Subject: [PATCH] Move kadmin and ktutil to /usr/bin.
Author: Jelmer Vernooij <jelmer@samba.org>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=168170
Status: merged upstream, 5fd158db474838c3e2fa7e50c2920fdb771c3a51

---
 admin/Makefile.am   |   4 +-
 admin/ktutil.1      | 124 ++++++++++++++++++
 admin/ktutil.8      | 124 ------------------
 kadmin/Makefile.am  |   4 +-
 kadmin/kadmin.1     | 362 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 kadmin/kadmin.8     | 362 ----------------------------------------------------
 kadmin/kadmind.8    |   2 +-
 lib/krb5/kerberos.8 |   4 +-
 8 files changed, 493 insertions(+), 493 deletions(-)
 create mode 100644 admin/ktutil.1
 delete mode 100644 admin/ktutil.8
 create mode 100644 kadmin/kadmin.1
 delete mode 100644 kadmin/kadmin.8

diff --git a/admin/Makefile.am b/admin/Makefile.am
index 7bb5ef5..21d0157 100644
--- a/admin/Makefile.am
+++ b/admin/Makefile.am
@@ -4,9 +4,9 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto)
 
-man_MANS = ktutil.8
+man_MANS = ktutil.1
 
-sbin_PROGRAMS = ktutil
+bin_PROGRAMS = ktutil
 
 dist_ktutil_SOURCES =				\
 	add.c					\
diff --git a/admin/ktutil.1 b/admin/ktutil.1
new file mode 100644
index 0000000..a905419
--- /dev/null
+++ b/admin/ktutil.1
@@ -0,0 +1,124 @@
+.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd April 14, 2005
+.Dt KTUTIL 1
+.Os HEIMDAL
+.Sh NAME
+.Nm ktutil
+.Nd manage Kerberos keytabs
+.Sh SYNOPSIS
+.Nm
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl Fl keytab= Ns Ar keytab
+.Xc
+.Oc
+.Op Fl v | Fl Fl verbose
+.Op Fl Fl version
+.Op Fl h | Fl Fl help
+.Ar command
+.Op Ar args
+.Sh DESCRIPTION
+.Nm
+is a program for managing keytabs.
+Supported options:
+.Bl -tag -width Ds
+.It Fl v , Fl Fl verbose
+Verbose output.
+.El
+.Pp
+.Ar command
+can be one of the following:
+.Bl -tag -width srvconvert
+.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
+Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
+Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
+Adds a key to the keytab. Options that are not specified will be
+prompted for. This requires that you know the password or the hex key of the
+principal to add; if what you really want is to add a new principal to
+the keytab, you should consider the
+.Ar get
+command, which talks to the kadmin server.
+.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
+Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
+Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
+Update one or several keys to new versions.  By default, use the admin
+server for the realm of a keytab entry.  Otherwise it will use the
+values specified by the options.
+.Pp
+If no principals are given, all the ones in the keytab are updated.
+.It copy Ar keytab-src Ar keytab-dest
+Copies all the entries from
+.Ar keytab-src
+to
+.Ar keytab-dest .
+.It get Oo Fl p Ar admin principal Oc \
+Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
+Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
+Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
+Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
+For each
+.Ar principal ,
+generate a new key for it (creating it if it doesn't already exist),
+and put that key in the keytab.
+.Pp
+If no
+.Ar realm
+is specified, the realm to operate on is taken from the first
+principal.
+.It list Oo Fl Fl keys Oc Op Fl Fl timestamp
+List the keys stored in the keytab.
+.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
+Oo Fl Fl enctype= Ns Ar enctype Oc
+Removes the specified key or keys. Not specifying a
+.Ar kvno
+removes keys with any version number. Not specifying an
+.Ar enctype
+removes keys of any type.
+.It rename Ar from-principal Ar to-principal
+Renames all entries in the keytab that match the
+.Ar from-principal
+to
+.Ar to-principal .
+.It purge Op Fl Fl age= Ns Ar age
+Removes all old versions of a key for which there is a newer version
+that is at least
+.Ar age
+(default one week) old.
