int show_ccache (krb5_ccache);
-int check_ccache (krb5_ccache);
-void do_keytab (char *);
-void printtime (time_t);
-void one_addr (krb5_address *);
-void fillit (FILE *, unsigned int, int);
+static void list_all_ccaches(void);
+static int list_ccache(krb5_ccache);
+static void show_all_ccaches(void);
+static void do_ccache(void);
+static int show_ccache(krb5_ccache);
+static int check_ccache(krb5_ccache);
+static void do_keytab(const char *);
+static void printtime(krb5_timestamp);
+static void one_addr(krb5_address *);
+static void fillit(FILE *, unsigned int, int);
 
 #define DEFAULT 0
 #define CCACHE 1
 #define KEYTAB 2
 
-static void usage()
+static void
+usage()
 {
-#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
-
     fprintf(stderr, _("Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] "
                       "[-a [-n]]] [-k [-t] [-K]] [name]\n"), progname);
     fprintf(stderr, _("\t-c specifies credentials cache\n"));
@@ -114,21 +114,19 @@ extended_com_err_fn(const char *prog, errcode_t code, const char *fmt,
 {
     const char *msg;
 
-    msg = krb5_get_error_message(kcontext, code);
+    msg = krb5_get_error_message(context, code);
     fprintf(stderr, "%s: %s%s", prog, msg, (*fmt == '\0') ? "" : " ");
-    krb5_free_error_message(kcontext, msg);
+    krb5_free_error_message(context, msg);
     vfprintf(stderr, fmt, args);
     fprintf(stderr, "\n");
 }
 
 int
-main(argc, argv)
-    int argc;
-    char **argv;
+main(int argc, char *argv[])
 {
-    int c;
-    char *name;
-    int mode;
+    krb5_error_code ret;
+    char *name, tmp[BUFSIZ];
+    int c, mode;
 
     setlocale(LC_ALL, "");
     progname = GET_PROGNAME(argv[0]);
@@ -136,7 +134,7 @@ main(argc, argv)
 
     name = NULL;
     mode = DEFAULT;
-    /* V=version so v can be used for verbose later if desired.  */
+    /* V = version so v can be used for verbose later if desired. */
     while ((c = getopt(argc, argv, "dfetKsnacki45lAVC")) != -1) {
         switch (c) {
         case 'd':
@@ -164,11 +162,13 @@ main(argc, argv)
             show_addresses = 1;
             break;
         case 'c':
-            if (mode != DEFAULT) usage();
+            if (mode != DEFAULT)
+                usage();
             mode = CCACHE;
             break;
         case 'k':
-            if (mode != DEFAULT) usage();
+            if (mode != DEFAULT)
+                usage();
             mode = KEYTAB;
             break;
         case 'i':
@@ -198,9 +198,8 @@ main(argc, argv)
         }
     }
 
-    if (no_resolve && !show_addresses) {
+    if (no_resolve && !show_addresses)
         usage();
-    }
 
     if (mode == DEFAULT || mode == CCACHE) {
         if (show_time || show_keys)
@@ -215,7 +214,7 @@ main(argc, argv)
 
     if (argc - optind > 1) {
         fprintf(stderr, _("Extra arguments (starting with \"%s\").\n"),
-                argv[optind+1]);
+                argv[optind + 1]);
         usage();
     }
 
@@ -228,77 +227,82 @@ main(argc, argv)
         exit(0);
     }
 
-    name = (optind == argc-1) ? argv[optind] : 0;
-
+    name = (optind == argc - 1) ? argv[optind] : NULL;
     now = time(0);
-    {
-        char tmp[BUFSIZ];
 
-        if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) ||
-            !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp),
-                                        (char *) NULL))
-            timestamp_width = (int) strlen(tmp);
-        else
-            timestamp_width = 15;
+    if (!krb5_timestamp_to_sfstring(now, tmp, 20, NULL) ||
+        !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), NULL))
+        timestamp_width = (int)strlen(tmp);
+    else
+        timestamp_width = 15;
+
+    ret = krb5_init_context(&context);
+    if (ret) {
+        com_err(progname, ret, _("while initializing krb5"));
+        exit(1);
     }
 
-    {
-        krb5_error_code retval;
-        retval = krb5_init_context(&kcontext);
-        if (retval) {
-            com_err(progname, retval, _("while initializing krb5"));
+    if (name != NULL && mode != KEYTAB) {
+        ret = krb5_cc_set_default_name(context, name);
+        if (ret) {
+            com_err(progname, ret, _("while setting default cache name"));
             exit(1);
         }
-
-        if (list_all)
-            list_all_ccaches();
-        else if (show_all)
-            show_all_ccaches();
-        else if (mode == DEFAULT || mode == CCACHE)
-            do_ccache_name(name);
-        else
-            do_keytab(name);
     }
 
+    if (list_all)
+        list_all_ccaches();
+    else if (show_all)
+        show_all_ccaches();
+    else if (mode == DEFAULT || mode == CCACHE)
+        do_ccache();
+    else
+        do_keytab(name);
     return 0;
 }
 
-void do_keytab(name)
-    char *name;
+static void
+do_keytab(const char *name)
 {
+    krb5_error_code ret;
     krb5_keytab kt;
     krb5_keytab_entry entry;
     krb5_kt_cursor cursor;
-    char buf[BUFSIZ]; /* hopefully large enough for any type */
+    unsigned int i;
+    char buf[BUFSIZ]; /* Hopefully large enough for any type */
     char *pname;
-    int code;
 
     if (name == NULL && use_client_keytab) {
-        if ((code = krb5_kt_client_default(kcontext, &kt))) {
-            com_err(progname, code, _("while getting default client keytab"));
+        ret = krb5_kt_client_default(context, &kt);
+        if (ret) {
+            com_err(progname, ret, _("while getting default client keytab"));
             exit(1);
         }
     } else if (name == NULL) {
-        if ((code = krb5_kt_default(kcontext, &kt))) {
-            com_err(progname, code, _("while getting default keytab"));
+        ret = krb5_kt_default(context, &kt);
+        if (ret) {
+            com_err(progname, ret, _("while getting default keytab"));
             exit(1);
         }
     } else {
-        if ((code = krb5_kt_resolve(kcontext, name, &kt))) {
-            com_err(progname, code, _("while resolving keytab %s"), name);
+        ret = krb5_kt_resolve(context, name, &kt);
+        if (ret) {
+            com_err(progname, ret, _("while resolving keytab %s"), name);
             exit(1);
         }
     }
 
-    if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) {
-        com_err(progname, code, _("while getting keytab name"));
+    ret = krb5_kt_get_name(context, kt, buf, BUFSIZ);
+    if (ret) {
+        com_err(progname, ret, _("while getting keytab name"));
         exit(1);
     }
 
     printf("Keytab name: %s\n", buf);
 
-    if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) {
-        com_err(progname, code, _("while starting keytab scan"));
+    ret = krb5_kt_start_seq_get(context, kt, &cursor);
+    if (ret) {
+        com_err(progname, ret, _("while starting keytab scan"));
         exit(1);
     }
 
@@ -314,12 +318,14 @@ void do_keytab(name)
         printf("\n");
     } else {
         printf("KVNO Principal\n");
-        printf("---- --------------------------------------------------------------------------\n");
+        printf("---- ------------------------------------------------"
+               "--------------------------\n");
     }
 
-    while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
-        if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
-            com_err(progname, code, _("while unparsing principal name"));
+    while ((ret = krb5_kt_next_entry(context, kt, &entry, &cursor)) == 0) {
+        ret = krb5_unparse_name(context, entry.principal, &pname);
+        if (ret) {
+            com_err(progname, ret, _("while unparsing principal name"));
             exit(1);
         }
         printf("%4d ", entry.vno);
@@ -332,40 +338,38 @@ void do_keytab(name)
             printf(" (%s) " , etype_string(entry.key.enctype));
         if (show_keys) {
             printf(" (0x");
-            {
-                unsigned int i;
-                for (i = 0; i < entry.key.length; i++)
-                    printf("%02x", entry.key.contents[i]);
-            }
+            for (i = 0; i < entry.key.length; i++)
+                printf("%02x", entry.key.contents[i]);
             printf(")");
         }
         printf("\n");
-        krb5_free_unparsed_name(kcontext, pname);
-        krb5_free_keytab_entry_contents(kcontext, &entry);
+        krb5_free_unparsed_name(context, pname);
+        krb5_free_keytab_entry_contents(context, &entry);
     }
-    if (code && code != KRB5_KT_END) {
-        com_err(progname, code, _("while scanning keytab"));
+    if (ret && ret != KRB5_KT_END) {
+        com_err(progname, ret, _("while scanning keytab"));
         exit(1);
     }
-    if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) {
-        com_err(progname, code, _("while ending keytab scan"));
+    ret = krb5_kt_end_seq_get(context, kt, &cursor);
+    if (ret) {
+        com_err(progname, ret, _("while ending keytab scan"));
         exit(1);
     }
     exit(0);
 }
 
-void
-list_all_ccaches(void)
+static void
+list_all_ccaches()
 {
-    krb5_error_code code;
+    krb5_error_code ret;
     krb5_ccache cache;
     krb5_cccol_cursor cursor;
     int exit_status;
 
-    code = krb5_cccol_cursor_new(kcontext, &cursor);
-    if (code) {
+    ret = krb5_cccol_cursor_new(context, &cursor);
+    if (ret) {
         if (!status_only)
-            com_err(progname, code, _("while listing ccache collection"));
+            com_err(progname, ret, _("while listing ccache collection"));
         exit(1);
     }
 
@@ -373,31 +377,31 @@ list_all_ccaches(void)
     printf("%-30s %s\n", "Principal name", "Cache name");
     printf("%-30s %s\n", "--------------", "----------");
     exit_status = 1;
-    while (!(code = krb5_cccol_cursor_next(kcontext, cursor, &cache)) &&
+    while ((ret = krb5_cccol_cursor_next(context, cursor, &cache)) == 0 &&
            cache != NULL) {
         exit_status = list_ccache(cache) && exit_status;
-        krb5_cc_close(kcontext, cache);
+        krb5_cc_close(context, cache);
     }
-    krb5_cccol_cursor_free(kcontext, &cursor);
+    krb5_cccol_cursor_free(context, &cursor);
     exit(exit_status);
 }
 
-int
+static int
 list_ccache(krb5_ccache cache)
 {
-    krb5_error_code code;
+    krb5_error_code ret;
     krb5_principal princ = NULL;
     char *princname = NULL, *ccname = NULL;
     int expired, status = 1;
 
-    code = krb5_cc_get_principal(kcontext, cache, &princ);
-    if (code)                   /* Uninitialized cache file, probably. */
+    ret = krb5_cc_get_principal(context, cache, &princ);
+    if (ret)                    /* Uninitialized cache file, probably. */
         goto cleanup;
-    code = krb5_unparse_name(kcontext, princ, &princname);
-    if (code)
+    ret = krb5_unparse_name(context, princ, &princname);
+    if (ret)
         goto cleanup;
-    code = krb5_cc_get_full_name(kcontext, cache, &ccname);
-    if (code)
+    ret = krb5_cc_get_full_name(context, cache, &ccname);
+    if (ret)
         goto cleanup;
 
     expired = check_ccache(cache);
@@ -408,87 +412,82 @@ list_ccache(krb5_ccache cache)
     printf("\n");
 
     status = 0;
+
 cleanup:
-    krb5_free_principal(kcontext, princ);
-    krb5_free_unparsed_name(kcontext, princname);
-    krb5_free_string(kcontext, ccname);
+    krb5_free_principal(context, princ);
+    krb5_free_unparsed_name(context, princname);
+    krb5_free_string(context, ccname);
     return status;
 }
 
-void
+static void
 show_all_ccaches(void)
 {
-    krb5_error_code code;
+    krb5_error_code ret;
     krb5_ccache cache;
     krb5_cccol_cursor cursor;
     krb5_boolean first;
     int exit_status, st;
 
-    code = krb5_cccol_cursor_new(kcontext, &cursor);
-    if (code) {
+    ret = krb5_cccol_cursor_new(context, &cursor);
+    if (ret) {
         if (!status_only)
-            com_err(progname, code, _("while listing ccache collection"));
+            com_err(progname, ret, _("while listing ccache collection"));
         exit(1);
     }
     exit_status = 1;
     first = TRUE;
-    while (!(code = krb5_cccol_cursor_next(kcontext, cursor, &cache)) &&
+    while ((ret = krb5_cccol_cursor_next(context, cursor, &cache)) == 0 &&
            cache != NULL) {
         if (!status_only && !first)
             printf("\n");
         first = FALSE;
         st = status_only ? check_ccache(cache) : show_ccache(cache);
         exit_status = st && exit_status;
-        krb5_cc_close(kcontext, cache);
+        krb5_cc_close(context, cache);
     }
-    krb5_cccol_cursor_free(kcontext, &cursor);
+    krb5_cccol_cursor_free(context, &cursor);
     exit(exit_status);
 }
 
-void
-do_ccache_name(char *name)
+static void
+do_ccache()
 {
-    krb5_error_code code;
+    krb5_error_code ret;
     krb5_ccache cache;
 
-    if (name == NULL) {
-        if ((code = krb5_cc_default(kcontext, &cache))) {
-            if (!status_only)
-                com_err(progname, code, _("while getting default ccache"));
-            exit(1);
-        }
-    } else {
-        if ((code = krb5_cc_resolve(kcontext, name, &cache))) {
-            if (!status_only)
-                com_err(progname, code, _("while resolving ccache %s"),
-                        name);
-            exit(1);
-        }
+    ret = krb5_cc_default(context, &cache);
+    if (ret) {
+        if (!status_only)
+            com_err(progname, ret, _("while resolving ccache"));
+        exit(1);
     }
     exit(status_only ? check_ccache(cache) : show_ccache(cache));
 }
 
 /* Display the contents of cache. */
-int
+static int
 show_ccache(krb5_ccache cache)
 {
     krb5_cc_cursor cur;
     krb5_creds creds;
     krb5_principal princ;
-    krb5_error_code code;
+    krb5_error_code ret;
 
-    if ((code = krb5_cc_get_principal(kcontext, cache, &princ))) {
-        com_err(progname, code, "");
+    ret = krb5_cc_get_principal(context, cache, &princ);
+    if (ret) {
+        com_err(progname, ret, "");
         return 1;
     }
-    if ((code = krb5_unparse_name(kcontext, princ, &defname))) {
-        com_err(progname, code, _("while unparsing principal name"));
+    ret = krb5_unparse_name(context, princ, &defname);
+    if (ret) {
+        com_err(progname, ret, _("while unparsing principal name"));
         return 1;
     }
 
     printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
-           krb5_cc_get_type(kcontext, cache),
-           krb5_cc_get_name(kcontext, cache), defname);
+           krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
+           defname);
     /* XXX Translating would disturb table alignment; skip for now. */
     fputs("Valid starting", stdout);
     fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
@@ -496,32 +495,34 @@ show_ccache(krb5_ccache cache)
     fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
     fputs("Service principal\n", stdout);
 
-    if ((code = krb5_cc_start_seq_get(kcontext, cache, &cur))) {
-        com_err(progname, code, _("while starting to retrieve tickets"));
+    ret = krb5_cc_start_seq_get(context, cache, &cur);
+    if (ret) {
+        com_err(progname, ret, _("while starting to retrieve tickets"));
         return 1;
     }
-    while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
-        if (show_config || !krb5_is_config_principal(kcontext, creds.server))
+    while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
+        if (show_config || !krb5_is_config_principal(context, creds.server))
             show_credential(&creds);
-        krb5_free_cred_contents(kcontext, &creds);
+        krb5_free_cred_contents(context, &creds);
     }
-    krb5_free_principal(kcontext, princ);
-    krb5_free_unparsed_name(kcontext, defname);
+    krb5_free_principal(context, princ);
+    krb5_free_unparsed_name(context, defname);
     defname = NULL;
-    if (code == KRB5_CC_END) {
-        if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) {
-            com_err(progname, code, _("while finishing ticket retrieval"));
+    if (ret == KRB5_CC_END) {
+        ret = krb5_cc_end_seq_get(context, cache, &cur);
+        if (ret) {
+            com_err(progname, ret, _("while finishing ticket retrieval"));
             return 1;
         }
         return 0;
     } else {
-        com_err(progname, code, _("while retrieving a ticket"));
+        com_err(progname, ret, _("while retrieving a ticket"));
         return 1;
     }
 }
 
 /* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
-int
+static int
 check_ccache(krb5_ccache cache)
 {
     krb5_error_code ret;
@@ -530,26 +531,26 @@ check_ccache(krb5_ccache cache)
     krb5_principal princ;
     krb5_boolean found_tgt, found_current_tgt, found_current_cred;
 
-    if (krb5_cc_get_principal(kcontext, cache, &princ) != 0)
+    if (krb5_cc_get_principal(context, cache, &princ) != 0)
         return 1;
-    if (krb5_cc_start_seq_get(kcontext, cache, &cur) != 0)
+    if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
         return 1;
     found_tgt = found_current_tgt = found_current_cred = FALSE;
-    while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
+    while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
         if (is_local_tgt(creds.server, &princ->realm)) {
             found_tgt = TRUE;
-            if (creds.times.endtime > now)
+            if (ts_after(creds.times.endtime, now))
                 found_current_tgt = TRUE;
-        } else if (!krb5_is_config_principal(kcontext, creds.server) &&
-                   creds.times.endtime > now) {
+        } else if (!krb5_is_config_principal(context, creds.server) &&
+                   ts_after(creds.times.endtime, now)) {
             found_current_cred = TRUE;
         }
-        krb5_free_cred_contents(kcontext, &creds);
+        krb5_free_cred_contents(context, &creds);
     }
-    krb5_free_principal(kcontext, princ);
+    krb5_free_principal(context, princ);
     if (ret != KRB5_CC_END)
         return 1;
-    if (krb5_cc_end_seq_get(kcontext, cache, &cur) != 0)
+    if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
         return 1;
 
     /* If the cache contains at least one local TGT, require that it be
@@ -560,7 +561,7 @@ check_ccache(krb5_ccache cache)
 }
 
 /* Return true if princ is the local krbtgt principal for local_realm. */
-krb5_boolean
+static krb5_boolean
 is_local_tgt(krb5_principal princ, krb5_data *realm)
 {
     return princ->length == 2 && data_eq(princ->realm, *realm) &&
@@ -568,24 +569,20 @@ is_local_tgt(krb5_principal princ, krb5_data *realm)
         data_eq(princ->data[1], *realm);
 }
 
-char *
-etype_string(enctype)
-    krb5_enctype enctype;
+static char *
+etype_string(krb5_enctype enctype)
 {
     static char buf[100];
-    krb5_error_code retval;
+    krb5_error_code ret;
 
-    if ((retval = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf)))) {
-        /* XXX if there's an error != EINVAL, I should probably report it */
+    ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf));
+    if (ret)
         snprintf(buf, sizeof(buf), "etype %d", enctype);
-    }
-
     return buf;
 }
 
 static char *
-flags_string(cred)
-    register krb5_creds *cred;
+flags_string(krb5_creds *cred)
 {
     static char buf[32];
     int i = 0;
@@ -615,27 +612,21 @@ flags_string(cred)
     if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
         buf[i++] = 'T';
     if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)
-        buf[i++] = 'O';         /* D/d are taken.  Use short strings?  */
+        buf[i++] = 'O';         /* D/d are taken.  Use short strings? */
     if (cred->ticket_flags & TKT_FLG_ANONYMOUS)
         buf[i++] = 'a';
     buf[i] = '\0';
-    return(buf);
+    return buf;
 }
 
-void
-printtime(tv)
-    time_t tv;
+static void
+printtime(krb5_timestamp ts)
 {
-    char timestring[BUFSIZ];
-    char fill;
-
-    fill = ' ';
-    if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv,
-                                    timestring,
-                                    timestamp_width+1,
-                                    &fill)) {
+    char timestring[BUFSIZ], fill = ' ';
+
+    if (!krb5_timestamp_to_sfstring(ts, timestring, timestamp_width + 1,
+                                    &fill))
         printf("%s", timestring);
-    }
 }
 
 static void
@@ -663,35 +654,35 @@ print_config_data(int col, krb5_data *data)
         putchar('\n');
 }
 
-void
-show_credential(cred)
-    register krb5_creds * cred;
+static void
+show_credential(krb5_creds *cred)
 {
-    krb5_error_code retval;
+    krb5_error_code ret;
     krb5_ticket *tkt;
     char *name, *sname, *flags;
     int extra_field = 0, ccol = 0, i;
 
-    retval = krb5_unparse_name(kcontext, cred->client, &name);
-    if (retval) {
-        com_err(progname, retval, _("while unparsing client name"));
+    ret = krb5_unparse_name(context, cred->client, &name);
+    if (ret) {
+        com_err(progname, ret, _("while unparsing client name"));
         return;
     }
-    retval = krb5_unparse_name(kcontext, cred->server, &sname);
-    if (retval) {
-        com_err(progname, retval, _("while unparsing server name"));
-        krb5_free_unparsed_name(kcontext, name);
+    ret = krb5_unparse_name(context, cred->server, &sname);
+    if (ret) {
+        com_err(progname, ret, _("while unparsing server name"));
+        krb5_free_unparsed_name(context, name);
         return;
     }
     if (!cred->times.starttime)
         cred->times.starttime = cred->times.authtime;
 
-    if (!krb5_is_config_principal(kcontext, cred->server)) {
+    if (!krb5_is_config_principal(context, cred->server)) {
         printtime(cred->times.starttime);
-        putchar(' '); putchar(' ');
+        putchar(' ');
+        putchar(' ');
         printtime(cred->times.endtime);
-        putchar(' '); putchar(' ');
-
+        putchar(' ');
+        putchar(' ');
         printf("%s\n", sname);
     } else {
         fputs("config: ", stdout);
@@ -712,7 +703,7 @@ show_credential(cred)
         extra_field++;
     }
 
-    if (krb5_is_config_principal(kcontext, cred->server))
+    if (krb5_is_config_principal(context, cred->server))
         print_config_data(ccol, &cred->ticket);
 
     if (cred->times.renew_till) {
@@ -748,8 +739,8 @@ show_credential(cred)
     }
 
     if (show_etype) {
-        retval = krb5_decode_ticket(&cred->ticket, &tkt);
-        if (retval)
+        ret = krb5_decode_ticket(&cred->ticket, &tkt);
+        if (ret)
             goto err_tkt;
 
         if (!extra_field)
@@ -758,13 +749,12 @@ show_credential(cred)
             fputs(", ",stdout);
         printf(_("Etype (skey, tkt): %s, "),
                etype_string(cred->keyblock.enctype));
-        printf("%s ",
-               etype_string(tkt->enc_part.enctype));
+        printf("%s ", etype_string(tkt->enc_part.enctype));
         extra_field++;
 
     err_tkt:
         if (tkt != NULL)
-            krb5_free_ticket(kcontext, tkt);
+            krb5_free_ticket(context, tkt);
     }
 
     if (show_adtype) {
@@ -783,19 +773,18 @@ show_credential(cred)
         }
     }
 
-    /* if any additional info was printed, extra_field is non-zero */
+    /* If any additional info was printed, extra_field is non-zero. */
     if (extra_field)
         putchar('\n');
 
-
     if (show_addresses) {
-        if (!cred->addresses || !cred->addresses[0]) {
+        if (cred->addresses == NULL || cred->addresses[0] == NULL) {
             printf(_("\tAddresses: (none)\n"));
         } else {
             printf(_("\tAddresses: "));
             one_addr(cred->addresses[0]);
 
-            for (i=1; cred->addresses[i]; i++) {
+            for (i = 1; cred->addresses[i] != NULL; i++) {
                 printf(", ");
                 one_addr(cred->addresses[i]);
             }
@@ -804,45 +793,45 @@ show_credential(cred)
         }
     }
 
-    krb5_free_unparsed_name(kcontext, name);
-    krb5_free_unparsed_name(kcontext, sname);
+    krb5_free_unparsed_name(context, name);
+    krb5_free_unparsed_name(context, sname);
 }
 
 #include "port-sockets.h"
-#include "socket-utils.h" /* for ss2sin etc */
+#include "socket-utils.h" /* For ss2sin etc. */
 #include "fake-addrinfo.h"
 
-void one_addr(a)
-    krb5_address *a;
+static void
+one_addr(krb5_address *a)
 {
     struct sockaddr_storage ss;
+    struct sockaddr_in *sinp;
+    struct sockaddr_in6 *sin6p;
     int err;
     char namebuf[NI_MAXHOST];
 
-    memset (&ss, 0, sizeof (ss));
+    memset(&ss, 0, sizeof(ss));
 
     switch (a->addrtype) {
     case ADDRTYPE_INET:
         if (a->length != 4) {
-        broken:
             printf(_("broken address (type %d length %d)"),
                    a->addrtype, a->length);
             return;
         }
-        {
-            struct sockaddr_in *sinp = ss2sin (&ss);
-            sinp->sin_family = AF_INET;
-            memcpy (&sinp->sin_addr, a->contents, 4);
-        }
+        sinp = ss2sin(&ss);
+        sinp->sin_family = AF_INET;
+        memcpy(&sinp->sin_addr, a->contents, 4);
         break;
     case ADDRTYPE_INET6:
-        if (a->length != 16)
-            goto broken;
-        {
-            struct sockaddr_in6 *sin6p = ss2sin6 (&ss);
-            sin6p->sin6_family = AF_INET6;
-            memcpy (&sin6p->sin6_addr, a->contents, 16);
+        if (a->length != 16) {
+            printf(_("broken address (type %d length %d)"),
+                   a->addrtype, a->length);
+            return;
         }
+        sin6p = ss2sin6(&ss);
+        sin6p->sin6_family = AF_INET6;
+        memcpy(&sin6p->sin6_addr, a->contents, 16);
         break;
     default:
         printf(_("unknown addrtype %d"), a->addrtype);
@@ -850,25 +839,22 @@ void one_addr(a)
     }
 
     namebuf[0] = 0;
-    err = getnameinfo (ss2sa (&ss), sa_socklen (ss2sa (&ss)),
-                       namebuf, sizeof (namebuf), 0, 0,
-                       no_resolve ? NI_NUMERICHOST : 0U);
+    err = getnameinfo(ss2sa(&ss), sa_socklen(ss2sa(&ss)), namebuf,
+                      sizeof(namebuf), 0, 0,
+                      no_resolve ? NI_NUMERICHOST : 0U);
     if (err) {
         printf(_("unprintable address (type %d, error %d %s)"), a->addrtype,
-               err, gai_strerror (err));
+               err, gai_strerror(err));
         return;
     }
-    printf ("%s", namebuf);
+    printf("%s", namebuf);
 }
 
-void
-fillit(f, num, c)
-    FILE                *f;
-    unsigned int        num;
-    int                 c;
+static void
+fillit(FILE *f, unsigned int num, int c)
 {
     unsigned int i;
 
-    for (i=0; i<num; i++)
+    for (i = 0; i < num; i++)
         fputc(c, f);
 }
diff --git a/src/clients/kpasswd/Makefile.in b/src/clients/kpasswd/Makefile.in
index bd4a08cc1daf..294851802af6 100644
--- a/src/clients/kpasswd/Makefile.in
+++ b/src/clients/kpasswd/Makefile.in
@@ -1,16 +1,12 @@
 mydir=clients$(S)kpasswd
 BUILDTOP=$(REL)..$(S)..
 
-SRCS=kpasswd.c ksetpwd.c
+SRCS=kpasswd.c
 
 kpasswd: kpasswd.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o kpasswd kpasswd.o $(KRB5_BASE_LIBS)
 
-ksetpwd: ksetpwd.o $(KRB5_BASE_DEPLIBS)
-	$(CC_LINK) -o ksetpwd ksetpwd.o $(KRB5_BASE_LIBS)
-
 kpasswd.o:	$(srcdir)/kpasswd.c
-ksetpwd.o:	$(srcdir)/ksetpwd.c
 
 ##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc
 ##WIN32##RCFLAGS=$(CPPFLAGS) -I$(top_srcdir) -D_WIN32 -DRES_ONLY
@@ -22,10 +18,10 @@ ksetpwd.o:	$(srcdir)/ksetpwd.c
 ##WIN32##$(EXERES): $(VERSIONRC)
 ##WIN32##        $(RC) $(RCFLAGS) -DKPASSWD_APP -fo $@ -r $**
 
-all-unix: kpasswd ksetpwd
+all-unix: kpasswd
 
 clean-unix::
-	$(RM) kpasswd.o kpasswd ksetpwd.o ksetpwd
+	$(RM) kpasswd.o kpasswd
 
 install-all install-kdc install-server install-client install-unix:
 	$(INSTALL_PROGRAM) kpasswd $(DESTDIR)$(CLIENT_BINDIR)/`echo kpasswd|sed '$(transform)'`
diff --git a/src/clients/kpasswd/deps b/src/clients/kpasswd/deps
index 0c01c30cc12e..360b6d73fc62 100644
--- a/src/clients/kpasswd/deps
+++ b/src/clients/kpasswd/deps
@@ -5,7 +5,3 @@ $(OUTPRE)kpasswd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
   kpasswd.c
-$(OUTPRE)ksetpwd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
-  ksetpwd.c
diff --git a/src/clients/kpasswd/kpasswd.c b/src/clients/kpasswd/kpasswd.c
index efc596edf7ce..8dbe611c4fa3 100644
--- a/src/clients/kpasswd/kpasswd.c
+++ b/src/clients/kpasswd/kpasswd.c
@@ -1,4 +1,5 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+
 #include "k5-platform.h"
 #include <locale.h>
 #include <sys/types.h>
@@ -15,18 +16,18 @@
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 
-static
-void get_name_from_passwd_file(program_name, kcontext, me)
-    char * program_name;
-    krb5_context kcontext;
-    krb5_principal * me;
+static void
+get_name_from_passwd_file(char *program_name, krb5_context context,
+                          krb5_principal *me)
 {
     struct passwd *pw;
-    krb5_error_code code;
-    if ((pw = getpwuid(getuid()))) {
-        if ((code = krb5_parse_name(kcontext, pw->pw_name, me))) {
-            com_err(program_name, code, _("when parsing name %s"),
-                    pw->pw_name);
+    krb5_error_code ret;
+
+    pw = getpwuid(getuid());
+    if (pw != NULL) {
+        ret = krb5_parse_name(context, pw->pw_name, me);
+        if (ret) {
+            com_err(program_name, ret, _("when parsing name %s"), pw->pw_name);
             exit(1);
         }
     } else {
@@ -35,9 +36,8 @@ void get_name_from_passwd_file(program_name, kcontext, me)
     }
 }
 #else /* HAVE_PWD_H */
-void get_name_from_passwd_file(kcontext, me)
-    krb5_context kcontext;
-    krb5_principal * me;
+static void
+get_name_from_passwd_file(krb5_context context, krb5_principal *me)
 {
     fprintf(stderr, _("Unable to identify user\n"));
     exit(1);
@@ -49,13 +49,11 @@ int main(int argc, char *argv[])
     krb5_error_code ret;
     krb5_context context;
     krb5_principal princ = NULL;
-    char *pname;
+    char *pname, *message;
+    char pw[1024];
     krb5_ccache ccache;
     krb5_get_init_creds_opt *opts = NULL;
     krb5_creds creds;
-    char *message;
-
-    char pw[1024];
     unsigned int pwlen;
     int result_code;
     krb5_data result_code_string, result_string;
@@ -73,48 +71,48 @@ int main(int argc, char *argv[])
         com_err(argv[0], ret, _("initializing kerberos library"));
         exit(1);
     }
-    if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
+    ret = krb5_get_init_creds_opt_alloc(context, &opts);
+    if (ret) {
         com_err(argv[0], ret, _("allocating krb5_get_init_creds_opt"));
         exit(1);
     }
 
-    /* in order, use the first of:
-       - a name specified on the command line
-       - the principal name from an existing ccache
-       - the name corresponding to the ruid of the process
-
-       otherwise, it's an error.
-       We always attempt to open the default ccache in order to use FAST if
-       possible.
-    */
+    /*
+     * In order, use the first of:
+     * - A name specified on the command line
+     * - The principal name from an existing ccache
+     * - The name corresponding to the ruid of the process
+     *
+     * Otherwise, it's an error.
+     * We always attempt to open the default ccache in order to use FAST if
+     * possible.
+     */
     ret = krb5_cc_default(context, &ccache);
-    if (ret != 0) {
+    if (ret) {
         com_err(argv[0], ret, _("opening default ccache"));
         exit(1);
     }
     ret = krb5_cc_get_principal(context, ccache, &princ);
-    if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
+    if (ret && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
         com_err(argv[0], ret, _("getting principal from ccache"));
         exit(1);
-    } else {
-        if (princ != NULL) {
-            ret = krb5_get_init_creds_opt_set_fast_ccache(context, opts,
-                                                          ccache);
-            if (ret) {
-                com_err(argv[0], ret, _("while setting FAST ccache"));
-                exit(1);
-            }
+    } else if (princ != NULL) {
+        ret = krb5_get_init_creds_opt_set_fast_ccache(context, opts, ccache);
+        if (ret) {
+            com_err(argv[0], ret, _("while setting FAST ccache"));
+            exit(1);
         }
     }
     ret = krb5_cc_close(context, ccache);
-    if (ret != 0) {
+    if (ret) {
         com_err(argv[0], ret, _("closing ccache"));
         exit(1);
     }
-    if (pname) {
+    if (pname != NULL) {
         krb5_free_principal(context, princ);
         princ = NULL;
-        if ((ret = krb5_parse_name(context, pname, &princ))) {
+        ret = krb5_parse_name(context, pname, &princ);
+        if (ret) {
             com_err(argv[0], ret, _("parsing client name"));
             exit(1);
         }
@@ -122,33 +120,37 @@ int main(int argc, char *argv[])
     if (princ == NULL)
         get_name_from_passwd_file(argv[0], context, &princ);
 
-    krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
+    krb5_get_init_creds_opt_set_tkt_life(opts, 5 * 60);
     krb5_get_init_creds_opt_set_renew_life(opts, 0);
     krb5_get_init_creds_opt_set_forwardable(opts, 0);
     krb5_get_init_creds_opt_set_proxiable(opts, 0);
 
-    if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL,
-                                            krb5_prompter_posix, NULL,
-                                            0, "kadmin/changepw", opts))) {
-        if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+    ret = krb5_get_init_creds_password(context, &creds, princ, NULL,
+                                       krb5_prompter_posix, NULL, 0,
+                                       "kadmin/changepw", opts);
+    if (ret) {
+        if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
             com_err(argv[0], 0,
                     _("Password incorrect while getting initial ticket"));
-        else
+        } else {
             com_err(argv[0], ret, _("getting initial ticket"));
+        }
+
         krb5_get_init_creds_opt_free(context, opts);
         exit(1);
     }
 
     pwlen = sizeof(pw);
-    if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) {
+    ret = krb5_read_password(context, P1, P2, pw, &pwlen);
+    if (ret) {
         com_err(argv[0], ret, _("while reading password"));
         krb5_get_init_creds_opt_free(context, opts);
         exit(1);
     }
 
-    if ((ret = krb5_change_password(context, &creds, pw,
-                                    &result_code, &result_code_string,
-                                    &result_string))) {
+    ret = krb5_change_password(context, &creds, pw, &result_code,
+                               &result_code_string, &result_string);
+    if (ret) {
         com_err(argv[0], ret, _("changing password"));
         krb5_get_init_creds_opt_free(context, opts);
         exit(1);
@@ -158,17 +160,15 @@ int main(int argc, char *argv[])
         if (krb5_chpw_message(context, &result_string, &message) != 0)
             message = NULL;
         printf("%.*s%s%s\n",
-               (int) result_code_string.length, result_code_string.data,
+               (int)result_code_string.length, result_code_string.data,
                message ? ": " : "", message ? message : NULL);
         krb5_free_string(context, message);
         krb5_get_init_creds_opt_free(context, opts);
         exit(2);
     }
 
-    if (result_string.data != NULL)
-        free(result_string.data);
-    if (result_code_string.data != NULL)
-        free(result_code_string.data);
+    free(result_string.data);
+    free(result_code_string.data);
     krb5_get_init_creds_opt_free(context, opts);
 
     printf(_("Password changed.\n"));
diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c
deleted file mode 100644
index 2aafb6cedeb0..000000000000
--- a/src/clients/kpasswd/ksetpwd.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-#include <k5-platform.h>
-#include <krb5.h>
-#include <unistd.h>
-#include <time.h>
-
-#define TKTTIMELEFT     60*10   /* ten minutes */
-
-static int verify_creds()
-{
-    krb5_context    kcontext;
-    krb5_ccache             ccache;
-    krb5_error_code kres;
-
-    kres = krb5_init_context(&kcontext);
-    if( kres == 0 )
-    {
-        kres = krb5_cc_default( kcontext, &ccache );
-        if( kres == 0 )
-        {
-            krb5_principal  user_princ;
-
-            kres = krb5_cc_get_principal( kcontext, ccache, &user_princ );
-            if( kres == 0 )
-                krb5_free_principal( kcontext, user_princ );
-            krb5_cc_close( kcontext, ccache );
-        }
-        krb5_free_context(kcontext);
-    }
-    return kres;
-}
-
-static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
-{
-    krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
-    krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
-    krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
-    krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
-    krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
-}
-
-typedef void * kbrccache_t;
-#define CCACHE_PREFIX_DEFAULT "MEMORY:C_"
-
-static kbrccache_t userinitcontext(
-    const char * user, const char * domain, const char * passwd, const char * cachename, int initialize,
-    int * outError )
-{
-    krb5_context    kcontext = 0;
-    krb5_ccache             kcache = 0;
-    krb5_creds              kcreds;
-    krb5_principal  kme = 0;
-    krb5_error_code kres;
-    char *                  pPass = strdup( passwd );
-    char *                  pName = NULL;
-    char *                  pCacheName = NULL;
-    int                             numCreds = 0;
-
-    memset( &kcreds, 0, sizeof(kcreds) );
-    kres = krb5_init_context( &kcontext );
-    if( kres )
-        goto return_error;
-    if( domain )
-        kres = krb5_build_principal( kcontext, &kme, strlen(domain), domain, user, (char *) 0 );
-    else
-        kres = krb5_parse_name( kcontext, user, &kme );
-    if( kres )
-        goto fail;
-    krb5_unparse_name( kcontext, kme, &pName );
-    if( cachename )
-    {
-        if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0)
-        {
-            kres = KRB5_CC_NOMEM;
-            goto fail;
-        }
-        kres = krb5_cc_resolve( kcontext, pCacheName, &kcache );
-        if( kres )
-        {
-            kres = krb5_cc_resolve( kcontext, CCACHE_PREFIX_DEFAULT, &kcache );
-            if( kres == 0 )
-                pCacheName = strdup(CCACHE_PREFIX_DEFAULT);
-        }
-    }
-    else
-    {
-        kres = krb5_cc_default( kcontext, &kcache );
-        pCacheName = strdup( krb5_cc_get_name( kcontext, kcache ) );
-    }
-    if( kres )
-    {
-        krb5_free_context(kcontext);
-        goto return_error;
-    }
-    if( initialize )
-        krb5_cc_initialize( kcontext, kcache, kme );
-    if( kres == 0 && user && passwd )
-    {
-        long timeneeded = time(0L) +TKTTIMELEFT;
-        int have_credentials = 0;
-        krb5_cc_cursor cc_curs = NULL;
-        numCreds = 0;
-        if( (kres=krb5_cc_start_seq_get(kcontext, kcache, &cc_curs)) >= 0 )
-        {
-            while( (kres=krb5_cc_next_cred(kcontext, kcache, &cc_curs, &kcreds))== 0)
-            {
-                numCreds++;
-                if( krb5_principal_compare( kcontext, kme, kcreds.client ) )
-                {
-                    if( kcreds.ticket_flags & TKT_FLG_INITIAL && kcreds.times.endtime>timeneeded )
-                        have_credentials = 1;
-                }
-                krb5_free_cred_contents( kcontext, &kcreds );
-                if( have_credentials )
-                    break;
-            }
-            krb5_cc_end_seq_get( kcontext, kcache, &cc_curs );
-        }
-        else
-        {
-            const char * errmsg = error_message(kres);
-            fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg );
-        }
-        if( kres != 0 || have_credentials == 0 )
-        {
-            krb5_get_init_creds_opt *options = NULL;
-            kres = krb5_get_init_creds_opt_alloc(kcontext, &options);
-            if ( kres == 0 )
-            {
-                get_init_creds_opt_init(options);
-/*
-** no valid credentials - get new ones
-*/
-                kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass,
-                                                     NULL /*prompter*/,
-                                                     NULL /*data*/,
-                                                     0 /*starttime*/,
-                                                     0 /*in_tkt_service*/,
-                                                     options /*options*/ );
-            }
-            if( kres == 0 )
-            {
-                if( numCreds <= 0 )
-                    kres = krb5_cc_initialize( kcontext, kcache, kme );
-                if( kres == 0 )
-                    kres = krb5_cc_store_cred( kcontext, kcache, &kcreds );
-                if( kres == 0 )
-                    have_credentials = 1;
-            }
-            krb5_get_init_creds_opt_free(kcontext, options);
-        }
-#ifdef NOTUSED
-        if( have_credentials )
-        {
-            int mstat;
-            kres = gss_krb5_ccache_name( &mstat, pCacheName, NULL );
-            if( getenv( ENV_DEBUG_LDAPKERB ) )
-                fprintf( stderr, "gss credentials cache set to %s(%d)\n", pCacheName, kres );
-        }
-#endif
-        krb5_cc_close( kcontext, kcache );
-    }
-fail:
-    if( kres )
-    {
-        const char * errmsg = error_message(kres);
-        fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg );
-    }
-    krb5_free_principal( kcontext, kme );
-    krb5_free_cred_contents( kcontext, &kcreds );
-    if( pName )
-        free( pName );
-    free(pPass);
-    krb5_free_context(kcontext);
-
-return_error:
-    if( kres )
-    {
-        if( pCacheName )
-        {
-            free(pCacheName);
-            pCacheName = NULL;
-        }
-    }
-    if( outError )
-        *outError = kres;
-    return pCacheName;
-}
-
-static int init_creds()
-{
-    char user[512];
-    char * password = NULL;
-    int result;
-
-    user[0] = 0;
-    result = -1;
-
-    for(;;)
-    {
-        while( user[0] == 0 )
-        {
-            int userlen;
-            printf( "Username: ");
-            fflush(stdout);
-            if( fgets( user, sizeof(user), stdin ) == NULL )
-                return -1;
-            userlen = strlen( user);
-            if( userlen < 2 )
-                continue;
-            user[userlen-1] = 0;    /* get rid of the newline */
-            break;
-        }
-        {
-            kbrccache_t usercontext;
-            password = getpass( "Password: ");
-            if( ! password )
-                return -1;
-            result = 0;
-            usercontext = userinitcontext( user, NULL, password, NULL, 1, &result );
-            if( usercontext )
-                break;
-        }
-    }
-    return result;
-}
-
-int main( int argc, char ** argv )
-{
-    char * new_password;
-    char * new_password2;
-    krb5_context    kcontext;
-    krb5_error_code kerr;
-    krb5_principal  target_principal;
-
-
-    if( argc < 2 )
-    {
-        fprintf( stderr, "Usage: setpass user@REALM\n");
-        exit(1);
-    }
-
-/*
-** verify credentials -
-*/
-    if( verify_creds() )
-        init_creds();
-    if( verify_creds() )
-    {
-        fprintf( stderr, "No user credentials available\n");
-        exit(1);
-    }
-/*
-** check the principal name -
-*/
-    krb5_init_context(&kcontext);
-    kerr = krb5_parse_name( kcontext, argv[1], &target_principal );
-
-    {
-        char * pname = NULL;
-        kerr = krb5_unparse_name( kcontext, target_principal, &pname );
-        printf( "Changing password for %s:\n", pname);
-        fflush( stdout );
-        free( pname );
-    }
-/*
-** get the new password -
-*/
-    for (;;)
-    {
-        new_password = getpass("Enter new password: ");
-        new_password2 = getpass("Verify new password: ");
-        if( strcmp( new_password, new_password2 ) == 0)
-            break;
-        printf("Passwords do not match\n");
-        free( new_password );
-        free( new_password2 );
-    }
-/*
-** change the password -
-*/
-    {
-        int pw_result;
-        krb5_ccache ccache;
-        krb5_data       pw_res_string, res_string;
-
-        kerr = krb5_cc_default( kcontext, &ccache );
-        if( kerr == 0 )
-        {
-            kerr = krb5_set_password_using_ccache(kcontext, ccache, new_password, target_principal,
-                                                  &pw_result, &pw_res_string, &res_string );
-            if( kerr )
-                fprintf( stderr, "Failed: %s\n", error_message(kerr) );
-            else
-            {
-                if( pw_result )
-                {
-                    fprintf( stderr, "Failed(%d)", pw_result );
-                    if( pw_res_string.length > 0 )
-                        fprintf( stderr, ": %s", pw_res_string.data);
-                    if( res_string.length > 0 )
-                        fprintf( stderr, " %s", res_string.data);
-                    fprintf( stderr, "\n");
-                }
-            }
-        }
-    }
-    return(0);
-}
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index a0736f2daad7..2a99521d4b2b 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -278,11 +278,11 @@ krb5_error_code krb5_check_exp(context, tkt_time)
                 context->clockskew);
 
         fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n",
-                (currenttime - tkt_time.endtime ));
+                ts_delta(currenttime, tkt_time.endtime));
 
     }
 
-    if (currenttime - tkt_time.endtime > context->clockskew){
+    if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) {
         retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;
         return retval;
     }
@@ -323,21 +323,11 @@ char *flags_string(cred)
     return(buf);
 }
 
-void printtime(tv)
-    time_t tv;
+void printtime(krb5_timestamp ts)
 {
-    char fmtbuf[18];
-    char fill;
-    krb5_timestamp tstamp;
-
-    /* XXXX ASSUMES sizeof(krb5_timestamp) >= sizeof(time_t) */
-    (void) localtime((time_t *)&tv);
-    tstamp = tv;
-    fill = ' ';
-    if (!krb5_timestamp_to_sfstring(tstamp,
-                                    fmtbuf,
-                                    sizeof(fmtbuf),
-                                    &fill))
+    char fmtbuf[18], fill = ' ';
+
+    if (!krb5_timestamp_to_sfstring(ts, fmtbuf, sizeof(fmtbuf), &fill))
         printf("%s", fmtbuf);
 }
 
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index ee8e9d6a0f79..3bf0bd438449 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -150,7 +150,7 @@ extern krb5_boolean krb5_find_princ_in_cred_list
 extern krb5_error_code krb5_find_princ_in_cache
 (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *);
 
-extern void printtime (time_t);
+extern void printtime (krb5_timestamp);
 
 /* authorization.c */
 extern krb5_boolean fowner (FILE *, uid_t);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 28342c2d7736..7ff676ca728b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -932,7 +932,7 @@ int standard_shell(sh)
 
 static char * ontty()
 {
-    char *p, *ttyname();
+    char *p;
     static char buf[MAXPATHLEN + 5];
     int result;
 
diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index 80bee59e2337..77a128d5db82 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -36,8 +36,10 @@ extern int optind;
 extern char *optarg;
 
 static char *prog;
+static int quiet = 0;
 
-static void xusage()
+static void
+xusage()
 {
     fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog);
     fprintf(stderr, _("\t[-k keytab] [-S sname] [-U for_user [-P]]\n"));
@@ -45,18 +47,16 @@ static void xusage()
     exit(1);
 }
 
-int quiet = 0;
-
-static void do_v5_kvno (int argc, char *argv[],
-                        char *ccachestr, char *etypestr, char *keytab_name,
-                        char *sname, int canon, int unknown,
-                        char *for_user, int proxy);
+static void do_v5_kvno(int argc, char *argv[], char *ccachestr, char *etypestr,
+                       char *keytab_name, char *sname, int canon, int unknown,
+                       char *for_user, int proxy);
 
 #include <com_err.h>
-static void extended_com_err_fn (const char *, errcode_t, const char *,
-                                 va_list);
+static void extended_com_err_fn(const char *myprog, errcode_t code,
+                                const char *fmt, va_list args);
 
-int main(int argc, char *argv[])
+int
+main(int argc, char *argv[])
 {
     int option;
     char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
@@ -64,7 +64,7 @@ int main(int argc, char *argv[])
     int canon = 0, unknown = 0, proxy = 0;
 
     setlocale(LC_ALL, "");
-    set_com_err_hook (extended_com_err_fn);
+    set_com_err_hook(extended_com_err_fn);
 
     prog = strrchr(argv[0], '/');
     prog = prog ? (prog + 1) : argv[0];
@@ -94,7 +94,7 @@ int main(int argc, char *argv[])
             break;
         case 'S':
             sname = optarg;
-            if (unknown == 1){
+            if (unknown == 1) {
                 fprintf(stderr,
                         _("Options -u and -S are mutually exclusive\n"));
                 xusage();
@@ -102,7 +102,7 @@ int main(int argc, char *argv[])
             break;
         case 'u':
             unknown = 1;
-            if (sname){
+            if (sname != NULL) {
                 fprintf(stderr,
                         _("Options -u and -S are mutually exclusive\n"));
                 xusage();
@@ -129,39 +129,150 @@ int main(int argc, char *argv[])
         }
     }
 
-    if ((argc - optind) < 1)
+    if (argc - optind < 1)
         xusage();
 
-    do_v5_kvno(argc - optind, argv + optind,
-               ccachestr, etypestr, keytab_name, sname,
-               canon, unknown, for_user, proxy);
+    do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name,
+               sname, canon, unknown, for_user, proxy);
     return 0;
 }
 
 #include <k5-int.h>
 static krb5_context context;
-static void extended_com_err_fn (const char *myprog, errcode_t code,
-                                 const char *fmt, va_list args)
+static void extended_com_err_fn(const char *myprog, errcode_t code,
+                                const char *fmt, va_list args)
 {
     const char *emsg;
-    emsg = krb5_get_error_message (context, code);
-    fprintf (stderr, "%s: %s ", myprog, emsg);
-    krb5_free_error_message (context, emsg);
-    vfprintf (stderr, fmt, args);
-    fprintf (stderr, "\n");
+
+    emsg = krb5_get_error_message(context, code);
+    fprintf(stderr, "%s: %s ", myprog, emsg);
+    krb5_free_error_message(context, emsg);
+    vfprintf(stderr, fmt, args);
+    fprintf(stderr, "\n");
+}
+
+/* Request a single service ticket and display its status (unless quiet is
+ * set).  On failure, display an error message and return non-zero. */
+static krb5_error_code
+kvno(const char *name, krb5_ccache ccache, krb5_principal me,
+     krb5_enctype etype, krb5_keytab keytab, const char *sname,
+     krb5_flags options, int unknown, krb5_principal for_user_princ, int proxy)
+{
+    krb5_error_code ret;
+    krb5_principal server = NULL;
+    krb5_ticket *ticket = NULL;
+    krb5_creds in_creds, *out_creds = NULL;
+    char *princ = NULL;
+
+    memset(&in_creds, 0, sizeof(in_creds));
+
+    if (sname != NULL) {
+        ret = krb5_sname_to_principal(context, name, sname, KRB5_NT_SRV_HST,
+                                      &server);
+    } else {
+        ret = krb5_parse_name(context, name, &server);
+    }
+    if (ret) {
+        if (!quiet)
+            com_err(prog, ret, _("while parsing principal name %s"), name);
+        goto cleanup;
+    }
+    if (unknown)
+        krb5_princ_type(context, server) = KRB5_NT_UNKNOWN;
+
+    ret = krb5_unparse_name(context, server, &princ);
+    if (ret) {
+        com_err(prog, ret, _("while formatting parsed principal name for "
+                             "'%s'"), name);
+        goto cleanup;
+    }
+
+    in_creds.keyblock.enctype = etype;
+
+    if (for_user_princ != NULL) {
+        if (!proxy && !krb5_principal_compare(context, me, server)) {
+            ret = EINVAL;
+            com_err(prog, ret,
+                    _("client and server principal names must match"));
+            goto cleanup;
+        }
+
+        in_creds.client = for_user_princ;
+        in_creds.server = me;
+        ret = krb5_get_credentials_for_user(context, options, ccache,
+                                            &in_creds, NULL, &out_creds);
+    } else {
+        in_creds.client = me;
+        in_creds.server = server;
+        ret = krb5_get_credentials(context, options, ccache, &in_creds,
+                                   &out_creds);
+    }
+
+    if (ret) {
+        com_err(prog, ret, _("while getting credentials for %s"), princ);
+        goto cleanup;
+    }
+
+    /* We need a native ticket. */
+    ret = krb5_decode_ticket(&out_creds->ticket, &ticket);
+    if (ret) {
+        com_err(prog, ret, _("while decoding ticket for %s"), princ);
+        goto cleanup;
+    }
+
+    if (keytab != NULL) {
+        ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket);
+        if (ret) {
+            if (!quiet) {
+                fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n", princ,
+                        ticket->enc_part.kvno);
+            }
+            com_err(prog, ret, _("while decrypting ticket for %s"), princ);
+            goto cleanup;
+        }
+        if (!quiet) {
+            printf(_("%s: kvno = %d, keytab entry valid\n"), princ,
+                   ticket->enc_part.kvno);
+        }
+        if (proxy) {
+            krb5_free_creds(context, out_creds);
+            out_creds = NULL;
+
+            in_creds.client = ticket->enc_part2->client;
+            in_creds.server = server;
+
+            ret = krb5_get_credentials_for_proxy(context, KRB5_GC_CANONICALIZE,
+                                                 ccache, &in_creds, ticket,
+                                                 &out_creds);
+            if (ret) {
+                com_err(prog, ret, _("%s: constrained delegation failed"),
+                        princ);
+                goto cleanup;
+            }
+        }
+    } else {
+        if (!quiet)
+            printf(_("%s: kvno = %d\n"), princ, ticket->enc_part.kvno);
+    }
+
+cleanup:
+    krb5_free_principal(context, server);
+    krb5_free_ticket(context, ticket);
+    krb5_free_creds(context, out_creds);
+    krb5_free_unparsed_name(context, princ);
+    return ret;
 }
 
-static void do_v5_kvno (int count, char *names[],
-                        char * ccachestr, char *etypestr, char *keytab_name,
-                        char *sname, int canon, int unknown, char *for_user,
-                        int proxy)
+static void
+do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
+           char *keytab_name, char *sname, int canon, int unknown,
+           char *for_user, int proxy)
 {
     krb5_error_code ret;
     int i, errors;
     krb5_enctype etype;
     krb5_ccache ccache;
     krb5_principal me;
-    krb5_creds in_creds;
     krb5_keytab keytab = NULL;
     krb5_principal for_user_princ = NULL;
     krb5_flags options;
@@ -191,7 +302,7 @@ static void do_v5_kvno (int count, char *names[],
         exit(1);
     }
 
-    if (keytab_name) {
+    if (keytab_name != NULL) {
         ret = krb5_kt_resolve(context, keytab_name, &keytab);
         if (ret) {
             com_err(prog, ret, _("resolving keytab %s"), keytab_name);
@@ -215,132 +326,16 @@ static void do_v5_kvno (int count, char *names[],
         exit(1);
     }
 
-    errors = 0;
-
-    options = 0;
-    if (canon)
-        options |= KRB5_GC_CANONICALIZE;
+    options = canon ? KRB5_GC_CANONICALIZE : 0;
 
+    errors = 0;
     for (i = 0; i < count; i++) {
-        krb5_principal server = NULL;
-        krb5_ticket *ticket = NULL;
-        krb5_creds *out_creds = NULL;
-        char *princ = NULL;
-
-        memset(&in_creds, 0, sizeof(in_creds));
-
-        if (sname != NULL) {
-            ret = krb5_sname_to_principal(context, names[i],
-                                          sname, KRB5_NT_SRV_HST,
-                                          &server);
-        } else {
-            ret = krb5_parse_name(context, names[i], &server);
-        }
-        if (ret) {
-            if (!quiet) {
-                com_err(prog, ret, _("while parsing principal name %s"),
-                        names[i]);
-            }
-            goto error;
-        }
-        if (unknown == 1) {
-            krb5_princ_type(context, server) = KRB5_NT_UNKNOWN;
-        }
-
-        ret = krb5_unparse_name(context, server, &princ);
-        if (ret) {
-            com_err(prog, ret, _("while formatting parsed principal name for "
-                                 "'%s'"), names[i]);
-            goto error;
-        }
-
-        in_creds.keyblock.enctype = etype;
-
-        if (for_user) {
-            if (!proxy &&
-                !krb5_principal_compare(context, me, server)) {
-                com_err(prog, EINVAL,
-                        _("client and server principal names must match"));
-                goto error;
-            }
-
-            in_creds.client = for_user_princ;
-            in_creds.server = me;
-
-            ret = krb5_get_credentials_for_user(context, options, ccache,
-                                                &in_creds, NULL, &out_creds);
-        } else {
-            in_creds.client = me;
-            in_creds.server = server;
-            ret = krb5_get_credentials(context, options, ccache,
-                                       &in_creds, &out_creds);
-        }
-
-        if (ret) {
-            com_err(prog, ret, _("while getting credentials for %s"), princ);
-            goto error;
-        }
-
-        /* we need a native ticket */
-        ret = krb5_decode_ticket(&out_creds->ticket, &ticket);
-        if (ret) {
-            com_err(prog, ret, _("while decoding ticket for %s"), princ);
-            goto error;
-        }
-
-        if (keytab) {
-            ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket);
-            if (ret) {
-                if (!quiet) {
-                    fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n",
-                            princ, ticket->enc_part.kvno);
-                }
-                com_err(prog, ret, _("while decrypting ticket for %s"), princ);
-                goto error;
-            }
-            if (!quiet) {
-                printf(_("%s: kvno = %d, keytab entry valid\n"),
-                       princ, ticket->enc_part.kvno);
-            }
-            if (proxy) {
-                krb5_free_creds(context, out_creds);
-                out_creds = NULL;
-
-                in_creds.client = ticket->enc_part2->client;
-                in_creds.server = server;
-
-                ret = krb5_get_credentials_for_proxy(context,
-                                                     KRB5_GC_CANONICALIZE,
-                                                     ccache,
-                                                     &in_creds,
-                                                     ticket,
-                                                     &out_creds);
-                if (ret) {
-                    com_err(prog, ret,
-                            _("%s: constrained delegation failed"), princ);
-                    goto error;
-                }
-            }
-        } else {
-            if (!quiet)
-                printf(_("%s: kvno = %d\n"), princ, ticket->enc_part.kvno);
-        }
-
-        continue;
-
-    error:
-        if (server != NULL)
-            krb5_free_principal(context, server);
-        if (ticket != NULL)
-            krb5_free_ticket(context, ticket);
-        if (out_creds != NULL)
-            krb5_free_creds(context, out_creds);
-        if (princ != NULL)
-            krb5_free_unparsed_name(context, princ);
-        errors++;
+        if (kvno(names[i], ccache, me, etype, keytab, sname, options, unknown,
+                 for_user_princ, proxy) != 0)
+            errors++;
     }
 
-    if (keytab)
+    if (keytab != NULL)
         krb5_kt_close(context, keytab);
     krb5_free_principal(context, me);
     krb5_free_principal(context, for_user_princ);
diff --git a/src/config/ac-archive/README b/src/config/ac-archive/README
index 7bc626eb56c3..409d4b3c8f3d 100644
--- a/src/config/ac-archive/README
+++ b/src/config/ac-archive/README
@@ -1,51 +1,9 @@
 -*- text -*-
 
 These macros are taken from the autoconf archive at
-ac-archive.sourceforge.net.  Unless otherwise noted, they are under
-this modified version of the GNU General Public License version 2
-(also copied from ac-archive.sourceforge.net):
+https://www.gnu.org/software/autoconf-archive/ .  They are licensed
+under a modified version of the GNU General Public License as noted in
+the comments near the top of each file.
 
-    Every Autoconf macro presented on this web site is free software;
-    you can redistribute it and/or modify it under the terms of the
-    GNU General Public License as published by the Free Software
-    Foundation; either version 2, or (at your option) any later
-    version.
-
-    They are distributed in the hope that they will be useful, but
-    WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-    General Public License for more details. (You should have received
-    a copy of the GNU General Public License along with this program;
-    if not, write to the Free Software Foundation, Inc., 59 Temple
-    Place -- Suite 330, Boston, MA 02111-1307, USA.)
-
-    As a special exception, the Free Software Foundation gives
-    unlimited permission to copy, distribute and modify the configure
-    scripts that are the output of Autoconf. You need not follow the
-    terms of the GNU General Public License when using or distributing
-    such scripts, even though portions of the text of Autoconf appear
-    in them. The GNU General Public License (GPL) does govern all
-    other use of the material that constitutes the Autoconf program.
-
-    Certain portions of the Autoconf source text are designed to be
-    copied (in certain cases, depending on the input) into the output
-    of Autoconf. We call these the "data" portions. The rest of the
-    Autoconf source text consists of comments plus executable code
-    that decides which of the data portions to output in any given
-    case. We call these comments and executable code the "non-data"
-    portions. Autoconf never copies any of the non-data portions into
-    its output.
-
-    This special exception to the GPL applies to versions of Autoconf
-    released by the Free Software Foundation. When you make and
-    distribute a modified version of Autoconf, you may extend this
-    special exception to the GPL to apply to your modified version as
-    well, *unless* your modified version has the potential to copy
-    into its output some of the text that was the non-data portion of
-    the version that you started with. (In other words, unless your
-    change moves or copies text from the non-data portions to the data
-    portions.) If your modification has such potential, you must
-    delete any notice of this special exception to the GPL from your
-    modified version.
-
-acx_pthread.m4 version 1.5 2004/03/01
+ax_pthread.m4 serial 24 2017-02-06
+ax_recursive_eval.m4 serial 1 2017-01-05
diff --git a/src/config/ac-archive/acx_pthread.m4 b/src/config/ac-archive/acx_pthread.m4
deleted file mode 100644
index 6a1537d474fa..000000000000
--- a/src/config/ac-archive/acx_pthread.m4
+++ /dev/null
@@ -1,239 +0,0 @@
-dnl @synopsis ACX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
-dnl
-dnl This macro figures out how to build C programs using POSIX
-dnl threads.  It sets the PTHREAD_LIBS output variable to the threads
-dnl library and linker flags, and the PTHREAD_CFLAGS output variable
-dnl to any special C compiler flags that are needed.  (The user can also
-dnl force certain compiler flags/libs to be tested by setting these
-dnl environment variables.)
-dnl
-dnl Also sets PTHREAD_CC to any special C compiler that is needed for
-dnl multi-threaded programs (defaults to the value of CC otherwise).
-dnl (This is necessary on AIX to use the special cc_r compiler alias.)
-dnl
-dnl NOTE: You are assumed to not only compile your program with these
-dnl flags, but also link it with them as well.  e.g. you should link
-dnl with $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
-dnl
-dnl If you are only building threads programs, you may wish to
-dnl use these variables in your default LIBS, CFLAGS, and CC:
-dnl
-dnl        LIBS="$PTHREAD_LIBS $LIBS"
-dnl        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-dnl        CC="$PTHREAD_CC"
-dnl
-dnl In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute
-dnl constant has a nonstandard name, defines PTHREAD_CREATE_JOINABLE
-dnl to that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
-dnl
-dnl ACTION-IF-FOUND is a list of shell commands to run if a threads
-dnl library is found, and ACTION-IF-NOT-FOUND is a list of commands
-dnl to run it if it is not found.  If ACTION-IF-FOUND is not specified,
-dnl the default action will define HAVE_PTHREAD.
-dnl
-dnl Please let the authors know if this macro fails on any platform,
-dnl or if you have any other suggestions or comments.  This macro was
-dnl based on work by SGJ on autoconf scripts for FFTW (www.fftw.org)
-dnl (with help from M. Frigo), as well as ac_pthread and hb_pthread
-dnl macros posted by AFC to the autoconf macro repository.  We are also
-dnl grateful for the helpful feedback of numerous users.
-dnl
-dnl @version $Id: acx_pthread.m4,v 1.5 2004/03/01 19:28:29 guidod Exp $
-dnl @author Steven G. Johnson <stevenj@alum.mit.edu> and Alejandro Forero Cuervo <bachue@bachue.com>
-
-AC_DEFUN([ACX_PTHREAD], [
-AC_REQUIRE([AC_CANONICAL_HOST])
-AC_LANG_SAVE
-AC_LANG_C
-acx_pthread_ok=no
-
-# We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on True64 or Sequent).
-# It gets checked for in the link test anyway.
-
-# First of all, check if the user has set any of the PTHREAD_LIBS,
-# etcetera environment variables, and if threads linking works using
-# them:
-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
-        save_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        save_LIBS="$LIBS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-        AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
-        AC_TRY_LINK_FUNC(pthread_join, acx_pthread_ok=yes)
-        AC_MSG_RESULT($acx_pthread_ok)
-        if test x"$acx_pthread_ok" = xno; then
-                PTHREAD_LIBS=""
-                PTHREAD_CFLAGS=""
-        fi
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
-fi
-
-# We must check for the threads library under a number of different
-# names; the ordering is very important because some systems
-# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
-# libraries is broken (non-POSIX).
-
-# Create a list of thread flags to try.  Items starting with a "-" are
-# C compiler flags, and other items are library names, except for "none"
-# which indicates that we try without any flags at all, and "pthread-config"
-# which is a program returning the flags for the Pth emulation library.
-
-acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
-
-# The ordering *is* (sometimes) important.  Some notes on the
-# individual items follow:
-
-# pthreads: AIX (must check this before -lpthread)
-# none: in case threads are in libc; should be tried before -Kthread and
-#       other compiler flags to prevent continual compiler warnings
-# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
-# -pthreads: Solaris/gcc
-# -mthreads: Mingw32/gcc, Lynx/gcc
-# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-#      doesn't hurt to check since this sometimes defines pthreads too;
-#      also defines -D_REENTRANT)
-# pthread: Linux, etcetera
-# --thread-safe: KAI C++
-# pthread-config: use pthread-config program (for GNU Pth library)
-
-case "${host_cpu}-${host_os}" in
-        *solaris*)
-
-        # On Solaris (at least, for some versions), libc contains stubbed
-        # (non-functional) versions of the pthreads routines, so link-based
-        # tests will erroneously succeed.  (We need to link with -pthread or
-        # -lpthread.)  (The stubs are missing pthread_cleanup_push, or rather
-        # a function called by this macro, so we could check for that, but
-        # who knows whether they'll stub that too in a future libc.)  So,
-        # we'll just look for -pthreads and -lpthread first:
-
-        acx_pthread_flags="-pthread -pthreads pthread -mt $acx_pthread_flags"
-        ;;
-esac
-
-if test x"$acx_pthread_ok" = xno; then
-for flag in $acx_pthread_flags; do
-
-        case $flag in
-                none)
-                AC_MSG_CHECKING([whether pthreads work without any flags])
-                ;;
-
-                -*)
-                AC_MSG_CHECKING([whether pthreads work with $flag])
-                PTHREAD_CFLAGS="$flag"
-                ;;
-
-		pthread-config)
-		AC_CHECK_PROG(acx_pthread_config, pthread-config, yes, no)
-		if test x"$acx_pthread_config" = xno; then continue; fi
-		PTHREAD_CFLAGS="`pthread-config --cflags`"
-		PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
-		;;
-
-                *)
-                AC_MSG_CHECKING([for the pthreads library -l$flag])
-                PTHREAD_LIBS="-l$flag"
-                ;;
-        esac
-
-        save_LIBS="$LIBS"
-        save_CFLAGS="$CFLAGS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-
-        # Check for various functions.  We must include pthread.h,
-        # since some functions may be macros.  (On the Sequent, we
-        # need a special flag -Kthread to make this header compile.)
-        # We check for pthread_join because it is in -lpthread on IRIX
-        # while pthread_create is in libc.  We check for pthread_attr_init
-        # due to DEC craziness with -lpthreads.  We check for
-        # pthread_cleanup_push because it is one of the few pthread
-        # functions on Solaris that doesn't have a non-functional libc stub.
-        # We try pthread_create on general principles.
-        AC_TRY_LINK([#include <pthread.h>],
-                    [pthread_t th; pthread_join(th, 0);
-                     pthread_attr_init(0); pthread_cleanup_push(0, 0);
-                     pthread_create(0,0,0,0); pthread_cleanup_pop(0); ],
-                    [acx_pthread_ok=yes])
-
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
-
-        AC_MSG_RESULT($acx_pthread_ok)
-        if test "x$acx_pthread_ok" = xyes; then
-                break;
-        fi
-
-        PTHREAD_LIBS=""
-        PTHREAD_CFLAGS=""
-done
-fi
-
-# Various other checks:
-if test "x$acx_pthread_ok" = xyes; then
-        save_LIBS="$LIBS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-        save_CFLAGS="$CFLAGS"
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-
-        # Detect AIX lossage: threads are created detached by default
-        # and the JOINABLE attribute has a nonstandard name (UNDETACHED).
-        AC_MSG_CHECKING([for joinable pthread attribute])
-        AC_TRY_LINK([#include <pthread.h>],
-                    [int attr=PTHREAD_CREATE_JOINABLE;],
-                    ok=PTHREAD_CREATE_JOINABLE, ok=unknown)
-        if test x"$ok" = xunknown; then
-                AC_TRY_LINK([#include <pthread.h>],
-                            [int attr=PTHREAD_CREATE_UNDETACHED;],
-                            ok=PTHREAD_CREATE_UNDETACHED, ok=unknown)
-        fi
-        if test x"$ok" != xPTHREAD_CREATE_JOINABLE; then
-                AC_DEFINE(PTHREAD_CREATE_JOINABLE, $ok,
-                          [Define to the necessary symbol if this constant
-                           uses a non-standard name on your system.])
-        fi
-        AC_MSG_RESULT(${ok})
-        if test x"$ok" = xunknown; then
-                AC_MSG_WARN([we do not know how to create joinable pthreads])
-        fi
-
-        AC_MSG_CHECKING([if more special flags are required for pthreads])
-        flag=no
-        case "${host_cpu}-${host_os}" in
-                *-aix* | *-freebsd*)     flag="-D_THREAD_SAFE";;
-                *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";;
-        esac
-        AC_MSG_RESULT(${flag})
-        if test "x$flag" != xno; then
-                PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
-        fi
-
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
-
-        # More AIX lossage: must compile with cc_r
-        AC_CHECK_PROG(PTHREAD_CC, cc_r, cc_r, ${CC})
-else
-        PTHREAD_CC="$CC"
-fi
-
-AC_SUBST(PTHREAD_LIBS)
-AC_SUBST(PTHREAD_CFLAGS)
-AC_SUBST(PTHREAD_CC)
-
-# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test x"$acx_pthread_ok" = xyes; then
-        ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1])
-        :
-else
-        acx_pthread_ok=no
-        $2
-fi
-AC_LANG_RESTORE
-])dnl ACX_PTHREAD
diff --git a/src/config/ac-archive/ax_pthread.m4 b/src/config/ac-archive/ax_pthread.m4
new file mode 100644
index 000000000000..5fbf9fe0d686
--- /dev/null
+++ b/src/config/ac-archive/ax_pthread.m4
@@ -0,0 +1,485 @@
+# ===========================================================================
+#        https://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+#   This macro figures out how to build C programs using POSIX threads. It
+#   sets the PTHREAD_LIBS output variable to the threads library and linker
+#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+#   flags that are needed. (The user can also force certain compiler
+#   flags/libs to be tested by setting these environment variables.)
+#
+#   Also sets PTHREAD_CC to any special C compiler that is needed for
+#   multi-threaded programs (defaults to the value of CC otherwise). (This
+#   is necessary on AIX to use the special cc_r compiler alias.)
+#
+#   NOTE: You are assumed to not only compile your program with these flags,
+#   but also to link with them as well. For example, you might link with
+#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+#   If you are only building threaded programs, you may wish to use these
+#   variables in your default LIBS, CFLAGS, and CC:
+#
+#     LIBS="$PTHREAD_LIBS $LIBS"
+#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+#     CC="$PTHREAD_CC"
+#
+#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+#   has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to
+#   that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+#   PTHREAD_CFLAGS.
+#
+#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
+#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+#   is not found. If ACTION-IF-FOUND is not specified, the default action
+#   will define HAVE_PTHREAD.
+#
+#   Please let the authors know if this macro fails on any platform, or if
+#   you have any other suggestions or comments. This macro was based on work
+#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
+#   grateful for the helpful feedback of numerous users.
+#
+#   Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 24
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_SED])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on Tru64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
+        ax_pthread_save_CC="$CC"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"])
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS])
+        AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes])
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test "x$ax_pthread_ok" = "xno"; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        CC="$ax_pthread_save_CC"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
+#           (Note: HP C rejects this with "bad form for `-t' option")
+# -pthreads: Solaris/gcc (Note: HP C also rejects)
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads and
+#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
+#      is present but should not be used directly; and before -mthreads,
+#      because the compiler interprets this as "-mt" + "-hreads")
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case $host_os in
+
+        freebsd*)
+
+        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+
+        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
+        ;;
+
+        hpux*)
+
+        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
+        # multi-threading and also sets -lpthread."
+
+        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
+        ;;
+
+        openedition*)
+
+        # IBM z/OS requires a feature-test macro to be defined in order to
+        # enable POSIX threads at all, so give the user a hint if this is
+        # not set. (We don't define these ourselves, as they can affect
+        # other portions of the system API in unpredictable ways.)
+
+        AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING],
+            [
+#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
+             AX_PTHREAD_ZOS_MISSING
+#            endif
+            ],
+            [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])])
+        ;;
+
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed. (N.B.: The stubs are missing
+        # pthread_cleanup_push, or rather a function called by this macro,
+        # so we could check for that, but who knows whether they'll stub
+        # that too in a future libc.)  So we'll check first for the
+        # standard Solaris way of linking pthreads (-mt -lpthread).
+
+        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
+        ;;
+esac
+
+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
+
+AS_IF([test "x$GCC" = "xyes"],
+      [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"])
+
+# The presence of a feature test macro requesting re-entrant function
+# definitions is, on some systems, a strong hint that pthreads support is
+# correctly enabled
+
+case $host_os in
+        darwin* | hpux* | linux* | osf* | solaris*)
+        ax_pthread_check_macro="_REENTRANT"
+        ;;
+
+        aix*)
+        ax_pthread_check_macro="_THREAD_SAFE"
+        ;;
+
+        *)
+        ax_pthread_check_macro="--"
+        ;;
+esac
+AS_IF([test "x$ax_pthread_check_macro" = "x--"],
+      [ax_pthread_check_cond=0],
+      [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"])
+
+# Are we compiling with Clang?
+
+AC_CACHE_CHECK([whether $CC is Clang],
+    [ax_cv_PTHREAD_CLANG],
+    [ax_cv_PTHREAD_CLANG=no
+     # Note that Autoconf sets GCC=yes for Clang as well as GCC
+     if test "x$GCC" = "xyes"; then
+        AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG],
+            [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
+#            if defined(__clang__) && defined(__llvm__)
+             AX_PTHREAD_CC_IS_CLANG
+#            endif
+            ],
+            [ax_cv_PTHREAD_CLANG=yes])
+     fi
+    ])
+ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
+
+ax_pthread_clang_warning=no
+
+# Clang needs special handling, because older versions handle the -pthread
+# option in a rather... idiosyncratic way
+
+if test "x$ax_pthread_clang" = "xyes"; then
+
+        # Clang takes -pthread; it has never supported any other flag
+
+        # (Note 1: This will need to be revisited if a system that Clang
+        # supports has POSIX threads in a separate library.  This tends not
+        # to be the way of modern systems, but it's conceivable.)
+
+        # (Note 2: On some systems, notably Darwin, -pthread is not needed
+        # to get POSIX threads support; the API is always present and
+        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
+        # -pthread does define _REENTRANT, and while the Darwin headers
+        # ignore this macro, third-party headers might not.)
+
+        PTHREAD_CFLAGS="-pthread"
+        PTHREAD_LIBS=
+
+        ax_pthread_ok=yes
+
+        # However, older versions of Clang make a point of warning the user
+        # that, in an invocation where only linking and no compilation is
+        # taking place, the -pthread option has no effect ("argument unused
+        # during compilation").  They expect -pthread to be passed in only
+        # when source code is being compiled.
+        #
+        # Problem is, this is at odds with the way Automake and most other
+        # C build frameworks function, which is that the same flags used in
+        # compilation (CFLAGS) are also used in linking.  Many systems
+        # supported by AX_PTHREAD require exactly this for POSIX threads
+        # support, and in fact it is often not straightforward to specify a
+        # flag that is used only in the compilation phase and not in
+        # linking.  Such a scenario is extremely rare in practice.
+        #
+        # Even though use of the -pthread flag in linking would only print
+        # a warning, this can be a nuisance for well-run software projects
+        # that build with -Werror.  So if the active version of Clang has
+        # this misfeature, we search for an option to squash it.
+
+        AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
+             # Create an alternate version of $ac_link that compiles and
+             # links in two steps (.c -> .o, .o -> exe) instead of one
+             # (.c -> exe), because the warning occurs only in the second
+             # step
+             ax_pthread_save_ac_link="$ac_link"
+             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
+             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
+             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
+             ax_pthread_save_CFLAGS="$CFLAGS"
+             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
+                AS_IF([test "x$ax_pthread_try" = "xunknown"], [break])
+                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
+                ac_link="$ax_pthread_save_ac_link"
+                AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                    [ac_link="$ax_pthread_2step_ac_link"
+                     AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                         [break])
+                    ])
+             done
+             ac_link="$ax_pthread_save_ac_link"
+             CFLAGS="$ax_pthread_save_CFLAGS"
+             AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no])
+             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
+            ])
+
+        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
+                no | unknown) ;;
+                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
+        esac
+
+fi # $ax_pthread_clang = yes
+
+if test "x$ax_pthread_ok" = "xno"; then
+for ax_pthread_try_flag in $ax_pthread_flags; do
+
+        case $ax_pthread_try_flag in
+                none)
+                AC_MSG_CHECKING([whether pthreads work without any flags])
+                ;;
+
+                -mt,pthread)
+                AC_MSG_CHECKING([whether pthreads work with -mt -lpthread])
+                PTHREAD_CFLAGS="-mt"
+                PTHREAD_LIBS="-lpthread"
+                ;;
+
+                -*)
+                AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag])
+                PTHREAD_CFLAGS="$ax_pthread_try_flag"
+                ;;
+
+                pthread-config)
+                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
+                AS_IF([test "x$ax_pthread_config" = "xno"], [continue])
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag])
+                PTHREAD_LIBS="-l$ax_pthread_try_flag"
+                ;;
+        esac
+
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+#                       if $ax_pthread_check_cond
+#                        error "$ax_pthread_check_macro must be defined"
+#                       endif
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }],
+                       [pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */])],
+            [ax_pthread_ok=yes],
+            [])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        AC_MSG_RESULT([$ax_pthread_ok])
+        AS_IF([test "x$ax_pthread_ok" = "xyes"], [break])
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        AC_CACHE_CHECK([for joinable pthread attribute],
+            [ax_cv_PTHREAD_JOINABLE_ATTR],
+            [ax_cv_PTHREAD_JOINABLE_ATTR=unknown
+             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+                 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+                                                 [int attr = $ax_pthread_attr; return attr /* ; */])],
+                                [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break],
+                                [])
+             done
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
+               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
+               test "x$ax_pthread_joinable_attr_defined" != "xyes"],
+              [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE],
+                                  [$ax_cv_PTHREAD_JOINABLE_ATTR],
+                                  [Define to necessary symbol if this constant
+                                   uses a non-standard name on your system.])
+               ax_pthread_joinable_attr_defined=yes
+              ])
+
+        AC_CACHE_CHECK([whether more special flags are required for pthreads],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS=no
+             case $host_os in
+             solaris*)
+             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
+             ;;
+             esac
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
+               test "x$ax_pthread_special_flags_added" != "xyes"],
+              [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
+               ax_pthread_special_flags_added=yes])
+
+        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+            [ax_cv_PTHREAD_PRIO_INHERIT],
+            [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
+                                             [[int i = PTHREAD_PRIO_INHERIT;]])],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=no])
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
+               test "x$ax_pthread_prio_inherit_defined" != "xyes"],
+              [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])
+               ax_pthread_prio_inherit_defined=yes
+              ])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != "xyes"; then
+            case $host_os in
+                aix*)
+                AS_CASE(["x/$CC"],
+                    [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
+                    [#handle absolute path differently from PATH based program lookup
+                     AS_CASE(["x$CC"],
+                         [x/*],
+                         [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
+                         [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+AC_SUBST([PTHREAD_LIBS])
+AC_SUBST([PTHREAD_CFLAGS])
+AC_SUBST([PTHREAD_CC])
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
+        :
+else
+        ax_pthread_ok=no
+        $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
diff --git a/src/config/ac-archive/ax_recursive_eval.m4 b/src/config/ac-archive/ax_recursive_eval.m4
new file mode 100644
index 000000000000..0625aca2255d
--- /dev/null
+++ b/src/config/ac-archive/ax_recursive_eval.m4
@@ -0,0 +1,56 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_recursive_eval.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_RECURSIVE_EVAL(VALUE, RESULT)
+#
+# DESCRIPTION
+#
+#   Interpolate the VALUE in loop until it doesn't change, and set the
+#   result to $RESULT. WARNING: It's easy to get an infinite loop with some
+#   unsane input.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Alexandre Duret-Lutz <adl@gnu.org>
+#
+#   This program is free software; you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation; either version 2 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 1
+
+AC_DEFUN([AX_RECURSIVE_EVAL],
+[_lcl_receval="$1"
+$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix"
+     test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
+     _lcl_receval_old=''
+     while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do
+       _lcl_receval_old="[$]_lcl_receval"
+       eval _lcl_receval="\"[$]_lcl_receval\""
+     done
+     echo "[$]_lcl_receval")`])
diff --git a/src/config/ac-archive/relpaths.m4 b/src/config/ac-archive/relpaths.m4
deleted file mode 100644
index 15f24b3347e2..000000000000
--- a/src/config/ac-archive/relpaths.m4
+++ /dev/null
@@ -1,155 +0,0 @@
-dnl @synopsis adl_COMPUTE_RELATIVE_PATHS(PATH_LIST)
-dnl
-dnl PATH_LIST is a space-separated list of colon-separated triplets of
-dnl the form 'FROM:TO:RESULT'. This function iterates over these
-dnl triplets and set $RESULT to the relative path from $FROM to $TO.
-dnl Note that $FROM and $TO needs to be absolute filenames for this
-dnl macro to success.
-dnl
-dnl For instance,
-dnl
-dnl    first=/usr/local/bin
-dnl    second=/usr/local/share
-dnl    adl_COMPUTE_RELATIVE_PATHS([first:second:fs second:first:sf])
-dnl    # $fs is set to ../share
-dnl    # $sf is set to ../bin
-dnl
-dnl $FROM and $TO are both eval'ed recursively and normalized, this
-dnl means that you can call this macro with autoconf's dirnames like
-dnl `prefix' or `datadir'. For example:
-dnl
-dnl    adl_COMPUTE_RELATIVE_PATHS([bindir:datadir:bin_to_data])
-dnl
-dnl adl_COMPUTE_RELATIVE_PATHS should also works with DOS filenames.
-dnl
-dnl You may want to use this macro in order to make your package
-dnl relocatable. Instead of hardcoding $datadir into your programs just
-dnl encode $bin_to_data and try to determine $bindir at run-time.
-dnl
-dnl This macro requires adl_NORMALIZE_PATH.
-dnl
-dnl @category Misc
-dnl @author Alexandre Duret-Lutz <duret_g@epita.fr>
-dnl @version 2001-05-25
-dnl @license GPLWithACException
-
-AC_DEFUN([adl_COMPUTE_RELATIVE_PATHS],
-[for _lcl_i in $1; do
-  _lcl_from=\[$]`echo "[$]_lcl_i" | sed 's,:.*$,,'`
-  _lcl_to=\[$]`echo "[$]_lcl_i" | sed 's,^[[^:]]*:,,' | sed 's,:[[^:]]*$,,'`
-  _lcl_result_var=`echo "[$]_lcl_i" | sed 's,^.*:,,'`
-  adl_RECURSIVE_EVAL([[$]_lcl_from], [_lcl_from])
-  adl_RECURSIVE_EVAL([[$]_lcl_to], [_lcl_to])
-  _lcl_notation="$_lcl_from$_lcl_to"
-  adl_NORMALIZE_PATH([_lcl_from],['/'])
-  adl_NORMALIZE_PATH([_lcl_to],['/'])
-  adl_COMPUTE_RELATIVE_PATH([_lcl_from], [_lcl_to], [_lcl_result_tmp])
-  adl_NORMALIZE_PATH([_lcl_result_tmp],["[$]_lcl_notation"])
-  eval $_lcl_result_var='[$]_lcl_result_tmp'
-done])
-
-## Note:
-## *****
-## The following helper macros are too fragile to be used out
-## of adl_COMPUTE_RELATIVE_PATHS (mainly because they assume that
-## paths are normalized), that's why I'm keeping them in the same file.
-## Still, some of them maybe worth to reuse.
-
-dnl adl_COMPUTE_RELATIVE_PATH(FROM, TO, RESULT)
-dnl ===========================================
-dnl Compute the relative path to go from $FROM to $TO and set the value
-dnl of $RESULT to that value.  This function work on raw filenames
-dnl (for instead it will considerate /usr//local and /usr/local as
-dnl two distinct paths), you should really use adl_COMPUTE_REALTIVE_PATHS
-dnl instead to have the paths sanitized automatically.
-dnl
-dnl For instance:
-dnl    first_dir=/somewhere/on/my/disk/bin
-dnl    second_dir=/somewhere/on/another/disk/share
-dnl    adl_COMPUTE_RELATIVE_PATH(first_dir, second_dir, first_to_second)
-dnl will set $first_to_second to '../../../another/disk/share'.
-AC_DEFUN([adl_COMPUTE_RELATIVE_PATH],
-[adl_COMPUTE_COMMON_PATH([$1], [$2], [_lcl_common_prefix])
-adl_COMPUTE_BACK_PATH([$1], [_lcl_common_prefix], [_lcl_first_rel])
-adl_COMPUTE_SUFFIX_PATH([$2], [_lcl_common_prefix], [_lcl_second_suffix])
-$3="[$]_lcl_first_rel[$]_lcl_second_suffix"])
-
-dnl adl_COMPUTE_COMMON_PATH(LEFT, RIGHT, RESULT)
-dnl ============================================
-dnl Compute the common path to $LEFT and $RIGHT and set the result to $RESULT.
-dnl
-dnl For instance:
-dnl    first_path=/somewhere/on/my/disk/bin
-dnl    second_path=/somewhere/on/another/disk/share
-dnl    adl_COMPUTE_COMMON_PATH(first_path, second_path, common_path)
-dnl will set $common_path to '/somewhere/on'.
-AC_DEFUN([adl_COMPUTE_COMMON_PATH],
-[$3=''
-_lcl_second_prefix_match=''
-while test "[$]_lcl_second_prefix_match" != 0; do
-  _lcl_first_prefix=`expr "x[$]$1" : "x\([$]$3/*[[^/]]*\)"`
-  _lcl_second_prefix_match=`expr "x[$]$2" : "x[$]_lcl_first_prefix"`
-  if test "[$]_lcl_second_prefix_match" != 0; then
-    if test "[$]_lcl_first_prefix" != "[$]$3"; then
-      $3="[$]_lcl_first_prefix"
-    else
-      _lcl_second_prefix_match=0
-    fi
-  fi
-done])
-
-dnl adl_COMPUTE_SUFFIX_PATH(PATH, SUBPATH, RESULT)
-dnl ==============================================
-dnl Substrack $SUBPATH from $PATH, and set the resulting suffix
-dnl (or the empty string if $SUBPATH is not a subpath of $PATH)
-dnl to $RESULT.
-dnl
-dnl For instace:
-dnl    first_path=/somewhere/on/my/disk/bin
-dnl    second_path=/somewhere/on
-dnl    adl_COMPUTE_SUFFIX_PATH(first_path, second_path, common_path)
-dnl will set $common_path to '/my/disk/bin'.
-AC_DEFUN([adl_COMPUTE_SUFFIX_PATH],
-[$3=`expr "x[$]$1" : "x[$]$2/*\(.*\)"`])
-
-dnl adl_COMPUTE_BACK_PATH(PATH, SUBPATH, RESULT)
-dnl ============================================
-dnl Compute the relative path to go from $PATH to $SUBPATH, knowing that
-dnl $SUBPATH is a subpath of $PATH (any other words, only repeated '../'
-dnl should be needed to move from $PATH to $SUBPATH) and set the value
-dnl of $RESULT to that value.  If $SUBPATH is not a subpath of PATH,
-dnl set $RESULT to the empty string.
-dnl
-dnl For instance:
-dnl    first_path=/somewhere/on/my/disk/bin
-dnl    second_path=/somewhere/on
-dnl    adl_COMPUTE_BACK_PATH(first_path, second_path, back_path)
-dnl will set $back_path to '../../../'.
-AC_DEFUN([adl_COMPUTE_BACK_PATH],
-[adl_COMPUTE_SUFFIX_PATH([$1], [$2], [_lcl_first_suffix])
-$3=''
-_lcl_tmp='xxx'
-while test "[$]_lcl_tmp" != ''; do
-  _lcl_tmp=`expr "x[$]_lcl_first_suffix" : "x[[^/]]*/*\(.*\)"`
-  if test "[$]_lcl_first_suffix" != ''; then
-     _lcl_first_suffix="[$]_lcl_tmp"
-     $3="../[$]$3"
-  fi
-done])
-
-
-dnl adl_RECURSIVE_EVAL(VALUE, RESULT)
-dnl =================================
-dnl Interpolate the VALUE in loop until it doesn't change,
-dnl and set the result to $RESULT.
-dnl WARNING: It's easy to get an infinite loop with some unsane input.
-AC_DEFUN([adl_RECURSIVE_EVAL],
-[_lcl_receval="$1"
-$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix"
-     test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
-     _lcl_receval_old=''
-     while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do
-       _lcl_receval_old="[$]_lcl_receval"
-       eval _lcl_receval="\"[$]_lcl_receval\""
-     done
-     echo "[$]_lcl_receval")`])
diff --git a/src/config/config.guess b/src/config/config.guess
index c4bd827a7bed..31e01efec3e3 100755
--- a/src/config/config.guess
+++ b/src/config/config.guess
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2016 Free Software Foundation, Inc.
+#   Copyright 1992-2017 Free Software Foundation, Inc.
 
-timestamp='2016-05-15'
+timestamp='2017-11-07'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -15,7 +15,7 @@ timestamp='2016-05-15'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -27,7 +27,7 @@ timestamp='2016-05-15'
 # Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
 #
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 #
 # Please send patches to <config-patches@gnu.org>.
 
@@ -39,7 +39,7 @@ Usage: $0 [OPTION]
 
 Output the configuration name of the system \`$me' is run on.
 
-Operation modes:
+Options:
   -h, --help         print this help, then exit
   -t, --time-stamp   print date of last modification, then exit
   -v, --version      print version number, then exit
@@ -50,7 +50,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright 1992-2016 Free Software Foundation, Inc.
+Copyright 1992-2017 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -244,6 +244,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
 	echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
 	exit ;;
+    *:MidnightBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-midnightbsd${UNAME_RELEASE}
+	exit ;;
     *:ekkoBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
 	exit ;;
@@ -259,6 +262,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     *:Sortix:*:*)
 	echo ${UNAME_MACHINE}-unknown-sortix
 	exit ;;
+    *:Redox:*:*)
+	echo ${UNAME_MACHINE}-unknown-redox
+	exit ;;
     alpha:OSF1:*:*)
 	case $UNAME_RELEASE in
 	*4.0)
@@ -315,15 +321,6 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	exitcode=$?
 	trap '' 0
 	exit $exitcode ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit ;;
     Amiga*:UNIX_System_V:4.0:*)
 	echo m68k-unknown-sysv4
 	exit ;;
@@ -485,13 +482,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 #endif
 	#if defined (host_mips) && defined (MIPSEB)
 	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0);
 	#endif
 	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0);
 	#endif
 	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0);
 	#endif
 	#endif
 	  exit (-1);
@@ -614,7 +611,7 @@ EOF
     *:AIX:*:*)
 	echo rs6000-ibm-aix
 	exit ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+    ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*)
 	echo romp-ibm-bsd4.4
 	exit ;;
     ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
@@ -635,8 +632,8 @@ EOF
     9000/[34678]??:HP-UX:*:*)
 	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/31?)            HP_ARCH=m68000 ;;
+	    9000/[34]??)         HP_ARCH=m68k ;;
 	    9000/[678][0-9][0-9])
 		if [ -x /usr/bin/getconf ]; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
@@ -749,7 +746,7 @@ EOF
 		{ echo "$SYSTEM_NAME"; exit; }
 	echo unknown-hitachi-hiuxwe2
 	exit ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*)
 	echo hppa1.1-hp-bsd
 	exit ;;
     9000/8??:4.3bsd:*:*)
@@ -758,7 +755,7 @@ EOF
     *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
 	echo hppa1.0-hp-mpeix
 	exit ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*)
 	echo hppa1.1-hp-osf
 	exit ;;
     hp8??:OSF1:*:*)
@@ -837,10 +834,11 @@ EOF
 	UNAME_PROCESSOR=`/usr/bin/uname -p`
 	case ${UNAME_PROCESSOR} in
 	    amd64)
-		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-	    *)
-		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+		UNAME_PROCESSOR=x86_64 ;;
+	    i386)
+		UNAME_PROCESSOR=i586 ;;
 	esac
+	echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit ;;
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
@@ -854,10 +852,6 @@ EOF
     *:MSYS*:*)
 	echo ${UNAME_MACHINE}-pc-msys
 	exit ;;
-    i*:windows32*:*)
-	# uname -m includes "-pc" on this system.
-	echo ${UNAME_MACHINE}-mingw32
-	exit ;;
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
@@ -873,27 +867,12 @@ EOF
 		echo ia64-unknown-interix${UNAME_RELEASE}
 		exit ;;
 	esac ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit ;;
-    8664:Windows_NT:*)
-	echo x86_64-pc-mks
-	exit ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit ;;
     i*:UWIN*:*)
 	echo ${UNAME_MACHINE}-pc-uwin
 	exit ;;
     amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
 	echo x86_64-unknown-cygwin
 	exit ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit ;;
     prep*:SunOS:5.*:*)
 	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
@@ -1000,6 +979,9 @@ EOF
 	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
 	;;
+    mips64el:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     openrisc*:Linux:*:*)
 	echo or1k-unknown-linux-${LIBC}
 	exit ;;
@@ -1032,6 +1014,9 @@ EOF
     ppcle:Linux:*:*)
 	echo powerpcle-unknown-linux-${LIBC}
 	exit ;;
+    riscv32:Linux:*:* | riscv64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
 	echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
 	exit ;;
@@ -1090,7 +1075,7 @@ EOF
     i*86:*DOS:*:*)
 	echo ${UNAME_MACHINE}-pc-msdosdjgpp
 	exit ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+    i*86:*:4.*:*)
 	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
 	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
 		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
@@ -1297,14 +1282,21 @@ EOF
 	if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
 	    if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
 		if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
-		    (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
-		    grep IS_64BIT_ARCH >/dev/null
+		       (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		       grep IS_64BIT_ARCH >/dev/null
 		then
 		    case $UNAME_PROCESSOR in
 			i386) UNAME_PROCESSOR=x86_64 ;;
 			powerpc) UNAME_PROCESSOR=powerpc64 ;;
 		    esac
 		fi
+		# On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc
+		if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \
+		       (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		       grep IS_PPC >/dev/null
+		then
+		    UNAME_PROCESSOR=powerpc
+		fi
 	    fi
 	elif test "$UNAME_PROCESSOR" = i386 ; then
 	    # Avoid executing cc on OS X 10.9, as it ships with a stub
@@ -1328,15 +1320,18 @@ EOF
     *:QNX:*:4*)
 	echo i386-pc-qnx
 	exit ;;
-    NEO-?:NONSTOP_KERNEL:*:*)
+    NEO-*:NONSTOP_KERNEL:*:*)
 	echo neo-tandem-nsk${UNAME_RELEASE}
 	exit ;;
     NSE-*:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
-    NSR-?:NONSTOP_KERNEL:*:*)
+    NSR-*:NONSTOP_KERNEL:*:*)
 	echo nsr-tandem-nsk${UNAME_RELEASE}
 	exit ;;
+    NSX-*:NONSTOP_KERNEL:*:*)
+	echo nsx-tandem-nsk${UNAME_RELEASE}
+	exit ;;
     *:NonStop-UX:*:*)
 	echo mips-compaq-nonstopux
 	exit ;;
@@ -1408,16 +1403,28 @@ EOF
 	exit ;;
 esac
 
+echo "$0: unable to guess system type" >&2
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}" in
+    mips:Linux | mips64:Linux)
+	# If we got here on MIPS GNU/Linux, output extra information.
+	cat >&2 <<EOF
+
+NOTE: MIPS GNU/Linux systems require a C compiler to fully recognize
+the system type. Please install a C compiler and try again.
+EOF
+	;;
+esac
+
 cat >&2 <<EOF
-$0: unable to guess system type
 
 This script (version $timestamp), has failed to recognize the
-operating system you are using. If your script is old, overwrite
-config.guess and config.sub with the latest versions from:
+operating system you are using. If your script is old, overwrite *all*
+copies of config.guess and config.sub with the latest versions from:
 
-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+  https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 and
-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
+  https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
 
 If $0 has already been updated, send the following data and any
 information you think might be pertinent to config-patches@gnu.org to
@@ -1449,7 +1456,7 @@ EOF
 exit 1
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'write-file-functions 'time-stamp)
 # time-stamp-start: "timestamp='"
 # time-stamp-format: "%:y-%02m-%02d"
 # time-stamp-end: "'"
diff --git a/src/config/config.sub b/src/config/config.sub
index a1f8229449d2..00f68b8e5f3d 100755
--- a/src/config/config.sub
+++ b/src/config/config.sub
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright 1992-2016 Free Software Foundation, Inc.
+#   Copyright 1992-2017 Free Software Foundation, Inc.
 
-timestamp='2016-08-25'
+timestamp='2017-11-23'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -15,7 +15,7 @@ timestamp='2016-08-25'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -33,7 +33,7 @@ timestamp='2016-08-25'
 # Otherwise, we print the canonical config type on stdout and succeed.
 
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
+# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
 
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
@@ -57,7 +57,7 @@ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
 
 Canonicalize a configuration name.
 
-Operation modes:
+Options:
   -h, --help         print this help, then exit
   -t, --time-stamp   print date of last modification, then exit
   -v, --version      print version number, then exit
@@ -67,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright 1992-2016 Free Software Foundation, Inc.
+Copyright 1992-2017 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -117,7 +117,7 @@ case $maybe_os in
   nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
   linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
   knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
-  kopensolaris*-gnu* | \
+  kopensolaris*-gnu* | cloudabi*-eabi* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
@@ -229,9 +229,6 @@ case $os in
 	-ptx*)
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
 		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
-		;;
 	-psos*)
 		os=-psos
 		;;
@@ -263,7 +260,7 @@ case $basic_machine in
 	| fido | fr30 | frv | ft32 \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| hexagon \
-	| i370 | i860 | i960 | ia64 \
+	| i370 | i860 | i960 | ia16 | ia64 \
 	| ip2k | iq2000 \
 	| k1om \
 	| le32 | le64 \
@@ -301,6 +298,7 @@ case $basic_machine in
 	| open8 | or1k | or1knd | or32 \
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle \
+	| pru \
 	| pyramid \
 	| riscv32 | riscv64 \
 	| rl78 | rx \
@@ -314,7 +312,7 @@ case $basic_machine in
 	| ubicom32 \
 	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| visium \
-	| we32k \
+	| wasm32 \
 	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
@@ -387,7 +385,7 @@ case $basic_machine in
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| hexagon-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
+	| i*86-* | i860-* | i960-* | ia16-* | ia64-* \
 	| ip2k-* | iq2000-* \
 	| k1om-* \
 	| le32-* | le64-* \
@@ -428,6 +426,7 @@ case $basic_machine in
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
+	| pru-* \
 	| pyramid-* \
 	| riscv32-* | riscv64-* \
 	| rl78-* | romp-* | rs6000-* | rx-* \
@@ -444,6 +443,7 @@ case $basic_machine in
 	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
 	| vax-* \
 	| visium-* \
+	| wasm32-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
@@ -639,7 +639,7 @@ case $basic_machine in
 		basic_machine=rs6000-bull
 		os=-bosx
 		;;
-	dpx2* | dpx2*-bull)
+	dpx2*)
 		basic_machine=m68k-bull
 		os=-sysv3
 		;;
@@ -901,7 +901,7 @@ case $basic_machine in
 		basic_machine=v70-nec
 		os=-sysv
 		;;
-	next | m*-next )
+	next | m*-next)
 		basic_machine=m68k-next
 		case $os in
 		    -nextstep* )
@@ -946,6 +946,9 @@ case $basic_machine in
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
+	nsx-tandem)
+		basic_machine=nsx-tandem
+		;;
 	op50n-* | op60c-*)
 		basic_machine=hppa1.1-oki
 		os=-proelf
@@ -1241,6 +1244,9 @@ case $basic_machine in
 		basic_machine=a29k-wrs
 		os=-vxworks
 		;;
+	wasm32)
+		basic_machine=wasm32-unknown
+		;;
 	w65*)
 		basic_machine=w65-wdc
 		os=-none
@@ -1249,6 +1255,9 @@ case $basic_machine in
 		basic_machine=hppa1.1-winbond
 		os=-proelf
 		;;
+	x64)
+		basic_machine=x86_64-pc
+		;;
 	xbox)
 		basic_machine=i686-pc
 		os=-mingw32
@@ -1356,8 +1365,8 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-	# First match some system type aliases
-	# that might get confused with valid system types.
+	# First match some system type aliases that might get confused
+	# with valid system types.
 	# -solaris* is a basic system type, with this one exception.
 	-auroraux)
 		os=-auroraux
@@ -1377,9 +1386,9 @@ case $os in
 	-gnu/linux*)
 		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
 		;;
-	# First accept the basic system types.
+	# Now accept the basic system types.
 	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
+	# Each alternative MUST end in a * to match a version number.
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
@@ -1395,7 +1404,7 @@ case $os in
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* | -cegcc* \
+	      | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
 	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
 	      | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
 	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
@@ -1407,7 +1416,7 @@ case $os in
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
 	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
-	      | -onefs* | -tirtos* | -phoenix*)
+	      | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1482,7 +1491,7 @@ case $os in
 	-nova*)
 		os=-rtmk-nova
 		;;
-	-ns2 )
+	-ns2)
 		os=-nextstep2
 		;;
 	-nsk*)
@@ -1537,6 +1546,19 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
+	-pikeos*)
+		# Until real need of OS specific support for
+		# particular features comes up, bare metal
+		# configurations are quite functional.
+		case $basic_machine in
+		    arm*)
+			os=-eabi
+			;;
+		    *)
+			os=-elf
+			;;
+		esac
+		;;
 	-nacl*)
 		;;
 	-ios)
@@ -1636,6 +1658,9 @@ case $basic_machine in
 	sparc-* | *-sun)
 		os=-sunos4.1.1
 		;;
+	pru-*)
+		os=-elf
+		;;
 	*-be)
 		os=-beos
 		;;
@@ -1681,7 +1706,7 @@ case $basic_machine in
 	m88k-omron*)
 		os=-luna
 		;;
-	*-next )
+	*-next)
 		os=-nextstep
 		;;
 	*-sequent)
@@ -1816,7 +1841,7 @@ echo $basic_machine$os
 exit
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'write-file-functions 'time-stamp)
 # time-stamp-start: "timestamp='"
 # time-stamp-format: "%:y-%02m-%02d"
 # time-stamp-end: "'"
diff --git a/src/config/post.in b/src/config/post.in
index 77a9bffdf3ed..3643abad1ce0 100644
--- a/src/config/post.in
+++ b/src/config/post.in
@@ -156,7 +156,7 @@ clean: clean-$(WHAT)
 
 clean-unix::
 	$(RM) $(OBJS) $(DEPTARGETS_CLEAN) $(EXTRA_FILES)
-	$(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog
+	$(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog testtrace
 	-$(RM) -r testdir
 
 clean-windows::
@@ -185,7 +185,7 @@ $(top_srcdir)/configure: @MAINT@ \
 		$(top_srcdir)/patchlevel.h \
 		$(top_srcdir)/aclocal.m4
 	(cd $(top_srcdir) && \
-		$(AUTOCONF) --include=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS))
+		$(AUTOCONF) -f --include=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS))
 
 RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \
 	generate-files-mac-recurse \
diff --git a/src/config/pre.in b/src/config/pre.in
index e0626320c6e7..3f267eb1fec6 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -7,7 +7,7 @@
 #  srcdir=@srcdir@
 #  top_srcdir=@top_srcdir@
 # but these are only set by autoconf 2.53, and thus not useful to us on
-# Mac OS X yet (as of 10.2):
+# macOS yet (as of 10.2):
 #  abs_srcdir=@abs_srcdir@
 #  abs_top_srcdir=@abs_top_srcdir@
 #  builddir=@builddir@
@@ -402,10 +402,10 @@ HESIOD_LIBS	= @HESIOD_LIBS@
 KRB5_BASE_LIBS	= $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
 KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)
 GSS_LIBS	= $(GSS_KRB5_LIB)
-# needs fixing if ever used on Mac OS X!
+# needs fixing if ever used on macOS!
 GSSRPC_LIBS	= -lgssrpc $(GSS_LIBS)
 KADM_COMM_LIBS	= $(GSSRPC_LIBS)
-# need fixing if ever used on Mac OS X!
+# need fixing if ever used on macOS!
 KADMSRV_LIBS	= -lkadm5srv_mit $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
 KADMCLNT_LIBS	= -lkadm5clnt_mit $(KADM_COMM_LIBS)
 
@@ -435,11 +435,6 @@ TCL_INCLUDES	= @TCL_INCLUDES@
 CRYPTO_IMPL	= @CRYPTO_IMPL@
 PRNG_ALG	= @PRNG_ALG@
 
-# Crypto back-end selection and flags for PKINIT
-PKINIT_CRYPTO_IMPL		= @PKINIT_CRYPTO_IMPL@
-PKINIT_CRYPTO_IMPL_CFLAGS	= @PKINIT_CRYPTO_IMPL_CFLAGS@
-PKINIT_CRYPTO_IMPL_LIBS		= @PKINIT_CRYPTO_IMPL_LIBS@
-
 # TLS implementation selection
 TLS_IMPL	= @TLS_IMPL@
 TLS_IMPL_CFLAGS = @TLS_IMPL_CFLAGS@
@@ -451,6 +446,8 @@ HAVE_SASL = @HAVE_SASL@
 # Whether we have libresolv 1.1.5 for URI discovery tests
 HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@
 
+SIZEOF_TIME_T = @SIZEOF_TIME_T@
+
 # error table rules
 #
 ### /* these are invoked as $(...) foo.et, which works, but could be better */
diff --git a/src/configure b/src/configure
index 347016811691..dcb7bd72f350 100755
--- a/src/configure
+++ b/src/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Kerberos 5 1.15.1.
+# Generated by GNU Autoconf 2.69 for Kerberos 5 1.16.
 #
 # Report bugs to <krb5-bugs@mit.edu>.
 #
@@ -584,8 +584,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='Kerberos 5'
 PACKAGE_TARNAME='krb5'
-PACKAGE_VERSION='1.15.1'
-PACKAGE_STRING='Kerberos 5 1.15.1'
+PACKAGE_VERSION='1.16'
+PACKAGE_STRING='Kerberos 5 1.16'
 PACKAGE_BUGREPORT='krb5-bugs@mit.edu'
 PACKAGE_URL=''
 
@@ -681,6 +681,7 @@ SH5
 SH
 DO_TCL
 KRB5_RCTMPDIR
+SIZEOF_TIME_T
 SETENVOBJ
 KSU_LIBS
 EXTRA_SUPPORT_SYMS
@@ -701,9 +702,6 @@ YASM
 TLS_IMPL_LIBS
 TLS_IMPL_CFLAGS
 TLS_IMPL
-PKINIT_CRYPTO_IMPL_LIBS
-PKINIT_CRYPTO_IMPL_CFLAGS
-PKINIT_CRYPTO_IMPL
 PRNG_ALG
 CRYPTO_IMPL_LIBS
 CRYPTO_IMPL_CFLAGS
@@ -774,14 +772,15 @@ TCL_LIBPATH
 TCL_LIBS
 TCL_INCLUDES
 KRB5_VERSION
-EGREP
-GREP
 DL_LIB
 THREAD_SUPPORT
 PTHREAD_CFLAGS
 PTHREAD_LIBS
 PTHREAD_CC
-acx_pthread_config
+ax_pthread_config
+EGREP
+GREP
+SED
 krb5_cv_host
 host_os
 host_vendor
@@ -886,11 +885,11 @@ enable_rpath
 enable_profiled
 with_tcl
 enable_athena
+enable_nls
 with_vague_errors
 enable_audit_plugin
 with_crypto_impl
 with_prng_alg
-with_pkinit_crypto_impl
 with_tls_impl
 enable_aesni
 enable_kdc_lookaside_cache
@@ -1462,7 +1461,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Kerberos 5 1.15.1 to adapt to many kinds of systems.
+\`configure' configures Kerberos 5 1.16 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1532,7 +1531,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Kerberos 5 1.15.1:";;
+     short | recursive ) echo "Configuration of Kerberos 5 1.16:";;
    esac
   cat <<\_ACEOF
 
@@ -1551,6 +1550,7 @@ Optional Features:
 
   --disable-rpath         suppress run path flags in link lines
   --enable-athena         build with MIT Project Athena configuration
+  --disable-nls           disable native language support
   --enable-audit-plugin=IMPL
                           use audit plugin [ do not use audit ]
   --disable-aesni         Do not build with AES-NI support
@@ -1575,8 +1575,6 @@ Optional Packages:
   --with-vague-errors     Do not [do] send helpful errors to client
   --with-crypto-impl=IMPL use specified crypto implementation [builtin]
   --with-prng-alg=ALG     use specified PRNG algorithm. [fortuna]
-  --with-pkinit-crypto-impl=IMPL
-                          use specified pkinit crypto implementation [openssl]
   --with-tls-impl=IMPL    use specified TLS implementation [auto]
   --without-libedit       do not compile with libedit
   --with-readline         compile with GNU Readline
@@ -1674,7 +1672,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Kerberos 5 configure 1.15.1
+Kerberos 5 configure 1.16
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2238,11 +2236,194 @@ $as_echo "$ac_res" >&6; }
   eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_decl
+
+# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES
+# --------------------------------------------
+# Tries to find the compile-time value of EXPR in a program that includes
+# INCLUDES, setting VAR accordingly. Returns whether the value could be
+# computed
+ac_fn_c_compute_int ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if test "$cross_compiling" = yes; then
+    # Depending upon the size, compute the lo and hi bounds.
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) >= 0)];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_lo=0 ac_mid=0
+  while :; do
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_hi=$ac_mid; break
+else
+  as_fn_arith $ac_mid + 1 && ac_lo=$as_val
+			if test $ac_lo -le $ac_mid; then
+			  ac_lo= ac_hi=
+			  break
+			fi
+			as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  done
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) < 0)];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_hi=-1 ac_mid=-1
+  while :; do
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) >= $ac_mid)];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_lo=$ac_mid; break
+else
+  as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val
+			if test $ac_mid -le $ac_hi; then
+			  ac_lo= ac_hi=
+			  break
+			fi
+			as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  done
+else
+  ac_lo= ac_hi=
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+# Binary search between lo and hi bounds.
+while test "x$ac_lo" != "x$ac_hi"; do
+  as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_hi=$ac_mid
+else
+  as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+done
+case $ac_lo in #((
+?*) eval "$3=\$ac_lo"; ac_retval=0 ;;
+'') ac_retval=1 ;;
+esac
+  else
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+static long int longval () { return $2; }
+static unsigned long int ulongval () { return $2; }
+#include <stdio.h>
+#include <stdlib.h>
+int
+main ()
+{
+
+  FILE *f = fopen ("conftest.val", "w");
+  if (! f)
+    return 1;
+  if (($2) < 0)
+    {
+      long int i = longval ();
+      if (i != ($2))
+	return 1;
+      fprintf (f, "%ld", i);
+    }
+  else
+    {
+      unsigned long int i = ulongval ();
+      if (i != ($2))
+	return 1;
+      fprintf (f, "%lu", i);
+    }
+  /* Do not output a trailing newline, as this causes \r\n confusion
+     on some platforms.  */
+  return ferror (f) || fclose (f) != 0;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  echo >>conftest.val; read $3 <conftest.val; ac_retval=0
+else
+  ac_retval=1
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm -f conftest.val
+
+  fi
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_compute_int
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Kerberos 5 $as_me 1.15.1, which was
+It was created by Kerberos 5 $as_me 1.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3704,6 +3885,63 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
+  cflags_warning_test_flags=
+    cachevar=`echo "krb5_cv_cc_flag_-Werror=unknown-warning-option" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g`
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -Werror=unknown-warning-option" >&5
+$as_echo_n "checking if C compiler supports -Werror=unknown-warning-option... " >&6; }
+if eval \${$cachevar+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  # first try without, then with
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+1;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  old_cflags="$CFLAGS"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -Werror=unknown-warning-option"
+     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+1;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval $cachevar=yes
+else
+  eval $cachevar=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+     CFLAGS="$old_cflags"
+else
+  as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$cachevar
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  if eval test '"${'$cachevar'}"' = yes; then
+    WARN_CFLAGS="$WARN_CFLAGS -Werror=unknown-warning-option"
+  fi
+  eval flag_supported='${'$cachevar'}'
+
+  if test $flag_supported = yes; then
+    cflags_warning_test_flags=-Werror=unknown-warning-option
+  fi
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3923,6 +4161,75 @@ IFS=$ac_save_IFS
 case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
+$as_echo_n "checking for a sed that does not truncate output... " >&6; }
+if ${ac_cv_path_SED+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+            ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
+     for ac_i in 1 2 3 4 5 6 7; do
+       ac_script="$ac_script$as_nl$ac_script"
+     done
+     echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed
+     { ac_script=; unset ac_script;}
+     if test -z "$SED"; then
+  ac_path_SED_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_SED" || continue
+# Check for GNU ac_path_SED and select it if it is found.
+  # Check for GNU $ac_path_SED
+case `"$ac_path_SED" --version 2>&1` in
+*GNU*)
+  ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo '' >> "conftest.nl"
+    "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
+    if test $ac_count -gt ${ac_path_SED_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_SED="$ac_path_SED"
+      ac_path_SED_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_SED_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_SED"; then
+    as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5
+  fi
+else
+  ac_cv_path_SED=$SED
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5
+$as_echo "$ac_cv_path_SED" >&6; }
+ SED="$ac_cv_path_SED"
+  rm -f conftest.sed
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
 $as_echo_n "checking for grep that handles long lines and -e... " >&6; }
 if ${ac_cv_path_GREP+:} false; then :
@@ -4289,7 +4596,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -Wno-format-zero-length"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -Wno-format-zero-length"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4323,7 +4630,7 @@ $as_echo "$ac_res" >&6; }
 
     # Other flags here may not be supported on some versions of
     # gcc that people want to use.
-    for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do
+    for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized no-maybe-uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do
         cachevar=`echo "krb5_cv_cc_flag_-W$flag" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g`
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -W$flag" >&5
 $as_echo_n "checking if C compiler supports -W$flag... " >&6; }
@@ -4344,7 +4651,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -W$flag"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -W$flag"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4411,7 +4718,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -Werror=$flag"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -Werror=$flag"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4464,7 +4771,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -W$flag"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -W$flag"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4525,7 +4832,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -Werror-implicit-function-declaration"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -Werror-implicit-function-declaration"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4578,7 +4885,7 @@ main ()
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   old_cflags="$CFLAGS"
-     CFLAGS="$CFLAGS -Werror=implicit-function-declaration"
+     CFLAGS="$CFLAGS $cflags_warning_test_flags -Werror=implicit-function-declaration"
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -4668,8 +4975,18 @@ $as_echo "$as_me: adding -O for inline thread-support function elimination" >&6;
     # works, but it also means that declaration-in-code warnings won't
     # be issued.
     # -v -fd -errwarn=E_DECLARATION_IN_CODE ...
-    WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED"
-    WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64"
+    if test "x$krb5_ac_warn_cflags_set" = xset ; then
+      { $as_echo "$as_me:${as_lineno-$LINENO}: not adding extra warning flags because WARN_CFLAGS was set" >&5
+$as_echo "$as_me: not adding extra warning flags because WARN_CFLAGS was set" >&6;}
+    else
+      WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED"
+    fi
+    if test "x$krb5_ac_warn_cxxflags_set" = xset ; then
+      { $as_echo "$as_me:${as_lineno-$LINENO}: not adding extra warning flags because WARN_CXXFLAGS was set" >&5
+$as_echo "$as_me: not adding extra warning flags because WARN_CXXFLAGS was set" >&6;}
+    else
+      WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64"
+    fi
   fi
 fi
 
@@ -5808,28 +6125,33 @@ if test "$enable_thread_support" = yes; then
 
 
 
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-acx_pthread_ok=no
+ax_pthread_ok=no
 
 # We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on True64 or Sequent).
+# requires special compiler flags (e.g. on Tru64 or Sequent).
 # It gets checked for in the link test anyway.
 
 # First of all, check if the user has set any of the PTHREAD_LIBS,
 # etcetera environment variables, and if threads linking works using
 # them:
-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
-        save_CFLAGS="$CFLAGS"
+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
+        ax_pthread_save_CC="$CC"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        if test "x$PTHREAD_CC" != "x"; then :
+  CC="$PTHREAD_CC"
+fi
         CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        save_LIBS="$LIBS"
         LIBS="$PTHREAD_LIBS $LIBS"
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS" >&5
-$as_echo_n "checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS" >&5
+$as_echo_n "checking for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS... " >&6; }
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -5849,18 +6171,19 @@ return pthread_join ();
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  acx_pthread_ok=yes
+  ax_pthread_ok=yes
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_ok" >&5
-$as_echo "$acx_pthread_ok" >&6; }
-        if test x"$acx_pthread_ok" = xno; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5
+$as_echo "$ax_pthread_ok" >&6; }
+        if test "x$ax_pthread_ok" = "xno"; then
                 PTHREAD_LIBS=""
                 PTHREAD_CFLAGS=""
         fi
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
+        CC="$ax_pthread_save_CC"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
 fi
 
 # We must check for the threads library under a number of different
@@ -5873,7 +6196,7 @@ fi
 # which indicates that we try without any flags at all, and "pthread-config"
 # which is a program returning the flags for the Pth emulation library.
 
-acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
 
 # The ordering *is* (sometimes) important.  Some notes on the
 # individual items follow:
@@ -5882,58 +6205,269 @@ acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -m
 # none: in case threads are in libc; should be tried before -Kthread and
 #       other compiler flags to prevent continual compiler warnings
 # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
-# -pthreads: Solaris/gcc
-# -mthreads: Mingw32/gcc, Lynx/gcc
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
+#           (Note: HP C rejects this with "bad form for `-t' option")
+# -pthreads: Solaris/gcc (Note: HP C also rejects)
 # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-#      doesn't hurt to check since this sometimes defines pthreads too;
-#      also defines -D_REENTRANT)
+#      doesn't hurt to check since this sometimes defines pthreads and
+#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
+#      is present but should not be used directly; and before -mthreads,
+#      because the compiler interprets this as "-mt" + "-hreads")
+# -mthreads: Mingw32/gcc, Lynx/gcc
 # pthread: Linux, etcetera
 # --thread-safe: KAI C++
 # pthread-config: use pthread-config program (for GNU Pth library)
 
-case "${host_cpu}-${host_os}" in
-        *solaris*)
+case $host_os in
+
+        freebsd*)
+
+        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+
+        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
+        ;;
+
+        hpux*)
+
+        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
+        # multi-threading and also sets -lpthread."
+
+        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
+        ;;
+
+        openedition*)
+
+        # IBM z/OS requires a feature-test macro to be defined in order to
+        # enable POSIX threads at all, so give the user a hint if this is
+        # not set. (We don't define these ourselves, as they can affect
+        # other portions of the system API in unpredictable ways.)
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
+             AX_PTHREAD_ZOS_MISSING
+#            endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "AX_PTHREAD_ZOS_MISSING" >/dev/null 2>&1; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support." >&5
+$as_echo "$as_me: WARNING: IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support." >&2;}
+fi
+rm -f conftest*
+
+        ;;
+
+        solaris*)
 
         # On Solaris (at least, for some versions), libc contains stubbed
         # (non-functional) versions of the pthreads routines, so link-based
-        # tests will erroneously succeed.  (We need to link with -pthread or
-        # -lpthread.)  (The stubs are missing pthread_cleanup_push, or rather
-        # a function called by this macro, so we could check for that, but
-        # who knows whether they'll stub that too in a future libc.)  So,
-        # we'll just look for -pthreads and -lpthread first:
+        # tests will erroneously succeed. (N.B.: The stubs are missing
+        # pthread_cleanup_push, or rather a function called by this macro,
+        # so we could check for that, but who knows whether they'll stub
+        # that too in a future libc.)  So we'll check first for the
+        # standard Solaris way of linking pthreads (-mt -lpthread).
+
+        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
+        ;;
+esac
+
+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
+
+if test "x$GCC" = "xyes"; then :
+  ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"
+fi
+
+# The presence of a feature test macro requesting re-entrant function
+# definitions is, on some systems, a strong hint that pthreads support is
+# correctly enabled
 
-        acx_pthread_flags="-pthread -pthreads pthread -mt $acx_pthread_flags"
+case $host_os in
+        darwin* | hpux* | linux* | osf* | solaris*)
+        ax_pthread_check_macro="_REENTRANT"
+        ;;
+
+        aix*)
+        ax_pthread_check_macro="_THREAD_SAFE"
+        ;;
+
+        *)
+        ax_pthread_check_macro="--"
         ;;
 esac
+if test "x$ax_pthread_check_macro" = "x--"; then :
+  ax_pthread_check_cond=0
+else
+  ax_pthread_check_cond="!defined($ax_pthread_check_macro)"
+fi
 
-if test x"$acx_pthread_ok" = xno; then
-for flag in $acx_pthread_flags; do
+# Are we compiling with Clang?
 
-        case $flag in
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC is Clang" >&5
+$as_echo_n "checking whether $CC is Clang... " >&6; }
+if ${ax_cv_PTHREAD_CLANG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_CLANG=no
+     # Note that Autoconf sets GCC=yes for Clang as well as GCC
+     if test "x$GCC" = "xyes"; then
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
+#            if defined(__clang__) && defined(__llvm__)
+             AX_PTHREAD_CC_IS_CLANG
+#            endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "AX_PTHREAD_CC_IS_CLANG" >/dev/null 2>&1; then :
+  ax_cv_PTHREAD_CLANG=yes
+fi
+rm -f conftest*
+
+     fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_CLANG" >&5
+$as_echo "$ax_cv_PTHREAD_CLANG" >&6; }
+ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
+
+ax_pthread_clang_warning=no
+
+# Clang needs special handling, because older versions handle the -pthread
+# option in a rather... idiosyncratic way
+
+if test "x$ax_pthread_clang" = "xyes"; then
+
+        # Clang takes -pthread; it has never supported any other flag
+
+        # (Note 1: This will need to be revisited if a system that Clang
+        # supports has POSIX threads in a separate library.  This tends not
+        # to be the way of modern systems, but it's conceivable.)
+
+        # (Note 2: On some systems, notably Darwin, -pthread is not needed
+        # to get POSIX threads support; the API is always present and
+        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
+        # -pthread does define _REENTRANT, and while the Darwin headers
+        # ignore this macro, third-party headers might not.)
+
+        PTHREAD_CFLAGS="-pthread"
+        PTHREAD_LIBS=
+
+        ax_pthread_ok=yes
+
+        # However, older versions of Clang make a point of warning the user
+        # that, in an invocation where only linking and no compilation is
+        # taking place, the -pthread option has no effect ("argument unused
+        # during compilation").  They expect -pthread to be passed in only
+        # when source code is being compiled.
+        #
+        # Problem is, this is at odds with the way Automake and most other
+        # C build frameworks function, which is that the same flags used in
+        # compilation (CFLAGS) are also used in linking.  Many systems
+        # supported by AX_PTHREAD require exactly this for POSIX threads
+        # support, and in fact it is often not straightforward to specify a
+        # flag that is used only in the compilation phase and not in
+        # linking.  Such a scenario is extremely rare in practice.
+        #
+        # Even though use of the -pthread flag in linking would only print
+        # a warning, this can be a nuisance for well-run software projects
+        # that build with -Werror.  So if the active version of Clang has
+        # this misfeature, we search for an option to squash it.
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether Clang needs flag to prevent \"argument unused\" warning when linking with -pthread" >&5
+$as_echo_n "checking whether Clang needs flag to prevent \"argument unused\" warning when linking with -pthread... " >&6; }
+if ${ax_cv_PTHREAD_CLANG_NO_WARN_FLAG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
+             # Create an alternate version of $ac_link that compiles and
+             # links in two steps (.c -> .o, .o -> exe) instead of one
+             # (.c -> exe), because the warning occurs only in the second
+             # step
+             ax_pthread_save_ac_link="$ac_link"
+             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
+             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
+             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
+             ax_pthread_save_CFLAGS="$CFLAGS"
+             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
+                if test "x$ax_pthread_try" = "xunknown"; then :
+  break
+fi
+                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
+                ac_link="$ax_pthread_save_ac_link"
+                cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int main(void){return 0;}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_link="$ax_pthread_2step_ac_link"
+                     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int main(void){return 0;}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  break
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+             done
+             ac_link="$ax_pthread_save_ac_link"
+             CFLAGS="$ax_pthread_save_CFLAGS"
+             if test "x$ax_pthread_try" = "x"; then :
+  ax_pthread_try=no
+fi
+             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" >&5
+$as_echo "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" >&6; }
+
+        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
+                no | unknown) ;;
+                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
+        esac
+
+fi # $ax_pthread_clang = yes
+
+if test "x$ax_pthread_ok" = "xno"; then
+for ax_pthread_try_flag in $ax_pthread_flags; do
+
+        case $ax_pthread_try_flag in
                 none)
                 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work without any flags" >&5
 $as_echo_n "checking whether pthreads work without any flags... " >&6; }
                 ;;
 
+                -mt,pthread)
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with -mt -lpthread" >&5
+$as_echo_n "checking whether pthreads work with -mt -lpthread... " >&6; }
+                PTHREAD_CFLAGS="-mt"
+                PTHREAD_LIBS="-lpthread"
+                ;;
+
                 -*)
-                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $flag" >&5
-$as_echo_n "checking whether pthreads work with $flag... " >&6; }
-                PTHREAD_CFLAGS="$flag"
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $ax_pthread_try_flag" >&5
+$as_echo_n "checking whether pthreads work with $ax_pthread_try_flag... " >&6; }
+                PTHREAD_CFLAGS="$ax_pthread_try_flag"
                 ;;
 
-		pthread-config)
-		# Extract the first word of "pthread-config", so it can be a program name with args.
+                pthread-config)
+                # Extract the first word of "pthread-config", so it can be a program name with args.
 set dummy pthread-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_acx_pthread_config+:} false; then :
+if ${ac_cv_prog_ax_pthread_config+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$acx_pthread_config"; then
-  ac_cv_prog_acx_pthread_config="$acx_pthread_config" # Let the user override the test.
+  if test -n "$ax_pthread_config"; then
+  ac_cv_prog_ax_pthread_config="$ax_pthread_config" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -5942,7 +6476,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
   if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_acx_pthread_config="yes"
+    ac_cv_prog_ax_pthread_config="yes"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -5950,35 +6484,37 @@ done
   done
 IFS=$as_save_IFS
 
-  test -z "$ac_cv_prog_acx_pthread_config" && ac_cv_prog_acx_pthread_config="no"
+  test -z "$ac_cv_prog_ax_pthread_config" && ac_cv_prog_ax_pthread_config="no"
 fi
 fi
-acx_pthread_config=$ac_cv_prog_acx_pthread_config
-if test -n "$acx_pthread_config"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_config" >&5
-$as_echo "$acx_pthread_config" >&6; }
+ax_pthread_config=$ac_cv_prog_ax_pthread_config
+if test -n "$ax_pthread_config"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_config" >&5
+$as_echo "$ax_pthread_config" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
 
-		if test x"$acx_pthread_config" = xno; then continue; fi
-		PTHREAD_CFLAGS="`pthread-config --cflags`"
-		PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
-		;;
+                if test "x$ax_pthread_config" = "xno"; then :
+  continue
+fi
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
 
                 *)
-                { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$flag" >&5
-$as_echo_n "checking for the pthreads library -l$flag... " >&6; }
-                PTHREAD_LIBS="-l$flag"
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$ax_pthread_try_flag" >&5
+$as_echo_n "checking for the pthreads library -l$ax_pthread_try_flag... " >&6; }
+                PTHREAD_LIBS="-l$ax_pthread_try_flag"
                 ;;
         esac
 
-        save_LIBS="$LIBS"
-        save_CFLAGS="$CFLAGS"
-        LIBS="$PTHREAD_LIBS $LIBS"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
         CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
 
         # Check for various functions.  We must include pthread.h,
         # since some functions may be macros.  (On the Sequent, we
@@ -5989,33 +6525,42 @@ $as_echo_n "checking for the pthreads library -l$flag... " >&6; }
         # pthread_cleanup_push because it is one of the few pthread
         # functions on Solaris that doesn't have a non-functional libc stub.
         # We try pthread_create on general principles.
+
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <pthread.h>
+#                       if $ax_pthread_check_cond
+#                        error "$ax_pthread_check_macro must be defined"
+#                       endif
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }
 int
 main ()
 {
-pthread_t th; pthread_join(th, 0);
-                     pthread_attr_init(0); pthread_cleanup_push(0, 0);
-                     pthread_create(0,0,0,0); pthread_cleanup_pop(0);
+pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  acx_pthread_ok=yes
+  ax_pthread_ok=yes
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
 
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_ok" >&5
-$as_echo "$acx_pthread_ok" >&6; }
-        if test "x$acx_pthread_ok" = xyes; then
-                break;
-        fi
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5
+$as_echo "$ax_pthread_ok" >&6; }
+        if test "x$ax_pthread_ok" = "xyes"; then :
+  break
+fi
 
         PTHREAD_LIBS=""
         PTHREAD_CFLAGS=""
@@ -6023,85 +6568,130 @@ done
 fi
 
 # Various other checks:
-if test "x$acx_pthread_ok" = xyes; then
-        save_LIBS="$LIBS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-        save_CFLAGS="$CFLAGS"
+if test "x$ax_pthread_ok" = "xyes"; then
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
         CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
 
-        # Detect AIX lossage: threads are created detached by default
-        # and the JOINABLE attribute has a nonstandard name (UNDETACHED).
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for joinable pthread attribute" >&5
 $as_echo_n "checking for joinable pthread attribute... " >&6; }
-        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+if ${ax_cv_PTHREAD_JOINABLE_ATTR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_JOINABLE_ATTR=unknown
+             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+                 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <pthread.h>
 int
 main ()
 {
-int attr=PTHREAD_CREATE_JOINABLE;
+int attr = $ax_pthread_attr; return attr /* ; */
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ok=PTHREAD_CREATE_JOINABLE
-else
-  ok=unknown
+  ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-        if test x"$ok" = xunknown; then
-                cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+             done
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_JOINABLE_ATTR" >&5
+$as_echo "$ax_cv_PTHREAD_JOINABLE_ATTR" >&6; }
+        if test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
+               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
+               test "x$ax_pthread_joinable_attr_defined" != "xyes"; then :
+
+cat >>confdefs.h <<_ACEOF
+#define PTHREAD_CREATE_JOINABLE $ax_cv_PTHREAD_JOINABLE_ATTR
+_ACEOF
+
+               ax_pthread_joinable_attr_defined=yes
+
+fi
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether more special flags are required for pthreads" >&5
+$as_echo_n "checking whether more special flags are required for pthreads... " >&6; }
+if ${ax_cv_PTHREAD_SPECIAL_FLAGS+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_SPECIAL_FLAGS=no
+             case $host_os in
+             solaris*)
+             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
+             ;;
+             esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_SPECIAL_FLAGS" >&5
+$as_echo "$ax_cv_PTHREAD_SPECIAL_FLAGS" >&6; }
+        if test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
+               test "x$ax_pthread_special_flags_added" != "xyes"; then :
+  PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
+               ax_pthread_special_flags_added=yes
+fi
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_PRIO_INHERIT" >&5
+$as_echo_n "checking for PTHREAD_PRIO_INHERIT... " >&6; }
+if ${ax_cv_PTHREAD_PRIO_INHERIT+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <pthread.h>
 int
 main ()
 {
-int attr=PTHREAD_CREATE_UNDETACHED;
+int i = PTHREAD_PRIO_INHERIT;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ok=PTHREAD_CREATE_UNDETACHED
+  ax_cv_PTHREAD_PRIO_INHERIT=yes
 else
-  ok=unknown
+  ax_cv_PTHREAD_PRIO_INHERIT=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-        fi
-        if test x"$ok" != xPTHREAD_CREATE_JOINABLE; then
 
-$as_echo "#define PTHREAD_CREATE_JOINABLE \$ok" >>confdefs.h
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_PRIO_INHERIT" >&5
+$as_echo "$ax_cv_PTHREAD_PRIO_INHERIT" >&6; }
+        if test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
+               test "x$ax_pthread_prio_inherit_defined" != "xyes"; then :
+
+$as_echo "#define HAVE_PTHREAD_PRIO_INHERIT 1" >>confdefs.h
 
-        fi
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${ok}" >&5
-$as_echo "${ok}" >&6; }
-        if test x"$ok" = xunknown; then
-                { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: we do not know how to create joinable pthreads" >&5
-$as_echo "$as_me: WARNING: we do not know how to create joinable pthreads" >&2;}
-        fi
+               ax_pthread_prio_inherit_defined=yes
 
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking if more special flags are required for pthreads" >&5
-$as_echo_n "checking if more special flags are required for pthreads... " >&6; }
-        flag=no
-        case "${host_cpu}-${host_os}" in
-                *-aix* | *-freebsd*)     flag="-D_THREAD_SAFE";;
-                *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";;
-        esac
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${flag}" >&5
-$as_echo "${flag}" >&6; }
-        if test "x$flag" != xno; then
-                PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
-        fi
+fi
 
-        LIBS="$save_LIBS"
-        CFLAGS="$save_CFLAGS"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
 
-        # More AIX lossage: must compile with cc_r
-        # Extract the first word of "cc_r", so it can be a program name with args.
-set dummy cc_r; ac_word=$2
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != "xyes"; then
+            case $host_os in
+                aix*)
+                case "x/$CC" in #(
+  x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6) :
+    #handle absolute path differently from PATH based program lookup
+                     case "x$CC" in #(
+  x/*) :
+    if as_fn_executable_p ${CC}_r; then :
+  PTHREAD_CC="${CC}_r"
+fi ;; #(
+  *) :
+    for ac_prog in ${CC}_r
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
 if ${ac_cv_prog_PTHREAD_CC+:} false; then :
@@ -6117,7 +6707,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
   if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_PTHREAD_CC="cc_r"
+    ac_cv_prog_PTHREAD_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -6125,7 +6715,6 @@ done
   done
 IFS=$as_save_IFS
 
-  test -z "$ac_cv_prog_PTHREAD_CC" && ac_cv_prog_PTHREAD_CC="${CC}"
 fi
 fi
 PTHREAD_CC=$ac_cv_prog_PTHREAD_CC
@@ -6138,22 +6727,33 @@ $as_echo "no" >&6; }
 fi
 
 
-else
-        PTHREAD_CC="$CC"
+  test -n "$PTHREAD_CC" && break
+done
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+ ;;
+esac ;; #(
+  *) :
+     ;;
+esac
+                ;;
+            esac
+        fi
 fi
 
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
 
 
 
 
 # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test x"$acx_pthread_ok" = xyes; then
+if test "x$ax_pthread_ok" = "xyes"; then
 
 $as_echo "#define HAVE_PTHREAD 1" >>confdefs.h
 
         :
 else
-        acx_pthread_ok=no
+        ax_pthread_ok=no
         as_fn_error $? "cannot determine options for enabling thread support; try --disable-thread-support" "$LINENO" 5
 fi
 ac_ext=c
@@ -6463,7 +7063,7 @@ done
 
 
 
-KRB5_VERSION=1.15.1
+KRB5_VERSION=1.16
 
 
 
@@ -7754,11 +8354,6 @@ fi
 res1=`echo "$res1" | tr -d '*' | sed -e 's/ *$//'`
 res2=`echo "$res2" | tr -d '*' | sed -e 's/ *$//'`
 
-cat >>confdefs.h <<_ACEOF
-#define GETSOCKNAME_ARG2_TYPE $res1
-_ACEOF
-
-
 cat >>confdefs.h <<_ACEOF
 #define GETSOCKNAME_ARG3_TYPE $res2
 _ACEOF
@@ -7766,9 +8361,6 @@ _ACEOF
 
 
 
-$as_echo "#define GETPEERNAME_ARG2_TYPE GETSOCKNAME_ARG2_TYPE" >>confdefs.h
-
-
 $as_echo "#define GETPEERNAME_ARG3_TYPE GETSOCKNAME_ARG3_TYPE" >>confdefs.h
 
 
@@ -7813,10 +8405,20 @@ fi
 
 
 
-ac_fn_c_check_header_mongrel "$LINENO" "libintl.h" "ac_cv_header_libintl_h" "$ac_includes_default"
+# Determine if NLS is desired and supported.
+po=
+# Check whether --enable-nls was given.
+if test "${enable_nls+set}" = set; then :
+  enableval=$enable_nls;
+else
+  enable_nls=check
+fi
+
+if test "$enable_nls" != no; then
+  ac_fn_c_check_header_mongrel "$LINENO" "libintl.h" "ac_cv_header_libintl_h" "$ac_includes_default"
 if test "x$ac_cv_header_libintl_h" = xyes; then :
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dgettext" >&5
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dgettext" >&5
 $as_echo_n "checking for library containing dgettext... " >&6; }
 if ${ac_cv_search_dgettext+:} false; then :
   $as_echo_n "(cached) " >&6
@@ -7873,13 +8475,14 @@ if test "$ac_res" != no; then :
 
 $as_echo "#define ENABLE_NLS 1" >>confdefs.h
 
+      nls_enabled=yes
 fi
 
 fi
 
 
 
-# Extract the first word of "msgfmt", so it can be a program name with args.
+  # Extract the first word of "msgfmt", so it can be a program name with args.
 set dummy msgfmt; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
@@ -7916,9 +8519,16 @@ $as_echo "no" >&6; }
 fi
 
 
-po=
-if test x"$MSGFMT" != x; then
-	po=po
+  if test x"$MSGFMT" != x; then
+    po=po
+  fi
+
+  # Error out if --enable-nls was explicitly requested but can't be enabled.
+  if test "$enable_nls" = yes; then
+    if test "$nls_enabled" != yes -o "x$po" = x; then
+      as_fn_error $? "NLS support requested but cannot be built" "$LINENO" 5
+    fi
+  fi
 fi
 
 
@@ -8543,147 +9153,6 @@ $as_echo "#define FORTUNA 1" >>confdefs.h
 
 fi
 
-# WITH_PKINIT_CRYPTO_IMPL
-
-PKINIT_CRYPTO_IMPL="$CRYPTO_IMPL"
-
-# Check whether --with-pkinit-crypto-impl was given.
-if test "${with_pkinit_crypto_impl+set}" = set; then :
-  withval=$with_pkinit_crypto_impl; PKINIT_CRYPTO_IMPL=$withval
-{ $as_echo "$as_me:${as_lineno-$LINENO}: pkinit will use '$withval'" >&5
-$as_echo "$as_me: pkinit will use '$withval'" >&6;}
-
-else
-  withval=$PKINIT_CRYPTO_IMPL
-fi
-
-case "$withval" in
-builtin|openssl)
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS7_get_signer_info in -lcrypto" >&5
-$as_echo_n "checking for PKCS7_get_signer_info in -lcrypto... " >&6; }
-if ${ac_cv_lib_crypto_PKCS7_get_signer_info+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcrypto  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char PKCS7_get_signer_info ();
-int
-main ()
-{
-return PKCS7_get_signer_info ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_crypto_PKCS7_get_signer_info=yes
-else
-  ac_cv_lib_crypto_PKCS7_get_signer_info=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_PKCS7_get_signer_info" >&5
-$as_echo "$ac_cv_lib_crypto_PKCS7_get_signer_info" >&6; }
-if test "x$ac_cv_lib_crypto_PKCS7_get_signer_info" = xyes; then :
-  PKINIT_CRYPTO_IMPL_LIBS=-lcrypto
-fi
-
-  PKINIT_CRYPTO_IMPL=openssl
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CMS_get0_content in -lcrypto" >&5
-$as_echo_n "checking for CMS_get0_content in -lcrypto... " >&6; }
-if ${ac_cv_lib_crypto_CMS_get0_content+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcrypto  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char CMS_get0_content ();
-int
-main ()
-{
-return CMS_get0_content ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_crypto_CMS_get0_content=yes
-else
-  ac_cv_lib_crypto_CMS_get0_content=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_CMS_get0_content" >&5
-$as_echo "$ac_cv_lib_crypto_CMS_get0_content" >&6; }
-if test "x$ac_cv_lib_crypto_CMS_get0_content" = xyes; then :
-
-$as_echo "#define HAVE_OPENSSL_CMS 1" >>confdefs.h
-
-fi
-
-  ;;
-nss)
-  if test "${PKINIT_CRYPTO_IMPL_CFLAGS+set}" != set; then
-    PKINIT_CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
-  fi
-  if test "${PKINIT_CRYPTO_IMPL_LIBS+set}" != set; then
-    PKINIT_CRYPTO_IMPL_LIBS=`pkg-config --libs nss`
-  fi
-
-$as_echo "#define PKINIT_CRYPTO_IMPL_NSS 1" >>confdefs.h
-
-  save_CFLAGS=$CFLAGS
-  CFLAGS="$CFLAGS $PKINIT_CRYPTO_IMPL_CFLAGS"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <nss.h>
-#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 12)
-#error
-#elif NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH < 11
-#error
-#endif
-
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-else
-  as_fn_error $? "NSS version 3.12.11 or later required." "$LINENO" 5
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-  CFLAGS=$save_CFLAGS
-  ;;
-*)
-  as_fn_error $? "Unknown crypto implementation $withval" "$LINENO" 5
-  ;;
-esac
-ac_config_commands="$ac_config_commands PKINIT_CRYPTO_IMPL"
-
-
-
-
-
 # WITH_TLS_IMPL
 
 
@@ -10801,6 +11270,41 @@ _ACEOF
 
 fi
 
+# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of time_t" >&5
+$as_echo_n "checking size of time_t... " >&6; }
+if ${ac_cv_sizeof_time_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (time_t))" "ac_cv_sizeof_time_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_time_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (time_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_time_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_time_t" >&5
+$as_echo "$ac_cv_sizeof_time_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_TIME_T $ac_cv_sizeof_time_t
+_ACEOF
+
+
+SIZEOF_TIME_T=$ac_cv_sizeof_time_t
+
 
 # Determine where to put the replay cache.
 
@@ -12174,6 +12678,48 @@ if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || t
 
 
   PKINIT=yes
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CMS_get0_content in -lcrypto" >&5
+$as_echo_n "checking for CMS_get0_content in -lcrypto... " >&6; }
+if ${ac_cv_lib_crypto_CMS_get0_content+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypto  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char CMS_get0_content ();
+int
+main ()
+{
+return CMS_get0_content ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_crypto_CMS_get0_content=yes
+else
+  ac_cv_lib_crypto_CMS_get0_content=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_CMS_get0_content" >&5
+$as_echo "$ac_cv_lib_crypto_CMS_get0_content" >&6; }
+if test "x$ac_cv_lib_crypto_CMS_get0_content" = xyes; then :
+
+$as_echo "#define HAVE_OPENSSL_CMS 1" >>confdefs.h
+
+fi
+
 elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
   as_fn_error $? "Version of OpenSSL is too old; cannot enable PKINIT." "$LINENO" 5
 else
@@ -12319,6 +12865,9 @@ fi
 if test "$HAVE_CMOCKA_LIB" = yes && test "$HAVE_CMOCKA_H" = yes; then
     HAVE_CMOCKA=yes
     CMOCKA_LIBS='-lcmocka'
+
+$as_echo "#define HAVE_CMOCKA 1" >>confdefs.h
+
 fi
 
 
@@ -12437,9 +12986,9 @@ fi
 
 done
 
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap" >&5
-$as_echo_n "checking for ldap_init in -lldap... " >&6; }
-if ${ac_cv_lib_ldap_ldap_init+:} false; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_str2dn in -lldap" >&5
+$as_echo_n "checking for ldap_str2dn in -lldap... " >&6; }
+if ${ac_cv_lib_ldap_ldap_str2dn+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -12453,47 +13002,32 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char ldap_init ();
+char ldap_str2dn ();
 int
 main ()
 {
-return ldap_init ();
+return ldap_str2dn ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ldap_ldap_init=yes
+  ac_cv_lib_ldap_ldap_str2dn=yes
 else
-  ac_cv_lib_ldap_ldap_init=no
+  ac_cv_lib_ldap_ldap_str2dn=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_init" >&5
-$as_echo "$ac_cv_lib_ldap_ldap_init" >&6; }
-if test "x$ac_cv_lib_ldap_ldap_init" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_str2dn" >&5
+$as_echo "$ac_cv_lib_ldap_ldap_str2dn" >&6; }
+if test "x$ac_cv_lib_ldap_ldap_str2dn" = xyes; then :
   :
 else
-  as_fn_error $? "libldap not found or missing ldap_init" "$LINENO" 5
-fi
-
-  old_LIBS="$LIBS"
-  LIBS="$LIBS -lldap"
-  for ac_func in ldap_initialize ldap_url_parse_nodn ldap_unbind_ext_s ldap_str2dn ldap_explode_dn
-do :
-  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
+  as_fn_error $? "libldap not found or missing ldap_str2dn" "$LINENO" 5
 fi
-done
 
-  LIBS="$old_LIBS"
 
   BER_OKAY=0
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_init in -lldap" >&5
@@ -12911,7 +13445,7 @@ if test "${localedir+set}" != set; then
 fi
 
 
-# For KCM lib/krb5/ccache to build KCM Mach RPC support for OS X only.
+# For KCM lib/krb5/ccache to build KCM Mach RPC support for macOS only.
 case $host in
 *-*-darwin* | *-*-rhapsody*) OSX=osx ;;
 *)                           OSX=no ;;
@@ -12948,10 +13482,10 @@ fi
 if test "${DEFCCNAME+set}" != set; then
 	case $host in
 	*-*-darwin[0-9].* | *-*-darwin10.*)
-		# Use the normal default for OS X 10.6 (Darwin 10) and prior.
+		# Use the normal default for macOS 10.6 (Darwin 10) and prior.
 		;;
 	*-*-darwin*)
-		# For OS X 10.7 (Darwin 11) and later, the native ccache uses
+		# For macOS 10.7 (Darwin 11) and later, the native ccache uses
 		# the KCM daemon.
 		DEFCCNAME=KCM:
 		;;
@@ -13052,9 +13586,11 @@ ac_config_files="$ac_config_files build-tools/kadm-server.pc build-tools/kadm-cl
  ac_config_files="$ac_config_files man/Makefile:$srcdir/./config/pre.in:man/Makefile.in:man/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files doc/Makefile:$srcdir/./config/pre.in:doc/Makefile.in:doc/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files include/Makefile:$srcdir/./config/pre.in:include/Makefile.in:include/deps:$srcdir/./config/post.in"
+ ac_config_files="$ac_config_files plugins/certauth/test/Makefile:$srcdir/./config/pre.in:plugins/certauth/test/Makefile.in:plugins/certauth/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/hostrealm/test/Makefile:$srcdir/./config/pre.in:plugins/hostrealm/test/Makefile.in:plugins/hostrealm/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/localauth/test/Makefile:$srcdir/./config/pre.in:plugins/localauth/test/Makefile.in:plugins/localauth/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/kadm5_hook/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_hook/test/Makefile.in:plugins/kadm5_hook/test/deps:$srcdir/./config/post.in"
+ ac_config_files="$ac_config_files plugins/kadm5_auth/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_auth/test/Makefile.in:plugins/kadm5_auth/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/pwqual/test/Makefile:$srcdir/./config/pre.in:plugins/pwqual/test/Makefile.in:plugins/pwqual/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/audit/Makefile:$srcdir/./config/pre.in:plugins/audit/Makefile.in:plugins/audit/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/audit/test/Makefile:$srcdir/./config/pre.in:plugins/audit/test/Makefile.in:plugins/audit/test/deps:$srcdir/./config/post.in"
@@ -13067,6 +13603,7 @@ ac_config_files="$ac_config_files build-tools/kadm-server.pc build-tools/kadm-cl
  ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/recno/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/recno/Makefile.in:plugins/kdb/db2/libdb2/recno/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/test/Makefile.in:plugins/kdb/db2/libdb2/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/kdb/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/test/Makefile.in:plugins/kdb/test/deps:$srcdir/./config/post.in"
+ ac_config_files="$ac_config_files plugins/kdcpolicy/test/Makefile:$srcdir/./config/pre.in:plugins/kdcpolicy/test/Makefile.in:plugins/kdcpolicy/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/preauth/otp/Makefile:$srcdir/./config/pre.in:plugins/preauth/otp/Makefile.in:plugins/preauth/otp/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/preauth/test/Makefile:$srcdir/./config/pre.in:plugins/preauth/test/Makefile.in:plugins/preauth/test/deps:$srcdir/./config/post.in"
  ac_config_files="$ac_config_files plugins/authdata/greet_client/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_client/Makefile.in:plugins/authdata/greet_client/deps:$srcdir/./config/post.in"
@@ -13617,7 +14154,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Kerberos 5 $as_me 1.15.1, which was
+This file was extended by Kerberos 5 $as_me 1.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -13683,7 +14220,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Kerberos 5 config.status 1.15.1
+Kerberos 5 config.status 1.16
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -13803,7 +14340,6 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 #
 CRYPTO_IMPL=$CRYPTO_IMPL
 PRNG_ALG=$PRNG_ALG
-PKINIT_CRYPTO_IMPL=$PKINIT_CRYPTO_IMPL
 
 _ACEOF
 
@@ -13816,7 +14352,6 @@ do
     "plugins/audit/simple/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/simple/Makefile:$srcdir/./config/pre.in:plugins/audit/simple/Makefile.in:plugins/audit/simple/deps:$srcdir/./config/post.in" ;;
     "CRYPTO_IMPL") CONFIG_COMMANDS="$CONFIG_COMMANDS CRYPTO_IMPL" ;;
     "PRNG_ALG") CONFIG_COMMANDS="$CONFIG_COMMANDS PRNG_ALG" ;;
-    "PKINIT_CRYPTO_IMPL") CONFIG_COMMANDS="$CONFIG_COMMANDS PKINIT_CRYPTO_IMPL" ;;
     "include/autoconf.h") CONFIG_HEADERS="$CONFIG_HEADERS include/autoconf.h" ;;
     "kadmin/testing/scripts/env-setup.sh") CONFIG_FILES="$CONFIG_FILES kadmin/testing/scripts/env-setup.sh:kadmin/testing/scripts/env-setup.shin" ;;
     "include/gssrpc/types.h") CONFIG_FILES="$CONFIG_FILES include/gssrpc/types.h:include/gssrpc/types.hin" ;;
@@ -13886,9 +14421,11 @@ do
     "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile:$srcdir/./config/pre.in:man/Makefile.in:man/deps:$srcdir/./config/post.in" ;;
     "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile:$srcdir/./config/pre.in:doc/Makefile.in:doc/deps:$srcdir/./config/post.in" ;;
     "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile:$srcdir/./config/pre.in:include/Makefile.in:include/deps:$srcdir/./config/post.in" ;;
+    "plugins/certauth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/certauth/test/Makefile:$srcdir/./config/pre.in:plugins/certauth/test/Makefile.in:plugins/certauth/test/deps:$srcdir/./config/post.in" ;;
     "plugins/hostrealm/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/hostrealm/test/Makefile:$srcdir/./config/pre.in:plugins/hostrealm/test/Makefile.in:plugins/hostrealm/test/deps:$srcdir/./config/post.in" ;;
     "plugins/localauth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/localauth/test/Makefile:$srcdir/./config/pre.in:plugins/localauth/test/Makefile.in:plugins/localauth/test/deps:$srcdir/./config/post.in" ;;
     "plugins/kadm5_hook/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kadm5_hook/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_hook/test/Makefile.in:plugins/kadm5_hook/test/deps:$srcdir/./config/post.in" ;;
+    "plugins/kadm5_auth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kadm5_auth/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_auth/test/Makefile.in:plugins/kadm5_auth/test/deps:$srcdir/./config/post.in" ;;
     "plugins/pwqual/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/pwqual/test/Makefile:$srcdir/./config/pre.in:plugins/pwqual/test/Makefile.in:plugins/pwqual/test/deps:$srcdir/./config/post.in" ;;
     "plugins/audit/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/Makefile:$srcdir/./config/pre.in:plugins/audit/Makefile.in:plugins/audit/deps:$srcdir/./config/post.in" ;;
     "plugins/audit/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/test/Makefile:$srcdir/./config/pre.in:plugins/audit/test/Makefile.in:plugins/audit/test/deps:$srcdir/./config/post.in" ;;
@@ -13901,6 +14438,7 @@ do
     "plugins/kdb/db2/libdb2/recno/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/recno/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/recno/Makefile.in:plugins/kdb/db2/libdb2/recno/deps:$srcdir/./config/post.in" ;;
     "plugins/kdb/db2/libdb2/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/test/Makefile.in:plugins/kdb/db2/libdb2/test/deps:$srcdir/./config/post.in" ;;
     "plugins/kdb/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/test/Makefile.in:plugins/kdb/test/deps:$srcdir/./config/post.in" ;;
+    "plugins/kdcpolicy/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdcpolicy/test/Makefile:$srcdir/./config/pre.in:plugins/kdcpolicy/test/Makefile.in:plugins/kdcpolicy/test/deps:$srcdir/./config/post.in" ;;
     "plugins/preauth/otp/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/otp/Makefile:$srcdir/./config/pre.in:plugins/preauth/otp/Makefile.in:plugins/preauth/otp/deps:$srcdir/./config/post.in" ;;
     "plugins/preauth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/test/Makefile:$srcdir/./config/pre.in:plugins/preauth/test/Makefile.in:plugins/preauth/test/deps:$srcdir/./config/post.in" ;;
     "plugins/authdata/greet_client/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/authdata/greet_client/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_client/Makefile.in:plugins/authdata/greet_client/deps:$srcdir/./config/post.in" ;;
diff --git a/src/configure.in b/src/configure.in
index 037c9f316149..10f45eb12e16 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -118,15 +118,29 @@ LIBUTIL=-lutil
 ])
 AC_SUBST(LIBUTIL)
 
-AC_CHECK_HEADER(libintl.h, [
-	AC_SEARCH_LIBS(dgettext, intl, [
-		AC_DEFINE(ENABLE_NLS, 1,
-			[Define if translation functions should be used.])])])
-
-AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
+# Determine if NLS is desired and supported.
 po=
-if test x"$MSGFMT" != x; then
-	po=po
+AC_ARG_ENABLE([nls],
+AC_HELP_STRING([--disable-nls], [disable native language support]),
+              [], [enable_nls=check])
+if test "$enable_nls" != no; then
+  AC_CHECK_HEADER(libintl.h, [
+    AC_SEARCH_LIBS(dgettext, intl, [
+      AC_DEFINE(ENABLE_NLS, 1,
+                [Define if translation functions should be used.])
+      nls_enabled=yes])])
+
+  AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
+  if test x"$MSGFMT" != x; then
+    po=po
+  fi
+
+  # Error out if --enable-nls was explicitly requested but can't be enabled.
+  if test "$enable_nls" = yes; then
+    if test "$nls_enabled" != yes -o "x$po" = x; then
+      AC_MSG_ERROR([NLS support requested but cannot be built])
+    fi
+  fi
 fi
 AC_SUBST(po)
 
@@ -264,51 +278,6 @@ if test "$PRNG_ALG" = fortuna; then
 	AC_DEFINE(FORTUNA,1,[Define if Fortuna PRNG is selected])
 fi
 
-# WITH_PKINIT_CRYPTO_IMPL
-
-PKINIT_CRYPTO_IMPL="$CRYPTO_IMPL"
-AC_ARG_WITH([pkinit-crypto-impl],
-AC_HELP_STRING([--with-pkinit-crypto-impl=IMPL], [use specified pkinit crypto implementation @<:@openssl@:>@]),
-[PKINIT_CRYPTO_IMPL=$withval
-AC_MSG_NOTICE(pkinit will use '$withval')
-], withval=$PKINIT_CRYPTO_IMPL)
-case "$withval" in
-builtin|openssl)
-  AC_CHECK_LIB(crypto, PKCS7_get_signer_info, PKINIT_CRYPTO_IMPL_LIBS=-lcrypto)
-  PKINIT_CRYPTO_IMPL=openssl
-  AC_CHECK_LIB(crypto, CMS_get0_content,
-               [AC_DEFINE([HAVE_OPENSSL_CMS], 1,
-                          [Define if OpenSSL supports cms.])])
-  ;;
-nss)
-  if test "${PKINIT_CRYPTO_IMPL_CFLAGS+set}" != set; then
-    PKINIT_CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
-  fi
-  if test "${PKINIT_CRYPTO_IMPL_LIBS+set}" != set; then
-    PKINIT_CRYPTO_IMPL_LIBS=`pkg-config --libs nss`
-  fi
-  AC_DEFINE(PKINIT_CRYPTO_IMPL_NSS,1,[Define if pkinit crypto implementation is NSS])
-  save_CFLAGS=$CFLAGS
-  CFLAGS="$CFLAGS $PKINIT_CRYPTO_IMPL_CFLAGS"
-  AC_COMPILE_IFELSE([AC_LANG_SOURCE([
-#include <nss.h>
-#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 12)
-#error
-#elif NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH < 11
-#error
-#endif
-  ])], [], [AC_MSG_ERROR([NSS version 3.12.11 or later required.])])
-  CFLAGS=$save_CFLAGS
-  ;;
-*)
-  AC_MSG_ERROR([Unknown crypto implementation $withval])
-  ;;
-esac
-AC_CONFIG_COMMANDS(PKINIT_CRYPTO_IMPL,,PKINIT_CRYPTO_IMPL=$PKINIT_CRYPTO_IMPL)
-AC_SUBST(PKINIT_CRYPTO_IMPL)
-AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS)
-AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS)
-
 # WITH_TLS_IMPL
 
 AC_ARG_WITH([tls-impl],
@@ -744,6 +713,9 @@ fi
 
 AC_HEADER_TIME
 AC_CHECK_TYPE(time_t, long)
+AC_CHECK_SIZEOF(time_t)
+SIZEOF_TIME_T=$ac_cv_sizeof_time_t
+AC_SUBST(SIZEOF_TIME_T)
 
 # Determine where to put the replay cache.
 
@@ -1085,6 +1057,7 @@ fi
 if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
   K5_GEN_MAKEFILE(plugins/preauth/pkinit)
   PKINIT=yes
+  AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
 elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
   AC_MSG_ERROR([Version of OpenSSL is too old; cannot enable PKINIT.])
 else
@@ -1131,6 +1104,7 @@ AC_CHECK_LIB(cmocka, _cmocka_run_group_tests, [HAVE_CMOCKA_LIB=yes])
 if test "$HAVE_CMOCKA_LIB" = yes && test "$HAVE_CMOCKA_H" = yes; then
     HAVE_CMOCKA=yes
     CMOCKA_LIBS='-lcmocka'
+    AC_DEFINE([HAVE_CMOCKA],1,[Define if cmocka library is available.])
 fi
 AC_SUBST(HAVE_CMOCKA)
 AC_SUBST(CMOCKA_LIBS)
@@ -1213,11 +1187,7 @@ ldap_plugin_dir=""
 ldap_lib=""
 if test -n "$OPENLDAP_PLUGIN"; then
   AC_CHECK_HEADERS(ldap.h lber.h, :, [AC_MSG_ERROR($ac_header not found)])
-  AC_CHECK_LIB(ldap, ldap_init, :, [AC_MSG_ERROR(libldap not found or missing ldap_init)])
-  old_LIBS="$LIBS"
-  LIBS="$LIBS -lldap"
-  AC_CHECK_FUNCS(ldap_initialize ldap_url_parse_nodn ldap_unbind_ext_s ldap_str2dn ldap_explode_dn)
-  LIBS="$old_LIBS"
+  AC_CHECK_LIB(ldap, ldap_str2dn, :, [AC_MSG_ERROR(libldap not found or missing ldap_str2dn)])
 
   BER_OKAY=0
   AC_CHECK_LIB(ldap, ber_init, [BER_OKAY=1])
@@ -1342,7 +1312,7 @@ if test "${localedir+set}" != set; then
 fi
 AC_SUBST(localedir)
 
-# For KCM lib/krb5/ccache to build KCM Mach RPC support for OS X only.
+# For KCM lib/krb5/ccache to build KCM Mach RPC support for macOS only.
 case $host in
 *-*-darwin* | *-*-rhapsody*) OSX=osx ;;
 *)                           OSX=no ;;
@@ -1376,10 +1346,10 @@ dnl brackets in the glob patterns.
 if test "${DEFCCNAME+set}" != set; then
 	[case $host in
 	*-*-darwin[0-9].* | *-*-darwin10.*)
-		# Use the normal default for OS X 10.6 (Darwin 10) and prior.
+		# Use the normal default for macOS 10.6 (Darwin 10) and prior.
 		;;
 	*-*-darwin*)
-		# For OS X 10.7 (Darwin 11) and later, the native ccache uses
+		# For macOS 10.7 (Darwin 11) and later, the native ccache uses
 		# the KCM daemon.
 		DEFCCNAME=KCM:
 		;;
@@ -1392,7 +1362,7 @@ if test "${DEFKTNAME+set}" != set; then
 	DEFKTNAME=FILE:/etc/krb5.keytab
 fi
 if test "${DEFCKTNAME+set}" != set; then
-	adl_RECURSIVE_EVAL($localstatedir, exp_localstatedir)
+	AX_RECURSIVE_EVAL($localstatedir, exp_localstatedir)
 	DEFCKTNAME=FILE:$exp_localstatedir/krb5/user/%{euid}/client.keytab
 fi
 AC_MSG_NOTICE([Default ccache name: $DEFCCNAME])
@@ -1447,9 +1417,11 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
 
 	kdc slave config-files build-tools man doc include
 
+	plugins/certauth/test
 	plugins/hostrealm/test
 	plugins/localauth/test
 	plugins/kadm5_hook/test
+	plugins/kadm5_auth/test
 	plugins/pwqual/test
 	plugins/audit
 	plugins/audit/test
@@ -1462,6 +1434,7 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
 	plugins/kdb/db2/libdb2/recno
 	plugins/kdb/db2/libdb2/test
 	plugins/kdb/test
+	plugins/kdcpolicy/test
 	plugins/preauth/otp
 	plugins/preauth/test
 	plugins/authdata/greet_client
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index f5b921833071..cfa5794b72bf 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -140,15 +140,18 @@ install-headers-unix install: krb5/krb5.h profile.h
 	$(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
 	$(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h
 	$(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h
+	$(INSTALL_DATA) $(srcdir)/krb5/certauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)certauth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h
+	$(INSTALL_DATA) $(srcdir)/krb5/kdcpolicy_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpolicy_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/kdcpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpreauth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/preauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)preauth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/pwqual_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)pwqual_plugin.h
+	$(INSTALL_DATA) $(srcdir)/krb5/kadm5_auth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kadm5_auth_plugin.h
 	$(INSTALL_DATA) $(srcdir)/krb5/kadm5_hook_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kadm5_hook_plugin.h
 	$(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h
 	$(INSTALL_DATA) $(srcdir)/gssapi.h $(DESTDIR)$(KRB5_INCDIR)$(S)gssapi.h
diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in
index b33c5222325e..3dfc128e67bd 100644
--- a/src/include/autoconf.h.in
+++ b/src/include/autoconf.h.in
@@ -61,9 +61,6 @@
 /* Define if gethostbyname_r returns int rather than struct hostent * */
 #undef GETHOSTBYNAME_R_RETURNS_INT
 
-/* Type of getpeername second argument. */
-#undef GETPEERNAME_ARG2_TYPE
-
 /* Type of getpeername second argument. */
 #undef GETPEERNAME_ARG3_TYPE
 
@@ -81,9 +78,6 @@
 /* Define if getservbyname_r returns int rather than struct servent * */
 #undef GETSERVBYNAME_R_RETURNS_INT
 
-/* Type of pointer target for argument 2 to getsockname */
-#undef GETSOCKNAME_ARG2_TYPE
-
 /* Type of pointer target for argument 3 to getsockname */
 #undef GETSOCKNAME_ARG3_TYPE
 
@@ -124,6 +118,9 @@
 /* Define to 1 if you have the `chmod' function. */
 #undef HAVE_CHMOD
 
+/* Define if cmocka library is available. */
+#undef HAVE_CMOCKA
+
 /* Define to 1 if you have the `compile' function. */
 #undef HAVE_COMPILE
 
@@ -240,24 +237,9 @@
 /* Define to 1 if you have the <lber.h> header file. */
 #undef HAVE_LBER_H
 
-/* Define to 1 if you have the `ldap_explode_dn' function. */
-#undef HAVE_LDAP_EXPLODE_DN
-
 /* Define to 1 if you have the <ldap.h> header file. */
 #undef HAVE_LDAP_H
 
-/* Define to 1 if you have the `ldap_initialize' function. */
-#undef HAVE_LDAP_INITIALIZE
-
-/* Define to 1 if you have the `ldap_str2dn' function. */
-#undef HAVE_LDAP_STR2DN
-
-/* Define to 1 if you have the `ldap_unbind_ext_s' function. */
-#undef HAVE_LDAP_UNBIND_EXT_S
-
-/* Define to 1 if you have the `ldap_url_parse_nodn' function. */
-#undef HAVE_LDAP_URL_PARSE_NODN
-
 /* Define to 1 if you have the `crypto' library (-lcrypto). */
 #undef HAVE_LIBCRYPTO
 
@@ -333,6 +315,9 @@
 /* Define to 1 if you have the `pthread_once' function. */
 #undef HAVE_PTHREAD_ONCE
 
+/* Have PTHREAD_PRIO_INHERIT. */
+#undef HAVE_PTHREAD_PRIO_INHERIT
+
 /* Define to 1 if you have the `pthread_rwlock_init' function. */
 #undef HAVE_PTHREAD_RWLOCK_INIT
 
@@ -657,9 +642,6 @@
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* Define if pkinit crypto implementation is NSS */
-#undef PKINIT_CRYPTO_IMPL_NSS
-
 /* Define if setjmp indicates POSIX interface */
 #undef POSIX_SETJMP
 
@@ -672,7 +654,7 @@
 /* Define if termios.h exists and tcsetattr exists */
 #undef POSIX_TERMIOS
 
-/* Define to the necessary symbol if this constant uses a non-standard name on
+/* Define to necessary symbol if this constant uses a non-standard name on
    your system. */
 #undef PTHREAD_CREATE_JOINABLE
 
@@ -682,6 +664,9 @@
 /* Define as return type of setrpcent */
 #undef SETRPCENT_TYPE
 
+/* The size of `time_t', as computed by sizeof. */
+#undef SIZEOF_TIME_T
+
 /* Define for static plugin linkage */
 #undef STATIC_PLUGINS
 
diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h
index 03666a0aaaa7..80ca9f8dfd23 100644
--- a/src/include/fake-addrinfo.h
+++ b/src/include/fake-addrinfo.h
@@ -52,7 +52,7 @@
    the data structures and flag values locally.
 
