document capaths section

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13077 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/krb5.conf.5

@@ -157,20 +157,11 @@ manual page.
 .Bl -tag -width "xxx" -offset indent
 .It Va destination-realm Li = Va next-hop-realm
 .It ...
-.El
-Normally, all requests to realms different from the one of the current
-client are sent to this KDC to get cross-realm tickets.
-If this KDC does not have a cross-realm key with the desired realm and
-the hierarchical path to that realm does not work, a path can be
-configured using this directive.
-The text shown above instructs the KDC to try to obtain a cross-realm
-ticket to
-.Va next-hop-realm
-when the desired realm is
-.Va destination-realm .
-This configuration should preferably be done on the KDC where it will
-help all its clients but can also be done on the client itself.
 .It Li }
+.El
+This is deprecated, see the 
+.Li capaths
+section below.
 .It Li default_etypes = Va etypes ...
 A list of default encryption types to use.
 .It Li default_etypes_des = Va etypes ...
@@ -299,6 +290,25 @@ Old DCE secd (pre 1.1) might need this to be true.
 .El
 .It Li }
 .El
+.It Li [capaths]
+.Bl -tag -width "xxx" -offset indent
+.It Va client-realm Li = {
+.Bl -tag -width "xxx" -offset indent
+.It Va server-realm Li = Va hop-realm ...
+This serves two purposes. First the first listed
+.Va hop-realm
+tells a client which realm it should contact in order to ultimately
+obtain credentials for a service in the
+.Va server-realm .
+Secondly, it tells the KDC (and other servers) which realms are
+allowed in a multi-hop traversal from
+.Va client-realm 
+to
+.Va server-realm .
+Except for the client case, the order of the realms are not important.
+.El
+.It Va }
+.El
 .It Li [logging]
 .Bl -tag -width "xxx" -offset indent
 .It Va entity Li = Va destination