+.El
+.Sh SEE ALSO
+.Xr kadmin 1
diff --git a/admin/ktutil.8 b/admin/ktutil.8
deleted file mode 100644
index 72a6c81..0000000
--- a/admin/ktutil.8
+++ /dev/null
@@ -1,124 +0,0 @@
-.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\"    may be used to endorse or promote products derived from this software
-.\"    without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id$
-.\"
-.Dd April 14, 2005
-.Dt KTUTIL 8
-.Os HEIMDAL
-.Sh NAME
-.Nm ktutil
-.Nd manage Kerberos keytabs
-.Sh SYNOPSIS
-.Nm
-.Oo Fl k Ar keytab \*(Ba Xo
-.Fl Fl keytab= Ns Ar keytab
-.Xc
-.Oc
-.Op Fl v | Fl Fl verbose
-.Op Fl Fl version
-.Op Fl h | Fl Fl help
-.Ar command
-.Op Ar args
-.Sh DESCRIPTION
-.Nm
-is a program for managing keytabs.
-Supported options:
-.Bl -tag -width Ds
-.It Fl v , Fl Fl verbose
-Verbose output.
-.El
-.Pp
-.Ar command
-can be one of the following:
-.Bl -tag -width srvconvert
-.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
-Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
-Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
-Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \
-Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex
-Adds a key to the keytab. Options that are not specified will be
-prompted for. This requires that you know the password or the hex key of the
-principal to add; if what you really want is to add a new principal to
-the keytab, you should consider the
-.Ar get
-command, which talks to the kadmin server.
-.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
-Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
-Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port
-Update one or several keys to new versions.  By default, use the admin
-server for the realm of a keytab entry.  Otherwise it will use the
-values specified by the options.
-.Pp
-If no principals are given, all the ones in the keytab are updated.
-.It copy Ar keytab-src Ar keytab-dest
-Copies all the entries from
-.Ar keytab-src
-to
-.Ar keytab-dest .
-.It get Oo Fl p Ar admin principal Oc \
-Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
-Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
-Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
-Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
-Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
-For each
-.Ar principal ,
-generate a new key for it (creating it if it doesn't already exist),
-and put that key in the keytab.
-.Pp
-If no
-.Ar realm
-is specified, the realm to operate on is taken from the first
-principal.
-.It list Oo Fl Fl keys Oc Op Fl Fl timestamp
-List the keys stored in the keytab.
-.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
-Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
-Oo Fl Fl enctype= Ns Ar enctype Oc
-Removes the specified key or keys. Not specifying a
-.Ar kvno
-removes keys with any version number. Not specifying an
-.Ar enctype
-removes keys of any type.
-.It rename Ar from-principal Ar to-principal
-Renames all entries in the keytab that match the
-.Ar from-principal
-to
-.Ar to-principal .
-.It purge Op Fl Fl age= Ns Ar age
-Removes all old versions of a key for which there is a newer version
-that is at least
-.Ar age
-(default one week) old.
-.El
-.Sh SEE ALSO
-.Xr kadmin 8
diff --git a/kadmin/Makefile.am b/kadmin/Makefile.am
index 96e4c2f..a26c3cc 100644
--- a/kadmin/Makefile.am
+++ b/kadmin/Makefile.am
@@ -4,11 +4,11 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_readline) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5 -I$(top_builddir)/include/gssapi
 
-sbin_PROGRAMS = kadmin
+bin_PROGRAMS = kadmin
 
 libexec_PROGRAMS = kadmind
 
-man_MANS = kadmin.8 kadmind.8
+man_MANS = kadmin.1 kadmind.8
 
 noinst_PROGRAMS = add_random_users
 
diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1
new file mode 100644
index 0000000..ca61f71
--- /dev/null
+++ b/kadmin/kadmin.1
@@ -0,0 +1,362 @@
+.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd Feb  22, 2007
+.Dt KADMIN 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmin
+.Nd Kerberos administration utility
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
+.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
+.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
+.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
+.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
+.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
+.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
+.Op Fl l | Fl Fl local
+.Op Fl h | Fl Fl help
+.Op Fl v | Fl Fl version
+.Op Ar command
+.Ek
+.Sh DESCRIPTION
+The
+.Nm
+program is used to make modifications to the Kerberos database, either remotely via the
+.Xr kadmind 8
+daemon, or locally (with the
+.Fl l
+option).