 
-   On Mac OS X, getaddrinfo results aren't cached (though
+   On macOS, getaddrinfo results aren't cached (though
    gethostbyname results are), so we need to build a cache here.  Now
    things are getting really messy.  Because the cache is in use, we
    use getservbyname, and throw away thread safety.  (Not that the
diff --git a/src/include/k5-cmocka.h b/src/include/k5-cmocka.h
new file mode 100644
index 000000000000..c35b10be0736
--- /dev/null
+++ b/src/include/k5-cmocka.h
@@ -0,0 +1,16 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/k5-cmocka.h - indirect header file for cmocka test programs */
+
+/*
+ * This header conditionally includes cmocka.h, so that "make depend" can work
+ * on cmocka test programs when cmocka isn't available.  It also includes the
+ * three system headers required for cmocka.h.
+ */
+
+#include "autoconf.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#ifdef HAVE_CMOCKA
+#include <cmocka.h>
+#endif
diff --git a/src/include/k5-input.h b/src/include/k5-input.h
index d42ebce8f271..9f47fa7ab903 100644
--- a/src/include/k5-input.h
+++ b/src/include/k5-input.h
@@ -33,7 +33,7 @@
 #ifndef K5_INPUT_H
 #define K5_INPUT_H
 
-#include "k5-int.h"
+#include "k5-platform.h"
 
 /*
  * The k5input module defines helpers for safely consuming a fixed-sized block
@@ -45,7 +45,7 @@
 struct k5input {
     const unsigned char *ptr;
     size_t len;
-    krb5_error_code status;
+    int32_t status;
 };
 
 static inline void
@@ -59,7 +59,7 @@ k5_input_init(struct k5input *in, const void *ptr, size_t len)
 /* Only set the status value of in if it hasn't already been set, so status
  * reflects the first thing to go wrong. */
 static inline void
-k5_input_set_status(struct k5input *in, krb5_error_code status)
+k5_input_set_status(struct k5input *in, int32_t status)
 {
     if (!in->status)
         in->status = status;
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 64991738a3e2..e1b1cb040d5e 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -212,6 +212,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_DNS_URI_LOOKUP               "dns_uri_lookup"
 #define KRB5_CONF_DOMAIN_REALM                 "domain_realm"
 #define KRB5_CONF_ENABLE_ONLY                  "enable_only"
+#define KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR "encrypted_challenge_indicator"
 #define KRB5_CONF_ERR_FMT                      "err_fmt"
 #define KRB5_CONF_EXTRA_ADDRESSES              "extra_addresses"
 #define KRB5_CONF_FORWARDABLE                  "forwardable"
@@ -720,7 +721,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
                                                  const krb5_keyblock *from,
                                                  krb5_keyblock *to);
 
-krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
+krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
 
 /*
  * End "los-proto.h"
@@ -1155,7 +1156,10 @@ struct plugin_interface {
 #define PLUGIN_INTERFACE_AUDIT       7
 #define PLUGIN_INTERFACE_TLS         8
 #define PLUGIN_INTERFACE_KDCAUTHDATA 9
-#define PLUGIN_NUM_INTERFACES        10
+#define PLUGIN_INTERFACE_CERTAUTH    10
+#define PLUGIN_INTERFACE_KADM5_AUTH  11
+#define PLUGIN_INTERFACE_KDCPOLICY   12
+#define PLUGIN_NUM_INTERFACES        13
 
 /* Retrieve the plugin module of type interface_id and name modname,
  * storing the result into module. */
@@ -1194,7 +1198,7 @@ k5_plugin_free_context(krb5_context context);
 struct _kdb5_dal_handle;        /* private, in kdb5.h */
 typedef struct _kdb5_dal_handle kdb5_dal_handle;
 struct _kdb_log_context;
-typedef struct krb5_preauth_context_st krb5_preauth_context;
+typedef struct krb5_preauth_context_st *krb5_preauth_context;
 struct ccselect_module_handle;
 struct localauth_module_handle;
 struct hostrealm_module_handle;
@@ -1231,7 +1235,7 @@ struct _krb5_context {
     struct plugin_dir_handle libkrb5_plugins;
 
     /* preauth module stuff */
-    krb5_preauth_context *preauth_context;
+    krb5_preauth_context preauth_context;
 
     /* cache module stuff */
     struct ccselect_module_handle **ccselect_handles;
@@ -2112,6 +2116,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
 krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
 
 krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
+krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
 
 krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
                                           krb5_const_pointer, krb5_kdc_rep *);
@@ -2350,6 +2355,44 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code)
     return ptr;
 }
 
+/* Convert a krb5_timestamp to a time_t value, treating the negative range of
+ * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
+static inline time_t
+ts2tt(krb5_timestamp timestamp)
+{
+    return (time_t)(uint32_t)timestamp;
+}
+
+/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
+ * without relying on undefined behavior. */
+static inline krb5_deltat
+ts_delta(krb5_timestamp a, krb5_timestamp b)
+{
+    return (krb5_deltat)((uint32_t)a - (uint32_t)b);
+}
+
+/* Increment a timestamp by a signed 32-bit interval, without relying on
+ * undefined behavior. */
+static inline krb5_timestamp
+ts_incr(krb5_timestamp ts, krb5_deltat delta)
+{
+    return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
+}
+
+/* Return true if a comes after b. */
+static inline krb5_boolean
+ts_after(krb5_timestamp a, krb5_timestamp b)
+{
+    return (uint32_t)a > (uint32_t)b;
+}
+
+/* Return true if a and b are within d seconds. */
+static inline krb5_boolean
+ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d)
+{
+    return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d));
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
                               krb5_ccache ccache,
diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h
index 994f46323cb0..548c0486d567 100644
--- a/src/include/k5-platform.h
+++ b/src/include/k5-platform.h
@@ -71,6 +71,13 @@
 #define CAN_COPY_VA_LIST
 #endif
 
+/* This attribute prevents unused function warnings in gcc and clang. */
+#ifdef __GNUC__
+#define UNUSED __attribute__((__unused__))
+#else
+#define UNUSED
+#endif
+
 #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
 #include <TargetConditionals.h>
 #endif
@@ -354,19 +361,7 @@ typedef struct { int error; unsigned char did_run; } k5_init_t;
 
 
 
-#if !defined(SHARED) && !defined(_WIN32)
-
-/*
- * In this case, we just don't care about finalization.
- *
- * The code will still define the function, but we won't do anything
- * with it.  Annoying: This may generate unused-function warnings.
- */
-
-# define MAKE_FINI_FUNCTION(NAME)               \
-        static void NAME(void)
-
-#elif defined(USE_LINKER_FINI_OPTION) || defined(_WIN32)
+#if defined(USE_LINKER_FINI_OPTION) || defined(_WIN32)
 /* If we're told the linker option will be used, it doesn't really
    matter what compiler we're using.  Do it the same way
    regardless.  */
@@ -400,6 +395,15 @@ typedef struct { int error; unsigned char did_run; } k5_init_t;
 
 # endif
 
+#elif !defined(SHARED)
+
+/*
+ * In this case, we just don't care about finalization.  The code will still
+ * define the function, but we won't do anything with it.
+ */
+# define MAKE_FINI_FUNCTION(NAME)               \
+        static void NAME(void) UNUSED
+
 #elif defined(__GNUC__) && defined(DESTRUCTOR_ATTR_WORKS)
 /* If we're using gcc, if the C++ support works, the compiler should
    build executables and shared libraries that support the use of
@@ -508,7 +512,7 @@ typedef struct { int error; unsigned char did_run; } k5_init_t;
 
    Linux: byteswap.h, bswap_16 etc.
    Solaris 10: none
-   Mac OS X: machine/endian.h or byte_order.h, NXSwap{Short,Int,LongLong}
+   macOS: machine/endian.h or byte_order.h, NXSwap{Short,Int,LongLong}
    NetBSD: sys/bswap.h, bswap16 etc.  */
 
 #if defined(HAVE_BYTESWAP_H) && defined(HAVE_BSWAP_16)
diff --git a/src/include/k5-thread.h b/src/include/k5-thread.h
index 3e3901d6e8fb..a3101239d8a5 100644
--- a/src/include/k5-thread.h
+++ b/src/include/k5-thread.h
@@ -134,6 +134,10 @@
      More to be added, perhaps.  */
 
 #include <assert.h>
+#ifndef NDEBUG
+#include <stdio.h>
+#include <string.h>
+#endif
 
 /* The mutex structure we use, k5_mutex_t, is defined to some
    OS-specific bits.  The use of multiple layers of typedefs are an
@@ -363,12 +367,24 @@ static inline int k5_mutex_finish_init(k5_mutex_t *m)
 static inline void k5_mutex_lock(k5_mutex_t *m)
 {
     int r = k5_os_mutex_lock(m);
+#ifndef NDEBUG
+    if (r != 0) {
+        fprintf(stderr, "k5_mutex_lock: Received error %d (%s)\n",
+                r, strerror(r));
+    }
+#endif
     assert(r == 0);
 }
 
 static inline void k5_mutex_unlock(k5_mutex_t *m)
 {
     int r = k5_os_mutex_unlock(m);
+#ifndef NDEBUG
+    if (r != 0) {
+        fprintf(stderr, "k5_mutex_unlock: Received error %d (%s)\n",
+                r, strerror(r));
+    }
+#endif
     assert(r == 0);
 }
 
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index c75e264e04f2..390a8b7d6fc7 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -155,6 +155,20 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
     TRACE(c, "ccselect choosing default cache {ccache} for server " \
           "principal {princ}", cache, server)
 
+#define TRACE_DNS_SRV_ANS(c, host, port, prio, weight)                \
+    TRACE(c, "SRV answer: {int} {int} {int} \"{str}\"", prio, weight, \
+          port, host)
+#define TRACE_DNS_SRV_NOTFOUND(c)               \
+    TRACE(c, "No SRV records found")
+#define TRACE_DNS_SRV_SEND(c, domain)                   \
+    TRACE(c, "Sending DNS SRV query for {str}", domain)
+#define TRACE_DNS_URI_ANS(c, uri, prio, weight)                         \
+    TRACE(c, "URI answer: {int} {int} \"{str}\"", prio, weight, uri)
+#define TRACE_DNS_URI_NOTFOUND(c)               \
+    TRACE(c, "No URI records found")
+#define TRACE_DNS_URI_SEND(c, domain)                   \
+    TRACE(c, "Sending DNS URI query for {str}", domain)
+
 #define TRACE_FAST_ARMOR_CCACHE(c, ccache_name)         \
     TRACE(c, "FAST armor ccache: {str}", ccache_name)
 #define TRACE_FAST_ARMOR_CCACHE_KEY(c, keyblock)                \
@@ -213,8 +227,19 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
     TRACE(c, "Looked up etypes in keytab: {etypes}", etypes)
 #define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code)          \
     TRACE(c, "Couldn't lookup etypes in keytab: {kerr}", code)
+#define TRACE_INIT_CREDS_PREAUTH(c)                     \
+    TRACE(c, "Preauthenticating using KDC method data")
 #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code)                  \
     TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code)
+#define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype)                \
+    TRACE(c, "Continuing preauth mech {int}", (int)patype)
+#define TRACE_INIT_CREDS_PREAUTH_NONE(c)        \
+    TRACE(c, "Sending unauthenticated request")
+#define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c)  \
+    TRACE(c, "Attempting optimistic preauth")
+#define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code)              \
+    TRACE(c, "Recovering from KDC error {int} using preauth mech {int}", \
+          (int)patype, (int)code)
 #define TRACE_INIT_CREDS_RESTART_FAST(c)        \
     TRACE(c, "Restarting to upgrade to FAST")
 #define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c)                      \
@@ -228,6 +253,13 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
 #define TRACE_INIT_CREDS_SERVICE(c, service)                    \
     TRACE(c, "Setting initial creds service to {str}", service)
 
+#define TRACE_KADM5_AUTH_VTINIT_FAIL(c, ret)                            \
+    TRACE(c, "kadm5_auth module failed to init vtable: {kerr}", ret)
+#define TRACE_KADM5_AUTH_INIT_FAIL(c, name, ret)                        \
+    TRACE(c, "kadm5_auth module {str} failed to init: {kerr}", ret)
+#define TRACE_KADM5_AUTH_INIT_SKIP(c, name)                             \
+    TRACE(c, "kadm5_auth module {str} declined to initialize", name)
+
 #define TRACE_KT_GET_ENTRY(c, keytab, princ, vno, enctype, err)         \
     TRACE(c, "Retrieving {princ} from {keytab} (vno {int}, enctype {etype}) " \
           "with result: {kerr}", princ, keytab, (int) vno, enctype, err)
@@ -287,10 +319,16 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
 #define TRACE_PREAUTH_SKIP(c, name, patype)                           \
     TRACE(c, "Skipping previously used preauth module {str} ({int})", \
           name, (int) patype)
-#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, padata)                 \
-    TRACE(c, "Preauth tryagain input types: {patypes}", padata)
+#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, patype, padata)                 \
+    TRACE(c, "Preauth tryagain input types ({int}): {patypes}", patype, padata)
+#define TRACE_PREAUTH_TRYAGAIN(c, name, patype, code)                   \
+    TRACE(c, "Preauth module {str} ({int}) tryagain returned: {kerr}",  \
+          name, (int)patype, code)
 #define TRACE_PREAUTH_TRYAGAIN_OUTPUT(c, padata)                        \
     TRACE(c, "Followup preauth for next request: {patypes}", padata)
+#define TRACE_PREAUTH_WRONG_CONTEXT(c)                                  \
+    TRACE(c, "Wrong context passed to krb5_init_creds_free(); leaking " \
+          "modreq objects")
 
 #define TRACE_PROFILE_ERR(c,subsection, section, retval)             \
     TRACE(c, "Bad value of {str} from [{str}] in conf file: {kerr}", \
@@ -454,4 +492,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
 #define TRACE_GET_CRED_VIA_TKT_EXT_RETURN(c, ret) \
     TRACE(c, "Got cred; {kerr}", ret)
 
+#define TRACE_KDCPOLICY_VTINIT_FAIL(c, ret)                             \
+    TRACE(c, "KDC policy module failed to init vtable: {kerr}", ret)
+#define TRACE_KDCPOLICY_INIT_SKIP(c, name)                              \
+    TRACE(c, "kadm5_auth module {str} declined to initialize", name)
+
 #endif /* K5_TRACE_H */
diff --git a/src/include/k5-utf8.h b/src/include/k5-utf8.h
index 22f433c8e981..e2f20d45028f 100644
--- a/src/include/k5-utf8.h
+++ b/src/include/k5-utf8.h
@@ -73,57 +73,28 @@
 typedef uint16_t krb5_ucs2;
 typedef uint32_t krb5_ucs4;
 
-#define KRB5_MAX_UTF8_LEN   (sizeof(krb5_ucs2) * 3/2)
-
 int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out);
 size_t krb5int_ucs2_to_utf8(krb5_ucs2 c, char *buf);
 
 int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out);
 size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf);
 
-int
-krb5int_ucs2s_to_utf8s(const krb5_ucs2 *ucs2s,
-                       char **utf8s,
-                       size_t *utf8slen);
-
-int
-krb5int_ucs2cs_to_utf8s(const krb5_ucs2 *ucs2s,
-                        size_t ucs2slen,
-                        char **utf8s,
-                        size_t *utf8slen);
-
-int
-krb5int_ucs2les_to_utf8s(const unsigned char *ucs2les,
-                         char **utf8s,
-                         size_t *utf8slen);
-
-int
-krb5int_ucs2lecs_to_utf8s(const unsigned char *ucs2les,
-                          size_t ucs2leslen,
-                          char **utf8s,
-                          size_t *utf8slen);
-
-int
-krb5int_utf8s_to_ucs2s(const char *utf8s,
-                       krb5_ucs2 **ucs2s,
-                       size_t *ucs2chars);
-
-int
-krb5int_utf8cs_to_ucs2s(const char *utf8s,
-                        size_t utf8slen,
-                        krb5_ucs2 **ucs2s,
-                        size_t *ucs2chars);
-
-int
-krb5int_utf8s_to_ucs2les(const char *utf8s,
-                         unsigned char **ucs2les,
-                         size_t *ucs2leslen);
-
-int
-krb5int_utf8cs_to_ucs2les(const char *utf8s,
-                          size_t utf8slen,
-                          unsigned char **ucs2les,
-                          size_t *ucs2leslen);
+/*
+ * Convert a little-endian UTF-16 string to an allocated null-terminated UTF-8
+ * string.  nbytes is the length of ucs2bytes in bytes, and must be an even
+ * number.  Return EINVAL on invalid input, ENOMEM on out of memory, or 0 on
+ * success.
+ */
+int k5_utf16le_to_utf8(const uint8_t *utf16bytes, size_t nbytes,
+                       char **utf8_out);
+
+/*
+ * Convert a UTF-8 string to an allocated little-endian UTF-16 string.  The
+ * resulting length is in bytes and will always be even.  Return EINVAL on
+ * invalid input, ENOMEM on out of memory, or 0 on success.
+ */
+int k5_utf8_to_utf16le(const char *utf8, uint8_t **utf16_out,
+                       size_t *nbytes_out);
 
 /* returns the number of bytes in the UTF-8 string */
 size_t krb5int_utf8_bytes(const char *);
diff --git a/src/include/kdb.h b/src/include/kdb.h
index da04724fcedb..5615329c0bb3 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -69,7 +69,7 @@
 
 /* This version will be incremented when incompatible changes are made to the
  * KDB API, and will be kept in sync with the libkdb major version. */
-#define KRB5_KDB_API_VERSION 8
+#define KRB5_KDB_API_VERSION 9
 
 /* Salt types */
 #define KRB5_KDB_SALTTYPE_NORMAL        0
@@ -695,6 +695,8 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
                                          krb5_pa_data ***e_data);
 
 void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                          const krb5_address *local_addr,
+                          const krb5_address *remote_addr,
                           krb5_db_entry *client, krb5_db_entry *server,
                           krb5_timestamp authtime, krb5_error_code error_code);
 
@@ -865,7 +867,7 @@ krb5_error_code krb5_db_register_keytab(krb5_context context);
  * This number indicates the date of the last incompatible change to the DAL.
  * The maj_ver field of the module's vtable structure must match this version.
  */
-#define KRB5_KDB_DAL_MAJOR_VERSION 6
+#define KRB5_KDB_DAL_MAJOR_VERSION 7
 
 /*
  * A krb5_context can hold one database object.  Modules should use
@@ -1356,6 +1358,8 @@ typedef struct _kdb_vftabl {
      * AS request.
      */
     void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request,
+                         const krb5_address *local_addr,
+                         const krb5_address *remote_addr,
                          krb5_db_entry *client, krb5_db_entry *server,
                          krb5_timestamp authtime, krb5_error_code error_code);
 
diff --git a/src/include/kdb_log.h b/src/include/kdb_log.h
index 25b823674a9f..4239575659a3 100644
--- a/src/include/kdb_log.h
+++ b/src/include/kdb_log.h
@@ -21,9 +21,8 @@ extern "C" {
 /*
  * DB macros
  */
-#define INDEX(ulog, i) (kdb_ent_header_t *)((char *)(ulog) +            \
-                                            sizeof(kdb_hlog_t) +        \
-                                            (i) * ulog->kdb_block)
+#define INDEX(ulog, i) (kdb_ent_header_t *)(void *)                     \
+    ((char *)(ulog) + sizeof(kdb_hlog_t) + (i) * ulog->kdb_block)
 
 /*
  * Current DB version #
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
new file mode 100644
index 000000000000..3074790f8745
--- /dev/null
+++ b/src/include/krb5/certauth_plugin.h
@@ -0,0 +1,128 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/krb5/certauth_plugin.h - certauth plugin header. */
+/*
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Declarations for certauth plugin module implementors.
+ *
+ * The certauth pluggable interface currently has only one supported major
+ * version, which is 1.  Major version 1 has a current minor version number of
+ * 1.
+ *
+ * certauth plugin modules should define a function named
+ * certauth_<modulename>_initvt, matching the signature:
+ *
+ *   krb5_error_code
+ *   certauth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
+ *                           krb5_plugin_vtable vtable);
+ *
+ * The initvt function should:
+ *
+ * - Check that the supplied maj_ver number is supported by the module, or
+ *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
+ *
+ * - Cast the vtable pointer as appropriate for maj_ver:
+ *     maj_ver == 1: Cast to krb5_certauth_vtable
+ *
+ * - Initialize the methods of the vtable, stopping as appropriate for the
+ *   supplied min_ver.  Optional methods may be left uninitialized.
+ *
+ * Memory for the vtable is allocated by the caller, not by the module.
+ */
+
+#ifndef KRB5_CERTAUTH_PLUGIN_H
+#define KRB5_CERTAUTH_PLUGIN_H
+
+#include <krb5/krb5.h>
+#include <krb5/plugin.h>
+
+/* Abstract module data type. */
+typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata;
+
+/* A module can optionally include <kdb.h> to inspect the client principal
+ * entry when authorizing a request. */
+struct _krb5_db_entry_new;
+
+/*
+ * Optional: Initialize module data.
+ */
+typedef krb5_error_code
+(*krb5_certauth_init_fn)(krb5_context context,
+                         krb5_certauth_moddata *moddata_out);
+
+/*
+ * Optional: Clean up the module data.
+ */
+typedef void
+(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);
+
+/*
+ * Mandatory:
+ * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by
+ * princ; otherwise return one of the following error codes:
+ * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
+ * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
+ * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
+ * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
+ *
+ * - opts is used by built-in modules to receive internal data, and must be
+ *   ignored by other modules.
+ * - db_entry receives the client principal database entry, and can be ignored
+ *   by modules that do not link with libkdb5.
+ * - *authinds_out optionally returns a null-terminated list of authentication
+ *   indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization.
+ */
+typedef krb5_error_code
+(*krb5_certauth_authorize_fn)(krb5_context context,
+                              krb5_certauth_moddata moddata,
+                              const uint8_t *cert, size_t cert_len,
+                              krb5_const_principal princ, const void *opts,
+                              const struct _krb5_db_entry_new *db_entry,
+                              char ***authinds_out);
+
+/*
+ * Free indicators allocated by a module.  Mandatory if authorize returns
+ * authentication indicators.
+ */
+typedef void
+(*krb5_certauth_free_indicator_fn)(krb5_context context,
+                                   krb5_certauth_moddata moddata,
+                                   char **authinds);
+
+typedef struct krb5_certauth_vtable_st {
+    const char *name;
+    krb5_certauth_init_fn init;
+    krb5_certauth_fini_fn fini;
+    krb5_certauth_authorize_fn authorize;
+    krb5_certauth_free_indicator_fn free_ind;
+} *krb5_certauth_vtable;
+
+#endif /* KRB5_CERTAUTH_PLUGIN_H */
diff --git a/src/include/krb5/kadm5_auth_plugin.h b/src/include/krb5/kadm5_auth_plugin.h
new file mode 100644
index 000000000000..d514e99beb93
--- /dev/null
+++ b/src/include/krb5/kadm5_auth_plugin.h
@@ -0,0 +1,306 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Declarations for kadm5_auth plugin module implementors.
+ *
+ * The kadm5_auth pluggable interface currently has only one supported major
+ * version, which is 1.  Major version 1 has a current minor version number of
+ * 1.
+ *
+ * kadm5_auth plugin modules should define a function named
+ * kadm5_auth_<modulename>_initvt, matching the signature:
+ *
+ *   krb5_error_code
+ *   kadm5_auth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
+ *                             krb5_plugin_vtable vtable);
+ *
+ * The initvt function should:
+ *
+ * - Check that the supplied maj_ver number is supported by the module, or
+ *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
+ *
+ * - Cast the vtable pointer as appropriate for maj_ver:
+ *     maj_ver == 1: Cast to krb5_kadm5_auth_vtable
+ *
+ * - Initialize the methods of the vtable, stopping as appropriate for the
+ *   supplied min_ver.  Optional methods may be left uninitialized.
+ *
+ * Memory for the vtable is allocated by the caller, not by the module.
+ */
+
+#ifndef KRB5_KADM5_AUTH_PLUGIN_H
+#define KRB5_KADM5_AUTH_PLUGIN_H
+
+#include <krb5/krb5.h>
+#include <krb5/plugin.h>
+
+/* An abstract type for kadm5_auth module data. */
+typedef struct kadm5_auth_moddata_st *kadm5_auth_moddata;
+
+/*
+ * A module can optionally include <kadm5/admin.h> to inspect principal or
+ * policy records from requests that add or modify principals or policies.
+ * Note that fields of principal and policy structures are only valid if the
+ * corresponding bit is set in the accompanying mask parameter.
+ */
+struct _kadm5_principal_ent_t;
+struct _kadm5_policy_ent_t;
+
+/*
+ * A module can optionally generate restrictions when checking permissions for
+ * adding or modifying a principal entry.  Restriction fields will only be
+ * honored if the corresponding mask bit is set.  The operable mask bits are
+ * defined in <kadmin/admin.h> and are:
+ *
+ * - KADM5_ATTRIBUTES for require_attrs, forbid_attrs
+ * - KADM5_POLICY for policy
+ * - KADM5_POLICY_CLR to require that policy be unset
+ * - KADM5_PRINC_EXPIRE_TIME for princ_lifetime
+ * - KADM5_PW_EXPIRATION for pw_lifetime
+ * - KADM5_MAX_LIFE for max_life
+ * - KADM5_MAX_RLIFE for max_renewable_life
+ */
+struct kadm5_auth_restrictions {
+    long mask;
+    krb5_flags require_attrs;
+    krb5_flags forbid_attrs;
+    krb5_deltat princ_lifetime;
+    krb5_deltat pw_lifetime;
+    krb5_deltat max_life;
+    krb5_deltat max_renewable_life;
+    char *policy;
+};
+
+/*** Method type declarations ***/
+
+/*
+ * Optional: Initialize module data.  acl_file is the realm's configured ACL
+ * file, or NULL if none was configured.  Return 0 on success,
+ * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
+ * example), and any other error code to abort kadmind startup.  Optionally set
+ * *data_out to a module data object to be passed to future calls.
+ */
+typedef krb5_error_code
+(*kadm5_auth_init_fn)(krb5_context context, const char *acl_file,
+                      kadm5_auth_moddata *data_out);
+
+/* Optional: Release resources used by module data. */
+typedef void
+(*kadm5_auth_fini_fn)(krb5_context context, kadm5_auth_moddata data);
+
+/*
+ * Each check method below should return 0 to explicitly authorize the request,
+ * KRB5_PLUGIN_NO_HANDLE to neither authorize nor deny the request, and any
+ * other error code (such as EPERM) to explicitly deny the request.  If a check
+ * method is not defined, the module will neither authorize nor deny the
+ * request.  A request succeeds if at least one kadm5_auth module explicitly
+ * authorizes the request and none of the modules explicitly deny it.
+ */
+
+/* Optional: authorize an add-principal operation, and optionally generate
+ * restrictions. */
+typedef krb5_error_code
+(*kadm5_auth_addprinc_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client,
+                          krb5_const_principal target,
+                          const struct _kadm5_principal_ent_t *ent, long mask,
+                          struct kadm5_auth_restrictions **rs_out);
+
+/* Optional: authorize a modify-principal operation, and optionally generate
+ * restrictions. */
+typedef krb5_error_code
+(*kadm5_auth_modprinc_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client,
+                          krb5_const_principal target,
+                          const struct _kadm5_principal_ent_t *ent, long mask,
+                          struct kadm5_auth_restrictions **rs_out);
+
+/* Optional: authorize a set-string operation. */
+typedef krb5_error_code
+(*kadm5_auth_setstr_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client,
+                        krb5_const_principal target,
+                        const char *key, const char *value);
+
+/* Optional: authorize a change-password operation. */
+typedef krb5_error_code
+(*kadm5_auth_cpw_fn)(krb5_context context, kadm5_auth_moddata data,
+                     krb5_const_principal client, krb5_const_principal target);
+
+/* Optional: authorize a randomize-keys operation. */
+typedef krb5_error_code
+(*kadm5_auth_chrand_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client,
+                        krb5_const_principal target);
+
+/* Optional: authorize a set-key operation. */
+typedef krb5_error_code
+(*kadm5_auth_setkey_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client,
+                        krb5_const_principal target);
+
+/* Optional: authorize a purgekeys operation. */
+typedef krb5_error_code
+(*kadm5_auth_purgekeys_fn)(krb5_context context, kadm5_auth_moddata data,
+                           krb5_const_principal client,
+                           krb5_const_principal target);
+
+/* Optional: authorize a delete-principal operation. */
+typedef krb5_error_code
+(*kadm5_auth_delprinc_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client,
+                          krb5_const_principal target);
+
+/* Optional: authorize a rename-principal operation. */
+typedef krb5_error_code
+(*kadm5_auth_renprinc_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client,
+                          krb5_const_principal src,
+                          krb5_const_principal dest);
+
+/* Optional: authorize a get-principal operation. */
+typedef krb5_error_code
+(*kadm5_auth_getprinc_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client,
+                          krb5_const_principal target);
+
+/* Optional: authorize a get-strings operation. */
+typedef krb5_error_code
+(*kadm5_auth_getstrs_fn)(krb5_context context, kadm5_auth_moddata data,
+                         krb5_const_principal client,
+                         krb5_const_principal target);
+
+/* Optional: authorize an extract-keys operation. */
+typedef krb5_error_code
+(*kadm5_auth_extract_fn)(krb5_context context, kadm5_auth_moddata data,
+                         krb5_const_principal client,
+                         krb5_const_principal target);
+
+/* Optional: authorize a list-principals operation. */
+typedef krb5_error_code
+(*kadm5_auth_listprincs_fn)(krb5_context context, kadm5_auth_moddata data,
+                            krb5_const_principal client);
+
+/* Optional: authorize an add-policy operation. */
+typedef krb5_error_code
+(*kadm5_auth_addpol_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client, const char *policy,
+                        const struct _kadm5_policy_ent_t *ent, long mask);
+
+/* Optional: authorize a modify-policy operation. */
+typedef krb5_error_code
+(*kadm5_auth_modpol_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client, const char *policy,
+                        const struct _kadm5_policy_ent_t *ent, long mask);
+
+/* Optional: authorize a delete-policy operation. */
+typedef krb5_error_code
+(*kadm5_auth_delpol_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client, const char *policy);
+
+/* Optional: authorize a get-policy operation.  client_policy is the client
+ * principal's policy name, or NULL if it does not have one. */
+typedef krb5_error_code
+(*kadm5_auth_getpol_fn)(krb5_context context, kadm5_auth_moddata data,
+                        krb5_const_principal client, const char *policy,
+                        const char *client_policy);
+
+/* Optional: authorize a list-policies operation. */
+typedef krb5_error_code
+(*kadm5_auth_listpols_fn)(krb5_context context, kadm5_auth_moddata data,
+                          krb5_const_principal client);
+
+/* Optional: authorize an iprop operation. */
+typedef krb5_error_code
+(*kadm5_auth_iprop_fn)(krb5_context context, kadm5_auth_moddata data,
+                       krb5_const_principal client);
+
+/*
+ * Optional: receive a notification that the most recent authorized operation
+ * has ended.  If a kadm5_auth module is also a KDB module, it can assume that
+ * all KDB methods invoked between a kadm5_auth authorization method invocation
+ * and a kadm5_auth end invocation are performed as part of the authorized
+ * operation.
+ *
+ * The end method may be invoked without a preceding authorization method in
+ * some cases; the module must be prepared to ignore such calls.
+ */
+typedef void
+(*kadm5_auth_end_fn)(krb5_context context, kadm5_auth_moddata data);
+
+/*
+ * Optional: free a restrictions object.  This method does not need to be
+ * defined if the module does not generate restrictions objects, or if it
+ * returns aliases to restrictions objects contained from within the module
+ * data.
+ */
+typedef void
+(*kadm5_auth_free_restrictions_fn)(krb5_context context,
+                                   kadm5_auth_moddata data,
+                                   struct kadm5_auth_restrictions *rs);
+
+/* kadm5_auth vtable for major version 1. */
+typedef struct kadm5_auth_vtable_st {
+    const char *name;           /* Mandatory: name of module. */
+    kadm5_auth_init_fn init;
+    kadm5_auth_fini_fn fini;
+
+    kadm5_auth_addprinc_fn addprinc;
+    kadm5_auth_modprinc_fn modprinc;
+    kadm5_auth_setstr_fn setstr;
+    kadm5_auth_cpw_fn cpw;
+    kadm5_auth_chrand_fn chrand;
+    kadm5_auth_setkey_fn setkey;
+    kadm5_auth_purgekeys_fn purgekeys;
+    kadm5_auth_delprinc_fn delprinc;
+    kadm5_auth_renprinc_fn renprinc;
+
+    kadm5_auth_getprinc_fn getprinc;
+    kadm5_auth_getstrs_fn getstrs;
+    kadm5_auth_extract_fn extract;
+    kadm5_auth_listprincs_fn listprincs;
+
+    kadm5_auth_addpol_fn addpol;
+    kadm5_auth_modpol_fn modpol;
+    kadm5_auth_delpol_fn delpol;
+    kadm5_auth_getpol_fn getpol;
+    kadm5_auth_listpols_fn listpols;
+
+    kadm5_auth_iprop_fn iprop;
+
+    kadm5_auth_end_fn end;
+
+    kadm5_auth_free_restrictions_fn free_restrictions;
+    /* Minor version 1 ends here. */
+} *kadm5_auth_vtable;
+
+#endif /* KRB5_KADM5_AUTH_PLUGIN_H */
diff --git a/src/include/krb5/kdcpolicy_plugin.h b/src/include/krb5/kdcpolicy_plugin.h
new file mode 100644
index 000000000000..c7592c5dba78
--- /dev/null
+++ b/src/include/krb5/kdcpolicy_plugin.h
@@ -0,0 +1,128 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
+/*
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Declarations for kdcpolicy plugin module implementors.
+ *
+ * The kdcpolicy pluggable interface currently has only one supported major
+ * version, which is 1.  Major version 1 has a current minor version number of
+ * 1.
+ *
+ * kdcpolicy plugin modules should define a function named
+ * kdcpolicy_<modulename>_initvt, matching the signature:
+ *
+ *   krb5_error_code
+ *   kdcpolicy_modname_initvt(krb5_context context, int maj_ver, int min_ver,
+ *                            krb5_plugin_vtable vtable);
+ *
+ * The initvt function should:
+ *
+ * - Check that the supplied maj_ver number is supported by the module, or
+ *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
+ *
+ * - Cast the vtable pointer as appropriate for maj_ver:
+ *   maj_ver == 1: Cast to krb5_kdcpolicy_vtable
+ *
+ * - Initialize the methods of the vtable, stopping as appropriate for the
+ *   supplied min_ver.  Optional methods may be left uninitialized.
+ *
+ * Memory for the vtable is allocated by the caller, not by the module.
+ */
+
+#ifndef KRB5_POLICY_PLUGIN_H
+#define KRB5_POLICY_PLUGIN_H
+
+#include <krb5/krb5.h>
+
+/* Abstract module datatype. */
+typedef struct krb5_kdcpolicy_moddata_st *krb5_kdcpolicy_moddata;
+
+/* A module can optionally include kdb.h to inspect principal entries when
+ * authorizing requests. */
+struct _krb5_db_entry_new;
+
+/*
+ * Optional: Initialize module data.  Return 0 on success,
+ * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
+ * example), and any other error code to abort KDC startup.  Optionally set
+ * *data_out to a module data object to be passed to future calls.
+ */
+typedef krb5_error_code
+(*krb5_kdcpolicy_init_fn)(krb5_context context,
+                          krb5_kdcpolicy_moddata *data_out);
+
+/* Optional: Clean up module data. */
+typedef krb5_error_code
+(*krb5_kdcpolicy_fini_fn)(krb5_context context,
+                          krb5_kdcpolicy_moddata moddata);
+
+/*
+ * Optional: return an error code and set status to an appropriate string
+ * literal to deny an AS request; otherwise return 0.  lifetime_out, if set,
+ * restricts the ticket lifetime.  renew_lifetime_out, if set, restricts the
+ * ticket renewable lifetime.
+ */
+typedef krb5_error_code
+(*krb5_kdcpolicy_check_as_fn)(krb5_context context,
+                              krb5_kdcpolicy_moddata moddata,
+                              const krb5_kdc_req *request,
+                              const struct _krb5_db_entry_new *client,
+                              const struct _krb5_db_entry_new *server,
+                              const char *const *auth_indicators,
+                              const char **status, krb5_deltat *lifetime_out,
+                              krb5_deltat *renew_lifetime_out);
+
+/*
+ * Optional: return an error code and set status to an appropriate string
+ * literal to deny a TGS request; otherwise return 0.  lifetime_out, if set,
+ * restricts the ticket lifetime.  renew_lifetime_out, if set, restricts the
+ * ticket renewable lifetime.
+ */
+typedef krb5_error_code
+(*krb5_kdcpolicy_check_tgs_fn)(krb5_context context,
+                               krb5_kdcpolicy_moddata moddata,
+                               const krb5_kdc_req *request,
+                               const struct _krb5_db_entry_new *server,
+                               const krb5_ticket *ticket,
+                               const char *const *auth_indicators,
+                               const char **status, krb5_deltat *lifetime_out,
+                               krb5_deltat *renew_lifetime_out);
+
+typedef struct krb5_kdcpolicy_vtable_st {
+    const char *name;
+    krb5_kdcpolicy_init_fn init;
+    krb5_kdcpolicy_fini_fn fini;
+    krb5_kdcpolicy_check_as_fn check_as;
+    krb5_kdcpolicy_check_tgs_fn check_tgs;
+} *krb5_kdcpolicy_vtable;
+
+#endif /* KRB5_POLICY_PLUGIN_H */
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index f455effaecdb..f388200999ef 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -34,7 +34,7 @@
  * Declarations for kdcpreauth plugin module implementors.
  *
  * The kdcpreauth interface has a single supported major version, which is 1.
- * Major version 1 has a current minor version of 3.  kdcpreauth modules should
+ * Major version 1 has a current minor version of 2.  kdcpreauth modules should
  * define a function named kdcpreauth_<modulename>_initvt, matching the
  * signature:
  *
@@ -221,6 +221,25 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 
     /* End of version 3 kdcpreauth callbacks. */
 
+    /*
+     * Return true if princ matches the principal named in the request or the
+     * client principal (possibly canonicalized).  If princ does not match,
+     * attempt a database lookup of princ with aliases allowed and compare the
+     * result to the client principal, returning true if it matches.
+     * Otherwise, return false.
+     */
+    krb5_boolean (*match_client)(krb5_context context,
+                                 krb5_kdcpreauth_rock rock,
+                                 krb5_principal princ);
+
+    /*
+     * Get an alias to the client DB entry principal (possibly canonicalized).
+     */
+    krb5_principal (*client_name)(krb5_context context,
+                                  krb5_kdcpreauth_rock rock);
+
+    /* End of version 4 kdcpreauth callbacks. */
+
 } *krb5_kdcpreauth_callbacks;
 
 /* Optional: preauth plugin initialization function. */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index ac22f4c55098..c86e78274484 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -181,7 +181,16 @@ typedef krb5_int32 krb5_cryptotype;
 
 typedef krb5_int32      krb5_preauthtype; /* This may change, later on */
 typedef krb5_int32      krb5_flags;
+
+/**
+ * Represents a timestamp in seconds since the POSIX epoch.  This legacy type
+ * is used frequently in the ABI, but cannot represent timestamps after 2038 as
+ * a positive number.  Code which uses this type should cast values of it to
+ * uint32_t so that negative values are treated as timestamps between 2038 and
+ * 2106 on platforms with 64-bit time_t.
+ */
 typedef krb5_int32      krb5_timestamp;
+
 typedef krb5_int32      krb5_deltat;
 
 /**
@@ -3221,8 +3230,9 @@ krb5_get_credentials_renew(krb5_context context, krb5_flags options,
  */
 krb5_error_code KRB5_CALLCONV
 krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
-            krb5_flags ap_req_options, char *service, char *hostname,
-            krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf);
+            krb5_flags ap_req_options, const char *service,
+            const char *hostname, krb5_data *in_data, krb5_ccache ccache,
+            krb5_data *outbuf);
 
 /**
  * Create a @c KRB_AP_REQ message using supplied credentials.
@@ -5615,8 +5625,9 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
  */
 krb5_error_code KRB5_CALLCONV
 krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
-                   char *rhost, krb5_principal client, krb5_principal server,
-                   krb5_ccache cc, int forwardable, krb5_data *outbuf);
+                   const char *rhost, krb5_principal client,
+                   krb5_principal server, krb5_ccache cc, int forwardable,
+                   krb5_data *outbuf);
 
 /**
  * Create and initialize an authentication context.
@@ -6000,15 +6011,19 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context,
                                  krb5_int32 *seqnumber);
 
-#if KRB5_DEPRECATED
-/** @deprecated Not replaced.
+/**
+ * Cause an auth context to use cipher state.
+ *
+ * @param [in]  context         Library context
+ * @param [in]  auth_context    Authentication context
  *
- * RFC 4120 doesn't have anything like the initvector concept;
- * only really old protocols may need this API.
+ * Prepare @a auth_context to use cipher state when krb5_mk_priv() or
+ * krb5_rd_priv() encrypt or decrypt data.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
  */
-KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
-#endif
 
 /**
  * Set the replay cache in an auth context.
@@ -7306,6 +7321,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context;
  *
  * @param [in] context          Library context
  * @param [in] ctx              Initial credentials context
+ *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
  */
 void KRB5_CALLCONV
 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
@@ -7320,6 +7338,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
  * krb5_init_creds_init().  On successful return, the credentials can be
  * retrieved with krb5_init_creds_get_creds().
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7370,6 +7391,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
  * This function creates a new context for acquiring initial credentials.  Use
  * krb5_init_creds_free() to free @a ctx when it is no longer needed.
  *
+ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
+ * krb5_init_creds_free() for this initial credentials context must use the
+ * same @a context argument as the one passed to this function.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7419,6 +7444,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
  * transmit the next request using TCP rather than UDP.  If this function
  * returns any other error, the initial credential exchange has failed.
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -8229,9 +8257,9 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
  * If successful, @a pac is marked as verified.
  *
  * @note A checksum mismatch can occur if the PAC was copied from a cross-realm
- * TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of
- * 10.6) generates PACs with no server checksum at all.  One should consider
- * not failing the whole authentication because of this reason, but, instead,
+ * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6)
+ * generates PACs with no server checksum at all.  One should consider not
+ * failing the whole authentication because of this reason, but, instead,
  * treating the ticket as if it did not contain a PAC or marking the PAC
  * information as non-verified.
  *
diff --git a/src/include/net-server.h b/src/include/net-server.h
index 37721e7f17a0..e5edcc49d5a1 100644
--- a/src/include/net-server.h
+++ b/src/include/net-server.h
@@ -86,7 +86,7 @@ void loop_free(verto_ctx *ctx);
  */
 typedef void (*loop_respond_fn)(void *arg, krb5_error_code code,
                                 krb5_data *response);
-void dispatch(void *handle, struct sockaddr *local_addr,
+void dispatch(void *handle, const krb5_fulladdr *local_addr,
               const krb5_fulladdr *remote_addr, krb5_data *request,
               int is_tcp, verto_ctx *vctx, loop_respond_fn respond, void *arg);
 krb5_error_code make_toolong_error (void *handle, krb5_data **);
diff --git a/src/include/socket-utils.h b/src/include/socket-utils.h
index 156663683047..e1f33aa31763 100644
--- a/src/include/socket-utils.h
+++ b/src/include/socket-utils.h
@@ -119,6 +119,17 @@ sa_is_inet(struct sockaddr *sa)
     return sa->sa_family == AF_INET || sa->sa_family == AF_INET6;
 }
 
+/* Return true if sa is an IPv4 or IPv6 wildcard address. */
+static inline int
+sa_is_wildcard(struct sockaddr *sa)
+{
+    if (sa->sa_family == AF_INET6)
+        return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr);
+    else if (sa->sa_family == AF_INET)
+        return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY;
+    return 0;
+}
+
 /* Return the length of an IPv4 or IPv6 socket structure; abort if it is
  * neither. */
 static inline socklen_t
diff --git a/src/include/win-mac.h b/src/include/win-mac.h
index 1994388b71d3..c3744ed14ee6 100644
--- a/src/include/win-mac.h
+++ b/src/include/win-mac.h
@@ -225,9 +225,7 @@ typedef _W64 int         ssize_t;
 
 HINSTANCE get_lib_instance(void);
 
-#define GETSOCKNAME_ARG2_TYPE   struct sockaddr
 #define GETSOCKNAME_ARG3_TYPE   size_t
-#define GETPEERNAME_ARG2_TYPE   GETSOCKNAME_ARG2_TYPE
 #define GETPEERNAME_ARG3_TYPE   GETSOCKNAME_ARG3_TYPE
 
 #endif /* !RES_ONLY */
diff --git a/src/kadmin/cli/deps b/src/kadmin/cli/deps
index a9c997b395ab..a5873fc79443 100644
--- a/src/kadmin/cli/deps
+++ b/src/kadmin/cli/deps
@@ -5,14 +5,21 @@ $(OUTPRE)kadmin.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
   $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
   $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
   $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
   $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
   $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
   $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
-  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h kadmin.c kadmin.h
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  kadmin.c kadmin.h
 $(OUTPRE)kadmin_ct.$(OBJEXT): $(COM_ERR_DEPS) $(SS_DEPS) \
   kadmin_ct.c
 $(OUTPRE)ss_wrapper.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
index 4f0c56f7eb20..059f112da13a 100644
--- a/src/kadmin/cli/getdate.y
+++ b/src/kadmin/cli/getdate.y
@@ -6,7 +6,7 @@
 **  <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
 **  send any email to Rich.
 **
-**  This grammar has nine shift/reduce conflicts.
+**  This grammar has four shift/reduce conflicts.
 **
 **  This code is in the public domain and has no copyright.
 */
@@ -118,7 +118,7 @@ static int getdate_yyerror (char *);
 
 
 #define EPOCH		1970
-#define EPOCH_END	2038 /* assumes 32 bits */
+#define EPOCH_END	2106 /* assumes unsigned 32-bit range */
 #define HOUR(x)		((time_t)(x) * 60)
 #define SECSPERDAY	(24L * 60L * 60L)
 
@@ -176,6 +176,9 @@ static time_t	yyRelSeconds;
 
 %}
 
+/* Mute shift/reduce warning as per header comment. */
+%expect 4
+
 %union {
     time_t		Number;
     enum _MERIDIAN	Meridian;
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index c53c677a82d0..aee5c83b9546 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -31,8 +31,7 @@
  * library */
 
 /* for "_" macro */
-#include "k5-platform.h"
-#include <krb5.h>
+#include "k5-int.h"
 #include <kadm5/admin.h>
 #include <adm_proto.h>
 #include <errno.h>
@@ -144,8 +143,8 @@ strdate(krb5_timestamp when)
 {
     struct tm *tm;
     static char out[40];
+    time_t lcltim = ts2tt(when);
 
-    time_t lcltim = when;
     tm = localtime(&lcltim);
     strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
     return out;
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index f7889bd234f5..aca136f0b62f 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -370,11 +370,12 @@ k5beta7_common(krb5_context context, krb5_db_entry *entry,
     fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len,
             (unsigned long)strlen(name), counter, (int)entry->n_key_data,
             (int)entry->e_length, name);
-    fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes,
-            entry->max_life, entry->max_renewable_life, entry->expiration,
-            entry->pw_expiration,
-            omit_nra ? 0 : entry->last_success,
-            omit_nra ? 0 : entry->last_failed,
+    fprintf(fp, "%d\t%d\t%d\t%u\t%u\t%u\t%u\t%d", entry->attributes,
+            entry->max_life, entry->max_renewable_life,
+            (unsigned int)entry->expiration,
+            (unsigned int)entry->pw_expiration,
+            (unsigned int)(omit_nra ? 0 : entry->last_success),
+            (unsigned int)(omit_nra ? 0 : entry->last_failed),
             omit_nra ? 0 : entry->fail_auth_count);
 
     /* Write out tagged data. */
@@ -688,6 +689,10 @@ process_tl_data(const char *fname, FILE *filep, int lineno,
                      _("cannot read tagged data type and length"));
             return EINVAL;
         }
+        if (i1 < INT16_MIN || i1 > INT16_MAX || u1 > UINT16_MAX) {
+            load_err(fname, lineno, _("data type or length overflowed"));
+            return EINVAL;
+        }
         tl->tl_data_type = i1;
         tl->tl_data_length = u1;
         if (read_octets_or_minus1(filep, tl->tl_data_length,
@@ -708,7 +713,7 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
 {
     int retval, nread, i, j;
     krb5_db_entry *dbentry;
-    int t1, t2, t3, t4, t5, t6, t7;
+    int t1, t2, t3, t4;
     unsigned int u1, u2, u3, u4, u5;
     char *name = NULL;
     krb5_key_data *kp = NULL, *kd;
@@ -735,6 +740,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
         goto fail;
 
     /* Get memory for and form tagged data linked list */
+    if (u3 > UINT16_MAX) {
+        load_err(fname, *linenop, _("cannot allocate tl_data (too large)"));
+        goto fail;
+    }
     if (alloc_tl_data(u3, &dbentry->tl_data))
         goto fail;
     dbentry->n_tl_data = u3;
@@ -764,8 +773,8 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     }
 
     /* Get the fixed principal attributes */
-    nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
-                   &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1);
+    nread = fscanf(filep, "%d\t%d\t%d\t%u\t%u\t%d\t%d\t%d\t",
+                   &t1, &t2, &t3, &u1, &u2, &u3, &u4, &u5);
     if (nread != 8) {
         load_err(fname, *linenop, _("cannot read principal attributes"));
         goto fail;
@@ -773,11 +782,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
     dbentry->attributes = t1;
     dbentry->max_life = t2;
     dbentry->max_renewable_life = t3;
-    dbentry->expiration = t4;
-    dbentry->pw_expiration = t5;
-    dbentry->last_success = t6;
-    dbentry->last_failed = t7;
-    dbentry->fail_auth_count = u1;
+    dbentry->expiration = u1;
+    dbentry->pw_expiration = u2;
+    dbentry->last_success = u3;
+    dbentry->last_failed = u4;
+    dbentry->fail_auth_count = u5;
     dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
         KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
         KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
@@ -823,13 +832,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
             load_err(fname, *linenop, _("cannot read key size and version"));
             goto fail;
         }
+        if (t1 > KRB5_KDB_V1_KEY_DATA_ARRAY) {
+            load_err(fname, *linenop, _("unsupported key_data_ver version"));
+            goto fail;
+        }
 
         kd->key_data_ver = t1;
         kd->key_data_kvno = t2;
 
         for (j = 0; j < t1; j++) {
             nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
-            if (nread != 2) {
+            if (nread != 2 || t4 < 0) {
                 load_err(fname, *linenop,
                          _("cannot read key type and length"));
                 goto fail;
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 7df8cbc83f21..2efe3176e81b 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -44,8 +44,8 @@ static char *strdate(krb5_timestamp when)
 {
     struct tm *tm;
     static char out[40];
+    time_t lcltim = ts2tt(when);
 
-    time_t lcltim = when;
     tm = localtime(&lcltim);
     strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
     return out;
@@ -481,7 +481,7 @@ kdb5_use_mkey(int argc, char *argv[])
                  cur_actkvno != NULL;
                  prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
 
-                if (new_actkvno->act_time < cur_actkvno->act_time) {
+                if (ts_after(cur_actkvno->act_time, new_actkvno->act_time)) {
                     if (prev_actkvno) {
                         prev_actkvno->next = new_actkvno;
                         new_actkvno->next = cur_actkvno;
@@ -499,7 +499,7 @@ kdb5_use_mkey(int argc, char *argv[])
         }
     }
 
-    if (actkvno_list->act_time > now) {
+    if (ts_after(actkvno_list->act_time, now)) {
         com_err(progname, EINVAL,
                 _("there must be one master key currently active"));
         exit_status++;
diff --git a/src/kadmin/dbutil/tabdump.c b/src/kadmin/dbutil/tabdump.c
index 69a3482ec935..fb36b060ac96 100644
--- a/src/kadmin/dbutil/tabdump.c
+++ b/src/kadmin/dbutil/tabdump.c
@@ -148,7 +148,7 @@ write_date_iso(struct rec_args *args, krb5_timestamp when)
     struct tm *tm = NULL;
     struct rechandle *h = args->rh;
 
-    t = when;
+    t = ts2tt(when);
     tm = gmtime(&t);
     if (tm == NULL) {
         errno = EINVAL;
diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
index ef16d37a5693..6a8586da8207 100644
--- a/src/kadmin/ktutil/ktutil.c
+++ b/src/kadmin/ktutil/ktutil.c
@@ -140,7 +140,8 @@ void ktutil_add_entry(argc, argv)
     char *princ = NULL;
     char *enctype = NULL;
     krb5_kvno kvno = 0;
-    int use_pass = 0, use_key = 0, i;
+    int use_pass = 0, use_key = 0, use_kvno = 0, i;
+    char *salt = NULL;
 
     for (i = 1; i < argc; i++) {
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -149,6 +150,7 @@ void ktutil_add_entry(argc, argv)
         }
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
             kvno = (krb5_kvno) atoi(argv[++i]);
+            use_kvno++;
             continue;
         }
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -163,15 +165,22 @@ void ktutil_add_entry(argc, argv)
             use_key++;
             continue;
         }
+        if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-s", 2)) {
+            salt = argv[++i];
+            continue;
+        }
     }
 
-    if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+    if (!((argc == 8 && princ && use_kvno && enctype) ||
+          (argc == 10 && princ && use_kvno && enctype && salt)) ||
+        use_pass + use_key != 1) {
         fprintf(stderr, _("usage: %s (-key | -password) -p principal "
-                          "-k kvno -e enctype\n"), argv[0]);
+                          "-k kvno -e enctype [-s salt]\n"), argv[0]);
         return;
     }
 
-    retval = ktutil_add(kcontext, &ktlist, princ, kvno, enctype, use_pass);
+    retval = ktutil_add(kcontext, &ktlist, princ, kvno, enctype, use_pass,
+                        salt);
     if (retval)
         com_err(argv[0], retval, _("while adding new entry"));
 }
diff --git a/src/kadmin/ktutil/ktutil.h b/src/kadmin/ktutil/ktutil.h
index c4839ff12aa8..8bf491525095 100644
--- a/src/kadmin/ktutil/ktutil.h
+++ b/src/kadmin/ktutil/ktutil.h
@@ -38,7 +38,8 @@ krb5_error_code ktutil_add (krb5_context,
                             char *,
                             krb5_kvno,
                             char *,
-                            int);
+                            int,
+                            char *);
 
 krb5_error_code ktutil_read_keytab (krb5_context,
                                     char *,
diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c
index 20a348c80582..7a3aa0dcad59 100644
--- a/src/kadmin/ktutil/ktutil_funcs.c
+++ b/src/kadmin/ktutil/ktutil_funcs.c
@@ -87,13 +87,14 @@ krb5_error_code ktutil_delete(context, list, idx)
  * one first.
  */
 krb5_error_code ktutil_add(context, list, princ_str, kvno,
-                           enctype_str, use_pass)
+                           enctype_str, use_pass, salt_str)
     krb5_context context;
     krb5_kt_list *list;
     char *princ_str;
     krb5_kvno kvno;
     char *enctype_str;
     int use_pass;
+    char *salt_str;
 {
     krb5_keytab_entry *entry;
     krb5_kt_list lp = NULL, prev = NULL;
@@ -101,7 +102,7 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno,
     krb5_enctype enctype;
     krb5_timestamp now;
     krb5_error_code retval;
-    krb5_data password, salt;
+    krb5_data password, salt, defsalt = empty_data();
     krb5_keyblock key;
     char buf[BUFSIZ];
     char promptstr[1024];
@@ -165,9 +166,14 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno,
                                     &password.length);
         if (retval)
             goto cleanup;
-        retval = krb5_principal2salt(context, princ, &salt);
-        if (retval)
-            goto cleanup;
+        if (salt_str != NULL) {
+            salt = string2data(salt_str);
+        } else {
+            retval = krb5_principal2salt(context, princ, &defsalt);
+            if (retval)
+                goto cleanup;
+            salt = defsalt;
+        }
         retval = krb5_c_string_to_key(context, enctype, &password,
                                       &salt, &key);
         if (retval)
@@ -225,6 +231,7 @@ cleanup:
     if (prev)
         prev->next = NULL;
     ktutil_free_kt_list(context, lp);
+    krb5_free_data_contents(context, &defsalt);
     return retval;
 }
 
diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in
index 3a013a4d4e15..16d5cc54aa4c 100644
--- a/src/kadmin/server/Makefile.in
+++ b/src/kadmin/server/Makefile.in
@@ -7,8 +7,10 @@ LOCALINCLUDES = -I$(top_srcdir)/lib/gssapi/generic \
 	-I$(BUILDTOP)/lib/gssapi/krb5 -I$(top_srcdir)/lib/kadm5/srv
 
 PROG = kadmind
-OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o
-SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c
+OBJS = auth.o auth_acl.o auth_self.o kadm_rpc_svc.o server_stubs.o \
+	ovsec_kadmd.o schpw.o misc.o ipropd_svc.o
+SRCS = auth.o auth_acl.c auth_self.c kadm_rpc_svc.c server_stubs.c \
+	ovsec_kadmd.c schpw.c misc.c ipropd_svc.c
 
 all: $(PROG)
 
diff --git a/src/kadmin/server/auth.c b/src/kadmin/server/auth.c
new file mode 100644
index 000000000000..081b20a8b678
--- /dev/null
+++ b/src/kadmin/server/auth.c
@@ -0,0 +1,314 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* kadmin/server/auth.c - kadm5_auth pluggable interface consumer */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include <kadm5/admin.h>
+#include <krb5/kadm5_auth_plugin.h>
+#include "auth.h"
+
+typedef struct {
+    struct kadm5_auth_vtable_st vt;
+    kadm5_auth_moddata data;
+} *auth_handle;
+
+static auth_handle *handles;
+
+void
+auth_fini(krb5_context context)
+{
+    auth_handle *hp, h;
+
+    if (handles == NULL)
+        return;
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.fini != NULL)
+            h->vt.fini(context, h->data);
+        free(h);
+    }
+    free(handles);
+    handles = NULL;
+}
+
+krb5_error_code
+auth_init(krb5_context context, const char *acl_file)
+{
+    krb5_error_code ret;
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
+    size_t count;
+    auth_handle h = NULL;
+    const int intf = PLUGIN_INTERFACE_KADM5_AUTH;
+
+    ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt);
+    if (ret)
+        goto cleanup;
+    ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt);
+    if (ret)
+        goto cleanup;
+    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules);
+    if (ret)
+        goto cleanup;
+
+    /* Allocate a large enough list of handles. */
+    for (count = 0; modules[count] != NULL; count++);
+    handles = k5calloc(count + 1, sizeof(*handles), &ret);
+    if (handles == NULL)
+        goto cleanup;
+
+    /* For each module, allocate a handle, initialize its vtable, and
+     * initialize its module data. */
+    count = 0;
+    for (mod = modules; *mod != NULL; mod++) {
+        h = k5alloc(sizeof(*h), &ret);
+        if (h == NULL)
+            goto cleanup;
+        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        if (ret) {              /* Failed vtable init is non-fatal. */
+            TRACE_KADM5_AUTH_VTINIT_FAIL(context, ret);
+            free(h);
+            h = NULL;
+            continue;
+        }
+        h->data = NULL;
+        if (h->vt.init != NULL) {
+            ret = h->vt.init(context, acl_file, &h->data);
+            if (ret == KRB5_PLUGIN_NO_HANDLE) {
+                TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
+                free(h);
+                h = NULL;
+                continue;
+            }
+            if (ret) {
+                TRACE_KADM5_AUTH_INIT_FAIL(context, h->vt.name, ret);
+                goto cleanup;
+            }
+        }
+        handles[count++] = h;
+        handles[count] = NULL;
+        h = NULL;
+    }
+
+    ret = 0;
+
+cleanup:
+    if (ret)
+        auth_fini(context);
+    free(h);
+    k5_plugin_free_modules(context, modules);
+    return ret;
+}
+
+/* Invoke the appropriate method from h->vt for opcode, passing client and the
+ * correct subset of p1, p2, s1, s2, polent, and mask for the method. */
+static krb5_error_code
+call_module(krb5_context context, auth_handle h, int opcode,
+            krb5_const_principal client, krb5_const_principal p1,
+            krb5_const_principal p2, const char *s1, const char *s2,
+            const kadm5_policy_ent_rec *polent, long mask)
+{
+    /* addprinc and modprinc are handled through auth_restrict(). */
+    assert(opcode != OP_ADDPRINC && opcode != OP_MODPRINC);
+
+    if (opcode == OP_SETSTR && h->vt.setstr != NULL)
+        return h->vt.setstr(context, h->data, client, p1, s1, s2);
+    else if (opcode == OP_CPW && h->vt.cpw != NULL)
+        return h->vt.cpw(context, h->data, client, p1);
+    else if (opcode == OP_CHRAND && h->vt.chrand != NULL)
+        return h->vt.chrand(context, h->data, client, p1);
+    else if (opcode == OP_SETKEY && h->vt.setkey != NULL)
+        return h->vt.setkey(context, h->data, client, p1);
+    else if (opcode == OP_PURGEKEYS && h->vt.purgekeys != NULL)
+        return h->vt.purgekeys(context, h->data, client, p1);
+    else if (opcode == OP_DELPRINC && h->vt.delprinc != NULL)
+        return h->vt.delprinc(context, h->data, client, p1);
+    else if (opcode == OP_RENPRINC && h->vt.renprinc != NULL)
+        return h->vt.renprinc(context, h->data, client, p1, p2);
+    else if (opcode == OP_GETPRINC && h->vt.getprinc != NULL)
+        return h->vt.getprinc(context, h->data, client, p1);
+    else if (opcode == OP_GETSTRS && h->vt.getstrs != NULL)
+        return h->vt.getstrs(context, h->data, client, p1);
+    else if (opcode == OP_EXTRACT && h->vt.extract != NULL)
+        return h->vt.extract(context, h->data, client, p1);
+    else if (opcode == OP_LISTPRINCS && h->vt.listprincs != NULL)
+        return h->vt.listprincs(context, h->data, client);
+    else if (opcode == OP_ADDPOL && h->vt.addpol != NULL)
+        return h->vt.addpol(context, h->data, client, s1, polent, mask);
+    else if (opcode == OP_MODPOL && h->vt.modpol != NULL)
+        return h->vt.modpol(context, h->data, client, s1, polent, mask);
+    else if (opcode == OP_DELPOL && h->vt.delpol != NULL)
+        return h->vt.delpol(context, h->data, client, s1);
+    else if (opcode == OP_GETPOL && h->vt.getpol != NULL)
+        return h->vt.getpol(context, h->data, client, s1, s2);
+    else if (opcode == OP_LISTPOLS && h->vt.listpols != NULL)
+        return h->vt.listpols(context, h->data, client);
+    else if (opcode == OP_IPROP && h->vt.iprop != NULL)
+        return h->vt.iprop(context, h->data, client);
+
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+krb5_boolean
+auth(krb5_context context, int opcode, krb5_const_principal client,
+     krb5_const_principal p1, krb5_const_principal p2, const char *s1,
+     const char *s2, const kadm5_policy_ent_rec *polent, long mask)
+{
+    krb5_error_code ret;
+    krb5_boolean authorized = FALSE;
+    auth_handle *hp, h;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+
+        ret = call_module(context, h, opcode, client, p1, p2, s1, s2,
+                          polent, mask);
+        if (!ret)
+            authorized = TRUE;
+        else if (ret != KRB5_PLUGIN_NO_HANDLE)
+            return FALSE;
+    }
+
+    return authorized;
+}
+
+/* Impose restrictions, modifying *ent and *mask. */
+static krb5_error_code
+impose_restrictions(krb5_context context,
+                    const struct kadm5_auth_restrictions *rs,
+                    kadm5_principal_ent_t ent, long *mask)
+{
+    krb5_error_code ret;
+    krb5_timestamp now;
+
+    if (rs == NULL)
+        return 0;
+    if (rs->mask & (KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION)) {
+        ret = krb5_timeofday(context, &now);
+        if (ret)
+            return ret;
+    }
+
+    if (rs->mask & KADM5_ATTRIBUTES) {
+        ent->attributes |= rs->require_attrs;
+        ent->attributes &= rs->forbid_attrs;
+        *mask |= KADM5_ATTRIBUTES;
+    }
+    if (rs->mask & KADM5_POLICY_CLR) {
+        *mask &= ~KADM5_POLICY;
+        *mask |= KADM5_POLICY_CLR;
+    } else if (rs->mask & KADM5_POLICY) {
+        if (ent->policy != NULL && strcmp(ent->policy, rs->policy) != 0) {
+            free(ent->policy);
+            ent->policy = NULL;
+        }
+        if (ent->policy == NULL) {
+            ent->policy = strdup(rs->policy);
+            if (ent->policy == NULL)
+                return ENOMEM;
+        }
+        *mask |= KADM5_POLICY;
+    }
+    if (rs->mask & KADM5_PRINC_EXPIRE_TIME) {
+        if (!(*mask & KADM5_PRINC_EXPIRE_TIME) ||
+            ts_after(ent->princ_expire_time, ts_incr(now, rs->princ_lifetime)))
+            ent->princ_expire_time = now + rs->princ_lifetime;
+        *mask |= KADM5_PRINC_EXPIRE_TIME;
+    }
+    if (rs->mask & KADM5_PW_EXPIRATION) {
+        if (!(*mask & KADM5_PW_EXPIRATION) ||
+            ts_after(ent->pw_expiration, ts_incr(now, rs->pw_lifetime)))
+            ent->pw_expiration = now + rs->pw_lifetime;
+        *mask |= KADM5_PW_EXPIRATION;
+    }
+    if (rs->mask & KADM5_MAX_LIFE) {
+        if (!(*mask & KADM5_MAX_LIFE) || ent->max_life > rs->max_life)
+            ent->max_life = rs->max_life;
+        *mask |= KADM5_MAX_LIFE;
+    }
+    if (rs->mask & KADM5_MAX_RLIFE) {
+        if (!(*mask & KADM5_MAX_RLIFE) ||
+            ent->max_renewable_life > rs->max_renewable_life)
+            ent->max_renewable_life = rs->max_renewable_life;
+        *mask |= KADM5_MAX_RLIFE;
+    }
+    return 0;
+}
+
+krb5_boolean
+auth_restrict(krb5_context context, int opcode, krb5_const_principal client,
+              kadm5_principal_ent_t ent, long *mask)
+{
+    auth_handle *hp, h;
+    krb5_boolean authorized = FALSE;
+    krb5_error_code ret, rs_ret;
+    krb5_const_principal target = ent->principal;
+    struct kadm5_auth_restrictions *rs;
+
+    assert(opcode == OP_ADDPRINC || opcode == OP_MODPRINC);
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+
+        ret = KRB5_PLUGIN_NO_HANDLE;
+        rs = NULL;
+        if (opcode == OP_ADDPRINC && h->vt.addprinc != NULL) {
+            ret = h->vt.addprinc(context, h->data, client, target, ent, *mask,
+                                 &rs);
+        } else if (opcode == OP_MODPRINC && h->vt.modprinc != NULL) {
+            ret = h->vt.modprinc(context, h->data, client, target, ent, *mask,
+                                 &rs);
+        }
+        if (rs != NULL) {
+            rs_ret = impose_restrictions(context, rs, ent, mask);
+            if (h->vt.free_restrictions != NULL)
+                h->vt.free_restrictions(context, h->data, rs);
+            if (rs_ret)
+                return FALSE;
+        }
+        if (!ret)
+            authorized = TRUE;
+        else if (ret != KRB5_PLUGIN_NO_HANDLE)
+            return FALSE;
+    }
+
+    return authorized;
+}
+
+void
+auth_end(krb5_context context)
+{
+    auth_handle *hp, h;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.end != NULL)
+            h->vt.end(context, h->data);
+    }
+}
diff --git a/src/kadmin/server/auth.h b/src/kadmin/server/auth.h
new file mode 100644
index 000000000000..4d265add7c0d
--- /dev/null
+++ b/src/kadmin/server/auth.h
@@ -0,0 +1,85 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* kadmin/server/auth.h - kadmin authorization declarations */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef AUTH_H
+#define AUTH_H
+
+#define OP_ADDPRINC     1
+#define OP_MODPRINC     2
+#define OP_SETSTR       3
+#define OP_CPW          4
+#define OP_CHRAND       5
+#define OP_SETKEY       6
+#define OP_PURGEKEYS    7
+#define OP_DELPRINC     8
+#define OP_RENPRINC     9
+#define OP_GETPRINC    10
+#define OP_GETSTRS     11
+#define OP_EXTRACT     12
+#define OP_LISTPRINCS  13
+#define OP_ADDPOL      14
+#define OP_MODPOL      15
+#define OP_DELPOL      16
+#define OP_GETPOL      17
+#define OP_LISTPOLS    18
+#define OP_IPROP       19
+
+/* Initialize all authorization modules. */
+krb5_error_code auth_init(krb5_context context, const char *acl_file);
+
+/* Release authorization module state. */
+void auth_fini(krb5_context context);
+
+/* Authorize the operation given by opcode, using the appropriate subset of p1,
+ * p2, s1, s2, polent, and mask. */
+krb5_boolean auth(krb5_context context, int opcode,
+                  krb5_const_principal client, krb5_const_principal p1,
+                  krb5_const_principal p2, const char *s1, const char *s2,
+                  const kadm5_policy_ent_rec *polent, long mask);
+
+/* Authorize an add-principal or modify-principal operation, and apply
+ * restrictions to ent and mask if any modules supply them. */
+krb5_boolean auth_restrict(krb5_context context, int opcode,
+                           krb5_const_principal client,
+                           kadm5_principal_ent_t ent, long *mask);
+
+/* Notify modules that the most recent authorized operation has ended. */
+void auth_end(krb5_context context);
+
+/* initvt declarations for built-in modules */
+
+krb5_error_code kadm5_auth_acl_initvt(krb5_context context, int maj_ver,
+                                      int min_ver, krb5_plugin_vtable vtable);
+krb5_error_code kadm5_auth_self_initvt(krb5_context context, int maj_ver,
+                                       int min_ver, krb5_plugin_vtable vtable);
+
+#endif /* AUTH_H */
diff --git a/src/kadmin/server/auth_acl.c b/src/kadmin/server/auth_acl.c
new file mode 100644
index 000000000000..efe9c6961bbb
--- /dev/null
+++ b/src/kadmin/server/auth_acl.c
@@ -0,0 +1,755 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* kadmin/server/auth_acl.c - ACL kadm5_auth module */
+/*
+ * Copyright 1995-2004, 2007, 2008, 2017 by the Massachusetts Institute of
+ * Technology.  All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include <syslog.h>
+#include <kadm5/admin.h>
+#include <krb5/kadm5_auth_plugin.h>
+#include "adm_proto.h"
+#include <ctype.h>
+#include "auth.h"
+
+/*
+ * Access control bits.
+ */
+#define ACL_ADD                 1
+#define ACL_DELETE              2
+#define ACL_MODIFY              4
+#define ACL_CHANGEPW            8
+/* #define ACL_CHANGE_OWN_PW    16 */
+#define ACL_INQUIRE             32
+#define ACL_EXTRACT             64
+#define ACL_LIST                128
+#define ACL_SETKEY              256
+#define ACL_IPROP               512
+
+#define ACL_ALL_MASK            (ACL_ADD        |       \
+                                 ACL_DELETE     |       \
+                                 ACL_MODIFY     |       \
+                                 ACL_CHANGEPW   |       \
+                                 ACL_INQUIRE    |       \
+                                 ACL_LIST       |       \
+                                 ACL_IPROP      |       \
+                                 ACL_SETKEY)
+
+struct acl_op_table {
+    char op;
+    uint32_t mask;
+};
+
+struct acl_entry {
+    struct acl_entry *next;
+    krb5_principal client;
+    uint32_t op_allowed;
+    krb5_principal target;
+    struct kadm5_auth_restrictions *rs;
+};
+
+static const struct acl_op_table acl_op_table[] = {
+    { 'a', ACL_ADD },
+    { 'd', ACL_DELETE },
+    { 'm', ACL_MODIFY },
+    { 'c', ACL_CHANGEPW },
+    { 'i', ACL_INQUIRE },
+    { 'l', ACL_LIST },
+    { 'p', ACL_IPROP },
+    { 's', ACL_SETKEY },
+    { 'x', ACL_ALL_MASK },
+    { '*', ACL_ALL_MASK },
+    { 'e', ACL_EXTRACT },
+    { '\0', 0 }
+};
+
+struct wildstate {
+    int nwild;
+    const krb5_data *backref[9];
+};
+
+struct acl_state {
+    struct acl_entry *list;
+};
+
+/*
+ * Get a line from the ACL file.  Lines ending with \ are continued on the next
+ * line.  The caller should set *lineno to 1 and *incr to 0 before the first
+ * call.  On successful return, *lineno will be the line number of the line
+ * read.  Return a pointer to the line on success, or NULL on end of file or
+ * read failure.
+ */
+static char *
+get_line(FILE *fp, const char *fname, int *lineno, int *incr)
+{
+    const int chunksize = 128;
+    struct k5buf buf;
+    size_t old_len;
+    char *p;
+
+    /* Increment *lineno by the number of newlines from the last line. */
+    *lineno += *incr;
+    *incr = 0;
+
+    k5_buf_init_dynamic(&buf);
+    for (;;) {
+        /* Read at least part of a line into the buffer. */
+        old_len = buf.len;
+        p = k5_buf_get_space(&buf, chunksize);
+        if (p == NULL)
+            return NULL;
+
+        if (fgets(p, chunksize, fp) == NULL) {
+            /* We reached the end.  Return a final unterminated line, if there
+             * is one and it's not a comment. */
+            k5_buf_truncate(&buf, old_len);
+            if (buf.len > 0 && *(char *)buf.data != '#')
+                return buf.data;
+            k5_buf_free(&buf);
+            return NULL;
+        }
+
+        /* Set the buffer length based on the actual amount read. */
+        k5_buf_truncate(&buf, old_len + strlen(p));
+
+        p = buf.data;
+        if (buf.len > 0 && p[buf.len - 1] == '\n') {
+            /* We have a complete raw line in the buffer. */
+            (*incr)++;
+            k5_buf_truncate(&buf, buf.len - 1);
+            if (buf.len > 0 && p[buf.len - 1] == '\\') {
+                /* This line has a continuation marker; keep reading. */
+                k5_buf_truncate(&buf, buf.len - 1);
+            } else if (buf.len == 0 || *p == '#') {
+                /* This line is empty or a comment.  Start over. */
+                *lineno += *incr;
+                *incr = 0;
+                k5_buf_truncate(&buf, 0);
+            } else {
+                return buf.data;
+            }
+        }
+    }
+}
+
+/*
+ * Parse a restrictions field.  Return NULL on failure.
+ *
+ * Allowed restrictions are:
+ *      [+-]flagname            (recognized by krb5_flagspec_to_mask)
+ *                              flag is forced to indicated value
+ *      -clearpolicy            policy is forced clear
+ *      -policy pol             policy is forced to be "pol"
+ *      -{expire,pwexpire,maxlife,maxrenewlife} deltat
+ *                              associated value will be forced to
+ *                              MIN(deltat, requested value)
+ */
+static struct kadm5_auth_restrictions *
+parse_restrictions(const char *str, const char *fname)
+{
+    char *copy = NULL, *token, *arg, *save;
+    const char *delims = "\t\n\f\v\r ,";
+    krb5_deltat delta;
+    struct kadm5_auth_restrictions *rs;
+
+    copy = strdup(str);
+    if (copy == NULL)
+        return NULL;
+
+    rs = calloc(1, sizeof(*rs));
+    if (rs == NULL) {
+        free(copy);
+        return NULL;
+    }
+
+    rs->forbid_attrs = ~(krb5_flags)0;
+    for (token = strtok_r(copy, delims, &save); token != NULL;
+         token = strtok_r(NULL, delims, &save)) {
+
+        if (krb5_flagspec_to_mask(token, &rs->require_attrs,
+                                  &rs->forbid_attrs) == 0) {
+            rs->mask |= KADM5_ATTRIBUTES;
+            continue;
+        }
+
+        if (strcmp(token, "-clearpolicy") == 0) {
+            rs->mask |= KADM5_POLICY_CLR;
+            continue;
+        }
+
+        /* Everything else needs an argument. */
+        arg = strtok_r(NULL, delims, &save);
+        if (arg == NULL)
+            goto error;
+
+        if (strcmp(token, "-policy") == 0) {
+            if (rs->policy != NULL)
+                goto error;
+            rs->policy = strdup(arg);
+            if (rs->policy == NULL)
+                goto error;
+            rs->mask |= KADM5_POLICY;
+            continue;
+        }
+
+        /* All other arguments must be a deltat. */
+        if (krb5_string_to_deltat(arg, &delta) != 0)
+            goto error;
+
+        if (strcmp(token, "-expire") == 0) {
+            rs->princ_lifetime = delta;
+            rs->mask |= KADM5_PRINC_EXPIRE_TIME;
+        } else if (strcmp(token, "-pwexpire") == 0) {
+            rs->pw_lifetime = delta;
+            rs->mask |= KADM5_PW_EXPIRATION;
+        } else if (strcmp(token, "-maxlife") == 0) {
+            rs->max_life = delta;
+            rs->mask |= KADM5_MAX_LIFE;
+        } else if (strcmp(token, "-maxrenewlife") == 0) {
+            rs->max_renewable_life = delta;
+            rs->mask |= KADM5_MAX_RLIFE;
+        } else {
+            goto error;
+        }
+    }
+
+    free(copy);
+    return rs;
+
+error:
+    krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"), fname, str);
+    free(copy);
+    free(rs->policy);
+    free(rs);
+    return NULL;
+}
+
+static void
+free_acl_entry(struct acl_entry *entry)
+{
+    krb5_free_principal(NULL, entry->client);
+    krb5_free_principal(NULL, entry->target);
+    if (entry->rs != NULL) {
+        free(entry->rs->policy);
+        free(entry->rs);
+    }
+    free(entry);
+}
+
+/* Parse the four fields of an ACL entry and return a structure representing
+ * it.  Log a message and return NULL on error. */
+static struct acl_entry *
+parse_entry(krb5_context context, const char *client, const char *ops,
+            const char *target, const char *rs, const char *line,
+            const char *fname)
+{
+    struct acl_entry *entry;
+    const char *op;
+    char rop;
+    int t;
+
+    entry = calloc(1, sizeof(*entry));
+    if (entry == NULL)
+        return NULL;
+
+    for (op = ops; *op; op++) {
+        rop = isupper((unsigned char)*op) ? tolower((unsigned char)*op) : *op;
+        for (t = 0; acl_op_table[t].op; t++) {
+            if (rop == acl_op_table[t].op) {
+                if (rop == *op)
+                    entry->op_allowed |= acl_op_table[t].mask;
+                else
+                    entry->op_allowed &= ~acl_op_table[t].mask;
+                break;
+            }
+        }
+        if (!acl_op_table[t].op) {
+            krb5_klog_syslog(LOG_ERR,
+                             _("Unrecognized ACL operation '%c' in %s"),
+                             *op, line);
+            goto error;
+        }
+    }
+
+    if (strcmp(client, "*") != 0) {
+        if (krb5_parse_name(context, client, &entry->client) != 0) {
+            krb5_klog_syslog(LOG_ERR, _("Cannot parse client principal '%s'"),
+                             client);
+            goto error;
+        }
+    }
+
+    if (target != NULL && strcmp(target, "*") != 0) {
+        if (krb5_parse_name(context, target, &entry->target) != 0) {
+            krb5_klog_syslog(LOG_ERR, _("Cannot parse target principal '%s'"),
+                             target);
+            goto error;
+        }
+    }
+
+    if (rs != NULL) {
+        entry->rs = parse_restrictions(rs, fname);
+        if (entry->rs == NULL)
+            goto error;
+    }
+
+    return entry;
+
+error:
+    free_acl_entry(entry);
+    return NULL;
+}
+
+/* Parse the contents of an ACL line. */
+static struct acl_entry *
+parse_line(krb5_context context, const char *line, const char *fname)
+{
+    struct acl_entry *entry = NULL;
+    char *copy;
+    char *client, *client_end, *ops, *ops_end, *target, *target_end, *rs, *end;
+    const char *ws = "\t\n\f\v\r ,";
+
+    /*
+     * Format:
+     *  entry ::= [<whitespace>] <principal> <whitespace> <opstring>
+     *            [<whitespace> <target> [<whitespace> <restrictions>
+     *                                    [<whitespace>]]]
+     */
+
+    /* Make a copy and remove any trailing whitespace. */
+    copy = strdup(line);
+    if (copy == NULL)
+        return NULL;
+    end = copy + strlen(copy);
+    while (end > copy && isspace(end[-1]))
+        *--end = '\0';
+
+    /* Find the beginning and end of each field.  The end of restrictions is
+     * the end of copy. */
+    client = copy + strspn(copy, ws);
+    client_end = client + strcspn(client, ws);
+    ops = client_end + strspn(client_end, ws);
+    ops_end = ops + strcspn(ops, ws);
+    target = ops_end + strspn(ops_end, ws);
+    target_end = target + strcspn(target, ws);
+    rs = target_end + strspn(target_end, ws);
+
+    /* Terminate the first three fields. */
+    *client_end = *ops_end = *target_end = '\0';
+
+    /* The last two fields are optional; represent them as NULL if not present.
+     * The first two fields are required. */
+    if (*target == '\0')
+        target = NULL;
+    if (*rs == '\0')
+        rs = NULL;
+    if (*client != '\0' && *ops != '\0')
+        entry = parse_entry(context, client, ops, target, rs, line, fname);
+    free(copy);
+    return entry;
+}
+
+/* Free all ACL entries. */
+static void
+free_acl_entries(struct acl_state *state)
+{
+    struct acl_entry *entry, *next;
+
+    for (entry = state->list; entry != NULL; entry = next) {
+        next = entry->next;
+        free_acl_entry(entry);
+    }
+    state->list = NULL;
+}
+
+/* Open and parse the ACL file. */
+static krb5_error_code
+load_acl_file(krb5_context context, const char *fname, struct acl_state *state)
+{
+    krb5_error_code ret;
+    FILE *fp;
+    char *line;
+    struct acl_entry **entry_slot;
+    int lineno, incr;
+
+    state->list = NULL;
+
+    /* Open the ACL file for reading. */
+    fp = fopen(fname, "r");
+    if (fp == NULL) {
+        krb5_klog_syslog(LOG_ERR, _("%s while opening ACL file %s"),
+                         error_message(errno), fname);
+        ret = errno;
+        k5_setmsg(context, errno, _("Cannot open %s: %s"), fname,
+                  error_message(ret));
+        return ret;
+    }
+
+    set_cloexec_file(fp);
+    lineno = 1;
+    incr = 0;
+    entry_slot = &state->list;
+
+    /* Get a non-comment line. */
+    while ((line = get_line(fp, fname, &lineno, &incr)) != NULL) {
+        /* Parse it.  Fail out on syntax error. */
+        *entry_slot = parse_line(context, line, fname);
+        if (*entry_slot == NULL) {
+            krb5_klog_syslog(LOG_ERR,
+                             _("%s: syntax error at line %d <%.10s...>"),
+                             fname, lineno, line);
+            k5_setmsg(context, EINVAL,
+                      _("%s: syntax error at line %d <%.10s...>"),
+                      fname, lineno, line);
+            free_acl_entries(state);
+            free(line);
+            fclose(fp);
+            return EINVAL;
+        }
+        entry_slot = &(*entry_slot)->next;
+        free(line);
+    }
+
+    fclose(fp);
+    return 0;
+}
+
+/*
+ * See if two data entries match.  If e1 is a wildcard (matching a whole
+ * component only) and targetflag is false, save an alias to e2 into
+ * ws->backref.  If e1 is a back-reference and targetflag is true, compare the
+ * appropriate entry in ws->backref to e2.  If ws is NULL, do not store or
+ * match back-references.
+ */
+static krb5_boolean
+match_data(const krb5_data *e1, const krb5_data *e2, krb5_boolean targetflag,
+           struct wildstate *ws)
+{
+    int n;
+
+    if (data_eq_string(*e1, "*")) {
+        if (ws != NULL && !targetflag) {
+            if (ws->nwild < 9)
+                ws->backref[ws->nwild++] = e2;
+        }
+        return TRUE;
+    }
+
+    if (ws != NULL && targetflag && e1->length == 2 && e1->data[0] == '*' &&
+        e1->data[1] >= '1' && e1->data[1] <= '9') {
+        n = e1->data[1] - '1';
+        if (n >= ws->nwild)
+            return FALSE;
+        return data_eq(*e2, *ws->backref[n]);
+    } else {
+        return data_eq(*e2, *e1);
+    }
+}
+
+/* Return true if p1 matches p2.  p1 may contain wildcards if targetflag is
+ * false, or backreferences if it is true. */
+static krb5_boolean
+match_princ(krb5_const_principal p1, krb5_const_principal p2,
+            krb5_boolean targetflag, struct wildstate *ws)
+{
+    int i;
+
+    /* The principals must be of the same length. */
+    if (p1->length != p2->length)
+        return FALSE;
+
+    /* The realm must match, and does not interact with wildcard state. */
+    if (!match_data(&p1->realm, &p2->realm, targetflag, NULL))
+        return FALSE;
+
+    /* All components of the principals must match. */
+    for (i = 0; i < p1->length; i++) {
+        if (!match_data(&p1->data[i], &p2->data[i], targetflag, ws))
+            return FALSE;
+    }
+
+    return TRUE;
+}
+
+/* Find an ACL entry matching principal and target_principal.  Return NULL if
+ * none is found. */
+static struct acl_entry *
+find_entry(struct acl_state *state, krb5_const_principal client,
+           krb5_const_principal target)
+{
+    struct acl_entry *entry;
+    struct wildstate ws;
+
+    for (entry = state->list; entry != NULL; entry = entry->next) {
+        memset(&ws, 0, sizeof(ws));
+        if (entry->client != NULL) {
+            if (!match_princ(entry->client, client, FALSE, &ws))
+                continue;
+        }
+
+        if (entry->target != NULL) {
+            if (target == NULL)
+                continue;
+            if (!match_princ(entry->target, target, TRUE, &ws))
+                continue;
+        }
+
+        return entry;
+    }
+
+    return NULL;
+}
+
+/* Return true if op is permitted for this principal.  Set *rs_out (if not
+ * NULL) according to any restrictions in the ACL entry. */
+static krb5_error_code
+acl_check(kadm5_auth_moddata data, uint32_t op, krb5_const_principal client,
+          krb5_const_principal target, struct kadm5_auth_restrictions **rs_out)
+{
+    struct acl_entry *entry;
+
+    if (rs_out != NULL)
+        *rs_out = NULL;
+
+    entry = find_entry((struct acl_state *)data, client, target);
+    if (entry == NULL)
+        return KRB5_PLUGIN_NO_HANDLE;
+    if (!(entry->op_allowed & op))
+        return KRB5_PLUGIN_NO_HANDLE;
+
+    if (rs_out != NULL && entry->rs != NULL && entry->rs->mask)
+        *rs_out = entry->rs;
+
+    return 0;
+}
+
+static krb5_error_code
+acl_init(krb5_context context, const char *acl_file,
+         kadm5_auth_moddata *data_out)
+{
+    krb5_error_code ret;
+    struct acl_state *state;
+
+    *data_out = NULL;
+    if (acl_file == NULL)
+        return KRB5_PLUGIN_NO_HANDLE;
+    state = malloc(sizeof(*state));
+    state->list = NULL;
+    ret = load_acl_file(context, acl_file, state);
+    if (ret) {
+        free(state);
+        return ret;
+    }
+    *data_out = (kadm5_auth_moddata)state;
+    return 0;
+}
+
+static void
+acl_fini(krb5_context context, kadm5_auth_moddata data)
+{
+    if (data == NULL)
+        return;
+    free_acl_entries((struct acl_state *)data);
+    free(data);
+}
+
+static krb5_error_code
+acl_addprinc(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal target,
+             const struct _kadm5_principal_ent_t *ent, long mask,
+             struct kadm5_auth_restrictions **rs_out)
+{
+    return acl_check(data, ACL_ADD, client, target, rs_out);
+}
+
+static krb5_error_code
+acl_modprinc(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal target,
+             const struct _kadm5_principal_ent_t *ent, long mask,
+             struct kadm5_auth_restrictions **rs_out)
+{
+    return acl_check(data, ACL_MODIFY, client, target, rs_out);
+}
+
+static krb5_error_code
+acl_setstr(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, krb5_const_principal target,
+           const char *key, const char *value)
+{
+    return acl_check(data, ACL_MODIFY, client, target, NULL);
+}
+
+static krb5_error_code
+acl_cpw(krb5_context context, kadm5_auth_moddata data,
+        krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_CHANGEPW, client, target, NULL);
+}
+
+static krb5_error_code
+acl_chrand(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_CHANGEPW, client, target, NULL);
+}
+
+static krb5_error_code
+acl_setkey(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_SETKEY, client, target, NULL);
+}
+
+static krb5_error_code
+acl_purgekeys(krb5_context context, kadm5_auth_moddata data,
+              krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_MODIFY, client, target, NULL);
+}
+
+static krb5_error_code
+acl_delprinc(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_DELETE, client, target, NULL);
+}
+
+static krb5_error_code
+acl_renprinc(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal src,
+             krb5_const_principal dest)
+{
+    struct kadm5_auth_restrictions *rs;
+
+    if (acl_check(data, ACL_DELETE, client, src, NULL) == 0 &&
+        acl_check(data, ACL_ADD, client, dest, &rs) == 0 && rs == NULL)
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+static krb5_error_code
+acl_getprinc(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_INQUIRE, client, target, NULL);
+}
+
+static krb5_error_code
+acl_getstrs(krb5_context context, kadm5_auth_moddata data,
+            krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_INQUIRE, client, target, NULL);
+}
+
+static krb5_error_code
+acl_extract(krb5_context context, kadm5_auth_moddata data,
+            krb5_const_principal client, krb5_const_principal target)
+{
+    return acl_check(data, ACL_EXTRACT, client, target, NULL);
+}
+
+static krb5_error_code
+acl_listprincs(krb5_context context, kadm5_auth_moddata data,
+               krb5_const_principal client)
+{
+    return acl_check(data, ACL_LIST, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_addpol(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, const char *policy,
+           const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    return acl_check(data, ACL_ADD, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_modpol(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, const char *policy,
+           const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    return acl_check(data, ACL_MODIFY, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_delpol(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, const char *policy)
+{
+    return acl_check(data, ACL_DELETE, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_getpol(krb5_context context, kadm5_auth_moddata data,
+           krb5_const_principal client, const char *policy,
+           const char *client_policy)
+{
+    return acl_check(data, ACL_INQUIRE, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_listpols(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client)
+{
+    return acl_check(data, ACL_LIST, client, NULL, NULL);
+}
+
+static krb5_error_code
+acl_iprop(krb5_context context, kadm5_auth_moddata data,
+          krb5_const_principal client)
+{
+    return acl_check(data, ACL_IPROP, client, NULL, NULL);
+}
+
+krb5_error_code
+kadm5_auth_acl_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable)
+{
+    kadm5_auth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (kadm5_auth_vtable)vtable;
+    vt->name = "acl";
+    vt->init = acl_init;
+    vt->fini = acl_fini;
+    vt->addprinc = acl_addprinc;
+    vt->modprinc = acl_modprinc;
+    vt->setstr = acl_setstr;
+    vt->cpw = acl_cpw;
+    vt->chrand = acl_chrand;
+    vt->setkey = acl_setkey;
+    vt->purgekeys = acl_purgekeys;
+    vt->delprinc = acl_delprinc;
+    vt->renprinc = acl_renprinc;
+    vt->getprinc = acl_getprinc;
+    vt->getstrs = acl_getstrs;
+    vt->extract = acl_extract;
+    vt->listprincs = acl_listprincs;
+    vt->addpol = acl_addpol;
+    vt->modpol = acl_modpol;
+    vt->delpol = acl_delpol;
+    vt->getpol = acl_getpol;
+    vt->listpols = acl_listpols;
+    vt->iprop = acl_iprop;
+    return 0;
+}
diff --git a/src/kadmin/server/auth_self.c b/src/kadmin/server/auth_self.c
new file mode 100644
index 000000000000..253d4bc596ae
--- /dev/null
+++ b/src/kadmin/server/auth_self.c
@@ -0,0 +1,77 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* kadmin/server/auth_self.c - self-service kadm5_auth module */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include <kadm5/admin.h>
+#include <krb5/kadm5_auth_plugin.h>
+#include "auth.h"
+
+/* Authorize a principal to operate on itself.  Applies to cpw, chrand,
+ * purgekeys, getprinc, and getstrs. */
+static krb5_error_code
+self_compare(krb5_context context, kadm5_auth_moddata data,
+             krb5_const_principal client, krb5_const_principal target)
+{
+    if (krb5_principal_compare(context, client, target))
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* Authorize a principal to get the policy record for its own policy. */
+static krb5_error_code
+self_getpol(krb5_context context, kadm5_auth_moddata data,
+            krb5_const_principal client, const char *policy,
+            const char *client_policy)
+{
+    if (client_policy != NULL && strcmp(policy, client_policy) == 0)
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+krb5_error_code
+kadm5_auth_self_initvt(krb5_context context, int maj_ver, int min_ver,
+                       krb5_plugin_vtable vtable)
+{
+    kadm5_auth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (kadm5_auth_vtable)vtable;
+    vt->name = "self";
+    vt->cpw = self_compare;
+    vt->chrand = self_compare;
+    vt->purgekeys = self_compare;
+    vt->getprinc = self_compare;
+    vt->getstrs = self_compare;
+    vt->getpol = self_getpol;
+    return 0;
+}
diff --git a/src/kadmin/server/deps b/src/kadmin/server/deps
index 44311af19af7..99aef7500e00 100644
--- a/src/kadmin/server/deps
+++ b/src/kadmin/server/deps
@@ -1,6 +1,44 @@
 #
 # Generated makefile dependencies follow.
 #
+$(OUTPRE)auth_acl.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h auth.h auth_acl.c
+$(OUTPRE)auth_self.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h auth.h auth_self.c
 $(OUTPRE)kadm_rpc_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \
@@ -29,28 +67,27 @@ $(OUTPRE)server_stubs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
   $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
-  $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_acl.h \
-  $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h \
-  $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \
-  $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \
-  $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \
-  $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \
-  $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  misc.h server_stubs.c
+  $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_internal.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
+  $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h auth.h misc.h \
+  server_stubs.c
 $(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
   $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
-  $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_acl.h \
-  $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \
+  $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_internal.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \
   $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \
   $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
   $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_gssapi.h \
@@ -71,7 +108,7 @@ $(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/lib/gssapi/generic/gssapiP_generic.h \
   $(top_srcdir)/lib/gssapi/generic/gssapi_ext.h $(top_srcdir)/lib/gssapi/generic/gssapi_generic.h \
   $(top_srcdir)/lib/gssapi/krb5/gssapiP_krb5.h $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h \
-  misc.h ovsec_kadmd.c
+  auth.h misc.h ovsec_kadmd.c
 $(OUTPRE)schpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -97,23 +134,23 @@ $(OUTPRE)misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
   $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
-  $(BUILDTOP)/include/kadm5/server_acl.h $(BUILDTOP)/include/kadm5/server_internal.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
-  $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \
-  $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \
-  $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \
-  $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \
-  $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  misc.c misc.h
+  $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h auth.h misc.c \
+  misc.h
 $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -131,5 +168,5 @@ $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \
   $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
-  $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \
+  $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h auth.h \
   ipropd_svc.c misc.h
diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
index bce668f4221a..e6e190136f88 100644
--- a/src/kadmin/server/ipropd_svc.c
+++ b/src/kadmin/server/ipropd_svc.c
@@ -16,7 +16,6 @@
 #include <kadm5/admin.h>
 #include <kadm5/kadm_rpc.h>
 #include <kadm5/server_internal.h>
-#include <server_acl.h>
 #include <adm_proto.h>
 #include <string.h>
 #include <gssapi_krb5.h>
@@ -25,6 +24,7 @@
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <kdb_log.h>
+#include "auth.h"
 #include "misc.h"
 #include "osconf.h"
 
@@ -129,6 +129,20 @@ buf_to_string(gss_buffer_desc *b)
     return s;
 }
 
+static krb5_boolean
+iprop_acl_check(krb5_context context, const char *client_name)
+{
+    krb5_principal client_princ;
+    krb5_boolean result;
+
+    if (krb5_parse_name(context, client_name, &client_princ) != 0)
+	return FALSE;
+    result = auth(context, OP_IPROP, client_princ,
+		  NULL, NULL, NULL, NULL, NULL, 0);
+    krb5_free_principal(context, client_princ);
+    return result;
+}
+
 kdb_incr_result_t *
 iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
 {
@@ -174,11 +188,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
     DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name,
 	   service_name);
 
-    if (!kadm5int_acl_check(handle->context,
-			    rqst2name(rqstp),
-			    ACL_IPROP,
-			    NULL,
-			    NULL)) {
+    if (!iprop_acl_check(handle->context, client_name)) {
 	ret.ret = UPDATE_PERM_DENIED;
 
 	DPRINT("%s: PERMISSION DENIED: clprinc=`%s'\n\tsvcprinc=`%s'\n",
@@ -301,11 +311,7 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp)
     DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n",
 	    whoami, client_name, service_name);
 
-    if (!kadm5int_acl_check(handle->context,
-			    rqst2name(rqstp),
-			    ACL_IPROP,
-			    NULL,
-			    NULL)) {
+    if (!iprop_acl_check(handle->context, client_name)) {
 	ret.ret = UPDATE_PERM_DENIED;
 
 	DPRINT("%s: Permission denied\n", whoami);
@@ -532,9 +538,9 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
     union {
 	kdb_last_t iprop_get_updates_1_arg;
     } argument;
-    char *result;
+    void *result;
     bool_t (*_xdr_argument)(), (*_xdr_result)();
-    char *(*local)(/* union XXX *, struct svc_req * */);
+    void *(*local)(/* union XXX *, struct svc_req * */);
     char *whoami = "krb5_iprop_prog_1";
 
     if (!check_iprop_rpcsec_auth(rqstp)) {
@@ -555,19 +561,19 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
     case IPROP_GET_UPDATES:
 	_xdr_argument = xdr_kdb_last_t;
 	_xdr_result = xdr_kdb_incr_result_t;
-	local = (char *(*)()) iprop_get_updates_1_svc;
+	local = (void *(*)()) iprop_get_updates_1_svc;
 	break;
 
     case IPROP_FULL_RESYNC:
 	_xdr_argument = xdr_void;
 	_xdr_result = xdr_kdb_fullresync_result_t;
-	local = (char *(*)()) iprop_full_resync_1_svc;
+	local = (void *(*)()) iprop_full_resync_1_svc;
 	break;
 
     case IPROP_FULL_RESYNC_EXT:
 	_xdr_argument = xdr_u_int32;
 	_xdr_result = xdr_kdb_fullresync_result_t;
-	local = (char *(*)()) iprop_full_resync_ext_1_svc;
+	local = (void *(*)()) iprop_full_resync_ext_1_svc;
 	break;
 
     default:
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 27a6376af6b1..6b258a6a056e 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -7,96 +7,9 @@
 #include    <k5-int.h>
 #include    <kdb.h>
 #include    <kadm5/server_internal.h>
-#include    <kadm5/server_acl.h>
 #include    "misc.h"
+#include    "auth.h"
 #include    "net-server.h"
-
-/*
- * Function: chpass_principal_wrapper_3
- *
- * Purpose: wrapper to kadm5_chpass_principal that checks to see if
- *          pw_min_life has been reached. if not it returns an error.
- *          otherwise it calls kadm5_chpass_principal
- *
- * Arguments:
- *      principal       (input) krb5_principals whose password we are
- *                              changing
- *      keepold         (input) whether to preserve old keys
- *      n_ks_tuple      (input) the number of key-salt tuples in ks_tuple
- *      ks_tuple        (input) array of tuples indicating the caller's
- *                              requested enctypes/salttypes
- *      password        (input) password we are going to change to.
- *      <return value>  0 on success error code on failure.
- *
- * Requires:
- *      kadm5_init to have been run.
- *
- * Effects:
- *      calls kadm5_chpass_principal which changes the kdb and the
- *      the admin db.
- *
- */
-kadm5_ret_t
-chpass_principal_wrapper_3(void *server_handle,
-                           krb5_principal principal,
-                           krb5_boolean keepold,
-                           int n_ks_tuple,
-                           krb5_key_salt_tuple *ks_tuple,
-                           char *password)
-{
-    kadm5_ret_t                 ret;
-
-    ret = check_min_life(server_handle, principal, NULL, 0);
-    if (ret)
-        return ret;
-
-    return kadm5_chpass_principal_3(server_handle, principal,
-                                    keepold, n_ks_tuple, ks_tuple,
-                                    password);
-}
-
-
-/*
- * Function: randkey_principal_wrapper_3
- *
- * Purpose: wrapper to kadm5_randkey_principal which checks the
- *          password's min. life.
- *
- * Arguments:
- *      principal           (input) krb5_principal whose password we are
- *                                  changing
- *      keepold         (input) whether to preserve old keys
- *      n_ks_tuple      (input) the number of key-salt tuples in ks_tuple
- *      ks_tuple        (input) array of tuples indicating the caller's
- *                              requested enctypes/salttypes
- *      key                 (output) new random key
- *      <return value>      0, error code on error.
- *
- * Requires:
- *      kadm5_init       needs to be run
- *
- * Effects:
- *      calls kadm5_randkey_principal
- *
- */
-kadm5_ret_t
-randkey_principal_wrapper_3(void *server_handle,
-                            krb5_principal principal,
-                            krb5_boolean keepold,
-                            int n_ks_tuple,
-                            krb5_key_salt_tuple *ks_tuple,
-                            krb5_keyblock **keys, int *n_keys)
-{
-    kadm5_ret_t                 ret;
-
-    ret = check_min_life(server_handle, principal, NULL, 0);
-    if (ret)
-        return ret;
-    return kadm5_randkey_principal_3(server_handle, principal,
-                                     keepold, n_ks_tuple, ks_tuple,
-                                     keys, n_keys);
-}
-
 kadm5_ret_t
 schpw_util_wrapper(void *server_handle,
                    krb5_principal client,
@@ -107,8 +20,6 @@ schpw_util_wrapper(void *server_handle,
 {
     kadm5_ret_t                 ret;
     kadm5_server_handle_t       handle = server_handle;
-    krb5_boolean                access_granted;
-    krb5_boolean                self;
 
     /*
      * If no target is explicitly provided, then the target principal
@@ -117,32 +28,22 @@ schpw_util_wrapper(void *server_handle,
     if (target == NULL)
         target = client;
 
-    /*
-     * A principal can always change its own password, as long as it
-     * has an initial ticket and meets the minimum password lifetime
-     * requirement.
-     */
-    self = krb5_principal_compare(handle->context, client, target);
-    if (self) {
+    /* If the client is changing its own password, require it to use an initial
+     * ticket, and enforce the policy min_life. */
+    if (krb5_principal_compare(handle->context, client, target)) {
+        if (!initial_flag) {
+            strlcpy(msg_ret, "Ticket must be derived from a password",
+                    msg_len);
+            return KADM5_AUTH_INITIAL;
+        }
+
         ret = check_min_life(server_handle, target, msg_ret, msg_len);
         if (ret != 0)
             return ret;
-
-        access_granted = initial_flag;
-    } else
-        access_granted = FALSE;
-
-    if (!access_granted &&
-        kadm5int_acl_check_krb(handle->context, client,
-                               ACL_CHANGEPW, target, NULL)) {
-        /*
-         * Otherwise, principals with appropriate privileges can change
-         * any password
-         */
-        access_granted = TRUE;
     }
 
-    if (access_granted) {
+    if (auth(handle->context, OP_CPW, client, target,
+             NULL, NULL, NULL, NULL, 0)) {
         ret = kadm5_chpass_principal_util(server_handle,
                                           target,
                                           new_pw, ret_pw,
@@ -159,7 +60,7 @@ kadm5_ret_t
 check_min_life(void *server_handle, krb5_principal principal,
                char *msg_ret, unsigned int msg_len)
 {
-    krb5_int32                  now;
+    krb5_timestamp              now;
     kadm5_ret_t                 ret;
     kadm5_policy_ent_rec        pol;
     kadm5_principal_ent_rec     princ;
@@ -184,7 +85,7 @@ check_min_life(void *server_handle, krb5_principal principal,
             (void) kadm5_free_principal_ent(handle->lhandle, &princ);
             return (ret == KADM5_UNK_POLICY) ? 0 : ret;
         }
-        if((now - princ.last_pwd_change) < pol.pw_min_life &&
+        if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life &&
            !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
             if (msg_ret != NULL) {
                 time_t until;
diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h
index ea0fc7d2217a..3a112a0b7b2e 100644
--- a/src/kadmin/server/misc.h
+++ b/src/kadmin/server/misc.h
@@ -13,23 +13,6 @@ int
 setup_gss_names(struct svc_req *, gss_buffer_desc *,
                 gss_buffer_desc *);
 
-
-kadm5_ret_t
-chpass_principal_wrapper_3(void *server_handle,
-                           krb5_principal principal,
-                           krb5_boolean keepold,
-                           int n_ks_tuple,
-                           krb5_key_salt_tuple *ks_tuple,
-                           char *password);
-
-kadm5_ret_t
-randkey_principal_wrapper_3(void *server_handle,
-                            krb5_principal principal,
-                            krb5_boolean keepold,
-                            int n_ks_tuple,
-                            krb5_key_salt_tuple *ks_tuple,
-                            krb5_keyblock **keys, int *n_keys);
-
 kadm5_ret_t
 schpw_util_wrapper(void *server_handle, krb5_principal client,
                    krb5_principal target, krb5_boolean initial_flag,
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index a3edd3b00169..6c875901a976 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -51,7 +51,6 @@
 #include <gssrpc/auth_gssapi.h>
 #include <kadm5/admin.h>
 #include <kadm5/kadm_rpc.h>
-#include <kadm5/server_acl.h>
 #include <adm_proto.h>
 #include "kdb_kt.h"  /* for krb5_ktkdb_set_context */
 #include <string.h>
@@ -59,6 +58,7 @@
 #include <kdb_log.h>
 
 #include "misc.h"
+#include "auth.h"
 
 #if defined(NEED_DAEMON_PROTO)
 int daemon(int, int);
@@ -356,6 +356,7 @@ main(int argc, char *argv[])
     verto_ctx *vctx;
     const char *pid_file = NULL;
     char **db_args = NULL, **tmpargs;
+    const char *acl_file;
     int ret, i, db_args_size = 0, strong_random = 1, proponly = 0;
 
     setlocale(LC_ALL, "");
@@ -505,7 +506,8 @@ main(int argc, char *argv[])
     if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE)
         fail_to_start(0, _("Cannot initialize GSSAPI service name"));
 
-    ret = kadm5int_acl_init(context, 0, params.acl_file);
+    acl_file = (*params.acl_file != '\0') ? params.acl_file : NULL;
+    ret = auth_init(context, acl_file);
     if (ret)
         fail_to_start(ret, _("initializing ACL file"));
 
@@ -550,7 +552,7 @@ main(int argc, char *argv[])
     svcauth_gssapi_unset_names();
     kadm5_destroy(global_server_handle);
     loop_free(vctx);
-    kadm5int_acl_finish(context, 0);
+    auth_fini(context);
     (void)gss_release_name(&minor_status, &gss_changepw_name);
     (void)gss_release_name(&minor_status, &gss_oldchangepw_name);
     for (i = 0; i < 4; i++)
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 900adf7a0997..491cba91aa1a 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -18,8 +18,8 @@
 
 static krb5_error_code
 process_chpw_request(krb5_context context, void *server_handle, char *realm,
-                     krb5_keytab keytab, const krb5_fulladdr *local_faddr,
-                     const krb5_fulladdr *remote_faddr, krb5_data *req,
+                     krb5_keytab keytab, const krb5_fulladdr *local_addr,
+                     const krb5_fulladdr *remote_addr, krb5_data *req,
                      krb5_data *rep)
 {
     krb5_error_code ret;
@@ -42,7 +42,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
     struct sockaddr_storage ss;
     socklen_t salen;
     char addrbuf[100];
-    krb5_address *addr = remote_faddr->address;
+    krb5_address *addr = remote_addr->address;
 
     *rep = empty_data();
 
@@ -205,15 +205,6 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
         goto chpwfail;
     }
 
-    /* for cpw, verify that this is an AS_REQ ticket */
-    if (vno == 1 &&
-        (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
-        numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
-        strlcpy(strresult, "Ticket must be derived from a password",
-                sizeof(strresult));
-        goto chpwfail;
-    }
-
     /* change the password */
 
     ptr = k5memdup0(clear.data, clear.length, &ret);
@@ -237,7 +228,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
 
         sin->sin_family = AF_INET;
         memcpy(&sin->sin_addr, addr->contents, addr->length);
-        sin->sin_port = htons(remote_faddr->port);
+        sin->sin_port = htons(remote_addr->port);
         salen = sizeof(*sin);
         break;
     }
@@ -246,7 +237,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
 
         sin6->sin6_family = AF_INET6;
         memcpy(&sin6->sin6_addr, addr->contents, addr->length);
-        sin6->sin6_port = htons(remote_faddr->port);
+        sin6->sin6_port = htons(remote_addr->port);
         salen = sizeof(*sin6);
         break;
     }
@@ -292,6 +283,9 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm,
     case KADM5_AUTH_CHANGEPW:
         numresult = KRB5_KPASSWD_ACCESSDENIED;
         break;
+    case KADM5_AUTH_INITIAL:
+        numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+        break;
     case KADM5_PASS_Q_TOOSHORT:
     case KADM5_PASS_REUSE:
     case KADM5_PASS_Q_CLASS:
@@ -326,7 +320,7 @@ chpwfail:
 
     if (ap_rep.length) {
         ret = krb5_auth_con_setaddrs(context, auth_context,
-                                     local_faddr->address, NULL);
+                                     local_addr->address, NULL);
         if (ret) {
             numresult = KRB5_KPASSWD_HARDERROR;
             strlcpy(strresult,
@@ -366,7 +360,7 @@ chpwfail:
            to mk_error do. */
         krberror.error = ret;
         krberror.error -= ERROR_TABLE_BASE_krb5;
-        if (krberror.error < 0 || krberror.error > KRB_ERR_MAX)
+        if (krberror.error > KRB_ERR_MAX)
             krberror.error = KRB_ERR_GENERIC;
 
         krberror.client = NULL;
@@ -436,29 +430,15 @@ bailout:
 
 /* Dispatch routine for set/change password */
 void
-dispatch(void *handle, struct sockaddr *local_saddr,
-         const krb5_fulladdr *remote_faddr, krb5_data *request, int is_tcp,
+dispatch(void *handle, const krb5_fulladdr *local_addr,
+         const krb5_fulladdr *remote_addr, krb5_data *request, int is_tcp,
          verto_ctx *vctx, loop_respond_fn respond, void *arg)
 {
     krb5_error_code ret;
     krb5_keytab kt = NULL;
     kadm5_server_handle_t server_handle = (kadm5_server_handle_t)handle;
-    krb5_fulladdr local_faddr;
-    krb5_address **local_kaddrs = NULL, local_kaddr_buf;
     krb5_data *response = NULL;
 
-    if (local_saddr == NULL) {
-        ret = krb5_os_localaddr(server_handle->context, &local_kaddrs);
-        if (ret != 0)
-            goto egress;
-
-        local_faddr.address = local_kaddrs[0];
-        local_faddr.port = 0;
-    } else {
-        local_faddr.address = &local_kaddr_buf;
-        init_addr(&local_faddr, local_saddr);
-    }
-
     ret = krb5_kt_resolve(server_handle->context, "KDB:", &kt);
     if (ret != 0) {
         krb5_klog_syslog(LOG_ERR, _("chpw: Couldn't open admin keytab %s"),
@@ -474,14 +454,13 @@ dispatch(void *handle, struct sockaddr *local_saddr,
                                handle,
                                server_handle->params.realm,
                                kt,
-                               &local_faddr,
-                               remote_faddr,
+                               local_addr,
+                               remote_addr,
                                request,
                                response);
 egress:
     if (ret)
         krb5_free_data(server_handle->context, response);
-    krb5_free_addresses(server_handle->context, local_kaddrs);
     krb5_kt_close(server_handle->context, kt);
     (*respond)(arg, ret, ret == 0 ? response : NULL);
 }
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 86c162590e4b..cfef97fec147 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -12,10 +12,10 @@
 #include <kadm5/admin.h>
 #include <kadm5/kadm_rpc.h>
 #include <kadm5/server_internal.h>
-#include <kadm5/server_acl.h>
 #include <syslog.h>
 #include <adm_proto.h>  /* krb5_klog_syslog */
 #include "misc.h"
+#include "auth.h"
 
 extern gss_name_t                       gss_changepw_name;
 extern gss_name_t                       gss_oldchangepw_name;
@@ -216,19 +216,6 @@ static gss_name_t acceptor_name(gss_ctx_id_t context)
     return name;
 }
 
-static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
-                             gss_name_t gss_name, krb5_principal princ)
-{
-    krb5_principal princ2;
-    int status;
-
-    if (! gss_to_krb5_name(handle, gss_name, &princ2))
-        return 0;
-    status = krb5_principal_compare(handle->context, princ, princ2);
-    krb5_free_principal(handle->context, princ2);
-    return status;
-}
-
 static int gss_to_krb5_name(kadm5_server_handle_t handle,
                             gss_name_t gss_name, krb5_principal *princ)
 {
@@ -314,12 +301,76 @@ stub_cleanup(kadm5_server_handle_t handle, char *princ_str,
 {
     OM_uint32 minor_stat;
 
+    auth_end(handle->context);
     free_server_handle(handle);
     free(princ_str);
     gss_release_buffer(&minor_stat, client_name);
     gss_release_buffer(&minor_stat, service_name);
 }
 
+static krb5_boolean
+stub_auth(kadm5_server_handle_t handle, int opcode, krb5_const_principal p1,
+          krb5_const_principal p2, const char *s1, const char *s2)
+{
+    return auth(handle->context, opcode, handle->current_caller, p1, p2,
+                s1, s2, NULL, 0);
+}
+
+static krb5_boolean
+stub_auth_pol(kadm5_server_handle_t handle, int opcode, const char *policy,
+              const kadm5_policy_ent_rec *polent, long mask)
+{
+    return auth(handle->context, opcode, handle->current_caller, NULL, NULL,
+                policy, NULL, polent, mask);
+}
+
+static krb5_boolean
+stub_auth_restrict(kadm5_server_handle_t handle, int opcode,
+                   kadm5_principal_ent_t ent, long *mask)
+{
+    return auth_restrict(handle->context, opcode, handle->current_caller,
+                         ent, mask);
+}
+
+/* Return true if the client authenticated to kadmin/changepw and princ is not
+ * the client principal. */
+static krb5_boolean
+changepw_not_self(kadm5_server_handle_t handle, struct svc_req *rqstp,
+                  krb5_const_principal princ)
+{
+    return CHANGEPW_SERVICE(rqstp) &&
+        !krb5_principal_compare(handle->context, handle->current_caller,
+                                princ);
+}
+
+static krb5_boolean
+ticket_is_initial(struct svc_req *rqstp)
+{
+    OM_uint32 status, minor_stat;
+    krb5_flags flags;
+
+    status = gss_krb5_get_tkt_flags(&minor_stat, rqstp->rq_svccred, &flags);
+    if (status != GSS_S_COMPLETE)
+        return 0;
+    return (flags & TKT_FLG_INITIAL) != 0;
+}
+
+/* If a key change request is for the client's own principal, verify that the
+ * client used an initial ticket and enforce the policy min_life. */
+static kadm5_ret_t
+check_self_keychange(kadm5_server_handle_t handle, struct svc_req *rqstp,
+                     krb5_principal princ)
+{
+    if (!krb5_principal_compare(handle->context, handle->current_caller,
+                                princ))
+        return 0;
+
+    if (!ticket_is_initial(rqstp))
+        return KADM5_AUTH_INITIAL;
+
+    return check_min_life(handle, princ, NULL, 0);
+}
+
 static int
 log_unauth(
     char *op,
@@ -387,7 +438,6 @@ create_principal_2_svc(cprinc_arg *arg, generic_ret *ret,
     gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
     kadm5_server_handle_t       handle;
-    restriction_t               *rp;
     const char                  *errmsg = NULL;
 
     ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal,
@@ -396,11 +446,8 @@ create_principal_2_svc(cprinc_arg *arg, generic_ret *ret,
     if (ret->code)
         goto exit_func;
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
-                               arg->rec.principal, &rp)
-        || kadm5int_acl_impose_restrictions(handle->context,
-                                            &arg->rec, &arg->mask, rp)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth_restrict(handle, OP_ADDPRINC, &arg->rec, &arg->mask)) {
         ret->code = KADM5_AUTH_ADD;
         log_unauth("kadm5_create_principal", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -431,7 +478,6 @@ create_principal3_2_svc(cprinc3_arg *arg, generic_ret *ret,
     gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
     kadm5_server_handle_t       handle;
-    restriction_t               *rp;
     const char                  *errmsg = NULL;
 
     ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal,
@@ -440,11 +486,8 @@ create_principal3_2_svc(cprinc3_arg *arg, generic_ret *ret,
     if (ret->code)
         goto exit_func;
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
-                               arg->rec.principal, &rp)
-        || kadm5int_acl_impose_restrictions(handle->context,
-                                            &arg->rec, &arg->mask, rp)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth_restrict(handle, OP_ADDPRINC, &arg->rec, &arg->mask)) {
         ret->code = KADM5_AUTH_ADD;
         log_unauth("kadm5_create_principal", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -498,9 +541,8 @@ delete_principal_2_svc(dprinc_arg *arg, generic_ret *ret,
     if (ret->code)
         goto exit_func;
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
-                               arg->princ, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_DELPRINC, arg->princ, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_DELETE;
         log_unauth("kadm5_delete_principal", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -540,7 +582,6 @@ modify_principal_2_svc(mprinc_arg *arg, generic_ret *ret,
     gss_buffer_desc                 client_name = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc                 service_name = GSS_C_EMPTY_BUFFER;
     kadm5_server_handle_t           handle;
-    restriction_t                   *rp;
     const char                      *errmsg = NULL;
 
     ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal,
@@ -549,11 +590,8 @@ modify_principal_2_svc(mprinc_arg *arg, generic_ret *ret,
     if (ret->code)
         goto exit_func;
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-                               arg->rec.principal, &rp)
-        || kadm5int_acl_impose_restrictions(handle->context,
-                                            &arg->rec, &arg->mask, rp)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth_restrict(handle, OP_MODPRINC, &arg->rec, &arg->mask)) {
         ret->code = KADM5_AUTH_MODIFY;
         log_unauth("kadm5_modify_principal", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -592,7 +630,6 @@ rename_principal_2_svc(rprinc_arg *arg, generic_ret *ret,
     gss_buffer_desc             client_name = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc             service_name = GSS_C_EMPTY_BUFFER;
     kadm5_server_handle_t       handle;
-    restriction_t               *rp;
     const char                  *errmsg = NULL;
     size_t                      tlen1, tlen2, clen, slen;
     char                        *tdots1, *tdots2, *cdots, *sdots;
@@ -617,29 +654,19 @@ rename_principal_2_svc(rprinc_arg *arg, generic_ret *ret,
     slen = service_name.length;
     trunc_name(&slen, &sdots);
 
-    ret->code = KADM5_OK;
-    if (! CHANGEPW_SERVICE(rqstp)) {
-        if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                ACL_DELETE, arg->src, NULL))
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_RENPRINC, arg->src, arg->dest, NULL, NULL)) {
+        ret->code = KADM5_AUTH_INSUFFICIENT;
+        log_unauth("kadm5_rename_principal", prime_arg1, &client_name,
+                   &service_name, rqstp);
+    } else {
+        ret->code = check_lockdown_keys(handle, arg->src);
+        if (ret->code == KADM5_PROTECT_KEYS) {
+            log_unauth("kadm5_rename_principal", prime_arg1, &client_name,
+                       &service_name, rqstp);
             ret->code = KADM5_AUTH_DELETE;
-        /* any restrictions at all on the ADD kills the RENAME */
-        if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                ACL_ADD, arg->dest, &rp) || rp) {
-            if (ret->code == KADM5_AUTH_DELETE)
-                ret->code = KADM5_AUTH_INSUFFICIENT;
-            else
-                ret->code = KADM5_AUTH_ADD;
-        }
-        if (ret->code == KADM5_OK) {
-            ret->code = check_lockdown_keys(handle, arg->src);
-            if (ret->code == KADM5_PROTECT_KEYS) {
-                log_unauth("kadm5_rename_principal", prime_arg1, &client_name,
-                           &service_name, rqstp);
-                ret->code = KADM5_AUTH_DELETE;
-            }
         }
-    } else
-        ret->code = KADM5_AUTH_INSUFFICIENT;
+    }
     if (ret->code != KADM5_OK) {
         /* okay to cast lengths to int because trunc_name limits max value */
         krb5_klog_syslog(LOG_NOTICE,
@@ -696,12 +723,8 @@ get_principal_2_svc(gprinc_arg *arg, gprinc_ret *ret, struct svc_req *rqstp)
 
     funcname = "kadm5_get_principal";
 
-    if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
-        (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                        rqst2name(rqstp),
-                                                        ACL_INQUIRE,
-                                                        arg->princ,
-                                                        NULL))) {
+    if (changepw_not_self(handle, rqstp, arg->princ) ||
+        !stub_auth(handle, OP_GETPRINC, arg->princ, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_GET;
         log_unauth(funcname, prime_arg,
                    &client_name, &service_name, rqstp);
@@ -743,11 +766,8 @@ get_princs_2_svc(gprincs_arg *arg, gprincs_ret *ret, struct svc_req *rqstp)
     if (prime_arg == NULL)
         prime_arg = "*";
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_LIST,
-                                                       NULL,
-                                                       NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_LISTPRINCS, NULL, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_LIST;
         log_unauth("kadm5_get_principals", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -793,17 +813,15 @@ chpass_principal_2_svc(chpass_arg *arg, generic_ret *ret,
                        &service_name, rqstp);
             ret->code = KADM5_AUTH_CHANGEPW;
         }
-    } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
-        ret->code = chpass_principal_wrapper_3(handle, arg->princ, FALSE, 0,
-                                               NULL, arg->pass);
-    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-               kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                  ACL_CHANGEPW, arg->princ, NULL)) {
-        ret->code = kadm5_chpass_principal(handle, arg->princ, arg->pass);
-    } else {
+    } else if (changepw_not_self(handle, rqstp, arg->princ) ||
+               !stub_auth(handle, OP_CPW, arg->princ, NULL, NULL, NULL)) {
+        ret->code = KADM5_AUTH_CHANGEPW;
         log_unauth("kadm5_chpass_principal", prime_arg,
                    &client_name, &service_name, rqstp);
-        ret->code = KADM5_AUTH_CHANGEPW;
+    } else {
+        ret->code = check_self_keychange(handle, rqstp, arg->princ);
+        if (!ret->code)
+            ret->code = kadm5_chpass_principal(handle, arg->princ, arg->pass);
     }
 
     if (ret->code != KADM5_AUTH_CHANGEPW) {
@@ -845,20 +863,18 @@ chpass_principal3_2_svc(chpass3_arg *arg, generic_ret *ret,
                        &service_name, rqstp);
             ret->code = KADM5_AUTH_CHANGEPW;
         }
-    } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
-        ret->code = chpass_principal_wrapper_3(handle, arg->princ,
-                                               arg->keepold, arg->n_ks_tuple,
-                                               arg->ks_tuple, arg->pass);
-    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-               kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                  ACL_CHANGEPW, arg->princ, NULL)) {
-        ret->code = kadm5_chpass_principal_3(handle, arg->princ, arg->keepold,
-                                             arg->n_ks_tuple, arg->ks_tuple,
-                                             arg->pass);
-    } else {
+    } else if (changepw_not_self(handle, rqstp, arg->princ) ||
+               !stub_auth(handle, OP_CPW, arg->princ, NULL, NULL, NULL)) {
+        ret->code = KADM5_AUTH_CHANGEPW;
         log_unauth("kadm5_chpass_principal", prime_arg,
                    &client_name, &service_name, rqstp);
-        ret->code = KADM5_AUTH_CHANGEPW;
+    } else  {
+        ret->code = check_self_keychange(handle, rqstp, arg->princ);
+        if (!ret->code) {
+            ret->code = kadm5_chpass_principal_3(handle, arg->princ,
+                                                 arg->keepold, arg->n_ks_tuple,
+                                                 arg->ks_tuple, arg->pass);
+        }
     }
 
     if (ret->code != KADM5_AUTH_CHANGEPW) {
@@ -901,8 +917,7 @@ setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret,
             ret->code = KADM5_AUTH_SETKEY;
         }
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-        kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                           ACL_SETKEY, arg->princ, NULL)) {
+               stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
         ret->code = kadm5_setv4key_principal(handle, arg->princ,
                                              arg->keyblock);
     } else {
@@ -952,8 +967,7 @@ setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret,
             ret->code = KADM5_AUTH_SETKEY;
         }
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-        kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                           ACL_SETKEY, arg->princ, NULL)) {
+               stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
         ret->code = kadm5_setkey_principal(handle, arg->princ, arg->keyblocks,
                                            arg->n_keys);
     } else {
@@ -1002,8 +1016,7 @@ setkey_principal3_2_svc(setkey3_arg *arg, generic_ret *ret,
             ret->code = KADM5_AUTH_SETKEY;
         }
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-        kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                           ACL_SETKEY, arg->princ, NULL)) {
+               stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
         ret->code = kadm5_setkey_principal_3(handle, arg->princ, arg->keepold,
                                              arg->n_ks_tuple, arg->ks_tuple,
                                              arg->keyblocks, arg->n_keys);
@@ -1053,8 +1066,7 @@ setkey_principal4_2_svc(setkey4_arg *arg, generic_ret *ret,
             ret->code = KADM5_AUTH_SETKEY;
         }
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-        kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                           ACL_SETKEY, arg->princ, NULL)) {
+               stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
         ret->code = kadm5_setkey_principal_4(handle, arg->princ, arg->keepold,
                                              arg->key_data, arg->n_key_data);
     } else {
@@ -1079,8 +1091,8 @@ exit_func:
     return TRUE;
 }
 
-/* Empty out *keys/*nkeys if princ is protected with the lockdown attribute, or
- * if we fail to check. */
+/* Empty out *keys / *nkeys if princ is protected with the lockdown
+ * attribute, or if we fail to check. */
 static kadm5_ret_t
 chrand_check_lockdown(kadm5_server_handle_t handle, krb5_principal princ,
                       krb5_keyblock **keys, int *nkeys)
@@ -1119,17 +1131,17 @@ chrand_principal_2_svc(chrand_arg *arg, chrand_ret *ret, struct svc_req *rqstp)
 
     funcname = "kadm5_randkey_principal";
 
-    if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
-        ret->code = randkey_principal_wrapper_3(handle, arg->princ, FALSE, 0,
-                                                NULL, &k, &nkeys);
-    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-               kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                  ACL_CHANGEPW, arg->princ, NULL)) {
-        ret->code = kadm5_randkey_principal(handle, arg->princ, &k, &nkeys);
-    } else {
+    if (changepw_not_self(handle, rqstp, arg->princ) ||
+        !stub_auth(handle, OP_CHRAND, arg->princ, NULL, NULL, NULL)) {
+        ret->code = KADM5_AUTH_CHANGEPW;
         log_unauth(funcname, prime_arg,
                    &client_name, &service_name, rqstp);
-        ret->code = KADM5_AUTH_CHANGEPW;
+    } else {
+        ret->code = check_self_keychange(handle, rqstp, arg->princ);
+        if (!ret->code) {
+            ret->code = kadm5_randkey_principal(handle, arg->princ,
+                                                &k, &nkeys);
+        }
     }
 
     if (ret->code == KADM5_OK) {
@@ -1176,20 +1188,19 @@ chrand_principal3_2_svc(chrand3_arg *arg, chrand_ret *ret,
 
     funcname = "kadm5_randkey_principal";
 
-    if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
-        ret->code = randkey_principal_wrapper_3(handle, arg->princ,
-                                                arg->keepold, arg->n_ks_tuple,
-                                                arg->ks_tuple, &k, &nkeys);
-    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-               kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                                  ACL_CHANGEPW, arg->princ, NULL)) {
-        ret->code = kadm5_randkey_principal_3(handle, arg->princ, arg->keepold,
-                                              arg->n_ks_tuple, arg->ks_tuple,
-                                              &k, &nkeys);
-    } else {
+    if (changepw_not_self(handle, rqstp, arg->princ) ||
+        !stub_auth(handle, OP_CHRAND, arg->princ, NULL, NULL, NULL)) {
+        ret->code = KADM5_AUTH_CHANGEPW;
         log_unauth(funcname, prime_arg,
                    &client_name, &service_name, rqstp);
-        ret->code = KADM5_AUTH_CHANGEPW;
+    } else {
+        ret->code = check_self_keychange(handle, rqstp, arg->princ);
+        if (!ret->code) {
+            ret->code = kadm5_randkey_principal_3(handle, arg->princ,
+                                                  arg->keepold,
+                                                  arg->n_ks_tuple,
+                                                  arg->ks_tuple, &k, &nkeys);
+        }
     }
 
     if (ret->code == KADM5_OK) {
@@ -1233,9 +1244,9 @@ create_policy_2_svc(cpol_arg *arg, generic_ret *ret, struct svc_req *rqstp)
 
     prime_arg = arg->rec.policy;
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_ADD, NULL, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth_pol(handle, OP_ADDPOL, arg->rec.policy,
+                       &arg->rec, arg->mask)) {
         ret->code = KADM5_AUTH_ADD;
         log_unauth("kadm5_create_policy", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -1275,9 +1286,8 @@ delete_policy_2_svc(dpol_arg *arg, generic_ret *ret, struct svc_req *rqstp)
 
     prime_arg = arg->name;
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_DELETE, NULL, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_DELPOL, NULL, NULL, arg->name, NULL)) {
         log_unauth("kadm5_delete_policy", prime_arg,
                    &client_name, &service_name, rqstp);
         ret->code = KADM5_AUTH_DELETE;
@@ -1316,9 +1326,9 @@ modify_policy_2_svc(mpol_arg *arg, generic_ret *ret, struct svc_req *rqstp)
 
     prime_arg = arg->rec.policy;
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_MODIFY, NULL, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth_pol(handle, OP_MODPOL, arg->rec.policy,
+                       &arg->rec, arg->mask)) {
         log_unauth("kadm5_modify_policy", prime_arg,
                    &client_name, &service_name, rqstp);
         ret->code = KADM5_AUTH_MODIFY;
@@ -1349,7 +1359,9 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp)
     kadm5_ret_t         ret2;
     kadm5_principal_ent_rec     caller_ent;
     kadm5_server_handle_t       handle;
-    const char                  *errmsg = NULL;
+    const char                  *errmsg = NULL, *cpolicy = NULL;
+
+    memset(&caller_ent, 0, sizeof(caller_ent));
 
     ret->code = stub_setup(arg->api_version, rqstp, NULL, &handle,
                            &ret->api_version, &client_name, &service_name,
@@ -1361,31 +1373,20 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp)
 
     prime_arg = arg->name;
 
-    ret->code = KADM5_AUTH_GET;
-    if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_INQUIRE, NULL, NULL))
-        ret->code = KADM5_OK;
-    else {
-        ret->code = kadm5_get_principal(handle->lhandle,
-                                        handle->current_caller, &caller_ent,
-                                        KADM5_PRINCIPAL_NORMAL_MASK);
-        if (ret->code == KADM5_OK) {
-            if (caller_ent.aux_attributes & KADM5_POLICY &&
-                strcmp(caller_ent.policy, arg->name) == 0) {
-                ret->code = KADM5_OK;
-            } else {
-                ret->code = KADM5_AUTH_GET;
-            }
-            ret2 = kadm5_free_principal_ent(handle->lhandle,
-                                            &caller_ent);
-            ret->code = ret->code ? ret->code : ret2;
-        }
-    }
+    /* Look up the client principal's policy value. */
+    ret2 = kadm5_get_principal(handle->lhandle, handle->current_caller,
+                               &caller_ent, KADM5_PRINCIPAL_NORMAL_MASK);
+    if (ret2 == KADM5_OK && (caller_ent.aux_attributes & KADM5_POLICY))
+        cpolicy = caller_ent.policy;
 
-    if (ret->code == KADM5_OK) {
+    ret->code = KADM5_AUTH_GET;
+    if ((CHANGEPW_SERVICE(rqstp) &&
+         (cpolicy == NULL || strcmp(cpolicy, arg->name) != 0)) ||
+        !stub_auth(handle, OP_GETPOL, NULL, NULL, arg->name, cpolicy)) {
+        ret->code = KADM5_AUTH_GET;
+        log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
+    } else {
         ret->code = kadm5_get_policy(handle, arg->name, &ret->rec);
-
         if (ret->code != 0)
             errmsg = krb5_get_error_message(handle->context, ret->code);
 
@@ -1394,13 +1395,10 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp)
                  &client_name, &service_name, rqstp);
         if (errmsg != NULL)
             krb5_free_error_message(handle->context, errmsg);
-
-    } else {
-        log_unauth(funcname, prime_arg,
-                   &client_name, &service_name, rqstp);
     }
 
 exit_func:
+    (void)kadm5_free_principal_ent(handle->lhandle, &caller_ent);
     stub_cleanup(handle, NULL, &client_name, &service_name);
     return TRUE;
 }
@@ -1424,9 +1422,8 @@ get_pols_2_svc(gpols_arg *arg, gpols_ret *ret, struct svc_req *rqstp)
     if (prime_arg == NULL)
         prime_arg = "*";
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_LIST, NULL, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_LISTPOLS, NULL, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_LIST;
         log_unauth("kadm5_get_policies", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -1494,10 +1491,8 @@ purgekeys_2_svc(purgekeys_arg *arg, generic_ret *ret, struct svc_req *rqstp)
 
     funcname = "kadm5_purgekeys";
 
-    if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
-        (CHANGEPW_SERVICE(rqstp)
-         || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-                                arg->princ, NULL))) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_PURGEKEYS, arg->princ, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_MODIFY;
         log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
     } else {
@@ -1532,12 +1527,8 @@ get_strings_2_svc(gstrings_arg *arg, gstrings_ret *ret, struct svc_req *rqstp)
     if (ret->code)
         goto exit_func;
 
-    if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
-        (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                        rqst2name(rqstp),
-                                                        ACL_INQUIRE,
-                                                        arg->princ,
-                                                        NULL))) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_GETSTRS, arg->princ, NULL, NULL, NULL)) {
         ret->code = KADM5_AUTH_GET;
         log_unauth("kadm5_get_strings", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -1574,9 +1565,9 @@ set_string_2_svc(sstring_arg *arg, generic_ret *ret, struct svc_req *rqstp)
     if (ret->code)
         goto exit_func;
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-                               arg->princ, NULL)) {
+    if (CHANGEPW_SERVICE(rqstp) ||
+        !stub_auth(handle, OP_SETSTR, arg->princ, NULL,
+                   arg->key, arg->value)) {
         ret->code = KADM5_AUTH_MODIFY;
         log_unauth("kadm5_mod_strings", prime_arg,
                    &client_name, &service_name, rqstp);
@@ -1665,8 +1656,7 @@ get_principal_keys_2_svc(getpkeys_arg *arg, getpkeys_ret *ret,
         goto exit_func;
 
     if (!(CHANGEPW_SERVICE(rqstp)) &&
-        kadm5int_acl_check(handle->context, rqst2name(rqstp),
-                           ACL_EXTRACT, arg->princ, NULL)) {
+        stub_auth(handle, OP_EXTRACT, arg->princ, NULL, NULL, NULL)) {
         ret->code = kadm5_get_principal_keys(handle, arg->princ, arg->kvno,
                                              &ret->key_data, &ret->n_key_data);
     } else {
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index a4997c60ca04..9dde579ef397 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -697,13 +697,13 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
     } else
         Tcl_DStringAppendElement(str, "null");
 
-    sprintf(buf, "%d", princ->princ_expire_time);
+    sprintf(buf, "%u", (unsigned int)princ->princ_expire_time);
     Tcl_DStringAppendElement(str, buf);
 
-    sprintf(buf, "%d", princ->last_pwd_change);
+    sprintf(buf, "%u", (unsigned int)princ->last_pwd_change);
     Tcl_DStringAppendElement(str, buf);
 
-    sprintf(buf, "%d", princ->pw_expiration);
+    sprintf(buf, "%u", (unsigned int)princ->pw_expiration);
     Tcl_DStringAppendElement(str, buf);
 
     sprintf(buf, "%d", princ->max_life);
@@ -722,7 +722,7 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
     } else
         Tcl_DStringAppendElement(str, "null");
 
-    sprintf(buf, "%d", princ->mod_date);
+    sprintf(buf, "%u", (unsigned int)princ->mod_date);
     Tcl_DStringAppendElement(str, buf);
 
     if (mask & KADM5_ATTRIBUTES) {
@@ -758,10 +758,10 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
     sprintf(buf, "%d", princ->max_renewable_life);
     Tcl_DStringAppendElement(str, buf);
 
-    sprintf(buf, "%d", princ->last_success);
+    sprintf(buf, "%u", (unsigned int)princ->last_success);
     Tcl_DStringAppendElement(str, buf);
 
-    sprintf(buf, "%d", princ->last_failed);
+    sprintf(buf, "%u", (unsigned int)princ->last_failed);
     Tcl_DStringAppendElement(str, buf);
 
     sprintf(buf, "%d", princ->fail_auth_count);
diff --git a/src/kdc/deps b/src/kdc/deps
index b5257c715f88..6bc00f7a938c 100644
--- a/src/kdc/deps
+++ b/src/kdc/deps
@@ -171,20 +171,22 @@ $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h extern.h kdc5_err.h \
-  kdc_audit.h kdc_util.h main.c realm_data.h reqstate.h
+  kdc_audit.h kdc_util.h main.c policy.h realm_data.h \
+  reqstate.h
 $(OUTPRE)policy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpolicy_plugin.h \
   $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h extern.h kdc_util.h \
-  policy.c realm_data.h reqstate.h
+  policy.c policy.h realm_data.h reqstate.h
 $(OUTPRE)extern.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -279,14 +281,14 @@ $(OUTPRE)kdc_log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 $(OUTPRE)t_replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  extern.h kdc_util.h realm_data.h replay.c reqstate.h \
-  t_replay.c
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-cmocka.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h extern.h kdc_util.h \
+  realm_data.h replay.c reqstate.h t_replay.c
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 3a169ebc7f40..3867ff952e49 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -94,8 +94,8 @@ static void
 reseed_random(krb5_context kdc_err_context)
 {
     krb5_error_code retval;
-    krb5_int32 now, now_usec;
-    krb5_int32 usec_difference;
+    krb5_timestamp now;
+    krb5_int32 now_usec, usec_difference;
     krb5_data data;
 
     retval = krb5_crypto_us_timeofday(&now, &now_usec);
@@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context)
         if (last_os_random == 0)
             last_os_random = now;
         /* Grab random data from OS every hour*/
-        if (now-last_os_random >= 60 * 60) {
+        if (ts_delta(now, last_os_random) >= 60 * 60) {
             krb5_c_random_os_entropy(kdc_err_context, 0, NULL);
             last_os_random = now;
         }
@@ -119,8 +119,8 @@ reseed_random(krb5_context kdc_err_context)
 }
 
 void
-dispatch(void *cb, struct sockaddr *local_saddr,
-         const krb5_fulladdr *from, krb5_data *pkt, int is_tcp,
+dispatch(void *cb, const krb5_fulladdr *local_addr,
+         const krb5_fulladdr *remote_addr, krb5_data *pkt, int is_tcp,
          verto_ctx *vctx, loop_respond_fn respond, void *arg)
 {
     krb5_error_code retval;
@@ -150,8 +150,8 @@ dispatch(void *cb, struct sockaddr *local_saddr,
         const char *name = 0;
         char buf[46];
 
-        name = inet_ntop (ADDRTYPE2FAMILY (from->address->addrtype),
-                          from->address->contents, buf, sizeof (buf));
+        name = inet_ntop(ADDRTYPE2FAMILY(remote_addr->address->addrtype),
+                         remote_addr->address->contents, buf, sizeof(buf));
         if (name == 0)
             name = "[unknown address type]";
         if (response)
@@ -177,7 +177,7 @@ dispatch(void *cb, struct sockaddr *local_saddr,
     /* try TGS_REQ first; they are more common! */
 
     if (krb5_is_tgs_req(pkt)) {
-        retval = process_tgs_req(handle, pkt, from, &response);
+        retval = process_tgs_req(handle, pkt, remote_addr, &response);
     } else if (krb5_is_as_req(pkt)) {
         if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
             /*
@@ -187,7 +187,8 @@ dispatch(void *cb, struct sockaddr *local_saddr,
              */
             state->active_realm = setup_server_realm(handle, as_req->server);
             if (state->active_realm != NULL) {
-                process_as_req(as_req, pkt, from, state->active_realm, vctx,
+                process_as_req(as_req, pkt, local_addr, remote_addr,
+                               state->active_realm, vctx,
                                finish_dispatch_cache, state);
                 return;
             } else {
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 712ccb794680..7c8da63e1861 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -87,7 +87,7 @@ get_key_exp(krb5_db_entry *entry)
         return entry->pw_expiration;
     if (entry->pw_expiration == 0)
         return entry->expiration;
-    return min(entry->expiration, entry->pw_expiration);
+    return ts_min(entry->expiration, entry->pw_expiration);
 }
 
 /*
@@ -160,7 +160,8 @@ struct as_req_state {
     struct kdc_request_state *rstate;
     char *sname, *cname;
     void *pa_context;
-    const krb5_fulladdr *from;
+    const krb5_fulladdr *local_addr;
+    const krb5_fulladdr *remote_addr;
     krb5_data **auth_indicators;
 
     krb5_error_code preauth_err;
@@ -207,6 +208,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 
     state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
 
+    errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
+                                 state->server, state->auth_indicators,
+                                 state->kdc_time, &state->enc_tkt_reply.times,
+                                 &state->status);
+    if (errcode)
+        goto egress;
+
     /*
      * Find the server key
      */
@@ -239,10 +247,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
     state->reply.ticket = &state->ticket_reply;
     state->reply_encpart.session = &state->session_key;
     if ((errcode = fetch_last_req_info(state->client,
-                                       &state->reply_encpart.last_req))) {
-        state->status = "FETCH_LAST_REQ";
+                                       &state->reply_encpart.last_req)))
         goto egress;
-    }
     state->reply_encpart.nonce = state->request->nonce;
     state->reply_encpart.key_exp = get_key_exp(state->client);
     state->reply_encpart.flags = state->enc_tkt_reply.flags;
@@ -300,27 +306,21 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 
     errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
                                     &state->ticket_reply);
-    if (errcode) {
-        state->status = "ENCRYPT_TICKET";
+    if (errcode)
         goto egress;
-    }
 
     errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply,
                               &au_state->tkt_out_id);
-    if (errcode) {
-        state->status = "GENERATE_TICKET_ID";
+    if (errcode)
         goto egress;
-    }
 
     state->ticket_reply.enc_part.kvno = server_key->key_data_kvno;
     errcode = kdc_fast_response_handle_padata(state->rstate,
                                               state->request,
                                               &state->reply,
                                               state->client_keyblock.enctype);
-    if (errcode) {
-        state->status = "MAKE_FAST_RESPONSE";
+    if (errcode)
         goto egress;
-    }
 
     /* now encode/encrypt the response */
 
@@ -328,10 +328,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 
     errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock,
                                         &as_encrypting_key);
-    if (errcode) {
-        state->status = "MAKE_FAST_REPLY_KEY";
+    if (errcode)
         goto egress;
-    }
     errcode = return_enc_padata(kdc_context, state->req_pkt, state->request,
                                 as_encrypting_key, state->server,
                                 &state->reply_encpart, FALSE);
@@ -348,10 +346,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                                   &state->reply, &response);
     if (state->client_key != NULL)
         state->reply.enc_part.kvno = state->client_key->key_data_kvno;
-    if (errcode) {
-        state->status = "ENCODE_KDC_REP";
+    if (errcode)
         goto egress;
-    }
 
     /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
        can use them in raw form if needed.  But, we don't... */
@@ -359,14 +355,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
            state->reply.enc_part.ciphertext.length);
     free(state->reply.enc_part.ciphertext.data);
 
-    log_as_req(kdc_context, state->from, state->request, &state->reply,
-               state->client, state->cname, state->server,
-               state->sname, state->authtime, 0, 0, 0);
+    log_as_req(kdc_context, state->local_addr, state->remote_addr,
+               state->request, &state->reply, state->client, state->cname,
+               state->server, state->sname, state->authtime, 0, 0, 0);
     did_log = 1;
 
 egress:
-    if (errcode != 0)
-        assert (state->status != 0);
+    if (errcode != 0 && state->status == NULL)
+        state->status = "UNKNOWN_REASON";
 
     au_state->status = state->status;
     au_state->reply = &state->reply;
@@ -381,8 +377,8 @@ egress:
         emsg = krb5_get_error_message(kdc_context, errcode);
 
     if (state->status) {
-        log_as_req(kdc_context,
-                   state->from, state->request, &state->reply, state->client,
+        log_as_req(kdc_context, state->local_addr, state->remote_addr,
+                   state->request, &state->reply, state->client,
                    state->cname, state->server, state->sname, state->authtime,
                    state->status, errcode, emsg);
         did_log = 1;
@@ -492,7 +488,8 @@ finish_preauth(void *arg, krb5_error_code code)
 /*ARGSUSED*/
 void
 process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
-               const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
+               const krb5_fulladdr *local_addr,
+               const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm,
                verto_ctx *vctx, loop_respond_fn respond, void *arg)
 {
     krb5_error_code errcode;
@@ -511,7 +508,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->arg = arg;
     state->request = request;
     state->req_pkt = req_pkt;
-    state->from = from;
+    state->local_addr = local_addr;
+    state->remote_addr = remote_addr;
     state->active_realm = kdc_active_realm;
 
     errcode = kdc_make_rstate(kdc_active_realm, &state->rstate);
@@ -522,7 +520,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
 
     /* Initialize audit state. */
-    errcode = kau_init_kdc_req(kdc_context, state->request, from, &au_state);
+    errcode = kau_init_kdc_req(kdc_context, state->request, remote_addr,
+                               &au_state);
     if (errcode) {
         (*respond)(arg, errcode, NULL);
         kdc_free_rstate(state->rstate);
@@ -543,7 +542,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     if (fetch_asn1_field((unsigned char *) req_pkt->data,
                          1, 4, &encoded_req_body) != 0) {
         errcode = ASN1_BAD_ID;
-        state->status = "FETCH_REQ_BODY";
         goto errout;
     }
     errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
@@ -556,10 +554,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         /* Not a FAST request; copy the encoded request body. */
         errcode = krb5_copy_data(kdc_context, &encoded_req_body,
                                  &state->inner_body);
-        if (errcode) {
-            state->status = "COPY_REQ_BODY";
+        if (errcode)
             goto errout;
-        }
     }
     au_state->request = state->request;
     state->rock.request = state->request;
@@ -574,10 +570,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
     if ((errcode = krb5_unparse_name(kdc_context,
                                      state->request->client,
-                                     &state->cname))) {
-        state->status = "UNPARSE_CLIENT";
+                                     &state->cname)))
         goto errout;
-    }
     limit_string(state->cname);
 
     if (!state->request->server) {
@@ -587,10 +581,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
     if ((errcode = krb5_unparse_name(kdc_context,
                                      state->request->server,
-                                     &state->sname))) {
-        state->status = "UNPARSE_SERVER";
+                                     &state->sname)))
         goto errout;
-    }
     limit_string(state->sname);
 
     /*
@@ -670,18 +662,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     au_state->stage = VALIDATE_POL;
 
-    if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) {
-        state->status = "TIMEOFDAY";
+    if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time)))
         goto errout;
-    }
     state->authtime = state->kdc_time; /* for audit_as_request() */
 
     if ((errcode = validate_as_request(kdc_active_realm,
                                        state->request, *state->client,
                                        *state->server, state->kdc_time,
                                        &state->status, &state->e_data))) {
-        if (!state->status)
-            state->status = "UNKNOWN_REASON";
         errcode += ERROR_TABLE_BASE_krb5;
         goto errout;
     }
@@ -701,10 +689,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
 
     if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
-                                          &state->session_key))) {
-        state->status = "MAKE_RANDOM_KEY";
+                                          &state->session_key)))
         goto errout;
-    }
 
     /*
      * Canonicalization is only effective if we are issuing a TGT
@@ -785,10 +771,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         state->request->client = NULL;
         errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
                                       &state->request->client);
-        if (errcode) {
-            state->status = "COPY_ANONYMOUS_PRINCIPAL";
+        if (errcode)
             goto errout;
-        }
         state->enc_tkt_reply.client = state->request->client;
         setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
     }
@@ -841,6 +825,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
     kdc_realm_t *kdc_active_realm = rstate->realm_data;
     size_t count;
 
+    errpkt.magic = KV5M_ERROR;
+
     if (e_data_in != NULL) {
         /* Add a PA-FX-COOKIE to e_data_in.  e_data is a shallow copy
          * containing aliases. */
@@ -854,7 +840,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
         e_data[count] = cookie;
     }
 
-    errpkt.ctime = request->nonce;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 547a41441767..cc5a6923629a 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -195,15 +195,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     if (!header_ticket) {
         errcode = KRB5_NO_TKT_SUPPLIED;        /* XXX? */
-        status="UNEXPECTED NULL in header_ticket";
         goto cleanup;
     }
     errcode = kau_make_tkt_id(kdc_context, header_ticket,
                               &au_state->tkt_in_id);
-    if (errcode) {
-        status = "GENERATE_TICKET_ID";
+    if (errcode)
         goto cleanup;
-    }
 
     scratch.length = pa_tgs_req->length;
     scratch.data = (char *) pa_tgs_req->contents;
@@ -264,16 +261,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     au_state->stage = VALIDATE_POL;
 
-    if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
-        status = "TIME_OF_DAY";
+    if ((errcode = krb5_timeofday(kdc_context, &kdc_time)))
         goto cleanup;
-    }
 
     if ((retval = validate_tgs_request(kdc_active_realm,
                                        request, *server, header_ticket,
                                        kdc_time, &status, &e_data))) {
-        if (!status)
-            status = "UNKNOWN_REASON";
         if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
             au_state->violation = PROT_CONSTRAINT;
         errcode = retval + ERROR_TABLE_BASE_krb5;
@@ -340,7 +333,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx],
                                   &au_state->evid_tkt_id);
         if (retval) {
-            status = "GENERATE_TICKET_ID";
             errcode = retval;
             goto cleanup;
         }
@@ -500,12 +492,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
         old_starttime = enc_tkt_reply.times.starttime ?
             enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
-        old_life = enc_tkt_reply.times.endtime - old_starttime;
+        old_life = ts_delta(enc_tkt_reply.times.endtime, old_starttime);
 
         enc_tkt_reply.times.starttime = kdc_time;
         enc_tkt_reply.times.endtime =
-            min(header_ticket->enc_part2->times.renew_till,
-                kdc_time + old_life);
+            ts_min(header_ticket->enc_part2->times.renew_till,
+                   ts_incr(kdc_time, old_life));
     } else {
         /* not a renew request */
         enc_tkt_reply.times.starttime = kdc_time;
@@ -518,6 +510,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
                              server, &enc_tkt_reply);
 
+    errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket,
+                                  auth_indicators, kdc_time,
+                                  &enc_tkt_reply.times, &status);
+    if (errcode)
+        goto cleanup;
+
     /*
      * Set authtime to be the same as header or evidence ticket's
      */
@@ -723,10 +721,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                     &ticket_reply);
     if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
         krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-    if (errcode) {
-        status = "ENCRYPT_TICKET";
+    if (errcode)
         goto cleanup;
-    }
     ticket_reply.enc_part.kvno = ticket_kvno;
     /* Start assembling the response */
     au_state->stage = ENCR_REP;
@@ -740,10 +736,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                         s4u_x509_user,
                                         &reply,
                                         &reply_encpart);
-        if (errcode) {
-            status = "MAKE_S4U2SELF_PADATA";
+        if (errcode)
             au_state->status = status;
-        }
         kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
         if (errcode)
             goto cleanup;
@@ -775,16 +769,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         header_ticket->enc_part2->session->enctype;
     errcode  = kdc_fast_response_handle_padata(state, request, &reply,
                                                subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
-    if (errcode !=0 ) {
-        status = "MAKE_FAST_RESPONSE";
+    if (errcode)
         goto cleanup;
-    }
     errcode =kdc_fast_handle_reply_key(state,
                                        subkey?subkey:header_ticket->enc_part2->session, &reply_key);
-    if (errcode) {
-        status  = "MAKE_FAST_REPLY_KEY";
+    if (errcode)
         goto cleanup;
-    }
     errcode = return_enc_padata(kdc_context, pkt, request,
                                 reply_key, server, &reply_encpart,
                                 is_referral &&
@@ -796,10 +786,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     }
 
     errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id);
-    if (errcode) {
-        status = "GENERATE_TICKET_ID";
+    if (errcode)
         goto cleanup;
-    }
 
     if (kdc_fast_hide_client(state))
         reply.client = (krb5_principal)krb5_anonymous_principal();
@@ -807,11 +795,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                   subkey ? 1 : 0,
                                   reply_key,
                                   &reply, response);
-    if (errcode) {
-        status = "ENCODE_KDC_REP";
-    } else {
+    if (!errcode)
         status = "ISSUE";
-    }
 
     memset(ticket_reply.enc_part.ciphertext.data, 0,
            ticket_reply.enc_part.ciphertext.length);
@@ -823,7 +808,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     free(reply.enc_part.ciphertext.data);
 
 cleanup:
-    assert(status != NULL);
+    if (status == NULL)
+        status = "UNKNOWN_REASON";
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)
@@ -909,7 +895,8 @@ prepare_error_tgs (struct kdc_request_state *state,
     krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
     kdc_realm_t *kdc_active_realm = state->realm_data;
 
-    errpkt.ctime = request->nonce;
+    errpkt.magic = KV5M_ERROR;
+    errpkt.ctime = 0;
     errpkt.cusec = 0;
 
     if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
@@ -1052,7 +1039,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
         retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype,
                                     status);
         if (retval != 0)
-            goto cleanup;
+            return retval;
     }
     if (useenctype == 0) {
         useenctype = select_session_keytype(kdc_active_realm, server,
@@ -1062,17 +1049,10 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
     if (useenctype == 0) {
         /* unsupported ktype */
         *status = "BAD_ENCRYPTION_TYPE";
-        retval = KRB5KDC_ERR_ETYPE_NOSUPP;
-        goto cleanup;
-    }
-    retval = krb5_c_make_random_key(kdc_context, useenctype, skey);
-    if (retval != 0) {
-        /* random key failed */
-        *status = "MAKE_RANDOM_KEY";
-        goto cleanup;
+        return KRB5KDC_ERR_ETYPE_NOSUPP;
     }
-cleanup:
-    return retval;
+
+    return krb5_c_make_random_key(kdc_context, useenctype, skey);
 }
 
 /*
diff --git a/src/kdc/extern.c b/src/kdc/extern.c
index fe627494b8d3..84b5c6ad5d1c 100644
--- a/src/kdc/extern.c
+++ b/src/kdc/extern.c
@@ -37,6 +37,8 @@
 kdc_realm_t     **kdc_realmlist = (kdc_realm_t **) NULL;
 int             kdc_numrealms = 0;
 krb5_data empty_string = {0, 0, ""};
-krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
 krb5_keyblock   psr_key;
 krb5_int32      max_dgram_reply_size = MAX_DGRAM_SIZE;
+
+/* With ts_after(), this is the largest timestamp value. */
+krb5_timestamp kdc_infinity = -1;
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 9df940219cd8..e05107ef328d 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -607,7 +607,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
     ret = krb5_timeofday(context, &now);
     if (ret)
         goto cleanup;
-    if (now - COOKIE_LIFETIME > cookie->time) {
+    if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) {
         /* Don't accept the cookie contents.  Only return an error if the
          * cookie is relevant to the request. */
         if (is_relevant(cookie->data, req->padata))
@@ -700,7 +700,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
     ret = krb5_timeofday(context, &now);
     if (ret)
         goto cleanup;
-    cookie.time = now;
+    cookie.time = ts2tt(now);
     cookie.data = contents;
     ret = encode_krb5_secure_cookie(&cookie, &der_cookie);
     if (ret)
diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
index 94a2a1c87c91..7e8733980a41 100644
--- a/src/kdc/kdc_log.c
+++ b/src/kdc/kdc_log.c
@@ -54,7 +54,9 @@
 /* Someday, pass local address/port as well.  */
 /* Currently no info about name canonicalization is logged.  */
 void
-log_as_req(krb5_context context, const krb5_fulladdr *from,
+log_as_req(krb5_context context,
+           const krb5_fulladdr *local_addr,
+           const krb5_fulladdr *remote_addr,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            krb5_db_entry *client, const char *cname,
            krb5_db_entry *server, const char *sname,
@@ -67,8 +69,8 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
     const char *cname2 = cname ? cname : "<unknown client>";
     const char *sname2 = sname ? sname : "<unknown server>";
 
-    fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
-                           from->address->contents,
+    fromstring = inet_ntop(ADDRTYPE2FAMILY(remote_addr->address->addrtype),
+                           remote_addr->address->contents,
                            fromstringbuf, sizeof(fromstringbuf));
     if (!fromstring)
         fromstring = "<unknown>";
@@ -79,9 +81,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
         /* success */
         char rep_etypestr[128];
         rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
-        krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %d, %s, "
+        krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
                                      "%s for %s"),
-                         ktypestr, fromstring, authtime,
+                         ktypestr, fromstring, (unsigned int)authtime,
                          rep_etypestr, cname2, sname2);
     } else {
         /* fail */
@@ -89,14 +91,15 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
                          ktypestr, fromstring, status,
                          cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
     }
-    krb5_db_audit_as_req(context, request, client, server, authtime,
-                         errcode);
+    krb5_db_audit_as_req(context, request,
+                         local_addr->address, remote_addr->address,
+                         client, server, authtime, errcode);
 #if 0
     /* Sun (OpenSolaris) version would probably something like this.
        The client and server names passed can be null, unlike in the
        logging routines used above.  Note that a struct in_addr is
        used, but the real address could be an IPv6 address.  */
-    audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
+    audit_krb5kdc_as_req(some in_addr *, (in_port_t)remote_addr->port, 0,
                          cname, sname, errcode);
 #endif
 }
@@ -156,10 +159,10 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
        name (useful), and doesn't log ktypestr (probably not
        important).  */
     if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
-        krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %d, %s%s "
+        krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
                                      "%s for %s%s%s"),
-                         ktypestr, fromstring, status, authtime, rep_etypestr,
-                         !errcode ? "," : "", logcname, logsname,
+                         ktypestr, fromstring, status, (unsigned int)authtime,
+                         rep_etypestr, !errcode ? "," : "", logcname, logsname,
                          errcode ? ", " : "", errcode ? emsg : "");
         if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
             krb5_klog_syslog(LOG_INFO,
@@ -171,9 +174,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
                              logaltcname);
 
     } else
-        krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %d, %s for %s, "
+        krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, "
                                      "2nd tkt client %s"),
-                         fromstring, status, authtime,
+                         fromstring, status, (unsigned int)authtime,
                          logcname, logsname, logaltcname);
 
     /* OpenSolaris: audit_krb5kdc_tgs_req(...)  or
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 605fcb7addc6..81d0b8cffd39 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -568,8 +568,37 @@ set_cookie(krb5_context context, krb5_kdcpreauth_rock rock,
     return kdc_fast_set_cookie(rock->rstate, pa_type, data);
 }
 
+static krb5_boolean
+match_client(krb5_context context, krb5_kdcpreauth_rock rock,
+             krb5_principal princ)
+{
+    krb5_db_entry *ent;
+    krb5_boolean match = FALSE;
+    krb5_principal req_client = rock->request->client;
+    krb5_principal client = rock->client->princ;
+
+    /* Check for a direct match against the request principal or
+     * the post-canon client principal. */
+    if (krb5_principal_compare_flags(context, princ, req_client,
+                                     KRB5_PRINCIPAL_COMPARE_ENTERPRISE) ||
+        krb5_principal_compare(context, princ, client))
+        return TRUE;
+
+    if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
+        return FALSE;
+    match = krb5_principal_compare(context, ent->princ, client);
+    krb5_db_free_principal(context, ent);
+    return match;
+}
+
+static krb5_principal
+client_name(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+    return rock->client->princ;
+}
+
 static struct krb5_kdcpreauth_callbacks_st callbacks = {
-    3,
+    4,
     max_time_skew,
     client_keys,
     free_keys,
@@ -583,7 +612,9 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
     client_keyblock,
     add_auth_indicator,
     get_cookie,
-    set_cookie
+    set_cookie,
+    match_client,
+    client_name
 };
 
 static krb5_error_code
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index feef3683141c..7e636b3f9fed 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
           krb5_kdcpreauth_verify_respond_fn respond, void *arg)
 {
     krb5_error_code retval = 0;
-    krb5_timestamp now;
     krb5_enc_data *enc = NULL;
     krb5_data scratch, plain;
     krb5_keyblock *armor_key = cb->fast_armor(context, rock);
@@ -66,6 +65,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_keyblock *kdc_challenge_key;
     krb5_kdcpreauth_modreq modreq = NULL;
     int i = 0;
+    char *ai = NULL, *realmstr = NULL;
+    krb5_data realm = request->server->realm;
 
     plain.data = NULL;
 
@@ -84,6 +85,15 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         if (plain.data == NULL)
             retval = ENOMEM;
     }
+
+    /* Check for a configured FAST ec auth indicator. */
+    realmstr = k5memdup0(realm.data, realm.length, &retval);
+    if (realmstr != NULL)
+        retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+                                    realmstr,
+                                    KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR,
+                                    NULL, &ai);
+
     if (retval == 0)
         retval = cb->client_keys(context, rock, &client_keys);
     if (retval == 0) {
@@ -113,21 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     if (retval == 0)
         retval = decode_krb5_pa_enc_ts(&plain, &ts);
     if (retval == 0)
-        retval = krb5_timeofday(context, &now);
+        retval = krb5_check_clockskew(context, ts->patimestamp);
     if (retval == 0) {
-        if (labs(now-ts->patimestamp) < context->clockskew) {
-            enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-            /*
-             * If this fails, we won't generate a reply to the client.  That
-             * may cause the client to fail, but at this point the KDC has
-             * considered this a success, so the return value is ignored.
-             */
-            if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
-                                     &client_keys[i], "challengelongterm",
-                                     &kdc_challenge_key) == 0)
-                modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
-        } else { /*skew*/
-            retval = KRB5KRB_AP_ERR_SKEW;
+        enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+        /*
+         * If this fails, we won't generate a reply to the client.  That may
+         * cause the client to fail, but at this point the KDC has considered
+         * this a success, so the return value is ignored.
+         */
+        if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
+                                 &client_keys[i], "challengelongterm",
+                                 &kdc_challenge_key) == 0) {
+            modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
+            if (ai != NULL)
+                cb->add_auth_indicator(context, rock, ai);
         }
     }
     cb->free_keys(context, rock, client_keys);
@@ -137,6 +146,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         krb5_free_enc_data(context, enc);
     if (ts)
         krb5_free_pa_enc_ts(context, ts);
+    free(realmstr);
+    free(ai);
 
     (*respond)(arg, retval, modreq, NULL, NULL);
 }
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index e80dc12a8cf3..25fc784576ef 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -58,7 +58,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_keyblock               key;
     krb5_key_data *             client_key;
     krb5_int32                  start;
-    krb5_timestamp              timenow;
 
     scratch.data = (char *)pa->contents;
     scratch.length = pa->length;
@@ -95,14 +94,10 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
         goto cleanup;
 
-    if ((retval = krb5_timeofday(context, &timenow)) != 0)
+    retval = krb5_check_clockskew(context, pa_enc->patimestamp);
+    if (retval)
         goto cleanup;
 
-    if (labs(timenow - pa_enc->patimestamp) > context->clockskew) {
-        retval = KRB5KRB_AP_ERR_SKEW;
-        goto cleanup;
-    }
-
     setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
 
     retval = 0;
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 29f9dbbf07eb..754570c01310 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
                     krb5_db_entry server, krb5_timestamp kdc_time,
                     const char **status, krb5_pa_data ***e_data)
 {
-    int errcode;
     krb5_error_code ret;
 
     /*
@@ -654,7 +653,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
     }
 
     /* The client must not be expired */
-    if (client.expiration && client.expiration < kdc_time) {
+    if (client.expiration && ts_after(kdc_time, client.expiration)) {
         *status = "CLIENT EXPIRED";
         if (vague_errors)
             return(KRB_ERR_GENERIC);
@@ -664,7 +663,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
 
     /* The client's password must not be expired, unless the server is
        a KRB5_KDC_PWCHANGE_SERVICE. */
-    if (client.pw_expiration && client.pw_expiration < kdc_time &&
+    if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) &&
         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
         *status = "CLIENT KEY EXPIRED";
         if (vague_errors)
@@ -674,7 +673,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
     }
 
     /* The server must not be expired */
-    if (server.expiration && server.expiration < kdc_time) {
+    if (server.expiration && ts_after(kdc_time, server.expiration)) {
         *status = "SERVICE EXPIRED";
         return(KDC_ERR_SERVICE_EXP);
     }
@@ -750,12 +749,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
     if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
         return errcode_to_protocol(ret);
 
-    /* Check against local policy. */
-    errcode = against_local_policy_as(request, client, server,
-                                      kdc_time, status, e_data);
-    if (errcode)
-        return errcode;
-
     return 0;
 }
 
@@ -1220,8 +1213,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
     req_data.data = (char *)pa_data->contents;
 
     code = decode_krb5_pa_for_user(&req_data, &for_user);
-    if (code)
+    if (code) {
+        *status = "DECODE_PA_FOR_USER";
         return code;
+    }
 
     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
     if (code) {
@@ -1320,8 +1315,10 @@ kdc_process_s4u_x509_user(krb5_context context,
     req_data.data = (char *)pa_data->contents;
 
     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
-    if (code)
+    if (code) {
+        *status = "DECODE_PA_S4U_X509_USER";
         return code;
+    }
 
     code = verify_s4u_x509_user_checksum(context,
                                          tgs_subkey ? tgs_subkey :
@@ -1624,6 +1621,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
      * that is validated previously in validate_tgs_request().
      */
     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
+        *status = "INVALID_S4U2PROXY_OPTIONS";
         return KRB5KDC_ERR_BADOPTION;
     }
 
@@ -1631,6 +1629,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
     if (!krb5_principal_compare(kdc_context,
                                 server->princ, /* after canon */
                                 server_princ)) {
+        *status = "EVIDENCE_TICKET_MISMATCH";
         return KRB5KDC_ERR_SERVER_NOMATCH;
     }
 
@@ -1760,14 +1759,19 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
                        krb5_db_entry *server,
                        krb5_timestamp *out_endtime)
 {
-    krb5_timestamp until, life;
+    krb5_timestamp until;
+    krb5_deltat life;
 
     if (till == 0)
         till = kdc_infinity;
 
-    until = min(till, endtime);
+    until = ts_min(till, endtime);
 
-    life = until - starttime;
+    /* Determine the requested lifetime, capped at the maximum valid time
+     * interval. */
+    life = ts_delta(until, starttime);
+    if (ts_after(until, starttime) && life < 0)
+        life = INT32_MAX;
 
     if (client != NULL && client->max_life != 0)
         life = min(life, client->max_life);
@@ -1776,7 +1780,7 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
     if (kdc_active_realm->realm_maxlife != 0)
         life = min(life, kdc_active_realm->realm_maxlife);
 
-    *out_endtime = starttime + life;
+    *out_endtime = ts_incr(starttime, life);
 }
 
 /*
@@ -1791,6 +1795,7 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
 {
     krb5_timestamp rtime, max_rlife;
 
+    clear(tkt->flags, TKT_FLG_RENEWABLE);
     tkt->times.renew_till = 0;
 
     /* Don't issue renewable tickets if the client or server don't allow it,
@@ -1806,25 +1811,27 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
     if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE))
         rtime = request->rtime ? request->rtime : kdc_infinity;
     else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
-             tkt->times.endtime < request->till)
+             ts_after(request->till, tkt->times.endtime))
         rtime = request->till;
     else
         return;
 
     /* Truncate it to the allowable renewable time. */
     if (tgt != NULL)
-        rtime = min(rtime, tgt->times.renew_till);
+        rtime = ts_min(rtime, tgt->times.renew_till);
     max_rlife = min(server->max_renewable_life, realm->realm_maxrlife);
     if (client != NULL)
         max_rlife = min(max_rlife, client->max_renewable_life);
-    rtime = min(rtime, tkt->times.starttime + max_rlife);
+    rtime = ts_min(rtime, ts_incr(tkt->times.starttime, max_rlife));
 
-    /* Make the ticket renewable if the truncated requested time is larger than
-     * the ticket end time. */
-    if (rtime > tkt->times.endtime) {
-        setflag(tkt->flags, TKT_FLG_RENEWABLE);
-        tkt->times.renew_till = rtime;
-    }
+    /* If the client only specified renewable-ok, don't issue a renewable
+     * ticket unless the truncated renew time exceeds the ticket end time. */
+    if (!isflagset(request->kdc_options, KDC_OPT_RENEWABLE) &&
+        !ts_after(rtime, tkt->times.endtime))
+        return;
+
+    setflag(tkt->flags, TKT_FLG_RENEWABLE);
+    tkt->times.renew_till = rtime;
 }
 
 /**
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index bcf05fc2779f..f99efcf505d1 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -140,7 +140,7 @@ cammac_check_kdcver(krb5_context context, krb5_cammac *cammac,
 /* do_as_req.c */
 void
 process_as_req (krb5_kdc_req *, krb5_data *,
-                const krb5_fulladdr *, kdc_realm_t *,
+                const krb5_fulladdr *, const krb5_fulladdr *, kdc_realm_t *,
                 verto_ctx *, loop_respond_fn, void *);
 
 /* do_tgs_req.c */
@@ -151,7 +151,7 @@ process_tgs_req (struct server_handle *, krb5_data *,
 /* dispatch.c */
 void
 dispatch (void *,
-          struct sockaddr *,
+          const krb5_fulladdr *,
           const krb5_fulladdr *,
           krb5_data *,
           int,
@@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
 #endif
     ;
 
-/* policy.c */
-int
-against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
-                         krb5_db_entry, krb5_timestamp,
-                         const char **, krb5_pa_data ***);
-
-int
-against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
-                          krb5_ticket *, const char **,
-                          krb5_pa_data ***);
-
 /* kdc_preauth.c */
 krb5_boolean
 enctype_requires_etype_info_2(krb5_enctype enctype);
@@ -346,7 +335,9 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
                          krb5_db_entry *server, krb5_enc_tkt_part *tkt);
 
 void
-log_as_req(krb5_context context, const krb5_fulladdr *from,
+log_as_req(krb5_context context,
+           const krb5_fulladdr *local_addr,
+           const krb5_fulladdr *remote_addr,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            krb5_db_entry *client, const char *cname,
            krb5_db_entry *server, const char *sname,
@@ -452,6 +443,8 @@ struct krb5_kdcpreauth_rock_st {
 #define max(a, b)       ((a) > (b) ? (a) : (b))
 #endif
 
+#define ts_min(a, b) (ts_after(a, b) ? (b) : (a))
+
 #define ADDRTYPE2FAMILY(X)                                              \
     ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
 
diff --git a/src/kdc/main.c b/src/kdc/main.c
index ebc852bba2e9..f2226da2597f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -31,6 +31,7 @@
 #include "kdc_util.h"
 #include "kdc_audit.h"
 #include "extern.h"
+#include "policy.h"
 #include "kdc5_err.h"
 #include "kdb_kt.h"
 #include "net-server.h"
@@ -986,6 +987,12 @@ int main(int argc, char **argv)
 
     load_preauth_plugins(&shandle, kcontext, ctx);
     load_authdata_plugins(kcontext);
+    retval = load_kdcpolicy_plugins(kcontext);
+    if (retval) {
+        kdc_err(kcontext, retval, _("while loading KDC policy plugin"));
+        finish_realms();
+        return 1;
+    }
 
     retval = setup_sam();
     if (retval) {
@@ -1068,6 +1075,7 @@ int main(int argc, char **argv)
     krb5_klog_syslog(LOG_INFO, _("shutting down"));
     unload_preauth_plugins(kcontext);
     unload_authdata_plugins(kcontext);
+    unload_kdcpolicy_plugins(kcontext);
     unload_audit_modules(kcontext);
     krb5_klog_close(kcontext);
     finish_realms();
diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index 6cba4303f81d..26c16f97cb53 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -1,67 +1,246 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /* kdc/policy.c - Policy decision routines for KDC */
 /*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
  *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "k5-int.h"
 #include "kdc_util.h"
 #include "extern.h"
+#include "policy.h"
+#include "adm_proto.h"
+#include <krb5/kdcpolicy_plugin.h>
+#include <syslog.h>
+
+typedef struct kdcpolicy_handle_st {
+    struct krb5_kdcpolicy_vtable_st vt;
+    krb5_kdcpolicy_moddata moddata;
+} *kdcpolicy_handle;
+
+static kdcpolicy_handle *handles;
+
+static void
+free_indicators(char **ais)
+{
+    size_t i;
 
-int
-against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
-                        krb5_db_entry server, krb5_timestamp kdc_time,
-                        const char **status, krb5_pa_data ***e_data)
+    if (ais == NULL)
+        return;
+    for (i = 0; ais[i] != NULL; i++)
+        free(ais[i]);
+    free(ais);
+}
+
+/* Convert inds to a null-terminated list of C strings. */
+static krb5_error_code
+authind_strings(krb5_data *const *inds, char ***strs_out)
 {
-#if 0
-    /* An AS request must include the addresses field */
-    if (request->addresses == 0) {
-        *status = "NO ADDRESS";
-        return KRB5KDC_ERR_POLICY;
+    krb5_error_code ret;
+    char **list = NULL;
+    size_t i, count;
+
+    *strs_out = NULL;
+
+    for (count = 0; inds != NULL && inds[count] != NULL; count++);
+    list = k5calloc(count + 1, sizeof(*list), &ret);
+    if (list == NULL)
+        goto error;
+
+    for (i = 0; i < count; i++) {
+        list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
+        if (list[i] == NULL)
+            goto error;
     }
-#endif
 
-    return 0;                   /* not against policy */
+    *strs_out = list;
+    return 0;
+
+error:
+    free_indicators(list);
+    return ret;
+}
+
+/* Constrain times->endtime to life and times->renew_till to rlife, relative to
+ * now. */
+static void
+update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
+                    krb5_deltat life, krb5_deltat rlife)
+{
+    if (life)
+        times->endtime = ts_min(ts_incr(now, life), times->endtime);
+    if (rlife)
+        times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
+}
+
+/* Check an AS request against kdcpolicy modules, updating times with any
+ * module endtime constraints.  Set an appropriate status string on error. */
+krb5_error_code
+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
+                   const krb5_db_entry *client, const krb5_db_entry *server,
+                   krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                   krb5_ticket_times *times, const char **status)
+{
+    krb5_deltat life, rlife;
+    krb5_error_code ret;
+    kdcpolicy_handle *hp, h;
+    char **ais = NULL;
+
+    *status = NULL;
+
+    ret = authind_strings(auth_indicators, &ais);
+    if (ret)
+        goto done;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.check_as == NULL)
+            continue;
+
+        ret = h->vt.check_as(context, h->moddata, request, client, server,
+                             (const char **)ais, status, &life, &rlife);
+        if (ret)
+            goto done;
+
+        update_ticket_times(times, kdc_time, life, rlife);
+    }
+
+done:
+    free_indicators(ais);
+    return ret;
 }
 
 /*
- * This is where local policy restrictions for the TGS should placed.
+ * Check the TGS request against the local TGS policy.  Accepts an
+ * authentication indicator for the module policy decisions.  Returns 0 and a
+ * NULL status string on success.
  */
 krb5_error_code
-against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
-                         krb5_ticket *ticket, const char **status,
-                         krb5_pa_data ***e_data)
+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
+                    const krb5_db_entry *server, const krb5_ticket *ticket,
+                    krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                    krb5_ticket_times *times, const char **status)
 {
-#if 0
-    /*
-     * For example, if your site wants to disallow ticket forwarding,
-     * you might do something like this:
-     */
-
-    if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
-        *status = "FORWARD POLICY";
-        return KRB5KDC_ERR_POLICY;
+    krb5_deltat life, rlife;
+    krb5_error_code ret;
+    kdcpolicy_handle *hp, h;
+    char **ais = NULL;
+
+    *status = NULL;
+
+    ret = authind_strings(auth_indicators, &ais);
+    if (ret)
+        goto done;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.check_tgs == NULL)
+            continue;
+
+        ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
+                              (const char **)ais, status, &life, &rlife);
+        if (ret)
+            goto done;
+
+        update_ticket_times(times, kdc_time, life, rlife);
     }
-#endif
 
-    return 0;                           /* not against policy */
+done:
+    free_indicators(ais);
+    return ret;
+}
+
+void
+unload_kdcpolicy_plugins(krb5_context context)
+{
+    kdcpolicy_handle *hp, h;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.fini != NULL)
+            h->vt.fini(context, h->moddata);
+        free(h);
+    }
+    free(handles);
+    handles = NULL;
+}
+
+krb5_error_code
+load_kdcpolicy_plugins(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
+    kdcpolicy_handle h;
+    size_t count;
+
+    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
+    if (ret)
+        goto cleanup;
+
+    for (count = 0; modules[count] != NULL; count++);
+    handles = k5calloc(count + 1, sizeof(*handles), &ret);
+    if (handles == NULL)
+        goto cleanup;
+
+    count = 0;
+    for (mod = modules; *mod != NULL; mod++) {
+        h = k5calloc(1, sizeof(*h), &ret);
+        if (h == NULL)
+            goto cleanup;
+
+        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        if (ret) {              /* Version mismatch. */
+            TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
+            free(h);
+            continue;
+        }
+        if (h->vt.init != NULL) {
+            ret = h->vt.init(context, &h->moddata);
+            if (ret == KRB5_PLUGIN_NO_HANDLE) {
+                TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
+                free(h);
+                continue;
+            }
+            if (ret) {
+                kdc_err(context, ret, _("while loading policy module %s"),
+                        h->vt.name);
+                free(h);
+                goto cleanup;
+            }
+        }
+        handles[count++] = h;
+    }
+
+    ret = 0;
+
+cleanup:
+    if (ret)
+        unload_kdcpolicy_plugins(context);
+    k5_plugin_free_modules(context, modules);
+    return ret;
 }
diff --git a/src/kdc/policy.h b/src/kdc/policy.h
index 6b000dc90346..2a57b0a01683 100644
--- a/src/kdc/policy.h
+++ b/src/kdc/policy.h
@@ -26,11 +26,22 @@
 #ifndef __KRB5_KDC_POLICY__
 #define __KRB5_KDC_POLICY__
 
-extern int against_postdate_policy (krb5_timestamp);
+krb5_error_code
+load_kdcpolicy_plugins(krb5_context context);
 
-extern int against_flag_policy_as (const krb5_kdc_req *);
+void
+unload_kdcpolicy_plugins(krb5_context context);
 
-extern int against_flag_policy_tgs (const krb5_kdc_req *,
-                                    const krb5_ticket *);
+krb5_error_code
+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
+                   const krb5_db_entry *client, const krb5_db_entry *server,
+                   krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                   krb5_ticket_times *times, const char **status);
+
+krb5_error_code
+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
+                    const krb5_db_entry *server, const krb5_ticket *ticket,
+                    krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                    krb5_ticket_times *times, const char **status);
 
 #endif /* __KRB5_KDC_POLICY__ */
diff --git a/src/kdc/replay.c b/src/kdc/replay.c
index 8da7ac19aef3..caca783bf1ab 100644
--- a/src/kdc/replay.c
+++ b/src/kdc/replay.c
@@ -61,7 +61,7 @@ static size_t total_size = 0;
 static krb5_ui_4 seed;
 
 #define STALE_TIME      (2*60)            /* two minutes */
-#define STALE(ptr, now) (abs((ptr)->timein - (now)) >= STALE_TIME)
+#define STALE(ptr, now) (ts_after(now, ts_incr((ptr)->timein, STALE_TIME)))
 
 /* Return x rotated to the left by r bits. */
 static inline krb5_ui_4
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
index 8f7717a011c2..2d0432e338ac 100755
--- a/src/kdc/t_emptytgt.py
+++ b/src/kdc/t_emptytgt.py
@@ -2,7 +2,6 @@
 from k5test import *
 
 realm = K5Realm(create_host=False)
-output = realm.run([kvno, 'krbtgt/'], expected_code=1)
-if 'not found in Kerberos database' not in output:
-    fail('TGT lookup for empty realm failed in unexpected way')
+realm.run([kvno, 'krbtgt/'], expected_code=1,
+          expected_msg='not found in Kerberos database')
 success('Empty tgt lookup.')
diff --git a/src/kdc/t_replay.c b/src/kdc/t_replay.c
index 1442e0e8ceee..00bb39012680 100644
--- a/src/kdc/t_replay.c
+++ b/src/kdc/t_replay.c
@@ -36,10 +36,7 @@
 
 #ifndef NOCACHE
 
-#include <stdarg.h>
-#include <stddef.h>
-#include <setjmp.h>
-#include <cmocka.h>
+#include "k5-cmocka.h"
 
 /* For wrapping functions */
 #include "k5-int.h"
@@ -623,6 +620,8 @@ test_kdc_check_lookaside_hit(void **state)
     assert_true(data_eq(rep, *result_data));
     assert_int_equal(hits, 1);
     assert_int_equal(e->num_hits, 1);
+
+    krb5_free_data(context, result_data);
 }
 
 static void
@@ -700,6 +699,8 @@ test_kdc_check_lookaside_hit_multiple(void **state)
     assert_int_equal(e1->num_hits, 1);
     assert_int_equal(e2->num_hits, 0);
 
+    krb5_free_data(context, result_data);
+
     /* Set result_data so we can verify that it is reset to NULL. */
     result_data = &req1;
     result = kdc_check_lookaside(context, &req2, &result_data);
@@ -733,6 +734,8 @@ test_kdc_check_lookaside_hit_hash_collision(void **state)
     assert_int_equal(e1->num_hits, 1);
     assert_int_equal(e2->num_hits, 0);
 
+    krb5_free_data(context, result_data);
+
     /* Set result_data so we can verify that it is reset to NULL. */
     result_data = &req1;
     result = kdc_check_lookaside(context, &req2, &result_data);
@@ -903,7 +906,7 @@ test_kdc_insert_lookaside_cache_expire(void **state)
     assert_non_null(e);
     e->num_hits = 5;
 
-    time_return(STALE_TIME, 0);
+    time_return(STALE_TIME + 1, 0);
     kdc_insert_lookaside(context, &req2, NULL);
 
     assert_null(K5_LIST_FIRST(&hash_table[req_hash1]));
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index a30cacc665a1..33cfbcd8184f 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -186,7 +186,7 @@ static int
 check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
                    krb5_timestamp kdc_time, const char **status)
 {
-    if (server.expiration && server.expiration < kdc_time) {
+    if (server.expiration && ts_after(kdc_time, server.expiration)) {
         *status = "SERVICE EXPIRED";
         return KDC_ERR_SERVICE_EXP;
     }
@@ -222,7 +222,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
        KDC time. */
     if (req->kdc_options & KDC_OPT_VALIDATE) {
         starttime = times->starttime ? times->starttime : times->authtime;
-        if (starttime > kdc_time) {
+        if (ts_after(starttime, kdc_time)) {
             *status = "NOT_YET_VALID";
             return KRB_AP_ERR_TKT_NYV;
         }
@@ -231,7 +231,8 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
      * Check the renew_till time.  The endtime was already
      * been checked in the initial authentication check.
      */
-    if ((req->kdc_options & KDC_OPT_RENEW) && times->renew_till < kdc_time) {
+    if ((req->kdc_options & KDC_OPT_RENEW) &&
+        ts_after(kdc_time, times->renew_till)) {
         *status = "TKT_EXPIRED";
         return KRB_AP_ERR_TKT_EXPIRED;
     }
@@ -374,11 +375,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
     if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
         return errcode_to_protocol(ret);
 
-    /* Check local policy. */
-    errcode = against_local_policy_tgs(request, server, ticket,
-                                       status, e_data);
-    if (errcode)
-        return errcode;
-
     return 0;
 }
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index 29ec84a15b22..a40da927ef16 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -105,17 +105,6 @@ paddr(struct sockaddr *sa)
     return buf;
 }
 
-/* Return true if sa is an IPv4 or IPv6 wildcard address. */
-static int
-is_wildcard(struct sockaddr *sa)
-{
-    if (sa->sa_family == AF_INET6)
-        return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr);
-    else if (sa->sa_family == AF_INET)
-        return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY;
-    return 0;
-}
-
 /* KDC data.  */
 
 enum conn_type {
@@ -142,8 +131,8 @@ struct connection {
     struct sockaddr_storage addr_s;
     socklen_t addrlen;
     char addrbuf[56];
-    krb5_fulladdr faddr;
-    krb5_address kaddr;
+    krb5_address remote_addr_buf;
+    krb5_fulladdr remote_addr;
 
     /* Incoming data (TCP) */
     size_t bufsiz;
@@ -451,14 +440,6 @@ loop_add_rpc_service(int default_port, const char *addresses, u_long prognum,
 #define SOCKET_ERRNO errno
 #include "foreachaddr.h"
 
-struct socksetup {
-    verto_ctx *ctx;
-    void *handle;
-    const char *prog;
-    krb5_error_code retval;
-    int listen_backlog;
-};
-
 static void
 free_connection(struct connection *conn)
 {
@@ -533,7 +514,7 @@ free_socket(verto_ctx *ctx, verto_ev *ev)
 
 static verto_ev *
 make_event(verto_ctx *ctx, verto_ev_flag flags, verto_callback callback,
-           int sock, struct connection *conn, int addevent)
+           int sock, struct connection *conn)
 {
     verto_ev *ev;
     void *tmp;
@@ -544,45 +525,44 @@ make_event(verto_ctx *ctx, verto_ev_flag flags, verto_callback callback,
         return NULL;
     }
 
-    if (addevent) {
-        if (!ADD(events, ev, tmp)) {
-            com_err(conn->prog, ENOMEM, _("cannot save event"));
-            verto_del(ev);
-            return NULL;
-        }
+    if (!ADD(events, ev, tmp)) {
+        com_err(conn->prog, ENOMEM, _("cannot save event"));
+        verto_del(ev);
+        return NULL;
     }
 
     verto_set_private(ev, conn, free_socket);
     return ev;
 }
 
-static verto_ev *
-add_fd(struct socksetup *data, int sock, enum conn_type conntype,
-       verto_ev_flag flags, verto_callback callback, int addevent)
+static krb5_error_code
+add_fd(int sock, enum conn_type conntype, verto_ev_flag flags, void *handle,
+       const char *prog, verto_ctx *ctx, verto_callback callback,
+       verto_ev **ev_out)
 {
     struct connection *newconn;
 
+    *ev_out = NULL;
+
 #ifndef _WIN32
     if (sock >= FD_SETSIZE) {
-        data->retval = EMFILE;  /* XXX */
-        com_err(data->prog, 0,
-                _("file descriptor number %d too high"), sock);
-        return 0;
+        com_err(prog, 0, _("file descriptor number %d too high"), sock);
+        return EMFILE;
     }
 #endif
     newconn = malloc(sizeof(*newconn));
     if (newconn == NULL) {
-        data->retval = ENOMEM;
-        com_err(data->prog, ENOMEM,
+        com_err(prog, ENOMEM,
                 _("cannot allocate storage for connection info"));
-        return 0;
+        return ENOMEM;
     }
     memset(newconn, 0, sizeof(*newconn));
-    newconn->handle = data->handle;
-    newconn->prog = data->prog;
+    newconn->handle = handle;
+    newconn->prog = prog;
     newconn->type = conntype;
 
-    return make_event(data->ctx, flags, callback, sock, newconn, addevent);
+    *ev_out = make_event(ctx, flags, callback, sock, newconn);
+    return 0;
 }
 
 static void process_packet(verto_ctx *ctx, verto_ev *ev);
@@ -592,77 +572,62 @@ static void process_tcp_connection_write(verto_ctx *ctx, verto_ev *ev);
 static void accept_rpc_connection(verto_ctx *ctx, verto_ev *ev);
 static void process_rpc_connection(verto_ctx *ctx, verto_ev *ev);
 
-static verto_ev *
-add_tcp_read_fd(struct socksetup *data, int sock)
-{
-    return add_fd(data, sock, CONN_TCP,
-                  VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST,
-                  process_tcp_connection_read, 1);
-}
-
 /*
  * Create a socket and bind it to addr.  Ensure the socket will work with
  * select().  Set the socket cloexec, reuseaddr, and if applicable v6-only.
- * Does not call listen().  Returns -1 on failure after logging an error.
+ * Does not call listen().  On failure, log an error and return an error code.
  */
-static int
-create_server_socket(struct socksetup *data, struct sockaddr *addr, int type)
+static krb5_error_code
+create_server_socket(struct sockaddr *addr, int type, const char *prog,
+                     int *fd_out)
 {
-    int sock;
+    int sock, e;
+
+    *fd_out = -1;
 
     sock = socket(addr->sa_family, type, 0);
     if (sock == -1) {
-        data->retval = errno;
-        com_err(data->prog, errno, _("Cannot create TCP server socket on %s"),
+        e = errno;
+        com_err(prog, e, _("Cannot create TCP server socket on %s"),
                 paddr(addr));
-        return -1;
+        return e;
     }
     set_cloexec_fd(sock);
 
 #ifndef _WIN32                  /* Windows FD_SETSIZE is a count. */
     if (sock >= FD_SETSIZE) {
         close(sock);
-        com_err(data->prog, 0, _("TCP socket fd number %d (for %s) too high"),
+        com_err(prog, 0, _("TCP socket fd number %d (for %s) too high"),
                 sock, paddr(addr));
-        return -1;
+        return EMFILE;
     }
 #endif
 
-    if (setreuseaddr(sock, 1) < 0) {
-        com_err(data->prog, errno,
-                _("Cannot enable SO_REUSEADDR on fd %d"), sock);
-    }
+    if (setreuseaddr(sock, 1) < 0)
+        com_err(prog, errno, _("Cannot enable SO_REUSEADDR on fd %d"), sock);
 
     if (addr->sa_family == AF_INET6) {
 #ifdef IPV6_V6ONLY
-        if (setv6only(sock, 1))
-            com_err(data->prog, errno,
-                    _("setsockopt(%d,IPV6_V6ONLY,1) failed"), sock);
-        else
-            com_err(data->prog, 0, _("setsockopt(%d,IPV6_V6ONLY,1) worked"),
+        if (setv6only(sock, 1)) {
+            com_err(prog, errno, _("setsockopt(%d,IPV6_V6ONLY,1) failed"),
                     sock);
+        } else {
+            com_err(prog, 0, _("setsockopt(%d,IPV6_V6ONLY,1) worked"), sock);
+        }
 #else
         krb5_klog_syslog(LOG_INFO, _("no IPV6_V6ONLY socket option support"));
 #endif /* IPV6_V6ONLY */
     }
 
     if (bind(sock, addr, sa_socklen(addr)) == -1) {
-        data->retval = errno;
-        com_err(data->prog, errno, _("Cannot bind server socket on %s"),
-                paddr(addr));
+        e = errno;
+        com_err(prog, e, _("Cannot bind server socket on %s"), paddr(addr));
         close(sock);
-        return -1;
+        return e;
     }
 
-    return sock;
-}
-
-static verto_ev *
-add_rpc_data_fd(struct socksetup *data, int sock)
-{
-    return add_fd(data, sock, CONN_RPC,
-                  VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST,
-                  process_rpc_connection, 1);
+    *fd_out = sock;
+    return 0;
 }
 
 static const int one = 1;
@@ -716,12 +681,13 @@ static const enum conn_type bind_conn_types[] =
  *      The conn_type of this socket.
  */
 static krb5_error_code
-setup_socket(struct socksetup *data, struct bind_address *ba,
-             struct sockaddr *sock_address, verto_callback vcb,
-             enum conn_type ctype)
+setup_socket(struct bind_address *ba, struct sockaddr *sock_address,
+             void *handle, const char *prog, verto_ctx *ctx,
+             int tcp_listen_backlog, verto_callback vcb, enum conn_type ctype)
 {
     krb5_error_code ret;
     struct connection *conn;
+    verto_ev_flag flags;
     verto_ev *ev = NULL;
     int sock = -1;
 
@@ -729,18 +695,16 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
                      bind_type_names[ba->type], paddr(sock_address));
 
     /* Create the socket. */
-    sock = create_server_socket(data, sock_address, bind_socktypes[ba->type]);
-    if (sock == -1) {
-        ret = data->retval;
+    ret = create_server_socket(sock_address, bind_socktypes[ba->type], prog,
+                               &sock);
+    if (ret)
         goto cleanup;
-    }
 
     /* Listen for backlogged connections on TCP sockets.  (For RPC sockets this
      * will be done by svc_register().) */
-    if (ba->type == TCP && listen(sock, data->listen_backlog) != 0) {
+    if (ba->type == TCP && listen(sock, tcp_listen_backlog) != 0) {
         ret = errno;
-        com_err(data->prog, errno,
-                _("Cannot listen on %s server socket on %s"),
+        com_err(prog, errno, _("Cannot listen on %s server socket on %s"),
                 bind_type_names[ba->type], paddr(sock_address));
         goto cleanup;
     }
@@ -748,7 +712,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
     /* Set non-blocking I/O for UDP and TCP listener sockets. */
     if (ba->type != RPC && setnbio(sock) != 0) {
         ret = errno;
-        com_err(data->prog, errno,
+        com_err(prog, errno,
                 _("cannot set listening %s socket on %s non-blocking"),
                 bind_type_names[ba->type], paddr(sock_address));
         goto cleanup;
@@ -757,19 +721,18 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
     /* Turn off the linger option for TCP sockets. */
     if (ba->type == TCP && setnolinger(sock) != 0) {
         ret = errno;
-        com_err(data->prog, errno,
-                _("cannot set SO_LINGER on %s socket on %s"),
+        com_err(prog, errno, _("cannot set SO_LINGER on %s socket on %s"),
                 bind_type_names[ba->type], paddr(sock_address));
         goto cleanup;
     }
 
     /* Try to turn on pktinfo for UDP wildcard sockets. */
-    if (ba->type == UDP && is_wildcard(sock_address)) {
+    if (ba->type == UDP && sa_is_wildcard(sock_address)) {
         krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"),
                          paddr(sock_address));
         ret = set_pktinfo(sock, sock_address->sa_family);
         if (ret) {
-            com_err(data->prog, ret,
+            com_err(prog, ret,
                     _("Cannot request packet info for UDP socket address "
                       "%s port %d"), paddr(sock_address), ba->port);
             krb5_klog_syslog(LOG_INFO, _("System does not support pktinfo yet "
@@ -780,13 +743,11 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
     }
 
     /* Add the socket to the event loop. */
-    ev = add_fd(data, sock, ctype,
-                VERTO_EV_FLAG_IO_READ |
-                VERTO_EV_FLAG_PERSIST |
-                VERTO_EV_FLAG_REINITIABLE, vcb, 1);
-    if (ev == NULL) {
+    flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST |
+        VERTO_EV_FLAG_REINITIABLE;
+    ret = add_fd(sock, ctype, flags, handle, prog, ctx, vcb, &ev);
+    if (ret) {
         krb5_klog_syslog(LOG_ERR, _("Error attempting to add verto event"));
-        ret = data->retval;
         goto cleanup;
     }
 
@@ -829,13 +790,10 @@ cleanup:
  * This function uses getaddrinfo to figure out all the addresses. This will
  * automatically figure out which socket families that should be used on the
  * host making it useful even for wildcard addresses.
- *
- * Arguments:
- * - data
- *      A pointer to the socksetup data.
  */
 static krb5_error_code
-setup_addresses(struct socksetup *data)
+setup_addresses(verto_ctx *ctx, void *handle, const char *prog,
+                int tcp_listen_backlog)
 {
     /* An bind_type enum map for the verto callback functions. */
     static verto_callback *const verto_callbacks[] = {
@@ -896,8 +854,8 @@ setup_addresses(struct socksetup *data)
             /* Set the real port number. */
             sa_setport(ai->ai_addr, addr.port);
 
-            ret = setup_socket(data, &addr, ai->ai_addr,
-                               verto_callbacks[addr.type],
+            ret = setup_socket(&addr, ai->ai_addr, handle, prog, ctx,
+                               tcp_listen_backlog, verto_callbacks[addr.type],
                                bind_conn_types[addr.type]);
             if (ret) {
                 krb5_klog_syslog(LOG_ERR,
@@ -929,9 +887,9 @@ krb5_error_code
 loop_setup_network(verto_ctx *ctx, void *handle, const char *prog,
                    int tcp_listen_backlog)
 {
-    struct socksetup setup_data;
+    krb5_error_code ret;
     verto_ev *ev;
-    int i, ret;
+    int i;
 
     /* Check to make sure that at least one address was added to the loop. */
     if (bind_addresses.n == 0)
@@ -942,15 +900,9 @@ loop_setup_network(verto_ctx *ctx, void *handle, const char *prog,
         verto_del(ev);
     events.n = 0;
 
-    setup_data.ctx = ctx;
-    setup_data.handle = handle;
-    setup_data.prog = prog;
-    setup_data.retval = 0;
-    setup_data.listen_backlog = tcp_listen_backlog;
-
     krb5_klog_syslog(LOG_INFO, _("setting up network..."));
-    ret = setup_addresses(&setup_data);
-    if (ret != 0) {
+    ret = setup_addresses(ctx, handle, prog, tcp_listen_backlog);
+    if (ret) {
         com_err(prog, ret, _("Error setting up network"));
         exit(1);
     }
@@ -999,8 +951,10 @@ struct udp_dispatch_state {
     void *handle;
     const char *prog;
     int port_fd;
-    krb5_address addr;
-    krb5_fulladdr faddr;
+    krb5_address remote_addr_buf;
+    krb5_fulladdr remote_addr;
+    krb5_address local_addr_buf;
+    krb5_fulladdr local_addr;
     socklen_t saddr_len;
     socklen_t daddr_len;
     struct sockaddr_storage saddr;
@@ -1132,10 +1086,15 @@ process_packet(verto_ctx *ctx, verto_ev *ev)
 
     state->request.length = cc;
     state->request.data = state->pktbuf;
-    state->faddr.address = &state->addr;
-    init_addr(&state->faddr, ss2sa(&state->saddr));
+
+    state->remote_addr.address = &state->remote_addr_buf;
+    init_addr(&state->remote_addr, ss2sa(&state->saddr));
+
+    state->local_addr.address = &state->local_addr_buf;
+    init_addr(&state->local_addr, ss2sa(&state->daddr));
+
     /* This address is in net order. */
-    dispatch(state->handle, ss2sa(&state->daddr), &state->faddr,
+    dispatch(state->handle, &state->local_addr, &state->remote_addr,
              &state->request, 0, ctx, process_packet_response, state);
 }
 
@@ -1186,9 +1145,9 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev)
     struct sockaddr_storage addr_s;
     struct sockaddr *addr = (struct sockaddr *)&addr_s;
     socklen_t addrlen = sizeof(addr_s);
-    struct socksetup sockdata;
     struct connection *newconn, *conn;
     char tmpbuf[10];
+    verto_ev_flag flags;
     verto_ev *newev;
 
     conn = verto_get_private(ev);
@@ -1204,13 +1163,9 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev)
 #endif
     setnbio(s), setnolinger(s), setkeepalive(s);
 
-    sockdata.ctx = ctx;
-    sockdata.handle = conn->handle;
-    sockdata.prog = conn->prog;
-    sockdata.retval = 0;
-
-    newev = add_tcp_read_fd(&sockdata, s);
-    if (newev == NULL) {
+    flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST;
+    if (add_fd(s, CONN_TCP, flags, conn->handle, conn->prog, ctx,
+               process_tcp_connection_read, &newev) != 0) {
         close(s);
         return;
     }
@@ -1253,14 +1208,16 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev)
         return;
     }
     newconn->offset = 0;
-    newconn->faddr.address = &newconn->kaddr;
-    init_addr(&newconn->faddr, ss2sa(&newconn->addr_s));
+    newconn->remote_addr.address = &newconn->remote_addr_buf;
+    init_addr(&newconn->remote_addr, ss2sa(&newconn->addr_s));
     SG_SET(&newconn->sgbuf[0], newconn->lenbuf, 4);
     SG_SET(&newconn->sgbuf[1], 0, 0);
 }
 
 struct tcp_dispatch_state {
     struct sockaddr_storage local_saddr;
+    krb5_address local_addr_buf;
+    krb5_fulladdr local_addr;
     struct connection *conn;
     krb5_data request;
     verto_ctx *ctx;
@@ -1288,7 +1245,7 @@ process_tcp_response(void *arg, krb5_error_code code, krb5_data *response)
     state->conn->sgnum = 2;
 
     ev = make_event(state->ctx, VERTO_EV_FLAG_IO_WRITE | VERTO_EV_FLAG_PERSIST,
-                    process_tcp_connection_write, state->sock, state->conn, 1);
+                    process_tcp_connection_write, state->sock, state->conn);
     if (ev) {
         free(state);
         return;
@@ -1381,7 +1338,6 @@ process_tcp_connection_read(verto_ctx *ctx, verto_ev *ev)
     } else {
         /* msglen known. */
         socklen_t local_saddrlen = sizeof(struct sockaddr_storage);
-        struct sockaddr *local_saddrp = NULL;
 
         len = conn->msglen - (conn->offset - 4);
         nread = SOCKET_READ(verto_get_fd(ev),
@@ -1403,10 +1359,14 @@ process_tcp_connection_read(verto_ctx *ctx, verto_ev *ev)
         state->request.data = conn->buffer + 4;
 
         if (getsockname(verto_get_fd(ev), ss2sa(&state->local_saddr),
-                        &local_saddrlen) == 0)
-            local_saddrp = ss2sa(&state->local_saddr);
-
-        dispatch(state->conn->handle, local_saddrp, &conn->faddr,
+                        &local_saddrlen) < 0) {
+            krb5_klog_syslog(LOG_ERR, _("getsockname failed: %s"),
+                             error_message(errno));
+            goto kill_tcp_connection;
+        }
+        state->local_addr.address = &state->local_addr_buf;
+        init_addr(&state->local_addr, ss2sa(&state->local_saddr));
+        dispatch(state->conn->handle, &state->local_addr, &conn->remote_addr,
                  &state->request, 1, ctx, process_tcp_response, state);
     }
 
@@ -1489,18 +1449,13 @@ have_event_for_fd(int fd)
 static void
 accept_rpc_connection(verto_ctx *ctx, verto_ev *ev)
 {
-    struct socksetup sockdata;
+    verto_ev_flag flags;
     struct connection *conn;
     fd_set fds;
     register int s;
 
     conn = verto_get_private(ev);
 
-    sockdata.ctx = ctx;
-    sockdata.handle = conn->handle;
-    sockdata.prog = conn->prog;
-    sockdata.retval = 0;
-
     /* Service the woken RPC listener descriptor. */
     FD_ZERO(&fds);
     FD_SET(verto_get_fd(ev), &fds);
@@ -1519,8 +1474,9 @@ accept_rpc_connection(verto_ctx *ctx, verto_ev *ev)
         if (!FD_ISSET(s, &svc_fdset) || have_event_for_fd(s))
             continue;
 
-        newev = add_rpc_data_fd(&sockdata, s);
-        if (newev == NULL)
+        flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST;
+        if (add_fd(s, CONN_RPC, flags, conn->handle, conn->prog, ctx,
+                   process_rpc_connection, &newev) != 0)
             continue;
         newconn = verto_get_private(newev);
 
@@ -1559,8 +1515,8 @@ accept_rpc_connection(verto_ctx *ctx, verto_ev *ev)
         if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections)
             kill_lru_tcp_or_rpc_connection(newconn->handle, newev);
 
-        newconn->faddr.address = &newconn->kaddr;
-        init_addr(&newconn->faddr, ss2sa(&newconn->addr_s));
+        newconn->remote_addr.address = &newconn->remote_addr_buf;
+        init_addr(&newconn->remote_addr, ss2sa(&newconn->addr_s));
     }
 }
 
diff --git a/src/lib/apputils/udppktinfo.c b/src/lib/apputils/udppktinfo.c
index bc7ad09b070c..c096c12b7e61 100644
--- a/src/lib/apputils/udppktinfo.c
+++ b/src/lib/apputils/udppktinfo.c
@@ -141,19 +141,17 @@ is_socket_bound_to_wildcard(int sock)
 {
     struct sockaddr_storage bound_addr;
     socklen_t bound_addr_len = sizeof(bound_addr);
+    struct sockaddr *sa = ss2sa(&bound_addr);
 
-    if (getsockname(sock, ss2sa(&bound_addr), &bound_addr_len) < 0)
+    if (getsockname(sock, sa, &bound_addr_len) < 0)
         return -1;
 
-    switch (ss2sa(&bound_addr)->sa_family) {
-    case AF_INET:
-        return ss2sin(&bound_addr)->sin_addr.s_addr == INADDR_ANY;
-    case AF_INET6:
-        return IN6_IS_ADDR_UNSPECIFIED(&ss2sin6(&bound_addr)->sin6_addr);
-    default:
+    if (!sa_is_inet(sa)) {
         errno = EINVAL;
         return -1;
     }
+
+    return sa_is_wildcard(sa);
 }
 
 #ifdef HAVE_IP_PKTINFO
@@ -402,7 +400,7 @@ set_msg_from_ipv6_pktinfo(struct msghdr *msg, struct cmsghdr *cmsgptr,
     /*
      * Because of the possibility of asymmetric routing, we
      * normally don't want to specify an interface.  However,
-     * Mac OS X doesn't like sending from a link-local address
+     * macOS doesn't like sending from a link-local address
      * (which can come up in testing at least, if you wind up
      * with a "foo.local" name) unless we do specify the
      * interface.
diff --git a/src/lib/apputils/udppktinfo.h b/src/lib/apputils/udppktinfo.h
index b0c7ea36b7b9..ff5759ab7ad3 100644
--- a/src/lib/apputils/udppktinfo.h
+++ b/src/lib/apputils/udppktinfo.h
@@ -32,7 +32,7 @@
  * This holds whatever additional information might be needed to
  * properly send back to the client from the correct local address.
  *
- * In this case, we only need one datum so far: On Mac OS X, the
+ * In this case, we only need one datum so far: On macOS, the
  * kernel doesn't seem to like sending from link-local addresses
  * unless we specify the correct interface.
  */
diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h
index 0801cb5828c9..67e40a19ca32 100644
--- a/src/lib/crypto/builtin/des/des_int.h
+++ b/src/lib/crypto/builtin/des/des_int.h
@@ -74,7 +74,7 @@
 #endif /* defined(__MACH__) && defined(__APPLE__) */
 
 /* Macro to add deprecated attribute to DES types and functions */
-/* Currently only defined on Mac OS X 10.5 and later.           */
+/* Currently only defined on macOS 10.5 and later.              */
 #ifndef KRB5INT_DES_DEPRECATED
 #define KRB5INT_DES_DEPRECATED
 #endif
diff --git a/src/lib/crypto/builtin/des/destest.c b/src/lib/crypto/builtin/des/destest.c
index 6eeb070d867f..dd2f68ec4032 100644
--- a/src/lib/crypto/builtin/des/destest.c
+++ b/src/lib/crypto/builtin/des/destest.c
@@ -52,6 +52,7 @@
 /* Test a DES implementation against known inputs & outputs. */
 
 #include "des_int.h"
+#include <ctype.h>
 #include <stdio.h>
 
 void convert (char *, unsigned char []);
@@ -160,7 +161,7 @@ convert(text, cblock)
 {
     register int i;
     for (i = 0; i < 8; i++) {
-        if (text[i*2] < 0 || text[i*2] >= 128)
+        if (!isascii((unsigned char)text[i * 2]))
             abort ();
         if (value[(int) text[i*2]] == -1 || value[(int) text[i*2+1]] == -1) {
             printf("Bad value byte %d in %s\n", i, text);
diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c
index 3776f80715ab..df710489eaf0 100644
--- a/src/lib/crypto/builtin/enc_provider/rc4.c
+++ b/src/lib/crypto/builtin/enc_provider/rc4.c
@@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
         return KRB5_BAD_MSIZE;
 
     if (state != NULL) {
-        cipher_state = (ArcFourCipherState *)state->data;
+        cipher_state = (ArcFourCipherState *)(void *)state->data;
         arcfour_ctx = &cipher_state->ctx;
         if (cipher_state->initialized == 0) {
             ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
diff --git a/src/lib/crypto/builtin/sha2/sha256.c b/src/lib/crypto/builtin/sha2/sha256.c
index e34bed575c5f..2b5cbe480503 100644
--- a/src/lib/crypto/builtin/sha2/sha256.c
+++ b/src/lib/crypto/builtin/sha2/sha256.c
@@ -211,14 +211,14 @@ k5_sha256_update(SHA256_CTX *m, const void *v, size_t len)
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
 	    int i;
 	    uint32_t current[16];
-	    struct x32 *u = (struct x32*)m->save;
+	    struct x32 *u = (struct x32*)(void*)m->save;
 	    for(i = 0; i < 8; i++){
 		current[2*i+0] = swap_uint32_t(u[i].a);
 		current[2*i+1] = swap_uint32_t(u[i].b);
 	    }
 	    calc(m, current);
 #else
-	    calc(m, (uint32_t*)m->save);
+	    calc(m, (uint32_t*)(void*)m->save);
 #endif
 	    offset = 0;
 	}
diff --git a/src/lib/crypto/builtin/sha2/sha512.c b/src/lib/crypto/builtin/sha2/sha512.c
index 8f0ce894033f..6130655576c9 100644
--- a/src/lib/crypto/builtin/sha2/sha512.c
+++ b/src/lib/crypto/builtin/sha2/sha512.c
@@ -217,14 +217,14 @@ k5_sha512_update (SHA512_CTX *m, const void *v, size_t len)
 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
 	    int i;
 	    uint64_t current[16];
-	    struct x64 *us = (struct x64*)m->save;
+	    struct x64 *us = (struct x64*)(void*)m->save;
 	    for(i = 0; i < 8; i++){
 		current[2*i+0] = swap_uint64_t(us[i].a);
 		current[2*i+1] = swap_uint64_t(us[i].b);
 	    }
 	    calc(m, current);
 #else
-	    calc(m, (uint64_t*)m->save);
+	    calc(m, (uint64_t*)(void*)m->save);
 #endif
 	    offset = 0;
 	}
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index c5660c5fe1fa..fc01a2ced4ae 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -212,7 +212,7 @@ depend: $(SRCS)
 
 check-unix: t_fortuna
 	if [ $(PRNG_ALG) = fortuna ]; then \
-		$(RUN_TEST) ./t_fortuna > t_fortuna.output; \
+		$(RUN_TEST) ./t_fortuna > t_fortuna.output && \
 		cmp t_fortuna.output $(srcdir)/t_fortuna.expected; \
 	fi
 
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index d75b49c693f0..e5099291e309 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -111,6 +111,7 @@ struct krb5_keytypes {
     prf_func prf;
     krb5_cksumtype required_ctype;
     krb5_flags flags;
+    unsigned int ssf;
 };
 
 #define ETYPE_WEAK 1
diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
index 0ed74bd6ebde..b1b40e7ecd6e 100644
--- a/src/lib/crypto/krb/enctype_util.c
+++ b/src/lib/crypto/krb/enctype_util.c
@@ -131,3 +131,19 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
         return ENOMEM;
     return 0;
 }
+
+/* The security of a mechanism cannot be summarized with a simple integer
+ * value, but we provide a per-enctype value for Cyrus SASL's SSF. */
+krb5_error_code
+k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out)
+{
+    const struct krb5_keytypes *ktp;
+
+    *ssf_out = 0;
+
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+        return EINVAL;
+    *ssf_out = ktp->ssf;
+    return 0;
+}
diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
index 0e5e977d418a..53d4a5c79b47 100644
--- a/src/lib/crypto/krb/etypes.c
+++ b/src/lib/crypto/krb/etypes.c
@@ -42,7 +42,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_des_string_to_key, k5_rand2key_des,
       krb5int_des_prf,
       CKSUMTYPE_RSA_MD5_DES,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 56 },
     { ENCTYPE_DES_CBC_MD4,
       "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
       &krb5int_enc_des, &krb5int_hash_md4,
@@ -51,7 +51,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_des_string_to_key, k5_rand2key_des,
       krb5int_des_prf,
       CKSUMTYPE_RSA_MD4_DES,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 56 },
     { ENCTYPE_DES_CBC_MD5,
       "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
       &krb5int_enc_des, &krb5int_hash_md5,
@@ -60,7 +60,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_des_string_to_key, k5_rand2key_des,
       krb5int_des_prf,
       CKSUMTYPE_RSA_MD5_DES,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 56 },
     { ENCTYPE_DES_CBC_RAW,
       "des-cbc-raw", { 0 }, "DES cbc mode raw",
       &krb5int_enc_des, NULL,
@@ -69,7 +69,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_des_string_to_key, k5_rand2key_des,
       krb5int_des_prf,
       0,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 56 },
     { ENCTYPE_DES3_CBC_RAW,
       "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
       &krb5int_enc_des3, NULL,
@@ -78,7 +78,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_dk_string_to_key, k5_rand2key_des3,
       NULL, /*PRF*/
       0,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 112 },
 
     { ENCTYPE_DES3_CBC_SHA1,
       "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
@@ -89,7 +89,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_dk_string_to_key, k5_rand2key_des3,
       krb5int_dk_prf,
       CKSUMTYPE_HMAC_SHA1_DES3,
-      0 /*flags*/ },
+      0 /*flags*/, 112 },
 
     { ENCTYPE_DES_HMAC_SHA1,
       "des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
@@ -99,7 +99,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_dk_string_to_key, k5_rand2key_des,
       NULL, /*PRF*/
       0,
-      ETYPE_WEAK },
+      ETYPE_WEAK, 56 },
+
+    /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
+     * consider its strength degraded and assign it an SSF value of 64. */
     { ENCTYPE_ARCFOUR_HMAC,
       "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" },
       "ArcFour with HMAC/md5",
@@ -110,7 +113,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
       k5_rand2key_direct, krb5int_arcfour_prf,
       CKSUMTYPE_HMAC_MD5_ARCFOUR,
-      0 /*flags*/ },
+      0 /*flags*/, 64 },
     { ENCTYPE_ARCFOUR_HMAC_EXP,
       "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
       "Exportable ArcFour with HMAC/md5",
@@ -121,7 +124,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
       k5_rand2key_direct, krb5int_arcfour_prf,
       CKSUMTYPE_HMAC_MD5_ARCFOUR,
-      ETYPE_WEAK
+      ETYPE_WEAK, 40
     },
 
     { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -133,7 +136,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_aes_string_to_key, k5_rand2key_direct,
       krb5int_dk_prf,
       CKSUMTYPE_HMAC_SHA1_96_AES128,
-      0 /*flags*/ },
+      0 /*flags*/, 128 },
     { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
       "aes256-cts-hmac-sha1-96", { "aes256-cts", "aes256-sha1" },
       "AES-256 CTS mode with 96-bit SHA-1 HMAC",
@@ -143,7 +146,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_aes_string_to_key, k5_rand2key_direct,
       krb5int_dk_prf,
       CKSUMTYPE_HMAC_SHA1_96_AES256,
-      0 /*flags*/ },
+      0 /*flags*/, 256 },
 
     { ENCTYPE_CAMELLIA128_CTS_CMAC,
       "camellia128-cts-cmac", { "camellia128-cts" },
@@ -155,7 +158,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_camellia_string_to_key, k5_rand2key_direct,
       krb5int_dk_cmac_prf,
       CKSUMTYPE_CMAC_CAMELLIA128,
-      0 /*flags*/ },
+      0 /*flags*/, 128 },
     { ENCTYPE_CAMELLIA256_CTS_CMAC,
       "camellia256-cts-cmac", { "camellia256-cts" },
       "Camellia-256 CTS mode with CMAC",
@@ -166,7 +169,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_camellia_string_to_key, k5_rand2key_direct,
       krb5int_dk_cmac_prf,
       CKSUMTYPE_CMAC_CAMELLIA256,
-      0 /*flags */ },
+      0 /*flags */, 256 },
 
     { ENCTYPE_AES128_CTS_HMAC_SHA256_128,
       "aes128-cts-hmac-sha256-128", { "aes128-sha2" },
@@ -177,7 +180,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_aes2_string_to_key, k5_rand2key_direct,
       krb5int_aes2_prf,
       CKSUMTYPE_HMAC_SHA256_128_AES128,
-      0 /*flags*/ },
+      0 /*flags*/, 128 },
     { ENCTYPE_AES256_CTS_HMAC_SHA384_192,
       "aes256-cts-hmac-sha384-192", { "aes256-sha2" },
       "AES-256 CTS mode with 192-bit SHA-384 HMAC",
@@ -187,7 +190,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
       krb5int_aes2_string_to_key, k5_rand2key_direct,
       krb5int_aes2_prf,
       CKSUMTYPE_HMAC_SHA384_192_AES256,
-      0 /*flags*/ },
+      0 /*flags*/, 256 },
 };
 
 const int krb5int_enctypes_length =
diff --git a/src/lib/crypto/krb/s2k_des.c b/src/lib/crypto/krb/s2k_des.c
index 31a613bebc61..d5c29befcb2e 100644
--- a/src/lib/crypto/krb/s2k_des.c
+++ b/src/lib/crypto/krb/s2k_des.c
@@ -509,7 +509,7 @@ des_s2k(const krb5_data *pw, const krb5_data *salt, unsigned char *key_out)
 #define FETCH4(VAR, IDX)        VAR = temp.ui[IDX/4]
 #define PUT4(VAR, IDX)          temp.ui[IDX/4] = VAR
 
-    copylen = pw->length + (salt ? salt->length : 0);
+    copylen = pw->length + salt->length;
     /* Don't need NUL termination, at this point we're treating it as
        a byte array, not a string.  */
     copy = malloc(copylen);
@@ -517,7 +517,7 @@ des_s2k(const krb5_data *pw, const krb5_data *salt, unsigned char *key_out)
         return ENOMEM;
     if (pw->length > 0)
         memcpy(copy, pw->data, pw->length);
-    if (salt != NULL && salt->length > 0)
+    if (salt->length > 0)
         memcpy(copy + pw->length, salt->data, salt->length);
 
     memset(&temp, 0, sizeof(temp));
diff --git a/src/lib/crypto/krb/s2k_pbkdf2.c b/src/lib/crypto/krb/s2k_pbkdf2.c
index ec5856c2be79..1fea03408c76 100644
--- a/src/lib/crypto/krb/s2k_pbkdf2.c
+++ b/src/lib/crypto/krb/s2k_pbkdf2.c
@@ -47,7 +47,7 @@ krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
     keybytes = ktp->enc->keybytes;
     keylength = ktp->enc->keylength;
 
-    concatlen = string->length + (salt ? salt->length : 0);
+    concatlen = string->length + salt->length;
 
     concat = k5alloc(concatlen, &ret);
     if (ret != 0)
@@ -63,7 +63,7 @@ krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
 
     if (string->length > 0)
         memcpy(concat, string->data, string->length);
-    if (salt != NULL && salt->length > 0)
+    if (salt->length > 0)
         memcpy(concat + string->length, salt->data, salt->length);
 
     krb5int_nfold(concatlen*8, concat, keybytes*8, foldstring);
diff --git a/src/lib/crypto/krb/s2k_rc4.c b/src/lib/crypto/krb/s2k_rc4.c
index 49ad89d323b0..081a91217c69 100644
--- a/src/lib/crypto/krb/s2k_rc4.c
+++ b/src/lib/crypto/krb/s2k_rc4.c
@@ -10,6 +10,7 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
     krb5_error_code err = 0;
     krb5_crypto_iov iov;
     krb5_data hash_out;
+    char *utf8;
     unsigned char *copystr;
     size_t copystrlen;
 
@@ -20,8 +21,11 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
         return (KRB5_BAD_MSIZE);
 
     /* We ignore salt per the Microsoft spec. */
-    err = krb5int_utf8cs_to_ucs2les(string->data, string->length, &copystr,
-                                    &copystrlen);
+    utf8 = k5memdup0(string->data, string->length, &err);
+    if (utf8 == NULL)
+        return err;
+    err = k5_utf8_to_utf16le(utf8, &copystr, &copystrlen);
+    free(utf8);
     if (err)
         return err;
 
diff --git a/src/lib/crypto/krb/string_to_key.c b/src/lib/crypto/krb/string_to_key.c
index b55ee75d2f34..352a8e8dcce2 100644
--- a/src/lib/crypto/krb/string_to_key.c
+++ b/src/lib/crypto/krb/string_to_key.c
@@ -43,6 +43,7 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype,
                                  const krb5_data *params, krb5_keyblock *key)
 {
     krb5_error_code ret;
+    krb5_data empty = empty_data();
     const struct krb5_keytypes *ktp;
     size_t keylength;
 
@@ -51,8 +52,12 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype,
         return KRB5_BAD_ENCTYPE;
     keylength = ktp->enc->keylength;
 
+    /* For compatibility with past behavior, treat a null salt as empty. */
+    if (salt == NULL)
+        salt = &empty;
+
     /* Fail gracefully if someone is using the old AFS string-to-key hack. */
-    if (salt != NULL && salt->length == SALT_TYPE_AFS_LENGTH)
+    if (salt->length == SALT_TYPE_AFS_LENGTH)
         return EINVAL;
 
     key->contents = malloc(keylength);
diff --git a/src/lib/crypto/krb/t_fortuna.c b/src/lib/crypto/krb/t_fortuna.c
index 4f25bee62cb5..508ffcf915c7 100644
--- a/src/lib/crypto/krb/t_fortuna.c
+++ b/src/lib/crypto/krb/t_fortuna.c
@@ -85,7 +85,7 @@ head_tail_test(struct fortuna_state *st)
 {
     static unsigned char buffer[1024 * 1024];
     unsigned char c;
-    size_t i, len = sizeof(buffer);
+    int i, len = sizeof(buffer);
     int bit, bits[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
     double res;
 
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 447e45644453..82eb5f30c031 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -108,3 +108,4 @@ krb5int_nfold
 k5_allow_weak_pbkdf2iter
 krb5_c_prfplus
 krb5_c_derive_prfplus
+k5_enctype_to_ssf
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 9ad44216d05e..9d3a7e736736 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -575,4 +575,15 @@ gss_import_cred(
 }
 #endif
 
+/*
+ * When used with gss_inquire_sec_context_by_oid(), return a buffer set with
+ * the first member containing an unsigned 32-bit integer in network byte
+ * order.  This is the Security Strength Factor (SSF) associated with the
+ * secure channel established by the security context.  NOTE: This value is
+ * made available solely as an indication for use by APIs like Cyrus SASL that
+ * classify the strength of a secure channel via this number.  The strength of
+ * a channel cannot necessarily be represented by a simple number.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF;
+
 #endif /* GSSAPI_EXT_H_ */
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 5496aa33582c..fa144c2bf9cc 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -157,6 +157,13 @@ static const gss_OID_desc const_oids[] = {
     {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x19"},
     {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1a"},
     {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1b"},
+
+    /*
+     * GSS_SEC_CONTEXT_SASL_SSF_OID 1.2.840.113554.1.2.2.5.15
+     * iso(1) member-body(2) United States(840) mit(113554)
+     * infosys(1) gssapi(2) krb5(2) krb5-gssapi-ext(5) sasl-ssf(15)
+     */
+    {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"},
 };
 
 /* Here are the constants which point to the static structure above.
@@ -218,6 +225,8 @@ GSS_DLLIMP gss_const_OID GSS_C_MA_PFS               = oids+33;
 GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS          = oids+34;
 GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS         = oids+35;
 
+GSS_DLLIMP gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = oids+36;
+
 static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
 gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
 
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 580d08cbf53e..06967aa2753a 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -351,8 +351,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
     if (mech_type)
         *mech_type = ctx->mech_used;
 
-    if (time_rec)
-        *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
+    if (time_rec) {
+        *time_rec = ts_delta(ctx->krb_times.endtime, now) +
+            ctx->k5_context->clockskew;
+    }
 
