add blurb about adding and removing addresses; update kdc.conf section

to match reality


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11196 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/kdc.8

@@ -1,6 +1,6 @@
 .\" $Id$
 .\"
-.Dd July 27, 1997
+.Dd August 22, 2002
 .Dt KDC 8
 .Os HEIMDAL
 .Sh NAME
@@ -96,14 +96,14 @@ and
 The entity used for logging is
 .Nm kdc .
 .Sh CONFIGURATION FILE
-The configuration file has the same syntax as the
-.Pa krb5.conf
-file (you can actually put the configuration in
+The configuration file has the same syntax as 
+.Xr krb5.conf 5 ,
+but will be read before 
 .Pa /etc/krb5.conf ,
-and then start the KDC with
-.Fl -config-file= Ns Ar /etc/krb5.conf ) .
-All options should be in a section called
-.Dq kdc .
+so it may override settings found there. Options specific to the KDC
+only are found in the
+.Dq [kdc] 
+section.
 All the command-line options can preferably be added in the
 configuration file.  The only difference is the pre-authentication flag,
 that has to be specified as:
@@ -139,5 +139,22 @@ An example of a config file:
 	v4-realm = FOO.SE
 	key-file = /key-file
 .Ed
+.Sh BUGS
+If the machine running the KDC has new addresses added to it, the KDC
+will have to be restarted to listen to them. The reason it doesn't
+just listen to wildcarded (like INADDR_ANY) addresses, is that the
+replies has to come from the same address they were sent to, and most
+OS:es doesn't pass this information to the application. If your normal
+mode of operation require that you add and remove addresses, the best
+option is probably to listen to a wildcarded TCP socket, and make sure
+your clients use TCP to connect. For instance, this will listen to
+IPv4 TCP port 88 only:
+.Bd -literal -offset indent
+kdc --addresses=0.0.0.0 --ports="88/tcp" 
+.Ed
+.Pp
+There should be a way to specify protocol, port, and address triplets,
+not just addresses and protocol, port tuples.
 .Sh SEE ALSO
-.Xr kinit 1
+.Xr kinit 1 ,
+.Xr krb5.conf 5