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl p Ar string , Fl Fl principal= Ns Ar string
+principal to authenticate as
+.It Fl K Ar string , Fl Fl keytab= Ns Ar string
+keytab for authentication principal
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
+location of config file
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
+location of master key file
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
+realm to use
+.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
+server to contact
+.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
+port to use
+.It Fl l , Fl Fl local
+local admin mode
+.El
+.Pp
+If no
+.Ar command
+is given on the command line,
+.Nm
+will prompt for commands to process. Some of the commands that take
+one or more principals as argument
+.Ns ( Nm delete ,
+.Nm ext_keytab ,
+.Nm get ,
+.Nm modify ,
+and
+.Nm passwd )
+will accept a glob style wildcard, and perform the operation on all
+matching principals.
+.Pp
+Commands include:
+.\" not using a list here, since groff apparently gets confused
+.\" with nested Xo/Xc
+.Pp
+.Nm add
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl random-password
+.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
+.Op Fl Fl key= Ns Ar string
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl attributes= Ns Ar attributes
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
+.Op Fl Fl policy= Ns Ar policy-name
+.Ar principal...
+.Bd -ragged -offset indent
+Adds a new principal to the database. The options not passed on the
+command line will be promped for.
+The only policy supported by Heimdal servers is
+.Q1 default .
+.Ed
+.Pp
+.Nm add_enctype
+.Op Fl r | Fl Fl random-key
+.Ar principal enctypes...
+.Pp
+.Bd -ragged -offset indent
+Adds a new encryption type to the principal, only random key are
+supported.
+.Ed
+.Pp
+.Nm delete
+.Ar principal...
+.Bd -ragged -offset indent
+Removes a principal.
+.Ed
+.Pp
+.Nm del_enctype
+.Ar principal enctypes...
+.Bd -ragged -offset indent
+Removes some enctypes from a principal; this can be useful if the
+service belonging to the principal is known to not handle certain
+enctypes.
+.Ed
+.Pp
+.Nm ext_keytab
+.Oo Fl k Ar string \*(Ba Xo
+.Fl Fl keytab= Ns Ar string
+.Xc
+.Oc
+.Ar principal...
+.Bd -ragged -offset indent
+Creates a keytab with the keys of the specified principals.  Requires
+get-keys rights, otherwise the principal's keys are changed and saved in
+the keytab.
+.Ed
+.Pp
+.Nm get
+.Op Fl l | Fl Fl long
+.Op Fl s | Fl Fl short
+.Op Fl t | Fl Fl terse
+.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
+.Ar principal...
+.Bd -ragged -offset indent
+Lists the matching principals, short prints the result as a table,
+while long format produces a more verbose output. Which columns to
+print can be selected with the
+.Fl o
+option. The argument is a comma separated list of column names
+optionally appended with an equal sign
+.Pq Sq =
+and a column header. Which columns are printed by default differ
+slightly between short and long output.
+.Pp
+The default terse output format is similar to
+.Fl s o Ar principal= ,
+just printing the names of matched principals.
+.Pp
+Possible column names include:
+.Li principal ,
+.Li princ_expire_time ,
+.Li pw_expiration ,
+.Li last_pwd_change ,
+.Li max_life ,
+.Li max_rlife ,
+.Li mod_time ,
+.Li mod_name ,
+.Li attributes ,
+.Li kvno ,
+.Li mkvno ,
+.Li last_success ,
+.Li last_failed ,
+.Li fail_auth_count ,
+.Li policy ,
+and
+.Li keytypes .