     /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
      * delegation yet. */
@@ -1146,7 +1148,7 @@ kg_accept_krb5(minor_status, context_handle,
     /* Add the maximum allowable clock skew as a grace period for context
      * expiration, just as we do for the ticket. */
     if (time_rec)
-        *time_rec = ctx->krb_times.endtime + context->clockskew - now;
+        *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
 
     if (ret_flags)
         *ret_flags = ctx->gss_flags;
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 03ee25ec1861..362ba9d86a42 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -550,7 +550,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
     char buf[128];
     krb5_data d;
 
-    snprintf(buf, sizeof(buf), "%ld", (long)refresh_time);
+    snprintf(buf, sizeof(buf), "%u", (unsigned int)ts2tt(refresh_time));
     d = string2data(buf);
     (void)krb5_cc_set_config(context, ccache, NULL, KRB5_CC_CONF_REFRESH_TIME,
                              &d);
@@ -566,8 +566,9 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
 
     if (krb5_timeofday(context, &now))
         return FALSE;
-    if (cred->refresh_time != 0 && now >= cred->refresh_time) {
-        set_refresh_time(context, cred->ccache, cred->refresh_time + 30);
+    if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
+        set_refresh_time(context, cred->ccache,
+                         ts_incr(cred->refresh_time, 30));
         return TRUE;
     }
     return FALSE;
@@ -586,7 +587,8 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,
         return;
 
     /* Make a note to refresh these when they are halfway to expired. */
-    refresh = times->starttime + (times->endtime - times->starttime) / 2;
+    refresh = ts_incr(times->starttime,
+                      ts_delta(times->endtime, times->starttime) / 2);
     set_refresh_time(context, cred->ccache, refresh);
 }
 
@@ -848,7 +850,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
                                   GSS_C_NO_NAME);
             if (GSS_ERROR(ret))
                 goto error_out;
-            *time_rec = (cred->expire > now) ? (cred->expire - now) : 0;
+            *time_rec = ts_after(cred->expire, now) ?
+                ts_delta(cred->expire, now) : 0;
             k5_mutex_unlock(&cred->lock);
         }
     }
diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
index a18cfb05b743..1fdb5a16f2b4 100644
--- a/src/lib/gssapi/krb5/context_time.c
+++ b/src/lib/gssapi/krb5/context_time.c
@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
         return(GSS_S_FAILURE);
     }
 
-    if ((lifetime = ctx->krb_times.endtime - now) <= 0) {
+    lifetime = ts_delta(ctx->krb_times.endtime, now);
+    if (!ctx->initiate)
+        lifetime += ctx->k5_context->clockskew;
+    if (lifetime <= 0) {
         *time_rec = 0;
         *minor_status = 0;
         return(GSS_S_CONTEXT_EXPIRED);
diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c
index f3d7666135cd..027ed4847476 100644
--- a/src/lib/gssapi/krb5/copy_ccache.c
+++ b/src/lib/gssapi/krb5/copy_ccache.c
@@ -8,8 +8,6 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
                         const gss_buffer_t value)
 {
     krb5_gss_cred_id_t k5creds;
-    krb5_cc_cursor cursor;
-    krb5_creds creds;
     krb5_error_code code;
     krb5_context context;
     krb5_ccache out_ccache;
@@ -37,7 +35,7 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
         return GSS_S_FAILURE;
     }
 
-    code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
+    code = krb5_cc_copy_creds(context, k5creds->ccache, out_ccache);
     if (code) {
         k5_mutex_unlock(&k5creds->lock);
         *minor_status = code;
@@ -45,12 +43,6 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
         krb5_free_context(context);
         return(GSS_S_FAILURE);
     }
-    while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor,
-                                       &creds)) {
-        code = krb5_cc_store_cred(context, out_ccache, &creds);
-        krb5_free_cred_contents(context, &creds);
-    }
-    krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
     k5_mutex_unlock(&k5creds->lock);
     *minor_status = code;
     if (code)
diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c
index 652b2604bda3..8054e4a77011 100644
--- a/src/lib/gssapi/krb5/export_cred.c
+++ b/src/lib/gssapi/krb5/export_cred.c
@@ -410,10 +410,11 @@ json_kgcred(krb5_context context, krb5_gss_cred_id_t cred,
     if (ret)
         goto cleanup;
 
-    ret = k5_json_array_fmt(&array, "ivvbbvvvvbiivs", cred->usage, name, imp,
+    ret = k5_json_array_fmt(&array, "ivvbbvvvvbLLvs", cred->usage, name, imp,
                             cred->default_identity, cred->iakerb_mech, keytab,
                             rcache, ccache, ckeytab, cred->have_tgt,
-                            cred->expire, cred->refresh_time, etypes,
+                            (long long)ts2tt(cred->expire),
+                            (long long)ts2tt(cred->refresh_time), etypes,
                             cred->password);
     if (ret)
         goto cleanup;
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index d7bdef7e28a3..e92be88b4730 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1144,6 +1144,12 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
                                               const gss_OID,
                                               gss_buffer_set_t *);
 
+#define GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH 11
+#define GET_SEC_CONTEXT_SASL_SSF_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
+OM_uint32
+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *, const gss_ctx_id_t,
+                                 const gss_OID, gss_buffer_set_t *);
+
 #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
 #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
 
@@ -1425,4 +1431,10 @@ iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
  * the format changes. */
 #define CRED_EXPORT_MAGIC "K5C1"
 
+OM_uint32
+gss_krb5int_get_cred_impersonator(OM_uint32 *minor_status,
+                                  const gss_cred_id_t cred_handle,
+                                  const gss_OID desired_object,
+                                  gss_buffer_set_t *data_set);
+
 #endif /* _GSSAPIP_KRB5_H_ */
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 99092ccab16b..43930dd61aa6 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -126,6 +126,8 @@
 
 #define NO_CI_FLAGS_X_OID_LENGTH 6
 #define NO_CI_FLAGS_X_OID "\x2a\x85\x70\x2b\x0d\x1d"
+#define GET_CRED_IMPERSONATOR_OID_LENGTH 11
+#define GET_CRED_IMPERSONATOR_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e"
 
 const gss_OID_desc krb5_gss_oid_array[] = {
     /* this is the official, rfc-specified OID */
@@ -148,6 +150,8 @@ const gss_OID_desc krb5_gss_oid_array[] = {
     /* gss_nt_krb5_principal.  Object identifier for a krb5_principal. Do not use. */
     {10, "\052\206\110\206\367\022\001\002\002\002"},
     {NO_CI_FLAGS_X_OID_LENGTH, NO_CI_FLAGS_X_OID},
+    /* this is an inquire cred OID */
+    {GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID},
     { 0, 0 }
 };
 
@@ -164,6 +168,7 @@ const gss_OID gss_nt_krb5_principal             = &kg_oids[6];
 const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME        = &kg_oids[5];
 
 const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X       = &kg_oids[7];
+const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR    = &kg_oids[8];
 
 static const gss_OID_set_desc oidsets[] = {
     {1, &kg_oids[0]}, /* RFC OID */
@@ -352,6 +357,10 @@ static struct {
     {
         {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID},
         gss_krb5int_extract_authtime_from_sec_context
+    },
+    {
+        {GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH, GET_SEC_CONTEXT_SASL_SSF_OID},
+        gss_krb5int_sec_context_sasl_ssf
     }
 };
 
@@ -400,13 +409,16 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
 /*
  * gss_inquire_cred_by_oid() methods
  */
-#if 0
+
 static struct {
     gss_OID_desc oid;
     OM_uint32 (*func)(OM_uint32 *, const gss_cred_id_t, const gss_OID, gss_buffer_set_t *);
 } krb5_gss_inquire_cred_by_oid_ops[] = {
+    {
+        {GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID},
+        gss_krb5int_get_cred_impersonator
+    }
 };
-#endif
 
 static OM_uint32 KRB5_CALLCONV
 krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status,
@@ -415,9 +427,7 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status,
                              gss_buffer_set_t *data_set)
 {
     OM_uint32 major_status = GSS_S_FAILURE;
-#if 0
     size_t i;
-#endif
 
     if (minor_status == NULL)
         return GSS_S_CALL_INACCESSIBLE_WRITE;
@@ -440,7 +450,6 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status,
     if (GSS_ERROR(major_status))
         return major_status;
 
-#if 0
     for (i = 0; i < sizeof(krb5_gss_inquire_cred_by_oid_ops)/
              sizeof(krb5_gss_inquire_cred_by_oid_ops[0]); i++) {
         if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_cred_by_oid_ops[i].oid)) {
@@ -450,7 +459,6 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status,
                                                                data_set);
         }
     }
-#endif
 
     *minor_status = EINVAL;
 
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
index 390b00032cce..e145eec3b44c 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.h
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
@@ -96,6 +96,15 @@ GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
  */
 GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
 
+/*
+ * This OID can be used with gss_inquire_cred_by_oid(0 to retrieve the
+ * impersonator name (if any).
+ *
+ * iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5-gssapi-ext(5) get-cred-impersonator(14)
+ */
+GSS_DLLIMP extern const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR;
+
 #define gss_krb5_nt_general_name        gss_nt_krb5_name
 #define gss_krb5_nt_principal           gss_nt_krb5_principal
 #define gss_krb5_nt_service_name        gss_nt_service_name
@@ -169,6 +178,11 @@ OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
     gss_ctx_id_t context_handle,
     krb5_flags *ticket_flags);
 
+/*
+ * Copy krb5 creds from cred_handle into out_ccache, which must already be
+ * initialized.  Use gss_store_cred_into() (new in krb5 1.11) instead, if
+ * possible.
+ */
 OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
     OM_uint32 *minor_status,
     gss_cred_id_t cred_handle,
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 2dc4d0c1a4d5..bb1072fe4ac7 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -494,7 +494,7 @@ iakerb_tkt_creds_ctx(iakerb_ctx_id_t ctx,
         if (code != 0)
             goto cleanup;
 
-        creds.times.endtime = now + time_req;
+        creds.times.endtime = ts_incr(now, time_req);
     }
 
     if (cred->name->ad_context != NULL) {
@@ -669,7 +669,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
         if (code != 0)
             goto cleanup;
 
-        in_creds.times.endtime = now + time_req;
+        in_creds.times.endtime = ts_incr(now, time_req);
     }
 
     /* Make an AS request if we have no creds or it's time to refresh them. */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 70f7955ae1ae..1be1b5878400 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
      * boundaries) because accept_sec_context code is also similarly
      * non-forgiving.
      */
-    if (!krb5_gss_dbg_client_expcreds && result_creds->times.endtime < now) {
+    if (!krb5_gss_dbg_client_expcreds &&
+        ts_after(now, result_creds->times.endtime)) {
         code = KRB5KRB_AP_ERR_TKT_EXPIRED;
         goto cleanup;
     }
@@ -355,9 +356,6 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
     TWRITE_STR(ptr, data->md5.contents, data->md5.length);
     TWRITE_INT(ptr, data->ctx->gss_flags, 0);
 
-    /* done with this, free it */
-    xfree(data->md5.contents);
-
     if (credmsg.data) {
         TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
         TWRITE_INT16(ptr, credmsg.length, 0);
@@ -429,6 +427,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
     code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
                                 NULL, k_cred, &ap_req);
     krb5_auth_con_set_authdata_context(context, ctx->auth_context, NULL);
+    krb5_free_checksum_contents(context, &cksum_struct.md5);
     krb5_free_data_contents(context, &cksum_struct.checksum_data);
     if (code)
         goto cleanup;
@@ -575,7 +574,7 @@ kg_new_connection(
     if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
         ctx->krb_times.endtime = 0;
     } else {
-        ctx->krb_times.endtime = now + time_req;
+        ctx->krb_times.endtime = ts_incr(now, time_req);
     }
 
     if ((code = kg_duplicate_name(context, cred->name, &ctx->here)))
@@ -659,7 +658,7 @@ kg_new_connection(
     if (time_rec) {
         if ((code = krb5_timeofday(context, &now)))
             goto cleanup;
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ts_delta(ctx->krb_times.endtime, now);
     }
 
     /* set the other returns */
@@ -873,7 +872,7 @@ mutual_auth(
     if (time_rec) {
         if ((code = krb5_timeofday(context, &now)))
             goto fail;
-        *time_rec = ctx->krb_times.endtime - now;
+        *time_rec = ts_delta(ctx->krb_times.endtime, now);
     }
 
     if (ret_flags)
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index 9024b3c7ea9c..cac024da1f01 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
 
         /* Add the maximum allowable clock skew as a grace period for context
          * expiration, just as we do for the ticket during authentication. */
-        lifetime = ctx->krb_times.endtime - now;
+        lifetime = ts_delta(ctx->krb_times.endtime, now);
         if (!ctx->initiate)
             lifetime += context->clockskew;
         if (lifetime < 0)
@@ -310,3 +310,30 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status,
 
     return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
 }
+
+OM_uint32
+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *minor_status,
+                                 const gss_ctx_id_t context_handle,
+                                 const gss_OID desired_object,
+                                 gss_buffer_set_t *data_set)
+{
+    krb5_gss_ctx_id_rec *ctx;
+    krb5_key key;
+    krb5_error_code code;
+    gss_buffer_desc ssfbuf;
+    unsigned int ssf;
+    uint8_t buf[4];
+
+    ctx = (krb5_gss_ctx_id_rec *)context_handle;
+    key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
+
+    code = k5_enctype_to_ssf(key->keyblock.enctype, &ssf);
+    if (code)
+        return GSS_S_FAILURE;
+
+    store_32_be(ssf, buf);
+    ssfbuf.value = buf;
+    ssfbuf.length = sizeof(buf);
+
+    return generic_gss_add_buffer_set_member(minor_status, &ssfbuf, data_set);
+}
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index 4e35a056316f..3a73417c083d 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -130,8 +130,9 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
         goto fail;
     }
 
-    if (cred->expire > 0) {
-        if ((lifetime = cred->expire - now) < 0)
+    if (cred->expire != 0) {
+        lifetime = ts_delta(cred->expire, now);
+        if (lifetime < 0)
             lifetime = 0;
     }
     else
@@ -245,3 +246,44 @@ krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
     }
     return(mstat);
 }
+
+OM_uint32
+gss_krb5int_get_cred_impersonator(OM_uint32 *minor_status,
+                                  const gss_cred_id_t cred_handle,
+                                  const gss_OID desired_object,
+                                  gss_buffer_set_t *data_set)
+{
+    krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)cred_handle;
+    gss_buffer_desc rep = GSS_C_EMPTY_BUFFER;
+    krb5_context context = NULL;
+    char *impersonator = NULL;
+    krb5_error_code ret;
+    OM_uint32 major;
+
+    *data_set = GSS_C_NO_BUFFER_SET;
+
+    /* Return an empty buffer set if no impersonator is present */
+    if (cred->impersonator == NULL)
+        return generic_gss_create_empty_buffer_set(minor_status, data_set);
+
+    ret = krb5_gss_init_context(&context);
+    if (ret) {
+        *minor_status = ret;
+        return GSS_S_FAILURE;
+    }
+
+    ret = krb5_unparse_name(context, cred->impersonator, &impersonator);
+    if (ret) {
+        krb5_free_context(context);
+        *minor_status = ret;
+        return GSS_S_FAILURE;
+    }
+
+    rep.value = impersonator;
+    rep.length = strlen(impersonator);
+    major = generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
+
+    krb5_free_unparsed_name(context, impersonator);
+    krb5_free_context(context);
+    return major;
+}
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index 1a5c14c2713b..25d9f2711825 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -110,6 +110,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
         krb5_data plain;
         krb5_enc_data cipher;
         size_t ec_max;
+        size_t encrypt_size;
 
         /* 300: Adds some slop.  */
         if (SIZE_MAX - 300 < message->length)
@@ -128,7 +129,12 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
             return err;
 
         /* Get size of ciphertext.  */
-        bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
+        encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
+        if (encrypt_size > SIZE_MAX / 2) {
+            err = ENOMEM;
+            goto error;
+        }
+        bufsize = 16 + encrypt_size;
         /* Allocate space for header plus encrypted data.  */
         outbuf = gssalloc_malloc(bufsize);
         if (outbuf == NULL) {
@@ -301,7 +307,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
                             int *conf_state, gss_qop_t *qop_state, int toktype)
 {
     krb5_context context = *contextptr;
-    krb5_data plain;
+    krb5_data plain = empty_data();
     uint64_t seqnum;
     size_t ec, rrc;
     int key_usage;
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 26a2d33e7a2c..57720c2eab98 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -219,7 +219,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
         plainlen = tmsglen;
 
         conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
-        if (tmsglen < conflen) {
+        if (tmsglen < (size_t)conflen) {
             if (sealalg != 0xffff)
                 xfree(plain);
             *minor_status = 0;
diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c
index 6062a6dd8052..5f00efe346e3 100644
--- a/src/lib/gssapi/krb5/naming_exts.c
+++ b/src/lib/gssapi/krb5/naming_exts.c
@@ -261,8 +261,7 @@ krb5_gss_inquire_name(OM_uint32 *minor_status,
     krb5_gss_name_t kname;
     krb5_data *kattrs = NULL;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     if (attrs != NULL)
         *attrs = GSS_C_NO_BUFFER_SET;
@@ -319,11 +318,10 @@ krb5_gss_get_name_attribute(OM_uint32 *minor_status,
     krb5_data kattr;
     krb5_boolean kauthenticated;
     krb5_boolean kcomplete;
-    krb5_data kvalue;
-    krb5_data kdisplay_value;
+    krb5_data kvalue = empty_data();
+    krb5_data kdisplay_value = empty_data();
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -355,8 +353,8 @@ krb5_gss_get_name_attribute(OM_uint32 *minor_status,
                                        &kattr,
                                        &kauthenticated,
                                        &kcomplete,
-                                       value ? &kvalue : NULL,
-                                       display_value ? &kdisplay_value : NULL,
+                                       &kvalue,
+                                       &kdisplay_value,
                                        more);
     if (code == 0) {
         if (value != NULL)
@@ -367,14 +365,13 @@ krb5_gss_get_name_attribute(OM_uint32 *minor_status,
         if (complete != NULL)
             *complete = kcomplete;
 
-        if (display_value != NULL) {
-            if (code == 0)
-                code = data_to_gss(&kdisplay_value, display_value);
-            else
-                free(kdisplay_value.data);
-        }
+        if (display_value != NULL && code == 0)
+            code = data_to_gss(&kdisplay_value, display_value);
     }
 
+    free(kdisplay_value.data);
+    free(kvalue.data);
+
     k5_mutex_unlock(&kname->lock);
     krb5_free_context(context);
 
@@ -394,8 +391,7 @@ krb5_gss_set_name_attribute(OM_uint32 *minor_status,
     krb5_data kattr;
     krb5_data kvalue;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -444,8 +440,7 @@ krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
     krb5_gss_name_t kname;
     krb5_data kattr;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -491,8 +486,7 @@ krb5_gss_map_name_to_any(OM_uint32 *minor_status,
     krb5_gss_name_t kname;
     char *kmodule;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -543,8 +537,7 @@ krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
     krb5_gss_name_t kname;
     char *kmodule;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -599,8 +592,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status,
     unsigned char *cp;
     size_t princlen;
 
-    if (minor_status != NULL)
-        *minor_status = 0;
+    *minor_status = 0;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index ff1c310bce5e..10848c1df810 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -284,7 +284,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
         if (code != 0)
             goto cleanup;
 
-        *time_rec = cred->expire - now;
+        *time_rec = ts_delta(cred->expire, now);
     }
 
     major_status = GSS_S_COMPLETE;
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index 9facb3f42671..b07f69fd1572 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
@@ -10,6 +10,7 @@ GSS_C_NT_STRING_UID_NAME
 GSS_C_NT_USER_NAME
 GSS_KRB5_NT_PRINCIPAL_NAME
 GSS_KRB5_CRED_NO_CI_FLAGS_X
+GSS_KRB5_GET_CRED_IMPERSONATOR
 GSS_C_MA_MECH_CONCRETE
 GSS_C_MA_MECH_PSEUDO
 GSS_C_MA_MECH_COMPOSITE
@@ -37,6 +38,7 @@ GSS_C_MA_CBINDINGS
 GSS_C_MA_PFS
 GSS_C_MA_COMPRESS
 GSS_C_MA_CTX_TRANS
+GSS_C_SEC_CONTEXT_SASL_SSF
 gss_accept_sec_context
 gss_acquire_cred
 gss_acquire_cred_with_password
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index ddaf87412e9e..f28e2b14a903 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -216,6 +216,8 @@ gss_cred_id_t *		d_cred;
     } else {
 	union_ctx_id = (gss_union_ctx_id_t)*context_handle;
 	selected_mech = union_ctx_id->mech_type;
+	if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
+	    return (GSS_S_NO_CONTEXT);
     }
 
     /* Now create a new context if we didn't get one. */
@@ -234,9 +236,6 @@ gss_cred_id_t *		d_cred;
 	    free(union_ctx_id);
 	    return (status);
 	}
-
-	/* set the new context handle to caller's data */
-	*context_handle = (gss_ctx_id_t)union_ctx_id;
     }
 
     /*
@@ -277,8 +276,10 @@ gss_cred_id_t *		d_cred;
 					d_cred ? &tmp_d_cred : NULL);
 
 	    /* If there's more work to do, keep going... */
-	    if (status == GSS_S_CONTINUE_NEEDED)
+	    if (status == GSS_S_CONTINUE_NEEDED) {
+		*context_handle = (gss_ctx_id_t)union_ctx_id;
 		return GSS_S_CONTINUE_NEEDED;
+	    }
 
 	    /* if the call failed, return with failure */
 	    if (status != GSS_S_COMPLETE) {
@@ -364,14 +365,22 @@ gss_cred_id_t *		d_cred;
 		*mech_type = gssint_get_public_oid(actual_mech);
 	    if (ret_flags != NULL)
 		*ret_flags = temp_ret_flags;
-	    return	(status);
+	    *context_handle = (gss_ctx_id_t)union_ctx_id;
+	    return GSS_S_COMPLETE;
     } else {
 
 	status = GSS_S_BAD_MECH;
     }
 
 error_out:
-    if (union_ctx_id) {
+	/*
+	 * RFC 2744 5.1 requires that we not create a context on a failed first
+	 * call to accept, and recommends that on a failed subsequent call we
+	 * make the caller responsible for calling gss_delete_sec_context.
+	 * Even if the mech deleted its context, keep the union context around
+	 * for the caller to delete.
+	 */
+    if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) {
 	if (union_ctx_id->mech_type) {
 	    if (union_ctx_id->mech_type->elements)
 		free(union_ctx_id->mech_type->elements);
@@ -384,7 +393,6 @@ error_out:
 					 GSS_C_NO_BUFFER);
 	}
 	free(union_ctx_id);
-	*context_handle = GSS_C_NO_CONTEXT;
     }
 
     if (src_name)
diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c
index 91815513017f..4bcb47e84b90 100644
--- a/src/lib/gssapi/mechglue/g_complete_auth_token.c
+++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c
@@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status,
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech != NULL) {
diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c
index 2ff8d0996ef0..c947e7646c10 100644
--- a/src/lib/gssapi/mechglue/g_context_time.c
+++ b/src/lib/gssapi/mechglue/g_context_time.c
@@ -58,6 +58,8 @@ OM_uint32 *		time_rec;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c
index 4bf0dec5ce33..574ff02944b0 100644
--- a/src/lib/gssapi/mechglue/g_delete_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c
@@ -87,12 +87,14 @@ gss_buffer_t		output_token;
     if (GSSINT_CHK_LOOP(ctx))
 	return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT);
 
-    status = gssint_delete_internal_sec_context(minor_status,
-						ctx->mech_type,
-						&ctx->internal_ctx_id,
-						output_token);
-    if (status)
-	return status;
+    if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) {
+	status = gssint_delete_internal_sec_context(minor_status,
+						    ctx->mech_type,
+						    &ctx->internal_ctx_id,
+						    output_token);
+	if (status)
+	    return status;
+    }
 
     /* now free up the space for the union context structure */
     free(ctx->mech_type->elements);
diff --git a/src/lib/gssapi/mechglue/g_dup_name.c b/src/lib/gssapi/mechglue/g_dup_name.c
index 85306fcc1913..cc824fdf99b8 100644
--- a/src/lib/gssapi/mechglue/g_dup_name.c
+++ b/src/lib/gssapi/mechglue/g_dup_name.c
@@ -126,7 +126,7 @@ allocation_failure:
 		if (dest_union->external_name) {
 			if (dest_union->external_name->value)
 				free(dest_union->external_name->value);
-				free(dest_union->external_name);
+			free(dest_union->external_name);
 		}
 		if (dest_union->name_type)
 			(void) generic_gss_release_oid(minor_status,
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
index b63745299f64..1d7990b1ca28 100644
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -95,6 +95,8 @@ gss_buffer_t		interprocess_token;
      */
 
     ctx = (gss_union_ctx_id_t) *context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
     if (!mech)
 	return GSS_S_BAD_MECH;
diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
index 4aa3591a0d06..4cd2e8f8eb8c 100644
--- a/src/lib/gssapi/mechglue/g_glue.c
+++ b/src/lib/gssapi/mechglue/g_glue.c
@@ -189,7 +189,7 @@ OM_uint32 gssint_get_mech_type_oid(OID, token)
     gss_buffer_t	token;
 {
     unsigned char * buffer_ptr;
-    int length;
+    size_t buflen, lenbytes, length, oidlen;
 
     /*
      * This routine reads the prefix of "token" in order to determine
@@ -223,25 +223,33 @@ OM_uint32 gssint_get_mech_type_oid(OID, token)
     /* Skip past the APP/Sequnce byte and the token length */
 
     buffer_ptr = (unsigned char *) token->value;
+    buflen = token->length;
 
-    if (*(buffer_ptr++) != 0x60)
+    if (buflen < 2 || *buffer_ptr++ != 0x60)
 	return (GSS_S_DEFECTIVE_TOKEN);
     length = *buffer_ptr++;
+    buflen -= 2;
 
 	/* check if token length is null */
 	if (length == 0)
 	    return (GSS_S_DEFECTIVE_TOKEN);
 
     if (length & 0x80) {
-	if ((length & 0x7f) > 4)
+	lenbytes = length & 0x7f;
+	if (lenbytes > 4 || lenbytes > buflen)
 	    return (GSS_S_DEFECTIVE_TOKEN);
-	buffer_ptr += length & 0x7f;
+	buffer_ptr += lenbytes;
+	buflen -= lenbytes;
     }
 
-    if (*(buffer_ptr++) != 0x06)
+    if (buflen < 2 || *buffer_ptr++ != 0x06)
+	return (GSS_S_DEFECTIVE_TOKEN);
+    oidlen = *buffer_ptr++;
+    buflen -= 2;
+    if (oidlen > 0x7f || oidlen > buflen)
 	return (GSS_S_DEFECTIVE_TOKEN);
 
-    OID->length = (OM_uint32) *(buffer_ptr++);
+    OID->length = oidlen;
     OID->elements = (void *) buffer_ptr;
     return (GSS_S_COMPLETE);
 }
diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c
index 9f154b8936d0..e2df1ce261d7 100644
--- a/src/lib/gssapi/mechglue/g_init_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c
@@ -192,8 +192,13 @@ OM_uint32 *		time_rec;
 
 	/* copy the supplied context handle */
 	union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT;
-    } else
+    } else {
 	union_ctx_id = (gss_union_ctx_id_t)*context_handle;
+	if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) {
+	    status = GSS_S_NO_CONTEXT;
+	    goto end;
+	}
+    }
 
     /*
      * get the appropriate cred handle from the union cred struct.
@@ -224,15 +229,13 @@ OM_uint32 *		time_rec;
 
     if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) {
 	/*
-	 * The spec says the preferred method is to delete all context info on
-	 * the first call to init, and on all subsequent calls make the caller
-	 * responsible for calling gss_delete_sec_context.  However, if the
-	 * mechanism decided to delete the internal context, we should also
-	 * delete the union context.
+	 * RFC 2744 5.19 requires that we not create a context on a failed
+	 * first call to init, and recommends that on a failed subsequent call
+	 * we make the caller responsible for calling gss_delete_sec_context.
+	 * Even if the mech deleted its context, keep the union context around
+	 * for the caller to delete.
 	 */
 	map_error(minor_status, mech);
-	if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT)
-	    *context_handle = GSS_C_NO_CONTEXT;
 	if (*context_handle == GSS_C_NO_CONTEXT) {
 	    free(union_ctx_id->mech_type->elements);
 	    free(union_ctx_id->mech_type);
diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c
index 6f1c71eede9d..6c0d98dd3348 100644
--- a/src/lib/gssapi/mechglue/g_inq_context.c
+++ b/src/lib/gssapi/mechglue/g_inq_context.c
@@ -104,6 +104,8 @@ gss_inquire_context(
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (!mech || !mech->gss_inquire_context || !mech->gss_display_name ||
diff --git a/src/lib/gssapi/mechglue/g_inq_cred_oid.c b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
index 4c23dfcbd364..df51b44e9a5b 100644
--- a/src/lib/gssapi/mechglue/g_inq_cred_oid.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred_oid.c
@@ -85,11 +85,6 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
 
     union_cred = (gss_union_cred_t) cred_handle;
 
-    status = gss_create_empty_buffer_set(minor_status, &ret_set);
-    if (status != GSS_S_COMPLETE) {
-	return status;
-    }
-
     status = GSS_S_UNAVAILABLE;
 
     for (i = 0; i < union_cred->count; i++) {
diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c
index fcca3e44c4c0..9e168adfe0d6 100644
--- a/src/lib/gssapi/mechglue/g_prf.c
+++ b/src/lib/gssapi/mechglue/g_prf.c
@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status,
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech != NULL) {
diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c
index bc260aeb10b2..3968b5d9c675 100644
--- a/src/lib/gssapi/mechglue/g_process_context.c
+++ b/src/lib/gssapi/mechglue/g_process_context.c
@@ -61,6 +61,8 @@ gss_buffer_t		token_buffer;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c
index f17241c90891..3db1ee095b39 100644
--- a/src/lib/gssapi/mechglue/g_seal.c
+++ b/src/lib/gssapi/mechglue/g_seal.c
@@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status,
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+        return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
@@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32  *minor_status,
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+        return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (!mech)
diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c
index 86d641aa2e28..03fbd8c01f36 100644
--- a/src/lib/gssapi/mechglue/g_sign.c
+++ b/src/lib/gssapi/mechglue/g_sign.c
@@ -94,6 +94,8 @@ gss_buffer_t		msg_token;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c
index 3e8053c6e9af..c208635b676a 100644
--- a/src/lib/gssapi/mechglue/g_unseal.c
+++ b/src/lib/gssapi/mechglue/g_unseal.c
@@ -76,6 +76,8 @@ gss_qop_t *		qop_state;
      * call it.
      */
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c
index e78bff2d3289..0682bd899820 100644
--- a/src/lib/gssapi/mechglue/g_unwrap_aead.c
+++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c
@@ -186,6 +186,8 @@ gss_qop_t		*qop_state;
      * call it.
      */
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (!mech)
diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c
index c0dd314b1be8..599be2c7b2fc 100644
--- a/src/lib/gssapi/mechglue/g_unwrap_iov.c
+++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c
@@ -89,6 +89,8 @@ int			iov_count;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
@@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
 
     /* Select the approprate underlying mechanism routine and call it. */
     ctx = (gss_union_ctx_id_t)context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
     mech = gssint_get_mechanism(ctx->mech_type);
     if (mech == NULL)
 	return GSS_S_BAD_MECH;
diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c
index 1578ae111092..8996fce8d596 100644
--- a/src/lib/gssapi/mechglue/g_verify.c
+++ b/src/lib/gssapi/mechglue/g_verify.c
@@ -65,6 +65,8 @@ gss_qop_t *		qop_state;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
index 96cdf3ce6ab8..7fe3b7b35bda 100644
--- a/src/lib/gssapi/mechglue/g_wrap_aead.c
+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
@@ -256,6 +256,8 @@ gss_buffer_t		output_message_buffer;
      * call it.
      */
     ctx = (gss_union_ctx_id_t)context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
     if (!mech)
 	return (GSS_S_BAD_MECH);
diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c
index 40cd98fc91cd..14447c4ee1ad 100644
--- a/src/lib/gssapi/mechglue/g_wrap_iov.c
+++ b/src/lib/gssapi/mechglue/g_wrap_iov.c
@@ -93,6 +93,8 @@ int			iov_count;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
@@ -151,6 +153,8 @@ int			iov_count;
      */
 
     ctx = (gss_union_ctx_id_t) context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return (GSS_S_NO_CONTEXT);
     mech = gssint_get_mechanism (ctx->mech_type);
 
     if (mech) {
@@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
 
     /* Select the approprate underlying mechanism routine and call it. */
     ctx = (gss_union_ctx_id_t)context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
     mech = gssint_get_mechanism(ctx->mech_type);
     if (mech == NULL)
 	return GSS_S_BAD_MECH;
@@ -218,6 +224,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
 
     /* Select the approprate underlying mechanism routine and call it. */
     ctx = (gss_union_ctx_id_t)context_handle;
+    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
     mech = gssint_get_mechanism(ctx->mech_type);
     if (mech == NULL)
 	return GSS_S_BAD_MECH;
diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def
index 362b9bce848f..842f3d52f3cd 100644
--- a/src/lib/gssapi32.def
+++ b/src/lib/gssapi32.def
@@ -182,3 +182,6 @@ EXPORTS
 	gss_verify_mic_iov				@146
 ; Added in 1.14
 	GSS_KRB5_CRED_NO_CI_FLAGS_X			@147	DATA
+; Added in 1.16
+	GSS_KRB5_GET_CRED_IMPERSONATOR			@148	DATA
+	GSS_C_SEC_CONTEXT_SASL_SSF			@149	DATA
diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
index 408b0eb31fac..1680a5504922 100644
--- a/src/lib/kadm5/chpass_util.c
+++ b/src/lib/kadm5/chpass_util.c
@@ -4,15 +4,11 @@
  */
 
 
-#include "autoconf.h"
-#include <stdio.h>
-#include <time.h>
-#include <string.h>
+#include "k5-int.h"
 
 #include <kadm5/admin.h>
 #include "admin_internal.h"
 
-#include <krb5.h>
 
 #define string_text error_message
 
@@ -218,7 +214,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
         time_t until;
         char *time_string, *ptr;
 
-        until = princ_ent.last_pwd_change + policy_ent.pw_min_life;
+        until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life);
 
         time_string = ctime(&until);
         if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps
index c9f0cbfdb7e2..3585f08f6442 100644
--- a/src/lib/kadm5/deps
+++ b/src/lib/kadm5/deps
@@ -42,13 +42,21 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
   $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
   $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
   $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
   $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
   $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
-  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
-  $(top_srcdir)/include/krb5.h admin_internal.h chpass_util.c
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  admin_internal.h chpass_util.c
 alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et
index 71b053460117..892a6fac1053 100644
--- a/src/lib/kadm5/kadm_err.et
+++ b/src/lib/kadm5/kadm_err.et
@@ -66,4 +66,5 @@ error_code KADM5_BAD_KEYSALTS, "Invalid key/salt tuples"
 error_code KADM5_SETKEY_BAD_KVNO, "Invalid multiple or duplicate kvnos in setkey operation"
 error_code KADM5_AUTH_EXTRACT, "Operation requires ``extract-keys'' privilege"
 error_code KADM5_PROTECT_KEYS, "Principal keys are locked down"
+error_code KADM5_AUTH_INITIAL, "Operation requires initial ticket"
 end
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index f4b5b5b6a06d..617d6566665f 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -32,7 +32,6 @@ SRCS =	$(srcdir)/pwqual.c \
 	$(srcdir)/pwqual_princ.c \
 	$(srcdir)/svr_policy.c \
 	$(srcdir)/svr_principal.c \
-	$(srcdir)/server_acl.c \
 	$(srcdir)/server_kdb.c \
 	$(srcdir)/server_misc.c \
 	$(srcdir)/server_init.c \
@@ -48,7 +47,6 @@ OBJS =	pwqual.$(OBJEXT) \
 	kadm5_hook.$(OBJEXT) \
 	svr_policy.$(OBJEXT) \
 	svr_principal.$(OBJEXT) \
-	server_acl.$(OBJEXT) \
 	server_kdb.$(OBJEXT) \
 	server_misc.$(OBJEXT) \
 	server_init.$(OBJEXT) \
@@ -65,7 +63,6 @@ STLIBOBJS = \
 	kadm5_hook.o \
 	svr_policy.o \
 	svr_principal.o \
-	server_acl.o \
 	server_kdb.o \
 	server_misc.o \
 	server_init.o \
@@ -73,23 +70,10 @@ STLIBOBJS = \
 	svr_chpass_util.o \
 	adb_xdr.o
 
-all-unix: includes
 all-unix: all-liblinks
 all-windows: $(OBJS)
 
-generate-files-mac: includes darwin.exports
-
-includes: server_acl.h
-	if cmp $(srcdir)/server_acl.h \
-	$(BUILDTOP)/include/kadm5/server_acl.h >/dev/null 2>&1; then :; \
-	else \
-		(set -x; $(RM) $(BUILDTOP)/include/kadm5/server_acl.h; \
-		 $(CP) $(srcdir)/server_acl.h \
-			$(BUILDTOP)/include/kadm5/server_acl.h) ; \
-	fi
-
-clean-unix::
-	$(RM) $(BUILDTOP)/include/kadm5/server_acl.h
+generate-files-mac: darwin.exports
 
 check-windows:
 
@@ -104,8 +88,6 @@ install-unix:
 	(cd $(DESTDIR)$(KRB5_LIBDIR) && $(LN_S) lib$(LIBBASE)$(DEPLIBEXT) \
 		libkadm5srv$(DEPLIBEXT))
 
-depend: includes
-
 @lib_frag@
 @libobj_frag@
 
diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps
index 20df4e9b8205..01080d56053e 100644
--- a/src/lib/kadm5/srv/deps
+++ b/src/lib/kadm5/srv/deps
@@ -150,27 +150,6 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): \
   $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_hook_plugin.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h svr_principal.c
-server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
-  $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssrpc/types.h \
-  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
-  $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
-  $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
-  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
-  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
-  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
-  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
-  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  server_acl.c server_acl.h
 server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index aedfdd7f5813..804eba16abb8 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -1,10 +1,5 @@
 _kadm5_check_handle
 _kadm5_chpass_principal_util
-kadm5int_acl_check
-kadm5int_acl_check_krb
-kadm5int_acl_finish
-kadm5int_acl_impose_restrictions
-kadm5int_acl_init
 hist_princ
 kadm5_set_use_password_server
 kadm5_chpass_principal
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
deleted file mode 100644
index 59ed0b975472..000000000000
--- a/src/lib/kadm5/srv/server_acl.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/kadm5/srv/server_acl.c */
-/*
- * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include <syslog.h>
-#include <sys/param.h>
-#include <gssapi/gssapi_generic.h>
-#include <kadm5/server_internal.h>
-#include <kadm5/admin.h>
-#include "adm_proto.h"
-#include "server_acl.h"
-#include <ctype.h>
-
-typedef struct _acl_op_table {
-    char        ao_op;
-    krb5_int32  ao_mask;
-} aop_t;
-
-typedef struct _acl_entry {
-    struct _acl_entry   *ae_next;
-    char                *ae_name;
-    krb5_boolean        ae_name_bad;
-    krb5_principal      ae_principal;
-    krb5_int32          ae_op_allowed;
-    char                *ae_target;
-    krb5_boolean        ae_target_bad;
-    krb5_principal      ae_target_princ;
-    char                *ae_restriction_string;
-    /* eg: "-maxlife 3h -service +proxiable" */
-    krb5_boolean        ae_restriction_bad;
-    restriction_t       *ae_restrictions;
-} aent_t;
-
-static const aop_t acl_op_table[] = {
-    { 'a',      ACL_ADD },
-    { 'd',      ACL_DELETE },
-    { 'm',      ACL_MODIFY },
-    { 'c',      ACL_CHANGEPW },
-    { 'i',      ACL_INQUIRE },
-    { 'l',      ACL_LIST },
-    { 'p',      ACL_IPROP },
-    { 's',      ACL_SETKEY },
-    { 'x',      ACL_ALL_MASK },
-    { '*',      ACL_ALL_MASK },
-    { 'e',      ACL_EXTRACT },
-    { '\0',     0 }
-};
-
-typedef struct _wildstate {
-    int nwild;
-    const krb5_data *backref[9];
-} wildstate_t;
-
-static aent_t   *acl_list_head = (aent_t *) NULL;
-static aent_t   *acl_list_tail = (aent_t *) NULL;
-
-static const char *acl_acl_file = (char *) NULL;
-static int acl_inited = 0;
-static int acl_debug_level = 0;
-/*
- * This is the catchall entry.  If nothing else appropriate is found, or in
- * the case where the ACL file is not present, this entry controls what can
- * be done.
- */
-static const char *acl_catchall_entry = NULL;
-
-static const char *acl_line2long_msg = N_("%s: line %d too long, truncated");
-static const char *acl_op_bad_msg = N_("Unrecognized ACL operation '%c' in "
-                                       "%s");
-static const char *acl_syn_err_msg = N_("%s: syntax error at line %d "
-                                        "<%10s...>");
-static const char *acl_cantopen_msg = N_("%s while opening ACL file %s");
-
-/*
- * kadm5int_acl_get_line() - Get a line from the ACL file.
- *                      Lines ending with \ are continued on the next line
- */
-static char *
-kadm5int_acl_get_line(fp, lnp)
-    FILE        *fp;
-    int         *lnp;           /* caller should set to 1 before first call */
-{
-    int         i, domore;
-    static int  line_incr = 0;
-    static char acl_buf[BUFSIZ];
-
-    *lnp += line_incr;
-    line_incr = 0;
-    for (domore = 1; domore && !feof(fp); ) {
-        /* Copy in the line, with continuations */
-        for (i = 0; ((i < BUFSIZ) && !feof(fp)); i++) {
-            int byte;
-            byte = fgetc(fp);
-            acl_buf[i] = byte;
-            if (byte == EOF) {
-                if (i > 0 && acl_buf[i-1] == '\\')
-                    i--;
-                break;          /* it gets nulled-out below */
-            }
-            else if (acl_buf[i] == '\n') {
-                if (i == 0 || acl_buf[i-1] != '\\')
-                    break;      /* empty line or normal end of line */
-                else {
-                    i -= 2;     /* back up over "\\\n" and continue */
-                    line_incr++;
-                }
-            }
-        }
-        /* Check if we exceeded our buffer size */
-        if (i == sizeof acl_buf && (i--, !feof(fp))) {
-            int c1 = acl_buf[i], c2;
-
-            krb5_klog_syslog(LOG_ERR, _(acl_line2long_msg), acl_acl_file,
-                             *lnp);
-            while ((c2 = fgetc(fp)) != EOF) {
-                if (c2 == '\n') {
-                    if (c1 != '\\')
-                        break;
-                    line_incr++;
-                }
-                c1 = c2;
-            }
-        }
-        acl_buf[i] = '\0';
-        if (acl_buf[0] == (char) EOF)   /* ptooey */
-            acl_buf[0] = '\0';
-        else
-            line_incr++;
-        if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
-            domore = 0;
-    }
-    if (domore || (strlen(acl_buf) == 0))
-        return((char *) NULL);
-    else
-        return(acl_buf);
-}
-
-/*
- * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
- */
-static aent_t *
-kadm5int_acl_parse_line(lp)
-    const char *lp;
-{
-    static char acle_principal[BUFSIZ];
-    static char acle_ops[BUFSIZ];
-    static char acle_object[BUFSIZ];
-    static char acle_restrictions[BUFSIZ];
-    aent_t      *acle;
-    char        *op;
-    int         t, found, opok, nmatch;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
-    /*
-     * Format is still simple:
-     *  entry ::= [<whitespace>] <principal> <whitespace> <opstring>
-     *            [<whitespace> <target> [<whitespace> <restrictions>
-     *                                    [<whitespace>]]]
-     */
-    acle = (aent_t *) NULL;
-    acle_object[0] = '\0';
-    nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops,
-                    acle_object, acle_restrictions);
-    if (nmatch >= 2) {
-        acle = (aent_t *) malloc(sizeof(aent_t));
-        if (acle) {
-            acle->ae_next = (aent_t *) NULL;
-            acle->ae_op_allowed = (krb5_int32) 0;
-            acle->ae_target =
-                (nmatch >= 3) ? strdup(acle_object) : (char *) NULL;
-            acle->ae_target_bad = 0;
-            acle->ae_target_princ = (krb5_principal) NULL;
-            opok = 1;
-            for (op=acle_ops; *op; op++) {
-                char rop;
-
-                rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;
-                found = 0;
-                for (t=0; acl_op_table[t].ao_op; t++) {
-                    if (rop == acl_op_table[t].ao_op) {
-                        found = 1;
-                        if (rop == *op)
-                            acle->ae_op_allowed |= acl_op_table[t].ao_mask;
-                        else
-                            acle->ae_op_allowed &= ~acl_op_table[t].ao_mask;
-                    }
-                }
-                if (!found) {
-                    krb5_klog_syslog(LOG_ERR, _(acl_op_bad_msg), *op, lp);
-                    opok = 0;
-                }
-            }
-            if (opok) {
-                acle->ae_name = strdup(acle_principal);
-                if (acle->ae_name) {
-                    acle->ae_principal = (krb5_principal) NULL;
-                    acle->ae_name_bad = 0;
-                    DPRINT(DEBUG_ACL, acl_debug_level,
-                           ("A ACL entry %s -> opmask %x\n",
-                            acle->ae_name, acle->ae_op_allowed));
-                }
-                else {
-                    if (acle->ae_target)
-                        free(acle->ae_target);
-                    free(acle);
-                    acle = (aent_t *) NULL;
-                }
-            }
-            else {
-                if (acle->ae_target)
-                    free(acle->ae_target);
-                free(acle);
-                acle = (aent_t *) NULL;
-            }
-
-            if (acle) {
-                if ( nmatch >= 4 ) {
-                    char        *trailing;
-
-                    trailing = &acle_restrictions[strlen(acle_restrictions)-1];
-                    while ( isspace((int) *trailing) )
-                        trailing--;
-                    trailing[1] = '\0';
-                    acle->ae_restriction_string =
-                        strdup(acle_restrictions);
-                }
-                else {
-                    acle->ae_restriction_string = (char *) NULL;
-                }
-                acle->ae_restriction_bad = 0;
-                acle->ae_restrictions = (restriction_t *) NULL;
-            }
-        }
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
-    return(acle);
-}
-
-/*
- * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
- *
- * Allowed restrictions are:
- *      [+-]flagname            (recognized by krb5_flagspec_to_mask)
- *                              flag is forced to indicated value
- *      -clearpolicy            policy is forced clear
- *      -policy pol             policy is forced to be "pol"
- *      -{expire,pwexpire,maxlife,maxrenewlife} deltat
- *                              associated value will be forced to
- *                              MIN(deltat, requested value)
- *
- * Returns: 0 on success, or system errors
- */
-static krb5_error_code
-kadm5int_acl_parse_restrictions(s, rpp)
-    char                *s;
-    restriction_t       **rpp;
-{
-    char                *sp = NULL, *tp, *ap, *save;
-    static const char   *delims = "\t\n\f\v\r ,";
-    krb5_deltat         dt;
-    krb5_error_code     code;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
-
-    *rpp = (restriction_t *) NULL;
-    code = 0;
-    if (s) {
-        if (!(sp = strdup(s))   /* Don't munge the original */
-            || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
-            code = ENOMEM;
-        } else {
-            memset(*rpp, 0, sizeof(**rpp));
-            (*rpp)->forbid_attrs = ~(krb5_flags)0;
-            for (tp = strtok_r(sp, delims, &save); tp;
-                 tp = strtok_r(NULL, delims, &save)) {
-                if (!krb5_flagspec_to_mask(tp, &(*rpp)->require_attrs,
-                                           &(*rpp)->forbid_attrs)) {
-                    (*rpp)->mask |= KADM5_ATTRIBUTES;
-                } else if (!strcmp(tp, "-clearpolicy")) {
-                    (*rpp)->mask |= KADM5_POLICY_CLR;
-                } else {
-                    /* everything else needs an argument ... */
-                    if (!(ap = strtok_r(NULL, delims, &save))) {
-                        code = EINVAL;
-                        break;
-                    }
-                    if (!strcmp(tp, "-policy")) {
-                        if (!((*rpp)->policy = strdup(ap))) {
-                            code = ENOMEM;
-                            break;
-                        }
-                        (*rpp)->mask |= KADM5_POLICY;
-                    } else {
-                        /* all other arguments must be a deltat ... */
-                        if (krb5_string_to_deltat(ap, &dt)) {
-                            code = EINVAL;
-                            break;
-                        }
-                        if (!strcmp(tp, "-expire")) {
-                            (*rpp)->princ_lifetime = dt;
-                            (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME;
-                        } else if (!strcmp(tp, "-pwexpire")) {
-                            (*rpp)->pw_lifetime = dt;
-                            (*rpp)->mask |= KADM5_PW_EXPIRATION;
-                        } else if (!strcmp(tp, "-maxlife")) {
-                            (*rpp)->max_life = dt;
-                            (*rpp)->mask |= KADM5_MAX_LIFE;
-                        } else if (!strcmp(tp, "-maxrenewlife")) {
-                            (*rpp)->max_renewable_life = dt;
-                            (*rpp)->mask |= KADM5_MAX_RLIFE;
-                        } else {
-                            code = EINVAL;
-                            break;
-                        }
-                    }
-                }
-            }
-            if (code) {
-                krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"),
-                                 acl_acl_file, s);
-            }
-        }
-    }
-    if (sp)
-        free(sp);
-    if (*rpp && code) {
-        if ((*rpp)->policy)
-            free((*rpp)->policy);
-        free(*rpp);
-        *rpp = (restriction_t *) NULL;
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
-            code, (*rpp) ? (*rpp)->mask : 0));
-    return code;
-}
-
-/*
- * kadm5int_acl_impose_restrictions()   - impose restrictions, modifying *recp, *maskp
- *
- * Returns: 0 on success;
- *          malloc or timeofday errors
- */
-krb5_error_code
-kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
-    krb5_context               kcontext;
-    kadm5_principal_ent_rec    *recp;
-    long                       *maskp;
-    restriction_t              *rp;
-{
-    krb5_error_code     code;
-    krb5_int32          now;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
-            *maskp, (long)rp));
-    if (!rp)
-        return 0;
-    if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION))
-        if ((code = krb5_timeofday(kcontext, &now)))
-            return code;
-
-    if (rp->mask & KADM5_ATTRIBUTES) {
-        recp->attributes |= rp->require_attrs;
-        recp->attributes &= rp->forbid_attrs;
-        *maskp |= KADM5_ATTRIBUTES;
-    }
-    if (rp->mask & KADM5_POLICY_CLR) {
-        *maskp &= ~KADM5_POLICY;
-        *maskp |= KADM5_POLICY_CLR;
-    } else if (rp->mask & KADM5_POLICY) {
-        if (recp->policy && strcmp(recp->policy, rp->policy)) {
-            free(recp->policy);
-            recp->policy = (char *) NULL;
-        }
-        if (!recp->policy) {
-            recp->policy = strdup(rp->policy);  /* XDR will free it */
-            if (!recp->policy)
-                return ENOMEM;
-        }
-        *maskp |= KADM5_POLICY;
-    }
-    if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
-        if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
-            || (recp->princ_expire_time > (now + rp->princ_lifetime)))
-            recp->princ_expire_time = now + rp->princ_lifetime;
-        *maskp |= KADM5_PRINC_EXPIRE_TIME;
-    }
-    if (rp->mask & KADM5_PW_EXPIRATION) {
-        if (!(*maskp & KADM5_PW_EXPIRATION)
-            || (recp->pw_expiration > (now + rp->pw_lifetime)))
-            recp->pw_expiration = now + rp->pw_lifetime;
-        *maskp |= KADM5_PW_EXPIRATION;
-    }
-    if (rp->mask & KADM5_MAX_LIFE) {
-        if (!(*maskp & KADM5_MAX_LIFE)
-            || (recp->max_life > rp->max_life))
-            recp->max_life = rp->max_life;
-        *maskp |= KADM5_MAX_LIFE;
-    }
-    if (rp->mask & KADM5_MAX_RLIFE) {
-        if (!(*maskp & KADM5_MAX_RLIFE)
-            || (recp->max_renewable_life > rp->max_renewable_life))
-            recp->max_renewable_life = rp->max_renewable_life;
-        *maskp |= KADM5_MAX_RLIFE;
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
-    return 0;
-}
-
-/*
- * kadm5int_acl_free_entries() - Free all ACL entries.
- */
-static void
-kadm5int_acl_free_entries()
-{
-    aent_t      *ap;
-    aent_t      *np;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
-    for (ap=acl_list_head; ap; ap = np) {
-        if (ap->ae_name)
-            free(ap->ae_name);
-        if (ap->ae_principal)
-            krb5_free_principal((krb5_context) NULL, ap->ae_principal);
-        if (ap->ae_target)
-            free(ap->ae_target);
-        if (ap->ae_target_princ)
-            krb5_free_principal((krb5_context) NULL, ap->ae_target_princ);
-        if (ap->ae_restriction_string)
-            free(ap->ae_restriction_string);
-        if (ap->ae_restrictions) {
-            if (ap->ae_restrictions->policy)
-                free(ap->ae_restrictions->policy);
-            free(ap->ae_restrictions);
-        }
-        np = ap->ae_next;
-        free(ap);
-    }
-    acl_list_head = acl_list_tail = (aent_t *) NULL;
-    acl_inited = 0;
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n"));
-}
-
-/*
- * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
- */
-static int
-kadm5int_acl_load_acl_file()
-{
-    FILE        *afp;
-    char        *alinep;
-    aent_t      **aentpp;
-    int         alineno;
-    int         retval = 1;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
-    /* Open the ACL file for read */
-    afp = fopen(acl_acl_file, "r");
-    if (afp) {
-        set_cloexec_file(afp);
-        alineno = 1;
-        aentpp = &acl_list_head;
-
-        /* Get a non-comment line */
-        while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
-            /* Parse it */
-            *aentpp = kadm5int_acl_parse_line(alinep);
-            /* If syntax error, then fall out */
-            if (!*aentpp) {
-                krb5_klog_syslog(LOG_ERR, _(acl_syn_err_msg),
-                                 acl_acl_file, alineno, alinep);
-                retval = 0;
-                break;
-            }
-            acl_list_tail = *aentpp;
-            aentpp = &(*aentpp)->ae_next;
-        }
-
-        fclose(afp);
-
-        if (acl_catchall_entry) {
-            *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
-            if (*aentpp) {
-                acl_list_tail = *aentpp;
-            }
-            else {
-                retval = 0;
-                DPRINT(DEBUG_OPERATION, acl_debug_level,
-                       ("> catchall acl entry (%s) load failed\n",
-                        acl_catchall_entry));
-            }
-        }
-    }
-    else {
-        krb5_klog_syslog(LOG_ERR, _(acl_cantopen_msg),
-                         error_message(errno), acl_acl_file);
-        if (acl_catchall_entry &&
-            (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) {
-            acl_list_tail = acl_list_head;
-        }
-        else {
-            retval = 0;
-            DPRINT(DEBUG_OPERATION, acl_debug_level,
-                   ("> catchall acl entry (%s) load failed\n",
-                    acl_catchall_entry));
-        }
-    }
-
-    if (!retval) {
-        kadm5int_acl_free_entries();
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("X kadm5int_acl_load_acl_file() = %d\n", retval));
-    return(retval);
-}
-
-/*
- * kadm5int_acl_match_data()    - See if two data entries match.
- *
- * Wildcarding is only supported for a whole component.
- */
-static krb5_boolean
-kadm5int_acl_match_data(const krb5_data *e1, const krb5_data *e2,
-                        int targetflag, wildstate_t *ws)
-{
-    krb5_boolean        retval;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
-    retval = 0;
-    if (!strncmp(e1->data, "*", e1->length)) {
-        retval = 1;
-        if (ws && !targetflag) {
-            if (ws->nwild >= 9) {
-                DPRINT(DEBUG_ACL, acl_debug_level,
-                       ("Too many wildcards in ACL entry.\n"));
-            }
-            else
-                ws->backref[ws->nwild++] = e2;
-        }
-    }
-    else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') &&
-             (e1->data[1] >= '1') && (e1->data[1] <= '9')) {
-        int     n = e1->data[1] - '1';
-        if (n >= ws->nwild) {
-            DPRINT(DEBUG_ACL, acl_debug_level,
-                   ("Too many backrefs in ACL entry.\n"));
-        }
-        else if ((ws->backref[n]->length == e2->length) &&
-                 (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
-            retval = 1;
-
-    }
-    else {
-        if ((e1->length == e2->length) &&
-            (!strncmp(e1->data, e2->data, e1->length)))
-            retval = 1;
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval));
-    return(retval);
-}
-
-/*
- * kadm5int_acl_find_entry()    - Find a matching entry.
- */
-static aent_t *
-kadm5int_acl_find_entry(krb5_context kcontext, krb5_const_principal principal,
-                        krb5_const_principal dest_princ)
-{
-    aent_t              *entry;
-    krb5_error_code     kret;
-    int                 i;
-    int                 matchgood;
-    wildstate_t         state;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
-    for (entry=acl_list_head; entry; entry = entry->ae_next) {
-        memset(&state, 0, sizeof(state));
-        if (entry->ae_name_bad)
-            continue;
-        if (!strcmp(entry->ae_name, "*")) {
-            DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n"));
-            matchgood = 1;
-        }
-        else {
-            if (!entry->ae_principal && !entry->ae_name_bad) {
-                kret = krb5_parse_name(kcontext,
-                                       entry->ae_name,
-                                       &entry->ae_principal);
-                if (kret)
-                    entry->ae_name_bad = 1;
-            }
-            if (entry->ae_name_bad) {
-                DPRINT(DEBUG_ACL, acl_debug_level,
-                       ("Bad ACL entry %s\n", entry->ae_name));
-                continue;
-            }
-            matchgood = 0;
-            if (kadm5int_acl_match_data(&entry->ae_principal->realm,
-                                        &principal->realm, 0, (wildstate_t *)0) &&
-                (entry->ae_principal->length == principal->length)) {
-                matchgood = 1;
-                for (i=0; i<principal->length; i++) {
-                    if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
-                                                 &principal->data[i], 0, &state)) {
-                        matchgood = 0;
-                        break;
-                    }
-                }
-            }
-        }
-        if (!matchgood)
-            continue;
-
-        /* We've matched the principal.  If we have a target, then try it */
-        if (entry->ae_target && strcmp(entry->ae_target, "*")) {
-            if (!entry->ae_target_princ && !entry->ae_target_bad) {
-                kret = krb5_parse_name(kcontext, entry->ae_target,
-                                       &entry->ae_target_princ);
-                if (kret)
-                    entry->ae_target_bad = 1;
-            }
-            if (entry->ae_target_bad) {
-                DPRINT(DEBUG_ACL, acl_debug_level,
-                       ("Bad target in ACL entry for %s\n", entry->ae_name));
-                entry->ae_name_bad = 1;
-                continue;
-            }
-            if (!dest_princ)
-                matchgood = 0;
-            else if (entry->ae_target_princ && dest_princ) {
-                if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
-                                            &dest_princ->realm, 1, (wildstate_t *)0) &&
-                    (entry->ae_target_princ->length == dest_princ->length)) {
-                    for (i=0; i<dest_princ->length; i++) {
-                        if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
-                                                     &dest_princ->data[i], 1, &state)) {
-                            matchgood = 0;
-                            break;
-                        }
-                    }
-                }
-                else
-                    matchgood = 0;
-            }
-        }
-        if (!matchgood)
-            continue;
-
-        if (entry->ae_restriction_string
-            && !entry->ae_restriction_bad
-            && !entry->ae_restrictions
-            && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
-                                               &entry->ae_restrictions)) {
-            DPRINT(DEBUG_ACL, acl_debug_level,
-                   ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
-            entry->ae_restriction_bad = 1;
-        }
-        if (entry->ae_restriction_bad) {
-            entry->ae_name_bad = 1;
-            continue;
-        }
-        break;
-    }
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
-    return(entry);
-}
-
-/*
- * kadm5int_acl_init()  - Initialize ACL context.
- */
-krb5_error_code
-kadm5int_acl_init(kcontext, debug_level, acl_file)
-    krb5_context        kcontext;
-    int                 debug_level;
-    char                *acl_file;
-{
-    krb5_error_code     kret;
-
-    kret = 0;
-    acl_debug_level = debug_level;
-    DPRINT(DEBUG_CALLS, acl_debug_level,
-           ("* kadm5int_acl_init(afile=%s)\n",
-            ((acl_file) ? acl_file : "(null)")));
-    acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
-    acl_inited = kadm5int_acl_load_acl_file();
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret));
-    return(kret);
-}
-
-/*
- * kadm5int_acl_finish  - Terminate ACL context.
- */
-void
-kadm5int_acl_finish(kcontext, debug_level)
-    krb5_context        kcontext;
-    int                 debug_level;
-{
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
-    kadm5int_acl_free_entries();
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n"));
-}
-
-/*
- * kadm5int_acl_check_krb()     - Is this operation permitted for this principal?
- */
-krb5_boolean
-kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
-    krb5_context         kcontext;
-    krb5_const_principal caller_princ;
-    krb5_int32           opmask;
-    krb5_const_principal principal;
-    restriction_t        **restrictions;
-{
-    krb5_boolean        retval;
-    aent_t              *aentry;
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
-
-    retval = FALSE;
-
-    aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
-    if (aentry) {
-        if ((aentry->ae_op_allowed & opmask) == opmask) {
-            retval = TRUE;
-            if (restrictions) {
-                *restrictions =
-                    (aentry->ae_restrictions && aentry->ae_restrictions->mask)
-                    ? aentry->ae_restrictions
-                    : (restriction_t *) NULL;
-            }
-        }
-    }
-
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
-                                          retval));
-    return retval;
-}
-
-/*
- * kadm5int_acl_check() - Is this operation permitted for this principal?
- *                      this code used not to be based on gssapi.  In order
- *                      to minimize porting hassles, I've put all the
- *                      gssapi hair in this function.  This might not be
- *                      the best medium-term solution.  (The best long-term
- *                      solution is, of course, a real authorization service.)
- */
-krb5_boolean
-kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
-    krb5_context        kcontext;
-    gss_name_t          caller;
-    krb5_int32          opmask;
-    krb5_principal      principal;
-    restriction_t       **restrictions;
-{
-    krb5_boolean        retval;
-    gss_buffer_desc     caller_buf;
-    gss_OID             caller_oid;
-    OM_uint32           emin;
-    krb5_error_code     code;
-    krb5_principal      caller_princ;
-
-    if (GSS_ERROR(gss_display_name(&emin, caller, &caller_buf, &caller_oid)))
-        return FALSE;
-
-    code = krb5_parse_name(kcontext, (char *) caller_buf.value,
-                           &caller_princ);
-
-    gss_release_buffer(&emin, &caller_buf);
-
-    if (code != 0)
-        return FALSE;
-
-    retval = kadm5int_acl_check_krb(kcontext, caller_princ,
-                                    opmask, principal, restrictions);
-
-    krb5_free_principal(kcontext, caller_princ);
-
-    return retval;
-}
-
-kadm5_ret_t
-kadm5_get_privs(void *server_handle, long *privs)
-{
-    CHECK_HANDLE(server_handle);
-
-    /* this is impossible to do with the current interface.  For now,
-       return all privs, which will confuse some clients, but not
-       deny any access to users of "smart" clients which try to cache */
-
-    *privs = ~0;
-
-    return KADM5_OK;
-}
diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
deleted file mode 100644
index d8db2f75b087..000000000000
--- a/src/lib/kadm5/srv/server_acl.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/kadm5/srv/server_acl.h */
-/*
- * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef SERVER_ACL_H__
-#define SERVER_ACL_H__
-
-/*
- * Debug definitions.
- */
-#define DEBUG_SPROC     1
-#define DEBUG_OPERATION 2
-#define DEBUG_HOST      4
-#define DEBUG_REALM     8
-#define DEBUG_REQUESTS  16
-#define DEBUG_ACL       32
-#define DEBUG_PROTO     64
-#define DEBUG_CALLS     128
-#define DEBUG_NOSLAVES  256
-#ifdef  DEBUG
-#define DPRINT(l1, cl, al)      if ((cl & l1) != 0) printf al
-#else   /* DEBUG */
-#define DPRINT(l1, cl, al)
-#endif  /* DEBUG */
-
-/*
- * Access control bits.
- */
-#define ACL_ADD                 1
-#define ACL_DELETE              2
-#define ACL_MODIFY              4
-#define ACL_CHANGEPW            8
-/* #define ACL_CHANGE_OWN_PW    16 */
-#define ACL_INQUIRE             32
-#define ACL_EXTRACT             64
-#define ACL_LIST                128
-#define ACL_SETKEY              256
-#define ACL_IPROP               512
-#define ACL_RENAME              (ACL_ADD+ACL_DELETE)
-
-#define ACL_ALL_MASK            (ACL_ADD        |       \
-                                 ACL_DELETE     |       \
-                                 ACL_MODIFY     |       \
-                                 ACL_CHANGEPW   |       \
-                                 ACL_INQUIRE    |       \
-                                 ACL_LIST       |       \
-                                 ACL_IPROP      |       \
-                                 ACL_SETKEY)
-
-typedef struct _restriction {
-    long                mask;
-    krb5_flags          require_attrs;
-    krb5_flags          forbid_attrs;
-    krb5_deltat         princ_lifetime;
-    krb5_deltat         pw_lifetime;
-    krb5_deltat         max_life;
-    krb5_deltat         max_renewable_life;
-    long                aux_attributes;
-    char                *policy;
-} restriction_t;
-
-krb5_error_code kadm5int_acl_init(krb5_context, int, char *);
-void kadm5int_acl_finish(krb5_context, int);
-krb5_boolean kadm5int_acl_check(krb5_context,
-                                gss_name_t,
-                                krb5_int32,
-                                krb5_principal,
-                                restriction_t **);
-krb5_boolean kadm5int_acl_check_krb(krb5_context,
-                                    krb5_const_principal,
-                                    krb5_int32,
-                                    krb5_const_principal,
-                                    restriction_t **);
-krb5_error_code kadm5int_acl_impose_restrictions(krb5_context,
-                                                 kadm5_principal_ent_rec *,
-                                                 long *,
-                                                 restriction_t *);
-#endif  /* SERVER_ACL_H__ */
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 612553ba3e19..f4b8aef2bde1 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
               krb5_db_entry *kdb, osa_princ_ent_rec *adb)
 {
     krb5_error_code ret;
-    krb5_int32 now;
+    krb5_timestamp now;
     XDR xdrs;
     krb5_tl_data tl_data;
 
diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c
index b361847bd553..87e97c9f8a2f 100644
--- a/src/lib/kadm5/srv/server_misc.c
+++ b/src/lib/kadm5/srv/server_misc.c
@@ -142,3 +142,17 @@ destroy_pwqual(kadm5_server_handle_t handle)
     k5_pwqual_free_handles(handle->context, handle->qual_handles);
     handle->qual_handles = NULL;
 }
+
+kadm5_ret_t
+kadm5_get_privs(void *server_handle, long *privs)
+{
+    CHECK_HANDLE(server_handle);
+
+    /* this is impossible to do with the current interface.  For now,
+       return all privs, which will confuse some clients, but not
+       deny any access to users of "smart" clients which try to cache */
+
+    *privs = ~0;
+
+    return KADM5_OK;
+}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0640b47c40d4..2420f2c2bebb 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
     osa_princ_ent_rec           adb;
     kadm5_policy_ent_rec        polent;
     krb5_boolean                have_polent = FALSE;
-    krb5_int32                  now;
+    krb5_timestamp              now;
     krb5_tl_data                *tl_data_tail;
     unsigned int                ret;
     kadm5_server_handle_t handle = server_handle;
@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
     kdb->pw_expiration = 0;
     if (have_polent) {
         if(polent.pw_max_life)
-            kdb->pw_expiration = now + polent.pw_max_life;
+            kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
         else
             kdb->pw_expiration = 0;
     }
@@ -612,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
                                                   &(kdb->pw_expiration));
             if (ret)
                 goto done;
-            kdb->pw_expiration += pol.pw_max_life;
+            kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
         } else {
             kdb->pw_expiration = 0;
         }
@@ -1322,11 +1322,11 @@ kadm5_chpass_principal_3(void *server_handle,
                          int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
                          char *password)
 {
-    krb5_int32                  now;
+    krb5_timestamp              now;
     kadm5_policy_ent_rec        pol;
     osa_princ_ent_rec           adb;
     krb5_db_entry               *kdb;
-    int                         ret, ret2, last_pwd, hist_added;
+    int                         ret, ret2, hist_added;
     krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     osa_pw_hist_ent             hist;
@@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle,
     if ((adb.aux_attributes & KADM5_POLICY)) {
         /* the policy was loaded before */
 
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
-        if (ret)
-            goto done;
-
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c). A
-         * local caller implicitly has all authorization bits.
-         */
-        if ((now - last_pwd) < pol.pw_min_life &&
-            !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         ret = check_pw_reuse(handle->context, hist_keyblocks,
                              kdb->n_key_data, kdb->key_data,
                              1, &hist);
@@ -1445,7 +1427,7 @@ kadm5_chpass_principal_3(void *server_handle,
         }
 
         if (pol.pw_max_life)
-            kdb->pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else
             kdb->pw_expiration = 0;
     } else {
@@ -1544,9 +1526,9 @@ kadm5_randkey_principal_3(void *server_handle,
 {
     krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
-    krb5_int32                  now;
+    krb5_timestamp              now;
     kadm5_policy_ent_rec        pol;
-    int                         ret, last_pwd, n_new_keys;
+    int                         ret, n_new_keys;
     krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     krb5_keyblock               *act_mkey;
@@ -1605,26 +1587,8 @@ kadm5_randkey_principal_3(void *server_handle,
             goto done;
     }
     if (have_pol) {
-        ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
-        if (ret)
-            goto done;
-
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c).  A
-         * local caller implicitly has all authorization bits.
-         */
-        if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         if (pol.pw_max_life)
-            kdb->pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else
             kdb->pw_expiration = 0;
     } else {
@@ -1686,14 +1650,11 @@ kadm5_setv4key_principal(void *server_handle,
 {
     krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
-    krb5_int32                  now;
+    krb5_timestamp              now;
     kadm5_policy_ent_rec        pol;
     krb5_keysalt                keysalt;
     int                         i, kvno, ret;
     krb5_boolean                have_pol = FALSE;
-#if 0
-    int                         last_pwd;
-#endif
     kadm5_server_handle_t       handle = server_handle;
     krb5_key_data               tmp_key_data;
     krb5_keyblock               *act_mkey;
@@ -1756,25 +1717,8 @@ kadm5_setv4key_principal(void *server_handle,
             goto done;
     }
     if (have_pol) {
-#if 0
-        /*
-         * The spec says this check is overridden if the caller has
-         * modify privilege.  The admin server therefore makes this
-         * check itself (in chpass_principal_wrapper, misc.c).  A
-         * local caller implicitly has all authorization bits.
-         */
-        if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-                                                  kdb, &last_pwd))
-            goto done;
-        if((now - last_pwd) < pol.pw_min_life &&
-           !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-            ret = KADM5_PASS_TOOSOON;
-            goto done;
-        }
-#endif
-
         if (pol.pw_max_life)
-            kdb->pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else
             kdb->pw_expiration = 0;
     } else {
@@ -1788,6 +1732,9 @@ kadm5_setv4key_principal(void *server_handle,
     /* unlock principal on this KDC */
     kdb->fail_auth_count = 0;
 
+    /* key data changed, let the database provider know */
+    kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+
     if ((ret = kdb_put_entry(handle, kdb, &adb)))
         goto done;
 
@@ -1888,7 +1835,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
 {
     krb5_db_entry *kdb;
     osa_princ_ent_rec adb;
-    krb5_int32 now;
+    krb5_timestamp now;
     kadm5_policy_ent_rec pol;
     krb5_key_data *new_key_data = NULL;
     int i, j, ret, n_new_key_data = 0;
@@ -2024,7 +1971,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
     }
     if (have_pol) {
         if (pol.pw_max_life)
-            kdb->pw_expiration = now + pol.pw_max_life;
+            kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
         else
             kdb->pw_expiration = 0;
     } else {
@@ -2038,6 +1985,9 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
     /* Unlock principal on this KDC. */
     kdb->fail_auth_count = 0;
 
+    /* key data changed, let the database provider know */
+    kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+
     ret = kdb_put_entry(handle, kdb, &adb);
     if (ret)
         goto done;
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
index 60be9e85d5d3..0431653bff44 100644
--- a/src/lib/kadm5/unit-test/setkey-test.c
+++ b/src/lib/kadm5/unit-test/setkey-test.c
@@ -69,7 +69,8 @@ main(int argc, char **argv)
     char *whoami, *principal, *authprinc, *authpwd;
     krb5_data pwdata;
     void *handle;
-    int ret, i, test, encnum;
+    int ret, test, encnum;
+    unsigned int i;
 
     whoami = argv[0];
 
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index 5da22dfd51c1..b77bf496d6a2 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -5,7 +5,7 @@ LOCALINCLUDES= -I.
 
 # Keep LIBMAJOR in sync with KRB5_KDB_API_VERSION in include/kdb.h.
 LIBBASE=kdb5
-LIBMAJOR=8
+LIBMAJOR=9
 LIBMINOR=0
 LIBINITFUNC=kdb_init_lock_list
 LIBFINIFUNC=kdb_fini_lock_list
diff --git a/src/lib/kdb/deps b/src/lib/kdb/deps
index c2ce27ff7cd8..152ef7fceee2 100644
--- a/src/lib/kdb/deps
+++ b/src/lib/kdb/deps
@@ -153,5 +153,6 @@ t_ulog.so t_ulog.po $(OUTPRE)t_ulog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h t_ulog.c
 t_sort_key_data.so t_sort_key_data.po $(OUTPRE)t_sort_key_data.$(OBJEXT): \
-  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/kdb.h \
+  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-cmocka.h $(top_srcdir)/include/kdb.h \
   $(top_srcdir)/include/krb5.h t_sort_key_data.c
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 4adf0fcbb201..da5332217fef 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -322,12 +322,7 @@ copy_vtable(const kdb_vftabl *in, kdb_vftabl *out)
     out->audit_as_req = in->audit_as_req;
     out->refresh_config = in->refresh_config;
     out->check_allowed_to_delegate = in->check_allowed_to_delegate;
-
-    /* Copy fields for minor version 1 (major version 6). */
-    assert(KRB5_KDB_DAL_MAJOR_VERSION == 6);
-    out->free_principal_e_data = NULL;
-    if (in->min_ver >= 1)
-        out->free_principal_e_data = in->free_principal_e_data;
+    out->free_principal_e_data = in->free_principal_e_data;
 
     /* Set defaults for optional fields. */
     if (out->fetch_master_key == NULL)
@@ -1220,11 +1215,12 @@ krb5_db_fetch_mkey(krb5_context context, krb5_principal mname,
             krb5_db_entry *master_entry;
 
             rc = krb5_db_get_principal(context, mname, 0, &master_entry);
-            if (rc == 0) {
+            if (rc == 0 && master_entry->n_key_data > 0)
                 *kvno = (krb5_kvno) master_entry->key_data->key_data_kvno;
-                krb5_db_free_principal(context, master_entry);
-            } else
+            else
                 *kvno = 1;
+            if (rc == 0)
+                krb5_db_free_principal(context, master_entry);
         }
 
         if (!salt)
@@ -1296,7 +1292,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
      * are in the future, we will return the first node; if all are in the
      * past, we will return the last node.
      */
-    while (list->next != NULL && list->next->act_time <= now)
+    while (list->next != NULL && !ts_after(list->next->act_time, now))
         list = list->next;
     return list->act_kvno;
 }
@@ -2677,8 +2673,10 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
 
 void
 krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
-                     krb5_db_entry *client, krb5_db_entry *server,
-                     krb5_timestamp authtime, krb5_error_code error_code)
+                     const krb5_address *local_addr,
+                     const krb5_address *remote_addr, krb5_db_entry *client,
+                     krb5_db_entry *server, krb5_timestamp authtime,
+                     krb5_error_code error_code)
 {
     krb5_error_code status;
     kdb_vftabl *v;
@@ -2686,7 +2684,8 @@ krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
     status = get_vftabl(kcontext, &v);
     if (status || v->audit_as_req == NULL)
         return;
-    v->audit_as_req(kcontext, request, client, server, authtime, error_code);
+    v->audit_as_req(kcontext, request, local_addr, remote_addr,
+                    client, server, authtime, error_code);
 }
 
 void
diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c
index 8172e9d6ba16..691635ec752b 100644
--- a/src/lib/kdb/kdb_convert.c
+++ b/src/lib/kdb/kdb_convert.c
@@ -228,7 +228,7 @@ conv_princ_2ulog(krb5_principal princ, kdb_incr_update_t *upd,
 static void
 set_from_utf8str(krb5_data *d, utf8str_t u)
 {
-    if (u.utf8str_t_len > INT_MAX-1 || u.utf8str_t_len >= SIZE_MAX-1) {
+    if (u.utf8str_t_len > INT_MAX - 1) {
         d->data = NULL;
         return;
     }
@@ -419,7 +419,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
             break;
 
         case AT_FAIL_AUTH_COUNT:
-            if (!exclude_nra && entry->fail_auth_count >= (krb5_kvno)0) {
+            if (!exclude_nra) {
                 ULOG_ENTRY_TYPE(update, ++final).av_type =
                     AT_FAIL_AUTH_COUNT;
                 ULOG_ENTRY(update, final).av_fail_auth_count =
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 7a751487ce27..a1021f13a493 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -282,7 +282,7 @@ krb5_db_def_fetch_mkey_stash(krb5_context   context,
     key->length = keylength;
 #endif
 
-    if (!key->length || ((int) key->length) < 0) {
+    if (!key->length || key->length > 1024) {
         retval = KRB5_KDB_BADSTORED_MKEY;
         goto errout;
     }
diff --git a/src/lib/kdb/t_sort_key_data.c b/src/lib/kdb/t_sort_key_data.c
index d03d507a1c33..ffd1a156ac3d 100644
--- a/src/lib/kdb/t_sort_key_data.c
+++ b/src/lib/kdb/t_sort_key_data.c
@@ -30,10 +30,7 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <stdarg.h>
-#include <stddef.h>
-#include <setjmp.h>
-#include <cmocka.h>
+#include "k5-cmocka.h"
 #include "kdb.h"
 
 #define KEY(kvno) {                                             \
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index a827ca6083e8..889460989f70 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -158,8 +158,7 @@ static asn1_error_code
 encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag,
                      size_t *len_out)
 {
-    /* Range checking for time_t vs krb5_timestamp?  */
-    time_t val = *(krb5_timestamp *)p;
+    time_t val = ts2tt(*(krb5_timestamp *)p);
     rettag->asn1class = UNIVERSAL;
     rettag->construction = PRIMITIVE;
     rettag->tagnum = ASN1_GENERALTIME;
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index 5ac870728d9d..f84cf793e0db 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -34,6 +34,7 @@ STLIBOBJS= \
 	ccdefops.o \
 	ccmarshal.o \
 	ccselect.o \
+	ccselect_hostname.o \
 	ccselect_k5identity.o \
 	ccselect_realm.o \
 	cc_dir.o \
@@ -52,6 +53,7 @@ OBJS=	$(OUTPRE)ccbase.$(OBJEXT) \
 	$(OUTPRE)ccdefops.$(OBJEXT) \
 	$(OUTPRE)ccmarshal.$(OBJEXT) \
 	$(OUTPRE)ccselect.$(OBJEXT) \
+	$(OUTPRE)ccselect_hostname.$(OBJEXT) \
 	$(OUTPRE)ccselect_k5identity.$(OBJEXT) \
 	$(OUTPRE)ccselect_realm.$(OBJEXT) \
 	$(OUTPRE)cc_dir.$(OBJEXT) \
@@ -70,6 +72,7 @@ SRCS=	$(srcdir)/ccbase.c \
 	$(srcdir)/ccdefops.c \
 	$(srcdir)/ccmarshal.c \
 	$(srcdir)/ccselect.c \
+	$(srcdir)/ccselect_hostname.c \
 	$(srcdir)/ccselect_k5identity.c \
 	$(srcdir)/ccselect_realm.c \
 	$(srcdir)/cc_dir.c \
diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
index ee9b5e0e97a1..d920367cea97 100644
--- a/src/lib/krb5/ccache/cc-int.h
+++ b/src/lib/krb5/ccache/cc-int.h
@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
 krb5_error_code
 krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
 
+krb5_error_code
+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
+                         krb5_plugin_vtable vtable);
+
 krb5_error_code
 ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
                       krb5_plugin_vtable vtable);
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
index a889e67b4492..b621ed33b3e7 100644
--- a/src/lib/krb5/ccache/cc_kcm.c
+++ b/src/lib/krb5/ccache/cc_kcm.c
@@ -32,7 +32,7 @@
 
 /*
  * This cache type contacts a daemon for each cache operation, using Heimdal's
- * KCM protocol.  On OS X, the preferred transport is Mach RPC; on other
+ * KCM protocol.  On macOS, the preferred transport is Mach RPC; on other
  * Unix-like platforms or if the daemon is not available via RPC, Unix domain
  * sockets are used instead.
  */
@@ -360,7 +360,7 @@ kcmio_connect(krb5_context context, struct kcmio **io_out)
         return ENOMEM;
     io->fd = -1;
 
-    /* Try Mach RPC (OS X only), then fall back to Unix domain sockets */
+    /* Try Mach RPC (macOS only), then fall back to Unix domain sockets */
     ret = kcmio_mach_connect(context, io);
     if (ret)
         ret = kcmio_unix_socket_connect(context, io);
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 4fe3f0d6f1f2..fba710b1b651 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -751,7 +751,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
     for (;;) {
         if (krcc_next_cred(context, id, &cursor, &creds) != 0)
             break;
-        if (creds.times.endtime > endtime)
+        if (ts_after(creds.times.endtime, endtime))
             endtime = creds.times.endtime;
         krb5_free_cred_contents(context, &creds);
     }
@@ -765,7 +765,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
 
     /* Setting the timeout to zero would reset the timeout, so we set it to one
      * second instead if creds are already expired. */
-    timeout = (endtime > now) ? endtime - now : 1;
+    timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
     (void)keyctl_set_timeout(data->cache_id, timeout);
 }
 
@@ -1316,8 +1316,10 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
     if (ret)
         goto errout;
 
-    if (creds->times.endtime > now)
-        (void)keyctl_set_timeout(cred_key, creds->times.endtime - now);
+    if (ts_after(creds->times.endtime, now)) {
+        (void)keyctl_set_timeout(cred_key,
+                                 ts_delta(creds->times.endtime, now));
+    }
 
     update_keyring_expiration(context, id);
 
@@ -1680,8 +1682,8 @@ static void
 krcc_update_change_time(krcc_data *data)
 {
     krb5_timestamp now_time = time(NULL);
-    data->changetime = (data->changetime >= now_time) ?
-        data->changetime + 1 : now_time;
+    data->changetime = ts_after(now_time, data->changetime) ?
+        now_time : ts_incr(data->changetime, 1);
 }
 
 /*
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 0354575c5c16..c5425eb3ae7a 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -720,8 +720,8 @@ static void
 update_mcc_change_time(krb5_mcc_data *d)
 {
     krb5_timestamp now_time = time(NULL);
-    d->changetime = (d->changetime >= now_time) ?
-        d->changetime + 1 : now_time;
+    d->changetime = ts_after(now_time, d->changetime) ?
+        now_time : ts_incr(d->changetime, 1);
 }
 
 static krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 7a8047023716..c741a5099ae6 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -1553,6 +1553,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
     data->LogonHandle = LogonHandle;
     data->PackageId = PackageId;
     data->princ = NULL;
+    data->flags = 0;
 
     data->cc_name = (char *)malloc(strlen(residual)+1);
     if (data->cc_name == NULL) {
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index 1314d24bd68d..e8a20fe36001 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -46,11 +46,11 @@ static krb5_boolean
 times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
 {
     if (t1->renew_till) {
-        if (t1->renew_till > t2->renew_till)
+        if (ts_after(t1->renew_till, t2->renew_till))
             return FALSE;               /* this one expires too late */
     }
     if (t1->endtime) {
-        if (t1->endtime > t2->endtime)
+        if (ts_after(t1->endtime, t2->endtime))
             return FALSE;               /* this one expires too late */
     }
     /* only care about expiration on a times_match */
@@ -211,7 +211,6 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
         int pref;
     } fetched, best;
     int have_creds = 0;
-    krb5_flags oflags = 0;
 #define fetchcreds (fetched.creds)
 
     kret = krb5_cc_start_seq_get(context, id, &cursor);
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
index 9f44af3d087c..6092ee432222 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
@@ -16,8 +16,8 @@
 #include <malloc.h>
 #endif
 
+#include "k5-int.h"
 #include "stdcc_util.h"
-#include "krb5.h"
 #ifdef _WIN32                   /* it's part of krb5.h everywhere else */
 #include "kv5m_err.h"
 #endif
@@ -321,10 +321,10 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
         keyblock_contents = NULL;
 
         /* copy times */
-        out_creds->times.authtime   = cv5->authtime     + offset_seconds;
-        out_creds->times.starttime  = cv5->starttime    + offset_seconds;
-        out_creds->times.endtime    = cv5->endtime      + offset_seconds;
-        out_creds->times.renew_till = cv5->renew_till   + offset_seconds;
+        out_creds->times.authtime   = ts_incr(cv5->authtime, offset_seconds);
+        out_creds->times.starttime  = ts_incr(cv5->starttime, offset_seconds);
+        out_creds->times.endtime    = ts_incr(cv5->endtime, offset_seconds);
+        out_creds->times.renew_till = ts_incr(cv5->renew_till, offset_seconds);
         out_creds->is_skey          = cv5->is_skey;
         out_creds->ticket_flags     = cv5->ticket_flags;
 
@@ -451,11 +451,11 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
         cv5->keyblock.data = keyblock_data;
         keyblock_data = NULL;
 
-        cv5->authtime     = in_creds->times.authtime   - offset_seconds;
-        cv5->starttime    = in_creds->times.starttime  - offset_seconds;
-        cv5->endtime      = in_creds->times.endtime    - offset_seconds;
-        cv5->renew_till   = in_creds->times.renew_till - offset_seconds;
-        cv5->is_skey      = in_creds->is_skey;
+        cv5->authtime = ts_incr(in_creds->times.authtime, -offset_seconds);
+        cv5->starttime = ts_incr(in_creds->times.starttime, -offset_seconds);
+        cv5->endtime = ts_incr(in_creds->times.endtime, -offset_seconds);
+        cv5->renew_till = ts_incr(in_creds->times.renew_till, -offset_seconds);
+        cv5->is_skey = in_creds->is_skey;
         cv5->ticket_flags = in_creds->ticket_flags;
 
         if (in_creds->ticket.data) {
@@ -732,10 +732,10 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest)
     err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
     if (err) return;
 #endif
-    dest->times.authtime   = src->authtime     + offset_seconds;
-    dest->times.starttime  = src->starttime    + offset_seconds;
-    dest->times.endtime    = src->endtime      + offset_seconds;
-    dest->times.renew_till = src->renew_till   + offset_seconds;
+    dest->times.authtime   = ts_incr(src->authtime, offset_seconds);
+    dest->times.starttime  = ts_incr(src->starttime, offset_seconds);
+    dest->times.endtime    = ts_incr(src->endtime, offset_seconds);
+    dest->times.renew_till = ts_incr(src->renew_till, offset_seconds);
     dest->is_skey          = src->is_skey;
     dest->ticket_flags     = src->ticket_flags;
 
@@ -804,10 +804,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
     err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
     if (err) return;
 #endif
-    c->authtime     = creds->times.authtime   - offset_seconds;
-    c->starttime    = creds->times.starttime  - offset_seconds;
-    c->endtime      = creds->times.endtime    - offset_seconds;
-    c->renew_till   = creds->times.renew_till - offset_seconds;
+    c->authtime     = ts_incr(creds->times.authtime, -offset_seconds);
+    c->starttime    = ts_incr(creds->times.starttime, -offset_seconds);
+    c->endtime      = ts_incr(creds->times.endtime, -offset_seconds);
+    c->renew_till   = ts_incr(creds->times.renew_till, -offset_seconds);
     c->is_skey      = creds->is_skey;
     c->ticket_flags = creds->ticket_flags;
 
@@ -925,11 +925,11 @@ times_match(t1, t2)
     register const krb5_ticket_times *t2;
 {
     if (t1->renew_till) {
-        if (t1->renew_till > t2->renew_till)
+        if (ts_after(t1->renew_till, t2->renew_till))
             return FALSE;               /* this one expires too late */
     }
     if (t1->endtime) {
-        if (t1->endtime > t2->endtime)
+        if (ts_after(t1->endtime, t2->endtime))
             return FALSE;               /* this one expires too late */
     }
     /* only care about expiration on a times_match */
diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
index c31a3f5f0b87..506a27c1b969 100644
--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
@@ -159,7 +159,7 @@ krb5_cccol_last_change_time(krb5_context context,
         ret = krb5_cccol_cursor_next(context, c, &ccache);
         if (ccache) {
             ret = krb5_cc_last_change_time(context, ccache, &last_time);
-            if (!ret && last_time > max_change_time) {
+            if (!ret && ts_after(last_time, max_change_time)) {
                 max_change_time = last_time;
             }
             ret = 0;
@@ -230,14 +230,37 @@ save_first_error(krb5_context context, krb5_error_code code,
         k5_save_ctx_error(context, code, errsave);
 }
 
+/* Return 0 if cache contains any non-config credentials.  Return KRB5_CC_END
+ * if it does not, or another error if we failed to read through it. */
+static krb5_error_code
+has_content(krb5_context context, krb5_ccache cache)
+{
+    krb5_error_code ret;
+    krb5_boolean found = FALSE;
+    krb5_cc_cursor cache_cursor;
+    krb5_creds creds;
+
+    ret = krb5_cc_start_seq_get(context, cache, &cache_cursor);
+    if (ret)
+        return ret;
+    while (!found) {
+        ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds);
+        if (ret)
+            break;
+        if (!krb5_is_config_principal(context, creds.server))
+            found = TRUE;
+        krb5_free_cred_contents(context, &creds);
+    }
+    krb5_cc_end_seq_get(context, cache, &cache_cursor);
+    return ret;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_cccol_have_content(krb5_context context)
 {
     krb5_error_code ret;
     krb5_cccol_cursor col_cursor;
-    krb5_cc_cursor cache_cursor;
     krb5_ccache cache;
-    krb5_creds creds;
     krb5_boolean found = FALSE;
     struct errinfo errsave = EMPTY_ERRINFO;
     const char *defname;
@@ -252,24 +275,10 @@ krb5_cccol_have_content(krb5_context context)
         save_first_error(context, ret, &errsave);
         if (ret || cache == NULL)
             break;
-
-        ret = krb5_cc_start_seq_get(context, cache, &cache_cursor);
+        ret = has_content(context, cache);
         save_first_error(context, ret, &errsave);
-        if (ret) {
-            krb5_cc_close(context, cache);
-            continue;
-        }
-        while (!found) {
-            ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds);
-            save_first_error(context, ret, &errsave);
-            if (ret)
-                break;
-
-            if (!krb5_is_config_principal(context, creds.server))
-                found = TRUE;
-            krb5_free_cred_contents(context, &creds);
-        }
-        krb5_cc_end_seq_get(context, cache, &cache_cursor);
+        if (!ret)
+            found = TRUE;
         krb5_cc_close(context, cache);
     }
     krb5_cccol_cursor_free(context, &col_cursor);
diff --git a/src/lib/krb5/ccache/ccmarshal.c b/src/lib/krb5/ccache/ccmarshal.c
index bd6d309d1d4e..ae634ccab0d2 100644
--- a/src/lib/krb5/ccache/ccmarshal.c
+++ b/src/lib/krb5/ccache/ccmarshal.c
@@ -100,8 +100,8 @@
  * second value when reading it.
  */
 
-#include "k5-input.h"
 #include "cc-int.h"
+#include "k5-input.h"
 
 /* Read a 16-bit integer in host byte order for versions 1 and 2, or in
  * big-endian byte order for later versions.*/
diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
index 2f3071a272a2..6c360e1002ec 100644
--- a/src/lib/krb5/ccache/ccselect.c
+++ b/src/lib/krb5/ccache/ccselect.c
@@ -71,6 +71,11 @@ load_modules(krb5_context context)
     if (ret != 0)
         goto cleanup;
 
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
+                             ccselect_hostname_initvt);
+    if (ret != 0)
+        goto cleanup;
+
     ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules);
     if (ret != 0)
         goto cleanup;
@@ -115,14 +120,6 @@ cleanup:
     return ret;
 }
 
-static krb5_error_code
-choose(krb5_context context, struct ccselect_module_handle *h,
-       krb5_principal server, krb5_ccache *cache_out,
-       krb5_principal *princ_out)
-{
-    return h->vt.choose(context, h->data, server, cache_out, princ_out);
-}
-
 krb5_error_code KRB5_CALLCONV
 krb5_cc_select(krb5_context context, krb5_principal server,
                krb5_ccache *cache_out, krb5_principal *princ_out)
@@ -132,6 +129,8 @@ krb5_cc_select(krb5_context context, krb5_principal server,
     struct ccselect_module_handle **hp, *h;
     krb5_ccache cache;
     krb5_principal princ;
+    krb5_principal srvcp = NULL;
+    char **fbrealms = NULL;
 
     *cache_out = NULL;
     *princ_out = NULL;
@@ -139,7 +138,27 @@ krb5_cc_select(krb5_context context, krb5_principal server,
     if (context->ccselect_handles == NULL) {
         ret = load_modules(context);
         if (ret)
-            return ret;
+            goto cleanup;
+    }
+
+    /* Try to use the fallback host realm for the server if there is no
+     * authoritative realm. */
+    if (krb5_is_referral_realm(&server->realm) &&
+        server->type == KRB5_NT_SRV_HST && server->length == 2) {
+        ret = krb5_get_fallback_host_realm(context, &server->data[1],
+                                           &fbrealms);
+        if (ret)
+            goto cleanup;
+
+        /* Make a copy with the first fallback realm. */
+        ret = krb5_copy_principal(context, server, &srvcp);
+        if (ret)
+            goto cleanup;
+        ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]);
+        if (ret)
+            goto cleanup;
+
+        server = srvcp;
     }
 
     /* Consult authoritative modules first, then heuristic ones. */
@@ -149,26 +168,31 @@ krb5_cc_select(krb5_context context, krb5_principal server,
             h = *hp;
             if (h->priority != priority)
                 continue;
-            ret = choose(context, h, server, &cache, &princ);
+            ret = h->vt.choose(context, h->data, server, &cache, &princ);
             if (ret == 0) {
                 TRACE_CCSELECT_MODCHOICE(context, h->vt.name, server, cache,
                                          princ);
                 *cache_out = cache;
                 *princ_out = princ;
-                return 0;
+                goto cleanup;
             } else if (ret == KRB5_CC_NOTFOUND) {
                 TRACE_CCSELECT_MODNOTFOUND(context, h->vt.name, server, princ);
                 *princ_out = princ;
-                return ret;
+                goto cleanup;
             } else if (ret != KRB5_PLUGIN_NO_HANDLE) {
                 TRACE_CCSELECT_MODFAIL(context, h->vt.name, ret, server);
-                return ret;
+                goto cleanup;
             }
         }
     }
 
     TRACE_CCSELECT_NOTFOUND(context, server);
-    return KRB5_CC_NOTFOUND;
+    ret = KRB5_CC_NOTFOUND;
+
+cleanup:
+    krb5_free_principal(context, srvcp);
+    krb5_free_host_realm(context, fbrealms);
+    return ret;
 }
 
 void
diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
new file mode 100644
index 000000000000..475cfabaefd7
--- /dev/null
+++ b/src/lib/krb5/ccache/ccselect_hostname.c
@@ -0,0 +1,146 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
+/*
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "cc-int.h"
+#include <ctype.h>
+#include <krb5/ccselect_plugin.h>
+
+/* Swap a and b, using tmp as an intermediate. */
+#define SWAP(a, b, tmp)                         \
+    tmp = a;                                    \
+    a = b;                                      \
+    b = tmp;
+
+static krb5_error_code
+hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
+              int *priority_out)
+{
+    *data_out = NULL;
+    *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
+    return 0;
+}
+
+static krb5_error_code
+hostname_choose(krb5_context context, krb5_ccselect_moddata data,
+                krb5_principal server, krb5_ccache *ccache_out,
+                krb5_principal *princ_out)
+{
+    krb5_error_code ret;
+    char *p, *host = NULL;
+    size_t hostlen;
+    krb5_cccol_cursor col_cursor;
+    krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
+    krb5_principal princ, tmp_princ, best_princ = NULL;
+    krb5_data domain;
+
+    *ccache_out = NULL;
+    *princ_out = NULL;
+
+    if (server->type != KRB5_NT_SRV_HST || server->length < 2)
+        return KRB5_PLUGIN_NO_HANDLE;
+
+    /* Compute upper-case hostname. */
+    hostlen = server->data[1].length;
+    host = k5memdup0(server->data[1].data, hostlen, &ret);
+    if (host == NULL)
+        return ret;
+    for (p = host; *p != '\0'; p++) {
+        if (islower(*p))
+            *p = toupper(*p);
+    }
+
+    /* Scan the collection for a cache with a client principal whose realm is
+     * the longest tail of the server hostname. */
+    ret = krb5_cccol_cursor_new(context, &col_cursor);
+    if (ret)
+        goto done;
+
+    for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
+         ret == 0 && ccache != NULL;
+         ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
+        ret = krb5_cc_get_principal(context, ccache, &princ);
+        if (ret) {
+            krb5_cc_close(context, ccache);
+            break;
+        }
+
+        /* Check for a longer match than we have. */
+        domain = make_data(host, hostlen);
+        while (best_princ == NULL ||
+               best_princ->realm.length < domain.length) {
+            if (data_eq(princ->realm, domain)) {
+                SWAP(best_ccache, ccache, tmp_ccache);
+                SWAP(best_princ, princ, tmp_princ);
+                break;
+            }
+
+            /* Try the next parent domain. */
+            p = memchr(domain.data, '.', domain.length);
+            if (p == NULL)
+                break;
+            domain = make_data(p + 1, hostlen - (p + 1 - host));
+        }
+
+        if (ccache != NULL)
+            krb5_cc_close(context, ccache);
+        krb5_free_principal(context, princ);
+    }
+
+    krb5_cccol_cursor_free(context, &col_cursor);
+
+    if (best_ccache != NULL) {
+        *ccache_out = best_ccache;
+        *princ_out = best_princ;
+    } else {
+        ret = KRB5_PLUGIN_NO_HANDLE;
+    }
+
+done:
+    free(host);
+    return ret;
+}
+
+krb5_error_code
+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
+                         krb5_plugin_vtable vtable)
+{
+    krb5_ccselect_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_ccselect_vtable)vtable;
+    vt->name = "hostname";
+    vt->init = hostname_init;
+    vt->choose = hostname_choose;
+    return 0;
+}
diff --git a/src/lib/krb5/ccache/deps b/src/lib/krb5/ccache/deps
index 9cd2e00d456c..6732f75548ce 100644
--- a/src/lib/krb5/ccache/deps
+++ b/src/lib/krb5/ccache/deps
@@ -78,6 +78,17 @@ ccselect.so ccselect.po $(OUTPRE)ccselect.$(OBJEXT): \
   $(top_srcdir)/include/krb5/ccselect_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   cc-int.h ccselect.c
+ccselect_hostname.so ccselect_hostname.po $(OUTPRE)ccselect_hostname.$(OBJEXT): \
+  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/ccselect_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h cc-int.h ccselect_hostname.c
 ccselect_k5identity.so ccselect_k5identity.po $(OUTPRE)ccselect_k5identity.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 6a42f267df7d..091f2c43fa3a 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -264,9 +264,11 @@ more_recent(const krb5_keytab_entry *k1, const krb5_keytab_entry *k2)
      * limitations (8-bit kvno storage), pre-1.14 kadmin protocol limitations
      * (8-bit kvno marshalling), or KDB limitations (16-bit kvno storage).
      */
-    if (k1->timestamp >= k2->timestamp && k1->vno < 128 && k2->vno > 240)
+    if (!ts_after(k2->timestamp, k1->timestamp) &&
+        k1->vno < 128 && k2->vno > 240)
         return TRUE;
-    if (k1->timestamp <= k2->timestamp && k1->vno > 240 && k2->vno < 128)
+    if (!ts_after(k1->timestamp, k2->timestamp) &&
+        k1->vno > 240 && k2->vno < 128)
         return FALSE;
 
     /* Otherwise do a simple version comparison. */
@@ -357,7 +359,7 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
 
         }
 
-        if (kvno == IGNORE_VNO) {
+        if (kvno == IGNORE_VNO || new_entry.vno == IGNORE_VNO) {
             /* If this entry is more recent (or the first match), free the
              * current and keep the new.  Otherwise, free the new. */
             if (cur_entry.principal == NULL ||
diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c
index e89fdcb4dc99..8824adf50826 100644
--- a/src/lib/krb5/keytab/kt_memory.c
+++ b/src/lib/krb5/keytab/kt_memory.c
@@ -403,7 +403,7 @@ krb5_mkt_get_entry(krb5_context context, krb5_keytab id,
                 continue;
         }
 
-        if (kvno == IGNORE_VNO) {
+        if (kvno == IGNORE_VNO || entry->vno == IGNORE_VNO) {
             if (match == NULL)
                 match = entry;
             else if (entry->vno > match->vno)
diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index caa0158ecc2b..bbfaadfc298c 100644
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -205,7 +205,7 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip
     while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) {
         ent.key.enctype = enctype;
         if (krb5_principal_compare(context, principal, ent.principal)) {
-            if (kvno == IGNORE_VNO) {
+            if (kvno == IGNORE_VNO || ent.vno == IGNORE_VNO) {
                 if (!best_entry.principal || (best_entry.vno < ent.vno)) {
                     krb5_kt_free_entry(context, &best_entry);
                     best_entry = ent;
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 0fe02a95d09e..55f82b147d8c 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -364,6 +364,7 @@ SRCS=	$(srcdir)/addr_comp.c	\
 	$(srcdir)/t_in_ccache.c	\
 	$(srcdir)/t_response_items.c \
 	$(srcdir)/t_sname_match.c \
+	$(srcdir)/t_valid_times.c \
 	$(srcdir)/t_vfy_increds.c
 
 # Someday, when we have a "maintainer mode", do this right:
@@ -457,9 +458,12 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
 t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS)
 
+t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS)
+
 TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
-	t_in_ccache t_cc_config t_copy_context \
-	t_princ t_etypes t_vfy_increds t_response_items t_sname_match
+	t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \
+	t_response_items t_sname_match t_valid_times
 
 check-unix: $(TEST_PROGS)
 	$(RUN_TEST_LOCAL_CONF) ./t_kerb \
@@ -496,6 +500,7 @@ check-unix: $(TEST_PROGS)
 	$(RUN_TEST) ./t_response_items
 	$(RUN_TEST) ./t_copy_context
 	$(RUN_TEST) ./t_sname_match
+	$(RUN_TEST) ./t_valid_times
 
 check-pytests: t_expire_warn t_vfy_increds
 	$(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
@@ -522,8 +527,9 @@ clean:
 	$(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
 	$(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
 	$(OUTPRE)t_response_items$(EXEEXT) \
-	$(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \
-	$(OUTPRE)t_sname_match.$(OBJEXT) \
+	$(OUTPRE)t_response_items.$(OBJEXT) \
+	$(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \
+	$(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJECT) \
 	$(OUTPRE)t_parse_host_string$(EXEEXT) \
 	$(OUTPRE)t_parse_host_string.$(OBJEXT)
 
diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c
index 2c8b90b54ce3..6e6616e99ff8 100644
--- a/src/lib/krb5/krb/deltat.c
+++ b/src/lib/krb5/krb/deltat.c
@@ -72,7 +72,6 @@
 #ifdef __GNUC__
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wuninitialized"
-#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
 #endif
 
 #include "k5-int.h"
@@ -153,7 +152,7 @@ static int mylex(int *intp, struct param *tmv);
 static int yyparse(struct param *);
 
 
-#line 157 "deltat.c" /* yacc.c:339  */
+#line 156 "deltat.c" /* yacc.c:339  */
 
 # ifndef YY_NULLPTR
 #  if defined __cplusplus && 201103L <= __cplusplus
@@ -197,10 +196,10 @@ extern int yydebug;
 typedef union YYSTYPE YYSTYPE;
 union YYSTYPE
 {
-#line 129 "x-deltat.y" /* yacc.c:355  */
+#line 128 "x-deltat.y" /* yacc.c:355  */
 int val;
 
-#line 204 "deltat.c" /* yacc.c:355  */
+#line 203 "deltat.c" /* yacc.c:355  */
 };
 # define YYSTYPE_IS_TRIVIAL 1
 # define YYSTYPE_IS_DECLARED 1
@@ -214,7 +213,7 @@ int yyparse (struct param *tmv);
 
 /* Copy the second part of user declarations.  */
 
-#line 218 "deltat.c" /* yacc.c:358  */
+#line 217 "deltat.c" /* yacc.c:358  */
 
 #ifdef short
 # undef short
@@ -512,9 +511,9 @@ static const yytype_uint8 yytranslate[] =
   /* YYRLINE[YYN] -- Source line where rule number YYN was defined.  */
 static const yytype_uint8 yyrline[] =
 {
-       0,   143,   143,   144,   144,   145,   145,   146,   146,   147,
-     148,   150,   151,   152,   153,   154,   155,   156,   157,   162,
-     163,   166,   167,   170,   171
+       0,   142,   142,   143,   143,   144,   144,   145,   145,   146,
+     147,   149,   150,   151,   152,   153,   154,   155,   156,   161,
+     162,   165,   166,   169,   170
 };
 #endif
 
@@ -1310,93 +1309,93 @@ yyreduce:
   switch (yyn)
     {
         case 6:
-#line 145 "x-deltat.y" /* yacc.c:1646  */
+#line 144 "x-deltat.y" /* yacc.c:1646  */
     { (yyval.val) = - (yyvsp[0].val); }
-#line 1316 "deltat.c" /* yacc.c:1646  */
+#line 1315 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 9:
-#line 147 "x-deltat.y" /* yacc.c:1646  */
+#line 146 "x-deltat.y" /* yacc.c:1646  */
     { (yyval.val) = (yyvsp[0].val); }
-#line 1322 "deltat.c" /* yacc.c:1646  */
+#line 1321 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 10:
-#line 148 "x-deltat.y" /* yacc.c:1646  */
+#line 147 "x-deltat.y" /* yacc.c:1646  */
     { YYERROR; }
-#line 1328 "deltat.c" /* yacc.c:1646  */
+#line 1327 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 11:
-#line 150 "x-deltat.y" /* yacc.c:1646  */
+#line 149 "x-deltat.y" /* yacc.c:1646  */
     { DO ((yyvsp[-2].val),  0,  0, (yyvsp[0].val)); }
-#line 1334 "deltat.c" /* yacc.c:1646  */
+#line 1333 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 12:
-#line 151 "x-deltat.y" /* yacc.c:1646  */
+#line 150 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0, (yyvsp[-2].val),  0, (yyvsp[0].val)); }
-#line 1340 "deltat.c" /* yacc.c:1646  */
+#line 1339 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 13:
-#line 152 "x-deltat.y" /* yacc.c:1646  */
+#line 151 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0,  0, (yyvsp[-2].val), (yyvsp[0].val)); }
-#line 1346 "deltat.c" /* yacc.c:1646  */
+#line 1345 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 14:
-#line 153 "x-deltat.y" /* yacc.c:1646  */
+#line 152 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0,  0,  0, (yyvsp[-1].val)); }
-#line 1352 "deltat.c" /* yacc.c:1646  */
+#line 1351 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 15:
-#line 154 "x-deltat.y" /* yacc.c:1646  */
+#line 153 "x-deltat.y" /* yacc.c:1646  */
     { DO ((yyvsp[-6].val), (yyvsp[-4].val), (yyvsp[-2].val), (yyvsp[0].val)); }
-#line 1358 "deltat.c" /* yacc.c:1646  */
+#line 1357 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 16:
-#line 155 "x-deltat.y" /* yacc.c:1646  */
+#line 154 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0, (yyvsp[-4].val), (yyvsp[-2].val), (yyvsp[0].val)); }
-#line 1364 "deltat.c" /* yacc.c:1646  */
+#line 1363 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 17:
-#line 156 "x-deltat.y" /* yacc.c:1646  */
+#line 155 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0, (yyvsp[-2].val), (yyvsp[0].val),  0); }
-#line 1370 "deltat.c" /* yacc.c:1646  */
+#line 1369 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 18:
-#line 157 "x-deltat.y" /* yacc.c:1646  */
+#line 156 "x-deltat.y" /* yacc.c:1646  */
     { DO ( 0,  0,  0, (yyvsp[0].val)); }
-#line 1376 "deltat.c" /* yacc.c:1646  */
+#line 1375 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 20:
-#line 163 "x-deltat.y" /* yacc.c:1646  */
+#line 162 "x-deltat.y" /* yacc.c:1646  */
     { if (HOUR_NOT_OK((yyvsp[-2].val))) YYERROR;
 	                                  DO_SUM((yyval.val), (yyvsp[-2].val) * 3600, (yyvsp[0].val)); }
-#line 1383 "deltat.c" /* yacc.c:1646  */
+#line 1382 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 22:
-#line 167 "x-deltat.y" /* yacc.c:1646  */
+#line 166 "x-deltat.y" /* yacc.c:1646  */
     { if (MIN_NOT_OK((yyvsp[-2].val))) YYERROR;
 	                                  DO_SUM((yyval.val), (yyvsp[-2].val) * 60, (yyvsp[0].val)); }
-#line 1390 "deltat.c" /* yacc.c:1646  */
+#line 1389 "deltat.c" /* yacc.c:1646  */
     break;
 
   case 23:
-#line 170 "x-deltat.y" /* yacc.c:1646  */
+#line 169 "x-deltat.y" /* yacc.c:1646  */
     { (yyval.val) = 0; }
-#line 1396 "deltat.c" /* yacc.c:1646  */
+#line 1395 "deltat.c" /* yacc.c:1646  */
     break;
 
 
-#line 1400 "deltat.c" /* yacc.c:1646  */
+#line 1399 "deltat.c" /* yacc.c:1646  */
       default: break;
     }
   /* User semantic actions sometimes alter yychar, and that requires
@@ -1624,7 +1623,7 @@ yyreturn:
 #endif
   return yyresult;
 }
-#line 173 "x-deltat.y" /* yacc.c:1906  */
+#line 172 "x-deltat.y" /* yacc.c:1906  */
 
 
 #ifdef __GNUC__
diff --git a/src/lib/krb5/krb/deps b/src/lib/krb5/krb/deps
index 6919eaf717aa..f78b47e766e1 100644
--- a/src/lib/krb5/krb/deps
+++ b/src/lib/krb5/krb/deps
@@ -1236,8 +1236,15 @@ t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   t_walk_rtree.c
 t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
-  t_kerb.c
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h t_kerb.c
 t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -1283,14 +1290,14 @@ t_pac.so t_pac.po $(OUTPRE)t_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 t_parse_host_string.so t_parse_host_string.po $(OUTPRE)t_parse_host_string.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  t_parse_host_string.c
+  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-cmocka.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h t_parse_host_string.c
 t_princ.so t_princ.po $(OUTPRE)t_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -1389,6 +1396,17 @@ t_sname_match.so t_sname_match.po $(OUTPRE)t_sname_match.$(OBJEXT): \
   $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
   t_sname_match.c
+t_valid_times.so t_valid_times.po $(OUTPRE)t_valid_times.$(OBJEXT): \
+  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  int-proto.h t_valid_times.c
 t_vfy_increds.so t_vfy_increds.po $(OUTPRE)t_vfy_increds.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index a217d4c24001..87f63b6bc4c8 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -37,8 +37,9 @@
 /* Get a TGT for use at the remote host */
 krb5_error_code KRB5_CALLCONV
 krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
-                   char *rhost, krb5_principal client, krb5_principal server,
-                   krb5_ccache cc, int forwardable, krb5_data *outbuf)
+                   const char *rhost, krb5_principal client,
+                   krb5_principal server, krb5_ccache cc, int forwardable,
+                   krb5_data *outbuf)
 /* Should forwarded TGT also be forwardable? */
 {
     krb5_replay_data replaydata;
@@ -48,8 +49,8 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
     krb5_creds creds, tgt;
     krb5_creds *pcreds;
     krb5_flags kdcoptions;
-    int close_cc = 0;
-    int free_rhost = 0;
+    krb5_ccache defcc = NULL;
+    char *def_rhost = NULL;
     krb5_enctype enctype = 0;
     krb5_keyblock *session_key;
     krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
@@ -58,9 +59,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
     memset(&tgt, 0, sizeof(creds));
 
     if (cc == 0) {
-        if ((retval = krb5int_cc_default(context, &cc)))
+        if ((retval = krb5int_cc_default(context, &defcc)))
             goto errout;
-        close_cc = 1;
+        cc = defcc;
     }
     retval = krb5_auth_con_getkey (context, auth_context, &session_key);
     if (retval)
@@ -131,11 +132,11 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
                 goto errout;
             }
 
-            rhost = k5memdup0(server->data[1].data, server->data[1].length,
-                              &retval);
-            if (rhost == NULL)
+            def_rhost = k5memdup0(server->data[1].data, server->data[1].length,
+                                  &retval);
+            if (def_rhost == NULL)
                 goto errout;
-            free_rhost = 1;
+            rhost = def_rhost;
         }
 
         retval = k5_os_hostaddr(context, rhost, &addrs);
@@ -176,10 +177,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
 errout:
     if (addrs)
         krb5_free_addresses(context, addrs);
-    if (close_cc)
-        krb5_cc_close(context, cc);
-    if (free_rhost)
-        free(rhost);
+    if (defcc)
+        krb5_cc_close(context, defcc);
+    free(def_rhost);
     krb5_free_cred_contents(context, &creds);
     krb5_free_cred_contents(context, &tgt);
     return retval;
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 4c0a1a46120a..5b9bb9573e27 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -287,26 +287,27 @@ krb5int_process_tgs_reply(krb5_context context,
         retval = KRB5_KDCREP_MODIFIED;
 
     if ((in_cred->times.endtime != 0) &&
-        (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
+        ts_after(dec_rep->enc_part2->times.endtime, in_cred->times.endtime))
         retval = KRB5_KDCREP_MODIFIED;
 
     if ((kdcoptions & KDC_OPT_RENEWABLE) &&
         (in_cred->times.renew_till != 0) &&
-        (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
+        ts_after(dec_rep->enc_part2->times.renew_till,
+                 in_cred->times.renew_till))
         retval = KRB5_KDCREP_MODIFIED;
 
     if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
         (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
         (in_cred->times.endtime != 0) &&
-        (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
+        ts_after(dec_rep->enc_part2->times.renew_till, in_cred->times.endtime))
         retval = KRB5_KDCREP_MODIFIED;
 
     if (retval != 0)
         goto cleanup;
 
     if (!in_cred->times.starttime &&
-        !in_clock_skew(dec_rep->enc_part2->times.starttime,
-                       timestamp)) {
+        !ts_within(dec_rep->enc_part2->times.starttime, timestamp,
+                   context->clockskew)) {
         retval = KRB5_KDCREP_SKEW;
         goto cleanup;
     }
diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
index 61f36aa3665f..bc2c46d30c22 100644
--- a/src/lib/krb5/krb/gen_save_subkey.c
+++ b/src/lib/krb5/krb/gen_save_subkey.c
@@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context,
        to guarantee randomness, but to make it less likely that multiple
        sessions could pick the same subkey.  */
     struct {
-        krb5_int32 sec, usec;
+        krb5_timestamp sec;
+        krb5_int32 usec;
     } rnd_data;
     krb5_data d;
     krb5_error_code retval;
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 110abeb2b1bd..69900adfa046 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -576,14 +576,6 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
     }
 
     if (ctx->referral_count == 1) {
-        /* Cache the referral TGT only if it's from the local realm.
-         * Make sure to note the associated authdata, if any. */
-        code = krb5_copy_authdata(context, ctx->authdata,
-                                  &ctx->reply_creds->authdata);
-        if (code != 0)
-            return code;
-        (void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds);
-
         /* The authdata in this TGT will be copied into subsequent TGTs or the
          * final credentials, so we don't need to request it again. */
         krb5_free_authdata(context, ctx->in_creds->authdata);
@@ -816,7 +808,7 @@ get_cached_local_tgt(krb5_context context, krb5_tkt_creds_context ctx,
         return code;
 
     /* Check if the TGT is expired before bothering the KDC with it. */
-    if (now > tgt->times.endtime) {
+    if (ts_after(now, tgt->times.endtime)) {
         krb5_free_creds(context, tgt);
         return KRB5KRB_AP_ERR_TKT_EXPIRED;
     }
@@ -934,8 +926,9 @@ step_get_tgt(krb5_context context, krb5_tkt_creds_context ctx)
         /* See where we wound up on the path (or off it). */
         path_realm = find_realm_in_path(context, ctx, tgt_realm);
         if (path_realm != NULL) {
-            /* We got a realm on the expected path, so we can cache it. */
-            (void) krb5_cc_store_cred(context, ctx->ccache, ctx->cur_tgt);
+            /* Only cache the TGT if we asked for it, to avoid duplicates. */
+            if (path_realm == ctx->next_realm)
+                (void)krb5_cc_store_cred(context, ctx->ccache, ctx->cur_tgt);
             if (path_realm == ctx->last_realm) {
                 /* We received a TGT for the target realm. */
                 TRACE_TKT_CREDS_TARGET_TGT(context, ctx->cur_tgt->server);
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 54badbbc32f8..47a00bf2c702 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -39,24 +39,6 @@ static krb5_error_code sort_krb5_padata_sequence(krb5_context context,
                                                  krb5_data *realm,
                                                  krb5_pa_data **padata);
 
-/*
- * This function performs 32 bit bounded addition so we can generate
- * lifetimes without overflowing krb5_int32
- */
-static krb5_int32
-krb5int_addint32 (krb5_int32 x, krb5_int32 y)
-{
-    if ((x > 0) && (y > (KRB5_INT32_MAX - x))) {
-        /* sum will be be greater than KRB5_INT32_MAX */
-        return KRB5_INT32_MAX;
-    } else if ((x < 0) && (y < (KRB5_INT32_MIN - x))) {
-        /* sum will be less than KRB5_INT32_MIN */
-        return KRB5_INT32_MIN;
-    }
-
-    return x + y;
-}
-
 /*
  * Decrypt the AS reply in ctx, populating ctx->reply->enc_part2.  If
  * strengthen_key is not null, combine it with the reply key as specified in
@@ -267,28 +249,28 @@ verify_as_reply(krb5_context            context,
             (request->from != 0) &&
             (request->from != as_reply->enc_part2->times.starttime))
         || ((request->till != 0) &&
-            (as_reply->enc_part2->times.endtime > request->till))
+            ts_after(as_reply->enc_part2->times.endtime, request->till))
         || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
             (request->rtime != 0) &&
-            (as_reply->enc_part2->times.renew_till > request->rtime))
+            ts_after(as_reply->enc_part2->times.renew_till, request->rtime))
         || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
             !(request->kdc_options & KDC_OPT_RENEWABLE) &&
             (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
             (request->till != 0) &&
-            (as_reply->enc_part2->times.renew_till > request->till))
+            ts_after(as_reply->enc_part2->times.renew_till, request->till))
     ) {
         return KRB5_KDCREP_MODIFIED;
     }
 
     if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
-        time_offset = as_reply->enc_part2->times.authtime - time_now;
+        time_offset = ts_delta(as_reply->enc_part2->times.authtime, time_now);
         retval = krb5_set_time_offsets(context, time_offset, 0);
         if (retval)
             return retval;
     } else {
         if ((request->from == 0) &&
-            (labs(as_reply->enc_part2->times.starttime - time_now)
-             > context->clockskew))
+            !ts_within(as_reply->enc_part2->times.starttime, time_now,
+                       context->clockskew))
             return (KRB5_KDCREP_SKEW);
     }
     return 0;
@@ -583,7 +565,7 @@ krb5_init_creds_free(krb5_context context,
     k5_response_items_free(ctx->rctx.items);
     free(ctx->in_tkt_service);
     zapfree(ctx->gakpw.storage.data, ctx->gakpw.storage.length);
-    k5_preauth_request_context_fini(context);
+    k5_preauth_request_context_fini(context, ctx);
     krb5_free_error(context, ctx->err_reply);
     krb5_free_pa_data(context, ctx->err_padata);
     krb5_free_cred_contents(context, &ctx->cred);
@@ -593,7 +575,9 @@ krb5_init_creds_free(krb5_context context,
     krb5_free_data(context, ctx->inner_request_body);
     krb5_free_data(context, ctx->encoded_previous_request);
     krb5int_fast_free_state(context, ctx->fast_state);
-    krb5_free_pa_data(context, ctx->preauth_to_use);
+    krb5_free_pa_data(context, ctx->optimistic_padata);
+    krb5_free_pa_data(context, ctx->method_padata);
+    krb5_free_pa_data(context, ctx->more_padata);
     krb5_free_data_contents(context, &ctx->salt);
     krb5_free_data_contents(context, &ctx->s2kparams);
     krb5_free_keyblock_contents(context, &ctx->as_key);
@@ -760,23 +744,6 @@ k5_init_creds_current_time(krb5_context context, krb5_init_creds_context ctx,
     }
 }
 
-/* Choose a random nonce for ctx->request. */
-static krb5_error_code
-pick_nonce(krb5_context context, krb5_init_creds_context ctx)
-{
-    krb5_error_code code = 0;
-    unsigned char random_buf[4];
-    krb5_data random_data = make_data(random_buf, 4);
-
-    /* We incorrectly encode this as signed, so make sure we use an unsigned
-     * value to avoid interoperability issues. */
-    code = krb5_c_random_make_octets(context, &random_data);
-    if (code != 0)
-        return code;
-    ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
-    return 0;
-}
-
 /* Set the timestamps for ctx->request based on the desired lifetimes. */
 static krb5_error_code
 set_request_times(krb5_context context, krb5_init_creds_context ctx)
@@ -790,16 +757,16 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
         return code;
 
     /* Omit request start time unless the caller explicitly asked for one. */
-    from = krb5int_addint32(now, ctx->start_time);
+    from = ts_incr(now, ctx->start_time);
     if (ctx->start_time != 0)
         ctx->request->from = from;
 
-    ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
+    ctx->request->till = ts_incr(from, ctx->tkt_life);
 
     if (ctx->renew_life > 0) {
         /* Don't ask for a smaller renewable time than the lifetime. */
-        ctx->request->rtime = krb5int_addint32(from, ctx->renew_life);
-        if (ctx->request->rtime < ctx->request->till)
+        ctx->request->rtime = ts_incr(from, ctx->renew_life);
+        if (ts_after(ctx->request->till, ctx->request->rtime))
             ctx->request->rtime = ctx->request->till;
         ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK;
     } else {
@@ -809,6 +776,31 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
     return 0;
 }
 
+static void
+read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
+{
+    krb5_error_code ret;
+    krb5_data config;
+    char *tmp, *p;
+    krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
+
+    ctx->allowed_preauth_type = KRB5_PADATA_NONE;
+    if (in_ccache == NULL)
+        return;
+    memset(&config, 0, sizeof(config));
+    if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
+                           KRB5_CC_CONF_PA_TYPE, &config) != 0)
+        return;
+    tmp = k5memdup0(config.data, config.length, &ret);
+    krb5_free_data_contents(context, &config);
+    if (tmp == NULL)
+        return;
+    ctx->allowed_preauth_type = strtol(tmp, &p, 10);
+    if (p == NULL || *p != '\0')
+        ctx->allowed_preauth_type = KRB5_PADATA_NONE;
+    free(tmp);
+}
+
 /**
  * Throw away any pre-authentication realm state and begin with a
  * unauthenticated or optimistically authenticated request.  If fast_upgrade is
@@ -820,11 +812,15 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
 {
     krb5_error_code code = 0;
 
-    krb5_free_pa_data(context, ctx->preauth_to_use);
+    krb5_free_pa_data(context, ctx->optimistic_padata);
+    krb5_free_pa_data(context, ctx->method_padata);
+    krb5_free_pa_data(context, ctx->more_padata);
     krb5_free_pa_data(context, ctx->err_padata);
     krb5_free_error(context, ctx->err_reply);
-    ctx->preauth_to_use = ctx->err_padata = NULL;
+    ctx->optimistic_padata = ctx->method_padata = ctx->more_padata = NULL;
+    ctx->err_padata = NULL;
     ctx->err_reply = NULL;
+    ctx->selected_preauth_type = KRB5_PADATA_NONE;
 
     krb5int_fast_free_state(context, ctx->fast_state);
     ctx->fast_state = NULL;
@@ -834,14 +830,14 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
     if (fast_upgrade)
         ctx->fast_state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
 
-    k5_preauth_request_context_fini(context);
-    k5_preauth_request_context_init(context);
+    k5_preauth_request_context_fini(context, ctx);
+    k5_preauth_request_context_init(context, ctx);
     krb5_free_data(context, ctx->outer_request_body);
     ctx->outer_request_body = NULL;
     if (ctx->opt->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
         code = make_preauth_list(context, ctx->opt->preauth_list,
                                  ctx->opt->preauth_list_length,
-                                 &ctx->preauth_to_use);
+                                 &ctx->optimistic_padata);
         if (code)
             goto cleanup;
     }
@@ -867,6 +863,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
                                       &ctx->outer_request_body);
     if (code != 0)
         goto cleanup;
+
+    /* Read the allowed preauth type for this server principal from the input
+     * ccache, if the application supplied one. */
+    read_allowed_preauth_type(context, ctx);
+
 cleanup:
     return code;
 }
@@ -1172,31 +1173,6 @@ init_creds_validate_reply(krb5_context context,
     return 0;
 }
 
-static void
-read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
-{
-    krb5_error_code ret;
-    krb5_data config;
-    char *tmp, *p;
-    krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt);
-
-    ctx->allowed_preauth_type = KRB5_PADATA_NONE;
-    if (in_ccache == NULL)
-        return;
-    memset(&config, 0, sizeof(config));
-    if (krb5_cc_get_config(context, in_ccache, ctx->request->server,
-                           KRB5_CC_CONF_PA_TYPE, &config) != 0)
-        return;
-    tmp = k5memdup0(config.data, config.length, &ret);
-    krb5_free_data_contents(context, &config);
-    if (tmp == NULL)
-        return;
-    ctx->allowed_preauth_type = strtol(tmp, &p, 10);
-    if (p == NULL || *p != '\0')
-        ctx->allowed_preauth_type = KRB5_PADATA_NONE;
-    free(tmp);
-}
-
 static krb5_error_code
 save_selected_preauth_type(krb5_context context, krb5_ccache ccache,
                            krb5_init_creds_context ctx)
@@ -1313,6 +1289,9 @@ init_creds_step_request(krb5_context context,
                         krb5_data *out)
 {
     krb5_error_code code;
+    krb5_preauthtype pa_type;
+    struct errinfo save = EMPTY_ERRINFO;
+    uint32_t rcode = (ctx->err_reply == NULL) ? 0 : ctx->err_reply->error;
 
     if (ctx->loopcount >= MAX_IN_TKT_LOOPS) {
         code = KRB5_GET_IN_TKT_LOOP;
@@ -1320,7 +1299,7 @@ init_creds_step_request(krb5_context context,
     }
 
     /* RFC 6113 requires a new nonce for the inner request on each try. */
-    code = pick_nonce(context, ctx);
+    code = k5_generate_nonce(context, &ctx->request->nonce);
     if (code != 0)
         goto cleanup;
 
@@ -1335,11 +1314,6 @@ init_creds_step_request(krb5_context context,
     if (code)
         goto cleanup;
 
-    /* Read the allowed patype for this server principal from the in_ccache,
-     * if the application supplied one. */
-    read_allowed_preauth_type(context, ctx);
-    ctx->selected_preauth_type = KRB5_PADATA_NONE;
-
     /*
      * Read cached preauth configuration data for this server principal from
      * the in_ccache, if the application supplied one, and delete any that was
@@ -1348,32 +1322,65 @@ init_creds_step_request(krb5_context context,
     read_cc_config_in_data(context, ctx);
     clear_cc_config_out_data(context, ctx);
 
-    if (ctx->err_reply == NULL) {
-        /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
-         * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
-        code = k5_preauth(context, ctx, ctx->preauth_to_use,
-                          ctx->preauth_required, &ctx->request->padata,
-                          &ctx->selected_preauth_type);
-        if (code != 0)
-            goto cleanup;
-    } else {
-        if (ctx->preauth_to_use != NULL) {
-            /*
-             * Retry after an error other than PREAUTH_NEEDED,
-             * using ctx->err_padata to figure out what to change.
-             */
-            code = k5_preauth_tryagain(context, ctx, ctx->preauth_to_use,
-                                       &ctx->request->padata);
-        } else {
-            /* No preauth supplied, so can't query the plugins. */
-            code = KRB5KRB_ERR_GENERIC;
+    ctx->request->padata = NULL;
+    if (ctx->optimistic_padata != NULL) {
+        /* Our first attempt, using an optimistic padata list. */
+        TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(context);
+        code = k5_preauth(context, ctx, ctx->optimistic_padata, TRUE,
+                          &ctx->request->padata, &ctx->selected_preauth_type);
+        krb5_free_pa_data(context, ctx->optimistic_padata);
+        ctx->optimistic_padata = NULL;
+        if (code) {
+            /* Make an unauthenticated request, and possibly try again using
+             * the same mechanisms as we tried optimistically. */
+            k5_reset_preauth_types_tried(ctx);
+            krb5_clear_error_message(context);
+            code = 0;
         }
-        if (code != 0) {
-            /* couldn't come up with anything better */
+    } if (ctx->more_padata != NULL) {
+        /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
+        TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type);
+        code = k5_preauth(context, ctx, ctx->more_padata, TRUE,
+                          &ctx->request->padata, &pa_type);
+    } else if (rcode == KDC_ERR_PREAUTH_FAILED) {
+        /* Report the KDC-side failure code if we can't try another mech. */
+        code = KRB5KDC_ERR_PREAUTH_FAILED;
+    } else if (rcode && rcode != KDC_ERR_PREAUTH_REQUIRED) {
+        /* Retrying after an error (possibly mechanism-specific), using error
+         * padata to figure out what to change. */
+        TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(context, ctx->err_reply->error,
+                                          ctx->selected_preauth_type);
+        code = k5_preauth_tryagain(context, ctx, ctx->selected_preauth_type,
+                                   ctx->err_reply, ctx->err_padata,
+                                   &ctx->request->padata);
+        if (code) {
+            krb5_clear_error_message(context);
             code = ctx->err_reply->error + ERROR_TABLE_BASE_krb5;
+        }
+    }
+    /* Don't continue after a keyboard interrupt. */
+    if (code == KRB5_LIBOS_PWDINTR)
+        goto cleanup;
+    if (code) {
+        /* See if we can try a different preauth mech before giving up. */
+        k5_save_ctx_error(context, code, &save);
+        ctx->selected_preauth_type = KRB5_PADATA_NONE;
+    }
+
+    if (ctx->request->padata == NULL && ctx->method_padata != NULL) {
+        /* Retrying after KDC_ERR_PREAUTH_REQUIRED, or trying again with a
+         * different mechanism after a failure. */
+        TRACE_INIT_CREDS_PREAUTH(context);
+        code = k5_preauth(context, ctx, ctx->method_padata, TRUE,
+                          &ctx->request->padata, &ctx->selected_preauth_type);
+        if (code) {
+            if (save.code != 0)
+                code = k5_restore_ctx_error(context, &save);
             goto cleanup;
         }
     }
+    if (ctx->request->padata == NULL)
+        TRACE_INIT_CREDS_PREAUTH_NONE(context);
 
     /* Remember when we sent this request (after any preauth delay). */
     ctx->request_time = time(NULL);
@@ -1382,8 +1389,6 @@ init_creds_step_request(krb5_context context,
         krb5_free_data(context, ctx->encoded_previous_request);
         ctx->encoded_previous_request = NULL;
     }
-    if (ctx->request->padata)
-        ctx->sent_nontrivial_preauth = TRUE;
     if (ctx->enc_pa_rep_permitted) {
         code = add_padata(&ctx->request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP,
                           NULL, 0);
@@ -1411,6 +1416,7 @@ init_creds_step_request(krb5_context context,
 cleanup:
     krb5_free_pa_data(context, ctx->request->padata);
     ctx->request->padata = NULL;
+    k5_clear_error(&save);
     return code;
 }
 
@@ -1438,7 +1444,7 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
 
     if (k5_time_with_offset(0, 0, &now, &usec) != 0)
         return;
-    ctx->pa_offset = kdc_time - now;
+    ctx->pa_offset = ts_delta(kdc_time, now);
     ctx->pa_offset_usec = kdc_usec - usec;
     ctx->pa_offset_state = (ctx->fast_state->armor_key != NULL) ?
         AUTH_OFFSET : UNAUTH_OFFSET;
@@ -1463,6 +1469,18 @@ is_referral(krb5_context context, krb5_error *err, krb5_principal client)
     return !krb5_realm_compare(context, err->client, client);
 }
 
+/* Transfer error padata to method data in ctx and sort it according to
+ * configuration. */
+static krb5_error_code
+accept_method_data(krb5_context context, krb5_init_creds_context ctx)
+{
+    krb5_free_pa_data(context, ctx->method_padata);
+    ctx->method_padata = ctx->err_padata;
+    ctx->err_padata = NULL;
+    return sort_krb5_padata_sequence(context, &ctx->request->client->realm,
+                                     ctx->method_padata);
+}
+
 static krb5_error_code
 init_creds_step_reply(krb5_context context,
                       krb5_init_creds_context ctx,
@@ -1492,8 +1510,9 @@ init_creds_step_reply(krb5_context context,
         ctx->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
 
     if (ctx->err_reply != NULL) {
+        krb5_free_pa_data(context, ctx->more_padata);
         krb5_free_pa_data(context, ctx->err_padata);
-        ctx->err_padata = NULL;
+        ctx->more_padata = ctx->err_padata = NULL;
         code = krb5int_fast_process_error(context, ctx->fast_state,
                                           &ctx->err_reply, &ctx->err_padata,
                                           &retry);
@@ -1508,7 +1527,7 @@ init_creds_step_reply(krb5_context context,
             ctx->restarted = TRUE;
             code = restart_init_creds_loop(context, ctx, TRUE);
         } else if (!ctx->restarted && reply_code == KDC_ERR_PREAUTH_FAILED &&
-                   !ctx->sent_nontrivial_preauth) {
+                   ctx->selected_preauth_type == KRB5_PADATA_NONE) {
             /* The KDC didn't like our informational padata (probably a pre-1.7
              * MIT krb5 KDC).  Retry without it. */
             ctx->enc_pa_rep_permitted = FALSE;
@@ -1519,23 +1538,30 @@ init_creds_step_reply(krb5_context context,
              * FAST upgrade. */
             ctx->restarted = FALSE;
             code = restart_init_creds_loop(context, ctx, FALSE);
-        } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
-                    reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
-            /* reset the list of preauth types to try */
-            k5_reset_preauth_types_tried(context);
-            krb5_free_pa_data(context, ctx->preauth_to_use);
-            ctx->preauth_to_use = ctx->err_padata;
-            ctx->err_padata = NULL;
+        } else if (reply_code == KDC_ERR_PREAUTH_REQUIRED && retry) {
             note_req_timestamp(context, ctx, ctx->err_reply->stime,
                                ctx->err_reply->susec);
-            /* This will trigger a new call to k5_preauth(). */
-            krb5_free_error(context, ctx->err_reply);
-            ctx->err_reply = NULL;
-            code = sort_krb5_padata_sequence(context,
-                                             &ctx->request->client->realm,
-                                             ctx->preauth_to_use);
-            ctx->preauth_required = TRUE;
-
+            code = accept_method_data(context, ctx);
+        } else if (reply_code == KDC_ERR_PREAUTH_FAILED && retry) {
+            note_req_timestamp(context, ctx, ctx->err_reply->stime,
+                               ctx->err_reply->susec);
+            if (ctx->method_padata == NULL) {
+                /* Optimistic preauth failed on the KDC.  Allow all mechanisms
+                 * to be tried again using method data. */
+                k5_reset_preauth_types_tried(ctx);
+            } else {
+                /* Don't try again with the mechanism that failed. */
+                code = k5_preauth_note_failed(ctx, ctx->selected_preauth_type);
+                if (code)
+                    goto cleanup;
+            }
+            ctx->selected_preauth_type = KRB5_PADATA_NONE;
+            /* Accept or update method data if the KDC sent it. */
+            if (ctx->err_padata != NULL)
+                code = accept_method_data(context, ctx);
+        } else if (reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && retry) {
+            ctx->more_padata = ctx->err_padata;
+            ctx->err_padata = NULL;
         } else if (canon_flag && is_referral(context, ctx->err_reply,
                                              ctx->request->client)) {
             TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm);
@@ -1548,14 +1574,13 @@ init_creds_step_reply(krb5_context context,
                 goto cleanup;
             /* Reset per-realm negotiation state. */
             ctx->restarted = FALSE;
-            ctx->sent_nontrivial_preauth = FALSE;
             ctx->enc_pa_rep_permitted = TRUE;
             code = restart_init_creds_loop(context, ctx, FALSE);
         } else {
-            if (retry) {
+            if (retry && ctx->selected_preauth_type != KRB5_PADATA_NONE) {
                 code = 0;
             } else {
-                /* error + no hints = give up */
+                /* error + no hints (or no preauth mech) = give up */
                 code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
             }
         }
@@ -1573,7 +1598,6 @@ init_creds_step_reply(krb5_context context,
         goto cleanup;
 
     /* process any preauth data in the as_reply */
-    k5_reset_preauth_types_tried(context);
     code = krb5int_fast_process_response(context, ctx->fast_state,
                                          ctx->reply, &strengthen_key);
     if (code != 0)
@@ -1658,7 +1682,7 @@ init_creds_step_reply(krb5_context context,
             k5_prependmsg(context, code, _("Failed to store credentials"));
     }
 
-    k5_preauth_request_context_fini(context);
+    k5_preauth_request_context_fini(context, ctx);
 
     /* success */
     ctx->complete = TRUE;
@@ -1685,7 +1709,7 @@ krb5_init_creds_step(krb5_context context,
                      krb5_data *realm,
                      unsigned int *flags)
 {
-    krb5_error_code code = 0, code2;
+    krb5_error_code code, code2;
 
     *flags = 0;
 
@@ -1698,6 +1722,10 @@ krb5_init_creds_step(krb5_context context,
     if (ctx->complete)
         return EINVAL;
 
+    code = k5_preauth_check_context(context, ctx);
+    if (code)
+        return code;
+
     if (in->length != 0) {
         code = init_creds_step_reply(context, ctx, in);
         if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
@@ -1806,7 +1834,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
                     krb5_creds *creds)
 {
     int i;
-    krb5_int32 starttime;
+    krb5_timestamp starttime;
+    krb5_deltat lifetime;
     krb5_get_init_creds_opt *opt;
     krb5_error_code retval;
 
@@ -1838,7 +1867,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
         if (retval)
             goto cleanup;
         if (creds->times.starttime) starttime = creds->times.starttime;
-        krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
+        lifetime = ts_delta(creds->times.endtime, starttime);
+        krb5_get_init_creds_opt_set_tkt_life(opt, lifetime);
     }
     *out = opt;
     return 0;
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index 3be44d5cd756..ccbe1a65fa5a 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -12,7 +12,7 @@
 #include <TargetConditionals.h>
 #endif
 
-/* Match struct packing of krb5_get_init_creds_opt on MacOS X. */
+/* Match struct packing of krb5_get_init_creds_opt on macOS. */
 #if TARGET_OS_MAC
 #pragma pack(push,2)
 #endif
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 6f3a29f2c423..3565a7c4c77a 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -211,7 +211,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
     if (ret != 0)
         return;
     if (!is_last_req &&
-        (pw_exp < now || (pw_exp - now) > 7 * 24 * 60 * 60))
+        (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
         return;
 
     if (!prompter)
@@ -221,7 +221,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
     if (ret != 0)
         return;
 
-    delta = pw_exp - now;
+    delta = ts_delta(pw_exp, now);
     if (delta < 3600) {
         snprintf(banner, sizeof(banner),
                  _("Warning: Your password will expire in less than one hour "
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
index 38c01c775b6f..fe769685ba09 100644
--- a/src/lib/krb5/krb/init_creds_ctx.h
+++ b/src/lib/krb5/krb/init_creds_ctx.h
@@ -6,6 +6,8 @@
 #include "k5-json.h"
 #include "int-proto.h"
 
+typedef struct krb5_preauth_req_context_st *krb5_preauth_req_context;
+
 struct krb5_responder_context_st {
     k5_response_items *items;
 };
@@ -48,7 +50,9 @@ struct _krb5_init_creds_context {
     krb5_data *inner_request_body; /**< For preauth */
     krb5_data *encoded_previous_request;
     struct krb5int_fast_request_state *fast_state;
-    krb5_pa_data **preauth_to_use;
+    krb5_pa_data **optimistic_padata; /* from gic options */
+    krb5_pa_data **method_padata; /* from PREAUTH_REQUIRED or PREAUTH_FAILED */
+    krb5_pa_data **more_padata; /* from MORE_PREAUTH_DATA_REQUIRED */
     krb5_boolean default_salt;
     krb5_data salt;
     krb5_data s2kparams;
@@ -56,8 +60,6 @@ struct _krb5_init_creds_context {
     krb5_enctype etype;
     krb5_boolean enc_pa_rep_permitted;
     krb5_boolean restarted;
-    krb5_boolean sent_nontrivial_preauth;
-    krb5_boolean preauth_required;
     struct krb5_responder_context_st rctx;
     krb5_preauthtype selected_preauth_type;
     krb5_preauthtype allowed_preauth_type;
@@ -67,6 +69,7 @@ struct _krb5_init_creds_context {
     krb5_timestamp pa_offset;
     krb5_int32 pa_offset_usec;
     enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
+    krb5_preauth_req_context preauth_reqctx;
 };
 
 krb5_error_code
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index cf226fdbabc0..4246c5dd274f 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -139,7 +139,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
     krb5_context ctx = 0;
     krb5_error_code retval;
     struct {
-        krb5_int32 now, now_usec;
+        krb5_timestamp now;
+        krb5_int32 now_usec;
         long pid;
     } seed_data;
     krb5_data seed;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 6da74858e210..cda9010e34a3 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -83,8 +83,6 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
                                  krb5_creds *in_creds, krb5_creds *mcreds,
                                  krb5_flags *fields);
 
-#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
-
 #define IS_TGS_PRINC(p) ((p)->length == 2 &&                            \
                          data_eq_string((p)->data[0], KRB5_TGS_NAME))
 
@@ -101,6 +99,9 @@ krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
                           krb5_pa_data ***enc_padata, krb5_creds **out_cred,
                           krb5_keyblock **out_subkey);
 
+krb5_error_code
+k5_generate_nonce(krb5_context context, int32_t *out);
+
 krb5_error_code
 k5_make_tgs_req(krb5_context context, struct krb5int_fast_request_state *,
                 krb5_creds *tkt, krb5_flags kdcoptions,
@@ -187,7 +188,8 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx,
 
 krb5_error_code
 k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
-                    krb5_pa_data **in_padata, krb5_pa_data ***padata_out);
+                    krb5_preauthtype pa_type, krb5_error *err,
+                    krb5_pa_data **err_padata, krb5_pa_data ***padata_out);
 
 void
 k5_init_preauth_context(krb5_context context);
@@ -196,17 +198,25 @@ void
 k5_free_preauth_context(krb5_context context);
 
 void
-k5_reset_preauth_types_tried(krb5_context context);
+k5_reset_preauth_types_tried(krb5_init_creds_context ctx);
+
+krb5_error_code
+k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type);
 
 void
 k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt,
                            krb5_kdc_req *request);
 
 void
-k5_preauth_request_context_init(krb5_context context);
+k5_preauth_request_context_init(krb5_context context,
+                                krb5_init_creds_context ctx);
 
 void
-k5_preauth_request_context_fini(krb5_context context);
+k5_preauth_request_context_fini(krb5_context context,
+                                krb5_init_creds_context ctx);
+
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);
 
 krb5_error_code
 k5_response_items_new(k5_response_items **ri_out);
diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c
index 542ef6d4aee5..162c05b5cbd9 100644
--- a/src/lib/krb5/krb/mk_req.c
+++ b/src/lib/krb5/krb/mk_req.c
@@ -48,8 +48,9 @@
 
 krb5_error_code KRB5_CALLCONV
 krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
-            krb5_flags ap_req_options, char *service, char *hostname,
-            krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)
+            krb5_flags ap_req_options, const char *service,
+            const char *hostname, krb5_data *in_data, krb5_ccache ccache,
+            krb5_data *outbuf)
 {
     krb5_error_code       retval;
     krb5_principal        server;
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 9098927b5acf..0eb19e6bb464 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -378,7 +378,7 @@ k5_time_to_seconds_since_1970(int64_t ntTime, krb5_timestamp *elapsedSeconds)
 
     abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
 
-    if (abstime > KRB5_INT32_MAX)
+    if (abstime > UINT32_MAX)
         return ERANGE;
 
     *elapsedSeconds = abstime;
@@ -436,8 +436,7 @@ k5_pac_validate_client(krb5_context context,
         pac_princname_length % 2)
         return ERANGE;
 
-    ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
-                                    &pac_princname, NULL);
+    ret = k5_utf16le_to_utf8(p, pac_princname_length, &pac_princname);
     if (ret != 0)
         return ret;
 
@@ -792,8 +791,8 @@ mspac_verify(krb5_context kcontext,
      * If the above verification failed, don't fail the whole authentication,
      * just don't mark the PAC as verified.  A checksum mismatch can occur if
      * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple
-     * Mac OS X Server Open Directory (as of 10.6) generates PACs with no
-     * server checksum at all.
+     * macOS Server Open Directory (as of 10.6) generates PACs with no server
+     * checksum at all.
      */
     return 0;
 }
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
index d40df45f99e8..c94899c96a79 100644
--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
@@ -38,8 +38,8 @@ k5_insert_client_info(krb5_context context,
     krb5_error_code ret;
     krb5_data client_info;
     char *princ_name_utf8 = NULL;
-    unsigned char *princ_name_ucs2 = NULL, *p;
-    size_t princ_name_ucs2_len = 0;
+    unsigned char *princ_name_utf16 = NULL, *p;
+    size_t princ_name_utf16_len = 0;
     uint64_t nt_authtime;
 
     /* If we already have a CLIENT_INFO buffer, then just validate it */
@@ -54,13 +54,12 @@ k5_insert_client_info(krb5_context context,
     if (ret != 0)
         goto cleanup;
 
-    ret = krb5int_utf8s_to_ucs2les(princ_name_utf8,
-                                   &princ_name_ucs2,
-                                   &princ_name_ucs2_len);
+    ret = k5_utf8_to_utf16le(princ_name_utf8, &princ_name_utf16,
+                             &princ_name_utf16_len);
     if (ret != 0)
         goto cleanup;
 
-    client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len;
+    client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_utf16_len;
     client_info.data = NULL;
 
     ret = k5_pac_add_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
@@ -75,16 +74,16 @@ k5_insert_client_info(krb5_context context,
     store_64_le(nt_authtime, p);
     p += 8;
 
-    /* copy in number of UCS-2 characters in principal name */
-    store_16_le(princ_name_ucs2_len, p);
+    /* copy in number of UTF-16 bytes in principal name */
+    store_16_le(princ_name_utf16_len, p);
     p += 2;
 
     /* copy in principal name */
-    memcpy(p, princ_name_ucs2, princ_name_ucs2_len);
+    memcpy(p, princ_name_utf16, princ_name_utf16_len);
 
 cleanup:
-    if (princ_name_ucs2 != NULL)
-        free(princ_name_ucs2);
+    if (princ_name_utf16 != NULL)
+        free(princ_name_utf16);
     krb5_free_unparsed_name(context, princ_name_utf8);
 
     return ret;
diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
index 7d64b7c7eda9..31aaf661d9af 100644
--- a/src/lib/krb5/krb/plugin.c
+++ b/src/lib/krb5/krb/plugin.c
@@ -57,7 +57,10 @@ const char *interface_names[] = {
     "hostrealm",
     "audit",
     "tls",
-    "kdcauthdata"
+    "kdcauthdata",
+    "certauth",
+    "kadm5_auth",
+    "kdcpolicy",
 };
 
 /* Return the context's interface structure for id, or NULL if invalid. */
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index ca26fb0e3fa5..6b96fa135e1a 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -46,14 +46,18 @@
 typedef struct {
     struct krb5_clpreauth_vtable_st vt;
     krb5_clpreauth_moddata data;
-    krb5_clpreauth_modreq req;
 } *clpreauth_handle;
 
 struct krb5_preauth_context_st {
-    krb5_preauthtype *tried;
     clpreauth_handle *handles;
 };
 
+struct krb5_preauth_req_context_st {
+    krb5_context orig_context;
+    krb5_preauthtype *failed;
+    krb5_clpreauth_modreq *modreqs;
+};
+
 /* Release the memory used by a list of handles. */
 static void
 free_handles(krb5_context context, clpreauth_handle *handles)
@@ -71,21 +75,44 @@ free_handles(krb5_context context, clpreauth_handle *handles)
     free(handles);
 }
 
-/* Find the handle in handles which can process pa_type. */
-static clpreauth_handle
-find_module(clpreauth_handle *handles, krb5_preauthtype pa_type)
+/* Return an index into handles which can process pa_type, or -1 if none is
+ * found found. */
+static int
+search_module_list(clpreauth_handle *handles, krb5_preauthtype pa_type)
 {
-    clpreauth_handle *hp, h;
-    krb5_preauthtype *tp;
+    clpreauth_handle h;
+    int i, j;
 
-    for (hp = handles; *hp != NULL; hp++) {
-        h = *hp;
-        for (tp = h->vt.pa_type_list; *tp != 0; tp++) {
-            if (*tp == pa_type)
-                return h;
+    for (i = 0; handles[i] != NULL; i++) {
+        h = handles[i];
+        for (j = 0; h->vt.pa_type_list[j] != 0; j++) {
+            if (h->vt.pa_type_list[j] == pa_type)
+                return i;
         }
     }
-    return FALSE;
+    return -1;
+}
+
+/* Find the handle which can process pa_type, or NULL if none is found.  On
+ * success, set *modreq_out to the corresponding per-request module data. */
+static clpreauth_handle
+find_module(krb5_context context, krb5_init_creds_context ctx,
+            krb5_preauthtype pa_type, krb5_clpreauth_modreq *modreq_out)
+{
+    krb5_preauth_context pctx = context->preauth_context;
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+    int i;
+
+    *modreq_out = NULL;
+    if (pctx == NULL || reqctx == NULL)
+        return NULL;
+
+    i = search_module_list(pctx->handles, pa_type);
+    if (i == -1)
+        return NULL;
+
+    *modreq_out = reqctx->modreqs[i];
+    return pctx->handles[i];
 }
 
 /* Initialize the preauth state for a krb5 context. */
@@ -93,7 +120,8 @@ void
 k5_init_preauth_context(krb5_context context)
 {
     krb5_plugin_initvt_fn *modules = NULL, *mod;
-    clpreauth_handle *list = NULL, h, h2;
+    clpreauth_handle *list = NULL, h;
+    int i;
     size_t count;
     krb5_preauthtype *tp;
 
@@ -140,9 +168,10 @@ k5_init_preauth_context(krb5_context context)
 
         /* Check for a preauth type conflict with an existing module. */
         for (tp = h->vt.pa_type_list; *tp != 0; tp++) {
-            h2 = find_module(list, *tp);
-            if (h2 != NULL) {
-                TRACE_PREAUTH_CONFLICT(context, h->vt.name, h2->vt.name, *tp);
+            i = search_module_list(list, *tp);
+            if (i != -1) {
+                TRACE_PREAUTH_CONFLICT(context, h->vt.name, list[i]->vt.name,
+                                       *tp);
                 break;
             }
         }
@@ -161,10 +190,9 @@ k5_init_preauth_context(krb5_context context)
     list[count] = NULL;
 
     /* Place the constructed preauth context into the krb5 context. */
-    context->preauth_context = malloc(sizeof(struct krb5_preauth_context_st));
+    context->preauth_context = malloc(sizeof(*context->preauth_context));
     if (context->preauth_context == NULL)
         goto cleanup;
-    context->preauth_context->tried = NULL;
     context->preauth_context->handles = list;
     list = NULL;
 
@@ -173,22 +201,35 @@ cleanup:
     free_handles(context, list);
 }
 
-/*
- * Reset the memory of which preauth types we have already tried, because we
- * are entering a new phase of padata processing (such as the padata in an
- * AS-REP).
- */
+/* Reset the memory of which preauth types we have already tried. */
 void
-k5_reset_preauth_types_tried(krb5_context context)
+k5_reset_preauth_types_tried(krb5_init_creds_context ctx)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
 
-    if (pctx == NULL)
+    if (reqctx == NULL)
         return;
-    free(pctx->tried);
-    pctx->tried = NULL;
+    free(reqctx->failed);
+    reqctx->failed = NULL;
 }
 
+/* Add pa_type to the list of types which has previously failed. */
+krb5_error_code
+k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type)
+{
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+    krb5_preauthtype *newptr;
+    size_t i;
+
+    for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++);
+    newptr = realloc(reqctx->failed, (i + 2) * sizeof(*newptr));
+    if (newptr == NULL)
+        return ENOMEM;
+    reqctx->failed = newptr;
+    reqctx->failed[i] = pa_type;
+    reqctx->failed[i + 1] = 0;
+    return 0;
+}
 
 /* Free the per-krb5_context preauth_context. This means clearing any
  * plugin-specific context which may have been created, and then
@@ -196,11 +237,10 @@ k5_reset_preauth_types_tried(krb5_context context)
 void
 k5_free_preauth_context(krb5_context context)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
+    krb5_preauth_context pctx = context->preauth_context;
 
     if (pctx == NULL)
         return;
-    free(pctx->tried);
     free_handles(context, pctx->handles);
     free(pctx);
     context->preauth_context = NULL;
@@ -209,10 +249,13 @@ k5_free_preauth_context(krb5_context context)
 /* Initialize the per-AS-REQ context. This means calling the client_req_init
  * function to give the plugin a chance to allocate a per-request context. */
 void
-k5_preauth_request_context_init(krb5_context context)
+k5_preauth_request_context_init(krb5_context context,
+                                krb5_init_creds_context ctx)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
-    clpreauth_handle *hp, h;
+    krb5_preauth_context pctx = context->preauth_context;
+    clpreauth_handle h;
+    krb5_preauth_req_context reqctx;
+    size_t count, i;
 
     if (pctx == NULL) {
         k5_init_preauth_context(context);
@@ -220,30 +263,63 @@ k5_preauth_request_context_init(krb5_context context)
         if (pctx == NULL)
             return;
     }
-    k5_reset_preauth_types_tried(context);
-    for (hp = pctx->handles; *hp != NULL; hp++) {
-        h = *hp;
+
+    reqctx = calloc(1, sizeof(*reqctx));
+    if (reqctx == NULL)
+        return;
+    reqctx->orig_context = context;
+
+    /* Create an array of per-request module data objects corresponding to the
+     * preauth context's array of handles. */
+    for (count = 0; pctx->handles[count] != NULL; count++);
+    reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs));
+    for (i = 0; i < count; i++) {
+        h = pctx->handles[i];
         if (h->vt.request_init != NULL)
-            h->vt.request_init(context, h->data, &h->req);
+            h->vt.request_init(context, h->data, &reqctx->modreqs[i]);
     }
+    ctx->preauth_reqctx = reqctx;
 }
 
 /* Free the per-AS-REQ context. This means clearing any request-specific
  * context which the plugin may have created. */
 void
-k5_preauth_request_context_fini(krb5_context context)
+k5_preauth_request_context_fini(krb5_context context,
+                                krb5_init_creds_context ctx)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
-    clpreauth_handle *hp, h;
+    krb5_preauth_context pctx = context->preauth_context;
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+    size_t i;
+    clpreauth_handle h;
 
-    if (pctx == NULL)
+    if (reqctx == NULL)
         return;
-    for (hp = pctx->handles; *hp != NULL; hp++) {
-        h = *hp;
-        if (h->req != NULL && h->vt.request_fini != NULL)
-            h->vt.request_fini(context, h->data, h->req);
-        h->req = NULL;
+    if (reqctx->orig_context == context && pctx != NULL) {
+        for (i = 0; pctx->handles[i] != NULL; i++) {
+            h = pctx->handles[i];
+            if (reqctx->modreqs[i] != NULL && h->vt.request_fini != NULL)
+                h->vt.request_fini(context, h->data, reqctx->modreqs[i]);
+        }
+    } else {
+        TRACE_PREAUTH_WRONG_CONTEXT(context);
+    }
+    free(reqctx->modreqs);
+    free(reqctx->failed);
+    free(reqctx);
+    ctx->preauth_reqctx = NULL;
+}
+
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx)
+{
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+
+    if (reqctx != NULL && reqctx->orig_context != context) {
+        k5_setmsg(context, EINVAL,
+                  _("krb5_init_creds calls must use same library context"));
+        return EINVAL;
     }
+    return 0;
 }
 
 /* Return 1 if pa_type is a real preauthentication mechanism according to the
@@ -259,6 +335,7 @@ clpreauth_is_real(krb5_context context, clpreauth_handle h,
 
 static krb5_error_code
 clpreauth_prep_questions(krb5_context context, clpreauth_handle h,
+                         krb5_clpreauth_modreq modreq,
                          krb5_get_init_creds_opt *opt,
                          krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
                          krb5_kdc_req *req, krb5_data *req_body,
@@ -266,35 +343,35 @@ clpreauth_prep_questions(krb5_context context, clpreauth_handle h,
 {
     if (h->vt.prep_questions == NULL)
         return 0;
-    return h->vt.prep_questions(context, h->data, h->req, opt, cb, rock, req,
+    return h->vt.prep_questions(context, h->data, modreq, opt, cb, rock, req,
                                 req_body, prev_req, pa_data);
 }
 
 static krb5_error_code
 clpreauth_process(krb5_context context, clpreauth_handle h,
-                  krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb,
-                  krb5_clpreauth_rock rock, krb5_kdc_req *req,
-                  krb5_data *req_body, krb5_data *prev_req,
+                  krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
+                  krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
+                  krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req,
                   krb5_pa_data *pa_data, krb5_prompter_fct prompter,
                   void *prompter_data, krb5_pa_data ***pa_data_out)
 {
-    return h->vt.process(context, h->data, h->req, opt, cb, rock, req,
+    return h->vt.process(context, h->data, modreq, opt, cb, rock, req,
                          req_body, prev_req, pa_data, prompter, prompter_data,
                          pa_data_out);
 }
 
 static krb5_error_code
 clpreauth_tryagain(krb5_context context, clpreauth_handle h,
-                   krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb,
-                   krb5_clpreauth_rock rock, krb5_kdc_req *req,
-                   krb5_data *req_body, krb5_data *prev_req,
+                   krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
+                   krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
+                   krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req,
                    krb5_preauthtype pa_type, krb5_error *error,
                    krb5_pa_data **error_padata, krb5_prompter_fct prompter,
                    void *prompter_data, krb5_pa_data ***pa_data_out)
 {
     if (h->vt.tryagain == NULL)
         return 0;
-    return h->vt.tryagain(context, h->data, h->req, opt, cb, rock, req,
+    return h->vt.tryagain(context, h->data, modreq, opt, cb, rock, req,
                           req_body, prev_req, pa_type, error, error_padata,
                           prompter, prompter_data, pa_data_out);
 }
@@ -420,7 +497,7 @@ responder_get_answer(krb5_context context, krb5_clpreauth_rock rock,
     krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
 
     /* Don't let plugins get the raw password. */
-    if (question && strcmp(KRB5_RESPONDER_QUESTION_PASSWORD, question) == 0)
+    if (strcmp(KRB5_RESPONDER_QUESTION_PASSWORD, question) == 0)
         return NULL;
     return k5_response_items_get_answer(ctx->rctx.items, question);
 }
@@ -495,7 +572,7 @@ void
 k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt,
                            krb5_kdc_req *req)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
+    krb5_preauth_context pctx = context->preauth_context;
     clpreauth_handle *hp, h;
     krb5_enctype *ep;
 
@@ -548,28 +625,17 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type)
         pa_type == ctx->allowed_preauth_type;
 }
 
-/*
- * If pa_type has already been tried as a real preauth type for this
- * authentication, return true.  Otherwise ass pa_type to the list of tried
- * types and return false.
- */
+/* Return true if pa_type previously failed during this authentication. */
 static krb5_boolean
-already_tried(krb5_context context, krb5_preauthtype pa_type)
+previously_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
-    size_t count;
-    krb5_preauthtype *newptr;
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+    size_t i;
 
-    for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) {
-        if (pctx->tried[count] == pa_type)
+    for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++) {
+        if (reqctx->failed[i] == pa_type)
             return TRUE;
     }
-    newptr = realloc(pctx->tried, (count + 2) * sizeof(*newptr));
-    if (newptr == NULL)
-        return FALSE;
-    pctx->tried = newptr;
-    pctx->tried[count] = pa_type;
-    pctx->tried[count + 1] = ENCTYPE_NULL;
     return FALSE;
 }
 
@@ -580,16 +646,13 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
                 krb5_pa_data ***out_pa_list, int *out_pa_list_size,
                 krb5_preauthtype *out_type)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
     struct errinfo save = EMPTY_ERRINFO;
     krb5_pa_data *pa, **pa_ptr, **mod_pa;
     krb5_error_code ret = 0;
+    krb5_clpreauth_modreq modreq;
     clpreauth_handle h;
     int real, i;
 
-    if (pctx == NULL)
-        return ENOENT;
-
     /* Process all informational padata types, then the first real preauth type
      * we succeed on. */
     for (real = 0; real <= 1; real++) {
@@ -598,17 +661,17 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
             /* Restrict real mechanisms to the chosen one if we have one. */
             if (real && !pa_type_allowed(ctx, pa->pa_type))
                 continue;
-            h = find_module(pctx->handles, pa->pa_type);
+            h = find_module(context, ctx, pa->pa_type, &modreq);
             if (h == NULL)
                 continue;
             /* Make sure this type is for the current pass. */
             if (clpreauth_is_real(context, h, pa->pa_type) != real)
                 continue;
-            /* Only try a real mechanism once per authentication. */
-            if (real && already_tried(context, pa->pa_type))
+            /* Don't try a real mechanism again after failure. */
+            if (real && previously_failed(ctx, pa->pa_type))
                 continue;
             mod_pa = NULL;
-            ret = clpreauth_process(context, h, ctx->opt, &callbacks,
+            ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks,
                                     (krb5_clpreauth_rock)ctx, ctx->request,
                                     ctx->inner_request_body,
                                     ctx->encoded_previous_request, pa,
@@ -625,6 +688,9 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
                 }
                 free(mod_pa);
             }
+            /* Don't continue to try mechanisms after a keyboard interrupt. */
+            if (ret == KRB5_LIBOS_PWDINTR)
+                goto cleanup;
             if (ret == 0 && real) {
                 /* Stop now and record which real padata type we answered. */
                 *out_type = pa->pa_type;
@@ -633,6 +699,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
                 /* Save the first error we get from a real preauth type. */
                 k5_save_ctx_error(context, ret, &save);
             }
+            if (real && ret) {
+                /* Don't try this mechanism again for this authentication. */
+                ret = k5_preauth_note_failed(ctx, pa->pa_type);
+                if (ret)
+                    goto cleanup;
+            }
         }
     }
 
@@ -850,45 +922,54 @@ add_s4u_x509_user_padata(krb5_context context, krb5_s4u_userid *userid,
 }
 
 /*
- * If one of the modules can adjust its AS_REQ data using the contents of the
- * err_reply, return 0.  If it's the sort of correction which requires that we
- * ask the user another question, we let the calling application deal with it.
+ * If the module for pa_type can adjust its AS_REQ data using the contents of
+ * err and err_padata, return 0 with *padata_out set to a padata list for the
+ * next request.  If it's the sort of correction which requires that we ask the
+ * user another question, we let the calling application deal with it.
  */
 krb5_error_code
 k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
-                    krb5_pa_data **in_padata, krb5_pa_data ***padata_out)
+                    krb5_preauthtype pa_type, krb5_error *err,
+                    krb5_pa_data **err_padata, krb5_pa_data ***padata_out)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
     krb5_error_code ret;
     krb5_pa_data **mod_pa;
+    krb5_clpreauth_modreq modreq;
     clpreauth_handle h;
-    int i;
+    int count;
 
     *padata_out = NULL;
-    if (pctx == NULL)
-        return KRB5KRB_ERR_GENERIC;
 
-    TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata);
+    TRACE_PREAUTH_TRYAGAIN_INPUT(context, pa_type, err_padata);
 
-    for (i = 0; in_padata[i] != NULL; i++) {
-        h = find_module(pctx->handles, in_padata[i]->pa_type);
-        if (h == NULL)
-            continue;
-        mod_pa = NULL;
-        ret = clpreauth_tryagain(context, h, ctx->opt, &callbacks,
-                                 (krb5_clpreauth_rock)ctx, ctx->request,
-                                 ctx->inner_request_body,
-                                 ctx->encoded_previous_request,
-                                 in_padata[i]->pa_type,
-                                 ctx->err_reply, ctx->err_padata,
-                                 ctx->prompter, ctx->prompter_data, &mod_pa);
-        if (ret == 0 && mod_pa != NULL) {
-            TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa);
-            *padata_out = mod_pa;
-            return 0;
-        }
+    h = find_module(context, ctx, pa_type, &modreq);
+    if (h == NULL)
+        return KRB5KRB_ERR_GENERIC;
+    mod_pa = NULL;
+    ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks,
+                             (krb5_clpreauth_rock)ctx, ctx->request,
+                             ctx->inner_request_body,
+                             ctx->encoded_previous_request, pa_type, err,
+                             err_padata, ctx->prompter, ctx->prompter_data,
+                             &mod_pa);
+    TRACE_PREAUTH_TRYAGAIN(context, h->vt.name, pa_type, ret);
+    if (!ret && mod_pa == NULL)
+        ret = KRB5KRB_ERR_GENERIC;
+    if (ret) {
+        k5_preauth_note_failed(ctx, pa_type);
+        return ret;
     }
-    return KRB5KRB_ERR_GENERIC;
+
+    for (count = 0; mod_pa[count] != NULL; count++);
+    ret = copy_cookie(context, err_padata, &mod_pa, &count);
+    if (ret) {
+        krb5_free_pa_data(context, mod_pa);
+        return ret;
+    }
+
+    TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa);
+    *padata_out = mod_pa;
+    return 0;
 }
 
 /* Compile the set of response items for in_padata by invoke each module's
@@ -897,9 +978,9 @@ static krb5_error_code
 fill_response_items(krb5_context context, krb5_init_creds_context ctx,
                     krb5_pa_data **in_padata)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
     krb5_error_code ret;
     krb5_pa_data *pa;
+    krb5_clpreauth_modreq modreq;
     clpreauth_handle h;
     int i;
 
@@ -908,11 +989,11 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx,
         pa = in_padata[i];
         if (!pa_type_allowed(ctx, pa->pa_type))
             continue;
-        h = find_module(pctx->handles, pa->pa_type);
+        h = find_module(context, ctx, pa->pa_type, &modreq);
         if (h == NULL)
             continue;
-        ret = clpreauth_prep_questions(context, h, ctx->opt, &callbacks,
-                                       (krb5_clpreauth_rock)ctx,
+        ret = clpreauth_prep_questions(context, h, modreq, ctx->opt,
+                                       &callbacks, (krb5_clpreauth_rock)ctx,
                                        ctx->request, ctx->inner_request_body,
                                        ctx->encoded_previous_request, pa);
         if (ret)
@@ -1004,7 +1085,7 @@ krb5_preauth_supply_preauth_data(krb5_context context,
                                  krb5_get_init_creds_opt *opt,
                                  const char *attr, const char *value)
 {
-    struct krb5_preauth_context_st *pctx = context->preauth_context;
+    krb5_preauth_context pctx = context->preauth_context;
     clpreauth_handle *hp, h;
     krb5_error_code ret;
 
diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c
index b1978336a063..c1aa9090fb6c 100644
--- a/src/lib/krb5/krb/preauth_ec.c
+++ b/src/lib/krb5/krb/preauth_ec.c
@@ -58,6 +58,8 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata,
     krb5_keyblock *challenge_key = NULL, *armor_key, *as_key;
 
     armor_key = cb->fast_armor(context, rock);
+    if (armor_key == NULL)
+        return ENOENT;
     retval = cb->get_as_key(context, rock, &as_key);
     if (retval == 0 && padata->length) {
         krb5_enc_data *enc = NULL;
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index f6fdf68d4725..e43a5cc5b135 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -28,6 +28,25 @@
 #include "int-proto.h"
 #include "fast.h"
 
+/* Choose a random nonce for an AS or TGS request. */
+krb5_error_code
+k5_generate_nonce(krb5_context context, int32_t *out)
+{
+    krb5_error_code ret;
+    unsigned char random_buf[4];
+    krb5_data random_data = make_data(random_buf, 4);
+
+    *out = 0;
+
+    /* We and Heimdal incorrectly encode nonces as signed, so make sure we use
+     * a non-negative value to avoid interoperability issues. */
+    ret = krb5_c_random_make_octets(context, &random_data);
+    if (ret)
+        return ret;
+    *out = 0x7FFFFFFF & load_32_n(random_buf);
+    return 0;
+}
+
 /* Construct an AP-REQ message for a TGS request. */
 static krb5_error_code
 tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
@@ -156,10 +175,13 @@ k5_make_tgs_req(krb5_context context,
     req.till = desired->times.endtime ? desired->times.endtime :
         tgt->times.endtime;
     req.rtime = desired->times.renew_till;
+    ret = k5_generate_nonce(context, &req.nonce);
+    if (ret)
+        return ret;
+    *nonce_out = req.nonce;
     ret = krb5_timeofday(context, &time_now);
     if (ret)
         return ret;
-    *nonce_out = req.nonce = (krb5_int32)time_now;
     *timestamp_out = time_now;
 
     req.addresses = (krb5_address **)addrs;
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index f7e6777411aa..149e25dd7362 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -131,22 +131,21 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
            This isn't strong cryptographically; the point here is
            not to guarantee randomness, but to make it less likely
            that multiple sessions could pick the same subkey.  */
-        char rnd_data[1024];
+        struct sockaddr_storage rnd_data;
         GETPEERNAME_ARG3_TYPE len2;
-        krb5_data d;
-        d.length = sizeof (rnd_data);
-        d.data = rnd_data;
-        len2 = sizeof (rnd_data);
-        if (getpeername (*(int*)fd, (GETPEERNAME_ARG2_TYPE *) rnd_data,
-                         &len2) == 0) {
+        krb5_data d = make_data(&rnd_data, sizeof(rnd_data));
+
+        len2 = sizeof(rnd_data);
+        if (getpeername(*(int *)fd, ss2sa(&rnd_data), &len2) == 0) {
             d.length = len2;
-            (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d);
+            (void)krb5_c_random_add_entropy(
+                context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d);
         }
-        len2 = sizeof (rnd_data);
-        if (getsockname (*(int*)fd, (GETSOCKNAME_ARG2_TYPE *) rnd_data,
-                         &len2) == 0) {
+        len2 = sizeof(rnd_data);
+        if (getsockname(*(int *)fd, ss2sa(&rnd_data), &len2) == 0) {
             d.length = len2;
-            (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d);
+            (void)krb5_c_random_add_entropy(
+                context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d);
         }
     }
 
diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
index 3ab7eacac1c0..f0a2ae20bab5 100644
--- a/src/lib/krb5/krb/str_conv.c
+++ b/src/lib/krb5/krb/str_conv.c
@@ -207,7 +207,7 @@ krb5_error_code KRB5_CALLCONV
 krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
 {
     size_t ret;
-    time_t timestamp2 = timestamp;
+    time_t timestamp2 = ts2tt(timestamp);
     struct tm tmbuf;
     const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
                                the year returned might be two digits */
@@ -229,7 +229,7 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
     struct tm   *tmp;
     size_t i;
     size_t      ndone;
-    time_t timestamp2 = timestamp;
+    time_t timestamp2 = ts2tt(timestamp);
     struct tm tmbuf;
 
     static const char * const sftime_format_table[] = {
diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
index e021379ab1cf..aed39e3995ab 100755
--- a/src/lib/krb5/krb/t_expire_warn.py
+++ b/src/lib/krb5/krb/t_expire_warn.py
@@ -39,15 +39,10 @@ realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
 output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0'])
 if output:
     fail('Unexpected output for noexpire')
-output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0'])
-if ' less than one hour on ' not in output:
-    fail('Expected warning not seen for minutes')
-output = realm.run(['./t_expire_warn', 'hours', 'pass', '0'])
-if ' hours on ' not in output:
-    fail('Expected warning not seen for hours')
-output = realm.run(['./t_expire_warn', 'days', 'pass', '0'])
-if ' days on ' not in output:
-    fail('Expected warning not seen for days')
+realm.run(['./t_expire_warn', 'minutes', 'pass', '0'],
+          expected_msg=' less than one hour on ')
+realm.run(['./t_expire_warn', 'hours', 'pass', '0'], expected_msg=' hours on ')
+realm.run(['./t_expire_warn', 'days', 'pass', '0'], expected_msg=' days on ')
 
 # Check for expected expire callback behavior.  These tests are
 # carefully agnostic about whether the KDC supports last_req fields,
diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
index 60cfb5b15115..74ac14d9ab64 100644
--- a/src/lib/krb5/krb/t_kerb.c
+++ b/src/lib/krb5/krb/t_kerb.c
@@ -5,16 +5,8 @@
  */
 
 #include "autoconf.h"
-#include "krb5.h"
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
+#include "k5-int.h"
 #include <time.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
 
 #include "com_err.h"
 
@@ -37,7 +29,7 @@ test_string_to_timestamp(krb5_context ctx, char *ktime)
         com_err("krb5_string_to_timestamp", retval, 0);
         return;
     }
-    t = (time_t) timestamp;
+    t = ts2tt(timestamp);
     printf("Parsed time was %s", ctime(&t));
 }
 
diff --git a/src/lib/krb5/krb/t_parse_host_string.c b/src/lib/krb5/krb/t_parse_host_string.c
index 76dd20f817b0..001b77389555 100644
--- a/src/lib/krb5/krb/t_parse_host_string.c
+++ b/src/lib/krb5/krb/t_parse_host_string.c
@@ -31,10 +31,7 @@
  */
 
 #include "k5-int.h"
-#include <stdarg.h>
-#include <stddef.h>
-#include <setjmp.h>
-#include <cmocka.h>
+#include "k5-cmocka.h"
 #include <malloc.h>
 
 /* Call k5_parse_host_string() and check the result against the expected code,
diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c
new file mode 100644
index 000000000000..1b469ffc252f
--- /dev/null
+++ b/src/lib/krb5/krb/t_valid_times.c
@@ -0,0 +1,109 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "int-proto.h"
+
+#define BOUNDARY (uint32_t)INT32_MIN
+
+int
+main()
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ticket_times times = { 0, 0, 0, 0 };
+
+    ret = krb5_init_context(&context);
+    assert(!ret);
+
+    /* Current time is within authtime and end time. */
+    ret = krb5_set_debugging_time(context, 1000, 0);
+    times.authtime = 500;
+    times.endtime = 1500;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is before starttime, but within clock skew. */
+    times.starttime = 1100;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is before starttime by more than clock skew. */
+    times.starttime = 1400;
+    ret = krb5int_validate_times(context, &times);
+    assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
+
+    /* Current time is after end time, but within clock skew. */
+    times.starttime = 500;
+    times.endtime = 800;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is after end time by more than clock skew. */
+    times.endtime = 600;
+    ret = krb5int_validate_times(context, &times);
+    assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
+
+    /* Current time is within starttime and endtime; current time and
+     * endtime are across y2038 boundary. */
+    ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0);
+    assert(!ret);
+    times.starttime = BOUNDARY - 200;
+    times.endtime = BOUNDARY + 500;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is before starttime, but by less than clock skew. */
+    times.starttime = BOUNDARY + 100;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is before starttime by more than clock skew. */
+    times.starttime = BOUNDARY + 250;
+    ret = krb5int_validate_times(context, &times);
+    assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
+
+    /* Current time is after endtime, but by less than clock skew. */
+    ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0);
+    assert(!ret);
+    times.starttime = BOUNDARY - 1000;
+    times.endtime = BOUNDARY - 100;
+    ret = krb5int_validate_times(context, &times);
+    assert(!ret);
+
+    /* Current time is after endtime by more than clock skew. */
+    times.endtime = BOUNDARY - 300;
+    ret = krb5int_validate_times(context, &times);
+    assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
+
+    return 0;
+}
diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
index d63122183eff..294761a882c5 100644
--- a/src/lib/krb5/krb/valid_times.c
+++ b/src/lib/krb5/krb/valid_times.c
@@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times)
     else
         starttime = times->authtime;
 
-    if (starttime - currenttime > context->clockskew)
+    if (ts_after(starttime, ts_incr(currenttime, context->clockskew)))
         return KRB5KRB_AP_ERR_TKT_NYV;  /* ticket not yet valid */
 
-    if ((currenttime - times->endtime) > context->clockskew)
+    if (ts_after(currenttime, ts_incr(times->endtime, context->clockskew)))
         return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
 
     return 0;
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 9786d63b5cb1..b4878ba3852e 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -120,7 +120,7 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         ret = krb5_timeofday(context, &in_creds.times.endtime);
         if (ret)
             goto cleanup;
-        in_creds.times.endtime += 5*60;
+        in_creds.times.endtime = ts_incr(in_creds.times.endtime, 5 * 60);
         ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
         if (ret)
             goto cleanup;
diff --git a/src/lib/krb5/krb/x-deltat.y b/src/lib/krb5/krb/x-deltat.y
index f9cc2bb46959..da11b88077aa 100644
--- a/src/lib/krb5/krb/x-deltat.y
+++ b/src/lib/krb5/krb/x-deltat.y
@@ -44,7 +44,6 @@
 #ifdef __GNUC__
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wuninitialized"
-#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
 #endif
 
 #include "k5-int.h"
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index efa82e22f35e..5d2fcb5be8fa 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -225,7 +225,7 @@ check-unix-locate: t_locate_kdc
 		$(RUN_TEST) ./t_locate_kdc $(LOCREALM); \
 	    else \
 		echo '*** WARNING: skipped t_locate_kdc test: known DNS name not found'; \
-		echo 'Skipped t_locate_kdc test: known DNS name found' >> $(SKIPTESTS); \
+		echo 'Skipped t_locate_kdc test: known DNS name not found' >> $(SKIPTESTS); \
 	    fi; \
 	else \
 		echo '*** WARNING: skipped t_locate_kdc test: OFFLINE'; \
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index df63b14faa56..11552ef42c08 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -30,11 +30,14 @@
 
 /* If this trick gets used elsewhere, move it to k5-platform.h.  */
 #ifndef DESIGNATED_INITIALIZERS
-#define DESIGNATED_INITIALIZERS                         \
-    /* ANSI/ISO C 1999 supports this...  */             \
-    (__STDC_VERSION__ >= 199901L                        \
-     /* ...as does GCC, since version 2.something.  */  \
-     || (!defined __cplusplus && __GNUC__ >= 3))
+/* ANSI/ISO C 1999 supports this...  */
+#if __STDC_VERSION__ >= 199901L                       \
+    /* ...as does GCC, since version 2.something.  */ \
+    || (!defined __cplusplus && __GNUC__ >= 3)
+#define DESIGNATED_INITIALIZERS 1
+#else
+#define DESIGNATED_INITIALIZERS 0
+#endif
 #endif
 
 krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index 871d72183007..f69f2ea4c332 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -29,7 +29,10 @@
 
 k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
 
-struct time_now { krb5_int32 sec, usec; };
+struct time_now {
+    krb5_timestamp sec;
+    krb5_int32 usec;
+};
 
 #if defined(_WIN32)
 
@@ -73,7 +76,7 @@ get_time_now(struct time_now *n)
 static struct time_now last_time;
 
 krb5_error_code
-krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
+krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
 {
     struct time_now now;
     krb5_error_code err;
@@ -102,17 +105,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
        putting now.sec in the past.  But don't just use '<' because we
        need to properly handle the case where the administrator intentionally
        adjusted time backwards. */
-    if ((now.sec == last_time.sec-1) ||
-        ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) {
+    if (now.sec == ts_incr(last_time.sec, -1) ||
+        (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
         /* Correct 'now' to be exactly one microsecond later than 'last_time'.
            Note that _because_ we perform this hack, 'now' may be _earlier_
            than 'last_time', even though the system time is monotonically
            increasing. */
 
         now.sec = last_time.sec;
-        now.usec = ++last_time.usec;
+        now.usec = ts_incr(last_time.usec, 1);
         if (now.usec >= 1000000) {
-            ++now.sec;
+            now.sec = ts_incr(now.sec, 1);
             now.usec = 0;
         }
     }
diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
index 1a259b399eba..e29066d74bc5 100644
--- a/src/lib/krb5/os/dnsglue.c
+++ b/src/lib/krb5/os/dnsglue.c
@@ -73,7 +73,7 @@ static int initparse(struct krb5int_dns_state *);
 
 #if defined(__APPLE__)
 
-/* Use the OS X interfaces dns_open, dns_search, and dns_free. */
+/* Use the macOS interfaces dns_open, dns_search, and dns_free. */
 #define DECLARE_HANDLE(h) dns_handle_t h
 #define INIT_HANDLE(h) ((h = dns_open(NULL)) != NULL)
 #define SEARCH(h, n, c, t, a, l) dns_search(h, n, c, t, a, l, NULL, NULL)
diff --git a/src/lib/krb5/os/dnsglue.h b/src/lib/krb5/os/dnsglue.h
index 27147a6cab51..e7844049db72 100644
--- a/src/lib/krb5/os/dnsglue.h
+++ b/src/lib/krb5/os/dnsglue.h
@@ -33,9 +33,9 @@
  * BIND 4 doesn't have the ns_initparse() API, so we need to do some
  * manual parsing via the HEADER struct.  BIND 8 does have
  * ns_initparse(), but has enums for the various protocol constants
- * rather than the BIND 4 macros.  BIND 9 (at least on Mac OS X
- * Panther) appears to disable res_nsearch() if BIND_8_COMPAT is
- * defined (which is necessary to obtain the HEADER struct).
+ * rather than the BIND 4 macros.  BIND 9 (at least on macOS 10.3)
+ * appears to disable res_nsearch() if BIND_8_COMPAT is defined
+ * (which is necessary to obtain the HEADER struct).
  *
  * We use ns_initparse() if available at all, and never define
  * BIND_8_COMPAT.  If there is no ns_initparse(), we do manual parsing
@@ -167,15 +167,16 @@ struct srv_dns_entry {
     char *host;
 };
 
-krb5_error_code krb5int_make_srv_query_realm(const krb5_data *realm,
-                                             const char *service,
-                                             const char *protocol,
-                                             struct srv_dns_entry **answers);
+krb5_error_code
+krb5int_make_srv_query_realm(krb5_context context, const krb5_data *realm,
+                             const char *service, const char *protocol,
+                             struct srv_dns_entry **answers);
+
 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
 
 krb5_error_code
-k5_make_uri_query(const krb5_data *realm, const char *service,
-                  struct srv_dns_entry **answers);
+k5_make_uri_query(krb5_context context, const krb5_data *realm,
+                  const char *service, struct srv_dns_entry **answers);
 
 #endif /* KRB5_DNS_LOOKUP */
 #endif /* !defined(KRB5_DNSGLUE_H) */
diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
index 76f5b63a1774..d66a8f99a0af 100644
--- a/src/lib/krb5/os/dnssrv.c
+++ b/src/lib/krb5/os/dnssrv.c
@@ -104,8 +104,8 @@ place_srv_entry(struct srv_dns_entry **head, struct srv_dns_entry *new)
 
 /* Query the URI RR, collecting weight, priority, and target. */
 krb5_error_code
-k5_make_uri_query(const krb5_data *realm, const char *service,
-                  struct srv_dns_entry **answers)
+k5_make_uri_query(krb5_context context, const krb5_data *realm,
+                  const char *service, struct srv_dns_entry **answers)
 {
     const unsigned char *p = NULL, *base = NULL;
     char host[MAXDNAME];
@@ -121,6 +121,8 @@ k5_make_uri_query(const krb5_data *realm, const char *service,
     if (ret)
         return 0;
 
+    TRACE_DNS_URI_SEND(context, host);
+
     size = krb5int_dns_init(&ds, host, C_IN, T_URI);
     if (size < 0)
         goto out;
@@ -148,6 +150,7 @@ k5_make_uri_query(const krb5_data *realm, const char *service,
             goto out;
         }
 
+        TRACE_DNS_URI_ANS(context, uri->host, uri->priority, uri->weight);
         place_srv_entry(&head, uri);
     }
 
@@ -165,9 +168,8 @@ out:
  */
 
 krb5_error_code
-krb5int_make_srv_query_realm(const krb5_data *realm,
-                             const char *service,
-                             const char *protocol,
+krb5int_make_srv_query_realm(krb5_context context, const krb5_data *realm,
+                             const char *service, const char *protocol,
                              struct srv_dns_entry **answers)
 {
     const unsigned char *p = NULL, *base = NULL;
@@ -192,9 +194,7 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
     if (ret)
         return 0;
 
-#ifdef TEST
-    fprintf(stderr, "sending DNS SRV query for %s\n", host);
-#endif
+    TRACE_DNS_SRV_SEND(context, host);
 
     size = krb5int_dns_init(&ds, host, C_IN, T_SRV);
     if (size < 0)
@@ -239,6 +239,8 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
             goto out;
         }
 
+        TRACE_DNS_SRV_ANS(context, srv->host, srv->port, srv->priority,
+                          srv->weight);
         place_srv_entry(&head, srv);
     }
 
diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c
index a8a14f4bb28b..61fb234594e6 100644
--- a/src/lib/krb5/os/expand_path.c
+++ b/src/lib/krb5/os/expand_path.c
@@ -351,7 +351,7 @@ expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret)
     return 0;
 }
 
-static const struct token {
+static const struct {
     const char *tok;
     PTYPE param;
     const char *postfix;
diff --git a/src/lib/krb5/os/genaddrs.c b/src/lib/krb5/os/genaddrs.c
index 5ef7af5a339f..c818fdb6d79d 100644
--- a/src/lib/krb5/os/genaddrs.c
+++ b/src/lib/krb5/os/genaddrs.c
@@ -79,8 +79,8 @@ krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int
     ssize = sizeof(struct sockaddr_storage);
     if ((flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) ||
         (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR)) {
-        if ((retval = getsockname(fd, (GETSOCKNAME_ARG2_TYPE *) &lsaddr,
-                                  &ssize)))
+        retval = getsockname(fd, ss2sa(&lsaddr), &ssize);
+        if (retval)
             return retval;
 
         if (cvtaddr (&lsaddr, &laddrs)) {
@@ -99,8 +99,8 @@ krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int
     ssize = sizeof(struct sockaddr_storage);
     if ((flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) ||
         (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR)) {
-        if ((retval = getpeername(fd, (GETPEERNAME_ARG2_TYPE *) &rsaddr,
-                                  &ssize)))
+        retval = getpeername(fd, ss2sa(&rsaddr), &ssize);
+        if (retval)
             return errno;
 
         if (cvtaddr (&rsaddr, &raddrs)) {
diff --git a/src/lib/krb5/os/hostaddr.c b/src/lib/krb5/os/hostaddr.c
index 22f6ad6d48b9..d7a4a763012d 100644
--- a/src/lib/krb5/os/hostaddr.c
+++ b/src/lib/krb5/os/hostaddr.c
@@ -83,12 +83,12 @@ k5_os_hostaddr(krb5_context context, const char *name,
         switch (aip->ai_addr->sa_family) {
         case AF_INET:
             addrlen = sizeof (struct in_addr);
-            ptr = &((struct sockaddr_in *)aip->ai_addr)->sin_addr;
+            ptr = &sa2sin(aip->ai_addr)->sin_addr;
             atype = ADDRTYPE_INET;
             break;
         case AF_INET6:
             addrlen = sizeof (struct in6_addr);
-            ptr = &((struct sockaddr_in6 *)aip->ai_addr)->sin6_addr;
+            ptr = &sa2sin6(aip->ai_addr)->sin6_addr;
             atype = ADDRTYPE_INET6;
             break;
         default:
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 9f7765254467..58443f6e354a 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -181,11 +181,11 @@ is_loopback_address(struct sockaddr *sa)
 {
     switch (sa->sa_family) {
     case AF_INET: {
-        struct sockaddr_in *s4 = (struct sockaddr_in *)sa;
+        struct sockaddr_in *s4 = sa2sin(sa);
         return s4->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
     }
     case AF_INET6: {
-        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)sa;
+        struct sockaddr_in6 *s6 = sa2sin6(sa);
         return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr);
     }
     default:
@@ -239,16 +239,17 @@ printifaddr(struct ifaddrs *ifp)
 #include <stdlib.h>
 
 static int
-addr_eq (const struct sockaddr *s1, const struct sockaddr *s2)
+addr_eq (struct sockaddr *s1, struct sockaddr *s2)
 {
     if (s1->sa_family != s2->sa_family)
         return 0;
-#define CMPTYPE(T,F) (!memcmp(&((const T*)s1)->F,&((const T*)s2)->F,sizeof(((const T*)s1)->F)))
     switch (s1->sa_family) {
     case AF_INET:
-        return CMPTYPE (struct sockaddr_in, sin_addr);
+        return !memcmp(&sa2sin(s1)->sin_addr, &sa2sin(s2)->sin_addr,
+                       sizeof(sa2sin(s1)->sin_addr));
     case AF_INET6:
-        return CMPTYPE (struct sockaddr_in6, sin6_addr);
+        return !memcmp(&sa2sin6(s1)->sin6_addr, &sa2sin6(s2)->sin6_addr,
+                       sizeof(sa2sin6(s1)->sin6_addr));
     default:
         /* Err on side of duplicate listings.  */
         return 0;
@@ -861,6 +862,9 @@ get_ifreq_array(char **bufp, size_t *np, int s)
     int numifs = -1;
 #endif
 
+    *bufp = NULL;
+    *np = 0;
+
     /* At least on NetBSD, an ifreq can hold an IPv4 address, but
        isn't big enough for an IPv6 or ethernet address.  So add a
        little more space.  */
@@ -937,9 +941,9 @@ foreach_localaddr (/*@null@*/ void *data,
 #endif
 {
     struct ifreq *ifr, ifreq, *ifr2;
-    int s, code;
+    int s;
     char *buf = 0;
-    size_t size, n, i, j;
+    size_t n, i, j;
     int retval = 0;
 #ifdef LINUX_IPV6_HACK
     struct linux_ipv6_addr_list *linux_ipv6_addrs = get_linux_ipv6_addrs ();
@@ -1183,14 +1187,14 @@ add_addr (void *P_data, struct sockaddr *a)
 #ifdef HAVE_NETINET_IN_H
     case AF_INET:
         address = make_addr (ADDRTYPE_INET, sizeof (struct in_addr),
-                             &((const struct sockaddr_in *) a)->sin_addr);
+                             &sa2sin(a)->sin_addr);
         if (address == NULL)
             data->mem_err++;
         break;
 
     case AF_INET6:
     {
-        const struct sockaddr_in6 *in = (const struct sockaddr_in6 *) a;
+        const struct sockaddr_in6 *in = sa2sin6(a);
 
         if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr))
             break;
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 014ec6ecb902..b9edecc7a910 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -313,14 +313,16 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
 
 #ifdef KRB5_DNS_LOOKUP
 static krb5_error_code
-locate_srv_dns_1(const krb5_data *realm, const char *service,
-                 const char *protocol, struct serverlist *serverlist)
+locate_srv_dns_1(krb5_context context, const krb5_data *realm,
+                 const char *service, const char *protocol,
+                 struct serverlist *serverlist)
 {
     struct srv_dns_entry *head = NULL, *entry = NULL;
     krb5_error_code code = 0;
     k5_transport transport;
 
-    code = krb5int_make_srv_query_realm(realm, service, protocol, &head);
+    code = krb5int_make_srv_query_realm(context, realm, service, protocol,
+                                        &head);
     if (code)
         return 0;
 
@@ -598,9 +600,10 @@ parse_uri_fields(const char *uri, k5_transport *transport_out,
  * and transport type.  Problematic entries are skipped.
  */
 static krb5_error_code
-locate_uri(const krb5_data *realm, const char *req_service,
-           struct serverlist *serverlist, k5_transport req_transport,
-           int default_port, krb5_boolean master_only)
+locate_uri(krb5_context context, const krb5_data *realm,
+           const char *req_service, struct serverlist *serverlist,
+           k5_transport req_transport, int default_port,
+           krb5_boolean master_only)
 {
     krb5_error_code ret;
     k5_transport transport, host_trans;
@@ -609,7 +612,7 @@ locate_uri(const krb5_data *realm, const char *req_service,
     const char *host_field, *path;
     int port, def_port, master;
 
-    ret = k5_make_uri_query(realm, req_service, &answers);
+    ret = k5_make_uri_query(context, realm, req_service, &answers);
     if (ret || answers == NULL)
         return ret;
 
@@ -688,10 +691,11 @@ dns_locate_server_uri(krb5_context context, const krb5_data *realm,
         return 0;
     }
 
-    ret = locate_uri(realm, svcname, serverlist, transport, def_port,
+    ret = locate_uri(context, realm, svcname, serverlist, transport, def_port,
                      find_master);
-    if (ret)
-        Tprintf("dns URI lookup returned error %d\n", ret);
+
+    if (serverlist->nservers == 0)
+        TRACE_DNS_URI_NOTFOUND(context);
 
     return ret;
 }
@@ -729,16 +733,15 @@ dns_locate_server_srv(krb5_context context, const krb5_data *realm,
     }
 
     code = 0;
-    if (transport == UDP || transport == TCP_OR_UDP) {
-        code = locate_srv_dns_1(realm, dnsname, "_udp", serverlist);
-        if (code)
-            Tprintf("dns udp lookup returned error %d\n", code);
-    }
-    if ((transport == TCP || transport == TCP_OR_UDP) && code == 0) {
-        code = locate_srv_dns_1(realm, dnsname, "_tcp", serverlist);
-        if (code)
-            Tprintf("dns tcp lookup returned error %d\n", code);
-    }
+    if (transport == UDP || transport == TCP_OR_UDP)
+        code = locate_srv_dns_1(context, realm, dnsname, "_udp", serverlist);
+
+    if ((transport == TCP || transport == TCP_OR_UDP) && code == 0)
+        code = locate_srv_dns_1(context, realm, dnsname, "_tcp", serverlist);
+
+    if (serverlist->nservers == 0)
+        TRACE_DNS_SRV_NOTFOUND(context);
+
     return code;
 }
 #endif /* KRB5_DNS_LOOKUP */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index fffe0262f6bb..e8bc0ad6e2f5 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -253,7 +253,7 @@ cm_get_ssflags(struct select_state *selstate, int fd)
     struct pollfd *pfd = find_pollfd(selstate, fd);
 
