Import MIT KRB5 1.16.vendor/krb5/1.16vendor/krb5

1424 files changed, 26823 insertions, 16546 deletions

diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 000000000000..ec170eda02b9
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,26 @@
+language: c++
+
+sudo: required
+
+dist: xenial
+
+matrix:
+  include:
+  - compiler: clang
+    env: MAKEVARS=CPPFLAGS=-Werror
+  - compiler: gcc
+
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev libssl-dev python-cjson python-paste python-pyrad slapd tcl-dev tcsh
+  - mkdir -p cmocka/build
+  - cd cmocka
+  - wget https://cmocka.org/files/1.1/cmocka-1.1.1.tar.xz
+  - tar -xvf cmocka-1.1.1.tar.xz
+  - cd build
+  - cmake ../cmocka-1.1.1 -DCMAKE_INSTALL_PREFIX=/usr
+  - make
+  - sudo make install
+  - cd ../..
+
+script: cd src && autoreconf && ./configure --enable-maintainer-mode --with-ldap && make $MAKEVARS && make check
diff --git a/NOTICE b/NOTICE
index ff102ff3f113..1db2420a7e09 100644
--- a/NOTICE
+++ b/NOTICE
@@ -583,7 +583,7 @@ Marked test programs in src/lib/krb5/krb have the following copyright:
 
 ======================================================================
 
-The KCM Mach RPC definition file used on OS X has the following
+The KCM Mach RPC definition file used on macOS has the following
 copyright:
 
       Copyright (C) 2009 Kungliga Tekniska Högskola
diff --git a/README b/README
index a8eabd5ab9e2..f702e486b45d 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-                   Kerberos Version 5, Release 1.15
+                   Kerberos Version 5, Release 1.16
 
                             Release Notes
                         The MIT Kerberos Team
@@ -73,192 +73,149 @@ from using single-DES cryptosystems.  Among these is a configuration
 variable that enables "weak" enctypes, which defaults to "false"
 beginning with krb5-1.8.
 
-Major changes in 1.15.1 (2017-03-01)
-------------------------------------
+Major changes in 1.16 (2017-12-05)
+----------------------------------
 
-This is a bug fix release.
+Administrator experience:
 
-* Allow KDB modules to determine how the e_data field of principal
-  fields is freed
+* The KDC can match PKINIT client certificates against the
+  "pkinit_cert_match" string attribute on the client principal entry,
+  using the same syntax as the existing "pkinit_cert_match" profile
+  option.
 
-* Fix udp_preference_limit when the KDC location is configured with
-  SRV records
+* The ktutil addent command supports the "-k 0" option to ignore the
+  key version, and the "-s" option to use a non-default salt string.
 
-* Fix KDC and kadmind startup on some IPv4-only systems
+* kpropd supports a --pid-file option to write a pid file at startup,
+  when it is run in standalone mode.
 
-* Fix the processing of PKINIT certificate matching rules which have
-  two components and no explicit relation
+* The "encrypted_challenge_indicator" realm option can be used to
+  attach an authentication indicator to tickets obtained using FAST
+  encrypted challenge pre-authentication.
 
-* Improve documentation
+* Localization support can be disabled at build time with the
+  --disable-nls configure option.
 
-krb5-1.15.1 changes by ticket ID
---------------------------------
+Developer experience:
 
-7940    PKINIT docs only work for one-component client principals
-8523    Add krbPwdPolicy attributes to kerberos.ldif
-8524    Add caveats to krbtgt change documentation
-8525    Fix error handling in PKINIT decode_data()
-8530    KDC/kadmind explicit wildcard listener addresses do not use pktinfo
-8531    KDC/kadmind may fail to start on IPv4-only systems
-8532    Fix GSSAPI authind attribute name in docs
-8538    Need a way to free KDB module e_data
-8540    Document default realm and login authorization
-8552    Add GSSAPI S4U documentation
-8553    Fix PKINIT two-component matching rule parsing
-8554    udp_preference_limit fails with SRV records
+* The kdcpolicy pluggable interface allows modules control whether
+  tickets are issued by the KDC.
 
+* The kadm5_auth pluggable interface allows modules to control whether
+  kadmind grants access to a kadmin request.
 
-Major changes in 1.15 (2016-12-01)
-----------------------------------
-
-Administrator experience:
+* The certauth pluggable interface allows modules to control which
+  PKINIT client certificates can authenticate to which client
+  principals.
 
-* Improve support for multihomed Kerberos servers by adding options
-  for specifying restricted listening addresses for the KDC and
-  kadmind.
+* KDB modules can use the client and KDC interface IP addresses to
+  determine whether to allow an AS request.
 
