ktutil: Add import command and other improvements

- Add an import command that imports JSON as output by
   `ktutil list --json --keys`.

   This is enables one to filter/edit keytabs with jq!

 - Add a `merge` alias for the `copy` command, since that's effectively
   what it does.

 - Add a `--copy-duplicates` option to the `copy`/`merge` command.

 - Add a `--no-create` option to the `get` command.

 - Add a `--no-change-keys` option to the `get` command.

 - Make `add` complain if it can't finish writing to the keytab.

admin/ktutil.1

@@ -82,29 +82,67 @@ server for the realm of a keytab entry.  Otherwise it will use the
 values specified by the options.
 .Pp
 If no principals are given, all the ones in the keytab are updated.
-.It Nm copy Ar keytab-src Ar keytab-dest
+.It Nm copy Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
 Copies all the entries from
 .Ar keytab-src
 to
 .Ar keytab-dest .
+Because entries already in
+.Ar keytab-dest
+are kept, this command functions to merge keytabs.
+Entries for the same principal, key version number, and
+encryption type in the
+.Ar keytab-src
+that are also in the
+.Ar keytab-dest
+will not be copied to the
+.Ar keytab-dest
+unless the
+.Fl Fl copy-duplicates
+option is given.
 .It Nm get Oo Fl p Ar admin principal Oc \
 Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl no-create Oc \
+Oo Fl Fl no-change-keys Oc \
 Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
 Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
 Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
 Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
 Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
+.Pp
 For each
 .Ar principal ,
-generate a new key for it (creating it if it doesn't already exist),
-and put that key in the keytab.
+get a the principal's keys from the KDC via the kadmin protocol,
+creating the principal if it doesn't exist (unless
+.Fl Fl no-create
+is given), and changing its keys to new random keys (unless
+.Fl Fl no-change-keys
+is given).
 .Pp
 If no
 .Ar realm
 is specified, the realm to operate on is taken from the first
 principal.
+.It Nm import Oo JSON-FILE Oc
+Read an array of keytab entries in a JSON file and copy them to
+the keytab.
+Use the
+.Nm list
+command with its
+.Fl Fl json
+option
+and
+.Fl Fl keys
+option to export a keytab.
 .It Nm list Oo Fl Fl keys Oc Op Fl Fl timestamp Oo Op Fl Fl json Oc
 List the keys stored in the keytab.
+Use the
+.Fl Fl json
+and
+.Fl Fl keys
+options to export a keytab as JSON for importing with the
+.Nm import
+command.
 .It Nm remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
 Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
 Oo Fl Fl enctype= Ns Ar enctype Oc
@@ -113,8 +151,14 @@ Removes the specified key or keys. Not specifying a
 removes keys with any version number. Not specifying an
 .Ar enctype
 removes keys of any type.
+.It Nm merge Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
+An alias for the
+.Nm copy
+command.
 .It Nm rename Ar from-principal Ar to-principal
-Renames all entries in the keytab that match the
+Renames all entries for the
+.Ar from-principal
+in the keytab
 .Ar from-principal
 to
 .Ar to-principal .
@@ -123,6 +167,12 @@ Removes all old versions of a key for which there is a newer version
 that is at least
 .Ar age
 (default one week) old.
+Note that this does not update the KDC database.
+The
+.Xr kadmin 1
+command has a
+.Nm prune
+command that can do this on the KDC side.
 .El
 .Sh SEE ALSO
 .Xr kadmin 1