     /*
-     * OS X sets POLLHUP without POLLOUT on connection error.  Catch this as
+     * macOS sets POLLHUP without POLLOUT on connection error.  Catch this as
      * well as other error events such as POLLNVAL, but only if POLLIN and
      * POLLOUT aren't set, as we can get POLLHUP along with POLLIN with TCP
      * data still to be read.
@@ -1372,8 +1372,7 @@ get_endtime(time_ms endtime, struct conn_state *conns)
     struct conn_state *state;
 
     for (state = conns; state != NULL; state = state->next) {
-        if (state->addr.transport == TCP &&
-            (state->state == READING || state->state == WRITING) &&
+        if ((state->state == READING || state->state == WRITING) &&
             state->endtime > endtime)
             endtime = state->endtime;
     }
diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c
index 6414b8e92d79..7a53c842a80e 100644
--- a/src/lib/krb5/os/t_locate_kdc.c
+++ b/src/lib/krb5/os/t_locate_kdc.c
@@ -127,7 +127,7 @@ main (int argc, char *argv[])
         break;
 
     case LOOKUP_DNS:
-        err = locate_srv_dns_1(&realm, "_kerberos", "_udp", &sl);
+        err = locate_srv_dns_1(ctx, &realm, "_kerberos", "_udp", &sl);
         break;
 
     case LOOKUP_WHATEVER:
diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
index fddb1214296f..d4e36b1c7572 100644
--- a/src/lib/krb5/os/timeofday.c
+++ b/src/lib/krb5/os/timeofday.c
@@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context context, krb5_timestamp date)
     retval = krb5_timeofday(context, &currenttime);
     if (retval)
         return retval;
-    if (!(labs((date)-currenttime) < context->clockskew))
+    if (!ts_within(date, currenttime, context->clockskew))
         return KRB5KRB_AP_ERR_SKEW;
 
     return 0;
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index 456193a41aed..4bbcdde52812 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -40,14 +40,15 @@ krb5_error_code KRB5_CALLCONV
 krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
 {
     krb5_os_context os_ctx = &context->os_context;
-    krb5_int32 sec, usec;
+    krb5_timestamp sec;
+    krb5_int32 usec;
     krb5_error_code retval;
 
     retval = krb5_crypto_us_timeofday(&sec, &usec);
     if (retval)
         return retval;
 
-    os_ctx->time_offset = seconds - sec;
+    os_ctx->time_offset = ts_delta(seconds, sec);
     os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0;
 
     os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 83c8d4db876a..e97ce5fe5d66 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -173,7 +173,7 @@ trace_format(krb5_context context, const char *fmt, va_list ap)
             p = va_arg(ap, const char *);
             if (p == NULL && len != 0)
                 k5_buf_add(&buf, "(null)");
-            else
+            else if (p != NULL)
                 buf_add_printable_len(&buf, p, len);
         } else if (strcmp(tmpbuf, "hexlenstr") == 0) {
             len = va_arg(ap, size_t);
@@ -340,7 +340,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
     va_list ap;
     krb5_trace_info info;
     char *str = NULL, *msg = NULL;
-    krb5_int32 sec, usec;
+    krb5_timestamp sec;
+    krb5_int32 usec;
 
     if (context == NULL || context->trace_callback == NULL)
         return;
@@ -350,7 +351,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
         goto cleanup;
     if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
         goto cleanup;
-    if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec,
+    if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec,
                  (int) usec, str) < 0)
         goto cleanup;
     info.message = msg;
diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
index 056357683456..a80fdf68ca48 100644
--- a/src/lib/krb5/os/ustime.c
+++ b/src/lib/krb5/os/ustime.c
@@ -40,7 +40,8 @@ krb5_error_code
 k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
                     krb5_timestamp *time_out, krb5_int32 *usec_out)
 {
-    krb5_int32 sec, usec;
+    krb5_timestamp sec;
+    krb5_int32 usec;
     krb5_error_code retval;
 
     retval = krb5_crypto_us_timeofday(&sec, &usec);
@@ -49,13 +50,13 @@ k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
     usec += offset_usec;
     if (usec > 1000000) {
         usec -= 1000000;
-        sec++;
+        sec = ts_incr(sec, 1);
     }
     if (usec < 0) {
         usec += 1000000;
-        sec--;
+        sec = ts_incr(sec, -1);
     }
-    sec += offset;
+    sec = ts_incr(sec, offset);
 
     *time_out = sec;
     *usec_out = usec;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index c4d2c744da40..1e0cb22c94e2 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -93,12 +93,11 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t)
 }
 
 static int
-alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
+alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t)
 {
     if (mytime == 0)
         return CMP_HOHUM; /* who cares? */
-    /* I hope we don't have to worry about overflow */
-    if (new1->ctime + t < mytime)
+    if (ts_after(mytime, ts_incr(new1->ctime, t)))
         return CMP_EXPIRED;
     return CMP_HOHUM;
 }
@@ -130,7 +129,7 @@ struct authlist
 
 static int
 rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep,
-         krb5_int32 now, krb5_boolean fromfile)
+         krb5_timestamp now, krb5_boolean fromfile)
 {
     struct dfl_data *t = (struct dfl_data *)id->data;
     unsigned int rephash;
@@ -517,7 +516,7 @@ errout:
         free(rep->server);
     if (rep->msghash)
         free(rep->msghash);
-    rep->client = rep->server = 0;
+    rep->client = rep->server = rep->msghash = NULL;
     return retval;
 }
 
@@ -537,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id)
     krb5_error_code retval;
     long max_size;
     int expired_entries = 0;
-    krb5_int32 now;
+    krb5_timestamp now;
 
     if ((retval = krb5_rc_io_open(context, &t->d, t->name))) {
         return retval;
@@ -707,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep)
 {
     krb5_error_code ret;
     struct dfl_data *t;
-    krb5_int32 now;
+    krb5_timestamp now;
 
     ret = krb5_timeofday(context, &now);
     if (ret)
@@ -763,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
     struct authlist **qt;
     struct authlist *r;
     struct authlist *rt;
-    krb5_int32 now;
+    krb5_timestamp now;
 
     if (krb5_timestamp(context, &now))
         now = 0;
diff --git a/src/lib/krb5/rcache/ser_rc.c b/src/lib/krb5/rcache/ser_rc.c
index 556af21e5e48..5c537f08a1cc 100644
--- a/src/lib/krb5/rcache/ser_rc.c
+++ b/src/lib/krb5/rcache/ser_rc.c
@@ -72,7 +72,7 @@ krb5_rcache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
          *      krb5_int32      for KV5M_RCACHE
          */
         required = sizeof(krb5_int32) * 3;
-        if (rcache->ops && rcache->ops->type)
+        if (rcache->ops)
             required += (strlen(rcache->ops->type)+1);
 
         /*
diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c
index db273ec2f221..b99cdf1abb8e 100644
--- a/src/lib/krb5/rcache/t_replay.c
+++ b/src/lib/krb5/rcache/t_replay.c
@@ -110,7 +110,7 @@ store(krb5_context ctx, char *rcspec, char *client, char *server, char *msg,
     krb5_donot_replay rep;
     krb5_data d;
 
-    if (now_timestamp > 0)
+    if (now_timestamp != 0)
         krb5_set_debugging_time(ctx, now_timestamp, now_usec);
     if ((retval = krb5_rc_resolve_full(ctx, &rc, rcspec)))
         goto cleanup;
@@ -221,13 +221,13 @@ main(int argc, char **argv)
             msg = (**argv) ? *argv : NULL;
             argc--; argv++;
             if (!argc) usage(progname);
-            timestamp = (krb5_timestamp) atol(*argv);
+            timestamp = (krb5_timestamp) atoll(*argv);
             argc--; argv++;
             if (!argc) usage(progname);
             usec = (krb5_int32) atol(*argv);
             argc--; argv++;
             if (!argc) usage(progname);
-            now_timestamp = (krb5_timestamp) atol(*argv);
+            now_timestamp = (krb5_timestamp) atoll(*argv);
             argc--; argv++;
             if (!argc) usage(progname);
             now_usec = (krb5_int32) atol(*argv);
@@ -249,7 +249,7 @@ main(int argc, char **argv)
             rcspec = *argv;
             argc--; argv++;
             if (!argc) usage(progname);
-            now_timestamp = (krb5_timestamp) atol(*argv);
+            now_timestamp = (krb5_timestamp) atoll(*argv);
             argc--; argv++;
             if (!argc) usage(progname);
             now_usec = (krb5_int32) atol(*argv);
diff --git a/src/lib/krb5/unicode/ure/ure.c b/src/lib/krb5/unicode/ure/ure.c
index d1cfd8af945e..23a03d94ffa2 100644
--- a/src/lib/krb5/unicode/ure/ure.c
+++ b/src/lib/krb5/unicode/ure/ure.c
@@ -421,7 +421,7 @@ _ure_prop_list(ucs2_t *pp, unsigned long limit, unsigned long *mask,
           b->error = _URE_INVALID_PROPERTY;
     }
 
-    if (n != 0)
+    if (b->error == _URE_OK && n != 0)
       m |= cclass_flags[n];
 
     /*
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index e5b560dfcb26..f7b428e16928 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -470,3 +470,6 @@ EXPORTS
 	krb5_get_init_creds_opt_set_pac_request		@435
 	krb5int_trace					@436 ; PRIVATE GSSAPI
 	krb5_expand_hostname				@437
+
+; new in 1.16
+	k5_enctype_to_ssf				@438 ; PRIVATE GSSAPI
diff --git a/src/lib/rpc/deps b/src/lib/rpc/deps
index 3c5af2f795bd..f57b831d9c65 100644
--- a/src/lib/rpc/deps
+++ b/src/lib/rpc/deps
@@ -180,7 +180,8 @@ pmap_rmt.so pmap_rmt.po $(OUTPRE)pmap_rmt.$(OBJEXT): \
   $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \
   $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/port-sockets.h pmap_rmt.c
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  pmap_rmt.c
 rpc_prot.so rpc_prot.po $(OUTPRE)rpc_prot.$(OBJEXT): \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index cd0b3095ae4f..4829e3ff06c3 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)pmap_rmt.c 1.21 87/08/27 Copyr 1984 Sun Micro";
 #include <arpa/inet.h>
 #define MAX_BROADCAST_SIZE 1400
 #include <port-sockets.h>
+#include "socket-utils.h"
 
 static struct timeval timeout = { 3, 0 };
 
@@ -208,12 +209,11 @@ getbroadcastnets(
 			if (ioctl(sock, SIOCGIFBRDADDR, (char *)&ifreq) < 0) {
 				addrs[i++].s_addr = INADDR_ANY;
 			} else {
-				addrs[i++] = ((struct sockaddr_in*)
-				  &ifreq.ifr_addr)->sin_addr;
+				addrs[i++] = sa2sin(&ifreq.ifr_addr)->sin_addr;
 			}
 #else /* 4.2 BSD */
 			struct sockaddr_in *sockin;
-			sockin = (struct sockaddr_in *)&ifr->ifr_addr;
+			sockin = sa2sin(&ifr->ifr_addr);
 			addrs[i++] = inet_makeaddr(inet_netof
 			  (sockin->sin_addr.s_addr), INADDR_ANY);
 #endif
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 48866b8e9521..ec4bda4dd7ff 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5IDENTITY" "5" " " "1.15.1" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index f6a1706be8b6..fea5c230dbed 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5LOGIN" "5" " " "1.15.1" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 066a99118f3b..1830476c05a7 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5SRVUTIL" "1" " " "1.15.1" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 9043775f84c6..fe9b61170038 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADM5.ACL" "5" " " "1.15.1" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
@@ -230,16 +230,17 @@ sms@ATHENA.MIT.EDU        x   * \-maxlife 9h \-postdateable # line 6
 .UNINDENT
 .UNINDENT
 .sp
-(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with
-an \fBadmin\fP instance has all administrative privileges.
+(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an
+\fBadmin\fP instance has all administrative privileges except extracting
+keys.
 .sp
-(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his
-\fBadmin\fP instance, \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line
-1).  He has no permissions at all with his null instance,
-\fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2).  His \fBroot\fP and other
-non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire permissions with any principal that has the instance \fBroot\fP
-(matches line 3).
+(lines 1\-3) The user \fBjoeadmin\fP has all permissions except
+extracting keys with his \fBadmin\fP instance,
+\fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line 1).  He has no
+permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP
+(matches line 2).  His \fBroot\fP and other non\-\fBadmin\fP, non\-null
+instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions
+with any principal that has the instance \fBroot\fP (matches line 3).
 .sp
 (line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
 or change the password of their null instance, but not any other
@@ -253,9 +254,20 @@ permission can only be granted globally, not to specific target
 principals.
 .sp
 (line 6) Finally, the Service Management System principal
-\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+\fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+.SH MODULE BEHAVIOR
+.sp
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the \fIkadm5_auth\fP section of
+\fIkrb5.conf(5)\fP\&.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+.sp
+To operate without an ACL file, set the \fIacl_file\fP variable in
+\fIkdc.conf(5)\fP to the empty string with \fBacl_file = ""\fP\&.
 .SH SEE ALSO
 .sp
 \fIkdc.conf(5)\fP, \fIkadmind(8)\fP
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 5105eca28e76..008d9bf5df98 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -705,6 +705,13 @@ accepted values.
 Enables One Time Passwords (OTP) preauthentication for a client
 \fIprincipal\fP\&.  The \fIvalue\fP is a JSON string representing an array
 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
+.TP
+.B \fBpkinit_cert_match\fP
+Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the \fBpkinit_cert_match\fP
+option in \fIkrb5.conf(5)\fP\&.  (New in release 1.16.)
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 65647f97c797..6d592a0e8faa 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIND" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 83591a70c12c..001c797ab20e 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_LDAP_UTIL" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index cb637cbb0015..66bf6f856af0 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 10b333c38d29..440ce3b96dc8 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.15.1" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -145,9 +145,10 @@ The following tags may be specified in a [realms] subsection:
 .B \fBacl_file\fP
 (String.)  Location of the access control list file that
 \fIkadmind(8)\fP uses to determine which principals are allowed
-which permissions on the Kerberos database.  The default value is
-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more information on Kerberos ACL
-file see \fIkadm5.acl(5)\fP\&.
+which permissions on the Kerberos database.  To operate without an
+ACL file, set this relation to the empty string with \fBacl_file =
+""\fP\&.  The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&.  For more
+information on Kerberos ACL file see \fIkadm5.acl(5)\fP\&.
 .TP
 .B \fBdatabase_module\fP
 (String.)  This relation indicates the name of the configuration
@@ -259,6 +260,11 @@ per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.
 .TP
+.B \fBencrypted_challenge_indicator\fP
+(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre\-authentication.  New in 1.16.
+.TP
 .B \fBhost_based_services\fP
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
@@ -886,9 +892,6 @@ Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)
 .TP
-.B \fBpkinit_kdc_ocsp\fP
-Specifies the location of the KDC\(aqs OCSP.
-.TP
 .B \fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
@@ -1031,7 +1034,7 @@ _
 T{
 aes
 T}	T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
 T}
 _
 T{
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 47e1e369423e..08019948755b 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDESTROY" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index e257bd25ef91..24a6f968b826 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KINIT" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index 3080640dd97d..c73a88dedf67 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KLIST" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index b7bb0a32fc5a..89bdc96a93b7 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPASSWD" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 9d3e2033c38c..45ceaaf6d217 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROP" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 9048f8fd5d92..a40e542dae9e 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPD" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
@@ -40,6 +40,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-F\fP \fIprincipal_database\fP]
 [\fB\-p\fP \fIkdb5_util_prog\fP]
 [\fB\-P\fP \fIport\fP]
+[\fB\-\-pid\-file\fP=\fIpid_file\fP]
 [\fB\-d\fP]
 [\fB\-t\fP]
 .SH DESCRIPTION
@@ -131,6 +132,10 @@ is only useful in combination with the \fB\-S\fP option.
 .B \fB\-a\fP \fIacl_file\fP
 Allows the user to specify the path to the kpropd.acl file; by
 default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&.
+.TP
+.B \fB\-\-pid\-file\fP=\fIpid_file\fP
+In standalone mode, write the process ID of the daemon into
+\fIpid_file\fP\&.
 .UNINDENT
 .SH ENVIRONMENT
 .sp
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index eaf6a21954bc..7bdf17da52db 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPLOG" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index c9d2724ac1bd..2899808d19be 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5-CONFIG" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 4e350bd72351..3d12254797d3 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5.CONF" "5" " " "1.15.1" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
@@ -112,9 +112,10 @@ includedir DIRNAME
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 .sp
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -257,7 +258,7 @@ the client should request when making a TGS\-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
 commas or whitespace.  See \fIEncryption_types\fP in
 \fIkdc.conf(5)\fP for a list of the accepted values for this tag.
-The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
+The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
 .sp
@@ -271,7 +272,7 @@ Identifies the supported list of session key encryption types that
 the client should request when making an AS\-REQ, in order of
 preference from highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .sp
@@ -353,7 +354,7 @@ For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
 .B \fBkcm_mach_service\fP
-On OS X only, determines the name of the bootstrap service used to
+On macOS only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is \fB\-\fP, Mach RPC will not be used to contact the KCM
 daemon.  The default value is \fBorg.h5l.kcm\fP\&.
@@ -454,7 +455,7 @@ used across NATs.  The default value is true.
 .B \fBpermitted_enctypes\fP
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
@@ -908,6 +909,10 @@ client principal
 .B \fBrealm\fP
 Uses the service realm to guess an appropriate cache from the
 collection
+.TP
+.B \fBhostname\fP
+If the service principal is host\-based, uses the service hostname
+to guess an appropriate cache from the collection
 .UNINDENT
 .SS pwqual interface
 .sp
@@ -936,6 +941,24 @@ principal creation, modification, password changes and deletion.  This
 interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
+.SS kadm5_auth interface
+.sp
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBacl\fP
+This module reads the \fIkadm5.acl(5)\fP file, and authorizes
+operations which are allowed according to the rules in the file.
+.TP
+.B \fBself\fP
+This module authorizes self\-service operations including password
+changes, creation of new random keys, fetching the client\(aqs
+principal record or string attributes, and fetching the policy
+record associated with the client principal.
+.UNINDENT
 .SS clpreauth and kdcpreauth interfaces
 .sp
 The clpreauth and kdcpreauth interfaces allow plugin modules to
@@ -1009,6 +1032,30 @@ the account\(aqs \fI\&.k5login(5)\fP file.
 This module authorizes a principal to a local account if the
 principal name maps to the local account name.
 .UNINDENT
+.SS certauth interface
+.sp
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBpkinit_san\fP
+This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
+is set to true for the realm.
+.TP
+.B \fBpkinit_eku\fP
+This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+\fBpkinit_eku_checking\fP value for the realm.
+.TP
+.B \fBdbmatch\fP
+This module authorizes or rejects the certificate according to
+whether it matches the \fBpkinit_cert_match\fP string attribute on
+the client principal, if that attribute is present.
+.UNINDENT
 .SH PKINIT OPTIONS
 .sp
 \fBNOTE:\fP
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 873014650b27..cf3de31b284e 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5KDC" "8" " " "1.15.1" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 2a0328e8435c..d885b8f10d58 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSU" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KSU" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index d8d925cbceac..0c38aff575aa 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSWITCH" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 6a119e7550ad..3498b65d6fd3 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KTUTIL" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
@@ -113,7 +113,7 @@ Alias: \fBdelent\fP
 .INDENT 0.0
 .INDENT 3.5
 \fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP
-\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP
+\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP [\fB\-s\fP \fIsalt\fP]
 .UNINDENT
 .UNINDENT
 .sp
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 4d510ca51f21..a62a73378f42 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KVNO" "1" " " "1.15.1" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 1d5c4c5e7048..c8228ad020c7 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SCLIENT" "1" " " "1.15.1" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 514128018c36..f871e4e7638a 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SSERVER" "8" " " "1.15.1" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .
diff --git a/src/patchlevel.h b/src/patchlevel.h
index d1016b8c6fe8..502b0ed82f60 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -50,8 +50,8 @@
  * organization.
  */
 #define KRB5_MAJOR_RELEASE 1
-#define KRB5_MINOR_RELEASE 15
-#define KRB5_PATCHLEVEL 1
+#define KRB5_MINOR_RELEASE 16
+#define KRB5_PATCHLEVEL 0
 /* #undef KRB5_RELTAIL */
-#define KRB5_RELDATE "20170302"
-#define KRB5_RELTAG "krb5-1.15.1-final"
+#define KRB5_RELDATE "20171205"
+#define KRB5_RELTAG "krb5-1.16-final"
diff --git a/src/plugins/audit/kdc_j_encode.c b/src/plugins/audit/kdc_j_encode.c
index e24f4d851066..265e95bc4eab 100755
--- a/src/plugins/audit/kdc_j_encode.c
+++ b/src/plugins/audit/kdc_j_encode.c
@@ -861,22 +861,19 @@ tkt_to_value(krb5_ticket *tkt, k5_json_object obj,
         ret = int32_to_value(part2->session->enctype, tmp, AU_SESS_ETYPE);
         if (ret)
             goto error;
-        if (&part2->times) {
-            ret = int32_to_value(part2->times.starttime, tmp, AU_START);
-            if (ret)
-                goto error;
-            ret = int32_to_value(part2->times.endtime, tmp, AU_END);
-            if (ret)
-                goto error;
-            ret = int32_to_value(part2->times.renew_till, tmp, AU_RENEW_TILL);
-            if (ret)
-                goto error;
-            ret = int32_to_value(part2->times.authtime, tmp, AU_AUTHTIME);
-            if (ret)
-                goto error;
-        }
-        if (&part2->transited && &part2->transited.tr_contents &&
-            part2->transited.tr_contents.length > 0) {
+        ret = int32_to_value(part2->times.starttime, tmp, AU_START);
+        if (ret)
+            goto error;
+        ret = int32_to_value(part2->times.endtime, tmp, AU_END);
+        if (ret)
+            goto error;
+        ret = int32_to_value(part2->times.renew_till, tmp, AU_RENEW_TILL);
+        if (ret)
+            goto error;
+        ret = int32_to_value(part2->times.authtime, tmp, AU_AUTHTIME);
+        if (ret)
+            goto error;
+        if (part2->transited.tr_contents.length > 0) {
             ret = data_to_value(&part2->transited.tr_contents,
                                tmp, AU_TR_CONTENTS);
             if (ret)
diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in
new file mode 100644
index 000000000000..d3524084c120
--- /dev/null
+++ b/src/plugins/certauth/test/Makefile.in
@@ -0,0 +1,20 @@
+mydir=plugins$(S)certauth$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=certauth_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/certauth/test
+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+install-unix:
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/plugins/certauth/test/certauth_test.exports b/src/plugins/certauth/test/certauth_test.exports
new file mode 100644
index 000000000000..1c8cd24e2b93
--- /dev/null
+++ b/src/plugins/certauth/test/certauth_test.exports
@@ -0,0 +1,2 @@
+certauth_test1_initvt
+certauth_test2_initvt
diff --git a/src/plugins/certauth/test/deps b/src/plugins/certauth/test/deps
new file mode 100644
index 000000000000..2974b3b57e2a
--- /dev/null
+++ b/src/plugins/certauth/test/deps
@@ -0,0 +1,14 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/certauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  main.c
diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
new file mode 100644
index 000000000000..77641230c402
--- /dev/null
+++ b/src/plugins/certauth/test/main.c
@@ -0,0 +1,211 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/certauth/main.c - certauth plugin test modules. */
+/*
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <k5-int.h>
+#include "krb5/certauth_plugin.h"
+
+struct krb5_certauth_moddata_st {
+    int initialized;
+};
+
+/* Test module 1 returns OK with an indicator. */
+static krb5_error_code
+test1_authorize(krb5_context context, krb5_certauth_moddata moddata,
+                const uint8_t *cert, size_t cert_len,
+                krb5_const_principal princ, const void *opts,
+                const struct _krb5_db_entry_new *db_entry,
+                char ***authinds_out)
+{
+    char **ais = NULL;
+
+    ais = calloc(2, sizeof(*ais));
+    assert(ais != NULL);
+    ais[0] = strdup("test1");
+    assert(ais[0] != NULL);
+    *authinds_out = ais;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+static void
+test_free_ind(krb5_context context, krb5_certauth_moddata moddata,
+              char **authinds)
+{
+    size_t i;
+
+    if (authinds == NULL)
+        return;
+    for (i = 0; authinds[i] != NULL; i++)
+        free(authinds[i]);
+    free(authinds);
+}
+
+/* A basic moddata test. */
+static krb5_error_code
+test2_init(krb5_context context, krb5_certauth_moddata *moddata_out)
+{
+    krb5_certauth_moddata mod;
+
+    mod = calloc(1, sizeof(*mod));
+    assert(mod != NULL);
+    mod->initialized = 1;
+    *moddata_out = mod;
+    return 0;
+}
+
+static void
+test2_fini(krb5_context context, krb5_certauth_moddata moddata)
+{
+    free(moddata);
+}
+
+/* Return true if cert appears to contain the CN name, based on a search of the
+ * DER encoding. */
+static krb5_boolean
+has_cn(krb5_context context, const uint8_t *cert, size_t cert_len,
+       const char *name)
+{
+    krb5_boolean match = FALSE;
+    uint8_t name_len, cntag[5] = "\x06\x03\x55\x04\x03";
+    const uint8_t *c;
+    struct k5buf buf;
+    size_t c_left;
+
+    /* Construct a DER search string of the CN AttributeType encoding followed
+     * by a UTF8String encoding containing name as the AttributeValue. */
+    k5_buf_init_dynamic(&buf);
+    k5_buf_add_len(&buf, cntag, sizeof(cntag));
+    k5_buf_add(&buf, "\x0C");
+    assert(strlen(name) < 128);
+    name_len = strlen(name);
+    k5_buf_add_len(&buf, &name_len, 1);
+    k5_buf_add_len(&buf, name, name_len);
+    assert(k5_buf_status(&buf) == 0);
+
+    /* Check for the CN needle in the certificate haystack. */
+    c_left = cert_len;
+    c = memchr(cert, *cntag, c_left);
+    while (c != NULL) {
+        c_left = cert_len - (c - cert);
+        if (buf.len > c_left)
+            break;
+        if (memcmp(c, buf.data, buf.len) == 0) {
+            match = TRUE;
+            break;
+        }
+        assert(c_left >= 1);
+        c = memchr(c + 1, *cntag, c_left - 1);
+    }
+
+    k5_buf_free(&buf);
+    return match;
+}
+
+/*
+ * Test module 2 returns OK if princ matches the CN part of the subject name,
+ * and returns indicators of the module name and princ.
+ */
+static krb5_error_code
+test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
+                const uint8_t *cert, size_t cert_len,
+                krb5_const_principal princ, const void *opts,
+                const struct _krb5_db_entry_new *db_entry,
+                char ***authinds_out)
+{
+    krb5_error_code ret;
+    char *name = NULL, **ais = NULL;
+
+    *authinds_out = NULL;
+
+    assert(moddata != NULL && moddata->initialized);
+
+    ret = krb5_unparse_name_flags(context, princ,
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
+    if (ret)
+        goto cleanup;
+
+    if (!has_cn(context, cert, cert_len, name)) {
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        goto cleanup;
+    }
+
+    /* Create an indicator list with the module name and CN. */
+    ais = calloc(3, sizeof(*ais));
+    assert(ais != NULL);
+    ais[0] = strdup("test2");
+    ais[1] = strdup(name);
+    assert(ais[0] != NULL && ais[1] != NULL);
+    *authinds_out = ais;
+
+    ais = NULL;
+
+cleanup:
+    krb5_free_unparsed_name(context, name);
+    return ret;
+}
+
+krb5_error_code
+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable);
+krb5_error_code
+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_certauth_vtable)vtable;
+    vt->name = "test1";
+    vt->authorize = test1_authorize;
+    vt->free_ind = test_free_ind;
+    return 0;
+}
+
+krb5_error_code
+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable);
+krb5_error_code
+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_certauth_vtable)vtable;
+    vt->name = "test2";
+    vt->authorize = test2_authorize;
+    vt->init = test2_init;
+    vt->fini = test2_fini;
+    vt->free_ind = test_free_ind;
+    return 0;
+}
diff --git a/src/plugins/kadm5_auth/test/Makefile.in b/src/plugins/kadm5_auth/test/Makefile.in
new file mode 100644
index 000000000000..825c4aea8b82
--- /dev/null
+++ b/src/plugins/kadm5_auth/test/Makefile.in
@@ -0,0 +1,20 @@
+mydir=plugins$(S)kadm5_auth$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=kadm5_auth_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/kadm5_auth/test
+SHLIB_EXPDEPS=$(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+SHLIB_EXPLIBS=$(KDB5_LIBS) $(KRB5_BASE_LIBS) $(LIBS)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+install-unix:
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/plugins/kadm5_auth/test/deps b/src/plugins/kadm5_auth/test/deps
new file mode 100644
index 000000000000..a2b74c21d1c1
--- /dev/null
+++ b/src/plugins/kadm5_auth/test/deps
@@ -0,0 +1,22 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h main.c
diff --git a/src/plugins/kadm5_auth/test/kadm5_auth_test.exports b/src/plugins/kadm5_auth/test/kadm5_auth_test.exports
new file mode 100644
index 000000000000..31319af2a9d8
--- /dev/null
+++ b/src/plugins/kadm5_auth/test/kadm5_auth_test.exports
@@ -0,0 +1,2 @@
+kadm5_auth_welcomer_initvt
+kadm5_auth_bouncer_initvt
diff --git a/src/plugins/kadm5_auth/test/main.c b/src/plugins/kadm5_auth/test/main.c
new file mode 100644
index 000000000000..6899f22e9edb
--- /dev/null
+++ b/src/plugins/kadm5_auth/test/main.c
@@ -0,0 +1,305 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/kadm5_auth/test/main.c - test modules for kadm5_auth interface */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements two testing kadm5_auth modules, the welcomer and the
+ * bouncer.  The welcomer implements permissive behavior, while the bouncer
+ * implements restrictive behavior.
+ *
+ * Module data objects and restrictions are adequately tested by the acl
+ * module, so we do not test them here.  Focus instead on the ability to
+ * examine principal and policy objects and to perform DB operations.
+ */
+
+#include "k5-int.h"
+#include <kadm5/admin.h>
+#include <krb5/kadm5_auth_plugin.h>
+
+krb5_error_code
+kadm5_auth_welcomer_initvt(krb5_context context, int maj_ver, int min_ver,
+                           krb5_plugin_vtable vtable);
+krb5_error_code
+kadm5_auth_bouncer_initvt(krb5_context context, int maj_ver, int min_ver,
+                          krb5_plugin_vtable vtable);
+
+/* The welcomer authorizes all getprinc operations, since kadmin uses them as a
+ * precursor to modprinc. */
+static krb5_error_code
+welcomer_getprinc(krb5_context context, kadm5_auth_moddata data,
+                  krb5_const_principal client, krb5_const_principal target)
+{
+    return 0;
+}
+
+/* The welcomer authorizes addprinc operations which set a policy "VIP". */
+static krb5_error_code
+welcomer_addprinc(krb5_context context, kadm5_auth_moddata data,
+                  krb5_const_principal client, krb5_const_principal target,
+                  const struct _kadm5_principal_ent_t *ent, long mask,
+                  struct kadm5_auth_restrictions **rs_out)
+{
+    if ((mask & KADM5_POLICY) && strcmp(ent->policy, "VIP") == 0)
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies addprinc operations which include a maximum lifetime. */
+static krb5_error_code
+bouncer_addprinc(krb5_context context, kadm5_auth_moddata data,
+                 krb5_const_principal client, krb5_const_principal target,
+                 const struct _kadm5_principal_ent_t *ent, long mask,
+                 struct kadm5_auth_restrictions **rs_out)
+{
+    return (mask & KADM5_MAX_LIFE) ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes modprinc operations which only set maxrenewlife. */
+static krb5_error_code
+welcomer_modprinc(krb5_context context, kadm5_auth_moddata data,
+                  krb5_const_principal client, krb5_const_principal target,
+                  const struct _kadm5_principal_ent_t *ent, long mask,
+                  struct kadm5_auth_restrictions **rs_out)
+{
+    return (mask == KADM5_MAX_RLIFE) ? 0 : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies modprinc operations if the target principal has an even
+ * number of components. */
+static krb5_error_code
+bouncer_modprinc(krb5_context context, kadm5_auth_moddata data,
+                 krb5_const_principal client, krb5_const_principal target,
+                 const struct _kadm5_principal_ent_t *ent, long mask,
+                 struct kadm5_auth_restrictions **rs_out)
+{
+    return (target->length % 2 == 0) ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes setstr operations for the attribute "note". */
+static krb5_error_code
+welcomer_setstr(krb5_context context, kadm5_auth_moddata data,
+                krb5_const_principal client, krb5_const_principal target,
+                const char *key, const char *value)
+{
+    return (strcmp(key, "note") == 0) ? 0 : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies setstr operations if the value is more than 10 bytes. */
+static krb5_error_code
+bouncer_setstr(krb5_context context, kadm5_auth_moddata data,
+               krb5_const_principal client, krb5_const_principal target,
+               const char *key, const char *value)
+{
+    return (strlen(value) > 10) ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes delprinc operations if the target principal starts
+ * with "d". */
+static krb5_error_code
+welcomer_delprinc(krb5_context context, kadm5_auth_moddata data,
+                  krb5_const_principal client, krb5_const_principal target)
+{
+    if (target->length > 0 && target->data[0].length > 0 &&
+        *target->data[0].data == 'd')
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies delprinc operations if the target principal has the
+ * "nodelete" string attribute. */
+static krb5_error_code
+bouncer_delprinc(krb5_context context, kadm5_auth_moddata data,
+                 krb5_const_principal client, krb5_const_principal target)
+{
+    krb5_error_code ret;
+    krb5_db_entry *ent;
+    char *val = NULL;
+
+    if (krb5_db_get_principal(context, target, 0, &ent) != 0)
+        return EPERM;
+    ret = krb5_dbe_get_string(context, ent, "nodelete", &val);
+    krb5_db_free_principal(context, ent);
+    ret = (ret != 0 || val != NULL) ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+    krb5_dbe_free_string(context, val);
+    return ret;
+}
+
+/* The welcomer authorizes rename operations if the first components of the
+ * principals have the same length. */
+static krb5_error_code
+welcomer_renprinc(krb5_context context, kadm5_auth_moddata data,
+                  krb5_const_principal client, krb5_const_principal src,
+                  krb5_const_principal dest)
+{
+    if (src->length > 0 && dest->length > 0 &&
+        src->data[0].length == dest->data[0].length)
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies rename operations if the source principal starts with
+ * "a". */
+static krb5_error_code
+bouncer_renprinc(krb5_context context, kadm5_auth_moddata data,
+                 krb5_const_principal client, krb5_const_principal src,
+                 krb5_const_principal dest)
+{
+    if (src->length > 0 && src->data[0].length > 0 &&
+        *src->data[0].data == 'a')
+        return EPERM;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes addpol operations which set a minlength of 3. */
+static krb5_error_code
+welcomer_addpol(krb5_context context, kadm5_auth_moddata data,
+                krb5_const_principal client, const char *policy,
+                const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    if ((mask & KADM5_PW_MIN_LENGTH) && ent->pw_min_length == 3)
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies addpol operations if the name is 3 bytes or less. */
+static krb5_error_code
+bouncer_addpol(krb5_context context, kadm5_auth_moddata data,
+               krb5_const_principal client, const char *policy,
+               const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    return (strlen(policy) <= 3) ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes modpol operations which only change min_life. */
+static krb5_error_code
+welcomer_modpol(krb5_context context, kadm5_auth_moddata data,
+                krb5_const_principal client, const char *policy,
+                const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    return (mask == KADM5_PW_MIN_LIFE) ? 0 : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies modpol operations which set pw_min_life above 10. */
+static krb5_error_code
+bouncer_modpol(krb5_context context, kadm5_auth_moddata data,
+               krb5_const_principal client, const char *policy,
+               const struct _kadm5_policy_ent_t *ent, long mask)
+{
+    if ((mask & KADM5_PW_MIN_LIFE) && ent->pw_min_life > 10)
+        return EPERM;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer authorizes getpol operations if the policy and client principal
+ * policy have the same length. */
+static krb5_error_code
+welcomer_getpol(krb5_context context, kadm5_auth_moddata data,
+                krb5_const_principal client, const char *policy,
+                const char *client_policy)
+{
+    if (client_policy != NULL && strlen(policy) == strlen(client_policy))
+        return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The bouncer denies getpol operations if the policy name begins with 'x'. */
+static krb5_error_code
+bouncer_getpol(krb5_context context, kadm5_auth_moddata data,
+               krb5_const_principal client, const char *policy,
+               const char *client_policy)
+{
+    return (*policy == 'x') ? EPERM : KRB5_PLUGIN_NO_HANDLE;
+}
+
+/* The welcomer counts end calls by incrementing the "ends" string attribute on
+ * the "opcount" principal, if it exists. */
+static void
+welcomer_end(krb5_context context, kadm5_auth_moddata data)
+{
+    krb5_principal princ = NULL;
+    krb5_db_entry *ent = NULL;
+    char *val = NULL, buf[10];
+
+    if (krb5_parse_name(context, "opcount", &princ) != 0)
+        goto cleanup;
+    if (krb5_db_get_principal(context, princ, 0, &ent) != 0)
+        goto cleanup;
+    if (krb5_dbe_get_string(context, ent, "ends", &val) != 0 || val == NULL)
+        goto cleanup;
+    snprintf(buf, sizeof(buf), "%d", atoi(val) + 1);
+    if (krb5_dbe_set_string(context, ent, "ends", buf) != 0)
+        goto cleanup;
+    ent->mask = KADM5_TL_DATA;
+    krb5_db_put_principal(context, ent);
+
+cleanup:
+    krb5_dbe_free_string(context, val);
+    krb5_db_free_principal(context, ent);
+    krb5_free_principal(context, princ);
+}
+
+krb5_error_code
+kadm5_auth_welcomer_initvt(krb5_context context, int maj_ver, int min_ver,
+                           krb5_plugin_vtable vtable)
+{
+    kadm5_auth_vtable vt = (kadm5_auth_vtable)vtable;
+
+    vt->name = "welcomer";
+    vt->addprinc = welcomer_addprinc;
+    vt->modprinc = welcomer_modprinc;
+    vt->setstr = welcomer_setstr;
+    vt->delprinc = welcomer_delprinc;
+    vt->renprinc = welcomer_renprinc;
+    vt->getprinc = welcomer_getprinc;
+    vt->addpol = welcomer_addpol;
+    vt->modpol = welcomer_modpol;
+    vt->getpol = welcomer_getpol;
+    vt->end = welcomer_end;
+    return 0;
+}
+
+krb5_error_code
+kadm5_auth_bouncer_initvt(krb5_context context, int maj_ver, int min_ver,
+                          krb5_plugin_vtable vtable)
+{
+    kadm5_auth_vtable vt = (kadm5_auth_vtable)vtable;
+
+    vt->name = "bouncer";
+    vt->addprinc = bouncer_addprinc;
+    vt->modprinc = bouncer_modprinc;
+    vt->setstr = bouncer_setstr;
+    vt->delprinc = bouncer_delprinc;
+    vt->renprinc = bouncer_renprinc;
+    vt->addpol = bouncer_addpol;
+    vt->modpol = bouncer_modpol;
+    vt->getpol = bouncer_getpol;
+    return 0;
+}
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 1a41481f9fae..4d905db77487 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -167,9 +167,12 @@ WRAP_K (krb5_db2_check_policy_as,
 
 WRAP_VOID (krb5_db2_audit_as_req,
            (krb5_context kcontext, krb5_kdc_req *request,
+            const krb5_address *local_addr,
+            const krb5_address *remote_addr,
             krb5_db_entry *client, krb5_db_entry *server,
             krb5_timestamp authtime, krb5_error_code error_code),
-           (kcontext, request, client, server, authtime, error_code));
+           (kcontext, request, local_addr, remote_addr, client, server,
+            authtime, error_code));
 
 static krb5_error_code
 hack_init (void)
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 4c4036eb4714..d23587a59790 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1314,13 +1314,6 @@ krb5_db2_delete_policy(krb5_context context, char *policy)
     return osa_adb_destroy_policy(dbc->policy_db, policy);
 }
 
-void
-krb5_db2_free_policy(krb5_context context, osa_policy_ent_t entry)
-{
-    osa_free_policy_ent(entry);
-}
-
-
 /*
  * Merge non-replicated attributes from src into dst, setting
  * changed to non-zero if dst was changed.
@@ -1558,8 +1551,10 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 
 void
 krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
-                      krb5_db_entry *client, krb5_db_entry *server,
-                      krb5_timestamp authtime, krb5_error_code error_code)
+                      const krb5_address *local_addr,
+                      const krb5_address *remote_addr, krb5_db_entry *client,
+                      krb5_db_entry *server, krb5_timestamp authtime,
+                      krb5_error_code error_code)
 {
     (void) krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
 }
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index b1b50c8286d6..349244dd92d7 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -134,7 +134,10 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 
 void
 krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                      const krb5_address *local_addr,
+                      const krb5_address *remote_addr,
                       krb5_db_entry *client, krb5_db_entry *server,
-                      krb5_timestamp authtime, krb5_error_code error_code);
+                      krb5_timestamp authtime,
+                      krb5_error_code error_code);
 
 #endif /* KRB5_KDB_DB2_H */
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 76f5d470932e..862dbb164080 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -103,26 +103,15 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
 	DB *dbp;
 	DBT mpool_key;
 	HTAB *hashp;
-	int32_t bpages, csize, new_table, save_errno, specified_file;
+	int32_t bpages, csize, new_table, save_errno;
 
-	if ((flags & O_ACCMODE) == O_WRONLY) {
+	if (!file || (flags & O_ACCMODE) == O_WRONLY) {
 		errno = EINVAL;
 		return (NULL);
 	}
 	if (!(hashp = (HTAB *)calloc(1, sizeof(HTAB))))
 		return (NULL);
 	hashp->fp = -1;
-
-	/* set this now, before file goes away... */
-	specified_file = (file != NULL);
-	if (!file) {
-		file = tmpnam(NULL);
-		/* store the file name so that we can unlink it later */
-		hashp->fname = file;
-#ifdef DEBUG
-		fprintf(stderr, "Using file name %s.\n", file);
-#endif
-	}
 	/*
 	 * Even if user wants write only, we need to be able to read
 	 * the actual file, so we need to open it read/write. But, the
@@ -130,7 +119,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
 	 * we can check accesses.
 	 */
 	hashp->flags = flags;
-	hashp->save_file = specified_file && (hashp->flags & O_RDWR);
+	hashp->save_file = hashp->flags & O_RDWR;
 
 	new_table = 0;
 	if (!file || (flags & O_TRUNC) ||
@@ -542,8 +531,6 @@ hdestroy(hashp)
 		/* we need to chmod the file to allow it to be deleted... */
 		chmod(hashp->fname, 0700);
 		unlink(hashp->fname);
-		/* destroy the temporary name */
-		tmpnam(NULL);
 	}
 	free(hashp);
 
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
index 7d151b55b35a..3a4f41821837 100644
--- a/src/plugins/kdb/db2/lockout.c
+++ b/src/plugins/kdb/db2/lockout.c
@@ -100,7 +100,7 @@ locked_check_p(krb5_context context,
 
     /* If the entry was unlocked since the last failure, it's not locked. */
     if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
-        entry->last_failed <= unlock_time)
+        !ts_after(entry->last_failed, unlock_time))
         return FALSE;
 
     if (max_fail == 0 || entry->fail_auth_count < max_fail)
@@ -109,7 +109,7 @@ locked_check_p(krb5_context context,
     if (lockout_duration == 0)
         return TRUE; /* principal permanently locked */
 
-    return (stamp < entry->last_failed + lockout_duration);
+    return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
 }
 
 krb5_error_code
@@ -200,13 +200,13 @@ krb5_db2_lockout_audit(krb5_context context,
                 status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
         if (krb5_dbe_lookup_last_admin_unlock(context, entry,
                                               &unlock_time) == 0 &&
-            entry->last_failed <= unlock_time) {
+            !ts_after(entry->last_failed, unlock_time)) {
             /* Reset fail_auth_count after administrative unlock. */
             entry->fail_auth_count = 0;
         }
 
         if (failcnt_interval != 0 &&
-            stamp > entry->last_failed + failcnt_interval) {
+            ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) {
             /* Reset fail_auth_count after failcnt_interval. */
             entry->fail_auth_count = 0;
         }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 7ba8075cb849..4fbf898965c2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -277,8 +277,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 
 void
 krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
-                       krb5_db_entry *client, krb5_db_entry *server,
-                       krb5_timestamp authtime, krb5_error_code error_code)
+                       const krb5_address *local_addr,
+                       const krb5_address *remote_addr, krb5_db_entry *client,
+                       krb5_db_entry *server, krb5_timestamp authtime,
+                       krb5_error_code error_code)
 {
     (void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 06b477537d5a..535a1f309e29 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -171,7 +171,6 @@ typedef struct _krb5_ldap_server_info krb5_ldap_server_info;
 typedef struct  _krb5_ldap_server_handle {
     int                              msgid;
     LDAP                             *ldap_handle;
-    krb5_boolean                     server_info_update_pending;
     krb5_ldap_server_info            *server_info;
     struct _krb5_ldap_server_handle  *next;
 } krb5_ldap_server_handle;
@@ -282,8 +281,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 
 void
 krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
-                       krb5_db_entry *client, krb5_db_entry *server,
-                       krb5_timestamp authtime, krb5_error_code error_code);
+                       const krb5_address *local_addr,
+                       const krb5_address *remote_addr, krb5_db_entry *client,
+                       krb5_db_entry *server, krb5_timestamp authtime,
+                       krb5_error_code error_code);
 
 krb5_error_code
 krb5_ldap_check_allowed_to_delegate(krb5_context context,
@@ -300,15 +301,6 @@ krb5_ldap_lock( krb5_context, int );
 krb5_error_code
 krb5_ldap_unlock( krb5_context );
 
-#ifndef HAVE_LDAP_INITIALIZE
-int
-ldap_initialize(LDAP **, char *);
-#endif
-#ifndef HAVE_LDAP_UNBIND_EXT_S
-int
-ldap_unbind_ext_s(LDAP *, LDAPControl **, LDAPControl **);
-#endif
-
 /* lockout.c */
 krb5_error_code
 krb5_ldap_lockout_check_policy(krb5_context context,
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index d904c9933b2e..cee4b7b8d30e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -193,7 +193,6 @@ initialize_server(krb5_ldap_context *ldap_context, krb5_ldap_server_info *info)
         return ret;
     }
 
-    server->server_info_update_pending = FALSE;
     server->next = info->ldap_server_handles;
     info->ldap_server_handles = server;
     info->num_conns++;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
new file mode 100644
index 000000000000..830277d738ca
--- /dev/null
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
@@ -0,0 +1,68 @@
+# This LDIF version of the Kerberos schema can be loaded into an
+# OpenLDAP database.  It was originally converted semi-automatically
+# from kerberos.schema using slaptest.
+
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn )
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
index 77d8f810dbad..2f5d3d9e03d2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
@@ -30,62 +30,6 @@
 
 #include "ldap_main.h"
 
-
-#ifdef ASYNC_BIND
-
-/*
- * Update the server info structure. In case of an asynchronous bind,
- * this function is called to check the bind status. A flag
- * server_info_upate_pending is refered before calling this function.
- * This function sets the server_status to either ON or OFF and
- * sets the server_info_udpate_pending to OFF.
- * Do not lock the mutex here. The caller should lock it
- */
-
-static krb5_error_code
-krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle,
-                        krb5_ldap_server_info *server_info)
-{
-    krb5_error_code            st=0;
-    struct timeval             ztime={0, 0};
-    LDAPMessage                *result=NULL;
-
-    if (ldap_server_handle == NULL || server_info == NULL)
-        return -1;
-
-    while (st == 0) {
-        st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
-                         LDAP_MSG_ALL, &ztime, &result);
-        switch (st) {
-        case -1:
-            server_info->server_status = OFF;
-            time(&server_info->downtime);
-            break;
-
-        case 0:
-            continue;
-            break;
-
-        case LDAP_RES_BIND:
-            if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
-                server_info->server_status = ON;
-            } else {
-                server_info->server_status = OFF;
-                time(&server_info->downtime);
-            }
-            ldap_msgfree(result);
-            break;
-        default:
-            ldap_msgfree(result);
-            continue;
-            break;
-        }
-    }
-    ldap_server_handle->server_info_update_pending = FALSE;
-    return 0;
-}
-#endif
-
 /*
  * Return ldap server handle from the pool. If the pool is exhausted return NULL.
  * Do not lock the mutex, caller should lock it
@@ -105,18 +49,6 @@ krb5_get_ldap_handle(krb5_ldap_context *ldap_context)
                 ldap_server_handle = ldap_server_info->ldap_server_handles;
                 ldap_server_info->ldap_server_handles = ldap_server_handle->next;
                 break;
-#ifdef ASYNC_BIND
-                if (ldap_server_handle->server_info_update_pending == TRUE) {
-                    krb5_update_server_info(context, ldap_server_handle,
-                                            ldap_server_info);
-                }
-
-                if (ldap_server_info->server_status == ON) {
-                    ldap_server_info->ldap_server_handles = ldap_server_handle->next;
-                    break;
-                } else
-                    ldap_server_handle = NULL;
-#endif
             }
         }
         ++cnt;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 32efc4f54ad0..5b9d1e9fa67c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1231,6 +1231,8 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn,
     kdb5_dal_handle *dal_handle;
     krb5_ldap_context *ldap_context;
     const char *realmdn;
+    char *rdn;
+    LDAPDN dn;
 
     *name_out = NULL;
     SETUP_CONTEXT();
@@ -1248,46 +1250,22 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn,
     if (policy_dn[plen] != ',' || strcmp(realmdn, policy_dn + plen + 1) != 0)
         return EINVAL;
 
-#if defined HAVE_LDAP_STR2DN
-    {
-        char *rdn;
-        LDAPDN dn;
-
-        rdn = k5memdup0(policy_dn, plen, &ret);
-        if (rdn == NULL)
-            return ret;
-        ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC);
-        free(rdn);
-        if (ret)
-            return EINVAL;
-        if (dn[0] == NULL || dn[1] != NULL ||
-            dn[0][0]->la_attr.bv_len != 2 ||
-            strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) {
-            ret = EINVAL;
-        } else {
-            *name_out = k5memdup0(dn[0][0]->la_value.bv_val,
-                                  dn[0][0]->la_value.bv_len, &ret);
-        }
-        ldap_dnfree(dn);
+    rdn = k5memdup0(policy_dn, plen, &ret);
+    if (rdn == NULL)
         return ret;
+    ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC);
+    free(rdn);
+    if (ret)
+        return EINVAL;
+    if (dn[0] == NULL || dn[1] != NULL || dn[0][0]->la_attr.bv_len != 2 ||
+        strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) {
+        ret = EINVAL;
+    } else {
+        *name_out = k5memdup0(dn[0][0]->la_value.bv_val,
+                              dn[0][0]->la_value.bv_len, &ret);
     }
-#elif defined HAVE_LDAP_EXPLODE_DN
-    {
-        char **parsed_dn;
-
-        /* 1 = return DN components without type prefix */
-        parsed_dn = ldap_explode_dn(policy_dn, 1);
-        if (parsed_dn == NULL)
-            return EINVAL;
-        *name_out = strdup(parsed_dn[0]);
-        if (*name_out == NULL)
-            return ENOMEM;
-        ldap_value_free(parsed_dn);
-        return 0;
-    }
-#else
-    return EINVAL;
-#endif
+    ldap_dnfree(dn);
+    return ret;
 }
 
 /* Compute the policy DN for the given policy name. */
@@ -1699,47 +1677,3 @@ cleanup:
     free_princ_ent_contents(&princ_ent);
     return ret;
 }
-
-/* Solaris libldap does not provide the following functions which are in
- * OpenLDAP. */
-#ifndef HAVE_LDAP_INITIALIZE
-int
-ldap_initialize(LDAP **ldp, char *url)
-{
-    int rc = 0;
-    LDAP *ld = NULL;
-    LDAPURLDesc *ludp = NULL;
-
-    /*
-     * For now, we don't use any DN that may be provided.  And on Solaris
-     * (based on Mozilla's LDAP client code), we need the _nodn form to parse
-     * "ldap://host" without a trailing slash.
-     *
-     * Also, this version won't handle an input string which contains multiple
-     * URLs, unlike the OpenLDAP ldap_initialize.  See
-     * https://bugzilla.mozilla.org/show_bug.cgi?id=353336#c1 .
-     */
-#ifdef HAVE_LDAP_URL_PARSE_NODN
-    rc = ldap_url_parse_nodn(url, &ludp);
-#else
-    rc = ldap_url_parse(url, &ludp);
-#endif
-    if (rc == 0) {
-        ld = ldap_init(ludp->lud_host, ludp->lud_port);
-        if (ld != NULL)
-            *ldp = ld;
-        else
-            rc = KRB5_KDB_ACCESS_ERROR;
-        ldap_free_urldesc(ludp);
-    }
-    return rc;
-}
-#endif /* HAVE_LDAP_INITIALIZE */
-
-#ifndef HAVE_LDAP_UNBIND_EXT_S
-int
-ldap_unbind_ext_s(LDAP *ld, LDAPControl **sctrls, LDAPControl **cctrls)
-{
-    return ldap_unbind_ext(ld, sctrls, cctrls);
-}
-#endif /* HAVE_LDAP_UNBIND_EXT_S */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 7ba53f959ce4..88a17049503e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -1734,7 +1734,7 @@ getstringtime(krb5_timestamp epochtime)
 {
     struct tm           tme;
     char                *strtime=NULL;
-    time_t              posixtime = epochtime;
+    time_t              posixtime = ts2tt(epochtime);
 
     strtime = calloc (50, 1);
     if (strtime == NULL)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
index f5c6ab8cd376..4193b4adccae 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
@@ -431,7 +431,7 @@ krb5_ldap_list(krb5_context context, char ***list, char *objectclass,
 {
     char                        *filter=NULL, *dn=NULL;
     krb5_error_code             st=0, tempst=0;
-    int                         i=0, count=0, filterlen=0;
+    int                         count=0, filterlen=0;
     LDAP                        *ld=NULL;
     LDAPMessage                 *result=NULL,*ent=NULL;
     kdb5_dal_handle             *dal_handle=NULL;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
index 0fc56c2fe7bd..1088ecc5ad0b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
@@ -93,7 +93,7 @@ locked_check_p(krb5_context context,
 
     /* If the entry was unlocked since the last failure, it's not locked. */
     if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
-        entry->last_failed <= unlock_time)
+        !ts_after(entry->last_failed, unlock_time))
         return FALSE;
 
     if (max_fail == 0 || entry->fail_auth_count < max_fail)
@@ -102,7 +102,7 @@ locked_check_p(krb5_context context,
     if (lockout_duration == 0)
         return TRUE; /* principal permanently locked */
 
-    return (stamp < entry->last_failed + lockout_duration);
+    return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
 }
 
 krb5_error_code
@@ -196,14 +196,14 @@ krb5_ldap_lockout_audit(krb5_context context,
                 status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
         if (krb5_dbe_lookup_last_admin_unlock(context, entry,
                                               &unlock_time) == 0 &&
-            entry->last_failed <= unlock_time) {
+            !ts_after(entry->last_failed, unlock_time)) {
             /* Reset fail_auth_count after administrative unlock. */
             entry->fail_auth_count = 0;
             entry->mask |= KADM5_FAIL_AUTH_COUNT;
         }
 
         if (failcnt_interval != 0 &&
-            stamp > entry->last_failed + failcnt_interval) {
+            ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) {
             /* Reset fail_auth_count after failcnt_interval */
             entry->fail_auth_count = 0;
             entry->mask |= KADM5_FAIL_AUTH_COUNT;
diff --git a/src/plugins/kdcpolicy/test/Makefile.in b/src/plugins/kdcpolicy/test/Makefile.in
new file mode 100644
index 000000000000..ea3484e13e64
--- /dev/null
+++ b/src/plugins/kdcpolicy/test/Makefile.in
@@ -0,0 +1,20 @@
+mydir=plugins$(S)kdcpolicy$(S)test
+BUILDTOP=$(REL)..$(S)..$(S)..
+
+LIBBASE=kdcpolicy_test
+LIBMAJOR=0
+LIBMINOR=0
+RELDIR=../plugins/kdcpolicy/test
+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+install-unix:
+clean-unix:: clean-libs clean-libobjs
+
+@libnover_frag@
+@libobj_frag@
diff --git a/src/plugins/kdcpolicy/test/deps b/src/plugins/kdcpolicy/test/deps
new file mode 100644
index 000000000000..4ecf533f3ff2
--- /dev/null
+++ b/src/plugins/kdcpolicy/test/deps
@@ -0,0 +1,14 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpolicy_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h main.c
diff --git a/src/plugins/kdcpolicy/test/kdcpolicy_test.exports b/src/plugins/kdcpolicy/test/kdcpolicy_test.exports
new file mode 100644
index 000000000000..9682ec74f75c
--- /dev/null
+++ b/src/plugins/kdcpolicy/test/kdcpolicy_test.exports
@@ -0,0 +1 @@
+kdcpolicy_test_initvt
diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
new file mode 100644
index 000000000000..86c808958dc5
--- /dev/null
+++ b/src/plugins/kdcpolicy/test/main.c
@@ -0,0 +1,111 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
+/*
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "kdb.h"
+#include <krb5/kdcpolicy_plugin.h>
+
+static krb5_error_code
+output_from_indicator(const char *const *auth_indicators, int divisor,
+                      krb5_deltat *lifetime_out,
+                      krb5_deltat *renew_lifetime_out,
+                      const char **status)
+{
+    if (auth_indicators[0] == NULL) {
+        *status = NULL;
+        return 0;
+    }
+
+    if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
+        *lifetime_out = 3600 / divisor;
+        *renew_lifetime_out = *lifetime_out * 2;
+        return 0;
+    } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
+        *lifetime_out = 7 * 3600 / divisor;
+        *renew_lifetime_out = *lifetime_out * 2;
+        return 0;
+    }
+
+    *status = "LOCAL_POLICY";
+    return KRB5KDC_ERR_POLICY;
+}
+
+static krb5_error_code
+test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
+              const krb5_kdc_req *request, const krb5_db_entry *client,
+              const krb5_db_entry *server, const char *const *auth_indicators,
+              const char **status, krb5_deltat *lifetime_out,
+              krb5_deltat *renew_lifetime_out)
+{
+    if (request->client != NULL && request->client->length >= 1 &&
+        data_eq_string(request->client->data[0], "fail")) {
+        *status = "LOCAL_POLICY";
+        return KRB5KDC_ERR_POLICY;
+    }
+    return output_from_indicator(auth_indicators, 1, lifetime_out,
+                                 renew_lifetime_out, status);
+}
+
+static krb5_error_code
+test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
+               const krb5_kdc_req *request, const krb5_db_entry *server,
+               const krb5_ticket *ticket, const char *const *auth_indicators,
+               const char **status, krb5_deltat *lifetime_out,
+               krb5_deltat *renew_lifetime_out)
+{
+    if (request->server != NULL && request->server->length >= 1 &&
+        data_eq_string(request->server->data[0], "fail")) {
+        *status = "LOCAL_POLICY";
+        return KRB5KDC_ERR_POLICY;
+    }
+    return output_from_indicator(auth_indicators, 2, lifetime_out,
+                                 renew_lifetime_out, status);
+}
+
+krb5_error_code
+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable);
+krb5_error_code
+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
+                      krb5_plugin_vtable vtable)
+{
+    krb5_kdcpolicy_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+
+    vt = (krb5_kdcpolicy_vtable)vtable;
+    vt->name = "test";
+    vt->check_as = test_check_as;
+    vt->check_tgs = test_check_tgs;
+    return 0;
+}
diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
index 2649e9a90d40..a1b681682405 100644
--- a/src/plugins/preauth/otp/main.c
+++ b/src/plugins/preauth/otp/main.c
@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
 
     /* Send the request. */
     otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
-                     request->client, config, req, on_response, rs);
+                     cb->client_name(context, rock), config, req, on_response,
+                     rs);
     cb->free_string(context, rock, config);
 
     k5_free_pa_otp_req(context, req);
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
index 3bb88d8e922f..d8b9398180ef 100644
--- a/src/plugins/preauth/pkinit/Makefile.in
+++ b/src/plugins/preauth/pkinit/Makefile.in
@@ -1,7 +1,6 @@
 mydir=plugins$(S)preauth$(S)pkinit
 BUILDTOP=$(REL)..$(S)..$(S)..
 MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-LOCALINCLUDES = $(PKINIT_CRYPTO_IMPL_CFLAGS)
 
 LIBBASE=pkinit
 LIBMAJOR=0
@@ -11,8 +10,7 @@ RELDIR=../plugins/preauth/pkinit
 SHLIB_EXPDEPS = \
 	$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
 	$(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(PKINIT_CRYPTO_IMPL_LIBS) $(DL_LIB) $(SUPPORT_LIB) $(LIBS)
-DEFINES=-DPKINIT_DYNOBJEXT=\""$(PKINIT_DYNOBJEXT)"\"
+SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto -lcrypto $(DL_LIB) $(SUPPORT_LIB) $(LIBS)
 
 STLIBOBJS= \
 	pkinit_accessor.o \
@@ -23,7 +21,7 @@ STLIBOBJS= \
 	pkinit_profile.o \
 	pkinit_identity.o \
 	pkinit_matching.o \
-	pkinit_crypto_$(PKINIT_CRYPTO_IMPL).o
+	pkinit_crypto_openssl.o
 
 SRCS= \
 	$(srcdir)/pkinit_accessor.c \
@@ -35,7 +33,7 @@ SRCS= \
 	$(srcdir)/pkinit_profile.c \
 	$(srcdir)/pkinit_identity.c \
 	$(srcdir)/pkinit_matching.c \
-	$(srcdir)/pkinit_crypto_$(PKINIT_CRYPTO_IMPL).c
+	$(srcdir)/pkinit_crypto_openssl.c
 
 all-unix: all-liblinks
 install-unix: install-libs
diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps
index 75276b66491c..57116db1618c 100644
--- a/src/plugins/preauth/pkinit/deps
+++ b/src/plugins/preauth/pkinit/deps
@@ -20,11 +20,12 @@ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
   $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \
-  $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
-  pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_trace.h
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/certauth_plugin.h \
+  $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
+  pkinit_srv.c pkinit_trace.h
 pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 876db94c32f8..f3de9ad7a15d 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -73,6 +73,7 @@
 #define KRB5_CONF_PKINIT_IDENTITIES             "pkinit_identities"
 #define KRB5_CONF_PKINIT_IDENTITY               "pkinit_identity"
 #define KRB5_CONF_PKINIT_KDC_HOSTNAME           "pkinit_kdc_hostname"
+/* pkinit_kdc_ocsp has been removed */
 #define KRB5_CONF_PKINIT_KDC_OCSP               "pkinit_kdc_ocsp"
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
     char **anchors;
     char **intermediates;
     char **crls;
-    char *ocsp;
     int  idtype;
     char *cert_filename;
     char *key_filename;
@@ -209,6 +209,7 @@ struct _pkinit_req_context {
     pkinit_identity_opts *idopts;
     int do_identity_matching;
     krb5_preauthtype pa_type;
+    int rfc4556_kdc;
     int rfc6112_kdc;
     int identity_initialized;
     int identity_prompted;
@@ -292,6 +293,13 @@ krb5_error_code pkinit_cert_matching
 	pkinit_identity_crypto_context id_cryptoctx,
 	krb5_principal princ);
 
+krb5_error_code pkinit_client_cert_match
+	(krb5_context context,
+	pkinit_plg_crypto_context plgctx,
+	pkinit_req_crypto_context reqctx,
+	const char *match_rule,
+	krb5_boolean *matched);
+
 /*
  * Client's list of identities for which it needs PINs or passwords
  */
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index e73ad53e99df..f1bc6b21dc47 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1175,15 +1175,22 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
         reqctx->rfc6112_kdc = 1;
         return 0;
     case KRB5_PADATA_PK_AS_REQ:
+        reqctx->rfc4556_kdc = 1;
         pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n");
         processing_request = 1;
         break;
 
     case KRB5_PADATA_PK_AS_REP:
+        reqctx->rfc4556_kdc = 1;
         pkiDebug("processing KRB5_PADATA_PK_AS_REP\n");
         break;
     case KRB5_PADATA_PK_AS_REP_OLD:
     case KRB5_PADATA_PK_AS_REQ_OLD:
+        /* Don't fall back to draft9 code if the KDC supports RFC 4556. */
+        if (reqctx->rfc4556_kdc) {
+            TRACE_PKINIT_CLIENT_NO_DRAFT9(context);
+            return KRB5KDC_ERR_PREAUTH_FAILED;
+        }
         if (in_padata->length == 0) {
             pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n");
             in_padata->pa_type = KRB5_PADATA_PK_AS_REQ_OLD;
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index b483affed6f7..2d3733bbc8dd 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -59,9 +59,6 @@ enum cms_msg_types {
 #define IDTYPE_PKCS11   3
 #define IDTYPE_ENVVAR   4
 #define IDTYPE_PKCS12   5
-#ifdef PKINIT_CRYPTO_IMPL_NSS
-#define IDTYPE_NSS      6
-#endif
 
 /*
  * ca/crl types
@@ -96,7 +93,6 @@ typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
 #define PKINIT_ITER_NO_MORE	0x11111111  /* XXX */
 
 typedef struct _pkinit_cert_matching_data {
-    pkinit_cert_handle ch;  /* cert handle for this certificate */
     char *subject_dn;	    /* rfc2253-style subject name string */
     char *issuer_dn;	    /* rfc2253-style issuer name string */
     unsigned int ku_bits;   /* key usage information */
@@ -458,68 +454,38 @@ krb5_error_code crypto_free_cert_info
 
 
 /*
- * Get number of certificates available after crypto_load_certs()
+ * Get a null-terminated list of certificate matching data objects for the
+ * certificates loaded in id_cryptoctx.
  */
-krb5_error_code crypto_cert_get_count
-	(krb5_context context,				/* IN */
-	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
-	pkinit_req_crypto_context req_cryptoctx,	/* IN */
-	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
-	int *cert_count);				/* OUT */
-
-/*
- * Begin iteration over the certs loaded in crypto_load_certs()
- */
-krb5_error_code crypto_cert_iteration_begin
-	(krb5_context context,				/* IN */
-	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
-	pkinit_req_crypto_context req_cryptoctx,	/* IN */
-	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
-	pkinit_cert_iter_handle *iter_handle);		/* OUT */
-
-/*
- * End iteration over the certs loaded in crypto_load_certs()
- */
-krb5_error_code crypto_cert_iteration_end
-	(krb5_context context,				/* IN */
-	pkinit_cert_iter_handle iter_handle);		/* IN */
-
-/*
- * Get next certificate handle
- */
-krb5_error_code crypto_cert_iteration_next
-	(krb5_context context,				/* IN */
-	pkinit_cert_iter_handle iter_handle,		/* IN */
-	pkinit_cert_handle *cert_handle);		/* OUT */
-
-/*
- * Release cert handle
- */
-krb5_error_code crypto_cert_release
-	(krb5_context context,				/* IN */
-	pkinit_cert_handle cert_handle);		/* IN */
+krb5_error_code
+crypto_cert_get_matching_data(krb5_context context,
+			      pkinit_plg_crypto_context plg_cryptoctx,
+			      pkinit_req_crypto_context req_cryptoctx,
+			      pkinit_identity_crypto_context id_cryptoctx,
+			      pkinit_cert_matching_data ***md_out);
 
 /*
- * Get certificate matching information
+ * Free a matching data object.
  */
-krb5_error_code crypto_cert_get_matching_data
-	(krb5_context context,				/* IN */
-	pkinit_cert_handle cert_handle,			/* IN */
-	pkinit_cert_matching_data **ret_data);		/* OUT */
+void
+crypto_cert_free_matching_data(krb5_context context,
+			       pkinit_cert_matching_data *md);
 
 /*
- * Free certificate information
+ * Free a list of matching data objects.
  */
-krb5_error_code crypto_cert_free_matching_data
-	(krb5_context context,				/* IN */
-	pkinit_cert_matching_data *data);		/* IN */
+void
+crypto_cert_free_matching_data_list(krb5_context context,
+				    pkinit_cert_matching_data **matchdata);
 
 /*
- * Make the given certificate "the chosen one"
+ * Choose one of the certificates loaded in idctx to use for PKINIT client
+ * operations.  cred_index must be an index into the array of matching objects
+ * returned by crypto_cert_get_matching_data().
  */
-krb5_error_code crypto_cert_select
-	(krb5_context context,				/* IN */
-	pkinit_cert_matching_data *data);		/* IN */
+krb5_error_code
+crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx,
+		   size_t cred_index);
 
 /*
  * Select the default certificate as "the chosen one"
@@ -664,4 +630,14 @@ extern const size_t  krb5_pkinit_sha512_oid_len;
  */
 extern krb5_data const * const supported_kdf_alg_ids[];
 
+krb5_error_code
+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
+		       uint8_t **der_out, size_t *der_len);
+
+krb5_error_code
+crypto_req_cert_matching_data(krb5_context context,
+			      pkinit_plg_crypto_context plgctx,
+			      pkinit_req_crypto_context reqctx,
+			      pkinit_cert_matching_data **md_out);
+
 #endif	/* _PKINIT_CRYPTO_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
deleted file mode 100644
index c849f8736508..000000000000
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ /dev/null
@@ -1,5800 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- *  Copyright (c) 2006,2007,2010,2011 Red Hat, Inc.
- *  All Rights Reserved.
- *
- *  Redistribution and use in source and binary forms, with or without
- *  modification, are permitted provided that the following conditions
- *  are met:
- *
- *  * Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- *  * Redistributions in binary form must reproduce the above
- *    copyright notice, this list of conditions and the following
- *    disclaimer in the documentation and/or other materials provided
- *    with the distribution.
- *
- *  * Neither the name of Red Hat, Inc., nor the names of its
- *    contributors may be used to endorse or promote products derived
- *    from this software without specific prior written permission.
- *
- *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- *  IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- *  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- *  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- *  OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- *  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "k5-platform.h"
-#include "k5-buf.h"
-#include "k5-utf8.h"
-#include "krb5.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <dirent.h>
-#include <errno.h>
-
-#include <prerror.h>
-#include <prmem.h>
-#include <prprf.h>
-#include <nss.h>
-#include <cert.h>
-#include <certdb.h>
-#include <ciferfam.h>
-#include <cms.h>
-#include <keyhi.h>
-#include <nssb64.h>
-#include <ocsp.h>
-#include <p12plcy.h>
-#include <p12.h>
-#include <pk11pub.h>
-#include <pkcs12.h>
-#include <secerr.h>
-#include <secmodt.h>
-#include <secmod.h>
-#include <secoidt.h>
-#include <secoid.h>
-
-/* Avoid including our local copy of "pkcs11.h" from one of the local headers,
- * since the definitions we want to use are going to be the ones that NSS
- * provides. */
-
-#define PKCS11_H
-#include "pkinit.h"
-#include "pkinit_crypto.h"
-
-/* We should probably avoid using the default location for certificate trusts,
- * unless we can be sure that the list of trusted roots isn't being shared
- * with general-purpose SSL/TLS configuration, even though we're leaning on
- * SSL/TLS trust settings. */
-#define DEFAULT_CONFIGDIR "/etc/pki/nssdb"
-
-/* #define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" */
-/* #define DEBUG_SENSITIVE */
-
-/* Define to create a temporary on-disk database when we need to import PKCS12
- * identities. */
-#define PKCS12_HACK
-
-/* Prefix to mark the nicknames we make up for pkcs12 bundles that don't
- * include a friendly name. */
-#define PKCS12_PREFIX "pkinit-pkcs12"
-
-/* The library name of the NSSPEM module. */
-#define PEM_MODULE "nsspem"
-
-/* Forward declaration. */
-static krb5_error_code cert_retrieve_cert_sans(krb5_context context,
-                                               CERTCertificate *cert,
-                                               krb5_principal **pkinit_sans,
-                                               krb5_principal **upn_sans,
-                                               unsigned char ***kdc_hostname);
-static void crypto_update_signer_identity(krb5_context,
-                                          pkinit_identity_crypto_context);
-
-/* DomainParameters: RFC 2459, 7.3.2. */
-struct domain_parameters {
-    SECItem p, g, q, j;
-    struct validation_parms *validation_parms;
-};
-
-/* Plugin and request state. */
-struct _pkinit_plg_crypto_context {
-    PLArenaPool *pool;
-    NSSInitContext *ncontext;
-};
-
-struct _pkinit_req_crypto_context {
-    PLArenaPool *pool;
-    SECKEYPrivateKey *client_dh_privkey;        /* used by clients */
-    SECKEYPublicKey *client_dh_pubkey;  /* used by clients */
-    struct domain_parameters client_dh_params;  /* used by KDCs */
-    CERTCertificate *peer_cert; /* the other party */
-};
-
-struct _pkinit_identity_crypto_context {
-    PLArenaPool *pool;
-    const char *identity;
-    SECMODModule *pem_module;   /* used for FILE: and DIR: */
-    struct _pkinit_identity_crypto_module {
-        char *name;
-        char *spec;
-        SECMODModule *module;
-    } **id_modules;             /* used for PKCS11: */
-    struct _pkinit_identity_crypto_userdb {
-        char *name;
-        PK11SlotInfo *userdb;
-    } **id_userdbs;             /* used for NSS: */
-    struct _pkinit_identity_crypto_p12slot {
-        char *p12name;
-        PK11SlotInfo *slot;
-    } id_p12_slot;             /* used for PKCS12: */
-    struct _pkinit_identity_crypto_file {
-        char *name;
-        PK11GenericObject *obj;
-        CERTCertificate *cert;
-    } **id_objects;             /* used with FILE: and DIR: */
-    SECItem **id_crls;
-    CERTCertList *id_certs, *ca_certs;
-    CERTCertificate *id_cert;
-    struct {
-        krb5_context context;
-        krb5_prompter_fct prompter;
-        void *prompter_data;
-        const char *identity;
-    } pwcb_args;
-    krb5_boolean defer_id_prompt;
-    pkinit_deferred_id *deferred_ids;
-    krb5_boolean defer_with_dummy_password;
-};
-
-struct _pkinit_cert_info {      /* aka _pkinit_cert_handle */
-    PLArenaPool *pool;
-    struct _pkinit_identity_crypto_context *id_cryptoctx;
-    CERTCertificate *cert;
-};
-
-struct _pkinit_cert_iter_info { /* aka _pkinit_cert_iter_handle */
-    PLArenaPool *pool;
-    struct _pkinit_identity_crypto_context *id_cryptoctx;
-    CERTCertListNode *node;
-};
-
-/* Protocol elements that we need to encode or decode. */
-
-/* DH parameters: draft-ietf-cat-kerberos-pk-init-08.txt, 3.1.2.2. */
-struct dh_parameters {
-    SECItem p, g, private_value_length;
-};
-static const SEC_ASN1Template dh_parameters_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct dh_parameters),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct dh_parameters, p),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct dh_parameters, g),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL,
-        offsetof(struct dh_parameters, private_value_length),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* ValidationParms: RFC 2459, 7.3.2. */
-struct validation_parms {
-    SECItem seed, pgen_counter;
-};
-static const SEC_ASN1Template validation_parms_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct validation_parms),
-    },
-    {
-        SEC_ASN1_BIT_STRING,
-        offsetof(struct validation_parms, seed),
-        &SEC_BitStringTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct validation_parms, pgen_counter),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* DomainParameters: RFC 2459, 7.3.2. */
-struct domain_parameters;
-static const SEC_ASN1Template domain_parameters_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct domain_parameters),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct domain_parameters, p),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct domain_parameters, g),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct domain_parameters, q),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL,
-        offsetof(struct domain_parameters, j),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INLINE | SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL,
-        offsetof(struct domain_parameters, validation_parms),
-        &validation_parms_template,
-        sizeof(struct validation_parms *),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* IssuerAndSerialNumber: RFC 3852, 10.2.4. */
-struct issuer_and_serial_number {
-    SECItem issuer;
-    SECItem serial;
-};
-static const SEC_ASN1Template issuer_and_serial_number_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct issuer_and_serial_number),
-    },
-    {
-        SEC_ASN1_ANY,
-        offsetof(struct issuer_and_serial_number, issuer),
-        &SEC_AnyTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_INTEGER,
-        offsetof(struct issuer_and_serial_number, serial),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* KerberosString: RFC 4120, 5.2.1. */
-static const SEC_ASN1Template kerberos_string_template[] = {
-    {
-        SEC_ASN1_GENERAL_STRING,
-        0,
-        NULL,
-        sizeof(SECItem),
-    }
-};
-
-/* Realm: RFC 4120, 5.2.2. */
-struct realm {
-    SECItem name;
-};
-static const SEC_ASN1Template realm_template[] = {
-    {
-        SEC_ASN1_GENERAL_STRING,
-        0,
-        NULL,
-        sizeof(SECItem),
-    }
-};
-
-/* PrincipalName: RFC 4120, 5.2.2. */
-static const SEC_ASN1Template sequence_of_kerberos_string_template[] = {
-    {
-        SEC_ASN1_SEQUENCE_OF,
-        0,
-        &kerberos_string_template,
-        0,
-    }
-};
-
-struct principal_name {
-    SECItem name_type;
-    SECItem **name_string;
-};
-static const SEC_ASN1Template principal_name_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct principal_name),
-    },
-    {
-        SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT,
-        offsetof(struct principal_name, name_type),
-        &SEC_IntegerTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT,
-        offsetof(struct principal_name, name_string),
-        sequence_of_kerberos_string_template,
-        sizeof(struct SECItem **),
-    },
-    {0, 0, NULL, 0},
-};
-
-/* KRB5PrincipalName: RFC 4556, 3.2.2. */
-struct kerberos_principal_name {
-    SECItem realm;
-    struct principal_name principal_name;
-};
-static const SEC_ASN1Template kerberos_principal_name_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct kerberos_principal_name),
-    },
-    {
-        SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT,
-        offsetof(struct kerberos_principal_name, realm),
-        &realm_template,
-        sizeof(struct realm),
-    },
-    {
-        SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT,
-        offsetof(struct kerberos_principal_name, principal_name),
-        &principal_name_template,
-        sizeof(struct principal_name),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* ContentInfo: RFC 3852, 3. */
-struct content_info {
-    SECItem content_type, content;
-};
-static const SEC_ASN1Template content_info_template[] = {
-    {
-        SEC_ASN1_SEQUENCE,
-        0,
-        NULL,
-        sizeof(struct content_info),
-    },
-    {
-        SEC_ASN1_OBJECT_ID,
-        offsetof(struct content_info, content_type),
-        &SEC_ObjectIDTemplate,
-        sizeof(SECItem),
-    },
-    {
-        SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT,
-        offsetof(struct content_info, content),
-        &SEC_OctetStringTemplate,
-        sizeof(SECItem),
-    },
-    {0, 0, NULL, 0}
-};
-
-/* OIDs. */
-static unsigned char oid_pkinit_key_purpose_client_bytes[] = {
-    0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x04
-};
-static SECItem pkinit_kp_client = {
-    siDEROID,
-    oid_pkinit_key_purpose_client_bytes,
-    7,
-};
-static unsigned char oid_pkinit_key_purpose_kdc_bytes[] = {
-    0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x05
-};
-static SECItem pkinit_kp_kdc = {
-    siDEROID,
-    oid_pkinit_key_purpose_kdc_bytes,
-    7,
-};
-static unsigned char oid_ms_sc_login_key_purpose_bytes[] = {
-    0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x02
-};
-static SECItem pkinit_kp_mssclogin = {
-    siDEROID,
-    oid_ms_sc_login_key_purpose_bytes,
-    10,
-};
-static unsigned char oid_pkinit_name_type_principal_bytes[] = {
-    0x2b, 0x06, 0x01, 0x05, 0x02, 0x02
-};
-static SECItem pkinit_nt_principal = {
-    siDEROID,
-    oid_pkinit_name_type_principal_bytes,
-    6,
-};
-static unsigned char oid_pkinit_name_type_upn_bytes[] = {
-    0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03
-};
-static SECItem pkinit_nt_upn = {
-    siDEROID,
-    oid_pkinit_name_type_upn_bytes,
-    10,
-};
-
-static SECOidTag
-get_pkinit_data_auth_data_tag(void)
-{
-    static unsigned char oid_pkinit_auth_data_bytes[] = {
-        0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x01
-    };
-    static SECOidData oid_pkinit_auth_data = {
-        {
-            siDEROID,
-            oid_pkinit_auth_data_bytes,
-            7,
-        },
-        SEC_OID_UNKNOWN,
-        "PKINIT Client Authentication Data",
-        CKM_INVALID_MECHANISM,
-        UNSUPPORTED_CERT_EXTENSION,
-    };
-    if (oid_pkinit_auth_data.offset == SEC_OID_UNKNOWN)
-        oid_pkinit_auth_data.offset = SECOID_AddEntry(&oid_pkinit_auth_data);
-    return oid_pkinit_auth_data.offset;
-}
-
-static SECOidTag
-get_pkinit_data_auth_data9_tag(void)
-{
-    static unsigned char oid_pkinit_auth_data9_bytes[] =
-        { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 };
-    static SECOidData oid_pkinit_auth_data9 = {
-        {
-            siDEROID,
-            oid_pkinit_auth_data9_bytes,
-            9,
-        },
-        SEC_OID_UNKNOWN,
-        "PKINIT Client Authentication Data (Draft 9)",
-        CKM_INVALID_MECHANISM,
-        UNSUPPORTED_CERT_EXTENSION,
-    };
-    if (oid_pkinit_auth_data9.offset == SEC_OID_UNKNOWN)
-        oid_pkinit_auth_data9.offset = SECOID_AddEntry(&oid_pkinit_auth_data9);
-    return oid_pkinit_auth_data9.offset;
-}
-
-static SECOidTag
-get_pkinit_data_rkey_data_tag(void)
-{
-    static unsigned char oid_pkinit_rkey_data_bytes[] = {
-        0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x03
-    };
-    static SECOidData oid_pkinit_rkey_data = {
-        {
-            siDEROID,
-            oid_pkinit_rkey_data_bytes,
-            7,
-        },
-        SEC_OID_UNKNOWN,
-        "PKINIT Reply Key Data",
-        CKM_INVALID_MECHANISM,
-        UNSUPPORTED_CERT_EXTENSION,
-    };
-    if (oid_pkinit_rkey_data.offset == SEC_OID_UNKNOWN)
-        oid_pkinit_rkey_data.offset = SECOID_AddEntry(&oid_pkinit_rkey_data);
-    return oid_pkinit_rkey_data.offset;
-}
-
-static SECOidTag
-get_pkinit_data_dhkey_data_tag(void)
-{
-    static unsigned char oid_pkinit_dhkey_data_bytes[] = {
-        0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x02
-    };
-    static SECOidData oid_pkinit_dhkey_data = {
-        {
-            siDEROID,
-            oid_pkinit_dhkey_data_bytes,
-            7,
-        },
-        SEC_OID_UNKNOWN,
-        "PKINIT DH Reply Key Data",
-        CKM_INVALID_MECHANISM,
-        UNSUPPORTED_CERT_EXTENSION,
-    };
-    if (oid_pkinit_dhkey_data.offset == SEC_OID_UNKNOWN)
-        oid_pkinit_dhkey_data.offset = SECOID_AddEntry(&oid_pkinit_dhkey_data);
-    return oid_pkinit_dhkey_data.offset;
-}
-
-static SECItem *
-get_oid_from_tag(SECOidTag tag)
-{
-    SECOidData *data;
-    data = SECOID_FindOIDByTag(tag);
-    if (data != NULL)
-        return &data->oid;
-    else
-        return NULL;
-}
-
-#ifdef DEBUG_DER
-static void
-derdump(unsigned char *data, unsigned int length)
-{
-    FILE *p;
-
-    p = popen(DEBUG_DER, "w");
-    if (p != NULL) {
-        fwrite(data, 1, length, p);
-        pclose(p);
-    }
-}
-#endif
-#ifdef DEBUG_CMS
-static void
-cmsdump(unsigned char *data, unsigned int length)
-{
-    FILE *p;
-
-    p = popen(DEBUG_CMS, "w");
-    if (p != NULL) {
-        fwrite(data, 1, length, p);
-        pclose(p);
-    }
-}
-#endif
-
-/* A password-prompt callback for NSS that calls the libkrb5 callback. */
-static char *
-crypto_pwfn(const char *what, PRBool is_hardware, CK_FLAGS token_flags,
-            PRBool retry, void *arg)
-{
-    int ret;
-    pkinit_identity_crypto_context id;
-    krb5_prompt prompt;
-    krb5_prompt_type prompt_types[2];
-    krb5_data reply;
-    char *text, *answer;
-    const char *warning, *password;
-    size_t text_size;
-    void *data;
-
-    /* We only want to be called once. */
-    if (retry)
-        return NULL;
-    /* We need our callback arguments. */
-    if (arg == NULL)
-        return NULL;
-    id = arg;
-
-    /* If we need to warn about the PIN, figure out the text. */
-    if (token_flags & CKF_USER_PIN_LOCKED)
-        warning = "PIN locked";
-    else if (token_flags & CKF_USER_PIN_FINAL_TRY)
-        warning = "PIN final try";
-    else if (token_flags & CKF_USER_PIN_COUNT_LOW)
-        warning = "PIN count low";
-    else
-        warning = NULL;
-
-    /*
-     * If we have the name of an identity here, then we're either supposed to
-     * save its name, or attempt to use a password, if one was supplied.
-     */
-    if (id->pwcb_args.identity != NULL) {
-        if (id->defer_id_prompt) {
-            /* If we're in the defer-prompts step, just save the identity name
-             * and "fail". */
-            if (!is_hardware)
-                token_flags = 0;
-            pkinit_set_deferred_id(&id->deferred_ids, id->pwcb_args.identity,
-                                   token_flags, NULL);
-            if (id->defer_with_dummy_password) {
-                /* Return a useless result. */
-                answer = PR_Malloc(1);
-                if (answer != NULL) {
-                    *answer = '\0';
-                    return answer;
-                }
-            }
-        } else {
-            /* Check if we already have a password for this identity.  If so,
-             * just return a copy of it. */
-            password = pkinit_find_deferred_id(id->deferred_ids,
-                                               id->pwcb_args.identity);
-            if (password != NULL) {
-                /* The result will be freed with PR_Free, so return a copy. */
-                text_size = strlen(password) + 1;
-                answer = PR_Malloc(text_size);
-                if (answer != NULL) {
-                    memcpy(answer, password, text_size);
-                    pkiDebug("%s: returning %ld-char answer\n", __FUNCTION__,
-                             (long)strlen(answer));
-                    return answer;
-                }
-            }
-        }
-    }
-
-    if (id->pwcb_args.prompter == NULL)
-        return NULL;
-
-    /* Set up the prompt. */
-    text_size = strlen(what) + 100;
-    text = PORT_ArenaZAlloc(id->pool, text_size);
-    if (text == NULL) {
-        pkiDebug("out of memory");
-        return NULL;
-    }
-    if (is_hardware) {
-        if (warning != NULL)
-            snprintf(text, text_size, "%s PIN (%s)", what, warning);
-        else
-            snprintf(text, text_size, "%s PIN", what);
-    } else {
-        snprintf(text, text_size, "%s %s", _("Pass phrase for"), what);
-    }
-    memset(&prompt, 0, sizeof(prompt));
-    prompt.prompt = text;
-    prompt.hidden = 1;
-    prompt.reply = &reply;
-    reply.length = 256;
-    data = malloc(reply.length);
-    reply.data = data;
-    what = NULL;
-    answer = NULL;
-
-    /* Call the prompter callback. */
-    prompt_types[0] = KRB5_PROMPT_TYPE_PREAUTH;
-    prompt_types[1] = 0;
-    (*k5int_set_prompt_types)(id->pwcb_args.context, prompt_types);
-    fflush(NULL);
-    ret = (*id->pwcb_args.prompter)(id->pwcb_args.context,
-                                    id->pwcb_args.prompter_data,
-                                    what, answer, 1, &prompt);
-    (*k5int_set_prompt_types)(id->pwcb_args.context, NULL);
-    answer = NULL;
-    if ((ret == 0) && (reply.data != NULL)) {
-        /* The result will be freed with PR_Free, so return a copy. */
-        answer = PR_Malloc(reply.length + 1);
-        memcpy(answer, reply.data, reply.length);
-        answer[reply.length] = '\0';
-        answer[strcspn(answer, "\r\n")] = '\0';
-#ifdef DEBUG_SENSITIVE
-        pkiDebug("%s: returning \"%s\"\n", __FUNCTION__, answer);
-#else
-        pkiDebug("%s: returning %ld-char answer\n", __FUNCTION__,
-                 (long) strlen(answer));
-#endif
-    }
-
-    if (reply.data == data)
-        free(reply.data);
-
-    return answer;
-}
-
-/* A password-prompt callback for NSS that calls the libkrb5 callback. */
-static char *
-crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-    pkinit_identity_crypto_context id;
-    const char *what = NULL;
-    CK_TOKEN_INFO tinfo;
-    CK_FLAGS tflags;
-
-    if (PK11_GetTokenInfo(slot, &tinfo) == SECSuccess)
-        tflags = tinfo.flags;
-    else
-        tflags = 0;
-    if (arg != NULL) {
-        id = arg;
-        what = id->pwcb_args.identity;
-    }
-    return crypto_pwfn((what != NULL) ? what : PK11_GetTokenName(slot),
-                       PK11_IsHW(slot), tflags, retry, arg);
-}
-
-/*
- * Make sure we're using our callback, and set up the callback data.
- */
-static void *
-crypto_pwcb_prep(pkinit_identity_crypto_context id_cryptoctx,
-                 const char *identity, krb5_context context)
-{
-    PK11_SetPasswordFunc(crypto_pwcb);
-    id_cryptoctx->pwcb_args.context = context;
-    id_cryptoctx->pwcb_args.identity = identity;
-    return id_cryptoctx;
-}
-
-krb5_error_code
-pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx)
-{
-    PLArenaPool *pool;
-    pkinit_identity_crypto_context id;
-
-    pkiDebug("%s\n", __FUNCTION__);
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    id = PORT_ArenaZAlloc(pool, sizeof(*id));
-    if (id == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    id->pool = pool;
-    id->id_certs = CERT_NewCertList();
-    id->ca_certs = CERT_NewCertList();
-    if ((id->id_certs != NULL) && (id->ca_certs != NULL)) {
-        *id_cryptoctx = id;
-        return 0;
-    }
-    if (id->ca_certs != NULL)
-        CERT_DestroyCertList(id->ca_certs);
-    if (id->id_certs != NULL)
-        CERT_DestroyCertList(id->id_certs);
-    PORT_FreeArena(pool, PR_TRUE);
-    return ENOMEM;
-}
-
-/* Return the slot which we'll use for holding imported PKCS12 certificates
- * and keys.  Open the module if we need to, first. */
-static PK11SlotInfo *
-crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id)
-{
-    char *configdir, *spec;
-    size_t spec_size;
-    int attempts;
-
-    if (id->id_p12_slot.slot == NULL) {
-        configdir = DEFAULT_CONFIGDIR;
-#ifdef PKCS12_HACK
-        /* Figure out where to put the temporary userdb. */
-        attempts = 0;
-        while ((attempts < TMP_MAX) &&
-               (spec = tempnam(NULL, "pk12-")) != NULL) {
-            if (spec != NULL) {
-                if (mkdir(spec, S_IRWXU) == 0) {
-                    configdir = spec;
-                    break;
-                } else {
-                    free(spec);
-                    if (errno != EEXIST)
-                        break;
-                }
-                attempts++;
-            }
-        }
-#endif
-        spec_size = strlen("configDir='' flags=readOnly") +
-            strlen(configdir) + 1;
-        spec = PORT_ArenaZAlloc(id->pool, spec_size);
-        if (spec != NULL) {
-            if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0)
-                snprintf(spec, spec_size, "configDir='%s'", configdir);
-            else
-                snprintf(spec, spec_size, "configDir='%s' flags=readOnly",
-                         configdir);
-            id->id_p12_slot.slot = SECMOD_OpenUserDB(spec);
-        }
-#ifdef PKCS12_HACK
-        if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) {
-            DIR *dir;
-            struct dirent *ent;
-            char *path;
-            /* First, initialize the slot. */
-            if (id->id_p12_slot.slot != NULL)
-                if (PK11_NeedUserInit(id->id_p12_slot.slot))
-                    PK11_InitPin(id->id_p12_slot.slot, "", "");
-            /* Scan the directory, deleting all of the contents. */
-            dir = opendir(configdir);
-            if (dir == NULL)
-                pkiDebug("%s: error removing directory \"%s\": %s\n",
-                         __FUNCTION__, configdir, strerror(errno));
-            else {
-                while ((ent = readdir(dir)) != NULL) {
-                    if ((strcmp(ent->d_name, ".") == 0) ||
-                        (strcmp(ent->d_name, "..") == 0)) {
-                        continue;
-                    }
-                    if (k5_path_join(configdir, ent->d_name, &path) == 0) {
-                        remove(path);
-                        free(path);
-                    }
-                }
-                closedir(dir);
-            }
-            /* Remove the directory itself. */
-            rmdir(configdir);
-            free(configdir);
-        }
-    }
-#endif
-    return id->id_p12_slot.slot;
-}
-
-/* Close the slot which we've been using for holding imported PKCS12
- * certificates and keys. */
-static void
-crypto_close_p12_slot(struct _pkinit_identity_crypto_context *id)
-{
-    PK11_FreeSlot(id->id_p12_slot.slot);
-    id->id_p12_slot.slot = NULL;
-}
-
-void
-pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx)
-{
-    int i;
-
-    pkiDebug("%s\n", __FUNCTION__);
-    /* The order of cleanup here is intended to ensure that nothing gets
-     * freed before anything that might have a reference to it. */
-    if (id_cryptoctx->deferred_ids != NULL)
-        pkinit_free_deferred_ids(id_cryptoctx->deferred_ids);
-    if (id_cryptoctx->id_cert != NULL)
-        CERT_DestroyCertificate(id_cryptoctx->id_cert);
-    CERT_DestroyCertList(id_cryptoctx->ca_certs);
-    CERT_DestroyCertList(id_cryptoctx->id_certs);
-    if (id_cryptoctx->id_objects != NULL)
-        for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) {
-            if (id_cryptoctx->id_objects[i]->cert != NULL)
-                CERT_DestroyCertificate(id_cryptoctx->id_objects[i]->cert);
-            PK11_DestroyGenericObject(id_cryptoctx->id_objects[i]->obj);
-        }
-    if (id_cryptoctx->id_p12_slot.slot != NULL)
-        crypto_close_p12_slot(id_cryptoctx);
-    if (id_cryptoctx->id_userdbs != NULL)
-        for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++)
-            PK11_FreeSlot(id_cryptoctx->id_userdbs[i]->userdb);
-    if (id_cryptoctx->id_modules != NULL) {
-        for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) {
-            if (id_cryptoctx->id_modules[i]->module != NULL)
-                SECMOD_DestroyModule(id_cryptoctx->id_modules[i]->module);
-        }
-    }
-    if (id_cryptoctx->id_crls != NULL)
-        for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++)
-            CERT_UncacheCRL(CERT_GetDefaultCertDB(), id_cryptoctx->id_crls[i]);
-    if (id_cryptoctx->pem_module != NULL)
-        SECMOD_DestroyModule(id_cryptoctx->pem_module);
-    PORT_FreeArena(id_cryptoctx->pool, PR_TRUE);
-}
-
-static SECStatus
-crypto_register_any(SECOidTag tag)
-{
-    if (NSS_CMSType_RegisterContentType(tag,
-                                        NULL,
-                                        0,
-                                        NULL,
-                                        NULL,
-                                        NULL,
-                                        NULL,
-                                        NULL,
-                                        NULL, NULL, PR_TRUE) != SECSuccess)
-        return ENOMEM;
-    return 0;
-}
-
-krb5_error_code
-pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx)
-{
-    PLArenaPool *pool;
-    SECOidTag tag;
-
-    pkiDebug("%s\n", __FUNCTION__);
-    pool = PORT_NewArena(sizeof(double));
-    if (pool != NULL) {
-        *plg_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(**plg_cryptoctx));
-        if (*plg_cryptoctx != NULL) {
-            (*plg_cryptoctx)->pool = pool;
-            (*plg_cryptoctx)->ncontext = NSS_InitContext(DEFAULT_CONFIGDIR,
-                                                         NULL,
-                                                         NULL,
-                                                         NULL,
-                                                         NULL,
-                                                         NSS_INIT_READONLY |
-                                                         NSS_INIT_NOCERTDB |
-                                                         NSS_INIT_NOMODDB |
-                                                         NSS_INIT_FORCEOPEN |
-                                                         NSS_INIT_NOROOTINIT |
-                                                         NSS_INIT_PK11RELOAD);
-            if ((*plg_cryptoctx)->ncontext != NULL) {
-                tag = get_pkinit_data_auth_data9_tag();
-                if (crypto_register_any(tag) != SECSuccess) {
-                    PORT_FreeArena(pool, PR_TRUE);
-                    return ENOMEM;
-                }
-                tag = get_pkinit_data_auth_data_tag();
-                if (crypto_register_any(tag) != SECSuccess) {
-                    PORT_FreeArena(pool, PR_TRUE);
-                    return ENOMEM;
-                }
-                tag = get_pkinit_data_rkey_data_tag();
-                if (crypto_register_any(tag) != SECSuccess) {
-                    PORT_FreeArena(pool, PR_TRUE);
-                    return ENOMEM;
-                }
-                tag = get_pkinit_data_dhkey_data_tag();
-                if (crypto_register_any(tag) != SECSuccess) {
-                    PORT_FreeArena(pool, PR_TRUE);
-                    return ENOMEM;
-                }
-                return 0;
-            }
-        }
-        PORT_FreeArena(pool, PR_TRUE);
-    }
-    return ENOMEM;
-}
-
-void
-pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx)
-{
-    pkiDebug("%s\n", __FUNCTION__);
-    if (plg_cryptoctx == NULL)
-        return;
-    if (NSS_ShutdownContext(plg_cryptoctx->ncontext) != SECSuccess)
-        pkiDebug("%s: error shutting down context\n", __FUNCTION__);
-    PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE);
-}
-
-krb5_error_code
-pkinit_init_req_crypto(pkinit_req_crypto_context *req_cryptoctx)
-{
-    PLArenaPool *pool;
-
-    pkiDebug("%s\n", __FUNCTION__);
-    pool = PORT_NewArena(sizeof(double));
-    if (pool != NULL) {
-        *req_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(**req_cryptoctx));
-        if (*req_cryptoctx != NULL) {
-            (*req_cryptoctx)->pool = pool;
-            return 0;
-        }
-        PORT_FreeArena(pool, PR_TRUE);
-    }
-    return ENOMEM;
-}
-
-void
-pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx)
-{
-    pkiDebug("%s\n", __FUNCTION__);
-    if (req_cryptoctx->client_dh_privkey != NULL)
-        SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);
-    if (req_cryptoctx->client_dh_pubkey != NULL)
-        SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey);
-    if (req_cryptoctx->peer_cert != NULL)
-        CERT_DestroyCertificate(req_cryptoctx->peer_cert);
-    PORT_FreeArena(req_cryptoctx->pool, PR_TRUE);
-}
-
-/* Duplicate the memory from the SECItem into a malloc()d buffer. */
-static int
-secitem_to_buf_len(SECItem *item, unsigned char **out, unsigned int *len)
-{
-    *out = malloc(item->len);
-    if (*out == NULL)
-        return ENOMEM;
-    memcpy(*out, item->data, item->len);
-    *len = item->len;
-    return 0;
-}
-
-/* Encode the raw buffer as an unsigned integer.  If the first byte in the
- * buffer has its high bit set, we need to prepend a zero byte to make sure it
- * isn't treated as a negative value. */
-static int
-secitem_to_dh_pubval(SECItem *item, unsigned char **out, unsigned int *len)
-{
-    PLArenaPool *pool;
-    SECItem *uval, uinteger;
-    int i;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    if (item->data[0] & 0x80) {
-        uval = SECITEM_AllocItem(pool, NULL, item->len + 1);
-        if (uval == NULL) {
-            PORT_FreeArena(pool, PR_TRUE);
-            return ENOMEM;
-        }
-        uval->data[0] = '\0';
-        memcpy(uval->data + 1, item->data, item->len);
-    } else {
-        uval = item;
-    }
-
-    memset(&uinteger, 0, sizeof(uinteger));
-    if (SEC_ASN1EncodeItem(pool, &uinteger, uval,
-                           SEC_ASN1_GET(SEC_IntegerTemplate)) != &uinteger) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    i = secitem_to_buf_len(&uinteger, out, len);
-
-    PORT_FreeArena(pool, PR_TRUE);
-    return i;
-}
-
-/* Decode a DER unsigned integer, and return just the bits that make up that
- * integer. */
-static int
-secitem_from_dh_pubval(PLArenaPool *pool,
-                       unsigned char *dh_pubkey, unsigned int dh_pubkey_len,
-                       SECItem *bits_out)
-{
-    SECItem tmp;
-
-    tmp.data = dh_pubkey;
-    tmp.len = dh_pubkey_len;
-    memset(bits_out, 0, sizeof(*bits_out));
-    if (SEC_ASN1DecodeItem(pool, bits_out,
-                           SEC_ASN1_GET(SEC_IntegerTemplate),
-                           &tmp) != SECSuccess)
-        return ENOMEM;
-    return 0;
-}
-
-/* Load the contents of a file into a SECitem.  If it looks like a PEM-wrapped
- * item, maybe try to undo the base64 encoding. */
-enum secitem_from_file_type {
-    secitem_from_file_plain,
-    secitem_from_file_decode
-};
-static int
-secitem_from_file(PLArenaPool *pool, const char *filename,
-                  enum secitem_from_file_type secitem_from_file_type,
-                  SECItem *item_out)
-{
-    SECItem tmp, *decoded;
-    struct stat st;
-    int fd, i, n;
-    const char *encoded, *p;
-    char *what, *q;
-
-    memset(item_out, 0, sizeof(*item_out));
-    fd = open(filename, O_RDONLY);
-    if (fd == -1)
-        return errno;
-    if (fstat(fd, &st) == -1) {
-        i = errno;
-        close(fd);
-        return i;
-    }
-    memset(&tmp, 0, sizeof(tmp));
-    tmp.data = PORT_ArenaZAlloc(pool, st.st_size + 1);
-    if (tmp.data == NULL) {
-        close(fd);
-        return ENOMEM;
-    }
-    n = 0;
-    while (n < st.st_size) {
-        i = read(fd, tmp.data + n, st.st_size - n);
-        if (i <= 0)
-            break;
-        n += i;
-    }
-    close(fd);
-    if (n < st.st_size)
-        return ENOMEM;
-    tmp.data[n] = '\0';
-    tmp.len = n;
-    encoded = (const char *) tmp.data;
-    if ((secitem_from_file_type == secitem_from_file_decode) &&
-        (tmp.len > 11) &&
-        ((strncmp(encoded, "-----BEGIN ", 11) == 0) ||
-         ((encoded = strstr((char *)tmp.data, "\n-----BEGIN")) != NULL))) {
-        if (encoded[0] == '\n')
-            encoded++;
-        /* find the beginning of the next line */
-        p = encoded;
-        p += strcspn(p, "\r\n");
-        p += strspn(p, "\r\n");
-        q = NULL;
-        what = PORT_ArenaZAlloc(pool, p - (encoded + 2) + 1);
-        if (what != NULL) {
-            /* construct the matching end-of-item and look for it */
-            memcpy(what, "-----END ", 9);
-            memcpy(what + 9, encoded + 11, p - (encoded + 11));
-            what[p - (encoded + 2)] = '\0';
-            q = strstr(p, what);
-        }
-        if (q != NULL) {
-            *q = '\0';
-            decoded = NSSBase64_DecodeBuffer(pool, NULL, p, q - p);
-            if (decoded != NULL)
-                tmp = *decoded;
-        }
-    }
-    *item_out = tmp;
-    return 0;
-}
-
-static struct oakley_group
-{
-    int identifier;
-    int bits;                   /* shortest prime first, so that a
-                                 * sequential search for a set with a
-                                 * length that exceeds the minimum will
-                                 * find the entry with the shortest
-                                 * suitable prime */
-    char name[32];
-    char prime[4096];           /* large enough to hold that prime */
-    long generator;             /* note: oakley_parse_group() assumes that this
-                                 * number fits into a long */
-    char subprime[4096];        /* large enough to hold its subprime
-                                 * ((p-1)/2) */
-} oakley_groups[] = {
-    {
-        1, 768,
-        "Oakley MODP Group 1",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31D1B10 7FFFFFFF FFFFFFFF",
-    },
-    {
-        2, 1024,
-        "Oakley MODP Group 2",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
-        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381"
-        "FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6"
-        "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F67329C0"
-        "FFFFFFFF FFFFFFFF",
-    },
-    {
-        5, 1536,
-        "Oakley MODP Group 5",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
-        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
-        "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
-        "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
-        "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6"
-        "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E"
-        "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF"
-        "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36"
-        "B3861AA7 255E4C02 78BA3604 6511B993 FFFFFFFF FFFFFFFF",
-    },
-    {
-        14, 2048,
-        "Oakley MODP Group 14",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
-        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
-        "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
-        "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
-        "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
-        "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9"
-        "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510"
-        "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6"
-        "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E"
-        "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF"
-        "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36"
-        "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D"
-        "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964"
-        "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288"
-        "0AB9472D 45565534 7FFFFFFF FFFFFFFF",
-    },
-    {
-        15, 3072,
-        "Oakley MODP Group 15",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
-        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
-        "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
-        "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
-        "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
-        "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9"
-        "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510"
-        "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64"
-        "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7"
-        "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B"
-        "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C"
-        "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31"
-        "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6"
-        "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E"
-        "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF"
-        "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36"
-        "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D"
-        "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964"
-        "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288"
-        "0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32"
-        "767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263"
-        "D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735"
-        "F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006"
-        "5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598"
-        "A1EDADFE 707E8847 25C16890 549D6965 7FFFFFFF FFFFFFFF",
-    },
-    {
-        16, 4096,
-        "Oakley MODP Group 16",
-        "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1"
-        "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD"
-        "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245"
-        "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
-        "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D"
-        "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F"
-        "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D"
-        "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
-        "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9"
-        "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510"
-        "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64"
-        "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7"
-        "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B"
-        "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C"
-        "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31"
-        "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7"
-        "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA"
-        "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6"
-        "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED"
-        "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9"
-        "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199"
-        "FFFFFFFF FFFFFFFF",
-        2,
-        "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68"
-        "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E"
-        "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122"
-        "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6"
-        "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E"
-        "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF"
-        "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36"
-        "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D"
-        "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964"
-        "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288"
-        "0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32"
-        "767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263"
-        "D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735"
-        "F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006"
-        "5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598"
-        "A1EDADFE 707E8847 25C16890 54908400 8D391E09 53C3F36B"
-        "C438CD08 5EDD2D93 4CE1938C 357A711E 0D4A341A 5B0A85ED"
-        "12C1F4E5 156A2674 6DDDE16D 826F477C 97477E0A 0FDF6553"
-        "143E2CA3 A735E02E CCD94B27 D04861D1 119DD0C3 28ADF3F6"
-        "8FB094B8 67716BD7 DC0DEEBB 10B8240E 68034893 EAD82D54"
-        "C9DA754C 46C7EEE0 C37FDBEE 48536047 A6FA1AE4 9A0318CC"
-        "FFFFFFFF FFFFFFFF",
-    }
-};
-
-/* Convert a string of hexadecimal characters to a binary integer. */
-static SECItem *
-hex_to_secitem(const char *hex, SECItem *item)
-{
-    int count, i;
-    unsigned int j;
-    unsigned char c, acc;
-
-    j = 0;
-    c = hex[0];
-    /* If the high bit would be set, prepend a zero byte to keep the result
-     * from being negative. */
-    if ((c == '8') ||
-        (c == '9') ||
-        ((c >= 'a') && (c <= 'f')) || ((c >= 'A') && (c <= 'F'))) {
-        item->data[j] = 0;
-        j++;
-    }
-    count = 0;
-    acc = 0;
-    for (i = 0; hex[i] != '\0'; i++) {
-        if ((count % 2) == 0)
-            acc = 0;
-        c = hex[i];
-        if ((c >= '0') && (c <= '9'))
-            acc = (acc << 4) | (c - '0');
-        else if ((c >= 'a') && (c <= 'f'))
-            acc = (acc << 4) | (c - 'a' + 10);
-        else if ((c >= 'A') && (c <= 'F'))
-            acc = (acc << 4) | (c - 'A' + 10);
-        else
-            continue;
-        count++;
-        if ((count % 2) == 0) {
-            item->data[j] = acc & 0xff;
-            acc = 0;
-            j++;
-        }
-        if (j >= item->len) {
-            /* overrun */
-            return NULL;
-            break;
-        }
-    }
-    if (hex[i] != '\0')     /* unused bytes? */
-        return NULL;
-    item->len = j;
-    return item;
-}
-
-static int
-oakley_parse_group(PLArenaPool *pool, struct oakley_group *group,
-                   struct domain_parameters **domain_params_out)
-{
-    unsigned int bytes;
-    struct domain_parameters *params;
-    SECItem *t;
-
-    params = PORT_ArenaZAlloc(pool, sizeof(*params));
-    if (params == NULL)
-        return ENOMEM;
-
-    /* Allocate more memory than we'll probably need. */
-    bytes = group->bits;
-
-    /* Encode the prime (p). */
-    t = SECITEM_AllocItem(pool, NULL, bytes);
-    if (t == NULL)
-        return ENOMEM;
-    if (hex_to_secitem(group->prime, t) != t)
-        return ENOMEM;
-    params->p = *t;
-    /* Encode the generator. */
-    if (SEC_ASN1EncodeInteger(pool, &params->g,
-                              group->generator) != &params->g)
-        return ENOMEM;
-    /* Encode the subprime. */
-    t = SECITEM_AllocItem(pool, NULL, bytes);
-    if (t == NULL)
-        return ENOMEM;
-    if (hex_to_secitem(group->subprime, t) != t)
-        return ENOMEM;
-    params->q = *t;
-    *domain_params_out = params;
-    return 0;
-}
-
-static struct domain_parameters *
-oakley_get_group(PLArenaPool *pool, int minimum_prime_size)
-{
-    unsigned int i;
-    struct domain_parameters *params;
-
-    params = PORT_ArenaZAlloc(pool, sizeof(*params));
-    if (params == NULL)
-        return NULL;
-    for (i = 0; i < sizeof(oakley_groups) / sizeof(oakley_groups[0]); i++)
-        if (oakley_groups[i].bits >= minimum_prime_size)
-            if (oakley_parse_group(pool, &oakley_groups[i], &params) == 0)
-                return params;
-    return NULL;
-}
-
-/* Create DH parameters to be sent to the KDC.  On success, dh_params should
- * contain an encoded DomainParameters structure (per RFC3280, the "parameters"
- * in an AlgorithmIdentifier), and dh_pubkey should contain the public value
- * we're prepared to send to the KDC, encoded as an integer (per RFC3280, the
- * "subjectPublicKey" field of a SubjectPublicKeyInfo -- the integer is wrapped
- * up into a bitstring elsewhere). */
-krb5_error_code
-client_create_dh(krb5_context context,
-                 pkinit_plg_crypto_context plg_cryptoctx,
-                 pkinit_req_crypto_context req_cryptoctx,
-                 pkinit_identity_crypto_context id_cryptoctx,
-                 int dh_size_bits,
-                 unsigned char **dh_params,
-                 unsigned int *dh_params_len,
-                 unsigned char **dh_pubkey, unsigned int *dh_pubkey_len)
-{
-    PLArenaPool *pool;
-    PK11SlotInfo *slot;
-    SECKEYPrivateKey *priv;
-    SECKEYPublicKey *pub;
-    SECKEYDHParams dh_param;
-    struct domain_parameters *params;
-    SECItem encoded;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    memset(&params, 0, sizeof(params));
-
-    /* Find suitable domain parameters. */
-    params = oakley_get_group(pool, dh_size_bits);
-    if (params == NULL) {
-        pkiDebug("%s: error finding suitable parameters\n", __FUNCTION__);
-        return ENOENT;
-    }
-
-    /* Set up to generate the public key. */
-    memset(&dh_param, 0, sizeof(dh_param));
-    dh_param.arena = pool;
-    dh_param.prime = params->p;
-    dh_param.base = params->g;
-
-    /* Generate a public value and a private key. */
-    slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,
-                            crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (slot == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        pkiDebug("%s: error selecting slot\n", __FUNCTION__);
-        return ENOMEM;
-    }
-    pub = NULL;
-    priv = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
-                                &dh_param, &pub, PR_FALSE, PR_FALSE,
-                                crypto_pwcb_prep(id_cryptoctx, NULL, context));
-
-    /* Finish building the return values. */
-    memset(&encoded, 0, sizeof(encoded));
-    if (SEC_ASN1EncodeItem(pool, &encoded, params,
-                           domain_parameters_template) != &encoded) {
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        pkiDebug("%s: error encoding parameters\n", __FUNCTION__);
-        return ENOMEM;
-    }
-
-    /* Export the return values. */
-    if (secitem_to_buf_len(&encoded, dh_params, dh_params_len) != 0) {
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (secitem_to_dh_pubval(&pub->u.dh.publicValue, dh_pubkey,
-                             dh_pubkey_len) != 0) {
-        free(*dh_params);
-        *dh_params = NULL;
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Save our private and public keys for reuse later. */
-    if (req_cryptoctx->client_dh_privkey != NULL)
-        SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey);
-    req_cryptoctx->client_dh_privkey = priv;
-    if (req_cryptoctx->client_dh_pubkey != NULL)
-        SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey);
-    req_cryptoctx->client_dh_pubkey = pub;
-
-    PK11_FreeSlot(slot);
-    PORT_FreeArena(pool, PR_TRUE);
-    return 0;
-}
-
-/* Combine the KDC's public key value with our copy of the parameters and our
- * secret key to generate the session key. */
-krb5_error_code
-client_process_dh(krb5_context context,
-                  pkinit_plg_crypto_context plg_cryptoctx,
-                  pkinit_req_crypto_context req_cryptoctx,
-                  pkinit_identity_crypto_context id_cryptoctx,
-                  unsigned char *dh_pubkey,
-                  unsigned int dh_pubkey_len,
-                  unsigned char **dh_session_key,
-                  unsigned int *dh_session_key_len)
-{
-    PLArenaPool *pool;
-    PK11SlotInfo *slot;
-    SECKEYPublicKey *pub, pub2;
-    PK11SymKey *sym;
-    SECItem *bits;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    /* Rebuild the KDC's public key using our parameters and the supplied
-     * public value (subjectPublicKey). */
-    pub = SECKEY_CopyPublicKey(req_cryptoctx->client_dh_pubkey);
-    if (pub == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    pub2 = *pub;
-    if (secitem_from_dh_pubval(pool, dh_pubkey, dh_pubkey_len,
-                               &pub2.u.dh.publicValue) != 0) {
-        SECKEY_DestroyPublicKey(pub);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Generate the shared value using our private key and the KDC's
-     * public key. */
-    slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,
-                            crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (slot == NULL) {
-        SECKEY_DestroyPublicKey(pub);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    sym = PK11_PubDerive(req_cryptoctx->client_dh_privkey, &pub2, PR_FALSE,
-                         NULL, NULL,
-                         CKM_DH_PKCS_DERIVE,
-                         CKM_TLS_MASTER_KEY_DERIVE_DH,
-                         CKA_DERIVE,
-                         0, crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (sym == NULL) {
-        PK11_FreeSlot(slot);
-        SECKEY_DestroyPublicKey(pub);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Export the shared value. */
-    if ((PK11_ExtractKeyValue(sym) != SECSuccess) ||
-        ((bits = PK11_GetKeyData(sym)) == NULL) ||
-        (secitem_to_buf_len(bits, dh_session_key, dh_session_key_len) != 0)) {
-        PK11_FreeSymKey(sym);
-        PK11_FreeSlot(slot);
-        SECKEY_DestroyPublicKey(pub);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    PK11_FreeSymKey(sym);
-    PK11_FreeSlot(slot);
-    SECKEY_DestroyPublicKey(pub);
-    PORT_FreeArena(pool, PR_TRUE);
-    return 0;
-}
-
-/* Given a binary-encoded integer, count the number of bits. */
-static int
-get_integer_bits(SECItem *integer)
-{
-    unsigned int i;
-    unsigned char c;
-    int size = 0;
-
-    for (i = 0; i < integer->len; i++) {
-        c = integer->data[i];
-        if (c != 0) {
-            size = (integer->len - i - 1) * 8;
-            while (c != 0) {
-                c >>= 1;
-                size++;
-            }
-            break;
-        }
-    }
-    return size;
-}
-
-/* Verify that the client-supplied parameters include a prime of sufficient
- * size. */
-krb5_error_code
-server_check_dh(krb5_context context,
-                pkinit_plg_crypto_context plg_cryptoctx,
-                pkinit_req_crypto_context req_cryptoctx,
-                pkinit_identity_crypto_context id_cryptoctx,
-                krb5_data *dh_params, int minbits)
-{
-    PLArenaPool *pool;
-    SECItem item;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    item.data = (unsigned char *)dh_params->data;
-    item.len = dh_params->length;
-    memset(&req_cryptoctx->client_dh_params, 0,
-           sizeof(req_cryptoctx->client_dh_params));
-    if (SEC_ASN1DecodeItem(req_cryptoctx->pool,
-                           &req_cryptoctx->client_dh_params,
-                           domain_parameters_template, &item) != SECSuccess) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    if (get_integer_bits(&req_cryptoctx->client_dh_params.p) < minbits) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
-    }
-
-    PORT_FreeArena(pool, PR_TRUE);
-    return 0;
-}
-
-/* Take apart the client-supplied SubjectPublicKeyInfo, which contains both an
- * encoded DomainParameters structure (per RFC3279), and a public value, and
- * generate our own private key and public value using the supplied parameters.
- * Use our private key and the client's public value to derive the session key,
- * and hand our public value and the session key back to our caller. */
-krb5_error_code
-server_process_dh(krb5_context context,
-                  pkinit_plg_crypto_context plg_cryptoctx,
-                  pkinit_req_crypto_context req_cryptoctx,
-                  pkinit_identity_crypto_context id_cryptoctx,
-                  unsigned char *received_pubkey,
-                  unsigned int received_pub_len,
-                  unsigned char **dh_pubkey,
-                  unsigned int *dh_pubkey_len,
-                  unsigned char **server_key,
-                  unsigned int *server_key_len)
-{
-    PLArenaPool *pool;
-    SECKEYPrivateKey *priv;
-    SECKEYPublicKey *pub, pub2;
-    SECKEYDHParams dh_params;
-    PK11SymKey *sym;
-    SECItem pubval, *bits;
-    PK11SlotInfo *slot;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    /* Store the client's public value. */
-    pubval.data = received_pubkey;
-    pubval.len = received_pub_len;
-
-    /* Set up DH parameters the using client's domain parameters. */
-    memset(&dh_params, 0, sizeof(dh_params));
-    dh_params.arena = pool;
-    dh_params.prime = req_cryptoctx->client_dh_params.p;
-    dh_params.base = req_cryptoctx->client_dh_params.g;
-
-    /* Generate a public value and a private key using the parameters. */
-    slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,
-                            crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (slot == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    pub = NULL;
-    priv = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
-                                &dh_params, &pub, PR_FALSE, PR_FALSE,
-                                crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (priv == NULL) {
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Build the client's public key using the client's parameters and
-     * public value. */
-    pub2 = *pub;
-    if (SEC_ASN1DecodeItem(pool, &pub2.u.dh.publicValue,
-                           SEC_ASN1_GET(SEC_IntegerTemplate),
-                           &pubval) != SECSuccess) {
-        SECKEY_DestroyPrivateKey(priv);
-        SECKEY_DestroyPublicKey(pub);
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Generate the shared value using our private key and the client's
-     * public key. */
-    sym = PK11_PubDerive(priv, &pub2, PR_FALSE,
-                         NULL, NULL,
-                         CKM_DH_PKCS_DERIVE,
-                         CKM_TLS_MASTER_KEY_DERIVE_DH,
-                         CKA_DERIVE,
-                         0, crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (sym == NULL) {
-        SECKEY_DestroyPrivateKey(priv);
-        SECKEY_DestroyPublicKey(pub);
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Export the shared value for our use and our public value for
-     * transmission back to the client. */
-    *server_key = NULL;
-    *dh_pubkey = NULL;
-    if ((PK11_ExtractKeyValue(sym) != SECSuccess) ||
-        ((bits = PK11_GetKeyData(sym)) == NULL) ||
-        (secitem_to_buf_len(bits, server_key, server_key_len) != 0) ||
-        (secitem_to_dh_pubval(&pub->u.dh.publicValue,
-                              dh_pubkey, dh_pubkey_len) != 0)) {
-        free(*server_key);
-        free(*dh_pubkey);
-        PK11_FreeSymKey(sym);
-        SECKEY_DestroyPrivateKey(priv);
-        SECKEY_DestroyPublicKey(pub);
-        PK11_FreeSlot(slot);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    PK11_FreeSymKey(sym);
-    SECKEY_DestroyPrivateKey(priv);
-    SECKEY_DestroyPublicKey(pub);
-    PK11_FreeSlot(slot);
-    PORT_FreeArena(pool, PR_TRUE);
-    return 0;
-}
-
-/* Create the issuer-and-serial portion of an external principal identifier for
- * a KDC's cert that we already have. */
-krb5_error_code
-create_issuerAndSerial(krb5_context context,
-                       pkinit_plg_crypto_context plg_cryptoctx,
-                       pkinit_req_crypto_context req_cryptoctx,
-                       pkinit_identity_crypto_context id_cryptoctx,
-                       unsigned char **kdcId_buf, unsigned int *kdcId_len)
-{
-    PLArenaPool *pool;
-    struct issuer_and_serial_number isn;
-    SECItem item;
-
-    /* Check if we have a peer cert.  If we don't have one, that's okay. */
-    if (req_cryptoctx->peer_cert == NULL)
-        return 0;
-
-    /* Scratch arena. */
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    /* Encode the peer's issuer/serial. */
-    isn.issuer = req_cryptoctx->peer_cert->derIssuer;
-    isn.serial = req_cryptoctx->peer_cert->serialNumber;
-    memset(&item, 0, sizeof(item));
-    if (SEC_ASN1EncodeItem(id_cryptoctx->id_cert->arena, &item, &isn,
-                           issuer_and_serial_number_template) != &item) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Export the value. */
-    if (secitem_to_buf_len(&item, kdcId_buf, kdcId_len) != 0) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    PORT_FreeArena(pool, PR_TRUE);
-    return 0;
-}
-
-/* Populate a list of AlgorithmIdentifier structures with the OIDs of the key
- * wrap algorithms that we support. */
-static void
-free_n_algorithm_identifiers(krb5_algorithm_identifier **ids, int i)
-{
-    while (i >= 0) {
-        free(ids[i]->algorithm.data);
-        free(ids[i]);
-        i--;
-    }
-    free(ids);
-}
-
-krb5_error_code
-create_krb5_supportedCMSTypes(krb5_context context,
-                              pkinit_plg_crypto_context plg_cryptoctx,
-                              pkinit_req_crypto_context req_cryptoctx,
-                              pkinit_identity_crypto_context id_cryptoctx,
-                              krb5_algorithm_identifier ***supportedCMSTypes)
-{
-    SECOidData *oid;
-    SECOidTag oids[] = {
-        SEC_OID_CMS_3DES_KEY_WRAP,      /* no parameters */
-        SEC_OID_AES_128_KEY_WRAP,       /* no parameters */
-        SEC_OID_AES_192_KEY_WRAP,       /* no parameters */
-        SEC_OID_AES_256_KEY_WRAP,       /* no parameters */
-        /* RC2 key wrap requires parameters, so skip it */
-    };
-    krb5_algorithm_identifier **ids, *id;
-    unsigned int i;
-
-    ids = malloc(sizeof(id) * ((sizeof(oids) / sizeof(oids[0])) + 1));
-    if (ids == NULL)
-        return ENOMEM;
-
-    for (i = 0; i < (sizeof(oids) / sizeof(oids[0])); i++) {
-        id = malloc(sizeof(*id));
-        if (id == NULL) {
-            free_n_algorithm_identifiers(ids, i - 1);
-            return ENOMEM;
-        }
-        memset(id, 0, sizeof(*id));
-        ids[i] = id;
-        oid = SECOID_FindOIDByTag(oids[i]);
-        if (secitem_to_buf_len(&oid->oid,
-                               (unsigned char **)&id->algorithm.data,
-                               &id->algorithm.length) != 0) {
-            free(ids[i]);
-            free_n_algorithm_identifiers(ids, i - 1);
-            return ENOMEM;
-        }
-    }
-    ids[i] = NULL;
-    *supportedCMSTypes = ids;
-    return 0;
-}
-
-/* Populate a list of trusted certifiers with the list of the root certificates
- * that we trust. */
-static void
-free_n_principal_identifiers(krb5_external_principal_identifier **ids, int i)
-{
-    while (i >= 0) {
-        free(ids[i]->subjectKeyIdentifier.data);
-        free(ids[i]->issuerAndSerialNumber.data);
-        free(ids[i]->subjectName.data);
-        free(ids[i]);
-        i--;
-    }
-    free(ids);
-}
-
-krb5_error_code
-create_krb5_trustedCertifiers(krb5_context context,
-                              pkinit_plg_crypto_context plg_cryptoctx,
-                              pkinit_req_crypto_context req_cryptoctx,
-                              pkinit_identity_crypto_context id_cryptoctx,
-                              krb5_external_principal_identifier ***
-                              trustedCertifiers)
-{
-    CERTCertListNode *node;
-    krb5_external_principal_identifier **ids, *id;
-    unsigned int i, n;
-
-    *trustedCertifiers = NULL;
-
-    /* Count the root certs. */
-    n = 0;
-    if (!CERT_LIST_EMPTY(id_cryptoctx->ca_certs)) {
-        for (n = 0, node = CERT_LIST_HEAD(id_cryptoctx->ca_certs);
-             (node != NULL) &&
-                 (node->cert != NULL) &&
-                 !CERT_LIST_END(node, id_cryptoctx->ca_certs);
-             node = CERT_LIST_NEXT(node)) {
-            n++;
-        }
-    }
-
-    /* Build the result list. */
-    if (n > 0) {
-        ids = malloc((n + 1) * sizeof(id));
-        if (ids == NULL)
-            return ENOMEM;
-        node = CERT_LIST_HEAD(id_cryptoctx->ca_certs);
-        for (i = 0; i < n; i++) {
-            id = malloc(sizeof(*id));
-            if (id == NULL) {
-                free_n_principal_identifiers(ids, i - 1);
-                return ENOMEM;
-            }
-            memset(id, 0, sizeof(*id));
-            /* Use the certificate's subject key ID iff it's
-             * actually in the certificate.  Allocate the memory
-             * from the heap because it'll be freed by other parts
-             * of the pkinit module. */
-            if ((node->cert->keyIDGenerated ?
-                 secitem_to_buf_len(&node->cert->derSubject,
-                                    (unsigned char **)
-                                    &id->subjectName.data,
-                                    &id->subjectName.length) :
-                 secitem_to_buf_len(&node->cert->subjectKeyID,
-                                    (unsigned char **)
-                                    &id->subjectKeyIdentifier.data,
-                                    &id->subjectKeyIdentifier.length)) != 0) {
-                /* Free the earlier items. */
-                free(ids[i]);
-                free_n_principal_identifiers(ids, i - 1);
-                return ENOMEM;
-            }
-            ids[i] = id;
-            node = CERT_LIST_NEXT(node);
-        }
-        ids[i] = NULL;
-        *trustedCertifiers = ids;
-    }
-    return 0;
-}
-
-/* Add a certificate to a list if it isn't already in the list.  Since the list
- * would take ownership of the cert if we added it to the list, if it's already
- * in the list, delete this reference to it. */
-static SECStatus
-cert_maybe_add_to_list(CERTCertList *list, CERTCertificate *cert)
-{
-    CERTCertListNode *node;
-
-    for (node = CERT_LIST_HEAD(list);
-         (node != NULL) &&
-             (node->cert != NULL) &&
-             !CERT_LIST_END(node, list);
-         node = CERT_LIST_NEXT(node)) {
-        if (SECITEM_ItemsAreEqual(&node->cert->derCert, &cert->derCert)) {
-            /* Don't add the duplicate. */
-            CERT_DestroyCertificate(cert);
-            return SECSuccess;
-        }
-    }
-    return CERT_AddCertToListTail(list, cert);
-}
-
-/* Load CA certificates from the slot. */
-static SECStatus
-cert_load_ca_certs_from_slot(krb5_context context,
-                             pkinit_identity_crypto_context id,
-                             PK11SlotInfo *slot,
-                             const char *identity)
-{
-    CERTCertificate *cert;
-    CERTCertList *list;
-    CERTCertListNode *node;
-    CERTCertTrust trust;
-    SECStatus status;
-
-    /* Log in if the slot requires it. */
-    PK11_TokenRefresh(slot);
-    if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id, identity, context)) &&
-        PK11_NeedLogin(slot)) {
-        pkiDebug("%s: logging in to token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        if (PK11_Authenticate(slot, PR_TRUE,
-                              crypto_pwcb_prep(id, identity,
-                                               context)) != SECSuccess) {
-            pkiDebug("%s: error logging into \"%s\": %s, skipping\n",
-                     __FUNCTION__, PK11_GetTokenName(slot),
-                     PORT_ErrorToName(PORT_GetError()));
-            return SECFailure;
-        }
-    }
-    /* Get the list of certs from the slot. */
-    list = PK11_ListCertsInSlot(slot);
-    if (list == NULL) {
-        pkiDebug("%s: nothing found in token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        return SECSuccess;
-    }
-    if (CERT_LIST_EMPTY(list)) {
-        CERT_DestroyCertList(list);
-        pkiDebug("%s: nothing found in token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        return SECSuccess;
-    }
-    /* Walk the list of certs, and for each one that's a CA, add
-     * it to our CA cert list. */
-    status = SECSuccess;
-    for (node = CERT_LIST_HEAD(list);
-         (node != NULL) &&
-             (node->cert != NULL) &&
-             !CERT_LIST_END(node, list);
-         node = CERT_LIST_NEXT(node)) {
-#if 0
-        /* Skip it if it's not a root. */
-        if (!node->cert->isRoot) {
-            continue;
-        }
-#endif
-        /* Skip it if we don't trust it to issue certificates. */
-        if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess)
-            continue;
-        if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) &
-             (CERTDB_TRUSTED_CA |
-              CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA)) == 0)
-            continue;
-        /* DestroyCertList frees all of the certs in the list,
-         * so we need to create a copy that we can own. */
-        cert = CERT_DupCertificate(node->cert);
-        /* Add it to the list. */
-        if (cert_maybe_add_to_list(id->ca_certs, cert) != SECSuccess)
-            status = SECFailure;
-    }
-    CERT_DestroyCertList(list);
-    return status;
-}
-
-/* Load certificates for which we have private keys from the slot. */
-static int
-cert_load_certs_with_keys_from_slot(krb5_context context,
-                                    pkinit_identity_crypto_context
-                                    id_cryptoctx,
-                                    PK11SlotInfo *slot,
-                                    const char *cert_label,
-                                    const char *cert_id,
-                                    const char *identity)
-{
-    CERTCertificate *cert;
-    CERTCertList *clist;
-    CERTCertListNode *cnode;
-    SECKEYPrivateKey *key;
-    int status;
-
-    /* Log in if the slot requires it. */
-    PK11_TokenRefresh(slot);
-    if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, identity,
-                                                context)) &&
-        PK11_NeedLogin(slot)) {
-        pkiDebug("%s: logging in to token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        if (PK11_Authenticate(slot, PR_TRUE,
-                              crypto_pwcb_prep(id_cryptoctx, identity,
-                                               context)) != SECSuccess) {
-            pkiDebug("%s: error logging into \"%s\": %s, skipping\n",
-                     __FUNCTION__, PK11_GetTokenName(slot),
-                     PORT_ErrorToName(PORT_GetError()));
-            return id_cryptoctx->defer_id_prompt ? 0 : ENOMEM;
-        }
-    }
-    /* Get the list of certs from the slot. */
-    clist = PK11_ListCertsInSlot(slot);
-    if (clist == NULL) {
-        pkiDebug("%s: nothing found in token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        return 0;
-    }
-    if (CERT_LIST_EMPTY(clist)) {
-        CERT_DestroyCertList(clist);
-        pkiDebug("%s: nothing found in token \"%s\"\n",
-                 __FUNCTION__, PK11_GetTokenName(slot));
-        return 0;
-    }
-    /* Walk the list of certs, and for each one for which we can
-     * find the matching private key, add it and the keys to the
-     * lists. */
-    status = 0;
-    for (cnode = CERT_LIST_HEAD(clist);
-         (cnode != NULL) &&
-             (cnode->cert != NULL) &&
-             !CERT_LIST_END(cnode, clist);
-         cnode = CERT_LIST_NEXT(cnode)) {
-        if (cnode->cert->nickname != NULL) {
-            if ((cert_label != NULL) && (cert_id != NULL)) {
-                if ((strcmp(cert_id, cnode->cert->nickname) != 0) &&
-                    (strcmp(cert_label, cnode->cert->nickname) != 0))
-                    continue;
-            } else if (cert_label != NULL) {
-                if (strcmp(cert_label, cnode->cert->nickname) != 0)
-                    continue;
-            } else if (cert_id != NULL) {
-                if (strcmp(cert_id, cnode->cert->nickname) != 0)
-                    continue;
-            }
-        }
-        key = PK11_FindPrivateKeyFromCert(slot, cnode->cert,
-                                          crypto_pwcb_prep(id_cryptoctx,
-                                                           identity, context));
-        if (key == NULL) {
-            pkiDebug("%s: no key for \"%s\", skipping it\n",
-                     __FUNCTION__,
-                     cnode->cert->nickname ?
-                     cnode->cert->nickname : "(no name)");
-            continue;
-        }
-        pkiDebug("%s: found \"%s\" and its matching key\n",
-                 __FUNCTION__,
-                 cnode->cert->nickname ? cnode->cert->nickname : "(no name)");
-        /* DestroyCertList frees all of the certs in the list,
-         * so we need to create a copy that it can own. */
-        cert = CERT_DupCertificate(cnode->cert);
-        if (cert_maybe_add_to_list(id_cryptoctx->id_certs,
-                                   cert) != SECSuccess)
-            status = ENOMEM;
-        /* We don't need this reference to the key. */
-        SECKEY_DestroyPrivateKey(key);
-    }
-    CERT_DestroyCertList(clist);
-    return status;
-}
-
-/*
- * Reassemble the identity as it was supplied by the user or the library
- * configuration.
- */
-static char *
-reassemble_pkcs11_name(PLArenaPool *pool, pkinit_identity_opts *idopts)
-{
-    struct k5buf buf;
-    int n = 0;
-    char *ret;
-
-    k5_buf_init_dynamic(&buf);
-    k5_buf_add(&buf, "PKCS11:");
-    n = 0;
-    if (idopts->p11_module_name != NULL) {
-        k5_buf_add_fmt(&buf, "%smodule_name=%s", n++ ? ":" : "",
-                       idopts->p11_module_name);
-    }
-    if (idopts->token_label != NULL) {
-        k5_buf_add_fmt(&buf, "%stoken=%s", n++ ? ":" : "",
-                       idopts->token_label);
-    }
-    if (idopts->cert_label != NULL) {
-        k5_buf_add_fmt(&buf, "%scertlabel=%s", n++ ? ":" : "",
-                       idopts->cert_label);
-    }
-    if (idopts->cert_id_string != NULL) {
-        k5_buf_add_fmt(&buf, "%scertid=%s", n++ ? ":" : "",
-                       idopts->cert_id_string);
-    }
-    if (idopts->slotid != PK_NOSLOT) {
-        k5_buf_add_fmt(&buf, "%sslotid=%ld", n++ ? ":" : "",
-                       (long)idopts->slotid);
-    }
-    if (k5_buf_status(&buf) == 0)
-        ret = PORT_ArenaStrdup(pool, buf.data);
-    else
-        ret = NULL;
-    k5_buf_free(&buf);
-    return ret;
-}
-
-/*
- * Assemble an identity string that will distinguish this token from any other
- * that is accessible through the same module, even if the user didn't specify
- * a token name.
- */
-static char *
-reassemble_pkcs11_identity(PLArenaPool *pool, pkinit_identity_opts *idopts,
-                           long slotid, const char *tokenname)
-{
-    struct k5buf buf;
-    int n = 0;
-    char *ret;
-
-    k5_buf_init_dynamic(&buf);
-    k5_buf_add(&buf, "PKCS11:");
-    n = 0;
-    if (idopts->p11_module_name != NULL) {
-        k5_buf_add_fmt(&buf, "%smodule_name=%s",
-                       n++ ? ":" : "",
-                       idopts->p11_module_name);
-    }
-
-    if (slotid != PK_NOSLOT)
-        k5_buf_add_fmt(&buf, "%sslotid=%ld", n++ ? ":" : "", slotid);
-
-    if (tokenname != NULL)
-        k5_buf_add_fmt(&buf, "%stoken=%s", n++ ? ":" : "", tokenname);
-
-    if (k5_buf_status(&buf) == 0)
-        ret = PORT_ArenaStrdup(pool, buf.data);
-    else
-        ret = NULL;
-    k5_buf_free(&buf);
-
-    return ret;
-}
-
-static SECStatus
-crypto_load_pkcs11(krb5_context context,
-                   pkinit_plg_crypto_context plg_cryptoctx,
-                   pkinit_req_crypto_context req_cryptoctx,
-                   pkinit_identity_opts *idopts,
-                   pkinit_identity_crypto_context id_cryptoctx)
-{
-    struct _pkinit_identity_crypto_module **id_modules, *module;
-    PK11SlotInfo *slot;
-    CK_TOKEN_INFO tinfo;
-    char *spec, *identity;
-    size_t spec_size;
-    const char *tokenname;
-    SECStatus status;
-    int i, j;
-
-    if (idopts == NULL)
-        return SECFailure;
-
-    /* If no module is specified, use the default module from pkinit.h. */
-    if (idopts->p11_module_name == NULL) {
-        idopts->p11_module_name = strdup(PKCS11_MODNAME);
-        if (idopts->p11_module_name == NULL)
-            return SECFailure;
-    }
-
-    /* Build the module spec. */
-    spec_size = strlen("library=''") + strlen(idopts->p11_module_name) * 2 + 1;
-    spec = PORT_ArenaZAlloc(id_cryptoctx->pool, spec_size);
-    if (spec == NULL)
-        return SECFailure;
-    strlcpy(spec, "library=\"", spec_size);
-    j = strlen(spec);
-    for (i = 0; idopts->p11_module_name[i] != '\0'; i++) {
-        if (strchr("\"", idopts->p11_module_name[i]) != NULL)
-            spec[j++] = '\\';
-        spec[j++] = idopts->p11_module_name[i];
-    }
-    spec[j++] = '\0';
-    strlcat(spec, "\"", spec_size);
-
-    /* Count the number of modules we've already loaded. */
-    if (id_cryptoctx->id_modules != NULL) {
-        for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++)
-            continue;
-    } else {
-        i = 0;
-    }
-
-    /* Allocate a bigger list. */
-    id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool,
-                                  sizeof(id_modules[0]) * (i + 2));
-    if (id_modules == NULL)
-        return SECFailure;
-    for (j = 0; j < i; j++)
-        id_modules[j] = id_cryptoctx->id_modules[j];
-
-    /* Actually load the module, or just ref an already-loaded copy. */
-    module = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*module));
-    if (module == NULL)
-        return SECFailure;
-    module->name = reassemble_pkcs11_name(id_cryptoctx->pool, idopts);
-    if (module->name == NULL)
-        return SECFailure;
-    module->spec = spec;
-    for (j = 0; j < i; j++) {
-        if (strcmp(module->spec, id_modules[j]->spec) == 0)
-            break;
-    }
-    if (j < i)
-        module->module = SECMOD_ReferenceModule(id_modules[j]->module);
-    else
-        module->module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);
-    if (module->module == NULL) {
-        pkiDebug("%s: error loading PKCS11 module \"%s\"",
-                 __FUNCTION__, idopts->p11_module_name);
-        return SECFailure;
-    }
-    if (!module->module->loaded) {
-        pkiDebug("%s: error really loading PKCS11 module \"%s\"",
-                 __FUNCTION__, idopts->p11_module_name);
-        SECMOD_DestroyModule(module->module);
-        module->module = NULL;
-        return SECFailure;
-    }
-    SECMOD_UpdateSlotList(module->module);
-    pkiDebug("%s: loaded PKCS11 module \"%s\"\n", __FUNCTION__,
-             idopts->p11_module_name);
-
-    /* Add us to the list and set the new list. */
-    id_modules[j++] = module;
-    id_modules[j] = NULL;
-    id_cryptoctx->id_modules = id_modules;
-
-    /* Walk the list of slots in the module. */
-    status = SECFailure;
-    for (i = 0;
-         (i < module->module->slotCount) &&
-         ((slot = module->module->slots[i]) != NULL);
-         i++) {
-        PK11_TokenRefresh(slot);
-        if (idopts->slotid != PK_NOSLOT) {
-            if (idopts->slotid != PK11_GetSlotID(slot))
-                continue;
-        }
-        tokenname = PK11_GetTokenName(slot);
-        if (tokenname == NULL || strlen(tokenname) == 0)
-            continue;
-        /* If we're looking for a specific token, and this isn't it, go on. */
-        if (idopts->token_label != NULL) {
-            if (strcmp(idopts->cert_label, tokenname) != 0)
-                continue;
-        }
-        /* Assemble a useful identity string, in case of an incomplete one. */
-        identity = reassemble_pkcs11_identity(id_cryptoctx->pool, idopts,
-                                              (long)PK11_GetSlotID(slot),
-                                              tokenname);
-        /*
-         * Skip past all of the loading-certificates-and-keys logic, pick up
-         * the token flags, and call it done for now.
-         */
-        if (id_cryptoctx->defer_id_prompt) {
-            if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, identity,
-                                                        context)) &&
-                PK11_NeedLogin(slot)) {
-                pkiDebug("%s: reading flags for token \"%s\"\n",
-                         __FUNCTION__, PK11_GetTokenName(slot));
-                if (PK11_GetTokenInfo(slot, &tinfo) == SECSuccess) {
-                    pkinit_set_deferred_id(&id_cryptoctx->deferred_ids,
-                                           identity, tinfo.flags, NULL);
-                }
-            }
-            return SECSuccess;
-        }
-        if (!PK11_IsPresent(slot))
-            continue;
-        /* Load private keys and their certs from this token. */
-        if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
-                                                slot, idopts->cert_label,
-                                                idopts->cert_id_string,
-                                                identity) == 0)
-            status = SECSuccess;
-        /* If no label was specified, then we've looked at a token, so we're
-         * done. */
-        if (idopts->token_label == NULL)
-            break;
-    }
-
-    return status;
-}
-
-/* Return the slot which we'll use for holding PEM items.  Open the module if
- * we need to, first. */
-static PK11SlotInfo *
-crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id)
-{
-    PK11SlotInfo *slot;
-    char *pem_module_name, *spec;
-    size_t spec_size;
-
-    if (id->pem_module == NULL) {
-        pem_module_name = PR_GetLibraryName(NULL, PEM_MODULE);
-        if (pem_module_name == NULL) {
-            pkiDebug("%s: error determining library name for %s\n",
-                     __FUNCTION__, PEM_MODULE);
-            return NULL;
-        }
-        spec_size = strlen("library=") + strlen(pem_module_name) + 1;
-        spec = malloc(spec_size);
-        if (spec == NULL) {
-            pkiDebug("%s: out of memory building spec for %s\n",
-                     __FUNCTION__, pem_module_name);
-            PR_FreeLibraryName(pem_module_name);
-            return NULL;
-        }
-        snprintf(spec, spec_size, "library=%s", pem_module_name);
-        id->pem_module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);
-        if (id->pem_module == NULL)
-            pkiDebug("%s: error loading %s\n", __FUNCTION__, pem_module_name);
-        else if (!id->pem_module->loaded)
-            pkiDebug("%s: error really loading %s\n", __FUNCTION__,
-                     pem_module_name);
-        else
-            SECMOD_UpdateSlotList(id->pem_module);
-        free(spec);
-        PR_FreeLibraryName(pem_module_name);
-    }
-    if ((id->pem_module != NULL) && id->pem_module->loaded) {
-        if (id->pem_module->slotCount != 0)
-            slot = id->pem_module->slots[0];
-        else
-            slot = NULL;
-        if (slot == NULL)
-            pkiDebug("%s: no slots in %s?\n", __FUNCTION__, PEM_MODULE);
-    } else {
-        slot = NULL;
-    }
-    return slot;
-}
-
-/* Resolve any ambiguities from having a duplicate nickname in the PKCS12
- * bundle and in the database, or the bag not providing a nickname.  Note: you
- * might expect "arg" to be a wincx, but it's actually a certificate!  (Mozilla
- * bug #321584, fixed in 3.12, documented by #586163, in 3.13.) */
-static SECItem *
-crypto_nickname_c_cb(SECItem *old_nickname, PRBool *cancel, void *arg)
-{
-    CERTCertificate *leaf;
-    char *old_name, *new_name, *p;
-    SECItem *new_nickname, tmp;
-    size_t new_name_size;
-    int i;
-
-    leaf = arg;
-    if (old_nickname != NULL)
-        pkiDebug("%s: warning: nickname collision on \"%.*s\", "
-                 "generating a new nickname\n", __FUNCTION__,
-                 old_nickname->len, old_nickname->data);
-    else
-        pkiDebug("%s: warning: nickname collision, generating a new "
-                 "nickname\n", __FUNCTION__);
-    new_nickname = NULL;
-    if (old_nickname == NULL) {
-        old_name = leaf->subjectName;
-        new_name_size = strlen(PKCS12_PREFIX ":  #1") + strlen(old_name) + 1;
-        new_name = PR_Malloc(new_name_size);
-        if (new_name != NULL) {
-            snprintf(new_name, new_name_size, PKCS12_PREFIX ": %s #1",
-                     old_name);
-            tmp.data = (unsigned char *) new_name;
-            tmp.len = strlen(new_name) + 1;
-            new_nickname = SECITEM_DupItem(&tmp);
-            PR_Free(new_name);
-        }
-    } else {
-        old_name = (char *) old_nickname->data;
-        if (strncmp(old_name, PKCS12_PREFIX ": ",
-                    strlen(PKCS12_PREFIX) + 2) == 0) {
-            p = strrchr(old_name, '#');
-            i = (p ? atoi(p + 1) : 0) + 1;
-            old_name = leaf->subjectName;
-            new_name_size = strlen(PKCS12_PREFIX ":  #") +
-                strlen(old_name) + 3 * sizeof(i) + 1;
-            new_name = PR_Malloc(new_name_size);
-        } else {
-            old_name = leaf->subjectName;
-            new_name_size = strlen(PKCS12_PREFIX ":  #1") +
-                strlen(old_name) + 1;
-            new_name = PR_Malloc(new_name_size);
-            i = 1;
-        }
-        if (new_name != NULL) {
-            snprintf(new_name, new_name_size, PKCS12_PREFIX ": %s #%d",
-                     old_name, i);
-            tmp.data = (unsigned char *) new_name;
-            tmp.len = strlen(new_name) + 1;
-            new_nickname = SECITEM_DupItem(&tmp);
-            PR_Free(new_name);
-        }
-    }
-    if (new_nickname == NULL) {
-        pkiDebug("%s: warning: unable to generate a new nickname\n",
-                 __FUNCTION__);
-        *cancel = PR_TRUE;
-    } else {
-        pkiDebug("%s: generated new nickname \"%.*s\"\n",
-                 __FUNCTION__, new_nickname->len, new_nickname->data);
-        *cancel = PR_FALSE;
-    }
-    return new_nickname;
-}
-
-static char *
-reassemble_pkcs12_name(PLArenaPool *pool, const char *filename)
-{
-    char *tmp, *ret;
-
-    if (asprintf(&tmp, "PKCS12:%s", filename) < 0)
-        return NULL;
-    ret = PORT_ArenaStrdup(pool, tmp);
-    free(tmp);
-    return ret;
-}
-
-static SECStatus
-crypto_load_pkcs12(krb5_context context,
-                   pkinit_plg_crypto_context plg_cryptoctx,
-                   pkinit_req_crypto_context req_cryptoctx,
-                   const char *name,
-                   pkinit_identity_crypto_context id_cryptoctx)
-{
-    PK11SlotInfo *slot;
-    SEC_PKCS12DecoderContext *ctx;
-    unsigned char emptypwd[] = { '\0', '\0' };
-    SECItem tmp, password;
-    PRBool retry;
-    int attempt;
-    char *identity;
-
-    if ((slot = crypto_get_p12_slot(id_cryptoctx)) == NULL) {
-        pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                 "no slot found\n", __FUNCTION__, name);
-        return SECFailure;
-    }
-    if (secitem_from_file(id_cryptoctx->pool, name,
-                          secitem_from_file_decode, &tmp) != 0) {
-        pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                 "error reading from file\n", __FUNCTION__, name);
-        return SECFailure;
-    }
-    /* There's a chance we'll need these. */
-    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, PR_TRUE);
-    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, PR_TRUE);
-    SEC_PKCS12EnableCipher(PKCS12_RC4_40, PR_TRUE);
-    SEC_PKCS12EnableCipher(PKCS12_RC4_128, PR_TRUE);
-    SEC_PKCS12EnableCipher(PKCS12_DES_56, PR_TRUE);
-    SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, PR_TRUE);
-    /* Pass in the password. */
-    memset(&password, 0, sizeof(password));
-    password.data = emptypwd;
-    password.len = 2;
-    attempt = 0;
-    ctx = NULL;
-    identity = reassemble_pkcs12_name(id_cryptoctx->pool, name);
-    if (identity == NULL)
-        return SECFailure;
-    id_cryptoctx->id_p12_slot.p12name = identity;
-    do {
-        retry = PR_FALSE;
-        ctx = SEC_PKCS12DecoderStart(&password,
-                                     slot,
-                                     crypto_pwcb_prep(id_cryptoctx, identity,
-                                                      context),
-                                     NULL, NULL, NULL, NULL, NULL);
-        if (ctx == NULL) {
-            pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                     "error setting up decoder\n", __FUNCTION__, name);
-            return SECFailure;
-        }
-        if (SEC_PKCS12DecoderUpdate(ctx, tmp.data, tmp.len) != SECSuccess) {
-            pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                     "error passing data to decoder\n", __FUNCTION__, name);
-            SEC_PKCS12DecoderFinish(ctx);
-            return SECFailure;
-        }
-        if (SEC_PKCS12DecoderVerify(ctx) != SECSuccess) {
-            char *newpass;
-            krb5_ucs2 *ucs2;
-            unsigned char *ucs2s;
-            size_t i, n_ucs2s;
-            SECErrorCodes err;
-
-            err = PORT_GetError();
-            SEC_PKCS12DecoderFinish(ctx);
-            switch (err) {
-            case SEC_ERROR_BAD_PASSWORD:
-                if (id_cryptoctx->defer_id_prompt) {
-                    pkinit_set_deferred_id(&id_cryptoctx->deferred_ids,
-                                           identity, 0, NULL);
-                    return SECSuccess;
-                }
-                pkiDebug("%s: prompting for password for %s\n",
-                         __FUNCTION__, name);
-                newpass = crypto_pwfn(name, PR_FALSE, 0, (attempt > 0),
-                                      id_cryptoctx);
-                attempt++;
-                if (newpass != NULL) {
-                    /* convert to 16-bit big-endian */
-                    if (krb5int_utf8s_to_ucs2les(newpass,
-                                                 &ucs2s, &n_ucs2s) == 0) {
-                        PR_Free(newpass);
-                        ucs2 = (krb5_ucs2 *) ucs2s;
-                        for (i = 0; i < n_ucs2s / 2; i++)
-                            ucs2[i] = SWAP16(ucs2[i]);
-                        password.data = (void *) ucs2s;
-                        password.len = n_ucs2s + 2;
-                        PORT_SetError(0);
-                        retry = PR_TRUE;
-                        continue;
-                    }
-                    PR_Free(newpass);
-                }
-                break;
-            default:
-                break;
-            }
-            pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                     "error verifying data: %d\n", __FUNCTION__,
-                     name, PORT_GetError());
-            return SECFailure;
-        }
-    } while (retry);
-    if (SEC_PKCS12DecoderValidateBags(ctx,
-                                      crypto_nickname_c_cb) != SECSuccess) {
-        pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                 "error validating bags: %d\n", __FUNCTION__, name,
-                 PORT_GetError());
-        SEC_PKCS12DecoderFinish(ctx);
-        if (password.data != emptypwd)
-            free(password.data);
-        return SECFailure;
-    }
-    if (SEC_PKCS12DecoderImportBags(ctx) != SECSuccess) {
-        pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
-                 "error importing data: %d\n", __FUNCTION__, name,
-                 PORT_GetError());
-        SEC_PKCS12DecoderFinish(ctx);
-        if (password.data != emptypwd)
-            free(password.data);
-        return SECFailure;
-    }
-    pkiDebug("%s: imported PKCS12 bundle \"%s\"\n", __FUNCTION__, name);
-    SEC_PKCS12DecoderFinish(ctx);
-    if (password.data != emptypwd)
-        free(password.data);
-    if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot,
-                                            NULL, NULL, identity) == 0)
-        return SECSuccess;
-    else
-        return SECFailure;
-}
-
-/* Helper to fill out a CK_ATTRIBUTE. */
-static void
-crypto_set_attributes(CK_ATTRIBUTE *attr,
-                      CK_ATTRIBUTE_TYPE type,
-                      void *pValue, CK_ULONG ulValueLen)
-{
-    memset(attr, 0, sizeof(*attr));
-    attr->type = type;
-    attr->pValue = pValue;
-    attr->ulValueLen = ulValueLen;
-}
-
-static char *
-reassemble_files_name(PLArenaPool *pool, const char *certfile,
-                      const char *keyfile)
-{
-    char *tmp, *ret;
-
-    if (keyfile != NULL) {
-        if (asprintf(&tmp, "FILE:%s,%s", certfile, keyfile) < 0)
-            return NULL;
-    } else {
-        if (asprintf(&tmp, "FILE:%s", certfile) < 0)
-            return NULL;
-    }
-    ret = PORT_ArenaStrdup(pool, tmp);
-    free(tmp);
-    return ret;
-}
-
-/* Load keys, certs, and/or CRLs from files. */
-static SECStatus
-crypto_load_files(krb5_context context,
-                  pkinit_plg_crypto_context plg_cryptoctx,
-                  pkinit_req_crypto_context req_cryptoctx,
-                  const char *certfile,
-                  const char *keyfile,
-                  const char *crlfile,
-                  PRBool cert_self, PRBool cert_mark_trusted,
-                  pkinit_identity_crypto_context id_cryptoctx)
-{
-    PK11SlotInfo *slot;
-    struct _pkinit_identity_crypto_file *cobj, *kobj, **id_objects;
-    PRBool permanent;
-    SECKEYPrivateKey *key;
-    CK_ATTRIBUTE attrs[4];
-    CK_BBOOL cktrue = CK_TRUE, cktrust;
-    CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
-    CERTCertificate *cert;
-    SECItem tmp, *crl, **crls;
-    SECStatus status;
-    int i, j, n_attrs, n_objs, n_crls;
-
-    if ((slot = crypto_get_pem_slot(id_cryptoctx)) == NULL) {
-        if (certfile != NULL)
-            pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n",
-                     __FUNCTION__, certfile);
-        if (keyfile != NULL)
-            pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n",
-                     __FUNCTION__, keyfile);
-        if (crlfile != NULL)
-            pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n",
-                     __FUNCTION__, crlfile);
-        return SECFailure;
-    }
-    if ((certfile == NULL) && (crlfile == NULL))
-        return SECFailure;
-
-    /* Load the certificate first to work around RHBZ#859535. */
-    cobj = NULL;
-    if (certfile != NULL) {
-        n_attrs = 0;
-        crypto_set_attributes(&attrs[n_attrs++], CKA_CLASS,
-                              &certclass, sizeof(certclass));
-        crypto_set_attributes(&attrs[n_attrs++], CKA_TOKEN,
-                              &cktrue, sizeof(cktrue));
-        crypto_set_attributes(&attrs[n_attrs++], CKA_LABEL,
-                              (char *) certfile, strlen(certfile) + 1);
-        cktrust = cert_mark_trusted ? CK_TRUE : CK_FALSE;
-        crypto_set_attributes(&attrs[n_attrs++], CKA_TRUST,
-                              &cktrust, sizeof(cktrust));
-        permanent = PR_FALSE;   /* set lifetime to "session" */
-        cobj = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*cobj));
-        if (cobj == NULL)
-            return SECFailure;
-        cobj->name = reassemble_files_name(id_cryptoctx->pool,
-                                           certfile, keyfile);
-        if (cobj->name == NULL)
-            return SECFailure;
-        cobj->obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent);
-        if (cobj->obj == NULL) {
-            pkiDebug("%s: error loading %scertificate \"%s\": %s\n",
-                     __FUNCTION__, cert_mark_trusted ? "CA " : "", certfile,
-                     PORT_ErrorToName(PORT_GetError()));
-            status = SECFailure;
-        } else {
-            pkiDebug("%s: loaded %scertificate \"%s\"\n",
-                     __FUNCTION__, cert_mark_trusted ? "CA " : "", certfile);
-            status = SECSuccess;
-            /* Add it to the list of objects that we're keeping. */
-            if (id_cryptoctx->id_objects != NULL)
-                for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++)
-                    continue;
-            else
-                i = 0;
-            id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool,
-                                          sizeof(id_objects[0]) * (i + 2));
-            if (id_objects != NULL) {
-                n_objs = i;
-                for (i = 0; i < n_objs; i++)
-                    id_objects[i] = id_cryptoctx->id_objects[i];
-                id_objects[i++] = cobj;
-                id_objects[i++] = NULL;
-                id_cryptoctx->id_objects = id_objects;
-            }
-            /* Find the certificate that goes with this generic object. */
-            memset(&tmp, 0, sizeof(tmp));
-            status = PK11_ReadRawAttribute(PK11_TypeGeneric, cobj->obj,
-                                           CKA_VALUE, &tmp);
-            if (status == SECSuccess) {
-                cobj->cert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
-                                                    &tmp);
-                SECITEM_FreeItem(&tmp, PR_FALSE);
-            } else {
-                pkiDebug("%s: error locating certificate \"%s\"\n",
-                         __FUNCTION__, certfile);
-            }
-            /* Save a reference to the right list. */
-            if (cobj->cert != NULL) {
-                cert = CERT_DupCertificate(cobj->cert);
-                if (cert == NULL)
-                    return SECFailure;
-                if (cert_self) {
-                    /* Add to the identity list. */
-                    if (cert_maybe_add_to_list(id_cryptoctx->id_certs,
-                                               cert) != SECSuccess)
-                        status = SECFailure;
-                } else if (cert_mark_trusted) {
-                    /* Add to the CA list. */
-                    if (cert_maybe_add_to_list(id_cryptoctx->ca_certs,
-                                               cert) != SECSuccess)
-                        status = SECFailure;
-                } else {
-                    /* Don't just lose the reference. */
-                    CERT_DestroyCertificate(cert);
-                }
-            }
-        }
-    }
-
-    /* Now load what should be the corresponding private key. */
-    kobj = NULL;
-    if (status == SECSuccess && keyfile != NULL) {
-        n_attrs = 0;
-        crypto_set_attributes(&attrs[n_attrs++], CKA_CLASS,
-                              &keyclass, sizeof(keyclass));
-        crypto_set_attributes(&attrs[n_attrs++], CKA_TOKEN,
-                              &cktrue, sizeof(cktrue));
-        crypto_set_attributes(&attrs[n_attrs++], CKA_LABEL,
-                              (char *)keyfile, strlen(keyfile) + 1);
-        permanent = PR_FALSE;   /* set lifetime to "session" */
-        kobj = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*kobj));
-        if (kobj == NULL)
-            return SECFailure;
-        kobj->obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent);
-        if (kobj->obj == NULL) {
-            pkiDebug("%s: error loading key \"%s\": %s\n", __FUNCTION__,
-                     keyfile, PORT_ErrorToName(PORT_GetError()));
-            status = SECFailure;
-        } else {
-            pkiDebug("%s: loaded key \"%s\"\n", __FUNCTION__, keyfile);
-            status = SECSuccess;
-            /* Add it to the list of objects that we're keeping. */
-            if (id_cryptoctx->id_objects != NULL) {
-                for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++)
-                    continue;
-            } else {
-                i = 0;
-            }
-            id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool,
-                                          sizeof(id_objects[0]) * (i + 2));
-            if (id_objects != NULL) {
-                n_objs = i;
-                for (i = 0; i < n_objs; i++)
-                    id_objects[i] = id_cryptoctx->id_objects[i];
-                id_objects[i++] = kobj;
-                id_objects[i++] = NULL;
-                id_cryptoctx->id_objects = id_objects;
-            }
-        }
-
-        /* "Log in" (provide an encryption password) if the PEM slot now
-         * requires it. */
-        PK11_TokenRefresh(slot);
-
-        /*
-         * Unlike most tokens, this one won't self-destruct if we throw wrong
-         * passwords at it, but it will cause the module to clear the
-         * needs-login flag so that we can continue importing PEM items.
-         */
-        if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, cobj->name,
-                                                    context)) &&
-            PK11_NeedLogin(slot)) {
-            pkiDebug("%s: logging in to token \"%s\"\n",
-                     __FUNCTION__, PK11_GetTokenName(slot));
-            if (PK11_Authenticate(slot, PR_TRUE,
-                                  crypto_pwcb_prep(id_cryptoctx, cobj->name,
-                                                   context)) != SECSuccess) {
-                pkiDebug("%s: error logging into \"%s\": %s, skipping\n",
-                         __FUNCTION__, PK11_GetTokenName(slot),
-                         PORT_ErrorToName(PORT_GetError()));
-                status = SECFailure;
-                PK11_DestroyGenericObject(kobj->obj);
-                kobj->obj = NULL;
-            }
-        }
-
-        /* If we loaded a key and a certificate, see if they match. */
-        if (cobj != NULL && cobj->cert != NULL && kobj->obj != NULL) {
-            key = PK11_FindPrivateKeyFromCert(slot, cobj->cert,
-                                              crypto_pwcb_prep(id_cryptoctx,
-                                                               cobj->name,
-                                                               context));
-            if (key == NULL) {
-                pkiDebug("%s: no private key found for \"%s\"(%s), "
-                         "even though we just loaded that key?\n",
-                         __FUNCTION__,
-                         cobj->cert->nickname ?
-                         cobj->cert->nickname : "(no name)",
-                         certfile);
-                status = SECFailure;
-            } else {
-                /* We don't need this reference to the key. */
-                SECKEY_DestroyPrivateKey(key);
-            }
-        }
-    }
-
-    /* If we succeeded to this point, or more likely didn't do anything
-     * yet, cache a CRL. */
-    if ((status == SECSuccess) && (crlfile != NULL)) {
-        memset(&tmp, 0, sizeof(tmp));
-        if (secitem_from_file(id_cryptoctx->pool, crlfile,
-                              secitem_from_file_decode, &tmp) == 0) {
-            crl = SECITEM_ArenaDupItem(id_cryptoctx->pool, &tmp);
-            /* Count the CRLs. */
-            if (id_cryptoctx->id_crls != NULL) {
-                for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++)
-                    continue;
-            } else {
-                i = 0;
-            }
-            n_crls = i;
-            /* Allocate a bigger list. */
-            crls = PORT_ArenaZAlloc(id_cryptoctx->pool,
-                                    sizeof(crls[0]) * (n_crls + 2));
-            for (j = 0; j < n_crls; j++)
-                crls[j] = id_cryptoctx->id_crls[j];
-            if (crl != NULL) {
-                status = CERT_CacheCRL(CERT_GetDefaultCertDB(), crl);
-                if (status == SECSuccess) {
-                    crls[j++] = crl;
-                    pkiDebug("%s: cached CRL from \"%s\"\n",
-                             __FUNCTION__, crlfile);
-                } else
-                    pkiDebug("%s: error loading CRL from \"%s\": %d\n",
-                             __FUNCTION__, crlfile, PORT_GetError());
-            }
-            crls[j++] = NULL;
-            id_cryptoctx->id_crls = crls;
-        } else
-            status = SECFailure;
-    }
-    return status;
-}
-
-static SECStatus
-crypto_load_dir(krb5_context context,
-                pkinit_plg_crypto_context plg_cryptoctx,
-                pkinit_req_crypto_context req_cryptoctx,
-                const char *dirname,
-                PRBool cert_self, PRBool cert_mark_trusted, PRBool load_crl,
-                pkinit_identity_crypto_context id_cryptoctx)
-{
-    SECStatus status;
-    DIR *dir;
-    struct dirent *ent;
-    char *key, *certcrl;
-    const char *suffix = load_crl ? ".crl" : ".crt";
-    int i;
-
-    if (crypto_get_pem_slot(id_cryptoctx) == NULL) {
-        pkiDebug("%s: nsspem module not loaded, "
-                 "not loading directory \"%s\"\n", __FUNCTION__, dirname);
-        return SECFailure;
-    }
-    if (dirname == NULL)
-        return SECFailure;
-    dir = opendir(dirname);
-    if (dir == NULL) {
-        pkiDebug("%s: error loading directory \"%s\": %s\n",
-                 __FUNCTION__, dirname, strerror(errno));
-        return SECFailure;
-    }
-    status = SECFailure;
-    pkiDebug("%s: scanning directory \"%s\"\n", __FUNCTION__, dirname);
-    while ((ent = readdir(dir)) != NULL) {
-        i = strlen(ent->d_name);
-        /* Skip over anything that isn't named "<something>.crt" or
-         * "<something>.crl", whichever we want at the moment. */
-        if ((i < 5) || (strcmp(ent->d_name + i - 4, suffix) != 0)) {
-            pkiDebug("%s: skipping candidate \"%s/%s\"\n",
-                     __FUNCTION__, dirname, ent->d_name);
-            continue;
-        }
-        /* Construct a path to the file. */
-        certcrl = NULL;
-        if (k5_path_join(dirname, ent->d_name, &certcrl) != 0) {
-            pkiDebug("%s: error building pathname \"%s %s\"\n",
-                     __FUNCTION__, dirname, ent->d_name);
-            continue;
-        }
-        key = NULL;
-        if (!load_crl && cert_self) {   /* No key. */
-            /* Construct the matching key name. */
-            if (k5_path_join(dirname, ent->d_name, &key) != 0) {
-                pkiDebug("%s: error building pathname \"%s %s\"\n",
-                         __FUNCTION__, dirname, ent->d_name);
-                free(certcrl);
-                continue;
-            }
-            i = strlen(key);
-            memcpy(key + i - 4, ".key", 5);
-        }
-        /* Try loading the key and file as a pair. */
-        if (crypto_load_files(context,
-                              plg_cryptoctx,
-                              req_cryptoctx,
-                              load_crl ? NULL : certcrl,
-                              key,
-                              load_crl ? certcrl : NULL,
-                              cert_self, cert_mark_trusted,
-                              id_cryptoctx) == SECSuccess)
-            status = SECSuccess;
-        free(certcrl);
-        free(key);
-    }
-    closedir(dir);
-    return status;
-}
-
-static char *
-reassemble_nssdb_name(PLArenaPool *pool, const char *dbdir)
-{
-    char *tmp, *ret;
-
-    if (asprintf(&tmp, "NSS:%s", dbdir) < 0)
-        return NULL;
-    ret = PORT_ArenaStrdup(pool, tmp);
-    free(tmp);
-    return ret;
-}
-
-/* Load up a certificate database. */
-static krb5_error_code
-crypto_load_nssdb(krb5_context context,
-                  pkinit_plg_crypto_context plg_cryptoctx,
-                  pkinit_req_crypto_context req_cryptoctx,
-                  const char *configdir,
-                  pkinit_identity_crypto_context id_cryptoctx)
-{
-    struct _pkinit_identity_crypto_userdb *userdb, **id_userdbs;
-    char *p;
-    size_t spec_size;
-    int i, j;
-
-    if (configdir == NULL)
-        return ENOENT;
-
-    /* Build the spec. */
-    spec_size = strlen("configDir='' flags=readOnly") +
-        strlen(configdir) * 2 + 1;
-    p = PORT_ArenaZAlloc(id_cryptoctx->pool, spec_size);
-    if (p == NULL)
-        return ENOMEM;
-    strlcpy(p, "configDir='", spec_size);
-    j = strlen(p);
-    for (i = 0; configdir[i] != '\0'; i++) {
-        if (configdir[i] == '\'')
-            p[j++] = '\\';      /* Is this the right way to do
-                                 * escaping? */
-        p[j++] = configdir[i];
-    }
-    p[j++] = '\0';
-    strlcat(p, "' flags=readOnly", spec_size);
-
-    /* Count the number of modules we've already loaded. */
-    if (id_cryptoctx->id_userdbs != NULL) {
-        for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++)
-            continue;
-    } else
-        i = 0;
-
-    /* Allocate a bigger list. */
-    id_userdbs = PORT_ArenaZAlloc(id_cryptoctx->pool,
-                                  sizeof(id_userdbs[0]) * (i + 2));
-    for (j = 0; j < i; j++)
-        id_userdbs[j] = id_cryptoctx->id_userdbs[j];
-
-    /* Actually load the module. */
-    userdb = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*userdb));
-    if (userdb == NULL)
-        return SECFailure;
-    userdb->name = reassemble_nssdb_name(id_cryptoctx->pool, configdir);
-    if (userdb->name == NULL)
-        return SECFailure;
-    userdb->userdb = SECMOD_OpenUserDB(p);
-    if (userdb->userdb == NULL) {
-        pkiDebug("%s: error loading NSS cert database \"%s\"\n",
-                 __FUNCTION__, configdir);
-        return ENOENT;
-    }
-    pkiDebug("%s: opened NSS database \"%s\"\n", __FUNCTION__, configdir);
-
-    /* Add us to the list and set the new list. */
-    id_userdbs[i++] = userdb;
-    id_userdbs[i++] = NULL;
-    id_cryptoctx->id_userdbs = id_userdbs;
-
-    /* Load the CAs from the database. */
-    cert_load_ca_certs_from_slot(context, id_cryptoctx, userdb->userdb,
-                                 userdb->name);
-
-    /* Load the keys from the database. */
-    return cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
-                                               userdb->userdb, NULL, NULL,
-                                               userdb->name);
-}
-
-/* Load up a certificate and associated key. */
-krb5_error_code
-crypto_load_certs(krb5_context context,
-                  pkinit_plg_crypto_context plg_cryptoctx,
-                  pkinit_req_crypto_context req_cryptoctx,
-                  pkinit_identity_opts *idopts,
-                  pkinit_identity_crypto_context id_cryptoctx,
-                  krb5_principal princ,
-                  krb5_boolean defer_id_prompts)
-{
-    SECStatus status;
-
-    id_cryptoctx->defer_id_prompt = defer_id_prompts;
-
-    switch (idopts->idtype) {
-    case IDTYPE_FILE:
-        id_cryptoctx->defer_with_dummy_password = TRUE;
-        status = crypto_load_files(context,
-                                   plg_cryptoctx,
-                                   req_cryptoctx,
-                                   idopts->cert_filename,
-                                   idopts->key_filename,
-                                   NULL, PR_TRUE, PR_FALSE, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading files \"%s\" and \"%s\": %s\n",
-                     __FUNCTION__, idopts->cert_filename,
-                     idopts->key_filename, PORT_ErrorToName(PORT_GetError()));
-            return defer_id_prompts ? 0 : ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_NSS:
-        id_cryptoctx->defer_with_dummy_password = FALSE;
-        status = crypto_load_nssdb(context,
-                                   plg_cryptoctx,
-                                   req_cryptoctx,
-                                   idopts->cert_filename, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading NSS certdb \"%s\": %s\n",
-                     __FUNCTION__, idopts->cert_filename,
-                     PORT_ErrorToName(PORT_GetError()));
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_DIR:
-        id_cryptoctx->defer_with_dummy_password = TRUE;
-        status = crypto_load_dir(context,
-                                 plg_cryptoctx,
-                                 req_cryptoctx,
-                                 idopts->cert_filename,
-                                 PR_TRUE, PR_FALSE, PR_FALSE, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading directory \"%s\": %s\n",
-                     __FUNCTION__, idopts->cert_filename,
-                     PORT_ErrorToName(PORT_GetError()));
-            return defer_id_prompts ? 0 : ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_PKCS11:
-        id_cryptoctx->defer_with_dummy_password = FALSE;
-        status = crypto_load_pkcs11(context,
-                                    plg_cryptoctx,
-                                    req_cryptoctx, idopts, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading module \"%s\": %s\n",
-                     __FUNCTION__, idopts->p11_module_name,
-                     PORT_ErrorToName(PORT_GetError()));
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_PKCS12:
-        id_cryptoctx->defer_with_dummy_password = FALSE;
-        status = crypto_load_pkcs12(context,
-                                    plg_cryptoctx,
-                                    req_cryptoctx,
-                                    idopts->cert_filename, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading PKCS12 bundle \"%s\"\n",
-                     __FUNCTION__, idopts->cert_filename);
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    default:
-        return EINVAL;
-        break;
-    }
-}
-
-/* Drop "self" certificate and keys that we didn't select. */
-krb5_error_code
-crypto_free_cert_info(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx)
-{
-    /* Mimic the OpenSSL-based implementation's check first. */
-    if (id_cryptoctx == NULL)
-        return EINVAL;
-
-    /* Maybe should we nuke the id_certs list here? */
-    return 0;
-}
-
-/* Count how many candidate "self" certificates and keys we have.  We could as
- * easily count the keys. */
-krb5_error_code
-crypto_cert_get_count(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      int *cert_count)
-{
-    CERTCertListNode *node;
-
-    *cert_count = 0;
-    if (!CERT_LIST_EMPTY(id_cryptoctx->id_certs))
-        for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs);
-             (node != NULL) &&
-                 (node->cert != NULL) &&
-                 !CERT_LIST_END(node, id_cryptoctx->id_certs);
-             node = CERT_LIST_NEXT(node))
-            (*cert_count)++;
-    pkiDebug("%s: %d candidate key/certificate pairs found\n",
-             __FUNCTION__, *cert_count);
-    return 0;
-}
-
-/* Start walking the list of "self" certificates and keys. */
-krb5_error_code
-crypto_cert_iteration_begin(krb5_context context,
-                            pkinit_plg_crypto_context plg_cryptoctx,
-                            pkinit_req_crypto_context req_cryptoctx,
-                            pkinit_identity_crypto_context id_cryptoctx,
-                            pkinit_cert_iter_handle *iter_handle)
-{
-    PLArenaPool *pool;
-    struct _pkinit_cert_iter_info *handle;
-
-    if (CERT_LIST_EMPTY(id_cryptoctx->id_certs))
-        return ENOENT;
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    handle = PORT_ArenaZAlloc(pool, sizeof(*handle));
-    if (handle == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    handle->pool = pool;
-    handle->id_cryptoctx = id_cryptoctx;
-    handle->node = CERT_LIST_HEAD(handle->id_cryptoctx->id_certs);
-    *iter_handle = handle;
-    return 0;
-}
-
-/* Stop walking the list of "self" certificates and keys. */
-krb5_error_code
-crypto_cert_iteration_end(krb5_context context,
-                          pkinit_cert_iter_handle iter_handle)
-{
-    PORT_FreeArena(iter_handle->pool, PR_TRUE);
-    return 0;
-}
-
-/* Walk to the first/next "self" certificate and key.  The cert_handle we
- * produce here has to be useful beyond the life of the iteration handle, so it
- * can't be allocated from the iteration handle's memory pool. */
-krb5_error_code
-crypto_cert_iteration_next(krb5_context context,
-                           pkinit_cert_iter_handle iter_handle,
-                           pkinit_cert_handle *cert_handle)
-{
-    PLArenaPool *pool;
-
-    /* Check if we're at the last node. */
-    if (CERT_LIST_END(iter_handle->node,
-                      iter_handle->id_cryptoctx->id_certs)) {
-        /* No more entries. */
-        *cert_handle = NULL;
-        return PKINIT_ITER_NO_MORE;
-    }
-    /* Create a pool to hold info about this certificate. */
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    *cert_handle = PORT_ArenaZAlloc(pool, sizeof(**cert_handle));
-    if (*cert_handle == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    (*cert_handle)->pool = pool;
-    /* Return a copy of the certificate in this node, and then move on to
-     * the next one. */
-    (*cert_handle)->id_cryptoctx = iter_handle->id_cryptoctx;
-    (*cert_handle)->cert = CERT_DupCertificate(iter_handle->node->cert);
-    iter_handle->node = CERT_LIST_NEXT(iter_handle->node);
-    return 0;
-}
-
-/* Read names, key usage, and extended key usage from the cert. */
-static SECItem *
-cert_get_ext_by_tag(CERTCertificate *cert, SECOidTag tag)
-{
-    SECOidData *oid;
-    int i;
-
-    oid = SECOID_FindOIDByTag(tag);
-    for (i = 0;
-         (cert->extensions != NULL) && (cert->extensions[i] != NULL);
-         i++)
-        if (SECITEM_ItemsAreEqual(&cert->extensions[i]->id, &oid->oid))
-            return &cert->extensions[i]->value;
-    return NULL;
-}
-
-/* Check for the presence of a particular key usage in the cert's keyUsage
- * extension field.  If it's not there, NSS just sets all of the bits, which is
- * consistent with what the OpenSSL version of this does. */
-static unsigned int
-cert_get_ku_bits(krb5_context context, CERTCertificate *cert)
-{
-    unsigned int ku = 0;
-
-    if (cert->keyUsage & KU_DIGITAL_SIGNATURE)
-        ku |= PKINIT_KU_DIGITALSIGNATURE;
-    if (cert->keyUsage & KU_KEY_ENCIPHERMENT)
-        ku |= PKINIT_KU_KEYENCIPHERMENT;
-    return ku;
-}
-
-static unsigned int
-cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc)
-{
-    PLArenaPool *pool;
-    SECItem *ext, **oids;
-    SECOidData *clientauth, *serverauth, *email;
-    int i;
-    unsigned int eku;
-
-    /* Pull out the extension. */
-    ext = cert_get_ext_by_tag(cert, SEC_OID_X509_EXT_KEY_USAGE);
-    if (ext == NULL)
-        return 0;
-
-    /* Look up the well-known OIDs. */
-    clientauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
-    serverauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
-    email = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
-
-    /* Decode the list of OIDs. */
-    pool = PORT_NewArena(sizeof(double));
-    oids = NULL;
-    if (SEC_ASN1DecodeItem(pool, &oids,
-                           SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate),
-                           ext) != SECSuccess) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return 0;
-    }
-    eku = 0;
-    for (i = 0; (oids != NULL) && (oids[i] != NULL); i++) {
-        if (SECITEM_ItemsAreEqual(oids[i], &email->oid))
-            eku |= PKINIT_EKU_EMAILPROTECTION;
-        if (kdc) {
-            if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_kdc))
-                eku |= PKINIT_EKU_PKINIT;
-            if (SECITEM_ItemsAreEqual(oids[i], &serverauth->oid))
-                eku |= PKINIT_EKU_CLIENTAUTH;
-        } else {
-            if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_client))
-                eku |= PKINIT_EKU_PKINIT;
-            if (SECITEM_ItemsAreEqual(oids[i], &clientauth->oid))
-                eku |= PKINIT_EKU_CLIENTAUTH;
-        }
-        if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_mssclogin))
-            eku |= PKINIT_EKU_MSSCLOGIN;
-    }
-    PORT_FreeArena(pool, PR_TRUE);
-    return eku;
-}
-
-krb5_error_code
-crypto_cert_get_matching_data(krb5_context context,
-                              pkinit_cert_handle cert_handle,
-                              pkinit_cert_matching_data **ret_data)
-{
-    pkinit_cert_matching_data *md;
-
-    md = malloc(sizeof(*md));
-    if (md == NULL) {
-        return ENOMEM;
-    }
-    md->ch = cert_handle;
-    md->subject_dn = strdup(cert_handle->cert->subjectName);
-    /* FIXME: string representation varies from OpenSSL's */
-    md->issuer_dn = strdup(cert_handle->cert->issuerName);
-    /* FIXME: string representation varies from OpenSSL's */
-    md->ku_bits = cert_get_ku_bits(context, cert_handle->cert);
-    md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, PR_FALSE);
-    if (cert_retrieve_cert_sans(context, cert_handle->cert,
-                                &md->sans, &md->sans, NULL) != 0)
-        md->sans = NULL;
-    *ret_data = md;
-    return 0;
-}
-
-/* Free up the data for this certificate. */
-krb5_error_code
-crypto_cert_release(krb5_context context, pkinit_cert_handle cert_handle)
-{
-    CERT_DestroyCertificate(cert_handle->cert);
-    PORT_FreeArena(cert_handle->pool, PR_TRUE);
-    return 0;
-}
-
-/* Free names, key usage, and extended key usage from the cert matching data
- * structure -- everything except the cert_handle it contains, anyway. */
-krb5_error_code
-crypto_cert_free_matching_data(krb5_context context,
-                               pkinit_cert_matching_data *data)
-{
-    free(data->subject_dn);
-    free(data->issuer_dn);
-    free(data);
-    return 0;
-}
-
-/* Mark the cert tracked in the matching data structure as the one we're going
- * to use. */
-krb5_error_code
-crypto_cert_select(krb5_context context, pkinit_cert_matching_data *data)
-{
-    CERTCertificate *cert;
-
-    cert = CERT_DupCertificate(data->ch->cert);
-    if (data->ch->id_cryptoctx->id_cert != NULL)
-        CERT_DestroyCertificate(data->ch->id_cryptoctx->id_cert);
-    data->ch->id_cryptoctx->id_cert = cert;
-    crypto_update_signer_identity(context, data->ch->id_cryptoctx);
-    return 0;
-}
-
-/* Try to select the "default" cert, which for now is the only cert, if we only
- * have one. */
-krb5_error_code
-crypto_cert_select_default(krb5_context context,
-                           pkinit_plg_crypto_context plg_cryptoctx,
-                           pkinit_req_crypto_context req_cryptoctx,
-                           pkinit_identity_crypto_context id_cryptoctx)
-{
-    CERTCertListNode *node;
-    CERTCertificate *cert;
-    krb5_principal *sans;
-    krb5_data *c;
-    krb5_error_code code;
-    int result, count, i;
-
-    result = crypto_cert_get_count(context,
-                                   plg_cryptoctx,
-                                   req_cryptoctx, id_cryptoctx, &count);
-    if (result != 0)
-        return result;
-    if (count == 1)
-        /* use the only cert */
-        cert = (CERT_LIST_HEAD(id_cryptoctx->id_certs))->cert;
-    else {
-        pkiDebug("%s: searching for a KDC certificate\n", __FUNCTION__);
-        /* look for a cert that includes a TGS principal name */
-        cert = NULL;
-        for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs);
-             (node != NULL) &&
-                 (node->cert != NULL) &&
-                 !CERT_LIST_END(node, id_cryptoctx->id_certs);
-             node = CERT_LIST_NEXT(node)) {
-            sans = NULL;
-            pkiDebug("%s: checking candidate certificate \"%s\"\n",
-                     __FUNCTION__, node->cert->subjectName);
-            code = cert_retrieve_cert_sans(context, node->cert,
-                                           &sans, NULL, NULL);
-            if ((code == 0) && (sans != NULL)) {
-                for (i = 0; sans[i] != NULL; i++) {
-                    c = krb5_princ_component(context, sans[i], 0);
-                    if ((c->length == KRB5_TGS_NAME_SIZE) &&
-                        (memcmp(c->data, KRB5_TGS_NAME,
-                                KRB5_TGS_NAME_SIZE) == 0)) {
-                        cert = node->cert;
-                        pkiDebug("%s: selecting %s "
-                                 "certificate \"%s\"\n",
-                                 __FUNCTION__,
-                                 KRB5_TGS_NAME, cert->subjectName);
-                    }
-                    krb5_free_principal(context, sans[i]);
-                }
-                free(sans);
-                sans = NULL;
-            }
-            if (cert != NULL)
-                break;
-        }
-        if (cert == NULL)
-            return ENOENT;
-    }
-    if (id_cryptoctx->id_cert != NULL)
-        CERT_DestroyCertificate(id_cryptoctx->id_cert);
-    id_cryptoctx->id_cert = CERT_DupCertificate(cert);
-    crypto_update_signer_identity(context, id_cryptoctx);
-    return 0;
-}
-
-krb5_error_code
-crypto_load_cas_and_crls(krb5_context context,
-                         pkinit_plg_crypto_context plg_cryptoctx,
-                         pkinit_req_crypto_context req_cryptoctx,
-                         pkinit_identity_opts * idopts,
-                         pkinit_identity_crypto_context id_cryptoctx,
-                         int idtype, int catype, char *id)
-{
-    SECStatus status;
-    PRBool cert_self, cert_mark_trusted, load_crl;
-
-    /* Figure out what we're doing here. */
-    switch (catype) {
-    case CATYPE_ANCHORS:
-        /* Screen out source types we can't use. */
-        switch (idtype) {
-        case IDTYPE_FILE:
-        case IDTYPE_DIR:
-        case IDTYPE_NSS:
-            /* We only support these sources. */
-            break;
-        default:
-            return EINVAL;
-            break;
-        }
-        /* Mark certs we load as trusted roots. */
-        cert_self = PR_FALSE;
-        cert_mark_trusted = PR_TRUE;
-        load_crl = PR_FALSE;
-        break;
-    case CATYPE_INTERMEDIATES:
-        /* Screen out source types we can't use. */
-        switch (idtype) {
-        case IDTYPE_FILE:
-        case IDTYPE_DIR:
-        case IDTYPE_NSS:
-            /* We only support these sources. */
-            break;
-        default:
-            return EINVAL;
-            break;
-        }
-        /* Hang on to certs as reference material. */
-        cert_self = PR_FALSE;
-        cert_mark_trusted = PR_FALSE;
-        load_crl = PR_FALSE;
-        break;
-    case CATYPE_CRLS:
-        /* Screen out source types we can't use. */
-        switch (idtype) {
-        case IDTYPE_FILE:
-        case IDTYPE_DIR:
-            /* We only support these sources. */
-            break;
-        default:
-            return EINVAL;
-            break;
-        }
-        /* No certs, just CRLs. */
-        cert_self = PR_FALSE;
-        cert_mark_trusted = PR_FALSE;
-        load_crl = PR_TRUE;
-        break;
-    default:
-        return ENOSYS;
-        break;
-    }
-
-    switch (idtype) {
-    case IDTYPE_FILE:
-        status = crypto_load_files(context,
-                                   plg_cryptoctx,
-                                   req_cryptoctx,
-                                   load_crl ? NULL : id,
-                                   NULL,
-                                   load_crl ? id : NULL,
-                                   cert_self, cert_mark_trusted, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading file \"%s\"\n", __FUNCTION__, id);
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_NSS:
-        status = crypto_load_nssdb(context,
-                                   plg_cryptoctx,
-                                   req_cryptoctx, id, id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading NSS certdb \"%s\"\n",
-                     __FUNCTION__, idopts->cert_filename);
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    case IDTYPE_DIR:
-        status = crypto_load_dir(context,
-                                 plg_cryptoctx,
-                                 req_cryptoctx,
-                                 id,
-                                 cert_self, cert_mark_trusted, load_crl,
-                                 id_cryptoctx);
-        if (status != SECSuccess) {
-            pkiDebug("%s: error loading directory \"%s\"\n", __FUNCTION__, id);
-            return ENOMEM;
-        }
-        return 0;
-        break;
-    default:
-        return EINVAL;
-        break;
-    }
-}
-
-/* Retrieve the client's copy of the KDC's certificate. */
-krb5_error_code
-pkinit_get_kdc_cert(krb5_context context,
-                    pkinit_plg_crypto_context plg_cryptoctx,
-                    pkinit_req_crypto_context req_cryptoctx,
-                    pkinit_identity_crypto_context id_cryptoctx,
-                    krb5_principal princ)
-{
-    /* Nothing to do. */
-    return 0;
-}
-
-/* Create typed-data with sets of acceptable DH parameters. */
-krb5_error_code
-pkinit_create_td_dh_parameters(krb5_context context,
-                               pkinit_plg_crypto_context plg_cryptoctx,
-                               pkinit_req_crypto_context req_cryptoctx,
-                               pkinit_identity_crypto_context id_cryptoctx,
-                               pkinit_plg_opts *opts, krb5_pa_data ***pa_data)
-{
-    struct domain_parameters *params;
-    SECItem tmp, *oid;
-    krb5_algorithm_identifier id[sizeof(oakley_groups) /
-                                 sizeof(oakley_groups[0])];
-    krb5_algorithm_identifier *ids[(sizeof(id) / sizeof(id[0])) + 1];
-    unsigned int i, j;
-    krb5_data *data;
-    krb5_pa_data **typed_data;
-    krb5_error_code code;
-
-    *pa_data = NULL;
-
-    /* Fetch the algorithm OID. */
-    oid = get_oid_from_tag(SEC_OID_X942_DIFFIE_HELMAN_KEY);
-    if (oid == NULL)
-        return ENOMEM;
-    /* Walk the lists of parameters that we know. */
-    for (i = 0, j = 0; i < sizeof(id) / sizeof(id[0]); i++) {
-        if (oakley_groups[i].bits < opts->dh_min_bits)
-            continue;
-        /* Encode these parameters for use as algorithm parameters. */
-        if (oakley_parse_group(req_cryptoctx->pool, &oakley_groups[i],
-                               &params) != 0)
-            continue;
-        memset(&params, 0, sizeof(params));
-        if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &tmp,
-                               params,
-                               domain_parameters_template) != SECSuccess)
-            continue;
-        /* Add it to the list. */
-        memset(&id[j], 0, sizeof(id[j]));
-        id[j].algorithm.data = (char *)oid->data;
-        id[j].algorithm.length = oid->len;
-        id[j].parameters.data = (char *)tmp.data;
-        id[j].parameters.length = tmp.len;
-        ids[j] = &id[j];
-        j++;
-    }
-    if (j == 0)
-        return ENOENT;
-    ids[j] = NULL;
-    /* Pass it back up. */
-    data = NULL;
-    code = (*k5int_encode_krb5_td_dh_parameters)(ids, &data);
-    if (code != 0)
-        return code;
-    typed_data = malloc(sizeof(*typed_data) * 2);
-    if (typed_data == NULL) {
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0] = malloc(sizeof(**typed_data));
-    if (typed_data[0] == NULL) {
-        free(typed_data);
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0]->pa_type = TD_DH_PARAMETERS;
-    typed_data[0]->length = data->length;
-    typed_data[0]->contents = (unsigned char *) data->data;
-    typed_data[1] = NULL;
-    *pa_data = typed_data;
-    free(data);
-    return code;
-}
-
-/* Parse typed-data with sets of acceptable DH parameters and return the
- * minimum prime size that the KDC will accept. */
-krb5_error_code
-pkinit_process_td_dh_params(krb5_context context,
-                            pkinit_plg_crypto_context plg_cryptoctx,
-                            pkinit_req_crypto_context req_cryptoctx,
-                            pkinit_identity_crypto_context id_cryptoctx,
-                            krb5_algorithm_identifier **algId,
-                            int *new_dh_size)
-{
-    struct domain_parameters params;
-    SECItem item;
-    int i, size;
-
-    /* Set an initial reasonable guess if we got no hints that we could
-     * parse. */
-    *new_dh_size = 2048;
-    for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) {
-        /* Decode the domain parameters. */
-        item.len = algId[i]->parameters.length;
-        item.data = (unsigned char *)algId[i]->parameters.data;
-        memset(&params, 0, sizeof(params));
-        if (SEC_ASN1DecodeItem(req_cryptoctx->pool, &params,
-                               domain_parameters_template,
-                               &item) != SECSuccess)
-            continue;
-        /* Count the size of the prime by finding the first non-zero
-         * byte and working out the size of the integer. */
-        size = get_integer_bits(&params.p);
-        /* If this is the first parameter set, or the current parameter
-         * size is lower than our previous guess, use it. */
-        if ((i == 0) || (size < *new_dh_size))
-            *new_dh_size = size;
-    }
-    return 0;
-}
-
-/* Create typed-data with the client cert that we didn't like. */
-krb5_error_code
-pkinit_create_td_invalid_certificate(krb5_context context,
-                                     pkinit_plg_crypto_context plg_cryptoctx,
-                                     pkinit_req_crypto_context req_cryptoctx,
-                                     pkinit_identity_crypto_context
-                                     id_cryptoctx, krb5_pa_data ***pa_data)
-{
-    CERTCertificate *invalid;
-    krb5_external_principal_identifier id;
-    krb5_external_principal_identifier *ids[2];
-    struct issuer_and_serial_number isn;
-    krb5_data *data;
-    SECItem item;
-    krb5_pa_data **typed_data;
-    krb5_error_code code;
-
-    *pa_data = NULL;
-
-    /* We didn't trust the peer's certificate.  FIXME: or was it a
-     * certificate that was somewhere in its certifying chain? */
-    if (req_cryptoctx->peer_cert == NULL)
-        return ENOENT;
-    invalid = req_cryptoctx->peer_cert;
-
-    /* Fill in the identifier. */
-    memset(&id, 0, sizeof(id));
-    if (req_cryptoctx->peer_cert->keyIDGenerated) {
-        isn.issuer = invalid->derIssuer;
-        isn.serial = invalid->serialNumber;
-        if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
-                               issuer_and_serial_number_template) != &item)
-            return ENOMEM;
-        id.issuerAndSerialNumber.data = (char *)item.data;
-        id.issuerAndSerialNumber.length = item.len;
-    } else {
-        item = invalid->subjectKeyID;
-        id.subjectKeyIdentifier.data = (char *)item.data;
-        id.subjectKeyIdentifier.length = item.len;
-    }
-    ids[0] = &id;
-    ids[1] = NULL;
-
-    /* Pass it back up. */
-    data = NULL;
-    code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data);
-    if (code != 0)
-        return code;
-    typed_data = malloc(sizeof(*typed_data) * 2);
-    if (typed_data == NULL) {
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0] = malloc(sizeof(**typed_data));
-    if (typed_data[0] == NULL) {
-        free(typed_data);
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0]->pa_type = TD_INVALID_CERTIFICATES;
-    typed_data[0]->length = data->length;
-    typed_data[0]->contents = (unsigned char *) data->data;
-    typed_data[1] = NULL;
-    *pa_data = typed_data;
-    free(data);
-    return code;
-}
-
-/* Create typed-data with a list of certifiers that we would accept. */
-krb5_error_code
-pkinit_create_td_trusted_certifiers(krb5_context context,
-                                    pkinit_plg_crypto_context plg_cryptoctx,
-                                    pkinit_req_crypto_context req_cryptoctx,
-                                    pkinit_identity_crypto_context
-                                    id_cryptoctx, krb5_pa_data ***pa_data)
-{
-    krb5_external_principal_identifier **ids;
-    krb5_external_principal_identifier *id;
-    struct issuer_and_serial_number isn;
-    krb5_data *data;
-    SECItem item;
-    krb5_pa_data **typed_data;
-    krb5_error_code code;
-    int i;
-    unsigned int trustf;
-    SECStatus status;
-    PK11SlotList *slist;
-    PK11SlotListElement *sle;
-    CERTCertificate *cert;
-    CERTCertList *sclist, *clist;
-    CERTCertListNode *node;
-
-    *pa_data = NULL;
-
-    /* Build the list of trusted roots. */
-    clist = CERT_NewCertList();
-    if (clist == NULL)
-        return ENOMEM;
-
-    /* Get the list of tokens.  All of them. */
-    slist = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE,
-                              PR_FALSE,
-                              crypto_pwcb_prep(id_cryptoctx, NULL, context));
-    if (slist == NULL) {
-        CERT_DestroyCertList(clist);
-        return ENOENT;
-    }
-
-    /* Walk the list of tokens. */
-    i = 0;
-    status = SECSuccess;
-    for (sle = slist->head; sle != NULL; sle = sle->next) {
-        /* Skip over slots we would still need to log in to before using. */
-        if (!PK11_IsLoggedIn(sle->slot,
-                             crypto_pwcb_prep(id_cryptoctx, NULL, context)) &&
-            PK11_NeedLogin(sle->slot)) {
-            pkiDebug("%s: skipping token \"%s\"\n",
-                     __FUNCTION__, PK11_GetTokenName(sle->slot));
-            continue;
-        }
-        /* Get the list of certs, and skip the slot if it doesn't have
-         * any. */
-        sclist = PK11_ListCertsInSlot(sle->slot);
-        if (sclist == NULL) {
-            pkiDebug("%s: nothing found in token \"%s\"\n",
-                     __FUNCTION__, PK11_GetTokenName(sle->slot));
-            continue;
-        }
-        if (CERT_LIST_EMPTY(sclist)) {
-            CERT_DestroyCertList(sclist);
-            pkiDebug("%s: nothing found in token \"%s\"\n",
-                     __FUNCTION__, PK11_GetTokenName(sle->slot));
-            continue;
-        }
-        /* Walk the list of certs, and for each one that's a trusted
-         * root, add it to the list. */
-        for (node = CERT_LIST_HEAD(sclist);
-             (node != NULL) &&
-                 (node->cert != NULL) &&
-                 !CERT_LIST_END(node, sclist);
-             node = CERT_LIST_NEXT(node)) {
-            /* If we have no trust for it, we can't trust it. */
-            if (node->cert->trust == NULL)
-                continue;
-            /* We need to trust it to issue client certs. */
-            trustf = SEC_GET_TRUST_FLAGS(node->cert->trust, trustSSL);
-            if (!(trustf & CERTDB_TRUSTED_CLIENT_CA))
-                continue;
-            /* DestroyCertList frees all of the certs in the list,
-             * so we need to create a copy that it can own. */
-            cert = CERT_DupCertificate(node->cert);
-            if (cert_maybe_add_to_list(clist, cert) != SECSuccess)
-                status = ENOMEM;
-            else
-                i++;
-        }
-        CERT_DestroyCertList(sclist);
-    }
-    PK11_FreeSlotList(slist);
-    if (status != SECSuccess) {
-        CERT_DestroyCertList(clist);
-        return ENOMEM;
-    }
-
-    /* Allocate some temporary storage. */
-    id = PORT_ArenaZAlloc(req_cryptoctx->pool, sizeof(**ids) * i);
-    ids = PORT_ArenaZAlloc(req_cryptoctx->pool, sizeof(*ids) * (i + 1));
-    if ((id == NULL) || (ids == NULL)) {
-        CERT_DestroyCertList(clist);
-        return ENOMEM;
-    }
-
-    /* Fill in the identifiers. */
-    i = 0;
-    for (node = CERT_LIST_HEAD(clist);
-         (node != NULL) &&
-             (node->cert != NULL) &&
-             !CERT_LIST_END(node, clist);
-         node = CERT_LIST_NEXT(node)) {
-        if (node->cert->keyIDGenerated) {
-            isn.issuer = node->cert->derIssuer;
-            isn.serial = node->cert->serialNumber;
-            if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
-                                   issuer_and_serial_number_template) !=
-                &item) {
-                CERT_DestroyCertList(clist);
-                return ENOMEM;
-            }
-            id[i].issuerAndSerialNumber.data = (char *)item.data;
-            id[i].issuerAndSerialNumber.length = item.len;
-        } else {
-            item = node->cert->subjectKeyID;
-            id[i].subjectKeyIdentifier.data = (char *)item.data;
-            id[i].subjectKeyIdentifier.length = item.len;
-        }
-        ids[i] = &id[i];
-        i++;
-    }
-    ids[i] = NULL;
-
-    /* Pass the list back up. */
-    data = NULL;
-    code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data);
-    CERT_DestroyCertList(clist);
-    if (code != 0)
-        return code;
-    typed_data = malloc(sizeof(*typed_data) * 2);
-    if (typed_data == NULL) {
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0] = malloc(sizeof(**typed_data));
-    if (typed_data[0] == NULL) {
-        free(typed_data);
-        krb5_free_data(context, data);
-        return ENOMEM;
-    }
-    typed_data[0]->pa_type = TD_TRUSTED_CERTIFIERS;
-    typed_data[0]->length = data->length;
-    typed_data[0]->contents = (unsigned char *) data->data;
-    typed_data[1] = NULL;
-    *pa_data = typed_data;
-    free(data);
-    return code;
-}
-
-krb5_error_code
-pkinit_process_td_trusted_certifiers(krb5_context context,
-                                     pkinit_plg_crypto_context plg_cryptoctx,
-                                     pkinit_req_crypto_context req_cryptoctx,
-                                     pkinit_identity_crypto_context
-                                     id_cryptoctx,
-                                     krb5_external_principal_identifier **
-                                     trustedCertifiers,
-                                     int td_type)
-{
-    /* We should select a different client certificate based on the list of
-     * trusted certifiers, but for now we'll just chicken out. */
-    return KRB5KDC_ERR_PREAUTH_FAILED;
-}
-
-/* Check if the encoded issuer/serial matches our (the KDC's) certificate. */
-krb5_error_code
-pkinit_check_kdc_pkid(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      unsigned char *pkid_buf,
-                      unsigned int pkid_len, int *valid_kdcPkId)
-{
-    PLArenaPool *pool;
-    CERTCertificate *cert;
-    SECItem pkid;
-    struct issuer_and_serial_number isn;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    /* Verify that we have selected a certificate for our (the KDC's) own
-     * use. */
-    if (id_cryptoctx->id_cert == NULL)
-        return ENOENT;
-    cert = id_cryptoctx->id_cert;
-
-    /* Decode the pair. */
-    pkid.data = pkid_buf;
-    pkid.len = pkid_len;
-    memset(&isn, 0, sizeof(isn));
-    if (SEC_ASN1DecodeItem(pool, &isn, issuer_and_serial_number_template,
-                           &pkid) != SECSuccess) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Compare the issuer and serial number. */
-    *valid_kdcPkId = SECITEM_ItemsAreEqual(&isn.issuer,
-                                           &cert->derIssuer) &&
-        SECITEM_ItemsAreEqual(&isn.serial, &cert->serialNumber);
-
-    /* Clean up. */
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-krb5_error_code
-pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx,
-                             krb5_prompter_fct prompter, void *prompter_data)
-{
-    id_cryptoctx->pwcb_args.prompter = prompter;
-    id_cryptoctx->pwcb_args.prompter_data = prompter_data;
-    return 0;
-}
-
-/* Convert a DH secret and optional data to a keyblock using the specified
- * digest and a big-endian counter of the specified length that starts at the
- * specified value. */
-static krb5_error_code
-pkinit_octetstring_hkdf(krb5_context context,
-                        SECOidTag hash_alg,
-                        int counter_start, size_t counter_length,
-                        krb5_enctype etype,
-                        unsigned char *dh_key, unsigned int dh_key_len,
-                        char *other_data, unsigned int other_data_len,
-                        krb5_keyblock *krb5key)
-{
-    PK11Context *ctx;
-    unsigned int left, length, rnd_len;
-    unsigned char counter[8], buf[512];  /* the longest digest we support */
-    int i;
-    char *rnd_buf;
-    size_t kbyte, klength;
-    krb5_data rnd_data;
-    krb5_error_code result;
-    NSSInitContext *ncontext;
-
-    if (counter_length > sizeof(counter))
-        return EINVAL;
-    result = krb5_c_keylengths(context, etype, &kbyte, &klength);
-    if (result != 0)
-        return result;
-    rnd_buf = malloc(dh_key_len);
-    if (rnd_buf == NULL)
-        return ENOMEM;
-
-    memset(counter, 0, sizeof(counter));
-    for (i = sizeof(counter) - 1; i >= 0; i--)
-        counter[i] = (counter_start >> (8 * (counter_length - 1 - i))) & 0xff;
-    rnd_len = kbyte;
-    left = rnd_len;
-    ncontext = NSS_InitContext(DEFAULT_CONFIGDIR,
-                               NULL,
-                               NULL,
-                               NULL,
-                               NULL,
-                               NSS_INIT_READONLY |
-                               NSS_INIT_NOCERTDB |
-                               NSS_INIT_NOMODDB |
-                               NSS_INIT_FORCEOPEN |
-                               NSS_INIT_NOROOTINIT |
-                               NSS_INIT_PK11RELOAD);
-    while (left > 0) {
-        ctx = PK11_CreateDigestContext(hash_alg);
-        if (ctx == NULL) {
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        if (PK11_DigestBegin(ctx) != SECSuccess) {
-            PK11_DestroyContext(ctx, PR_TRUE);
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        if (PK11_DigestOp(ctx, counter, counter_length) != SECSuccess) {
-            PK11_DestroyContext(ctx, PR_TRUE);
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        if (PK11_DigestOp(ctx, dh_key, dh_key_len) != SECSuccess) {
-            PK11_DestroyContext(ctx, PR_TRUE);
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        if ((other_data_len > 0) &&
-            (PK11_DigestOp(ctx, (const unsigned char *) other_data,
-                           other_data_len) != SECSuccess)) {
-            PK11_DestroyContext(ctx, PR_TRUE);
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        if (PK11_DigestFinal(ctx, buf, &length, sizeof(buf)) != SECSuccess) {
-            PK11_DestroyContext(ctx, PR_TRUE);
-            krb5int_zap(buf, sizeof(buf));
-            krb5int_zap(rnd_buf, dh_key_len);
-            free(rnd_buf);
-            return ENOMEM;
-        }
-        PK11_DestroyContext(ctx, PR_TRUE);
-        if (left < length) {
-            length = left;
-        }
-        memcpy(rnd_buf + rnd_len - left, buf, length);
-        left -= length;
-        for (i = counter_length - 1; i >= 0; i--) {
-            counter[i] = ((counter[i] + 1) & 0xff);
-            if (counter[i] != 0)
-                break;
-        }
-    }
-
-    if (NSS_ShutdownContext(ncontext) != SECSuccess)
-        pkiDebug("%s: error shutting down context\n", __FUNCTION__);
-
-    krb5key->contents = malloc(klength);
-    if (krb5key->contents == NULL) {
-        krb5key->length = 0;
-        return ENOMEM;
-    }
-    krb5key->length = klength;
-    krb5key->enctype = etype;
-
-    rnd_data.data = rnd_buf;
-    rnd_data.length = rnd_len;
-    result = krb5_c_random_to_key(context, etype, &rnd_data, krb5key);
-
-    krb5int_zap(buf, sizeof(buf));
-    krb5int_zap(rnd_buf, dh_key_len);
-    free(rnd_buf);
-
-    return result;
-}
-
-/* Convert a DH secret to a keyblock, RFC4556-style. */
-krb5_error_code
-pkinit_octetstring2key(krb5_context context,
-                       krb5_enctype etype,
-                       unsigned char *dh_key,
-                       unsigned int dh_key_len, krb5_keyblock *krb5key)
-{
-    return pkinit_octetstring_hkdf(context,
-                                   SEC_OID_SHA1, 0, 1, etype,
-                                   dh_key, dh_key_len, NULL, 0,
-                                   krb5key);
-}
-
-/* Return TRUE if the item and the "algorithm" part of the algorithm identifier
- * are the same. */
-static PRBool
-data_and_ptr_and_length_equal(const krb5_data *data,
-                              const void *ptr, size_t len)
-{
-    return (data->length == len) && (memcmp(data->data, ptr, len) == 0);
-}
-
-/* Encode the other info used by the agility KDF.  Taken almost verbatim from
- * parts of the agility KDF in pkinit_crypto_openssl.c */
-static krb5_error_code
-encode_agility_kdf_other_info(krb5_context context,
-                              krb5_data *alg_oid,
-                              krb5_const_principal party_u_info,
-                              krb5_const_principal party_v_info,
-                              krb5_enctype enctype,
-                              krb5_data *as_req,
-                              krb5_data *pk_as_rep,
-                              krb5_data **other_info)
-{
-    krb5_error_code retval = 0;
-    krb5_sp80056a_other_info other_info_fields;
-    krb5_pkinit_supp_pub_info supp_pub_info_fields;
-    krb5_data *supp_pub_info = NULL;
-    krb5_algorithm_identifier alg_id;
-
-    /* If this is anonymous pkinit, we need to use the anonymous principal for
-     * party_u_info */
-    if (party_u_info &&
-        krb5_principal_compare_any_realm(context, party_u_info,
-                                         krb5_anonymous_principal()))
-        party_u_info = krb5_anonymous_principal();
-
-    /* Encode the ASN.1 octet string for "SuppPubInfo" */
-    supp_pub_info_fields.enctype = enctype;
-    supp_pub_info_fields.as_req = *as_req;
-    supp_pub_info_fields.pk_as_rep = *pk_as_rep;
-    retval = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields,
-                                              &supp_pub_info);
-    if (retval != 0)
-        goto cleanup;
-
-    /* Now encode the ASN.1 octet string for "OtherInfo" */
-    memset(&alg_id, 0, sizeof alg_id);
-    alg_id.algorithm = *alg_oid; /*alias, don't have to free it*/
-
-    other_info_fields.algorithm_identifier = alg_id;
-    other_info_fields.party_u_info = (krb5_principal) party_u_info;
-    other_info_fields.party_v_info = (krb5_principal) party_v_info;
-    other_info_fields.supp_pub_info = *supp_pub_info;
-    retval = encode_krb5_sp80056a_other_info(&other_info_fields, other_info);
-    if (retval != 0)
-        goto cleanup;
-
-cleanup:
-    krb5_free_data(context, supp_pub_info);
-
-    return retval;
-}
-
-/* Convert a DH secret to a keyblock using the key derivation function
- * identified by the passed-in algorithm identifier.  Return ENOSYS if it's not
- * one that we support. */
-krb5_error_code
-pkinit_alg_agility_kdf(krb5_context context,
-                       krb5_data *secret,
-                       krb5_data *alg_oid,
-                       krb5_const_principal party_u_info,
-                       krb5_const_principal party_v_info,
-                       krb5_enctype enctype,
-                       krb5_data *as_req,
-                       krb5_data *pk_as_rep,
-                       krb5_keyblock *key_block)
-{
-    krb5_data *other_info = NULL;
-    krb5_error_code retval = ENOSYS;
-
-    retval = encode_agility_kdf_other_info(context,
-                                           alg_oid,
-                                           party_u_info,
-                                           party_v_info,
-                                           enctype, as_req, pk_as_rep,
-                                           &other_info);
-    if (retval != 0)
-        return retval;
-
-    if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid,
-                                      krb5_pkinit_sha512_oid_len))
-        retval = pkinit_octetstring_hkdf(context,
-                                         SEC_OID_SHA512, 1, 4, enctype,
-                                         (unsigned char *)secret->data,
-                                         secret->length, other_info->data,
-                                         other_info->length, key_block);
-    else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid,
-                                           krb5_pkinit_sha256_oid_len))
-        retval = pkinit_octetstring_hkdf(context,
-                                         SEC_OID_SHA256, 1, 4, enctype,
-                                         (unsigned char *)secret->data,
-                                         secret->length, other_info->data,
-                                         other_info->length, key_block);
-    else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid,
-                                           krb5_pkinit_sha1_oid_len))
-        retval = pkinit_octetstring_hkdf(context,
-                                         SEC_OID_SHA1, 1, 4, enctype,
-                                         (unsigned char *)secret->data,
-                                         secret->length, other_info->data,
-                                         other_info->length, key_block);
-    else
-        retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
-
-    krb5_free_data(context, other_info);
-
-    return retval;
-}
-
-static int
-cert_add_string(unsigned char ***list, int *count,
-                int len, const unsigned char *value)
-{
-    unsigned char **tmp;
-
-    tmp = malloc(sizeof(tmp[0]) * (*count + 2));
-    if (tmp == NULL) {
-        return ENOMEM;
-    }
-    memcpy(tmp, *list, *count * sizeof(tmp[0]));
-    tmp[*count] = malloc(len + 1);
-    if (tmp[*count] == NULL) {
-        free(tmp);
-        return ENOMEM;
-    }
-    memcpy(tmp[*count], value, len);
-    tmp[*count][len] = '\0';
-    tmp[*count + 1] = NULL;
-    if (*count != 0) {
-        free(*list);
-    }
-    *list = tmp;
-    (*count)++;
-    return 0;
-}
-
-static int
-cert_add_princ(krb5_context context, krb5_principal princ,
-               krb5_principal **sans_inout, int *n_sans_inout)
-{
-    krb5_principal *tmp;
-
-    tmp = malloc(sizeof(krb5_principal *) * (*n_sans_inout + 2));
-    if (tmp == NULL) {
-        return ENOMEM;
-    }
-    memcpy(tmp, *sans_inout, sizeof(tmp[0]) * *n_sans_inout);
-    if (krb5_copy_principal(context, princ, &tmp[*n_sans_inout]) != 0) {
-        free(tmp);
-        return ENOMEM;
-    }
-    tmp[*n_sans_inout + 1] = NULL;
-    if (*n_sans_inout > 0) {
-        free(*sans_inout);
-    }
-    *sans_inout = tmp;
-    (*n_sans_inout)++;
-    return 0;
-}
-
-static int
-cert_add_upn(PLArenaPool * pool, krb5_context context, SECItem *name,
-             krb5_principal **sans_inout, int *n_sans_inout)
-{
-    SECItem decoded;
-    char *unparsed;
-    krb5_principal tmp;
-    int i;
-
-    /* Decode the string. */
-    memset(&decoded, 0, sizeof(decoded));
-    if (SEC_ASN1DecodeItem(pool, &decoded,
-                           SEC_ASN1_GET(SEC_UTF8StringTemplate),
-                           name) != SECSuccess) {
-        return ENOMEM;
-    }
-    unparsed = malloc(decoded.len + 1);
-    if (unparsed == NULL) {
-        return ENOMEM;
-    }
-    memcpy(unparsed, decoded.data, decoded.len);
-    unparsed[decoded.len] = '\0';
-    /* Parse the string into a principal name. */
-    if (krb5_parse_name(context, unparsed, &tmp) != 0) {
-        free(unparsed);
-        return ENOMEM;
-    }
-    free(unparsed);
-    /* Unparse the name back into a string and make sure it matches what
-     * was in the certificate. */
-    if (krb5_unparse_name(context, tmp, &unparsed) != 0) {
-        krb5_free_principal(context, tmp);
-        return ENOMEM;
-    }
-    if ((strlen(unparsed) != decoded.len) ||
-        (memcmp(unparsed, decoded.data, decoded.len) != 0)) {
-        krb5_free_unparsed_name(context, unparsed);
-        krb5_free_principal(context, tmp);
-        return ENOMEM;
-    }
-    /* Add the principal name to the list. */
-    i = cert_add_princ(context, tmp, sans_inout, n_sans_inout);
-    krb5_free_unparsed_name(context, unparsed);
-    krb5_free_principal(context, tmp);
-    return i;
-}
-
-static int
-cert_add_kpn(PLArenaPool * pool, krb5_context context, SECItem *name,
-             krb5_principal** sans_inout, int *n_sans_inout)
-{
-    struct kerberos_principal_name kname;
-    SECItem **names;
-    krb5_data *comps;
-    krb5_principal_data tmp;
-    unsigned long name_type;
-    int i, j;
-
-    /* Decode the structure. */
-    memset(&kname, 0, sizeof(kname));
-    if (SEC_ASN1DecodeItem(pool, &kname,
-                           kerberos_principal_name_template,
-                           name) != SECSuccess)
-        return ENOMEM;
-
-    /* Recover the name type and count the components. */
-    if (SEC_ASN1DecodeInteger(&kname.principal_name.name_type,
-                              &name_type) != SECSuccess)
-        return ENOMEM;
-    names = kname.principal_name.name_string;
-    for (i = 0; (names != NULL) && (names[i] != NULL); i++)
-        continue;
-    comps = malloc(sizeof(comps[0]) * i);
-
-    /* Fake up a principal structure. */
-    for (j = 0; j < i; j++) {
-        comps[j].length = names[j]->len;
-        comps[j].data = (char *) names[j]->data;
-    }
-    memset(&tmp, 0, sizeof(tmp));
-    tmp.type = name_type;
-    tmp.realm.length = kname.realm.len;
-    tmp.realm.data = (char *) kname.realm.data;
-    tmp.length = i;
-    tmp.data = comps;
-
-    /* Add the principal name to the list. */
-    i = cert_add_princ(context, &tmp, sans_inout, n_sans_inout);
-    free(comps);
-    return i;
-}
-
-static const char *
-crypto_get_identity_by_slot(krb5_context context,
-                            pkinit_identity_crypto_context id_cryptoctx,
-                            PK11SlotInfo *slot)
-{
-    PK11SlotInfo *mslot;
-    struct _pkinit_identity_crypto_userdb *userdb;
-    struct _pkinit_identity_crypto_module *module;
-    int i, j;
-
-    mslot = id_cryptoctx->id_p12_slot.slot;
-    if ((mslot != NULL) && (PK11_GetSlotID(mslot) == PK11_GetSlotID(slot)))
-        return id_cryptoctx->id_p12_slot.p12name;
-    for (i = 0;
-         (id_cryptoctx->id_userdbs != NULL) &&
-         (id_cryptoctx->id_userdbs[i] != NULL);
-         i++) {
-        userdb = id_cryptoctx->id_userdbs[i];
-        if (PK11_GetSlotID(userdb->userdb) == PK11_GetSlotID(slot))
-            return userdb->name;
-    }
-    for (i = 0;
-         (id_cryptoctx->id_modules != NULL) &&
-         (id_cryptoctx->id_modules[i] != NULL);
-         i++) {
-        module = id_cryptoctx->id_modules[i];
-        for (j = 0; j < module->module->slotCount; j++) {
-            mslot = module->module->slots[j];
-            if (PK11_GetSlotID(mslot) == PK11_GetSlotID(slot))
-                return module->name;
-        }
-    }
-    return NULL;
-}
-
-static void
-crypto_update_signer_identity(krb5_context context,
-                              pkinit_identity_crypto_context id_cryptoctx)
-{
-    PK11SlotList *slist;
-    PK11SlotListElement *sle;
-    CERTCertificate *cert;
-    struct _pkinit_identity_crypto_file *obj;
-    int i;
-
-    id_cryptoctx->identity = NULL;
-    if (id_cryptoctx->id_cert == NULL)
-        return;
-    cert = id_cryptoctx->id_cert;
-    for (i = 0;
-         (id_cryptoctx->id_objects != NULL) &&
-         (id_cryptoctx->id_objects[i] != NULL);
-         i++) {
-        obj = id_cryptoctx->id_objects[i];
-        if ((obj->cert != NULL) && CERT_CompareCerts(obj->cert, cert)) {
-            id_cryptoctx->identity = obj->name;
-            return;
-        }
-    }
-    if (cert->slot != NULL) {
-        id_cryptoctx->identity = crypto_get_identity_by_slot(context,
-                                                             id_cryptoctx,
-                                                             cert->slot);
-        if (id_cryptoctx->identity != NULL)
-            return;
-    }
-    slist = PK11_GetAllSlotsForCert(cert, NULL);
-    if (slist != NULL) {
-        for (sle = PK11_GetFirstSafe(slist);
-             sle != NULL;
-             sle = PK11_GetNextSafe(slist, sle, PR_FALSE)) {
-            id_cryptoctx->identity = crypto_get_identity_by_slot(context,
-                                                                 id_cryptoctx,
-                                                                 sle->slot);
-            if (id_cryptoctx->identity != NULL) {
-                PK11_FreeSlotList(slist);
-                return;
-            }
-        }
-        PK11_FreeSlotList(slist);
-    }
-}
-
-krb5_error_code
-crypto_retrieve_signer_identity(krb5_context context,
-                                pkinit_identity_crypto_context id_cryptoctx,
-                                const char **identity)
-{
-    *identity = id_cryptoctx->identity;
-    if (*identity == NULL)
-        return ENOENT;
-    return 0;
-}
-
-static krb5_error_code
-cert_retrieve_cert_sans(krb5_context context,
-                        CERTCertificate *cert,
-                        krb5_principal **pkinit_sans_out,
-                        krb5_principal **upn_sans_out,
-                        unsigned char ***kdc_hostname_out)
-{
-    PLArenaPool *pool;
-    CERTGeneralName name;
-    SECItem *ext, **encoded_names;
-    int i, n_pkinit_sans, n_upn_sans, n_hostnames;
-
-    /* Pull out the extension. */
-    ext = cert_get_ext_by_tag(cert, SEC_OID_X509_SUBJECT_ALT_NAME);
-    if (ext == NULL)
-        return ENOENT;
-
-    /* Split up the list of names. */
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    encoded_names = NULL;
-    if (SEC_ASN1DecodeItem(pool, &encoded_names,
-                           SEC_ASN1_GET(SEC_SequenceOfAnyTemplate),
-                           ext) != SECSuccess) {
-        pkiDebug("%s: error decoding subjectAltName extension\n",
-                 __FUNCTION__);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Check each name in turn. */
-    for (i = 0, n_pkinit_sans = 0, n_upn_sans = 0, n_hostnames = 0;
-         (encoded_names != NULL) && (encoded_names[i] != NULL);
-         i++) {
-        memset(&name, 0, sizeof(name));
-        if (CERT_DecodeGeneralName(pool, encoded_names[i], &name) != &name) {
-            pkiDebug("%s: error decoding GeneralName value, skipping\n",
-                     __FUNCTION__);
-            continue;
-        }
-        switch (name.type) {
-        case certDNSName:
-            /* hostname, easy */
-            if ((kdc_hostname_out != NULL) &&
-                (cert_add_string(kdc_hostname_out, &n_hostnames,
-                                 name.name.other.len,
-                                 name.name.other.data) != 0)) {
-                PORT_FreeArena(pool, PR_TRUE);
-                return ENOMEM;
-            }
-            break;
-        case certOtherName:
-            /* possibly a kerberos principal name */
-            if (SECITEM_ItemsAreEqual(&name.name.OthName.oid,
-                                      &pkinit_nt_principal)) {
-                /* Add it to the list. */
-                if ((pkinit_sans_out != NULL) &&
-                    (cert_add_kpn(pool, context, &name.name.OthName.name,
-                                  pkinit_sans_out, &n_pkinit_sans) != 0)) {
-                    PORT_FreeArena(pool, PR_TRUE);
-                    return ENOMEM;
-                }
-                /* If both lists are the same, fix the count. */
-                if (pkinit_sans_out == upn_sans_out)
-                    n_upn_sans = n_pkinit_sans;
-            } else
-                /* possibly a user principal name */
-                if (SECITEM_ItemsAreEqual(&name.name.OthName.oid,
-                                          &pkinit_nt_upn)) {
-                    /* Add it to the list. */
-                    if ((upn_sans_out != NULL) &&
-                        (cert_add_upn(pool, context, &name.name.OthName.name,
-                                      upn_sans_out, &n_upn_sans) != 0)) {
-                        PORT_FreeArena(pool, PR_TRUE);
-                        return ENOMEM;
-                    }
-                    /* If both lists are the same, fix the count. */
-                    if (upn_sans_out == pkinit_sans_out)
-                        n_pkinit_sans = n_upn_sans;
-                }
-            break;
-        default:
-            break;
-        }
-    }
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-krb5_error_code
-crypto_retrieve_cert_sans(krb5_context context,
-                          pkinit_plg_crypto_context plg_cryptoctx,
-                          pkinit_req_crypto_context req_cryptoctx,
-                          pkinit_identity_crypto_context id_cryptoctx,
-                          krb5_principal **pkinit_sans,
-                          krb5_principal **upn_sans,
-                          unsigned char ***kdc_hostname)
-{
-    return cert_retrieve_cert_sans(context,
-                                   req_cryptoctx->peer_cert,
-                                   pkinit_sans, upn_sans, kdc_hostname);
-}
-
-krb5_error_code
-crypto_check_cert_eku(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      int checking_kdc_cert,
-                      int allow_secondary_usage, int *eku_valid)
-{
-    int ku, eku;
-
-    *eku_valid = 0;
-
-    ku = cert_get_ku_bits(context, req_cryptoctx->peer_cert);
-    if (!(ku & PKINIT_KU_DIGITALSIGNATURE)) {
-        return 0;
-    }
-
-    eku = cert_get_eku_bits(context, req_cryptoctx->peer_cert,
-                            checking_kdc_cert ? PR_TRUE : PR_FALSE);
-    if (checking_kdc_cert) {
-        if (eku & PKINIT_EKU_PKINIT) {
-            *eku_valid = 1;
-        } else if (allow_secondary_usage && (eku & PKINIT_EKU_CLIENTAUTH)) {
-            *eku_valid = 1;
-        }
-    } else {
-        if (eku & PKINIT_EKU_PKINIT) {
-            *eku_valid = 1;
-        } else if (allow_secondary_usage && (eku & PKINIT_EKU_MSSCLOGIN)) {
-            *eku_valid = 1;
-        }
-    }
-    return 0;
-}
-
-krb5_error_code
-cms_contentinfo_create(krb5_context context,
-                       pkinit_plg_crypto_context plg_cryptoctx,
-                       pkinit_req_crypto_context req_cryptoctx,
-                       pkinit_identity_crypto_context id_cryptoctx,
-                       int cms_msg_type,
-                       unsigned char *in_data, unsigned int in_length,
-                       unsigned char **out_data, unsigned int *out_data_len)
-{
-    PLArenaPool *pool;
-    SECItem *oid, encoded;
-    SECOidTag encapsulated_tag;
-    struct content_info cinfo;
-
-    switch (cms_msg_type) {
-    case CMS_SIGN_DRAFT9:
-        encapsulated_tag = get_pkinit_data_auth_data9_tag();
-        break;
-    case CMS_SIGN_CLIENT:
-        encapsulated_tag = get_pkinit_data_auth_data_tag();
-        break;
-    case CMS_SIGN_SERVER:
-        encapsulated_tag = get_pkinit_data_dhkey_data_tag();
-        break;
-    case CMS_ENVEL_SERVER:
-        encapsulated_tag = get_pkinit_data_rkey_data_tag();
-        break;
-    default:
-        return ENOSYS;
-        break;
-    }
-
-    oid = get_oid_from_tag(encapsulated_tag);
-    if (oid == NULL) {
-        return ENOMEM;
-    }
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL) {
-        return ENOMEM;
-    }
-
-    memset(&cinfo, 0, sizeof(cinfo));
-    cinfo.content_type = *oid;
-    cinfo.content.data = in_data;
-    cinfo.content.len = in_length;
-
-    memset(&encoded, 0, sizeof(encoded));
-    if (SEC_ASN1EncodeItem(pool, &encoded, &cinfo,
-                           content_info_template) != &encoded) {
-        PORT_FreeArena(pool, PR_TRUE);
-        pkiDebug("%s: error encoding data\n", __FUNCTION__);
-        return ENOMEM;
-    }
-
-    if (secitem_to_buf_len(&encoded, out_data, out_data_len) != 0) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-#ifdef DEBUG_DER
-    derdump(*out_data, *out_data_len);
-#endif
-#ifdef DEBUG_CMS
-    cmsdump(*out_data, *out_data_len);
-#endif
-
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-/* Create a signed-data content info, add a signature to it, and return it. */
-enum sdcc_include_certchain {
-    signeddata_common_create_omit_chain,
-    signeddata_common_create_with_chain
-};
-enum sdcc_include_signed_attrs {
-    signeddata_common_create_omit_signed_attrs,
-    signeddata_common_create_with_signed_attrs
-};
-static krb5_error_code
-crypto_signeddata_common_create(krb5_context context,
-                                pkinit_plg_crypto_context plg_cryptoctx,
-                                pkinit_req_crypto_context req_cryptoctx,
-                                pkinit_identity_crypto_context id_cryptoctx,
-                                NSSCMSMessage *msg,
-                                SECOidTag digest,
-                                enum sdcc_include_certchain certchain_mode,
-                                enum sdcc_include_signed_attrs add_signedattrs,
-                                NSSCMSSignedData **signed_data_out)
-{
-    NSSCMSSignedData *sdata;
-    NSSCMSSignerInfo *signer;
-    NSSCMSCertChainMode chainmode;
-
-    /* Create a signed-data object. */
-    sdata = NSS_CMSSignedData_Create(msg);
-    if (sdata == NULL)
-        return ENOMEM;
-
-    if (id_cryptoctx->id_cert != NULL) {
-        /* Create a signer and add it to the signed-data pointer. */
-        signer = NSS_CMSSignerInfo_Create(msg, id_cryptoctx->id_cert, digest);
-        if (signer == NULL)
-            return ENOMEM;
-        chainmode = (certchain_mode == signeddata_common_create_with_chain) ?
-                    NSSCMSCM_CertChain :
-                    NSSCMSCM_CertOnly;
-        if (NSS_CMSSignerInfo_IncludeCerts(signer,
-                                           chainmode,
-                                           certUsageAnyCA) != SECSuccess) {
-            pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__);
-            return ENOMEM;
-        }
-        if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess)
-            return ENOMEM;
-
-        if (add_signedattrs == signeddata_common_create_with_signed_attrs) {
-            /* The presence of any signed attribute means the digest
-             * becomes a signed attribute, too. */
-            if (NSS_CMSSignerInfo_AddSigningTime(signer,
-                                                 PR_Now()) != SECSuccess) {
-                pkiDebug("%s: error adding signing time\n", __FUNCTION__);
-                return ENOMEM;
-            }
-        }
-    }
-
-    *signed_data_out = sdata;
-    return 0;
-}
-
-/* Create signed-then-enveloped data. */
-krb5_error_code
-cms_envelopeddata_create(krb5_context context,
-                         pkinit_plg_crypto_context plg_cryptoctx,
-                         pkinit_req_crypto_context req_cryptoctx,
-                         pkinit_identity_crypto_context id_cryptoctx,
-                         krb5_preauthtype pa_type,
-                         int include_certchain,
-                         unsigned char *key_pack,
-                         unsigned int key_pack_len,
-                         unsigned char **envel_data,
-                         unsigned int *envel_data_len)
-{
-    NSSCMSMessage *msg;
-    NSSCMSContentInfo *info;
-    NSSCMSEnvelopedData *env;
-    NSSCMSRecipientInfo *recipient;
-    NSSCMSSignedData *sdata;
-    PLArenaPool *pool;
-    SECOidTag encapsulated_tag, digest;
-    SECItem plain, encoded;
-    enum sdcc_include_signed_attrs add_signed_attrs;
-
-    switch (pa_type) {
-    case KRB5_PADATA_PK_AS_REQ_OLD:
-    case KRB5_PADATA_PK_AS_REP_OLD:
-        digest = SEC_OID_MD5;
-        add_signed_attrs = signeddata_common_create_omit_signed_attrs;
-        encapsulated_tag = get_pkinit_data_rkey_data_tag();
-        break;
-    case KRB5_PADATA_PK_AS_REQ:
-    case KRB5_PADATA_PK_AS_REP:
-        digest = SEC_OID_SHA1;
-        add_signed_attrs = signeddata_common_create_with_signed_attrs;
-        encapsulated_tag = get_pkinit_data_rkey_data_tag();
-        break;
-    default:
-        return ENOSYS;
-        break;
-    }
-
-    if (id_cryptoctx->id_cert == NULL) {
-        pkiDebug("%s: no signer identity\n", __FUNCTION__);
-        return ENOENT;
-    }
-
-    if (req_cryptoctx->peer_cert == NULL) {
-        pkiDebug("%s: no recipient identity\n", __FUNCTION__);
-        return ENOENT;
-    }
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL) {
-        return ENOMEM;
-    }
-
-    /* Create the containing message. */
-    msg = NSS_CMSMessage_Create(pool);
-    if (msg == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Create an enveloped-data pointer and set it as the message's
-     * contents. */
-    env = NSS_CMSEnvelopedData_Create(msg, SEC_OID_DES_EDE3_CBC, 0);
-    if (env == NULL) {
-        pkiDebug("%s: error creating enveloped-data\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    info = NSS_CMSMessage_GetContentInfo(msg);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_SetContent_EnvelopedData(msg, info,
-                                                    env) != SECSuccess) {
-        pkiDebug("%s: error setting enveloped-data content\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Create a recipient and add it to the enveloped-data pointer. */
-    recipient = NSS_CMSRecipientInfo_Create(msg, req_cryptoctx->peer_cert);
-    if (recipient == NULL) {
-        pkiDebug("%s: error creating recipient-info\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSEnvelopedData_AddRecipient(env, recipient) != SECSuccess) {
-        pkiDebug("%s: error adding recipient\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Create a signed-data pointer and set it as the enveloped-data's
-     * contents. */
-    info = NSS_CMSEnvelopedData_GetContentInfo(env);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    sdata = NULL;
-    if ((crypto_signeddata_common_create(context,
-                                         plg_cryptoctx,
-                                         req_cryptoctx,
-                                         id_cryptoctx,
-                                         msg,
-                                         digest,
-                                         include_certchain ?
-                                         signeddata_common_create_with_chain :
-                                         signeddata_common_create_omit_chain,
-                                         add_signed_attrs,
-                                         &sdata) != 0) || (sdata == NULL)) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_SetContent_SignedData(msg, info,
-                                                 sdata) != SECSuccess) {
-        pkiDebug("%s: error setting signed-data content\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Set the raw data as the contents for the signed-data. */
-    info = NSS_CMSSignedData_GetContentInfo(sdata);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag,
-                                      NULL) != SECSuccess) {
-        pkiDebug("%s: error setting encapsulated content\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Encode and export. */
-    memset(&plain, 0, sizeof(plain));
-    plain.data = key_pack;
-    plain.len = key_pack_len;
-    memset(&encoded, 0, sizeof(encoded));
-    if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) {
-        pkiDebug("%s: error encoding enveloped-data\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (secitem_to_buf_len(&encoded, envel_data, envel_data_len) != 0) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-#ifdef DEBUG_DER
-    derdump(*envel_data, *envel_data_len);
-#endif
-#ifdef DEBUG_CMS
-    cmsdump(*envel_data, *envel_data_len);
-#endif
-
-    NSS_CMSMessage_Destroy(msg);
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-/* Check if this cert is marked as a CA which is trusted to issue certs for
- * the indicated usage.  Return PR_TRUE if it is. */
-static PRBool
-crypto_is_cert_trusted(CERTCertificate *cert, SECCertUsage usage)
-{
-    CERTCertTrust trust;
-    unsigned int ca_trust;
-
-    if (usage == certUsageSSLClient)
-        ca_trust = CERTDB_TRUSTED_CLIENT_CA;
-    else if (usage == certUsageSSLServer)
-        ca_trust = CERTDB_TRUSTED_CA;
-    else {
-        pkiDebug("%s: internal error: needed CA trust unknown\n", __FUNCTION__);
-        return PR_FALSE;
-    }
-    memset(&trust, 0, sizeof(trust));
-    if (CERT_GetCertTrust(cert, &trust) != SECSuccess) {
-        pkiDebug("%s: unable to find trust for \"%s\"\n", __FUNCTION__,
-                 cert->subjectName);
-        return PR_FALSE;
-    }
-    if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) & ca_trust) != ca_trust) {
-        pkiDebug("%s: \"%s\" is not a trusted CA\n", __FUNCTION__,
-                 cert->subjectName);
-        return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-/* Check if this cert includes an AuthorityInfoAccess extension which points
- * to an OCSP responder.  Return PR_TRUE if it does. */
-static PRBool
-crypto_cert_has_ocsp_responder(CERTCertificate *cert)
-{
-    CERTAuthInfoAccess **aia;
-    SECOidData *ocsp;
-    SECItem encoded_aia;
-    int i;
-
-    /* Look up the OID for "use an OCSP responder". */
-    ocsp = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP);
-    if (ocsp == NULL) {
-        pkiDebug("%s: internal error: OCSP not known\n", __FUNCTION__);
-        return PR_FALSE;
-    }
-    /* Find the AIA extension. */
-    memset(&encoded_aia, 0, sizeof(encoded_aia));
-    if (CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
-                               &encoded_aia) != SECSuccess) {
-        pkiDebug("%s: no AuthorityInfoAccess extension for \"%s\"\n",
-                 __FUNCTION__, cert->subjectName);
-        return PR_FALSE;
-    }
-    /* Decode the AIA extension. */
-    aia = CERT_DecodeAuthInfoAccessExtension(cert->arena, &encoded_aia);
-    if (aia == NULL) {
-        pkiDebug("%s: error parsing AuthorityInfoAccess for \"%s\"\n",
-                 __FUNCTION__, cert->subjectName);
-        return PR_FALSE;
-    }
-    /* We're looking for at least one OCSP responder. */
-    for (i = 0; (aia[i] != NULL); i++)
-        if (SECITEM_ItemsAreEqual(&(aia[i]->method), &(ocsp->oid))) {
-            pkiDebug("%s: found OCSP responder for \"%s\"\n",
-                     __FUNCTION__, cert->subjectName);
-            return PR_TRUE;
-        }
-    return PR_FALSE;
-}
-
-/* In the original implementation, the assumption has been that we'd use any
- * CRLs, and if we were missing a CRL for the certificate or any point in its
- * issuing chain, we'd raise a failure iff the require_crl_checking flag was
- * set.
- *
- * This is not exactly how NSS does things.  When checking the revocation
- * status of a particular certificate, NSS will consult a cached copy of a CRL
- * issued by the certificate's issuer if one's available.  If the CRL shows
- * that the certificate is revoked, it returns an error.  If it succeeds,
- * however, processing continues, and if the certificate contains an AIA
- * extension which lists an OCSP responder, the library attempts to contact the
- * responder to also give it a chance to tell us that the certificate has been
- * revoked.  We can control what happens if this connection attempt fails by
- * calling CERT_SetOCSPFailureMode().
- *
- * We attempt to compensate for this difference in behavior by walking the
- * issuing chain ourselves, ensuring that for the certificate and all of its
- * issuers, that either we have a CRL on-hand for its issuer, or if OCSP
- * checking is allowed, that the certificate contains the location of an OCSP
- * responder.  We stop only when we reach a trusted CA certificate, as NSS
- * does. */
-static int
-crypto_check_for_revocation_information(CERTCertificate *cert,
-                                        CERTCertDBHandle *certdb,
-                                        PRBool allow_ocsp_checking,
-                                        SECCertUsage usage)
-{
-    CERTCertificate *issuer;
-    CERTSignedCrl *crl;
-
-    issuer = CERT_FindCertIssuer(cert, PR_Now(), usage);
-    while (issuer != NULL) {
-        /* Do we have a CRL for this cert's issuer? */
-        crl = SEC_FindCrlByName(certdb, &cert->derIssuer, SEC_CRL_TYPE);
-        if (crl != NULL) {
-            pkiDebug("%s: have CRL for \"%s\"\n", __FUNCTION__,
-                     cert->issuerName);
-        } else {
-            SEC_DestroyCrl(crl);
-            if (allow_ocsp_checking) {
-                /* Check if the cert points to an OCSP responder. */
-                if (!crypto_cert_has_ocsp_responder(cert)) {
-                    /* No CRL, no OCSP responder. */
-                    pkiDebug("%s: no OCSP responder for \"%s\"\n", __FUNCTION__,
-                             cert->subjectName);
-                    return -1;
-                }
-            } else {
-                /* No CRL, and OCSP not allowed. */
-                pkiDebug("%s: no CRL for issuer \"%s\"\n", __FUNCTION__,
-                         cert->issuerName);
-                return -1;
-            }
-        }
-        /* Check if this issuer is a trusted CA.  If it is, we're done. */
-        if (crypto_is_cert_trusted(issuer, usage)) {
-            pkiDebug("%s: \"%s\" is a trusted CA\n", __FUNCTION__,
-                     issuer->subjectName);
-            CERT_DestroyCertificate(issuer);
-            return 0;
-        }
-        /* Move on to the next link in the chain. */
-        cert = issuer;
-        issuer = CERT_FindCertIssuer(cert, PR_Now(), usage);
-        if (issuer == NULL) {
-            pkiDebug("%s: unable to find issuer for \"%s\"\n", __FUNCTION__,
-                     cert->subjectName);
-            /* Don't leak the reference to the last intermediate. */
-            CERT_DestroyCertificate(cert);
-            return -1;
-        }
-        if (SECITEM_ItemsAreEqual(&cert->derCert, &issuer->derCert)) {
-            pkiDebug("%s: \"%s\" is self-signed, but not trusted\n",
-                     __FUNCTION__, cert->subjectName);
-            /* Don't leak the references to the self-signed cert. */
-            CERT_DestroyCertificate(issuer);
-            CERT_DestroyCertificate(cert);
-            return -1;
-        }
-        /* Don't leak the reference to the just-traversed intermediate. */
-        CERT_DestroyCertificate(cert);
-        cert = NULL;
-    }
-    return -1;
-}
-
-/* Verify that we have a signed-data content info, that it has one signer, that
- * the signer can be trusted, and then check the type of the encapsulated
- * content and return that content. */
-static krb5_error_code
-crypto_signeddata_common_verify(krb5_context context,
-                                pkinit_plg_crypto_context plg_cryptoctx,
-                                pkinit_req_crypto_context req_cryptoctx,
-                                pkinit_identity_crypto_context id_cryptoctx,
-                                int require_crl_checking,
-                                NSSCMSContentInfo *cinfo,
-                                CERTCertDBHandle *certdb,
-                                SECCertUsage usage,
-                                SECOidTag expected_type,
-                                SECOidTag expected_type2,
-                                PLArenaPool *pool,
-                                int cms_msg_type,
-                                SECItem **plain_out,
-                                int *is_signed_out)
-{
-    NSSCMSSignedData *sdata;
-    NSSCMSSignerInfo *signer;
-    NSSCMSMessage *ecmsg;
-    NSSCMSContentInfo *ecinfo;
-    CERTCertificate *cert;
-    SECOidTag encapsulated_tag;
-    SEC_OcspFailureMode ocsp_failure_mode;
-    SECOidData *expected, *received;
-    SECStatus status;
-    SECItem *edata;
-    int n_signers;
-    PRBool allow_ocsp_checking = PR_TRUE;
-
-    *is_signed_out = 0;
-
-    /* Handle cases where we're passed data containing signed-data. */
-    if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
-        /* Look at the payload data. */
-        edata = NSS_CMSContentInfo_GetContent(cinfo);
-        if (edata == NULL) {
-            pkiDebug("%s: no plain-data content\n", __FUNCTION__);
-            return ENOMEM;
-        }
-        /* See if it's content-info. */
-        ecmsg = NSS_CMSMessage_CreateFromDER(edata,
-                                             NULL, NULL,
-                                             crypto_pwcb,
-                                             crypto_pwcb_prep(id_cryptoctx,
-                                                              NULL, context),
-                                             NULL, NULL);
-        if (ecmsg == NULL) {
-            pkiDebug("%s: plain-data not parsable\n", __FUNCTION__);
-            return ENOMEM;
-        }
-        /* Check if it actually contains signed-data. */
-        ecinfo = NSS_CMSMessage_GetContentInfo(ecmsg);
-        if (ecinfo == NULL) {
-            pkiDebug("%s: plain-data has no cinfo\n", __FUNCTION__);
-            NSS_CMSMessage_Destroy(ecmsg);
-            return ENOMEM;
-        }
-        if (NSS_CMSContentInfo_GetContentTypeTag(ecinfo) !=
-            SEC_OID_PKCS7_SIGNED_DATA) {
-            pkiDebug("%s: plain-data is not sdata\n", __FUNCTION__);
-            NSS_CMSMessage_Destroy(ecmsg);
-            return EINVAL;
-        }
-        pkiDebug("%s: parsed plain-data (length=%ld) as signed-data\n",
-                 __FUNCTION__, (long) edata->len);
-        cinfo = ecinfo;
-    } else
-        /* Okay, it's a normal signed-data blob. */
-        ecmsg = NULL;
-
-    /* Check that we have signed data, that it has exactly one signature,
-     * and fish out the signer information. */
-    if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) !=
-        SEC_OID_PKCS7_SIGNED_DATA) {
-        pkiDebug("%s: content type mismatch\n", __FUNCTION__);
-        if (ecmsg != NULL)
-            NSS_CMSMessage_Destroy(ecmsg);
-        return EINVAL;
-    }
-    sdata = NSS_CMSContentInfo_GetContent(cinfo);
-    if (sdata == NULL) {
-        pkiDebug("%s: decoding error? content-info was NULL\n", __FUNCTION__);
-        if (ecmsg != NULL)
-            NSS_CMSMessage_Destroy(ecmsg);
-        return ENOENT;
-    }
-    n_signers = NSS_CMSSignedData_SignerInfoCount(sdata);
-    if (n_signers > 1) {
-        pkiDebug("%s: wrong number of signers (%d, not 0 or 1)\n",
-                 __FUNCTION__, n_signers);
-        if (ecmsg != NULL)
-            NSS_CMSMessage_Destroy(ecmsg);
-        return ENOENT;
-    }
-    if (n_signers < 1)
-        signer = NULL;
-    else {
-        /* Import the bundle's certs and locate the signerInfo. */
-        if (NSS_CMSSignedData_ImportCerts(sdata, certdb, usage,
-                                          PR_FALSE) != SECSuccess) {
-            pkiDebug("%s: error importing signer certs\n", __FUNCTION__);
-            if (ecmsg != NULL)
-                NSS_CMSMessage_Destroy(ecmsg);
-            return ENOENT;
-        }
-        signer = NSS_CMSSignedData_GetSignerInfo(sdata, 0);
-        if (signer == NULL) {
-            pkiDebug("%s: no signers?\n", __FUNCTION__);
-            if (ecmsg != NULL)
-                NSS_CMSMessage_Destroy(ecmsg);
-            return ENOENT;
-        }
-        if (!NSS_CMSSignedData_HasDigests(sdata)) {
-            pkiDebug("%s: no digests?\n", __FUNCTION__);
-            if (ecmsg != NULL)
-                NSS_CMSMessage_Destroy(ecmsg);
-            return ENOENT;
-        }
-        if (require_crl_checking && (signer->cert != NULL))
-            if (crypto_check_for_revocation_information(signer->cert, certdb,
-                                                        allow_ocsp_checking,
-                                                        usage) != 0) {
-                if (ecmsg != NULL)
-                    NSS_CMSMessage_Destroy(ecmsg);
-                return KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE;
-            }
-        if (allow_ocsp_checking) {
-            status = CERT_EnableOCSPChecking(certdb);
-            if (status != SECSuccess) {
-                pkiDebug("%s: error enabling OCSP: %s\n", __FUNCTION__,
-                         PR_ErrorToString(status == SECFailure ?
-                                          PORT_GetError() : status,
-                                          PR_LANGUAGE_I_DEFAULT));
-                if (ecmsg != NULL)
-                    NSS_CMSMessage_Destroy(ecmsg);
-                return ENOMEM;
-            }
-            ocsp_failure_mode = require_crl_checking ?
-                ocspMode_FailureIsVerificationFailure :
-                ocspMode_FailureIsNotAVerificationFailure;
-            status = CERT_SetOCSPFailureMode(ocsp_failure_mode);
-            if (status != SECSuccess) {
-                pkiDebug("%s: error setting OCSP failure mode: %s\n",
-                         __FUNCTION__,
-                         PR_ErrorToString(status == SECFailure ?
-                                          PORT_GetError() : status,
-                                          PR_LANGUAGE_I_DEFAULT));
-                if (ecmsg != NULL)
-                    NSS_CMSMessage_Destroy(ecmsg);
-                return ENOMEM;
-            }
-        } else {
-            status = CERT_DisableOCSPChecking(certdb);
-            if ((status != SECSuccess) &&
-                (PORT_GetError() != SEC_ERROR_OCSP_NOT_ENABLED)) {
-                pkiDebug("%s: error disabling OCSP: %s\n", __FUNCTION__,
-                         PR_ErrorToString(status == SECFailure ?
-                                          PORT_GetError() : status,
-                                          PR_LANGUAGE_I_DEFAULT));
-                if (ecmsg != NULL)
-                    NSS_CMSMessage_Destroy(ecmsg);
-                return ENOMEM;
-            }
-        }
-        status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage);
-        if (status != SECSuccess) {
-            pkiDebug("%s: signer verify failed: %s\n", __FUNCTION__,
-                     PR_ErrorToString(status == SECFailure ?
-                                      PORT_GetError() : status,
-                                      PR_LANGUAGE_I_DEFAULT));
-            if (ecmsg != NULL)
-                NSS_CMSMessage_Destroy(ecmsg);
-            switch (cms_msg_type) {
-            case CMS_SIGN_DRAFT9:
-            case CMS_SIGN_CLIENT:
-                switch (PORT_GetError()) {
-                case SEC_ERROR_REVOKED_CERTIFICATE:
-                    return KRB5KDC_ERR_REVOKED_CERTIFICATE;
-                case SEC_ERROR_UNKNOWN_ISSUER:
-                    return KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE;
-                default:
-                    return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;
-                }
-                break;
-            case CMS_SIGN_SERVER:
-            case CMS_ENVEL_SERVER:
-                switch (PORT_GetError()) {
-                case SEC_ERROR_REVOKED_CERTIFICATE:
-                    return KRB5KDC_ERR_REVOKED_CERTIFICATE;
-                case SEC_ERROR_UNKNOWN_ISSUER:
-                    return KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE;
-                default:
-                    return KRB5KDC_ERR_KDC_NOT_TRUSTED;
-                }
-                break;
-            default:
-                return ENOMEM;
-            }
-        }
-        pkiDebug("%s: signer verify passed\n", __FUNCTION__);
-        *is_signed_out = 1;
-    }
-    /* Pull out the payload. */
-    ecinfo = NSS_CMSSignedData_GetContentInfo(sdata);
-    if (ecinfo == NULL) {
-        pkiDebug("%s: error getting encapsulated content\n", __FUNCTION__);
-        if (ecmsg != NULL)
-            NSS_CMSMessage_Destroy(ecmsg);
-        return ENOMEM;
-    }
-    encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(ecinfo);
-    if ((encapsulated_tag != expected_type) &&
-        ((expected_type2 == SEC_OID_UNKNOWN) ||
-         (encapsulated_tag != expected_type2))) {
-        pkiDebug("%s: wrong encapsulated content type\n", __FUNCTION__);
-        expected = SECOID_FindOIDByTag(expected_type);
-        if (encapsulated_tag != SEC_OID_UNKNOWN)
-            received = SECOID_FindOIDByTag(encapsulated_tag);
-        else
-            received = NULL;
-        if (expected != NULL) {
-            if (received != NULL) {
-                pkiDebug("%s: was expecting \"%s\"(%d), but got \"%s\"(%d)\n",
-                         __FUNCTION__,
-                         expected->desc, expected->offset,
-                         received->desc, received->offset);
-            } else {
-                pkiDebug("%s: was expecting \"%s\"(%d), "
-                         "but got unrecognized type (%d)\n",
-                         __FUNCTION__,
-                         expected->desc, expected->offset, encapsulated_tag);
-            }
-        }
-        if (ecmsg != NULL)
-            NSS_CMSMessage_Destroy(ecmsg);
-        return EINVAL;
-    }
-    *plain_out = NSS_CMSContentInfo_GetContent(ecinfo);
-    if ((*plain_out != NULL) && ((*plain_out)->len == 0))
-        pkiDebug("%s: warning: encapsulated content appears empty\n",
-                 __FUNCTION__);
-    if (signer != NULL) {
-        /* Save the peer cert -- we'll need it later. */
-        pkiDebug("%s: saving peer certificate\n", __FUNCTION__);
-        if (req_cryptoctx->peer_cert != NULL)
-            CERT_DestroyCertificate(req_cryptoctx->peer_cert);
-        cert = NSS_CMSSignerInfo_GetSigningCertificate(signer, certdb);
-        req_cryptoctx->peer_cert = CERT_DupCertificate(cert);
-    }
-    if (ecmsg != NULL) {
-        *plain_out = SECITEM_ArenaDupItem(pool, *plain_out);
-        NSS_CMSMessage_Destroy(ecmsg);
-    }
-    return 0;
-}
-
-/* Verify signed-then-enveloped data, and return the data that was signed. */
-krb5_error_code
-cms_envelopeddata_verify(krb5_context context,
-                         pkinit_plg_crypto_context plg_cryptoctx,
-                         pkinit_req_crypto_context req_cryptoctx,
-                         pkinit_identity_crypto_context id_cryptoctx,
-                         krb5_preauthtype pa_type,
-                         int require_crl_checking,
-                         unsigned char *envel_data,
-                         unsigned int envel_data_len,
-                         unsigned char **signed_data,
-                         unsigned int *signed_data_len)
-{
-    NSSCMSMessage *msg;
-    NSSCMSContentInfo *info;
-    NSSCMSEnvelopedData *env;
-    CERTCertDBHandle *certdb;
-    PLArenaPool *pool;
-    SECItem *plain, encoded;
-    SECCertUsage usage;
-    SECOidTag expected_tag, expected_tag2;
-    int is_signed, ret;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    certdb = CERT_GetDefaultCertDB();
-
-    /* Decode the message. */
-#ifdef DEBUG_DER
-    derdump(envel_data, envel_data_len);
-#endif
-    encoded.data = envel_data;
-    encoded.len = envel_data_len;
-    msg = NSS_CMSMessage_CreateFromDER(&encoded,
-                                       NULL, NULL,
-                                       crypto_pwcb,
-                                       crypto_pwcb_prep(id_cryptoctx,
-                                                        NULL, context),
-                                       NULL, NULL);
-    if (msg == NULL)
-        return ENOMEM;
-
-    /* Make sure it's enveloped-data. */
-    info = NSS_CMSMessage_GetContentInfo(msg);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_GetContentTypeTag(info) !=
-        SEC_OID_PKCS7_ENVELOPED_DATA) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return EINVAL;
-    }
-
-    /* Okay, it's enveloped-data. */
-    env = NSS_CMSContentInfo_GetContent(info);
-
-    /* Pull out the encapsulated content.  It should be signed-data. */
-    info = NSS_CMSEnvelopedData_GetContentInfo(env);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Pull out the signed data and verify it. */
-    expected_tag = get_pkinit_data_rkey_data_tag();
-    expected_tag2 = SEC_OID_PKCS7_DATA;
-    usage = certUsageSSLServer;
-    plain = NULL;
-    is_signed = 0;
-    ret = crypto_signeddata_common_verify(context,
-                                          plg_cryptoctx,
-                                          req_cryptoctx,
-                                          id_cryptoctx,
-                                          require_crl_checking,
-                                          info,
-                                          certdb,
-                                          usage,
-                                          expected_tag,
-                                          expected_tag2,
-                                          pool,
-                                          CMS_ENVEL_SERVER,
-                                          &plain,
-                                          &is_signed);
-    if ((ret != 0) || (plain == NULL) || !is_signed) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ret ? ret : ENOMEM;
-    }
-    /* Export the payload. */
-    if (secitem_to_buf_len(plain, signed_data, signed_data_len) != 0) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    NSS_CMSMessage_Destroy(msg);
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-krb5_error_code
-cms_signeddata_create(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      int cms_msg_type,
-                      int include_certchain,
-                      unsigned char *payload,
-                      unsigned int payload_len,
-                      unsigned char **signed_data,
-                      unsigned int *signed_data_len)
-{
-    NSSCMSMessage *msg;
-    NSSCMSContentInfo *info;
-    NSSCMSSignedData *sdata;
-    PLArenaPool *pool;
-    SECItem plain, encoded;
-    SECOidTag digest, encapsulated_tag;
-    enum sdcc_include_signed_attrs add_signed_attrs;
-
-    switch (cms_msg_type) {
-    case CMS_SIGN_DRAFT9:
-        digest = SEC_OID_MD5;
-        add_signed_attrs = signeddata_common_create_omit_signed_attrs;
-        encapsulated_tag = get_pkinit_data_auth_data9_tag();
-        break;
-    case CMS_SIGN_CLIENT:
-        digest = SEC_OID_SHA1;
-        add_signed_attrs = signeddata_common_create_with_signed_attrs;
-        encapsulated_tag = get_pkinit_data_auth_data_tag();
-        break;
-    case CMS_SIGN_SERVER:
-        digest = SEC_OID_SHA1;
-        add_signed_attrs = signeddata_common_create_with_signed_attrs;
-        encapsulated_tag = get_pkinit_data_dhkey_data_tag();
-        break;
-    case CMS_ENVEL_SERVER:
-    default:
-        return ENOSYS;
-        break;
-    }
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-
-    /* Create the containing message. */
-    msg = NSS_CMSMessage_Create(pool);
-    if (msg == NULL) {
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Create a signed-data pointer and set it as the message's
-     * contents. */
-    info = NSS_CMSMessage_GetContentInfo(msg);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    sdata = NULL;
-    if ((crypto_signeddata_common_create(context,
-                                         plg_cryptoctx,
-                                         req_cryptoctx,
-                                         id_cryptoctx,
-                                         msg,
-                                         digest,
-                                         include_certchain ?
-                                         signeddata_common_create_with_chain :
-                                         signeddata_common_create_omit_chain,
-                                         add_signed_attrs,
-                                         &sdata) != 0) || (sdata == NULL)) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_SetContent_SignedData(msg, info,
-                                                 sdata) != SECSuccess) {
-        pkiDebug("%s: error setting signed-data content\n", __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Set the data as the contents of the signed-data. */
-    info = NSS_CMSSignedData_GetContentInfo(sdata);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag,
-                                      NULL) != SECSuccess) {
-        pkiDebug("%s: error setting encapsulated content type\n",
-                 __FUNCTION__);
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Encode and export. */
-    memset(&plain, 0, sizeof(plain));
-    plain.data = payload;
-    plain.len = payload_len;
-    memset(&encoded, 0, sizeof(encoded));
-    if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        pkiDebug("%s: error encoding signed-data: %s\n", __FUNCTION__,
-                 PORT_ErrorToName(PORT_GetError()));
-        return ENOMEM;
-    }
-    if (secitem_to_buf_len(&encoded, signed_data, signed_data_len) != 0) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-#ifdef DEBUG_DER
-    derdump(*signed_data, *signed_data_len);
-#endif
-#ifdef DEBUG_CMS
-    cmsdump(*signed_data, *signed_data_len);
-#endif
-
-    NSS_CMSMessage_Destroy(msg);
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-krb5_error_code
-cms_signeddata_verify(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      int cms_msg_type,
-                      int require_crl_checking,
-                      unsigned char *signed_data,
-                      unsigned int signed_data_len,
-                      unsigned char **payload,
-                      unsigned int *payload_len,
-                      unsigned char **authz_data,
-                      unsigned int *authz_data_len,
-                      int *is_signed)
-{
-    NSSCMSMessage *msg;
-    NSSCMSContentInfo *info;
-    CERTCertDBHandle *certdb;
-    SECCertUsage usage;
-    SECOidTag expected_tag, expected_tag2;
-    PLArenaPool *pool;
-    SECItem *plain, encoded;
-    struct content_info simple_content_info;
-    int was_signed, ret;
-
-    switch (cms_msg_type) {
-    case CMS_SIGN_DRAFT9:
-        usage = certUsageSSLClient;
-        expected_tag = get_pkinit_data_auth_data9_tag();
-        break;
-    case CMS_SIGN_CLIENT:
-        usage = certUsageSSLClient;
-        expected_tag = get_pkinit_data_auth_data_tag();
-        break;
-    case CMS_SIGN_SERVER:
-        usage = certUsageSSLServer;
-        expected_tag = get_pkinit_data_dhkey_data_tag();
-        break;
-    case CMS_ENVEL_SERVER:
-    default:
-        return ENOSYS;
-        break;
-    }
-    expected_tag2 = SEC_OID_UNKNOWN;
-
-    pool = PORT_NewArena(sizeof(double));
-    if (pool == NULL)
-        return ENOMEM;
-    certdb = CERT_GetDefaultCertDB();
-
-#ifdef DEBUG_DER
-    derdump(signed_data, signed_data_len);
-#endif
-
-    memset(&encoded, 0, sizeof(encoded));
-    encoded.data = signed_data;
-    encoded.len = signed_data_len;
-
-    /* Take a quick look at what it claims to be. */
-    memset(&simple_content_info, 0, sizeof(simple_content_info));
-    if (SEC_ASN1DecodeItem(pool, &simple_content_info,
-                           content_info_template, &encoded) == SECSuccess)
-        /* If it's unsigned data of the right type... */
-        if (SECOID_FindOIDTag(&simple_content_info.content_type) ==
-            expected_tag) {
-            /* Pull out the payload -- it's not wrapped in a
-             * SignedData. */
-            pkiDebug("%s: data is not signed\n", __FUNCTION__);
-            if (is_signed != NULL)
-                *is_signed = 0;
-            if (secitem_to_buf_len(&simple_content_info.content,
-                                   payload, payload_len) != 0) {
-                PORT_FreeArena(pool, PR_TRUE);
-                return ENOMEM;
-            }
-            return 0;
-        }
-
-    /* Decode the message. */
-    msg = NSS_CMSMessage_CreateFromDER(&encoded,
-                                       NULL, NULL,
-                                       crypto_pwcb,
-                                       crypto_pwcb_prep(id_cryptoctx,
-                                                        NULL, context),
-                                       NULL, NULL);
-    if (msg == NULL)
-        return ENOMEM;
-
-    /* Double-check that it's signed. */
-    info = NSS_CMSMessage_GetContentInfo(msg);
-    if (info == NULL) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    switch (NSS_CMSContentInfo_GetContentTypeTag(info)) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-        /* It's signed: try to verify the signature. */
-        pkiDebug("%s: data is probably signed, checking\n", __FUNCTION__);
-        plain = NULL;
-        was_signed = 0;
-        ret = crypto_signeddata_common_verify(context,
-                                              plg_cryptoctx,
-                                              req_cryptoctx,
-                                              id_cryptoctx,
-                                              require_crl_checking,
-                                              info,
-                                              certdb,
-                                              usage,
-                                              expected_tag,
-                                              expected_tag2,
-                                              pool,
-                                              cms_msg_type,
-                                              &plain,
-                                              &was_signed);
-        if ((ret != 0) || (plain == NULL)) {
-            NSS_CMSMessage_Destroy(msg);
-            PORT_FreeArena(pool, PR_TRUE);
-            return ret ? ret : ENOMEM;
-        }
-        if (is_signed != NULL)
-            *is_signed = was_signed;
-        break;
-    case SEC_OID_PKCS7_DATA:
-        /* It's not signed: try to pull out the payload. */
-        pkiDebug("%s: data is not signed\n", __FUNCTION__);
-        if (is_signed != NULL)
-            *is_signed = 0;
-        plain = NSS_CMSContentInfo_GetContent(info);
-        break;
-    default:
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-
-    /* Export the payload. */
-    if ((plain == NULL) ||
-        (secitem_to_buf_len(plain, payload, payload_len) != 0)) {
-        NSS_CMSMessage_Destroy(msg);
-        PORT_FreeArena(pool, PR_TRUE);
-        return ENOMEM;
-    }
-    NSS_CMSMessage_Destroy(msg);
-    PORT_FreeArena(pool, PR_TRUE);
-
-    return 0;
-}
-
-/*
- * Add an item to the pkinit_identity_crypto_context's list of deferred
- * identities.
- */
-krb5_error_code
-crypto_set_deferred_id(krb5_context context,
-                       pkinit_identity_crypto_context id_cryptoctx,
-                       const char *identity, const char *password)
-{
-    unsigned long ck_flags;
-
-    ck_flags = pkinit_get_deferred_id_flags(id_cryptoctx->deferred_ids,
-                                            identity);
-    return pkinit_set_deferred_id(&id_cryptoctx->deferred_ids,
-                                  identity, ck_flags, password);
-}
-
-/*
- * Retrieve a read-only copy of the pkinit_identity_crypto_context's list of
- * deferred identities, sure to be valid only until the next time someone calls
- * either pkinit_set_deferred_id() or crypto_set_deferred_id().
- */
-const pkinit_deferred_id *
-crypto_get_deferred_ids(krb5_context context,
-                        pkinit_identity_crypto_context id_cryptoctx)
-{
-    pkinit_deferred_id *deferred;
-    const pkinit_deferred_id *ret;
-
-    deferred = id_cryptoctx->deferred_ids;
-    ret = (const pkinit_deferred_id *)deferred;
-    return ret;
-}
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 74fffbf32129..ac107c2c1b67 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -67,10 +67,6 @@ static krb5_error_code pkinit_decode_data
  const uint8_t *data, unsigned int data_len, uint8_t **decoded,
  unsigned int *decoded_len);
 
