#
# This patch updates a number of man pages to reflect Solaris specific features
# in Kerberos.
#
# Note: It is not intended that these changes are to be contributed to MIT given
# that the associated updates are for Solaris only features.
# Patch source: in-house
#
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -131,6 +131,12 @@ T} T{
T}
_
T{
+u
+T} T{
+[Dis]allows the creation of one-component user principals whose password can be validated with PAM
+T}
+_
+T{
x
T} T{
Short for admcilsp. All privileges
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -141,4 +141,16 @@ MIT
.SH COPYRIGHT
1985-2016, MIT
.\" Generated by docutils manpage writer.
+.SH NOTES
+.sp
+The \fBkadmind\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier:
+.sp
+.in +2
+.nf
+svc:/network/security/kadmin:default
+.fi
+.in -2
+.sp
+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
+.sp
.
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -96,6 +96,8 @@ subsection does not contain a relation for the tag. See the
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
+\fBkdc_max_tcp_connections\fP
+.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
\fBkdc_tcp_ports\fP
@@ -300,6 +302,11 @@ is 749, which is used by default.
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
+.B \fBkdc_max_tcp_connections\fP
+This relation controls the maximum number of TCP connections the
+KDC allows. The minimum value is 10. If this relation is not specified, the
+Kerberos server allows a maximum of 30 TCP connections.
+.TP
.B \fBkdc_ports\fP
(Whitespace\- or comma\-separated list.) Lists the ports on which
the Kerberos server should listen for UDP requests, as a
@@ -600,11 +607,64 @@ If no severity is specified, the default is \fBERR\fP\&. If no
facility is specified, the default is \fBAUTH\fP\&.
.UNINDENT
.sp
+The following relation can be defined to specify how to rotate \fBkadmin\fP
+and \fBkdc\fP log files if the \fBFILE:\fP value is being used to log:
+.sp
+.TP
+.B \fBadmin_server_rotate\fP
+.TP
+.B \fBkdc_rotate\fP
+A relation subsection that enables \fBkadmin\fP (\fBadmin_server_rotate\fP)
+and/or \fBkdc\fP (\fBkdc_rotate\fP) logging to be rotated to multiple files
+based on a time interval. This can be used to avoid logging to one
+file, which might grow too large and bring the \fBKDC\fP to a halt.
+.UNINDENT
+.sp
+.INDENT 0.0
+The time interval for the rotation is specified by the \fBperiod\fP relation.
+The number of log files to be rotated is specified by the \fBversions\fP
+relation. Both the \fBperiod\fP and \fBversions\fP (described below) should be
+included in this subsection. And, this subsection applies only if the
+\fBkdc\fP relation has a \fBFILE:\fP value.
+.sp
+The following relations can be specified for the \fBkdc_rotate\fP relation
+subsection:
+.sp
+.TP
+.B \fBperiod\fP=\fIdelta_time\fP
+Specifies the time interval before a new log file is created. See
+the \fBTimeFormats\fP section in \fBkinit\fP(1) for the valid time duration
+formats you can specify for \fIdelta_time\fP. If \fBperiod\fP is not specified
+or set to never, no rotation occurs.
+.UNINDENT
+.sp
+.INDENT 0.0
+Specifying a time interval does not mean that the log files are rotated
+at the time interval based on real time. This is because the time
+interval is checked at each attempt to write a record to the log, or
+when logging is actually occurring. Therefore, rotation occurs only
+when logging has actually occurred for the specified time interval.
+.sp
+.TP
+.B \fBversions\fP=\fInumber\fP
+Specifies how many previous versions are saved before the rotation
+begins. A number is appended to the log file, starting with 0 and
+ending with (\fInumber\fP - 1). For example, if \fBversions\fP is set to 2, up
+to three logging files are created (\fIfilename\fP, \fIfilename\fP.0, and
+\fIfilename\fP.1) before the first one is overwritten to begin the rotation.
+.UNINDENT
+.sp
+.INDENT 0.0
+Notice that if \fBversions\fP is not specified or set to \fB0\fP, only one log
+file is created, but it is overwritten whenever the time interval is met.
+.sp
In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG_DAEMON with
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&.
+\fB/var/adm/kadmin.log\fP is rotated between twenty-one log files with a
+specified time interval of a day.
