Update manpages

src/man/k5identity.man

@@ -1,4 +1,6 @@
-.TH "K5IDENTITY" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5IDENTITY" "5" " " "1.14" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The .k5identity file, which resides in a user\(aqs home directory,
@@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/k5login.man

@@ -1,4 +1,6 @@
-.TH "K5LOGIN" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5LOGIN" "5" " " "1.14" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The .k5login file, which resides in a user\(aqs home directory, contains
@@ -41,7 +41,7 @@ administrators remote root access to the host via Kerberos.
 .SH EXAMPLES
 .sp
 Suppose the user \fBalice\fP had a .k5login file in her home directory
-containing the following line:
+containing just the following line:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -55,7 +55,12 @@ bob@FOOBAR.ORG
 .sp
 This would allow \fBbob\fP to use Kerberos network applications, such as
 ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
-tickets.
+tickets.  In a default configuration (with \fBk5login_authoritative\fP set
+to true in \fIkrb5.conf(5)\fP), this .k5login file would not let
+\fBalice\fP use those network applications to access her account, since
+she is not listed!  With no .k5login file, or with \fBk5login_authoritative\fP
+set to false, a default rule would permit the principal \fBalice\fP in the
+machine\(aqs default realm to access the \fBalice\fP account.
 .sp
 Let us further suppose that \fBalice\fP is a system administrator.
 Alice and the other system administrators would have their principals
@@ -86,6 +91,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/k5srvutil.man

@@ -1,4 +1,6 @@
-.TH "K5SRVUTIL" "1" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "K5SRVUTIL" "1" " " "1.14" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH SYNOPSIS
 .sp
 \fBk5srvutil\fP \fIoperation\fP
@@ -84,6 +84,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kadm5.acl.man

@@ -1,4 +1,6 @@
-.TH "KADM5.ACL" "5" " " "1.13" "MIT Kerberos"
+.\" Man page generated from reStructuredText.
+.
+.TH "KADM5.ACL" "5" " " "1.14" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
@@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructuredText.
-.
 .SH DESCRIPTION
 .sp
 The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
@@ -39,7 +39,7 @@ which principals can operate on which other principals.
 .sp
 The default location of the Kerberos ACL file is
 \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP  unless this is overridden by the \fIacl_file\fP
-variable in \fIkdc.conf(5)\fP.
+variable in \fIkdc.conf(5)\fP\&.
 .SH SYNTAX
 .sp
 Empty lines and lines starting with the sharp sign (\fB#\fP) are
@@ -54,10 +54,14 @@ principal  permissions  [target_principal  [restrictions] ]
 .fi
 .UNINDENT
 .UNINDENT
-.IP Note
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
 Line order in the ACL file is important.  The first matching entry
 will control access for an actor principal on a target principal.
-.RE
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .TP
 .B \fIprincipal\fP
@@ -105,7 +109,7 @@ _
 T{
 l
 T}	T{
-[Dis]allows the listing of principals or policies
+[Dis]allows the listing of all principals or policies
 T}
 _
 T{
@@ -129,7 +133,7 @@ _
 T{
 x
 T}	T{
-Short for admcil. All privileges
+Short for admcilsp. All privileges
 T}
 _
 T{
@@ -148,7 +152,7 @@ character.
 .sp
 \fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
 in which \fB*number\fP matches the corresponding wildcard in
-\fIprincipal\fP.
+\fIprincipal\fP\&.
 .TP
 .B \fIrestrictions\fP
 (Optional) A string of flags. Allowed restrictions are:
@@ -158,14 +162,14 @@ in which \fB*number\fP matches the corresponding wildcard in
 .TP
 .B {+|\-}\fIflagname\fP
 flag is forced to the indicated value.  The permissible flags
-are the same as the + and \- flags for the kadmin
-\fIadd_principal\fP and \fImodify_principal\fP commands.
+are the same as those for the \fBdefault_principal_flags\fP
+variable in \fIkdc.conf(5)\fP\&.
 .TP
 .B \fI\-clearpolicy\fP
 policy is forced to be empty.
 .TP
 .B \fI\-policy pol\fP
-policy is forced to be \fIpol\fP.
+policy is forced to be \fIpol\fP\&.
 .TP
 .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
 (\fIgetdate\fP string) associated value will be forced to
@@ -177,24 +181,28 @@ MIN(\fItime\fP, requested value).
 The above flags act as restrictions on any add or modify operation
 which is allowed due to that ACL line.
 .UNINDENT
-.IP Warning
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
 If the kadmind ACL file is modified, the kadmind daemon needs to be
 restarted for changes to take effect.
-.RE
+.UNINDENT
+.UNINDENT
 .SH EXAMPLE
 .sp
-Here is an example of a kadm5.acl file.
+Here is an example of a kadm5.acl file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-*/admin@ATHENA.MIT.EDU        *                           # line 1
+*/admin@ATHENA.MIT.EDU    *                               # line 1
 joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
-joeadmin/*@ATHENA.MIT.EDU il  */root@ATHENA.MIT.EDU       # line 3
-*/root@ATHENA.MIT.EDU     cil *1@ATHENA.MIT.EDU           # line 4
-*/*@ATHENA.MIT.EDU        i                               # line 5
-*/admin@EXAMPLE.COM       x   * \-maxlife 9h \-postdateable # line 6
+joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
+*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
+*/root@ATHENA.MIT.EDU     l   *                           # line 5
+sms@ATHENA.MIT.EDU        x   * \-maxlife 9h \-postdateable # line 6
 .ft P
 .fi
 .UNINDENT
@@ -208,28 +216,30 @@ an \fBadmin\fP instance has all administrative privileges.
 1).  He has no permissions at all with his null instance,
 \fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2).  His \fBroot\fP and other
 non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
-inquire and list permissions with any principal that has the
-instance \fBroot\fP (matches line 3).
+inquire permissions with any principal that has the instance \fBroot\fP
+(matches line 3).
 .sp
-(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
+(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
 or change the password of their null instance, but not any other
 null instance.  (Here, \fB*1\fP denotes a back\-reference to the
 component matching the first wildcard in the actor principal.)
 .sp
-(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
-\fBjoeadmin@ATHENA.MIT.EDU\fP, as mentioned above) has inquire
-privileges.
+(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate
+the list of principals in the database, and the list of policies
+in the database.  This line is separate from line 4, because list
+permission can only be granted globally, not to specific target
+principals.
 .sp
-(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP
-has all permissions, but any principal that they create or modify will
-not be able to get postdateable tickets or tickets with a life of
-longer than 9 hours.
+(line 6) Finally, the Service Management System principal
+\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it
+creates or modifies will not be able to get postdateable tickets or
+tickets with a life of longer than 9 hours.
 .SH SEE ALSO
 .sp
 \fIkdc.conf(5)\fP, \fIkadmind(8)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2013, MIT
+1985-2015, MIT
 .\" Generated by docutils manpage writer.
 .