-static krb5_error_code decode_data
-(uint8_t **, unsigned int *, const uint8_t *, unsigned int, EVP_PKEY *pkey,
- X509 *cert);
-
 #ifdef DEBUG_DH
 static void print_dh(DH *, char *);
 static void print_pubkey(BIGNUM *, char *);
@@ -1154,7 +1150,7 @@ cms_signeddata_create(krb5_context context,
     X509_ALGOR *alg = NULL;
     ASN1_OCTET_STRING *digest = NULL;
     unsigned int alg_len = 0, digest_len = 0;
-    unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL;
+    unsigned char *y = NULL;
     X509 *cert = NULL;
     ASN1_OBJECT *oid = NULL, *oid_copy;
 
@@ -1321,18 +1317,12 @@ cms_signeddata_create(krb5_context context,
                 goto cleanup2;
             X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
             alg_len = i2d_X509_ALGOR(alg, NULL);
-            alg_buf = malloc(alg_len);
-            if (alg_buf == NULL)
-                goto cleanup2;
 
             digest = ASN1_OCTET_STRING_new();
             if (digest == NULL)
                 goto cleanup2;
             ASN1_OCTET_STRING_set(digest, md_data2, (int)md_len2);
             digest_len = i2d_ASN1_OCTET_STRING(digest, NULL);
-            digest_buf = malloc(digest_len);
-            if (digest_buf == NULL)
-                goto cleanup2;
 
             digestInfo_len = ASN1_object_size(1, (int)(alg_len + digest_len),
                                               V_ASN1_SEQUENCE);
@@ -1421,9 +1411,7 @@ cleanup2:
 #ifndef WITHOUT_PKCS11
         if (id_cryptoctx->pkcs11_method == 1 &&
             id_cryptoctx->mech == CKM_RSA_PKCS) {
-            free(digest_buf);
             free(digestInfo_buf);
-            free(alg_buf);
             if (digest != NULL)
                 ASN1_OCTET_STRING_free(digest);
         }
@@ -2101,11 +2089,21 @@ crypto_retrieve_X509_sans(krb5_context context,
 {
     krb5_error_code retval = EINVAL;
     char buf[DN_BUF_LEN];
-    int p = 0, u = 0, d = 0, l;
+    int p = 0, u = 0, d = 0, ret = 0, l;
     krb5_principal *princs = NULL;
     krb5_principal *upns = NULL;
     unsigned char **dnss = NULL;
-    unsigned int i, num_found = 0;
+    unsigned int i, num_found = 0, num_sans = 0;
+    X509_EXTENSION *ext = NULL;
+    GENERAL_NAMES *ialt = NULL;
+    GENERAL_NAME *gen = NULL;
+
+    if (princs_ret != NULL)
+        *princs_ret = NULL;
+    if (upn_ret != NULL)
+        *upn_ret = NULL;
+    if (dns_ret != NULL)
+        *dns_ret = NULL;
 
     if (princs_ret == NULL && upn_ret == NULL && dns_ret == NULL) {
         pkiDebug("%s: nowhere to return any values!\n", __FUNCTION__);
@@ -2121,143 +2119,137 @@ crypto_retrieve_X509_sans(krb5_context context,
                       buf, sizeof(buf));
     pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
 
-    if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
-        X509_EXTENSION *ext = NULL;
-        GENERAL_NAMES *ialt = NULL;
-        GENERAL_NAME *gen = NULL;
-        int ret = 0;
-        unsigned int num_sans = 0;
+    l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
+    if (l < 0)
+        return 0;
 
-        if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
-            pkiDebug("%s: found no subject alt name extensions\n",
-                     __FUNCTION__);
-            goto cleanup;
-        }
-        num_sans = sk_GENERAL_NAME_num(ialt);
+    if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+        pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
+        goto cleanup;
+    }
+    num_sans = sk_GENERAL_NAME_num(ialt);
 
-        pkiDebug("%s: found %d subject alt name extension(s)\n",
-                 __FUNCTION__, num_sans);
+    pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__,
+             num_sans);
 
-        /* OK, we're likely returning something. Allocate return values */
-        if (princs_ret != NULL) {
-            princs = calloc(num_sans + 1, sizeof(krb5_principal));
-            if (princs == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
+    /* OK, we're likely returning something. Allocate return values */
+    if (princs_ret != NULL) {
+        princs = calloc(num_sans + 1, sizeof(krb5_principal));
+        if (princs == NULL) {
+            retval = ENOMEM;
+            goto cleanup;
         }
-        if (upn_ret != NULL) {
-            upns = calloc(num_sans + 1, sizeof(krb5_principal));
-            if (upns == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
+    }
+    if (upn_ret != NULL) {
+        upns = calloc(num_sans + 1, sizeof(krb5_principal));
+        if (upns == NULL) {
+            retval = ENOMEM;
+            goto cleanup;
         }
-        if (dns_ret != NULL) {
-            dnss = calloc(num_sans + 1, sizeof(*dnss));
-            if (dnss == NULL) {
-                retval = ENOMEM;
-                goto cleanup;
-            }
+    }
+    if (dns_ret != NULL) {
+        dnss = calloc(num_sans + 1, sizeof(*dnss));
+        if (dnss == NULL) {
+            retval = ENOMEM;
+            goto cleanup;
         }
+    }
 
-        for (i = 0; i < num_sans; i++) {
-            krb5_data name = { 0, 0, NULL };
+    for (i = 0; i < num_sans; i++) {
+        krb5_data name = { 0, 0, NULL };
 
-            gen = sk_GENERAL_NAME_value(ialt, i);
-            switch (gen->type) {
-            case GEN_OTHERNAME:
-                name.length = gen->d.otherName->value->value.sequence->length;
-                name.data = (char *)gen->d.otherName->value->value.sequence->data;
-                if (princs != NULL
-                    && OBJ_cmp(plgctx->id_pkinit_san,
-                               gen->d.otherName->type_id) == 0) {
+        gen = sk_GENERAL_NAME_value(ialt, i);
+        switch (gen->type) {
+        case GEN_OTHERNAME:
+            name.length = gen->d.otherName->value->value.sequence->length;
+            name.data = (char *)gen->d.otherName->value->value.sequence->data;
+            if (princs != NULL &&
+                OBJ_cmp(plgctx->id_pkinit_san,
+                        gen->d.otherName->type_id) == 0) {
 #ifdef DEBUG_ASN1
-                    print_buffer_bin((unsigned char *)name.data, name.length,
-                                     "/tmp/pkinit_san");
+                print_buffer_bin((unsigned char *)name.data, name.length,
+                                 "/tmp/pkinit_san");
 #endif
-                    ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
-                    if (ret) {
-                        pkiDebug("%s: failed decoding pkinit san value\n",
-                                 __FUNCTION__);
-                    } else {
-                        p++;
-                        num_found++;
-                    }
-                } else if (upns != NULL
-                           && OBJ_cmp(plgctx->id_ms_san_upn,
-                                      gen->d.otherName->type_id) == 0) {
-                    /* Prevent abuse of embedded null characters. */
-                    if (memchr(name.data, '\0', name.length))
-                        break;
-                    ret = krb5_parse_name(context, name.data, &upns[u]);
-                    if (ret) {
-                        pkiDebug("%s: failed parsing ms-upn san value\n",
-                                 __FUNCTION__);
-                    } else {
-                        u++;
-                        num_found++;
-                    }
+                ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
+                if (ret) {
+                    pkiDebug("%s: failed decoding pkinit san value\n",
+                             __FUNCTION__);
                 } else {
-                    pkiDebug("%s: unrecognized othername oid in SAN\n",
+                    p++;
+                    num_found++;
+                }
+            } else if (upns != NULL &&
+                       OBJ_cmp(plgctx->id_ms_san_upn,
+                               gen->d.otherName->type_id) == 0) {
+                /* Prevent abuse of embedded null characters. */
+                if (memchr(name.data, '\0', name.length))
+                    break;
+                ret = krb5_parse_name_flags(context, name.data,
+                                            KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+                                            &upns[u]);
+                if (ret) {
+                    pkiDebug("%s: failed parsing ms-upn san value\n",
                              __FUNCTION__);
-                    continue;
+                } else {
+                    u++;
+                    num_found++;
                 }
+            } else {
+                pkiDebug("%s: unrecognized othername oid in SAN\n",
+                         __FUNCTION__);
+                continue;
+            }
 
-                break;
-            case GEN_DNS:
-                if (dnss != NULL) {
-                    /* Prevent abuse of embedded null characters. */
-                    if (memchr(gen->d.dNSName->data, '\0',
-                               gen->d.dNSName->length))
-                        break;
-                    pkiDebug("%s: found dns name = %s\n",
-                             __FUNCTION__, gen->d.dNSName->data);
-                    dnss[d] = (unsigned char *)
-                        strdup((char *)gen->d.dNSName->data);
-                    if (dnss[d] == NULL) {
-                        pkiDebug("%s: failed to duplicate dns name\n",
-                                 __FUNCTION__);
-                    } else {
-                        d++;
-                        num_found++;
-                    }
+            break;
+        case GEN_DNS:
+            if (dnss != NULL) {
+                /* Prevent abuse of embedded null characters. */
+                if (memchr(gen->d.dNSName->data, '\0', gen->d.dNSName->length))
+                    break;
+                pkiDebug("%s: found dns name = %s\n", __FUNCTION__,
+                         gen->d.dNSName->data);
+                dnss[d] = (unsigned char *)
+                    strdup((char *)gen->d.dNSName->data);
+                if (dnss[d] == NULL) {
+                    pkiDebug("%s: failed to duplicate dns name\n",
+                             __FUNCTION__);
+                } else {
+                    d++;
+                    num_found++;
                 }
-                break;
-            default:
-                pkiDebug("%s: SAN type = %d expecting %d\n",
-                         __FUNCTION__, gen->type, GEN_OTHERNAME);
             }
+            break;
+        default:
+            pkiDebug("%s: SAN type = %d expecting %d\n", __FUNCTION__,
+                     gen->type, GEN_OTHERNAME);
         }
-        sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
     }
+    sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
 
     retval = 0;
-    if (princs)
+    if (princs != NULL && *princs != NULL) {
         *princs_ret = princs;
-    if (upns)
+        princs = NULL;
+    }
+    if (upns != NULL && *upns != NULL) {
         *upn_ret = upns;
-    if (dnss)
+        upns = NULL;
+    }
+    if (dnss != NULL && *dnss != NULL) {
         *dns_ret = dnss;
+        dnss = NULL;
+    }
 
 cleanup:
-    if (retval) {
-        if (princs != NULL) {
-            for (i = 0; princs[i] != NULL; i++)
-                krb5_free_principal(context, princs[i]);
-            free(princs);
-        }
-        if (upns != NULL) {
-            for (i = 0; upns[i] != NULL; i++)
-                krb5_free_principal(context, upns[i]);
-            free(upns);
-        }
-        if (dnss != NULL) {
-            for (i = 0; dnss[i] != NULL; i++)
-                free(dnss[i]);
-            free(dnss);
-        }
-    }
+    for (i = 0; princs != NULL && princs[i] != NULL; i++)
+        krb5_free_principal(context, princs[i]);
+    free(princs);
+    for (i = 0; upns != NULL && upns[i] != NULL; i++)
+        krb5_free_principal(context, upns[i]);
+    free(upns);
+    for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
+        free(dnss[i]);
+    free(dnss);
     return retval;
 }
 
@@ -2313,7 +2305,6 @@ crypto_check_cert_eku(krb5_context context,
 
     X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert),
                       buf, sizeof(buf));
-    pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf);
 
     if ((i = X509_get_ext_by_NID(reqctx->received_cert,
                                  NID_ext_key_usage, -1)) >= 0) {
@@ -2347,7 +2338,6 @@ crypto_check_cert_eku(krb5_context context,
 
         if (found_eku) {
             ASN1_BIT_STRING *usage = NULL;
-            pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
 
             /* check that digitalSignature KeyUsage is present */
             X509_check_ca(reqctx->received_cert);
@@ -2356,12 +2346,10 @@ crypto_check_cert_eku(krb5_context context,
 
                 if (!ku_reject(reqctx->received_cert,
                                X509v3_KU_DIGITAL_SIGNATURE)) {
-                    pkiDebug("%s: found digitalSignature KU\n",
-                             __FUNCTION__);
+                    TRACE_PKINIT_EKU(context);
                     *valid_eku = 1;
                 } else
-                    pkiDebug("%s: didn't find digitalSignature KU\n",
-                             __FUNCTION__);
+                    TRACE_PKINIT_EKU_NO_KU(context);
             }
             ASN1_BIT_STRING_free(usage);
         }
@@ -3581,12 +3569,14 @@ openssl_callback(int ok, X509_STORE_CTX * ctx)
 {
 #ifdef DEBUG
     if (!ok) {
+        X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+        int err = X509_STORE_CTX_get_error(ctx);
+        const char *errmsg = X509_verify_cert_error_string(err);
         char buf[DN_BUF_LEN];
 
-        X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof(buf));
+        X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
         pkiDebug("cert = %s\n", buf);
-        pkiDebug("callback function: %d (%s)\n", ctx->error,
-                 X509_verify_cert_error_string(ctx->error));
+        pkiDebug("callback function: %d (%s)\n", err, errmsg);
     }
 #endif
     return ok;
@@ -3979,12 +3969,34 @@ pkinit_decode_data_fs(krb5_context context,
                       const uint8_t *data, unsigned int data_len,
                       uint8_t **decoded_data, unsigned int *decoded_data_len)
 {
-    if (decode_data(decoded_data, decoded_data_len, data, data_len,
-                    id_cryptoctx->my_key, sk_X509_value(id_cryptoctx->my_certs,
-                                                        id_cryptoctx->cert_index)) <= 0) {
-        pkiDebug("failed to decode data\n");
+    X509 *cert = sk_X509_value(id_cryptoctx->my_certs,
+                               id_cryptoctx->cert_index);
+    EVP_PKEY *pkey = id_cryptoctx->my_key;
+    uint8_t *buf;
+    int buf_len, decrypt_len;
+
+    *decoded_data = NULL;
+    *decoded_data_len = 0;
+
+    if (cert != NULL && !X509_check_private_key(cert, pkey)) {
+        pkiDebug("private key does not match certificate\n");
+        return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
+
+    buf_len = EVP_PKEY_size(pkey);
+    buf = malloc(buf_len + 10);
+    if (buf == NULL)
+        return KRB5KDC_ERR_PREAUTH_FAILED;
+
+    decrypt_len = EVP_PKEY_decrypt_old(buf, data, data_len, pkey);
+    if (decrypt_len <= 0) {
+        pkiDebug("unable to decrypt received data (len=%d)\n", data_len);
+        free(buf);
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
+
+    *decoded_data = buf;
+    *decoded_data_len = decrypt_len;
     return 0;
 }
 
@@ -4027,6 +4039,9 @@ pkinit_decode_data_pkcs11(krb5_context context,
     uint8_t *cp;
     int r;
 
+    *decoded_data = NULL;
+    *decoded_data_len = 0;
+
     if (pkinit_open_session(context, id_cryptoctx)) {
         pkiDebug("can't open pkcs11 session\n");
         return KRB5KDC_ERR_PREAUTH_FAILED;
@@ -4075,6 +4090,9 @@ pkinit_decode_data(krb5_context context,
 {
     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
 
+    *decoded_data = NULL;
+    *decoded_data_len = 0;
+
     if (id_cryptoctx->pkcs11_method != 1)
         retval = pkinit_decode_data_fs(context, id_cryptoctx, data, data_len,
                                        decoded_data, decoded_data_len);
@@ -4188,41 +4206,6 @@ pkinit_sign_data(krb5_context context,
 }
 
 
-static int
-decode_data(uint8_t **out_data, unsigned int *out_data_len,
-            const uint8_t *data, unsigned int data_len, EVP_PKEY *pkey,
-            X509 *cert)
-{
-    int retval;
-    unsigned char *buf = NULL;
-    int buf_len = 0;
-
-    if (cert && !X509_check_private_key(cert, pkey)) {
-        pkiDebug("private key does not match certificate\n");
-        return 0;
-    }
-
-    buf_len = EVP_PKEY_size(pkey);
-    buf = malloc((size_t) buf_len + 10);
-    if (buf == NULL)
-        return 0;
-
-#if OPENSSL_VERSION_NUMBER >= 0x00909000L
-    retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey);
-#else
-    retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey);
-#endif
-    if (retval <= 0) {
-        pkiDebug("unable to decrypt received data (len=%d)\n", data_len);
-        free(buf);
-        return 0;
-    }
-    *out_data = buf;
-    *out_data_len = retval;
-
-    return 1;
-}
-
 static krb5_error_code
 create_signature(unsigned char **sig, unsigned int *sig_len,
                  unsigned char *data, unsigned int data_len, EVP_PKEY *pkey)
@@ -4310,8 +4293,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
 
     fp = fopen(idopts->cert_filename, "rb");
     if (fp == NULL) {
-        pkiDebug("Failed to open PKCS12 file '%s', error %d\n",
-                 idopts->cert_filename, errno);
+        TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno);
         goto cleanup;
     }
     set_cloexec_file(fp);
@@ -4319,8 +4301,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
     p12 = d2i_PKCS12_fp(fp, NULL);
     fclose(fp);
     if (p12 == NULL) {
-        pkiDebug("Failed to decode PKCS12 file '%s' contents\n",
-                 idopts->cert_filename);
+        TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename);
         goto cleanup;
     }
     /*
@@ -4338,7 +4319,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
         char *p12name = reassemble_pkcs12_name(idopts->cert_filename);
         const char *tmp;
 
-        pkiDebug("Initial PKCS12_parse with no password failed\n");
+        TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context);
 
         if (id_cryptoctx->defer_id_prompt) {
             /* Supply the identity name to be passed to the responder. */
@@ -4379,14 +4360,14 @@ pkinit_get_certs_pkcs12(krb5_context context,
                                           NULL, NULL, 1, &kprompt);
             k5int_set_prompt_types(context, 0);
             if (r) {
-                pkiDebug("Failed to prompt for PKCS12 password");
+                TRACE_PKINIT_PKCS_PROMPT_FAIL(context);
                 goto cleanup;
             }
         }
 
         ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
         if (ret == 0) {
-            pkiDebug("Second PKCS12_parse with password failed\n");
+            TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context);
             goto cleanup;
         }
     }
@@ -4509,8 +4490,7 @@ pkinit_get_certs_fs(krb5_context context,
     }
 
     if (idopts->key_filename == NULL) {
-        pkiDebug("%s: failed to get user's private key location\n",
-                 __FUNCTION__);
+        TRACE_PKINIT_NO_PRIVKEY(context);
         goto cleanup;
     }
 
@@ -4538,8 +4518,7 @@ pkinit_get_certs_dir(krb5_context context,
     char *dirname, *suf;
 
     if (idopts->cert_filename == NULL) {
-        pkiDebug("%s: failed to get user's certificate directory location\n",
-                 __FUNCTION__);
+        TRACE_PKINIT_NO_CERT(context);
         return ENOENT;
     }
 
@@ -4583,8 +4562,7 @@ pkinit_get_certs_dir(krb5_context context,
         retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx,
                                              certname, keyname, i);
         if (retval == 0) {
-            pkiDebug("%s: Successfully loaded cert (and key) for %s\n",
-                     __FUNCTION__, dentry->d_name);
+            TRACE_PKINIT_LOADED_CERT(context, dentry->d_name);
             i++;
         }
         else
@@ -4592,8 +4570,7 @@ pkinit_get_certs_dir(krb5_context context,
     }
 
     if (!id_cryptoctx->defer_id_prompt && i == 0) {
-        pkiDebug("%s: No cert/key pairs found in directory '%s'\n",
-                 __FUNCTION__, idopts->cert_filename);
+        TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename);
         retval = ENOENT;
         goto cleanup;
     }
@@ -4947,136 +4924,16 @@ cleanup:
     return retval;
 }
 
-/*
- * Get number of certificates available after crypto_load_certs()
- */
-krb5_error_code
-crypto_cert_get_count(krb5_context context,
-                      pkinit_plg_crypto_context plg_cryptoctx,
-                      pkinit_req_crypto_context req_cryptoctx,
-                      pkinit_identity_crypto_context id_cryptoctx,
-                      int *cert_count)
-{
-    int count;
-
-    if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL)
-        return EINVAL;
-
-    for (count = 0;
-         count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL;
-         count++);
-    *cert_count = count;
-    return 0;
-}
-
-
-/*
- * Begin iteration over the certs loaded in crypto_load_certs()
- */
-krb5_error_code
-crypto_cert_iteration_begin(krb5_context context,
-                            pkinit_plg_crypto_context plg_cryptoctx,
-                            pkinit_req_crypto_context req_cryptoctx,
-                            pkinit_identity_crypto_context id_cryptoctx,
-                            pkinit_cert_iter_handle *ih_ret)
-{
-    struct _pkinit_cert_iter_data *id;
-
-    if (id_cryptoctx == NULL || ih_ret == NULL)
-        return EINVAL;
-    if (id_cryptoctx->creds[0] == NULL) /* No cred info available */
-        return ENOENT;
-
-    id = calloc(1, sizeof(*id));
-    if (id == NULL)
-        return ENOMEM;
-    id->magic = ITER_MAGIC;
-    id->plgctx = plg_cryptoctx,
-        id->reqctx = req_cryptoctx,
-        id->idctx = id_cryptoctx;
-    id->index = 0;
-    *ih_ret = (pkinit_cert_iter_handle) id;
-    return 0;
-}
-
-/*
- * End iteration over the certs loaded in crypto_load_certs()
- */
-krb5_error_code
-crypto_cert_iteration_end(krb5_context context,
-                          pkinit_cert_iter_handle ih)
-{
-    struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih;
-
-    if (id == NULL || id->magic != ITER_MAGIC)
-        return EINVAL;
-    free(ih);
-    return 0;
-}
-
-/*
- * Get next certificate handle
- */
-krb5_error_code
-crypto_cert_iteration_next(krb5_context context,
-                           pkinit_cert_iter_handle ih,
-                           pkinit_cert_handle *ch_ret)
-{
-    struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih;
-    struct _pkinit_cert_data *cd;
-    pkinit_identity_crypto_context id_cryptoctx;
-
-    if (id == NULL || id->magic != ITER_MAGIC)
-        return EINVAL;
-
-    if (ch_ret == NULL)
-        return EINVAL;
-
-    id_cryptoctx = id->idctx;
-    if (id_cryptoctx == NULL)
-        return EINVAL;
-
-    if (id_cryptoctx->creds[id->index] == NULL)
-        return PKINIT_ITER_NO_MORE;
-
-    cd = calloc(1, sizeof(*cd));
-    if (cd == NULL)
-        return ENOMEM;
-
-    cd->magic = CERT_MAGIC;
-    cd->plgctx = id->plgctx;
-    cd->reqctx = id->reqctx;
-    cd->idctx = id->idctx;
-    cd->index = id->index;
-    cd->cred = id_cryptoctx->creds[id->index++];
-    *ch_ret = (pkinit_cert_handle)cd;
-    return 0;
-}
-
-/*
- * Release cert handle
- */
-krb5_error_code
-crypto_cert_release(krb5_context context,
-                    pkinit_cert_handle ch)
-{
-    struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
-    if (cd == NULL || cd->magic != CERT_MAGIC)
-        return EINVAL;
-    free(cd);
-    return 0;
-}
-
 /*
  * Get certificate Key Usage and Extended Key Usage
  */
 static krb5_error_code
-crypto_retieve_X509_key_usage(krb5_context context,
-                              pkinit_plg_crypto_context plgcctx,
-                              pkinit_req_crypto_context reqcctx,
-                              X509 *x,
-                              unsigned int *ret_ku_bits,
-                              unsigned int *ret_eku_bits)
+crypto_retrieve_X509_key_usage(krb5_context context,
+                               pkinit_plg_crypto_context plgcctx,
+                               pkinit_req_crypto_context reqcctx,
+                               X509 *x,
+                               unsigned int *ret_ku_bits,
+                               unsigned int *ret_eku_bits)
 {
     krb5_error_code retval = 0;
     int i;
@@ -5145,85 +5002,112 @@ out:
     return retval;
 }
 
-/*
- * Return a string format of an X509_NAME in buf where
- * size is an in/out parameter.  On input it is the size
- * of the buffer, and on output it is the actual length
- * of the name.
- * If buf is NULL, returns the length req'd to hold name
- */
-static char *
-X509_NAME_oneline_ex(X509_NAME * a,
-                     char *buf,
-                     unsigned int *size,
-                     unsigned long flag)
+static krb5_error_code
+rfc2253_name(X509_NAME *name, char **str_out)
 {
-    BIO *out = NULL;
+    BIO *b = NULL;
+    char *str;
 
-    out = BIO_new(BIO_s_mem ());
-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
-            memset(buf, 0, *size);
-            BIO_read(out, buf, (int) BIO_number_written(out));
-        }
-        else {
-            *size = BIO_number_written(out);
-        }
-    }
-    BIO_free(out);
-    return (buf);
+    *str_out = NULL;
+    b = BIO_new(BIO_s_mem());
+    if (b == NULL)
+        return ENOMEM;
+    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
+        goto error;
+    str = calloc(BIO_number_written(b) + 1, 1);
+    if (str == NULL)
+        goto error;
+    BIO_read(b, str, BIO_number_written(b));
+    BIO_free(b);
+    *str_out = str;
+    return 0;
+
+error:
+    BIO_free(b);
+    return ENOMEM;
 }
 
 /*
- * Get certificate information
+ * Get number of certificates available after crypto_load_certs()
  */
-krb5_error_code
-crypto_cert_get_matching_data(krb5_context context,
-                              pkinit_cert_handle ch,
-                              pkinit_cert_matching_data **ret_md)
+static krb5_error_code
+crypto_cert_get_count(pkinit_identity_crypto_context id_cryptoctx,
+                      int *cert_count)
 {
-    krb5_error_code retval;
-    pkinit_cert_matching_data *md;
-    krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
-    struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
-    unsigned int i, j;
-    char buf[DN_BUF_LEN];
-    unsigned int bufsize = sizeof(buf);
+    int count;
 
-    if (cd == NULL || cd->magic != CERT_MAGIC)
-        return EINVAL;
-    if (ret_md == NULL)
+    *cert_count = 0;
+    if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL)
         return EINVAL;
 
-    md = calloc(1, sizeof(*md));
+    for (count = 0;
+         count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL;
+         count++);
+    *cert_count = count;
+    return 0;
+}
+
+void
+crypto_cert_free_matching_data(krb5_context context,
+                               pkinit_cert_matching_data *md)
+{
+    int i;
+
     if (md == NULL)
-        return ENOMEM;
+        return;
+    free(md->subject_dn);
+    free(md->issuer_dn);
+    for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++)
+        krb5_free_principal(context, md->sans[i]);
+    free(md->sans);
+    free(md);
+}
 
-    md->ch = ch;
+/*
+ * Free certificate matching data.
+ */
+void
+crypto_cert_free_matching_data_list(krb5_context context,
+                                    pkinit_cert_matching_data **list)
+{
+    int i;
 
-    /* get the subject name (in rfc2253 format) */
-    X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
-    md->subject_dn = strdup(buf);
-    if (md->subject_dn == NULL) {
-        retval = ENOMEM;
+    for (i = 0; list != NULL && list[i] != NULL; i++)
+        crypto_cert_free_matching_data(context, list[i]);
+    free(list);
+}
+
+/*
+ * Get certificate matching data for cert.
+ */
+static krb5_error_code
+get_matching_data(krb5_context context,
+                  pkinit_plg_crypto_context plg_cryptoctx,
+                  pkinit_req_crypto_context req_cryptoctx, X509 *cert,
+                  pkinit_cert_matching_data **md_out)
+{
+    krb5_error_code ret = ENOMEM;
+    pkinit_cert_matching_data *md = NULL;
+    krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
+    size_t i, j;
+
+    *md_out = NULL;
+
+    md = calloc(1, sizeof(*md));
+    if (md == NULL)
         goto cleanup;
-    }
 
-    /* get the issuer name (in rfc2253 format) */
-    X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
-    md->issuer_dn = strdup(buf);
-    if (md->issuer_dn == NULL) {
-        retval = ENOMEM;
+    ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
+    if (ret)
+        goto cleanup;
+    ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
+    if (ret)
         goto cleanup;
-    }
 
-    /* get the san data */
-    retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,
-                                       cd->cred->cert, &pkinit_sans,
-                                       &upn_sans, NULL);
-    if (retval)
+    /* Get the SAN data. */
+    ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
+                                    cert, &pkinit_sans, &upn_sans, NULL);
+    if (ret)
         goto cleanup;
 
     j = 0;
@@ -5238,7 +5122,7 @@ crypto_cert_get_matching_data(krb5_context context,
     if (j != 0) {
         md->sans = calloc((size_t)j+1, sizeof(*md->sans));
         if (md->sans == NULL) {
-            retval = ENOMEM;
+            ret = ENOMEM;
             goto cleanup;
         }
         j = 0;
@@ -5256,88 +5140,96 @@ crypto_cert_get_matching_data(krb5_context context,
     } else
         md->sans = NULL;
 
-    /* get the KU and EKU data */
-
-    retval = crypto_retieve_X509_key_usage(context, cd->plgctx, cd->reqctx,
-                                           cd->cred->cert,
-                                           &md->ku_bits, &md->eku_bits);
-    if (retval)
+    /* Get the KU and EKU data. */
+    ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx,
+                                         req_cryptoctx, cert, &md->ku_bits,
+                                         &md->eku_bits);
+    if (ret)
         goto cleanup;
 
-    *ret_md = md;
-    retval = 0;
+    *md_out = md;
+    md = NULL;
+
 cleanup:
-    if (retval) {
-        if (md)
-            crypto_cert_free_matching_data(context, md);
-    }
-    return retval;
+    crypto_cert_free_matching_data(context, md);
+    return ret;
 }
 
-/*
- * Free certificate information
- */
 krb5_error_code
-crypto_cert_free_matching_data(krb5_context context,
-                               pkinit_cert_matching_data *md)
+crypto_cert_get_matching_data(krb5_context context,
+                              pkinit_plg_crypto_context plg_cryptoctx,
+                              pkinit_req_crypto_context req_cryptoctx,
+                              pkinit_identity_crypto_context id_cryptoctx,
+                              pkinit_cert_matching_data ***md_out)
 {
-    krb5_principal p;
-    int i;
+    krb5_error_code ret;
+    pkinit_cert_matching_data **md_list = NULL;
+    int count, i;
 
-    if (md == NULL)
-        return EINVAL;
-    if (md->subject_dn)
-        free(md->subject_dn);
-    if (md->issuer_dn)
-        free(md->issuer_dn);
-    if (md->sans) {
-        for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i])
-            krb5_free_principal(context, p);
-        free(md->sans);
+    ret = crypto_cert_get_count(id_cryptoctx, &count);
+    if (ret)
+        goto cleanup;
+
+    md_list = calloc(count + 1, sizeof(*md_list));
+    if (md_list == NULL) {
+        ret = ENOMEM;
+        goto cleanup;
     }
-    free(md);
-    return 0;
+
+    for (i = 0; i < count; i++) {
+        ret = get_matching_data(context, plg_cryptoctx, req_cryptoctx,
+                                id_cryptoctx->creds[i]->cert, &md_list[i]);
+        if (ret) {
+            pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n",
+                     __FUNCTION__, ret, error_message(ret));
+            goto cleanup;
+        }
+    }
+
+    *md_out = md_list;
+    md_list = NULL;
+
+cleanup:
+    crypto_cert_free_matching_data_list(context, md_list);
+    return ret;
 }
 
 /*
- * Make this matching certificate "the chosen one"
+ * Set the certificate in idctx->creds[cred_index] as the selected certificate.
  */
 krb5_error_code
-crypto_cert_select(krb5_context context,
-                   pkinit_cert_matching_data *md)
+crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx,
+                   size_t cred_index)
 {
-    struct _pkinit_cert_data *cd;
-    if (md == NULL)
-        return EINVAL;
+    pkinit_cred_info ci = NULL;
 
-    cd = (struct _pkinit_cert_data *)md->ch;
-    if (cd == NULL || cd->magic != CERT_MAGIC)
-        return EINVAL;
+    if (cred_index >= MAX_CREDS_ALLOWED || idctx->creds[cred_index] == NULL)
+        return ENOENT;
 
+    ci = idctx->creds[cred_index];
     /* copy the selected cert into our id_cryptoctx */
-    if (cd->idctx->my_certs != NULL) {
-        sk_X509_pop_free(cd->idctx->my_certs, X509_free);
-    }
-    cd->idctx->my_certs = sk_X509_new_null();
-    sk_X509_push(cd->idctx->my_certs, cd->cred->cert);
-    free(cd->idctx->identity);
+    if (idctx->my_certs != NULL)
+        sk_X509_pop_free(idctx->my_certs, X509_free);
+    idctx->my_certs = sk_X509_new_null();
+    sk_X509_push(idctx->my_certs, ci->cert);
+    free(idctx->identity);
     /* hang on to the selected credential name */
-    if (cd->idctx->creds[cd->index]->name != NULL)
-        cd->idctx->identity = strdup(cd->idctx->creds[cd->index]->name);
+    if (ci->name != NULL)
+        idctx->identity = strdup(ci->name);
     else
-        cd->idctx->identity = NULL;
-    cd->idctx->creds[cd->index]->cert = NULL;       /* Don't free it twice */
-    cd->idctx->cert_index = 0;
+        idctx->identity = NULL;
 
-    if (cd->idctx->pkcs11_method != 1) {
-        cd->idctx->my_key = cd->cred->key;
-        cd->idctx->creds[cd->index]->key = NULL;    /* Don't free it twice */
+    ci->cert = NULL;       /* Don't free it twice */
+    idctx->cert_index = 0;
+    if (idctx->pkcs11_method != 1) {
+        idctx->my_key = ci->key;
+        ci->key = NULL;    /* Don't free it twice */
     }
 #ifndef WITHOUT_PKCS11
     else {
-        cd->idctx->cert_id = cd->cred->cert_id;
-        cd->idctx->creds[cd->index]->cert_id = NULL; /* Don't free it twice */
-        cd->idctx->cert_id_len = cd->cred->cert_id_len;
+        idctx->cert_id = ci->cert_id;
+        ci->cert_id = NULL; /* Don't free it twice */
+        idctx->cert_id_len = ci->cert_id_len;
     }
 #endif
     return 0;
@@ -5353,19 +5245,14 @@ crypto_cert_select_default(krb5_context context,
                            pkinit_identity_crypto_context id_cryptoctx)
 {
     krb5_error_code retval;
-    int cert_count = 0;
+    int cert_count;
 
-    retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx,
-                                   id_cryptoctx, &cert_count);
-    if (retval) {
-        pkiDebug("%s: crypto_cert_get_count error %d, %s\n",
-                 __FUNCTION__, retval, error_message(retval));
+    retval = crypto_cert_get_count(id_cryptoctx, &cert_count);
+    if (retval)
         goto errout;
-    }
+
     if (cert_count != 1) {
-        pkiDebug("%s: ERROR: There are %d certs to choose from, "
-                 "but there must be exactly one.\n",
-                 __FUNCTION__, cert_count);
+        TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count);
         retval = EINVAL;
         goto errout;
     }
@@ -5513,7 +5400,7 @@ load_cas_and_crls(krb5_context context,
     switch(catype) {
     case CATYPE_ANCHORS:
         if (sk_X509_num(ca_certs) == 0) {
-            pkiDebug("no anchors in file, %s\n", filename);
+            TRACE_PKINIT_NO_CA_ANCHOR(context, filename);
             if (id_cryptoctx->trustedCAs == NULL)
                 sk_X509_free(ca_certs);
         } else {
@@ -5523,7 +5410,7 @@ load_cas_and_crls(krb5_context context,
         break;
     case CATYPE_INTERMEDIATES:
         if (sk_X509_num(ca_certs) == 0) {
-            pkiDebug("no intermediates in file, %s\n", filename);
+            TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename);
             if (id_cryptoctx->intermediateCAs == NULL)
                 sk_X509_free(ca_certs);
         } else {
@@ -5533,7 +5420,7 @@ load_cas_and_crls(krb5_context context,
         break;
     case CATYPE_CRLS:
         if (sk_X509_CRL_num(ca_crls) == 0) {
-            pkiDebug("no crls in file, %s\n", filename);
+            TRACE_PKINIT_NO_CRL(context, filename);
             if (id_cryptoctx->revoked == NULL)
                 sk_X509_CRL_free(ca_crls);
         } else {
@@ -5619,14 +5506,14 @@ crypto_load_cas_and_crls(krb5_context context,
                          int catype,
                          char *id)
 {
-    pkiDebug("%s: called with idtype %s and catype %s\n",
-             __FUNCTION__, idtype2string(idtype), catype2string(catype));
     switch (idtype) {
     case IDTYPE_FILE:
+        TRACE_PKINIT_LOAD_FROM_FILE(context);
         return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx,
                                  id_cryptoctx, catype, id);
         break;
     case IDTYPE_DIR:
+        TRACE_PKINIT_LOAD_FROM_DIR(context);
         return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx,
                                      id_cryptoctx, catype, id);
         break;
@@ -6170,3 +6057,50 @@ crypto_get_deferred_ids(krb5_context context,
     ret = (const pkinit_deferred_id *)deferred;
     return ret;
 }
+
+/* Return the received certificate as DER-encoded data. */
+krb5_error_code
+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
+                       uint8_t **der_out, size_t *der_len)
+{
+    int len;
+    unsigned char *der, *p;
+
+    *der_out = NULL;
+    *der_len = 0;
+
+    if (reqctx->received_cert == NULL)
+        return EINVAL;
+    p = NULL;
+    len = i2d_X509(reqctx->received_cert, NULL);
+    if (len <= 0)
+        return EINVAL;
+    p = der = malloc(len);
+    if (der == NULL)
+        return ENOMEM;
+    if (i2d_X509(reqctx->received_cert, &p) <= 0) {
+        free(der);
+        return EINVAL;
+    }
+    *der_out = der;
+    *der_len = len;
+    return 0;
+}
+
+/*
+ * Get the certificate matching data from the request certificate.
+ */
+krb5_error_code
+crypto_req_cert_matching_data(krb5_context context,
+                              pkinit_plg_crypto_context plgctx,
+                              pkinit_req_crypto_context reqctx,
+                              pkinit_cert_matching_data **md_out)
+{
+    *md_out = NULL;
+
+    if (reqctx == NULL || reqctx->received_cert == NULL)
+        return ENOENT;
+
+    return get_matching_data(context, plgctx, reqctx, reqctx->received_cert,
+                             md_out);
+}
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index 2fe357c5e733..7411348fab8c 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
@@ -115,23 +115,4 @@ struct _pkinit_req_crypto_context {
     DH *dh;
 };
 
-#define CERT_MAGIC 0x53534c43
-struct _pkinit_cert_data {
-    unsigned int magic;
-    pkinit_plg_crypto_context plgctx;
-    pkinit_req_crypto_context reqctx;
-    pkinit_identity_crypto_context idctx;
-    pkinit_cred_info cred;
-    unsigned int index;	    /* Index of this cred in the creds[] array */
-};
-
-#define ITER_MAGIC 0x53534c49
-struct _pkinit_cert_iter_data {
-    unsigned int magic;
-    pkinit_plg_crypto_context plgctx;
-    pkinit_req_crypto_context reqctx;
-    pkinit_identity_crypto_context idctx;
-    unsigned int index;
-};
-
 #endif	/* _PKINIT_CRYPTO_OPENSSL_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 177a2cad82fa..e8997c9351a8 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -93,9 +93,6 @@ idtype2string(int idtype)
     case IDTYPE_PKCS11: return "PKCS11"; break;
     case IDTYPE_PKCS12: return "PKCS12"; break;
     case IDTYPE_ENVVAR: return "ENV"; break;
-#ifdef PKINIT_CRYPTO_IMPL_NSS
-    case IDTYPE_NSS: return "NSS"; break;
-#endif
     default: return "INVALID"; break;
     }
 }
@@ -125,7 +122,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
     opts->anchors = NULL;
     opts->intermediates = NULL;
     opts->crls = NULL;
-    opts->ocsp = NULL;
 
     opts->cert_filename = NULL;
     opts->key_filename = NULL;
@@ -174,12 +170,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
     if (retval)
         goto cleanup;
 
-    if (src_opts->ocsp != NULL) {
-        newopts->ocsp = strdup(src_opts->ocsp);
-        if (newopts->ocsp == NULL)
-            goto cleanup;
-    }
-
     if (src_opts->cert_filename != NULL) {
         newopts->cert_filename = strdup(src_opts->cert_filename);
         if (newopts->cert_filename == NULL)
@@ -413,10 +403,6 @@ process_option_identity(krb5_context context,
             idtype = IDTYPE_DIR;
         } else if (strncmp(value, "ENV:", typelen) == 0) {
             idtype = IDTYPE_ENVVAR;
-#ifdef PKINIT_CRYPTO_IMPL_NSS
-        } else if (strncmp(value, "NSS:", typelen) == 0) {
-            idtype = IDTYPE_NSS;
-#endif
         } else {
             pkiDebug("%s: Unsupported type while processing '%s'\n",
                      __FUNCTION__, value);
@@ -453,13 +439,6 @@ process_option_identity(krb5_context context,
         if (idopts->cert_filename == NULL)
             retval = ENOMEM;
         break;
-#ifdef PKINIT_CRYPTO_IMPL_NSS
-    case IDTYPE_NSS:
-        idopts->cert_filename = strdup(residual);
-        if (idopts->cert_filename == NULL)
-            retval = ENOMEM;
-        break;
-#endif
     default:
         krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
                                _("Internal error parsing "
@@ -496,10 +475,6 @@ process_option_ca_crl(krb5_context context,
         idtype = IDTYPE_FILE;
     } else if (strncmp(value, "DIR:", typelen) == 0) {
         idtype = IDTYPE_DIR;
-#ifdef PKINIT_CRYPTO_IMPL_NSS
-    } else if (strncmp(value, "NSS:", typelen) == 0) {
-        idtype = IDTYPE_NSS;
-#endif
     } else {
         return ENOTSUP;
     }
@@ -615,7 +590,6 @@ pkinit_identity_prompt(krb5_context context,
             retval = pkinit_cert_matching(context, plg_cryptoctx,
                                           req_cryptoctx, id_cryptoctx, princ);
             if (retval) {
-                pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
                 crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                       id_cryptoctx);
                 goto errout;
@@ -628,8 +602,6 @@ pkinit_identity_prompt(krb5_context context,
             retval = crypto_cert_select_default(context, plg_cryptoctx,
                                                 req_cryptoctx, id_cryptoctx);
             if (retval) {
-                pkiDebug("%s: Failed while selecting default certificate\n",
-                         __FUNCTION__);
                 crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                       id_cryptoctx);
                 goto errout;
@@ -674,10 +646,6 @@ pkinit_identity_prompt(krb5_context context,
         if (retval)
             goto errout;
     }
-    if (idopts->ocsp != NULL) {
-        retval = ENOTSUP;
-        goto errout;
-    }
 
 errout:
     return retval;
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index a50c50c8dc92..c1ce84b82641 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -544,7 +544,7 @@ check_all_certs(krb5_context context,
                 rule_set *rs,   /* rule to check */
                 pkinit_cert_matching_data **matchdata,
                 int *match_found,
-                pkinit_cert_matching_data **matching_cert)
+                size_t *match_index)
 {
     krb5_error_code retval;
     pkinit_cert_matching_data *md;
@@ -553,12 +553,12 @@ check_all_certs(krb5_context context,
     int total_cert_matches = 0;
     rule_component *rc;
     int certs_checked = 0;
-    pkinit_cert_matching_data *save_match = NULL;
+    size_t save_index = 0;
 
-    if (match_found == NULL || matching_cert == NULL)
+    if (match_found == NULL || match_index == NULL)
         return EINVAL;
 
-    *matching_cert = NULL;
+    *match_index = 0;
     *match_found = 0;
 
     pkiDebug("%s: matching rule relation is %s with %d components\n",
@@ -590,7 +590,7 @@ check_all_certs(krb5_context context,
                 pkiDebug("%s: cert matches rule (OR relation)\n",
                          __FUNCTION__);
                 total_cert_matches++;
-                save_match = md;
+                save_index = i;
                 goto nextcert;
             }
             if (!comp_match && rs->relation == relation_and) {
@@ -602,7 +602,7 @@ check_all_certs(krb5_context context,
         if (rc == NULL && comp_match) {
             pkiDebug("%s: cert matches rule (AND relation)\n", __FUNCTION__);
             total_cert_matches++;
-            save_match = md;
+            save_index = i;
         }
     nextcert:
         continue;
@@ -611,7 +611,7 @@ check_all_certs(krb5_context context,
              __FUNCTION__, certs_checked, total_cert_matches);
     if (total_cert_matches == 1) {
         *match_found = 1;
-        *matching_cert = save_match;
+        *match_index = save_index;
     }
 
     retval = 0;
@@ -621,111 +621,6 @@ check_all_certs(krb5_context context,
     return retval;
 }
 
-static krb5_error_code
-free_all_cert_matching_data(krb5_context context,
-                            pkinit_cert_matching_data **matchdata)
-{
-    krb5_error_code retval;
-    pkinit_cert_matching_data *md;
-    int i;
-
-    if (matchdata == NULL)
-        return EINVAL;
-
-    for (i = 0, md = matchdata[i]; md != NULL; md = matchdata[++i]) {
-        pkinit_cert_handle ch = md->ch;
-        retval = crypto_cert_free_matching_data(context, md);
-        if (retval) {
-            pkiDebug("%s: crypto_cert_free_matching_data error %d, %s\n",
-                     __FUNCTION__, retval, error_message(retval));
-            goto cleanup;
-        }
-        retval = crypto_cert_release(context, ch);
-        if (retval) {
-            pkiDebug("%s: crypto_cert_release error %d, %s\n",
-                     __FUNCTION__, retval, error_message(retval));
-            goto cleanup;
-        }
-    }
-    free(matchdata);
-    retval = 0;
-
-cleanup:
-    return retval;
-}
-
-static krb5_error_code
-obtain_all_cert_matching_data(krb5_context context,
-                              pkinit_plg_crypto_context plg_cryptoctx,
-                              pkinit_req_crypto_context req_cryptoctx,
-                              pkinit_identity_crypto_context id_cryptoctx,
-                              pkinit_cert_matching_data ***all_matching_data)
-{
-    krb5_error_code retval;
-    int i, cert_count;
-    pkinit_cert_iter_handle ih = NULL;
-    pkinit_cert_handle ch;
-    pkinit_cert_matching_data **matchdata = NULL;
-
-    retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx,
-                                   id_cryptoctx, &cert_count);
-    if (retval) {
-        pkiDebug("%s: crypto_cert_get_count error %d, %s\n",
-                 __FUNCTION__, retval, error_message(retval));
-        goto cleanup;
-    }
-
-    pkiDebug("%s: crypto_cert_get_count says there are %d certs\n",
-             __FUNCTION__, cert_count);
-
-    matchdata = calloc((size_t)cert_count + 1, sizeof(*matchdata));
-    if (matchdata == NULL)
-        return ENOMEM;
-
-    retval = crypto_cert_iteration_begin(context, plg_cryptoctx, req_cryptoctx,
-                                         id_cryptoctx, &ih);
-    if (retval) {
-        pkiDebug("%s: crypto_cert_iteration_begin returned %d, %s\n",
-                 __FUNCTION__, retval, error_message(retval));
-        goto cleanup;
-    }
-
-    for (i = 0; i < cert_count; i++) {
-        retval = crypto_cert_iteration_next(context, ih, &ch);
-        if (retval) {
-            if (retval == PKINIT_ITER_NO_MORE)
-                pkiDebug("%s: We thought there were %d certs, but "
-                         "crypto_cert_iteration_next stopped after %d?\n",
-                         __FUNCTION__, cert_count, i);
-            else
-                pkiDebug("%s: crypto_cert_iteration_next error %d, %s\n",
-                         __FUNCTION__, retval, error_message(retval));
-            goto cleanup;
-        }
-
-        retval = crypto_cert_get_matching_data(context, ch, &matchdata[i]);
-        if (retval) {
-            pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n",
-                     __FUNCTION__, retval, error_message(retval));
-            goto cleanup;
-        }
-
-    }
-
-    *all_matching_data = matchdata;
-    retval = 0;
-cleanup:
-    if (ih != NULL)
-        crypto_cert_iteration_end(context, ih);
-    if (retval) {
-        if (matchdata != NULL)
-            free_all_cert_matching_data(context, matchdata);
-    }
-    pkiDebug("%s: returning %d, certinfo %p\n",
-             __FUNCTION__, retval, *all_matching_data);
-    return retval;
-}
-
 krb5_error_code
 pkinit_cert_matching(krb5_context context,
                      pkinit_plg_crypto_context plg_cryptoctx,
@@ -740,7 +635,7 @@ pkinit_cert_matching(krb5_context context,
     rule_set *rs = NULL;
     int match_found = 0;
     pkinit_cert_matching_data **matchdata = NULL;
-    pkinit_cert_matching_data *the_matching_cert = NULL;
+    size_t match_index = 0;
 
     /* If no matching rules, select the default cert and we're done */
     pkinit_libdefault_strings(context, krb5_princ_realm(context, princ),
@@ -777,7 +672,7 @@ pkinit_cert_matching(krb5_context context,
          * until we are done.
          */
         if (matchdata == NULL) {
-            retval = obtain_all_cert_matching_data(context, plg_cryptoctx,
+            retval = crypto_cert_get_matching_data(context, plg_cryptoctx,
                                                    req_cryptoctx, id_cryptoctx,
                                                    &matchdata);
             if (retval || matchdata == NULL) {
@@ -790,7 +685,7 @@ pkinit_cert_matching(krb5_context context,
 
         retval = check_all_certs(context, plg_cryptoctx, req_cryptoctx,
                                  id_cryptoctx, princ, rs, matchdata,
-                                 &match_found, &the_matching_cert);
+                                 &match_found, &match_index);
         if (retval) {
             pkiDebug("%s: Error %d, checking certs against rule '%s'\n",
                      __FUNCTION__, retval, rules[x]);
@@ -803,26 +698,62 @@ pkinit_cert_matching(krb5_context context,
         }
     }
 
-    if (match_found && the_matching_cert != NULL) {
+    if (match_found) {
         pkiDebug("%s: Selecting the matching cert!\n", __FUNCTION__);
-        retval = crypto_cert_select(context, the_matching_cert);
+        retval = crypto_cert_select(context, id_cryptoctx, match_index);
         if (retval) {
             pkiDebug("%s: crypto_cert_select error %d, %s\n",
                      __FUNCTION__, retval, error_message(retval));
             goto cleanup;
         }
     } else {
+        TRACE_PKINIT_NO_MATCHING_CERT(context);
         retval = ENOENT;    /* XXX */
         goto cleanup;
     }
 
     retval = 0;
+
 cleanup:
-    if (rules != NULL)
-        profile_free_list(rules);
-    if (rs != NULL)
-        free_rule_set(context, rs);
-    if (matchdata != NULL)
-        free_all_cert_matching_data(context, matchdata);
+    profile_free_list(rules);
+    free_rule_set(context, rs);
+    crypto_cert_free_matching_data_list(context, matchdata);
     return retval;
 }
+
+krb5_error_code
+pkinit_client_cert_match(krb5_context context,
+                         pkinit_plg_crypto_context plgctx,
+                         pkinit_req_crypto_context reqctx,
+                         const char *match_rule,
+                         krb5_boolean *matched)
+{
+    krb5_error_code ret;
+    pkinit_cert_matching_data *md = NULL;
+    rule_component *rc = NULL;
+    int comp_match = 0;
+    rule_set *rs = NULL;
+
+    *matched = FALSE;
+    ret = parse_rule_set(context, match_rule, &rs);
+    if (ret)
+        goto cleanup;
+
+    ret = crypto_req_cert_matching_data(context, plgctx, reqctx, &md);
+    if (ret)
+        goto cleanup;
+
+    for (rc = rs->crs; rc != NULL; rc = rc->next) {
+        comp_match = component_match(context, rc, md);
+        if ((comp_match && rs->relation == relation_or) ||
+            (!comp_match && rs->relation == relation_and)) {
+            break;
+        }
+    }
+    *matched = comp_match;
+
+cleanup:
+    free_rule_set(context, rs);
+    crypto_cert_free_matching_data(context, md);
+    return ret;
+}
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 295be25e18bf..4e9685885f80 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -31,6 +31,25 @@
 
 #include <k5-int.h>
 #include "pkinit.h"
+#include "krb5/certauth_plugin.h"
+
+/* Aliases used by the built-in certauth modules */
+struct certauth_req_opts {
+    krb5_kdcpreauth_callbacks cb;
+    krb5_kdcpreauth_rock rock;
+    pkinit_kdc_context plgctx;
+    pkinit_kdc_req_context reqctx;
+};
+
+typedef struct certauth_module_handle_st {
+    struct krb5_certauth_vtable_st vt;
+    krb5_certauth_moddata moddata;
+} *certauth_handle;
+
+struct krb5_kdcpreauth_moddata_st {
+    pkinit_kdc_context *realm_contexts;
+    certauth_handle *certauth_modules;
+};
 
 static krb5_error_code
 pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
@@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context,
                           krb5_kdcpreauth_moddata moddata,
                           krb5_principal princ);
 
+static void
+free_realm_contexts(krb5_context context, pkinit_kdc_context *realm_contexts)
+{
+    int i;
+
+    if (realm_contexts == NULL)
+        return;
+    for (i = 0; realm_contexts[i] != NULL; i++)
+        pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
+    pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
+    free(realm_contexts);
+}
+
+static void
+free_certauth_handles(krb5_context context, certauth_handle *list)
+{
+    int i;
+
+    if (list == NULL)
+        return;
+    for (i = 0; list[i] != NULL; i++) {
+        if (list[i]->vt.fini != NULL)
+            list[i]->vt.fini(context, list[i]->moddata);
+        free(list[i]);
+    }
+    free(list);
+}
+
 static krb5_error_code
 pkinit_create_edata(krb5_context context,
                     pkinit_plg_crypto_context plg_cryptoctx,
@@ -121,7 +168,9 @@ static krb5_error_code
 verify_client_san(krb5_context context,
                   pkinit_kdc_context plgctx,
                   pkinit_kdc_req_context reqctx,
-                  krb5_principal client,
+                  krb5_kdcpreauth_callbacks cb,
+                  krb5_kdcpreauth_rock rock,
+                  krb5_const_principal client,
                   int *valid_san)
 {
     krb5_error_code retval;
@@ -132,6 +181,7 @@ verify_client_san(krb5_context context,
     char *client_string = NULL, *san_string;
 #endif
 
+    *valid_san = 0;
     retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx,
                                        reqctx->cryptoctx, plgctx->idctx,
                                        &princs,
@@ -142,6 +192,13 @@ verify_client_san(krb5_context context,
         retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
         goto out;
     }
+
+    if (princs == NULL && upns == NULL) {
+        TRACE_PKINIT_SERVER_NO_SAN(context);
+        retval = ENOENT;
+        goto out;
+    }
+
     /* XXX Verify this is consistent with client side XXX */
 #if 0
     retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
@@ -171,8 +228,8 @@ verify_client_san(krb5_context context,
                  __FUNCTION__, client_string, san_string);
         krb5_free_unparsed_name(context, san_string);
 #endif
-        if (krb5_principal_compare(context, princs[i], client)) {
-            pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
+        if (cb->match_client(context, rock, princs[i])) {
+            TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context);
             *valid_san = 1;
             retval = 0;
             goto out;
@@ -199,8 +256,8 @@ verify_client_san(krb5_context context,
                  __FUNCTION__, client_string, san_string);
         krb5_free_unparsed_name(context, san_string);
 #endif
-        if (krb5_principal_compare(context, upns[i], client)) {
-            pkiDebug("%s: upn san match found\n", __FUNCTION__);
+        if (cb->match_client(context, rock, upns[i])) {
+            TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
             *valid_san = 1;
             retval = 0;
             goto out;
@@ -248,7 +305,7 @@ verify_client_eku(krb5_context context,
     *eku_accepted = 0;
 
     if (plgctx->opts->require_eku == 0) {
-        pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__);
+        TRACE_PKINIT_SERVER_EKU_SKIP(context);
         *eku_accepted = 1;
         retval = 0;
         goto out;
@@ -271,6 +328,74 @@ out:
     return retval;
 }
 
+
+/* Run the received, verified certificate through certauth modules, to verify
+ * that it is authorized to authenticate as client. */
+static krb5_error_code
+authorize_cert(krb5_context context, certauth_handle *certauth_modules,
+               pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx,
+               krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
+               krb5_principal client)
+{
+    krb5_error_code ret;
+    certauth_handle h;
+    struct certauth_req_opts opts;
+    krb5_boolean accepted = FALSE;
+    uint8_t *cert;
+    size_t i, cert_len;
+    void *db_ent = NULL;
+    char **ais = NULL, **ai = NULL;
+
+    /* Re-encode the received certificate into DER, which is extra work, but
+     * avoids creating an X.509 library dependency in the interface. */
+    ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len);
+    if (ret)
+        goto cleanup;
+
+    /* Set options for the builtin module. */
+    opts.plgctx = plgctx;
+    opts.reqctx = reqctx;
+    opts.cb = cb;
+    opts.rock = rock;
+
+    db_ent = cb->client_entry(context, rock);
+
+    /*
+     * Check the certificate against each certauth module.  For the certificate
+     * to be authorized at least one module must return 0, and no module can an
+     * error code other than KRB5_PLUGIN_NO_HANDLE (pass).  Add indicators from
+     * modules that return 0 or pass.
+     */
+    ret = KRB5_PLUGIN_NO_HANDLE;
+    for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
+        h = certauth_modules[i];
+        TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name);
+        ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
+                              &opts, db_ent, &ais);
+        if (ret == 0)
+            accepted = TRUE;
+        else if (ret != KRB5_PLUGIN_NO_HANDLE)
+            goto cleanup;
+
+        if (ais != NULL) {
+            /* Assert authentication indicators from the module. */
+            for (ai = ais; *ai != NULL; ai++) {
+                ret = cb->add_auth_indicator(context, rock, *ai);
+                if (ret)
+                    goto cleanup;
+            }
+            h->vt.free_ind(context, h->moddata, ais);
+            ais = NULL;
+        }
+    }
+
+    ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+
+cleanup:
+    free(cert);
+    return ret;
+}
+
 static void
 pkinit_server_verify_padata(krb5_context context,
                             krb5_data *req_pkt,
@@ -293,7 +418,6 @@ pkinit_server_verify_padata(krb5_context context,
     pkinit_kdc_req_context reqctx = NULL;
     krb5_checksum cksum = {0, 0, 0, NULL};
     krb5_data *der_req = NULL;
-    int valid_eku = 0, valid_san = 0;
     krb5_data k5data;
     int is_signed = 1;
     krb5_pa_data **e_data = NULL;
@@ -331,7 +455,7 @@ pkinit_server_verify_padata(krb5_context context,
 
     switch ((int)data->pa_type) {
     case KRB5_PADATA_PK_AS_REQ:
-        pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n");
+        TRACE_PKINIT_SERVER_PADATA_VERIFY(context);
         retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp);
         if (retval) {
             pkiDebug("decode_krb5_pa_pk_as_req failed\n");
@@ -354,7 +478,7 @@ pkinit_server_verify_padata(krb5_context context,
         break;
     case KRB5_PADATA_PK_AS_REP_OLD:
     case KRB5_PADATA_PK_AS_REQ_OLD:
-        pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n");
+        TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context);
         retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9);
         if (retval) {
             pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n");
@@ -382,31 +506,15 @@ pkinit_server_verify_padata(krb5_context context,
         goto cleanup;
     }
     if (retval) {
-        pkiDebug("pkcs7_signeddata_verify failed\n");
+        TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context);
         goto cleanup;
     }
     if (is_signed) {
-
-        retval = verify_client_san(context, plgctx, reqctx, request->client,
-                                   &valid_san);
-        if (retval)
-            goto cleanup;
-        if (!valid_san) {
-            pkiDebug("%s: did not find an acceptable SAN in user "
-                     "certificate\n", __FUNCTION__);
-            retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
-            goto cleanup;
-        }
-        retval = verify_client_eku(context, plgctx, reqctx, &valid_eku);
+        retval = authorize_cert(context, moddata->certauth_modules, plgctx,
+                                reqctx, cb, rock, request->client);
         if (retval)
             goto cleanup;
 
-        if (!valid_eku) {
-            pkiDebug("%s: did not find an acceptable EKU in user "
-                     "certificate\n", __FUNCTION__);
-            retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
-            goto cleanup;
-        }
     } else { /* !is_signed */
         if (!krb5_principal_compare(context, request->client,
                                     krb5_anonymous_principal())) {
@@ -728,7 +836,7 @@ pkinit_server_return_padata(krb5_context context,
         return ENOENT;
     }
 
-    pkiDebug("pkinit_return_padata: entered!\n");
+    TRACE_PKINIT_SERVER_RETURN_PADATA(context);
     reqctx = (pkinit_kdc_req_context)modreq;
 
     if (encrypting_key->contents) {
@@ -1150,7 +1258,7 @@ static krb5_error_code
 pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 {
     krb5_error_code retval;
-    char *eku_string = NULL;
+    char *eku_string = NULL, *ocsp_check = NULL;
 
     pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
     retval = pkinit_kdcdefault_string(context, plgctx->realmname,
@@ -1185,7 +1293,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 
     pkinit_kdcdefault_string(context, plgctx->realmname,
                              KRB5_CONF_PKINIT_KDC_OCSP,
-                             &plgctx->idopts->ocsp);
+                             &ocsp_check);
+    if (ocsp_check != NULL) {
+        free(ocsp_check);
+        retval = ENOTSUP;
+        krb5_set_error_message(context, retval,
+                               _("OCSP is not supported: (realm: %s)"),
+                               plgctx->realmname);
+        goto errout;
+    }
 
     pkinit_kdcdefault_integer(context, plgctx->realmname,
                               KRB5_CONF_PKINIT_DH_MIN_BITS,
@@ -1243,11 +1359,15 @@ pkinit_find_realm_context(krb5_context context,
                           krb5_principal princ)
 {
     int i;
-    pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
+    pkinit_kdc_context *realm_contexts;
 
     if (moddata == NULL)
         return NULL;
 
+    realm_contexts = moddata->realm_contexts;
+    if (realm_contexts == NULL)
+        return NULL;
+
     for (i = 0; realm_contexts[i] != NULL; i++) {
         pkinit_kdc_context p = realm_contexts[i];
 
@@ -1329,6 +1449,211 @@ errout:
     return retval;
 }
 
+static krb5_error_code
+pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
+                     const uint8_t *cert, size_t cert_len,
+                     krb5_const_principal princ, const void *opts,
+                     const struct _krb5_db_entry_new *db_entry,
+                     char ***authinds_out)
+{
+    krb5_error_code ret;
+    int valid_san;
+    const struct certauth_req_opts *req_opts = opts;
+
+    *authinds_out = NULL;
+
+    ret = verify_client_san(context, req_opts->plgctx, req_opts->reqctx,
+                            req_opts->cb, req_opts->rock, princ, &valid_san);
+    if (ret == ENOENT)
+        return KRB5_PLUGIN_NO_HANDLE;
+    else if (ret)
+        return ret;
+
+    if (!valid_san) {
+        TRACE_PKINIT_SERVER_SAN_REJECT(context);
+        return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+                     const uint8_t *cert, size_t cert_len,
+                     krb5_const_principal princ, const void *opts,
+                     const struct _krb5_db_entry_new *db_entry,
+                     char ***authinds_out)
+{
+    krb5_error_code ret;
+    int valid_eku;
+    const struct certauth_req_opts *req_opts = opts;
+
+    *authinds_out = NULL;
+
+    /* Verify the client EKU. */
+    ret = verify_client_eku(context, req_opts->plgctx, req_opts->reqctx,
+                            &valid_eku);
+    if (ret)
+        return ret;
+
+    if (!valid_eku) {
+        TRACE_PKINIT_SERVER_EKU_REJECT(context);
+        return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+    }
+
+    return KRB5_PLUGIN_NO_HANDLE;
+}
+
+static krb5_error_code
+certauth_pkinit_san_initvt(krb5_context context, int maj_ver, int min_ver,
+                           krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_certauth_vtable)vtable;
+    vt->name = "pkinit_san";
+    vt->authorize = pkinit_san_authorize;
+    return 0;
+}
+
+static krb5_error_code
+certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver,
+                           krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_certauth_vtable)vtable;
+    vt->name = "pkinit_eku";
+    vt->authorize = pkinit_eku_authorize;
+    return 0;
+}
+
+/*
+ * Do certificate auth based on a match expression in the pkinit_cert_match
+ * attribute string.  An expression should be in the same form as those used
+ * for the pkinit_cert_match configuration option.
+ */
+static krb5_error_code
+dbmatch_authorize(krb5_context context, krb5_certauth_moddata moddata,
+                  const uint8_t *cert, size_t cert_len,
+                  krb5_const_principal princ, const void *opts,
+                  const struct _krb5_db_entry_new *db_entry,
+                  char ***authinds_out)
+{
+    krb5_error_code ret;
+    const struct certauth_req_opts *req_opts = opts;
+    char *pattern;
+    krb5_boolean matched;
+
+    *authinds_out = NULL;
+
+    /* Fetch the matching pattern.  Pass if it isn't specified. */
+    ret = req_opts->cb->get_string(context, req_opts->rock,
+                                   "pkinit_cert_match", &pattern);
+    if (ret)
+        return ret;
+    if (pattern == NULL)
+        return KRB5_PLUGIN_NO_HANDLE;
+
+    /* Check the certificate against the match expression. */
+    ret = pkinit_client_cert_match(context, req_opts->plgctx->cryptoctx,
+                                   req_opts->reqctx->cryptoctx, pattern,
+                                   &matched);
+    req_opts->cb->free_string(context, req_opts->rock, pattern);
+    if (ret)
+        return ret;
+    return matched ? 0 : KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+}
+
+static krb5_error_code
+certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver,
+                        krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_certauth_vtable)vtable;
+    vt->name = "dbmatch";
+    vt->authorize = dbmatch_authorize;
+    return 0;
+}
+
+static krb5_error_code
+load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
+{
+    krb5_error_code ret;
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
+    certauth_handle *list = NULL, h;
+    size_t count;
+
+    /* Register the builtin modules. */
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
+                             "pkinit_san", certauth_pkinit_san_initvt);
+    if (ret)
+        goto cleanup;
+
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
+                             "pkinit_eku", certauth_pkinit_eku_initvt);
+    if (ret)
+        goto cleanup;
+
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, "dbmatch",
+                             certauth_dbmatch_initvt);
+    if (ret)
+        goto cleanup;
+
+    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules);
+    if (ret)
+        goto cleanup;
+
+    /* Allocate handle list. */
+    for (count = 0; modules[count]; count++);
+    list = k5calloc(count + 1, sizeof(*list), &ret);
+    if (list == NULL)
+        goto cleanup;
+
+    /* Initialize each module, ignoring ones that fail. */
+    count = 0;
+    for (mod = modules; *mod != NULL; mod++) {
+        h = k5calloc(1, sizeof(*h), &ret);
+        if (h == NULL)
+            goto cleanup;
+
+        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        if (ret) {
+            TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
+            free(h);
+            continue;
+        }
+        h->moddata = NULL;
+        if (h->vt.init != NULL) {
+            ret = h->vt.init(context, &h->moddata);
+            if (ret) {
+                TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
+                free(h);
+                continue;
+            }
+        }
+        list[count++] = h;
+        list[count] = NULL;
+    }
+    list[count] = NULL;
+
+    ret = 0;
+    *handle_out = list;
+    list = NULL;
+
+cleanup:
+    k5_plugin_free_modules(context, modules);
+    free_certauth_handles(context, list);
+    return ret;
+}
+
 static int
 pkinit_server_plugin_init(krb5_context context,
                           krb5_kdcpreauth_moddata *moddata_out,
@@ -1336,6 +1661,8 @@ pkinit_server_plugin_init(krb5_context context,
 {
     krb5_error_code retval = ENOMEM;
     pkinit_kdc_context plgctx, *realm_contexts = NULL;
+    certauth_handle *certauth_modules = NULL;
+    krb5_kdcpreauth_moddata moddata;
     size_t  i, j;
     size_t numrealms;
 
@@ -1352,30 +1679,43 @@ pkinit_server_plugin_init(krb5_context context,
         return ENOMEM;
 
     for (i = 0, j = 0; i < numrealms; i++) {
-        pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]);
-        retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
-        if (retval == 0 && plgctx != NULL)
+        TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
+        krb5_clear_error_message(context);
+        retval = pkinit_server_plugin_init_realm(context, realmnames[i],
+                                                 &plgctx);
+        if (retval)
+            TRACE_PKINIT_SERVER_INIT_FAIL(context, realmnames[i], retval);
+        else
             realm_contexts[j++] = plgctx;
     }
 
     if (j == 0) {
-        retval = EINVAL;
-        krb5_set_error_message(context, retval,
-                               _("No realms configured correctly for pkinit "
-                                 "support"));
+        if (numrealms == 1) {
+            k5_prependmsg(context, retval, "PKINIT initialization failed");
+        } else {
+            retval = EINVAL;
+            k5_setmsg(context, retval,
+                      _("No realms configured correctly for pkinit support"));
+        }
         goto errout;
     }
 
-    *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts;
-    retval = 0;
-    pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts);
+    retval = load_certauth_plugins(context, &certauth_modules);
+    if (retval)
+        goto errout;
 
-errout:
-    if (retval) {
-        pkinit_server_plugin_fini(context,
-                                  (krb5_kdcpreauth_moddata)realm_contexts);
-    }
+    moddata = k5calloc(1, sizeof(*moddata), &retval);
+    if (moddata == NULL)
+        goto errout;
+    moddata->realm_contexts = realm_contexts;
+    moddata->certauth_modules = certauth_modules;
+    *moddata_out = moddata;
+    pkiDebug("%s: returning context at %p\n", __FUNCTION__, moddata);
+    return 0;
 
+errout:
+    free_realm_contexts(context, realm_contexts);
+    free_certauth_handles(context, certauth_modules);
     return retval;
 }
 
@@ -1403,17 +1743,11 @@ static void
 pkinit_server_plugin_fini(krb5_context context,
                           krb5_kdcpreauth_moddata moddata)
 {
-    pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
-    int i;
-
-    if (realm_contexts == NULL)
+    if (moddata == NULL)
         return;
-
-    for (i = 0; realm_contexts[i] != NULL; i++) {
-        pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
-    }
-    pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
-    free(realm_contexts);
+    free_realm_contexts(context, moddata->realm_contexts);
+    free_certauth_handles(context, moddata->certauth_modules);
+    free(moddata);
 }
 
 static krb5_error_code
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
index b3f5cbb20e18..d4eb39d88b95 100644
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
@@ -47,12 +47,14 @@
 #define TRACE_PKINIT_CLIENT_KDF_OS2K(c, keyblock)                       \
     TRACE(c, "PKINIT client used octetstring2key to compute reply key " \
           "{keyblock}", keyblock)
+#define TRACE_PKINIT_CLIENT_NO_DRAFT9(c)                                \
+    TRACE(c, "PKINIT client ignoring draft 9 offer from RFC 4556 KDC")
 #define TRACE_PKINIT_CLIENT_NO_IDENTITY(c)                              \
     TRACE(c, "PKINIT client has no configured identity; giving up")
 #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received)    \
     TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, "      \
           "received {cksum}", expected, received)
-#define TRACE_PKINIT_CLIENT_REP_DH(c)                   \
+#define TRACE_PKINIT_CLIENT_REP_DH(c)           \
     TRACE(c, "PKINIT client verified DH reply")
 #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c)              \
     TRACE(c, "PKINIT client could not verify DH reply")
@@ -91,4 +93,78 @@
 #define TRACE_PKINIT_OPENSSL_ERROR(c, msg)              \
     TRACE(c, "PKINIT OpenSSL error: {str}", msg)
 
+#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname)                       \
+    TRACE(c, "PKINIT server authorizing cert with module {str}",        \
+          modname)
+#define TRACE_PKINIT_SERVER_EKU_REJECT(c)                               \
+    TRACE(c, "PKINIT server found no acceptable EKU in client cert")
+#define TRACE_PKINIT_SERVER_EKU_SKIP(c)                                 \
+    TRACE(c, "PKINIT server skipping EKU check due to configuration")
+#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm)                \
+    TRACE(c, "PKINIT server initializing realm {str}", realm)
+#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval)                 \
+    TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \
+          realm, retval)
+#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c)                       \
+    TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
+#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c)                       \
+    TRACE(c, "PKINIT server found a matching SAN in client cert")
+#define TRACE_PKINIT_SERVER_NO_SAN(c)                           \
+    TRACE(c, "PKINIT server found no SAN in client cert")
+#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c)                    \
+    TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ")
+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c)                        \
+    TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD")
+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c)       \
+    TRACE(c, "PKINIT server failed to verify PA data")
+#define TRACE_PKINIT_SERVER_RETURN_PADATA(c)    \
+    TRACE(c, "PKINIT server returning PA data")
+#define TRACE_PKINIT_SERVER_SAN_REJECT(c)                               \
+    TRACE(c, "PKINIT server found no acceptable SAN in client cert")
+
+#define TRACE_PKINIT_EKU(c)                                             \
+    TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")
+#define TRACE_PKINIT_EKU_NO_KU(c)                                       \
+    TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")
+#define TRACE_PKINIT_LOADED_CERT(c, name)                       \
+    TRACE(c, "PKINIT loaded cert and key for {str}", name)
+#define TRACE_PKINIT_LOAD_FROM_FILE(c)                          \
+    TRACE(c, "PKINIT loading CA certs and CRLs from FILE")
+#define TRACE_PKINIT_LOAD_FROM_DIR(c)                           \
+    TRACE(c, "PKINIT loading CA certs and CRLs from DIR")
+#define TRACE_PKINIT_NO_CA_ANCHOR(c, file)              \
+    TRACE(c, "PKINIT no anchor CA in file {str}", file)
+#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file)                \
+    TRACE(c, "PKINIT no intermediate CA in file {str}", file)
+#define TRACE_PKINIT_NO_CERT(c)                 \
+    TRACE(c, "PKINIT no certificate provided")
+#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname)                        \
+    TRACE(c, "PKINIT no cert and key pair found in directory {str}",    \
+          dirname)
+#define TRACE_PKINIT_NO_CRL(c, file)                    \
+    TRACE(c, "PKINIT no CRL in file {str}", file)
+#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count)                          \
+    TRACE(c, "PKINIT error: There are {int} certs, but there must "     \
+          "be exactly one.", count)
+#define TRACE_PKINIT_NO_MATCHING_CERT(c)                \
+    TRACE(c, "PKINIT no matching certificate found")
+#define TRACE_PKINIT_NO_PRIVKEY(c)              \
+    TRACE(c, "PKINIT no private key provided")
+#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name)                          \
+    TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name)
+#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err)                       \
+    TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}",    \
+          name, err)
+#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c)                           \
+    TRACE(c, "PKINIT initial PKCS12_parse with no password failed")
+#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c)                          \
+    TRACE(c, "PKINIT second PKCS12_parse with password failed")
+#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c)                        \
+    TRACE(c, "PKINIT failed to prompt for PKCS12 password")
+
+#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret)                              \
+    TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
+#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret)                          \
+    TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret)
+
 #endif /* PKINIT_TRACE_H */
diff --git a/src/plugins/preauth/test/Makefile.in b/src/plugins/preauth/test/Makefile.in
index ac3cb8155bb2..77321b60f5e2 100644
--- a/src/plugins/preauth/test/Makefile.in
+++ b/src/plugins/preauth/test/Makefile.in
@@ -9,9 +9,9 @@ RELDIR=../plugins/preauth/test
 SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
 SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
 
-STLIBOBJS=cltest.o kdctest.o
+STLIBOBJS=cltest.o kdctest.o common.o
 
-SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c
+SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c $(srcdir)/common.c
 
 all-unix: all-liblinks
 install-unix: install-libs
diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c
index 4c31e1c0f8b2..f5f7c5aba167 100644
--- a/src/plugins/preauth/test/cltest.c
+++ b/src/plugins/preauth/test/cltest.c
@@ -1,7 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /* plugins/preauth/test/cltest.c - Test clpreauth module */
 /*
- * Copyright (C) 2015 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 
 /*
  * This module is used to test preauth interface features.  At this time, the
- * clpreauth module does two things:
+ * clpreauth module does the following:
  *
  * - It decrypts a message from the initial KDC pa-data using the reply key and
  *   prints it to stdout.  (The unencrypted message "no key" can also be
@@ -45,17 +45,27 @@
  *   it to the server, instructing the kdcpreauth module to assert one or more
  *   space-separated authentication indicators.  (This string is sent on both
  *   round trips if a second round trip is requested.)
+ *
+ * - If a KDC_ERR_ENCTYPE_NOSUPP error with e-data is received, it prints the
+ *   accompanying error padata and sends a follow-up request containing
+ *   "tryagain".
+ *
+ * - If the "fail_optimistic", "fail_2rt", or "fail_tryagain" gic options are
+ *   set, it fails with a recognizable error string at the requested point in
+ *   processing.
  */
 
 #include "k5-int.h"
 #include <krb5/clpreauth_plugin.h>
-
-#define TEST_PA_TYPE -123
+#include "common.h"
 
 static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 };
 
 struct client_state {
     char *indicators;
+    krb5_boolean fail_optimistic;
+    krb5_boolean fail_2rt;
+    krb5_boolean fail_tryagain;
 };
 
 struct client_request_state {
@@ -70,6 +80,7 @@ test_init(krb5_context context, krb5_clpreauth_moddata *moddata_out)
     st = malloc(sizeof(*st));
     assert(st != NULL);
     st->indicators = NULL;
+    st->fail_optimistic = st->fail_2rt = st->fail_tryagain = FALSE;
     *moddata_out = (krb5_clpreauth_moddata)st;
     return 0;
 }
@@ -114,7 +125,6 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
     struct client_state *st = (struct client_state *)moddata;
     struct client_request_state *reqst = (struct client_request_state *)modreq;
     krb5_error_code ret;
-    krb5_pa_data **list, *pa;
     krb5_keyblock *k;
     krb5_enc_data enc;
     krb5_data plain;
@@ -123,20 +133,18 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
     if (pa_data->length == 0) {
         /* This is an optimistic preauth test.  Send a recognizable padata
          * value so the KDC knows not to expect a cookie. */
-        list = k5calloc(2, sizeof(*list), &ret);
-        assert(!ret);
-        pa = k5alloc(sizeof(*pa), &ret);
-        assert(!ret);
-        pa->pa_type = TEST_PA_TYPE;
-        pa->contents = (uint8_t *)strdup("optimistic");
-        assert(pa->contents != NULL);
-        pa->length = 10;
-        list[0] = pa;
-        list[1] = NULL;
-        *out_pa_data = list;
+        if (st->fail_optimistic) {
+            k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced optimistic fail");
+            return KRB5_PREAUTH_FAILED;
+        }
+        *out_pa_data = make_pa_list("optimistic", 10);
         return 0;
     } else if (reqst->second_round_trip) {
         printf("2rt: %.*s\n", pa_data->length, pa_data->contents);
+        if (st->fail_2rt) {
+            k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced 2rt fail");
+            return KRB5_PREAUTH_FAILED;
+        }
     } else if (pa_data->length == 6 &&
                memcmp(pa_data->contents, "no key", 6) == 0) {
         printf("no key\n");
@@ -157,17 +165,34 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
     reqst->second_round_trip = TRUE;
 
     indstr = (st->indicators != NULL) ? st->indicators : "";
-    list = k5calloc(2, sizeof(*list), &ret);
-    assert(!ret);
-    pa = k5alloc(sizeof(*pa), &ret);
-    assert(!ret);
-    pa->pa_type = TEST_PA_TYPE;
-    pa->contents = (uint8_t *)strdup(indstr);
-    assert(pa->contents != NULL);
-    pa->length = strlen(indstr);
-    list[0] = pa;
-    list[1] = NULL;
-    *out_pa_data = list;
+    *out_pa_data = make_pa_list(indstr, strlen(indstr));
+    return 0;
+}
+
+static krb5_error_code
+test_tryagain(krb5_context context, krb5_clpreauth_moddata moddata,
+              krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
+              krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
+              krb5_kdc_req *request, krb5_data *enc_req, krb5_data *enc_prev,
+              krb5_preauthtype pa_type, krb5_error *error,
+              krb5_pa_data **padata, krb5_prompter_fct prompter,
+              void *prompter_data, krb5_pa_data ***padata_out)
+{
+    struct client_state *st = (struct client_state *)moddata;
+    int i;
+
+    *padata_out = NULL;
+    if (st->fail_tryagain) {
+        k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced tryagain fail");
+        return KRB5_PREAUTH_FAILED;
+    }
+    if (error->error != KDC_ERR_ENCTYPE_NOSUPP)
+        return KRB5_PREAUTH_FAILED;
+    for (i = 0; padata[i] != NULL; i++) {
+        if (padata[i]->pa_type == TEST_PA_TYPE)
+            printf("tryagain: %.*s\n", padata[i]->length, padata[i]->contents);
+    }
+    *padata_out = make_pa_list("tryagain", 8);
     return 0;
 }
 
@@ -181,6 +206,12 @@ test_gic_opt(krb5_context kcontext, krb5_clpreauth_moddata moddata,
         free(st->indicators);
         st->indicators = strdup(value);
         assert(st->indicators != NULL);
+    } else if (strcmp(attr, "fail_optimistic") == 0) {
+        st->fail_optimistic = TRUE;
+    } else if (strcmp(attr, "fail_2rt") == 0) {
+        st->fail_2rt = TRUE;
+    } else if (strcmp(attr, "fail_tryagain") == 0) {
+        st->fail_tryagain = TRUE;
     }
     return 0;
 }
@@ -205,6 +236,7 @@ clpreauth_test_initvt(krb5_context context, int maj_ver,
     vt->request_init = test_request_init;
     vt->request_fini = test_request_fini;
     vt->process = test_process;
+    vt->tryagain = test_tryagain;
     vt->gic_opts = test_gic_opt;
     return 0;
 }
diff --git a/src/plugins/preauth/test/common.c b/src/plugins/preauth/test/common.c
new file mode 100644
index 000000000000..4d1f49dfafc5
--- /dev/null
+++ b/src/plugins/preauth/test/common.c
@@ -0,0 +1,61 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/preauth/test/common.c - common functions for test preauth module */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "common.h"
+
+krb5_pa_data *
+make_pa(const char *contents, size_t len)
+{
+    krb5_error_code ret;
+    krb5_pa_data *pa;
+
+    pa = calloc(1, sizeof(*pa));
+    assert(pa != NULL);
+    pa->pa_type = TEST_PA_TYPE;
+    pa->contents = k5memdup(contents, len, &ret);
+    assert(!ret);
+    pa->length = len;
+    return pa;
+}
+
+/* Make a one-element padata list of type TEST_PA_TYPE. */
+krb5_pa_data **
+make_pa_list(const char *contents, size_t len)
+{
+    krb5_pa_data **list;
+
+    list = calloc(2, sizeof(*list));
+    assert(list != NULL);
+    list[0] = make_pa(contents, len);
+    return list;
+}
diff --git a/src/plugins/preauth/test/common.h b/src/plugins/preauth/test/common.h
new file mode 100644
index 000000000000..b748e0874bc6
--- /dev/null
+++ b/src/plugins/preauth/test/common.h
@@ -0,0 +1,41 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/preauth/test/common.h - Declarations for test preauth module */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef COMMON_H
+#define COMMON_H
+
+#define TEST_PA_TYPE -123
+
+krb5_pa_data *make_pa(const char *contents, size_t len);
+krb5_pa_data **make_pa_list(const char *contents, size_t len);
+
+#endif /* COMMON_H */
diff --git a/src/plugins/preauth/test/deps b/src/plugins/preauth/test/deps
index b48f0003261c..b1429e9e15f5 100644
--- a/src/plugins/preauth/test/deps
+++ b/src/plugins/preauth/test/deps
@@ -11,7 +11,7 @@ cltest.so cltest.po $(OUTPRE)cltest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
   $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  cltest.c
+  cltest.c common.h
 kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -22,4 +22,14 @@ kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h
   $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
   $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  kdctest.c
+  common.h kdctest.c
+common.so common.po $(OUTPRE)common.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h common.c common.h
diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c
index 026dc680dc07..66b77969a3d0 100644
--- a/src/plugins/preauth/test/kdctest.c
+++ b/src/plugins/preauth/test/kdctest.c
@@ -1,7 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /* plugins/preauth/test/kdctest.c - Test kdcpreauth module */
 /*
- * Copyright (C) 2015 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40,10 +40,20 @@
  *   key; the encrypted message "no attr" is sent if there is no string
  *   attribute.)  It also sets a cookie containing "method-data".
  *
- * - It retrieves the "2rt" attribute from the client principal.  If set, the
- *   verify method sends the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
- *   with the contents of the 2rt attribute as pa-data, and sets a cookie
- *   containing "more".
+ * - If the "err" attribute is set on the client principal, the verify method
+ *   returns an KDC_ERR_ETYPE_NOSUPP error on the first try, with the contents
+ *   of the err attribute as pa-data.  If the client tries again with the
+ *   padata value "tryagain", the verify method preuthenticates successfully
+ *   with no additional processing.
+ *
+ * - If the "failopt" attribute is set on the client principal, the verify
+ *   method returns KDC_ERR_PREAUTH_FAILED on optimistic preauth attempts.
+ *
+ * - If the "2rt" attribute is set on client principal, the verify method sends
+ *   the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with the contents of
+ *   the 2rt attribute as pa-data, and sets a cookie containing "more".  If the
+ *   "fail2rt" attribute is set on the client principal, the client's second
+ *   try results in a KDC_ERR_PREAUTH_FAILED error.
  *
  * - It receives a space-separated list from the clpreauth module and asserts
  *   each string as an authentication indicator.  It always succeeds in
@@ -52,6 +62,7 @@
 
 #include "k5-int.h"
 #include <krb5/kdcpreauth_plugin.h>
+#include "common.h"
 
 #define TEST_PA_TYPE -123
 
@@ -73,11 +84,6 @@ test_edata(krb5_context context, krb5_kdc_req *req,
 
     ret = cb->get_string(context, rock, "teststring", &attr);
     assert(!ret);
-    pa = k5alloc(sizeof(*pa), &ret);
-    assert(!ret);
-    if (pa == NULL)
-        abort();
-    pa->pa_type = TEST_PA_TYPE;
     if (k != NULL) {
         d = string2data((attr != NULL) ? attr : "no attr");
         ret = krb5_c_encrypt_length(context, k->enctype, d.length, &enclen);
@@ -86,12 +92,10 @@ test_edata(krb5_context context, krb5_kdc_req *req,
         assert(!ret);
         ret = krb5_c_encrypt(context, k, 1024, NULL, &d, &enc);
         assert(!ret);
-        pa->contents = (uint8_t *)enc.ciphertext.data;
-        pa->length = enc.ciphertext.length;
+        pa = make_pa(enc.ciphertext.data, enc.ciphertext.length);
+        free(enc.ciphertext.data);
     } else {
-        pa->contents = (uint8_t *)strdup("no key");
-        assert(pa->contents != NULL);
-        pa->length = 6;
+        pa = make_pa("no key", 6);
     }
 
     /* Exercise setting a cookie information from the edata method. */
@@ -111,12 +115,19 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
             krb5_kdcpreauth_verify_respond_fn respond, void *arg)
 {
     krb5_error_code ret;
-    krb5_boolean second_round_trip = FALSE;
-    krb5_pa_data **list;
+    krb5_boolean second_round_trip = FALSE, optimistic = FALSE;
+    krb5_pa_data **list = NULL;
     krb5_data cookie_data, d;
-    char *str, *ind, *attr, *toksave = NULL;
+    char *str, *ind, *toksave = NULL;
+    char *attr_err, *attr_2rt, *attr_fail2rt, *attr_failopt;
 
-    ret = cb->get_string(context, rock, "2rt", &attr);
+    ret = cb->get_string(context, rock, "err", &attr_err);
+    assert(!ret);
+    ret = cb->get_string(context, rock, "2rt", &attr_2rt);
+    assert(!ret);
+    ret = cb->get_string(context, rock, "fail2rt", &attr_fail2rt);
+    assert(!ret);
+    ret = cb->get_string(context, rock, "failopt", &attr_failopt);
     assert(!ret);
 
     /* Check the incoming cookie value. */
@@ -124,13 +135,36 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         /* Make sure we are seeing optimistic preauth and not a lost cookie. */
         d = make_data(data->contents, data->length);
         assert(data_eq_string(d, "optimistic"));
+        optimistic = TRUE;
     } else if (data_eq_string(cookie_data, "more")) {
         second_round_trip = TRUE;
     } else {
-        assert(data_eq_string(cookie_data, "method-data"));
+        assert(data_eq_string(cookie_data, "method-data") ||
+               data_eq_string(cookie_data, "err"));
     }
 
-    if (attr == NULL || second_round_trip) {
+    if (attr_err != NULL) {
+        d = make_data(data->contents, data->length);
+        if (data_eq_string(d, "tryagain")) {
+            /* Authenticate successfully. */
+            enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
+        } else {
+            d = string2data("err");
+            ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
+            assert(!ret);
+            ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+            list = make_pa_list(attr_err, strlen(attr_err));
+        }
+    } else if (attr_2rt != NULL && !second_round_trip) {
+        d = string2data("more");
+        ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
+        assert(!ret);
+        ret = KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED;
+        list = make_pa_list(attr_2rt, strlen(attr_2rt));
+    } else if ((attr_fail2rt != NULL && second_round_trip) ||
+               (attr_failopt != NULL && optimistic)) {
+        ret = KRB5KDC_ERR_PREAUTH_FAILED;
+    } else {
         /* Parse and assert the indicators. */
         str = k5memdup0(data->contents, data->length, &ret);
         if (ret)
@@ -142,21 +176,13 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         }
         free(str);
         enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
-        cb->free_string(context, rock, attr);
-        (*respond)(arg, 0, NULL, NULL, NULL);
-    } else {
-        d = string2data("more");
-        ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d);
-        list = k5calloc(2, sizeof(*list), &ret);
-        assert(!ret);
-        list[0] = k5alloc(sizeof(*list[0]), &ret);
-        assert(!ret);
-        list[0]->pa_type = TEST_PA_TYPE;
-        list[0]->contents = (uint8_t *)attr;
-        list[0]->length = strlen(attr);
-        (*respond)(arg, KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, NULL, list,
-                   NULL);
     }
+
+    cb->free_string(context, rock, attr_err);
+    cb->free_string(context, rock, attr_2rt);
+    cb->free_string(context, rock, attr_fail2rt);
+    cb->free_string(context, rock, attr_failopt);
+    (*respond)(arg, ret, NULL, list, NULL);
 }
 
 static krb5_error_code
diff --git a/src/po/Makefile.in b/src/po/Makefile.in
index fdaf872a1605..6753447dc7bd 100644
--- a/src/po/Makefile.in
+++ b/src/po/Makefile.in
@@ -18,7 +18,7 @@ ETSRCS=	$(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \
 	$(BUILDTOP)/lib/krb5/error_tables/kv5m_err.c \
 	$(BUILDTOP)/lib/krb5/error_tables/krb524_err.c
 # This is a placeholder until we have an actual translation.
-CATALOGS=en_US.mo
+CATALOGS=en_US.mo de.mo
 