.INDENT 0.0
.INDENT 3.5
.sp
@@ -615,6 +675,10 @@ administrative server will be appended to the file
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/adm/kadmin.log
admin_server = DEVICE=/dev/tty04
+ admin_server_rotate = {
+ period = 1d
+ versions = 20
+ }
.ft P
.fi
.UNINDENT
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -158,4 +158,16 @@ MIT
.SH COPYRIGHT
1985-2016, MIT
.\" Generated by docutils manpage writer.
+.SH NOTES
+.sp
+The \fBkprop\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier:
+.sp
+.in +2
+.nf
+svc:/network/security/krb5_prop:default
+.fi
+.in -2
+.sp
+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
+.sp
.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -204,6 +204,10 @@ set if backward compatibility requires a specific checksum type.
See the \fBkdc_req_checksum_type\fP configuration option for the
possible values and their meanings.
.TP
+.B \fBauth_to_local_realm\fP
+For use in the default realm, non-default realms can be equated
+with the default realm for authenticated name-to-local name mapping.
+.TP
.B \fBcanonicalize\fP
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
@@ -509,7 +513,7 @@ attempt fails.
.B \fBverify_ap_req_nofail\fP
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
-keytab. The default value is false.
+keytab. The default value is true.
.UNINDENT
.SS [realms]
.sp
@@ -833,6 +837,52 @@ other realms should have \fBoption2\fP set to true.
The list of specifiable options for each application may be found in
that application\(aqs man pages. The application defaults specified here
are overridden by those specified in the \fI\%realms\fP section.
+.sp
+The following relations can be found in the \fB[appdefaults]\fP section,
+though not all relations are recognized by all kerberized applications.
+Some are specific to particular applications.
+.TP
+.B \fBautologin\fP = [\fBtrue\fP | \fBfalse\fP]
+Forces the application to attempt automatic login by presenting
+Kerberos credentials. This is valid for the following applications:
+\fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP.
+.TP
+.B \fBencrypt\fP = [\fBtrue\fP | \fBfalse\fP]
+Forces applications to use encryption by default (after authentication) to
+protect the privacy of the sessions. This is valid for the following
+applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP.
+.TP
+.B \fBforward\fP = [\fBtrue\fP | \fBfalse\fP]
+Forces applications to forward the user's credentials (after
+authentication) to the remote server. This is valid for the following
+applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP.
+.TP
+.B \fBforwardable\fP = [\fBtrue\fP | \fBfalse\fP]
+See the description in the \fB[libdefaults]\fP section above. This is
+used by any application that creates a ticket granting ticket and
+also by applications that can forward tickets to a remote server.
+.TP
+.B \fBproxiable\fP = [\fBtrue\fP | \fBfalse\fP]
+See the description in the \fB[libdefaults]\fP section above. This is
+used by any application that creates a ticket granting ticket.
+.TP
+.B \fBrenewable\fP = [\fBtrue\fP | \fBfalse\fP]
+Creates a TGT that can be renewed (prior to the ticket expiration
+time). This is used by any application that creates a ticket granting ticket.
+.TP
+.B \fBnoaddresses\fP = [\fBtrue\fP | \fBfalse\fP]
+Creates tickets with no address bindings. This is to allow tickets
+to be used across a \fBNAT\fP boundary or when using multi-homed systems.
+This option is valid in the \fBkinit [appdefault]\fP section only.
+.TP
+.B \fBrcmd_protocol\fP = [ \fBrcmdv1\fP | \fBrcmdv2\fP ]
+Specifies which Kerberized "\fBrcmd\fP" protocol to use when using the
+Kerberized \fBrlogin\fP(1), \fBrsh\fP(1), or \fBrcp\fP(1) programs. The default
+is to use \fBrcmdv2\fP by default, as this is the more secure and more recent
+update of the protocol. However, when talking to older \fBMIT\fP or \fBSEAM\fP-
+based "\fBrcmd\fP" servers, it can be necessary to force the new clients
+to use the older \fBrcmdv1\fP protocol. This option is valid only for the
+following applications: \fBrlogin\fP, \fBrcp\fP, and \fBrsh\fP.
.SS [plugins]
.INDENT 0.0
.INDENT 3.5
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -152,4 +152,16 @@ MIT
.SH COPYRIGHT
1985-2016, MIT
.\" Generated by docutils manpage writer.
+.SH NOTES
+.sp
+The \fBkrb5kdc\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier:
+.sp
+.in +2
+.nf
+svc:/network/security/krb5kdc:default
+.fi
+.in -2
+.sp
+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
+.sp
.