Diffstat (limited to 'kuser/kinit.1')
-rw-r--r-- | kuser/kinit.1 | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/kuser/kinit.1 b/kuser/kinit.1 index 65d733d96ee3..bb3c90af1b5e 100644 --- a/kuser/kinit.1 +++ b/kuser/kinit.1 @@ -166,11 +166,21 @@ in .It Fl A , Fl Fl no-addresses Request a ticket with no addresses. .It Fl n , Fl Fl anonymous -Request an anonymous ticket. If the principal is specified as @REALM, then +Request an anonymous ticket. +With the default (false) setting of the +.Ar historical_anon_pkinit +configuration parameter, if the principal is specified as @REALM, then anonymous PKINIT will be used to acquire an unauthenticated anonymous ticket -and both the client name and realm in the returned ticket will be anonymized. +and both the client name and (with fully RFC-comformant KDCs) realm in the +returned ticket will be anonymized. Otherwise, authentication proceeds as normal and the anonymous ticket will have only the client name anonymized. +With +.Ar historical_anon_pkinit +set to +.Li true , +the principal is interpreted as a realm even without an at-sign prefix, and it +is not possible to obtain authenticated anonymized tickets. .It Fl Fl enterprise Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of |
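Review bot: "RFC-comformant" in the added line "and both the client name and (with fully RFC-comformant KDCs) realm in the" is misspelled and should read "RFC-conformant". The same parenthetical leaves open what a KDC that is not fully conformant returns for the realm. Since users of -n rely on this for anonymity, a clause stating the outcome in that case would help. The new text also names historical_anon_pkinit twice without saying where the parameter is set. Naming the configuration file and section, or adding an .Xr cross-reference to the page that documents it, would let a reader find it. Note too that .Ar is the mdoc macro for command arguments, so another macro may suit a configuration parameter better.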