 .SUFFIXES: .po .mo
 .po.mo:
diff --git a/src/po/de.po b/src/po/de.po
new file mode 100644
index 000000000000..2144d7833c0e
--- /dev/null
+++ b/src/po/de.po
@@ -0,0 +1,9301 @@
+# German translation of mit-krb5.
+# This file is distributed under the same license as the mit-krb5 package.
+# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology.
+# Copyright (C) of this file 2014-2016 Chris Leick <c.leick@vollbio.de>.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: mit-krb5 13.2\n"
+"Report-Msgid-Bugs-To: krbdev@mit.edu\n"
+"POT-Creation-Date: 2015-05-06 14:59-0400\n"
+"PO-Revision-Date: 2016-04-07 08:15+0200\n"
+"Last-Translator: Chris Leick <c.leick@vollbio.de>\n"
+"Language-Team: German <debian-l10n-german@lists.debian.org>\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:62
+#, c-format
+msgid "Usage: %s [-A] [-q] [-c cache_name]\n"
+msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:63
+#, c-format
+msgid "\t-A destroy all credential caches in collection\n"
+msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:64
+#, c-format
+msgid "\t-q quiet mode\n"
+msgstr "\t-q stiller Modus\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:65
+#: ../../src/clients/kswitch/kswitch.c:45
+#, c-format
+msgid "\t-c specify name of credentials cache\n"
+msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:98
+#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284
+#, c-format
+msgid "Only one -c option allowed\n"
+msgstr "Nur eine »-c«-Option ist erlaubt.\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:105
+#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182
+#, c-format
+msgid "Kerberos 4 is no longer supported\n"
+msgstr "Kerberos 4 wird nicht mehr unterstützt.\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:126
+#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131
+#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97
+#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926
+#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052
+msgid "while initializing krb5"
+msgstr "beim Initialisieren von Krb5"
+
+#: ../../src/clients/kdestroy/kdestroy.c:133
+msgid "while listing credential caches"
+msgstr "beim Auflisten der Anmeldedatenzwischenspeicher"
+
+#: ../../src/clients/kdestroy/kdestroy.c:140
+msgid "composing ccache name"
+msgstr "Ccache-Name wird zusammengesetzt."
+
+#: ../../src/clients/kdestroy/kdestroy.c:145
+#, c-format
+msgid "while destroying cache %s"
+msgstr "beim Zerstören des Zwischenspeichers %s"
+
+#: ../../src/clients/kdestroy/kdestroy.c:157
+#: ../../src/clients/kswitch/kswitch.c:104
+#, c-format
+msgid "while resolving %s"
+msgstr "beim Auflösen von %s"
+
+#: ../../src/clients/kdestroy/kdestroy.c:163
+#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460
+msgid "while getting default ccache"
+msgstr "beim Holen des Standard-Ccaches"
+
+#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986
+msgid "while destroying cache"
+msgstr "beim Zerstören des Zwischenspeichers"
+
+#: ../../src/clients/kdestroy/kdestroy.c:173
+#, c-format
+msgid "Ticket cache NOT destroyed!\n"
+msgstr "Ticketzwischenspeicher NICHT vernichtet!\n"
+
+#: ../../src/clients/kdestroy/kdestroy.c:175
+#, c-format
+msgid "Ticket cache %cNOT%c destroyed!\n"
+msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n"
+
+#: ../../src/clients/kinit/kinit.c:213
+#, c-format
+msgid "\t-V verbose\n"
+msgstr "\t-V detaillierte Ausgabe\n"
+
+#: ../../src/clients/kinit/kinit.c:214
+#, c-format
+msgid "\t-l lifetime\n"
+msgstr "\t-l Lebensdauer\n"
+
+#: ../../src/clients/kinit/kinit.c:215
+#, c-format
+msgid "\t-s start time\n"
+msgstr "\t-s Startzeit\n"
+
+#: ../../src/clients/kinit/kinit.c:216
+#, c-format
+msgid "\t-r renewable lifetime\n"
+msgstr "\t-r verlängerbare Lebensdauer\n"
+
+#: ../../src/clients/kinit/kinit.c:217
+#, c-format
+msgid "\t-f forwardable\n"
+msgstr "\t-f weiterleitbar\n"
+
+#: ../../src/clients/kinit/kinit.c:218
+#, c-format
+msgid "\t-F not forwardable\n"
+msgstr "\t-F nicht weiterleitbar\n"
+
+#: ../../src/clients/kinit/kinit.c:219
+#, c-format
+msgid "\t-p proxiable\n"
+msgstr "\t-p Proxy nutzbar\n"
+
+#: ../../src/clients/kinit/kinit.c:220
+#, c-format
+msgid "\t-P not proxiable\n"
+msgstr "\t-P Proxy nicht nutzbar\n"
+
+#: ../../src/clients/kinit/kinit.c:221
+#, c-format
+msgid "\t-n anonymous\n"
+msgstr "\t-n anonym\n"
+
+#: ../../src/clients/kinit/kinit.c:222
+#, c-format
+msgid "\t-a include addresses\n"
+msgstr "\t-a bezieht Adressen ein.\n"
+
+#: ../../src/clients/kinit/kinit.c:223
+#, c-format
+msgid "\t-A do not include addresses\n"
+msgstr "\t-a bezieht Adressen nicht ein.\n"
+
+#: ../../src/clients/kinit/kinit.c:224
+#, c-format
+msgid "\t-v validate\n"
+msgstr "\t-v überprüft\n"
+
+#: ../../src/clients/kinit/kinit.c:225
+#, c-format
+msgid "\t-R renew\n"
+msgstr "\t-R erneuert\n"
+
+#: ../../src/clients/kinit/kinit.c:226
+#, c-format
+msgid "\t-C canonicalize\n"
+msgstr "\t-C bringt in Normalform\n"
+
+#: ../../src/clients/kinit/kinit.c:227
+#, c-format
+msgid "\t-E client is enterprise principal name\n"
+msgstr "\t-E Client ist der Principal-Name des Unternehmens\n"
+
+#: ../../src/clients/kinit/kinit.c:228
+#, c-format
+msgid "\t-k use keytab\n"
+msgstr "\t-k verwendet Schlüsseltabelle\n"
+
+#: ../../src/clients/kinit/kinit.c:229
+#, c-format
+msgid "\t-i use default client keytab (with -k)\n"
+msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n"
+
+#: ../../src/clients/kinit/kinit.c:230
+#, c-format
+msgid "\t-t filename of keytab to use\n"
+msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n"
+
+#: ../../src/clients/kinit/kinit.c:231
+#, c-format
+msgid "\t-c Kerberos 5 cache name\n"
+msgstr "\t-c Kerberos-5-Zwischenspeichername\n"
+
+#: ../../src/clients/kinit/kinit.c:232
+#, c-format
+msgid "\t-S service\n"
+msgstr "\t-S Dienst\n"
+
+#: ../../src/clients/kinit/kinit.c:233
+#, c-format
+msgid "\t-T armor credential cache\n"
+msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n"
+
+#: ../../src/clients/kinit/kinit.c:234
+#, c-format
+msgid "\t-X <attribute>[=<value>]\n"
+msgstr "\t-X <Attribut>[=<Wert>]\n"
+
+#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309
+#, c-format
+msgid "Bad lifetime value %s\n"
+msgstr "falscher Wert für die Lebensdauer %s\n"
+
+#: ../../src/clients/kinit/kinit.c:343
+#, c-format
+msgid "Bad start time value %s\n"
+msgstr "falscher Wert für die Startzeit %s\n"
+
+#: ../../src/clients/kinit/kinit.c:362
+#, c-format
+msgid "Only one -t option allowed.\n"
+msgstr "Nur eine -t-Option ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:370
+#, c-format
+msgid "Only one armor_ccache\n"
+msgstr "nur ein gehärteter Ccache\n"
+
+#: ../../src/clients/kinit/kinit.c:391
+#, c-format
+msgid "Only one -I option allowed\n"
+msgstr "Nur eine -I-Option ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:401
+msgid "while adding preauth option"
+msgstr "beim Hinzufügen der Option »preauth«"
+
+#: ../../src/clients/kinit/kinit.c:425
+#, c-format
+msgid "Only one of -f and -F allowed\n"
+msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:430
+#, c-format
+msgid "Only one of -p and -P allowed\n"
+msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:435
+#, c-format
+msgid "Only one of -a and -A allowed\n"
+msgstr "Nur eine der Optionen -a und -A ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:440
+#, c-format
+msgid "Only one of -t and -i allowed\n"
+msgstr "Nur eine der Optionen -t und-i ist erlaubt.\n"
+
+#: ../../src/clients/kinit/kinit.c:447
+#, c-format
+msgid "keytab specified, forcing -k\n"
+msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n"
+
+#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221
+#, c-format
+msgid "Extra arguments (starting with \"%s\").\n"
+msgstr "zusätzliche Argumente (beginnend mit »%s«)\n"
+
+#: ../../src/clients/kinit/kinit.c:480
+msgid "while initializing Kerberos 5 library"
+msgstr "beim Initialisieren der Kerberos-5-Bibliothek"
+
+#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644
+#, c-format
+msgid "resolving ccache %s"
+msgstr "Ccache %s wird ermittelt"
+
+#: ../../src/clients/kinit/kinit.c:493
+#, c-format
+msgid "Using specified cache: %s\n"
+msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595
+#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238
+#, c-format
+msgid "when parsing name %s"
+msgstr "wenn der Name %s ausgewertet wird"
+
+#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391
+#: ../../src/slave/kprop.c:203
+msgid "while getting default realm"
+msgstr "beim Holen des Standard-Realms"
+
+#: ../../src/clients/kinit/kinit.c:535
+msgid "while building principal"
+msgstr "beim Erstellen des Principals"
+
+#: ../../src/clients/kinit/kinit.c:543
+msgid "When resolving the default client keytab"
+msgstr "beim Auflösen der Standardschlüsseltabelle des Clients"
+
+#: ../../src/clients/kinit/kinit.c:550
+msgid "When determining client principal name from keytab"
+msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle"
+
+#: ../../src/clients/kinit/kinit.c:559
+msgid "when creating default server principal name"
+msgstr "wenn der Standard-Principal-Name des Servers erstellt wird"
+
+#: ../../src/clients/kinit/kinit.c:566
+#, c-format
+msgid "(principal %s)"
+msgstr "(Principal %s)"
+
+#: ../../src/clients/kinit/kinit.c:569
+msgid "for local services"
+msgstr "für lokale Dienste"
+
+#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42
+#, c-format
+msgid "Unable to identify user\n"
+msgstr "Benutzer kann nicht identifiziert werden\n"
+
+#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116
+#, c-format
+msgid "while searching for ccache for %s"
+msgstr "beim Suchen nach Ccache für %s"
+
+#: ../../src/clients/kinit/kinit.c:611
+#, c-format
+msgid "Using existing cache: %s\n"
+msgstr "Existierender Zwischenspeicher wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:620
+msgid "while generating new ccache"
+msgstr "beim Erstellen von neuem Ccache"
+
+#: ../../src/clients/kinit/kinit.c:624
+#, c-format
+msgid "Using new cache: %s\n"
+msgstr "Neuer Zwischenspeicher wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:636
+#, c-format
+msgid "Using default cache: %s\n"
+msgstr "Standardzwischenspeicher wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:649
+#, c-format
+msgid "Using specified input cache: %s\n"
+msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160
+msgid "when unparsing name"
+msgstr "beim Rückgängigmachen der Auswertung des Namens"
+
+#: ../../src/clients/kinit/kinit.c:661
+#, c-format
+msgid "Using principal: %s\n"
+msgstr "verwendeter Principal: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:752
+msgid "getting local addresses"
+msgstr "Lokale Adressen werden geholt."
+
+#: ../../src/clients/kinit/kinit.c:771
+#, c-format
+msgid "while setting up KDB keytab for realm %s"
+msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s"
+
+#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201
+#, c-format
+msgid "resolving keytab %s"
+msgstr "Schlüsseltabelle wird ermittelt: %s"
+
+#: ../../src/clients/kinit/kinit.c:785
+#, c-format
+msgid "Using keytab: %s\n"
+msgstr "Schlüsseltabelle wird verwendet: %s\n"
+
+#: ../../src/clients/kinit/kinit.c:789
+msgid "resolving default client keytab"
+msgstr "Standardschlüsseltabelle des Clients wird ermittelt."
+
+#: ../../src/clients/kinit/kinit.c:799
+#, c-format
+msgid "while setting '%s'='%s'"
+msgstr "beim Setzen von »%s«=»%s«"
+
+#: ../../src/clients/kinit/kinit.c:804
+#, c-format
+msgid "PA Option %s = %s\n"
+msgstr "PA-Option %s = %s\n"
+
+#: ../../src/clients/kinit/kinit.c:849
+msgid "getting initial credentials"
+msgstr "Anfängliche Anmeldedaten werden geholt."
+
+#: ../../src/clients/kinit/kinit.c:852
+msgid "validating credentials"
+msgstr "Anmeldedaten werden geprüft."
+
+#: ../../src/clients/kinit/kinit.c:855
+msgid "renewing credentials"
+msgstr "Anmeldedaten werden erneuert."
+
+#: ../../src/clients/kinit/kinit.c:860
+#, c-format
+msgid "%s: Password incorrect while %s\n"
+msgstr "%s: Passwort bei %s falsch\n"
+
+#: ../../src/clients/kinit/kinit.c:863
+#, c-format
+msgid "while %s"
+msgstr "bei %s"
+
+#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224
+#, c-format
+msgid "when initializing cache %s"
+msgstr "beim Initialisieren des Zwischenspeichers %s"
+
+#: ../../src/clients/kinit/kinit.c:876
+#, c-format
+msgid "Initialized cache\n"
+msgstr "initialisierter Zwischenspeicher\n"
+
+#: ../../src/clients/kinit/kinit.c:880
+msgid "while storing credentials"
+msgstr "beim Speichern der Anmeldedaten"
+
+#: ../../src/clients/kinit/kinit.c:884
+#, c-format
+msgid "Stored credentials\n"
+msgstr "gespeicherte Anmeldedaten\n"
+
+#: ../../src/clients/kinit/kinit.c:891
+msgid "while switching to new ccache"
+msgstr "beim Wechsel zum neuen Ccache"
+
+#: ../../src/clients/kinit/kinit.c:946
+#, c-format
+msgid "Authenticated to Kerberos v5\n"
+msgstr "Authentifiziert für Kerberos v5\n"
+
+#: ../../src/clients/klist/klist.c:91
+#, c-format
+msgid ""
+"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] "
+"[name]\n"
+msgstr ""
+"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-"
+"K]] [Name]\n"
+
+#: ../../src/clients/klist/klist.c:93
+#, c-format
+msgid "\t-c specifies credentials cache\n"
+msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n"
+
+#: ../../src/clients/klist/klist.c:94
+#, c-format
+msgid "\t-k specifies keytab\n"
+msgstr "\t-k gibt die Schlüsseltabelle an.\n"
+
+#: ../../src/clients/klist/klist.c:95
+#, c-format
+msgid "\t   (Default is credentials cache)\n"
+msgstr "\t   (Voreinstellung ist Anmeldedatenzwischenspeicher)\n"
+
+#: ../../src/clients/klist/klist.c:96
+#, c-format
+msgid "\t-i uses default client keytab if no name given\n"
+msgstr ""
+"\t-i verwendet die Standardschlüsseltabelle des Clients, falls kein Name "
+"angegeben wurde.\n"
+
+#: ../../src/clients/klist/klist.c:97
+#, c-format
+msgid "\t-l lists credential caches in collection\n"
+msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n"
+
+#: ../../src/clients/klist/klist.c:98
+#, c-format
+msgid "\t-A shows content of all credential caches\n"
+msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n"
+
+#: ../../src/clients/klist/klist.c:99
+#, c-format
+msgid "\t-e shows the encryption type\n"
+msgstr "\t-e zeigt den Verschlüsselungstyp.\n"
+
+#: ../../src/clients/klist/klist.c:100
+#, c-format
+msgid "\t-V shows the Kerberos version and exits\n"
+msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n"
+
+#: ../../src/clients/klist/klist.c:101
+#, c-format
+msgid "\toptions for credential caches:\n"
+msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n"
+
+#: ../../src/clients/klist/klist.c:102
+#, c-format
+msgid "\t\t-d shows the submitted authorization data types\n"
+msgstr "\t\t-d zeigt die übertragenen Autorisierungsdatentypen.\n"
+
+#: ../../src/clients/klist/klist.c:104
+#, c-format
+msgid "\t\t-f shows credentials flags\n"
+msgstr "t\t-f zeigt die Anmeldedatenschalter.\n"
+
+#: ../../src/clients/klist/klist.c:105
+#, c-format
+msgid "\t\t-s sets exit status based on valid tgt existence\n"
+msgstr ""
+"\t\t-s setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n"
+
+#: ../../src/clients/klist/klist.c:107
+#, c-format
+msgid "\t\t-a displays the address list\n"
+msgstr "\t\t-a zeigt die Adressliste.\n"
+
+#: ../../src/clients/klist/klist.c:108
+#, c-format
+msgid "\t\t\t-n do not reverse-resolve\n"
+msgstr "\t\t\t-n löst nicht rückwärts auf.\n"
+
+#: ../../src/clients/klist/klist.c:109
+#, c-format
+msgid "\toptions for keytabs:\n"
+msgstr "\tOptionen für Schlüsseltabellen:\n"
+
+#: ../../src/clients/klist/klist.c:110
+#, c-format
+msgid "\t\t-t shows keytab entry timestamps\n"
+msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n"
+
+#: ../../src/clients/klist/klist.c:111
+#, c-format
+msgid "\t\t-K shows keytab entry keys\n"
+msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n"
+
+#: ../../src/clients/klist/klist.c:230
+#, c-format
+msgid "%s version %s\n"
+msgstr "%s Version %s\n"
+
+#: ../../src/clients/klist/klist.c:282
+msgid "while getting default client keytab"
+msgstr "beim Holen der Standardschlüsseltabelle des Clients"
+
+#: ../../src/clients/klist/klist.c:287
+msgid "while getting default keytab"
+msgstr "beim Holen der Standardschlüsseltabelle"
+
+#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108
+#, c-format
+msgid "while resolving keytab %s"
+msgstr "beim Ermitteln der Schlüsseltabelle %s"
+
+#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92
+msgid "while getting keytab name"
+msgstr "beim Holen des Schlüsseltabellennamens"
+
+#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399
+msgid "while starting keytab scan"
+msgstr "beim Start des Schlüsseltabellen-Scans"
+
+#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500
+#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550
+msgid "while unparsing principal name"
+msgstr "beim Rückgängigmachen des Auswertens des Principal-Namens"
+
+#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443
+msgid "while scanning keytab"
+msgstr "beim Scannen der Schlüsseltabelle"
+
+#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448
+msgid "while ending keytab scan"
+msgstr "beim Beenden des Schlüsseltabellen-Scans"
+
+#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434
+msgid "while listing ccache collection"
+msgstr "beim Aufführen der Ccache-Sammlung"
+
+#: ../../src/clients/klist/klist.c:411
+msgid "(Expired)"
+msgstr "(abgelaufen)"
+
+#: ../../src/clients/klist/klist.c:466
+#, c-format
+msgid "while resolving ccache %s"
+msgstr "beim Ermitteln des Ccaches %s"
+
+#: ../../src/clients/klist/klist.c:504
+#, c-format
+msgid ""
+"Ticket cache: %s:%s\n"
+"Default principal: %s\n"
+"\n"
+msgstr ""
+"Ticketzwischenspeicher: %s:%s\n"
+"Standard-Principal: %s\n"
+"\n"
+
+#: ../../src/clients/klist/klist.c:518
+msgid "while starting to retrieve tickets"
+msgstr "während das Abfragen der Tickets beginnt"
+
+#: ../../src/clients/klist/klist.c:539
+msgid "while finishing ticket retrieval"
+msgstr "während das Abfragem der Tickets endet"
+
+#: ../../src/clients/klist/klist.c:545
+msgid "while closing ccache"
+msgstr "beim Schließen des Ccaches"
+
+#: ../../src/clients/klist/klist.c:555
+msgid "while retrieving a ticket"
+msgstr "beim Abfragen eines Tickets"
+
+#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450
+#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285
+msgid "while unparsing client name"
+msgstr "beim Rückgängigmachen des Auswertens des Client-Namens"
+
+#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455
+#: ../../src/slave/kprop.c:240
+msgid "while unparsing server name"
+msgstr "beim Rückgängigmachen des Auswertens des Server-Namens"
+
+#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480
+#, c-format
+msgid "\tfor client %s"
+msgstr "\tfür Client %s"
+
+#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489
+msgid "renew until "
+msgstr "erneuern bis "
+
+#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499
+#, c-format
+msgid "Flags: %s"
+msgstr "Schalter: %s"
+
+#: ../../src/clients/klist/klist.c:749
+#, c-format
+msgid "Etype (skey, tkt): %s, "
+msgstr "Etype (Skey, TKT): %s, "
+
+#: ../../src/clients/klist/klist.c:766
+#, c-format
+msgid "AD types: "
+msgstr "AD-Typen"
+
+#: ../../src/clients/klist/klist.c:783
+#, c-format
+msgid "\tAddresses: (none)\n"
+msgstr "\tAdressen: (keine)\n"
+
+#: ../../src/clients/klist/klist.c:785
+#, c-format
+msgid "\tAddresses: "
+msgstr "\tAdressen: "
+
+#: ../../src/clients/klist/klist.c:818
+#, c-format
+msgid "broken address (type %d length %d)"
+msgstr "kaputte Adresse (Typ %d Länge %d)"
+
+#: ../../src/clients/klist/klist.c:838
+#, c-format
+msgid "unknown addrtype %d"
+msgstr "unbekannter »addrtype« %d"
+
+#: ../../src/clients/klist/klist.c:847
+#, c-format
+msgid "unprintable address (type %d, error %d %s)"
+msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)"
+
+#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396
+msgid "Enter new password"
+msgstr "Geben Sie ein neues Passwort ein."
+
+#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404
+msgid "Enter it again"
+msgstr "Geben Sie es erneut ein."
+
+#: ../../src/clients/kpasswd/kpasswd.c:33
+#, c-format
+msgid "Unable to identify user from password file\n"
+msgstr ""
+"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n"
+
+#: ../../src/clients/kpasswd/kpasswd.c:65
+#, c-format
+msgid "usage: %s [principal]\n"
+msgstr "Aufruf: %s [Principal]\n"
+
+#: ../../src/clients/kpasswd/kpasswd.c:73
+msgid "initializing kerberos library"
+msgstr "Kerberos-Bibliothek wird initialisiert."
+
+#: ../../src/clients/kpasswd/kpasswd.c:77
+msgid "allocating krb5_get_init_creds_opt"
+msgstr "krb5_get_init_creds_opt wird reserviert."
+
+#: ../../src/clients/kpasswd/kpasswd.c:92
+msgid "opening default ccache"
+msgstr "Standard-Ccache wird geöffnet."
+
+#: ../../src/clients/kpasswd/kpasswd.c:97
+msgid "getting principal from ccache"
+msgstr "Principal wird vom Ccache geholt."
+
+#: ../../src/clients/kpasswd/kpasswd.c:104
+msgid "while setting FAST ccache"
+msgstr "beim Setzen des FAST-Ccaches"
+
+#: ../../src/clients/kpasswd/kpasswd.c:111
+msgid "closing ccache"
+msgstr "Ccache wird geschlossen."
+
+#: ../../src/clients/kpasswd/kpasswd.c:118
+msgid "parsing client name"
+msgstr "Client-Name wird ausgewertet."
+
+#: ../../src/clients/kpasswd/kpasswd.c:135
+msgid "Password incorrect while getting initial ticket"
+msgstr "Passwort beim Holen des anfänglichen Tickets falsch"
+
+#: ../../src/clients/kpasswd/kpasswd.c:137
+msgid "getting initial ticket"
+msgstr "Anfängliches Ticket wird geholt."
+
+#: ../../src/clients/kpasswd/kpasswd.c:144
+msgid "while reading password"
+msgstr "beim Lesen des Passworts"
+
+#: ../../src/clients/kpasswd/kpasswd.c:152
+msgid "changing password"
+msgstr "Passwort wird geändert."
+
+#: ../../src/clients/kpasswd/kpasswd.c:174
+#: ../lib/kadm5/chpass_util_strings.c:30
+#, c-format
+msgid "Password changed.\n"
+msgstr "Passwort geändert\n"
+
+#: ../../src/clients/ksu/authorization.c:369
+#, c-format
+msgid ""
+"Error: bad entry - %s in %s file, must be either full path or just the cmd "
+"name\n"
+msgstr ""
+"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger "
+"Pfad oder nur ein Befehlsname sein.\n"
+
+#: ../../src/clients/ksu/authorization.c:377
+#, c-format
+msgid ""
+"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH "
+"must be defined \n"
+msgstr ""
+"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, "
+"muss CMD_PATH definiert sein.\n"
+
+#: ../../src/clients/ksu/authorization.c:392
+#, c-format
+msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n"
+msgstr ""
+"Fehler: falscher Eintrag – %s in Datei %s. CMD_PATH enthält keine Pfade.\n"
+
+#: ../../src/clients/ksu/authorization.c:401
+#, c-format
+msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n"
+msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n"
+
+#: ../../src/clients/ksu/authorization.c:517
+msgid "Error: not found -> "
+msgstr "Fehler: nicht gefunden -> "
+
+#: ../../src/clients/ksu/authorization.c:723
+#, c-format
+msgid "home directory name `%s' too long, can't search for .k5login\n"
+msgstr ""
+"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht "
+"möglich\n"
+
+#: ../../src/clients/ksu/ccache.c:368
+#, c-format
+msgid "home directory path for %s too long\n"
+msgstr "Home-Verzeichnispfad für %s zu lang\n"
+
+#: ../../src/clients/ksu/ccache.c:461
+msgid "while retrieving principal name"
+msgstr "beim Abfragen des Principal-Namens"
+
+#: ../../src/clients/ksu/krb_auth_su.c:57
+#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247
+msgid "while copying client principal"
+msgstr "beim Kopieren des Client-Principals"
+
+#: ../../src/clients/ksu/krb_auth_su.c:69
+msgid "while creating tgt for local realm"
+msgstr "beim Erstellen des TGTs für lokalen Realm"
+
+#: ../../src/clients/ksu/krb_auth_su.c:84
+msgid "while retrieving creds from cache"
+msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher"
+
+#: ../../src/clients/ksu/krb_auth_su.c:95
+msgid "while switching to target uid"
+msgstr "beim Umschalten auf die Ziel-UID"
+
+#: ../../src/clients/ksu/krb_auth_su.c:100
+#, c-format
+msgid ""
+"WARNING: Your password may be exposed if you enter it here and are logged \n"
+msgstr ""
+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben "
+"und\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:102
+#, c-format
+msgid "         in remotely using an unsecure (non-encrypted) channel. \n"
+msgstr ""
+"         in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n"
+"         angemeldet sind.\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464
+msgid "while reclaiming root uid"
+msgstr "beim erneuten Beanspruchen der Root-UID"
+
+#: ../../src/clients/ksu/krb_auth_su.c:121
+#, c-format
+msgid "does not have any appropriate tickets in the cache.\n"
+msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:133
+msgid "while verifying ticket for server"
+msgstr "beim Prüfen des Tickets für Server"
+
+#: ../../src/clients/ksu/krb_auth_su.c:167
+msgid "while getting time of day"
+msgstr "beim Holen der Tageszeit"
+
+#: ../../src/clients/ksu/krb_auth_su.c:171
+#, c-format
+msgid "Kerberos password for %s: "
+msgstr "Kerberos-Passwort für %s: "
+
+#: ../../src/clients/ksu/krb_auth_su.c:175
+#, c-format
+msgid "principal name %s too long for internal buffer space\n"
+msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:184
+#, c-format
+msgid "while reading password for '%s'\n"
+msgstr "beim Lesen des Passworts für »%s«\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:191
+#, c-format
+msgid "No password given\n"
+msgstr "kein Passwort angegeben\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:204
+#, c-format
+msgid "%s: Password incorrect\n"
+msgstr "%s: Passwort falsch\n"
+
+#: ../../src/clients/ksu/krb_auth_su.c:206
+msgid "while getting initial credentials"
+msgstr "beim Holen der Anfangsanmeldedaten"
+
+#: ../../src/clients/ksu/krb_auth_su.c:226
+#: ../../src/clients/ksu/krb_auth_su.c:240
+#, c-format
+msgid " %s while unparsing name\n"
+msgstr "%s beim Rückgängigmachen der Namensauswertung\n"
+
+#: ../../src/clients/ksu/main.c:68
+#, c-format
+msgid ""
+"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r "
+"time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a "
+"[args... ] ]\n"
+msgstr ""
+"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-"
+"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente "
+"…] ] [-a [Argumente …] ]\n"
+
+#: ../../src/clients/ksu/main.c:147
+msgid ""
+"program name too long - quitting to avoid triggering system logging bugs"
+msgstr ""
+"Programmname zu lang – wird beendet, um das Auslösen von "
+"Systemprotokollierungsfehlern zu vermeiden"
+
+#: ../../src/clients/ksu/main.c:173
+msgid "while allocating memory"
+msgstr "bei Reservieren von Speicher"
+
+#: ../../src/clients/ksu/main.c:186
+msgid "while setting euid to source user"
+msgstr "beim Setzen der EUID auf dem Quellbenutzer"
+
+#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231
+#, c-format
+msgid "Bad lifetime value (%s hours?)\n"
+msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n"
+
+#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292
+msgid "when gathering parameters"
+msgstr "beim Zusammenstellen der Parameter"
+
+#: ../../src/clients/ksu/main.c:251
+#, c-format
+msgid "-z option is mutually exclusive with -Z.\n"
+msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n"
+
+#: ../../src/clients/ksu/main.c:259
+#, c-format
+msgid "-Z option is mutually exclusive with -z.\n"
+msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n"
+
+#: ../../src/clients/ksu/main.c:272
+#, c-format
+msgid "while looking for credentials cache %s"
+msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s"
+
+#: ../../src/clients/ksu/main.c:278
+#, c-format
+msgid "malformed credential cache name %s\n"
+msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n"
+
+# ksu ist eine Kerberos-Variante von su
+#: ../../src/clients/ksu/main.c:336
+#, c-format
+msgid "ksu: who are you?\n"
+msgstr "ksu: Wer sind Sie?\n"
+
+#: ../../src/clients/ksu/main.c:340
+#, c-format
+msgid "Your uid doesn't match your passwd entry?!\n"
+msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n"
+
+#: ../../src/clients/ksu/main.c:355
+#, c-format
+msgid "ksu: unknown login %s\n"
+msgstr "ksu: unbekannter Anmeldename %s\n"
+
+#: ../../src/clients/ksu/main.c:375
+msgid "while getting source cache"
+msgstr "beim Holen des Quellenzwischenspeichers"
+
+#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194
+msgid "while opening ccache"
+msgstr "beim Öffnen des Ccaches"
+
+#: ../../src/clients/ksu/main.c:389
+msgid "while selecting the best principal"
+msgstr "beim Auswählen des besten Principals"
+
+#: ../../src/clients/ksu/main.c:397
+msgid "while returning to source uid after finding best principal"
+msgstr ""
+"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde"
+
+#: ../../src/clients/ksu/main.c:417
+#, c-format
+msgid "account %s: authorization failed\n"
+msgstr "Konto %s: Autorisierung fehlgeschlagen\n"
+
+#: ../../src/clients/ksu/main.c:442
+msgid "while parsing temporary name"
+msgstr "beim Auswertens des temporären Namens"
+
+#: ../../src/clients/ksu/main.c:447
+msgid "while creating temporary cache"
+msgstr "bei Erstellen des temporären Zwischenspeichers"
+
+#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693
+#, c-format
+msgid "while copying cache %s to %s"
+msgstr "beim Kopieren des Zwischenspeichers %s nach %s"
+
+#: ../../src/clients/ksu/main.c:471
+#, c-format
+msgid ""
+"WARNING: Your password may be exposed if you enter it here and are logged\n"
+msgstr ""
+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben "
+"und\n"
+
+#: ../../src/clients/ksu/main.c:473
+#, c-format
+msgid "         in remotely using an unsecure (non-encrypted) channel.\n"
+msgstr ""
+"         in der Ferne über einen unsicheren (unverschlüsselten) Kanal "
+"angemeldet\n"
+"sind.\n"
+
+#: ../../src/clients/ksu/main.c:479
+#, c-format
+msgid "Goodbye\n"
+msgstr "Auf Wiedersehen\n"
+
+#: ../../src/clients/ksu/main.c:483
+#, c-format
+msgid "Could not get a tgt for "
+msgstr "Es konnte kein TGT geholt werden für "
+
+#: ../../src/clients/ksu/main.c:505
+#, c-format
+msgid "Authentication failed.\n"
+msgstr "Authentifizierung fehlgeschlagen.\n"
+
+#: ../../src/clients/ksu/main.c:513
+msgid "When unparsing name"
+msgstr "beim Rückgängigmachen der Namensauswertung"
+
+#: ../../src/clients/ksu/main.c:517
+#, c-format
+msgid "Authenticated %s\n"
+msgstr "Authentifiziert %s\n"
+
+#: ../../src/clients/ksu/main.c:524
+msgid "while switching to target for authorization check"
+msgstr "beim Wechsel des Ziels der Autorisierungsprüfung"
+
+#: ../../src/clients/ksu/main.c:531
+msgid "while checking authorization"
+msgstr "beim Prüfen der Autorisierung"
+
+#: ../../src/clients/ksu/main.c:537
+msgid "while switching back from target after authorization check"
+msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung"
+
+#: ../../src/clients/ksu/main.c:544
+#, c-format
+msgid "Account %s: authorization for %s for execution of\n"
+msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n"
+
+#: ../../src/clients/ksu/main.c:546
+#, c-format
+msgid "               %s successful\n"
+msgstr "               %s erfolgreich\n"
+
+#: ../../src/clients/ksu/main.c:552
+#, c-format
+msgid "Account %s: authorization for %s successful\n"
+msgstr "Konto %s: Autorisierung für %s erfolgreich\n"
+
+#: ../../src/clients/ksu/main.c:564
+#, c-format
+msgid "Account %s: authorization for %s for execution of %s failed\n"
+msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n"
+
+#: ../../src/clients/ksu/main.c:572
+#, c-format
+msgid "Account %s: authorization of %s failed\n"
+msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n"
+
+#: ../../src/clients/ksu/main.c:587
+msgid "while calling cc_filter"
+msgstr "beim Aufruf von »cc_filter«"
+
+#: ../../src/clients/ksu/main.c:595
+msgid "while erasing target cache"
+msgstr "bei Löschen des Zielzwischenspeichers"
+
+#: ../../src/clients/ksu/main.c:615
+#, c-format
+msgid "ksu: permission denied (shell).\n"
+msgstr "ksu: Zugriff verweigert (Shell)\n"
+
+#: ../../src/clients/ksu/main.c:624
+#, c-format
+msgid "ksu: couldn't set environment variable USER\n"
+msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n"
+
+#: ../../src/clients/ksu/main.c:630
+#, c-format
+msgid "ksu: couldn't set environment variable HOME\n"
+msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n"
+
+#: ../../src/clients/ksu/main.c:635
+#, c-format
+msgid "ksu: couldn't set environment variable SHELL\n"
+msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n"
+
+#: ../../src/clients/ksu/main.c:646
+#, c-format
+msgid "ksu: initgroups failed.\n"
+msgstr "ksu: »initgroups« fehlgeschlagen\n"
+
+#: ../../src/clients/ksu/main.c:651
+#, c-format
+msgid "Leaving uid as %s (%ld)\n"
+msgstr "UID bleibt %s (%ld)\n"
+
+#: ../../src/clients/ksu/main.c:654
+#, c-format
+msgid "Changing uid to %s (%ld)\n"
+msgstr "UID wird zu %s (%ld) geändert\n"
+
+#: ../../src/clients/ksu/main.c:680
+msgid "while getting name of target ccache"
+msgstr "beim Holen des Ziel-Ccache-Namens"
+
+#: ../../src/clients/ksu/main.c:700
+#, c-format
+msgid "%s does not have correct permissions for %s, %s aborted"
+msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen."
+
+#: ../../src/clients/ksu/main.c:721
+#, c-format
+msgid "Internal error: command %s did not get resolved\n"
+msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n"
+
+#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774
+#, c-format
+msgid "while trying to execv %s"
+msgstr "beim Versuch von »execv %s«"
+
+#: ../../src/clients/ksu/main.c:764
+msgid "while calling waitpid"
+msgstr "beim Aufruf von »waitpid«"
+
+#: ../../src/clients/ksu/main.c:769
+msgid "while trying to fork."
+msgstr "beim Versuch zu verzweigen."
+
+#: ../../src/clients/ksu/main.c:791
+msgid "while reading cache name from ccache"
+msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache"
+
+#: ../../src/clients/ksu/main.c:797
+#, c-format
+msgid "ksu: couldn't set environment variable %s\n"
+msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n"
+
+#: ../../src/clients/ksu/main.c:820
+#, c-format
+msgid "while clearing the value of %s"
+msgstr "beim Leeren des Werts von %s"
+
+#: ../../src/clients/ksu/main.c:828
+msgid "while resetting target ccache name"
+msgstr "beim Zurücksetzen des Ziel-Ccache-Namens"
+
+#: ../../src/clients/ksu/main.c:842
+msgid "while determining target ccache name"
+msgstr "beim Bestimmen des Ziel-Ccache-Namens"
+
+#: ../../src/clients/ksu/main.c:881
+msgid "while generating part of the target ccache name"
+msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens"
+
+#: ../../src/clients/ksu/main.c:887
+msgid "while allocating memory for the target ccache name"
+msgstr "beim Reservieren von Speicher für den Ziel-Ccache-Namen"
+
+#: ../../src/clients/ksu/main.c:906
+msgid "while creating new target ccache"
+msgstr "bei Erstellen von neuem Ziel-Ccache"
+
+#: ../../src/clients/ksu/main.c:912
+msgid "while initializing target cache"
+msgstr "beim Initialisieren des Zielzwischenspeichers"
+
+#: ../../src/clients/ksu/main.c:952
+#, c-format
+msgid "terminal name %s too long\n"
+msgstr "Terminal-Name %s ist zu lang.\n"
+
+#: ../../src/clients/ksu/main.c:980
+msgid "while changing to target uid for destroying ccache"
+msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache"
+
+#: ../../src/clients/kswitch/kswitch.c:44
+#, c-format
+msgid "Usage: %s {-c cache_name | -p principal}\n"
+msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n"
+
+#: ../../src/clients/kswitch/kswitch.c:46
+#, c-format
+msgid "\t-p specify name of principal\n"
+msgstr "\t-p gibt den Namen des Principals an.\n"
+
+#: ../../src/clients/kswitch/kswitch.c:69
+#, c-format
+msgid "Only one -c or -p option allowed\n"
+msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n"
+
+#: ../../src/clients/kswitch/kswitch.c:88
+#, c-format
+msgid "One of -c or -p must be specified\n"
+msgstr "Entweder -c oder -p muss angegeben werden.\n"
+
+#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211
+#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350
+#: ../../src/kadmin/dbutil/kdb5_util.c:576
+#, c-format
+msgid "while parsing principal name %s"
+msgstr "beim Auswerten des Principal-Namens %s"
+
+#: ../../src/clients/kswitch/kswitch.c:124
+msgid "while switching to credential cache"
+msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher"
+
+#: ../../src/clients/kvno/kvno.c:46
+#, c-format
+msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n"
+msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n"
+
+#: ../../src/clients/kvno/kvno.c:47
+#, c-format
+msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n"
+msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n"
+
+#: ../../src/clients/kvno/kvno.c:48
+#, c-format
+msgid "\tservice1 service2 ...\n"
+msgstr "\tDienst1 Dienst2 …\n"
+
+#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111
+#, c-format
+msgid "Options -u and -S are mutually exclusive\n"
+msgstr "Die Optionen -u und -S schließen sich gegenseitig aus.\n"
+
+#: ../../src/clients/kvno/kvno.c:126
+#, c-format
+msgid "Option -P (constrained delegation) requires keytab to be specified\n"
+msgstr ""
+"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine "
+"Schlüsseltabelle.\n"
+
+#: ../../src/clients/kvno/kvno.c:130
+#, c-format
+msgid ""
+"Option -P (constrained delegation) requires option -U (protocol transition)\n"
+msgstr ""
+"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U "
+"(Protokollübergang)\n"
+
+#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280
+msgid "while initializing krb5 library"
+msgstr "beim Initialisieren der Krb5-Bibliothek"
+
+#: ../../src/clients/kvno/kvno.c:182
+msgid "while converting etype"
+msgstr "bei der Etype-Umwandlung"
+
+#: ../../src/clients/kvno/kvno.c:218
+msgid "while getting client principal name"
+msgstr "beim Holen des Client-Principal-Namens"
+
+#: ../../src/clients/kvno/kvno.c:256
+#, c-format
+msgid "while formatting parsed principal name for '%s'"
+msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«"
+
+#: ../../src/clients/kvno/kvno.c:267
+msgid "client and server principal names must match"
+msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen."
+
+#: ../../src/clients/kvno/kvno.c:284
+#, c-format
+msgid "while getting credentials for %s"
+msgstr "beim Holen der Anmeldedaten für %s"
+
+#: ../../src/clients/kvno/kvno.c:291
+#, c-format
+msgid "while decoding ticket for %s"
+msgstr "beim Dekodieren des Tickets für %s"
+
+#: ../../src/clients/kvno/kvno.c:302
+#, c-format
+msgid "while decrypting ticket for %s"
+msgstr "beim Entschlüsseln des Tickets für %s"
+
+#: ../../src/clients/kvno/kvno.c:306
+#, c-format
+msgid "%s: kvno = %d, keytab entry valid\n"
+msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n"
+
+#: ../../src/clients/kvno/kvno.c:324
+#, c-format
+msgid "%s: constrained delegation failed"
+msgstr "%s: eingeschränkte Abtretung fehlgeschlagen"
+
+#: ../../src/clients/kvno/kvno.c:330
+#, c-format
+msgid "%s: kvno = %d\n"
+msgstr "%s: KVNO = %d\n"
+
+#: ../../src/kadmin/cli/kadmin.c:118
+#, c-format
+msgid ""
+"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
+"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n"
+"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
+"where,\n"
+"\t[-x db_args]* - any number of database specific arguments.\n"
+"\t\t\tLook at each database documentation for supported arguments\n"
+msgstr ""
+"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n"
+"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n"
+"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n"
+"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n"
+"wobei\n"
+"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer "
+"Argumente\n"
+"\tist. Die unterstützten Argumente finden Sie in den jeweiligen "
+"\tDatenbankdokumentationen\n"
+
+#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333
+#, c-format
+msgid "%s: Cannot initialize. Not enough memory\n"
+msgstr "%s: Zu wenig Speicher zum Initialisieren\n"
+
+#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804
+#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634
+#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591
+#, c-format
+msgid "while parsing keysalts %s"
+msgstr "beim Auswerten der Schlüssel-Salts %s"
+
+#: ../../src/kadmin/cli/kadmin.c:376
+#, c-format
+msgid "%s: unable to get default realm\n"
+msgstr "%s: Standard-Realm kann nicht geholt werden\n"
+
+#: ../../src/kadmin/cli/kadmin.c:396
+msgid "while opening default credentials cache"
+msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers"
+
+#: ../../src/kadmin/cli/kadmin.c:402
+#, c-format
+msgid "while opening credentials cache %s"
+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
+
+#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479
+#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494
+#, c-format
+msgid "%s: out of memory\n"
+msgstr "%s: Speicherplatz reicht nicht aus\n"
+
+#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448
+#: ../../src/slave/kpropd.c:681
+msgid "while canonicalizing principal name"
+msgstr "während der Principal-Name in die normale Form gebracht wird"
+
+#: ../../src/kadmin/cli/kadmin.c:442
+msgid "creating host service principal"
+msgstr "Principal des Rechnerdienstes wird erstellt"
+
+#: ../../src/kadmin/cli/kadmin.c:455
+#, c-format
+msgid "%s: unable to canonicalize principal\n"
+msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n"
+
+#: ../../src/kadmin/cli/kadmin.c:499
+#, c-format
+msgid "%s: unable to figure out a principal name\n"
+msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:507
+msgid "while setting up logging"
+msgstr "beim Einrichten der Protokollierung"
+
+#: ../../src/kadmin/cli/kadmin.c:516
+#, c-format
+msgid "Authenticating as principal %s with existing credentials.\n"
+msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n"
+
+#: ../../src/kadmin/cli/kadmin.c:522
+#, c-format
+msgid "Authenticating as principal %s with password; anonymous requested.\n"
+msgstr ""
+"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n"
+
+#: ../../src/kadmin/cli/kadmin.c:529
+#, c-format
+msgid "Authenticating as principal %s with keytab %s.\n"
+msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:532
+#, c-format
+msgid "Authenticating as principal %s with default keytab.\n"
+msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n"
+
+#: ../../src/kadmin/cli/kadmin.c:538
+#, c-format
+msgid "Authenticating as principal %s with password.\n"
+msgstr "Authentifizierung als Principal %s mit Passwort\n"
+
+#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728
+#, c-format
+msgid "while initializing %s interface"
+msgstr "beim Initialisieren der Schnittstelle %s"
+
+#: ../../src/kadmin/cli/kadmin.c:560
+#, c-format
+msgid "while closing ccache %s"
+msgstr "beim Schließen von Ccache %s"
+
+#: ../../src/kadmin/cli/kadmin.c:566
+msgid "while mapping update log"
+msgstr "beim Abbilden des Aktualisierungsprotokolls"
+
+#: ../../src/kadmin/cli/kadmin.c:581
+msgid "while unlocking locked database"
+msgstr "beim Entsperren der Datenbank"
+
+#: ../../src/kadmin/cli/kadmin.c:590
+msgid "Administration credentials NOT DESTROYED.\n"
+msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n"
+
+#: ../../src/kadmin/cli/kadmin.c:639
+#, c-format
+msgid "usage: delete_principal [-force] principal\n"
+msgstr "Aufruf: delete_principal [-force] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819
+msgid "while parsing principal name"
+msgstr "beim Auswerten des Principal-Namens"
+
+#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825
+#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339
+#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858
+#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948
+#: ../../src/kadmin/cli/kadmin.c:1988
+msgid "while canonicalizing principal"
+msgstr "während der Principal in die normale Form gebracht wird"
+
+#: ../../src/kadmin/cli/kadmin.c:654
+#, c-format
+msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): "
+msgstr ""
+"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): "
+
+#: ../../src/kadmin/cli/kadmin.c:658
+#, c-format
+msgid "Principal \"%s\" not deleted\n"
+msgstr "Principal »%s« nicht gelöscht\n"
+
+#: ../../src/kadmin/cli/kadmin.c:665
+#, c-format
+msgid "while deleting principal \"%s\""
+msgstr "beim Löschen von Principal »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:668
+#, c-format
+msgid "Principal \"%s\" deleted.\n"
+msgstr "Principal »%s« gelöscht\n"
+
+#: ../../src/kadmin/cli/kadmin.c:669
+#, c-format
+msgid ""
+"Make sure that you have removed this principal from all ACLs before "
+"reusing.\n"
+msgstr ""
+"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, "
+"bevor Sie ihn erneut benutzen.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:686
+#, c-format
+msgid "usage: rename_principal [-force] old_principal new_principal\n"
+msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:693
+msgid "while parsing old principal name"
+msgstr "beim Auswerten des alten Principal-Namens"
+
+#: ../../src/kadmin/cli/kadmin.c:699
+msgid "while parsing new principal name"
+msgstr "beim Auswerten des neuen Principal-Namens"
+
+#: ../../src/kadmin/cli/kadmin.c:705
+msgid "while canonicalizing old principal"
+msgstr "während der alte Principal in die normale Form gebracht wird"
+
+#: ../../src/kadmin/cli/kadmin.c:711
+msgid "while canonicalizing new principal"
+msgstr "während der neue Principal in die normale Form gebracht wird"
+
+#: ../../src/kadmin/cli/kadmin.c:715
+#, c-format
+msgid ""
+"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): "
+msgstr ""
+"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? "
+"(yes/no): "
+
+#: ../../src/kadmin/cli/kadmin.c:719
+#, c-format
+msgid "Principal \"%s\" not renamed\n"
+msgstr "Principal »%s« wurde nicht umbenannt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:726
+#, c-format
+msgid "while renaming principal \"%s\" to \"%s\""
+msgstr "beim Umbenennen von Principal »%s« in »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:730
+#, c-format
+msgid "Principal \"%s\" renamed to \"%s\".\n"
+msgstr "Principal »%s« wurde in »%s« umbenannt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:731
+#, c-format
+msgid ""
+"Make sure that you have removed the old principal from all ACLs before "
+"reusing.\n"
+msgstr ""
+"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt "
+"haben, bevor Sie ihn erneut benutzen.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:746
+#, c-format
+msgid ""
+"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] "
+"principal\n"
+msgstr ""
+"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw "
+"Passwort] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:772
+msgid "change_password: missing db argument"
+msgstr "change_password: fehlendes Datenbankargument"
+
+#: ../../src/kadmin/cli/kadmin.c:778
+#, c-format
+msgid "change_password: Not enough memory\n"
+msgstr "change_password: zu wenig Speicher\n"
+
+#: ../../src/kadmin/cli/kadmin.c:786
+msgid "change_password: missing password arg"
+msgstr "change_password: fehlendes Passwortargument"
+
+#: ../../src/kadmin/cli/kadmin.c:797
+msgid "change_password: missing keysaltlist arg"
+msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument"
+
+#: ../../src/kadmin/cli/kadmin.c:813
+msgid "missing principal name"
+msgstr "fehlender Principal-Name"
+
+#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874
+#, c-format
+msgid "while changing password for \"%s\"."
+msgstr "beim Ändern des Passworts von »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877
+#, c-format
+msgid "Password for \"%s\" changed.\n"
+msgstr "Passwort von »%s« geändert\n"
+
+#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290
+#, c-format
+msgid "while randomizing key for \"%s\"."
+msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:849
+#, c-format
+msgid "Key for \"%s\" randomized.\n"
+msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n"
+
+#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250
+#, c-format
+msgid "Enter password for principal \"%s\""
+msgstr "Geben Sie das Passwort für Principal »%s« ein."
+
+#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252
+#, c-format
+msgid "Re-enter password for principal \"%s\""
+msgstr "Geben Sie das Passwort für Principal »%s« erneut ein."
+
+#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256
+#, c-format
+msgid "while reading password for \"%s\"."
+msgstr "beim Lesen des Passworts von »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:915
+#, c-format
+msgid "Not enough memory\n"
+msgstr "Speicher reicht nicht aus\n"
+
+#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623
+msgid "while getting time"
+msgstr "beim Holen der Zeit"
+
+#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007
+#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033
+#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558
+#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618
+#, c-format
+msgid "Invalid date specification \"%s\".\n"
+msgstr "ungültige Datumsangabe »%s«\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333
+#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852
+#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942
+#: ../../src/kadmin/cli/kadmin.c:1982
+msgid "while parsing principal"
+msgstr "beim Auswerten des Principals"
+
+#: ../../src/kadmin/cli/kadmin.c:1127
+#, c-format
+msgid "usage: add_principal [options] principal\n"
+msgstr "Aufruf: add_principal [Optionen] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155
+#: ../../src/kadmin/cli/kadmin.c:1657
+#, c-format
+msgid "\toptions are:\n"
+msgstr "\tEs gibt folgende Optionen:\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1130
+#, c-format
+msgid ""
+"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire "
+"pwexpdate] [-maxlife maxtixlife]\n"
+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
+"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
+"\t\t[-e keysaltlist]\n"
+"\t\t[{+|-}attribute]\n"
+msgstr ""
+"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-"
+"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
+"\t\t[-pw Passwort] [-maxrenewlife maximale_Dauer_bis_zum_Erneuern]\n"
+"\t\t[-e Schlüssel-Salt-Liste]\n"
+"\t\t[{+|-}Attribut]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1136
+#, c-format
+msgid "\tattributes are:\n"
+msgstr "\tEs gibt folgende Attribute:\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164
+#, c-format
+msgid ""
+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
+"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+"\n"
+"where,\n"
+"\t[-x db_princ_args]* - any number of database specific arguments.\n"
+"\t\t\tLook at each database documentation for supported arguments\n"
+msgstr ""
+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
+"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+"\n"
+"wobei\n"
+"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n"
+"\tdatenbankspezifischer Argumente ist.\n"
+"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n"
+"Datenbankdokumentation.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1154
+#, c-format
+msgid "usage: modify_principal [options] principal\n"
+msgstr "Aufruf: modify_principal [Optionen] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1157
+#, c-format
+msgid ""
+"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife "
+"maxtixlife]\n"
+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
+"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n"
+msgstr ""
+"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire "
+"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}"
+"Attribut]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362
+#, c-format
+msgid "WARNING: policy \"%s\" does not exist\n"
+msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1230
+#, c-format
+msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
+msgstr ""
+"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« "
+"zugewiesen\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1235
+#, c-format
+msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
+msgstr ""
+"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe "
+"»keine\n"
+"Richtlinie« verwandt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1276
+#, c-format
+msgid "Admin server does not support -nokey while creating \"%s\"\n"
+msgstr ""
+"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1298
+#, c-format
+msgid "while clearing DISALLOW_ALL_TIX for \"%s\"."
+msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:1345
+#, c-format
+msgid "while getting \"%s\"."
+msgstr "beim Holen von »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:1371
+#, c-format
+msgid "while modifying \"%s\"."
+msgstr "beim Ändern von »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:1375
+#, c-format
+msgid "Principal \"%s\" modified.\n"
+msgstr "Principal »%s« wurde geändert.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1396
+#, c-format
+msgid "usage: get_principal [-terse] principal\n"
+msgstr "Aufruf: get_principal [-terse] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1415
+#, c-format
+msgid "while retrieving \"%s\"."
+msgstr "beim Abfragen von »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425
+msgid "while unparsing principal"
+msgstr "beim Rückgängigmachen der Auswertung des Principals"
+
+#: ../../src/kadmin/cli/kadmin.c:1429
+#, c-format
+msgid "Principal: %s\n"
+msgstr "Principal: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1430
+#, c-format
+msgid "Expiration date: %s\n"
+msgstr "Ablaufdatum: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433
+#: ../../src/kadmin/cli/kadmin.c:1444
+msgid "[never]"
+msgstr "[niemals]"
+
+#: ../../src/kadmin/cli/kadmin.c:1432
+#, c-format
+msgid "Last password change: %s\n"
+msgstr "Letzte Passwortänderung: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1434
+#, c-format
+msgid "Password expiration date: %s\n"
+msgstr "Passwortablaufdatum: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478
+msgid "[none]"
+msgstr "[keins]"
+
+#: ../../src/kadmin/cli/kadmin.c:1437
+#, c-format
+msgid "Maximum ticket life: %s\n"
+msgstr "maximale Ticketlebensdauer: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1438
+#, c-format
+msgid "Maximum renewable life: %s\n"
+msgstr "maximale verlängerbare Lebensdauer: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1440
+#, c-format
+msgid "Last modified: %s (%s)\n"
+msgstr "zuletzt geändert: %s (%s)\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1442
+#, c-format
+msgid "Last successful authentication: %s\n"
+msgstr "letzte erfolgreiche Authentifizierung: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1448
+#, c-format
+msgid "Failed password attempts: %d\n"
+msgstr "Fehlgeschlagene Anmeldeversuche: %d\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1450
+#, c-format
+msgid "Number of keys: %d\n"
+msgstr "Anzahl der Schlüssel: %d\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1457
+#, c-format
+msgid "<Encryption type 0x%x>"
+msgstr "<Verschlüsselungstyp 0x%x>"
+
+#: ../../src/kadmin/cli/kadmin.c:1464
+#, c-format
+msgid "<Salt type 0x%x>"
+msgstr "<Salt-Typ 0x%x>"
+
+#: ../../src/kadmin/cli/kadmin.c:1470
+#, c-format
+msgid "MKey: vno %d\n"
+msgstr "MKey: vno %d\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1472
+#, c-format
+msgid "Attributes:"
+msgstr "Attribute:"
+
+#: ../../src/kadmin/cli/kadmin.c:1480
+msgid " [does not exist]"
+msgstr " [existiert nicht]"
+
+#: ../../src/kadmin/cli/kadmin.c:1481
+#, c-format
+msgid "Policy: %s%s\n"
+msgstr "Richtlinie: %s%s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1517
+#, c-format
+msgid "usage: get_principals [expression]\n"
+msgstr "Aufruf: get_principals [Ausdruck]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794
+msgid "while retrieving list."
+msgstr "beim Abfragen der Liste."
+
+#: ../../src/kadmin/cli/kadmin.c:1647
+#, c-format
+msgid "%s: parser lost count!\n"
+msgstr "%s: Auswertungsprogramm verlor Anzahl!\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1656
+#, c-format
+msgid "usage; %s [options] policy\n"
+msgstr "Aufruf: %s [Optionen] Richtlinie\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1659
+#, c-format
+msgid ""
+"\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
+"\t\t[-minclasses number] [-history number]\n"
+"\t\t[-maxfailure number] [-failurecountinterval time]\n"
+"\t\t[-allowedkeysalts keysalts]\n"
+msgstr ""
+"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n"
+"\t\t[-minclasses Anzahl] [-history Nummer]\n"
+"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n"
+"\t\t[-allowedkeysalts Schlüssel-Salts]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1663
+#, c-format
+msgid "\t\t[-lockoutduration time]\n"
+msgstr "\t\t[-lockoutduration Dauer]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1682
+#, c-format
+msgid "while creating policy \"%s\"."
+msgstr "beim Erstellen der Richtlinie »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1703
+#, c-format
+msgid "while modifying policy \"%s\"."
+msgstr "beim Ändern der Richtlinie »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1715
+#, c-format
+msgid "usage: delete_policy [-force] policy\n"
+msgstr "Aufruf: delete_policy [-force] Richtlinie\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1719
+#, c-format
+msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
+msgstr ""
+"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): "
+
+#: ../../src/kadmin/cli/kadmin.c:1723
+#, c-format
+msgid "Policy \"%s\" not deleted.\n"
+msgstr "Richtlinie »%s« nicht gelöscht\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1729
+#, c-format
+msgid "while deleting policy \"%s\""
+msgstr "bei Löschen der Richtlinie »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1741
+#, c-format
+msgid "usage: get_policy [-terse] policy\n"
+msgstr "Aufruf: get_policy [-terse] Richtlinie\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1746
+#, c-format
+msgid "while retrieving policy \"%s\"."
+msgstr "beim Abfragen der Richtlinie »%s«."
+
+#: ../../src/kadmin/cli/kadmin.c:1751
+#, c-format
+msgid "Policy: %s\n"
+msgstr "Richtlinie: »%s«\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1752
+#, c-format
+msgid "Maximum password life: %ld\n"
+msgstr "maximale Passwortlebensdauer: %ld\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1753
+#, c-format
+msgid "Minimum password life: %ld\n"
+msgstr "minimale Passwortlebensdauer: %ld\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1754
+#, c-format
+msgid "Minimum password length: %ld\n"
+msgstr "minimale Passwortlänge: %ld\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1755
+#, c-format
+msgid "Minimum number of password character classes: %ld\n"
+msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1757
+#, c-format
+msgid "Number of old keys kept: %ld\n"
+msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1758
+#, c-format
+msgid "Maximum password failures before lockout: %lu\n"
+msgstr "maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1760
+#, c-format
+msgid "Password failure count reset interval: %s\n"
+msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1762
+#, c-format
+msgid "Password lockout duration: %s\n"
+msgstr "Passwortsperrdauer: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1765
+#, c-format
+msgid "Allowed key/salt types: %s\n"
+msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1789
+#, c-format
+msgid "usage: get_policies [expression]\n"
+msgstr "Aufruf: get_policies [Ausdruck]\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1811
+#, c-format
+msgid "usage: get_privs\n"
+msgstr "Aufruf: get_privs\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1816
+msgid "while retrieving privileges"
+msgstr "beim Abfragen von Rechten"
+
+#: ../../src/kadmin/cli/kadmin.c:1819
+#, c-format
+msgid "current privileges:"
+msgstr "aktuelle Rechte:"
+
+#: ../../src/kadmin/cli/kadmin.c:1845
+#, c-format
+msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
+msgstr ""
+"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1865
+#, c-format
+msgid "while purging keys for principal \"%s\""
+msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1870
+#, c-format
+msgid "All keys for principal \"%s\" removed.\n"
+msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1872
+#, c-format
+msgid "Old keys for principal \"%s\" purged.\n"
+msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1889
+#, c-format
+msgid "usage: get_strings principal\n"
+msgstr "Aufruf: get_strings Principal\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1909
+#, c-format
+msgid "while getting attributes for principal \"%s\""
+msgstr "beim Holen von Attributen für Principal »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1914
+#, c-format
+msgid "(No string attributes.)\n"
+msgstr "(keine Zeichenkettenattribute)\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1933
+#, c-format
+msgid "usage: set_string principal key value\n"
+msgstr "Aufruf: set_string Principal Schlüssel Wert\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1955
+#, c-format
+msgid "while setting attribute on principal \"%s\""
+msgstr "beim Setzen eines Attributes für Principal »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1959
+#, c-format
+msgid "Attribute set for principal \"%s\".\n"
+msgstr "Attribute für Principal »%s« wurden gesetzt.\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1974
+#, c-format
+msgid "usage: del_string principal key\n"
+msgstr "Aufruf: del_string Principal Schlüssel\n"
+
+#: ../../src/kadmin/cli/kadmin.c:1995
+#, c-format
+msgid "while deleting attribute from principal \"%s\""
+msgstr "beim Löschen eines Attributs von Principal »%s«"
+
+#: ../../src/kadmin/cli/kadmin.c:1999
+#, c-format
+msgid "Attribute removed from principal \"%s\".\n"
+msgstr "Attribut von Principal »%s« wurde gelöscht.\n"
+
+#: ../../src/kadmin/cli/keytab.c:56
+#, c-format
+msgid ""
+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] "
+"[principal | -glob princ-exp] [...]\n"
+msgstr ""
+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-"
+"norandkey] [Principal | -glob Principal-Ausdruck] […]\n"
+
+#: ../../src/kadmin/cli/keytab.c:59
+#, c-format
+msgid ""
+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob "
+"princ-exp] [...]\n"
+msgstr ""
+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] "
+"[Principal | -glob Principal-Ausdruck] […]\n"
+
+#: ../../src/kadmin/cli/keytab.c:67
+#, c-format
+msgid ""
+"Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"
+msgstr ""
+"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal "
+"[kvno|»all«|»old«]\n"
+
+#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102
+msgid "while creating keytab name"
+msgstr "beim Erstellen des Schlüsseltabellennamens"
+
+#: ../../src/kadmin/cli/keytab.c:86
+msgid "while opening default keytab"
+msgstr "beim Öffnen der Standardschlüsseltabelle"
+
+#: ../../src/kadmin/cli/keytab.c:147
+#, c-format
+msgid "-norandkey option only valid for kadmin.local\n"
+msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n"
+
+#: ../../src/kadmin/cli/keytab.c:176
+#, c-format
+msgid "cannot specify keysaltlist when not changing key\n"
+msgstr ""
+"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht "
+"geändert wird\n"
+
+#: ../../src/kadmin/cli/keytab.c:192
+#, c-format
+msgid "while expanding expression \"%s\"."
+msgstr "beim Expandieren des Ausdrucks »%s«."
+
+#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251
+msgid "while closing keytab"
+msgstr "beim Schließen der Schlüsseltabelle"
+
+#: ../../src/kadmin/cli/keytab.c:275
+#, c-format
+msgid "while parsing -add principal name %s"
+msgstr "beim Auswerten von »-add Principal-Name %s«"
+
+#: ../../src/kadmin/cli/keytab.c:289
+#, c-format
+msgid "%s: Principal %s does not exist.\n"
+msgstr "%s: Principal %s existiert nicht.\n"
+
+#: ../../src/kadmin/cli/keytab.c:292
+#, c-format
+msgid "while changing %s's key"
+msgstr "beim Ändern des Schlüssels von %s"
+
+#: ../../src/kadmin/cli/keytab.c:299
+msgid "while retrieving principal"
+msgstr "beim Abfragen des Principals"
+
+#: ../../src/kadmin/cli/keytab.c:311
+msgid "while adding key to keytab"
+msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle"
+
+#: ../../src/kadmin/cli/keytab.c:317
+#, c-format
+msgid ""
+"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n"
+msgstr ""
+"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde "
+"der Schlüsseltabelle %s hinzugefügt.\n"
+
+#: ../../src/kadmin/cli/keytab.c:326
+msgid "while freeing principal entry"
+msgstr "beim Freigeben des Principal-Eintrags"
+
+#: ../../src/kadmin/cli/keytab.c:373
+#, c-format
+msgid "%s: Keytab %s does not exist.\n"
+msgstr "%s: Schlüsseltabelle %s existiert nicht.\n"
+
+#: ../../src/kadmin/cli/keytab.c:377
+#, c-format
+msgid "%s: No entry for principal %s exists in keytab %s\n"
+msgstr ""
+"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n"
+
+#: ../../src/kadmin/cli/keytab.c:381
+#, c-format
+msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n"
+msgstr ""
+"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der "
+"Schlüsseltabelle %s.\n"
+
+#: ../../src/kadmin/cli/keytab.c:387
+msgid "while retrieving highest kvno from keytab"
+msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle"
+
+#: ../../src/kadmin/cli/keytab.c:420
+msgid "while temporarily ending keytab scan"
+msgstr "beim Unterbrechen des Schlüsseltabellen-Scans"
+
+#: ../../src/kadmin/cli/keytab.c:425
+msgid "while deleting entry from keytab"
+msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle"
+
+#: ../../src/kadmin/cli/keytab.c:430
+msgid "while restarting keytab scan"
+msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans"
+
+#: ../../src/kadmin/cli/keytab.c:436
+#, c-format
+msgid "Entry for principal %s with kvno %d removed from keytab %s.\n"
+msgstr ""
+"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s "
+"entfernt.\n"
+
+#: ../../src/kadmin/cli/keytab.c:458
+#, c-format
+msgid "%s: There is only one entry for principal %s in keytab %s\n"
+msgstr ""
+"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n"
+
+#: ../../src/kadmin/cli/ss_wrapper.c:49 ../../src/kadmin/ktutil/ktutil.c:58
+msgid "creating invocation"
+msgstr "Aufruf wird erstellt"
+
+#: ../../src/kadmin/dbutil/dump.c:165
+msgid "while allocating temporary filename dump"
+msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs"
+
+#: ../../src/kadmin/dbutil/dump.c:176
+msgid "while renaming dump file into place"
+msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt"
+
+#: ../../src/kadmin/dbutil/dump.c:192
+msgid "while allocating dump_ok filename"
+msgstr "beim Reservieren des »dump_ok«-Dateinamens"
+
+#: ../../src/kadmin/dbutil/dump.c:199
+#, c-format
+msgid "while creating 'ok' file, '%s'"
+msgstr "beim Erstellen der Datei »ok«, »%s«"
+
+#: ../../src/kadmin/dbutil/dump.c:206
+#, c-format
+msgid "while locking 'ok' file, '%s'"
+msgstr "beim Sperren der Datei »ok«, »%s«"
+
+#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277
+#, c-format
+msgid "%s: regular expression error: %s\n"
+msgstr "%s: Fehler im regulären Ausdruck: %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:260
+#, c-format
+msgid "%s: regular expression match error: %s\n"
+msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:361
+#, c-format
+msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
+msgstr ""
+"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d "
+"gespeichert)\n"
+
+#: ../../src/kadmin/dbutil/dump.c:519
+#, c-format
+msgid ""
+"Warning!  Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
+msgstr ""
+"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden "
+"übersprungen.\n"
+
+#: ../../src/kadmin/dbutil/dump.c:530
+#, c-format
+msgid ""
+"Warning!  No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
+"record; skipping\n"
+msgstr ""
+"Warnung! Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-"
+"kompatibler Datensatz erzeugt werden, wird übersprungen\n"
+
+#: ../../src/kadmin/dbutil/dump.c:558
+#, c-format
+msgid "while converting %s to new master key"
+msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel"
+
+#: ../../src/kadmin/dbutil/dump.c:579
+#, c-format
+msgid "%s(%d): %s\n"
+msgstr "%s(%d): %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:622
+#, c-format
+msgid "%s(%d): ignoring trash at end of line: "
+msgstr "%s(%d): Müll am Zeilenende wird ignoriert: "
+
+#: ../../src/kadmin/dbutil/dump.c:685
+msgid "cannot read tagged data type and length"
+msgstr "Markierter Datentyp und Länge können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:692
+msgid "cannot read tagged data contents"
+msgstr "Inhalt der markierten Daten kann nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:726
+msgid "cannot match size tokens"
+msgstr "Größenmerkmale können nicht zugeordnet werden."
+
+#: ../../src/kadmin/dbutil/dump.c:755
+msgid "cannot read name string"
+msgstr "Namenszeichenkette kann nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:760
+#, c-format
+msgid "while parsing name %s"
+msgstr "beim Auswerten des Namens %s"
+
+#: ../../src/kadmin/dbutil/dump.c:768
+msgid "cannot read principal attributes"
+msgstr "Principal-Attribute können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:821
+msgid "cannot read key size and version"
+msgstr "Schlüssellänge und -version können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:832
+msgid "cannot read key type and length"
+msgstr "Schlüsseltyp und -länge können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:838
+msgid "cannot read key data"
+msgstr "Schlüsseldaten können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:848
+msgid "cannot read extra data"
+msgstr "Zusätzliche Daten können nicht gelesen werden."
+
+#: ../../src/kadmin/dbutil/dump.c:857
+#, c-format
+msgid "while storing %s"
+msgstr "beim Speichern von %s"
+
+#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935
+#: ../../src/kadmin/dbutil/dump.c:981
+#, c-format
+msgid "cannot parse policy (%d read)\n"
+msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n"
+
+#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943
+#: ../../src/kadmin/dbutil/dump.c:1001
+msgid "while creating policy"
+msgstr "beim Erstellen der Richtlinie"
+
+#: ../../src/kadmin/dbutil/dump.c:908
+#, c-format
+msgid "created policy %s\n"
+msgstr "erstellte Richtlinie %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1038
+#, c-format
+msgid "unknown record type \"%s\"\n"
+msgstr "unbekannter Datensatztyp »%s«\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1167
+#, c-format
+msgid "%s: Unknown iprop dump version %d\n"
+msgstr "%s: unbekannte Iprop-Auszugsversion %d\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498
+#, c-format
+msgid "Iprop not enabled\n"
+msgstr "Iprop nicht aktiviert\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1308
+msgid "Conditional dump is an undocumented option for use only for iprop dumps"
+msgstr ""
+"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-"
+"Auszüge benutzt wird."
+
+#: ../../src/kadmin/dbutil/dump.c:1321
+msgid "Database not currently opened!"
+msgstr "Die Datenbank ist zur Zeit nicht geöffnet!"
+
+#: ../../src/kadmin/dbutil/dump.c:1335
+#: ../../src/kadmin/dbutil/kdb5_stash.c:116
+#: ../../src/kadmin/dbutil/kdb5_util.c:479
+msgid "while reading master key"
+msgstr "beim Lesen des Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/dump.c:1341
+msgid "while verifying master key"
+msgstr "beim Prüfen des Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370
+msgid "while reading new master key"
+msgstr "beim Lesen des neuen Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/dump.c:1364
+#, c-format
+msgid "Please enter new master key....\n"
+msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1388
+#, c-format
+msgid "while opening %s for writing"
+msgstr "beim Öffnen von %s zum Schreiben"
+
+#: ../../src/kadmin/dbutil/dump.c:1403
+msgid "while reading update log header"
+msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen"
+
+#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425
+#, c-format
+msgid "performing %s dump"
+msgstr "Auszug von %s wird durchgeführt"
+
+#: ../../src/kadmin/dbutil/dump.c:1455
+#, c-format
+msgid "%s: error processing line %d of %s\n"
+msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1507
+msgid "while parsing options"
+msgstr "beim Auswerten der Optionen"
+
+#: ../../src/kadmin/dbutil/dump.c:1522
+#, c-format
+msgid "while opening %s"
+msgstr "beim Öffnen von %s"
+
+#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626
+msgid "standard input"
+msgstr "Standardeingabe"
+
+#: ../../src/kadmin/dbutil/dump.c:1532
+#, c-format
+msgid "%s: can't read dump header in %s\n"
+msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557
+#, c-format
+msgid "%s: dump header bad in %s\n"
+msgstr "%s: falsche Kopfzeilen des Auszugs in %s\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1566
+#, c-format
+msgid "Could not open iprop ulog\n"
+msgstr "Iprop-Ulog kann nicht geöffnet werden.\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1571
+#, c-format
+msgid "%s: dump version %s can only be loaded with the -update flag\n"
+msgstr ""
+"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585
+msgid "computing parameters for database"
+msgstr "Parameter für die Datenbank werden berechnet."
+
+#: ../../src/kadmin/dbutil/dump.c:1591
+msgid "while creating database"
+msgstr "beim Erstellen der Datenbank"
+
+#: ../../src/kadmin/dbutil/dump.c:1600
+msgid "while opening database"
+msgstr "beim Öffnen der Datenbank"
+
+#: ../../src/kadmin/dbutil/dump.c:1610
+msgid "while permanently locking database"
+msgstr "beim dauerhaften Sperren der Datenbank"
+
+#: ../../src/kadmin/dbutil/dump.c:1628
+#, c-format
+msgid "%s: %s restore failed\n"
+msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n"
+
+#: ../../src/kadmin/dbutil/dump.c:1633
+msgid "while unlocking database"
+msgstr "beim Aufheben der Datenbanksperre"
+
+#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662
+msgid "while reinitializing update log"
+msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls"
+
+#: ../../src/kadmin/dbutil/dump.c:1653
+msgid "while making newly loaded database live"
+msgstr "beim Aktivieren der neu geladenen Datenbank"
+
+#: ../../src/kadmin/dbutil/dump.c:1669
+msgid "while writing update log header"
+msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen"
+
+#: ../../src/kadmin/dbutil/dump.c:1683
+#, c-format
+msgid "while deleting bad database %s"
+msgstr "beim Löschen der falschen Datenbank %s"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:84
+msgid "while looking up the Kerberos configuration"
+msgstr "beim Nachschlagen der Kerberos-Konfiguration"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:111
+msgid "while initializing the Kerberos admin interface"
+msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:169
+#, c-format
+msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n"
+msgstr ""
+"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt "
+"werden.\n"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:190
+#: ../../src/kadmin/dbutil/kadm5_create.c:196
+#, c-format
+msgid "Out of memory\n"
+msgstr "Speicherplatz reicht nicht aus.\n"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:270
+msgid "while appending realm to principal"
+msgstr "beim Anhängen des Realms an den Principal"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:275
+msgid "while parsing admin principal name"
+msgstr "beim Auswerten des Principal-Namens des Administrators"
+
+#: ../../src/kadmin/dbutil/kadm5_create.c:286
+#, c-format
+msgid "while creating principal %s"
+msgstr "beim Erstellen des Principals %s"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:175
+#: ../../src/kadmin/dbutil/kdb5_util.c:241
+#: ../../src/kadmin/dbutil/kdb5_util.c:248
+msgid "while parsing command arguments\n"
+msgstr "beim Auswerten der Befehlsargumente\n"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:198
+#, c-format
+msgid "Loading random data\n"
+msgstr "Zufällige Daten werden geladen.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:201
+msgid "Loading random data"
+msgstr "Zufällige Daten werden geladen."
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:211
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:242
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:435
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:591
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149
+#: ../../src/kadmin/dbutil/kdb5_util.c:423
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606
+msgid "while setting up master key name"
+msgstr "beim Einrichten des Hauptschlüsselnamens"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:222
+#, c-format
+msgid ""
+"Initializing database '%s' for realm '%s',\n"
+"master key name '%s'\n"
+msgstr ""
+"Datenbank »%s« für Realm »%s« wird initialisiert,\n"
+"Hauptschlüsselname »%s«\n"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:227
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516
+#, c-format
+msgid "You will be prompted for the database Master Password.\n"
+msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:228
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517
+#, c-format
+msgid "It is important that you NOT FORGET this password.\n"
+msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:234
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:266
+msgid "while creating new master key"
+msgstr "beim Erstellen des neuen Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:242
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
+msgid "while reading master key from keyboard"
+msgstr "beim Lesen des Hauptschlüssels von der Tastatur"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:252
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:285
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618
+msgid "while calculating master key salt"
+msgstr "beim Berechnen des Hauptschlüssel-Salts"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:260
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:294
+#: ../../src/kadmin/dbutil/kdb5_util.c:465
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630
+msgid "while transforming master key from password"
+msgstr "beim Umwandeln des Hauptschlüssels vom Passwort"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:270
+msgid "while initializing random key generator"
+msgstr "beim Initialisieren des Zufallsschlüsselgenerators"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:275
+#, c-format
+msgid "while creating database '%s'"
+msgstr "beim Erstellen der Datenbank »%s«"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:293
+msgid "while creating update log"
+msgstr "beim Erstellen des Aktualisierungsprotokolls"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:304
+msgid "while initializing update log"
+msgstr "beim Initialisieren des Aktualisierungsprotokolls"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:320
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642
+msgid "while adding entries to the database"
+msgstr "beim Hinzufügen von Einträgen in die Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:348
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:339
+#: ../../src/kadmin/dbutil/kdb5_stash.c:133
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667
+msgid "while storing key"
+msgstr "beim Speichern des Schlüssels"
+
+#: ../../src/kadmin/dbutil/kdb5_create.c:349
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668
+#, c-format
+msgid "Warning: couldn't stash master key.\n"
+msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:57
+msgid "while initializing krb5_context"
+msgstr "beim Initialisieren von »krb5_context«"
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:63
+#: ../../src/kadmin/dbutil/kdb5_util.c:259
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291
+msgid "while setting default realm name"
+msgstr "beim Einstellen des Standard-Realm-Namens"
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:83
+#, c-format
+msgid "Deleting KDC database stored in '%s', are you sure?\n"
+msgstr ""
+"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n"
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:85
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482
+#, c-format
+msgid "(type 'yes' to confirm)? "
+msgstr "(Geben Sie als Bestätigung »yes« ein)? "
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:92
+#, c-format
+msgid "OK, deleting database '%s'...\n"
+msgstr "OK, Datenbank »%s« wird gelöscht …\n"
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:97
+#, c-format
+msgid "deleting database '%s'"
+msgstr "Datenbank »%s« wird gelöscht."
+
+#: ../../src/kadmin/dbutil/kdb5_destroy.c:106
+#, c-format
+msgid "** Database '%s' destroyed.\n"
+msgstr "** Datenbank »%s« vernichtet\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:218
+#, c-format
+msgid "%s is an invalid enctype"
+msgstr "%s ist ein ungültiger Verschlüsselungstyp"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:250
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:443
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:599
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:986
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157
+#, c-format
+msgid "while getting master key principal %s"
+msgstr "beim Holen des Hauptschlüssels von Principal %s"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:256
+#, c-format
+msgid "Creating new master key for master key principal '%s'\n"
+msgstr ""
+"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« "
+"erstellt.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:259
+#, c-format
+msgid "You will be prompted for a new database Master Password.\n"
+msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:275
+msgid "while reading new master key from keyboard"
+msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
+msgid "adding new master key to master principal"
+msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:310
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:402
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:843
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
+msgid "while getting current time"
+msgstr "beim Holen der aktuellen Zeit"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:317
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:544
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363
+msgid "while updating the master key principal modification time"
+msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:325
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:553
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374
+msgid "while adding master key entry to the database"
+msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
+msgid "0 is an invalid KVNO value"
+msgstr "0 ist kein gültiger KVNO-Wert"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:394
+#, c-format
+msgid "%d is an invalid KVNO value"
+msgstr "%d ist kein gültiger KVNO-Wert"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:410
+#, c-format
+msgid "could not parse date-time string '%s'"
+msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:452
+msgid "while looking up active version of master key"
+msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:491
+msgid "while adding new master key"
+msgstr "beim Hinzufügen eines neuen Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:529
+msgid "there must be one master key currently active"
+msgstr "ein Hauptschlüssel muss derzeit aktiv sein"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:537
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342
+msgid "while updating actkvno data for master principal entry"
+msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:581
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:948
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116
+msgid "master keylist not initialized"
+msgstr "Hauptschlüsselliste ist nicht initialisiert"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:607
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:994
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
+msgid "while looking up active kvno list"
+msgstr "beim Nachschlagen der Liste aktiver KVNOs"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:615
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002
+msgid "while looking up active master key"
+msgstr "beim Nachschlagen des aktiven Hauptschlüssels"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:627
+msgid "while getting enctype description"
+msgstr "beim Holen des Verschlüsselungsbeschreibung"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:644
+#, c-format
+msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:649
+#, c-format
+msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:653
+#, c-format
+msgid "KVNO: %d, Enctype: %s, No activate time set\n"
+msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:658
+msgid "asprintf could not allocate enough memory to hold output"
+msgstr ""
+"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe "
+"bereitzuhalten"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:793
+msgid "getting string representation of principal name"
+msgstr "Principal-Name wird im Klartext geholt"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:817
+#, c-format
+msgid "determining master key used for principal '%s'"
+msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:823
+#, c-format
+msgid "would skip:   %s\n"
+msgstr "würde übersprungen:   %s\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:825
+#, c-format
+msgid "skipping: %s\n"
+msgstr "wird übersprungen: %s\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:831
+#, c-format
+msgid "would update: %s\n"
+msgstr "würde aktualisiert: %s\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:835
+#, c-format
+msgid "updating: %s\n"
+msgstr "wird aktualisiert: %s\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:839
+#, c-format
+msgid "error re-encrypting key for principal '%s'"
+msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:850
+#, c-format
+msgid "while updating principal '%s' modification time"
+msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:857
+#, c-format
+msgid "while updating principal '%s' key data in the database"
+msgstr ""
+"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:889
+#, c-format
+msgid ""
+"\n"
+"(type 'yes' to confirm)? "
+msgstr ""
+"\n"
+"(Geben Sie als Bestätigung »yes« ein) "
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:942
+msgid "while formatting master principal name"
+msgstr "beim Formatieren des Haupt-Principal-Namens"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:959
+#, c-format
+msgid "converting glob pattern '%s' to regular expression"
+msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:977
+#, c-format
+msgid "error compiling converted regexp '%s'"
+msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010
+#, c-format
+msgid "Re-encrypt all keys not using master key vno %u?"
+msgstr ""
+"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-"
+"VNO %u verwenden?"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012
+#, c-format
+msgid "OK, doing nothing.\n"
+msgstr "Ok, es wird nichts getan.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018
+#, c-format
+msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n"
+msgstr ""
+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
+"WÜRDEN:\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021
+#, c-format
+msgid ""
+"Principals whose keys are being re-encrypted to master key vno %u if "
+"necessary:\n"
+msgstr ""
+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
+"werden, falls nötig:\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037
+msgid "trying to process principal database"
+msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042
+#, c-format
+msgid "%u principals processed: %u would be updated, %u already current\n"
+msgstr ""
+"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046
+#, c-format
+msgid "%u principals processed: %u updated, %u already current\n"
+msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164
+#, c-format
+msgid ""
+"Will purge all unused master keys stored in the '%s' principal, are you "
+"sure?\n"
+msgstr ""
+"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für "
+"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175
+#, c-format
+msgid "OK, purging unused master keys from '%s'...\n"
+msgstr ""
+"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig "
+"entfernt …\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183
+#, c-format
+msgid "There is only one master key which can not be purged.\n"
+msgstr ""
+"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt "
+"werden kann.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192
+msgid "while allocating args.kvnos"
+msgstr "beim Reservieren von »args.kvnos«"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208
+msgid "while finding master keys in use"
+msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217
+#, c-format
+msgid "Would purge the following master key(s) from %s:\n"
+msgstr ""
+"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig "
+"entfernt:\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220
+#, c-format
+msgid "Purging the following master key(s) from %s:\n"
+msgstr ""
+"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232
+msgid "master key stash file needs updating, command aborting"
+msgstr ""
+"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238
+#, c-format
+msgid "KVNO: %d\n"
+msgstr "KVNO: %d\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243
+#, c-format
+msgid "All keys in use, nothing purged.\n"
+msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248
+#, c-format
+msgid "%d key(s) would be purged.\n"
+msgstr "%d Schlüssel würde(n) vollständig entfernt.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261
+msgid "while looking up mkey aux data list"
+msgstr "beim Nachschlagen der Mkey-Aux-Datenliste"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269
+msgid "while allocating key_data"
+msgstr "beim Reservieren von »key_data«"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350
+msgid "while updating mkey_aux data for master principal entry"
+msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag"
+
+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378
+#, c-format
+msgid "%d key(s) purged.\n"
+msgstr "%d Schlüssel vollständig entfernt\n"
+
+#: ../../src/kadmin/dbutil/kdb5_stash.c:97
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538
+#, c-format
+msgid "while setting up enctype %d"
+msgstr "beim Einrichten des Verschlüsselungstyps %d"
+
+#: ../../src/kadmin/dbutil/kdb5_stash.c:123
+msgid "while getting master key list"
+msgstr "beim Holen der Hauptschlüsselliste"
+
+#: ../../src/kadmin/dbutil/kdb5_stash.c:127
+#, c-format
+msgid "Using existing stashed keys to update stash file.\n"
+msgstr ""
+"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel "
+"verwendet.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:80
+#, c-format
+msgid ""
+"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M "
+"mkeyname]\n"
+"\t        [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n"
+"\tcreate  [-s]\n"
+"\tdestroy [-f]\n"
+"\tstash   [-f keyfile]\n"
+"\tdump    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+"\t        [-mkey_convert] [-new_mkey_file mkey_file]\n"
+"\t        [-rev] [-recurse] [filename [princs...]]\n"
+"\tload    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename\n"
+"\tark     [-e etype_list] principal\n"
+"\tadd_mkey [-e etype] [-s]\n"
+"\tuse_mkey kvno [time]\n"
+"\tlist_mkeys\n"
+msgstr ""
+"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k "
+"Mkeytype] [-M Mkeyname]\n"
+"\t        [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n"
+"\tcreate  [-s]\n"
+"\tdestroy [-f]\n"
+"\tstash   [-f Schlüsseldatei]\n"
+"\tdump    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+"\t        [-mkey_convert] [-new_mkey_file mkey-Datei]\n"
+"\t        [-rev] [-recurse] [Dateiname [Principals …]]\n"
+"\tload    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n"
+"\tark     [-e Etype-Liste] Principal\n"
+"\tadd_mkey [-e Etype] [-s]\n"
+"\tuse_mkey kvno [Zeit]\n"
+"\tlist_mkeys\n"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:98
+#, c-format
+msgid ""
+"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
+"\tpurge_mkeys [-f] [-n] [-v]\n"
+"\n"
+"where,\n"
+"\t[-x db_args]* - any number of database specific arguments.\n"
+"\t\t\tLook at each database documentation for supported arguments\n"
+msgstr ""
+"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n"
+"\tpurge_mkeys [-f] [-n] [-v]\n"
+"\n"
+"dabei sind\n"
+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
+"Argumente.\n"
+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
+"der jeweiligen Datenbank.\n"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:211
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260
+msgid "while initializing Kerberos code"
+msgstr "beim Initialisieren von Kerberos-Code"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:217
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267
+msgid "while creating sub-command arguments"
+msgstr "beim Erstellen von Unterbefehlsargumenten"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:235
+msgid "while parsing command arguments"
+msgstr "beim Auswerten von Befehlsargumenten"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:264
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298
+#, c-format
+msgid ": %s is an invalid enctype"
+msgstr ": %s ist kein gültiger Verschlüsselungstyp"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:272
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307
+#, c-format
+msgid ": %s is an invalid mkeyVNO"
+msgstr ": %s ist kein gültiger MkeyVNO"
+
+# FIXME s/retreiving/retrieving/
+#: ../../src/kadmin/dbutil/kdb5_util.c:317
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431
+msgid "while retreiving configuration parameters"
+msgstr "beim Abfragen der Konfigurationsparameter"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:368
+msgid "Too few arguments"
+msgstr "zu wenige Argumente"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:369
+#, c-format
+msgid "Usage: %s dbpathname realmname"
+msgstr "Aufruf: %s Datenbankpfadname Realm-Name"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:375
+msgid "while closing previous database"
+msgstr "beim Schließen der vorherigen Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:412
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564
+msgid "while initializing database"
+msgstr "beim Initialisieren der Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:429
+msgid "while retrieving master entry"
+msgstr "beim Abfragen des Haupteintrags"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:448
+msgid "while calculated master key salt"
+msgstr "beim Berechnen des Hauptschlüssel-Salts"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:480
+msgid "Warning: proceeding without master key"
+msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:498
+msgid "while seeding random number generator"
+msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:508
+#, c-format
+msgid "%s: Could not map log\n"
+msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:535
+msgid "while closing database"
+msgstr "beim Schließen der Datenbank"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:582
+#, c-format
+msgid "while fetching principal %s"
+msgstr "beim Abrufen von Principal %s"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:605
+msgid "while finding mkey"
+msgstr "beim Suchen nach Mkey"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:630
+msgid "while setting changetime"
+msgstr "beim Setzen der Änderungszeit der Datei"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:638
+#, c-format
+msgid "while saving principal %s"
+msgstr "beim Speichern von Principal %s"
+
+#: ../../src/kadmin/dbutil/kdb5_util.c:642
+#, c-format
+msgid "%s changed\n"
+msgstr "%s geändert\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:73
+#, c-format
+msgid "%s: invalid arguments\n"
+msgstr "%s: ungültige Argumente\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:78
+msgid "while freeing ktlist"
+msgstr "beim Freigeben von »ktlist«"
+
+#: ../../src/kadmin/ktutil/ktutil.c:89
+#, c-format
+msgid "%s: must specify keytab to read\n"
+msgstr ""
+"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:94
+#, c-format
+msgid "while reading keytab \"%s\""
+msgstr "beim Lesen der Schlüsseltabelle »%s«"
+
+#: ../../src/kadmin/ktutil/ktutil.c:104
+#, c-format
+msgid "%s: must specify the srvtab to read\n"
+msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:109
+#, c-format
+msgid "while reading srvtab \"%s\""
+msgstr "beim Lesen der Dienstschlüsseltabelle »%s«"
+
+#: ../../src/kadmin/ktutil/ktutil.c:119
+#, c-format
+msgid "%s: must specify keytab to write\n"
+msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben werden.\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:124
+#, c-format
+msgid "while writing keytab \"%s\""
+msgstr "beim Schreiben der Schlüsseltabelle »%s«"
+
+#: ../../src/kadmin/ktutil/ktutil.c:131
+#, c-format
+msgid "%s: writing srvtabs is no longer supported\n"
+msgstr ""
+"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:169
+#, c-format
+msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n"
+msgstr ""
+"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:176
+msgid "while adding new entry"
+msgstr "beim Hinzufügen eines neuen Eintrags"
+
+#: ../../src/kadmin/ktutil/ktutil.c:186
+#, c-format
+msgid "%s: must specify entry to delete\n"
+msgstr "%s: zu löschender Eintrag muss angegeben werden\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:191
+#, c-format
+msgid "while deleting entry %d"
+msgstr "beim Löschen von Eintrag %d"
+
+#: ../../src/kadmin/ktutil/ktutil.c:219
+#, c-format
+msgid "%s: usage: %s [-t] [-k] [-e]\n"
+msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n"
+
+#: ../../src/kadmin/ktutil/ktutil.c:259
+msgid "While converting enctype to string"
+msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette"
+
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:162
+#, c-format
+msgid "Password for %.1000s"
+msgstr "Passwort für %.1000s"
+
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:179
+#, c-format
+msgid "Key for %s (hex): "
+msgstr "Schlüssel für %s (hexadezimal): "
+
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:191
+#, c-format
+msgid "addent: Error reading key.\n"
+msgstr "addent: Fehler beim Lesen des Schlüssels\n"
+
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:206
+#, c-format
+msgid "addent: Illegal character in key.\n"
+msgstr "addent: unerlaubtes Zeichen im Schlüssel\n"
+
+#: ../../src/kadmin/server/ipropd_svc.c:48
+#, c-format
+msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s"
+msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:49
+#: ../../src/kadmin/server/ipropd_svc.c:212
+#, c-format
+msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:146
+#: ../../src/kadmin/server/ipropd_svc.c:271
+#, c-format
+msgid "%s: server handle is NULL"
+msgstr "%s: Server-Identifikator ist NULL"
+
+#: ../../src/kadmin/server/ipropd_svc.c:156
+#: ../../src/kadmin/server/ipropd_svc.c:284
+#, c-format
+msgid "%s: setup_gss_names failed"
+msgstr "%s: setup_gss_names fehlgeschlagen"
+
+#: ../../src/kadmin/server/ipropd_svc.c:166
+#: ../../src/kadmin/server/ipropd_svc.c:295
+#, c-format
+msgid "%s: out of memory recording principal names"
+msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus"
+
+#: ../../src/kadmin/server/ipropd_svc.c:195
+#, c-format
+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu"
+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu"
+
+#: ../../src/kadmin/server/ipropd_svc.c:201
+#, c-format
+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A"
+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A"
+
+#: ../../src/kadmin/server/ipropd_svc.c:320
+#, c-format
+msgid "%s: getclhoststr failed"
+msgstr "%s: getclhoststr fehlgeschlagen"
+
+#: ../../src/kadmin/server/ipropd_svc.c:342
+#, c-format
+msgid "%s: cannot construct kdb5 util dump string too long; out of memory"
+msgstr ""
+"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu "
+"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-"
+"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der "
+"Speicherplatz reicht nicht aus."
+
+#: ../../src/kadmin/server/ipropd_svc.c:362
+#, c-format
+msgid "%s: fork failed: %s"
+msgstr "%s: Verzweigen fehlgeschlagen: %s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:374
+#, c-format
+msgid "%s: popen failed: %s"
+msgstr "%s: popen fehlgeschlagen: %s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:388
+#, c-format
+msgid "%s: pclose(popen) failed: %s"
+msgstr "%s: pclose(popen) fehlgeschlagen: %s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:405
+#, c-format
+msgid "%s: exec failed: %s"
+msgstr "%s: exec fehlgeschlagen: %s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:421
+#, c-format
+msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
+msgstr ""
+"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, "
+"Dienst=%s, Adresse=%s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:485
+#: ../../src/kadmin/server/kadm_rpc_svc.c:275
+#, c-format
+msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
+msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u"
+
+#: ../../src/kadmin/server/ipropd_svc.c:515
+#: ../../src/kadmin/server/kadm_rpc_svc.c:304
+#, c-format
+msgid "bad service principal %.*s%s"
+msgstr "falscher Dienst-Principal %.*s%s"
+
+#: ../../src/kadmin/server/ipropd_svc.c:538
+#, c-format
+msgid "authentication attempt failed: %s, RPC authentication flavor %d"
+msgstr ""
+"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d"
+
+#: ../../src/kadmin/server/ipropd_svc.c:572
+#, c-format
+msgid "RPC unknown request: %d (%s)"
+msgstr "unbekannte PRC-Anfrage: %d (%s)"
+
+#: ../../src/kadmin/server/ipropd_svc.c:580
+#, c-format
+msgid "RPC svc_getargs failed (%s)"
+msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)"
+
+#: ../../src/kadmin/server/ipropd_svc.c:590
+#, c-format
+msgid "RPC svc_sendreply failed (%s)"
+msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)"
+
+#: ../../src/kadmin/server/ipropd_svc.c:596
+#, c-format
+msgid "RPC svc_freeargs failed (%s)"
+msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)"
+
+#: ../../src/kadmin/server/kadm_rpc_svc.c:325
+#, c-format
+msgid "gss_to_krb5_name: failed display_name status %d"
+msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:86
+#, c-format
+msgid ""
+"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n"
+"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
+"\t\t[-K path-to-kprop] [-P pid_file]\n"
+"\n"
+"where,\n"
+"\t[-x db_args]* - any number of database specific arguments.\n"
+"\t\t\tLook at each database documentation for supported arguments\n"
+msgstr ""
+"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n"
+"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n"
+"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n"
+"\n"
+"dabei sind\n"
+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
+"Argumente.\n"
+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
+"der jeweiligen Datenbank.\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:111
+#, c-format
+msgid "%s: %s while %s, aborting\n"
+msgstr "%s: %s bei %s, wird abgebrochen\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:113
+#, c-format
+msgid "%s while %s, aborting\n"
+msgstr "%s bei %s, wird abgebrochen\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:115
+#, c-format
+msgid "%s: %s, aborting\n"
+msgstr "%s: %s, wird abgebrochen\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:116
+#, c-format
+msgid "%s, aborting"
+msgstr "%s, wird abgebrochen"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:282
+#, c-format
+msgid ""
+"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
+"%s, addr = %s"
+msgstr ""
+"WARNUNG! Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, "
+"Server = %.*s%s, Adresse = %s"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:288
+#, c-format
+msgid ""
+"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
+"%s, addr = %s"
+msgstr ""
+"WARNUNG! Gefälschte/verstümmelte Anfrage: %d,   Client = %.*s%s, Server = "
+"%.*s%s, Adresse = %s"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:302
+#, c-format
+msgid "Miscellaneous RPC error: %s, %s"
+msgstr "sonstiger PRC-Fehler: %s, %s"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:318
+#, c-format
+msgid "%s Cannot decode status %d"
+msgstr "%s: Status %d kann nicht dekodiert werden"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:336
+#, c-format
+msgid "Authentication attempt failed: %s, GSS-API error strings are:"
+msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:341
+msgid "   GSS-API error strings complete."
+msgstr "   GSS-API-Fehlermeldungen vollständig"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:378
+#, c-format
+msgid "%s: cannot initialize. Not enough memory\n"
+msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:445
+#, c-format
+msgid "%s: %s while initializing context, aborting\n"
+msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:456
+msgid "initializing"
+msgstr "wird initialisiert"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:460
+msgid "getting config parameters"
+msgstr "beim Holen der Konfigurationsparameter"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:462
+msgid "Missing required realm configuration"
+msgstr "erforderliche Realm-Konfiguration fehlt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:464
+msgid "Missing required ACL file configuration"
+msgstr "erforderliche ACL-Dateikonfiguration fehlt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:468
+msgid "initializing network"
+msgstr "Netzwerk wird initialisiert"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:473
+msgid "Cannot build GSSAPI auth names"
+msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden."
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:477
+msgid "Cannot set up KDB keytab"
+msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden."
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:480
+msgid "Cannot set GSSAPI authentication names"
+msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden."
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:497
+msgid "Cannot initialize GSSAPI service name"
+msgstr "GSSAPI-Dienstname kann nicht initialisiert werden"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:501
+msgid "initializing ACL file"
+msgstr "ACL-Datei wird initialisiert"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:504
+msgid "spawning daemon process"
+msgstr "Daemon-Prozess wird erzeugt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:508
+msgid "creating PID file"
+msgstr "PID-Datei wird erstellt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:511
+msgid "Seeding random number generator"
+msgstr "Startwert des Zufallszahlengenerators wird erzeugt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:514
+msgid "getting random seed"
+msgstr "Zufallsstartwert wird geholt"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:521
+msgid "mapping update log"
+msgstr "Aktualisierungsprotokoll wird abgebildet"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:525
+#, c-format
+msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
+msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:530
+msgid "starting"
+msgstr "startet"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061
+#, c-format
+msgid "%s: starting...\n"
+msgstr "%s: startet …\n"
+
+#: ../../src/kadmin/server/ovsec_kadmd.c:535
+msgid "finished, exiting"
+msgstr "fertig, wird beendet"
+
+#: ../../src/kadmin/server/schpw.c:282
+#, c-format
+msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
+msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s"
+
+#: ../../src/kadmin/server/schpw.c:287
+#, c-format
+msgid "chpw request from %s for %.*s%s: %s"
+msgstr "»chpw«-Anfrage von %s für %.*s%s: %s"
+
+#: ../../src/kadmin/server/schpw.c:464
+#, c-format
+msgid "chpw: Couldn't open admin keytab %s"
+msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden"
+
+#: ../../src/kadmin/server/server_stubs.c:293
+#, c-format
+msgid ""
+"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s"
+msgstr ""
+"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
+
+#: ../../src/kadmin/server/server_stubs.c:314
+#: ../../src/kadmin/server/server_stubs.c:649
+#: ../../src/kadmin/server/server_stubs.c:1792
+msgid "success"
+msgstr "erfolgreich"
+
+#: ../../src/kadmin/server/server_stubs.c:324
+#, c-format
+msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s"
+msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
+
+#: ../../src/kadmin/server/server_stubs.c:628
+#, c-format
+msgid ""
+"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s"
+"%s, service=%.*s%s, addr=%s"
+msgstr ""
+"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client="
+"%.*s%s, Dienst=%.*s%s, Adresse=%s"
+
+#: ../../src/kadmin/server/server_stubs.c:644
+#, c-format
+msgid ""
+"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, "
+"service=%.*s%s, addr=%s"
+msgstr ""
+"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, "
+"Dienst=%.*s%s, Adresse=%s"
+
+#: ../../src/kadmin/server/server_stubs.c:1788
+#, c-format
+msgid ""
+"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, "
+"vers=%d, flavor=%d"
+msgstr ""
+"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, "
+"Version=%d, Variante=%d"
+
+#: ../../src/kdc/do_as_req.c:273
+#, c-format
+msgid "AS_REQ : handle_authdata (%d)"
+msgstr "AS_REQ: handle_authdata (%d)"
+
+#: ../../src/kdc/do_tgs_req.c:593
+#, c-format
+msgid "TGS_REQ : handle_authdata (%d)"
+msgstr "TGS_REQ: handle_authdata (%d)"
+
+#: ../../src/kdc/do_tgs_req.c:655
+msgid "not checking transit path"
+msgstr "Übergangspfad wird nicht geprüft"
+
+#: ../../src/kdc/fast_util.c:62
+#, c-format
+msgid "%s while handling ap-request armor"
+msgstr "%s bei der Handhabung des »ap-request«-Schutzes"
+
+#: ../../src/kdc/fast_util.c:71
+msgid "ap-request armor for something other than the local TGS"
+msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS"
+
+#: ../../src/kdc/fast_util.c:80
+msgid "ap-request armor without subkey"
+msgstr "»ap-request«-Schutz ohne Unterschlüssel"
+
+#: ../../src/kdc/fast_util.c:162
+msgid "Ap-request armor not permitted with TGS"
+msgstr "»ap-request«-Schutz nicht mit TGS gestattet"
+
+#: ../../src/kdc/fast_util.c:169
+#, c-format
+msgid "Unknown FAST armor type %d"
+msgstr "unbekanntet FAST-Schutztyp %d"
+
+#: ../../src/kdc/fast_util.c:183
+msgid "No armor key but FAST armored request present"
+msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage"
+
+#: ../../src/kdc/fast_util.c:219
+msgid "FAST req_checksum invalid; request modified"
+msgstr "FAST-»req_checksum« ungültig; Anfrage geändert"
+
+#: ../../src/kdc/fast_util.c:225
+msgid "Unkeyed checksum used in fast_req"
+msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt"
+
+#: ../../src/kdc/kdc_audit.c:110
+#, c-format
+msgid "audit plugin %s failed to open. error=%i"
+msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. Fehler=%i"
+
+#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328
+#, c-format
+msgid "authdata %s failed to initialize: %s"
+msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s"
+
+#: ../../src/kdc/kdc_authdata.c:779
+#, c-format
+msgid "authdata (%s) handling failure: %s"
+msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s"
+
+#: ../../src/kdc/kdc_log.c:82
+#, c-format
+msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s"
+msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s"
+
+#: ../../src/kdc/kdc_log.c:88
+#, c-format
+msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
+msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s"
+
+#: ../../src/kdc/kdc_log.c:159
+#, c-format
+msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s"
+msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s"
+
+#: ../../src/kdc/kdc_log.c:166
+#, c-format
+msgid "... PROTOCOL-TRANSITION s4u-client=%s"
+msgstr "… PROTOKOLLÜBERGANG s4u-client=%s"
+
+#: ../../src/kdc/kdc_log.c:170
+#, c-format
+msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
+msgstr "…  EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s"
+
+#: ../../src/kdc/kdc_log.c:174
+#, c-format
+msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s"
+msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. TKT-Client %s"
+
+#: ../../src/kdc/kdc_log.c:208
+#, c-format
+msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
+msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«"
+
+#: ../../src/kdc/kdc_log.c:214
+#, c-format
+msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
+msgstr ""
+"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s"
+"%s«: %s"
+
+#: ../../src/kdc/kdc_log.c:232
+msgid "TGS_REQ: issuing alternate <un-unparseable> TGT"
+msgstr "TGS_REQ: alternativer <nicht nicht auswertbarer> TGT wird erstellt"
+
+#: ../../src/kdc/kdc_log.c:235
+#, c-format
+msgid "TGS_REQ: issuing TGT %s"
+msgstr "TGS_REQ: TGT %s wird erstellt"
+
+#: ../../src/kdc/kdc_preauth.c:328
+#, c-format
+msgid "preauth %s failed to initialize: %s"
+msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s"
+
+#: ../../src/kdc/kdc_preauth.c:339
+#, c-format
+msgid "preauth %s failed to setup loop: %s"
+msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s"
+
+#: ../../src/kdc/kdc_preauth.c:760
+#, c-format
+msgid "%spreauth required but hint list is empty"
+msgstr "%spreauth benötigt, aber Hinweisliste ist leer"
+
+#: ../../src/kdc/kdc_preauth_ec.c:75
+msgid "Encrypted Challenge used outside of FAST tunnel"
+msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet"
+
+#: ../../src/kdc/kdc_preauth_ec.c:110
+msgid "Incorrect password in encrypted challenge"
+msgstr "falsches Passwort in verschlüsselter Aufforderung"
+
+#: ../../src/kdc/kdc_util.c:236
+msgid "TGS_REQ: SESSION KEY or MUTUAL"
+msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG"
+
+#: ../../src/kdc/kdc_util.c:314
+msgid "PROCESS_TGS: failed lineage check"
+msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen"
+
+#: ../../src/kdc/kdc_util.c:468
+#, c-format
+msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
+msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«"
+
+#: ../../src/kdc/main.c:231
+#, c-format
+msgid "while getting context for realm %s"
+msgstr "beim Holen des Kontextes für Realm %s"
+
+#: ../../src/kdc/main.c:329
+#, c-format
+msgid "while setting default realm to %s"
+msgstr "beim Setzen des Standard-Realms auf %s"
+
+#: ../../src/kdc/main.c:337
+#, c-format
+msgid "while initializing database for realm %s"
+msgstr "beim Initialisieren der Datenbank für Realm %s"
+
+#: ../../src/kdc/main.c:346
+#, c-format
+msgid "while setting up master key name %s for realm %s"
+msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s"
+
+#: ../../src/kdc/main.c:359
+#, c-format
+msgid "while fetching master key %s for realm %s"
+msgstr "beim Abholen des Hauptschlüssels %s für Realm %s"
+
+#: ../../src/kdc/main.c:367
+#, c-format
+msgid "while fetching master keys list for realm %s"
+msgstr "beim Abholen der Hauptschlüsselliste für Realm %s"
+
+#: ../../src/kdc/main.c:376
+#, c-format
+msgid "while resolving kdb keytab for realm %s"
+msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s"
+
+#: ../../src/kdc/main.c:385
+#, c-format
+msgid "while building TGS name for realm %s"
+msgstr "beim Bilden des TGS-Namens für Realm %s"
+
+#: ../../src/kdc/main.c:503
+#, c-format
+msgid "creating %d worker processes"
+msgstr "%d Arbeitsprozesse werden erzeugt"
+
+#: ../../src/kdc/main.c:513
+msgid "Unable to reinitialize main loop"
+msgstr "Hauptschleife konnte nicht neu initialisiert werden"
+
+#: ../../src/kdc/main.c:518
+#, c-format
+msgid "Unable to initialize signal handlers in pid %d"
+msgstr ""
+"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden"
+
+#: ../../src/kdc/main.c:548
+#, c-format
+msgid "worker %ld exited with status %d"
+msgstr "Arbeitsprozess %ld endete mit Status %d"
+
+#: ../../src/kdc/main.c:572
+#, c-format
+msgid "signal %d received in supervisor"
+msgstr "Überwachungsprogramm empfing Signal %d"
+
+#: ../../src/kdc/main.c:591
+#, c-format
+msgid ""
+"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
+"\t\t[-R replaycachename] [-m] [-k masterenctype]\n"
+"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n"
+"\t\t[-n] [-w numworkers] [/]\n"
+"\n"
+"where,\n"
+"\t[-x db_args]* - Any number of database specific arguments.\n"
+"\t\t\tLook at each database module documentation for \t\t\tsupported "
+"arguments\n"
+msgstr ""
+"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n"
+"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n"
+"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n"
+"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n"
+"\n"
+"dabei sind\n"
+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
+"Argumente.\n"
+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
+"der jeweiligen Datenbank.\n"
+
+#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774
+#, c-format
+msgid " KDC cannot initialize. Not enough memory\n"
+msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
+
+#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733
+#, c-format
+msgid "%s: KDC cannot initialize. Not enough memory\n"
+msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
+
+#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816
+#, c-format
+msgid "%s: cannot initialize realm %s - see log file for details\n"
+msgstr ""
+"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in "
+"der Protokolldatei\n"
+
+#: ../../src/kdc/main.c:710
+#, c-format
+msgid "%s: cannot initialize realm %s. Not enough memory\n"
+msgstr ""
+"%s: Realm %s kann nicht initialisiert werden. Speicher reicht nicht aus\n"
+
+#: ../../src/kdc/main.c:761
+#, c-format
+msgid "invalid enctype %s"
+msgstr "ungültiger Verschlüsselungstyp %s"
+
+#: ../../src/kdc/main.c:804
+msgid "while attempting to retrieve default realm"
+msgstr "beim Versuch, den Standard-Realm abzufragen"
+
+#: ../../src/kdc/main.c:806
+#, c-format
+msgid "%s: %s, attempting to retrieve default realm\n"
+msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n"
+
+#: ../../src/kdc/main.c:912
+#, c-format
+msgid "%s: cannot get memory for realm list\n"
+msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n"
+
+# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html
+#: ../../src/kdc/main.c:947
+msgid "while initializing lookaside cache"
+msgstr "beim Initialisieren des Lookaside-Zwischenspeichers"
+
+#: ../../src/kdc/main.c:955
+msgid "while creating main loop"
+msgstr "beim Erzeugen der Hauptschleife"
+
+# SAM=Security Accounts Manager
+#: ../../src/kdc/main.c:965
+msgid "while initializing SAM"
+msgstr "beim Initialisieren des SAMs"
+
+#: ../../src/kdc/main.c:1011
+msgid "while initializing routing socket"
+msgstr "beim Initialisieren des Routing-Sockets"
+
+#: ../../src/kdc/main.c:1017
+msgid "while initializing signal handlers"
+msgstr "beim Initialisieren des Signalbehandlungsprogramms"
+
+#: ../../src/kdc/main.c:1024
+msgid "while initializing network"
+msgstr "beim Initialisieren des Netzwerks"
+
+#: ../../src/kdc/main.c:1029
+msgid "while detaching from tty"
+msgstr "beim Lösen vom Terminal"
+
+#: ../../src/kdc/main.c:1036
+msgid "while creating PID file"
+msgstr "beim Erstellen der PID-Datei"
+
+#: ../../src/kdc/main.c:1045
+msgid "creating worker processes"
+msgstr "Arbeitsprozesse werden erzeugt"
+
+#: ../../src/kdc/main.c:1055
+msgid "while loading audit plugin module(s)"
+msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule"
+
+#: ../../src/kdc/main.c:1059
+msgid "commencing operation"
+msgstr "Aktion wird begonnen"
+
+#: ../../src/kdc/main.c:1067
+msgid "shutting down"
+msgstr "wird heruntergefahren"
+
+#: ../../src/lib/apputils/net-server.c:258
+msgid "Got signal to request exit"
+msgstr "Signal zur Anfrage des Beendens empfangen"
+
+#: ../../src/lib/apputils/net-server.c:272
+msgid "Got signal to reset"
+msgstr "Signal zum Zurücksetzen empfangen"
+
+#: ../../src/lib/apputils/net-server.c:429
+#, c-format
+msgid "closing down fd %d"
+msgstr "Dateideskriptor %d wird geschlossen"
+
+#: ../../src/lib/apputils/net-server.c:443
+#, c-format
+msgid "descriptor %d closed but still in svc_fdset"
+msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«"
+
+#: ../../src/lib/apputils/net-server.c:469
+msgid "cannot create io event"
+msgstr "E/A-Ereignis kann nicht erzeugt werden"
+
+#: ../../src/lib/apputils/net-server.c:475
+msgid "cannot save event"
+msgstr "Ereignis kann nicht gesichert werden"
+
+#: ../../src/lib/apputils/net-server.c:495
+#, c-format
+msgid "file descriptor number %d too high"
+msgstr "Dateideskriptornummer %d zu hoch"
+
+#: ../../src/lib/apputils/net-server.c:503
+msgid "cannot allocate storage for connection info"
+msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden"
+
+#: ../../src/lib/apputils/net-server.c:562
+#, c-format
+msgid "Cannot create TCP server socket on %s"
+msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden."
+
+#: ../../src/lib/apputils/net-server.c:571
+#, c-format
+msgid "TCP socket fd number %d (for %s) too high"
+msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch"
+
+#: ../../src/lib/apputils/net-server.c:579
+#, c-format
+msgid "Cannot enable SO_REUSEADDR on fd %d"
+msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden"
+
+#: ../../src/lib/apputils/net-server.c:586
+#, c-format
+msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
+msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen"
+
+#: ../../src/lib/apputils/net-server.c:588
+#, c-format
+msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
+msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert"
+
+#: ../../src/lib/apputils/net-server.c:591
+msgid "no IPV6_V6ONLY socket option support"
+msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt"
+
+#: ../../src/lib/apputils/net-server.c:597
+#, c-format
+msgid "Cannot bind server socket on %s"
+msgstr "Server-Socket kann nicht an %s gebunden werden"
+
+#: ../../src/lib/apputils/net-server.c:624
+#, c-format
+msgid "Cannot create RPC service: %s; continuing"
+msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren"
+
+#: ../../src/lib/apputils/net-server.c:633
+#, c-format
+msgid "Cannot register RPC service: %s; continuing"
+msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren"
+
+#: ../../src/lib/apputils/net-server.c:682
+#, c-format
+msgid "Cannot listen on TCP server socket on %s"
+msgstr ""
+"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf "
+"%s."
+
+#: ../../src/lib/apputils/net-server.c:688
+#, c-format
+msgid "cannot set listening tcp socket on %s non-blocking"
+msgstr ""
+"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-"
+"blockierendes %s gesetzt werden."
+
+#: ../../src/lib/apputils/net-server.c:695
+#, c-format
+msgid "disabling SO_LINGER on TCP socket on %s"
+msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert"
+
+#: ../../src/lib/apputils/net-server.c:743
+#: ../../src/lib/apputils/net-server.c:752
+#, c-format
+msgid "listening on fd %d: tcp %s"
+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s"
+
+#: ../../src/lib/apputils/net-server.c:757
+msgid "assuming IPv6 socket accepts IPv4"
+msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert"
+
+#: ../../src/lib/apputils/net-server.c:791
+#: ../../src/lib/apputils/net-server.c:804
+#, c-format
+msgid "listening on fd %d: rpc %s"
+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s"
+
+#: ../../src/lib/apputils/net-server.c:883
+#, c-format
+msgid "Cannot request packet info for udp socket address %s port %d"
+msgstr ""
+"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt "
+"werden"
+
+#: ../../src/lib/apputils/net-server.c:889
+#, c-format
+msgid "listening on fd %d: udp %s%s"
+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s"
+
+#: ../../src/lib/apputils/net-server.c:918
+msgid "Failed to reconfigure network, exiting"
+msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet"
+
+#: ../../src/lib/apputils/net-server.c:979
+#, c-format
+msgid ""
+"unhandled routing message type %d, will reconfigure just for the fun of it"
+msgstr ""
+"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu "
+"konfiguriert"
+
+#: ../../src/lib/apputils/net-server.c:1013
+#, c-format
+msgid "short read (%d/%d) from routing socket"
+msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen"
+
+#: ../../src/lib/apputils/net-server.c:1023
+#, c-format
+msgid "read %d from routing socket but msglen is %d"
+msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d"
+
+#: ../../src/lib/apputils/net-server.c:1055
+#, c-format
+msgid "couldn't set up routing socket: %s"
+msgstr "Routing-Socket konnte nicht eingerichtet werden: %s"
+
+#: ../../src/lib/apputils/net-server.c:1058
+#, c-format
+msgid "routing socket is fd %d"
+msgstr "Das Routing-Socket hat den Dateideskriptor %d."
+
+#: ../../src/lib/apputils/net-server.c:1084
+msgid "setting up network..."
+msgstr "Netzwerk wird eingerichtet …"
+
+#: ../../src/lib/apputils/net-server.c:1101
+#, c-format
+msgid "set up %d sockets"
+msgstr "%d Sockets werden eingerichtet"
+
+#: ../../src/lib/apputils/net-server.c:1103
+msgid "no sockets set up?"
+msgstr "keine Sockets eingerichtet?"
+
+#: ../../src/lib/apputils/net-server.c:1351
+#: ../../src/lib/apputils/net-server.c:1405
+msgid "while dispatching (udp)"
+msgstr "beim Versenden (UDP)"
+
+#: ../../src/lib/apputils/net-server.c:1380
+#, c-format
+msgid "while sending reply to %s/%s from %s"
+msgstr "beim Senden der Antwort zu %s/%s von %s"
+
+#: ../../src/lib/apputils/net-server.c:1385
+#, c-format
+msgid "short reply write %d vs %d\n"
+msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n"
+
+#: ../../src/lib/apputils/net-server.c:1430
+msgid "while receiving from network"
+msgstr "beim Empfangen vom Netzwerk"
+
+#: ../../src/lib/apputils/net-server.c:1446
+#, c-format
+msgid "pktinfo says local addr is %s"
+msgstr "Pktinfo sagt, die lokale Adresse sei %s"
+
+#: ../../src/lib/apputils/net-server.c:1479
+msgid "too many connections"
+msgstr "zu viele Verbindungen"
+
+#: ../../src/lib/apputils/net-server.c:1502
+#, c-format
+msgid "dropping %s fd %d from %s"
+msgstr "%s Dateideskriptor %d von %s wird verworfen"
+
+#: ../../src/lib/apputils/net-server.c:1580
+#, c-format
+msgid "allocating buffer for new TCP session from %s"
+msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert"
+
+#: ../../src/lib/apputils/net-server.c:1610
+msgid "while dispatching (tcp)"
+msgstr "beim Versenden (TCP)"
+
+#: ../../src/lib/apputils/net-server.c:1642
+msgid "error allocating tcp dispatch private!"
+msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!"
+
+#: ../../src/lib/apputils/net-server.c:1689
+#, c-format
+msgid "TCP client %s wants %lu bytes, cap is %lu"
+msgstr "TCP-Client %s will %lu Byte, Cap ist %lu"
+
+#: ../../src/lib/apputils/net-server.c:1697
+#, c-format
+msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
+msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s"
+
+#: ../../src/lib/apputils/net-server.c:1876
+#, c-format
+msgid "accepted RPC connection on socket %d from %s"
+msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s"
+
+# pseudo random function
+#: ../../src/lib/crypto/krb/cf2.c:114
+#, c-format
+msgid "Enctype %d has no PRF"
+msgstr "Verschlüsselungstyp %d hat keine PRF"
+
+#: ../../src/lib/crypto/krb/prng_fortuna.c:428
+msgid "Random number generator could not be seeded"
+msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:43
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165
+msgid "A required input parameter could not be read"
+msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:44
+msgid "A required input parameter could not be written"
+msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:45
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175
+msgid "A parameter was malformed"
+msgstr "Ein Parameter hatte eine falsche Form"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:48
+msgid "calling error"
+msgstr "Aufruffehler"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:59
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195
+msgid "An unsupported mechanism was requested"
+msgstr "Ein nicht unterstützter Mechanismus wurde angefordert."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:60
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199
+msgid "An invalid name was supplied"
+msgstr "Ein ungültiger Name wurde übergeben."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:61
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203
+msgid "A supplied name was of an unsupported type"
+msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:62
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208
+msgid "Incorrect channel bindings were supplied"
+msgstr "Falsche Kanalbindungen wurden übergeben."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:63
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334
+msgid "An invalid status code was supplied"
+msgstr "Ein ungültiger Statuscode wurde übergeben."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:64
+msgid "A token had an invalid signature"
+msgstr "Ein Merkmal hatte eine ungültige Signatur."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:65
+msgid "No credentials were supplied"
+msgstr "Es wurden keine Anmeldedaten übergeben."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:66
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223
+msgid "No context has been established"
+msgstr "Es wurde keine Kontext etabliert."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:67
+msgid "A token was invalid"
+msgstr "Ein Merkmal war ungültig."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:68
+msgid "A credential was invalid"
+msgstr "Eine der Anmeldedaten war ungültig."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:69
+msgid "The referenced credentials have expired"
+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:70
+msgid "The context has expired"
+msgstr "Der Kontext ist abgelaufen."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:71
+msgid "Miscellaneous failure"
+msgstr "sonstiger Fehlschlag"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:72
+msgid "The quality-of-protection requested could not be provided"
+msgstr ""
+"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:73
+msgid "The operation is forbidden by the local security policy"
+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:74
+msgid "The operation or option is not available"
+msgstr "Die Aktion oder Option ist nicht verfügbar."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:77
+msgid "routine error"
+msgstr "Fehler in einer Routine"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:89
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311
+msgid "The routine must be called again to complete its function"
+msgstr ""
+"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu "
+"vervollständigen."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:90
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316
+msgid "The token was a duplicate of an earlier token"
+msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:91
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321
+msgid "The token's validity period has expired"
+msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:92
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325
+msgid "A later token has already been processed"
+msgstr "Es wurde bereits ein neueres Merkmal verarbeitet."
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:95
+msgid "supplementary info code"
+msgstr "zusätzlicher Informationscode"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:106
+#: ../lib/krb5/error_tables/krb5_err.c:23
+msgid "No error"
+msgstr "kein Fehler"
+
+#: ../../src/lib/gssapi/generic/disp_major_status.c:107
+#, c-format
+msgid "Unknown %s (field = %d)"
+msgstr "%s unbekannt (Feld = %d)"
+
+#: ../../src/lib/gssapi/krb5/acquire_cred.c:165
+#, c-format
+msgid "No key table entry found matching %s"
+msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161
+msgid "The routine completed successfully"
+msgstr "Die Routine wurde erfolgreich abgeschlossen"
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170
+msgid "A required output parameter could not be written"
+msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212
+msgid "A token had an invalid Message Integrity Check (MIC)"
+msgstr ""
+"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message "
+"Integrity Check/MIC)."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217
+msgid ""
+"No credentials were supplied, or the credentials were unavailable or "
+"inaccessible"
+msgstr ""
+"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht "
+"verfügbar bzw. ein Zugriff darauf nicht möglich."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227
+msgid "Invalid token was supplied"
+msgstr "Es wurde ein ungültiges Token übergeben."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231
+msgid "Invalid credential was supplied"
+msgstr "ungültige Anmeldedaten wurden übergeben"
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235
+msgid "The referenced credential has expired"
+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239
+msgid "The referenced context has expired"
+msgstr "Der referenzierte Kontext ist abgelaufen."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243
+msgid "Unspecified GSS failure.  Minor code may provide more information"
+msgstr ""
+"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der "
+"untergeordnete Code weitere Informationen bereit."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248
+msgid "The quality-of-protection (QOP) requested could not be provided"
+msgstr ""
+"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht "
+"bereitgestellt werden."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253
+msgid "The operation is forbidden by local  security policy"
+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258
+msgid "The operation or option is not available or unsupported"
+msgstr ""
+"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263
+msgid "The requested credential element already exists"
+msgstr "Das angeforderte Anmeldedatenelement existiert bereits."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268
+msgid "The provided name was not mechanism specific (MN)"
+msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)."
+
+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329
+msgid "An expected per-message token was not received"
+msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen."
+
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860
+msgid "SPNEGO cannot find mechanisms to negotiate"
+msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden."
+
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865
+msgid "SPNEGO failed to acquire creds"
+msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert"
+
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870
+msgid "SPNEGO acceptor did not select a mechanism"
+msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt"
+
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875
+msgid "SPNEGO failed to negotiate a mechanism"
+msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert."
+
+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880
+msgid "SPNEGO acceptor did not return a valid token"
+msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert"
+
+#: ../../src/lib/kadm5/alt_prof.c:854
+#, c-format
+msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\""
+msgstr ""
+"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden"
+
+#: ../../src/lib/kadm5/logger.c:56
+#, c-format
+msgid "%s: cannot parse <%s>\n"
+msgstr "%s: <%s> kann nicht ausgewertet werden\n"
+
+#: ../../src/lib/kadm5/logger.c:57
+#, c-format
+msgid "%s: warning - logging entry syntax error\n"
+msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n"
+
+#: ../../src/lib/kadm5/logger.c:58
+#, c-format
+msgid "%s: error writing to %s\n"
+msgstr "%s: Fehler beim Schreiben auf %s\n"
+
+#: ../../src/lib/kadm5/logger.c:59
+#, c-format
+msgid "%s: error writing to %s device\n"
+msgstr "%s: Fehler beim Schreiben auf Gerät %s\n"
+
+#: ../../src/lib/kadm5/logger.c:61
+msgid "EMERGENCY"
+msgstr "NOTFALL"
+
+#: ../../src/lib/kadm5/logger.c:62
+msgid "ALERT"
+msgstr "ALARM"
+
+#: ../../src/lib/kadm5/logger.c:63
+msgid "CRITICAL"
+msgstr "KRITISCH"
+
+#: ../../src/lib/kadm5/logger.c:64
+msgid "Error"
+msgstr "Fehler"
+
+#: ../../src/lib/kadm5/logger.c:65
+msgid "Warning"
+msgstr "Warnung"
+
+#: ../../src/lib/kadm5/logger.c:66
+msgid "Notice"
+msgstr "Hinweis"
+
+#: ../../src/lib/kadm5/logger.c:67
+msgid "info"
+msgstr "Information"
+
+#: ../../src/lib/kadm5/logger.c:68
+msgid "debug"
+msgstr "Fehlersuchmeldung"
+
+#: ../../src/lib/kadm5/logger.c:967
+#, c-format
+msgid "Couldn't open log file %s: %s\n"
+msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n"
+
+#: ../../src/lib/kadm5/srv/kadm5_hook.c:119
+#, c-format
+msgid "kadm5_hook %s failed postcommit %s: %s"
+msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s"
+
+#: ../../src/lib/kadm5/srv/pwqual_dict.c:106
+msgid "No dictionary file specified, continuing without one."
+msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren"
+
+#: ../../src/lib/kadm5/srv/pwqual_dict.c:113
+#, c-format
+msgid "WARNING!  Cannot find dictionary file %s, continuing without one."
+msgstr ""
+"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne "
+"fortgefahren"
+
+#: ../../src/lib/kadm5/srv/pwqual_empty.c:42
+msgid "Empty passwords are not allowed"
+msgstr "Leere Passwörter sind nicht erlaubt."
+
+#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114
+msgid "Password may not match user information."
+msgstr "Das Passwort darf keinen Anwenderdaten entsprechen."
+
+#: ../../src/lib/kadm5/srv/pwqual_princ.c:54
+msgid "Password may not match principal name"
+msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen."
+
+#: ../../src/lib/kadm5/srv/server_acl.c:89
+#, c-format
+msgid "%s: line %d too long, truncated"
+msgstr "%s: Zeile %d zu lang, wurde gekürzt"
+
+#: ../../src/lib/kadm5/srv/server_acl.c:90
+#, c-format
+msgid "Unrecognized ACL operation '%c' in %s"
+msgstr "unbekannte ACL-Aktion »%c« in %s"
+
+#: ../../src/lib/kadm5/srv/server_acl.c:92
+#, c-format
+msgid "%s: syntax error at line %d <%10s...>"
+msgstr "%s: Syntaxfehler in Zeile %d <%10s …>"
+
+#: ../../src/lib/kadm5/srv/server_acl.c:94
+#, c-format
+msgid "%s while opening ACL file %s"
+msgstr "%s beim Öffnen der ACL-Datei %s"
+
+#: ../../src/lib/kadm5/srv/server_acl.c:353
+#, c-format
+msgid "%s: invalid restrictions: %s"
+msgstr "%s: ungültige Beschränkung: %s"
+
+#: ../../src/lib/kadm5/srv/server_kdb.c:192
+msgid "History entry contains no key data"
+msgstr "Chronikeintrag enthält keine Schlüsseldaten"
+
+#: ../../src/lib/kadm5/srv/server_misc.c:128
+#, c-format
+msgid "password quality module %s rejected password for %s: %s"
+msgstr ""
+"Das Modul %s für Passwortqualität hat das Passwort für %s abgelehnt: %s"
+
+#: ../../src/lib/kadm5/str_conv.c:80
+msgid "Not Postdateable"
+msgstr "nicht vordatierbar"
+
+#: ../../src/lib/kadm5/str_conv.c:81
+msgid "Not Forwardable"
+msgstr "nicht weiterleitbar"
+
+#: ../../src/lib/kadm5/str_conv.c:82
+msgid "No TGT-based requests"
+msgstr "keine TGT-basierten Anfragen"
+
+#: ../../src/lib/kadm5/str_conv.c:83
+msgid "Not renewable"
+msgstr "nicht erneuerbar"
+
+#: ../../src/lib/kadm5/str_conv.c:84
+msgid "Not proxiable"
+msgstr "Proxy nicht nutzbar"
+
+#: ../../src/lib/kadm5/str_conv.c:85
+msgid "No DUP_SKEY requests"
+msgstr "keine DUP_SKEY-Anfragen"
+
+#: ../../src/lib/kadm5/str_conv.c:86
+msgid "All Tickets Disallowed"
+msgstr "keine Tickets erlaubt"
+
+#: ../../src/lib/kadm5/str_conv.c:87
+msgid "Preauthentication required"
+msgstr "Vorauthentifizierung erforderlich"
+
+#: ../../src/lib/kadm5/str_conv.c:88
+msgid "HW authentication required"
+msgstr "HW-Authentifizierung erforderlich"
+
+#: ../../src/lib/kadm5/str_conv.c:89
+msgid "OK as Delegate"
+msgstr "OK als Vertreter"
+
+#: ../../src/lib/kadm5/str_conv.c:90
+msgid "Password Change required"
+msgstr "Passwortänderung erforderlich"
+
+#: ../../src/lib/kadm5/str_conv.c:91
+msgid "Service Disabled"
+msgstr "Dienst deaktiviert"
+
+#: ../../src/lib/kadm5/str_conv.c:92
+msgid "Password Changing Service"
+msgstr "Passwortänderungsdienst"
+
+#: ../../src/lib/kadm5/str_conv.c:93
+msgid "RSA-MD5 supported"
+msgstr "RSA-MD5 unterstützt"
+
+#: ../../src/lib/kadm5/str_conv.c:94
+msgid "Protocol transition with delegation allowed"
+msgstr "Protokollübergang mit Vertretung erlaubt"
+
+#: ../../src/lib/kadm5/str_conv.c:95
+msgid "No authorization data required"
+msgstr "keine Autorisierungsdaten erforderlich"
+
+#: ../../src/lib/kdb/kdb5.c:219
+msgid "No default realm set; cannot initialize KDB"
+msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden"
+
+#: ../../src/lib/kdb/kdb5.c:324 ../../src/lib/kdb/kdb5.c:406
+#, c-format
+msgid "Unable to find requested database type: %s"
+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s"
+
+#: ../../src/lib/kdb/kdb5.c:416
+#, c-format
+msgid "plugin symbol 'kdb_function_table' lookup failed: %s"
+msgstr ""
+"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s"
+
+#: ../../src/lib/kdb/kdb5.c:426
+#, c-format
+msgid ""
+"Unable to load requested database module '%s': plugin symbol "
+"'kdb_function_table' not found"
+msgstr ""
+"angefordertes Datenbankmodul »%s« kann nicht geladen werden: "
+"Erweiterungssymbol »kdb_function_table« nicht gefunden"
+
+#: ../../src/lib/kdb/kdb5.c:1650
+#, c-format
+msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
+msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n"
+
+#: ../../src/lib/kdb/kdb5.c:1819
+#, c-format
+msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
+msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n"
+
+#: ../../src/lib/kdb/kdb_default.c:164
+#, c-format
+msgid "keyfile (%s) is not a regular file: %s"
+msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s"
+
+#: ../../src/lib/kdb/kdb_default.c:177
+msgid "Could not create temp keytab file name."
+msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden."
+
+#: ../../src/lib/kdb/kdb_default.c:202
+#, c-format
+msgid "Temporary stash file already exists: %s."
+msgstr "Temporäre Ablagedatei existiert bereits: %s."
+
+#: ../../src/lib/kdb/kdb_default.c:230
+#, c-format
+msgid "rename of temporary keyfile (%s) to (%s) failed: %s"
+msgstr ""
+"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s"
+
+#: ../../src/lib/kdb/kdb_default.c:419
+#, c-format
+msgid "Can not fetch master key (error: %s)."
+msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)"
+
+#: ../../src/lib/kdb/kdb_default.c:482
+msgid "Unable to decrypt latest master key with the provided master key\n"
+msgstr ""
+"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel "
+"entschlüsselt werden.\n"
+
+#: ../../src/lib/kdb/kdb_log.c:83
+msgid "could not sync ulog header to disk"
+msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden"
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:122
+#, c-format
+msgid "Subsidiary cache path %s has no parent directory"
+msgstr ""
+"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis."
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:128
+#, c-format
+msgid "Subsidiary cache path %s filename does not begin with \"tkt\""
+msgstr ""
+"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«"
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:169
+#, c-format
+msgid "%s contains invalid filename"
+msgstr "%s enthält einen ungültigen Dateinamen."
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:229
+#, c-format
+msgid "Credential cache directory %s does not exist"
+msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht."
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:235
+#, c-format
+msgid "Credential cache directory %s exists but is not a directory"
+msgstr ""
+"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein "
+"Verzeichnis"
+
+#: ../../src/lib/krb5/ccache/cc_dir.c:400
+msgid ""
+"Can't create new subsidiary cache because default cache is not a directory "
+"collection"
+msgstr ""
+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
+"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist."
+
+#: ../../src/lib/krb5/ccache/cc_file.c:569
+#, c-format
+msgid "Credentials cache file '%s' not found"
+msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden"
+
+#: ../../src/lib/krb5/ccache/cc_file.c:1575
+#, c-format
+msgid "Credentials cache I/O operation failed (%s)"
+msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)"
+
+#: ../../src/lib/krb5/ccache/cc_keyring.c:1151
+msgid ""
+"Can't create new subsidiary cache because default cache is already a "
+"subsidiary"
+msgstr ""
+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
+"Standardzwischenspeicher bereits eine Ergänzung ist."
+
+#: ../../src/lib/krb5/ccache/cc_keyring.c:1219
+#, c-format
+msgid "Credentials cache keyring '%s' not found"
+msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden"
+
+#: ../../src/lib/krb5/ccache/cccursor.c:212
+#, c-format
+msgid "Can't find client principal %s in cache collection"
+msgstr ""
+"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden "
+"werden"
+
+#: ../../src/lib/krb5/ccache/cccursor.c:253
+msgid "No Kerberos credentials available"
+msgstr "keine Kerberos-Anmeldedaten verfügbar"
+
+#: ../../src/lib/krb5/keytab/kt_file.c:398
+#, c-format
+msgid "No key table entry found for %s"
+msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden."
+
+#: ../../src/lib/krb5/keytab/kt_file.c:815
+#: ../../src/lib/krb5/keytab/kt_file.c:848
+msgid "Cannot change keytab with keytab iterators active"
+msgstr ""
+"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert "
+"werden"
+
+#: ../../src/lib/krb5/keytab/kt_file.c:1047
+#, c-format
+msgid "Key table file '%s' not found"
+msgstr "Schlüsseltabellendatei »%s« nicht gefunden"
+
+#: ../../src/lib/krb5/keytab/ktfns.c:127
+#, c-format
+msgid "Keytab %s is nonexistent or empty"
+msgstr "Schlüsseltabelle %s existiert nicht oder ist leer"
+
+#: ../../src/lib/krb5/krb/chpw.c:251
+msgid "Malformed request error"
+msgstr "Fehler wegen Anfrage in falscher Form"
+
+#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58
+msgid "Server error"
+msgstr "Serverfehler"
+
+#: ../../src/lib/krb5/krb/chpw.c:257
+msgid "Authentication error"
+msgstr "Authentifizierungsfehler"
+
+#: ../../src/lib/krb5/krb/chpw.c:260
+msgid "Password change rejected"
+msgstr "Passwortänderung abgelehnt"
+
+#: ../../src/lib/krb5/krb/chpw.c:263
+msgid "Access denied"
+msgstr "Zugriff verweigert"
+
+#: ../../src/lib/krb5/krb/chpw.c:266
+msgid "Wrong protocol version"
+msgstr "falsche Protokollversion"
+
+#: ../../src/lib/krb5/krb/chpw.c:269
+msgid "Initial password required"
+msgstr "Erstpasswort erforderlich"
+
+#: ../../src/lib/krb5/krb/chpw.c:272
+msgid "Success"
+msgstr "Erfolg"
+
+#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257
+msgid "Password change failed"
+msgstr "Ändern des Passworts fehlgeschlagen"
+
+#: ../../src/lib/krb5/krb/chpw.c:433
+msgid ""
+"The password must include numbers or symbols.  Don't include any part of "
+"your name in the password."
+msgstr ""
+"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres "
+"Namens in das Passwort ein."
+
+#: ../../src/lib/krb5/krb/chpw.c:439
+#, c-format
+msgid "The password must contain at least %d character."
+msgid_plural "The password must contain at least %d characters."
+msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten."
+msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten."
+
+#: ../../src/lib/krb5/krb/chpw.c:448
+#, c-format
+msgid "The password must be different from the previous password."
+msgid_plural "The password must be different from the previous %d passwords."
+msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden."
+msgstr[1] ""
+"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden."
+
+#: ../../src/lib/krb5/krb/chpw.c:460
+#, c-format
+msgid "The password can only be changed once a day."
+msgid_plural "The password can only be changed every %d days."
+msgstr[0] "Das Passwort kann nur einmal täglich geändert werden."
+msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden."
+
+#: ../../src/lib/krb5/krb/chpw.c:506
+msgid "Try a more complex password, or contact your administrator."
+msgstr ""
+"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich "
+"an Ihren Administrator."
+
+#: ../../src/lib/krb5/krb/fast.c:217
+#, c-format
+msgid "%s constructing AP-REQ armor"
+msgstr "%s-Konstruktion von AP-REQ-Schutz"
+
+#: ../../src/lib/krb5/krb/fast.c:399
+#, c-format
+msgid "%s while decrypting FAST reply"
+msgstr "%s beim Entschlüsseln der FAST-Antwort"
+
+#: ../../src/lib/krb5/krb/fast.c:408
+msgid "nonce modified in FAST response: KDC response modified"
+msgstr ""
+"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort "
+"geändert"
+
+#: ../../src/lib/krb5/krb/fast.c:474
+msgid "Expecting FX_ERROR pa-data inside FAST container"
+msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet."
+
+#: ../../src/lib/krb5/krb/fast.c:545
+msgid "FAST response missing finish message in KDC reply"
+msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort"
+
+#: ../../src/lib/krb5/krb/fast.c:558
+msgid "Ticket modified in KDC reply"
+msgstr "Ticket in der KDC-Antwort verändert"
+
+#: ../../src/lib/krb5/krb/gc_via_tkt.c:208
+#, c-format
+msgid "KDC returned error string: %.*s"
+msgstr "KDC gab eine Fehlermeldung zurück: %.*s"
+
+#: ../../src/lib/krb5/krb/gc_via_tkt.c:217
+#, c-format
+msgid "Server %s not found in Kerberos database"
+msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden"
+
+#: ../../src/lib/krb5/krb/get_in_tkt.c:133
+msgid "Reply has wrong form of session key for anonymous request"
+msgstr ""
+"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage"
+
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1628
+#, c-format
+msgid "%s while storing credentials"
+msgstr "%s beim Speichern der Anmeldedaten"
+
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1715
+#, c-format
+msgid "Client '%s' not found in Kerberos database"
+msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden"
+
+#: ../../src/lib/krb5/krb/gic_keytab.c:207
+#, c-format
+msgid "Keytab contains no suitable keys for %s"
+msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s"
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:75
+#, c-format
+msgid "Password for %s"
+msgstr "Passwort for %s"
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:227
+#, c-format
+msgid "Warning: Your password will expire in less than one hour on %s"
+msgstr ""
+"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen."
+
+# FIXME in German impossible; plural without »s«
+#: ../../src/lib/krb5/krb/gic_pwd.c:231
+#, c-format
+msgid "Warning: Your password will expire in %d hour%s on %s"
+msgstr "Warnung: Ihr Passwort wird in %d Stunden%s auf %s ablaufen."
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:235
+#, c-format
+msgid "Warning: Your password will expire in %d days on %s"
+msgstr "Warnung: Ihr Passwort wird in %d Tagen auf %s ablaufen."
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:409
+msgid "Password expired.  You must change it now."
+msgstr "Passwort abgelaufen. Sie müssen es nun ändern."
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432
+#, c-format
+msgid "%s.  Please try again."
+msgstr "%s. Bitte versuchen Sie es erneut."
+
+#: ../../src/lib/krb5/krb/gic_pwd.c:471
+#, c-format
+msgid "%.*s%s%s.  Please try again.\n"
+msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n"
+
+#: ../../src/lib/krb5/krb/parse.c:203
+#, c-format
+msgid "Principal %s is missing required realm"
+msgstr "Principal %s fehlt erforderlicher Realm"
+
+#: ../../src/lib/krb5/krb/parse.c:215
+#, c-format
+msgid "Principal %s has realm present"
+msgstr "Für Principal %s ist Realm vorhanden"
+
+#: ../../src/lib/krb5/krb/plugin.c:165
+#, c-format
+msgid "Invalid module specifier %s"
+msgstr "ungültiger Modulbezeichner %s"
+
+#: ../../src/lib/krb5/krb/plugin.c:402
+#, c-format
+msgid "Could not find %s plugin module named '%s'"
+msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden."
+
+#: ../../src/lib/krb5/krb/preauth2.c:1018
+msgid "Unable to initialize preauth context"
+msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden."
+
+#: ../../src/lib/krb5/krb/preauth2.c:1032
+#, c-format
+msgid "Preauth module %s: %s"
+msgstr "Vorauthentifizierungsmodul %s: %s"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:510
+msgid "Please choose from the following:\n"
+msgstr "Bitte wählen Sie aus dem Folgenden aus:\n"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:511
+msgid "Vendor:"
+msgstr "Anbieter:"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:523
+msgid "Enter #"
+msgstr "Geben Sie # ein"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:559
+msgid "OTP Challenge:"
+msgstr "Anforderung des Einwegpassworts:"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:588
+msgid "OTP Token PIN"
+msgstr "Einwegpasswort-Token-PIN"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:702
+msgid "OTP value doesn't match any token formats"
+msgstr "Wert des Einwegpassworts entspricht keinem Token-Format"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:769
+msgid "Enter OTP Token Value"
+msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an"
+
+#: ../../src/lib/krb5/krb/preauth_otp.c:914
+msgid "No supported tokens"
+msgstr "keine unterstützten Token"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:49
+msgid "Challenge for Enigma Logic mechanism"
+msgstr "Anforderung für Enigma-Logic-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:53
+msgid "Challenge for Digital Pathways mechanism"
+msgstr "Anforderung für Digital-Pathway-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:57
+msgid "Challenge for Activcard mechanism"
+msgstr "Anforderung für Activcard-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:60
+msgid "Challenge for Enhanced S/Key mechanism"
+msgstr "Anforderung für erweiterten S/Key-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:63
+msgid "Challenge for Traditional S/Key mechanism"
+msgstr "Anforderung für traditionellen S/Key-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:66
+#: ../../src/lib/krb5/krb/preauth_sam2.c:69
+msgid "Challenge for Security Dynamics mechanism"
+msgstr "Anforderung für Security-Dynamics-Mechanismus"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:72
+msgid "Challenge from authentication server"
+msgstr "Anforderung vom Authentifizierungsserver"
+
+#: ../../src/lib/krb5/krb/preauth_sam2.c:166
+msgid "SAM Authentication"
+msgstr "SAM-Authentifizierung"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:145
+#, c-format
+msgid "Cannot find key for %s kvno %d in keytab"
+msgstr ""
+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:150
+#, c-format
+msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)"
+msgstr ""
+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden "
+"(angefragter Ticketserver %s)"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:175
+#, c-format
+msgid "Cannot decrypt ticket for %s using keytab key for %s"
+msgstr ""
+"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s "
+"entschlüsselt werden"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:197
+#, c-format
+msgid "Server principal %s does not match request ticket server %s"
+msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:226
+msgid "No keys in keytab"
+msgstr "keine Schlüssel in der Schlüsseltabelle"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:229
+#, c-format
+msgid "Server principal %s does not match any keys in keytab"
+msgstr ""
+"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:236
+#, c-format
+msgid ""
+"Request ticket server %s found in keytab but does not match server principal "
+"%s"
+msgstr ""
+"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte "
+"jedoch nicht zu Server-Principal %s"
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:241
+#, c-format
+msgid "Request ticket server %s not found in keytab (ticket kvno %d)"
+msgstr ""
+"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden "
+"(Ticket KVNO %d)."
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:247
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d not found in keytab; ticket is likely out "
+"of date"
+msgstr ""
+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle "
+"gefunden; Ticket ist wahrscheinlich abgelaufen."
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:252
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d not found in keytab; keytab is likely out "
+"of date"
+msgstr ""
+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle "
+"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell."
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:261
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d found in keytab but not with enctype %s"
+msgstr ""
+"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, "
+"jedoch nicht mit Verschlüsselungstyp %s."
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:266
+#, c-format
+msgid ""
+"Request ticket server %s kvno %d enctype %s found in keytab but cannot "
+"decrypt ticket"
+msgstr ""
+"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der "
+"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden."
+
+#: ../../src/lib/krb5/krb/rd_req_dec.c:897
+#, c-format
+msgid "Encryption type %s not permitted"
+msgstr "Verschlüsselungstyp %s nicht erlaubt"
+
+#: ../../src/lib/krb5/os/expand_path.c:316
+#, c-format
+msgid "Can't find username for uid %lu"
+msgstr "Zu UID %lu kann kein Benutzername gefunden werden."
+
+#: ../../src/lib/krb5/os/expand_path.c:405
+#: ../../src/lib/krb5/os/expand_path.c:421
+msgid "Invalid token"
+msgstr "ungültiges Token"
+
+#: ../../src/lib/krb5/os/expand_path.c:506
+msgid "variable missing }"
+msgstr "Variable fehlt }"
+
+#: ../../src/lib/krb5/os/locate_kdc.c:660
+#, c-format
+msgid "Cannot find KDC for realm \"%.*s\""
+msgstr "KDC für Realm »%.*s« kann nicht gefunden werden"
+
+#: ../../src/lib/krb5/os/sendto_kdc.c:475
+#, c-format
+msgid "Cannot contact any KDC for realm '%.*s'"
+msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:106
+#, c-format
+msgid "Cannot fstat replay cache file %s: %s"
+msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:112
+#, c-format
+msgid ""
+"Insecure mkstemp() file mode for replay cache file %s; try running this "
+"program with umask 077"
+msgstr ""
+"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; "
+"versuchen Sie, dieses Programm mit der Umask 077 auszuführen"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:144
+#, c-format
+msgid "Cannot %s replay cache file %s: %s"
+msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:149
+#, c-format
+msgid "Cannot %s replay cache: %s"
+msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:272
+#, c-format
+msgid "Insecure file mode for replay cache file %s"
+msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:278
+#, c-format
+msgid "rcache not owned by %d"
+msgstr "Rcache gehört nicht %d"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406
+#: ../../src/lib/krb5/rcache/rc_io.c:411
+#, c-format
+msgid "Can't write to replay cache: %s"
+msgstr ""
+"in Wiederholungszwischenspeicherdatei kann nicht geschrieben werden: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:432
+#, c-format
+msgid "Cannot sync replay cache file: %s"
+msgstr ""
+"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:451
+#, c-format
+msgid "Can't read from replay cache: %s"
+msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s"
+
+#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488
+#: ../../src/lib/krb5/rcache/rc_io.c:493
+#, c-format
+msgid "Can't destroy replay cache: %s"
+msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s"
+
+#: ../../src/plugins/kdb/db2/kdb_db2.c:245
+#: ../../src/plugins/kdb/db2/kdb_db2.c:830
+#, c-format
+msgid "Unsupported argument \"%s\" for db2"
+msgstr "nicht unterstütztes Argument »%s« für DB2"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507
+msgid "while reading kerberos container information"
+msgstr "beim Lesen der Kerberos-Container-Information"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166
+msgid "while providing time specification"
+msgstr "beim Bereitstellen der Zeitspezifikation"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304
+msgid "while creating policy object"
+msgstr "beim Erstellen des Richtlinienobjekts"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515
+msgid "while reading realm information"
+msgstr "beim Lesen der Realm-Information"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407
+msgid "while destroying policy object"
+msgstr "beim Zerstören des Richtlinienobjekts"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358
+#, c-format
+msgid "This will delete the policy object '%s', are you sure?\n"
+msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663
+msgid "while modifying policy object"
+msgstr "beim Ändern des Richtlinienobjekts"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487
+#, c-format
+msgid "while reading information of policy '%s'"
+msgstr "beim Lesen der Information der Richtlinie »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692
+msgid "while viewing policy"
+msgstr "beim Betrachten der Richtlinie"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701
+#, c-format
+msgid "while viewing policy '%s'"
+msgstr "beim Betrachten der Richtlinie »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835
+msgid "while listing policy objects"
+msgstr "beim Auflisten der Richtlinienobjekte"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453
+#, c-format
+msgid "for subtree while creating realm '%s'"
+msgstr "für einen Teilbaum beim Erstellen von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465
+#, c-format
+msgid "for container reference while creating realm '%s'"
+msgstr "für Container-Bezug beim Erstellen von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489
+#, c-format
+msgid "invalid search scope while creating realm '%s'"
+msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823
+#, c-format
+msgid "'%s' is an invalid option\n"
+msgstr "»%s« ist keine gültige Option\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512
+#, c-format
+msgid "Initializing database for realm '%s'\n"
+msgstr "Datenbank für Realm »%s« wird initialisiert\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696
+#, c-format
+msgid "while creating realm '%s'"
+msgstr "beim Erstellen von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556
+#, c-format
+msgid "Enter DN of Kerberos container: "
+msgstr "Geben Sie die den DN des Kerberos-Containers ein: "
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894
+#, c-format
+msgid "while reading information of realm '%s'"
+msgstr "beim Lesen der Information von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733
+msgid "while reading Kerberos container information"
+msgstr "beim Lesen der Kerberos-Container-Information"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774
+#, c-format
+msgid "for subtree while modifying realm '%s'"
+msgstr "für einen Teilbaum beim Ändern von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785
+#, c-format
+msgid "for container reference while modifying realm '%s'"
+msgstr "für Container-Bezug beim Ändern von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812
+#, c-format
+msgid "specified for search scope while modifying information of realm '%s'"
+msgstr ""
+"angegeben für Suchbereich, während die Information für Realm »%s« geändert "
+"wird"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851
+#, c-format
+msgid "while modifying information of realm '%s'"
+msgstr "beim Ändern der Information von Realm »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940
+msgid "Realm Name"
+msgstr "Realm-Name"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943
+msgid "Subtree"
+msgstr "Teilbaum"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946
+msgid "Principal Container Reference"
+msgstr "Principal-Container-Bezug"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953
+msgid "SearchScope"
+msgstr "Suchbereich"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
+msgid "Invalid !"
+msgstr "ungültig!"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958
+msgid "KDC Services"
+msgstr "KDC-Dienste"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973
+msgid "Admin Services"
+msgstr "Administratordienste"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988
+msgid "Passwd Services"
+msgstr "Passwortdienste"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004
+msgid "Maximum Ticket Life"
+msgstr "maximale Ticketlebensdauer"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009
+msgid "Maximum Renewable Life"
+msgstr "maximale verlängerbare Lebensdauer"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016
+msgid "Ticket flags"
+msgstr "Ticket-Flags"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095
+msgid "while listing realms"
+msgstr "beim Auflisten der Realms"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439
+msgid "while adding entries to database"
+msgstr "beim Hinzufügen von Einträgen zur Datenbank"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480
+#, c-format
+msgid "Deleting KDC database of '%s', are you sure?\n"
+msgstr ""
+"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491
+#, c-format
+msgid "OK, deleting database of '%s'...\n"
+msgstr "OK, die Datenbank von »%s« wird gelöscht …\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524
+#, c-format
+msgid "deleting database of '%s'"
+msgstr "Die Datenbank von »%s« wird gelöscht."
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529
+#, c-format
+msgid "** Database of '%s' destroyed.\n"
+msgstr "** Datenbank von »%s« vernichtet\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227
+msgid "while setting service object password"
+msgstr "beim Setzen des Passworts für das Dienstobjekt"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477
+#, c-format
+msgid "Password for \"%s\""
+msgstr "Passwort für »%s«"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143
+#, c-format
+msgid "Re-enter password for \"%s\""
+msgstr "Geben Sie das Passwort für »%s« erneut ein."
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154
+#, c-format
+msgid "%s: Invalid password\n"
+msgstr "%s: ungültiges Passwort\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170
+msgid "Failed to convert the password to hexadecimal"
+msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen."
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183
+#, c-format
+msgid "Failed to open file %s: %s"
+msgstr "Datei %s konnte nicht geöffnet werden: %s"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283
+msgid "Failed to write service object password to file"
+msgstr ""
+"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268
+msgid "Error reading service object password file"
+msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236
+#, c-format
+msgid "Error creating file %s"
+msgstr "Fehler beim Erstellen der Datei %s"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105
+#, c-format
+msgid ""
+"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
+"\tcmd [cmd_options]\n"
+"create          [-subtrees subtree_dn_list] [-sscope search_scope] [-"
+"containerref container_reference_dn]\n"
+"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+"\t\t[ticket_flags] [-r realm]\n"
+"modify          [-subtrees subtree_dn_list] [-sscope search_scope] [-"
+"containerref container_reference_dn]\n"
+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
+"\t\t[ticket_flags] [-r realm]\n"
+"view            [-r realm]\n"
+"destroy                [-f] [-r realm]\n"
+"list\n"
+"stashsrvpw      [-f filename] service_dn\n"
+"create_policy   [-r realm] [-maxtktlife max_ticket_life]\n"
+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
+"modify_policy   [-r realm] [-maxtktlife max_ticket_life]\n"
+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
+"view_policy     [-r realm] policy\n"
+"destroy_policy  [-r realm] [-force] policy\n"
+"list_policy     [-r realm]\n"
+msgstr ""
+"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n"
+"\tcmd [Befehlsoptionen]\n"
+"create          [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-"
+"containerref Container-Bezug-DN]\n"
+"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n"
+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
+"\t\t[Ticket_Flags] [-r Realm]\n"
+"modify          [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-"
+"containerref Container-Bezug-DN]\n"
+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n"
+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
+"\t\t[Ticket_Flags] [-r Realm]\n"
+"view            [-r Realm]\n"
+"destroy                [-f] [-r Realm]\n"
+"list\n"
+"stashsrvpw      [-f Dateiname] Dienst-DN\n"
+"create_policy   [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n"
+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
+"\t\t[Ticket_Flags] Richtlinie\n"
+"modify_policy   [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n"
+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
+"\t\t[Ticket_Flags] Richtlinie\n"
+"view_policy     [-r Realm] Richtlinie\n"
+"destroy_policy  [-r Realm] [-force] Richtlinie\n"
+"list_policy     [-r Realm]\n"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341
+msgid "while reading ldap parameters"
+msgstr "beim Lesen der LDAP-Parameter"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439
+msgid "while initializing error handling"
+msgstr "beim Initialisieren der Fehlerbehandlung"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447
+msgid "while initializing ldap handle"
+msgstr "beim Initialisieren des LDAP-Identifikators"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525
+msgid "while retrieving ldap configuration"
+msgstr "beim Abfragen der LDAP-Konfiguration"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516
+msgid "while initializing server list"
+msgstr "beim Initialisieren der Serverliste"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547
+msgid "while setting up lib handle"
+msgstr "ein Einrichten der BibliotheksIdentifikators"
+
+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556
+msgid "while reading ldap configuration"
+msgstr "beim Lesen der LDAP-Konfiguration"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68
+msgid "Unable to read Kerberos container"
+msgstr "Kerberos-Container kann nicht gelesen werden"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74
+msgid "Unable to read Realm"
+msgstr "Realm kann nicht gelesen werden"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73
+msgid "Error processing LDAP DB params:"
+msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80
+msgid "Error reading LDAP server params:"
+msgstr "Fehler beim Lesen der LDAP-Server-Parameters:"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64
+msgid "LDAP bind dn value missing"
+msgstr "LDAP-Bindungs-DN-Wert fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69
+msgid "LDAP bind password value missing"
+msgstr "LDAP-Bindungs-Passwortwert fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77
+msgid "Error reading password from stash: "
+msgstr "Fehler beim Lesen des Passworts aus der Ablage: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85
+msgid "Service password length is zero"
+msgstr "Länge des Dienstpassworts ist Null"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145
+#, c-format
+msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s"
+msgstr ""
+"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« "
+"hergestellt werden: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158
+#, c-format
+msgid "Cannot bind to LDAP server '%s' as '%s': %s"
+msgstr ""
+"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183
+#, c-format
+msgid "Cannot create LDAP handle for '%s': %s"
+msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131
+msgid "could not complete roll-back, error deleting Kerberos Container"
+msgstr ""
+"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des "
+"Kerberos-Containers"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67
+msgid "Error reading kerberos container location from krb5.conf"
+msgstr ""
+"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«."
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75
+msgid "Kerberos container location not specified"
+msgstr "Kerberos-Container-Speicherort nicht angegeben"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55
+#, c-format
+msgid "Error reading '%s' attribute: %s"
+msgstr "Fehler beim Lesen des Attributs »%s«: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218
+msgid "KDB module requires -update argument"
+msgstr "KDB-Modul benötigt Argument »-update«"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224
+#, c-format
+msgid "'%s' value missing"
+msgstr "Wert »%s« fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282
+#, c-format
+msgid "unknown option '%s'"
+msgstr "unbekannte Option »%s«"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342
+msgid "Minimum connections required per server is 2"
+msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159
+msgid "Default realm not set"
+msgstr "Standard-Realm nicht gesetzt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262
+msgid "DN information missing"
+msgstr "DN-Information fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108
+msgid "Principal does not belong to realm"
+msgstr "Principal gehört nicht zum Realm"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295
+#, c-format
+msgid "%s option not supported"
+msgstr "Option %s wird nicht unterstützt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302
+#, c-format
+msgid "unknown option: %s"
+msgstr "unbekannte Option: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316
+#, c-format
+msgid "%s option value missing"
+msgstr "Wert der Option %s fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542
+msgid "Principal does not belong to the default realm"
+msgstr "Principal gehört nicht zum Standard-Realm"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610
+#, c-format
+msgid ""
+"operation can not continue, more than one entry with principal name \"%s\" "
+"found"
+msgstr ""
+"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« "
+"gefunden wurde."
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673
+#, c-format
+msgid "'%s' not found: "
+msgstr "»%s« nicht gefunden: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751
+msgid "DN is out of the realm subtree"
+msgstr "DN liegt außerhalb ders Teilbaums des Realms"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807
+#, c-format
+msgid "ldap object is already kerberized"
+msgstr "LDAP-Objekt ist bereits an Kerberos angepasst"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827
+#, c-format
+msgid ""
+"link information can not be set/updated as the kerberos principal belongs to "
+"an ldap object"
+msgstr ""
+"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der "
+"Kerberos-Principal zu einem LDAP-Objekt gehört."
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842
+#, c-format
+msgid "Failed getting object references"
+msgstr "Holen von Objektbezügen fehlgeschlagen"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849
+#, c-format
+msgid "kerberos principal is already linked to a ldap object"
+msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167
+msgid "ticket policy object value: "
+msgstr "Wert des Ticket-Richtlinienobjekts: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215
+#, c-format
+msgid "Principal delete failed (trying to replace entry): %s"
+msgstr ""
+"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu "
+"ersetzen): %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225
+#, c-format
+msgid "Principal add failed: %s"
+msgstr "Hinzufügen des Principals fehlgeschlagen: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263
+#, c-format
+msgid "User modification failed: %s"
+msgstr "Änderung des Benutzers fehlgeschlagen: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336
+msgid "Error reading ticket policy. "
+msgstr "Fehler beim Lesen der Ticket-Richtlinie"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402
+#, c-format
+msgid "unable to decode stored principal key data (%s)"
+msgstr ""
+"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht "
+"dekodiert werden."
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223
+msgid "Realm information not available"
+msgstr "Realm-Information nicht verfügbar"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294
+msgid "Error reading ticket policy: "
+msgstr "Fehler beim Lesen der Ticket-Richtlinie:"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307
+#, c-format
+msgid "Realm Delete FAILED: %s"
+msgstr "Löschen des Realms FEHLGESCHLAGEN: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387
+msgid "subtree value: "
+msgstr "Wert des Teilbaums: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404
+msgid "container reference value: "
+msgstr "Wert des Container-Bezugs: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550
+msgid "Kerberos Container information is missing"
+msgstr "Kerberos-Container-Information fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499
+msgid "Invalid Kerberos container DN"
+msgstr "ungültiger Kerberos-Container-DN"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515
+#, c-format
+msgid "Kerberos Container create FAILED: %s"
+msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558
+#, c-format
+msgid "Kerberos Container delete FAILED: %s"
+msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634
+msgid "realm object value: "
+msgstr "Wert des Realm-Objekts: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48
+msgid "Not a hexadecimal password"
+msgstr "kein hexadezimales Passwort"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66
+msgid "Password corrupt"
+msgstr "Passwort beschädigt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93
+#, c-format
+msgid "Cannot open LDAP password file '%s': %s"
+msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123
+#, c-format
+msgid "Bind DN entry '%s' missing in LDAP password file '%s'"
+msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132
+msgid "Ticket Policy Name missing"
+msgstr "Ticket-Richtlinienname fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221
+msgid "ticket policy object: "
+msgstr "Ticket-Richtlinienobjekt: "
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209
+msgid "Ticket Policy Object information missing"
+msgstr "Ticket-Richtlinienobjekt-Information fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300
+msgid "Ticket Policy Object DN missing"
+msgstr "DN des Ticket-Richtlinienobjekts fehlt"
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327
+msgid "Delete Failed: One or more Principals associated with the Ticket Policy"
+msgstr ""
+"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-"
+"Richtlinie."
+
+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435
+msgid "Error reading container object: "
+msgstr "Fehler beim Lesen des Container-Objekts: "
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153
+msgid "Pass phrase for"
+msgstr "Passphrase für"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081
+#, c-format
+msgid "Cannot create cert chain: %s"
+msgstr "Zertifikatskette kann nicht erstellt werden: %s"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408
+msgid "Invalid pkinit packet: octet string expected"
+msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427
+msgid "wrong oid\n"
+msgstr "falsche OID\n"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994
+#, c-format
+msgid "unknown code 0x%x"
+msgstr "unbekannter Code 0x%x"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424
+#, c-format
+msgid "Unsupported type while processing '%s'\n"
+msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465
+msgid "Internal error parsing X509_user_identity\n"
+msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560
+msgid "No user identity options specified"
+msgstr "keine Optionen der Nutzeridentität angegeben"
+
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414
+msgid "Pkinit request not signed, but client not anonymous."
+msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym"
+
+# DH = Diffie-Hellman
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447
+msgid "Anonymous pkinit without DH public value not supported."
+msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt."
+
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147
+#, c-format
+msgid "No pkinit_identity supplied for realm %s"
+msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt."
+
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158
+#, c-format
+msgid "No pkinit_anchors supplied for realm %s"
+msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt."
+
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346
+msgid "No realms configured correctly for pkinit support"
+msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert."
+
+#: ../../src/slave/kprop.c:85
+#, c-format
+msgid ""
+"\n"
+"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n"
+"\n"
+msgstr ""
+"\n"
+"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] "
+"untergeordneter_Rechner\n"
+"\n"
+
+#: ../../src/slave/kprop.c:114
+#, c-format
+msgid "Database propagation to %s: SUCCEEDED\n"
+msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n"
+
+#: ../../src/slave/kprop.c:187
+msgid "while setting client principal name"
+msgstr "beim Setzen des Client-Principal-Namens"
+
+#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209
+msgid "while setting client principal realm"
+msgstr "beim Setzen des Client-Principal-Realms"
+
+#: ../../src/slave/kprop.c:217
+#, c-format
+msgid "while opening credential cache %s"
+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
+
+#: ../../src/slave/kprop.c:233
+msgid "while setting server principal name"
+msgstr "beim Setzen des Server-Principal-Namens"
+
+#: ../../src/slave/kprop.c:255
+msgid "while resolving keytab"
+msgstr "beim Ermitteln der Schlüsseltabelle"
+
+#: ../../src/slave/kprop.c:264
+msgid "while getting initial credentials\n"
+msgstr "beim Holen der Anfangsanmeldedaten\n"
+
+#: ../../src/slave/kprop.c:301
+msgid "while creating socket"
+msgstr "beim Erstellen eines Sockets"
+
+#: ../../src/slave/kprop.c:317
+msgid "while converting server address"
+msgstr "beim Umwandeln der Server-Adresse"
+
+#: ../../src/slave/kprop.c:327
+msgid "while connecting to server"
+msgstr "beim Verbinden mit dem Server"
+
+#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215
+msgid "while getting local socket address"
+msgstr "beim Holen der lokalen Socket-Adresse"
+
+#: ../../src/slave/kprop.c:339
+msgid "while converting local address"
+msgstr "beim Umwandeln der lokalen Socket-Adresse"
+
+#: ../../src/slave/kprop.c:362
+msgid "in krb5_auth_con_setaddrs"
+msgstr "in »krb5_auth_con_setaddrs«"
+
+#: ../../src/slave/kprop.c:370
+msgid "while authenticating to server"
+msgstr "beim Authentifizieren am Server"
+
+#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573
+#: ../../src/slave/kpropd.c:1521
+#, c-format
+msgid "Generic remote error: %s\n"
+msgstr "allgemeiner ferner Fehler: %s\n"
+
+#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579
+msgid "signalled from server"
+msgstr "signalisiert vom Server"
+
+#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581
+#, c-format
+msgid "Error text from server: %s\n"
+msgstr "Fehlermeldung vom Server: %s\n"
+
+#: ../../src/slave/kprop.c:410
+#, c-format
+msgid "allocating database file name '%s'"
+msgstr "Datenbankdateiname »%s« wird reserviert"
+
+#: ../../src/slave/kprop.c:416
+#, c-format
+msgid "while trying to open %s"
+msgstr "beim Versuch, %s zu öffnen"
+
+#: ../../src/slave/kprop.c:423
+msgid "database locked"
+msgstr "Datenbank gesperrt"
+
+#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525
+#, c-format
+msgid "while trying to lock '%s'"
+msgstr "beim Versuch, »%s« zu sperren"
+
+#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438
+#, c-format
+msgid "while trying to stat %s"
+msgstr "beim Versuch, »stat« für %s auszuführen"
+
+#: ../../src/slave/kprop.c:434
+msgid "while trying to malloc data_ok_fn"
+msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren"
+
+#: ../../src/slave/kprop.c:443
+#, c-format
+msgid "'%s' more recent than '%s'."
+msgstr "»%s« ist aktueller als »%s«."
+
+#: ../../src/slave/kprop.c:459
+#, c-format
+msgid "while unlocking database '%s'"
+msgstr "beim Entsperren von Datenbank »%s«"
+
+#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493
+msgid "while encoding database size"
+msgstr "beim Aufbereiten der Datenbankgröße"
+
+#: ../../src/slave/kprop.c:501
+msgid "while sending database size"
+msgstr "beim Senden der Datenbankgröße"
+
+#: ../../src/slave/kprop.c:511
+msgid "while allocating i_vector"
+msgstr "beim Reservieren von »i_vector«"
+
+#: ../../src/slave/kprop.c:534
+#, c-format
+msgid "while sending database block starting at %d"
+msgstr "beim Senden des Datenbankblocks, der bei %d beginnt"
+
+#: ../../src/slave/kprop.c:544
+msgid "Premature EOF found for database file!"
+msgstr "vorzeitiges EOF für Datenbankdatei gefunden!"
+
+#: ../../src/slave/kprop.c:557
+msgid "while reading response from server"
+msgstr "beim Lesen der Antwort vom Servers"
+
+#: ../../src/slave/kprop.c:568
+msgid "while decoding error response from server"
+msgstr "beim Aufschlüsseln der Fehlerantwort vom Server"
+
+#: ../../src/slave/kprop.c:599
+#, c-format
+msgid "Kpropd sent database size %d, expecting %d"
+msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d"
+
+#: ../../src/slave/kprop.c:643
+msgid "while allocating filename for update_last_prop_file"
+msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«"
+
+#: ../../src/slave/kprop.c:648
+#, c-format
+msgid "while creating 'last_prop' file, '%s'"
+msgstr "beim Erstellen der Datei »last_prop«, »%s«"
+
+#: ../../src/slave/kpropd.c:170
+#, c-format
+msgid ""
+"\n"
+"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n"
+msgstr ""
+"\n"
+"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f "
+"untergeordnete_Datei]\n"
+
+#: ../../src/slave/kpropd.c:172
+#, c-format
+msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"
+msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n"
+
+#: ../../src/slave/kpropd.c:173
+#, c-format
+msgid "\t[-x db_args]* [-P port] [-a acl_file]\n"
+msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n"
+
+#: ../../src/slave/kpropd.c:174
+#, c-format
+msgid "\t[-A admin_server]\n"
+msgstr "\t[-A Serveradministrator]\n"
+
+#: ../../src/slave/kpropd.c:215
+#, c-format
+msgid "Killing fullprop child (%d)\n"
+msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n"
+
+#: ../../src/slave/kpropd.c:244
+msgid "while checking if stdin is a socket"
+msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist"
+
+#: ../../src/slave/kpropd.c:262
+#, c-format
+msgid "ready\n"
+msgstr "bereit\n"
+
+#: ../../src/slave/kpropd.c:272
+#, c-format
+msgid "Could not open /dev/null: %s"
+msgstr "/dev/null konnte nicht geöffnet werden: %s"
+
+#: ../../src/slave/kpropd.c:279
+#, c-format
+msgid "Could not dup the inetd socket: %s"
+msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s"
+
+#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327
+msgid "do_iprop failed.\n"
+msgstr "»do_iprop« fehlgeschlagen\n"
+
+#: ../../src/slave/kpropd.c:366
+#, c-format
+msgid "getaddrinfo: %s\n"
+msgstr "getaddrinfo: %s\n"
+
+#: ../../src/slave/kpropd.c:372
+msgid "while obtaining socket"
+msgstr "beim Erlangen des Sockets"
+
+#: ../../src/slave/kpropd.c:378
+msgid "while setting SO_REUSEADDR option"
+msgstr "beim Setzen der Option SO_REUSEADDR"
+
+#: ../../src/slave/kpropd.c:386
+msgid "while unsetting IPV6_V6ONLY option"
+msgstr "beim Entfernen der Option IPV6_V6ONLY"
+
+#: ../../src/slave/kpropd.c:391
+msgid "while binding listener socket"
+msgstr "beim Anbinden an das auf Verbindung wartende Socket"
+
+#: ../../src/slave/kpropd.c:402
+#, c-format
+msgid "waiting for a kprop connection\n"
+msgstr "warten auf Kprop-Verbindung\n"
+
+#: ../../src/slave/kpropd.c:408
+msgid "while accepting connection"
+msgstr "beim Akzeptieren der Verbindung"
+
+#: ../../src/slave/kpropd.c:414
+msgid "while forking"
+msgstr "beim Erzeugen eines Kindprozesses"
+
+#: ../../src/slave/kpropd.c:429
+#, c-format
+msgid "waitpid() failed to wait for doit() (%d %s)\n"
+msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n"
+
+#: ../../src/slave/kpropd.c:433
+msgid "while waiting to receive database"
+msgstr "beim Warten auf den Erhalt der Datenbank"
+
+#: ../../src/slave/kpropd.c:437
+#, c-format
+msgid "Database load process for full propagation completed.\n"
+msgstr ""
+"Der Datenbankladeprozess für eine vollständige Verbreitung ist "
+"abgeschlossen.\n"
+
+#: ../../src/slave/kpropd.c:471
+#, c-format
+msgid ""
+"%s: Standard input does not appear to be a network socket.\n"
+"\t(Not run from inetd, and missing the -S option?)\n"
+msgstr ""
+"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n"
+"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n"
+
+#: ../../src/slave/kpropd.c:485
+msgid "while attempting setsockopt (SO_KEEPALIVE)"
+msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)"
+
+#: ../../src/slave/kpropd.c:490
+#, c-format
+msgid "Connection from %s"
+msgstr "Verbindung von %s"
+
+#: ../../src/slave/kpropd.c:510
+#, c-format
+msgid "Rejected connection from unauthorized principal %s\n"
+msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n"
+
+#: ../../src/slave/kpropd.c:514
+#, c-format
+msgid "Rejected connection from unauthorized principal %s"
+msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s"
+
+#: ../../src/slave/kpropd.c:531
+#, c-format
+msgid "while opening database file, '%s'"
+msgstr "beim Öffnen der Datenbankdatei, »%s«"
+
+#: ../../src/slave/kpropd.c:537
+#, c-format
+msgid "while renaming %s to %s"
+msgstr "beim Umbenennen von %s in %s"
+
+#: ../../src/slave/kpropd.c:543
+#, c-format
+msgid "while downgrading lock on '%s'"
+msgstr "beim Downgrade der Sperre auf »%s«"
+
+#: ../../src/slave/kpropd.c:550
+#, c-format
+msgid "while unlocking '%s'"
+msgstr "beim Aufheben der Sperre »%s«"
+
+#: ../../src/slave/kpropd.c:562
+msgid "while sending # of received bytes"
+msgstr "beim Senden n empfangener Byte"
+
+#: ../../src/slave/kpropd.c:568
+msgid "while trying to close database file"
+msgstr "beim Versuch, die Datenbankdatei zu schließen"
+
+#: ../../src/slave/kpropd.c:624
+#, c-format
+msgid "Incremental propagation enabled\n"
+msgstr "inkrementelle Verbreitung aktiviert\n"
+
+#: ../../src/slave/kpropd.c:634
+msgid "Unable to get default realm"
+msgstr "Standard-Realm kann nicht geholt werden"
+
+#: ../../src/slave/kpropd.c:647
+#, c-format
+msgid "%s: unable to get kiprop host based service name for realm %s\n"
+msgstr ""
+"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt "
+"werden\n"
+
+#: ../../src/slave/kpropd.c:658
+msgid "while trying to construct host service principal"
+msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen"
+
+#: ../../src/slave/kpropd.c:672
+msgid "while determining local service principal name"
+msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens"
+
+#: ../../src/slave/kpropd.c:692
+#, c-format
+msgid "Initializing kadm5 as client %s\n"
+msgstr "Kadm5 wird als Client %s initialisiert\n"
+
+#: ../../src/slave/kpropd.c:706
+#, c-format
+msgid "kadm5 initialization failed!\n"
+msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n"
+
+#: ../../src/slave/kpropd.c:715
+msgid "while attempting to connect to master KDC ... retrying"
+msgstr ""
+"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut "
+"versucht"
+
+#: ../../src/slave/kpropd.c:719
+#, c-format
+msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n"
+msgstr ""
+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n"
+
+#: ../../src/slave/kpropd.c:735
+#, c-format
+msgid "while initializing %s interface, retrying"
+msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht"
+
+#: ../../src/slave/kpropd.c:739
+#, c-format
+msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n"
+msgstr ""
+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc "
+"nicht?).\n"
+
+#: ../../src/slave/kpropd.c:749
+#, c-format
+msgid "kadm5 initialization succeeded\n"
+msgstr "Initialisieren von Kadm5 erfolgreich\n"
+
+#: ../../src/slave/kpropd.c:771
+msgid "reading update log header"
+msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen"
+
+#: ../../src/slave/kpropd.c:782
+#, c-format
+msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n"
+msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n"
+
+#: ../../src/slave/kpropd.c:792
+msgid "iprop_get_updates call failed"
+msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen"
+
+#: ../../src/slave/kpropd.c:798
+#, c-format
+msgid "Reinitializing iprop because get updates failed\n"
+msgstr ""
+"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n"
+
+#: ../../src/slave/kpropd.c:819
+#, c-format
+msgid "Still waiting for full resync\n"
+msgstr ""
+"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n"
+
+#: ../../src/slave/kpropd.c:824
+#, c-format
+msgid "Full resync needed\n"
+msgstr "erneutes vollständiges Synchronisieren erforderlich\n"
+
+#: ../../src/slave/kpropd.c:825
+msgid "kpropd: Full resync needed."
+msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich"
+
+#: ../../src/slave/kpropd.c:830
+msgid "iprop_full_resync call failed"
+msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen"
+
+#: ../../src/slave/kpropd.c:841
+#, c-format
+msgid "Full resync request granted\n"
+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n"
+
+#: ../../src/slave/kpropd.c:842
+msgid "Full resync request granted."
+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt"
+
+# FIXME s/backoff/back-off/
+#: ../../src/slave/kpropd.c:851
+#, c-format
+msgid "Exponential backoff\n"
+msgstr "exponentieller Wartezyklus\n"
+
+#: ../../src/slave/kpropd.c:857
+#, c-format
+msgid "Full resync permission denied\n"
+msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n"
+
+#: ../../src/slave/kpropd.c:858
+msgid "Full resync, permission denied."
+msgstr "vollständiges erneutes Synchronisieren, nicht gestattet"
+
+#: ../../src/slave/kpropd.c:863
+#, c-format
+msgid "Full resync error from master\n"
+msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n"
+
+#: ../../src/slave/kpropd.c:864
+msgid " Full resync, error returned from master KDC."
+msgstr ""
+"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler "
+"zurück"
+
+#: ../../src/slave/kpropd.c:872
+#, c-format
+msgid "Full resync invalid result from master\n"
+msgstr ""
+"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges "
+"Ergebnis zurück.\n"
+
+#: ../../src/slave/kpropd.c:874
+msgid "Full resync, invalid return from master KDC."
+msgstr ""
+"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-"
+"KDC"
+
+#: ../../src/slave/kpropd.c:890
+#, c-format
+msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
+msgstr ""
+"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n"
+
+#: ../../src/slave/kpropd.c:902
+#, c-format
+msgid "ulog_replay failed (%s), updates not registered\n"
+msgstr ""
+"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n"
+
+#: ../../src/slave/kpropd.c:905
+#, c-format
+msgid "ulog_replay failed (%s), updates not registered."
+msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert"
+
+#: ../../src/slave/kpropd.c:914
+#, c-format
+msgid "Incremental updates: %d updates / %lu us"
+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us"
+
+#: ../../src/slave/kpropd.c:917
+#, c-format
+msgid "Incremental updates: %d updates / %lu us\n"
+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n"
+
+#: ../../src/slave/kpropd.c:925
+#, c-format
+msgid "get_updates permission denied\n"
+msgstr "Zugriff bei »get_updates« verweigert\n"
+
+#: ../../src/slave/kpropd.c:926
+msgid "get_updates, permission denied."
+msgstr "»get_updates«, Zugriff verweigert"
+
+#: ../../src/slave/kpropd.c:931
+#, c-format
+msgid "get_updates error from master\n"
+msgstr "»get_updates«-Fehler vom Master\n"
+
+#: ../../src/slave/kpropd.c:932
+msgid "get_updates, error returned from master KDC."
+msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben."
+
+# FIXME s/backoff/back-off/
+#: ../../src/slave/kpropd.c:940
+#, c-format
+msgid "get_updates master busy; backoff\n"
+msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n"
+
+#: ../../src/slave/kpropd.c:949
+#, c-format
+msgid "KDC is synchronized with master.\n"
+msgstr "KDC wurde mit dem Master synchronisiert.\n"
+
+#: ../../src/slave/kpropd.c:957
+#, c-format
+msgid "get_updates invalid result from master\n"
+msgstr "ungültiges »get_updates«-Ergebnis vom Master\n"
+
+#: ../../src/slave/kpropd.c:958
+msgid "get_updates, invalid return from master KDC."
+msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC"
+
+# FIXME s/backoff/back-off/
+#: ../../src/slave/kpropd.c:973
+#, c-format
+msgid "Busy signal received from master, backoff for %d secs\n"
+msgstr ""
+"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, "
+"Zurückhaltung für %d Sekunden\n"
+
+#: ../../src/slave/kpropd.c:980
+#, c-format
+msgid "Waiting for %d seconds before checking for updates again\n"
+msgstr ""
+"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n"
+
+#: ../../src/slave/kpropd.c:991
+#, c-format
+msgid "ERROR returned by master, bailing\n"
+msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n"
+
+#: ../../src/slave/kpropd.c:992
+msgid "ERROR returned by master KDC, bailing.\n"
+msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n"
+
+#: ../../src/slave/kpropd.c:1134
+msgid "copying db args"
+msgstr "Datenbankargumente werden kopiert"
+
+#: ../../src/slave/kpropd.c:1161
+msgid "while trying to construct my service name"
+msgstr "beim Versuch, meinen Dienstnamen zu erstellen"
+
+#: ../../src/slave/kpropd.c:1167
+msgid "while constructing my service realm"
+msgstr "beim Erstellen meines Dienst-Realms"
+
+#: ../../src/slave/kpropd.c:1175
+msgid "while allocating filename for temp file"
+msgstr "beim Reservieren des Dateinamens für die temporäre Datei"
+
+#: ../../src/slave/kpropd.c:1181
+msgid "while initializing"
+msgstr "bei der Initialisierung"
+
+#: ../../src/slave/kpropd.c:1189
+msgid "Unable to map log!\n"
+msgstr "Protokoll kann nicht abgebildet werden!\n"
+
+#: ../../src/slave/kpropd.c:1235
+#, c-format
+msgid "Error in krb5_auth_con_ini: %s"
+msgstr "Fehler in »krb5_auth_con_ini«: %s"
+
+#: ../../src/slave/kpropd.c:1243
+#, c-format
+msgid "Error in krb5_auth_con_setflags: %s"
+msgstr "Fehler in »krb5_auth_con_setflags«: %s"
+
+#: ../../src/slave/kpropd.c:1251
+#, c-format
+msgid "Error in krb5_auth_con_setaddrs: %s"
+msgstr "Fehler in »krb5_auth_con_setaddrs«: %s"
+
+#: ../../src/slave/kpropd.c:1259
+#, c-format
+msgid "Error in krb5_kt_resolve: %s"
+msgstr "Fehler in »krb5_kt_resolve«: %s"
+
+#: ../../src/slave/kpropd.c:1268
+#, c-format
+msgid "Error in krb5_recvauth: %s"
+msgstr "Fehler in »krb5_recvauth«: %s"
+
+#: ../../src/slave/kpropd.c:1275
+#, c-format
+msgid "Error in krb5_copy_prinicpal: %s"
+msgstr "Fehler in »krb5_copy_prinicpal«: %s"
+
+#: ../../src/slave/kpropd.c:1291
+msgid "while unparsing ticket etype"
+msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets"
+
+#: ../../src/slave/kpropd.c:1295
+#, c-format
+msgid "authenticated client: %s (etype == %s)\n"
+msgstr "Authentifizierter Client: %s (etype == %s)\n"
+
+#: ../../src/slave/kpropd.c:1374
+msgid "while reading size of database from client"
+msgstr "beim Lesen der Datenbankgröße vom Client"
+
+#: ../../src/slave/kpropd.c:1384
+msgid "while decoding database size from client"
+msgstr "beim Dekodieren der Datenbankgröße vom Client"
+
+#: ../../src/slave/kpropd.c:1397
+msgid "while initializing i_vector"
+msgstr "beim Initialisieren von »i_vector«"
+
+#: ../../src/slave/kpropd.c:1402
+#, c-format
+msgid "Full propagation transfer started.\n"
+msgstr "vollständige Verbreitungsübertragung gestartet\n"
+
+#: ../../src/slave/kpropd.c:1455
+#, c-format
+msgid "Full propagation transfer finished.\n"
+msgstr "vollständige Verbreitungsübertragung beendet\n"
+
+#: ../../src/slave/kpropd.c:1516
+msgid "while decoding error packet from client"
+msgstr "beim Dekodieren des Fehlerpakets vom Client"
+
+#: ../../src/slave/kpropd.c:1525
+msgid "signaled from server"
+msgstr "signalisiert vom Server"
+
+#: ../../src/slave/kpropd.c:1527
+#, c-format
+msgid "Error text from client: %s\n"
+msgstr "Fehlermeldung vom Client: %s\n"
+
+#: ../../src/slave/kpropd.c:1576
+#, c-format
+msgid "while trying to fork %s"
+msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen"
+
+#: ../../src/slave/kpropd.c:1580
+#, c-format
+msgid "while trying to exec %s"
+msgstr "beim Versuch, %s auszuführen"
+
+#: ../../src/slave/kpropd.c:1587
+#, c-format
+msgid "while waiting for %s"
+msgstr "beim Warten auf %s"
+
+#: ../../src/slave/kpropd.c:1593
+#, c-format
+msgid "%s load terminated"
+msgstr "Laden von %s beendet"
+
+#: ../../src/slave/kpropd.c:1599
+#, c-format
+msgid "%s returned a bad exit status (%d)"
+msgstr "%s gab einen falschen Exit-Status (%d) zurück"
+
+#: ../../src/slave/kproplog.c:27
+#, c-format
+msgid ""
+"\n"
+"Usage: %s [-h] [-v] [-v] [-e num]\n"
+"\t%s -R\n"
+"\n"
+msgstr ""
+"\n"
+"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n"
+"\t%s -R\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:129
+#, c-format
+msgid ""
+"\n"
+"Couldn't allocate memory"
+msgstr ""
+"\n"
+"Speicher konnte nicht reserviert werden"
+
+#: ../../src/slave/kproplog.c:223
+#, c-format
+msgid "\t\tAttribute flags\n"
+msgstr "\t\tAttributschalter\n"
+
+#: ../../src/slave/kproplog.c:228
+#, c-format
+msgid "\t\tMaximum ticket life\n"
+msgstr "\t\tmaximale Ticketlebensdauer\n"
+
+#: ../../src/slave/kproplog.c:233
+#, c-format
+msgid "\t\tMaximum renewable life\n"
+msgstr "\t\tmaximale verlängerbare Lebensdauer\n"
+
+#: ../../src/slave/kproplog.c:238
+#, c-format
+msgid "\t\tPrincipal expiration\n"
+msgstr "\t\tAblauf des Principals\n"
+
+#: ../../src/slave/kproplog.c:243
+#, c-format
+msgid "\t\tPassword expiration\n"
+msgstr "\t\tAblauf des Passworts\n"
+
+#: ../../src/slave/kproplog.c:248
+#, c-format
+msgid "\t\tLast successful auth\n"
+msgstr "\t\tletzte erfolgreiche Authentifizierung\n"
+
+#: ../../src/slave/kproplog.c:253
+#, c-format
+msgid "\t\tLast failed auth\n"
+msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n"
+
+#: ../../src/slave/kproplog.c:258
+#, c-format
+msgid "\t\tFailed passwd attempt\n"
+msgstr "\t\tfehlgeschlagener Passwortversuch\n"
+
+#: ../../src/slave/kproplog.c:263
+#, c-format
+msgid "\t\tPrincipal\n"
+msgstr "\t\tPrincipal\n"
+
+#: ../../src/slave/kproplog.c:268
+#, c-format
+msgid "\t\tKey data\n"
+msgstr "\t\tSchlüsseldaten\n"
+
+#: ../../src/slave/kproplog.c:275
+#, c-format
+msgid "\t\tTL data\n"
+msgstr "\t\tTL-Daten\n"
+
+#: ../../src/slave/kproplog.c:282
+#, c-format
+msgid "\t\tLength\n"
+msgstr "\t\tLänge\n"
+
+#: ../../src/slave/kproplog.c:287
+#, c-format
+msgid "\t\tPassword last changed\n"
+msgstr "\t\tletzte Passwortänderung\n"
+
+#: ../../src/slave/kproplog.c:292
+#, c-format
+msgid "\t\tModifying principal\n"
+msgstr "\t\ttPrincipal wird geändert\n"
+
+#: ../../src/slave/kproplog.c:297
+#, c-format
+msgid "\t\tModification time\n"
+msgstr "\t\tÄnderungszeit\n"
+
+#: ../../src/slave/kproplog.c:302
+#, c-format
+msgid "\t\tModified where\n"
+msgstr "\t\tGeändert wobei\n"
+
+#: ../../src/slave/kproplog.c:307
+#, c-format
+msgid "\t\tPassword policy\n"
+msgstr "\t\tPasswortrichtlinie\n"
+
+#: ../../src/slave/kproplog.c:312
+#, c-format
+msgid "\t\tPassword policy switch\n"
+msgstr "\t\tPasswortrichtlinienumschalter\n"
+
+#: ../../src/slave/kproplog.c:317
+#, c-format
+msgid "\t\tPassword history KVNO\n"
+msgstr "\t\tPasswortchronik KVNO\n"
+
+#: ../../src/slave/kproplog.c:322
+#, c-format
+msgid "\t\tPassword history\n"
+msgstr "\t\tPasswortchronik\n"
+
+#: ../../src/slave/kproplog.c:356
+#, c-format
+msgid ""
+"Corrupt update entry\n"
+"\n"
+msgstr ""
+"beschädigter Aktualisierungseintrag\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:364
+#, c-format
+msgid ""
+"Entry data decode failure\n"
+"\n"
+msgstr ""
+"Dekodieren der eingetragenen Daten fehlgeschlagen\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:369
+#, c-format
+msgid "Update Entry\n"
+msgstr "Aktualisierungseintrag\n"
+
+#: ../../src/slave/kproplog.c:371
+#, c-format
+msgid "\tUpdate serial # : %u\n"
+msgstr "\tAktualisierung der Seriennummer: %u\n"
+
+#: ../../src/slave/kproplog.c:373
+#, c-format
+msgid "\tUpdate operation : "
+msgstr "\tAktualisierungsaktion: "
+
+#: ../../src/slave/kproplog.c:375
+#, c-format
+msgid "Delete\n"
+msgstr "Löschen\n"
+
+#: ../../src/slave/kproplog.c:377
+#, c-format
+msgid "Add\n"
+msgstr "Hinzufügen\n"
+
+#: ../../src/slave/kproplog.c:381
+#, c-format
+msgid ""
+"Could not allocate principal name\n"
+"\n"
+msgstr ""
+"Der Principal-Name konnte nicht reserviert werden.\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:387
+#, c-format
+msgid "\tUpdate principal : %s\n"
+msgstr "\tAktualisierung des Principals: %s\n"
+
+#: ../../src/slave/kproplog.c:389
+#, c-format
+msgid "\tUpdate size : %u\n"
+msgstr "\tGröße der Aktualisierung: %u\n"
+
+#: ../../src/slave/kproplog.c:390
+#, c-format
+msgid "\tUpdate committed : %s\n"
+msgstr "\tAktualisierung übergeben: %s\n"
+
+#: ../../src/slave/kproplog.c:394
+#, c-format
+msgid "\tUpdate time stamp : None\n"
+msgstr "\tZeitstempel der Aktualisierung: keiner\n"
+
+#: ../../src/slave/kproplog.c:396
+#, c-format
+msgid "\tUpdate time stamp : %s"
+msgstr "\tZeitstempel der Aktualisierung: %s"
+
+#: ../../src/slave/kproplog.c:400
+#, c-format
+msgid "\tAttributes changed : %d\n"
+msgstr "\tgeänderte Attribute: %d\n"
+
+#: ../../src/slave/kproplog.c:465
+#, c-format
+msgid ""
+"Unable to initialize Kerberos\n"
+"\n"
+msgstr ""
+"Kerberos kann nicht initialisiert werden\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:472
+#, c-format
+msgid ""
+"Couldn't read database_name\n"
+"\n"
+msgstr ""
+"»database_name« kann nicht gelesen werden\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:476
+#, c-format
+msgid ""
+"\n"
+"Kerberos update log (%s)\n"
+msgstr ""
+"\n"
+"Kerberos-Aktualisierungsprotokoll (%s)\n"
+
+#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495
+#, c-format
+msgid ""
+"Unable to map log file %s\n"
+"\n"
+msgstr ""
+"Protokolldatei %s kann nicht abgebildet werden\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:485
+#, c-format
+msgid ""
+"Couldn't reinitialize ulog file %s\n"
+"\n"
+msgstr ""
+"Ulog-Datei %s konnte nicht neu initialisiert werden\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:489
+#, c-format
+msgid "Reinitialized the ulog.\n"
+msgstr "Das Ulog wurde neu initialisiert.\n"
+
+#: ../../src/slave/kproplog.c:501
+#, c-format
+msgid ""
+"Corrupt header log, exiting\n"
+"\n"
+msgstr ""
+"beschädigtes Kopfzeilenprotokoll, wird beendet\n"
+"\n"
+
+#: ../../src/slave/kproplog.c:505
+#, c-format
+msgid "Update log dump :\n"
+msgstr "Aktualisierungsprotokollauszug :\n"
+
+#: ../../src/slave/kproplog.c:506
+#, c-format
+msgid "\tLog version # : %u\n"
+msgstr "\tProtokollversion #:  %u\n"
+
+#: ../../src/slave/kproplog.c:507
+#, c-format
+msgid "\tLog state : "
+msgstr "\tProtokollstatus: "
+
+#: ../../src/slave/kproplog.c:510
+#, c-format
+msgid "Stable\n"
+msgstr "stabil\n"
+
+#: ../../src/slave/kproplog.c:513
+#, c-format
+msgid "Unstable\n"
+msgstr "instabil\n"
+
+#: ../../src/slave/kproplog.c:516
+#, c-format
+msgid "Corrupt\n"
+msgstr "beschädigt\n"
+
+#: ../../src/slave/kproplog.c:519
+#, c-format
+msgid "Unknown state: %d\n"
+msgstr "unbekannter Status: %d\n"
+
+#: ../../src/slave/kproplog.c:522
+#, c-format
+msgid "\tEntry block size : %u\n"
+msgstr "\tBlockgrößeneintrag: %u\n"
+
+#: ../../src/slave/kproplog.c:523
+#, c-format
+msgid "\tNumber of entries : %u\n"
+msgstr "\tAnzahl der Einträge: %u\n"
+
+#: ../../src/slave/kproplog.c:526
+#, c-format
+msgid "\tLast serial # : None\n"
+msgstr "\tletzte Seriennummer: keine\n"
+
+#: ../../src/slave/kproplog.c:529
+#, c-format
+msgid "\tFirst serial # : None\n"
+msgstr "\terste Seriennummer: keine\n"
+
+#: ../../src/slave/kproplog.c:531
+#, c-format
+msgid "\tFirst serial # : "
+msgstr "\terste Seriennummer: "
+
+#: ../../src/slave/kproplog.c:535
+#, c-format
+msgid "\tLast serial # : "
+msgstr "\tletzte Seriennummer: "
+
+#: ../../src/slave/kproplog.c:540
+#, c-format
+msgid "\tLast time stamp : None\n"
+msgstr "\tletzter Zeitstempel: keiner\n"
+
+#: ../../src/slave/kproplog.c:543
+#, c-format
+msgid "\tFirst time stamp : None\n"
+msgstr "\terster Zeitstempel: keiner\n"
+
+#: ../../src/slave/kproplog.c:545
+#, c-format
+msgid "\tFirst time stamp : %s"
+msgstr "\terster Zeitstempel: %s"
+
+#: ../../src/slave/kproplog.c:549
+#, c-format
+msgid "\tLast time stamp : %s\n"
+msgstr "\tletzter Zeitstempel: %s\n"
+
+#: ../../src/util/support/errors.c:77
+msgid "Kerberos library initialization failure"
+msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen"
+
+#: ../../src/util/support/errors.c:93
+#, c-format
+msgid "error %ld"
+msgstr "Fehler %ld"
+
+#: ../../src/util/support/plugins.c:186
+#, c-format
+msgid "unable to find plugin [%s]: %s"
+msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s"
+
+#: ../../src/util/support/plugins.c:274
+msgid "unknown failure"
+msgstr "unbekannter Fehlschlag"
+
+#: ../../src/util/support/plugins.c:277
+#, c-format
+msgid "unable to load plugin [%s]: %s"
+msgstr "Erweiterung [%s] konnte nicht geladen werden: %s"
+
+#: ../../src/util/support/plugins.c:300
+#, c-format
+msgid "unable to load DLL [%s]"
+msgstr "DLL [%s] konnte nicht geladen werden"
+
+#: ../../src/util/support/plugins.c:316
+#, c-format
+msgid "plugin unavailable: %s"
+msgstr "Erweiterung nicht verfügbar: %s"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:23
+msgid "No @ in SERVICE-NAME name string"
+msgstr "keine @ in der Namenszeichenkette SERVICE-NAME"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:24
+msgid "STRING-UID-NAME contains nondigits"
+msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:25
+msgid "UID does not resolve to username"
+msgstr "UID lässt sich nicht zu Benutzernamen ermitteln"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:26
+msgid "Validation error"
+msgstr "Überprüfungsfehler"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:27
+msgid "Couldn't allocate gss_buffer_t data"
+msgstr "»gss_buffer_t«-Daten konnten reserviert werden"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:28
+msgid "Message context invalid"
+msgstr "Nachrichtenkontext ungültig"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:29
+msgid "Buffer is the wrong size"
+msgstr "Puffer hat die falsche Größe"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:30
+msgid "Credential usage type is unknown"
+msgstr "Typ des Anmeldedatenaufrufs ist unbekannt"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:31
+msgid "Unknown quality of protection specified"
+msgstr "unbekannte Schutzqualität angegeben"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:32
+msgid "Local host name could not be determined"
+msgstr "lokaler Rechnername konnte nicht bestimmt werden"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:33
+msgid "Hostname in SERVICE-NAME string could not be canonicalized"
+msgstr ""
+"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform "
+"gebracht werden"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:34
+msgid "Mechanism is incorrect"
+msgstr "Mechanismus ist nicht korrekt"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:35
+msgid "Token header is malformed or corrupt"
+msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:36
+msgid "Packet was replayed in wrong direction"
+msgstr "Paket wurde in falscher Richtung erneut abgespielt"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:37
+msgid "Token is missing data"
+msgstr "dem Token fehlen Daten"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:38
+msgid "Token was reflected"
+msgstr "Token wurde zurückgeworfen"
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:39
+msgid "Received token ID does not match expected token ID"
+msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung."
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:40
+msgid "The given credential's usage does not match the requested usage"
+msgstr ""
+"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten "
+"Verwendung."
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:41
+msgid "Storing of acceptor credentials is not supported by the mechanism"
+msgstr ""
+"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus "
+"unterstützt."
+
+#: ../lib/gssapi/generic/gssapi_err_generic.c:42
+msgid "Storing of non-default credentials is not supported by the mechanism"
+msgstr ""
+"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus "
+"unterstützt."
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23
+msgid "Principal in credential cache does not match desired name"
+msgstr ""
+"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten "
+"Namen"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24
+msgid "No principal in keytab matches desired name"
+msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen."
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25
+msgid "Credential cache has no TGT"
+msgstr "Anmeldedatenzwischenspeicher hat kein TGT"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26
+msgid "Authenticator has no subkey"
+msgstr "Schlüsselziffer hat keinen Unterschlüssel"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27
+msgid "Context is already fully established"
+msgstr "Kontext wurde bereits vollständig eingerichtet"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28
+msgid "Unknown signature type in token"
+msgstr "unbekannter Signaturtyp im Token"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29
+msgid "Invalid field length in token"
+msgstr "falsche Feldlänge im Token"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30
+msgid "Attempt to use incomplete security context"
+msgstr ""
+"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden."
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31
+msgid "Bad magic number for krb5_gss_ctx_id_t"
+msgstr "falsche magische Zahl für »krb5_gss_ctx_id_t«"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32
+msgid "Bad magic number for krb5_gss_cred_id_t"
+msgstr "falsche magische Zahl für »krb5_gss_cred_id_t«"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33
+msgid "Bad magic number for krb5_gss_enc_desc"
+msgstr "falsche magische Zahl für »krb5_gss_enc_desc«"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34
+msgid "Sequence number in token is corrupt"
+msgstr "Sequnznummer im Token ist beschädigt"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35
+msgid "Credential cache is empty"
+msgstr "Anmeldedatenzwischenspeicher ist leer"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36
+msgid "Acceptor and Initiator share no checksum types"
+msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37
+msgid "Requested lucid context version not supported"
+msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt"
+
+# PRF = Pseudo Random Function
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38
+msgid "PRF input too long"
+msgstr "PRF-Eingabe zu lang"
+
+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39
+msgid "Bad magic number for iakerb_ctx_id_t"
+msgstr "falsche magische Zahl für »iakerb_ctx_id_t«"
+
+#: ../lib/kadm5/chpass_util_strings.c:23
+msgid "while getting policy info."
+msgstr "beim Holen der Richtlinieninformation."
+
+#: ../lib/kadm5/chpass_util_strings.c:24
+msgid "while getting principal info."
+msgstr "beim Holen der Principal-Information."
+
+#: ../lib/kadm5/chpass_util_strings.c:25
+msgid "New passwords do not match - password not changed.\n"
+msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n"
+
+#: ../lib/kadm5/chpass_util_strings.c:26
+msgid "New password"
+msgstr "neues Passwort"
+
+#: ../lib/kadm5/chpass_util_strings.c:27
+msgid "New password (again)"
+msgstr "neues Passwort (erneut)"
+
+#: ../lib/kadm5/chpass_util_strings.c:28
+msgid ""
+"You must type a password. Passwords must be at least one character long.\n"
+msgstr ""
+"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen "
+"lang sein.\n"
+
+#: ../lib/kadm5/chpass_util_strings.c:29
+msgid "yet no policy set!  Contact your system security administrator."
+msgstr ""
+"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren "
+"Systemsicherheitsadministrator"
+
+#: ../lib/kadm5/chpass_util_strings.c:31
+msgid ""
+"New password was found in a dictionary of possible passwords and\n"
+"therefore may be easily guessed. Please choose another password.\n"
+"See the kpasswd man page for help in choosing a good password."
+msgstr ""
+"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern "
+"gefunden\n"
+"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes "
+"Passwort.\n"
+"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n"
+"»kpasswd«."
+
+#: ../lib/kadm5/chpass_util_strings.c:32
+msgid "Password not changed."
+msgstr "Passwort nicht geändert"
+
+#: ../lib/kadm5/chpass_util_strings.c:33
+#, c-format
+msgid ""
+"New password is too short.\n"
+"Please choose a password which is at least %d characters long."
+msgstr ""
+"Das neue Passwort ist zu kurz.\n"
+"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist."
+
+#: ../lib/kadm5/chpass_util_strings.c:34
+#, c-format
+msgid ""
+"New password does not have enough character classes.\n"
+"The character classes are:\n"
+"\t- lower-case letters,\n"
+"\t- upper-case letters,\n"
+"\t- digits,\n"
+"\t- punctuation, and\n"
+"\t- all other characters (e.g., control characters).\n"
+"Please choose a password with at least %d character classes."
+msgstr ""
+"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n"
+"Die Zeichenklassen sind:\n"
+"\t- Kleinbuchstaben,\n"
+"\t- Großbuchstaben,\n"
+"\t- Ziffern,\n"
+"\t- Satzzeichen und\n"
+"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n"
+"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen."
+
+#: ../lib/kadm5/chpass_util_strings.c:35
+#, c-format
+msgid ""
+"Password cannot be changed because it was changed too recently.\n"
+"Please wait until %s before you change it.\n"
+"If you need to change your password before then, contact your system\n"
+"security administrator."
+msgstr ""
+"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert "
+"wurde.\n"
+"Bitte warten Sie bis %s, ehe Sie es ändern.\n"
+"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n"
+"Systemsicherheitsadministrator."
+
+#: ../lib/kadm5/chpass_util_strings.c:36
+msgid "New password was used previously. Please choose a different password."
+msgstr ""
+"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes "
+"Passwort."
+
+#: ../lib/kadm5/chpass_util_strings.c:37
+msgid "while trying to change password."
+msgstr "beim Versuch, das Passwort zu ändern."
+
+#: ../lib/kadm5/chpass_util_strings.c:38
+msgid "while reading new password."
+msgstr "beim Lesen des neuen Passworts."
+
+#: ../lib/kadm5/kadm_err.c:23
+msgid "Operation failed for unspecified reason"
+msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen"
+
+#: ../lib/kadm5/kadm_err.c:24
+msgid "Operation requires ``get'' privilege"
+msgstr "Aktion erfordert »get«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:25
+msgid "Operation requires ``add'' privilege"
+msgstr "Aktion erfordert »add«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:26
+msgid "Operation requires ``modify'' privilege"
+msgstr "Aktion erfordert »modify«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:27
+msgid "Operation requires ``delete'' privilege"
+msgstr "Aktion erfordert »delete«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:28
+msgid "Insufficient authorization for operation"
+msgstr "unzureichende Berechtigung für diese Aktion"
+
+#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29
+msgid "Database inconsistency detected"
+msgstr "Datenbankinkonsistenz entdeckt"
+
+#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24
+msgid "Principal or policy already exists"
+msgstr "Principal oder Richtlinie existiert bereits"
+
+#: ../lib/kadm5/kadm_err.c:31
+msgid "Communication failure with server"
+msgstr "Kommunikation mit dem Server fehlgeschlagen"
+
+#: ../lib/kadm5/kadm_err.c:32
+msgid "No administration server found for realm"
+msgstr "kein Administrationsserver für den Realm gefunden"
+
+#: ../lib/kadm5/kadm_err.c:33
+msgid "Password history principal key version mismatch"
+msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen."
+
+#: ../lib/kadm5/kadm_err.c:34
+msgid "Connection to server not initialized"
+msgstr "Verbindung zum Server nicht initialisiert"
+
+#: ../lib/kadm5/kadm_err.c:35
+msgid "Principal does not exist"
+msgstr "Principal existiert nicht"
+
+#: ../lib/kadm5/kadm_err.c:36
+msgid "Policy does not exist"
+msgstr "Richtlinie existiert nicht"
+
+#: ../lib/kadm5/kadm_err.c:37
+msgid "Invalid field mask for operation"
+msgstr "ungültige Feldmaske für Aktion"
+
+#: ../lib/kadm5/kadm_err.c:38
+msgid "Invalid number of character classes"
+msgstr "ungültige Anzahl von Zeichenklassen"
+
+#: ../lib/kadm5/kadm_err.c:39
+msgid "Invalid password length"
+msgstr "ungültige Passwortlänge"
+
+#: ../lib/kadm5/kadm_err.c:40
+msgid "Illegal policy name"
+msgstr "unzulässiger Richtlinienname"
+
+#: ../lib/kadm5/kadm_err.c:41
+msgid "Illegal principal name"
+msgstr "unzulässiger Principal-Name"
+
+# FIXME s/auxillary/auxilary/
+#: ../lib/kadm5/kadm_err.c:42
+msgid "Invalid auxillary attributes"
+msgstr "ungültige Zusatzattribute"
+
+#: ../lib/kadm5/kadm_err.c:43
+msgid "Invalid password history count"
+msgstr "ungültige Passwortchronikanzahl"
+
+#: ../lib/kadm5/kadm_err.c:44
+msgid "Password minimum life is greater than password maximum life"
+msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale."
+
+#: ../lib/kadm5/kadm_err.c:45
+msgid "Password is too short"
+msgstr "Das Passwort ist zu kurz."
+
+#: ../lib/kadm5/kadm_err.c:46
+msgid "Password does not contain enough character classes"
+msgstr "Das Passwort enthält nicht genug Zeichenklassen."
+
+#: ../lib/kadm5/kadm_err.c:47
+msgid "Password is in the password dictionary"
+msgstr "Das Passwort steht im Passwortwörterbuch."
+
+#: ../lib/kadm5/kadm_err.c:48
+msgid "Cannot reuse password"
+msgstr "Das Passwort kann nicht erneut verwendet werden."
+
+#: ../lib/kadm5/kadm_err.c:49
+msgid "Current password's minimum life has not expired"
+msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen."
+
+#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67
+msgid "Policy is in use"
+msgstr "Richtlinie ist in Benutzung"
+
+#: ../lib/kadm5/kadm_err.c:51
+msgid "Connection to server already initialized"
+msgstr "Verbindung zum Server ist bereits initialisiert"
+
+#: ../lib/kadm5/kadm_err.c:52
+msgid "Incorrect password"
+msgstr "falsches Passwort"
+
+#: ../lib/kadm5/kadm_err.c:53
+msgid "Cannot change protected principal"
+msgstr "geschützter Principal kann nicht geändert werden"
+
+#: ../lib/kadm5/kadm_err.c:54
+msgid "Programmer error! Bad Admin server handle"
+msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator"
+
+#: ../lib/kadm5/kadm_err.c:55
+msgid "Programmer error! Bad API structure version"
+msgstr "Fehler des Programmierers! Falsche API-Strukturversion"
+
+#: ../lib/kadm5/kadm_err.c:56
+msgid ""
+"API structure version specified by application is no longer supported (to "
+"fix, recompile application against current KADM5 API header files and "
+"libraries)"
+msgstr ""
+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
+"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-"
+"Header-Dateien und -Bibliotheken, um dies zu beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:57
+msgid ""
+"API structure version specified by application is unknown to libraries (to "
+"fix, obtain current KADM5 API header files and libraries and recompile "
+"application)"
+msgstr ""
+"Die von der Anwendung angegebene Version der API-Struktur ist den "
+"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-"
+"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu "
+"beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:58
+msgid "Programmer error! Bad API version"
+msgstr "Fehler des Programmierers! Falsche API-Version"
+
+#: ../lib/kadm5/kadm_err.c:59
+msgid ""
+"API version specified by application is no longer supported by libraries (to "
+"fix, update application to adhere to current API version and recompile)"
+msgstr ""
+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
+"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie "
+"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu "
+"beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:60
+msgid ""
+"API version specified by application is no longer supported by server (to "
+"fix, update application to adhere to current API version and recompile)"
+msgstr ""
+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
+"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der "
+"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:61
+msgid ""
+"API version specified by application is unknown to libraries (to fix, obtain "
+"current KADM5 API header files and libraries and recompile application)"
+msgstr ""
+"Die von der Anwendung angegebenene API-Version ist den Bibliotheken "
+"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -"
+"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:62
+msgid ""
+"API version specified by application is unknown to server (to fix, obtain "
+"and install newest KADM5 Admin Server)"
+msgstr ""
+"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. "
+"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies "
+"zu beheben.)"
+
+#: ../lib/kadm5/kadm_err.c:63
+msgid "Database error! Required KADM5 principal missing"
+msgstr "Datenbankfehler! Erforderlicher KADM5-Principal fehlt"
+
+#: ../lib/kadm5/kadm_err.c:64
+msgid "The salt type of the specified principal does not support renaming"
+msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen."
+
+#: ../lib/kadm5/kadm_err.c:65
+msgid "Illegal configuration parameter for remote KADM5 client"
+msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client"
+
+#: ../lib/kadm5/kadm_err.c:66
+msgid "Illegal configuration parameter for local KADM5 client"
+msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client"
+
+#: ../lib/kadm5/kadm_err.c:67
+msgid "Operation requires ``list'' privilege"
+msgstr "Aktion erfordert das »list«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:68
+msgid "Operation requires ``change-password'' privilege"
+msgstr "Aktion erfordert das »change-password«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:69
+msgid "GSS-API (or Kerberos) error"
+msgstr "GSS-API- (oder Kerberos-) Fehler"
+
+#: ../lib/kadm5/kadm_err.c:70
+msgid "Programmer error! Illegal tagged data list type"
+msgstr ""
+"Fehler des Programmierers! Widerrechlicher Listentyp für gekennzeichnete "
+"Daten"
+
+#: ../lib/kadm5/kadm_err.c:71
+msgid "Required parameters in kdc.conf missing"
+msgstr "erforderliche Parameter in »kdc.conf« fehlen"
+
+#: ../lib/kadm5/kadm_err.c:72
+msgid "Bad krb5 admin server hostname"
+msgstr "falscher Rechnername des KRB5-Admin-Servers"
+
+#: ../lib/kadm5/kadm_err.c:73
+msgid "Operation requires ``set-key'' privilege"
+msgstr "Aktion erfordert das »set-key«-Recht"
+
+#: ../lib/kadm5/kadm_err.c:74
+msgid "Multiple values for single or folded enctype"
+msgstr ""
+"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit "
+"Salt"
+
+#: ../lib/kadm5/kadm_err.c:75
+msgid "Invalid enctype for setv4key"
+msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key"
+
+#: ../lib/kadm5/kadm_err.c:76
+msgid "Mismatched enctypes for setkey3"
+msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3"
+
+#: ../lib/kadm5/kadm_err.c:77
+msgid "Missing parameters in krb5.conf required for kadmin client"
+msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«"
+
+#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30
+msgid "XDR encoding error"
+msgstr "XDR-Verschlüsselungsfehler"
+
+#: ../lib/kadm5/kadm_err.c:79
+msgid "Cannot resolve network address for admin server in requested realm"
+msgstr ""
+"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht "
+"aufgelöst werden."
+
+#: ../lib/kadm5/kadm_err.c:80
+msgid "Unspecified password quality failure"
+msgstr "nicht näher angegebener Passwortqualitätsfehlschlag"
+
+#: ../lib/kadm5/kadm_err.c:81
+msgid "Invalid key/salt tuples"
+msgstr "ungültige Schlüssel-/Salt-Tupel"
+
+#: ../lib/kdb/adb_err.c:23
+msgid "No Error"
+msgstr "kein Fehler"
+
+#: ../lib/kdb/adb_err.c:25
+msgid "Principal or policy does not exist"
+msgstr "Principal oder Richtlinie existiert nicht"
+
+#: ../lib/kdb/adb_err.c:26
+msgid "Database not initialized"
+msgstr "Datenbank nicht initialisiert"
+
+#: ../lib/kdb/adb_err.c:27
+msgid "Invalid policy name"
+msgstr "ungültiger Richtlinienname"
+
+#: ../lib/kdb/adb_err.c:28
+msgid "Invalid principal name"
+msgstr "ungültiger Principal-Name"
+
+#: ../lib/kdb/adb_err.c:31
+msgid "Failure!"
+msgstr "Fehlschlag!"
+
+#: ../lib/kdb/adb_err.c:32
+msgid "Bad lock mode"
+msgstr "falscher Sperrmodus"
+
+#: ../lib/kdb/adb_err.c:33
+msgid "Cannot lock database"
+msgstr "Datenbank kann nicht gesperrt werden"
+
+#: ../lib/kdb/adb_err.c:34
+msgid "Database not locked"
+msgstr "Datenbank nicht gesperrt"
+
+#: ../lib/kdb/adb_err.c:35
+msgid "KADM5 administration database lock file missing"
+msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt"
+
+#: ../lib/kdb/adb_err.c:36
+msgid "Insufficient permission to lock file"
+msgstr "keine ausreichenden Rechte zum Sperren der Datei"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:23
+msgid "Plugin does not support interface version"
+msgstr "Erweiterung unterstützt nicht die Schnittstellenversion"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:24
+msgid "Invalid module specifier"
+msgstr "ungültige Modulangabe"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:25
+msgid "Plugin module name not found"
+msgstr "Erweiterungsmodulname nicht gefunden"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:26
+msgid "The KDC should discard this request"
+msgstr "Das KDC sollte diese Anfrage verwerfen"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:27
+msgid "Can't create new subsidiary cache"
+msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:28
+msgid "Invalid keyring anchor name"
+msgstr "ungültiger Schlüsselbundverankerungsname"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:29
+msgid "Unknown keyring collection version"
+msgstr "unbekannte Schlüsselbundsammlungsversion"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:30
+msgid "Invalid UID in persistent keyring name"
+msgstr "ungültige UID im beständigen Schlüsselbundnamen"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:31
+msgid "Malformed reply from KCM daemon"
+msgstr "Antwort des KCM-Daemons hat die falsche Form"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:32
+msgid "Mach RPC error communicating with KCM daemon"
+msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:33
+msgid "KCM daemon reply too big"
+msgstr "Antwort des KCM-Daemons zu groß"
+
+#: ../lib/krb5/error_tables/k5e1_err.c:34
+msgid "No KCM server found"
+msgstr "Kein KCM-Server gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:24
+msgid "Client's entry in database has expired"
+msgstr "Eintrag des Clients in der Datenbank ist abgelaufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:25
+msgid "Server's entry in database has expired"
+msgstr "Eintrag des Servers in der Datenbank ist abgelaufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:26
+msgid "Requested protocol version not supported"
+msgstr "angeforderte Protokollversion nicht unterstützt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:27
+msgid "Client's key is encrypted in an old master key"
+msgstr ""
+"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt."
+
+#: ../lib/krb5/error_tables/krb5_err.c:28
+msgid "Server's key is encrypted in an old master key"
+msgstr ""
+"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt."
+
+#: ../lib/krb5/error_tables/krb5_err.c:29
+msgid "Client not found in Kerberos database"
+msgstr "Client nicht in der Kerberos-Datenbank gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:30
+msgid "Server not found in Kerberos database"
+msgstr "Server nicht in der Kerberos-Datenbank gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:31
+msgid "Principal has multiple entries in Kerberos database"
+msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge"
+
+#: ../lib/krb5/error_tables/krb5_err.c:32
+msgid "Client or server has a null key"
+msgstr "Client oder Server hat einen Nullschlüssel"
+
+#: ../lib/krb5/error_tables/krb5_err.c:33
+msgid "Ticket is ineligible for postdating"
+msgstr "Ticket ist zum Vordatieren ungeeignet"
+
+#: ../lib/krb5/error_tables/krb5_err.c:34
+msgid "Requested effective lifetime is negative or too short"
+msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz."
+
+#: ../lib/krb5/error_tables/krb5_err.c:35
+msgid "KDC policy rejects request"
+msgstr "KDC-Richtlinie weist die Anfrage zurück"
+
+#: ../lib/krb5/error_tables/krb5_err.c:36
+msgid "KDC can't fulfill requested option"
+msgstr "KDC kann erforderliche Option nicht erfüllen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:37
+msgid "KDC has no support for encryption type"
+msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:38
+msgid "KDC has no support for checksum type"
+msgstr "KDC unterstützt diesen Prüfsummentyp nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:39
+msgid "KDC has no support for padata type"
+msgstr "KDC unterstützt diesen Padata-Typ nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:40
+msgid "KDC has no support for transited type"
+msgstr "KDC unterstützt diesen Übergangstyp nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:41
+msgid "Clients credentials have been revoked"
+msgstr "Anmeldedaten des Clients wurden widerrufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:42
+msgid "Credentials for server have been revoked"
+msgstr "Anmeldedaten für den Server wurden widerrufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:43
+msgid "TGT has been revoked"
+msgstr "TGT wurde widerrufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:44
+msgid "Client not yet valid - try again later"
+msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal"
+
+#: ../lib/krb5/error_tables/krb5_err.c:45
+msgid "Server not yet valid - try again later"
+msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal"
+
+#: ../lib/krb5/error_tables/krb5_err.c:46
+msgid "Password has expired"
+msgstr "Passwort ist abgelaufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:47
+msgid "Preauthentication failed"
+msgstr "Vorauthentifizierung fehlgeschlagen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:48
+msgid "Additional pre-authentication required"
+msgstr "zusätzlich Vorauthentifizierung erforderlich"
+
+#: ../lib/krb5/error_tables/krb5_err.c:49
+msgid "Requested server and ticket don't match"
+msgstr "abgefragter Server und Ticket passen nicht zusammen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:50
+msgid "Server principal valid for user2user only"
+msgstr "Der Server-Principal ist nur für »user2user« gültig"
+
+#: ../lib/krb5/error_tables/krb5_err.c:51
+msgid "KDC policy rejects transited path"
+msgstr "KDC-Richtlinie verwirft durchgereichten Pfad"
+
+#: ../lib/krb5/error_tables/krb5_err.c:52
+msgid "A service is not available that is required to process the request"
+msgstr ""
+"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht "
+"verfügbar."
+
+#: ../lib/krb5/error_tables/krb5_err.c:53
+msgid "KRB5 error code 30"
+msgstr "KRB5-Fehlercode 30"
+
+#: ../lib/krb5/error_tables/krb5_err.c:54
+msgid "Decrypt integrity check failed"
+msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:55
+msgid "Ticket expired"
+msgstr "Ticket abgelaufen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:56
+msgid "Ticket not yet valid"
+msgstr "Ticket noch nicht gültig"
+
+#: ../lib/krb5/error_tables/krb5_err.c:57
+msgid "Request is a replay"
+msgstr "Anfrage ist eine Wiederholung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:58
+msgid "The ticket isn't for us"
+msgstr "Das Ticket ist nicht für uns."
+
+#: ../lib/krb5/error_tables/krb5_err.c:59
+msgid "Ticket/authenticator don't match"
+msgstr "Ticket/Schlüsselziffer passen nicht zueinander"
+
+#: ../lib/krb5/error_tables/krb5_err.c:60
+msgid "Clock skew too great"
+msgstr "Uhrzeitabweichung zu groß"
+
+#: ../lib/krb5/error_tables/krb5_err.c:61
+msgid "Incorrect net address"
+msgstr "falsche Netzwerkadresse"
+
+#: ../lib/krb5/error_tables/krb5_err.c:62
+msgid "Protocol version mismatch"
+msgstr "Protokollversion passt nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:63
+msgid "Invalid message type"
+msgstr "ungültiger Nachrichtentyp"
+
+#: ../lib/krb5/error_tables/krb5_err.c:64
+msgid "Message stream modified"
+msgstr "Nachrichtendatenstrom geändert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:65
+msgid "Message out of order"
+msgstr "Nachricht nicht in Ordnung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:66
+msgid "Illegal cross-realm ticket"
+msgstr "Widerrechliches Realm-übergreifendes Ticket"
+
+#: ../lib/krb5/error_tables/krb5_err.c:67
+msgid "Key version is not available"
+msgstr "Schlüsselversion ist nicht verfügbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:68
+msgid "Service key not available"
+msgstr "Dienstschlüssel nicht verfügbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:69
+#: ../lib/krb5/error_tables/krb5_err.c:181
+msgid "Mutual authentication failed"
+msgstr "gegenseitige Authentifizierung fehlgeschlagen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:70
+msgid "Incorrect message direction"
+msgstr "falsche Nachrichtenrichtung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:71
+msgid "Alternative authentication method required"
+msgstr "alternative Authentifizierungsmethode erforderlich"
+
+#: ../lib/krb5/error_tables/krb5_err.c:72
+msgid "Incorrect sequence number in message"
+msgstr "falsche Sequenznummer in der Nachricht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:73
+msgid "Inappropriate type of checksum in message"
+msgstr "ungeeigneter Prüfsummentyp in der Nachricht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:74
+msgid "Policy rejects transited path"
+msgstr "Richtlinie verwirft durchgereichten Pfad"
+
+#: ../lib/krb5/error_tables/krb5_err.c:75
+msgid "Response too big for UDP, retry with TCP"
+msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP"
+
+#: ../lib/krb5/error_tables/krb5_err.c:76
+msgid "KRB5 error code 53"
+msgstr "KRB5-Fehlercode 53"
+
+#: ../lib/krb5/error_tables/krb5_err.c:77
+msgid "KRB5 error code 54"
+msgstr "KRB5-Fehlercode 54"
+
+#: ../lib/krb5/error_tables/krb5_err.c:78
+msgid "KRB5 error code 55"
+msgstr "KRB5-Fehlercode 55"
+
+#: ../lib/krb5/error_tables/krb5_err.c:79
+msgid "KRB5 error code 56"
+msgstr "KRB5-Fehlercode 56"
+
+#: ../lib/krb5/error_tables/krb5_err.c:80
+msgid "KRB5 error code 57"
+msgstr "KRB5-Fehlercode 57"
+
+#: ../lib/krb5/error_tables/krb5_err.c:81
+msgid "KRB5 error code 58"
+msgstr "KRB5-Fehlercode 58"
+
+#: ../lib/krb5/error_tables/krb5_err.c:82
+msgid "KRB5 error code 59"
+msgstr "KRB5-Fehlercode 59"
+
+#: ../lib/krb5/error_tables/krb5_err.c:83
+msgid "Generic error (see e-text)"
+msgstr "allgemeiner Fehler (siehe E-Text)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:84
+msgid "Field is too long for this implementation"
+msgstr "Feld ist für diese Implementierung zu lang"
+
+#: ../lib/krb5/error_tables/krb5_err.c:85
+msgid "Client not trusted"
+msgstr "Client nicht vertrauenswürdig"
+
+#: ../lib/krb5/error_tables/krb5_err.c:86
+msgid "KDC not trusted"
+msgstr "KDC nicht vertrauenswürdig"
+
+#: ../lib/krb5/error_tables/krb5_err.c:87
+msgid "Invalid signature"
+msgstr "ungültige Signatur"
+
+#: ../lib/krb5/error_tables/krb5_err.c:88
+msgid "Key parameters not accepted"
+msgstr "Schlüsselparameter nicht akzeptiert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:89
+msgid "Certificate mismatch"
+msgstr "Zertifikat passt nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:90
+msgid "No ticket granting ticket"
+msgstr "kein ticketgewährendes Ticket"
+
+#: ../lib/krb5/error_tables/krb5_err.c:91
+msgid "Realm not local to KDC"
+msgstr "Realm für KDC nicht lokal"
+
+#: ../lib/krb5/error_tables/krb5_err.c:92
+msgid "User to user required"
+msgstr "Benutzer-zu-Benutzer erforderlich"
+
+#: ../lib/krb5/error_tables/krb5_err.c:93
+msgid "Can't verify certificate"
+msgstr "Zertifikat kann nicht überprüft werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:94
+msgid "Invalid certificate"
+msgstr "ungültiges Zertifikat"
+
+#: ../lib/krb5/error_tables/krb5_err.c:95
+msgid "Revoked certificate"
+msgstr "widerrufenes Zertifikat"
+
+#: ../lib/krb5/error_tables/krb5_err.c:96
+msgid "Revocation status unknown"
+msgstr "Widerrufsstatus unbekannt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:97
+msgid "Revocation status unavailable"
+msgstr "Widerrufsstatus nicht verfügbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:98
+msgid "Client name mismatch"
+msgstr "Client-Name passt nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:99
+msgid "KDC name mismatch"
+msgstr "KDC-Name passt nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:100
+msgid "Inconsistent key purpose"
+msgstr "inkonstistenter Schlüsselzweck"
+
+#: ../lib/krb5/error_tables/krb5_err.c:101
+msgid "Digest in certificate not accepted"
+msgstr "Kurzfassung im Zertifikat nicht akzeptiert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:102
+msgid "Checksum must be included"
+msgstr "Prüfsumme muss enthalten sein"
+
+#: ../lib/krb5/error_tables/krb5_err.c:103
+msgid "Digest in signed-data not accepted"
+msgstr "Kurzfassung in signierten Daten nicht akzeptiert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:104
+msgid "Public key encryption not supported"
+msgstr "Asymetrische Verschlüsselung nicht unterstützt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:105
+msgid "KRB5 error code 82"
+msgstr "KRB5-Fehlercode 82"
+
+#: ../lib/krb5/error_tables/krb5_err.c:106
+msgid "KRB5 error code 83"
+msgstr "KRB5-Fehlercode 83"
+
+#: ../lib/krb5/error_tables/krb5_err.c:107
+msgid "KRB5 error code 84"
+msgstr "KRB5-Fehlercode 84"
+
+#: ../lib/krb5/error_tables/krb5_err.c:108
+msgid "The IAKERB proxy could not find a KDC"
+msgstr "Der IAKERB-Proxy konnte kein KDC finden."
+
+#: ../lib/krb5/error_tables/krb5_err.c:109
+msgid "The KDC did not respond to the IAKERB proxy"
+msgstr "Das KDC anwortete dem IAKERB-Proxy nicht."
+
+#: ../lib/krb5/error_tables/krb5_err.c:110
+msgid "KRB5 error code 87"
+msgstr "KRB5-Fehlercode 87"
+
+#: ../lib/krb5/error_tables/krb5_err.c:111
+msgid "KRB5 error code 88"
+msgstr "KRB5-Fehlercode 88"
+
+#: ../lib/krb5/error_tables/krb5_err.c:112
+msgid "KRB5 error code 89"
+msgstr "KRB5-Fehlercode 89"
+
+#: ../lib/krb5/error_tables/krb5_err.c:113
+msgid "KRB5 error code 90"
+msgstr "KRB5-Fehlercode 90"
+
+#: ../lib/krb5/error_tables/krb5_err.c:114
+msgid "KRB5 error code 91"
+msgstr "KRB5-Fehlercode 91"
+
+#: ../lib/krb5/error_tables/krb5_err.c:115
+msgid "KRB5 error code 92"
+msgstr "KRB5-Fehlercode 92"
+
+#: ../lib/krb5/error_tables/krb5_err.c:116
+msgid "An unsupported critical FAST option was requested"
+msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert."
+
+#: ../lib/krb5/error_tables/krb5_err.c:117
+msgid "KRB5 error code 94"
+msgstr "KRB5-Fehlercode 94"
+
+#: ../lib/krb5/error_tables/krb5_err.c:118
+msgid "KRB5 error code 95"
+msgstr "KRB5-Fehlercode 95"
+
+#: ../lib/krb5/error_tables/krb5_err.c:119
+msgid "KRB5 error code 96"
+msgstr "KRB5-Fehlercode 96"
+
+#: ../lib/krb5/error_tables/krb5_err.c:120
+msgid "KRB5 error code 97"
+msgstr "KRB5-Fehlercode 97"
+
+#: ../lib/krb5/error_tables/krb5_err.c:121
+msgid "KRB5 error code 98"
+msgstr "KRB5-Fehlercode 98"
+
+#: ../lib/krb5/error_tables/krb5_err.c:122
+msgid "KRB5 error code 99"
+msgstr "KRB5-Fehlercode 99"
+
+#: ../lib/krb5/error_tables/krb5_err.c:123
+msgid "No acceptable KDF offered"
+msgstr "kein akzeptables KDF angeboten"
+
+#: ../lib/krb5/error_tables/krb5_err.c:124
+msgid "KRB5 error code 101"
+msgstr "KRB5-Fehlercode 101"
+
+#: ../lib/krb5/error_tables/krb5_err.c:125
+msgid "KRB5 error code 102"
+msgstr "KRB5-Fehlercode 102"
+
+#: ../lib/krb5/error_tables/krb5_err.c:126
+msgid "KRB5 error code 103"
+msgstr "KRB5-Fehlercode 103"
+
+#: ../lib/krb5/error_tables/krb5_err.c:127
+msgid "KRB5 error code 104"
+msgstr "KRB5-Fehlercode 104"
+
+#: ../lib/krb5/error_tables/krb5_err.c:128
+msgid "KRB5 error code 105"
+msgstr "KRB5-Fehlercode 105"
+
+#: ../lib/krb5/error_tables/krb5_err.c:129
+msgid "KRB5 error code 106"
+msgstr "KRB5-Fehlercode 106"
+
+#: ../lib/krb5/error_tables/krb5_err.c:130
+msgid "KRB5 error code 107"
+msgstr "KRB5-Fehlercode 107"
+
+#: ../lib/krb5/error_tables/krb5_err.c:131
+msgid "KRB5 error code 108"
+msgstr "KRB5-Fehlercode 108"
+
+#: ../lib/krb5/error_tables/krb5_err.c:132
+msgid "KRB5 error code 109"
+msgstr "KRB5-Fehlercode 109"
+
+#: ../lib/krb5/error_tables/krb5_err.c:133
+msgid "KRB5 error code 110"
+msgstr "KRB5-Fehlercode 110"
+
+#: ../lib/krb5/error_tables/krb5_err.c:134
+msgid "KRB5 error code 111"
+msgstr "KRB5-Fehlercode 111"
+
+#: ../lib/krb5/error_tables/krb5_err.c:135
+msgid "KRB5 error code 112"
+msgstr "KRB5-Fehlercode 112"
+
+#: ../lib/krb5/error_tables/krb5_err.c:136
+msgid "KRB5 error code 113"
+msgstr "KRB5-Fehlercode 113"
+
+#: ../lib/krb5/error_tables/krb5_err.c:137
+msgid "KRB5 error code 114"
+msgstr "KRB5-Fehlercode 114"
+
+#: ../lib/krb5/error_tables/krb5_err.c:138
+msgid "KRB5 error code 115"
+msgstr "KRB5-Fehlercode 115"
+
+#: ../lib/krb5/error_tables/krb5_err.c:139
+msgid "KRB5 error code 116"
+msgstr "KRB5-Fehlercode 116"
+
+#: ../lib/krb5/error_tables/krb5_err.c:140
+msgid "KRB5 error code 117"
+msgstr "KRB5-Fehlercode 117"
+
+#: ../lib/krb5/error_tables/krb5_err.c:141
+msgid "KRB5 error code 118"
+msgstr "KRB5-Fehlercode 118"
+
+#: ../lib/krb5/error_tables/krb5_err.c:142
+msgid "KRB5 error code 119"
+msgstr "KRB5-Fehlercode 119"
+
+#: ../lib/krb5/error_tables/krb5_err.c:143
+msgid "KRB5 error code 120"
+msgstr "KRB5-Fehlercode 120"
+
+#: ../lib/krb5/error_tables/krb5_err.c:144
+msgid "KRB5 error code 121"
+msgstr "KRB5-Fehlercode 121"
+
+#: ../lib/krb5/error_tables/krb5_err.c:145
+msgid "KRB5 error code 122"
+msgstr "KRB5-Fehlercode 122"
+
+#: ../lib/krb5/error_tables/krb5_err.c:146
+msgid "KRB5 error code 123"
+msgstr "KRB5-Fehlercode 123"
+
+#: ../lib/krb5/error_tables/krb5_err.c:147
+msgid "KRB5 error code 124"
+msgstr "KRB5-Fehlercode 124"
+
+#: ../lib/krb5/error_tables/krb5_err.c:148
+msgid "KRB5 error code 125"
+msgstr "KRB5-Fehlercode 125"
+
+#: ../lib/krb5/error_tables/krb5_err.c:149
+msgid "KRB5 error code 126"
+msgstr "KRB5-Fehlercode 126"
+
+#: ../lib/krb5/error_tables/krb5_err.c:150
+msgid "KRB5 error code 127"
+msgstr "KRB5-Fehlercode 127"
+
+#: ../lib/krb5/error_tables/krb5_err.c:151
+#: ../lib/krb5/error_tables/kdb5_err.c:23
+msgid "$Id$"
+msgstr "$Id$"
+
+#: ../lib/krb5/error_tables/krb5_err.c:152
+msgid "Invalid flag for file lock mode"
+msgstr "ungültiger Schalter für den Datei-Sperrmodus"
+
+#: ../lib/krb5/error_tables/krb5_err.c:153
+msgid "Cannot read password"
+msgstr "Passwort kann nicht gelesen werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:154
+msgid "Password mismatch"
+msgstr "Passwort stimmt nicht überein"
+
+#: ../lib/krb5/error_tables/krb5_err.c:155
+msgid "Password read interrupted"
+msgstr "Lesen des Passworts unterbrochen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:156
+msgid "Illegal character in component name"
+msgstr "ungültiges Zeichen in Komponentenname"
+
+#: ../lib/krb5/error_tables/krb5_err.c:157
+msgid "Malformed representation of principal"
+msgstr "Darstellung des Principals in falscher Form"
+
+#: ../lib/krb5/error_tables/krb5_err.c:158
+msgid "Can't open/find Kerberos configuration file"
+msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:159
+msgid "Improper format of Kerberos configuration file"
+msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet"
+
+#: ../lib/krb5/error_tables/krb5_err.c:160
+msgid "Insufficient space to return complete information"
+msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus"
+
+#: ../lib/krb5/error_tables/krb5_err.c:161
+msgid "Invalid message type specified for encoding"
+msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig"
+
+#: ../lib/krb5/error_tables/krb5_err.c:162
+msgid "Credential cache name malformed"
+msgstr "falsche Form des Anmeldedatenzwischenspeichernamens"
+
+#: ../lib/krb5/error_tables/krb5_err.c:163
+msgid "Unknown credential cache type"
+msgstr "unbekannter Anmeldedatenzwischenspeichertyp"
+
+#: ../lib/krb5/error_tables/krb5_err.c:164
+msgid "Matching credential not found"
+msgstr "keine passenden Anmeldedaten gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:165
+msgid "End of credential cache reached"
+msgstr "Ende des Anmeldedatenzwischenspeichers erreicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:166
+msgid "Request did not supply a ticket"
+msgstr "Anfrage lieferte kein Ticket"
+
+#: ../lib/krb5/error_tables/krb5_err.c:167
+msgid "Wrong principal in request"
+msgstr "falscher Principal in der Anfrage"
+
+#: ../lib/krb5/error_tables/krb5_err.c:168
+msgid "Ticket has invalid flag set"
+msgstr "Das Ticket hat einen falsch gesetzten Schalter."
+
+#: ../lib/krb5/error_tables/krb5_err.c:169
+msgid "Requested principal and ticket don't match"
+msgstr "angeforderter Principal und Ticket passen nicht zusammen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:170
+msgid "KDC reply did not match expectations"
+msgstr "KDC-Antwort entsprach nicht den Erwartungen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:171
+msgid "Clock skew too great in KDC reply"
+msgstr "Zeitversatz in der KDC-Antwort zu groß"
+
+#: ../lib/krb5/error_tables/krb5_err.c:172
+msgid "Client/server realm mismatch in initial ticket request"
+msgstr ""
+"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen."
+
+#: ../lib/krb5/error_tables/krb5_err.c:173
+msgid "Program lacks support for encryption type"
+msgstr ""
+"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp."
+
+#: ../lib/krb5/error_tables/krb5_err.c:174
+msgid "Program lacks support for key type"
+msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp."
+
+#: ../lib/krb5/error_tables/krb5_err.c:175
+msgid "Requested encryption type not used in message"
+msgstr ""
+"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet."
+
+#: ../lib/krb5/error_tables/krb5_err.c:176
+msgid "Program lacks support for checksum type"
+msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp."
+
+#: ../lib/krb5/error_tables/krb5_err.c:177
+msgid "Cannot find KDC for requested realm"
+msgstr "KDC für angeforderten Realm kann nicht gefunden werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:178
+msgid "Kerberos service unknown"
+msgstr "Kerberos-Dienst unbekannt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:179
+msgid "Cannot contact any KDC for requested realm"
+msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden."
+
+#: ../lib/krb5/error_tables/krb5_err.c:180
+msgid "No local name found for principal name"
+msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden."
+
+#: ../lib/krb5/error_tables/krb5_err.c:182
+msgid "Replay cache type is already registered"
+msgstr "Wiederholungszwischenspeichertyp ist bereits registriert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:183
+msgid "No more memory to allocate (in replay cache code)"
+msgstr ""
+"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:184
+msgid "Replay cache type is unknown"
+msgstr "Wiederholungszwischenspeichertyp ist unbekannt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:185
+msgid "Generic unknown RC error"
+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler"
+
+#: ../lib/krb5/error_tables/krb5_err.c:186
+msgid "Message is a replay"
+msgstr "Nachricht ist eine Wiederholung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:187
+msgid "Replay cache I/O operation failed"
+msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:188
+msgid "Replay cache type does not support non-volatile storage"
+msgstr ""
+"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher"
+
+#: ../lib/krb5/error_tables/krb5_err.c:189
+msgid "Replay cache name parse/format error"
+msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens"
+
+#: ../lib/krb5/error_tables/krb5_err.c:190
+msgid "End-of-file on replay cache I/O"
+msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers"
+
+#: ../lib/krb5/error_tables/krb5_err.c:191
+msgid "No more memory to allocate (in replay cache I/O code)"
+msgstr ""
+"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-"
+"Code)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:192
+msgid "Permission denied in replay cache code"
+msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:193
+msgid "I/O error in replay cache i/o code"
+msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code"
+
+#: ../lib/krb5/error_tables/krb5_err.c:194
+msgid "Generic unknown RC/IO error"
+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler"
+
+#: ../lib/krb5/error_tables/krb5_err.c:195
+msgid "Insufficient system space to store replay information"
+msgstr ""
+"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:196
+msgid "Can't open/find realm translation file"
+msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:197
+msgid "Improper format of realm translation file"
+msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet"
+
+#: ../lib/krb5/error_tables/krb5_err.c:198
+msgid "Can't open/find lname translation database"
+msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:199
+msgid "No translation available for requested principal"
+msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar."
+
+#: ../lib/krb5/error_tables/krb5_err.c:200
+msgid "Improper format of translation database entry"
+msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet"
+
+#: ../lib/krb5/error_tables/krb5_err.c:201
+msgid "Cryptosystem internal error"
+msgstr "interner Fehler des Verschlüsselungssystems"
+
+#: ../lib/krb5/error_tables/krb5_err.c:202
+msgid "Key table name malformed"
+msgstr "falsche Form des Schlüsseltabellennamens"
+
+#: ../lib/krb5/error_tables/krb5_err.c:203
+msgid "Unknown Key table type"
+msgstr "unbekannter Schlüsseltabellentyp"
+
+#: ../lib/krb5/error_tables/krb5_err.c:204
+msgid "Key table entry not found"
+msgstr "Schlüsseltabelleneintrag nicht gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:205
+msgid "End of key table reached"
+msgstr "Ende der Schlüsseltabelle erreicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:206
+msgid "Cannot write to specified key table"
+msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:207
+msgid "Error writing to key table"
+msgstr "Fehler beim Schreiben in Schlüsseltabelle"
+
+#: ../lib/krb5/error_tables/krb5_err.c:208
+msgid "Cannot find ticket for requested realm"
+msgstr "Ticket für angeforderten Realm kann nicht gefunden werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:209
+msgid "DES key has bad parity"
+msgstr "DES-Schlüssel hat falsche Parität"
+
+#: ../lib/krb5/error_tables/krb5_err.c:210
+msgid "DES key is a weak key"
+msgstr "DES-Schlüssel ist schwach"
+
+#: ../lib/krb5/error_tables/krb5_err.c:211
+msgid "Bad encryption type"
+msgstr "falscher Verschlüsselungstyp"
+
+#: ../lib/krb5/error_tables/krb5_err.c:212
+msgid "Key size is incompatible with encryption type"
+msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel"
+
+#: ../lib/krb5/error_tables/krb5_err.c:213
+msgid "Message size is incompatible with encryption type"
+msgstr "Nachrichtengröße ist nicht mit Verschlüsselungstyp kompatibel"
+
+#: ../lib/krb5/error_tables/krb5_err.c:214
+msgid "Credentials cache type is already registered."
+msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:215
+msgid "Key table type is already registered."
+msgstr "Schlüsseltabellentyp ist bereits registriert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:216
+msgid "Credentials cache I/O operation failed XXX"
+msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX"
+
+#: ../lib/krb5/error_tables/krb5_err.c:217
+msgid "Credentials cache permissions incorrect"
+msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:218
+msgid "No credentials cache found"
+msgstr "kein Anmeldedatenzwischenspeicher gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:219
+msgid "Internal credentials cache error"
+msgstr "interner Anmeldedatenzwischenspeicherfehler"
+
+#: ../lib/krb5/error_tables/krb5_err.c:220
+msgid "Error writing to credentials cache"
+msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher"
+
+#: ../lib/krb5/error_tables/krb5_err.c:221
+msgid "No more memory to allocate (in credentials cache code)"
+msgstr ""
+"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:222
+msgid "Bad format in credentials cache"
+msgstr "falsches Format im Anmeldedatenzwischenspeicher"
+
+#: ../lib/krb5/error_tables/krb5_err.c:223
+msgid "No credentials found with supported encryption types"
+msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:224
+msgid "Invalid KDC option combination (library internal error)"
+msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:225
+msgid "Request missing second ticket"
+msgstr "Der Anfrage fehlt das zweite Ticket."
+
+#: ../lib/krb5/error_tables/krb5_err.c:226
+msgid "No credentials supplied to library routine"
+msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:227
+msgid "Bad sendauth version was sent"
+msgstr "Es wurde eine falsche Sendauth-Version verschickt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:228
+msgid "Bad application version was sent (via sendauth)"
+msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:229
+msgid "Bad response (during sendauth exchange)"
+msgstr "falsche Antwort (beim Sendauth-Austausch)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:230
+msgid "Server rejected authentication (during sendauth exchange)"
+msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück"
+
+#: ../lib/krb5/error_tables/krb5_err.c:231
+msgid "Unsupported preauthentication type"
+msgstr "nicht unterstützter Vorauthentifizierungstyp"
+
+#: ../lib/krb5/error_tables/krb5_err.c:232
+msgid "Required preauthentication key not supplied"
+msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:233
+msgid "Generic preauthentication failure"
+msgstr "allgemeiner Fehlschlag der Vorauthentifizierung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:234
+msgid "Unsupported replay cache format version number"
+msgstr ""
+"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers"
+
+#: ../lib/krb5/error_tables/krb5_err.c:235
+msgid "Unsupported credentials cache format version number"
+msgstr ""
+"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers"
+
+#: ../lib/krb5/error_tables/krb5_err.c:236
+msgid "Unsupported key table format version number"
+msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle"
+
+#: ../lib/krb5/error_tables/krb5_err.c:237
+msgid "Program lacks support for address type"
+msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps."
+
+#: ../lib/krb5/error_tables/krb5_err.c:238
+msgid "Message replay detection requires rcache parameter"
+msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«"
+
+#: ../lib/krb5/error_tables/krb5_err.c:239
+msgid "Hostname cannot be canonicalized"
+msgstr "Rechnername kann nicht in Normalform gebracht werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:240
+msgid "Cannot determine realm for host"
+msgstr "Realm für Rechner kann nicht bestimmt werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:241
+msgid "Conversion to service principal undefined for name type"
+msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:242
+msgid "Initial Ticket response appears to be Version 4 error"
+msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein"
+
+#: ../lib/krb5/error_tables/krb5_err.c:243
+msgid "Cannot resolve network address for KDC in requested realm"
+msgstr ""
+"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:244
+msgid "Requesting ticket can't get forwardable tickets"
+msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen"
+
+#: ../lib/krb5/error_tables/krb5_err.c:245
+msgid "Bad principal name while trying to forward credentials"
+msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten"
+
+#: ../lib/krb5/error_tables/krb5_err.c:246
+msgid "Looping detected inside krb5_get_in_tkt"
+msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:247
+msgid "Configuration file does not specify default realm"
+msgstr "Konfigurationsdatei gibt keinen Standard-Realm an"
+
+#: ../lib/krb5/error_tables/krb5_err.c:248
+msgid "Bad SAM flags in obtain_sam_padata"
+msgstr "falsche SAM-Schalter in »obtain_sam_padata«"
+
+#: ../lib/krb5/error_tables/krb5_err.c:249
+msgid "Invalid encryption type in SAM challenge"
+msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:250
+msgid "Missing checksum in SAM challenge"
+msgstr "fehlende Prüfsumme in der SAM-Aufforderung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:251
+msgid "Bad checksum in SAM challenge"
+msgstr "falsche Prüfsumme in der SAM-Aufforderung"
+
+#: ../lib/krb5/error_tables/krb5_err.c:252
+msgid "Keytab name too long"
+msgstr "Schlüsseltabellennamen zu lang"
+
+#: ../lib/krb5/error_tables/krb5_err.c:253
+msgid "Key version number for principal in key table is incorrect"
+msgstr ""
+"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht "
+"korrekt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:254
+msgid "This application has expired"
+msgstr "Diese Anwendung ist abgelaufen."
+
+#: ../lib/krb5/error_tables/krb5_err.c:255
+msgid "This Krb5 library has expired"
+msgstr "Diese Krb5-Bibliothek ist abgelaufen."
+
+#: ../lib/krb5/error_tables/krb5_err.c:256
+msgid "New password cannot be zero length"
+msgstr "Das neue Passwort kann nicht die Länge Null haben."
+
+#: ../lib/krb5/error_tables/krb5_err.c:258
+msgid "Bad format in keytab"
+msgstr "falsches Format in der Schlüsseltabelle"
+
+#: ../lib/krb5/error_tables/krb5_err.c:259
+msgid "Encryption type not permitted"
+msgstr "Verschlüsselungstyp nicht erlaubt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:260
+msgid "No supported encryption types (config file error?)"
+msgstr ""
+"keine unterstützten Verschlüsselungstypen (Fehler in der "
+"Konfigurationsdatei?)"
+
+#: ../lib/krb5/error_tables/krb5_err.c:261
+msgid "Program called an obsolete, deleted function"
+msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf."
+
+#: ../lib/krb5/error_tables/krb5_err.c:262
+msgid "unknown getaddrinfo failure"
+msgstr "unbekannter Getaddrinfo-Fehlschlag"
+
+#: ../lib/krb5/error_tables/krb5_err.c:263
+msgid "no data available for host/domain name"
+msgstr "keine Daten für Rechner/Domain-Namen verfügbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:264
+msgid "host/domain name not found"
+msgstr "Rechner/Domain-Name nicht gefunden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:265
+msgid "service name unknown"
+msgstr "Dienstname unbekannt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:266
+msgid "Cannot determine realm for numeric host address"
+msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden"
+
+#: ../lib/krb5/error_tables/krb5_err.c:267
+msgid "Invalid key generation parameters from KDC"
+msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC"
+
+#: ../lib/krb5/error_tables/krb5_err.c:268
+msgid "service not available"
+msgstr "Dienst nicht verfügbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:269
+msgid "Ccache function not supported: read-only ccache type"
+msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar"
+
+#: ../lib/krb5/error_tables/krb5_err.c:270
+msgid "Ccache function not supported: not implemented"
+msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert"
+
+#: ../lib/krb5/error_tables/krb5_err.c:271
+msgid "Invalid format of Kerberos lifetime or clock skew string"
+msgstr ""
+"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette"
+
+#: ../lib/krb5/error_tables/krb5_err.c:272
+msgid "Supplied data not handled by this plugin"
+msgstr ""
+"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt."
+
+#: ../lib/krb5/error_tables/krb5_err.c:273
+msgid "Plugin does not support the operation"
+msgstr "Erweiterung unterstützt diese Aktion nicht"
+
+#: ../lib/krb5/error_tables/krb5_err.c:274
+msgid "Invalid UTF-8 string"
+msgstr "ungültige UTF-8-Zeichenkette"
+
+#: ../lib/krb5/error_tables/krb5_err.c:275
+msgid "FAST protected pre-authentication required but not supported by KDC"
+msgstr ""
+"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC "
+"unterstützt"
+
+#: ../lib/krb5/error_tables/krb5_err.c:276
+msgid "Auth context must contain local address"
+msgstr "Authentifizierungskontext muss lokale Adresse enthalten"
+
+#: ../lib/krb5/error_tables/krb5_err.c:277
+msgid "Auth context must contain remote address"
+msgstr "Authentifizierungskontext muss ferne Adresse enthalten"
+
+#: ../lib/krb5/error_tables/krb5_err.c:278
+msgid "Tracing unsupported"
+msgstr "Verfolgung nicht unterstützt"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:24
+msgid "Entry already exists in database"
+msgstr "Eintrag existiert bereits in der Datenbank"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:25
+msgid "Database store error"
+msgstr "Datenbank-Speicherfehler"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:26
+msgid "Database read error"
+msgstr "Datenbank-Lesefehler"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:27
+msgid "Insufficient access to perform requested operation"
+msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:28
+msgid "No such entry in the database"
+msgstr "kein derartiger Eintrag in der Datenbank"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:29
+msgid "Illegal use of wildcard"
+msgstr "ungültige Verwendung eines Platzhalters"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:30
+msgid "Database is locked or in use--try again later"
+msgstr ""
+"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später "
+"wieder"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:31
+msgid "Database was modified during read"
+msgstr "Datenbank wurde während des Lesens geändert"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:32
+msgid "Database record is incomplete or corrupted"
+msgstr "Datensatz ist unvollständig oder beschädigt"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:33
+msgid "Attempt to lock database twice"
+msgstr "Es wurde zweimal versucht, die Datenbank zu sperren."
+
+#: ../lib/krb5/error_tables/kdb5_err.c:34
+msgid "Attempt to unlock database when not locked"
+msgstr ""
+"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt "
+"ist."
+
+#: ../lib/krb5/error_tables/kdb5_err.c:35
+msgid "Invalid kdb lock mode"
+msgstr "ungültiger KDB-Sperrmodus"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:36
+msgid "Database has not been initialized"
+msgstr "Datenbank wurde nicht initialisiert"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:37
+msgid "Database has already been initialized"
+msgstr "Datenbank wurde bereits initialisiert"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:38
+msgid "Bad direction for converting keys"
+msgstr "falsche Richtung zum Umwandeln von Schlüsseln"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:39
+msgid "Cannot find master key record in database"
+msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:40
+msgid "Master key does not match database"
+msgstr "Hauptschlüssel passt nicht zur Datenbank"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:41
+msgid "Key size in database is invalid"
+msgstr "Die Schlüssellänge in der Datenbank ist ungültig,"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:42
+msgid "Cannot find/read stored master key"
+msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden."
+
+#: ../lib/krb5/error_tables/kdb5_err.c:43
+msgid "Stored master key is corrupted"
+msgstr "Der gespeicherte Hauptschlüssel ist beschädigt."
+
+#: ../lib/krb5/error_tables/kdb5_err.c:44
+msgid "Cannot find active master key"
+msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden."
+
+#: ../lib/krb5/error_tables/kdb5_err.c:45
+msgid "KVNO of new master key does not match expected value"
+msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:46
+msgid "Stored master key is not current"
+msgstr "gespeicherter Hauptschlüssel ist nicht aktuell"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:47
+msgid "Insufficient access to lock database"
+msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:48
+msgid "Database format error"
+msgstr "fehlerhaftes Datenbankformat"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:49
+msgid "Unsupported version in database entry"
+msgstr "nicht unterstützte Version im Datenbankeintrag"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:50
+msgid "Unsupported salt type"
+msgstr "nicht unterstützter Salt-Typ"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:51
+msgid "Unsupported encryption type"
+msgstr "nicht unterstützter Verschlüsselungstyp"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:52
+msgid "Bad database creation flags"
+msgstr "falsche Schalter zum Erstellen der Datenbank"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:53
+msgid "No matching key in entry having a permitted enctype"
+msgstr ""
+"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:54
+msgid "No matching key in entry"
+msgstr "kein passender Schlüssel im Eintrag"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:55
+msgid "Unable to find requested database type"
+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:56
+msgid "Database type not supported"
+msgstr "Datenbanktyp nicht unterstützt"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:57
+msgid "Database library failed to initialize"
+msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:59
+msgid "Unable to access Kerberos database"
+msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:60
+msgid "Kerberos database internal error"
+msgstr "interner Kerberos-Datenbankfehler"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:61
+msgid "Kerberos database constraints violated"
+msgstr "Kerberos-Datenbankbeschränkungen verletzt"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:62
+msgid "Update log conversion error"
+msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:63
+msgid "Update log is unstable"
+msgstr "Aktualisierungsprotokoll ist instabil"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:64
+msgid "Update log is corrupt"
+msgstr "Aktualisierungsprotokoll ist beschädigt"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:65
+msgid "Generic update log error"
+msgstr "allgemeiner Aktualisierungsprotokollfehler"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:66
+msgid "Database module does not match KDC version"
+msgstr "Datenbankmodul passt nicht zur KDC-Version"
+
+#: ../lib/krb5/error_tables/kdb5_err.c:68
+msgid "Too much string mapping data"
+msgstr "zu viele zeichenkettenabbildenden Daten"
+
+#: ../lib/krb5/error_tables/asn1_err.c:23
+msgid "ASN.1 failed call to system time library"
+msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert"
+
+#: ../lib/krb5/error_tables/asn1_err.c:24
+msgid "ASN.1 structure is missing a required field"
+msgstr "ein erforderliches Feld fehlt in der ASN.1-Struktur"
+
+#: ../lib/krb5/error_tables/asn1_err.c:25
+msgid "ASN.1 unexpected field number"
+msgstr "ASN.1 unerwartete Feldnummer"
+
+#: ../lib/krb5/error_tables/asn1_err.c:26
+msgid "ASN.1 type numbers are inconsistent"
+msgstr "ASN.1-Typnummern sind inkonsistent"
+
+#: ../lib/krb5/error_tables/asn1_err.c:27
+msgid "ASN.1 value too large"
+msgstr "ASN.1-Wert zu groß"
+
+#: ../lib/krb5/error_tables/asn1_err.c:28
+msgid "ASN.1 encoding ended unexpectedly"
+msgstr "ASN.1-Kodierung endete unerwartet"
+
+#: ../lib/krb5/error_tables/asn1_err.c:29
+msgid "ASN.1 identifier doesn't match expected value"
+msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert"
+
+#: ../lib/krb5/error_tables/asn1_err.c:30
+msgid "ASN.1 length doesn't match expected value"
+msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert"
+
+#: ../lib/krb5/error_tables/asn1_err.c:31
+msgid "ASN.1 badly-formatted encoding"
+msgstr "fehlerhaft formatierte ASN.1-Kodierung"
+
+#: ../lib/krb5/error_tables/asn1_err.c:32
+msgid "ASN.1 parse error"
+msgstr "ASN.1-Auswertungsfehler"
+
+#: ../lib/krb5/error_tables/asn1_err.c:33
+msgid "ASN.1 bad return from gmtime"
+msgstr "ASN.1 falscher Rückgabewert von Gmtime"
+
+#: ../lib/krb5/error_tables/asn1_err.c:34
+msgid "ASN.1 non-constructed indefinite encoding"
+msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung"
+
+#: ../lib/krb5/error_tables/asn1_err.c:35
+msgid "ASN.1 missing expected EOC"
+msgstr "ASN.1 fehlt erwartetes EOC"
+
+#: ../lib/krb5/error_tables/asn1_err.c:36
+msgid "ASN.1 object omitted in sequence"
+msgstr "ASN.1-Objekt in Sequenz ausgelassen"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:23
+msgid "Kerberos V5 magic number table"
+msgstr "Tabelle magischer Zahlen von Kerberos V5"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:24
+msgid "Bad magic number for krb5_principal structure"
+msgstr "falsche magische Zahl für Krb5_principal-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:25
+msgid "Bad magic number for krb5_data structure"
+msgstr "falsche magische Zahl für Krb5_data-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:26
+msgid "Bad magic number for krb5_keyblock structure"
+msgstr "falsche magische Zahl für Krb5_krb5_keyblock-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:27
+msgid "Bad magic number for krb5_checksum structure"
+msgstr "falsche magische Zahl für Krb5_krb5_checksum-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:28
+msgid "Bad magic number for krb5_encrypt_block structure"
+msgstr "falsche magische Zahl für Krb5_encrypt_bloc-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:29
+msgid "Bad magic number for krb5_enc_data structure"
+msgstr "falsche magische Zahl für Krb5_enc_data-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:30
+msgid "Bad magic number for krb5_cryptosystem_entry structure"
+msgstr "falsche magische Zahl für Krb5_cryptosystem_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:31
+msgid "Bad magic number for krb5_cs_table_entry structure"
+msgstr "falsche magische Zahl für Krb5_cs_table_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:32
+msgid "Bad magic number for krb5_checksum_entry structure"
+msgstr "falsche magische Zahl für Krb5_checksum_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:33
+msgid "Bad magic number for krb5_authdata structure"
+msgstr "falsche magische Zahl für Krb5_authdata-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:34
+msgid "Bad magic number for krb5_transited structure"
+msgstr "falsche magische Zahl für Krb5_transited-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:35
+msgid "Bad magic number for krb5_enc_tkt_part structure"
+msgstr "falsche magische Zahl für Krb5_enc_tkt_part-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:36
+msgid "Bad magic number for krb5_ticket structure"
+msgstr "falsche magische Zahl für Krb5_ticket-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:37
+msgid "Bad magic number for krb5_authenticator structure"
+msgstr "falsche magische Zahl für Krb5_authenticator-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:38
+msgid "Bad magic number for krb5_tkt_authent structure"
+msgstr "falsche magische Zahl für Krb5_tkt_authent-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:39
+msgid "Bad magic number for krb5_creds structure"
+msgstr "falsche magische Zahl für Krb5_creds-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:40
+msgid "Bad magic number for krb5_last_req_entry structure"
+msgstr "falsche magische Zahl für Krb5_last_req_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:41
+msgid "Bad magic number for krb5_pa_data structure"
+msgstr "falsche magische Zahl für Krb5_pa_data-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:42
+msgid "Bad magic number for krb5_kdc_req structure"
+msgstr "falsche magische Zahl für Krb5_kdc_req-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:43
+msgid "Bad magic number for krb5_enc_kdc_rep_part structure"
+msgstr "falsche magische Zahl für Krb5_enc_kdc_rep_part-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:44
+msgid "Bad magic number for krb5_kdc_rep structure"
+msgstr "falsche magische Zahl für Krb5_kdc_rep-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:45
+msgid "Bad magic number for krb5_error structure"
+msgstr "falsche magische Zahl für Krb5_error-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:46
+msgid "Bad magic number for krb5_ap_req structure"
+msgstr "falsche magische Zahl für Krb5_ap_req-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:47
+msgid "Bad magic number for krb5_ap_rep structure"
+msgstr "falsche magische Zahl für Krb5_ap_rep-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:48
+msgid "Bad magic number for krb5_ap_rep_enc_part structure"
+msgstr "falsche magische Zahl für Krb5_ap_rep_enc_part-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:49
+msgid "Bad magic number for krb5_response structure"
+msgstr "falsche magische Zahl für Krb5_response-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:50
+msgid "Bad magic number for krb5_safe structure"
+msgstr "falsche magische Zahl für Krb5_safe-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:51
+msgid "Bad magic number for krb5_priv structure"
+msgstr "falsche magische Zahl für Krb5_priv-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:52
+msgid "Bad magic number for krb5_priv_enc_part structure"
+msgstr "falsche magische Zahl für Krb5_priv_enc_part-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:53
+msgid "Bad magic number for krb5_cred structure"
+msgstr "falsche magische Zahl für Krb5_cred-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:54
+msgid "Bad magic number for krb5_cred_info structure"
+msgstr "falsche magische Zahl für Krb5_cred_info-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:55
+msgid "Bad magic number for krb5_cred_enc_part structure"
+msgstr "falsche magische Zahl für Krb5_cred_enc_part-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:56
+msgid "Bad magic number for krb5_pwd_data structure"
+msgstr "falsche magische Zahl für Krb5_pwd_data-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:57
+msgid "Bad magic number for krb5_address structure"
+msgstr "falsche magische Zahl für Krb5_address-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:58
+msgid "Bad magic number for krb5_keytab_entry structure"
+msgstr "falsche magische Zahl für Krb5_keytab_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:59
+msgid "Bad magic number for krb5_context structure"
+msgstr "falsche magische Zahl für Krb5_context-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:60
+msgid "Bad magic number for krb5_os_context structure"
+msgstr "falsche magische Zahl für Krb5_os_context-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:61
+msgid "Bad magic number for krb5_alt_method structure"
+msgstr "falsche magische Zahl für Krb5_alt_method-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:62
+msgid "Bad magic number for krb5_etype_info_entry structure"
+msgstr "falsche magische Zahl für Krb5_etype_info_entry-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:63
+msgid "Bad magic number for krb5_db_context structure"
+msgstr "falsche magische Zahl für Krb5_db_context-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:64
+msgid "Bad magic number for krb5_auth_context structure"
+msgstr "falsche magische Zahl für Krb5_auth_context-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:65
+msgid "Bad magic number for krb5_keytab structure"
+msgstr "falsche magische Zahl für Krb5_keytab-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:66
+msgid "Bad magic number for krb5_rcache structure"
+msgstr "falsche magische Zahl für Krb5_rcache-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:67
+msgid "Bad magic number for krb5_ccache structure"
+msgstr "falsche magische Zahl für Krb5_ccache-Struktur"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:68
+msgid "Bad magic number for krb5_preauth_ops"
+msgstr "falsche magische Zahl für Krb5_preauth_ops"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:69
+msgid "Bad magic number for krb5_sam_challenge"
+msgstr "falsche magische Zahl für Krb5_sam_challenge"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:70
+msgid "Bad magic number for krb5_sam_challenge_2"
+msgstr "falsche magische Zahl für Krb5_sam_challenge_2"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:71
+msgid "Bad magic number for krb5_sam_key"
+msgstr "falsche magische Zahl für Krb5_sam_key"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:72
+#: ../lib/krb5/error_tables/kv5m_err.c:73
+msgid "Bad magic number for krb5_enc_sam_response_enc"
+msgstr "falsche magische Zahl für Krb5_enc_sam_response_enc"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:74
+msgid "Bad magic number for krb5_sam_response"
+msgstr "falsche magische Zahl für Krb5_sam_response"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:75
+msgid "Bad magic number for krb5_sam_response 2"
+msgstr "falsche magische Zahl für Krb5_sam_response 2"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:76
+msgid "Bad magic number for krb5_predicted_sam_response"
+msgstr "falsche magische Zahl für Krb5_predicted_sam_response"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:77
+msgid "Bad magic number for passwd_phrase_element"
+msgstr "falsche magische Zahl für Passwd_phrase_element"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:78
+msgid "Bad magic number for GSSAPI OID"
+msgstr "falsche magische Zahl für GSSAPI OID"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:79
+msgid "Bad magic number for GSSAPI QUEUE"
+msgstr "falsche magische Zahl für GSSAPI QUEUE"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:80
+msgid "Bad magic number for fast armored request"
+msgstr "falsche magische Zahl für per FAST geschützte Anfrage"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:81
+msgid "Bad magic number for FAST request"
+msgstr "falsche magische Zahl für FAST-Anfrage"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:82
+msgid "Bad magic number for FAST response"
+msgstr "falsche magische Zahl für FAST-Antwort"
+
+#: ../lib/krb5/error_tables/kv5m_err.c:83
+msgid "Bad magic number for krb5_authdata_context"
+msgstr "falsche magische Zahl für Krb5_authdata_context"
+
+#: ../lib/krb5/error_tables/krb524_err.c:23
+msgid "Cannot convert V5 keyblock"
+msgstr "V5-Schlüsselblock kann nicht umgewandelt werden"
+
+#: ../lib/krb5/error_tables/krb524_err.c:24
+msgid "Cannot convert V5 address information"
+msgstr "V5-Adressinformationen können nicht umgewandelt werden"
+
+#: ../lib/krb5/error_tables/krb524_err.c:25
+msgid "Cannot convert V5 principal"
+msgstr "V5-Principal kann nicht umgewandelt werden"
+
+#: ../lib/krb5/error_tables/krb524_err.c:26
+msgid "V5 realm name longer than V4 maximum"
+msgstr "V5-Realm-Name ist länger als die V4-Maximallänge"
+
+#: ../lib/krb5/error_tables/krb524_err.c:27
+msgid "Kerberos V4 error"
+msgstr "Kerberos-V4-Fehler"
+
+#: ../lib/krb5/error_tables/krb524_err.c:28
+msgid "Encoding too large"
+msgstr "Kodierung zu lang"
+
+#: ../lib/krb5/error_tables/krb524_err.c:29
+msgid "Decoding out of data"
+msgstr "Dekodieren außerhalb der Daten"
+
+#: ../lib/krb5/error_tables/krb524_err.c:30
+msgid "Service not responding"
+msgstr "Dienst antwortet nicht"
+
+#: ../lib/krb5/error_tables/krb524_err.c:31
+msgid "Kerberos version 4 support is disabled"
+msgstr "Kerberos 4 Unterstützung ist deaktiviert"
+
+#~ msgid "while creating server %s principal name"
+#~ msgstr "beim Erstellen des Principal-Namens für Server %s"
+
+# KDC = Key Distribution Center
+#~ msgid "while getting credentials from kdc"
+#~ msgstr "beim Holen der Anmeldedaten vom KDC"
+
+# FIXME s/Retrieving/retrieving/
+#~ msgid "while Retrieving credentials"
+#~ msgstr "beim Abfragen der Anmeldedaten"
+
+#~ msgid "while copying principal"
+#~ msgstr "beim Kopieren des Principals"
+
+#~ msgid "%s does not have correct permissions for %s\n"
+#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n"
+
+#~ msgid "no salt\n"
+#~ msgstr "kein Salt\n"
+
+#~ msgid "%s: Couldn't grab lock\n"
+#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n"
+
+#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n"
+#~ msgstr ""
+#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht "
+#~ "möglich.\n"
+
+#~ msgid "trying to lock database"
+#~ msgstr "es wird versucht, die Datenbank zu sperren"
+
+#~ msgid "GSS-API error %s: %s\n"
+#~ msgstr "GSS-API-Fehler %s: %s\n"
+
+#~ msgid "Couldn't create KRB5 Name NameType OID\n"
+#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n"
+
+#~ msgid "%s: %s while initializing, aborting"
+#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen"
+
+#~ msgid ""
+#~ "%s: Missing required configuration values (%lx) while initializing, "
+#~ "aborting"
+#~ msgstr ""
+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
+#~ "(%lx), wird abgebrochen"
+
+#~ msgid ""
+#~ "%s: Missing required configuration values (%lx) while initializing, "
+#~ "aborting\n"
+#~ msgstr ""
+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
+#~ "(%lx), wird abgebrochen\n"
+
+#~ msgid "%s: could not initialize loop, aborting"
+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen"
+
+#~ msgid "%s: could not initialize loop, aborting\n"
+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n"
+
+#~ msgid "%s: %s while initializing signal handlers, aborting"
+#~ msgstr ""
+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
+#~ "abgebrochen"
+
+#~ msgid "%s: %s while initializing signal handlers, aborting\n"
+#~ msgstr ""
+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
+#~ "abgebrochen\n"
+
+#~ msgid "%s: %s while initializing network, aborting"
+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen"
+
+#~ msgid "%s: %s while initializing network, aborting\n"
+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n"
+
+#~ msgid "Cannot build GSS-API authentication names, failing."
+#~ msgstr ""
+#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, "
+#~ "fehlgeschlagen"
+
+#~ msgid "Can't set kdb keytab's internal context."
+#~ msgstr ""
+#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden."
+
+#~ msgid "Can't register kdb keytab."
+#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden."
+
+#~ msgid "Can't register acceptor keytab."
+#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden."
+
+#~ msgid ""
+#~ "Cannot set GSS-API authentication names (keytab not present?), failing."
+#~ msgstr ""
+#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden "
+#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen"
+
+#~ msgid "Cannot initialize acl file: %s"
+#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s"
+
+#~ msgid "%s: Cannot initialize acl file: %s\n"
+#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n"
+
+#~ msgid "Cannot detach from tty: %s"
+#~ msgstr "kann nicht vom Terminal gelöst werden: %s"
+
+#~ msgid "Cannot create PID file %s: %s"
+#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s"
+
+#~ msgid "%s: %s while mapping update log (`%s.ulog')\n"
+#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n"
+
+#~ msgid "%s while mapping update log (`%s.ulog')"
+#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)"
+
+#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"
+#~ msgstr ""
+#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n"
+
+#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."
+#~ msgstr ""
+#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), "
+#~ "fehlgeschlagen"
+
+#~ msgid "%s while getting IProp svc name, failing"
+#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen"
+
+#~ msgid "%s: %s while getting IProp svc name, failing\n"
+#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n"
+
+#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing."
+#~ msgstr ""
+#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen"
+
+#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"
+#~ msgstr ""
+#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, "
+#~ "fehlgeschlagen\n"
+
+#~ msgid "GSS-API authentication error %.*s: recursive failure!"
+#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!"
+
+#~ msgid "skipping unrecognized local address family %d"
+#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen"
+
+#~ msgid "got routing msg type %d(%s) v%d"
+#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten"
+
+#~ msgid "Could not create temp stash file: %s"
+#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s"
+
+#~ msgid "ulog_sync_header: could not sync to disk"
+#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden"
+
+#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt"
+#~ msgstr ""
+#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« "
+#~ "umzuwandeln"
+
+#~ msgid "krb5_sname_to_principal, while adding entries to the database"
+#~ msgstr ""
+#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank"
+
+#~ msgid "krb5_copy_principal, while adding entries to the database"
+#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank"
+
+#~ msgid ""
+#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. "
+#~ "Proceeding anyway ..."
+#~ msgstr ""
+#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-"
+#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …"
+
+#~ msgid ""
+#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform "
+#~ "certificate-based bind."
+#~ msgstr ""
+#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es "
+#~ "kann keine zertifikatbasierte Verbindung hergestellt werden."
+
+#~ msgid "Error reading 'ldap_servers' attribute"
+#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«"
+
+#~ msgid "Stash file entry corrupt"
+#~ msgstr "Eintrag in der Ablagedatei beschädigt"
+
+#~ msgid "while setting server principal realm"
+#~ msgstr "beim Setzen des Server-Principal-Realms"
+
+#~ msgid "while getting initial ticket\n"
+#~ msgstr "beim Holen eines Anfangs-Tickets\n"
+
+#~ msgid "while destroying ticket cache"
+#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers"
+
+#~ msgid "while closing default ccache"
+#~ msgstr "beim Schließen des Standard-Ccaches"
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index 6bfe3330adb6..f79f386172fc 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: mit-krb5 1.15.1\n"
+"Project-Id-Version: mit-krb5 1.16\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2017-03-02 12:03-0500\n"
+"POT-Creation-Date: 2017-12-05 12:00-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -18,57 +18,62 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
 