+.Ed
+.Pp
+.Nm modify
+.Oo Fl a Ar attributes \*(Ba Xo
+.Fl Fl attributes= Ns Ar attributes
+.Xc
+.Oc
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
+.Op Fl Fl kvno= Ns Ar number
+.Op Fl Fl policy= Ns Ar policy-name
+.Ar principal...
+.Bd -ragged -offset indent
+Modifies certain attributes of a principal. If run without command
+line options, you will be prompted. With command line options, it will
+only change the ones specified.
+.Pp
+Only policy supported by Heimdal is
+.Q1 default .
+.Pp
+Possible attributes are:
+.Li new-princ ,
+.Li support-desmd5 ,
+.Li pwchange-service ,
+.Li disallow-svr ,
+.Li requires-pw-change ,
+.Li requires-hw-auth ,
+.Li requires-pre-auth ,
+.Li disallow-all-tix ,
+.Li disallow-dup-skey ,
+.Li disallow-proxiable ,
+.Li disallow-renewable ,
+.Li disallow-tgt-based ,
+.Li disallow-forwardable ,
+.Li disallow-postdated
+.Pp
+Attributes may be negated with a "-", e.g.,
+.Pp
+kadmin -l modify -a -disallow-proxiable user
+.Ed
+.Pp
+.Nm passwd
+.Op Fl Fl keepold
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl Fl password= Ns Ar string
+.Xc
+.Oc
+.Op Fl Fl key= Ns Ar string
+.Ar principal...
+.Bd -ragged -offset indent
+Changes the password of an existing principal.
+.Ed
+.Pp
+.Nm password-quality
+.Ar principal
+.Ar password
+.Bd -ragged -offset indent
+Run the password quality check function locally.
+You can run this on the host that is configured to run the kadmind
+process to verify that your configuration file is correct.
+The verification is done locally, if kadmin is run in remote mode,
+no rpc call is done to the server.
+.Ed
+.Pp
+.Nm privileges
+.Bd -ragged -offset indent
+Lists the operations you are allowed to perform. These include
+.Li add ,
+.Li add_enctype ,
+.Li change-password ,
+.Li delete ,
+.Li del_enctype ,
+.Li get ,
+.Li get-keys ,
+.Li list ,
+and
+.Li modify .
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Bd -ragged -offset indent
+Renames a principal. This is normally transparent, but since keys are
+salted with the principal name, they will have a non-standard salt,
+and clients which are unable to cope with this will fail. Kerberos 4
+suffers from this.
+.Ed
+.Pp
+.Nm check
+.Op Ar realm
+.Pp
+.Bd -ragged -offset indent
+Check database for strange configurations on important principals. If
+no realm is given, the default realm is used.
+.Ed
+.Pp
+When running in local mode, the following commands can also be used:
+.Pp
+.Nm dump
+.Op Fl d | Fl Fl decrypt
+.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
+.Op Ar dump-file
+.Bd -ragged -offset indent
+Writes the database in
+.Dq machine readable text
+form to the specified file, or standard out. If the database is
+encrypted, the dump will also have encrypted keys, unless
+.Fl Fl decrypt
+is used.  If
+.Fl Fl format=MIT
+is used then the dump will be in MIT format.  Otherwise it will be in
+Heimdal format.
+.Ed
+.Pp
+.Nm init
+.Op Fl Fl realm-max-ticket-life= Ns Ar string
+.Op Fl Fl realm-max-renewable-life= Ns Ar string
+.Ar realm
+.Bd -ragged -offset indent
+Initializes the Kerberos database with entries for a new realm. It's
+possible to have more than one realm served by one server.
+.Ed
+.Pp
+.Nm load
+.Ar file
+.Bd -ragged -offset indent
+Reads a previously dumped database, and re-creates that database from
+scratch.
+.Ed
+.Pp
+.Nm merge
+.Ar file
+.Bd -ragged -offset indent
+Similar to
+.Nm load
+but just modifies the database with the entries in the dump file.
