Address code review comments (use .Xr and .Pa macros in krb5.conf.5)

lib/krb5/krb5.conf.5

@@ -267,38 +267,57 @@ needed. This option is provided for compatibility with MIT krb5
 configuration files.
 .It Li k5login_authoritative = Va boolean
 If true then if a principal is not found in k5login files then
-krb5_userok() will not fallback on principal to username mapping. This
+.Xr krb5_userok 3
-option is provided for compatibility with MIT krb5 configuration files.
+will not fallback on principal to username mapping. This option is
+provided for compatibility with MIT krb5 configuration files.
 .It Li kuserok = Va rule ...
-Specifies krb5_kuserok(3) behavior.  If multiple values are given, then
+Specifies
-krb5_kuserok(3) will evaluate them in order until one succeeds or all
+.Xr krb5_userok 3
-fail.  Rules are implemented by plugins, with three built-in plugins
+behavior.  If multiple values are given, then
+.Xr krb5_userok 3
+will evaluate them in order until one succeeds or all fail.  Rules are
+implemented by plugins, with three built-in plugins
 described below. Default: USER-K5LOGIN SIMPLE DENY.
 .It Li kuserok = Va DENY
-If set and evaluated then krb5_userok(3) will deny access to the given
+If set and evaluated then
-username no matter what the principal name might be.
+.Xr krb5_userok 3
+will deny access to the given username no matter what the principal name
+might be.
 .It Li kuserok = Va SIMPLE
-If set and evaluated then krb5_userok(3) will use principal to username
+If set and evaluated then
-mapping (see auth_to_local below).  If the principal maps to the
+.Xr krb5_userok 3
-requested username then access is allowed.
+will use principal to username mapping (see auth_to_local below).  If
+the principal maps to the requested username then access is allowed.
 .It Li kuserok = Va SYSTEM-K5LOGIN[:directory]
-If set and evaluated then krb5_userok(3) will use k5login files named
+If set and evaluated then
-after the
+.Xr krb5_userok 3
+will use k5login files named after the
 .Va luser
-argument to krb5_kuserok(3) in the given directory or in
+argument to
-/etc/k5login.d/.  If a directory is given then tokens will be expanded;
+.Xr krb5_userok 3
-the %{luser} token will be replaced with the
+in the given directory or in
+.Pa /etc/k5login.d/ .
+If a directory is given
+then tokens will be expanded; the %{luser} token will be replaced with
+the
 .Va luser
-argument to krb5_kuserok(3). K5login files are text files, with each
+argument to
-line containing just a principal name; principals apearing in a user's
+.Xr krb5_userok 3 .
-k5login file are permitted access to the user's account. Note: this rule
+K5login files are text files, with each line containing just a principal
-performs no ownership nor permissions checks on k5login files; proper
+name; principals apearing in a user's k5login file are permitted access
-ownership and permissions/ACLs are expected due to the system k5login
+to the user's account. Note: this rule performs no ownership nor
-location being a system location.
+permissions checks on k5login files; proper ownership and
+permissions/ACLs are expected due to the system k5login location being a
+system location.
 .It Li kuserok = Va USER-K5LOGIN
-If set and evaluated then krb5_userok(3) will use ~luser/.k5login and
+If set and evaluated then
-~luser/.k5login.d/*. User k5login files and directories must be owned by
+.Xr krb5_userok 3
-the user and must not have world nor group write permissions.
+will use
+.Pa ~luser/.k5login
+and
+.Pa ~luser/.k5login.d/* .
+User k5login files and directories must be owned by the user and must
+not have world nor group write permissions.
 .It Li aname2lname-text-db = Va filename
 The named file must be a sorted (in increasing order) text file where
 every line consists of an unparsed principal name optionally followed by