-#: ../../src/clients/kdestroy/kdestroy.c:56
+#: ../../src/clients/kdestroy/kdestroy.c:55
 #, c-format
 msgid "Usage: %s [-A] [-q] [-c cache_name]\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:57
+#: ../../src/clients/kdestroy/kdestroy.c:56
 #, c-format
 msgid "\t-A destroy all credential caches in collection\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:58
+#: ../../src/clients/kdestroy/kdestroy.c:57
 #, c-format
 msgid "\t-q quiet mode\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:59
+#: ../../src/clients/kdestroy/kdestroy.c:58
 #: ../../src/clients/kswitch/kswitch.c:45
 #, c-format
 msgid "\t-c specify name of credentials cache\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:73
+#: ../../src/clients/kdestroy/kdestroy.c:72
 #: ../../src/clients/kdestroy/kdestroy.c:151
 msgid "while listing credential caches"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:80
+#: ../../src/clients/kdestroy/kdestroy.c:79
 #, c-format
 msgid "Other credential caches present, use -A to destroy all\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:116
-#: ../../src/clients/kinit/kinit.c:358 ../../src/clients/ksu/main.c:285
+#: ../../src/clients/kdestroy/kdestroy.c:109
+#: ../../src/clients/kinit/kinit.c:346 ../../src/clients/ksu/main.c:285
 #, c-format
 msgid "Only one -c option allowed\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:123
-#: ../../src/clients/kinit/kinit.c:387 ../../src/clients/klist/klist.c:178
+#: ../../src/clients/kdestroy/kdestroy.c:116
+#: ../../src/clients/kinit/kinit.c:374 ../../src/clients/klist/klist.c:178
 #, c-format
 msgid "Kerberos 4 is no longer supported\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:144
-#: ../../src/clients/klist/klist.c:249 ../../src/clients/ksu/main.c:131
+#: ../../src/clients/kdestroy/kdestroy.c:136
+#: ../../src/clients/klist/klist.c:241 ../../src/clients/ksu/main.c:131
 #: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97
-#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:953
-#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1031
+#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:954
+#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1058
 msgid "while initializing krb5"
 msgstr ""
 
+#: ../../src/clients/kdestroy/kdestroy.c:143
+#: ../../src/clients/klist/klist.c:248
+msgid "while setting default cache name"
+msgstr ""
+
 #: ../../src/clients/kdestroy/kdestroy.c:158
 msgid "composing ccache name"
 msgstr ""
@@ -78,378 +83,376 @@ msgstr ""
 msgid "while destroying cache %s"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:176
-#: ../../src/clients/kswitch/kswitch.c:104
-#, c-format
-msgid "while resolving %s"
+#: ../../src/clients/kdestroy/kdestroy.c:175
+#: ../../src/clients/klist/klist.c:462
+msgid "while resolving ccache"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:182
-#: ../../src/clients/kinit/kinit.c:485 ../../src/clients/klist/klist.c:457
-msgid "while getting default ccache"
-msgstr ""
-
-#: ../../src/clients/kdestroy/kdestroy.c:189 ../../src/clients/ksu/main.c:977
+#: ../../src/clients/kdestroy/kdestroy.c:181 ../../src/clients/ksu/main.c:977
 msgid "while destroying cache"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:192
+#: ../../src/clients/kdestroy/kdestroy.c:184
 #, c-format
 msgid "Ticket cache NOT destroyed!\n"
 msgstr ""
 
-#: ../../src/clients/kdestroy/kdestroy.c:194
+#: ../../src/clients/kdestroy/kdestroy.c:186
 #, c-format
 msgid "Ticket cache %cNOT%c destroyed!\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:176
+#: ../../src/clients/kinit/kinit.c:170
 #, c-format
 msgid "\t-V verbose\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:177
+#: ../../src/clients/kinit/kinit.c:171
 #, c-format
 msgid "\t-l lifetime\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:178
+#: ../../src/clients/kinit/kinit.c:172
 #, c-format
 msgid "\t-s start time\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:179
+#: ../../src/clients/kinit/kinit.c:173
 #, c-format
 msgid "\t-r renewable lifetime\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:180
+#: ../../src/clients/kinit/kinit.c:174
 #, c-format
 msgid "\t-f forwardable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:181
+#: ../../src/clients/kinit/kinit.c:175
 #, c-format
 msgid "\t-F not forwardable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:182
+#: ../../src/clients/kinit/kinit.c:176
 #, c-format
 msgid "\t-p proxiable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:183
+#: ../../src/clients/kinit/kinit.c:177
 #, c-format
 msgid "\t-P not proxiable\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:184
+#: ../../src/clients/kinit/kinit.c:178
 #, c-format
 msgid "\t-n anonymous\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:185
+#: ../../src/clients/kinit/kinit.c:179
 #, c-format
 msgid "\t-a include addresses\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:186
+#: ../../src/clients/kinit/kinit.c:180
 #, c-format
 msgid "\t-A do not include addresses\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:187
+#: ../../src/clients/kinit/kinit.c:181
 #, c-format
 msgid "\t-v validate\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:188
+#: ../../src/clients/kinit/kinit.c:182
 #, c-format
 msgid "\t-R renew\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:189
+#: ../../src/clients/kinit/kinit.c:183
 #, c-format
 msgid "\t-C canonicalize\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:190
+#: ../../src/clients/kinit/kinit.c:184
 #, c-format
 msgid "\t-E client is enterprise principal name\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:191
+#: ../../src/clients/kinit/kinit.c:185
 #, c-format
 msgid "\t-k use keytab\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:192
+#: ../../src/clients/kinit/kinit.c:186
 #, c-format
 msgid "\t-i use default client keytab (with -k)\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:193
+#: ../../src/clients/kinit/kinit.c:187
 #, c-format
 msgid "\t-t filename of keytab to use\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:194
+#: ../../src/clients/kinit/kinit.c:188
 #, c-format
 msgid "\t-c Kerberos 5 cache name\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:195
+#: ../../src/clients/kinit/kinit.c:189
 #, c-format
 msgid "\t-S service\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:196
+#: ../../src/clients/kinit/kinit.c:190
 #, c-format
 msgid "\t-T armor credential cache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:197
+#: ../../src/clients/kinit/kinit.c:191
 #, c-format
 msgid "\t-X <attribute>[=<value>]\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:276 ../../src/clients/kinit/kinit.c:284
+#: ../../src/clients/kinit/kinit.c:264 ../../src/clients/kinit/kinit.c:272
 #, c-format
 msgid "Bad lifetime value %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:318
+#: ../../src/clients/kinit/kinit.c:306
 #, c-format
 msgid "Bad start time value %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:337
+#: ../../src/clients/kinit/kinit.c:324
 #, c-format
 msgid "Only one -t option allowed.\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:345
+#: ../../src/clients/kinit/kinit.c:332
 #, c-format
 msgid "Only one armor_ccache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:366
+#: ../../src/clients/kinit/kinit.c:354
 #, c-format
 msgid "Only one -I option allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:376
+#: ../../src/clients/kinit/kinit.c:363
 msgid "while adding preauth option"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:403
+#: ../../src/clients/kinit/kinit.c:389
 #, c-format
 msgid "Only one of -f and -F allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:408
+#: ../../src/clients/kinit/kinit.c:393
 #, c-format
 msgid "Only one of -p and -P allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:413
+#: ../../src/clients/kinit/kinit.c:397
 #, c-format
 msgid "Only one of --request-pac and --no-request-pac allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:419
+#: ../../src/clients/kinit/kinit.c:402
 #, c-format
 msgid "Only one of -a and -A allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:424
+#: ../../src/clients/kinit/kinit.c:406
 #, c-format
 msgid "Only one of -t and -i allowed\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:431
+#: ../../src/clients/kinit/kinit.c:412
 #, c-format
 msgid "keytab specified, forcing -k\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:435 ../../src/clients/klist/klist.c:217
+#: ../../src/clients/kinit/kinit.c:415 ../../src/clients/klist/klist.c:216
 #, c-format
 msgid "Extra arguments (starting with \"%s\").\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:464
+#: ../../src/clients/kinit/kinit.c:441
 msgid "while initializing Kerberos 5 library"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:472 ../../src/clients/kinit/kinit.c:628
+#: ../../src/clients/kinit/kinit.c:449 ../../src/clients/kinit/kinit.c:603
 #, c-format
 msgid "resolving ccache %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:477
+#: ../../src/clients/kinit/kinit.c:454
 #, c-format
 msgid "Using specified cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:499 ../../src/clients/kinit/kinit.c:579
-#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238
+#: ../../src/clients/kinit/kinit.c:462
+msgid "while getting default ccache"
+msgstr ""
+
+#: ../../src/clients/kinit/kinit.c:476 ../../src/clients/kinit/kinit.c:555
+#: ../../src/clients/kpasswd/kpasswd.c:30 ../../src/clients/ksu/main.c:238
 #, c-format
 msgid "when parsing name %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:507 ../../src/kadmin/dbutil/kdb5_util.c:310
+#: ../../src/clients/kinit/kinit.c:484 ../../src/kadmin/dbutil/kdb5_util.c:310
 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391
-#: ../../src/slave/kprop.c:178
+#: ../../src/slave/kprop.c:156
 msgid "while getting default realm"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:519
+#: ../../src/clients/kinit/kinit.c:495
 msgid "while building principal"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:527
+#: ../../src/clients/kinit/kinit.c:503
 msgid "When resolving the default client keytab"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:534
+#: ../../src/clients/kinit/kinit.c:510
 msgid "When determining client principal name from keytab"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:543
+#: ../../src/clients/kinit/kinit.c:519
 msgid "when creating default server principal name"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:550
+#: ../../src/clients/kinit/kinit.c:526
 #, c-format
 msgid "(principal %s)"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:553
+#: ../../src/clients/kinit/kinit.c:529
 msgid "for local services"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:574 ../../src/clients/kpasswd/kpasswd.c:42
+#: ../../src/clients/kinit/kinit.c:550 ../../src/clients/kpasswd/kpasswd.c:42
 #, c-format
 msgid "Unable to identify user\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:589 ../../src/clients/kswitch/kswitch.c:116
+#: ../../src/clients/kinit/kinit.c:564 ../../src/clients/kswitch/kswitch.c:116
 #, c-format
 msgid "while searching for ccache for %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:595
+#: ../../src/clients/kinit/kinit.c:570
 #, c-format
 msgid "Using existing cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:604
+#: ../../src/clients/kinit/kinit.c:579
 msgid "while generating new ccache"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:608
+#: ../../src/clients/kinit/kinit.c:583
 #, c-format
 msgid "Using new cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:620
+#: ../../src/clients/kinit/kinit.c:595
 #, c-format
 msgid "Using default cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:633
+#: ../../src/clients/kinit/kinit.c:608
 #, c-format
 msgid "Using specified input cache: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:641 ../../src/clients/ksu/krb_auth_su.c:160
+#: ../../src/clients/kinit/kinit.c:615 ../../src/clients/ksu/krb_auth_su.c:160
 msgid "when unparsing name"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:645
+#: ../../src/clients/kinit/kinit.c:619
 #, c-format
 msgid "Using principal: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:746
+#: ../../src/clients/kinit/kinit.c:700
 msgid "getting local addresses"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:769
+#: ../../src/clients/kinit/kinit.c:723
 #, c-format
 msgid "while setting up KDB keytab for realm %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:778 ../../src/clients/kvno/kvno.c:197
+#: ../../src/clients/kinit/kinit.c:732 ../../src/clients/kvno/kvno.c:308
 #, c-format
 msgid "resolving keytab %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:783
+#: ../../src/clients/kinit/kinit.c:737
 #, c-format
 msgid "Using keytab: %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:787
+#: ../../src/clients/kinit/kinit.c:741
 msgid "resolving default client keytab"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:797
+#: ../../src/clients/kinit/kinit.c:751
 #, c-format
 msgid "while setting '%s'='%s'"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:802
+#: ../../src/clients/kinit/kinit.c:756
 #, c-format
 msgid "PA Option %s = %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:847
+#: ../../src/clients/kinit/kinit.c:797
 msgid "getting initial credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:850
+#: ../../src/clients/kinit/kinit.c:800
 msgid "validating credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:853
+#: ../../src/clients/kinit/kinit.c:803
 msgid "renewing credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:861
+#: ../../src/clients/kinit/kinit.c:811
 #, c-format
 msgid "%s: Password incorrect while %s\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:864
+#: ../../src/clients/kinit/kinit.c:814
 #, c-format
 msgid "while %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:873
+#: ../../src/clients/kinit/kinit.c:823
 #, c-format
 msgid "when initializing cache %s"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:878
+#: ../../src/clients/kinit/kinit.c:828
 #, c-format
 msgid "Initialized cache\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:882
+#: ../../src/clients/kinit/kinit.c:832
 msgid "while storing credentials"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:886
+#: ../../src/clients/kinit/kinit.c:836
 #, c-format
 msgid "Stored credentials\n"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:893
+#: ../../src/clients/kinit/kinit.c:842
 msgid "while switching to new ccache"
 msgstr ""
 
-#: ../../src/clients/kinit/kinit.c:951
+#: ../../src/clients/kinit/kinit.c:897
 #, c-format
 msgid "Authenticated to Kerberos v5\n"
 msgstr ""
@@ -546,7 +549,7 @@ msgstr ""
 msgid "\t\t-K shows keytab entry keys\n"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:226
+#: ../../src/clients/klist/klist.c:225
 #, c-format
 msgid "%s version %s\n"
 msgstr ""
@@ -555,51 +558,46 @@ msgstr ""
 msgid "while getting default client keytab"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:283
+#: ../../src/clients/klist/klist.c:284
 msgid "while getting default keytab"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:288 ../../src/kadmin/cli/keytab.c:103
+#: ../../src/clients/klist/klist.c:290 ../../src/kadmin/cli/keytab.c:103
 #, c-format
 msgid "while resolving keytab %s"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:294 ../../src/kadmin/cli/keytab.c:87
+#: ../../src/clients/klist/klist.c:297 ../../src/kadmin/cli/keytab.c:87
 msgid "while getting keytab name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:301 ../../src/kadmin/cli/keytab.c:422
+#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:422
 msgid "while starting keytab scan"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:322 ../../src/clients/klist/klist.c:485
-#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:553
+#: ../../src/clients/klist/klist.c:328 ../../src/clients/klist/klist.c:484
+#: ../../src/clients/ksu/ccache.c:455 ../../src/kadmin/dbutil/dump.c:554
 #: ../../src/kadmin/dbutil/tabdump.c:552
 msgid "while unparsing principal name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:347 ../../src/kadmin/cli/keytab.c:466
+#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:466
 msgid "while scanning keytab"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:351 ../../src/kadmin/cli/keytab.c:471
+#: ../../src/clients/klist/klist.c:355 ../../src/kadmin/cli/keytab.c:471
 msgid "while ending keytab scan"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:368 ../../src/clients/klist/klist.c:430
+#: ../../src/clients/klist/klist.c:372 ../../src/clients/klist/klist.c:435
 msgid "while listing ccache collection"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:407
+#: ../../src/clients/klist/klist.c:411
 msgid "(Expired)"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:463
-#, c-format
-msgid "while resolving ccache %s"
-msgstr ""
-
-#: ../../src/clients/klist/klist.c:489
+#: ../../src/clients/klist/klist.c:488
 #, c-format
 msgid ""
 "Ticket cache: %s:%s\n"
@@ -611,96 +609,96 @@ msgstr ""
 msgid "while starting to retrieve tickets"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:513
+#: ../../src/clients/klist/klist.c:514
 msgid "while finishing ticket retrieval"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:518
+#: ../../src/clients/klist/klist.c:519
 msgid "while retrieving a ticket"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:677 ../../src/clients/ksu/ccache.c:450
-#: ../../src/slave/kpropd.c:1214 ../../src/slave/kpropd.c:1274
+#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:440
+#: ../../src/slave/kpropd.c:1209 ../../src/slave/kpropd.c:1269
 msgid "while unparsing client name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:682 ../../src/clients/ksu/ccache.c:455
-#: ../../src/slave/kprop.c:212
+#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:445
+#: ../../src/slave/kprop.c:190
 msgid "while unparsing server name"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:711 ../../src/clients/ksu/ccache.c:480
+#: ../../src/clients/klist/klist.c:702 ../../src/clients/ksu/ccache.c:470
 #, c-format
 msgid "\tfor client %s"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:723 ../../src/clients/ksu/ccache.c:489
+#: ../../src/clients/klist/klist.c:714 ../../src/clients/ksu/ccache.c:479
 msgid "renew until "
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:740 ../../src/clients/ksu/ccache.c:499
+#: ../../src/clients/klist/klist.c:731 ../../src/clients/ksu/ccache.c:489
 #, c-format
 msgid "Flags: %s"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:759
+#: ../../src/clients/klist/klist.c:750
 #, c-format
 msgid "Etype (skey, tkt): %s, "
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:776
+#: ../../src/clients/klist/klist.c:766
 #, c-format
 msgid "AD types: "
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:793
+#: ../../src/clients/klist/klist.c:782
 #, c-format
 msgid "\tAddresses: (none)\n"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:795
+#: ../../src/clients/klist/klist.c:784
 #, c-format
 msgid "\tAddresses: "
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:828
+#: ../../src/clients/klist/klist.c:818 ../../src/clients/klist/klist.c:828
 #, c-format
 msgid "broken address (type %d length %d)"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:848
+#: ../../src/clients/klist/klist.c:837
 #, c-format
 msgid "unknown addrtype %d"
 msgstr ""
 
-#: ../../src/clients/klist/klist.c:857
+#: ../../src/clients/klist/klist.c:846
 #, c-format
 msgid "unprintable address (type %d, error %d %s)"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:395
+#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:395
 msgid "Enter new password"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:403
+#: ../../src/clients/kpasswd/kpasswd.c:14 ../../src/lib/krb5/krb/gic_pwd.c:403
 msgid "Enter it again"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:33
+#: ../../src/clients/kpasswd/kpasswd.c:34
 #, c-format
 msgid "Unable to identify user from password file\n"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:65
+#: ../../src/clients/kpasswd/kpasswd.c:63
 #, c-format
 msgid "usage: %s [principal]\n"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:73
+#: ../../src/clients/kpasswd/kpasswd.c:71
 msgid "initializing kerberos library"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:77
+#: ../../src/clients/kpasswd/kpasswd.c:76
 msgid "allocating krb5_get_init_creds_opt"
 msgstr ""
 
@@ -712,31 +710,31 @@ msgstr ""
 msgid "getting principal from ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:104
+#: ../../src/clients/kpasswd/kpasswd.c:102
 msgid "while setting FAST ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:111
+#: ../../src/clients/kpasswd/kpasswd.c:108
 msgid "closing ccache"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:118
+#: ../../src/clients/kpasswd/kpasswd.c:116
 msgid "parsing client name"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:135
+#: ../../src/clients/kpasswd/kpasswd.c:134
 msgid "Password incorrect while getting initial ticket"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:137
+#: ../../src/clients/kpasswd/kpasswd.c:136
 msgid "getting initial ticket"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:144
+#: ../../src/clients/kpasswd/kpasswd.c:146
 msgid "while reading password"
 msgstr ""
 
-#: ../../src/clients/kpasswd/kpasswd.c:152
+#: ../../src/clients/kpasswd/kpasswd.c:154
 msgid "changing password"
 msgstr ""
 
@@ -779,12 +777,12 @@ msgstr ""
 msgid "home directory name `%s' too long, can't search for .k5login\n"
 msgstr ""
 
-#: ../../src/clients/ksu/ccache.c:368
+#: ../../src/clients/ksu/ccache.c:358
 #, c-format
 msgid "home directory path for %s too long\n"
 msgstr ""
 
-#: ../../src/clients/ksu/ccache.c:461
+#: ../../src/clients/ksu/ccache.c:451
 msgid "while retrieving principal name"
 msgstr ""
 
@@ -1166,8 +1164,13 @@ msgstr ""
 msgid "One of -c or -p must be specified\n"
 msgstr ""
 
-#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:207
-#: ../../src/clients/kvno/kvno.c:241 ../../src/kadmin/cli/keytab.c:373
+#: ../../src/clients/kswitch/kswitch.c:104
+#, c-format
+msgid "while resolving %s"
+msgstr ""
+
+#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:177
+#: ../../src/clients/kvno/kvno.c:318 ../../src/kadmin/cli/keytab.c:373
 #: ../../src/kadmin/dbutil/kdb5_util.c:584
 #, c-format
 msgid "while parsing principal name %s"
@@ -1177,17 +1180,17 @@ msgstr ""
 msgid "while switching to credential cache"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:42
+#: ../../src/clients/kvno/kvno.c:44
 #, c-format
 msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:43
+#: ../../src/clients/kvno/kvno.c:45
 #, c-format
 msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:44
+#: ../../src/clients/kvno/kvno.c:46
 #, c-format
 msgid "\tservice1 service2 ...\n"
 msgstr ""
@@ -1208,62 +1211,62 @@ msgid ""
 "Option -P (constrained delegation) requires option -U (protocol transition)\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:171 ../../src/kadmin/cli/kadmin.c:310
-msgid "while initializing krb5 library"
-msgstr ""
-
-#: ../../src/clients/kvno/kvno.c:178
-msgid "while converting etype"
-msgstr ""
-
-#: ../../src/clients/kvno/kvno.c:190
-msgid "while opening ccache"
-msgstr ""
-
-#: ../../src/clients/kvno/kvno.c:214
-msgid "while getting client principal name"
-msgstr ""
-
-#: ../../src/clients/kvno/kvno.c:252
+#: ../../src/clients/kvno/kvno.c:185
 #, c-format
 msgid "while formatting parsed principal name for '%s'"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:263
+#: ../../src/clients/kvno/kvno.c:196
 msgid "client and server principal names must match"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:280
+#: ../../src/clients/kvno/kvno.c:212
 #, c-format
 msgid "while getting credentials for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:287
+#: ../../src/clients/kvno/kvno.c:219
 #, c-format
 msgid "while decoding ticket for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:298
+#: ../../src/clients/kvno/kvno.c:230
 #, c-format
 msgid "while decrypting ticket for %s"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:302
+#: ../../src/clients/kvno/kvno.c:234
 #, c-format
 msgid "%s: kvno = %d, keytab entry valid\n"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:320
+#: ../../src/clients/kvno/kvno.c:248
 #, c-format
 msgid "%s: constrained delegation failed"
 msgstr ""
 
-#: ../../src/clients/kvno/kvno.c:326
+#: ../../src/clients/kvno/kvno.c:255
 #, c-format
 msgid "%s: kvno = %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:104
+#: ../../src/clients/kvno/kvno.c:282 ../../src/kadmin/cli/kadmin.c:309
+msgid "while initializing krb5 library"
+msgstr ""
+
+#: ../../src/clients/kvno/kvno.c:289
+msgid "while converting etype"
+msgstr ""
+
+#: ../../src/clients/kvno/kvno.c:301
+msgid "while opening ccache"
+msgstr ""
+
+#: ../../src/clients/kvno/kvno.c:325
+msgid "while getting client principal name"
+msgstr ""
+
+#: ../../src/kadmin/cli/kadmin.c:103
 #, c-format
 msgid ""
 "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
@@ -1274,298 +1277,298 @@ msgid ""
 "\t\t\tLook at each database documentation for supported arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:163
+#: ../../src/kadmin/cli/kadmin.c:162
 #, c-format
 msgid "Invalid date specification \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:191
+#: ../../src/kadmin/cli/kadmin.c:190
 #, c-format
 msgid "Interval specification \"%s\" is in the past.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:321 ../../src/kadmin/cli/kadmin.c:360
+#: ../../src/kadmin/cli/kadmin.c:320 ../../src/kadmin/cli/kadmin.c:359
 #, c-format
 msgid "%s: Cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:379 ../../src/kadmin/cli/kadmin.c:839
-#: ../../src/kadmin/cli/kadmin.c:1104 ../../src/kadmin/cli/kadmin.c:1619
+#: ../../src/kadmin/cli/kadmin.c:378 ../../src/kadmin/cli/kadmin.c:838
+#: ../../src/kadmin/cli/kadmin.c:1103 ../../src/kadmin/cli/kadmin.c:1618
 #: ../../src/kadmin/cli/keytab.c:148 ../../src/kadmin/dbutil/kdb5_util.c:599
 #, c-format
 msgid "while parsing keysalts %s"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:402
+#: ../../src/kadmin/cli/kadmin.c:401
 #, c-format
 msgid "%s: -q is exclusive with command-line query"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:410
+#: ../../src/kadmin/cli/kadmin.c:409
 #, c-format
 msgid "%s: unable to get default realm\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:430
+#: ../../src/kadmin/cli/kadmin.c:429
 msgid "while opening default credentials cache"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:436
+#: ../../src/kadmin/cli/kadmin.c:435
 #, c-format
 msgid "while opening credentials cache %s"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:458 ../../src/kadmin/cli/kadmin.c:512
-#: ../../src/kadmin/cli/kadmin.c:520 ../../src/kadmin/cli/kadmin.c:527
+#: ../../src/kadmin/cli/kadmin.c:457 ../../src/kadmin/cli/kadmin.c:511
+#: ../../src/kadmin/cli/kadmin.c:519 ../../src/kadmin/cli/kadmin.c:526
 #, c-format
 msgid "%s: out of memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:467 ../../src/kadmin/cli/kadmin.c:482
-#: ../../src/slave/kpropd.c:658
+#: ../../src/kadmin/cli/kadmin.c:466 ../../src/kadmin/cli/kadmin.c:481
+#: ../../src/slave/kpropd.c:680
 msgid "while canonicalizing principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:476
+#: ../../src/kadmin/cli/kadmin.c:475
 msgid "creating host service principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:489
+#: ../../src/kadmin/cli/kadmin.c:488
 #, c-format
 msgid "%s: unable to canonicalize principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:532
+#: ../../src/kadmin/cli/kadmin.c:531
 #, c-format
 msgid "%s: unable to figure out a principal name\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:539
+#: ../../src/kadmin/cli/kadmin.c:538
 msgid "while setting up logging"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:548
+#: ../../src/kadmin/cli/kadmin.c:547
 #, c-format
 msgid "Authenticating as principal %s with existing credentials.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:554
+#: ../../src/kadmin/cli/kadmin.c:553
 #, c-format
 msgid "Authenticating as principal %s with password; anonymous requested.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:561
+#: ../../src/kadmin/cli/kadmin.c:560
 #, c-format
 msgid "Authenticating as principal %s with keytab %s.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:564
+#: ../../src/kadmin/cli/kadmin.c:563
 #, c-format
 msgid "Authenticating as principal %s with default keytab.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:571
+#: ../../src/kadmin/cli/kadmin.c:570
 #, c-format
 msgid "Authenticating as principal %s with password.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:579 ../../src/slave/kpropd.c:705
+#: ../../src/kadmin/cli/kadmin.c:578 ../../src/slave/kpropd.c:727
 #, c-format
 msgid "while initializing %s interface"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:594
+#: ../../src/kadmin/cli/kadmin.c:593
 #, c-format
 msgid "while closing ccache %s"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:600
+#: ../../src/kadmin/cli/kadmin.c:599
 msgid "while mapping update log"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:616
+#: ../../src/kadmin/cli/kadmin.c:615
 msgid "while unlocking locked database"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:625
+#: ../../src/kadmin/cli/kadmin.c:624
 msgid "Administration credentials NOT DESTROYED.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:674
+#: ../../src/kadmin/cli/kadmin.c:673
 msgid "usage: delete_principal [-force] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:679 ../../src/kadmin/cli/kadmin.c:854
+#: ../../src/kadmin/cli/kadmin.c:678 ../../src/kadmin/cli/kadmin.c:853
 msgid "while parsing principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:685 ../../src/kadmin/cli/kadmin.c:860
-#: ../../src/kadmin/cli/kadmin.c:1213 ../../src/kadmin/cli/kadmin.c:1338
-#: ../../src/kadmin/cli/kadmin.c:1408 ../../src/kadmin/cli/kadmin.c:1842
-#: ../../src/kadmin/cli/kadmin.c:1886 ../../src/kadmin/cli/kadmin.c:1932
-#: ../../src/kadmin/cli/kadmin.c:1972
+#: ../../src/kadmin/cli/kadmin.c:684 ../../src/kadmin/cli/kadmin.c:859
+#: ../../src/kadmin/cli/kadmin.c:1212 ../../src/kadmin/cli/kadmin.c:1337
+#: ../../src/kadmin/cli/kadmin.c:1407 ../../src/kadmin/cli/kadmin.c:1841
+#: ../../src/kadmin/cli/kadmin.c:1885 ../../src/kadmin/cli/kadmin.c:1931
+#: ../../src/kadmin/cli/kadmin.c:1971
 msgid "while canonicalizing principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:689
+#: ../../src/kadmin/cli/kadmin.c:688
 #, c-format
 msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): "
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:693
+#: ../../src/kadmin/cli/kadmin.c:692
 #, c-format
 msgid "Principal \"%s\" not deleted\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:700
+#: ../../src/kadmin/cli/kadmin.c:699
 #, c-format
 msgid "while deleting principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:703
+#: ../../src/kadmin/cli/kadmin.c:702
 #, c-format
 msgid "Principal \"%s\" deleted.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:704
+#: ../../src/kadmin/cli/kadmin.c:703
 msgid ""
 "Make sure that you have removed this principal from all ACLs before "
 "reusing.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:721
+#: ../../src/kadmin/cli/kadmin.c:720
 msgid "usage: rename_principal [-force] old_principal new_principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:728
+#: ../../src/kadmin/cli/kadmin.c:727
 msgid "while parsing old principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:734
+#: ../../src/kadmin/cli/kadmin.c:733
 msgid "while parsing new principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:740
+#: ../../src/kadmin/cli/kadmin.c:739
 msgid "while canonicalizing old principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:746
+#: ../../src/kadmin/cli/kadmin.c:745
 msgid "while canonicalizing new principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:750
+#: ../../src/kadmin/cli/kadmin.c:749
 #, c-format
 msgid ""
 "Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): "
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:754
+#: ../../src/kadmin/cli/kadmin.c:753
 #, c-format
 msgid "Principal \"%s\" not renamed\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:761
+#: ../../src/kadmin/cli/kadmin.c:760
 #, c-format
 msgid "while renaming principal \"%s\" to \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:765
+#: ../../src/kadmin/cli/kadmin.c:764
 #, c-format
 msgid "Principal \"%s\" renamed to \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:766
+#: ../../src/kadmin/cli/kadmin.c:765
 msgid ""
 "Make sure that you have removed the old principal from all ACLs before "
 "reusing.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:781
+#: ../../src/kadmin/cli/kadmin.c:780
 msgid ""
 "usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] "
 "principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:807
+#: ../../src/kadmin/cli/kadmin.c:806
 msgid "change_password: missing db argument"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:813
+#: ../../src/kadmin/cli/kadmin.c:812
 msgid "change_password: Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:821
+#: ../../src/kadmin/cli/kadmin.c:820
 msgid "change_password: missing password arg"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:832
+#: ../../src/kadmin/cli/kadmin.c:831
 msgid "change_password: missing keysaltlist arg"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:848
+#: ../../src/kadmin/cli/kadmin.c:847
 msgid "missing principal name"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:872 ../../src/kadmin/cli/kadmin.c:909
+#: ../../src/kadmin/cli/kadmin.c:871 ../../src/kadmin/cli/kadmin.c:908
 #, c-format
 msgid "while changing password for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:875 ../../src/kadmin/cli/kadmin.c:912
+#: ../../src/kadmin/cli/kadmin.c:874 ../../src/kadmin/cli/kadmin.c:911
 #, c-format
 msgid "Password for \"%s\" changed.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:881 ../../src/kadmin/cli/kadmin.c:1289
+#: ../../src/kadmin/cli/kadmin.c:880 ../../src/kadmin/cli/kadmin.c:1288
 #, c-format
 msgid "while randomizing key for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:884
+#: ../../src/kadmin/cli/kadmin.c:883
 #, c-format
 msgid "Key for \"%s\" randomized.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:889 ../../src/kadmin/cli/kadmin.c:1249
+#: ../../src/kadmin/cli/kadmin.c:888 ../../src/kadmin/cli/kadmin.c:1248
 #, c-format
 msgid "Enter password for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:891 ../../src/kadmin/cli/kadmin.c:1251
+#: ../../src/kadmin/cli/kadmin.c:890 ../../src/kadmin/cli/kadmin.c:1250
 #, c-format
 msgid "Re-enter password for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:896 ../../src/kadmin/cli/kadmin.c:1255
+#: ../../src/kadmin/cli/kadmin.c:895 ../../src/kadmin/cli/kadmin.c:1254
 #, c-format
 msgid "while reading password for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:950
+#: ../../src/kadmin/cli/kadmin.c:949
 msgid "Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:980 ../../src/kadmin/dbutil/kdb5_util.c:631
+#: ../../src/kadmin/cli/kadmin.c:979 ../../src/kadmin/dbutil/kdb5_util.c:631
 msgid "while getting time"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1121 ../../src/kadmin/cli/kadmin.c:1332
-#: ../../src/kadmin/cli/kadmin.c:1403 ../../src/kadmin/cli/kadmin.c:1836
-#: ../../src/kadmin/cli/kadmin.c:1880 ../../src/kadmin/cli/kadmin.c:1926
-#: ../../src/kadmin/cli/kadmin.c:1966
+#: ../../src/kadmin/cli/kadmin.c:1120 ../../src/kadmin/cli/kadmin.c:1331
+#: ../../src/kadmin/cli/kadmin.c:1402 ../../src/kadmin/cli/kadmin.c:1835
+#: ../../src/kadmin/cli/kadmin.c:1879 ../../src/kadmin/cli/kadmin.c:1925
+#: ../../src/kadmin/cli/kadmin.c:1965
 msgid "while parsing principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1130
+#: ../../src/kadmin/cli/kadmin.c:1129
 msgid "usage: add_principal [options] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1131 ../../src/kadmin/cli/kadmin.c:1155
-#: ../../src/kadmin/cli/kadmin.c:1642
+#: ../../src/kadmin/cli/kadmin.c:1130 ../../src/kadmin/cli/kadmin.c:1154
+#: ../../src/kadmin/cli/kadmin.c:1641
 msgid "\toptions are:\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1132
+#: ../../src/kadmin/cli/kadmin.c:1131
 msgid ""
 "\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire "
 "pwexpdate] [-maxlife maxtixlife]\n"
@@ -1575,11 +1578,11 @@ msgid ""
 "\t\t[{+|-}attribute]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1137 ../../src/kadmin/cli/kadmin.c:1160
+#: ../../src/kadmin/cli/kadmin.c:1136 ../../src/kadmin/cli/kadmin.c:1159
 msgid "\tattributes are:\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1161
+#: ../../src/kadmin/cli/kadmin.c:1137 ../../src/kadmin/cli/kadmin.c:1160
 msgid ""
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
@@ -1592,11 +1595,11 @@ msgid ""
 "\t\t\tLook at each database documentation for supported arguments\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1154
+#: ../../src/kadmin/cli/kadmin.c:1153
 msgid "usage: modify_principal [options] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1156
+#: ../../src/kadmin/cli/kadmin.c:1155
 msgid ""
 "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife "
 "maxtixlife]\n"
@@ -1604,170 +1607,170 @@ msgid ""
 "\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1220 ../../src/kadmin/cli/kadmin.c:1361
+#: ../../src/kadmin/cli/kadmin.c:1219 ../../src/kadmin/cli/kadmin.c:1360
 #, c-format
 msgid "WARNING: policy \"%s\" does not exist\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1227
+#: ../../src/kadmin/cli/kadmin.c:1226
 #, c-format
 msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1233
+#: ../../src/kadmin/cli/kadmin.c:1232
 #, c-format
 msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1275
+#: ../../src/kadmin/cli/kadmin.c:1274
 #, c-format
 msgid "Admin server does not support -nokey while creating \"%s\"\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1297
+#: ../../src/kadmin/cli/kadmin.c:1296
 #, c-format
 msgid "while clearing DISALLOW_ALL_TIX for \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1344
+#: ../../src/kadmin/cli/kadmin.c:1343
 #, c-format
 msgid "while getting \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1370
+#: ../../src/kadmin/cli/kadmin.c:1369
 #, c-format
 msgid "while modifying \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1374
+#: ../../src/kadmin/cli/kadmin.c:1373
 #, c-format
 msgid "Principal \"%s\" modified.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1395
+#: ../../src/kadmin/cli/kadmin.c:1394
 msgid "usage: get_principal [-terse] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1414
+#: ../../src/kadmin/cli/kadmin.c:1413
 #, c-format
 msgid "while retrieving \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1419 ../../src/kadmin/cli/kadmin.c:1424
+#: ../../src/kadmin/cli/kadmin.c:1418 ../../src/kadmin/cli/kadmin.c:1423
 msgid "while unparsing principal"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1428
+#: ../../src/kadmin/cli/kadmin.c:1427
 #, c-format
 msgid "Principal: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1429
+#: ../../src/kadmin/cli/kadmin.c:1428
 #, c-format
 msgid "Expiration date: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1430 ../../src/kadmin/cli/kadmin.c:1432
-#: ../../src/kadmin/cli/kadmin.c:1435 ../../src/kadmin/cli/kadmin.c:1443
+#: ../../src/kadmin/cli/kadmin.c:1429 ../../src/kadmin/cli/kadmin.c:1431
+#: ../../src/kadmin/cli/kadmin.c:1434 ../../src/kadmin/cli/kadmin.c:1442
 msgid "[never]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1431
+#: ../../src/kadmin/cli/kadmin.c:1430
 #, c-format
 msgid "Last password change: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1433
+#: ../../src/kadmin/cli/kadmin.c:1432
 #, c-format
 msgid "Password expiration date: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1436
+#: ../../src/kadmin/cli/kadmin.c:1435
 #, c-format
 msgid "Maximum ticket life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1437
+#: ../../src/kadmin/cli/kadmin.c:1436
 #, c-format
 msgid "Maximum renewable life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1439
+#: ../../src/kadmin/cli/kadmin.c:1438
 #, c-format
 msgid "Last modified: %s (%s)\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1441
+#: ../../src/kadmin/cli/kadmin.c:1440
 #, c-format
 msgid "Last successful authentication: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1447
+#: ../../src/kadmin/cli/kadmin.c:1446
 #, c-format
 msgid "Failed password attempts: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1449
+#: ../../src/kadmin/cli/kadmin.c:1448
 #, c-format
 msgid "Number of keys: %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1456
+#: ../../src/kadmin/cli/kadmin.c:1455
 #, c-format
 msgid "<Encryption type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1463
+#: ../../src/kadmin/cli/kadmin.c:1462
 #, c-format
 msgid "<Salt type 0x%x>"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1469
+#: ../../src/kadmin/cli/kadmin.c:1468
 #, c-format
 msgid "MKey: vno %d\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1471
+#: ../../src/kadmin/cli/kadmin.c:1470
 #, c-format
 msgid "Attributes:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1474
+#: ../../src/kadmin/cli/kadmin.c:1473
 msgid "while printing flags"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1483
+#: ../../src/kadmin/cli/kadmin.c:1482
 msgid "[none]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1485
+#: ../../src/kadmin/cli/kadmin.c:1484
 msgid " [does not exist]"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1486
+#: ../../src/kadmin/cli/kadmin.c:1485
 #, c-format
 msgid "Policy: %s%s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1522
+#: ../../src/kadmin/cli/kadmin.c:1521
 msgid "usage: get_principals [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1527 ../../src/kadmin/cli/kadmin.c:1778
+#: ../../src/kadmin/cli/kadmin.c:1526 ../../src/kadmin/cli/kadmin.c:1777
 msgid "while retrieving list."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1632
+#: ../../src/kadmin/cli/kadmin.c:1631
 #, c-format
 msgid "%s: parser lost count!\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1641
+#: ../../src/kadmin/cli/kadmin.c:1640
 #, c-format
 msgid "usage; %s [options] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1643
+#: ../../src/kadmin/cli/kadmin.c:1642
 msgid ""
 "\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
 "\t\t[-minclasses number] [-history number]\n"
@@ -1775,172 +1778,172 @@ msgid ""
 "\t\t[-allowedkeysalts keysalts]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1647
+#: ../../src/kadmin/cli/kadmin.c:1646
 msgid "\t\t[-lockoutduration time]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1666
+#: ../../src/kadmin/cli/kadmin.c:1665
 #, c-format
 msgid "while creating policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1687
+#: ../../src/kadmin/cli/kadmin.c:1686
 #, c-format
 msgid "while modifying policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1699
+#: ../../src/kadmin/cli/kadmin.c:1698
 msgid "usage: delete_policy [-force] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1703
+#: ../../src/kadmin/cli/kadmin.c:1702
 #, c-format
 msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1707
+#: ../../src/kadmin/cli/kadmin.c:1706
 #, c-format
 msgid "Policy \"%s\" not deleted.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1713
+#: ../../src/kadmin/cli/kadmin.c:1712
 #, c-format
 msgid "while deleting policy \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1725
+#: ../../src/kadmin/cli/kadmin.c:1724
 msgid "usage: get_policy [-terse] policy\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1730
+#: ../../src/kadmin/cli/kadmin.c:1729
 #, c-format
 msgid "while retrieving policy \"%s\"."
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1735
+#: ../../src/kadmin/cli/kadmin.c:1734
 #, c-format
 msgid "Policy: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1736
+#: ../../src/kadmin/cli/kadmin.c:1735
 #, c-format
 msgid "Maximum password life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1737
+#: ../../src/kadmin/cli/kadmin.c:1736
 #, c-format
 msgid "Minimum password life: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1738
+#: ../../src/kadmin/cli/kadmin.c:1737
 #, c-format
 msgid "Minimum password length: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1739
+#: ../../src/kadmin/cli/kadmin.c:1738
 #, c-format
 msgid "Minimum number of password character classes: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1741
+#: ../../src/kadmin/cli/kadmin.c:1740
 #, c-format
 msgid "Number of old keys kept: %ld\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1742
+#: ../../src/kadmin/cli/kadmin.c:1741
 #, c-format
 msgid "Maximum password failures before lockout: %lu\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1744
+#: ../../src/kadmin/cli/kadmin.c:1743
 #, c-format
 msgid "Password failure count reset interval: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1746
+#: ../../src/kadmin/cli/kadmin.c:1745
 #, c-format
 msgid "Password lockout duration: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1749
+#: ../../src/kadmin/cli/kadmin.c:1748
 #, c-format
 msgid "Allowed key/salt types: %s\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1773
+#: ../../src/kadmin/cli/kadmin.c:1772
 msgid "usage: get_policies [expression]\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1795
+#: ../../src/kadmin/cli/kadmin.c:1794
 msgid "usage: get_privs\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1800
+#: ../../src/kadmin/cli/kadmin.c:1799
 msgid "while retrieving privileges"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1803
+#: ../../src/kadmin/cli/kadmin.c:1802
 #, c-format
 msgid "current privileges:"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1829
+#: ../../src/kadmin/cli/kadmin.c:1828
 msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1849
+#: ../../src/kadmin/cli/kadmin.c:1848
 #, c-format
 msgid "while purging keys for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1854
+#: ../../src/kadmin/cli/kadmin.c:1853
 #, c-format
 msgid "All keys for principal \"%s\" removed.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1856
+#: ../../src/kadmin/cli/kadmin.c:1855
 #, c-format
 msgid "Old keys for principal \"%s\" purged.\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1873
+#: ../../src/kadmin/cli/kadmin.c:1872
 msgid "usage: get_strings principal\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1893
+#: ../../src/kadmin/cli/kadmin.c:1892
 #, c-format
 msgid "while getting attributes for principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1898
+#: ../../src/kadmin/cli/kadmin.c:1897
 #, c-format
 msgid "(No string attributes.)\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1917
+#: ../../src/kadmin/cli/kadmin.c:1916
 msgid "usage: set_string principal key value\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1939
+#: ../../src/kadmin/cli/kadmin.c:1938
 #, c-format
 msgid "while setting attribute on principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1943
+#: ../../src/kadmin/cli/kadmin.c:1942
 #, c-format
 msgid "Attribute set for principal \"%s\".\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1958
+#: ../../src/kadmin/cli/kadmin.c:1957
 msgid "usage: del_string principal key\n"
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1979
+#: ../../src/kadmin/cli/kadmin.c:1978
 #, c-format
 msgid "while deleting attribute from principal \"%s\""
 msgstr ""
 
-#: ../../src/kadmin/cli/kadmin.c:1983
+#: ../../src/kadmin/cli/kadmin.c:1982
 #, c-format
 msgid "Attribute removed from principal \"%s\".\n"
 msgstr ""
@@ -2087,228 +2090,240 @@ msgstr ""
 msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:521
+#: ../../src/kadmin/dbutil/dump.c:522
 #, c-format
 msgid ""
 "Warning!  Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:532
+#: ../../src/kadmin/dbutil/dump.c:533
 #, c-format
 msgid ""
 "Warning!  No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
 "record; skipping\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:561
+#: ../../src/kadmin/dbutil/dump.c:562
 #, c-format
 msgid "while converting %s to new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:582
+#: ../../src/kadmin/dbutil/dump.c:583
 #, c-format
 msgid "%s(%d): %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:625
+#: ../../src/kadmin/dbutil/dump.c:626
 #, c-format
 msgid "%s(%d): ignoring trash at end of line: "
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:688
+#: ../../src/kadmin/dbutil/dump.c:689
 msgid "cannot read tagged data type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:695
+#: ../../src/kadmin/dbutil/dump.c:693
+msgid "data type or length overflowed"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:700
 msgid "cannot read tagged data contents"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:728
+#: ../../src/kadmin/dbutil/dump.c:733
 msgid "cannot match size tokens"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:757
+#: ../../src/kadmin/dbutil/dump.c:744
+msgid "cannot allocate tl_data (too large)"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:766
 msgid "cannot read name string"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:762
+#: ../../src/kadmin/dbutil/dump.c:771
 #, c-format
 msgid "while parsing name %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:770
+#: ../../src/kadmin/dbutil/dump.c:779
 msgid "cannot read principal attributes"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:823
+#: ../../src/kadmin/dbutil/dump.c:832
 msgid "cannot read key size and version"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:834
+#: ../../src/kadmin/dbutil/dump.c:836
+msgid "unsupported key_data_ver version"
+msgstr ""
+
+#: ../../src/kadmin/dbutil/dump.c:847
 msgid "cannot read key type and length"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:840
+#: ../../src/kadmin/dbutil/dump.c:853
 msgid "cannot read key data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:850
+#: ../../src/kadmin/dbutil/dump.c:863
 msgid "cannot read extra data"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:859
+#: ../../src/kadmin/dbutil/dump.c:872
 #, c-format
 msgid "while storing %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:898 ../../src/kadmin/dbutil/dump.c:937
-#: ../../src/kadmin/dbutil/dump.c:983 ../../src/kadmin/dbutil/dump.c:1002
+#: ../../src/kadmin/dbutil/dump.c:911 ../../src/kadmin/dbutil/dump.c:950
+#: ../../src/kadmin/dbutil/dump.c:996 ../../src/kadmin/dbutil/dump.c:1015
 #, c-format
 msgid "cannot parse policy (%d read)\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:906 ../../src/kadmin/dbutil/dump.c:945
-#: ../../src/kadmin/dbutil/dump.c:1023
+#: ../../src/kadmin/dbutil/dump.c:919 ../../src/kadmin/dbutil/dump.c:958
+#: ../../src/kadmin/dbutil/dump.c:1036
 msgid "while creating policy"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:910
+#: ../../src/kadmin/dbutil/dump.c:923
 #, c-format
 msgid "created policy %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1060
+#: ../../src/kadmin/dbutil/dump.c:1073
 #, c-format
 msgid "unknown record type \"%s\"\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1189
+#: ../../src/kadmin/dbutil/dump.c:1202
 #, c-format
 msgid "%s: Unknown iprop dump version %d\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1292 ../../src/kadmin/dbutil/dump.c:1519
+#: ../../src/kadmin/dbutil/dump.c:1305 ../../src/kadmin/dbutil/dump.c:1532
 #, c-format
 msgid "Iprop not enabled\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1329
+#: ../../src/kadmin/dbutil/dump.c:1342
 msgid "Conditional dump is an undocumented option for use only for iprop dumps"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1342
+#: ../../src/kadmin/dbutil/dump.c:1355
 msgid "Database not currently opened!"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1356
+#: ../../src/kadmin/dbutil/dump.c:1369
 #: ../../src/kadmin/dbutil/kdb5_stash.c:116
 #: ../../src/kadmin/dbutil/kdb5_util.c:485
 msgid "while reading master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1362
+#: ../../src/kadmin/dbutil/dump.c:1375
 msgid "while verifying master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1381 ../../src/kadmin/dbutil/dump.c:1391
+#: ../../src/kadmin/dbutil/dump.c:1394 ../../src/kadmin/dbutil/dump.c:1404
 msgid "while reading new master key"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1385
+#: ../../src/kadmin/dbutil/dump.c:1398
 #, c-format
 msgid "Please enter new master key....\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1409
+#: ../../src/kadmin/dbutil/dump.c:1422
 #, c-format
 msgid "while opening %s for writing"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1424
+#: ../../src/kadmin/dbutil/dump.c:1437
 msgid "while reading update log header"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1439 ../../src/kadmin/dbutil/dump.c:1446
+#: ../../src/kadmin/dbutil/dump.c:1452 ../../src/kadmin/dbutil/dump.c:1459
 #, c-format
 msgid "performing %s dump"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1476
+#: ../../src/kadmin/dbutil/dump.c:1489
 #, c-format
 msgid "%s: error processing line %d of %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1528
+#: ../../src/kadmin/dbutil/dump.c:1541
 msgid "while parsing options"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1543
+#: ../../src/kadmin/dbutil/dump.c:1556
 #, c-format
 msgid "while opening %s"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1548 ../../src/kadmin/dbutil/dump.c:1647
+#: ../../src/kadmin/dbutil/dump.c:1561 ../../src/kadmin/dbutil/dump.c:1660
 msgid "standard input"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1553
+#: ../../src/kadmin/dbutil/dump.c:1566
 #, c-format
 msgid "%s: can't read dump header in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1561 ../../src/kadmin/dbutil/dump.c:1578
+#: ../../src/kadmin/dbutil/dump.c:1574 ../../src/kadmin/dbutil/dump.c:1591
 #, c-format
 msgid "%s: dump header bad in %s\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1587
+#: ../../src/kadmin/dbutil/dump.c:1600
 #, c-format
 msgid "Could not open iprop ulog\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1592
+#: ../../src/kadmin/dbutil/dump.c:1605
 #, c-format
 msgid "%s: dump version %s can only be loaded with the -update flag\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1601 ../../src/kadmin/dbutil/dump.c:1606
+#: ../../src/kadmin/dbutil/dump.c:1614 ../../src/kadmin/dbutil/dump.c:1619
 msgid "computing parameters for database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1612
+#: ../../src/kadmin/dbutil/dump.c:1625
 msgid "while creating database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1621
+#: ../../src/kadmin/dbutil/dump.c:1634
 msgid "while opening database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1631
+#: ../../src/kadmin/dbutil/dump.c:1644
 msgid "while permanently locking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1649
+#: ../../src/kadmin/dbutil/dump.c:1662
 #, c-format
 msgid "%s: %s restore failed\n"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1654
+#: ../../src/kadmin/dbutil/dump.c:1667
 msgid "while unlocking database"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1664 ../../src/kadmin/dbutil/dump.c:1683
+#: ../../src/kadmin/dbutil/dump.c:1677 ../../src/kadmin/dbutil/dump.c:1696
 msgid "while reinitializing update log"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1674
+#: ../../src/kadmin/dbutil/dump.c:1687
 msgid "while making newly loaded database live"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1690
+#: ../../src/kadmin/dbutil/dump.c:1703
 msgid "while writing update log header"
 msgstr ""
 
-#: ../../src/kadmin/dbutil/dump.c:1704
+#: ../../src/kadmin/dbutil/dump.c:1717
 #, c-format
 msgid "while deleting bad database %s"
 msgstr ""
@@ -2965,161 +2980,198 @@ msgstr ""
 msgid "%s: writing srvtabs is no longer supported\n"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:169
+#: ../../src/kadmin/ktutil/ktutil.c:177
 #, c-format
-msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n"
+msgid ""
+"usage: %s (-key | -password) -p principal -k kvno -e enctype [-s salt]\n"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:176
+#: ../../src/kadmin/ktutil/ktutil.c:185
 msgid "while adding new entry"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:186
+#: ../../src/kadmin/ktutil/ktutil.c:195
 #, c-format
 msgid "%s: must specify entry to delete\n"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:191
+#: ../../src/kadmin/ktutil/ktutil.c:200
 #, c-format
 msgid "while deleting entry %d"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:219
+#: ../../src/kadmin/ktutil/ktutil.c:228
 #, c-format
 msgid "%s: usage: %s [-t] [-k] [-e]\n"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil.c:259
+#: ../../src/kadmin/ktutil/ktutil.c:268
 msgid "While converting enctype to string"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil_funcs.c:162
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:163
 #, c-format
 msgid "Password for %.1000s"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil_funcs.c:179
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:185
 #, c-format
 msgid "Key for %s (hex): "
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil_funcs.c:191
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:197
 #, c-format
 msgid "addent: Error reading key.\n"
 msgstr ""
 
-#: ../../src/kadmin/ktutil/ktutil_funcs.c:206
+#: ../../src/kadmin/ktutil/ktutil_funcs.c:212
 #, c-format
 msgid "addent: Illegal character in key.\n"
 msgstr ""
 
+#: ../../src/kadmin/server/auth_acl.c:240
+#, c-format
+msgid "%s: invalid restrictions: %s"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:288
+#, c-format
+msgid "Unrecognized ACL operation '%c' in %s"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:296
+#, c-format
+msgid "Cannot parse client principal '%s'"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:304
+#, c-format
+msgid "Cannot parse target principal '%s'"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:400
+#, c-format
+msgid "%s while opening ACL file %s"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:403
+#, c-format
+msgid "Cannot open %s: %s"
+msgstr ""
+
+#: ../../src/kadmin/server/auth_acl.c:419
+#: ../../src/kadmin/server/auth_acl.c:422
+#, c-format
+msgid "%s: syntax error at line %d <%.10s...>"
+msgstr ""
+
 #: ../../src/kadmin/server/ipropd_svc.c:49
 #, c-format
 msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s"
 msgstr ""
 
 #: ../../src/kadmin/server/ipropd_svc.c:50
-#: ../../src/kadmin/server/ipropd_svc.c:214
+#: ../../src/kadmin/server/ipropd_svc.c:224
 #, c-format
 msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:150
-#: ../../src/kadmin/server/ipropd_svc.c:273
+#: ../../src/kadmin/server/ipropd_svc.c:164
+#: ../../src/kadmin/server/ipropd_svc.c:283
 #, c-format
 msgid "%s: server handle is NULL"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:160
-#: ../../src/kadmin/server/ipropd_svc.c:286
+#: ../../src/kadmin/server/ipropd_svc.c:174
+#: ../../src/kadmin/server/ipropd_svc.c:296
 #, c-format
 msgid "%s: setup_gss_names failed"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:168
-#: ../../src/kadmin/server/ipropd_svc.c:295
+#: ../../src/kadmin/server/ipropd_svc.c:182
+#: ../../src/kadmin/server/ipropd_svc.c:305
 #, c-format
 msgid "%s: out of memory recording principal names"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:197
+#: ../../src/kadmin/server/ipropd_svc.c:207
 #, c-format
 msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:203
+#: ../../src/kadmin/server/ipropd_svc.c:213
 #, c-format
 msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:320
+#: ../../src/kadmin/server/ipropd_svc.c:326
 #, c-format
 msgid "%s: getclhoststr failed"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:342
+#: ../../src/kadmin/server/ipropd_svc.c:348
 #, c-format
 msgid "%s: cannot construct kdb5 util dump string too long; out of memory"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:362
+#: ../../src/kadmin/server/ipropd_svc.c:368
 #, c-format
 msgid "%s: fork failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:374
+#: ../../src/kadmin/server/ipropd_svc.c:380
 #, c-format
 msgid "%s: popen failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:388
+#: ../../src/kadmin/server/ipropd_svc.c:394
 #, c-format
 msgid "%s: pclose(popen) failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:408
+#: ../../src/kadmin/server/ipropd_svc.c:414
 #, c-format
 msgid "%s: exec failed: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:424
+#: ../../src/kadmin/server/ipropd_svc.c:430
 #, c-format
 msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:488
+#: ../../src/kadmin/server/ipropd_svc.c:494
 #: ../../src/kadmin/server/kadm_rpc_svc.c:306
 #, c-format
 msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:518
+#: ../../src/kadmin/server/ipropd_svc.c:524
 #: ../../src/kadmin/server/kadm_rpc_svc.c:335
 #, c-format
 msgid "bad service principal %.*s%s"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:541
+#: ../../src/kadmin/server/ipropd_svc.c:547
 #, c-format
 msgid "authentication attempt failed: %s, RPC authentication flavor %d"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:575
+#: ../../src/kadmin/server/ipropd_svc.c:581
 #, c-format
 msgid "RPC unknown request: %d (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:583
+#: ../../src/kadmin/server/ipropd_svc.c:589
 #, c-format
 msgid "RPC svc_getargs failed (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:593
+#: ../../src/kadmin/server/ipropd_svc.c:599
 #, c-format
 msgid "RPC svc_sendreply failed (%s)"
 msgstr ""
 
-#: ../../src/kadmin/server/ipropd_svc.c:599
+#: ../../src/kadmin/server/ipropd_svc.c:605
 #, c-format
 msgid "RPC svc_freeargs failed (%s)"
 msgstr ""
@@ -3194,157 +3246,157 @@ msgstr ""
 msgid "   GSS-API error strings complete."
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:382
+#: ../../src/kadmin/server/ovsec_kadmd.c:383
 #, c-format
 msgid "%s: cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:454
+#: ../../src/kadmin/server/ovsec_kadmd.c:455
 #, c-format
 msgid "%s: %s while initializing context, aborting\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:465
+#: ../../src/kadmin/server/ovsec_kadmd.c:466
 msgid "initializing"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:469
+#: ../../src/kadmin/server/ovsec_kadmd.c:470
 msgid "getting config parameters"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:471
+#: ../../src/kadmin/server/ovsec_kadmd.c:472
 msgid "Missing required realm configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:473
+#: ../../src/kadmin/server/ovsec_kadmd.c:474
 msgid "Missing required ACL file configuration"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:477
+#: ../../src/kadmin/server/ovsec_kadmd.c:478
 msgid "initializing network"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:482
+#: ../../src/kadmin/server/ovsec_kadmd.c:483
 msgid "Cannot build GSSAPI auth names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:486
+#: ../../src/kadmin/server/ovsec_kadmd.c:487
 msgid "Cannot set up KDB keytab"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:489
+#: ../../src/kadmin/server/ovsec_kadmd.c:490
 msgid "Cannot set GSSAPI authentication names"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:506
+#: ../../src/kadmin/server/ovsec_kadmd.c:507
 msgid "Cannot initialize GSSAPI service name"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:510
+#: ../../src/kadmin/server/ovsec_kadmd.c:512
 msgid "initializing ACL file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:513
+#: ../../src/kadmin/server/ovsec_kadmd.c:515
 msgid "spawning daemon process"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:517
+#: ../../src/kadmin/server/ovsec_kadmd.c:519
 msgid "creating PID file"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:520
+#: ../../src/kadmin/server/ovsec_kadmd.c:522
 msgid "Seeding random number generator"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:523
+#: ../../src/kadmin/server/ovsec_kadmd.c:525
 msgid "getting random seed"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:530
+#: ../../src/kadmin/server/ovsec_kadmd.c:532
 msgid "mapping update log"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:534
+#: ../../src/kadmin/server/ovsec_kadmd.c:536
 #, c-format
 msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:542
+#: ../../src/kadmin/server/ovsec_kadmd.c:544
 msgid "starting"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:544 ../../src/kdc/main.c:1062
+#: ../../src/kadmin/server/ovsec_kadmd.c:546 ../../src/kdc/main.c:1069
 #, c-format
 msgid "%s: starting...\n"
 msgstr ""
 
-#: ../../src/kadmin/server/ovsec_kadmd.c:547
+#: ../../src/kadmin/server/ovsec_kadmd.c:549
 msgid "finished, exiting"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:282
+#: ../../src/kadmin/server/schpw.c:273
 #, c-format
 msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:287
+#: ../../src/kadmin/server/schpw.c:278
 #, c-format
 msgid "chpw request from %s for %.*s%s: %s"
 msgstr ""
 
-#: ../../src/kadmin/server/schpw.c:464
+#: ../../src/kadmin/server/schpw.c:444
 #, c-format
 msgid "chpw: Couldn't open admin keytab %s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:343
+#: ../../src/kadmin/server/server_stubs.c:394
 #, c-format
 msgid ""
 "Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:364
-#: ../../src/kadmin/server/server_stubs.c:666
-#: ../../src/kadmin/server/server_stubs.c:1627
+#: ../../src/kadmin/server/server_stubs.c:415
+#: ../../src/kadmin/server/server_stubs.c:693
+#: ../../src/kadmin/server/server_stubs.c:1618
 msgid "success"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:374
+#: ../../src/kadmin/server/server_stubs.c:425
 #, c-format
 msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:646
+#: ../../src/kadmin/server/server_stubs.c:673
 #, c-format
 msgid ""
 "Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s"
 "%s, service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:661
+#: ../../src/kadmin/server/server_stubs.c:688
 #, c-format
 msgid ""
 "Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, "
 "service=%.*s%s, addr=%s"
 msgstr ""
 
-#: ../../src/kadmin/server/server_stubs.c:1623
+#: ../../src/kadmin/server/server_stubs.c:1614
 #, c-format
 msgid ""
 "Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, "
 "vers=%d, flavor=%d"
 msgstr ""
 
-#: ../../src/kdc/do_as_req.c:295
+#: ../../src/kdc/do_as_req.c:301
 #, c-format
 msgid "AS_REQ : handle_authdata (%d)"
 msgstr ""
 
-#: ../../src/kdc/do_tgs_req.c:661
+#: ../../src/kdc/do_tgs_req.c:659
 msgid "not checking transit path"
 msgstr ""
 
-#: ../../src/kdc/do_tgs_req.c:684
+#: ../../src/kdc/do_tgs_req.c:682
 #, c-format
 msgid "TGS_REQ : handle_authdata (%d)"
 msgstr ""
@@ -3393,51 +3445,51 @@ msgstr ""
 msgid "while loading authdata module %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:82
+#: ../../src/kdc/kdc_log.c:84
 #, c-format
-msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s"
+msgid "AS_REQ (%s) %s: ISSUE: authtime %u, %s, %s for %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:88
+#: ../../src/kdc/kdc_log.c:90
 #, c-format
 msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:159
+#: ../../src/kdc/kdc_log.c:162
 #, c-format
-msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s"
+msgid "TGS_REQ (%s) %s: %s: authtime %u, %s%s %s for %s%s%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:166
+#: ../../src/kdc/kdc_log.c:169
 #, c-format
 msgid "... PROTOCOL-TRANSITION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:170
+#: ../../src/kdc/kdc_log.c:173
 #, c-format
 msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:174
+#: ../../src/kdc/kdc_log.c:177
 #, c-format
-msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s"
+msgid "TGS_REQ %s: %s: authtime %u, %s for %s, 2nd tkt client %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:208
+#: ../../src/kdc/kdc_log.c:211
 #, c-format
 msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:214
+#: ../../src/kdc/kdc_log.c:217
 #, c-format
 msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:232
+#: ../../src/kdc/kdc_log.c:235
 msgid "TGS_REQ: issuing alternate <un-unparseable> TGT"
 msgstr ""
 
-#: ../../src/kdc/kdc_log.c:235
+#: ../../src/kdc/kdc_log.c:238
 #, c-format
 msgid "TGS_REQ: issuing TGT %s"
 msgstr ""
@@ -3452,16 +3504,16 @@ msgstr ""
 msgid "preauth %s failed to setup loop: %s"
 msgstr ""
 
-#: ../../src/kdc/kdc_preauth.c:773
+#: ../../src/kdc/kdc_preauth.c:804
 #, c-format
 msgid "%spreauth required but hint list is empty"
 msgstr ""
 
-#: ../../src/kdc/kdc_preauth_ec.c:75
+#: ../../src/kdc/kdc_preauth_ec.c:76
 msgid "Encrypted Challenge used outside of FAST tunnel"
 msgstr ""
 
-#: ../../src/kdc/kdc_preauth_ec.c:110
+#: ../../src/kdc/kdc_preauth_ec.c:120
 msgid "Incorrect password in encrypted challenge"
 msgstr ""
 
@@ -3478,76 +3530,76 @@ msgstr ""
 msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
 msgstr ""
 
-#: ../../src/kdc/kdc_util.c:805
+#: ../../src/kdc/kdc_util.c:798
 #, c-format
 msgid "Required auth indicators not present in ticket: %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:233
+#: ../../src/kdc/main.c:234
 #, c-format
 msgid "while getting context for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:341
+#: ../../src/kdc/main.c:342
 #, c-format
 msgid "while setting default realm to %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:349
+#: ../../src/kdc/main.c:350
 #, c-format
 msgid "while initializing database for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:358
+#: ../../src/kdc/main.c:359
 #, c-format
 msgid "while setting up master key name %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:371
+#: ../../src/kdc/main.c:372
 #, c-format
 msgid "while fetching master key %s for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:379
+#: ../../src/kdc/main.c:380
 #, c-format
 msgid "while fetching master keys list for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:388
+#: ../../src/kdc/main.c:389
 #, c-format
 msgid "while resolving kdb keytab for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:397
+#: ../../src/kdc/main.c:398
 #, c-format
 msgid "while building TGS name for realm %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:515
+#: ../../src/kdc/main.c:516
 #, c-format
 msgid "creating %d worker processes"
 msgstr ""
 
-#: ../../src/kdc/main.c:525
+#: ../../src/kdc/main.c:526
 msgid "Unable to reinitialize main loop"
 msgstr ""
 
-#: ../../src/kdc/main.c:530
+#: ../../src/kdc/main.c:531
 #, c-format
 msgid "Unable to initialize signal handlers in pid %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:560
+#: ../../src/kdc/main.c:561
 #, c-format
 msgid "worker %ld exited with status %d"
 msgstr ""
 
-#: ../../src/kdc/main.c:584
+#: ../../src/kdc/main.c:585
 #, c-format
 msgid "signal %d received in supervisor"
 msgstr ""
 
-#: ../../src/kdc/main.c:603
+#: ../../src/kdc/main.c:604
 #, c-format
 msgid ""
 "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
@@ -3561,310 +3613,324 @@ msgid ""
 "arguments\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:678 ../../src/kdc/main.c:685 ../../src/kdc/main.c:799
+#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:686 ../../src/kdc/main.c:800
 #, c-format
 msgid " KDC cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:704 ../../src/kdc/main.c:747 ../../src/kdc/main.c:758
+#: ../../src/kdc/main.c:705 ../../src/kdc/main.c:748 ../../src/kdc/main.c:759
 #, c-format
 msgid "%s: KDC cannot initialize. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:724 ../../src/kdc/main.c:841
+#: ../../src/kdc/main.c:725 ../../src/kdc/main.c:842
 #, c-format
 msgid "%s: cannot initialize realm %s - see log file for details\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:735
+#: ../../src/kdc/main.c:736
 #, c-format
 msgid "%s: cannot initialize realm %s. Not enough memory\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:786
+#: ../../src/kdc/main.c:787
 #, c-format
 msgid "invalid enctype %s"
 msgstr ""
 
-#: ../../src/kdc/main.c:829
+#: ../../src/kdc/main.c:830
 msgid "while attempting to retrieve default realm"
 msgstr ""
 
-#: ../../src/kdc/main.c:831
+#: ../../src/kdc/main.c:832
 #, c-format
 msgid "%s: %s, attempting to retrieve default realm\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:939
+#: ../../src/kdc/main.c:940
 #, c-format
 msgid "%s: cannot get memory for realm list\n"
 msgstr ""
 
-#: ../../src/kdc/main.c:974
+#: ../../src/kdc/main.c:975
 msgid "while initializing lookaside cache"
 msgstr ""
 
-#: ../../src/kdc/main.c:982
+#: ../../src/kdc/main.c:983
 msgid "while creating main loop"
 msgstr ""
 
 #: ../../src/kdc/main.c:992
+msgid "while loading KDC policy plugin"
+msgstr ""
+
+#: ../../src/kdc/main.c:999
 msgid "while initializing SAM"
 msgstr ""
 
-#: ../../src/kdc/main.c:1017
+#: ../../src/kdc/main.c:1024
 msgid "while initializing signal handlers"
 msgstr ""
 
-#: ../../src/kdc/main.c:1025
+#: ../../src/kdc/main.c:1032
 msgid "while initializing network"
 msgstr ""
 
-#: ../../src/kdc/main.c:1030
+#: ../../src/kdc/main.c:1037
 msgid "while detaching from tty"
 msgstr ""
 
-#: ../../src/kdc/main.c:1037
+#: ../../src/kdc/main.c:1044
 msgid "while creating PID file"
 msgstr ""
 
-#: ../../src/kdc/main.c:1046
+#: ../../src/kdc/main.c:1053
 msgid "creating worker processes"
 msgstr ""
 
-#: ../../src/kdc/main.c:1056
+#: ../../src/kdc/main.c:1063
 msgid "while loading audit plugin module(s)"
 msgstr ""
 
-#: ../../src/kdc/main.c:1060
+#: ../../src/kdc/main.c:1067
 msgid "commencing operation"
 msgstr ""
 
-#: ../../src/kdc/main.c:1068
+#: ../../src/kdc/main.c:1075
 msgid "shutting down"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:232
+#: ../../src/kdc/policy.c:230
+#, c-format
+msgid "while loading policy module %s"
+msgstr ""
+
+#: ../../src/lib/apputils/net-server.c:221
 msgid "Got signal to request exit"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:246
+#: ../../src/lib/apputils/net-server.c:235
 msgid "Got signal to reset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:312
+#: ../../src/lib/apputils/net-server.c:301
 #, c-format
 msgid "Invalid port %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:325
+#: ../../src/lib/apputils/net-server.c:314
 #, c-format
 msgid "Removing address %s since wildcard address is being added"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:332
+#: ../../src/lib/apputils/net-server.c:321
 msgid "Address already added to server"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:503
+#: ../../src/lib/apputils/net-server.c:484
 #, c-format
 msgid "closing down fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:517
+#: ../../src/lib/apputils/net-server.c:498
 #, c-format
 msgid "descriptor %d closed but still in svc_fdset"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:543
+#: ../../src/lib/apputils/net-server.c:524
 msgid "cannot create io event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:549
+#: ../../src/lib/apputils/net-server.c:529
 msgid "cannot save event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:569
+#: ../../src/lib/apputils/net-server.c:549
 #, c-format
 msgid "file descriptor number %d too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:577
+#: ../../src/lib/apputils/net-server.c:556
 msgid "cannot allocate storage for connection info"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:616
+#: ../../src/lib/apputils/net-server.c:591
 #, c-format
 msgid "Cannot create TCP server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:625
+#: ../../src/lib/apputils/net-server.c:600
 #, c-format
 msgid "TCP socket fd number %d (for %s) too high"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:633
+#: ../../src/lib/apputils/net-server.c:607
 #, c-format
 msgid "Cannot enable SO_REUSEADDR on fd %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:640
+#: ../../src/lib/apputils/net-server.c:612
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:642
+#: ../../src/lib/apputils/net-server.c:615
 #, c-format
 msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:645
+#: ../../src/lib/apputils/net-server.c:618
 msgid "no IPV6_V6ONLY socket option support"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:651
+#: ../../src/lib/apputils/net-server.c:624
 #, c-format
 msgid "Cannot bind server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:728
+#: ../../src/lib/apputils/net-server.c:694
 #, c-format
 msgid "Setting up %s socket for address %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:743
+#: ../../src/lib/apputils/net-server.c:707
 #, c-format
 msgid "Cannot listen on %s server socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:752
+#: ../../src/lib/apputils/net-server.c:716
 #, c-format
 msgid "cannot set listening %s socket on %s non-blocking"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:761
+#: ../../src/lib/apputils/net-server.c:724
 #, c-format
 msgid "cannot set SO_LINGER on %s socket on %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:768
+#: ../../src/lib/apputils/net-server.c:731
 #, c-format
 msgid "Setting pktinfo on socket %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:773
+#: ../../src/lib/apputils/net-server.c:736
 #, c-format
 msgid "Cannot request packet info for UDP socket address %s port %d"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:775
+#: ../../src/lib/apputils/net-server.c:738
 msgid ""
 "System does not support pktinfo yet binding to a wildcard address.  Packets "
 "are not guaranteed to return on the received address."
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:788
+#: ../../src/lib/apputils/net-server.c:750
 msgid "Error attempting to add verto event"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:798
+#: ../../src/lib/apputils/net-server.c:759
 #, c-format
 msgid "Cannot create RPC service: %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:808
+#: ../../src/lib/apputils/net-server.c:769
 #, c-format
 msgid "Cannot register RPC service: %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:855
+#: ../../src/lib/apputils/net-server.c:813
 msgid "No addresses added to the net server"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:874
+#: ../../src/lib/apputils/net-server.c:832
 #, c-format
 msgid "Failed getting address info (for %s): %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:904
+#: ../../src/lib/apputils/net-server.c:862
 #, c-format
 msgid "Failed setting up a %s socket (for %s)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:951
+#: ../../src/lib/apputils/net-server.c:903
 msgid "setting up network..."
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:954
+#: ../../src/lib/apputils/net-server.c:906
 msgid "Error setting up network"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:957
+#: ../../src/lib/apputils/net-server.c:909
 #, c-format
 msgid "set up %d sockets"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:960
+#: ../../src/lib/apputils/net-server.c:912
 msgid "no sockets set up?"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1021
-#: ../../src/lib/apputils/net-server.c:1075
+#: ../../src/lib/apputils/net-server.c:975
+#: ../../src/lib/apputils/net-server.c:1029
 msgid "while dispatching (udp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1050
+#: ../../src/lib/apputils/net-server.c:1004
 #, c-format
 msgid "while sending reply to %s/%s from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1055
+#: ../../src/lib/apputils/net-server.c:1009
 #, c-format
 msgid "short reply write %d vs %d\n"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1100
+#: ../../src/lib/apputils/net-server.c:1054
 msgid "while receiving from network"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1116
+#: ../../src/lib/apputils/net-server.c:1070
 #, c-format
 msgid "pktinfo says local addr is %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1149
+#: ../../src/lib/apputils/net-server.c:1108
 msgid "too many connections"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1172
+#: ../../src/lib/apputils/net-server.c:1131
 #, c-format
 msgid "dropping %s fd %d from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1250
+#: ../../src/lib/apputils/net-server.c:1205
 #, c-format
 msgid "allocating buffer for new TCP session from %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1280
+#: ../../src/lib/apputils/net-server.c:1237
 msgid "while dispatching (tcp)"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1312
+#: ../../src/lib/apputils/net-server.c:1269
 msgid "error allocating tcp dispatch private!"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1359
+#: ../../src/lib/apputils/net-server.c:1316
 #, c-format
 msgid "TCP client %s wants %lu bytes, cap is %lu"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1367
+#: ../../src/lib/apputils/net-server.c:1324
 #, c-format
 msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
 msgstr ""
 
-#: ../../src/lib/apputils/net-server.c:1551
+#: ../../src/lib/apputils/net-server.c:1363
+#, c-format
+msgid "getsockname failed: %s"
+msgstr ""
+
+#: ../../src/lib/apputils/net-server.c:1507
 #, c-format
 msgid "accepted RPC connection on socket %d from %s"
 msgstr ""
@@ -4171,31 +4237,6 @@ msgstr ""
 msgid "Password may not match principal name"
 msgstr ""
 
-#: ../../src/lib/kadm5/srv/server_acl.c:90
-#, c-format
-msgid "%s: line %d too long, truncated"
-msgstr ""
-
-#: ../../src/lib/kadm5/srv/server_acl.c:91
-#, c-format
-msgid "Unrecognized ACL operation '%c' in %s"
-msgstr ""
-
-#: ../../src/lib/kadm5/srv/server_acl.c:93
-#, c-format
-msgid "%s: syntax error at line %d <%10s...>"
-msgstr ""
-
-#: ../../src/lib/kadm5/srv/server_acl.c:95
-#, c-format
-msgid "%s while opening ACL file %s"
-msgstr ""
-
-#: ../../src/lib/kadm5/srv/server_acl.c:345
-#, c-format
-msgid "%s: invalid restrictions: %s"
-msgstr ""
-
 #: ../../src/lib/kadm5/srv/server_kdb.c:195
 msgid "History entry contains no key data"
 msgstr ""
@@ -4209,36 +4250,36 @@ msgstr ""
 msgid "No default realm set; cannot initialize KDB"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:373
+#: ../../src/lib/kdb/kdb5.c:368
 #, c-format
 msgid "Unable to find requested database type: %s"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:453 ../lib/krb5/error_tables/kdb5_err.c:55
+#: ../../src/lib/kdb/kdb5.c:448 ../lib/krb5/error_tables/kdb5_err.c:55
 msgid "Unable to find requested database type"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:461
+#: ../../src/lib/kdb/kdb5.c:456
 msgid "plugin symbol 'kdb_function_table' lookup failed"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:469
+#: ../../src/lib/kdb/kdb5.c:464
 #, c-format
 msgid ""
 "Unable to load requested database module '%s': plugin symbol "
 "'kdb_function_table' not found"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:607
+#: ../../src/lib/kdb/kdb5.c:602
 msgid "Cannot initialize database library"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1766
+#: ../../src/lib/kdb/kdb5.c:1762
 #, c-format
 msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
 msgstr ""
 
-#: ../../src/lib/kdb/kdb5.c:1938
+#: ../../src/lib/kdb/kdb5.c:1934
 #, c-format
 msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
 msgstr ""
@@ -4326,26 +4367,26 @@ msgstr ""
 msgid "Can't find client principal %s in cache collection"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cccursor.c:284
+#: ../../src/lib/krb5/ccache/cccursor.c:293
 msgid "No Kerberos credentials available"
 msgstr ""
 
-#: ../../src/lib/krb5/ccache/cccursor.c:290
+#: ../../src/lib/krb5/ccache/cccursor.c:299
 #, c-format
 msgid "No Kerberos credentials available (default cache: %s)"
 msgstr ""
 
-#: ../../src/lib/krb5/keytab/kt_file.c:404
+#: ../../src/lib/krb5/keytab/kt_file.c:406
 #, c-format
 msgid "No key table entry found for %s"
 msgstr ""
 
-#: ../../src/lib/krb5/keytab/kt_file.c:821
-#: ../../src/lib/krb5/keytab/kt_file.c:854
+#: ../../src/lib/krb5/keytab/kt_file.c:823
+#: ../../src/lib/krb5/keytab/kt_file.c:856
 msgid "Cannot change keytab with keytab iterators active"
 msgstr ""
 
-#: ../../src/lib/krb5/keytab/kt_file.c:1044
+#: ../../src/lib/krb5/keytab/kt_file.c:1046
 #, c-format
 msgid "Key table file '%s' not found"
 msgstr ""
@@ -4456,15 +4497,15 @@ msgstr ""
 msgid "Server %s not found in Kerberos database"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:220
+#: ../../src/lib/krb5/krb/get_in_tkt.c:202
 msgid "Reply has wrong form of session key for anonymous request"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:1658
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1682
 msgid "Failed to store credentials"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/get_in_tkt.c:1743
+#: ../../src/lib/krb5/krb/get_in_tkt.c:1771
 #, c-format
 msgid "Client '%s' not found in Kerberos database"
 msgstr ""
@@ -4518,25 +4559,29 @@ msgstr ""
 msgid "Principal %s has realm present"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/plugin.c:166
+#: ../../src/lib/krb5/krb/plugin.c:169
 #, c-format
 msgid "Invalid module specifier %s"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/plugin.c:403
+#: ../../src/lib/krb5/krb/plugin.c:406
 #, c-format
 msgid "Could not find %s plugin module named '%s'"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth2.c:644
+#: ../../src/lib/krb5/krb/preauth2.c:319
+msgid "krb5_init_creds calls must use same library context"
+msgstr ""
+
+#: ../../src/lib/krb5/krb/preauth2.c:716
 msgid "Pre-authentication failed"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth2.c:1016
+#: ../../src/lib/krb5/krb/preauth2.c:1097
 msgid "Unable to initialize preauth context"
 msgstr ""
 
-#: ../../src/lib/krb5/krb/preauth2.c:1029
+#: ../../src/lib/krb5/krb/preauth2.c:1110
 #, c-format
 msgid "Preauth module %s"
 msgstr ""
@@ -4693,7 +4738,7 @@ msgstr ""
 msgid "variable missing }"
 msgstr ""
 
-#: ../../src/lib/krb5/os/locate_kdc.c:819
+#: ../../src/lib/krb5/os/locate_kdc.c:822
 #, c-format
 msgid "Cannot find KDC for realm \"%.*s\""
 msgstr ""
@@ -5374,127 +5419,131 @@ msgstr ""
 msgid "Error reading container object"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:775
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4337
-msgid "Pass phrase for"
-msgstr ""
-
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:502
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:498
 #, c-format
 msgid "%s: %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:532
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:528
 #, c-format
 msgid "%s (depth %d): %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1105
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1115
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:771
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4318
+msgid "Pass phrase for"
+msgstr ""
+
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1101
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1111
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1378
 #: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1388
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1398
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1941
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1929
 msgid "Failed to DER encode PKCS7"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1206
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1202
 msgid "Failed to verify own certificate"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1372
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1362
 msgid "Failed to add digest attribute"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1502
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1490
 msgid "Failed to decode CMS message"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1520
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1508
 msgid "Invalid pkinit packet: octet string expected"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1538
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1526
 msgid "wrong oid\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1690
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1678
 msgid "Failed to verify received certificate"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1728
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1716
 msgid "Failed to verify CMS message"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1916
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1904
 msgid "Failed to encrypt PKCS7 object"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1991
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1979
 msgid "Failed to decode PKCS7"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2008
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1996
 msgid "Failed to decrypt PKCS7 message"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4457
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4438
 #, c-format
 msgid "Cannot read certificate file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4464
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4445
 #, c-format
 msgid "Cannot read key file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5454
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5341
 #, c-format
 msgid "Cannot open file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5461
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5348
 #, c-format
 msgid "Cannot read file '%s'"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6136
+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6023
 #, c-format
 msgid "unknown code 0x%x"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:410
 #, c-format
 msgid "Unsupported type while processing '%s'\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:444
 msgid "Internal error parsing X509_user_identity\n"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560
+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:535
 msgid "No user identity options specified"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:415
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:523
 msgid "Pkinit request not signed, but client not anonymous."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:453
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:561
 msgid "Anonymous pkinit without DH public value not supported."
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1162
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1270
 #, c-format
 msgid "No pkinit_identity supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1173
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1281
 #, c-format
 msgid "No pkinit_anchors supplied for realm %s"
 msgstr ""
 
-#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1364
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1301
+#, c-format
+msgid "OCSP is not supported: (realm: %s)"
+msgstr ""
+
+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1698
 msgid "No realms configured correctly for pkinit support"
 msgstr ""
 
@@ -5511,627 +5560,632 @@ msgstr ""
 msgid "Database propagation to %s: SUCCEEDED\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:197
+#: ../../src/slave/kprop.c:175
 msgid "while setting client principal name"
 msgstr ""
 
-#: ../../src/slave/kprop.c:206
+#: ../../src/slave/kprop.c:184
 msgid "while setting server principal name"
 msgstr ""
 
-#: ../../src/slave/kprop.c:219
+#: ../../src/slave/kprop.c:197
 msgid "while resolving keytab"
 msgstr ""
 
-#: ../../src/slave/kprop.c:227
+#: ../../src/slave/kprop.c:205
 msgid "while getting initial credentials\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:263
+#: ../../src/slave/kprop.c:241
 msgid "while creating socket"
 msgstr ""
 
-#: ../../src/slave/kprop.c:279
+#: ../../src/slave/kprop.c:257
 msgid "while converting server address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:289
+#: ../../src/slave/kprop.c:267
 msgid "while connecting to server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:296 ../../src/slave/kpropd.c:1204
+#: ../../src/slave/kprop.c:274 ../../src/slave/kpropd.c:1199
 msgid "while getting local socket address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:301
+#: ../../src/slave/kprop.c:279
 msgid "while converting local address"
 msgstr ""
 
-#: ../../src/slave/kprop.c:324
+#: ../../src/slave/kprop.c:302
 msgid "in krb5_auth_con_setaddrs"
 msgstr ""
 
-#: ../../src/slave/kprop.c:332
+#: ../../src/slave/kprop.c:310
 msgid "while authenticating to server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:336 ../../src/slave/kprop.c:535
-#: ../../src/slave/kpropd.c:1510
+#: ../../src/slave/kprop.c:314 ../../src/slave/kprop.c:513
+#: ../../src/slave/kpropd.c:1505
 #, c-format
 msgid "Generic remote error: %s\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:342 ../../src/slave/kprop.c:541
+#: ../../src/slave/kprop.c:320 ../../src/slave/kprop.c:519
 msgid "signalled from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:344 ../../src/slave/kprop.c:543
+#: ../../src/slave/kprop.c:322 ../../src/slave/kprop.c:521
 #, c-format
 msgid "Error text from server: %s\n"
 msgstr ""
 
-#: ../../src/slave/kprop.c:372
+#: ../../src/slave/kprop.c:350
 #, c-format
 msgid "allocating database file name '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:378
+#: ../../src/slave/kprop.c:356
 #, c-format
 msgid "while trying to open %s"
 msgstr ""
 
-#: ../../src/slave/kprop.c:385
+#: ../../src/slave/kprop.c:363
 msgid "database locked"
 msgstr ""
 
-#: ../../src/slave/kprop.c:388 ../../src/slave/kpropd.c:529
+#: ../../src/slave/kprop.c:366 ../../src/slave/kpropd.c:552
 #, c-format
 msgid "while trying to lock '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:392 ../../src/slave/kprop.c:400
+#: ../../src/slave/kprop.c:370 ../../src/slave/kprop.c:378
 #, c-format
 msgid "while trying to stat %s"
 msgstr ""
 
-#: ../../src/slave/kprop.c:396
+#: ../../src/slave/kprop.c:374
 msgid "while trying to malloc data_ok_fn"
 msgstr ""
 
-#: ../../src/slave/kprop.c:405
+#: ../../src/slave/kprop.c:383
 #, c-format
 msgid "'%s' more recent than '%s'."
 msgstr ""
 
-#: ../../src/slave/kprop.c:421
+#: ../../src/slave/kprop.c:399
 #, c-format
 msgid "while unlocking database '%s'"
 msgstr ""
 
-#: ../../src/slave/kprop.c:454 ../../src/slave/kprop.c:455
+#: ../../src/slave/kprop.c:432 ../../src/slave/kprop.c:433
 msgid "while encoding database size"
 msgstr ""
 
-#: ../../src/slave/kprop.c:463
+#: ../../src/slave/kprop.c:441
 msgid "while sending database size"
 msgstr ""
 
-#: ../../src/slave/kprop.c:473
+#: ../../src/slave/kprop.c:451
 msgid "while allocating i_vector"
 msgstr ""
 
-#: ../../src/slave/kprop.c:496
+#: ../../src/slave/kprop.c:474
 #, c-format
 msgid "while sending database block starting at %d"
 msgstr ""
 
-#: ../../src/slave/kprop.c:506
+#: ../../src/slave/kprop.c:484
 msgid "Premature EOF found for database file!"
 msgstr ""
 
-#: ../../src/slave/kprop.c:519
+#: ../../src/slave/kprop.c:497
 msgid "while reading response from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:530
+#: ../../src/slave/kprop.c:508
 msgid "while decoding error response from server"
 msgstr ""
 
-#: ../../src/slave/kprop.c:561
+#: ../../src/slave/kprop.c:539
 #, c-format
 msgid "Kpropd sent database size %d, expecting %d"
 msgstr ""
 
-#: ../../src/slave/kprop.c:606
+#: ../../src/slave/kprop.c:584
 msgid "while allocating filename for update_last_prop_file"
 msgstr ""
 
-#: ../../src/slave/kprop.c:611
+#: ../../src/slave/kprop.c:589
 #, c-format
 msgid "while creating 'last_prop' file, '%s'"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:170
+#: ../../src/slave/kpropd.c:171
 #, c-format
 msgid ""
 "\n"
 "Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:172
+#: ../../src/slave/kpropd.c:173
 #, c-format
 msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:173
+#: ../../src/slave/kpropd.c:174
 #, c-format
 msgid "\t[-x db_args]* [-P port] [-a acl_file]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:174
+#: ../../src/slave/kpropd.c:175
 #, c-format
-msgid "\t[-A admin_server]\n"
+msgid "\t[-A admin_server] [--pid-file=pid_file]\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:215
+#: ../../src/slave/kpropd.c:231
 #, c-format
 msgid "Killing fullprop child (%d)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:244
+#: ../../src/slave/kpropd.c:260
 msgid "while checking if stdin is a socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:262
+#: ../../src/slave/kpropd.c:278
 #, c-format
 msgid "ready\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:272
+#: ../../src/slave/kpropd.c:284
+#, c-format
+msgid "Could not write pid file %s: %s"
+msgstr ""
+
+#: ../../src/slave/kpropd.c:296
 #, c-format
 msgid "Could not open /dev/null: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:279
+#: ../../src/slave/kpropd.c:303
 #, c-format
 msgid "Could not dup the inetd socket: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327
+#: ../../src/slave/kpropd.c:338 ../../src/slave/kpropd.c:351
 msgid "do_iprop failed.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:366
+#: ../../src/slave/kpropd.c:390
 #, c-format
 msgid "getaddrinfo: %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:372
+#: ../../src/slave/kpropd.c:396
 msgid "while obtaining socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:378
+#: ../../src/slave/kpropd.c:402
 msgid "while setting SO_REUSEADDR option"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:386
+#: ../../src/slave/kpropd.c:410
 msgid "while unsetting IPV6_V6ONLY option"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:391
+#: ../../src/slave/kpropd.c:415
 msgid "while binding listener socket"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:402
+#: ../../src/slave/kpropd.c:426
 #, c-format
 msgid "waiting for a kprop connection\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:408
+#: ../../src/slave/kpropd.c:432
 msgid "while accepting connection"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:414
+#: ../../src/slave/kpropd.c:438
 msgid "while forking"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:429
+#: ../../src/slave/kpropd.c:453
 #, c-format
 msgid "waitpid() failed to wait for doit() (%d %s)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:433
+#: ../../src/slave/kpropd.c:457
 msgid "while waiting to receive database"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:437
+#: ../../src/slave/kpropd.c:461
 #, c-format
 msgid "Database load process for full propagation completed.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:475
+#: ../../src/slave/kpropd.c:499
 #, c-format
 msgid ""
 "%s: Standard input does not appear to be a network socket.\n"
 "\t(Not run from inetd, and missing the -S option?)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:489
+#: ../../src/slave/kpropd.c:512
 msgid "while attempting setsockopt (SO_KEEPALIVE)"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:494
+#: ../../src/slave/kpropd.c:517
 #, c-format
 msgid "Connection from %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:514
+#: ../../src/slave/kpropd.c:537
 #, c-format
 msgid "Rejected connection from unauthorized principal %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:518
+#: ../../src/slave/kpropd.c:541
 #, c-format
 msgid "Rejected connection from unauthorized principal %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:535
+#: ../../src/slave/kpropd.c:558
 #, c-format
 msgid "while opening database file, '%s'"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:541
+#: ../../src/slave/kpropd.c:564
 #, c-format
 msgid "while renaming %s to %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:547
+#: ../../src/slave/kpropd.c:570
 #, c-format
 msgid "while downgrading lock on '%s'"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:554
+#: ../../src/slave/kpropd.c:577
 #, c-format
 msgid "while unlocking '%s'"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:566
+#: ../../src/slave/kpropd.c:589
 msgid "while sending # of received bytes"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:572
+#: ../../src/slave/kpropd.c:595
 msgid "while trying to close database file"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:628
+#: ../../src/slave/kpropd.c:650
 #, c-format
 msgid "Incremental propagation enabled\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:639
+#: ../../src/slave/kpropd.c:661
 #, c-format
 msgid "%s: unable to get kiprop host based service name for realm %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:650
+#: ../../src/slave/kpropd.c:672
 msgid "while trying to construct host service principal"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:669
+#: ../../src/slave/kpropd.c:691
 #, c-format
 msgid "Initializing kadm5 as client %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:683
+#: ../../src/slave/kpropd.c:705
 #, c-format
 msgid "kadm5 initialization failed!\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:692
+#: ../../src/slave/kpropd.c:714
 msgid "while attempting to connect to master KDC ... retrying"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:696
+#: ../../src/slave/kpropd.c:718
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:712
+#: ../../src/slave/kpropd.c:734
 #, c-format
 msgid "while initializing %s interface, retrying"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:716
+#: ../../src/slave/kpropd.c:738
 #, c-format
 msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:726
+#: ../../src/slave/kpropd.c:748
 #, c-format
 msgid "kadm5 initialization succeeded\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:748
+#: ../../src/slave/kpropd.c:770
 msgid "reading update log header"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:759
+#: ../../src/slave/kpropd.c:781
 #, c-format
 msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:769
+#: ../../src/slave/kpropd.c:791
 msgid "iprop_get_updates call failed"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:775
+#: ../../src/slave/kpropd.c:797
 #, c-format
 msgid "Reinitializing iprop because get updates failed\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:796
+#: ../../src/slave/kpropd.c:818
 #, c-format
 msgid "Still waiting for full resync\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:801
+#: ../../src/slave/kpropd.c:823
 #, c-format
 msgid "Full resync needed\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:802
+#: ../../src/slave/kpropd.c:824
 msgid "kpropd: Full resync needed."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:807
+#: ../../src/slave/kpropd.c:829
 msgid "iprop_full_resync call failed"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:818
+#: ../../src/slave/kpropd.c:840
 #, c-format
 msgid "Full resync request granted\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:819
+#: ../../src/slave/kpropd.c:841
 msgid "Full resync request granted."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:828
+#: ../../src/slave/kpropd.c:850
 #, c-format
 msgid "Exponential backoff\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:834
+#: ../../src/slave/kpropd.c:856
 #, c-format
 msgid "Full resync permission denied\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:835
+#: ../../src/slave/kpropd.c:857
 msgid "Full resync, permission denied."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:840
+#: ../../src/slave/kpropd.c:862
 #, c-format
 msgid "Full resync error from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:841
+#: ../../src/slave/kpropd.c:863
 msgid " Full resync, error returned from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:849
+#: ../../src/slave/kpropd.c:871
 #, c-format
 msgid "Full resync invalid result from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:851
+#: ../../src/slave/kpropd.c:873
 msgid "Full resync, invalid return from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:867
+#: ../../src/slave/kpropd.c:889
 #, c-format
 msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:879
+#: ../../src/slave/kpropd.c:901
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:882
+#: ../../src/slave/kpropd.c:904
 #, c-format
 msgid "ulog_replay failed (%s), updates not registered."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:891
+#: ../../src/slave/kpropd.c:913
 #, c-format
 msgid "Incremental updates: %d updates / %lu us"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:894
+#: ../../src/slave/kpropd.c:916
 #, c-format
 msgid "Incremental updates: %d updates / %lu us\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:902
+#: ../../src/slave/kpropd.c:924
 #, c-format
 msgid "get_updates permission denied\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:903
+#: ../../src/slave/kpropd.c:925
 msgid "get_updates, permission denied."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:908
+#: ../../src/slave/kpropd.c:930
 #, c-format
 msgid "get_updates error from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:909
+#: ../../src/slave/kpropd.c:931
 msgid "get_updates, error returned from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:917
+#: ../../src/slave/kpropd.c:939
 #, c-format
 msgid "get_updates master busy; backoff\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:926
+#: ../../src/slave/kpropd.c:948
 #, c-format
 msgid "KDC is synchronized with master.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:934
+#: ../../src/slave/kpropd.c:956
 #, c-format
 msgid "get_updates invalid result from master\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:935
+#: ../../src/slave/kpropd.c:957
 msgid "get_updates, invalid return from master KDC."
 msgstr ""
 
-#: ../../src/slave/kpropd.c:950
+#: ../../src/slave/kpropd.c:972
 #, c-format
 msgid "Busy signal received from master, backoff for %d secs\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:957
+#: ../../src/slave/kpropd.c:979
 #, c-format
 msgid "Waiting for %d seconds before checking for updates again\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:968
+#: ../../src/slave/kpropd.c:990
 #, c-format
 msgid "ERROR returned by master, bailing\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:969
+#: ../../src/slave/kpropd.c:991
 msgid "ERROR returned by master KDC, bailing.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1113
+#: ../../src/slave/kpropd.c:1108
 msgid "copying db args"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1138
+#: ../../src/slave/kpropd.c:1133
 msgid "Unable to get default realm"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1145
+#: ../../src/slave/kpropd.c:1140
 msgid "Unable to set default realm"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1155
+#: ../../src/slave/kpropd.c:1150
 msgid "while trying to construct my service name"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1162
+#: ../../src/slave/kpropd.c:1157
 msgid "while allocating filename for temp file"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1170
+#: ../../src/slave/kpropd.c:1165
 msgid "while initializing"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1178
+#: ../../src/slave/kpropd.c:1173
 msgid "Unable to map log!\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1224
+#: ../../src/slave/kpropd.c:1219
 #, c-format
 msgid "Error in krb5_auth_con_ini: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1232
+#: ../../src/slave/kpropd.c:1227
 #, c-format
 msgid "Error in krb5_auth_con_setflags: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1240
+#: ../../src/slave/kpropd.c:1235
 #, c-format
 msgid "Error in krb5_auth_con_setaddrs: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1248
+#: ../../src/slave/kpropd.c:1243
 #, c-format
 msgid "Error in krb5_kt_resolve: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1257
+#: ../../src/slave/kpropd.c:1252
 #, c-format
 msgid "Error in krb5_recvauth: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1264
+#: ../../src/slave/kpropd.c:1259
 #, c-format
 msgid "Error in krb5_copy_prinicpal: %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1280
+#: ../../src/slave/kpropd.c:1275
 msgid "while unparsing ticket etype"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1284
+#: ../../src/slave/kpropd.c:1279
 #, c-format
 msgid "authenticated client: %s (etype == %s)\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1363
+#: ../../src/slave/kpropd.c:1358
 msgid "while reading size of database from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1373
+#: ../../src/slave/kpropd.c:1368
 msgid "while decoding database size from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1386
+#: ../../src/slave/kpropd.c:1381
 msgid "while initializing i_vector"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1391
+#: ../../src/slave/kpropd.c:1386
 #, c-format
 msgid "Full propagation transfer started.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1444
+#: ../../src/slave/kpropd.c:1439
 #, c-format
 msgid "Full propagation transfer finished.\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1505
+#: ../../src/slave/kpropd.c:1500
 msgid "while decoding error packet from client"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1514
+#: ../../src/slave/kpropd.c:1509
 msgid "signaled from server"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1516
+#: ../../src/slave/kpropd.c:1511
 #, c-format
 msgid "Error text from client: %s\n"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1565
+#: ../../src/slave/kpropd.c:1560
 #, c-format
 msgid "while trying to fork %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1569
+#: ../../src/slave/kpropd.c:1564
 #, c-format
 msgid "while trying to exec %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1576
+#: ../../src/slave/kpropd.c:1571
 #, c-format
 msgid "while waiting for %s"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1582
+#: ../../src/slave/kpropd.c:1577
 #, c-format
 msgid "%s load terminated"
 msgstr ""
 
-#: ../../src/slave/kpropd.c:1588
+#: ../../src/slave/kpropd.c:1583
 #, c-format
 msgid "%s returned a bad exit status (%d)"
 msgstr ""
@@ -6989,6 +7043,10 @@ msgstr ""
 msgid "Principal keys are locked down"
 msgstr ""
 
+#: ../lib/kadm5/kadm_err.c:85
+msgid "Operation requires initial ticket"
+msgstr ""
+
 #: ../lib/kdb/adb_err.c:23
 msgid "No Error"
 msgstr ""
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index 5bff5de2c979..51799dcc7d4d 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -121,56 +121,34 @@ main(int argc, char **argv)
 static void
 parse_args(krb5_context context, int argc, char **argv)
 {
-    char *word, ch;
+    int c;
     krb5_error_code ret;
 
-    progname = *argv++;
-    while (--argc && (word = *argv++) != NULL) {
-        if (*word != '-') {
-            if (slave_host != NULL)
-                usage();
-            else
-                slave_host = word;
-            continue;
-        }
-        word++;
-        while (word != NULL && (ch = *word++) != '\0') {
-            switch (ch) {
-            case 'r':
-                realm = (*word != '\0') ? word : *argv++;
-                if (realm == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'f':
-                file = (*word != '\0') ? word : *argv++;
-                if (file == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'd':
-                debug++;
-                break;
-            case 'P':
-                port = (*word != '\0') ? word : *argv++;
-                if (port == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 's':
-                srvtab = (*word != '\0') ? word : *argv++;
-                if (srvtab == NULL)
-                    usage();
-                word = NULL;
-                break;
-            default:
-                usage();
-            }
-
+    progname = argv[0];
+    while ((c = getopt(argc, argv, "r:f:dP:s:")) != -1) {
+        switch (c) {
+        case 'r':
+            realm = optarg;
+            break;
+        case 'f':
+            file = optarg;
+            break;
+        case 'd':
+            debug++;
+            break;
+        case 'P':
+            port = optarg;
+            break;
+        case 's':
+            srvtab = optarg;
+            break;
+        default:
+            usage();
         }
     }
-    if (slave_host == NULL)
+    if (argc - optind != 1)
         usage();
+    slave_host = argv[optind];
 
     if (realm == NULL) {
         ret = krb5_get_default_realm(context, &def_realm);
diff --git a/src/slave/kprop_util.c b/src/slave/kprop_util.c
index f182554e6171..7e1ec229d040 100644
--- a/src/slave/kprop_util.c
+++ b/src/slave/kprop_util.c
@@ -45,12 +45,12 @@ sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa,
 
     addr.magic = KV5M_ADDRESS;
     if (family == AF_INET) {
-        struct sockaddr_in *sa4 = (struct sockaddr_in *) sa;
+        struct sockaddr_in *sa4 = sa2sin(sa);
         addr.addrtype = ADDRTYPE_INET;
         addr.length = sizeof(sa4->sin_addr);
         addr.contents = (krb5_octet *) &sa4->sin_addr;
     } else if (family == AF_INET6) {
-        struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) sa;
+        struct sockaddr_in6 *sa6 = sa2sin6(sa);
         if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
             addr.addrtype = ADDRTYPE_INET;
             addr.contents = (krb5_octet *) &sa6->sin6_addr + 12;
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index 056c31a42f2f..d621f108f3fa 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -119,6 +119,7 @@ static int debug = 0;
 static int nodaemon = 0;
 static char *srvtab = NULL;
 static int standalone = 0;
+static const char *pid_file = NULL;
 
 static pid_t fullprop_child = (pid_t)-1;
 
@@ -141,7 +142,7 @@ static const char *port = KPROP_SERVICE;
 static char **db_args = NULL;
 static int db_args_size = 0;
 
-static void parse_args(char **argv);
+static void parse_args(int argc, char **argv);
 static void do_standalone(void);
 static void doit(int fd);
 static krb5_error_code do_iprop(void);
@@ -171,10 +172,25 @@ usage()
             progname);
     fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"));
     fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n"));
-    fprintf(stderr, _("\t[-A admin_server]\n"));
+    fprintf(stderr, _("\t[-A admin_server] [--pid-file=pid_file]\n"));
     exit(1);
 }
 
+static krb5_error_code
+write_pid_file(const char *path)
+{
+    FILE *fp;
+    unsigned long pid;
+
+    fp = fopen(path, "w");
+    if (fp == NULL)
+        return errno;
+    pid = (unsigned long)getpid();
+    if (fprintf(fp, "%ld\n", pid) < 0 || fclose(fp) == EOF)
+        return errno;
+    return 0;
+}
+
 typedef void (*sig_handler_fn)(int sig);
 
 static void
@@ -238,7 +254,7 @@ main(int argc, char **argv)
     struct stat st;
 
     setlocale(LC_ALL, "");
-    parse_args(argv);
+    parse_args(argc, argv);
 
     if (fstat(0, &st) == -1) {
         com_err(progname, errno, _("while checking if stdin is a socket"));
@@ -262,6 +278,14 @@ main(int argc, char **argv)
             printf(_("ready\n"));
             fflush(stdout);
         }
+        if (pid_file != NULL) {
+            retval = write_pid_file(pid_file);
+            if (retval) {
+                syslog(LOG_ERR, _("Could not write pid file %s: %s"),
+                       pid_file, strerror(errno));
+                exit(1);
+            }
+        }
     } else {
         /*
          * We're an inetd nowait service.  Let's not risk anything
@@ -483,8 +507,7 @@ doit(int fd)
         perror("getpeername");
         exit(1);
     }
-    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (caddr_t) &on,
-                   sizeof(on)) < 0) {
+    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) {
         com_err(progname, errno,
                 _("while attempting setsockopt (SO_KEEPALIVE)"));
     }
@@ -589,13 +612,12 @@ full_resync(CLIENT *clnt)
     memset(&clnt_res, 0, sizeof(clnt_res));
 
     status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32,
-                       (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
-                       (caddr_t)&clnt_res, full_resync_timeout);
+                       &vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
+                       &clnt_res, full_resync_timeout);
     if (status == RPC_PROCUNAVAIL) {
         status = clnt_call(clnt, IPROP_FULL_RESYNC, (xdrproc_t)xdr_void,
-                           (caddr_t *)&vers,
-                           (xdrproc_t)xdr_kdb_fullresync_result_t,
-                           (caddr_t)&clnt_res, full_resync_timeout);
+                           &vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
+                           &clnt_res, full_resync_timeout);
     }
 
     return (status == RPC_SUCCESS) ? &clnt_res : NULL;
@@ -1017,10 +1039,15 @@ kpropd_com_err_proc(const char *whoami, long code, const char *fmt,
 }
 
 static void
-parse_args(char **argv)
+parse_args(int argc, char **argv)
 {
-    char **newargs, *word, ch;
+    char **newargs;
+    int c;
     krb5_error_code retval;
+    enum { PID_FILE = 256 };
+    struct option long_options[] = {
+        { "pid-file", 1, NULL, PID_FILE },
+    };
 
     memset(&params, 0, sizeof(params));
 
@@ -1032,101 +1059,69 @@ parse_args(char **argv)
         exit(1);
     }
 
-    progname = *argv++;
-    while ((word = *argv++) != NULL) {
-        /* We don't take any arguments, only options */
-        if (*word != '-')
-            usage();
-
-        word++;
-        while (word != NULL && (ch = *word++) != '\0') {
-            switch (ch) {
-            case 'A':
-                params.mask |= KADM5_CONFIG_ADMIN_SERVER;
-                params.admin_server = (*word != '\0') ? word : *argv++;
-                if (params.admin_server == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'f':
-                file = (*word != '\0') ? word : *argv++;
-                if (file == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'F':
-                kerb_database = (*word != '\0') ? word : *argv++;
-                if (kerb_database == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'p':
-                kdb5_util = (*word != '\0') ? word : *argv++;
-                if (kdb5_util == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'P':
-                port = (*word != '\0') ? word : *argv++;
-                if (port == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'r':
-                realm = (*word != '\0') ? word : *argv++;
-                if (realm == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 's':
-                srvtab = (*word != '\0') ? word : *argv++;
-                if (srvtab == NULL)
-                    usage();
-                word = NULL;
-                break;
-            case 'D':
-                nodaemon++;
-                break;
-            case 'd':
-                debug++;
-                break;
-            case 'S':
-                /* Standalone mode is now auto-detected; see main(). */
-                break;
-            case 'a':
-                acl_file_name = (*word != '\0') ? word : *argv++;
-                if (acl_file_name == NULL)
-                    usage();
-                word = NULL;
-                break;
-
-            case 't':
-                /* Undocumented option - for testing only.  Run the kpropd
-                 * server exactly once. */
-                runonce = 1;
-                break;
-
-            case 'x':
-                newargs = realloc(db_args,
-                                  (db_args_size + 2) * sizeof(*db_args));
-                if (newargs == NULL) {
-                    com_err(argv[0], errno, _("copying db args"));
-                    exit(1);
-                }
-                db_args = newargs;
-                db_args[db_args_size] = (*word != '\0') ? word : *argv++;
-                if (db_args[db_args_size] == NULL)
-                    usage();
-                word = NULL;
-                db_args[db_args_size + 1] = NULL;
-                db_args_size++;
-                break;
-
-            default:
-                usage();
+    progname = argv[0];
+    while ((c = getopt_long(argc, argv, "A:f:F:p:P:r:s:DdSa:tx:",
+                            long_options, NULL)) != -1) {
+        switch (c) {
+        case 'A':
+            params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+            params.admin_server = optarg;
+            break;
+        case 'f':
+            file = optarg;
+            break;
+        case 'F':
+            kerb_database = optarg;
+            break;
+        case 'p':
+            kdb5_util = optarg;
+            break;
+        case 'P':
+            port = optarg;
+            break;
+        case 'r':
+            realm = optarg;
+            break;
+        case 's':
+            srvtab = optarg;
+            break;
+        case 'D':
+            nodaemon++;
+            break;
+        case 'd':
+            debug++;
+            break;
+        case 'S':
+            /* Standalone mode is now auto-detected; see main(). */
+            break;
+        case 'a':
+            acl_file_name = optarg;
+            break;
+        case 't':
+            /* Undocumented option - for testing only.  Run the kpropd
+             * server exactly once. */
+            runonce = 1;
+            break;
+        case 'x':
+            newargs = realloc(db_args, (db_args_size + 2) * sizeof(*db_args));
+            if (newargs == NULL) {
+                com_err(argv[0], errno, _("copying db args"));
+                exit(1);
             }
+            db_args = newargs;
+            db_args[db_args_size] = optarg;
+            db_args[db_args_size + 1] = NULL;
+            db_args_size++;
+            break;
+        case PID_FILE:
+            pid_file = optarg;
+            break;
+        default:
+            usage();
         }
     }
+    if (optind != argc)
+        usage();
 
     openlog("kpropd", LOG_PID | LOG_ODELAY, SYSLOG_CLASS);
     if (!debug)
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index b55469146626..67d3e8200e3f 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -6,12 +6,12 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
 RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
 	LC_ALL=C $(VALGRIND)
 
-OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o icred.o \
-	kdbtest.o localauth.o plugorder.o rdreq.o responder.o s2p.o \
-	s4u2proxy.o unlockiter.o
+OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \
+	icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \
+	responder.o s2p.o s4u2proxy.o unlockiter.o
 EXTRADEPSRCS= adata.c etinfo.c forward.c gcred.c hist.c hooks.c hrealm.c \
-	icred.c kdbtest.c localauth.c plugorder.c rdreq.o responder.c s2p.c \
-	s4u2proxy.c unlockiter.c
+	icinterleave.c icred.c kdbtest.c localauth.c plugorder.c rdreq.o \
+	responder.c s2p.c s4u2proxy.c unlockiter.c
 
 TEST_DB = ./testdb
 TEST_REALM = FOO.TEST.REALM
@@ -44,6 +44,9 @@ hooks: hooks.o $(KRB5_BASE_DEPLIBS)
 hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
 
+icinterleave: icinterleave.o $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ icinterleave.o $(KRB5_BASE_LIBS)
+
 icred: icred.o $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o $@ icred.o $(KRB5_BASE_LIBS)
 
@@ -115,8 +118,9 @@ kdb_check: kdc.conf krb5.conf
 	$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
 	$(RM) $(TEST_DB)* stash_file
 
-check-pytests: adata etinfo forward gcred hist hooks hrealm icred kdbtest
-check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
+check-pytests: adata etinfo forward gcred hist hooks hrealm icinterleave icred
+check-pytests: kdbtest localauth plugorder rdreq responder s2p s4u2proxy
+check-pytests: unlockiter
 	$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
@@ -128,6 +132,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
 	$(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_kadm5_auth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_hostrealm.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS)
@@ -167,10 +172,14 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
 	$(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
 
 clean:
-	$(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-	$(RM) localauth plugorder rdreq responder s2p s4u2proxy unlockiter
+	$(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred
+	$(RM) kdbtest localauth plugorder rdreq responder s2p s4u2proxy
+	$(RM) unlockiter
 	$(RM) krb5.conf kdc.conf
 	$(RM) -rf kdc_realm/sandbox ldap
 	$(RM) au.log
diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
index 622f549f9f2e..7c0666601c48 100644
--- a/src/tests/create/kdb5_mkdums.c
+++ b/src/tests/create/kdb5_mkdums.c
@@ -247,7 +247,7 @@ add_princ(context, str_newprinc)
 
     {
         /* Add mod princ to db entry */
-        krb5_int32 now;
+        krb5_timestamp now;
 
         retval = krb5_timeofday(context, &now);
         if (retval) {
diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem
index 55fe02c92773..f7421ba02491 100644
--- a/src/tests/dejagnu/pkinit-certs/ca.pem
+++ b/src/tests/dejagnu/pkinit-certs/ca.pem
@@ -1,29 +1,29 @@
 -----BEGIN CERTIFICATE-----
-MIIE5TCCA82gAwIBAgIJANsFDWp1HgAaMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
-VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp
-ZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJi
-ZXJvcyB0ZXN0IENBMTMwMQYDVQQDFCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8g
-bm90IHVzZSBvdGhlcndpc2UwHhcNMTAwMTA2MTQ1MTI3WhcNMjMwOTE1MTQ1MTI3
-WjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV
-BAcTCUNhbWJyaWRnZTEMMAoGA1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQ
-a2luaXQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3Vp
-dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
-ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
-ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
-5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
-5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
-riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4IBEDCCAQwwHQYDVR0O
-BBYEFFn82RUKgTvkFn0cgwyCQpNeWCxYMIHcBgNVHSMEgdQwgdGAFFn82RUKgTvk
-Fn0cgwyCQpNeWCxYoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
-c2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAn
-BgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQD
-FCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCCQDb
-BQ1qdR4AGjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBVL2Q6Xubs
-gm881cAy6esku17/BSTZur7hCLHTGof1ZKNcCXALjmwNYNC3tl6owqpX8CSdBdsD
-Bw/Vs9p3mqnaVEoZc8uW8zS6LoAQbcqiYdQHdEXMh3ec8uvAfmdlQsIsm5Ux8q8L
-NM6bKnUOqOFOHme+RC4FGOLb8JqnnuQdwyIZaUyQP6hXbw4zyDphfgo1ZlZn20xh
-I555kPfAZKEi/d3WY0oN4k+sfCs9tWRNjmqZfKkH1OqRpjCFGG0b0vY77MFRMuPz
-YtN2iD3plgla7KkUMljp9th/Z8Ok79uA1TNLYKzoBjlAX0vToxfa8rrSNo1dHFKT
-e5Tj7+29DE4I
+MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ
+BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
+cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl
+cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk
+byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId
+S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r
+rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps
+h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU
+OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO
+Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX
+VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp
+9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
+dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ
+bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0
+IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE
+AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY
+/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl
+k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU
+7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4
+Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH
+Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk
+qlhbJdEcjHr2
 -----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12
new file mode 100644
index 000000000000..238baa56bc7b
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/generic.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem
new file mode 100644
index 000000000000..706c2f341c87
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/generic.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD
+VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM
+A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex
+MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy
+d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT
+AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP
+TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7
+Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W
+ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP
+XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo
+pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y
+2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ
+6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0
+FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl
+HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee
+8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y
+lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO
+ebOF6zAD73Bpkw==
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem
index 5575ab579a33..4eb811debabf 100644
--- a/src/tests/dejagnu/pkinit-certs/kdc.pem
+++ b/src/tests/dejagnu/pkinit-certs/kdc.pem
@@ -1,25 +1,29 @@
 -----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCVVMx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
-A1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQa2luaXQgS2VyYmVyb3MgdGVz
-dCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-b3RoZXJ3aXNlMB4XDTEwMDEwNjE0NTgwOFoXDTIzMDkxNTE0NTgwOFowSjELMAkG
-A1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxFTATBgNVBAoTDEtSQlRF
-U1QuQ09NIDEMMAoGA1UECxMDS0RDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmnZejPSKdN
-MyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6KueerevR3
-pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY75NbXGIE4
-88iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc5dBSqBwV
-cjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOWriIRmsqq
-81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4HEMIHBMAkGA1UdEwQCMAAwCwYD
-VR0PBAQDAgPoMBIGA1UdJQQLMAkGBysGAQUCAwUwHQYDVR0OBBYEFFn82RUKgTvk
-Fn0cgwyCQpNeWCxYMB8GA1UdIwQYMBaAFFn82RUKgTvkFn0cgwyCQpNeWCxYMAkG
-A1UdEgQCMAAwSAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC0tSQlRFU1QuQ09N
-oSAwHqADAgEBoRcwFRsGa3JidGd0GwtLUkJURVNULkNPTTANBgkqhkiG9w0BAQUF
-AAOCAQEAP0byILHLWPyGlv/1HN34DfIpLdVkgGar2yceMtZ2v/7UjeA5PlZc8DFM
-20bTq/vIN0eWDTPLI57e+MzQTMxs2UHsic4su0m5DG0cvQTsBXRK51CW/qUF+4n0
-qSEORULiDF6LNoo8akoLukNBhzBh+aqYt4aB46hhsmDmNZTDP1CXsNGHQI9/L52l
-oqpUGx8tBpKIFos95PSajXrQn2u66rSMMi4aawitM2igurHPDMbC+XvEYMtXpOS5
-3PEzXEYiSV3TWLTzIE9ytswHeZyHCbp7XHx0LVZFxzqtIe4qmwJJOGhlbH21Izr4
-feF5h5e2ZrOVREY4cKkJmJhEwsqBVA==
+MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi
+HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u
+K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6
+bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6
+VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i
+jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg
+V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC
+qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl
+dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg
+SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p
+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E
+BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL
+S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG
+A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE
+hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR
+rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga
+JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK
+ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6
+aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD
+GjaSlyc=
 -----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
index b82ef6f83f6e..63f0c6f75b8b 100755
--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
@@ -4,7 +4,9 @@ NAMETYPE=1
 KEYSIZE=2048
 DAYS=4000
 REALM=KRBTEST.COM
+LOWREALM=krbtest.com
 KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2
+KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3
 PKINIT_KDC_EKU=1.3.6.1.5.2.3.5
 PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4
 TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
@@ -85,6 +87,30 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
 basicConstraints = critical,CA:FALSE
 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
 extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
+extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn2_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
+extendedKeyUsage = $CLIENT_EKU_LIST
+
+[exts_upn3_client]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+basicConstraints = critical,CA:FALSE
+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
+extendedKeyUsage = $CLIENT_EKU_LIST
 EOF
 
 # Generate a private key.
@@ -96,15 +122,14 @@ SUBJECT=ca openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
     -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem
 
 # Generate a KDC certificate.
-SUBJECT=kdc openssl req -config openssl.cnf -new -subj /CN=kdc \
-    -key privkey.pem -out kdc.csr
+SUBJECT=kdc openssl req -config openssl.cnf -new -key privkey.pem -out kdc.csr
 SUBJECT=kdc openssl x509 -extfile openssl.cnf -extensions exts_kdc \
     -set_serial 2 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
     -out kdc.pem -in kdc.csr
 
 # Generate a client certificate and PKCS#12 bundles.
-SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
-    -key privkey.pem -out user.csr
+SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
+    -out user.csr
 SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_client \
     -set_serial 3 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
     -out user.pem -in user.csr
@@ -113,5 +138,39 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \
 openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \
     -passout pass:encrypted
 
+# Generate a client certificate and PKCS#12 bundles with a UPN SAN.
+SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
+    -out user-upn.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \
+    -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+    -out user-upn.pem -in user-upn.csr
+openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \
+    -passout pass:
+
+SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
+    -out user-upn2.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \
+    -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+    -out user-upn2.pem -in user-upn2.csr
+openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \
+     -out user-upn2.p12 -passout pass:
+
+SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
+    -out user-upn3.csr
+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
+    -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
+    -out user-upn3.pem -in user-upn3.csr
+openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
+     -out user-upn3.p12 -passout pass:
+
+# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions.
+SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
+    -out generic.csr
+SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \
+    -CAkey privkey.pem -out generic.pem -in generic.csr
+openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \
+    -passout pass:
+
 # Clean up.
-rm -f openssl.cnf kdc.csr user.csr
+rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr
+rm -f generic.csr
diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
index 9f7816f17951..ee35e5cdcf66 100644
--- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,91CA660D6286E453
+DEK-Info: DES-EDE3-CBC,7DF54DB740F92845
 
-DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7
-Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU
-AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX
-z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL
-EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO
-rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH
-8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn
-593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld
-rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd
-+n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM
-LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37
-bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644
-RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT
-H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V
-DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi
-Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn
-foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw
-WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV
-xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f
-PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe
-/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU
-Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy
-BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d
-mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE
-UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh
+3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j
+LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu
+hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu
+d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El
+N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T
+d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg
+q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ
+2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB
+rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee
+RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1
+fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg
+B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG
+nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ
+zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa
+z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB
+RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw
+KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj
+swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN
+9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw
+U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+
+y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF
++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7
+XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab
+f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A
+OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj
 -----END RSA PRIVATE KEY-----
diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem
index 1825dec4e34d..548e5a8d524a 100644
--- a/src/tests/dejagnu/pkinit-certs/privkey.pem
+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
-ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
-ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
-5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
-5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
-riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABAoIBAQCSMh5Tu9S2yUwM
-dEZmZiGxhuf+anAZZAOjqT4QeLI/Fmu3yBNM7rq+p7JrAabyp6pOq46EsXXyWtWS
-SB742wWUk2quGMNVQAj0TAJyhNgGstr+XJu8k8BBPnlycobhF0lP/oH+uQifl0KR
-iSoWLjEG5JTOoXs/UAD6nQMBDDhv9TweEwSyIY9jq1J5Q3wVXm/Nr/FJ/8O53guJ
-/TQeo6dtdx6x2+oxKkeWinfxmy2nSoEZd0eb3WUNPZswijO7QgSJolOo83VNqFcn
-lj8hYT41zUM4chple8kGnuSV4ql4a1w/52dSTLKJbgukIqvxeDtKNost344eQqkS
-Lwcc+NO5AoGBAM0bR8TmFlbP4RJAEOOilXTYgP6Ttd1r1mRXGi3DRPyv4EWGT7WW
-MmBHsqU6Mqz+fcoD/AIy1BBdenhaYrrwyCSvitJpoHPjqzOJDX33wUcrnYeincQ3
-PVzpF41O45vTmm692DSJ8t/uR8DhGpCzf/kxuA9ixvdKgMPgBHYeb5zlAoGBAMSY
-KZvgwbtlRR25CGaUgOCHtW76puaPcyxEeCbJEKkJO1vZDAf8vi1zXOM4e/gorKHm
-349ZrBQfFCrvtZG//KvI12MpjBs0Z/ijSCwS4EkYJaSH+Hm+1ygLdArwWEFkNncL
-qQ+Wme1OUoDiAAxRiBKUxUF/pAQqn7X+0MGa2th3AoGBAJ8kRaFu7XJaRUZF01Ts
-d4571kqxDXFKFMUyGCvd0Q9G33rSZdJ9QYUW3HP7HgrAQ5WVVdnW2lgAT+BGMUjf
-PkvIsKvmLQr+YX3RH1jX/W1dWBM/h64RNll6uj14Mn5bxv2Z68GIL5y0Y5QylMwl
-mmwdubSmbb6+Xf6dOJj1sKBJAoGBAJwP0tAMHp6daL2Mmk+cSaZz9KJx1bYnYB1f
-CSZ47IHTc0yZQ0S/7VR1ROKXf0njOA+aEBRi8ghTF5ZyDefyySixWdI9NByQgIzP
-Sca7AVLlGVTAH4694VzHosngO59FZzsfhYh7XBwW1cW8Ip+kxWlCskgphFFOaNR3
-wM5AGMRHAoGAJELs9VYPRJd7h4dPUa2RqfVPlYkcMwvoLYykY0wE5mjoNaJkQbUr
-W5aKhidh4h48fImt2rpB6OYSofYC4yu3VDEr/Kl2nSb8UPE5qEd1pvmdkHSxMNkh
-M2diIqot6s2v20lE/6UCqLXonlquRK1MAlyfPw9yZHP9meCvlBsYZXc=
+MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC
+iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp
+guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj
+STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88
+hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo
+AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX
+FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj
+a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo
+rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b
+vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I
+xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT
+NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ
+71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W
+64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN
+K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv
+SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx
+Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD
+vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l
+GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX
+0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI
+CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl
+OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4
+t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl
+aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer
+6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg==
 -----END RSA PRIVATE KEY-----
diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12
index 107480c6d256..b2648ceaa04b 100644
Binary files a/src/tests/dejagnu/pkinit-certs/user-enc.p12 and b/src/tests/dejagnu/pkinit-certs/user-enc.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12
new file mode 100644
index 000000000000..6daa5b378b83
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/user-upn.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem
new file mode 100644
index 000000000000..21960ea6e2f1
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S
+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
+EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
+AQsFAAOCAQEAceeR7lFXkEEjcMGK/mvNOT5zXcq27ipYuV5HBgGGNLqiawc7NTxF
+ocyZf9HujNOMvBNblTml2GJQ9wmyQesVTGgJFTGORS2sFizICq19jISxrv44cdeF
+X/KQxNmnviClkL9jfA/6oKU0uSpvUAUet3MmDuo8O7ebVXVEmQdvLrhP9ycHGq8u
+qG+5qjN4dpf/ejtCCMGGZdUdPxPosoXJzf17hpyt8/YQohKG2igLSy1O68tuHTXb
+L4yiB52JQdnJfOU1a+vUSk425zMI00MU1aLcDxcjI64kxYBpWflDqn9Ky0N6vA1i
+OoBZgRFeQSELxUp7SUsK4xO2gPM2w0zzvQ==
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12
new file mode 100644
index 000000000000..8f4c6b2d05d1
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/user-upn2.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
new file mode 100644
index 000000000000..37e123adec83
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFK8S
+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM
+BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAkYoU
+bTCe61BRrB1yw8mIpnXlRrVLV91M8YEr07Jzk4qGfRLXbWf9BnMpxzbU4YVzEifh
+w6+gYSWGjgq4kDmp6tcY3IDGvzXkglKMAZv2mpFnBa6ZooEQ96tgg9O9G5Lg8Sv0
+kSkoySJq03xapucEZbhPrtGNHKwB/EDo3T0Iaby+Go9bqkObNfuIFXRXC6HqPBS4
+khss6cJ+daEE3Yg21QZ1BUlncwYbkCzt+xp3YaHlY41gdaMdF0tn6iRJjANAM2Kg
+6J45M4GKKT3yo5hJAWIS4lSCZX92g/uiT7BcBhE+vDzi3JuEc1QKajgnza1BMZMG
+EEIPWkC+Lfg8scWS5g==
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12
new file mode 100644
index 000000000000..da888f519d91
Binary files /dev/null and b/src/tests/dejagnu/pkinit-certs/user-upn3.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
new file mode 100644
index 000000000000..754114f5da3e
--- /dev/null
+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S
+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
+EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
+AQsFAAOCAQEAurL26+vQNYFbJNAFJ3yHOt1nwAVO4/OlCtgqzOAq0nBs35HY10Qe
+y8eRcxrLmm4O/Wy+Rwre2v3pIP0AclvIytDzEm6K3Pgj4yJfUUM3VhnSOlXQP6UG
+D9Z9pVxNiDeykj5/SzxwOQAmJbPcMx9aRwP9wOLMwUxi5sKHQlL9YUTC1hffhuYY
+Yccc2dHWd5IyaKaLp9yBVXQryNdVTBYrGA2ZqcwETmcXqU/wCo/Rmf10Ra1sj88X
+VfTb4Sr0j9RaSKeXRZgbEu6kz9i2WK70dcDke08xRv4xVfrlbXrfIS+Va9WYKxrf
+Xb0XCkKp32Q0EHqapeJrCcuQtnDMGvncTQ==
+-----END CERTIFICATE-----
diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12
index a7c2baddf67f..e9c044c5b1d0 100644
Binary files a/src/tests/dejagnu/pkinit-certs/user.p12 and b/src/tests/dejagnu/pkinit-certs/user.p12 differ
diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem
index e6beefcde771..5b2853bc83d1 100644
--- a/src/tests/dejagnu/pkinit-certs/user.pem
+++ b/src/tests/dejagnu/pkinit-certs/user.pem
@@ -1,32 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV
-BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk
-Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl
-cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu
-b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa
-MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE
-BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr
-aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0
-ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z
-J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek
-xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz
-yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy
-NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz
-Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ
-FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC
-k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
-dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg
-SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p
-dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa
-MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC
-VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl
-ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w
-JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+
-RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep
-vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod
-icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ
-GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5
-Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ=
+MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFK8S
+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b
+C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF
+AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQClwfj6ACfmDie1YoKzr3zSWZJKZimv7wG1
+iZMNPE6bw22ZmE+P+Vq6WrY5M5e4u7ZdvFmkVq3rUA0HoU6bk3YLGapgsEAG6W1R
+LVzxwoYDf4poOMqjCL34eLFdlVeRDADiulROE8bJGrPLJIiqeii0c7Kzxxuh5nxl
+QHDgNV0fHQQJlejgJssOqgGErsCXCq7k6kkqB8MnKVMErRjsYuY3YI2tpjxBq9nA
+A9dXgIU1zEUVzfpxzBjL9+2pMctbL1y4/ePpTP1+PlfI81TwrQNvMGYjxKNZM1ab
+lZt37n8GQUZQyZ2TacR4JyY+w20ivE/JPN0L3Ncmem6bO1CULpwO
 -----END CERTIFICATE-----
diff --git a/src/tests/deps b/src/tests/deps
index 751805061c14..a7f1515bd795 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -80,8 +80,20 @@ $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h hrealm.c
-$(OUTPRE)icred.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h icred.c
+$(OUTPRE)icinterleave.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h icinterleave.c
+$(OUTPRE)icred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+  icred.c
 $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
   $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
index 6c146429793d..604f926dec45 100644
--- a/src/tests/gssapi/Makefile.in
+++ b/src/tests/gssapi/Makefile.in
@@ -15,15 +15,16 @@ SRCS=	$(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
 	$(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
 	$(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
 	$(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
-	$(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \
-	$(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
-	$(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
+	$(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \
+	$(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \
+	$(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
+	$(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
 
 OBJS=	ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \
 	t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \
 	t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \
-	t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
-	t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
+	t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \
+	t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
 	t_spnego.o t_srcattrs.o
 
 COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
@@ -31,9 +32,9 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 
 all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \
 	t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
-	t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \
-	t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \
-	t_srcattrs
+	t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \
+	t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname \
+	t_spnego t_srcattrs
 
 check-unix: t_oid
 	$(RUN_TEST) ./t_invalid
@@ -42,8 +43,8 @@ check-unix: t_oid
 
 check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \
 	t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
-	t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
-	t_spnego t_srcattrs
+	t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok t_s4u \
+	t_s4u2proxy_krb5 t_spnego t_srcattrs
 	$(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
@@ -88,6 +89,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
 	$(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
 t_iov: t_iov.o $(COMMON_DEPS)
 	$(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS)
+t_lifetime: t_lifetime.o $(COMMON_DEPS)
+	$(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS)
 t_namingexts: t_namingexts.o $(COMMON_DEPS)
 	$(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
 t_pcontok: t_pcontok.o $(COMMON_DEPS)
@@ -111,5 +114,5 @@ clean:
 	$(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore
 	$(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred
 	$(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov
-	$(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
-	$(RM) t_saslname t_spnego t_srcattrs
+	$(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u
+	$(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps
index be3cefbb456b..b784deb638d0 100644
--- a/src/tests/gssapi/deps
+++ b/src/tests/gssapi/deps
@@ -45,7 +45,8 @@ $(OUTPRE)t_enctypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(COM_ERR_DEPS) $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
   $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
@@ -113,6 +114,10 @@ $(OUTPRE)t_iov.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
   $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
   common.h t_iov.c
+$(OUTPRE)t_lifetime.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
+  $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
+  common.h t_lifetime.c
 $(OUTPRE)t_namingexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
   $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \
diff --git a/src/tests/gssapi/t_authind.py b/src/tests/gssapi/t_authind.py
index 316bc4093801..84793beb623f 100644
--- a/src/tests/gssapi/t_authind.py
+++ b/src/tests/gssapi/t_authind.py
@@ -24,9 +24,8 @@ if ('Attribute auth-indicators Authenticated Complete') not in out:
 if '73757065727374726f6e67' not in out:
     fail('Expected auth indicator not seen in name attributes')
 
-out = realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1)
-if 'gss_init_sec_context: KDC policy rejects request' not in out:
-    fail('Expected error message not seen for indicator mismatch')
+msg = 'gss_init_sec_context: KDC policy rejects request'
+realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg)
 
 realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two'])
 out = realm.run(['./t_srcattrs', 'p:service/2'])
@@ -34,5 +33,20 @@ out = realm.run(['./t_srcattrs', 'p:service/2'])
 if '6f6e65' not in out or '74776f' not in out:
     fail('Expected auth indicator not seen in name attributes')
 
+realm.stop()
+
+# Test the FAST encrypted challenge auth indicator.
+kdcconf = {'realms': {'$realm': {'encrypted_challenge_indicator': 'fast'}}}
+realm = K5Realm(kdc_conf=kdcconf)
+realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
+realm.run([kadminl, 'xst', realm.host_princ])
+realm.kinit(realm.user_princ, password('user'))
+realm.kinit(realm.user_princ, password('user'), ['-T', realm.ccache])
+out = realm.run(['./t_srcattrs', 'p:' + realm.host_princ])
+if ('Attribute auth-indicators Authenticated Complete') not in out:
+    fail('Expected attribute type not seen')
+if '66617374' not in out:
+    fail('Expected auth indicator not seen in name attributes')
+
 realm.stop()
 success('GSSAPI auth indicator tests')
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index 6be6b4ec06c1..3503f92699b1 100755
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -31,12 +31,20 @@ r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
 
 host1 = 'p:' + r1.host_princ
 host2 = 'p:' + r2.host_princ
-
-# gsserver specifies the target as a GSS name.  The resulting
-# principal will have the host-based type, but the realm won't be
-# known before the client cache is selected (since k5test realms have
-# no domain-realm mapping by default).
-gssserver = 'h:host@' + hostname
+foo = 'foo.krbtest.com'
+foo2 = 'foo.krbtest2.com'
+foobar = "foo.bar.krbtest.com"
+
+# These strings specify the target as a GSS name.  The resulting
+# principal will have the host-based type, with the referral realm
+# (since k5test realms have no domain-realm mapping by default).
+# krb5_cc_select() will use the fallback realm, which is either the
+# uppercased parent domain, or the default realm if the hostname is a
+# single component.
+gssserver = 'h:host@' + foo
+gssserver2 = 'h:host@' + foo2
+gssserver_bar = 'h:host@' + foobar
+gsslocal = 'h:host@localhost'
 
 # refserver specifies the target as a principal in the referral realm.
 # The principal won't be treated as a host principal by the
@@ -45,9 +53,8 @@ refserver = 'p:host/' + hostname + '@'
 
 # Verify that we can't get initiator creds with no credentials in the
 # collection.
-output = r1.run(['./t_ccselect', host1, '-'], expected_code=1)
-if 'No Kerberos credentials available' not in output:
-    fail('Expected error not seen in output when no credentials available')
+r1.run(['./t_ccselect', host1, '-'], expected_code=1,
+       expected_msg='No Kerberos credentials available')
 
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
@@ -67,6 +74,18 @@ r1.addprinc(alice, password('alice'))
 r1.addprinc(bob, password('bob'))
 r2.addprinc(zaphod, password('zaphod'))
 
+# Create host principals and keytabs for fallback realm tests.
+r1.addprinc('host/localhost')
+r2.addprinc('host/localhost')
+r1.addprinc('host/' + foo)
+r2.addprinc('host/' + foo2)
+r1.addprinc('host/' + foobar)
+r1.extract_keytab('host/localhost', r1.keytab)
+r2.extract_keytab('host/localhost', r2.keytab)
+r1.extract_keytab('host/' + foo, r1.keytab)
+r2.extract_keytab('host/' + foo2, r2.keytab)
+r1.extract_keytab('host/' + foobar, r1.keytab)
+
 # Get tickets for one user in each realm (zaphod will be primary).
 r1.kinit(alice, password('alice'))
 r2.kinit(zaphod, password('zaphod'))
@@ -94,10 +113,29 @@ if output != (zaphod + '\n'):
     fail('zaphod not chosen as default initiator name for server in r1')
 
 # Check that primary cache is used if server realm is unknown.
-output = r2.run(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', refserver])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen via primary cache for unknown server realm')
-r1.run(['./t_ccselect', gssserver], expected_code=1)
+r1.run(['./t_ccselect', gssserver2], expected_code=1)
+# Check ccache selection using a fallback realm.
+output = r1.run(['./t_ccselect', gssserver])
+if output != (alice + '\n'):
+    fail('alice not chosen via parent domain fallback')
+output = r2.run(['./t_ccselect', gssserver2])
+if output != (zaphod + '\n'):
+    fail('zaphod not chosen via parent domain fallback')
+# Check ccache selection using a fallback realm (default realm).
+output = r1.run(['./t_ccselect', gsslocal])
+if output != (alice + '\n'):
+    fail('alice not chosen via default realm fallback')
+output = r2.run(['./t_ccselect', gsslocal])
+if output != (zaphod + '\n'):
+    fail('zaphod not chosen via default realm fallback')
+
+# Check that realm ccselect fallback works correctly
+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
+r2.kinit(zaphod, password('zaphod'))
+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
 
 # Get a second cred in r1 (bob will be primary).
 r1.kinit(bob, password('bob'))
@@ -105,20 +143,19 @@ r1.kinit(bob, password('bob'))
 # Try some cache selections using .k5identity.
 k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
 k5id.write('%s realm=%s\n' % (alice, r1.realm))
-k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
+k5id.write('%s service=ho*t host=localhost\n' % zaphod)
 k5id.write('noprinc service=bogus')
 k5id.close()
 output = r1.run(['./t_ccselect', host1])
 if output != (alice + '\n'):
     fail('alice not chosen via .k5identity realm line.')
-output = r2.run(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', gsslocal])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen via .k5identity service/host line.')
 output = r1.run(['./t_ccselect', refserver])
 if output != (bob + '\n'):
     fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
-if 'Can\'t find client principal noprinc' not in output:
-    fail('Expected error not seen when k5identity selects bad principal.')
+r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
+       expected_msg="Can't find client principal noprinc")
 
 success('GSSAPI credential selection tests')
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 4c8747a506c1..2da87f45b5b2 100755
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -15,9 +15,7 @@ realm.extract_keytab(realm.user_princ, realm.client_keytab)
 realm.extract_keytab(bob, realm.client_keytab)
 
 # Test 1: no name/cache specified, pick first principal from client keytab
-out = realm.run(['./t_ccselect', phost])
-if realm.user_princ not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost], expected_msg=realm.user_princ)
 realm.run([kdestroy])
 
 # Test 2: no name/cache specified, pick principal from k5identity
@@ -25,36 +23,27 @@ k5idname = os.path.join(realm.testdir, '.k5identity')
 k5id = open(k5idname, 'w')
 k5id.write('%s service=host host=%s\n' % (bob, hostname))
 k5id.close()
-out = realm.run(['./t_ccselect', gssserver])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', gssserver], expected_msg=bob)
 os.remove(k5idname)
 realm.run([kdestroy])
 
 # Test 3: no name/cache specified, default ccache has name but no creds
 realm.run(['./ccinit', realm.ccache, bob])
-out = realm.run(['./t_ccselect', phost])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost], expected_msg=bob)
 # Leave tickets for next test.
 
 # Test 4: name specified, non-collectable default cache doesn't match
-out = realm.run(['./t_ccselect', phost, puser], expected_code=1)
-if 'Principal in credential cache does not match desired name' not in out:
-    fail('Expected error not seen')
+msg = 'Principal in credential cache does not match desired name'
+realm.run(['./t_ccselect', phost, puser], expected_code=1, expected_msg=msg)
 realm.run([kdestroy])
 
 # Test 5: name specified, nonexistent default cache
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
 # Leave tickets for next test.
 
 # Test 6: name specified, matches default cache, time to refresh
 realm.run(['./ccrefresh', realm.ccache, '1'])
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
 out = realm.run(['./ccrefresh', realm.ccache])
 if int(out) < 1000:
     fail('Credentials apparently not refreshed')
@@ -67,9 +56,8 @@ realm.run([kdestroy])
 
 # Test 8: ccache specified with name but no creds; name not in client keytab
 realm.run(['./ccinit', realm.ccache, realm.host_princ])
-out = realm.run(['./t_imp_cred', phost], expected_code=1)
-if 'Credential cache is empty' not in out:
-    fail('Expected error not seen')
+realm.run(['./t_imp_cred', phost], expected_code=1,
+          expected_msg='Credential cache is empty')
 realm.run([kdestroy])
 
 # Test 9: ccache specified with name but no creds; name in client keytab
@@ -104,16 +92,12 @@ realm.env['KRB5CCNAME'] = ccname
 # Test 12: name specified, matching cache in collection with no creds
 bobcache = os.path.join(ccdir, 'tktbob')
 realm.run(['./ccinit', bobcache, bob])
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
 # Leave tickets for next test.
 
