| field | value | date |
|---|---|---|
| author | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-08-04 17:53:10 +0000 |
| commit | 0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch) | |
| tree | e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/_sources/admin/admin_commands | |
| parent | b0e4d68d5124581ae353493d69bea352de4cff8a (diff) | |
Diffstat (limited to 'doc/html/_sources/admin/admin_commands')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/index.rst.txt (renamed from doc/html/_sources/admin/admin_commands/index.txt) | 0 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt (renamed from doc/html/_sources/admin/admin_commands/k5srvutil.txt) | 9 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kadmin_local.txt) | 103 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kadmind.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kadmind.txt) | 48 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt) | 93 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kdb5_util.txt) | 63 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kprop.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kprop.txt) | 18 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kpropd.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kpropd.txt) | 83 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/kproplog.rst.txt (renamed from doc/html/_sources/admin/admin_commands/kproplog.txt) | 30 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt (renamed from doc/html/_sources/admin/admin_commands/krb5kdc.txt) | 37 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/ktutil.rst.txt (renamed from doc/html/_sources/admin/admin_commands/ktutil.txt) | 48 |
| -rw-r--r-- | doc/html/_sources/admin/admin_commands/sserver.rst.txt (renamed from doc/html/_sources/admin/admin_commands/sserver.txt) | 9 |

12 files changed, 266 insertions, 275 deletions
diff --git a/doc/html/_sources/admin/admin_commands/index.txt b/doc/html/_sources/admin/admin_commands/index.rst.txt index e8dc76524ed6..e8dc76524ed6 100644 --- a/doc/html/_sources/admin/admin_commands/index.txt +++ b/doc/html/_sources/admin/admin_commands/index.rst.txt diff --git a/doc/html/_sources/admin/admin_commands/k5srvutil.txt b/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt index b873d907774b..79502cf9eb98 100644 --- a/doc/html/_sources/admin/admin_commands/k5srvutil.txt +++ b/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt @@ -56,7 +56,14 @@ k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in place. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)`, :ref:`ktutil(1)` +:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt index 9b5ccf4e911a..2435b3c3611e 100644 --- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt +++ b/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt @@ -28,8 +28,6 @@ SYNOPSIS [**-x** *db_args*] [command args...] -.. _kadmin_synopsis_end: - DESCRIPTION ----------- 
@@ -44,9 +42,9 @@ Kerberos principals, password policies, and service key tables (keytabs). The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is -the fully-qualified hostname of the admin server) or ``kadmin/admin``. -If the credentials cache contains a ticket for one of these +using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` +(where *ADMINHOST* is the fully-qualified hostname of the admin +server). If the credentials cache contains a ticket for one of these principals, and the **-c** credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name @@ -55,7 +53,7 @@ it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind. Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the master KDC with sufficient permissions to read +be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server. @@ -100,10 +98,10 @@ OPTIONS fully anonymous operation. **-c** *credentials_cache* - Use *credentials_cache* as the credentials cache. The - cache should contain a service ticket for the ``kadmin/ADMINHOST`` - (where *ADMINHOST* is the fully-qualified hostname of the admin - server) or ``kadmin/admin`` service; it can be acquired with the + Use *credentials_cache* as the credentials cache. The cache + should contain a service ticket for the ``kadmin/admin`` or + ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified + hostname of the admin server) service; it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. 
@@ -142,8 +140,6 @@ OPTIONS Specifies the database specific arguments. See the next section for supported options. -.. _kadmin_options_end: - Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently @@ -297,8 +293,9 @@ Options: {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this - principal by prohibiting this principal from obtaining a session - key for another user. **+allow_dup_skey** clears this flag. + principal by prohibiting others from obtaining a service ticket + encrypted in this principal's TGT session key. + **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate @@ -325,7 +322,9 @@ Options: {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this - principal. **+allow_svr** clears this flag. + principal. In release 1.17 and later, user-to-user service + tickets are still allowed unless the **-allow_dup_skey** flag is + also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) @@ -416,15 +415,13 @@ Options: Example:: kadmin: addprinc jennifer - WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; + No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal jennifer@ATHENA.MIT.EDU: Re-enter password for principal jennifer@ATHENA.MIT.EDU: Principal "jennifer@ATHENA.MIT.EDU" created. kadmin: -.. _add_principal_end: - .. _modify_principal: modify_principal @@ -448,8 +445,6 @@ Options (in addition to the **addprinc** options): authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. -.. _modify_principal_end: - .. _rename_principal: rename_principal 
@@ -465,8 +460,6 @@ This command requires the **add** and **delete** privileges. Alias: **renprinc** -.. _rename_principal_end: - .. _delete_principal: delete_principal @@ -481,8 +474,6 @@ This command requires the **delete** privilege. Alias: **delprinc** -.. _delete_principal_end: - .. _change_password: change_password @@ -526,8 +517,6 @@ Example:: Password for systest@BLEEP.COM changed. kadmin: -.. _change_password_end: - .. _purgekeys: purgekeys @@ -543,8 +532,6 @@ is new in release 1.12. This command requires the **modify** privilege. -.. _purgekeys_end: - .. _get_principal: get_principal @@ -566,16 +553,16 @@ Examples:: Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 - Password expiration date: [none] + Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 - Number of keys: 2 - Key: vno 1, des-cbc-crc - Key: vno 1, des-cbc-crc:v4 + Number of keys: 1 + Key: vno 1, aes256-cts-hmac-sha384-192 + MKey: vno 1 Attributes: Policy: [none] @@ -585,8 +572,6 @@ Examples:: tlyu/admin@BLEEP.COM 786100034 0 0 kadmin: -.. _get_principal_end: - .. _list_principals: list_principals @@ -604,7 +589,7 @@ expression. This command requires the **list** privilege. -Alias: **listprincs**, **get_principals**, **get_princs** +Alias: **listprincs**, **get_principals**, **getprincs** Example:: @@ -615,8 +600,6 @@ Example:: testuser@SECURE-TEST.OV.COM kadmin: -.. _list_principals_end: - .. _get_strings: get_strings @@ -628,9 +611,7 @@ Displays string attributes on *principal*. This command requires the **inquire** privilege. -Alias: **getstr** - -.. _get_strings_end: +Alias: **getstrs** .. _set_string: 
@@ -668,6 +649,15 @@ KDC: is in the same format as those used by the **pkinit_cert_match** option in :ref:`krb5.conf(5)`. (New in release 1.16.) +**pac_privsvr_enctype** + Forces the encryption type of the PAC KDC checksum buffers to the + specified encryption type for tickets issued to this server, by + deriving a key from the local krbtgt key if it is of a different + encryption type. It may be necessary to set this value to + "aes256-sha1" on the cross-realm krbtgt entry for an Active + Directory realm when using aes-sha2 keys on the local krbtgt + entry. + This command requires the **modify** privilege. Alias: **setstr** @@ -677,8 +667,6 @@ Example:: set_string host/foo.mit.edu session_enctypes aes128-cts set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" -.. _set_string_end: - .. _del_string: del_string @@ -692,8 +680,6 @@ This command requires the **delete** privilege. Alias: **delstr** -.. _del_string_end: - .. _add_policy: add_policy @@ -770,8 +756,6 @@ Example:: kadmin: add_policy -maxlife "2 days" -minlength 5 guests kadmin: -.. _add_policy_end: - .. _modify_policy: modify_policy @@ -786,8 +770,6 @@ This command requires the **modify** privilege. Alias: **modpol** -.. _modify_policy_end: - .. _delete_policy: delete_policy @@ -810,8 +792,6 @@ Example:: (yes/no): yes kadmin: -.. _delete_policy_end: - .. _get_policy: get_policy @@ -825,7 +805,7 @@ tabs. This command requires the **inquire** privilege. -Alias: getpol +Alias: **getpol** Examples:: @@ -846,8 +826,6 @@ The "Reference count" is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful. -.. _get_policy_end: - .. _list_policies: list_policies @@ -878,8 +856,6 @@ Examples:: test-pol-nopw kadmin: -.. _list_policies_end: - .. _ktadd: ktadd 
@@ -919,6 +895,8 @@ An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. +Alias: **xst** + Example:: kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu @@ -927,8 +905,6 @@ Example:: FILE:/tmp/foo-new-keytab kadmin: -.. _ktadd_end: - .. _ktremove: ktremove @@ -954,6 +930,8 @@ The options are: **-q** Display less verbose information. +Alias: **ktrem** + Example:: kadmin: ktremove kadmin/admin all @@ -961,8 +939,6 @@ Example:: FILE:/etc/krb5.keytab kadmin: -.. _ktremove_end: - lock ~~~~ @@ -996,7 +972,14 @@ The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kpasswd(1)`, :ref:`kadmind(8)` +:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/kadmind.txt b/doc/html/_sources/admin/admin_commands/kadmind.rst.txt index f5b7733ea33d..7e1482635d0a 100644 --- a/doc/html/_sources/admin/admin_commands/kadmind.txt +++ b/doc/html/_sources/admin/admin_commands/kadmind.rst.txt @@ -23,9 +23,9 @@ DESCRIPTION ----------- kadmind starts the Kerberos administration server. kadmind typically -runs on the master Kerberos server, which stores the KDC database. If -the KDC database uses the LDAP module, the administration server and -the KDC server need not run on the same machine. kadmind accepts +runs on the primary Kerberos server, which stores the KDC database. +If the KDC database uses the LDAP module, the administration server +and the KDC server need not run on the same machine. kadmind accepts remote requests from programs such as :ref:`kadmin(1)` and :ref:`kpasswd(1)` to administer the information in these database. 
@@ -49,14 +49,14 @@ After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the :ref:`kdc.conf(5)` -file with the **iprop_enable** option. Incremental propagation -requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the -master KDC's canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase. +Incremental propagation allows replica KDC servers to receive +principal and policy updates incrementally instead of receiving full +dumps of the database. This facility can be enabled in the +:ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental +propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where +PRIMARY is the primary KDC's canonical host name, and REALM the realm +name). In release 1.13, this principal is automatically created and +registered into the datebase. OPTIONS 
@@ -74,14 +74,13 @@ OPTIONS **-nofork** causes the server to remain in the foreground and remain - associated to the terminal. In normal operation, you should allow - the server to place itself in the background. + associated to the terminal. **-proponly** - causes the server to only listen and respond to Kerberos slave + causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used - to set up a hierarchical propagation topology where a slave KDC - provides incremental updates to other Kerberos slaves. + to set up a hierarchical propagation topology where a replica KDC + provides incremental updates to other Kerberos replicas. **-port** *port-number* specifies the port on which the administration server listens for @@ -100,12 +99,12 @@ OPTIONS **-K** *kprop_path* specifies the path to the kprop command to use to send full dumps - to slaves in response to full resync requests. + to replicas in response to full resync requests. **-k** *kprop_port* - specifies the port by which the kprop process that is spawned by kadmind - connects to the slave kpropd, in order to transfer the dump file during - an iprop full resync request. + specifies the port by which the kprop process that is spawned by + kadmind connects to the replica kpropd, in order to transfer the + dump file during an iprop full resync request. **-F** *dump_file* specifies the file path to be used for dumping the KDB in response @@ -116,8 +115,15 @@ OPTIONS <dboptions>` in :ref:`kadmin(1)` for supported arguments. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, -:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)` +:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` 
diff --git a/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt index cbf313f55a66..73a920f4388a 100644 --- a/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt +++ b/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt @@ -29,6 +29,9 @@ COMMAND-LINE OPTIONS .. _kdb5_ldap_util_options: +**-r** *realm* + Specifies the realm to be operated on. + **-D** *user_dn* Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. @@ -38,8 +41,12 @@ COMMAND-LINE OPTIONS recommended. **-H** *ldapuri* - Specifies the URI of the LDAP server. It is recommended to use - ``ldapi://`` or ``ldaps://`` to connect to the LDAP server. + Specifies the URI of the LDAP server. + +By default, kdb5_ldap_util operates on the default realm (as specified +in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP +server in the same manner as :ref:kadmind(8)` would given the +parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`. .. _kdb5_ldap_util_options_end: @@ -58,9 +65,9 @@ create [**-containerref** *container_reference_dn*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] + [**-M** *mkeyname*] [**-m|-P** *password*\|\ **-sf** *stashfilename*] [**-s**] - [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] @@ -92,6 +99,11 @@ Creates realm in directory. Options: Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. +**-M** *mkeyname* + Specifies the principal name for the master key in the database. + If not specified, the name is determined by the + **master_key_name** variable in :ref:`kdc.conf(5)`. + **-m** Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. 
@@ -100,9 +112,6 @@ Creates realm in directory. Options: Specifies the master database password. This option is not recommended. -**-r** *realm* - Specifies the Kerberos realm of the database. - **-sf** *stashfilename* Specifies the stash file of the master database password. @@ -125,7 +134,7 @@ Creates realm in directory. Options: Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU + -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. @@ -144,7 +153,6 @@ modify [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] - [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] @@ -165,9 +173,6 @@ Modifies the attributes of a realm. Options: container object in which the principals of a realm will be created. -**-r** *realm* - Specifies the Kerberos realm of the database. - **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals in this realm. @@ -183,9 +188,8 @@ Modifies the attributes of a realm. Options: Example:: - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth -r - ATHENA.MIT.EDU + shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H + ldaps://ldap-server1.mit.edu modify +requires_preauth Password for "cn=admin,o=org": shell% 
@@ -196,17 +200,14 @@ view .. _kdb5_ldap_util_view: - **view** [**-r** *realm*] + **view** -Displays the attributes of a realm. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. +Displays the attributes of a realm. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view -r ATHENA.MIT.EDU + -r ATHENA.MIT.EDU view Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org @@ -223,20 +224,17 @@ destroy .. _kdb5_ldap_util_destroy: - **destroy** [**-f**] [**-r** *realm*] + **destroy** [**-f**] Destroys an existing realm. Options: **-f** If specified, will not prompt the user for confirmation. -**-r** *realm* - Specifies the Kerberos realm of the database. - Example:: - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU + shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H + ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes @@ -252,7 +250,7 @@ list **list** -Lists the name of realms. +Lists the names of realms under the container. Example:: @@ -308,7 +306,6 @@ create_policy .. _kdb5_ldap_util_create_policy: **create_policy** - [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] @@ -316,9 +313,6 @@ create_policy Creates a ticket policy in the directory. Options: -**-r** *realm* - Specifies the Kerberos realm of the database. - **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals. 
@@ -339,7 +333,7 @@ Creates a ticket policy in the directory. Options: Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" + -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy Password for "cn=admin,o=org": @@ -352,7 +346,6 @@ modify_policy .. _kdb5_ldap_util_modify_policy: **modify_policy** - [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] @@ -364,7 +357,7 @@ Modifies the attributes of a ticket policy. Options are same as for Example:: kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU + ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy Password for "cn=admin,o=org": @@ -377,18 +370,14 @@ view_policy .. _kdb5_ldap_util_view_policy: **view_policy** - [**-r** *realm*] *policy_name* -Displays the attributes of a ticket policy. Options: - -*policy_name* - Specifies the name of the ticket policy. +Displays the attributes of the named ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view_policy -r ATHENA.MIT.EDU tktpolicy + -r ATHENA.MIT.EDU view_policy tktpolicy Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 @@ -403,15 +392,11 @@ destroy_policy .. _kdb5_ldap_util_destroy_policy: **destroy_policy** - [**-r** *realm*] [**-force**] *policy_name* Destroys an existing ticket policy. Options: -**-r** *realm* - Specifies the Kerberos realm of the database. - **-force** Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. 
@@ -422,7 +407,7 @@ Destroys an existing ticket policy. Options: Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU tktpolicy + -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes @@ -436,18 +421,13 @@ list_policy .. _kdb5_ldap_util_list_policy: **list_policy** - [**-r** *realm*] -Lists the ticket policies in realm if specified or in the default -realm. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. +Lists ticket policies. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - list_policy -r ATHENA.MIT.EDU + -r ATHENA.MIT.EDU list_policy Password for "cn=admin,o=org": tktpolicy tmppolicy @@ -456,7 +436,14 @@ Example:: .. _kdb5_ldap_util_list_policy_end: +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)` +:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/kdb5_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt index 258498f0d6ef..444c58bcd967 100644 --- a/doc/html/_sources/admin/admin_commands/kdb5_util.txt +++ b/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt @@ -12,10 +12,12 @@ SYNOPSIS [**-r** *realm*] [**-d** *dbname*] [**-k** *mkeytype*] -[**-M** *mkeyname*] [**-kv** *mkeyVNO*] -[**-sf** *stashfilename*] +[**-M** *mkeyname*] [**-m**] +[**-sf** *stashfilename*] +[**-P** *password*] +[**-x** *db_args*] *command* [*command_options*] .. _kdb5_util_synopsis_end: @@ -79,6 +81,10 @@ COMMAND-LINE OPTIONS expose the password to other users on the system via the process list. +**-x** *db_args* + specifies database-specific options. See :ref:`kadmin(1)` for + supported options. + .. _kdb5_util_options_end: 
@@ -130,9 +136,10 @@ dump .. _kdb5_util_dump: - **dump** [**-b7**\|\ **-ov**\|\ **-r13**] [**-verbose**] - [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] - [**-recurse**] [*filename* [*principals*...]] + **dump** [**-b7**\|\ **-r13**\|\ **-r18**] + [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** + *mkey_file*] [**-rev**] [**-recurse**] [*filename* + [*principals*...]] Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "kdb5_util @@ -144,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. -**-ov** - causes the dump to be in "ovsec_adm_export" format. - **-r13** causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on @@ -197,8 +201,8 @@ load .. _kdb5_util_load: - **load** [**-b7**\|\ **-ov**\|\ **-r13**] [**-hash**] - [**-verbose**] [**-update**] *filename* [*dbname*] + **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] + [**-verbose**] [**-update**] *filename* Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the @@ -215,10 +219,6 @@ Options: ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. -**-ov** - requires the database to be in "ovsec_adm_import" format. Must be - used with the **-update** option. - **-r13** requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on 
@@ -230,10 +230,11 @@ Options: releases prior to 1.11. **-hash** - requires the database to be stored as a hash. If this option is - not specified, the database will be stored as a btree. This - option is not recommended, as databases stored in hash format are - known to corrupt data and lose principals. + stores the database in hash format, if using the DB2 database + type. If this option is not specified, the database will be + stored in btree format. This option is not recommended, as + databases stored in hash format are known to corrupt data and lose + principals. **-verbose** causes the name of each principal and policy to be printed as it @@ -245,9 +246,6 @@ Options: what is in the dump file and the old one destroyed upon successful completion. -If specified, *dbname* overrides the value specified on the command -line or the default. - .. _kdb5_util_load_end: ark @@ -272,9 +270,9 @@ specifies the encryption type of the new master key; see values. The **-s** option stashes the new master key in the stash file, which will be created if it doesn't already exist. -After a new master key is added, it should be propagated to slave +After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, -the stash files on the slave servers should be updated with the +the stash files on the replica servers should be updated with the kdb5_util **stash** command. Once those steps are complete, the key is ready to be marked active with the kdb5_util **use_mkey** command. 
@@ -478,20 +476,27 @@ Examples:: $ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt + K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo - sqlite> select * from keyinfo where enctype like 'des-cbc-%'; - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + sqlite> select * from keyinfo where enctype like 'aes256-%'; + K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 sqlite> .quit - $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt + K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 + + +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- -:ref:`kadmin(1)` +:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/kprop.txt b/doc/html/_sources/admin/admin_commands/kprop.rst.txt index 726c8cc2fdfd..a118b2625d91 100644 --- a/doc/html/_sources/admin/admin_commands/kprop.txt +++ b/doc/html/_sources/admin/admin_commands/kprop.rst.txt @@ -12,15 +12,15 @@ SYNOPSIS [**-d**] [**-P** *port*] [**-s** *keytab*] -*slave_host* +*replica_host* DESCRIPTION ----------- kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by *slave_host*. The dump file must be created by +from the primary Kerberos server to a replica Kerberos server, which is +specified by *replica_host*. The dump file must be created by :ref:`kdb5_util(8)`. 
@@ -28,12 +28,12 @@ OPTIONS ------- **-r** *realm* - Specifies the realm of the master server. + Specifies the realm of the primary server. **-f** *file* Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally - |kdcdir|\ ``/slave_datatrans``. + |kdcdir|\ ``/replica_datatrans``. **-P** *port* Specifies the port to use to contact the :ref:`kpropd(8)` server @@ -49,12 +49,12 @@ OPTIONS ENVIRONMENT ----------- -*kprop* uses the following environment variable: - -* **KRB5_CONFIG** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- -:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` +:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, +:ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.rst.txt index 5468b06754e1..30c66c7e26a4 100644 --- a/doc/html/_sources/admin/admin_commands/kpropd.txt +++ b/doc/html/_sources/admin/admin_commands/kpropd.rst.txt 
@@ -10,29 +10,31 @@ SYNOPSIS [**-r** *realm*] [**-A** *admin_server*] [**-a** *acl_file*] -[**-f** *slave_dumpfile*] +[**-f** *replica_dumpfile*] [**-F** *principal_database*] [**-p** *kdb5_util_prog*] [**-P** *port*] [**--pid-file**\ =\ *pid_file*] +[**-D**] [**-d**] -[**-t**] +[**-s** *keytab_file*] DESCRIPTION ----------- -The *kpropd* command runs on the slave KDC server. It listens for +The *kpropd* command runs on the replica KDC server. It listens for update requests made by the :ref:`kprop(8)` program. If incremental propagation is enabled, it periodically requests incremental updates -from the master KDC. +from the primary KDC. -When the slave receives a kprop request from the master, kpropd +When the replica receives a kprop request from the primary, kpropd accepts the dumped KDC database and places it in a file, and then runs :ref:`kdb5_util(8)` to load the dumped database into the active -database which is used by :ref:`krb5kdc(8)`. This allows the master +database which is used by :ref:`krb5kdc(8)`. This allows the primary Kerberos server to use :ref:`kprop(8)` to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database. +the replica servers. Upon a successful download of the KDC database +file, the replica Kerberos server will have an up-to-date KDC +database. Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to 
@@ -51,15 +53,15 @@ compatibility but does nothing. Incremental propagation may be enabled with the **iprop_enable** variable in :ref:`kdc.conf(5)`. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the **iprop_slave_poll** variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. :ref:`kproplog(8)` can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal ``kiprop/slavehostname@REALM`` (where -*slavehostname* is the name of the slave KDC host, and *REALM* is the -name of the Kerberos realm) must be present in the slave's keytab -file. +enabled, the replica periodically polls the primary KDC for updates, at +an interval determined by the **iprop_replica_poll** variable. If the +replica receives updates, kpropd updates its log file with any updates +from the primary. :ref:`kproplog(8)` can be used to view a summary of +the update entry log on the replica KDC. If incremental propagation +is enabled, the principal ``kiprop/replicahostname@REALM`` (where +*replicahostname* is the name of the replica KDC host, and *REALM* is +the name of the Kerberos realm) must be present in the replica's +keytab file. :ref:`kproplog(8)` can be used to force full replication when iprop is enabled. 
@@ -69,33 +71,34 @@ OPTIONS -------- **-r** *realm* - Specifies the realm of the master server. + Specifies the realm of the primary server. **-A** *admin_server* Specifies the server to be contacted for incremental updates; by - default, the master admin server is contacted. + default, the primary admin server is contacted. **-f** *file* Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is |kdcdir|\ ``/from_master``. +**-F** *kerberos_db* + Path to the Kerberos database file, if not the default. + **-p** Allows the user to specify the pathname to the :ref:`kdb5_util(8)` program; by default the pathname used is |sbindir|\ ``/kdb5_util``. -**-d** - Turn on debug mode. In this mode, kpropd will not detach - itself from the current job and run in the background. Instead, - it will run in the foreground and print out debugging messages - during the database propagation. +**-D** + In this mode, kpropd will not detach itself from the current job + and run in the background. Instead, it will run in the + foreground. -**-t** - In standalone mode without incremental propagation, exit after one - dump file is received. In incremental propagation mode, exit as - soon as the database is up to date, or if the master returns an - error. +**-d** + Turn on debug mode. kpropd will print out debugging messages + during the database propogation and will run in the foreground + (implies **-D**). **-P** Allow for an alternate port number for kpropd to listen on. This @@ -109,14 +112,12 @@ OPTIONS In standalone mode, write the process ID of the daemon into *pid_file*. +**-s** *keytab_file* + Path to a keytab to use for acquiring acceptor credentials. -ENVIRONMENT ------------ - -kpropd uses the following environment variables: - -* **KRB5_CONFIG** -* **KRB5_KDC_PROFILE** +**-x** *db_args* + Database-specific arguments. See :ref:`Database Options + <dboptions>` in :ref:`kadmin(1)` for supported arguments. FILES 
@@ -129,7 +130,15 @@ kpropd.acl will allow Kerberos database propagation via :ref:`kprop(8)`. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8) +:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, +:ref:`kerberos(7)`, inetd(8) diff --git a/doc/html/_sources/admin/admin_commands/kproplog.txt b/doc/html/_sources/admin/admin_commands/kproplog.rst.txt index ed906398dfaa..3b72cfa032e0 100644 --- a/doc/html/_sources/admin/admin_commands/kproplog.txt +++ b/doc/html/_sources/admin/admin_commands/kproplog.rst.txt 
@@ -16,19 +16,19 @@ DESCRIPTION The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the -update log maintained by the :ref:`kadmind(8)` process on the master -KDC server and the :ref:`kpropd(8)` process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned. +update log maintained by the :ref:`kadmind(8)` process on the primary +KDC server and the :ref:`kpropd(8)` process on the replica KDC +servers. When updates occur, they are logged to this file. +Subsequently any KDC replica configured for incremental updates will +request the current data from the primary KDC and update their log +file with any updates returned. The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. If no options are specified, kproplog displays a summary of the update -log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays +log. If invoked on the primary, kproplog also displays all of the +update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. 
@@ -37,9 +37,10 @@ OPTIONS ------- **-R** - Reset the update log. This forces full resynchronization. If used - on a slave then that slave will request a full resync. If used on - the master then all slaves will request full resyncs. + Reset the update log. This forces full resynchronization. If + used on a replica then that replica will request a full resync. + If used on the primary then all replicas will request full + resyncs. **-h** Display a summary of the update log. This information includes @@ -74,12 +75,11 @@ OPTIONS ENVIRONMENT ----------- -kproplog uses the following environment variables: - -* **KRB5_KDC_PROFILE** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- -:ref:`kpropd(8)` +:ref:`kpropd(8)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/krb5kdc.txt b/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt index 7ec4ee4d3151..631a0de84e50 100644 --- a/doc/html/_sources/admin/admin_commands/krb5kdc.txt +++ b/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt @@ -31,7 +31,9 @@ OPTIONS ------- The **-r** *realm* option specifies the realm for which the server -should provide service. +should provide service. This option may be specified multiple times +to serve multiple realms. If no **-r** option is given, the default +realm (as specified in :ref:`krb5.conf(5)`) will be served. The **-d** *dbname* option specifies the name under which the principal database can be found. This option does not apply to the @@ -39,7 +41,7 @@ LDAP database. The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given; the default -is ``des-cbc-crc``. +is |defmkey|. The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually ``K/M`` in the KDC's realm). 
@@ -48,21 +50,19 @@ The **-m** option specifies that the master database password should be fetched from the keyboard rather than from a stash file. The **-n** option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. In -normal operation, you should always allow the KDC to place itself in -the background. +background and does not disassociate itself from the terminal. The **-P** *pid_file* option tells the KDC to write its PID into *pid_file* after it starts up. This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process. -The **-p** *portnum* option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88. +The **-p** *portnum* option specifies the default UDP and TCP port +numbers which the KDC should listen on for Kerberos version 5 +requests, as a comma-separated list. This value overrides the port +numbers specified in the :ref:`kdcdefaults` section of +:ref:`kdc.conf(5)`, but may be overridden by realm-specific values. +If no value is given from any source, the default port is 88. The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel. 
@@ -72,13 +72,6 @@ will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. -.. note:: - - On operating systems which do not have *pktinfo* support, - using worker processes will prevent the KDC from listening - for UDP packets on network interfaces created after the KDC - starts. - The **-x** *db_args* option specifies database-specific arguments. See :ref:`Database Options <dboptions>` in :ref:`kadmin(1)` for supported arguments. @@ -110,14 +103,12 @@ description for further details. ENVIRONMENT ----------- -krb5kdc uses the following environment variables: - -* **KRB5_CONFIG** -* **KRB5_KDC_PROFILE** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, -:ref:`kdb5_ldap_util(8)` +:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.rst.txt index 2eb19ded2769..fd83f0ad9b9f 100644 --- a/doc/html/_sources/admin/admin_commands/ktutil.txt +++ b/doc/html/_sources/admin/admin_commands/ktutil.rst.txt @@ -13,8 +13,8 @@ DESCRIPTION ----------- The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab or Kerberos -V4 srvtab file. +administrator can read, write, or edit entries in a keytab. (Kerberos +V4 srvtab files are no longer supported.) COMMANDS @@ -23,9 +23,11 @@ COMMANDS list ~~~~ - **list** + **list** [**-t**] [**-k**] [**-e**] -Displays the current keylist. +Displays the current keylist. If **-t**, **-k**, and/or **-e** are +specified, also display the timestamp, key contents, or enctype +(respectively). Alias: **l** 
@@ -38,15 +40,6 @@ Read the Kerberos V5 keytab file *keytab* into the current keylist. Alias: **rkt** -read_st -~~~~~~~ - - **read_st** *srvtab* - -Read the Kerberos V4 srvtab file *srvtab* into the current keylist. - -Alias: **rst** - write_kt ~~~~~~~~ @@ -56,15 +49,6 @@ Write the current keylist into the Kerberos V5 keytab file *keytab*. Alias: **wkt** -write_st -~~~~~~~~ - - **write_st** *srvtab* - -Write the current keylist into the Kerberos V4 srvtab file *srvtab*. - -Alias: **wst** - clear_list ~~~~~~~~~~ @@ -87,9 +71,14 @@ add_entry ~~~~~~~~~ **add_entry** {**-key**\|\ **-password**} **-p** *principal* - **-k** *kvno* **-e** *enctype* [**-s** *salt*] + **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*] -Add *principal* to keylist using key or password. +Add *principal* to keylist using key or password. If the **-f** flag +is specified, salt information will be fetched from the KDC; in this +case the **-e** flag may be omitted, or it may be supplied to force a +particular enctype. If the **-f** flag is not specified, the **-e** +flag must be specified, and the default salt will be used unless +overridden with the **-s** option. Alias: **addent** @@ -123,11 +112,18 @@ EXAMPLE ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes256-cts-hmac-sha1-96 Password for alice@BLEEP.COM: - ktutil: write_kt keytab + ktutil: write_kt alice.keytab ktutil: +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)`, :ref:`kdb5_util(8)` +:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` diff --git a/doc/html/_sources/admin/admin_commands/sserver.txt b/doc/html/_sources/admin/admin_commands/sserver.rst.txt index b4e464466727..a8dcf5d5b4f8 100644 --- a/doc/html/_sources/admin/admin_commands/sserver.txt +++ b/doc/html/_sources/admin/admin_commands/sserver.rst.txt 
@@ -99,7 +99,14 @@ COMMON ERROR MESSAGES probably not installed in the proper directory. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`sclient(1)`, services(5), inetd(8) +:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) |
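Review bot: in the kprop hunk, the ENVIRONMENT section now defers to :ref:`kerberos(7)` instead of naming **KRB5_CONFIG**, and the same substitution is made in every file of this patch; the `kerberos(7)` reference label must exist in this doc tree or Sphinx will report an undefined label on each of these pages. The default dump path also changes from ``/slave_datatrans`` to ``/replica_datatrans``, which silently breaks any existing propagation script that still writes the old name; a one-line note in the **-f** description pointing out the rename would save operators an upgrade surprise.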
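Review bot: in the kpropd SYNOPSIS/DESCRIPTION hunks, the synopsis gains **-s** *keytab_file* while the DESCRIPTION still says the ``kiprop/replicahostname@REALM`` principal "must be present in the replica's keytab file"; now that the keytab can be overridden, that sentence should say which keytab is meant (the default, or the one given with **-s**). The **-t** option is dropped from the synopsis without comment; if the binary still accepts it for compatibility, document it the way the existing "compatibility but does nothing" text does, otherwise note the removal so scripts using it get a clear failure.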
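Review bot: typo in the new **-d** text of the kpropd OPTIONS hunk: "during the database propogation" should read "propagation". In the same hunk the **-f** default is still |kdcdir|\ ``/from_master`` although every other master/slave term in the file was renamed; if the file name is deliberately unchanged so existing installations keep working, say so, otherwise it should follow the new naming. **-F** is called *kerberos_db* in OPTIONS but *principal_database* in the synopsis; use one name. The **-s** description ("acquiring acceptor credentials") should also state the default keytab used when **-s** is absent, since that is the file an administrator has to provision.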
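Review bot: grammar in the kproplog DESCRIPTION hunk: "any KDC replica configured for incremental updates will request the current data from the primary KDC and update their log file" has a singular subject, so "their log file" should be "its log file". The rest of the kproplog and **-R** changes are straight slave/replica and master/primary renames and read fine.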
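Review bot: in the krb5kdc hunks, the **-k** default changes from ``des-cbc-crc`` to the substitution |defmkey|; that substitution must be defined alongside |kdcdir| and |sbindir| (in the Sphinx configuration or epilog) or the page renders with an unresolved reference. The removal of the ``.. note::`` about worker processes on systems without *pktinfo* support is not explained by the surrounding text: if the limitation was fixed, the commit message should say so; if it still applies, the note should stay, because it describes a real failure mode (new interfaces not being served) that an operator running **-w** needs to know about. Dropping "you should always allow the KDC to place itself in the background" from **-n** is fine given **-D**/**-n** style foreground operation under a service manager.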
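Review bot: in the ktutil hunks, the new **list** text "also display the timestamp, key contents, or enctype" should read "also displays" to agree with "Displays the current keylist". The new **add_entry** **-f** text says salt information "will be fetched from the KDC"; it should state plainly that this requires contacting the KDC, so the command cannot be used offline and must be given a reachable realm configuration, whereas the **-e** plus default-salt path works without network access. Removing the V4 srvtab commands (read_st/write_st) is consistent with the DESCRIPTION change, and the EXAMPLE's ``write_kt alice.keytab`` is clearer than the old generic ``keytab`` name.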