+.Ed
+.Pp
+.Nm stash
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl Fl enctype= Ns Ar enctype
+.Xc
+.Oc
+.Oo Fl k Ar keyfile \*(Ba Xo
+.Fl Fl key-file= Ns Ar keyfile
+.Xc
+.Oc
+.Op Fl Fl convert-file
+.Op Fl Fl master-key-fd= Ns Ar fd
+.Bd -ragged -offset indent
+Writes the Kerberos master key to a file used by the KDC.
+.Ed
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kadmind 8 ,
+.Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/kadmin/kadmin.8 b/kadmin/kadmin.8
deleted file mode 100644
index cce545a..0000000
--- a/kadmin/kadmin.8
+++ /dev/null
@@ -1,361 +0,0 @@
-.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\"    may be used to endorse or promote products derived from this software
-.\"    without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id$
-.\"
-.Dd Feb  22, 2007
-.Dt KADMIN 8
-.Os HEIMDAL
-.Sh NAME
-.Nm kadmin
-.Nd Kerberos administration utility
-.Sh SYNOPSIS
-.Nm
-.Bk -words
-.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
-.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
-.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
-.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
-.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
-.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
-.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
-.Op Fl l | Fl Fl local
-.Op Fl h | Fl Fl help
-.Op Fl v | Fl Fl version
-.Op Ar command
-.Ek
-.Sh DESCRIPTION
-The
-.Nm
-program is used to make modifications to the Kerberos database, either remotely via the
-.Xr kadmind 8
-daemon, or locally (with the
-.Fl l
-option).
-.Pp
-Supported options:
-.Bl -tag -width Ds
-.It Fl p Ar string , Fl Fl principal= Ns Ar string
-principal to authenticate as
-.It Fl K Ar string , Fl Fl keytab= Ns Ar string
-keytab for authentication principal
-.It Fl c Ar file , Fl Fl config-file= Ns Ar file
-location of config file
-.It Fl k Ar file , Fl Fl key-file= Ns Ar file
-location of master key file
-.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
-realm to use
-.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
-server to contact
-.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
-port to use
-.It Fl l , Fl Fl local
-local admin mode
-.El
-.Pp
-If no
-.Ar command
-is given on the command line,
-.Nm
-will prompt for commands to process. Some of the commands that take
-one or more principals as argument
-.Ns ( Nm delete ,
-.Nm ext_keytab ,
-.Nm get ,
-.Nm modify ,
-and
-.Nm passwd )
-will accept a glob style wildcard, and perform the operation on all
-matching principals.
-.Pp
-Commands include:
-.\" not using a list here, since groff apparently gets confused
-.\" with nested Xo/Xc
-.Pp
-.Nm add
-.Op Fl r | Fl Fl random-key
-.Op Fl Fl random-password
-.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
-.Op Fl Fl key= Ns Ar string
-.Op Fl Fl max-ticket-life= Ns Ar lifetime
-.Op Fl Fl max-renewable-life= Ns Ar lifetime
-.Op Fl Fl attributes= Ns Ar attributes
-.Op Fl Fl expiration-time= Ns Ar time
-.Op Fl Fl pw-expiration-time= Ns Ar time
-.Op Fl Fl policy= Ns Ar policy-name
-.Ar principal...
-.Bd -ragged -offset indent
-Adds a new principal to the database. The options not passed on the
-command line will be promped for.
-The only policy supported by Heimdal servers is
-.Q1 default .
-.Ed
-.Pp
-.Nm add_enctype
-.Op Fl r | Fl Fl random-key
-.Ar principal enctypes...
-.Pp
-.Bd -ragged -offset indent
-Adds a new encryption type to the principal, only random key are
-supported.
-.Ed
-.Pp
-.Nm delete
-.Ar principal...
-.Bd -ragged -offset indent
-Removes a principal.
-.Ed
-.Pp
-.Nm del_enctype
-.Ar principal enctypes...
-.Bd -ragged -offset indent
-Removes some enctypes from a principal; this can be useful if the
-service belonging to the principal is known to not handle certain
-enctypes.