 # Test 13: name specified, matching cache in collection, time to refresh
 realm.run(['./ccrefresh', bobcache, '1'])
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
 out = realm.run(['./ccrefresh', bobcache])
 if int(out) < 1000:
     fail('Credentials apparently not refreshed')
@@ -121,22 +105,15 @@ realm.run([kdestroy, '-A'])
 
 # Test 14: name specified, collection has default for different principal
 realm.kinit(realm.user_princ, password('user'))
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
-out = realm.run([klist])
-if 'Default principal: %s\n' % realm.user_princ not in out:
-    fail('Default cache overwritten by acquire_cred')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
+msg = 'Default principal: %s\n' % realm.user_princ
+realm.run([klist], expected_msg=msg)
 realm.run([kdestroy, '-A'])
 
 # Test 15: name specified, collection has no default cache
-out = realm.run(['./t_ccselect', phost, pbob])
-if bob not in out:
-    fail('Authenticated as wrong principal')
+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
 # Make sure the tickets we acquired didn't become the default
-out = realm.run([klist], expected_code=1)
-if 'No credentials cache found' not in out:
-    fail('Expected error not seen')
+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
 realm.run([kdestroy, '-A'])
 
 # Test 16: default client keytab cannot be resolved, but valid
@@ -145,8 +122,7 @@ conf = {'libdefaults': {'default_client_keytab_name': '%{'}}
 bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf)
 del bad_cktname['KRB5_CLIENT_KTNAME']
 realm.kinit(realm.user_princ, password('user'))
-out = realm.run(['./t_ccselect', phost], env=bad_cktname)
-if realm.user_princ not in out:
-    fail('Expected principal not seen for bad client keytab name')
+realm.run(['./t_ccselect', phost], env=bad_cktname,
+          expected_msg=realm.user_princ)
 
 success('Client keytab tests')
diff --git a/src/tests/gssapi/t_enctypes.c b/src/tests/gssapi/t_enctypes.c
index a2ad18f47aba..3fd31e2f8cd5 100644
--- a/src/tests/gssapi/t_enctypes.c
+++ b/src/tests/gssapi/t_enctypes.c
@@ -32,6 +32,7 @@
 
 #include "k5-int.h"
 #include "common.h"
+#include "gssapi_ext.h"
 
 /*
  * This test program establishes contexts with the krb5 mech, the default
@@ -86,6 +87,9 @@ main(int argc, char *argv[])
     gss_krb5_lucid_context_v1_t *ilucid, *alucid;
     gss_krb5_rfc1964_keydata_t *i1964, *a1964;
     gss_krb5_cfx_keydata_t *icfx, *acfx;
+    gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
+    gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
+    unsigned int ssf;
     size_t count;
     void *lptr;
     int c;
@@ -139,6 +143,16 @@ main(int argc, char *argv[])
     establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx,
                        NULL, NULL, NULL);
 
+    /* Query the SSF value and range-check the result. */
+    major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset);
+    check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor);
+    if (bufset->elements[0].length != 4)
+        errout("SSF buffer has unexpected length");
+    ssf = load_32_be(bufset->elements[0].value);
+    if (ssf < 56 || ssf > 256)
+        errout("SSF value not within acceptable range (56-256)");
+    (void)gss_release_buffer_set(&minor, &bufset);
+
     /* Export to lucid contexts. */
     major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr);
     check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor);
diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
index 862f229895b2..f513db2b55cf 100755
--- a/src/tests/gssapi/t_enctypes.py
+++ b/src/tests/gssapi/t_enctypes.py
@@ -58,9 +58,7 @@ def test(msg, ienc, aenc, tktenc='', tktsession='', proto='', isubkey='',
 # and check that it fails with the expected error message.
 def test_err(msg, ienc, aenc, expected_err):
     shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache)
-    out = realm.run(cmdline(ienc, aenc), expected_code=1)
-    if expected_err not in out:
-        fail(msg)
+    realm.run(cmdline(ienc, aenc), expected_code=1, expected_msg=expected_err)
 
 
 # By default, all of the key enctypes should be aes256.
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 698835928901..b98962788b58 100755
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -23,9 +23,7 @@ def ccache_restore(realm):
 def check(realm, args):
     ccache_restore(realm)
     realm.run(['./t_export_cred'] + args)
-    output = realm.run([klist, '-f'])
-    if 'Flags: Ff' not in output:
-        fail('Forwarded tickets not found in ccache after t_export_cred')
+    realm.run([klist, '-f'], expected_msg='Flags: Ff')
 
 # Check a given set of arguments with no specified mech and with krb5
 # and SPNEGO as the specified mech.
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index e23c936d7f44..6da5fceff3be 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -28,57 +28,40 @@ realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
 
 # Test with no acceptor name, including client/keytab principal
 # mismatch (non-fatal) and missing keytab entry (fatal).
-output = realm.run(['./t_accname', 'p:service1/andrew'])
-if 'service1/abraham' not in output:
-    fail('Expected service1/abraham in t_accname output')
-output = realm.run(['./t_accname', 'p:service1/barack'])
-if 'service1/barack' not in output:
-    fail('Expected service1/barack in t_accname output')
-output = realm.run(['./t_accname', 'p:service2/calvin'])
-if 'service2/calvin' not in output:
-    fail('Expected service1/barack in t_accname output')
-output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
-if ' not found in keytab' not in output:
-    fail('Expected error message not seen in t_accname output')
+realm.run(['./t_accname', 'p:service1/andrew'],
+          expected_msg='service1/abraham')
+realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack')
+realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin')
+realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1,
+          expected_msg=' not found in keytab')
 
 # Test with acceptor name containing service only, including
 # client/keytab hostname mismatch (non-fatal) and service name
 # mismatch (fatal).
-output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'])
-if 'service1/abraham' not in output:
-    fail('Expected service1/abraham in t_accname output')
-output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
-                   expected_code=1)
-if ' not found in keytab' not in output:
-    fail('Expected error message not seen in t_accname output')
-output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
-if 'service2/calvin' not in output:
-    fail('Expected service2/calvin in t_accname output')
-output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
-                   expected_code=1)
-if ' found in keytab but does not match server principal' not in output:
-    fail('Expected error message not seen in t_accname output')
+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'],
+          expected_msg='service1/abraham')
+realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1,
+          expected_msg=' not found in keytab')
+realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
+          expected_msg='service2/calvin')
+realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
+          expected_msg=' found in keytab but does not match server principal')
 
 # Test with acceptor name containing service and host.  Use the
 # client's un-canonicalized hostname as acceptor input to mirror what
 # many servers do.
-output = realm.run(['./t_accname', 'p:' + realm.host_princ,
-                    'h:host@%s' % socket.gethostname()])
-if realm.host_princ not in output:
-    fail('Expected %s in t_accname output' % realm.host_princ)
-output = realm.run(['./t_accname', 'p:host/-nomatch-',
-                    'h:host@%s' % socket.gethostname()],
-                   expected_code=1)
-if ' not found in keytab' not in output:
-    fail('Expected error message not seen in t_accname output')
+realm.run(['./t_accname', 'p:' + realm.host_princ,
+           'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ)
+realm.run(['./t_accname', 'p:host/-nomatch-',
+           'h:host@%s' % socket.gethostname()], expected_code=1,
+          expected_msg=' not found in keytab')
 
 # Test krb5_gss_import_cred.
 realm.run(['./t_imp_cred', 'p:service1/barack'])
 realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
 realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
-output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
-if ' not found in keytab' not in output:
-    fail('Expected error message not seen in t_imp_cred output')
+realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1,
+          expected_msg=' not found in keytab')
 
 # Test credential store extension.
 tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
@@ -116,10 +99,8 @@ ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
 realm = K5Realm(krb5_conf=ignore_conf)
 realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
 realm.run([kadminl, 'xst', 'host/-nomatch-'])
-output = realm.run(['./t_accname', 'p:host/-nomatch-',
-                    'h:host@%s' % socket.gethostname()])
-if 'host/-nomatch-' not in output:
-    fail('Expected host/-nomatch- in t_accname output')
+realm.run(['./t_accname', 'p:host/-nomatch-',
+           'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-')
 
 realm.stop()
 
@@ -141,41 +122,25 @@ r3.stop()
 realm = K5Realm()
 
 # Test deferred resolution of the default ccache for initiator creds.
-output = realm.run(['./t_inq_cred'])
-if realm.user_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run(['./t_inq_cred', '-k'])
-if realm.user_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run(['./t_inq_cred', '-s'])
-if realm.user_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+realm.run(['./t_inq_cred'], expected_msg=realm.user_princ)
+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
+realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ)
 
 # Test picking a name from the keytab for acceptor creds.
-output = realm.run(['./t_inq_cred', '-a'])
-if realm.host_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run(['./t_inq_cred', '-k', '-a'])
-if realm.host_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run(['./t_inq_cred', '-s', '-a'])
-if realm.host_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ)
+realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ)
+realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ)
 
 # Test client keytab initiation (non-deferred) with a specified name.
 realm.extract_keytab(realm.user_princ, realm.client_keytab)
 os.remove(realm.ccache)
-output = realm.run(['./t_inq_cred', '-k'])
-if realm.user_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.user_princ)
+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
 
 # Test deferred client keytab initiation and GSS_C_BOTH cred usage.
 os.remove(realm.client_keytab)
 os.remove(realm.ccache)
 shutil.copyfile(realm.keytab, realm.client_keytab)
-output = realm.run(['./t_inq_cred', '-k', '-b'])
-if realm.host_princ not in output:
-    fail('Expected %s in t_inq_cred output' % realm.host_princ)
+realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ)
 
 # Test gss_export_name behavior.
 out = realm.run(['./t_export_name', 'u:x'])
@@ -220,4 +185,37 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ])
 # contexts.
 realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
 
+if runenv.sizeof_time_t <= 4:
+    skip_rest('y2038 GSSAPI tests', 'platform has 32-bit time_t')
+
+# Test lifetime results, using a realm with a large maximum lifetime
+# so that we can test ticket end dates after y2038.
+realm.stop()
+conf = {'realms': {'$realm': {'max_life': '9000d'}}}
+realm = K5Realm(kdc_conf=conf, get_creds=False)
+
+# Check a lifetime string result against an expected number value (or None).
+# Allow some variance due to time elapsed during the tests.
+def check_lifetime(msg, val, expected):
+    if expected is None and val != 'indefinite':
+        fail('%s: expected indefinite, got %s' % (msg, val))
+    if expected is not None and val == 'indefinite':
+        fail('%s: expected %d, got indefinite' % (msg, expected))
+    if expected is not None and abs(int(val) - expected) > 100:
+        fail('%s: expected %d, got %s' % (msg, expected, val))
+
+realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d'])
+out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)])
+ln = out.split('\n')
+check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400)
+check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400)
+check_lifetime('acred gss_acquire_cred', ln[2], None)
+check_lifetime('acred gss_inquire_cred', ln[3], None)
+check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400)
+check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400)
+check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400)
+check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300)
+check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300)
+check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
+
 success('GSSAPI tests')
diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
index 5c8ddac8dc84..2a332a8ae048 100644
--- a/src/tests/gssapi/t_invalid.c
+++ b/src/tests/gssapi/t_invalid.c
@@ -31,8 +31,8 @@
  */
 
 /*
- * This file contains regression tests for some GSSAPI krb5 invalid per-message
- * token vulnerabilities.
+ * This file contains regression tests for some GSSAPI invalid token
+ * vulnerabilities.
  *
  * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
  *    null pointer dereference.  (The token must use SEAL_ALG_NONE or it will
@@ -54,10 +54,13 @@
  *    causes an integer underflow when computing the original message length,
  *    leading to an allocation error.
  *
+ * 5. In the mechglue, truncated encapsulation in the initial context token can
+ *    cause input buffer overruns in gss_accept_sec_context().
+ *
  * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with
- * fewer than 16 bytes after the ASN.1 header will be rejected.  Vulnerability
- * #2 can only be robustly detected using a memory-checking environment such as
- * valgrind.
+ * fewer than 16 bytes after the ASN.1 header will be rejected.
+ * Vulnerabilities #2 and #5 can only be robustly detected using a
+ * memory-checking environment such as valgrind.
  */
 
 #include "k5-int.h"
@@ -406,6 +409,48 @@ test_bad_pad(gss_ctx_id_t ctx, const struct test *test)
     (void)gss_release_buffer(&minor, &out);
 }
 
+static void
+try_accept(void *value, size_t len)
+{
+    OM_uint32 minor;
+    gss_buffer_desc in, out;
+    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+
+    /* Copy the provided value to make input overruns more obvious. */
+    in.value = malloc(len);
+    if (in.value == NULL)
+        abort();
+    memcpy(in.value, value, len);
+    in.length = len;
+    (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
+                                 GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+                                 &out, NULL, NULL, NULL);
+    gss_release_buffer(&minor, &out);
+    gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
+    free(in.value);
+}
+
+/* Accept contexts using superficially valid but truncated encapsulations. */
+static void
+test_short_encapsulation()
+{
+    /* Include just the initial application tag, to see if we overrun reading
+     * the sequence length. */
+    try_accept("\x60", 1);
+
+    /* Indicate four additional sequence length bytes, to see if we overrun
+     * reading them (or skipping them and reading the next byte). */
+    try_accept("\x60\x84", 2);
+
+    /* Include an object identifier tag but no length, to see if we overrun
+     * reading the length. */
+    try_accept("\x60\x40\x06", 3);
+
+    /* Include an object identifier tag with a length matching the krb5 mech,
+     * but no OID bytes, to see if we overrun comparing against mechs. */
+    try_accept("\x60\x40\x06\x09", 4);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -425,5 +470,7 @@ main(int argc, char **argv)
         free_fake_context(ctx);
     }
 
+    test_short_encapsulation();
+
     return 0;
 }
diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c
new file mode 100644
index 000000000000..8dcf18621bbf
--- /dev/null
+++ b/src/tests/gssapi/t_lifetime.c
@@ -0,0 +1,140 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include "common.h"
+
+/*
+ * Using the default credential, exercise the GSS functions which accept or
+ * produce lifetimes.  Display the following results, one per line, as ASCII
+ * integers or the string "indefinite":
+ *
+ *   initiator cred lifetime according to gss_acquire_cred()
+ *   initiator cred lifetime according to gss_inquire_cred()
+ *   acceptor cred lifetime according to gss_acquire_cred()
+ *   acceptor cred lifetime according to gss_inquire_cred()
+ *   initiator context lifetime according to gss_init_sec_context()
+ *   initiator context lifetime according to gss_inquire_context()
+ *   initiator context lifetime according to gss_context_time()
+ *   acceptor context lifetime according to gss_init_sec_context()
+ *   acceptor context lifetime according to gss_inquire_context()
+ *   acceptor context lifetime according to gss_context_time()
+ */
+
+static void
+display_time(OM_uint32 tval)
+{
+    if (tval == GSS_C_INDEFINITE)
+        puts("indefinite");
+    else
+        printf("%u\n", (unsigned int)tval);
+}
+
+int
+main(int argc, char *argv[])
+{
+    OM_uint32 minor, major;
+    gss_cred_id_t icred, acred;
+    gss_name_t tname;
+    gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
+    OM_uint32 time_req = GSS_C_INDEFINITE, time_rec;
+
+    if (argc < 2 || argc > 3) {
+        fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]);
+        return 1;
+    }
+    tname = import_name(argv[1]);
+    if (argc >= 3)
+        time_req = atoll(argv[2]);
+
+    /* Get initiator cred and display its lifetime according to
+     * gss_acquire_cred and gss_inquire_cred. */
+    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
+                             GSS_C_INITIATE, &icred, NULL, &time_rec);
+    check_gsserr("gss_acquire_cred(initiate)", major, minor);
+    display_time(time_rec);
+    major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL);
+    check_gsserr("gss_inquire_cred(initiate)", major, minor);
+    display_time(time_rec);
+
+    /* Get acceptor cred and display its lifetime according to gss_acquire_cred
+     * and gss_inquire_cred. */
+    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
+                             GSS_C_ACCEPT, &acred, NULL, &time_rec);
+    check_gsserr("gss_acquire_cred(accept)", major, minor);
+    display_time(time_rec);
+    major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL);
+    check_gsserr("gss_inquire_cred(accept)", major, minor);
+    display_time(time_rec);
+
+    /* Make an initiator context and display its lifetime according to
+     * gss_init_sec_context, gss_inquire_context, and gss_context_time. */
+    major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0,
+                                 time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok,
+                                 NULL, &itok, NULL, &time_rec);
+    check_gsserr("gss_init_sec_context", major, minor);
+    assert(major == GSS_S_COMPLETE);
+    display_time(time_rec);
+    major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL,
+                                NULL, NULL, NULL);
+    check_gsserr("gss_inquire_context(initiate)", major, minor);
+    display_time(time_rec);
+    major = gss_context_time(&minor, ictx, &time_rec);
+    check_gsserr("gss_context_time(initiate)", major, minor);
+    display_time(time_rec);
+
+    major = gss_accept_sec_context(&minor, &actx, acred, &itok,
+                                   GSS_C_NO_CHANNEL_BINDINGS, NULL,
+                                   NULL, &atok, NULL, &time_rec, NULL);
+    check_gsserr("gss_accept_sec_context", major, minor);
+    assert(major == GSS_S_COMPLETE);
+    display_time(time_rec);
+    major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL,
+                                NULL, NULL, NULL);
+    check_gsserr("gss_inquire_context(accept)", major, minor);
+    display_time(time_rec);
+    major = gss_context_time(&minor, actx, &time_rec);
+    check_gsserr("gss_context_time(accept)", major, minor);
+    display_time(time_rec);
+
+    (void)gss_release_buffer(&minor, &itok);
+    (void)gss_release_buffer(&minor, &atok);
+    (void)gss_release_name(&minor, &tname);
+    (void)gss_release_cred(&minor, &icred);
+    (void)gss_release_cred(&minor, &acred);
+    (void)gss_delete_sec_context(&minor, &ictx, NULL);
+    (void)gss_delete_sec_context(&minor, &actx, NULL);
+    return 0;
+}
diff --git a/src/tests/gssapi/t_s4u.c b/src/tests/gssapi/t_s4u.c
index 5bc1e4470bdc..0400f8f61f41 100644
--- a/src/tests/gssapi/t_s4u.c
+++ b/src/tests/gssapi/t_s4u.c
@@ -242,6 +242,7 @@ main(int argc, char *argv[])
     gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
     gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
     gss_OID_set mechs;
+    gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
 
     if (argc < 2 || argc > 5) {
         fprintf(stderr, "Usage: %s [--spnego] [user] "
@@ -305,6 +306,25 @@ main(int argc, char *argv[])
         fprintf(stderr, "\n");
     }
 
+    if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
+        /* Inquire impersonator status. */
+        major = gss_inquire_cred_by_oid(&minor, user_cred_handle,
+                                        GSS_KRB5_GET_CRED_IMPERSONATOR,
+                                        &bufset);
+        check_gsserr("gss_inquire_cred_by_oid", major, minor);
+        if (bufset->count == 0)
+            errout("gss_inquire_cred_by_oid(user) returned NO impersonator");
+        (void)gss_release_buffer_set(&minor, &bufset);
+
+        major = gss_inquire_cred_by_oid(&minor, impersonator_cred_handle,
+                                        GSS_KRB5_GET_CRED_IMPERSONATOR,
+                                        &bufset);
+        check_gsserr("gss_inquire_cred_by_oid", major, minor);
+        if (bufset->count != 0)
+            errout("gss_inquire_cred_by_oid(svc) returned an impersonator");
+        (void)gss_release_buffer_set(&minor, &bufset);
+    }
+
     (void)gss_release_name(&minor, &user);
     (void)gss_release_name(&minor, &target);
     (void)gss_release_cred(&minor, &delegated_cred_handle);
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 7366e3915ee3..e4cd68469300 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -42,10 +42,8 @@ if ('auth1: ' + realm.user_princ not in output or
 # result in no delegated credential being created by
 # accept_sec_context.
 realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
-output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
-                    pservice1, pservice2])
-if 'no credential delegated' not in output:
-    fail('krb5 -> no delegated cred')
+realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
+           pservice1, pservice2], expected_msg='no credential delegated')
 
 # Try S4U2Self.  Ask for an S4U2Proxy step; this won't happen because
 # service/1 isn't allowed to get a forwardable S4U2Self ticket.
@@ -61,17 +59,15 @@ if ('Warning: no delegated cred handle' not in output or
 # Correct that problem and try again.  As above, the S4U2Proxy step
 # won't actually succeed since we don't support that in DB2.
 realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1])
-output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
-if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-    fail('s4u2self')
+realm.run(['./t_s4u', puser, pservice2], expected_code=1,
+          expected_msg='NOT_ALLOWED_TO_DELEGATE')
 
 # Again with SPNEGO.  This uses SPNEGO for the initial authentication,
 # but still uses krb5 for S4U2Proxy--the delegated cred is returned as
 # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
 # directly rather than saving and reacquiring it.
-output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
-if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-    fail('s4u2self')
+realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1,
+          expected_msg='NOT_ALLOWED_TO_DELEGATE')
 
 realm.stop()
 
@@ -148,9 +144,8 @@ realm.stop()
 # fail, but we can check that the right server principal was used.
 r1, r2 = cross_realms(2, create_user=False)
 r1.run([kinit, '-k', r1.host_princ])
-out = r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1)
-if 'Server not found in Kerberos database' not in out:
-    fail('cross-realm s4u2self (t_s4u output)')
+r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1,
+       expected_msg='Server not found in Kerberos database')
 r1.stop()
 r2.stop()
 with open(os.path.join(r2.testdir, 'kdc.log')) as f:
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index 0934f33fd340..efb4271e587c 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -436,12 +436,11 @@ int get_tgt (context, p_client_str, p_client, ccache)
 {
     char *cache_name = NULL;		/* -f option */
     long lifetime = KRB5_DEFAULT_LIFE;	/* -l option */
-    int options = KRB5_DEFAULT_OPTIONS;
     krb5_error_code code;
     krb5_creds my_creds;
     krb5_timestamp start;
-    krb5_principal tgt_server;
     float dt;
+    krb5_get_init_creds_opt *options;
 
     if (!brief)
       fprintf(stderr, "\tgetting TGT for %s\n", p_client_str);
@@ -458,22 +457,6 @@ int get_tgt (context, p_client_str, p_client, ccache)
 	return(-1);
     }
 
-
-    if ((code = krb5_build_principal_ext(context, &tgt_server,
-				krb5_princ_realm(context, *p_client)->length,
-				krb5_princ_realm(context, *p_client)->data,
-				tgtname.length,
-				tgtname.data,
-				krb5_princ_realm(context, *p_client)->length,
-				krb5_princ_realm(context, *p_client)->data,
-				0))) {
-	com_err(prog, code, "when setting up tgt principal");
-	return(-1);
-    }
-
-    my_creds.client = *p_client;
-    my_creds.server = tgt_server;
-
     code = krb5_cc_initialize (context, ccache, *p_client);
     if (code != 0) {
 	com_err (prog, code, "when initializing cache %s",
@@ -481,17 +464,26 @@ int get_tgt (context, p_client_str, p_client, ccache)
 	return(-1);
     }
 
-    my_creds.times.starttime = 0;	/* start timer when request
-					   gets to KDC */
-    my_creds.times.endtime = start + lifetime;
-    my_creds.times.renew_till = 0;
-
     if (do_timer)
 	swatch_on();
 
-    code = krb5_get_in_tkt_with_password(context, options, 0,
-					 NULL, patype, p_client_str, ccache,
-					 &my_creds, 0);
+    code = krb5_get_init_creds_opt_alloc(context, &options);
+    if (code != 0) {
+	com_err(prog, code, "when allocating init cred options");
+	return(-1);
+    }
+
+    krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+
+    code = krb5_get_init_creds_opt_set_out_ccache(context, options, ccache);
+    if (code != 0) {
+	com_err(prog, code, "when setting init cred output ccache");
+	return(-1);
+    }
+
+    code = krb5_get_init_creds_password(context, &my_creds, *p_client,
+					p_client_str, NULL, NULL, 0, NULL,
+					options);
     if (do_timer) {
 	dt = swatch_eltime();
 	in_tkt_times.ht_cumulative += dt;
@@ -501,8 +493,7 @@ int get_tgt (context, p_client_str, p_client, ccache)
 	if (dt < in_tkt_times.ht_min)
 	    in_tkt_times.ht_min = dt;
     }
-    my_creds.server = my_creds.client = 0;
-    krb5_free_principal(context, tgt_server);
+    krb5_get_init_creds_opt_free(context, options);
     krb5_free_cred_contents(context, &my_creds);
     if (code != 0) {
 	com_err (prog, code, "while getting initial credentials");
diff --git a/src/tests/icinterleave.c b/src/tests/icinterleave.c
new file mode 100644
index 000000000000..a1bdd3547f08
--- /dev/null
+++ b/src/tests/icinterleave.c
@@ -0,0 +1,128 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/icinterleave.c - interleaved init_creds_step test harness */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This test harness performs multiple initial creds operations using
+ * krb5_init_creds_step(), interleaving the operations to test the scoping of
+ * the preauth state.  All principals must have the same password (or not
+ * require a password).
+ */
+
+#include "k5-int.h"
+
+static krb5_context ctx;
+
+static void
+check(krb5_error_code code)
+{
+    const char *errmsg;
+
+    if (code) {
+        errmsg = krb5_get_error_message(ctx, code);
+        fprintf(stderr, "%s\n", errmsg);
+        krb5_free_error_message(ctx, errmsg);
+        exit(1);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    const char *password;
+    char **princstrs;
+    krb5_principal client;
+    krb5_init_creds_context *iccs;
+    krb5_data req, *reps, realm;
+    krb5_boolean any_left;
+    int i, nclients, master;
+    unsigned int flags;
+
+    if (argc < 3) {
+        fprintf(stderr, "Usage: icinterleave password princ1 princ2 ...\n");
+        exit(1);
+    }
+    password = argv[1];
+    princstrs = argv + 2;
+    nclients = argc - 2;
+
+    check(krb5_init_context(&ctx));
+
+    /* Create an initial creds context for each client principal. */
+    iccs = calloc(nclients, sizeof(*iccs));
+    assert(iccs != NULL);
+    for (i = 0; i < nclients; i++) {
+        check(krb5_parse_name(ctx, princstrs[i], &client));
+        check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL,
+                                   &iccs[i]));
+        check(krb5_init_creds_set_password(ctx, iccs[i], password));
+        krb5_free_principal(ctx, client);
+    }
+
+    reps = calloc(nclients, sizeof(*reps));
+    assert(reps != NULL);
+
+    any_left = TRUE;
+    while (any_left) {
+        any_left = FALSE;
+        for (i = 0; i < nclients; i++)  {
+            if (iccs[i] == NULL)
+                continue;
+            any_left = TRUE;
+
+            printf("step %d\n", i + 1);
+
+            req = empty_data();
+            realm = empty_data();
+            check(krb5_init_creds_step(ctx, iccs[i], &reps[i], &req, &realm,
+                                       &flags));
+            if (!(flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) {
+                printf("finish %d\n", i + 1);
+                krb5_init_creds_free(ctx, iccs[i]);
+                iccs[i] = NULL;
+                continue;
+            }
+
+            master = 0;
+            krb5_free_data_contents(ctx, &reps[i]);
+            check(krb5_sendto_kdc(ctx, &req, &realm, &reps[i], &master, 0));
+            krb5_free_data_contents(ctx, &req);
+            krb5_free_data_contents(ctx, &realm);
+        }
+    }
+
+    for (i = 0; i < nclients; i++)
+        krb5_free_data_contents(ctx, &reps[i]);
+    free(reps);
+    free(iccs);
+    krb5_free_context(ctx);
+    return 0;
+}
diff --git a/src/tests/icred.c b/src/tests/icred.c
index 071f91c80219..55f929cd7e77 100644
--- a/src/tests/icred.c
+++ b/src/tests/icred.c
@@ -35,8 +35,8 @@
  * it is very simplistic, but it can be extended as needed.
  */
 
+#include "k5-platform.h"
 #include <krb5.h>
-#include <stdio.h>
 
 static krb5_context ctx;
 
@@ -59,29 +59,64 @@ main(int argc, char **argv)
     const char *princstr, *password;
     krb5_principal client;
     krb5_init_creds_context icc;
+    krb5_get_init_creds_opt *opt;
     krb5_creds creds;
+    krb5_boolean stepwise = FALSE;
+    krb5_preauthtype ptypes[64];
+    int c, nptypes = 0;
+    char *val;
 
-    if (argc != 3) {
-        fprintf(stderr, "Usage: icred princname password\n");
-        exit(1);
+    check(krb5_init_context(&ctx));
+    check(krb5_get_init_creds_opt_alloc(ctx, &opt));
+
+    while ((c = getopt(argc, argv, "so:X:")) != -1) {
+        switch (c) {
+        case 's':
+            stepwise = TRUE;
+            break;
+        case 'o':
+            assert(nptypes < 64);
+            ptypes[nptypes++] = atoi(optarg);
+            break;
+        case 'X':
+            val = strchr(optarg, '=');
+            if (val != NULL)
+                *val++ = '\0';
+            else
+                val = "yes";
+            check(krb5_get_init_creds_opt_set_pa(ctx, opt, optarg, val));
+            break;
+        default:
+            abort();
+        }
     }
-    princstr = argv[1];
-    password = argv[2];
 
-    check(krb5_init_context(&ctx));
+    argc -= optind;
+    argv += optind;
+    if (argc != 2)
+        abort();
+    princstr = argv[0];
+    password = argv[1];
+
     check(krb5_parse_name(ctx, princstr, &client));
 
-    /* Try once with the traditional interface. */
-    check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
-                                       NULL, 0, NULL, NULL));
-    krb5_free_cred_contents(ctx, &creds);
+    if (nptypes > 0)
+        krb5_get_init_creds_opt_set_preauth_list(opt, ptypes, nptypes);
 
-    /* Try again with the step interface. */
-    check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc));
-    check(krb5_init_creds_set_password(ctx, icc, password));
-    check(krb5_init_creds_get(ctx, icc));
-    krb5_init_creds_free(ctx, icc);
+    if (stepwise) {
+        /* Use the stepwise interface. */
+        check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc));
+        check(krb5_init_creds_set_password(ctx, icc, password));
+        check(krb5_init_creds_get(ctx, icc));
+        krb5_init_creds_free(ctx, icc);
+    } else {
+        /* Use the traditional one-shot interface. */
+        check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+                                           NULL, 0, NULL, opt));
+        krb5_free_cred_contents(ctx, &creds);
+    }
 
+    krb5_get_init_creds_opt_free(ctx, opt);
     krb5_free_principal(ctx, client);
     krb5_free_context(ctx);
     return 0;
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c
index 3f63cfb5d102..3f61f3e83bbd 100644
--- a/src/tests/kdbtest.c
+++ b/src/tests/kdbtest.c
@@ -243,8 +243,9 @@ check_entry(krb5_db_entry *ent)
 static void
 sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)
 {
-    /* Both back ends ignore the request parameter for now. */
-    krb5_db_audit_as_req(ctx, NULL, *entp, *entp, authtime,
+    /* Both back ends ignore the request, local_addr, and remote_addr
+     * parameters for now. */
+    krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime,
                          ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED);
     krb5_db_free_principal(ctx, *entp);
     CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));
diff --git a/src/tests/responder.c b/src/tests/responder.c
index 21aae65c65af..82f870ea5d4b 100644
--- a/src/tests/responder.c
+++ b/src/tests/responder.c
@@ -226,7 +226,7 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
         if (chl != NULL &&
             chl->identities != NULL &&
             chl->identities[0] != NULL) {
-            if (strncmp(chl->identities[0]->identity, "PKCS12:", 5) == 0)
+            if (strncmp(chl->identities[0]->identity, "PKCS12:", 7) == 0)
                 krb5_responder_pkinit_set_answer(ctx, rctx, "foo", "bar");
         }
         krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py
index 69c9251e0428..00e96bfea69d 100755
--- a/src/tests/t_audit.py
+++ b/src/tests/t_audit.py
@@ -14,18 +14,15 @@ realm.run([kvno, 'target'])
 
 # Make S4U2Self and S4U2Proxy requests so they will be audited.  The
 # S4U2Proxy request is expected to fail.
-out = realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
-                expected_code=1)
-if 'NOT_ALLOWED_TO_DELEGATE' not in out:
-    fail('Unexpected error for S4U2Proxy')
+realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
+          expected_code=1, expected_msg='NOT_ALLOWED_TO_DELEGATE')
 
 # Make a U2U request so it will be audited.
 uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver')
 uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient')
 port_arg = str(realm.server_port())
 realm.start_server([uuserver, port_arg], 'Server started')
-output = realm.run([uuclient, hostname, 'testing message', port_arg])
-if 'Hello' not in output:
-    fail('U2U request failed unexpectedly')
+realm.run([uuclient, hostname, 'testing message', port_arg],
+          expected_msg='Hello')
 
 success('Audit tests')
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 33525022ba84..8a577b4b18ee 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -24,10 +24,8 @@ if ' -5: test1' not in out or '?-6: test2' not in out:
 if 'fake' in out:
     fail('KDC-only authdata not filtered for request with authdata')
 
-out = realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
-                expected_code=1)
-if 'KDC policy rejects request' not in out:
-    fail('Wrong error seen for mandatory-for-kdc failure')
+realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
+          expected_code=1, expected_msg='KDC policy rejects request')
 
 # The no_auth_data_required server flag should suppress SIGNTICKET,
 # but not module or request authdata.
@@ -88,6 +86,7 @@ realm, realm2 = cross_realms(2, args=({'realm': 'LOCAL'},
 realm.run([kadminl, 'modprinc', '+requires_preauth', '-maxrenewlife', '2 days',
            realm.user_princ])
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.host_princ])
+realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.krbtgt_princ])
 realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
 realm.extract_keytab(realm.host_princ, realm.keytab)
 realm.extract_keytab('krbtgt/FOREIGN', realm.keytab)
@@ -98,45 +97,32 @@ realm2.extract_keytab('krbtgt/LOCAL', realm.keytab)
 # AS request to local-realm service
 realm.kinit(realm.user_princ, password('user'),
             ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ])
-out = realm.run(['./adata', realm.host_princ])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for AS req to service')
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
 
 # Ticket modification request
 realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ])
-out = realm.run(['./adata', realm.host_princ])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for ticket modification request')
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
 
 # AS request to cross TGT
 realm.kinit(realm.user_princ, password('user'),
             ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN'])
-out = realm.run(['./adata', 'krbtgt/FOREIGN'])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for AS req to cross-realm TGT')
+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
 
 # Multiple indicators
 realm.kinit(realm.user_princ, password('user'),
             ['-X', 'indicators=indcl indcl2 indcl3'])
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '+97: [indcl, indcl2, indcl3]' not in out:
-    fail('multiple auth-indicators not seen for normal AS req')
+realm.run(['./adata', realm.krbtgt_princ],
+          expected_msg='+97: [indcl, indcl2, indcl3]')
 
 # AS request to local TGT (resulting creds are used for TGS tests)
 realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl'])
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for normal AS req')
+realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]')
 
 # Local TGS request for local realm service
-out = realm.run(['./adata', realm.host_princ])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for local TGS req')
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
 
 # Local TGS request for cross TGT service
-out = realm.run(['./adata', 'krbtgt/FOREIGN'])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for TGS req to cross-realm TGT')
+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
 
 # We don't yet have support for passing auth indicators across realms,
 # so just verify that indicators don't survive cross-realm requests.
@@ -152,16 +138,13 @@ if '97:' in out:
 
 # Test that the CAMMAC signature still works during a krbtgt rollover.
 realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ])
-out = realm.run(['./adata', realm.host_princ])
-if '+97: [indcl]' not in out:
-    fail('auth-indicator not seen for local TGS req after krbtgt rotation')
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
 
 # Test indicator enforcement.
 realm.addprinc('restricted')
 realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
-out = realm.run([kvno, 'restricted'], expected_code=1)
-if 'KDC policy rejects request' not in out:
-    fail('expected error not seen for auth indicator enforcement')
+realm.run([kvno, 'restricted'], expected_code=1,
+          expected_msg='KDC policy rejects request')
 realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl'])
 realm.run([kvno, 'restricted'])
 realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2'])
@@ -178,6 +161,13 @@ realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'des3-cbc-sha1',
 realm.run(['./forward'])
 realm.run([kvno, realm.host_princ])
 
+# Repeat the above test using a renewed TGT.
+realm.kinit(realm.user_princ, password('user'), ['-r', '2d'])
+realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes128-cts',
+           realm.krbtgt_princ])
+realm.kinit(realm.user_princ, None, ['-R'])
+realm.run([kvno, realm.host_princ])
+
 realm.stop()
 realm2.stop()
 
@@ -222,13 +212,11 @@ if '+97: [indcl]' not in out or '[inds1]' in out:
 # Test that KDB module authdata is included in an AS request, by
 # default or with an explicit PAC request.
 realm.kinit(realm.user_princ, None, ['-k'])
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '-456: db-authdata-test' not in out:
-    fail('DB authdata not seen in default AS request')
+realm.run(['./adata', realm.krbtgt_princ],
+          expected_msg='-456: db-authdata-test')
 realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '-456: db-authdata-test' not in out:
-    fail('DB authdata not seen with --request-pac')
+realm.run(['./adata', realm.krbtgt_princ],
+          expected_msg='-456: db-authdata-test')
 
 # Test that KDB module authdata is suppressed in an AS request by a
 # negative PAC request.
@@ -238,9 +226,7 @@ if '-456: db-authdata-test' in out:
     fail('DB authdata not suppressed by --no-request-pac')
 
 # Test that KDB authdata is included in a TGS request by default.
-out = realm.run(['./adata', 'service/1'])
-if '-456: db-authdata-test' not in out:
-    fail('DB authdata not seen in TGS request')
+realm.run(['./adata', 'service/1'], expected_msg='-456: db-authdata-test')
 
 # Test that KDB authdata is suppressed in a TGS request by the
 # +no_auth_data_required flag.
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index 47d96313085e..61d549b7b6a8 100755
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -35,15 +35,11 @@ if not test_keyring:
 
 # Test kdestroy and klist of a non-existent ccache.
 realm.run([kdestroy])
-output = realm.run([klist], expected_code=1)
-if 'No credentials cache found' not in output:
-    fail('Expected error message not seen in klist output')
+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
 
 # Test kinit with an inaccessible ccache.
-out = realm.run([kinit, '-c', 'testdir/xx/yy', realm.user_princ],
-                input=(password('user') + '\n'), expected_code=1)
-if 'Failed to store credentials' not in out:
-    fail('Expected error message not seen in kinit output')
+realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
+            expected_code=1, expected_msg='Failed to store credentials')
 
 # Test klist -s with a single ccache.
 realm.run([klist, '-s'], expected_code=1)
@@ -61,13 +57,12 @@ realm.addprinc('bob', password('bob'))
 realm.addprinc('carol', password('carol'))
 
 def collection_test(realm, ccname):
+    oldccname = realm.env['KRB5CCNAME']
     realm.env['KRB5CCNAME'] = ccname
 
     realm.run([klist, '-A', '-s'], expected_code=1)
     realm.kinit('alice', password('alice'))
-    output = realm.run([klist])
-    if 'Default principal: alice@' not in output:
-        fail('Initial kinit failed to get credentials for alice.')
+    realm.run([klist], expected_msg='Default principal: alice@')
     realm.run([klist, '-A', '-s'])
     realm.run([kdestroy])
     output = realm.run([klist], expected_code=1)
@@ -88,7 +83,7 @@ def collection_test(realm, ccname):
     if '---\nalice@' not in output or output.count('\n') != 4:
         fail('klist -l did not show expected output after re-kinit for alice.')
     realm.kinit('bob', password('bob'))
-    output = realm.run([klist, '-A'])
+    output = realm.run([klist, '-A', ccname])
     if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \
             'carol' not in output or output.count('Default principal:') != 3:
         fail('klist -A did not show expected output after kinit for bob.')
@@ -96,17 +91,22 @@ def collection_test(realm, ccname):
     output = realm.run([klist, '-l'])
     if '---\ncarol@' not in output or output.count('\n') != 5:
         fail('klist -l did not show expected output after kswitch to carol.')
-    realm.run([kdestroy])
-    output = realm.run([klist, '-l'])
+
+    # Switch to specifying the collection name on the command line
+    # (only works with klist/kdestroy for now, not kinit/kswitch).
+    realm.env['KRB5CCNAME'] = oldccname
+
+    realm.run([kdestroy, '-c', ccname])
+    output = realm.run([klist, '-l', ccname])
     if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4:
         fail('kdestroy failed to remove only primary ccache.')
-    realm.run([klist, '-s'], expected_code=1)
-    realm.run([klist, '-A', '-s'])
-    realm.run([kdestroy, '-A'])
-    output = realm.run([klist, '-l'], expected_code=1)
+    realm.run([klist, '-s', ccname], expected_code=1)
+    realm.run([klist, '-A', '-s', ccname])
+    realm.run([kdestroy, '-A', '-c', ccname])
+    output = realm.run([klist, '-l', ccname], expected_code=1)
     if not output.endswith('---\n') or output.count('\n') != 2:
         fail('kdestroy -a failed to empty cache collection.')
-    realm.run([klist, '-A', '-s'], expected_code=1)
+    realm.run([klist, '-A', '-s', ccname], expected_code=1)
 
 
 collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))
@@ -130,25 +130,20 @@ if test_keyring:
     realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
     realm.run([kdestroy, '-A'])
     realm.kinit(realm.user_princ, password('user'))
-    out = realm.run([klist, '-l'])
-    if 'KEYRING:legacy:' + cname + ':' + cname not in out:
-        fail('Wrong initial primary name in keyring legacy collection')
+    msg = 'KEYRING:legacy:' + cname + ':' + cname
+    realm.run([klist, '-l'], expected_msg=msg)
     # Make sure this cache is linked to the session keyring.
     id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
-    out = realm.run([keyctl, 'list', id.strip()])
-    if 'user: __krb5_princ__' not in out:
-        fail('Legacy cache not linked into session keyring')
+    realm.run([keyctl, 'list', id.strip()],
+              expected_msg='user: __krb5_princ__')
     # Remove the collection keyring.  When the collection is
     # reinitialized, the legacy cache should reappear inside it
     # automatically as the primary cache.
     cleanup_keyring('@s', col_ringname)
-    out = realm.run([klist])
-    if realm.user_princ not in out:
-        fail('Cannot see legacy cache after removing collection')
+    realm.run([klist], expected_msg=realm.user_princ)
     coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
-    out = realm.run([keyctl, 'list', coll_id.strip()])
-    if (id.strip() + ':') not in out:
-        fail('Legacy cache did not reappear in collection after klist')
+    msg = id.strip() + ':'
+    realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
     # Destroy the cache and check that it is unlinked from the session keyring.
     realm.run([kdestroy])
     realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
@@ -160,8 +155,7 @@ conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
 realm = K5Realm(krb5_conf=conf, create_kdb=False)
 del realm.env['KRB5CCNAME']
 uidstr = str(os.getuid())
-out = realm.run([klist], expected_code=1)
-if 'testdir/abc%s' % uidstr not in out:
-    fail('Wrong ccache in klist')
+msg = 'testdir/abc%s' % uidstr
+realm.run([klist], expected_code=1, expected_msg=msg)
 
 success('Credential cache tests')
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
new file mode 100644
index 000000000000..e64a57b0d5eb
--- /dev/null
+++ b/src/tests/t_certauth.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+from k5test import *
+
+# Skip this test if pkinit wasn't built.
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+    skip_rest('certauth tests', 'PKINIT module not built')
+
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ca_pem = os.path.join(certs, 'ca.pem')
+kdc_pem = os.path.join(certs, 'kdc.pem')
+privkey_pem = os.path.join(certs, 'privkey.pem')
+user_pem = os.path.join(certs, 'user.pem')
+
+modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
+                       'certauth_test.so')
+pkinit_krb5_conf = {'realms': {'$realm': {
+            'pkinit_anchors': 'FILE:%s' % ca_pem}},
+            'plugins': {'certauth': {'module': ['test1:' + modpath,
+                                                'test2:' + modpath],
+                                     'enable_only': ['test1', 'test2']}}}
+pkinit_kdc_conf = {'realms': {'$realm': {
+            'default_principal_flags': '+preauth',
+            'pkinit_eku_checking': 'none',
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
+            'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
+
+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
+
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+
+# Let the test module match user to CN=user, with indicators.
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % file_identity])
+realm.klist(realm.user_princ)
+realm.run([kvno, realm.host_princ])
+realm.run(['./adata', realm.host_princ],
+          expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
+
+# Let the test module mismatch with user2 to CN=user.
+realm.addprinc("user2@KRBTEST.COM")
+out = realm.kinit("user2@KRBTEST.COM",
+                  flags=['-X', 'X509_user_identity=%s' % file_identity],
+                  expected_code=1,
+                  expected_msg='kinit: Certificate mismatch')
+
+success("certauth tests")
diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
index 0d967b8a50f2..e7ddb05254d8 100755
--- a/src/tests/t_crossrealm.py
+++ b/src/tests/t_crossrealm.py
@@ -25,9 +25,7 @@
 from k5test import *
 
 def test_kvno(r, princ, test, env=None):
-    output = r.run([kvno, princ], env=env)
-    if princ not in output:
-        fail('%s: principal %s not in kvno output' % (test, princ))
+    r.run([kvno, princ], env=env, expected_msg=princ)
 
 
 def stop(*realms):
@@ -35,10 +33,39 @@ def stop(*realms):
         r.stop()
 
 
+# Verify that the princs appear as the service principals in the klist
+# output for the realm r, in order.
+def check_klist(r, princs):
+    out = r.run([klist])
+    count = 0
+    seen_header = False
+    for l in out.split('\n'):
+        if l.startswith('Valid starting'):
+            seen_header = True
+            continue
+        if not seen_header or l == '':
+            continue
+        if count >= len(princs):
+            fail('too many entries in klist output')
+        svcprinc = l.split()[4]
+        if svcprinc != princs[count]:
+            fail('saw service princ %s in klist output, expected %s' %
+                 (svcprinc, princs[count]))
+        count += 1
+    if count != len(princs):
+        fail('not enough entries in klist output')
+
+
+def tgt(r1, r2):
+    return 'krbtgt/%s@%s' % (r1.realm, r2.realm)
+
+
 # Basic two-realm test with cross TGTs in both directions.
 r1, r2 = cross_realms(2)
 test_kvno(r1, r2.host_princ, 'basic r1->r2')
+check_klist(r1, (tgt(r1, r1), tgt(r2, r1), r2.host_princ))
 test_kvno(r2, r1.host_princ, 'basic r2->r1')
+check_klist(r2, (tgt(r2, r2), tgt(r1, r2), r1.host_princ))
 stop(r1, r2)
 
 # Test the KDC domain walk for hierarchically arranged realms.  The
@@ -49,6 +76,7 @@ r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
                           args=({'realm': 'A.X'}, {'realm': 'X'},
                                 {'realm': 'B.X'}))
 test_kvno(r1, r3.host_princ, 'KDC domain walk')
+check_klist(r1, (tgt(r1, r1), r3.host_princ))
 stop(r1, r2, r3)
 
 # Test client capaths.  The client in A will ask for a cross TGT to D,
@@ -64,6 +92,8 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
                                     {'realm': 'D', 'krb5_conf': capaths}))
 r1client = r1.special_env('client', False, krb5_conf=capaths)
 test_kvno(r1, r4.host_princ, 'client capaths', r1client)
+check_klist(r1, (tgt(r1, r1), tgt(r2, r1), tgt(r3, r2), tgt(r4, r3),
+                 r4.host_princ))
 stop(r1, r2, r3, r4)
 
 # Test KDC capaths.  The KDCs for A and B have appropriate capaths
@@ -76,6 +106,7 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
                                     {'realm': 'C', 'krb5_conf': capaths},
                                     {'realm': 'D', 'krb5_conf': capaths}))
 test_kvno(r1, r4.host_princ, 'KDC capaths')
+check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ))
 stop(r1, r2, r3, r4)
 
 # Test transited error.  The KDC for C does not recognize B as an
@@ -85,9 +116,9 @@ capaths = {'capaths': {'A': {'C': 'B'}}}
 r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
                           args=({'realm': 'A', 'krb5_conf': capaths},
                                 {'realm': 'B'}, {'realm': 'C'}))
-output = r1.run([kvno, r3.host_princ], expected_code=1)
-if 'KDC policy rejects request' not in output:
-    fail('transited 1: Expected error message not in output')
+r1.run([kvno, r3.host_princ], expected_code=1,
+       expected_msg='KDC policy rejects request')
+check_klist(r1, (tgt(r1, r1), tgt(r3, r2)))
 stop(r1, r2, r3)
 
 # Test a different kind of transited error.  The KDC for D does not
@@ -99,9 +130,9 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
                                     {'realm': 'B', 'krb5_conf': capaths},
                                     {'realm': 'C', 'krb5_conf': capaths},
                                     {'realm': 'D'}))
-output = r1.run([kvno, r4.host_princ], expected_code=1)
-if 'Illegal cross-realm ticket' not in output:
-    fail('transited 2: Expected error message not in output')
+r1.run([kvno, r4.host_princ], expected_code=1,
+       expected_msg='Illegal cross-realm ticket')
+check_klist(r1, (tgt(r1, r1), tgt(r4, r3)))
 stop(r1, r2, r3, r4)
 
 success('Cross-realm tests')
diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
index 5d3a437625e2..8a9462bd8eaf 100755
--- a/src/tests/t_dump.py
+++ b/src/tests/t_dump.py
@@ -36,12 +36,10 @@ if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out:
 out = realm.run([kadminl, 'getpols'])
 if 'fred\n' not in out or 'barney\n' not in out:
     fail('Missing policy after load')
-out = realm.run([kadminl, 'getpol', 'compat'])
-if 'Number of old keys kept: 5' not in out:
-    fail('Policy (1.8 format) has wrong value after load')
-out = realm.run([kadminl, 'getpol', 'barney'])
-if 'Number of old keys kept: 1' not in out:
-    fail('Policy has wrong value after load')
+realm.run([kadminl, 'getpol', 'compat'],
+          expected_msg='Number of old keys kept: 5')
+realm.run([kadminl, 'getpol', 'barney'],
+          expected_msg='Number of old keys kept: 1')
 
 # Dump/load again, and make sure everything is still there.
 realm.run([kdb5_util, 'dump', dumpfile])
@@ -81,15 +79,10 @@ dump_compare(realm, ['-ov'], srcdump_ov)
 def load_dump_check_compare(realm, opt, srcfile):
     realm.run([kdb5_util, 'destroy', '-f'])
     realm.run([kdb5_util, 'load'] + opt + [srcfile])
-    out = realm.run([kadminl, 'getprincs'])
-    if 'user@' not in out:
-        fail('Loaded dumpfile missing user principal')
-    out = realm.run([kadminl, 'getprinc', 'nokeys'])
-    if 'Number of keys: 0' not in out:
-        fail('Loading dumpfile did not process zero-key principal')
-    out = realm.run([kadminl, 'getpols'])
-    if 'testpol' not in out:
-        fail('Loaded dumpfile missing test policy')
+    realm.run([kadminl, 'getprincs'], expected_msg='user@')
+    realm.run([kadminl, 'getprinc', 'nokeys'],
+              expected_msg='Number of keys: 0')
+    realm.run([kadminl, 'getpols'], expected_msg='testpol')
     dump_compare(realm, opt, srcfile)
 
 # Load each format of dump, check it, re-dump it, and compare.
@@ -99,12 +92,8 @@ load_dump_check_compare(realm, ['-b7'], srcdump_b7)
 
 # Loading the last (-b7 format) dump won't have loaded the
 # per-principal kadm data.  Load that incrementally with -ov.
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'Policy: [none]' not in out:
-    fail('Loaded b7 dump unexpectedly contains user policy reference')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
 realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'Policy: testpol' not in out:
-    fail('Loading ov dump did not add user policy reference')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
 
 success('Dump/load tests')
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 6d523fe4513d..91ad0cb8a060 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -3,10 +3,9 @@ from k5test import *
 
 for realm in multipass_realms(create_host=False):
     # Check that kinit fails appropriately with the wrong password.
-    output = realm.run([kinit, realm.user_princ], input='wrong\n',
-                       expected_code=1)
-    if 'Password incorrect while getting initial credentials' not in output:
-        fail('Expected error message not seen in kinit output')
+    msg = 'Password incorrect while getting initial credentials'
+    realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
+              expected_msg=msg)
 
     # Check that we can kinit as a different principal.
     realm.kinit(realm.admin_princ, password('admin'))
@@ -30,6 +29,7 @@ conf={'plugins': {'pwqual': {'disable': 'empty'}}}
 realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
 realm.run([kadminl, 'addprinc', '-pw', '', 'user'])
 realm.run(['./icred', 'user', ''])
+realm.run(['./icred', '-s', 'user', ''])
 realm.stop()
 
 realm = K5Realm(create_host=False)
@@ -42,26 +42,17 @@ realm.run(['./responder', '-r', 'password=%s' % password('user'),
 # Test that WRONG_REALM responses aren't treated as referrals unless
 # they contain a crealm field pointing to a different realm.
 # (Regression test for #8060.)
-out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
-if 'not found in Kerberos database' not in out:
-    fail('Expected error message not seen in kinit -C output')
+realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1,
+          expected_msg='not found in Kerberos database')
 
 # Spot-check KRB5_TRACE output
-tracefile = os.path.join(realm.testdir, 'trace')
-realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
-          input=(password('user') + "\n"))
-f = open(tracefile, 'r')
-trace = f.read()
-f.close()
-expected = ('Sending initial UDP request',
-            'Received answer',
-            'Selected etype info',
-            'AS key obtained',
-            'Decrypted AS reply',
-            'FAST negotiation: available',
-            'Storing user@KRBTEST.COM')
-for e in expected:
-    if e not in trace:
-        fail('Expected output not in kinit trace log')
+expected_trace = ('Sending initial UDP request',
+                  'Received answer',
+                  'Selected etype info',
+                  'AS key obtained',
+                  'Decrypted AS reply',
+                  'FAST negotiation: available',
+                  'Storing user@KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
 
 success('FAST kinit, trace logging')
diff --git a/src/tests/t_hostrealm.py b/src/tests/t_hostrealm.py
index 76b282d2ac6e..224c067ef424 100755
--- a/src/tests/t_hostrealm.py
+++ b/src/tests/t_hostrealm.py
@@ -20,9 +20,8 @@ def test(realm, args, expected_realms, msg, env=None):
         fail(msg)
 
 def test_error(realm, args, expected_error, msg, env=None):
-    out = realm.run(['./hrealm'] + args, env=env, expected_code=1)
-    if expected_error not in out:
-        fail(msg)
+    realm.run(['./hrealm'] + args, env=env, expected_code=1,
+              expected_msg=expected_error)
 
 def testh(realm, host, expected_realms, msg, env=None):
     test(realm, ['-h', host], expected_realms, msg, env=env)
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index e64fdd27993c..8e23cd5de9db 100755
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -214,9 +214,8 @@ check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 6, 7)
 check_ulog(2, 6, 7, [None, pr2], slave1)
-out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
-if 'Attributes: DISALLOW_ALL_TIX' not in out:
-    fail('slave1 does not have modification from master')
+realm.run([kadminl, 'getprinc', pr2], env=slave1,
+          expected_msg='Attributes: DISALLOW_ALL_TIX')
 
 # Start kadmind -proponly for slave1.  (Use the slave1m environment
 # which defines iprop_port to $port8.)
@@ -245,15 +244,13 @@ check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 7, 8)
 check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
-if 'Maximum ticket life: 0 days 00:20:00' not in out:
-    fail('slave1 does not have modification from master')
+realm.run([kadminl, 'getprinc', pr1], env=slave1,
+          expected_msg='Maximum ticket life: 0 days 00:20:00')
 kpropd3.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd3, False, 7, 8)
 check_ulog(2, 7, 8, [None, pr1], slave3)
-out = realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3)
-if 'Maximum ticket life: 0 days 00:20:00' not in out:
-    fail('slave3 does not have modification from slave1')
+realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3,
+          expected_msg='Maximum ticket life: 0 days 00:20:00')
 stop_daemon(kpropd3)
 
 # Test dissimilar default_realm and domain_realm map settings (no -r realm).
@@ -287,15 +284,13 @@ check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 8, 9)
 check_ulog(4, 6, 9, [None, pr2, pr1, pr1], slave1)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
-if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-    fail('slave1 does not have modification from master')
+realm.run([kadminl, 'getprinc', pr1], env=slave1,
+          expected_msg='Maximum renewable life: 0 days 22:00:00\n')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, False, 8, 9)
 check_ulog(3, 7, 9, [None, pr1, pr1], slave2)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
-if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-    fail('slave2 does not have modification from slave1')
+realm.run([kadminl, 'getprinc', pr1], env=slave2,
+          expected_msg='Maximum renewable life: 0 days 22:00:00\n')
 
 # Reset the ulog on slave1 to force a full resync from master.  The
 # resync will use the old dump file and then propagate changes.
@@ -317,15 +312,11 @@ check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 9, 10)
 check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], slave1)
-out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
-if 'Attributes:\n' not in out:
-    fail('slave1 does not have modification from master')
+realm.run([kadminl, 'getprinc', pr2], env=slave1, expected_msg='Attributes:\n')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, False, 9, 10)
 check_ulog(4, 7, 10, [None, pr1, pr1, pr2], slave2)
-out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
-if 'Attributes:\n' not in out:
-    fail('slave2 does not have modification from slave1')
+realm.run([kadminl, 'getprinc', pr2], env=slave2, expected_msg='Attributes:\n')
 
 # Create a policy and check that it propagates via full resync.
 realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol'])
@@ -333,15 +324,13 @@ check_ulog(1, 1, 1, [None])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, True, 10, 1)
 check_ulog(1, 1, 1, [None], slave1)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
-if 'Minimum number of password character classes: 2' not in out:
-    fail('slave1 does not have policy from master')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
+          expected_msg='Minimum number of password character classes: 2')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, True, 10, 1)
 check_ulog(1, 1, 1, [None], slave2)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
-if 'Minimum number of password character classes: 2' not in out:
-    fail('slave2 does not have policy from slave1')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
+          expected_msg='Minimum number of password character classes: 2')
 
 # Modify the policy and test that it also propagates via full resync.
 realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol'])
@@ -349,15 +338,13 @@ check_ulog(1, 1, 1, [None])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, True, 1, 1)
 check_ulog(1, 1, 1, [None], slave1)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
-if 'Minimum password length: 17' not in out:
-    fail('slave1 does not have policy change from master')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
+          expected_msg='Minimum password length: 17')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, True, 1, 1)
 check_ulog(1, 1, 1, [None], slave2)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
-if 'Minimum password length: 17' not in out:
-    fail('slave2 does not have policy change from slave1')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
+          expected_msg='Minimum password length: 17')
 
 # Delete the policy and test that it propagates via full resync.
 realm.run([kadminl, 'delpol', 'testpol'])
@@ -365,15 +352,13 @@ check_ulog(1, 1, 1, [None])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, True, 1, 1)
 check_ulog(1, 1, 1, [None], slave1)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
-if 'Policy does not exist' not in out:
-    fail('slave1 did not get policy deletion from master')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1,
+          expected_msg='Policy does not exist')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, True, 1, 1)
 check_ulog(1, 1, 1, [None], slave2)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
-if 'Policy does not exist' not in out:
-    fail('slave2 did not get policy deletion from slave1')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1,
+          expected_msg='Policy does not exist')
 
 # Modify a principal on the master and test that it propagates incrementally.
 realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
@@ -381,15 +366,13 @@ check_ulog(2, 1, 2, [None, pr1])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 1, 2)
 check_ulog(2, 1, 2, [None, pr1], slave1)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
-if 'Maximum ticket life: 0 days 00:10:00' not in out:
-    fail('slave1 does not have modification from master')
+realm.run([kadminl, 'getprinc', pr1], env=slave1,
+          expected_msg='Maximum ticket life: 0 days 00:10:00')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, False, 1, 2)
 check_ulog(2, 1, 2, [None, pr1], slave2)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
-if 'Maximum ticket life: 0 days 00:10:00' not in out:
-    fail('slave2 does not have modification from slave1')
+realm.run([kadminl, 'getprinc', pr1], env=slave2,
+          expected_msg='Maximum ticket life: 0 days 00:10:00')
 
 # Delete a principal and test that it propagates incrementally.
 realm.run([kadminl, 'delprinc', pr3])
@@ -397,15 +380,13 @@ check_ulog(3, 1, 3, [None, pr1, pr3])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 2, 3)
 check_ulog(3, 1, 3, [None, pr1, pr3], slave1)
-out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1)
-if 'Principal does not exist' not in out:
-    fail('slave1 does not have principal deletion from master')
+realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1,
+          expected_msg='Principal does not exist')
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, False, 2, 3)
 check_ulog(3, 1, 3, [None, pr1, pr3], slave2)
-out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
-if 'Principal does not exist' not in out:
-    fail('slave2 does not have principal deletion from slave1')
+realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1,
+          expected_msg='Principal does not exist')
 
 # Rename a principal and test that it propagates incrementally.
 renpr = "quacked@" + realm.realm
@@ -414,16 +395,14 @@ check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr])
 kpropd1.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd1, False, 3, 6)
 check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave1)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1)
-if 'Principal does not exist' not in out:
-    fail('slave1 does not have principal deletion from master')
+realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1,
+          expected_msg='Principal does not exist')
 realm.run([kadminl, 'getprinc', renpr], env=slave1)
 kpropd2.send_signal(signal.SIGUSR1)
 wait_for_prop(kpropd2, False, 3, 6)
 check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave2)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1)
-if 'Principal does not exist' not in out:
-    fail('slave2 does not have principal deletion from master')
+realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1,
+          expected_msg='Principal does not exist')
 realm.run([kadminl, 'getprinc', renpr], env=slave2)
 
 pr1 = renpr
@@ -455,9 +434,8 @@ out = realm.run_kpropd_once(slave1, ['-d'])
 if 'Got incremental updates (sno=2 ' not in out:
     fail('Expected full dump and synchronized from kpropd -t')
 check_ulog(2, 1, 2, [None, pr1], slave1)
-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
-if 'Maximum ticket life: 0 days 00:05:00' not in out:
-    fail('slave1 does not have modification from master after kpropd -t')
+realm.run([kadminl, 'getprinc', pr1], env=slave1,
+          expected_msg='Maximum ticket life: 0 days 00:05:00')
 
 # Propagate a policy change via full resync.
 realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
@@ -467,8 +445,7 @@ if ('Full propagation transfer finished' not in out or
     'KDC is synchronized' not in out):
     fail('Expected full dump and synchronized from kpropd -t')
 check_ulog(1, 1, 1, [None], slave1)
-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
-if 'Minimum number of password character classes: 3' not in out:
-    fail('slave1 does not have policy from master after kpropd -t')
+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
+          expected_msg='Minimum number of password character classes: 3')
 
 success('iprop tests')
diff --git a/src/tests/t_kadm5_auth.py b/src/tests/t_kadm5_auth.py
new file mode 100644
index 000000000000..ba4ab8ef10cf
--- /dev/null
+++ b/src/tests/t_kadm5_auth.py
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+from k5test import *
+
+# Create a realm with the welcomer and bouncer kadm5_auth test modules
+# in place of the builtin modules.
+modpath = os.path.join(buildtop, 'plugins', 'kadm5_auth', 'test',
+                       'kadm5_auth_test.so')
+conf = {'plugins': {'kadm5_auth': {'module': ['welcomer:' + modpath,
+                                              'bouncer:' + modpath],
+                                   'enable_only': ['welcomer', 'bouncer']}}}
+realm = K5Realm(krb5_conf=conf, create_host=False)
+realm.start_kadmind()
+realm.prep_kadmin()
+
+# addprinc: welcomer accepts with policy VIP, bouncer denies maxlife.
+realm.run_kadmin(['addprinc', '-randkey', 'princ'], expected_code=1)
+realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', 'princ'])
+realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', '-maxlife', '3',
+                  'princ'], expected_code=1)
+
+# modprinc: welcomer accepts with only maxrenewlife, bouncer denies
+# with even-component target principal.
+realm.run_kadmin(['modprinc', '-maxlife', '3', 'princ'], expected_code=1)
+realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'princ'])
+realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'user/admin'],
+                 expected_code=1)
+
+# setstr: welcomer accepts with key 'note', bouncer denies with value
+# length > 10.
+realm.run_kadmin(['setstr', 'princ', 'somekey', 'someval'], expected_code=1)
+realm.run_kadmin(['setstr', 'princ', 'note', 'abc'])
+realm.run_kadmin(['setstr', 'princ', 'note', 'abcdefghijkl'], expected_code=1)
+
+# delprinc: welcomer accepts with target principal beginning with 'd',
+# bouncer denies with "nodelete" string attribute.
+realm.run_kadmin(['delprinc', 'user'], expected_code=1)
+realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
+realm.run_kadmin(['delprinc', 'deltest'])
+realm.run([kadminl, 'addprinc', '-randkey', 'deltest'])
+realm.run([kadminl, 'setstr', 'deltest', 'nodelete', 'yes'])
+realm.run_kadmin(['delprinc', 'deltest'], expected_code=1)
+
+# renprinc: welcomer accepts with same-length first components, bouncer
+# refuses with source principal beginning with 'a'.
+realm.run_kadmin(['renprinc', 'princ', 'xyz'], expected_code=1)
+realm.run_kadmin(['renprinc', 'princ', 'abcde'])
+realm.run_kadmin(['renprinc', 'abcde', 'fghij'], expected_code=1)
+
+# addpol: welcomer accepts with minlength 3, bouncer denies with name
+# length <= 3.
+realm.run_kadmin(['addpol', 'testpol'], expected_code=1)
+realm.run_kadmin(['addpol', '-minlength', '3', 'testpol'])
+realm.run_kadmin(['addpol', '-minlength', '3', 'abc'], expected_code=1)
+
+# modpol: welcomer accepts changes to minlife, bouncer denies with
+# minlife > 10.
+realm.run_kadmin(['modpol', '-minlength', '4', 'testpol'], expected_code=1)
+realm.run_kadmin(['modpol', '-minlife', '8', 'testpol'])
+realm.run_kadmin(['modpol', '-minlife', '11', 'testpol'], expected_code=1)
+
+# getpol: welcomer accepts if policy and client policy have same length,
+# bouncer denies if policy name begins with 'x'.
+realm.run([kadminl, 'addpol', 'aaaa'])
+realm.run([kadminl, 'addpol', 'bbbb'])
+realm.run([kadminl, 'addpol', 'xxxx'])
+realm.run([kadminl, 'modprinc', '-policy', 'aaaa', 'user/admin'])
+realm.run_kadmin(['getpol', 'testpol'], expected_code=1)
+realm.run_kadmin(['getpol', 'bbbb'])
+realm.run_kadmin(['getpol', 'xxxx'], expected_code=1)
+
+# end: welcomer counts operations using "ends" string attribute on
+# "opcount" principal.  kadmind is dumb and invokes the end method for
+# every RPC operation including init, so we expect four calls to the
+# end operation.
+realm.run([kadminl, 'addprinc', '-nokey', 'opcount'])
+realm.run([kadminl, 'setstr', 'opcount', 'ends', '0'])
+realm.run_kadmin(['getprinc', 'user'])
+realm.run_kadmin(['getpol', 'bbbb'])
+realm.run([kadminl, 'getstrs', 'opcount'], expected_msg='ends: 4')
+
+success('kadm5_auth pluggable interface tests')
diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py
index 708e328b000b..c1c8c9419c09 100755
--- a/src/tests/t_kadm5_hook.py
+++ b/src/tests/t_kadm5_hook.py
@@ -7,12 +7,10 @@ plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test",
 hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}}
 
 realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False)
-output = realm.run([kadminl, 'addprinc', '-randkey', 'test'])
-if "create: stage precommit" not in output:
-    fail('kadm5_hook test output not found')
+realm.run([kadminl, 'addprinc', '-randkey', 'test'],
+          expected_msg='create: stage precommit')
 
-output = realm.run([kadminl, 'renprinc', 'test', 'test2'])
-if "rename: stage precommit" not in output:
-    fail('kadm5_hook test output not found')
+realm.run([kadminl, 'renprinc', 'test', 'test2'],
+          expected_msg='rename: stage precommit')
 
 success('kadm5_hook')
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 188929a76c91..42bdf423c393 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -87,27 +87,24 @@ for pw in (['-pw', 'newpw'], ['-randkey']):
         args = pw + ks
         kadmin_as(all_changepw, ['cpw'] + args + ['unselected'])
         kadmin_as(some_changepw, ['cpw'] + args + ['selected'])
-        out = kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1)
-        if 'Operation requires ``change-password\'\' privilege' not in out:
-            fail('cpw failure (no perms)')
-        out = kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
-                        expected_code=1)
-        if 'Operation requires ``change-password\'\' privilege' not in out:
-            fail('cpw failure (target)')
-        out = kadmin_as(none, ['cpw'] + args + ['none'])
+        msg = "Operation requires ``change-password'' privilege"
+        kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1,
+                  expected_msg=msg)
+        kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
+                  expected_code=1, expected_msg=msg)
+        kadmin_as(none, ['cpw'] + args + ['none'])
         realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
-        out = kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1)
-        if 'Current password\'s minimum life has not expired' not in out:
-            fail('cpw failure (minimum life)')
+        msg = "Current password's minimum life has not expired"
+        kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1,
+                  expected_msg=msg)
         realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
 
 kadmin_as(all_add, ['addpol', 'policy'])
 realm.run([kadminl, 'delpol', 'policy'])
-out = kadmin_as(none, ['addpol', 'policy'], expected_code=1)
-if 'Operation requires ``add\'\' privilege' not in out:
-    fail('addpol failure (no perms)')
+kadmin_as(none, ['addpol', 'policy'], expected_code=1,
+          expected_msg="Operation requires ``add'' privilege")
 
 # addprinc can generate two different RPC calls depending on options.
 for ks in ([], ['-e', 'aes256-cts']):
@@ -117,89 +114,62 @@ for ks in ([], ['-e', 'aes256-cts']):
     kadmin_as(some_add, ['addprinc'] + args + ['selected'])
     realm.run([kadminl, 'delprinc', 'selected'])
     kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
-    out = realm.run([kadminl, 'getprinc', 'unselected'])
-    if 'REQUIRES_PRE_AUTH' not in out:
-        fail('addprinc success (restrictions) -- restriction check')
+    realm.run([kadminl, 'getprinc', 'unselected'],
+              expected_msg='REQUIRES_PRE_AUTH')
     realm.run([kadminl, 'delprinc', 'unselected'])
-    out = kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1)
-    if 'Operation requires ``add\'\' privilege' not in out:
-        fail('addprinc failure (no perms)')
-    out = kadmin_as(some_add, ['addprinc'] + args + ['unselected'],
-                    expected_code=1)
-    if 'Operation requires ``add\'\' privilege' not in out:
-        fail('addprinc failure (target)')
+    kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1,
+              expected_msg="Operation requires ``add'' privilege")
+    kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1,
+              expected_msg="Operation requires ``add'' privilege")
 
 realm.addprinc('unselected', 'pw')
 kadmin_as(all_delete, ['delprinc', 'unselected'])
 realm.addprinc('selected', 'pw')
 kadmin_as(some_delete, ['delprinc', 'selected'])
 realm.addprinc('unselected', 'pw')
-out = kadmin_as(none, ['delprinc', 'unselected'], expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('delprinc failure (no perms)')
-out = kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('delprinc failure (no target)')
+kadmin_as(none, ['delprinc', 'unselected'], expected_code=1,
+          expected_msg="Operation requires ``delete'' privilege")
+kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1,
+          expected_msg="Operation requires ``delete'' privilege")
 realm.run([kadminl, 'delprinc', 'unselected'])
 
-out = kadmin_as(all_inquire, ['getpol', 'minlife'])
-if 'Policy: minlife' not in out:
-    fail('getpol success (acl)')
-out = kadmin_as(none, ['getpol', 'minlife'], expected_code=1)
-if 'Operation requires ``get\'\' privilege' not in out:
-    fail('getpol failure (no perms)')
+kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife')
+kadmin_as(none, ['getpol', 'minlife'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
 realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
-out = kadmin_as(none, ['getpol', 'minlife'])
-if 'Policy: minlife' not in out:
-    fail('getpol success (self policy exemption)')
+kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife')
 realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
 
 realm.addprinc('selected', 'pw')
 realm.addprinc('unselected', 'pw')
-out = kadmin_as(all_inquire, ['getprinc', 'unselected'])
-if 'Principal: unselected@KRBTEST.COM' not in out:
-    fail('getprinc success (acl)')
-out = kadmin_as(some_inquire, ['getprinc', 'selected'])
-if 'Principal: selected@KRBTEST.COM' not in out:
-    fail('getprinc success (target)')
-out = kadmin_as(none, ['getprinc', 'selected'], expected_code=1)
-if 'Operation requires ``get\'\' privilege' not in out:
-    fail('getprinc failure (no perms)')
-out = kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1)
-if 'Operation requires ``get\'\' privilege' not in out:
-    fail('getprinc failure (target)')
-out = kadmin_as(none, ['getprinc', 'none'])
-if 'Principal: none@KRBTEST.COM' not in out:
-    fail('getprinc success (self exemption)')
+kadmin_as(all_inquire, ['getprinc', 'unselected'],
+          expected_msg='Principal: unselected@KRBTEST.COM')
+kadmin_as(some_inquire, ['getprinc', 'selected'],
+          expected_msg='Principal: selected@KRBTEST.COM')
+kadmin_as(none, ['getprinc', 'selected'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
+kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
+kadmin_as(none, ['getprinc', 'none'],
+          expected_msg='Principal: none@KRBTEST.COM')
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
 
-out = kadmin_as(all_list, ['listprincs'])
-if 'K/M@KRBTEST.COM' not in out:
-    fail('listprincs success (acl)')
-out = kadmin_as(none, ['listprincs'], expected_code=1)
-if 'Operation requires ``list\'\' privilege' not in out:
-    fail('listprincs failure (no perms)')
+kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM')
+kadmin_as(none, ['listprincs'], expected_code=1,
+          expected_msg="Operation requires ``list'' privilege")
 
 realm.addprinc('selected', 'pw')
 realm.addprinc('unselected', 'pw')
 realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
 realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
-out = kadmin_as(all_inquire, ['getstrs', 'unselected'])
-if 'key: value' not in out:
-    fail('getstrs success (acl)')
-out = kadmin_as(some_inquire, ['getstrs', 'selected'])
-if 'key: value' not in out:
-    fail('getstrs success (target)')
-out = kadmin_as(none, ['getstrs', 'selected'], expected_code=1)
-if 'Operation requires ``get\'\' privilege' not in out:
-    fail('getstrs failure (no perms)')
-out = kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1)
-if 'Operation requires ``get\'\' privilege' not in out:
-    fail('getstrs failure (target)')
-out = kadmin_as(none, ['getstrs', 'none'])
-if '(No string attributes.)' not in out:
-    fail('getstrs success (self exemption)')
+kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value')
+kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value')
+kadmin_as(none, ['getstrs', 'selected'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
+kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
+kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)')
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
 
@@ -207,27 +177,21 @@ out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
                 expected_code=1)
 if 'Operation requires' in out:
     fail('modpol success (acl)')
-out = kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'],
-                expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('modpol failure (no perms)')
+kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
 
 realm.addprinc('selected', 'pw')
 realm.addprinc('unselected', 'pw')
 kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour',  'unselected'])
 kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
 kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
-out = realm.run([kadminl, 'getprinc', 'unselected'])
-if 'REQUIRES_PRE_AUTH' not in out:
-    fail('addprinc success (restrictions) -- restriction check')
-out = kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
-                expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('addprinc failure (no perms)')
-out = kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
-                expected_code=1)
-if 'Operation requires' not in out:
-    fail('modprinc failure (target)')
+realm.run([kadminl, 'getprinc', 'unselected'],
+          expected_msg='REQUIRES_PRE_AUTH')
+kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
+          expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
+kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
+          expected_code=1, expected_msg='Operation requires')
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
 
@@ -235,12 +199,10 @@ realm.addprinc('selected', 'pw')
 realm.addprinc('unselected', 'pw')
 kadmin_as(all_modify, ['purgekeys', 'unselected'])
 kadmin_as(some_modify, ['purgekeys', 'selected'])
-out = kadmin_as(none, ['purgekeys', 'selected'], expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('purgekeys failure (no perms)')
-out = kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('purgekeys failure (target)')
+kadmin_as(none, ['purgekeys', 'selected'], expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
+kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
 kadmin_as(none, ['purgekeys', 'none'])
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
@@ -250,36 +212,27 @@ kadmin_as(all_rename, ['renprinc', 'from', 'to'])
 realm.run([kadminl, 'renprinc', 'to', 'from'])
 kadmin_as(some_rename, ['renprinc', 'from', 'to'])
 realm.run([kadminl, 'renprinc', 'to', 'from'])
-out = kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('renprinc failure (no delete perms)')
-out = kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1)
-if 'Operation requires ``add\'\' privilege' not in out:
-    fail('renprinc failure (no add perms)')
-out = kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1)
-if 'Operation requires ``add\'\' privilege' not in out:
-    fail('renprinc failure (new target)')
+kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1,
+          expected_msg="Insufficient authorization for operation")
+kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1,
+          expected_msg="Insufficient authorization for operation")
+kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1,
+          expected_msg="Insufficient authorization for operation")
 realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
-out = kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('renprinc failure (old target)')
-out = kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'],
-                expected_code=1)
-if 'Operation requires ``add\'\' privilege' not in out:
-    fail('renprinc failure (restrictions)')
+kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
+          expected_msg="Insufficient authorization for operation")
+kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
+          expected_msg="Insufficient authorization for operation")
 realm.run([kadminl, 'delprinc', 'notfrom'])
 
 realm.addprinc('selected', 'pw')
 realm.addprinc('unselected', 'pw')
 kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
 kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
-out = kadmin_as(none, ['setstr', 'selected',  'key', 'value'], expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('addprinc failure (no perms)')
-out = kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
-                expected_code=1)
-if 'Operation requires' not in out:
-    fail('modprinc failure (target)')
+kadmin_as(none, ['setstr', 'selected',  'key', 'value'], expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
+kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
+          expected_code=1, expected_msg='Operation requires')
 realm.run([kadminl, 'delprinc', 'selected'])
 realm.run([kadminl, 'delprinc', 'unselected'])
 
@@ -287,28 +240,21 @@ kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
 realm.run([kadminl, 'delprinc', 'anytarget'])
 kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
 realm.run([kadminl, 'delprinc', 'wild/card'])
-out = kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
-                expected_code=1)
-if 'Operation requires' not in out:
-    fail('addprinc failure (target wildcard extra component)')
+kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
+          expected_code=1, expected_msg='Operation requires')
 realm.addprinc('admin/user', 'pw')
 kadmin_as(admin, ['delprinc', 'admin/user'])
-out = kadmin_as(admin, ['delprinc', 'none'], expected_code=1)
-if 'Operation requires' not in out:
-    fail('delprinc failure (wildcard backreferences not matched)')
+kadmin_as(admin, ['delprinc', 'none'], expected_code=1,
+          expected_msg='Operation requires')
 realm.addprinc('four/one/three', 'pw')
 kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
 
 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
-out = realm.run([kadminl, 'getprinc', 'type1'])
-if 'Policy: minlife' not in out:
-    fail('restriction (policy)')
+realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife')
 realm.run([kadminl, 'delprinc', 'type1'])
 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
                          'type2'])
-out = realm.run([kadminl, 'getprinc', 'type2'])
-if 'Policy: [none]' not in out:
-    fail('restriction (clearpolicy)')
+realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]')
 realm.run([kadminl, 'delprinc', 'type2'])
 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
                          'type3'])
@@ -319,43 +265,50 @@ if ('Maximum ticket life: 0 days 00:01:00' not in out or
 realm.run([kadminl, 'delprinc', 'type3'])
 kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
                          'type3'])
-out = realm.run([kadminl, 'getprinc', 'type3'])
-if 'Maximum renewable life: 0 days 02:00:00' not in out:
-    fail('restriction (maxrenewlife high)')
+realm.run([kadminl, 'getprinc', 'type3'],
+          expected_msg='Maximum renewable life: 0 days 02:00:00')
 
 realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
-out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
-                expected_code=1)
-if 'Operation requires ``extract-keys\'\' privilege' not in out:
-    fail('extractkeys failure (all_wildcard)')
+kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
+          expected_code=1,
+          expected_msg="Operation requires ``extract-keys'' privilege")
 kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
 realm.kinit('extractkeys', flags=['-k'])
 os.remove(realm.keytab)
 
 kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
-out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
-                expected_code=1)
-if 'Operation requires ``change-password\'\' privilege' not in out:
-    fail('extractkeys failure (all_changepw)')
+kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
+          expected_code=1,
+          expected_msg="Operation requires ``change-password'' privilege")
 kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
-out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'],
-                expected_code=1)
-if 'Operation requires ``extract-keys\'\' privilege' not in out:
-    fail('extractkeys failure (all_extract)')
-out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('extractkeys failure (all_delete)')
-out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
-                expected_code=1)
-if 'Operation requires ``delete\'\' privilege' not in out:
-    fail('extractkeys failure (all_rename)')
-out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
-                expected_code=1)
-if 'Operation requires ``modify\'\' privilege' not in out:
-    fail('extractkeys failure (all_modify)')
+kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1,
+          expected_msg="Operation requires ``extract-keys'' privilege")
+kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1,
+          expected_msg="Operation requires ``delete'' privilege")
+kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
+          expected_code=1,
+          expected_msg="Operation requires ``delete'' privilege")
+kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
+          expected_code=1,
+          expected_msg="Operation requires ``modify'' privilege")
 realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
 kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
 realm.kinit('extractkeys', flags=['-k'])
 os.remove(realm.keytab)
 
+# Verify that self-service key changes require an initial ticket.
+realm.run([kadminl, 'cpw', '-pw', password('none'), 'none'])
+realm.run([kadminl, 'modprinc', '+allow_tgs_req', 'kadmin/admin'])
+realm.kinit('none', password('none'))
+realm.run([kvno, 'kadmin/admin'])
+msg = 'Operation requires initial ticket'
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', 'none'],
+          expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw',
+           '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
+          expected_code=1, expected_msg=msg)
+realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
+           'none'], expected_code=1, expected_msg=msg)
+
 success('kadmin ACL enforcement')
diff --git a/src/tests/t_kadmin_parsing.py b/src/tests/t_kadmin_parsing.py
index 92d72d2b08a8..8de387c647a3 100644
--- a/src/tests/t_kadmin_parsing.py
+++ b/src/tests/t_kadmin_parsing.py
@@ -57,33 +57,27 @@ realm = K5Realm(create_host=False, get_creds=False)
 realm.run([kadminl, 'addpol', 'pol'])
 for instr, outstr in intervals:
     realm.run([kadminl, 'modprinc', '-maxlife', instr, realm.user_princ])
-    out = realm.run([kadminl, 'getprinc', realm.user_princ])
-    if 'Maximum ticket life: ' + outstr + '\n' not in out:
-        fail('princ maxlife: ' + instr)
+    msg = 'Maximum ticket life: ' + outstr + '\n'
+    realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
 
     realm.run([kadminl, 'modprinc', '-maxrenewlife', instr, realm.user_princ])
-    out = realm.run([kadminl, 'getprinc', realm.user_princ])
-    if 'Maximum renewable life: ' + outstr + '\n' not in out:
-        fail('princ maxrenewlife: ' + instr)
+    msg = 'Maximum renewable life: ' + outstr + '\n'
+    realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
 
     realm.run([kadminl, 'modpol', '-maxlife', instr, 'pol'])
-    out = realm.run([kadminl, 'getpol', 'pol'])
-    if 'Maximum password life: ' + outstr + '\n' not in out:
-        fail('pol maxlife: ' + instr)
+    msg = 'Maximum password life: ' + outstr + '\n'
+    realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
 
     realm.run([kadminl, 'modpol', '-minlife', instr, 'pol'])
-    out = realm.run([kadminl, 'getpol', 'pol'])
-    if 'Minimum password life: ' + outstr + '\n' not in out:
-        fail('pol maxlife: ' + instr)
+    msg = 'Minimum password life: ' + outstr + '\n'
+    realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
 
     realm.run([kadminl, 'modpol', '-failurecountinterval', instr, 'pol'])
-    out = realm.run([kadminl, 'getpol', 'pol'])
-    if 'Password failure count reset interval: ' + outstr + '\n' not in out:
-        fail('pol maxlife: ' + instr)
+    msg = 'Password failure count reset interval: ' + outstr + '\n'
+    realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
 
     realm.run([kadminl, 'modpol', '-lockoutduration', instr, 'pol'])
-    out = realm.run([kadminl, 'getpol', 'pol'])
-    if 'Password lockout duration: ' + outstr + '\n' not in out:
-        fail('pol maxlife: ' + instr)
+    msg = 'Password lockout duration: ' + outstr + '\n'
+    realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
 
 success('kadmin command parsing tests')
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 185225afa5a3..217f2cdc3bdc 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -16,22 +16,27 @@ if (not os.path.exists(os.path.join(plugins, 'kdb', 'kldap.so')) and
 if 'SLAPD' not in os.environ and not which('slapd'):
     skip_rest('LDAP KDB tests', 'slapd not found')
 
+slapadd = which('slapadd')
+if not slapadd:
+    skip_rest('LDAP KDB tests', 'slapadd not found')
+
 ldapdir = os.path.abspath('ldap')
 dbdir = os.path.join(ldapdir, 'ldap')
-slapd_conf = os.path.join(ldapdir, 'slapd.conf')
+slapd_conf = os.path.join(ldapdir, 'slapd.d')
 slapd_out = os.path.join(ldapdir, 'slapd.out')
 slapd_pidfile = os.path.join(ldapdir, 'pid')
 ldap_pwfile = os.path.join(ldapdir, 'pw')
 ldap_sock = os.path.join(ldapdir, 'sock')
 ldap_uri = 'ldapi://%s/' % ldap_sock.replace(os.path.sep, '%2F')
 schema = os.path.join(srctop, 'plugins', 'kdb', 'ldap', 'libkdb_ldap',
-                      'kerberos.schema')
+                      'kerberos.openldap.ldif')
 top_dn = 'cn=krb5'
 admin_dn = 'cn=admin,cn=krb5'
 admin_pw = 'admin'
 
 shutil.rmtree(ldapdir, True)
 os.mkdir(ldapdir)
+os.mkdir(slapd_conf)
 os.mkdir(dbdir)
 
 if 'SLAPD' in os.environ:
@@ -44,32 +49,61 @@ else:
     slapd = os.path.join(ldapdir, 'slapd')
     shutil.copy(system_slapd, slapd)
 
-# Find the core schema file if we can.
+def slap_add(ldif):
+    proc = subprocess.Popen([slapadd, '-b', 'cn=config', '-F', slapd_conf],
+                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+                            stderr=subprocess.STDOUT)
+    (out, dummy) = proc.communicate(ldif)
+    output(out)
+    return proc.wait()
+
+
+# Configure the pid file and some authorization rules we will need for
+# SASL testing.
+if slap_add('dn: cn=config\n'
+            'objectClass: olcGlobal\n'
+            'olcPidFile: %s\n'
+            'olcAuthzRegexp: '
+            '".*uidNumber=%d,cn=peercred,cn=external,cn=auth" "%s"\n'
+            'olcAuthzRegexp: "uid=digestuser,cn=digest-md5,cn=auth" "%s"\n' %
+            (slapd_pidfile, os.geteuid(), admin_dn, admin_dn)) != 0:
+    skip_rest('LDAP KDB tests', 'slapd basic configuration failed')
+
+# Find a working writable database type, trying mdb (added in OpenLDAP
+# 2.4.27) and bdb (deprecated and sometimes not built due to licensing
+# incompatibilities).
+for dbtype in ('mdb', 'bdb'):
+    # Try to load the module.  This could fail if OpenLDAP is built
+    # without module support, so ignore errors.
+    slap_add('dn: cn=module,cn=config\n'
+             'objectClass: olcModuleList\n'
+             'olcModuleLoad: back_%s\n' % dbtype)
+
+    dbclass = 'olc%sConfig' % dbtype.capitalize()
+    if slap_add('dn: olcDatabase=%s,cn=config\n'
+                'objectClass: olcDatabaseConfig\n'
+                'objectClass: %s\n'
+                'olcSuffix: %s\n'
+                'olcRootDN: %s\n'
+                'olcRootPW: %s\n'
+                'olcDbDirectory: %s\n' %
+                (dbtype, dbclass, top_dn, admin_dn, admin_pw, dbdir)) == 0:
+        break
+else:
+    skip_rest('LDAP KDB tests', 'could not find working slapd db type')
+
+if slap_add('include: file://%s\n' % schema) != 0:
+    skip_rest('LDAP KDB tests', 'failed to load Kerberos schema')
+
+# Load the core schema if we can.
 ldap_homes = ['/etc/ldap', '/etc/openldap', '/usr/local/etc/openldap',
               '/usr/local/etc/ldap']
-local_schema_path = '/schema/core.schema'
+local_schema_path = '/schema/core.ldif'
 core_schema = next((i for i in imap(lambda x:x+local_schema_path, ldap_homes)
                     if os.path.isfile(i)), None)
-
-# Make a slapd config file.  This is deprecated in OpenLDAP 2.3 and
-# later, but it's easier than using LDIF and slapadd.  Include some
-# authz-regexp entries for SASL authentication tests.  Load the core
-# schema if we found it, for use in the DIGEST-MD5 test.
-file = open(slapd_conf, 'w')
-file.write('pidfile %s\n' % slapd_pidfile)
-file.write('include %s\n' % schema)
 if core_schema:
-    file.write('include %s\n' % core_schema)
-file.write('moduleload back_bdb\n')
-file.write('database bdb\n')
-file.write('suffix %s\n' % top_dn)
-file.write('rootdn %s\n' % admin_dn)
-file.write('rootpw %s\n' % admin_pw)
-file.write('directory %s\n' % dbdir)
-file.write('authz-regexp .*uidNumber=%d,cn=peercred,cn=external,cn=auth %s\n' %
-           (os.geteuid(), admin_dn))
-file.write('authz-regexp uid=digestuser,cn=digest-md5,cn=auth %s\n' % admin_dn)
-file.close()
+    if slap_add('include: file://%s\n' % core_schema) != 0:
+        core_schema = None
 
 slapd_pid = -1
 def kill_slapd():
@@ -80,7 +114,7 @@ def kill_slapd():
 atexit.register(kill_slapd)
 
 out = open(slapd_out, 'w')
-subprocess.call([slapd, '-h', ldap_uri, '-f', slapd_conf], stdout=out,
+subprocess.call([slapd, '-h', ldap_uri, '-F', slapd_conf], stdout=out,
                 stderr=out)
 out.close()
 pidf = open(slapd_pidfile, 'r')
@@ -167,47 +201,31 @@ if out != 'KRBTEST.COM\n':
 # because we're sticking a krbPrincipalAux objectclass onto a subtree
 # krbContainer, but it works and it avoids having to load core.schema
 # in the test LDAP server.
-out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-                expected_code=1)
-if 'DN is out of the realm subtree' not in out:
-    fail('Unexpected kadmin.local output for out-of-realm dn')
+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
+          expected_code=1, expected_msg='DN is out of the realm subtree')
 realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
-out = realm.run([kadminl, 'getprinc', 'princ1'])
-if 'Principal: princ1' not in out:
-    fail('Unexpected kadmin.local output after creating princ1')
-out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5',
-                 'again'], expected_code=1)
-if 'ldap object is already kerberized' not in out:
-    fail('Unexpected kadmin.local output trying to re-kerberize DN')
+realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
+          expected_code=1, expected_msg='ldap object is already kerberized')
 # Check that we can't set linkdn on a non-standalone object.
-out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
-                expected_code=1)
-if 'link information can not be set' not in out:
-    fail('Unexpected kadmin.local output trying to set linkdn on princ1')
+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
+          expected_code=1, expected_msg='link information can not be set')
 
 # Create a principal with a specified linkdn.
-out = realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
-                expected_code=1)
-if 'DN is out of the realm subtree' not in out:
-    fail('Unexpected kadmin.local output for out-of-realm linkdn')
+realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
+          expected_code=1, expected_msg='DN is out of the realm subtree')
 realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2'])
 # Check that we can't reset linkdn.
-out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
-                expected_code=1)
-if 'kerberos principal is already linked' not in out:
-    fail('Unexpected kadmin.local output for re-specified linkdn')
+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
+          expected_code=1, expected_msg='kerberos principal is already linked')
 
 # Create a principal with a specified containerdn.
-out = realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
-                 'princ3'], expected_code=1)
-if 'DN is out of the realm subtree' not in out:
-    fail('Unexpected kadmin.local output for out-of-realm containerdn')
+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'],
+          expected_code=1, expected_msg='DN is out of the realm subtree')
 realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
            'princ3'])
-out = realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5',
-                 'princ3'], expected_code=1)
-if 'containerdn option not supported' not in out:
-    fail('Unexpected kadmin.local output trying to reset containerdn')
+realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
+          expected_code=1, expected_msg='containerdn option not supported')
 
 # Create and modify a ticket policy.
 kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
@@ -255,9 +273,8 @@ if out:
 kldaputil(['create_policy', 'tktpol2'])
 
 # Try to create a password policy conflicting with a ticket policy.
-out = realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1)
-if 'Already exists while creating policy "tktpol2"' not in out:
-    fail('Expected error not seen in kadmin.local output')
+realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1,
+          expected_msg='Already exists while creating policy "tktpol2"')
 
 # Try to create a ticket policy conflicting with a password policy.
 realm.run([kadminl, 'addpol', 'pwpol'])
@@ -266,16 +283,13 @@ if 'Already exists while creating policy object' not in out:
     fail('Expected error not seen in kdb5_ldap_util output')
 
 # Try to use a password policy as a ticket policy.
-out = realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
-                expected_code=1)
-if 'Object class violation' not in out:
-    fail('Expected error not seem in kadmin.local output')
+realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
+          expected_code=1, expected_msg='Object class violation')
 
 # Use a ticket policy as a password policy (CVE-2014-5353).  This
 # works with a warning; use kadmin.local -q so the warning is shown.
-out = realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'])
-if 'WARNING: policy "tktpol2" does not exist' not in out:
-    fail('Expected error not seen in kadmin.local output')
+realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'],
+          expected_msg='WARNING: policy "tktpol2" does not exist')
 
 # Do some basic tests with a KDC against the LDAP module, exercising the
 # db_args processing code.
@@ -298,9 +312,8 @@ if 'krbPrincipalAuthInd: otp' not in out:
 if 'krbPrincipalAuthInd: radius' not in out:
     fail('Expected krbPrincipalAuthInd value not in output')
 
-out = realm.run([kadminl, 'getstrs', 'authind'])
-if 'require_auth: otp radius' not in out:
-    fail('Expected auth indicators value not in output')
+realm.run([kadminl, 'getstrs', 'authind'],
+          expected_msg='require_auth: otp radius')
 
 # Test service principal aliases.
 realm.addprinc('canon', password('canon'))
@@ -311,14 +324,11 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
             '-\n'
             'add: krbCanonicalName\n'
             'krbCanonicalName: canon@KRBTEST.COM\n')
-out = realm.run([kadminl, 'getprinc', 'alias'])
-if 'Principal: canon@KRBTEST.COM\n' not in out:
-    fail('Could not fetch canon through alias')
-out = realm.run([kadminl, 'getprinc', 'canon'])
-if 'Principal: canon@KRBTEST.COM\n' not in out:
-    fail('Could not fetch canon through canon')
-realm.run([kvno, 'alias'])
-realm.run([kvno, 'canon'])
+realm.run([kadminl, 'getprinc', 'alias'],
+          expected_msg='Principal: canon@KRBTEST.COM\n')
+realm.run([kadminl, 'getprinc', 'canon'],
+          expected_msg='Principal: canon@KRBTEST.COM\n')
+realm.run([kvno, 'alias', 'canon'])
 out = realm.run([klist])
 if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
     fail('After fetching alias and canon, klist is missing one or both')
@@ -334,9 +344,8 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
             '-\n'
             'add: krbCanonicalName\n'
             'krbCanonicalName: krbtgt/KRBTEST.COM@KRBTEST.COM\n')
-out = realm.run([kadminl, 'getprinc', 'tgtalias'])
-if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
-    fail('Could not fetch krbtgt through tgtalias')
+realm.run([kadminl, 'getprinc', 'tgtalias'],
+          expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
 realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, 'tgtalias'])
 realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
@@ -352,9 +361,8 @@ realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 
 # Test client principal aliases, with and without preauth.
 realm.kinit('canon', password('canon'))
-out = realm.kinit('alias', password('canon'), expected_code=1)
-if 'not found in Kerberos database' not in out:
-    fail('Wrong error message for kinit to alias without -C flag')
+realm.kinit('alias', password('canon'), expected_code=1,
+            expected_msg='not found in Kerberos database')
 realm.kinit('alias', password('canon'), ['-C'])
 realm.run([kvno, 'alias'])
 realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
@@ -413,31 +421,24 @@ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
            'kvnoprinc'])
 realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
            'aes256-cts,aes128-cts', 'kvnoprinc'])
-out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
-if 'Number of keys: 4' not in out:
-    fail('After cpw -keepold, wrong number of keys')
+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4')
 realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
            'aes256-cts,aes128-cts', 'kvnoprinc'])
-out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
-if 'Number of keys: 6' not in out:
-    fail('After cpw -keepold, wrong number of keys')
+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6')
 
 # Regression test for #8041 (NULL dereference on keyless principals).
 realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc'])
-out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
-if 'Number of keys: 0' not in out:
-    fail('Failed to create a principal with no keys')
+realm.run([kadminl, 'getprinc', 'keylessprinc'],
+          expected_msg='Number of keys: 0')
 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts',
            'keylessprinc'])
 realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
            'aes256-cts,aes128-cts', 'keylessprinc'])
-out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
-if 'Number of keys: 4' not in out:
-    fail('Failed to add keys to keylessprinc')
+realm.run([kadminl, 'getprinc', 'keylessprinc'],
+          expected_msg='Number of keys: 4')
 realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc'])
-out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
-if 'Number of keys: 0' not in out:
-    fail('After purgekeys -all, keys remain')
+realm.run([kadminl, 'getprinc', 'keylessprinc'],
+          expected_msg='Number of keys: 0')
 
 # Test for 8354 (old password history entries when -keepold is used)
 realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol'])
@@ -446,14 +447,20 @@ realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
 for p in ('bbbb', 'cccc', 'aaaa'):
     realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
 
+if runenv.sizeof_time_t <= 4:
+    skipped('y2038 LDAP test', 'platform has 32-bit time_t')
+else:
+    # Test storage of timestamps after y2038.
+    realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
+    realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
+
 realm.stop()
 
 # Briefly test dump and load.
 dumpfile = os.path.join(realm.testdir, 'dump')
 realm.run([kdb5_util, 'dump', dumpfile])
-out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1)
-if 'KDB module requires -update argument' not in out:
-    fail('Unexpected error from kdb5_util load without -update')
+realm.run([kdb5_util, 'load', dumpfile], expected_code=1,
+          expected_msg='KDB module requires -update argument')
 realm.run([kdb5_util, 'load', '-update', dumpfile])
 
 # Destroy the realm.
@@ -501,14 +508,10 @@ realm.addprinc(realm.user_princ, password('user'))
 realm.kinit(realm.user_princ, password('user'))
 realm.stop()
 # Exercise DB options, which should cause binding to fail.
-out = realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
-                expected_code=1)
-if 'Cannot bind to LDAP server' not in out:
-    fail('Expected error not seen in kadmin.local output')
-out = realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
-                expected_code=1)
-if 'Cannot bind to LDAP server' not in out:
-    fail('Expected error not seen in kadmin.local output')
+realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
+          expected_code=1, expected_msg='Cannot bind to LDAP server')
+realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
+          expected_code=1, expected_msg='Cannot bind to LDAP server')
 realm.run([kdb5_ldap_util, 'destroy', '-f'])
 
 # We could still use tests to exercise:
diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py
index e8d86e09bfd5..aac0a220f424 100755
--- a/src/tests/t_kdb_locking.py
+++ b/src/tests/t_kdb_locking.py
@@ -21,9 +21,8 @@ if not os.path.exists(kadm5_lock):
     fail('kadm5 lock file not created: ' + kadm5_lock)
 os.unlink(kadm5_lock)
 
-output = realm.kinit(p, p, [], expected_code=1)
-if 'A service is not available' not in output:
-    fail('krb5kdc should have returned service not available error')
+realm.kinit(p, p, [], expected_code=1,
+            expected_msg='A service is not available')
 
 f = open(kadm5_lock, 'w')
 f.close()
diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
new file mode 100644
index 000000000000..5b198bb430c5
--- /dev/null
+++ b/src/tests/t_kdcpolicy.py
@@ -0,0 +1,62 @@
+#!/usr/bin/python
+from k5test import *
+from datetime import datetime
+import re
+
+testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
+testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
+                          'kdcpolicy_test.so')
+krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
+                         'clpreauth': {'module': 'test:' + testpreauth},
+                         'kdcpolicy': {'module': 'test:' + testpolicy}}}
+kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
+                                  'max_renewable_life': '1d'}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)
+
+realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
+
+def verify_time(out, target_time):
+    times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
+    times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
+    divisor = 1
+    while len(times) > 0:
+        starttime = times.pop(0)
+        endtime = times.pop(0)
+        renewtime = times.pop(0)
+
+        if str((endtime - starttime) * divisor) != target_time:
+            fail('unexpected lifetime value')
+        if str((renewtime - endtime) * divisor) != target_time:
+            fail('unexpected renewable value')
+
+        # Service tickets should have half the lifetime of initial
+        # tickets.
+        divisor = 2
+
+rflags = ['-r', '1d', '-l', '12h']
+
+# Test AS+TGS success path.
+realm.kinit(realm.user_princ, password('user'),
+            rflags + ['-X', 'indicators=SEVEN_HOURS'])
+realm.run([kvno, realm.host_princ])
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
+out = realm.run([klist, '-e', realm.ccache])
+verify_time(out, '7:00:00')
+
+# Test AS+TGS success path with different values.
+realm.kinit(realm.user_princ, password('user'),
+            rflags + ['-X', 'indicators=ONE_HOUR'])
+realm.run([kvno, realm.host_princ])
+realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
+out = realm.run([klist, '-e', realm.ccache])
+verify_time(out, '1:00:00')
+
+# Test TGS failure path (using previous creds).
+realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
+          expected_msg='KDC policy rejects request')
+
+# Test AS failure path.
+realm.kinit('fail@%s' % realm.realm, password('fail'),
+            expected_code=1, expected_msg='KDC policy rejects request')
+
+success('kdcpolicy tests')
diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py
index 686e543bd4dd..5c04a8523f08 100755
--- a/src/tests/t_keydata.py
+++ b/src/tests/t_keydata.py
@@ -5,27 +5,19 @@ realm = K5Realm(create_user=False, create_host=False)
 
 # Create a principal with no keys.
 realm.run([kadminl, 'addprinc', '-nokey', 'user'])
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'Number of keys: 0' not in out:
-    fail('getprinc (addprinc -nokey)')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
 
 # Change its password and check the resulting kvno.
 realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'vno 1' not in out:
-    fail('getprinc (cpw -pw)')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
 
 # Delete all of its keys.
 realm.run([kadminl, 'purgekeys', '-all', 'user'])
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'Number of keys: 0' not in out:
-    fail('getprinc (purgekeys)')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
 
 # Randomize its keys and check the resulting kvno.
 realm.run([kadminl, 'cpw', '-randkey', 'user'])
-out = realm.run([kadminl, 'getprinc', 'user'])
-if 'vno 1' not in out:
-    fail('getprinc (cpw -randkey)')
+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
 
 # Return true if patype appears to have been received in a hint list
 # from a KDC error message, based on the trace file fname.
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 35d0b61b8056..bfd38914b7a0 100755
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -23,25 +23,17 @@ realm.run([kvno, princ1])
 realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
 # Make sure an old TGT fails after purging old TGS key.
 realm.run([kvno, princ2], expected_code=1)
-output = realm.run([klist, '-e'])
-
-expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
     (realm.realm, realm.realm)
-
-if expected not in output:
-    fail('keyrollover: expected TGS enctype not found')
+realm.run([klist, '-e'], expected_msg=msg)
 
 # Check that new key actually works.
 realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, realm.host_princ])
-output = realm.run([klist, '-e'])
-
-expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
     'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
     (realm.realm, realm.realm)
-
-if expected not in output:
-    fail('keyrollover: expected TGS enctype not found after change')
+realm.run([klist, '-e'], expected_msg=msg)
 
 # Test that the KDC only accepts the first enctype for a kvno, for a
 # local-realm TGS request.  To set this up, we abuse an edge-case
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index a06e6c29653d..a48740ba532a 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -14,9 +14,8 @@ realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
 realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])
 
 # Test kinit with no keys for client in keytab.
-output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1)
-if 'no suitable keys' not in output:
-    fail('Expected error not seen in kinit output')
+realm.kinit(realm.user_princ, flags=['-k'], expected_code=1,
+            expected_msg='no suitable keys')
 
 # Test kinit and klist with client keytab defaults.
 realm.extract_keytab(realm.user_princ, realm.client_keytab);
@@ -31,14 +30,12 @@ if realm.client_keytab not in out or realm.user_princ not in out:
 
 # Test implicit request for keytab (-i or -t without -k)
 realm.run([kdestroy])
-output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab])
-if 'keytab specified, forcing -k' not in output:
-    fail('Expected output not seen from kinit -t keytab')
+realm.kinit(realm.host_princ, flags=['-t', realm.keytab],
+            expected_msg='keytab specified, forcing -k')
 realm.klist(realm.host_princ)
 realm.run([kdestroy])
-output = realm.kinit(realm.user_princ, flags=['-i'])
-if 'keytab specified, forcing -k' not in output:
-    fail('Expected output not seen from kinit -i')
+realm.kinit(realm.user_princ, flags=['-i'],
+            expected_msg='keytab specified, forcing -k')
 realm.klist(realm.user_princ)
 
 # Test extracting keys with multiple key versions present.
@@ -70,12 +67,10 @@ def test_key_rotate(realm, princ, expected_kvno):
     realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
     realm.run([kadminl, 'ktrem', princ, 'old'])
     realm.kinit(princ, flags=['-k'])
-    out = realm.run([klist, '-k'])
-    if ('%d %s' % (expected_kvno, princ)) not in out:
-        fail('kvno %d not listed in keytab' % expected_kvno)
-    out = realm.run_kadmin(['getprinc', princ])
-    if ('Key: vno %d,' % expected_kvno) not in out:
-        fail('vno %d not seen in getprinc output' % expected_kvno)
+    msg = '%d %s' % (expected_kvno, princ)
+    out = realm.run([klist, '-k'], expected_msg=msg)
+    msg = 'Key: vno %d,' % expected_kvno
+    out = realm.run_kadmin(['getprinc', princ], expected_msg=msg)
 
 princ = 'foo/bar@%s' % realm.realm
 realm.addprinc(princ)
@@ -109,9 +104,8 @@ f = open(realm.keytab, 'w')
 f.write('\x05\x02\x00\x00\x00' + chr(len(record)))
 f.write(record)
 f.close()
-out = realm.run([klist, '-k'])
-if ('   2 %s' % realm.user_princ) not in out:
-    fail('Expected entry not seen in klist -k output')
+msg = '   2 %s' % realm.user_princ
+out = realm.run([klist, '-k'], expected_msg=msg)
 
 # Make sure zero-fill isn't treated as a 32-bit kvno.
 f = open(realm.keytab, 'w')
@@ -119,9 +113,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
 f.write(record)
 f.write('\x00\x00\x00\x00')
 f.close()
-out = realm.run([klist, '-k'])
-if ('   2 %s' % realm.user_princ) not in out:
-    fail('Expected entry not seen in klist -k output')
+msg = '   2 %s' % realm.user_princ
+out = realm.run([klist, '-k'], expected_msg=msg)
 
 # Make sure a hand-crafted 32-bit kvno is recognized.
 f = open(realm.keytab, 'w')
@@ -129,9 +122,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
 f.write(record)
 f.write('\x00\x00\x00\x03')
 f.close()
-out = realm.run([klist, '-k'])
-if ('   3 %s' % realm.user_princ) not in out:
-    fail('Expected entry not seen in klist -k output')
+msg = '   3 %s' % realm.user_princ
+out = realm.run([klist, '-k'], expected_msg=msg)
 
 # Test parameter expansion in profile variables
 realm.stop()
@@ -142,11 +134,9 @@ realm = K5Realm(krb5_conf=conf, create_kdb=False)
 del realm.env['KRB5_KTNAME']
 del realm.env['KRB5_CLIENT_KTNAME']
 uidstr = str(os.getuid())
-out = realm.run([klist, '-k'], expected_code=1)
-if 'FILE:testdir/abc%s' % uidstr not in out:
-    fail('Wrong keytab in klist -k output')
-out = realm.run([klist, '-ki'], expected_code=1)
-if 'FILE:testdir/xyz%s' % uidstr not in out:
-    fail('Wrong keytab in klist -ki output')
+msg = 'FILE:testdir/abc%s' % uidstr
+out = realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
+msg = 'FILE:testdir/xyz%s' % uidstr
+out = realm.run([klist, '-ki'], expected_code=1, expected_msg=msg)
 
 success('Keytab-related tests')
diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py
index 02cdfeec245f..39169675d6c4 100755
--- a/src/tests/t_kprop.py
+++ b/src/tests/t_kprop.py
@@ -43,9 +43,7 @@ for realm in multipass_realms(create_user=False):
     realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
     check_output(kpropd)
 
-    out = realm.run([kadminl, 'listprincs'], slave)
-    if 'wakawaka' not in out:
-        fail('Slave does not have all principals from master')
+    realm.run([kadminl, 'listprincs'], slave, expected_msg='wakawaka')
 
 # default_realm tests follow.
 # default_realm and domain_realm different than realm.realm (test -r argument).
@@ -79,9 +77,8 @@ realm.run([kdb5_util, 'dump', dumpfile])
 realm.run([kprop, '-r', realm.realm, '-f', dumpfile, '-P',
            str(realm.kprop_port()), hostname])
 check_output(kpropd)
-out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2)
-if 'wakawaka' not in out:
-    fail('Slave does not have all principals from master')
+realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2,
+          expected_msg='wakawaka')
 
 stop_daemon(kpropd)
 
@@ -90,8 +87,6 @@ kpropd = realm.start_kpropd(slave3, ['-d'])
 realm.run([kdb5_util, 'dump', dumpfile])
 realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
 check_output(kpropd)
-out = realm.run([kadminl, 'listprincs'], slave3)
-if 'wakawaka' not in out:
-    fail('Slave does not have all principals from master')
+realm.run([kadminl, 'listprincs'], slave3, expected_msg='wakawaka')
 
 success('kprop tests')
diff --git a/src/tests/t_localauth.py b/src/tests/t_localauth.py
index 4590485ac55d..aa625d038f38 100755
--- a/src/tests/t_localauth.py
+++ b/src/tests/t_localauth.py
@@ -14,9 +14,8 @@ def test_an2ln(env, aname, result, msg):
         fail(msg)
 
 def test_an2ln_err(env, aname, err, msg):
-    out = realm.run(['./localauth', aname], env=env, expected_code=1)
-    if err not in out:
-        fail(msg)
+    realm.run(['./localauth', aname], env=env, expected_code=1,
+              expected_msg=err)
 
 def test_userok(env, aname, lname, ok, msg):
     out = realm.run(['./localauth', aname, lname], env=env)
diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py
index c53b71b45ca4..615cd91cac6e 100755
--- a/src/tests/t_mkey.py
+++ b/src/tests/t_mkey.py
@@ -92,9 +92,8 @@ def check_stash(*expected):
 
 # Verify that the user principal has the expected mkvno.
 def check_mkvno(princ, expected_mkvno):
-    out = realm.run([kadminl, 'getprinc', princ])
-    if ('MKey: vno %d\n' % expected_mkvno) not in out:
-        fail('Unexpected mkvno in user DB entry')
+    msg = 'MKey: vno %d\n' % expected_mkvno
+    realm.run([kadminl, 'getprinc', princ], expected_msg=msg)
 
 
 # Change the password using either kadmin.local or kadmin, then check
@@ -160,9 +159,8 @@ check_mkvno(realm.user_princ, 1)
 collisionfile = os.path.join(realm.testdir, 'stash_tmp')
 f = open(collisionfile, 'w')
 f.close()
-output = realm.run([kdb5_util, 'stash'], expected_code=1)
-if 'Temporary stash file already exists' not in output:
-    fail('Did not detect temp stash file collision')
+realm.run([kdb5_util, 'stash'], expected_code=1,
+          expected_msg='Temporary stash file already exists')
 os.unlink(collisionfile)
 
 # Add a new master key with no options.  Verify that:
@@ -179,9 +177,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 1)
 change_password_check_mkvno(False, realm.user_princ, 'user', 1)
 
 # Verify that use_mkey won't make all master keys inactive.
-out = realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1)
-if 'there must be one master key currently active' not in out:
-    fail('Unexpected error from use_mkey making all mkeys inactive')
+realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1,
+          expected_msg='there must be one master key currently active')
 check_mkey_list((2, defetype, False, False), (1, defetype, True, True))
 
 # Make the new master key active.  Verify that:
@@ -194,9 +191,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 2)
 change_password_check_mkvno(False, realm.user_princ, 'user', 2)
 
 # Check purge_mkeys behavior with both master keys still in use.
-out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
-if 'All keys in use, nothing purged.' not in out:
-    fail('Unexpected output from purge_mkeys with both mkeys in use')
+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
+          expected_msg='All keys in use, nothing purged.')
 
 # Do an update_princ_encryption dry run and for real.  Verify that:
 # 1. The target master key is 2 (the active mkvno).
@@ -226,9 +222,8 @@ update_princ_encryption(False, 2, nprincs - 1, 0)
 check_mkvno(realm.user_princ, 2)
 
 # Test the safety check for purging with an outdated stash file.
-out = realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1)
-if 'stash file needs updating' not in out:
-    fail('Unexpected error from purge_mkeys safety check')
+realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1,
+          expected_msg='stash file needs updating')
 
 # Update the master stash file and check it.  Save a copy of the old
 # one for a later test.
@@ -253,18 +248,15 @@ check_mkey_list((2, defetype, True, True))
 check_master_dbent(2, (2, defetype))
 os.rename(stash_file, stash_file + '.save')
 os.rename(stash_file + '.old', stash_file)
-out = realm.run([kadminl, 'getprinc', 'user'], expected_code=1)
-if 'Unable to decrypt latest master key' not in out:
-    fail('Unexpected error from kadmin.local with old stash file')
+realm.run([kadminl, 'getprinc', 'user'], expected_code=1,
+          expected_msg='Unable to decrypt latest master key')
 os.rename(stash_file + '.save', stash_file)
 realm.run([kdb5_util, 'stash'])
 check_stash((2, defetype))
-out = realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1)
-if '1 is an invalid KVNO value' not in out:
-    fail('Unexpected error from use_mkey with invalid kvno')
-out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
-if 'There is only one master key which can not be purged.' not in out:
-    fail('Unexpected output from purge_mkeys with one mkey')
+realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1,
+          expected_msg='1 is an invalid KVNO value')
+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
+          expected_msg='There is only one master key which can not be purged.')
 
 # Add a third master key with a specified enctype.  Verify that:
 # 1. The new master key receives the correct number.
@@ -331,8 +323,7 @@ check_mkey_list((2, defetype, True, True), (1, des3, True, False))
 # Regression test for #8395.  Purge the master key and verify that a
 # master key fetch does not segfault.
 realm.run([kadminl, 'purgekeys', '-all', 'K/M'])
-out = realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1)
-if 'Cannot find master key record in database' not in out:
-    fail('Unexpected output from failed master key fetch')
+realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1,
+          expected_msg='Cannot find master key record in database')
 
 success('Master key rollover tests')
diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py
index f098374f9e61..9b18ff94b9cc 100755
--- a/src/tests/t_otp.py
+++ b/src/tests/t_otp.py
@@ -199,9 +199,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('udp')])
 realm.kinit(realm.user_princ, 'accept', flags=flags)
 verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
 realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '+97: [indotp1, indotp2]' not in out:
-    fail('auth indicators not seen in OTP ticket')
+realm.run(['./adata', realm.krbtgt_princ],
+          expected_msg='+97: [indotp1, indotp2]')
 
 # Repeat with an indicators override in the string attribute.
 daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
@@ -212,9 +211,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf])
 realm.kinit(realm.user_princ, 'accept', flags=flags)
 verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
 realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
-out = realm.run(['./adata', realm.krbtgt_princ])
-if '+97: [indtok1, indtok2]' not in out:
-    fail('auth indicators not seen in OTP ticket')
+realm.run(['./adata', realm.krbtgt_princ],
+          expected_msg='+97: [indtok1, indtok2]')
 
 # Detect upstream pyrad bug
 #   https://github.com/wichert/pyrad/pull/18
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 526473b429f8..b790a7cda071 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -23,6 +23,10 @@ privkey_pem = os.path.join(certs, 'privkey.pem')
 privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
 user_p12 = os.path.join(certs, 'user.p12')
 user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+user_upn_p12 = os.path.join(certs, 'user-upn.p12')
+user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
+user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
+generic_p12 = os.path.join(certs, 'generic.p12')
 path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
 path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
 
@@ -36,6 +40,20 @@ pkinit_kdc_conf = {'realms': {'$realm': {
 restrictive_kdc_conf = {'realms': {'$realm': {
             'restrict_anonymous_to_tgt': 'true' }}}
 
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
+              'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
+              'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
+alias_kdc_conf = {'realms': {'$realm': {
+            'default_principal_flags': '+preauth',
+            'pkinit_eku_checking': 'none',
+            'pkinit_allow_upn': 'true',
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
+            'database_module': 'test'}},
+                  'dbmodules': {'test': {
+                      'db_library': 'test',
+                      'alias': {'user@krbtest.com': 'user'},
+                      'princs': testprincs}}}
+
 file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
 file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
 dir_identity = 'DIR:%s' % path
@@ -45,11 +63,51 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
 dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
                                         os.path.join(path_enc, 'user.key'))
 p12_identity = 'PKCS12:%s' % user_p12
+p12_upn_identity = 'PKCS12:%s' % user_upn_p12
+p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
+p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
+p12_generic_identity = 'PKCS12:%s' % generic_p12
 p12_enc_identity = 'PKCS12:%s' % user_enc_p12
 p11_identity = 'PKCS11:soft-pkcs11.so'
 p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
                       'slotid=1:token=SoftToken (token)')
 
+# Start a realm with the test kdb module for the following UPN SAN tests.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
+                create_kdb=False)
+realm.start_kdc()
+
+# Compatibility check: cert contains UPN "user", which matches the
+# request principal user@KRBTEST.COM if parsed as a normal principal.
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
+
+# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
+# the request principal user@KRBTEST.COM if parsed as a normal principal.
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
+
+# Cert contains UPN "user@krbtest.com" which is aliased to the request
+# principal.
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
+
+# Test an id-pkinit-san match to a post-canonical principal.
+realm.kinit('user@krbtest.com',
+            flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
+
+# Test a UPN match to a post-canonical principal.  (This only works
+# for the cert with the UPN containing just "user", as we don't allow
+# UPN reparsing when comparing to the canonicalized client principal.)
+realm.kinit('user@krbtest.com',
+            flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
+
+# Test a mismatch.
+msg = 'kinit: Client name mismatch while getting initial credentials'
+realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity, 'user2'],
+          expected_code=1, expected_msg=msg)
+realm.stop()
+
 realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
                 get_creds=False)
 
@@ -61,9 +119,8 @@ realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
 # Test anonymous PKINIT.
-out = realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1)
-if 'not found in Kerberos database' not in out:
-    fail('Wrong error for anonymous PKINIT without anonymous enabled')
+realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1,
+            expected_msg='not found in Kerberos database')
 realm.addprinc('WELLKNOWN/ANONYMOUS')
 realm.kinit('@%s' % realm.realm, flags=['-n'])
 realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
@@ -78,9 +135,8 @@ f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
 f.close()
 realm.start_kadmind()
 realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
-out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
-if "Operation requires ``get'' privilege" not in out:
-    fail('Anonymous kadmin has too much privilege')
+realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1,
+          expected_msg="Operation requires ``get'' privilege")
 realm.stop_kadmind()
 
 # Test with anonymous restricted; FAST should work but kvno should fail.
@@ -89,9 +145,8 @@ realm.stop_kdc()
 realm.start_kdc(env=r_env)
 realm.kinit('@%s' % realm.realm, flags=['-n'])
 realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
-out = realm.run([kvno, realm.host_princ], expected_code=1)
-if 'KDC policy rejects request' not in out:
-    fail('Wrong error for restricted anonymous PKINIT')
+realm.run([kvno, realm.host_princ], expected_code=1,
+          expected_msg='KDC policy rejects request')
 
 # Regression test for #8458: S4U2Self requests crash the KDC if
 # anonymous is restricted.
@@ -117,6 +172,29 @@ realm.kinit(realm.user_princ,
                    '-X', 'flag_RSA_PROTOCOL=yes'])
 realm.klist(realm.user_princ)
 
+# Test a DH parameter renegotiation by temporarily setting a 4096-bit
+# minimum on the KDC.  (Preauth type 16 is PKINIT PA_PK_AS_REQ;
+# 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.)
+minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
+minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
+realm.stop_kdc()
+realm.start_kdc(env=minbits_env)
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Preauth module pkinit (16) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, 16',
+                  '/Key parameters not accepted',
+                  'Preauth tryagain input types (16): 109, 133',
+                  'trying again with KDC-provided parameters',
+                  'Preauth module pkinit (16) tryagain returned: 0/Success',
+                  'Followup preauth for next request: 16, 133')
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % file_identity],
+            expected_trace=expected_trace)
+realm.stop_kdc()
+realm.start_kdc()
+
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the prompter.
 # Expect failure if the responder does nothing, and we have no prompter.
@@ -128,9 +206,8 @@ realm.kinit(realm.user_princ,
             password='encrypted')
 realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
-out = realm.run(['./adata', realm.host_princ])
-if '+97: [indpkinit1, indpkinit2]' not in out:
-    fail('auth indicators not seen in PKINIT ticket')
+realm.run(['./adata', realm.host_princ],
+          expected_msg='+97: [indpkinit1, indpkinit2]')
 
 # Run the basic test - PKINIT with FILE: identity, with a password on the key,
 # supplied by the responder.
@@ -217,6 +294,51 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
 realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
+# Match a single rule.
+rule = '<SAN>^user@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Match a combined rule (default prefix is &&).
+rule = '<SUBJECT>CN=user$<KU>digitalSignature,keyEncipherment'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Fail an && rule.
+rule = '&&<SUBJECT>O=OTHER.COM<SAN>^user@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+msg = 'kinit: Certificate mismatch while getting initial credentials'
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity],
+            expected_code=1, expected_msg=msg)
+
+# Pass an || rule.
+rule = '||<SUBJECT>O=KRBTEST.COM<SAN>^otheruser@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity])
+realm.klist(realm.user_princ)
+
+# Fail an || rule.
+rule = '||<SUBJECT>O=OTHER.COM<SAN>^otheruser@KRBTEST.COM$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+msg = 'kinit: Certificate mismatch while getting initial credentials'
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_identity],
+            expected_code=1, expected_msg=msg)
+
+# Authorize a client cert with no PKINIT extensions using subject and
+# issuer.  (Relies on EKU checking being turned off.)
+rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
+realm.klist(realm.user_princ)
+
 if not have_soft_pkcs11:
     skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
 
@@ -251,6 +373,14 @@ realm.kinit(realm.user_princ,
 realm.klist(realm.user_princ)
 realm.run([kvno, realm.host_princ])
 
+# Supply the wrong PIN, and verify that we ignore the draft9 padata offer
+# in the KDC method data after RFC 4556 PKINIT fails.
+expected_trace = ('PKINIT client has no configured identity; giving up',
+                  'PKINIT client ignoring draft 9 offer from RFC 4556 KDC')
+realm.kinit(realm.user_princ,
+            flags=['-X', 'X509_user_identity=%s' % p11_identity],
+            password='wrong', expected_code=1, expected_trace=expected_trace)
+
 # PKINIT with PKCS11: identity, with a PIN supplied by the responder.
 # Supply the response in raw form.
 realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity,
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index bfec96a93212..26c4e466e4f0 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -7,35 +7,27 @@ realm = K5Realm(create_host=False, start_kadmind=True)
 # Test password quality enforcement.
 realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
-out = realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1)
-if 'Password is too short' not in out:
-    fail('short password')
-out = realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'],
-                expected_code=1)
-if 'Password does not contain enough character classes' not in out:
-    fail('insufficient character classes')
+realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1,
+          expected_msg='Password is too short')
+realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1,
+          expected_msg='Password does not contain enough character classes')
 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
 
 # Test some password history enforcement.  Even with no history value,
 # the current password should be denied.
-out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-                expected_code=1)
-if 'Cannot reuse password' not in out:
-    fail('reuse of current password')
+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
+          expected_msg='Cannot reuse password')
 realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
 realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
-out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-                expected_code=1)
-if 'Cannot reuse password' not in out:
-    fail('reuse of old password')
+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
+          expected_msg='Cannot reuse password')
 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
 
 # Test references to nonexistent policies.
 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
-out = realm.run([kadminl, 'getprinc', 'newuser'])
-if 'Policy: newpol [does not exist]\n' not in out:
-    fail('getprinc output for principal referencing nonexistent policy')
+realm.run([kadminl, 'getprinc', 'newuser'],
+          expected_msg='Policy: newpol [does not exist]\n')
 realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
 # pwuser should allow reuse of the current password since newpol doesn't exist.
 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
@@ -45,29 +37,20 @@ realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
 
 # Create newpol and verify that it is enforced.
 realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
-out = realm.run([kadminl, 'getprinc', 'pwuser'])
-if 'Policy: newpol\n' not in out:
-    fail('getprinc after creating policy (pwuser)')
-out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1)
-if 'Password is too short' not in out:
-    fail('short password after creating policy (pwuser)')
-out = realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'],
-                expected_code=1)
-if 'Cannot reuse password' not in out:
-    fail('reuse of current password after creating policy')
+realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
+realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1,
+          expected_msg='Password is too short')
+realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1,
+          expected_msg='Cannot reuse password')
 
-out = realm.run([kadminl, 'getprinc', 'newuser'])
-if 'Policy: newpol\n' not in out:
-    fail('getprinc after creating policy (newuser)')
-out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1)
-if 'Password is too short' not in out:
-    fail('short password after creating policy (newuser)')
+realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
+realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1,
+          expected_msg='Password is too short')
 
 # Delete the policy and verify that it is no longer enforced.
 realm.run([kadminl, 'delpol', 'newpol'])
-out = realm.run([kadminl, 'getpol', 'newpol'], expected_code=1)
-if 'Policy does not exist' not in out:
-    fail('deletion of referenced policy')
+realm.run([kadminl, 'getpol', 'newpol'], expected_code=1,
+          expected_msg='Policy does not exist')
 realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
 
 # Test basic password lockout support.
@@ -78,18 +61,14 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
            'user'])
 
 # kinit twice with the wrong password.
-output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
-if 'Password incorrect while getting initial credentials' not in output:
-    fail('Expected error message not seen in kinit output')
-output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
-if 'Password incorrect while getting initial credentials' not in output:
-    fail('Expected error message not seen in kinit output')
+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
+          expected_msg='Password incorrect while getting initial credentials')
+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
+          expected_msg='Password incorrect while getting initial credentials')
 
 # Now the account should be locked out.
-output = realm.run([kinit, realm.user_princ], expected_code=1)
-if 'Client\'s credentials have been revoked while getting initial credentials' \
-        not in output:
-    fail('Expected lockout error message not seen in kinit output')
+m = 'Client\'s credentials have been revoked while getting initial credentials'
+realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=m)
 
 # Check that modprinc -unlock allows a further attempt.
 realm.run([kadminl, 'modprinc', '-unlock', 'user'])
@@ -113,10 +92,8 @@ realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
 # Swap the keys, simulating older kadmin having chosen the second entry.
 realm.run(['./hist', 'swap'])
 # Make sure we can read the history entry.
-out = realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'],
-                expected_code=1)
-if 'Cannot reuse password' not in out:
-    fail('Expected error not seen in output')
+realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
+          expected_msg='Cannot reuse password')
 
 # Test key/salt constraints.
 
@@ -142,9 +119,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
 
 # Test modpol.
 realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
-out = realm.run([kadminl, 'getpol', 'ak'])
-if not 'Allowed key/salt types: aes256-cts,rc4-hmac' in out:
-    fail('getpol does not implement allowedkeysalts?')
+realm.run([kadminl, 'getpol', 'ak'],
+          expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')
 
 # Test subsets and full set.
 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
@@ -153,19 +129,14 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
 
 # Check that the order we got is the one from the policy.
-out = realm.run([kadminl, 'getprinc', '-terse', 'server'])
-if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in out:
-    fail('allowed_keysalts policy did not preserve order')
+realm.run([kadminl, 'getprinc', '-terse', 'server'],
+          expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')
 
 # Test partially intersecting sets.
-out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts',
-                 'server'], expected_code=1)
-if not 'Invalid key/salt tuples' in out:
-    fail('allowed_keysalts policy not applied properly')
-out = realm.run([kadminl, 'cpw', '-randkey', '-e',
-                 'rc4-hmac,aes256-cts,aes128-cts', 'server'], expected_code=1)
-if not 'Invalid key/salt tuples' in out:
-    fail('allowed_keysalts policy not applied properly')
+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'],
+          expected_code=1, expected_msg='Invalid key/salt tuples')
+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts',
+           'server'], expected_code=1, expected_msg='Invalid key/salt tuples')
 
 # Test reset of allowedkeysalts.
 realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py
index 0ef8bbca4c4f..fec0bf619ed8 100644
--- a/src/tests/t_preauth.py
+++ b/src/tests/t_preauth.py
@@ -10,18 +10,177 @@ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
 realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
 realm.run([kadminl, 'setstr', realm.user_princ, 'teststring', 'testval'])
 realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser'])
-out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
-if 'testval' not in out:
-    fail('Decrypted string attribute not in kinit output')
-out = realm.run([kinit, 'nokeyuser'], input=password('user')+'\n',
-                expected_code=1)
-if 'no key' not in out:
-    fail('Expected "no key" message not in kinit output')
-
-# Exercise KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
+realm.kinit(realm.user_princ, password('user'), expected_msg='testval')
+realm.kinit('nokeyuser', password('user'), expected_code=1,
+            expected_msg='no key')
+
+# Preauth type -123 is the test preauth module type; 133 is FAST
+# PA-FX-COOKIE; 2 is encrypted timestamp.
+
+# Test normal preauth flow.
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  'Decrypted AS reply')
+realm.run(['./icred', realm.user_princ, password('user')],
+          expected_msg='testval', expected_trace=expected_trace)
+
+# Test successful optimistic preauth.
+expected_trace = ('Attempting optimistic preauth',
+                  'Processing preauth types: -123',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: -123',
+                  'Decrypted AS reply')
+realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
+          expected_trace=expected_trace)
+
+# Test optimistic preauth failing on client, followed by successful
+# preauth using the same module.
+expected_trace = ('Attempting optimistic preauth',
+                  'Processing preauth types: -123',
+                  '/induced optimistic fail',
+                  'Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  'Decrypted AS reply')
+realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ,
+           password('user')], expected_msg='testval',
+          expected_trace=expected_trace)
+
+# Test optimistic preauth failing on KDC, followed by successful preauth
+# using the same module.
+realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes'])
+expected_trace = ('Attempting optimistic preauth',
+                  'Processing preauth types: -123',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: -123',
+                  '/Preauthentication failed',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  'Decrypted AS reply')
+realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
+          expected_msg='testval', expected_trace=expected_trace)
+realm.run([kadminl, 'delstr', realm.user_princ, 'failopt'])
+
+# Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
 realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip'])
-out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
-if '2rt: secondtrip' not in out:
-    fail('multi round-trip cookie test')
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/More preauthentication data is required',
+                  'Continuing preauth mech -123',
+                  'Processing preauth types: -123, 133',
+                  'Produced preauth for next request: 133, -123',
+                  'Decrypted AS reply')
+realm.run(['./icred', realm.user_princ, password('user')],
+          expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+
+# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
+# falling back to encrypted timestamp.
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/More preauthentication data is required',
+                  'Continuing preauth mech -123',
+                  'Processing preauth types: -123, 133',
+                  '/induced 2rt fail',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Encrypted timestamp (for ',
+                  'module encrypted_timestamp (2) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, 2',
+                  'Decrypted AS reply')
+realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')],
+          expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+
+# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
+# falling back to encrypted timestamp.
+realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes'])
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/More preauthentication data is required',
+                  'Continuing preauth mech -123',
+                  'Processing preauth types: -123, 133',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/Preauthentication failed',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Encrypted timestamp (for ',
+                  'module encrypted_timestamp (2) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, 2',
+                  'Decrypted AS reply')
+realm.run(['./icred', realm.user_princ, password('user')],
+          expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt'])
+
+# Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC.
+realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain'])
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/KDC has no support for encryption type',
+                  'Recovering from KDC error 14 using preauth mech -123',
+                  'Preauth tryagain input types (-123): -123, 133',
+                  'Preauth module test (-123) tryagain returned: 0/Success',
+                  'Followup preauth for next request: -123, 133',
+                  'Decrypted AS reply')
+realm.run(['./icred', realm.user_princ, password('user')],
+          expected_msg='tryagain: testagain', expected_trace=expected_trace)
+
+# Test a client-side tryagain failure, falling back to encrypted
+# timestamp.
+expected_trace = ('Sending unauthenticated request',
+                  '/Additional pre-authentication required',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Preauth module test (-123) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, -123',
+                  '/KDC has no support for encryption type',
+                  'Recovering from KDC error 14 using preauth mech -123',
+                  'Preauth tryagain input types (-123): -123, 133',
+                  '/induced tryagain fail',
+                  'Preauthenticating using KDC method data',
+                  'Processing preauth types:',
+                  'Encrypted timestamp (for ',
+                  'module encrypted_timestamp (2) (real) returned: 0/Success',
+                  'Produced preauth for next request: 133, 2',
+                  'Decrypted AS reply')
+realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ,
+           password('user')], expected_trace=expected_trace)
+
+# Test that multiple stepwise initial creds operations can be
+# performed with the same krb5_context, with proper tracking of
+# clpreauth module request handles.
+realm.run([kadminl, 'addprinc', '-pw', 'pw', 'u1'])
+realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u2'])
+realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u3'])
+realm.run([kadminl, 'setstr', 'u2', '2rt', 'extra'])
+out = realm.run(['./icinterleave', 'pw', 'u1', 'u2', 'u3'])
+if out != ('step 1\nstep 2\nstep 3\nstep 1\nfinish 1\nstep 2\nno attr\n'
+           'step 3\nno attr\nstep 2\n2rt: extra\nstep 3\nfinish 3\nstep 2\n'
+           'finish 2\n'):
+    fail('unexpected output from icinterleave')
 
 success('Pre-authentication framework tests')
diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
index 0d1d387d820d..011110bd1acf 100755
--- a/src/tests/t_pwqual.py
+++ b/src/tests/t_pwqual.py
@@ -18,29 +18,24 @@ f.close()
 realm.run([kadminl, 'addpol', 'pol'])
 
 # The built-in "empty" module rejects empty passwords even without a policy.
-out = realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1)
-if 'Empty passwords are not allowed' not in out:
-    fail('Expected error not seen for empty password')
+realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
+          expected_msg='Empty passwords are not allowed')
 
 # The built-in "dict" module rejects dictionary words, but only with a policy.
 realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
-out = realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
-                expected_code=1)
-if 'Password is in the password dictionary' not in out:
-    fail('Expected error not seen from dictionary password')
+realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
+          expected_code=1,
+          expected_msg='Password is in the password dictionary')
 
 # The built-in "princ" module rejects principal components, only with a policy.
 realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
-out = realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
-                expected_code=1)
-if 'Password may not match principal name' not in out:
-    fail('Expected error not seen from principal component')
+realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
+          expected_code=1,
+          expected_msg='Password may not match principal name')
 
 # The dynamic "combo" module rejects pairs of dictionary words.
-out = realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'],
-                expected_code=1)
-if 'Password may not be a pair of dictionary words' not in out:
-    fail('Expected error not seen from combo module')
+realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
+          expected_msg='Password may not be a pair of dictionary words')
 
 # These plugin ordering tests aren't specifically related to the
 # password quality interface, but are convenient to put here.
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 559fbd5f7c73..98fdf2925616 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -17,15 +17,18 @@ os.rename(realm.ccache, savefile)
 # Get credentials and check that we got a referral to REFREALM.
 def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
-    realm.run(['./gcred', nametype, 'a/x.d'])
-    realm.klist(realm.user_princ, 'a/x.d@REFREALM')
+    realm.run(['./gcred', nametype, 'a/x.d@'])
+    out = realm.run([klist]).split('\n')
+    if len(out) != 8:
+        fail('unexpected number of lines in klist output')
+    if out[5].split()[4] != 'a/x.d@' or out[6].split()[4] != 'a/x.d@REFREALM':
+        fail('unexpected service principals in klist output')
 
 # Get credentials and check that we get an error, not a referral.
 def testfail(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
-    out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1)
-    if 'not found in Kerberos database' not in out:
-        fail('unexpected error')
+    realm.run(['./gcred', nametype, 'a/x.d@'], expected_code=1,
+              expected_msg='not found in Kerberos database')
 
 # Create a modified KDC environment and restart the KDC.
 def restart_kdc(realm, kdc_conf):
@@ -116,9 +119,8 @@ r1, r2 = cross_realms(2, xtgts=(),
                       create_host=False)
 r2.addprinc('abc\@XYZ', 'pw')
 r1.start_kdc()
-out = r1.kinit('user', expected_code=1)
-if 'not found in Kerberos database' not in out:
-    fail('Expected error not seen for referral without canonicalize flag')
+r1.kinit('user', expected_code=1,
+         expected_msg='not found in Kerberos database')
 r1.kinit('user', password('user'), ['-C'])
 r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
 r1.kinit('abc@XYZ', 'pw', ['-E'])
diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
index a5f0d4bc1479..034190c80e78 100755
--- a/src/tests/t_renew.py
+++ b/src/tests/t_renew.py
@@ -1,26 +1,55 @@
 #!/usr/bin/python
 from k5test import *
+from datetime import datetime
+import re
 
 conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}}}
 realm = K5Realm(create_host=False, get_creds=False, kdc_conf=conf)
 
-def test(testname, life, rlife, expect_renewable, env=None):
+def test(testname, life, rlife, exp_life, exp_rlife, env=None):
     global realm
     flags = ['-l', life]
     if rlife is not None:
         flags += ['-r', rlife]
     realm.kinit(realm.user_princ, password('user'), flags=flags, env=env)
-    out = realm.run([klist])
+    out = realm.run([klist, '-f'])
+
     if ('Default principal: %s\n' % realm.user_princ) not in out:
         fail('%s: did not get tickets' % testname)
-    renewable = 'renew until' in out
-    if renewable and not expect_renewable:
-        fail('%s: tickets unexpectedly renewable' % testname)
-    elif not renewable and expect_renewable:
-        fail('%s: tickets unexpectedly non-renewable' % testname)
+
+    # Extract flags and check the renewable flag against expectations.
+    flags = re.findall(r'Flags: ([a-zA-Z]*)', out)[0]
+    if exp_rlife is None and 'R' in flags:
+        fail('%s: ticket unexpectedly renewable' % testname)
+    if exp_rlife is not None and 'R' not in flags:
+        fail('%s: ticket unexpectedly non-renewable' % testname)
+
+    # Extract the start time, end time, and renewable end time if present.
+    times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
+    times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
+    starttime = times[0]
+    endtime = times[1]
+    rtime = times[2] if len(times) >= 3 else None
+
+    # Check the ticket lifetime against expectations.  If the lifetime
+    # was determined by the request, there may be a small error
+    # because KDC requests contain an end time rather than a lifetime.
+    life = (endtime - starttime).seconds
+    if abs(life - exp_life) > 5:
+        fail('%s: expected life %d, got %d' % (testname, exp_life, life))
+
+    # Check the ticket renewable lifetime against expectations.
+    if exp_rlife is None and rtime is not None:
+        fail('%s: ticket has unexpected renew_till' % testname)
+    if exp_rlife is not None and rtime is None:
+        fail('%s: ticket is renewable but has no renew_till' % testname)
+    if rtime is not None:
+        rlife = (rtime - starttime).seconds
+        if abs(rlife - exp_rlife) > 5:
+            fail('%s: expected rlife %d, got %d' (testname, exp_rlife, rlife))
 
 # Get renewable tickets.
-test('simple', '1h', '2h', True)
+test('simple', '1h', '2h', 3600, 7200)
 
 # Renew twice, to test that renewed tickets are renewable.
 realm.kinit(realm.user_princ, flags=['-R'])
@@ -31,49 +60,50 @@ realm.klist(realm.user_princ)
 realm.run([kvno, realm.user_princ])
 
 # Make sure we can't renew non-renewable tickets.
-test('non-renewable', '1h', '1h', False)
-out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
-if "KDC can't fulfill requested option" not in out:
-    fail('expected error not seen renewing non-renewable ticket')
+test('non-renewable', '1h', None, 3600, None)
+realm.kinit(realm.user_princ, flags=['-R'], expected_code=1,
+            expected_msg="KDC can't fulfill requested option")
 
 # Test that -allow_renewable on the client principal works.
 realm.run([kadminl, 'modprinc', '-allow_renewable', 'user'])
-test('disallowed client', '1h', '2h', False)
+test('disallowed client', '1h', '2h', 3600, None)
 realm.run([kadminl, 'modprinc', '+allow_renewable', 'user'])
 
 # Test that -allow_renewable on the server principal works.
 realm.run([kadminl, 'modprinc', '-allow_renewable',  realm.krbtgt_princ])
-test('disallowed server', '1h', '2h', False)
+test('disallowed server', '1h', '2h', 3600, None)
 realm.run([kadminl, 'modprinc', '+allow_renewable', realm.krbtgt_princ])
 
-# Test that non-renewable tickets are issued if renew_till < till.
-test('short', '2h', '1h', False)
+# Test that trivially renewable tickets are issued if renew_till <=
+# till.  (Our client code bumps up the requested renewable life to the
+# requested life.)
+test('short', '2h', '1h', 7200, 7200)
 
 # Test that renewable tickets are issued if till > max life by
 # default, but not if we configure away the RENEWABLE-OK option.
 no_opts_conf = {'libdefaults': {'kdc_default_options': '0'}}
 no_opts = realm.special_env('no_opts', False, krb5_conf=no_opts_conf)
 realm.run([kadminl, 'modprinc', '-maxlife', '10 hours', 'user'])
-test('long', '15h', None, True)
-test('long noopts', '15h', None, False, env=no_opts)
+test('long', '15h', None, 10 * 3600, 15 * 3600)
+test('long noopts', '15h', None, 10 * 3600, None, env=no_opts)
 realm.run([kadminl, 'modprinc', '-maxlife', '20 hours', 'user'])
 
 # Test maximum renewable life on the client principal.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '5 hours', 'user'])
-test('maxrenewlife client yes', '4h', '5h', True)
-test('maxrenewlife client no', '6h', '10h', False)
+test('maxrenewlife client 1', '4h', '5h', 4 * 3600, 5 * 3600)
+test('maxrenewlife client 2', '6h', '10h', 6 * 3600, 5 * 3600)
 
 # Test maximum renewable life on the server principal.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours',
            realm.krbtgt_princ])
-test('maxrenewlife server yes', '2h', '3h', True)
-test('maxrenewlife server no', '4h', '8h', False)
+test('maxrenewlife server 1', '2h', '3h', 2 * 3600, 3 * 3600)
+test('maxrenewlife server 2', '4h', '8h', 4 * 3600, 3 * 3600)
 
 # Test realm maximum life.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours', 'user'])
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours',
            realm.krbtgt_princ])
-test('maxrenewlife realm yes', '10h', '20h', True)
-test('maxrenewlife realm no', '21h', '40h', False)
+test('maxrenewlife realm 1', '10h', '20h', 10 * 3600, 20 * 3600)
+test('maxrenewlife realm 2', '21h', '40h', 20 * 3600, 20 * 3600)
 
 success('Renewing credentials')
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
index e923c92d13eb..ddb1905ed567 100755
--- a/src/tests/t_salt.py
+++ b/src/tests/t_salt.py
@@ -62,13 +62,11 @@ for ks in dup_kstypes:
 # fails.
 def test_reject_afs3(realm, etype):
     query = 'ank -e ' + etype + ':afs3 -pw password princ1'
-    out = realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-                     'princ1'], expected_code=1)
-    if 'Invalid key generation parameters from KDC' not in out:
-        fail('Allowed afs3 salt for ' + etype)
-    out = realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1)
-    if 'Principal does not exist' not in out:
-        fail('Created principal with afs3 salt and enctype ' + etype)
+    realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
+               'princ1'], expected_code=1,
+              expected_msg='Invalid key generation parameters from KDC')
+    realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
+              expected_msg='Principal does not exist')
 
 # Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
 # We do not currently do any verification on the key-generation parameters
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
index b729710702ea..f2ae066951ab 100755
--- a/src/tests/t_skew.py
+++ b/src/tests/t_skew.py
@@ -37,22 +37,16 @@ realm.kinit(realm.user_princ, password('user'),
 
 # kinit should detect too much skew in the KDC response.  kinit with
 # FAST should fail from the KDC since the armor AP-REQ won't be valid.
-out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
-if 'Clock skew too great in KDC reply' not in out:
-    fail('Expected error message not seen in kinit skew case')
-out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache],
-                  expected_code=1)
-if 'Clock skew too great while' not in out:
-    fail('Expected error message not seen in kinit FAST skew case')
+realm.kinit(realm.user_princ, password('user'), expected_code=1,
+            expected_msg='Clock skew too great in KDC reply')
+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
+            expected_msg='Clock skew too great while')
 
 # kinit (with preauth) should fail from the KDC, with or without FAST.
 realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
-if 'Clock skew too great while' not in out:
-    fail('Expected error message not seen in kinit skew case (preauth)')
-out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache],
-                  expected_code=1)
-if 'Clock skew too great while' not in out:
-    fail('Expected error message not seen in kinit FAST skew case (preauth)')
+realm.kinit(realm.user_princ, password('user'), expected_code=1,
+            expected_msg='Clock skew too great while')
+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
+            expected_msg='Clock skew too great while')
 
 success('Clock skew tests')
diff --git a/src/tests/t_stringattr.py b/src/tests/t_stringattr.py
index 281c8726f629..5672a0f2006b 100755
--- a/src/tests/t_stringattr.py
+++ b/src/tests/t_stringattr.py
@@ -28,9 +28,7 @@ realm = K5Realm(start_kadmind=True, create_host=False, get_creds=False)
 
 realm.prep_kadmin()
 
-out = realm.run_kadmin(['getstrs', 'user'])
-if '(No string attributes.)' not in out:
-    fail('Empty attribute query')
+realm.run_kadmin(['getstrs', 'user'], expected_msg='(No string attributes.)')
 
 realm.run_kadmin(['setstr', 'user', 'attr1', 'value1'])
 realm.run_kadmin(['setstr', 'user', 'attr2', 'value2'])
diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py
new file mode 100644
index 000000000000..02e946df46bf
--- /dev/null
+++ b/src/tests/t_y2038.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+from k5test import *
+
+# These tests will become much less important after the y2038 boundary
+# has elapsed, and may start exhibiting problems around the year 2075.
+
+if runenv.sizeof_time_t <= 4:
+    skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
+
+# Start a KDC running roughly 21 years in the future, after the y2038
+# boundary.  Set long maximum lifetimes for later tests.
+conf = {'realms': {'$realm': {'max_life': '9000d',
+                              'max_renewable_life': '9000d'}}}
+realm = K5Realm(start_kdc=False, kdc_conf=conf)
+realm.start_kdc(['-T', '662256000'])
+
+# kinit without preauth should succeed with clock skew correction, but
+# will result in an expired ticket, because we sent an absolute end
+# time and didn't get a chance to correct it..
+realm.kinit(realm.user_princ, password('user'))
+realm.run([kvno, realm.host_princ], expected_code=1,
+          expected_msg='Ticket expired')
+
+# kinit with preauth should succeed and result in a valid ticket, as
+# we get a chance to correct the end time based on the KDC time.  Try
+# with encrypted timestamp and encrypted challenge.
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
+realm.kinit(realm.user_princ, password('user'))
+realm.run([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run([kvno, realm.host_princ])
+
+# Test that expiration warning works after y2038, by setting a
+# password expiration time ten minutes after the KDC time.
+realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
+out = realm.kinit(realm.user_princ, password('user'))
+if 'will expire in less than one hour' not in out:
+    fail('password expiration message')
+year = int(out.split()[-1])
+if year < 2038 or year > 9999:
+    fail('password expiration year')
+
+realm.stop_kdc()
+realm.start_kdc()
+realm.start_kadmind()
+realm.prep_kadmin()
+
+# Test getdate parsing of absolute timestamps after 2038 and
+# marshalling over the kadmin protocol.  The local time zone will
+# affect the display time by a little bit, so just look for the year.
+realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
+realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
+
+# Get a ticket whose lifetime crosses the y2038 boundary and
+# range-check the expiration year as reported by klist.
+realm.kinit(realm.user_princ, password('user'),
+            flags=['-l', '8000d', '-r', '8500d'])
+realm.run([kvno, realm.host_princ])
+out = realm.run([klist])
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
+    fail('unexpected tgt expiration year')
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
+    fail('unexpected tgt rtill year')
+if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
+    fail('unexpected service ticket expiration year')
+if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
+    fail('unexpected service ticket rtill year')
+realm.kinit(realm.user_princ, None, ['-R'])
+out = realm.run([klist])
+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
+    fail('unexpected renewed tgt expiration year')
+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
+    fail('unexpected renewed tgt rtill year')
+
+success('y2038 tests')
diff --git a/src/util/depfix.pl b/src/util/depfix.pl
index c8df54cbb29d..9982fa0d84ea 100755
--- a/src/util/depfix.pl
+++ b/src/util/depfix.pl
@@ -147,7 +147,7 @@ sub do_subs_2 {
 	s;com_err.h ;\$(COM_ERR_DEPS) ;g;
     }
     if ($thisdir eq "lib/krb5/ccache") {
-	# These files are only used (and kcmrpc.h only generated) on OS X.
+	# These files are only used (and kcmrpc.h only generated) on macOS.
 	# There are conditional dependencies in Makefile.in.
 	s;kcmrpc.h ;;g;
 	s;kcmrpc_types.h ;;g;
diff --git a/src/util/k5test.py b/src/util/k5test.py
index c3d0263773be..4d30baf40454 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -223,8 +223,11 @@ Scripts may use the following realm methods and attributes:
   command-line debugging options.  Fail if the command does not return
   0.  Log the command output appropriately, and return it as a single
   multi-line string.  Keyword arguments can contain input='string' to
-  send an input string to the command, and expected_code=N to expect a
-  return code other than 0.
+  send an input string to the command, expected_code=N to expect a
+  return code other than 0, expected_msg=MSG to expect a substring in
+  the command output, and expected_trace=('a', 'b', ...) to expect an
+  ordered series of line substrings in the command's KRB5_TRACE
+  output.
 
 * realm.kprop_port(): Returns a port number based on realm.portbase
   intended for use by kprop and kpropd.
@@ -647,10 +650,31 @@ def _stop_or_shell(stop, shell, env, ind):
         subprocess.call(os.getenv('SHELL'), env=env)
 
 
-def _run_cmd(args, env, input=None, expected_code=0):
+# Read tracefile and look for the expected strings in successive lines.
+def _check_trace(tracefile, expected):
+    output('*** Trace output for previous command:\n')
+    i = 0
+    with open(tracefile, 'r') as f:
+        for line in f:
+            output(line)
+            if i < len(expected) and expected[i] in line:
+                i += 1
+    if i < len(expected):
+        fail('Expected string not found in trace output: ' + expected[i])
+
+
+def _run_cmd(args, env, input=None, expected_code=0, expected_msg=None,
+             expected_trace=None):
     global null_input, _cmd_index, _last_cmd, _last_cmd_output, _debug
     global _stop_before, _stop_after, _shell_before, _shell_after
 
+    if expected_trace is not None:
+        tracefile = 'testtrace'
+        if os.path.exists(tracefile):
+            os.remove(tracefile)
+        env = env.copy()
+        env['KRB5_TRACE'] = tracefile
+
     if (_match_cmdnum(_debug, _cmd_index)):
         return _debug_cmd(args, env, input)
 
@@ -679,6 +703,13 @@ def _run_cmd(args, env, input=None, expected_code=0):
     # Check the return code and return the output.
     if code != expected_code:
         fail('%s failed with code %d.' % (args[0], code))
+
+    if expected_msg is not None and expected_msg not in outdata:
+        fail('Expected string not found in command output: ' + expected_msg)
+
+    if expected_trace is not None:
+        _check_trace(tracefile, expected_trace)
+
     return outdata
 
 
diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c
index e7c1f65aa09f..1baceea9e8a9 100644
--- a/src/util/profile/prof_parse.c
+++ b/src/util/profile/prof_parse.c
@@ -222,12 +222,16 @@ static errcode_t parse_include_file(const char *filename,
 }
 
 /* Return non-zero if filename contains only alphanumeric characters, dashes,
- * and underscores, or if the filename ends in ".conf". */
+ * and underscores, or if the filename ends in ".conf" and is not a dotfile. */
 static int valid_name(const char *filename)
 {
     const char *p;
     size_t len = strlen(filename);
 
+    /* Ignore dotfiles, which might be editor or filesystem artifacts. */
+    if (*filename == '.')
+        return 0;
+
     if (len >= 5 && !strcmp(filename + len - 5, ".conf"))
         return 1;
 
diff --git a/src/util/profile/profile_tcl.c b/src/util/profile/profile_tcl.c
index cac46270bf43..4f7a86a57218 100644
--- a/src/util/profile/profile_tcl.c
+++ b/src/util/profile/profile_tcl.c
@@ -3102,8 +3102,6 @@ SWIG_InitializeModule(void *clientdata) {
   swig_module_info *module_head, *iter;
   int found, init;
 
-  clientdata = clientdata;
-
   /* check to see if the circular list has been setup, if not, set it up */
   if (swig_module.next==0) {
     /* Initialize the swig_module */
diff --git a/src/util/ss/data.c b/src/util/ss/data.c
index 1a56dc76f99f..e0b09959724e 100644
--- a/src/util/ss/data.c
+++ b/src/util/ss/data.c
@@ -10,8 +10,5 @@
 #include "ss_internal.h"
 #include "copyright.h"
 
-const static char copyright[] =
-    "Copyright 1987, 1988, 1989 by the Massachusetts Institute of Technology";
-
 ss_data **_ss_table = (ss_data **)NULL;
 char *_ss_pager_name = (char *)NULL;
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index 6239e41761ee..0bf0b7a87277 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -143,6 +143,7 @@ SRCS=\
 	$(srcdir)/bcmp.c \
 	$(srcdir)/strerror_r.c \
 	$(srcdir)/t_utf8.c \
+	$(srcdir)/t_utf16.c \
 	$(srcdir)/getopt.c \
 	$(srcdir)/getopt_long.c
 
@@ -220,7 +221,12 @@ t_unal: t_unal.o
 t_utf8: t_utf8.o utf8.o
 	$(CC_LINK) -o t_utf8 t_utf8.o utf8.o
 
-TEST_PROGS= t_k5buf t_path t_path_win t_base64 t_json t_unal t_utf8
+T_UTF16_OBJS= t_utf16.o utf8_conv.o utf8.o k5buf.o $(PRINTF_ST_OBJ)
+
+t_utf16: $(T_UTF16_OBJS)
+	$(CC_LINK) -o $@ $(T_UTF16_OBJS)
+
+TEST_PROGS= t_k5buf t_path t_path_win t_base64 t_json t_unal t_utf8 t_utf16
 
 check-unix: $(TEST_PROGS)
 	./t_k5buf
@@ -230,11 +236,13 @@ check-unix: $(TEST_PROGS)
 	./t_json
 	./t_unal
 	./t_utf8
+	./t_utf16
 
 clean:
 	$(RM) t_k5buf.o t_k5buf t_unal.o t_unal path_win.o path_win
 	$(RM) t_path_win.o t_path_win t_path.o t_path t_base64.o t_base64
 	$(RM) t_json.o t_json libkrb5support.exports t_utf8.o t_utf8
+	$(RM) t_utf16.o t_utf16
 
 @lib_frag@
 @libobj_frag@
diff --git a/src/util/support/cache-addrinfo.h b/src/util/support/cache-addrinfo.h
index a1b7fb28becb..40752ab5f4a7 100644
--- a/src/util/support/cache-addrinfo.h
+++ b/src/util/support/cache-addrinfo.h
@@ -52,12 +52,12 @@
  * the data structures and flag values locally.
  *
  *
- * On Mac OS X, getaddrinfo results aren't cached (though
- * gethostbyname results are), so we need to build a cache here.  Now
- * things are getting really messy.  Because the cache is in use, we
- * use getservbyname, and throw away thread safety.  (Not that the
- * cache is thread safe, but when we get locking support, that'll be
- * dealt with.)  This code needs tearing down and rebuilding, soon.
+ * On macOS, getaddrinfo results aren't cached (though gethostbyname
+ * results are), so we need to build a cache here.  Now things are
+ * getting really messy.  Because the cache is in use, we use
+ * getservbyname, and throw away thread safety.  (Not that the cache
+ * is thread safe, but when we get locking support, that'll be dealt
+ * with.)  This code needs tearing down and rebuilding, soon.
  *
  *
  * Note that recent Windows developers' code has an interesting hack:
diff --git a/src/util/support/deps b/src/util/support/deps
index 4dff014f463b..34d8a884b330 100644
--- a/src/util/support/deps
+++ b/src/util/support/deps
@@ -33,7 +33,8 @@ utf8.so utf8.po $(OUTPRE)utf8.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
   $(top_srcdir)/include/k5-utf8.h supp-int.h utf8.c
 utf8_conv.so utf8_conv.po $(OUTPRE)utf8_conv.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-platform.h \
+  $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-utf8.h \
   supp-int.h utf8_conv.c
 gettimeofday.so gettimeofday.po $(OUTPRE)gettimeofday.$(OBJEXT): \
@@ -84,6 +85,9 @@ strerror_r.so strerror_r.po $(OUTPRE)strerror_r.$(OBJEXT): \
 t_utf8.so t_utf8.po $(OUTPRE)t_utf8.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
   $(top_srcdir)/include/k5-utf8.h t_utf8.c
+t_utf16.so t_utf16.po $(OUTPRE)t_utf16.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-utf8.h t_utf16.c
 getopt.so getopt.po $(OUTPRE)getopt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
   getopt.c
diff --git a/src/util/support/fake-addrinfo.c b/src/util/support/fake-addrinfo.c
index df1cc1dec558..3ee162e0d28b 100644
--- a/src/util/support/fake-addrinfo.c
+++ b/src/util/support/fake-addrinfo.c
@@ -52,7 +52,7 @@
  * the data structures and flag values locally.
  *
  *
- * On Mac OS X, getaddrinfo results aren't cached (though
+ * On macOS, getaddrinfo results aren't cached (though
  * gethostbyname results are), so we need to build a cache here.  Now
  * things are getting really messy.  Because the cache is in use, we
  * use getservbyname, and throw away thread safety.  (Not that the
@@ -331,18 +331,6 @@ system_freeaddrinfo (struct addrinfo *ai)
     freeaddrinfo(ai);
 }
 
-/* Note: Implementations written to RFC 2133 use size_t, while RFC
-   2553 implementations use socklen_t, for the second parameter.
-
-   Mac OS X (10.2) and AIX 4.3.3 appear to be in the RFC 2133 camp,
-   but we don't have an autoconf test for that right now.  */
-static inline int
-system_getnameinfo (const struct sockaddr *sa, socklen_t salen,
-                    char *host, size_t hostlen, char *serv, size_t servlen,
-                    int flags)
-{
-    return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
-}
 #endif
 
 #if !defined (HAVE_GETADDRINFO) || defined(WRAP_GETADDRINFO) || defined(FAI_CACHE)
@@ -697,7 +685,7 @@ static inline int fai_add_hosts_by_name (const char *name,
            sometimes associates it with the specified service,
            sometimes not.
 
-           But on Mac OS X (10.3, 10.4) they've "extended" getaddrinfo
+           But on macOS (10.3, 10.4) they've "extended" getaddrinfo
            to make SRV RR queries.  (Please, somebody, show me
            something in the specs that actually supports this?  RFC
            3493 says nothing about it, but it does say getaddrinfo is
diff --git a/src/util/support/gmt_mktime.c b/src/util/support/gmt_mktime.c
index 32fef4386cd4..ac7752fefed0 100644
--- a/src/util/support/gmt_mktime.c
+++ b/src/util/support/gmt_mktime.c
@@ -78,21 +78,20 @@ static const int days_in_month[12] = {
 static time_t
 gmt_mktime(struct tm *t)
 {
-    time_t accum;
+    uint32_t accum;
 
 #define assert_time(cnd) if(!(cnd)) return (time_t) -1
 
     /*
-     * For 32-bit signed time_t centered on 1/1/1970, the range is:
-     * time 0x80000000 -> Fri Dec 13 16:45:52 1901
-     * time 0x7fffffff -> Mon Jan 18 22:14:07 2038
+     * For 32-bit unsigned time values starting on 1/1/1970, the range is:
+     * time 0x00000000 -> Thu Jan  1 00:00:00 1970
+     * time 0xffffffff -> Sun Feb  7 06:28:15 2106
      *
-     * So years 1901 and 2038 are allowable, but we can't encode all
-     * dates in those years, and we're not doing overflow/underflow
-     * checking for such cases.
+     * We can't encode all dates in 2106, and we're not doing overflow checking
+     * for such cases.
      */
-    assert_time(t->tm_year>=1);
-    assert_time(t->tm_year<=138);
+    assert_time(t->tm_year>=70);
+    assert_time(t->tm_year<=206);
 
     assert_time(t->tm_mon>=0);
     assert_time(t->tm_mon<=11);
diff --git a/src/util/support/libkrb5support-fixed.exports b/src/util/support/libkrb5support-fixed.exports
index d5d4177b72dc..fd74a1897ebb 100644
--- a/src/util/support/libkrb5support-fixed.exports
+++ b/src/util/support/libkrb5support-fixed.exports
@@ -52,6 +52,8 @@ k5_path_isabs
 k5_path_join
 k5_path_split
 k5_strerror_r
+k5_utf8_to_utf16le
+k5_utf16le_to_utf8
 krb5int_key_register
 krb5int_key_delete
 krb5int_getspecific
@@ -77,9 +79,6 @@ krb5int_mutex_free
 krb5int_mutex_lock
 krb5int_mutex_unlock
 krb5int_gmt_mktime
-krb5int_utf8cs_to_ucs2les
-krb5int_utf8s_to_ucs2les
-krb5int_ucs2lecs_to_utf8s
 krb5int_ucs4_to_utf8
 krb5int_utf8_to_ucs4
 krb5int_utf8_lentab
diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
index b0bb2ada8755..47368be9d49b 100644
--- a/src/util/support/plugins.c
+++ b/src/util/support/plugins.c
@@ -592,9 +592,10 @@ krb5int_open_plugin_dirs (const char * const *dirnames,
                     }
                 }
 
-                if (krb5int_open_plugin (filepath, &handle, ep) == 0) {
+                if (!err && krb5int_open_plugin(filepath, &handle, ep) == 0) {
                     err = krb5int_plugin_file_handle_array_add (&h, &count, handle);
-                    if (!err) { handle = NULL; }  /* h takes ownership */
+                    if (!err)
+                        handle = NULL; /* h takes ownership */
                 }
 
                 free(filepath);
diff --git a/src/util/support/t_utf16.c b/src/util/support/t_utf16.c
new file mode 100644
index 000000000000..bc3390a415cd
--- /dev/null
+++ b/src/util/support/t_utf16.c
@@ -0,0 +1,117 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* util/support/t_utf16.c - test UTF-16 conversion functions */
+/*
+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This program tests conversions between UTF-8 and little-endian UTF-16, with
+ * an eye mainly towards covering UTF-16 edge cases and UTF-8 decoding results
+ * which we detect as invalid in utf8_conv.c.  t_utf8.c covers more UTF-8 edge
+ * cases.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "k5-platform.h"
+#include "k5-utf8.h"
+
+struct test {
+    const char *utf8;
+    const char *utf16;
+    size_t utf16len;
+} tests[] = {
+    { "", "", 0 },
+    { "abcd", "a\0b\0c\0d\0", 8 },
+    /* From RFC 2781 (tests code point 0x12345 and some ASCII) */
+    { "\xF0\x92\x8D\x85=Ra", "\x08\xD8\x45\xDF=\0R\0a\0", 10 },
+    /* Lowest and highest Supplementary Plane code points */
+    { "\xF0\x90\x80\x80 \xF4\x8F\xBF\xBF",
+      "\x00\xD8\x00\xDC \0\xFF\xDB\xFF\xDF", 10 },
+    /* Basic Multilingual Plane code points near and above surrogate range */
+    { "\xED\x9F\xBF", "\xFF\xD7", 2 },
+    { "\xEE\x80\x80 \xEE\xBF\xBF", "\x00\xE0 \0\xFF\xEF", 6 },
+    /* Invalid UTF-8: decodes to value in surrogate pair range */
+    { "\xED\xA0\x80", NULL, 0 }, /* 0xD800 */
+    { "\xED\xAF\xBF", NULL, 0 }, /* 0xDBFF */
+    { "\xED\xB0\x80", NULL, 0 }, /* 0xDC00 */
+    { "\xED\xBF\xBF", NULL, 0 }, /* 0xDFFF */
+    /* Invalid UTF-8: decodes to value above Unicode range */
+    { "\xF4\x90\x80\x80", NULL, 0 },
+    { "\xF4\xBF\xBF\xBF", NULL, 0 },
+    { "\xF5\x80\x80\x80", NULL, 0 }, /* thrown out early due to first byte */
+    /* Invalid UTF-16: odd numbers of UTF-16 bytes */
+    { NULL, "\x00", 1 },
+    { NULL, "\x01\x00\x02", 3 },
+    /* Invalid UTF-16: high surrogate without a following low surrogate */
+    { NULL, "\x00\xD8\x00\x00", 4 },
+    { NULL, "\x00\xD8\xFF\xDB", 4 },
+    { NULL, "\xFF\xDB", 2 },
+    /* Invalid UTF-16: low surrogate without a preceding high surrogate */
+    { NULL, "\x61\x00\x00\xDC", 4 },
+    { NULL, "\xFF\xDF\xFF\xDB", 4 },
+};
+
+int
+main(int argc, char **argv)
+{
+    int ret;
+    struct test *t;
+    size_t i, utf16len;
+    uint8_t *utf16;
+    char *utf8;
+
+    for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+        t = &tests[i];
+        if (t->utf8 != NULL) {
+            ret = k5_utf8_to_utf16le(t->utf8, &utf16, &utf16len);
+            if (t->utf16 == NULL) {
+                assert(ret == EINVAL);
+            } else {
+                assert(ret == 0);
+                assert(t->utf16len == utf16len);
+                assert(memcmp(t->utf16, utf16, utf16len) == 0);
+                free(utf16);
+            }
+        }
+
+        if (t->utf16 != NULL) {
+            ret = k5_utf16le_to_utf8((uint8_t *)t->utf16, t->utf16len, &utf8);
+            if (t->utf8 == NULL) {
+                assert(ret == EINVAL);
+            } else {
+                assert(ret == 0);
+                assert(strcmp(t->utf8, utf8) == 0);
+                free(utf8);
+            }
+        }
+    }
+    return 0;
+}
diff --git a/src/util/support/threads.c b/src/util/support/threads.c
index bb8e287ecf75..be7e4c2e3f92 100644
--- a/src/util/support/threads.c
+++ b/src/util/support/threads.c
@@ -237,7 +237,6 @@ void *k5_getspecific (k5_key_t keynum)
     if (err)
         return NULL;
 
-    assert(keynum >= 0 && keynum < K5_KEY_MAX);
     assert(destructors_set[keynum] == 1);
 
 #ifndef ENABLE_THREADS
@@ -271,7 +270,6 @@ int k5_setspecific (k5_key_t keynum, void *value)
     if (err)
         return err;
 
-    assert(keynum >= 0 && keynum < K5_KEY_MAX);
     assert(destructors_set[keynum] == 1);
 
 #ifndef ENABLE_THREADS
@@ -334,8 +332,6 @@ int k5_key_register (k5_key_t keynum, void (*destructor)(void *))
     if (err)
         return err;
 
-    assert(keynum >= 0 && keynum < K5_KEY_MAX);
-
 #ifndef ENABLE_THREADS
 
     assert(destructors_set[keynum] == 0);
@@ -365,8 +361,6 @@ int k5_key_register (k5_key_t keynum, void (*destructor)(void *))
 
 int k5_key_delete (k5_key_t keynum)
 {
-    assert(keynum >= 0 && keynum < K5_KEY_MAX);
-
 #ifndef ENABLE_THREADS
 
     assert(destructors_set[keynum] == 1);
diff --git a/src/util/support/utf8.c b/src/util/support/utf8.c
index e42c0c7dc82b..34e2b6adb059 100644
--- a/src/util/support/utf8.c
+++ b/src/util/support/utf8.c
@@ -205,7 +205,7 @@ int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out)
     return 0;
 }
 
-/* conv UCS-2 to UTF-8, not used */
+/* conv UCS-4 to UTF-8 */
 size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf)
 {
     size_t len = 0;
diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c
index 80ca90b139e7..5cfc2c512b86 100644
--- a/src/util/support/utf8_conv.c
+++ b/src/util/support/utf8_conv.c
@@ -1,7 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /* util/support/utf8_conv.c */
 /*
- * Copyright 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2008, 2017 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -47,411 +47,156 @@
  * THE PERPETRATOR TO CRIMINAL AND CIVIL LIABILITY.
  */
 
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>. */
+/* This work is based on OpenLDAP Software <http://www.openldap.org/>. */
 
 /*
- * UTF-8 Conversion Routines
- *
- * These routines convert between Wide Character and UTF-8,
- * or between MultiByte and UTF-8 encodings.
- *
- * Both single character and string versions of the functions are provided.
- * All functions return -1 if the character or string cannot be converted.
+ * These routines convert between UTF-16 and UTF-8.  UTF-16 encodes a Unicode
+ * character in either two or four bytes.  Characters in the Basic Multilingual
+ * Plane (hex 0..D7FF and E000..FFFF) are encoded as-is in two bytes.
+ * Characters in the Supplementary Planes (10000..10FFFF) are split into a high
+ * surrogate and a low surrogate, each containing ten bits of the character
+ * value, and encoded in four bytes.
  */
 
 #include "k5-platform.h"
 #include "k5-utf8.h"
+#include "k5-buf.h"
+#include "k5-input.h"
 #include "supp-int.h"
 
 static unsigned char mask[] = { 0, 0x7f, 0x1f, 0x0f, 0x07, 0x03, 0x01 };
 
-static ssize_t
-k5_utf8s_to_ucs2s(krb5_ucs2 *ucs2str,
-                  const char *utf8str,
-                  size_t count,
-                  int little_endian)
-{
-    size_t ucs2len = 0;
-    size_t utflen, i;
-    krb5_ucs2 ch;
-
-    /* If input ptr is NULL or empty... */
-    if (utf8str == NULL || *utf8str == '\0') {
-        if (ucs2str != NULL)
-            *ucs2str = 0;
-
-        return 0;
-    }
-
-    /* Examine next UTF-8 character.  */
-    while (ucs2len < count && *utf8str != '\0') {
-        /* Get UTF-8 sequence length from 1st byte */
-        utflen = KRB5_UTF8_CHARLEN2(utf8str, utflen);
-
-        if (utflen == 0 || utflen > KRB5_MAX_UTF8_LEN)
-            return -1;
-
-        /* First byte minus length tag */
-        ch = (krb5_ucs2)(utf8str[0] & mask[utflen]);
-
-        for (i = 1; i < utflen; i++) {
-            /* Subsequent bytes must start with 10 */
-            if ((utf8str[i] & 0xc0) != 0x80)
-                return -1;
-
-            ch <<= 6;                   /* 6 bits of data in each subsequent byte */
-            ch |= (krb5_ucs2)(utf8str[i] & 0x3f);
-        }
-
-        if (ucs2str != NULL) {
-#ifdef K5_BE
-#ifndef SWAP16
-#define SWAP16(X)       ((((X) << 8) | ((X) >> 8)) & 0xFFFF)
-#endif
-            if (little_endian)
-                ucs2str[ucs2len] = SWAP16(ch);
-            else
-#endif
-                ucs2str[ucs2len] = ch;
-        }
-
-        utf8str += utflen;      /* Move to next UTF-8 character */
-        ucs2len++;              /* Count number of wide chars stored/required */
-    }
-
-    if (ucs2str != NULL && ucs2len < count) {
-        /* Add null terminator if there's room in the buffer. */
-        ucs2str[ucs2len] = 0;
-    }
-
-    return ucs2len;
-}
-
-int
-krb5int_utf8s_to_ucs2s(const char *utf8s,
-                       krb5_ucs2 **ucs2s,
-                       size_t *ucs2chars)
-{
-    ssize_t len;
-    size_t chars;
+/* A high surrogate is ten bits masked with 0xD800. */
+#define IS_HIGH_SURROGATE(c) ((c) >= 0xD800 && (c) <= 0xDBFF)
 
-    chars = krb5int_utf8_chars(utf8s);
-    *ucs2s = (krb5_ucs2 *)malloc((chars + 1) * sizeof(krb5_ucs2));
-    if (*ucs2s == NULL) {
-        return ENOMEM;
-    }
+/* A low surrogate is ten bits masked with 0xDC00. */
+#define IS_LOW_SURROGATE(c) ((c) >= 0xDC00 && (c) <= 0xDFFF)
 
-    len = k5_utf8s_to_ucs2s(*ucs2s, utf8s, chars + 1, 0);
-    if (len < 0) {
-        free(*ucs2s);
-        *ucs2s = NULL;
-        return EINVAL;
-    }
+/* A valid Unicode code point is in the range 0..10FFFF and is not a surrogate
+ * value. */
+#define IS_SURROGATE(c) ((c) >= 0xD800 && (c) <= 0xDFFF)
+#define IS_VALID_UNICODE(c) ((c) <= 0x10FFFF && !IS_SURROGATE(c))
 
-    if (ucs2chars != NULL) {
-        *ucs2chars = chars;
-    }
+/* A Basic Multilingual Plane character is in the range 0..FFFF and is not a
+ * surrogate value. */
+#define IS_BMP(c) ((c) <= 0xFFFF && !IS_SURROGATE(c))
 
-    return 0;
-}
+/* Characters in the Supplementary Planes have a base value subtracted from
+ * their code points to form a 20-bit value; ten bits go in each surrogate. */
+#define BASE 0x10000
+#define HIGH_SURROGATE(c) (0xD800 | (((c) - BASE) >> 10))
+#define LOW_SURROGATE(c) (0xDC00 | (((c) - BASE) & 0x3FF))
+#define COMPOSE(c1, c2) (BASE + ((((c1) & 0x3FF) << 10) | ((c2) & 0x3FF)))
 
 int
-krb5int_utf8cs_to_ucs2s(const char *utf8s,
-                        size_t utf8slen,
-                        krb5_ucs2 **ucs2s,
-                        size_t *ucs2chars)
+k5_utf8_to_utf16le(const char *utf8, uint8_t **utf16_out, size_t *nbytes_out)
 {
-    ssize_t len;
-    size_t chars;
-
-    chars = krb5int_utf8c_chars(utf8s, utf8slen);
-    *ucs2s = (krb5_ucs2 *)malloc((chars + 1) * sizeof(krb5_ucs2));
-    if (*ucs2s == NULL) {
-        return ENOMEM;
-    }
-
-    len = k5_utf8s_to_ucs2s(*ucs2s, utf8s, chars, 0);
-    if (len < 0) {
-        free(*ucs2s);
-        *ucs2s = NULL;
-        return EINVAL;
-    }
-    (*ucs2s)[chars] = 0;
-
-    if (ucs2chars != NULL) {
-        *ucs2chars = chars;
-    }
-
-    return 0;
-}
-
-int
-krb5int_utf8s_to_ucs2les(const char *utf8s,
-                         unsigned char **ucs2les,
-                         size_t *ucs2leslen)
-{
-    ssize_t len;
-    size_t chars;
-
-    chars = krb5int_utf8_chars(utf8s);
-
-    *ucs2les = (unsigned char *)malloc((chars + 1) * sizeof(krb5_ucs2));
-    if (*ucs2les == NULL) {
-        return ENOMEM;
-    }
-
-    len = k5_utf8s_to_ucs2s((krb5_ucs2 *)*ucs2les, utf8s, chars + 1, 1);
-    if (len < 0) {
-        free(*ucs2les);
-        *ucs2les = NULL;
-        return EINVAL;
-    }
-
-    if (ucs2leslen != NULL) {
-        *ucs2leslen = chars * sizeof(krb5_ucs2);
-    }
-
-    return 0;
-}
-
-int
-krb5int_utf8cs_to_ucs2les(const char *utf8s,
-                          size_t utf8slen,
-                          unsigned char **ucs2les,
-                          size_t *ucs2leslen)
-{
-    ssize_t len;
-    size_t chars;
-    krb5_ucs2 *ucs2s;
-
-    *ucs2les = NULL;
-
-    chars = krb5int_utf8c_chars(utf8s, utf8slen);
-    ucs2s = malloc((chars + 1) * sizeof(krb5_ucs2));
-    if (ucs2s == NULL)
-        return ENOMEM;
-
-    len = k5_utf8s_to_ucs2s(ucs2s, utf8s, chars, 1);
-    if (len < 0) {
-        free(ucs2s);
-        return EINVAL;
-    }
-    ucs2s[chars] = 0;
-
-    *ucs2les = (unsigned char *)ucs2s;
-    if (ucs2leslen != NULL) {
-        *ucs2leslen = chars * sizeof(krb5_ucs2);
-    }
+    struct k5buf buf;
+    krb5_ucs4 ch;
+    size_t chlen, i;
+    uint8_t *p;
 
-    return 0;
-}
+    *utf16_out = NULL;
+    *nbytes_out = 0;
 
-/*-----------------------------------------------------------------------------
-  Convert a wide char string to a UTF-8 string.
-  No more than 'count' bytes will be written to the output buffer.
-  Return the # of bytes written to the output buffer, excl null terminator.
+    k5_buf_init_dynamic(&buf);
 
-  ucs2len is -1 if the UCS-2 string is NUL terminated, otherwise it is the
-  length of the UCS-2 string in characters
-*/
-static ssize_t
-k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
-                  size_t count, ssize_t ucs2len, int little_endian)
-{
-    int len = 0;
-    int n;
-    char *p = utf8str;
-    krb5_ucs2 empty = 0, ch;
+    /* Examine next UTF-8 character. */
+    while (*utf8 != '\0') {
+        /* Get UTF-8 sequence length from first byte. */
+        chlen = KRB5_UTF8_CHARLEN2(utf8, chlen);
+        if (chlen == 0)
+            goto invalid;
 
-    if (ucs2str == NULL)        /* Treat input ptr NULL as an empty string */
-        ucs2str = &empty;
+        /* First byte minus length tag */
+        ch = (krb5_ucs4)(utf8[0] & mask[chlen]);
 
-    if (utf8str == NULL)        /* Just compute size of output, excl null */
-    {
-        while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) {
-            /* Get UTF-8 size of next wide char */
-            ch = *ucs2str++;
-#ifdef K5_BE
-            if (little_endian)
-                ch = SWAP16(ch);
-#endif
+        for (i = 1; i < chlen; i++) {
+            /* Subsequent bytes must start with 10. */
+            if ((utf8[i] & 0xc0) != 0x80)
+                goto invalid;
 
-            n = krb5int_ucs2_to_utf8(ch, NULL);
-            if (n < 1 || n > INT_MAX - len)
-                return -1;
-            len += n;
+            /* 6 bits of data in each subsequent byte */
+            ch <<= 6;
+            ch |= (krb5_ucs4)(utf8[i] & 0x3f);
+        }
+        if (!IS_VALID_UNICODE(ch))
+            goto invalid;
+
+        /* Characters in the basic multilingual plane are encoded using two
+         * bytes; other characters are encoded using four bytes. */
+        p = k5_buf_get_space(&buf, IS_BMP(ch) ? 2 : 4);
+        if (p == NULL)
+            return ENOMEM;
+        if (IS_BMP(ch)) {
+            store_16_le(ch, p);
+        } else {
+            /* 0x10000 is subtracted from ch; then the high ten bits plus
+             * 0xD800 and the low ten bits plus 0xDC00 are the surrogates. */
+            store_16_le(HIGH_SURROGATE(ch), p);
+            store_16_le(LOW_SURROGATE(ch), p + 2);
         }
 
-        return len;
-    }
-
-    /* Do the actual conversion. */
-
-    n = 1;                                      /* In case of empty ucs2str */
-    while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) {
-        ch = *ucs2str++;
-#ifdef K5_BE
-        if (little_endian)
-            ch = SWAP16(ch);
-#endif
-
-        n = krb5int_ucs2_to_utf8(ch, p);
-
-        if (n < 1)
-            break;
-
-        p += n;
-        count -= n;                     /* Space left in output buffer */
-    }
-
-    /* If not enough room for last character, pad remainder with null
-       so that return value = original count, indicating buffer full. */
-    if (n == 0) {
-        while (count--)
-            *p++ = 0;
-    }
-    /* Add a null terminator if there's room. */
-    else if (count)
-        *p = 0;
-
-    if (n == -1)                        /* Conversion encountered invalid wide char. */
-        return -1;
-
-    /* Return the number of bytes written to output buffer, excl null. */
-    return (p - utf8str);
-}
-
-int
-krb5int_ucs2s_to_utf8s(const krb5_ucs2 *ucs2s,
-                       char **utf8s,
-                       size_t *utf8slen)
-{
-    ssize_t len;
-
-    len = k5_ucs2s_to_utf8s(NULL, ucs2s, 0, -1, 0);
-    if (len < 0) {
-        return EINVAL;
-    }
-
-    *utf8s = (char *)malloc((size_t)len + 1);
-    if (*utf8s == NULL) {
-        return ENOMEM;
-    }
-
-    len = k5_ucs2s_to_utf8s(*utf8s, ucs2s, (size_t)len + 1, -1, 0);
-    if (len < 0) {
-        free(*utf8s);
-        *utf8s = NULL;
-        return EINVAL;
-    }
-
-    if (utf8slen != NULL) {
-        *utf8slen = len;
+        /* Move to next UTF-8 character. */
+        utf8 += chlen;
     }
 
+    *utf16_out = buf.data;
+    *nbytes_out = buf.len;
     return 0;
-}
 
-int
-krb5int_ucs2les_to_utf8s(const unsigned char *ucs2les,
-                         char **utf8s,
-                         size_t *utf8slen)
-{
-    ssize_t len;
-
-    len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2les, 0, -1, 1);
-    if (len < 0)
-        return EINVAL;
-
-    *utf8s = (char *)malloc((size_t)len + 1);
-    if (*utf8s == NULL) {
-        return ENOMEM;
-    }
-
-    len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2les, (size_t)len + 1, -1, 1);
-    if (len < 0) {
-        free(*utf8s);
-        *utf8s = NULL;
-        return EINVAL;
-    }
-
-    if (utf8slen != NULL) {
-        *utf8slen = len;
-    }
-
-    return 0;
+invalid:
+    k5_buf_free(&buf);
+    return EINVAL;
 }
 
 int
-krb5int_ucs2cs_to_utf8s(const krb5_ucs2 *ucs2s,
-                        size_t ucs2slen,
-                        char **utf8s,
-                        size_t *utf8slen)
+k5_utf16le_to_utf8(const uint8_t *utf16bytes, size_t nbytes, char **utf8_out)
 {
-    ssize_t len;
+    struct k5buf buf;
+    struct k5input in;
+    uint16_t ch1, ch2;
+    krb5_ucs4 ch;
+    size_t chlen;
+    void *p;
 
-    if (ucs2slen > SSIZE_MAX)
-        return ERANGE;
+    *utf8_out = NULL;
 
-    len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2s, 0,
-                            (ssize_t)ucs2slen, 0);
-    if (len < 0)
+    if (nbytes % 2 != 0)
         return EINVAL;
 
-    *utf8s = (char *)malloc((size_t)len + 1);
-    if (*utf8s == NULL) {
-        return ENOMEM;
-    }
+    k5_buf_init_dynamic(&buf);
+    k5_input_init(&in, utf16bytes, nbytes);
+    while (!in.status && in.len > 0) {
+        /* Get the next character or high surrogate.  A low surrogate without a
+         * preceding high surrogate is invalid. */
+        ch1 = k5_input_get_uint16_le(&in);
+        if (IS_LOW_SURROGATE(ch1))
+            goto invalid;
+        if (IS_HIGH_SURROGATE(ch1)) {
+            /* Get the low surrogate and combine the pair. */
+            ch2 = k5_input_get_uint16_le(&in);
+            if (!IS_LOW_SURROGATE(ch2))
+                goto invalid;
+            ch = COMPOSE(ch1, ch2);
+        } else {
+            ch = ch1;
+        }
 
-    len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2s, (size_t)len,
-                            (ssize_t)ucs2slen, 0);
-    if (len < 0) {
-        free(*utf8s);
-        *utf8s = NULL;
-        return EINVAL;
+        chlen = krb5int_ucs4_to_utf8(ch, NULL);
+        p = k5_buf_get_space(&buf, chlen);
+        if (p == NULL)
+            return ENOMEM;
+        (void)krb5int_ucs4_to_utf8(ch, p);
     }
-    (*utf8s)[len] = '\0';
 
-    if (utf8slen != NULL) {
-        *utf8slen = len;
-    }
+    if (in.status)
+        goto invalid;
 
+    *utf8_out = buf.data;
     return 0;
-}
-
-int
-krb5int_ucs2lecs_to_utf8s(const unsigned char *ucs2les,
-                          size_t ucs2leslen,
-                          char **utf8s,
-                          size_t *utf8slen)
-{
-    ssize_t len;
 
-    if (ucs2leslen > SSIZE_MAX)
-        return ERANGE;
-
-    len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2les, 0,
-                            (ssize_t)ucs2leslen, 1);
-    if (len < 0)
-        return EINVAL;
-
-    *utf8s = (char *)malloc((size_t)len + 1);
-    if (*utf8s == NULL) {
-        return ENOMEM;
-    }
-
-    len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2les, (size_t)len,
-                            (ssize_t)ucs2leslen, 1);
-    if (len < 0) {
-        free(*utf8s);
-        *utf8s = NULL;
-        return EINVAL;
-    }
-    (*utf8s)[len] = '\0';
-
-    if (utf8slen != NULL) {
-        *utf8slen = len;
-    }
-
-    return 0;
+invalid:
+    k5_buf_free(&buf);
+    return EINVAL;
 }
diff --git a/src/util/verto/README b/src/util/verto/README
index 6de645f6fb15..a3dab834d89d 100644
--- a/src/util/verto/README
+++ b/src/util/verto/README
@@ -36,5 +36,5 @@ BUILTIN_MODULE define.
 
 The libverto and libev upstream project pages are at:
 
-  https://fedorahosted.org/libverto/
+  https://github.com/latchset/libverto/
   http://software.schmorp.de/pkg/libev.html
diff --git a/src/util/verto/libverto.exports b/src/util/verto/libverto.exports
index ecba76ad9d7c..3745d5014653 100644
--- a/src/util/verto/libverto.exports
+++ b/src/util/verto/libverto.exports
@@ -4,6 +4,7 @@ verto_add_io
 verto_add_signal
 verto_add_timeout
 verto_break
+verto_cleanup
 verto_convert_module
 verto_default
 verto_del
diff --git a/src/util/verto/verto-k5ev.c b/src/util/verto/verto-k5ev.c
index 74fa368a83b3..a390af716616 100644
--- a/src/util/verto/verto-k5ev.c
+++ b/src/util/verto/verto-k5ev.c
@@ -36,12 +36,29 @@
 #include <verto.h>
 #include <verto-module.h>
 #include "rename.h"
+
+/* Ignore some warnings generated by the libev code, which the libev maintainer
+ * isn't interested in avoiding. */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wunused-value"
+#pragma GCC diagnostic ignored "-Wcomment"
+#pragma GCC diagnostic ignored "-Wunused-result"
+#ifdef __clang__
+#pragma GCC diagnostic ignored "-Wbitwise-op-parentheses"
+#endif
+#endif
+
 #define EV_API_STATIC 1
 #define EV_STANDALONE 1
 /* Avoid using clock_gettime, which would create a dependency on librt. */
 #define EV_USE_MONOTONIC 0
 #define EV_USE_REALTIME 0
-#define EV_FEATURES 0x5f        /* Everything but back ends */
+#define EV_FEATURES 0x4f        /* No back ends or optional watchers */
+/* Enable the optional watcher types we use. */
+#define EV_IDLE_ENABLE 1
+#define EV_SIGNAL_ENABLE 1
+#define EV_CHILD_ENABLE 1
+/* Enable the back ends we want. */
 #ifdef HAVE_POLL_H
 #define EV_USE_POLL 1
 #endif
@@ -97,6 +114,11 @@ libev_callback(EV_P_ ev_watcher *w, int revents)
 {
     verto_ev_flag state = VERTO_EV_FLAG_NONE;
 
+#if EV_MULTIPLICITY
+    /* Match the check in ev.h, which doesn't mark this unused */
+    (void) EV_A;
+#endif
+
     if (verto_get_type(w->data)== VERTO_EV_TYPE_CHILD)
         verto_set_proc_status(w->data, ((ev_child*) w)->rstatus);
 
diff --git a/src/util/verto/verto-libev.c b/src/util/verto/verto-libev.c
index 9c7c32449c72..99256a2fc75c 100644
--- a/src/util/verto/verto-libev.c
+++ b/src/util/verto/verto-libev.c
@@ -80,6 +80,11 @@ libev_callback(EV_P_ ev_watcher *w, int revents)
 {
     verto_ev_flag state = VERTO_EV_FLAG_NONE;
 
+#if EV_MULTIPLICITY
+    /* Match the check in ev.h, which doesn't mark this unused */
+    (void) EV_A;
+#endif
+
     if (verto_get_type(w->data)== VERTO_EV_TYPE_CHILD)
         verto_set_proc_status(w->data, ((ev_child*) w)->rstatus);
 
diff --git a/src/util/verto/verto.c b/src/util/verto/verto.c
index 44ea4373fcf3..71eaffa080de 100644
--- a/src/util/verto/verto.c
+++ b/src/util/verto/verto.c
@@ -22,8 +22,6 @@
  * SOFTWARE.
  */
 
-#define _GNU_SOURCE /* For asprintf() */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -45,6 +43,8 @@
 #define  _str(s) # s
 #define __str(s) _str(s)
 
+#define MUTABLE(flags) (flags & _VERTO_EV_FLAG_MUTABLE_MASK)
+
 /* Remove flags we can emulate */
 #define make_actual(flags) ((flags) & ~(VERTO_EV_FLAG_PERSIST|VERTO_EV_FLAG_IO_CLOSE_FD))
 
@@ -103,7 +103,7 @@ struct module_record {
 /*
  * This symbol can be used when embedding verto.c in a library along with a
  * built-in private module, to preload the module instead of dynamically
- * linking it in later.  Define to verto_module_table_<modulename>.
+ * linking it in later.  Define to <modulename>.
  */
 extern verto_module MODTABLE(BUILTIN_MODULE);
 static module_record builtin_record = {
@@ -119,12 +119,43 @@ static int resize_cb_hierarchical;
 
 #ifdef HAVE_PTHREAD
 static pthread_mutex_t loaded_modules_mutex = PTHREAD_MUTEX_INITIALIZER;
-#define mutex_lock(x) pthread_mutex_lock(x)
-#define mutex_unlock(x) pthread_mutex_unlock(x)
-#else
+
+#ifndef NDEBUG
+#define mutex_lock(x) { \
+        int c = pthread_mutex_lock(x); \
+        if (c != 0) { \
+            fprintf(stderr, "pthread_mutex_lock returned %d (%s) in %s", \
+                    c, strerror(c), __FUNCTION__); \
+        } \
+        assert(c == 0); \
+    }
+#define mutex_unlock(x) { \
+        int c = pthread_mutex_unlock(x); \
+        if (c != 0) { \
+            fprintf(stderr, "pthread_mutex_unlock returned %d (%s) in %s", \
+                    c, strerror(c), __FUNCTION__); \
+        } \
+        assert(c == 0); \
+    }
+#define mutex_destroy(x) { \
+        int c = pthread_mutex_destroy(x); \
+        if (c != 0) { \
+            fprintf(stderr, "pthread_mutex_destroy returned %d (%s) in %s", \
+                    c, strerror(c), __FUNCTION__); \
+        } \
+        assert(c == 0); \
+    }
+#else /* NDEBUG */
+#define mutex_lock pthread_mutex_lock
+#define mutex_unlock pthread_mutex_unlock
+#define mutex_destroy pthread_mutex_destroy
+#endif /* NDEBUG */
+
+#else /* HAVE_PTHREAD */
 #define mutex_lock(x)
 #define mutex_unlock(x)
-#endif
+#define mutex_destroy(x)
+#endif /* HAVE_PTHREAD */
 
 #define vfree(mem) vresize(mem, 0)
 static void *
@@ -132,34 +163,35 @@ vresize(void *mem, size_t size)
 {
     if (!resize_cb)
         resize_cb = &realloc;
+    if (size == 0 && resize_cb == &realloc) {
+        /* Avoid memleak as realloc(X, 0) can return a free-able pointer. */
+        free(mem);
+        return NULL;
+    }
     return (*resize_cb)(mem, size);
 }
 
 #ifndef BUILTIN_MODULE
-static int
-int_vasprintf(char **strp, const char *fmt, va_list ap) {
-    va_list apc;
-    int size = 0;
-
-    va_copy(apc, ap);
-    size = vsnprintf(NULL, 0, fmt, apc);
-    va_end(apc);
+static char *
+string_aconcat(const char *first, const char *second, const char *third) {
+    char *ret;
+    size_t len;
 
-    if (size <= 0 || !(*strp = malloc(size + 1)))
-        return -1;
+    len = strlen(first) + strlen(second);
+    if (third)
+        len += strlen(third);
 
-    return vsnprintf(*strp, size + 1, fmt, ap);
-}
+    ret = malloc(len + 1);
+    if (!ret)
+        return NULL;
 
-static int
-int_asprintf(char **strp, const char *fmt, ...) {
-    va_list ap;
-    int size = 0;
+    strncpy(ret, first, strlen(first));
+    strncpy(ret + strlen(first), second, strlen(second));
+    if (third)
+        strncpy(ret + strlen(first) + strlen(second), third, strlen(third));
 
-    va_start(ap, fmt);
-    size = int_vasprintf(strp, fmt, ap);
-    va_end(ap);
-    return size;
+    ret[len] = '\0';
+    return ret;
 }
 
 static char *
@@ -185,8 +217,7 @@ int_get_table_name_from_filename(const char *filename)
     if (tmp) {
         if (strchr(tmp+1, '.')) {
             *strchr(tmp+1, '.') = '\0';
-            if (int_asprintf(&tmp, "%s%s", __str(VERTO_MODULE_TABLE()), tmp + 1) < 0)
-                tmp = NULL;
+            tmp = string_aconcat(__str(VERTO_MODULE_TABLE()), tmp + 1, NULL);
         } else
             tmp = NULL;
     }
@@ -217,7 +248,7 @@ shouldload(void *symb, void *misc, char **err)
     if (table->symb && data->reqsym
             && !module_symbol_is_present(NULL, table->symb)) {
         if (err)
-            int_asprintf(err, "Symbol not found: %s!", table->symb);
+            *err = string_aconcat("Symbol not found: ", table->symb, "!");
         return 0;
     }
 
@@ -265,6 +296,7 @@ do_load_file(const char *filename, int reqsym, verto_ev_type reqtypes,
     tblname = int_get_table_name_from_filename(filename);
     if (!tblname) {
         free(tblname);
+        free(tmp->filename);
         vfree(tmp);
         return 0;
     }
@@ -278,6 +310,7 @@ do_load_file(const char *filename, int reqsym, verto_ev_type reqtypes,
         free(error);
         module_close(tmp->dll);
         free(tblname);
+        free(tmp->filename);
         vfree(tmp);
         return 0;
     }
@@ -324,7 +357,8 @@ do_load_dir(const char *dirname, const char *prefix, const char *suffix,
         if (flen < slen || strcmp(ent->d_name + flen - slen, suffix))
             continue;
 
-        if (int_asprintf(&tmp, "%s/%s", dirname, ent->d_name) < 0)
+        tmp = string_aconcat(dirname, "/", ent->d_name);
+        if (!tmp)
             continue;
 
         success = do_load_file(tmp, reqsym, reqtypes, record);
@@ -401,8 +435,8 @@ load_module(const char *impl, verto_ev_type reqtypes, module_record **record)
             success = do_load_file(impl, 0, reqtypes, record);
         if (!success) {
             /* Try to do a load by the name */
-            tmp = NULL;
-            if (int_asprintf(&tmp, "%s%s%s", prefix, impl, suffix) > 0) {
+            tmp = string_aconcat(prefix, impl, suffix);
+            if (tmp) {
                 success = do_load_file(tmp, 0, reqtypes, record);
                 free(tmp);
             }
@@ -494,6 +528,8 @@ remove_ev(verto_ev **origin, verto_ev *item)
 static void
 signal_ignore(verto_ctx *ctx, verto_ev *ev)
 {
+    (void) ctx;
+    (void) ev;
 }
 
 verto_ctx *
@@ -565,6 +601,25 @@ verto_free(verto_ctx *ctx)
     vfree(ctx);
 }
 
+void
+verto_cleanup(void)
+{
+    module_record *record;
+
+    mutex_lock(&loaded_modules_mutex);
+
+    for (record = loaded_modules; record; record = record->next) {
+        module_close(record->dll);
+        free(record->filename);
+    }
+
+    vfree(loaded_modules);
+    loaded_modules = NULL;
+
+    mutex_unlock(&loaded_modules_mutex);
+    mutex_destroy(&loaded_modules_mutex);
+}
+
 void
 verto_run(verto_ctx *ctx)
 {
@@ -752,8 +807,12 @@ verto_set_flags(verto_ev *ev, verto_ev_flag flags)
     if (!ev)
         return;
 
+    /* No modification is needed, so do nothing. */
+    if (MUTABLE(ev->flags) == MUTABLE(flags))
+        return;
+
     ev->flags  &= ~_VERTO_EV_FLAG_MUTABLE_MASK;
-    ev->flags  |= flags & _VERTO_EV_FLAG_MUTABLE_MASK;
+    ev->flags  |= MUTABLE(flags);
 
     /* If setting flags isn't supported, just rebuild the event */
     if (!ev->ctx->module->funcs->ctx_set_flags) {
@@ -765,7 +824,7 @@ verto_set_flags(verto_ev *ev, verto_ev_flag flags)
     }
 
     ev->actual &= ~_VERTO_EV_FLAG_MUTABLE_MASK;
-    ev->actual |= flags & _VERTO_EV_FLAG_MUTABLE_MASK;
+    ev->actual |= MUTABLE(flags);
     ev->ctx->module->funcs->ctx_set_flags(ev->ctx->ctx, ev, ev->ev);
 }
 
@@ -861,7 +920,7 @@ verto_convert_module(const verto_module *module, int deflt, verto_mod_ctx *mctx)
     module_record *mr;
 
     if (!module)
-        goto error;
+        return NULL;
 
     if (deflt) {
         mutex_lock(&loaded_modules_mutex);
diff --git a/src/util/verto/verto.h b/src/util/verto/verto.h
index 554036771722..55c583616215 100644
--- a/src/util/verto/verto.h
+++ b/src/util/verto/verto.h
@@ -33,6 +33,7 @@
 typedef HANDLE verto_proc;
 typedef DWORD verto_proc_status;
 #else
+#include <sys/types.h>
 typedef pid_t verto_proc;
 typedef int verto_proc_status;
 #endif
@@ -195,7 +196,8 @@ verto_set_default(const char *impl, verto_ev_type reqtypes);
  * @see verto_add_idle()
  * @see verto_add_signal()
  * @see verto_add_child()
- * @param resize The allocator to use (behaves like realloc())
+ * @param resize The allocator to use (behaves like realloc();
+ *        resize(ptr, 0) must free memory at ptr.)
  * @param hierarchical Zero if the allocator is not hierarchical
  */
 int
@@ -215,6 +217,19 @@ verto_set_allocator(void *(*resize)(void *mem, size_t size), int hierarchical);
 void
 verto_free(verto_ctx *ctx);
 
+/**
+ * Frees global state.
+ *
+ * Remove and free all allocated global state.  Call only when no further
+ * contexts exist and all threads have exited.
+ *
+ * @see verto_new()
+ * @see verto_free()
+ * @see verto_default()
+ */
+void
+verto_cleanup(void);
+
 /**
  * Run the verto_ctx forever, or at least until verto_break() is called.
  *
@@ -444,7 +459,8 @@ verto_get_flags(const verto_ev *ev);
  * Sets the flags associated with the given verto_ev.
  *
  * See _VERTO_EV_FLAG_MUTABLE_MASK for the flags that can be changed
- * with this function. All others will be ignored.
+ * with this function. All others will be ignored. If the flags specified
+ * are the same as the flags the event already has, this function is a no-op.
  *
  * @see verto_add_io()
  * @see verto_add_timeout()
diff --git a/src/windows/cns/tktlist.c b/src/windows/cns/tktlist.c
index f2805f5cd4b8..26e699faea83 100644
--- a/src/windows/cns/tktlist.c
+++ b/src/windows/cns/tktlist.c
@@ -35,6 +35,8 @@
 #include "cns.h"
 #include "tktlist.h"
 
+#define ts2tt(t) (time_t)(uint32_t)(t)
+
 /*
  * Ticket information for a list line
  */
@@ -167,10 +169,10 @@ ticket_init_list (HWND hwnd)
 
       ncred++;
       strcpy (buf, "  ");
-      strncat(buf, short_date (c.times.starttime - kwin_get_epoch()),
+      strncat(buf, short_date(ts2tt(c.times.starttime) - kwin_get_epoch()),
 	      sizeof(buf) - 1 - strlen(buf));
       strncat(buf, "      ", sizeof(buf) - 1 - strlen(buf));
-      strncat(buf, short_date (c.times.endtime - kwin_get_epoch()),
+      strncat(buf, short_date(ts2tt(c.times.endtime) - kwin_get_epoch()),
 	      sizeof(buf) - 1 - strlen(buf));
       strncat(buf, "      ", sizeof(buf) - 1 - strlen(buf));
 
@@ -192,8 +194,8 @@ ticket_init_list (HWND hwnd)
 	return -1;
 
       lpinfo->ticket = TRUE;
-      lpinfo->issue_time = c.times.starttime - kwin_get_epoch();
-      lpinfo->lifetime = c.times.endtime - c.times.starttime;
+      lpinfo->issue_time = ts2tt(c.times.starttime) - kwin_get_epoch();
+      lpinfo->lifetime = ts2tt(c.times.endtime) - c.times.starttime;
       strcpy(lpinfo->buf, buf);
 
       rc = ListBox_AddItemData(hwnd, lpinfo);
diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h
index 9577365a7ea0..325dce2e96ec 100644
--- a/src/windows/include/leashwin.h
+++ b/src/windows/include/leashwin.h
@@ -111,9 +111,9 @@ struct TicketList {
     TicketList *next;
     char *service;
     char *encTypes;
-    krb5_timestamp issued;
-    krb5_timestamp valid_until;
-    krb5_timestamp renew_until;
+    time_t issued;
+    time_t valid_until;
+    time_t renew_until;
     unsigned long flags;
 };
 
@@ -124,9 +124,9 @@ struct TICKETINFO {
     char   *ccache_name;
     TicketList *ticket_list;
     int     btickets;                 /* Do we have tickets? */
-    long    issued;                   /* The issue time */
-    long    valid_until;              /* */
-    long    renew_until;              /* The Renew time (k5 only) */
+    time_t  issued;                   /* The issue time */
+    time_t  valid_until;              /* */
+    time_t  renew_until;              /* The Renew time (k5 only) */
     unsigned long flags;
 };
 
diff --git a/src/windows/leash/KrbListTickets.cpp b/src/windows/leash/KrbListTickets.cpp
index beab0ea11339..5dd37b05a427 100644
--- a/src/windows/leash/KrbListTickets.cpp
+++ b/src/windows/leash/KrbListTickets.cpp
@@ -92,10 +92,10 @@ etype_string(krb5_enctype enctype)
 static void
 CredToTicketInfo(krb5_creds KRBv5Credentials, TICKETINFO *ticketinfo)
 {
-    ticketinfo->issued = KRBv5Credentials.times.starttime;
-    ticketinfo->valid_until = KRBv5Credentials.times.endtime;
+    ticketinfo->issued = (DWORD)KRBv5Credentials.times.starttime;
+    ticketinfo->valid_until = (DWORD)KRBv5Credentials.times.endtime;
     ticketinfo->renew_until = KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE ?
-        KRBv5Credentials.times.renew_till : 0;
+        (DWORD)KRBv5Credentials.times.renew_till : (DWORD)0;
     _tzset();
     if ( ticketinfo->valid_until - time(0) <= 0L )
         ticketinfo->btickets = EXPD_TICKETS;
@@ -137,10 +137,10 @@ CredToTicketList(krb5_context ctx, krb5_creds KRBv5Credentials,
         functionName = "calloc()";
         goto cleanup;
     }
-    list->issued = KRBv5Credentials.times.starttime;
-    list->valid_until = KRBv5Credentials.times.endtime;
+    list->issued = (DWORD)KRBv5Credentials.times.starttime;
+    list->valid_until = (DWORD)KRBv5Credentials.times.endtime;
     if (KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE)
-        list->renew_until = KRBv5Credentials.times.renew_till;
+        list->renew_until = (DWORD)KRBv5Credentials.times.renew_till;
     else
         list->renew_until = 0;
 
diff --git a/src/windows/leash/LeashView.cpp b/src/windows/leash/LeashView.cpp
index ef2a5a3e0e54..253ae3f066c7 100644
--- a/src/windows/leash/LeashView.cpp
+++ b/src/windows/leash/LeashView.cpp
@@ -229,22 +229,22 @@ static HFONT CreateBoldItalicFont(HFONT font)
 
 bool change_icon_size = true;
 
-void krb5TimestampToFileTime(krb5_timestamp t, LPFILETIME pft)
+void TimestampToFileTime(time_t t, LPFILETIME pft)
 {
     // Note that LONGLONG is a 64-bit value
-    LONGLONG ll;
+    ULONGLONG ll;
 
-    ll = Int32x32To64(t, 10000000) + 116444736000000000;
+    ll = UInt32x32To64((DWORD)t, 10000000) + 116444736000000000;
     pft->dwLowDateTime = (DWORD)ll;
     pft->dwHighDateTime = ll >> 32;
 }
 
 // allocate outstr
-void krb5TimestampToLocalizedString(krb5_timestamp t, LPTSTR *outStr)
+void TimestampToLocalizedString(time_t t, LPTSTR *outStr)
 {
     FILETIME ft, lft;
     SYSTEMTIME st;
-    krb5TimestampToFileTime(t, &ft);
+    TimestampToFileTime(t, &ft);
     FileTimeToLocalFileTime(&ft, &lft);
     FileTimeToSystemTime(&lft, &st);
     TCHAR timeFormat[80]; // 80 is max required for LOCALE_STIMEFORMAT
@@ -1125,9 +1125,9 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
                                 CCacheDisplayData *elem,
                                 int iItem,
                                 char *principal,
-                                long issued,
-                                long valid_until,
-                                long renew_until,
+                                time_t issued,
+                                time_t valid_until,
+                                time_t renew_until,
                                 char *encTypes,
                                 unsigned long flags,
                                 char *ccache_name)
@@ -1145,7 +1145,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
         if (issued == 0) {
             list.SetItemText(iItem, iSubItem++, "Unknown");
         } else {
-            krb5TimestampToLocalizedString(issued, &localTimeStr);
+            TimestampToLocalizedString(issued, &localTimeStr);
             list.SetItemText(iItem, iSubItem++, localTimeStr);
         }
     }
@@ -1155,7 +1155,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
         } else if (valid_until < now) {
             list.SetItemText(iItem, iSubItem++, "Expired");
         } else if (renew_until) {
-            krb5TimestampToLocalizedString(renew_until, &localTimeStr);
+            TimestampToLocalizedString(renew_until, &localTimeStr);
             DurationToString(renew_until - now, &durationStr);
             if (localTimeStr && durationStr) {
                 _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr);
@@ -1172,7 +1172,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
         } else if (valid_until < now) {
             list.SetItemText(iItem, iSubItem++, "Expired");
         } else {
-            krb5TimestampToLocalizedString(valid_until, &localTimeStr);
+            TimestampToLocalizedString(valid_until, &localTimeStr);
             DurationToString(valid_until - now, &durationStr);
             if (localTimeStr && durationStr) {
                 _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr);
diff --git a/src/windows/leashdll/lshfunc.c b/src/windows/leashdll/lshfunc.c
index 0f76cc334fd6..8dafb7bede3f 100644
--- a/src/windows/leashdll/lshfunc.c
+++ b/src/windows/leashdll/lshfunc.c
@@ -2898,7 +2898,7 @@ static BOOL cc_have_tickets(krb5_context ctx, krb5_ccache cache)
     _tzset();
     while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) {
         if ((!pkrb5_is_config_principal(ctx, creds.server)) &&
-            (creds.times.endtime - time(0) > 0))
+            ((time_t)(DWORD)creds.times.endtime - time(0) > 0))
             have_tickets = TRUE;
 
         pkrb5_free_cred_contents(ctx, &creds);
diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
index c3325034ad68..2b4373cc125e 100644
--- a/src/windows/ms2mit/ms2mit.c
+++ b/src/windows/ms2mit/ms2mit.c
@@ -74,7 +74,7 @@ cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
             break;
 
         if (!krb5_is_config_principal(kcontext, creds.server) &&
-            creds.times.endtime > now)
+            ts_after(creds.times.endtime, now))
             *has_tickets = 1;
 
         krb5_free_cred_contents(kcontext, &creds);
-- 
cgit v1.2.3