make regen

src/lib/gssapi/krb5/deps

@@ -8,14 +8,15 @@ accept_sec_context.so accept_sec_context.po $(OUTPRE)accept_sec_context.$(OBJEXT
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
   $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
   $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  ../generic/gssapi_err_generic.h accept_sec_context.c \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h ../generic/gssapi_err_generic.h \
+  accept_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h
 acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \

src/man/kadmin.man

@@ -63,9 +63,9 @@ Kerberos principals, password policies, and service key tables
 (keytabs).
 .sp
 The remote kadmin client uses Kerberos to authenticate to kadmind
-using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is
-the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP\&.
-If the credentials cache contains a ticket for one of these
+using the service principal \fBkadmin/admin\fP or \fBkadmin/ADMINHOST\fP
+(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
+server).  If the credentials cache contains a ticket for one of these
 principals, and the \fB\-c\fP credentials_cache option is specified, that
 ticket is used to authenticate to kadmind.  Otherwise, the \fB\-p\fP and
 \fB\-k\fP options are used to specify the client Kerberos principal name
@@ -115,10 +115,10 @@ principal.  As of release 1.8, the MIT Kerberos KDC only supports
 fully anonymous operation.
 .TP
 \fB\-c\fP \fIcredentials_cache\fP
-Use \fIcredentials_cache\fP as the credentials cache.  The
-cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
-(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
-server) or \fBkadmin/admin\fP service; it can be acquired with the
+Use \fIcredentials_cache\fP as the credentials cache.  The cache
+should contain a service ticket for the \fBkadmin/admin\fP or
+\fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
+hostname of the admin server) service; it can be acquired with the
 kinit(1) program.  If this option is not specified, kadmin
 requests a new service ticket from the KDC, and stores it in its
 own temporary ccache.

src/man/krb5.conf.man

@@ -271,11 +271,10 @@ Indicate whether name lookups will be used to canonicalize
 hostnames for use in service principal names.  Setting this flag
 to false can improve security by reducing reliance on DNS, but
 means that short hostnames will not be canonicalized to
-fully\-qualified hostnames.  The default value is true.
-.sp
-If this option is set to \fBfallback\fP (new in release 1.18), DNS
-canonicalization will only be performed the server hostname is not
-found with the original name when requesting credentials.
+fully\-qualified hostnames.  If this option is set to \fBfallback\fP (new
+in release 1.18), DNS canonicalization will only be performed the
+server hostname is not found with the original name when
+requesting credentials.  The default value is \fBfallback\fP\&.
 .TP
 \fBdns_lookup_kdc\fP
 Indicate whether DNS SRV records should be used to locate the KDCs
@@ -487,6 +486,12 @@ attempt fails.
 If this flag is true, then an attempt to verify initial
 credentials will fail if the client machine does not have a
 keytab.  The default value is false.
+.TP
+\fBclient_aware_channel_bindings\fP
+If this flag is true, then all application protocol authentication
+requests will be flagged to indicate that the application supports
+channel bindings when operating over a secure channel.  The
+default value is false.
 .UNINDENT
 .SS [realms]
 .sp