-.Ed
-.Pp
-.Nm ext_keytab
-.Oo Fl k Ar string \*(Ba Xo
-.Fl Fl keytab= Ns Ar string
-.Xc
-.Oc
-.Ar principal...
-.Bd -ragged -offset indent
-Creates a keytab with the keys of the specified principals.  Requires
-get-keys rights.
-.Ed
-.Pp
-.Nm get
-.Op Fl l | Fl Fl long
-.Op Fl s | Fl Fl short
-.Op Fl t | Fl Fl terse
-.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
-.Ar principal...
-.Bd -ragged -offset indent
-Lists the matching principals, short prints the result as a table,
-while long format produces a more verbose output. Which columns to
-print can be selected with the
-.Fl o
-option. The argument is a comma separated list of column names
-optionally appended with an equal sign
-.Pq Sq =
-and a column header. Which columns are printed by default differ
-slightly between short and long output.
-.Pp
-The default terse output format is similar to
-.Fl s o Ar principal= ,
-just printing the names of matched principals.
-.Pp
-Possible column names include:
-.Li principal ,
-.Li princ_expire_time ,
-.Li pw_expiration ,
-.Li last_pwd_change ,
-.Li max_life ,
-.Li max_rlife ,
-.Li mod_time ,
-.Li mod_name ,
-.Li attributes ,
-.Li kvno ,
-.Li mkvno ,
-.Li last_success ,
-.Li last_failed ,
-.Li fail_auth_count ,
-.Li policy ,
-and
-.Li keytypes .
-.Ed
-.Pp
-.Nm modify
-.Oo Fl a Ar attributes \*(Ba Xo
-.Fl Fl attributes= Ns Ar attributes
-.Xc
-.Oc
-.Op Fl Fl max-ticket-life= Ns Ar lifetime
-.Op Fl Fl max-renewable-life= Ns Ar lifetime
-.Op Fl Fl expiration-time= Ns Ar time
-.Op Fl Fl pw-expiration-time= Ns Ar time
-.Op Fl Fl kvno= Ns Ar number
-.Op Fl Fl policy= Ns Ar policy-name
-.Ar principal...
-.Bd -ragged -offset indent
-Modifies certain attributes of a principal. If run without command
-line options, you will be prompted. With command line options, it will
-only change the ones specified.
-.Pp
-Only policy supported by Heimdal is
-.Q1 default .
-.Pp
-Possible attributes are:
-.Li new-princ ,
-.Li support-desmd5 ,
-.Li pwchange-service ,
-.Li disallow-svr ,
-.Li requires-pw-change ,
-.Li requires-hw-auth ,
-.Li requires-pre-auth ,
-.Li disallow-all-tix ,
-.Li disallow-dup-skey ,
-.Li disallow-proxiable ,
-.Li disallow-renewable ,
-.Li disallow-tgt-based ,
-.Li disallow-forwardable ,
-.Li disallow-postdated
-.Pp
-Attributes may be negated with a "-", e.g.,
-.Pp
-kadmin -l modify -a -disallow-proxiable user
-.Ed
-.Pp
-.Nm passwd
-.Op Fl Fl keepold
-.Op Fl r | Fl Fl random-key
-.Op Fl Fl random-password
-.Oo Fl p Ar string \*(Ba Xo
-.Fl Fl password= Ns Ar string
-.Xc
-.Oc
-.Op Fl Fl key= Ns Ar string
-.Ar principal...
-.Bd -ragged -offset indent
-Changes the password of an existing principal.
-.Ed
-.Pp
-.Nm password-quality
-.Ar principal
-.Ar password
-.Bd -ragged -offset indent
-Run the password quality check function locally.
-You can run this on the host that is configured to run the kadmind
-process to verify that your configuration file is correct.
-The verification is done locally, if kadmin is run in remote mode,
-no rpc call is done to the server.
-.Ed
-.Pp
-.Nm privileges
-.Bd -ragged -offset indent
-Lists the operations you are allowed to perform. These include
-.Li add ,
-.Li add_enctype ,
-.Li change-password ,
-.Li delete ,
-.Li del_enctype ,
-.Li get ,
-.Li get-keys ,
-.Li list ,
-and
-.Li modify .
-.Ed
-.Pp
-.Nm rename
-.Ar from to
-.Bd -ragged -offset indent
-Renames a principal. This is normally transparent, but since keys are
-salted with the principal name, they will have a non-standard salt,
-and clients which are unable to cope with this will fail. Kerberos 4
-suffers from this.
-.Ed
-.Pp
-.Nm check
-.Op Ar realm
-.Pp
-.Bd -ragged -offset indent
-Check database for strange configurations on important principals. If
-no realm is given, the default realm is used.
-.Ed
-.Pp
-When running in local mode, the following commands can also be used:
-.Pp
-.Nm dump
-.Op Fl d | Fl Fl decrypt
-.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
-.Op Ar dump-file
-.Bd -ragged -offset indent
-Writes the database in
-.Dq machine readable text
-form to the specified file, or standard out. If the database is
-encrypted, the dump will also have encrypted keys, unless
-.Fl Fl decrypt
-is used.  If
-.Fl Fl format=MIT
-is used then the dump will be in MIT format.  Otherwise it will be in
-Heimdal format.
-.Ed
-.Pp
-.Nm init
-.Op Fl Fl realm-max-ticket-life= Ns Ar string
-.Op Fl Fl realm-max-renewable-life= Ns Ar string
-.Ar realm
-.Bd -ragged -offset indent
-Initializes the Kerberos database with entries for a new realm. It's
-possible to have more than one realm served by one server.
-.Ed
-.Pp
-.Nm load
-.Ar file
-.Bd -ragged -offset indent
-Reads a previously dumped database, and re-creates that database from
-scratch.
-.Ed
-.Pp
-.Nm merge
-.Ar file
-.Bd -ragged -offset indent
-Similar to
-.Nm load
-but just modifies the database with the entries in the dump file.
-.Ed
-.Pp
-.Nm stash
-.Oo Fl e Ar enctype \*(Ba Xo
-.Fl Fl enctype= Ns Ar enctype
-.Xc
-.Oc
-.Oo Fl k Ar keyfile \*(Ba Xo
-.Fl Fl key-file= Ns Ar keyfile
-.Xc
-.Oc
-.Op Fl Fl convert-file
-.Op Fl Fl master-key-fd= Ns Ar fd
-.Bd -ragged -offset indent
-Writes the Kerberos master key to a file used by the KDC.
-.Ed
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr kadmind 8 ,
-.Xr kdc 8
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
-.\".Sh BUGS
diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8
index 453b8e7..f666159 100644
--- a/kadmin/kadmind.8
+++ b/kadmin/kadmind.8
@@ -158,6 +158,6 @@ mallory/admin@EXAMPLE.COM  add,get-keys  host/*@EXAMPLE.COM
 .\".Sh DIAGNOSTICS
 .Sh SEE ALSO
 .Xr kpasswd 1 ,
-.Xr kadmin 8 ,
+.Xr kadmin 1 ,
 .Xr kdc 8 ,
 .Xr kpasswdd 8
diff --git a/lib/krb5/kerberos.8 b/lib/krb5/kerberos.8
index 1465a5b..d54ced5 100644
--- a/lib/krb5/kerberos.8
+++ b/lib/krb5/kerberos.8
@@ -85,9 +85,9 @@ For setup instructions see the Heimdal Texinfo manual.
 .Xr telnet 1 ,
 .Xr krb5 3 ,
 .Xr krb5.conf 5 ,
-.Xr kadmin 8 ,
+.Xr kadmin 1 ,
 .Xr kdc 8 ,
-.Xr ktutil 8
+.Xr ktutil 1
 .Sh HISTORY
 The Kerberos authentication system was developed in the late 1980's as
 part of the Athena Project at the Massachusetts Institute of