-* Add support to kadmin for remote extraction of current keys without
-  changing them (requires a special kadmin permission that is excluded
-  from the wildcard permission), with the exception of highly
-  protected keys.
+* GSS applications can query the bit strength of a krb5 GSS context
+  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+  gss_inquire_sec_context_by_oid().
 
-* Add a lockdown_keys principal attribute to prevent retrieval of the
-  principal's keys (old or new) via the kadmin protocol.  In newly
-  created databases, this attribute is set on the krbtgt and kadmin
-  principals.
+* GSS applications can query the impersonator name of a krb5 GSS
+  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+  gss_inquire_cred_by_oid().
 
-* Restore recursive dump capability for DB2 back end, so sites can
-  more easily recover from database corruption resulting from power
-  failure events.
+* kdcpreauth modules can query the KDC for the canonicalized requested
+  client principal name, or match a principal name against the
+  requested client principal name with canonicalization.
 
-* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
- in addition to SRV records.  URI records can convey TCP and UDP
- servers and master KDC status in a single DNS lookup, and can also
- point to HTTPS proxy servers.
+Protocol evolution:
 
-* Add support for password history to the LDAP back end.
+* The client library will continue to try pre-authentication
+  mechanisms after most failure conditions.
 
-* Add support for principal renaming to the LDAP back end.
+* The KDC will issue trivially renewable tickets (where the renewable
+  lifetime is equal to or less than the ticket lifetime) if requested
+  by the client, to be friendlier to scripts.
 
-* Use the getrandom system call on supported Linux kernels to avoid
-  blocking problems when getting entropy from the operating system.
+* The client library will use a random nonce for TGS requests instead
+  of the current system time.
 
-* In the PKINIT client, use the correct DigestInfo encoding for PKCS
-  #1 signatures, so that some especially strict smart cards will work.
+* For the RC4 string-to-key or PAC operations, UTF-16 is supported
+  (previously only UCS-2 was supported).
 
-Code quality:
+* When matching PKINIT client certificates, UPN SANs will be matched
+  correctly as UPNs, with canonicalization.
 
-* Clean up numerous compilation warnings.
+User experience:
 
-* Remove various infrequently built modules, including some preauth
-  modules that were not built by default.
+* Dates after the year 2038 are accepted (provided that the platform
+  time facilities support them), through the year 2106.
 
-Developer experience:
+* Automatic credential cache selection based on the client realm will
+  take into account the fallback realm and the service hostname.
 
-* Add support for building with OpenSSL 1.1.
+* Referral and alternate cross-realm TGTs will not be cached, avoiding
+  some scenarios where they can be added to the credential cache
+  multiple times.
 
-* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
-  authenticators in the replay cache.  This helps sites that must
-  build with FIPS 140 conformant libraries that lack MD5.
+* A German translation has been added.
 
-* Eliminate util/reconf and allow the use of autoreconf alone to
-  regenerate the configure script.
+Code quality:
 
-Protocol evolution:
+* The build is warning-clean under clang with the configured warning
+  options.
 
-* Add support for the AES-SHA2 enctypes, which allows sites to conform
-  to Suite B crypto requirements.
+* The automated test suite runs cleanly under AddressSanitizer.
 
-krb5-1.15 changes by ticket ID
+krb5-1.16 changes by ticket ID
 ------------------------------
 
-1093    KDC could use feature to limit listening interfaces
-5889    password history doesn't work with LDAP KDB
-6666    some non-default plugin directories don't build in 1.8 branch
-7852    kadmin.local's ktadd -norandkey does not handle multiple kvnos
-        in the KDB
-7985    Add krb5_get_init_creds_opt_set_pac_request
-8065    Renaming principals with LDAP KDB deletes the principal
-8277    iprop can choose wrong realm
-8278    Add krb5_expand_hostname() API
-8280    Fix impersonate_name to work with interposers
-8295    kdb5_ldap_stash_service_password() stash file logic needs tweaking
-8297    jsonwalker.py test fails
-8298    Audit Test fails when system has IPV6 address
-8299    Remove util/reconf
-8329    Only run export-check.pl in maintainer mode
-8344    Create KDC and kadmind log files with mode 0640
-8345    Remove nss libk5crypto implementation
-8348    Remove workaround when binding to udp addresses and pktinfo
-        isn't supported by the system
-8353    Replace MD5 use in rcache with SHA-256
-8354    Only store latest keys in key history entry
-8355    Add kadm5_setkey_principal_4 RPC to kadmin
-8364    Add get_principal_keys RPC to kadmin
-8365    Add the ability to lock down principal keys
-8366    Increase initial DNS buffer size
-8368    Remove hdb KDB module
-8371    Improve libkadm5 client RPC thread safety
-8372    Use cached S4U2Proxy tickets in GSSAPI
-8374    Interoperate with incomplete SPNEGO responses
-8375    Allow zero cksumtype in krb5_k_verify_checksum()
-8379    Add auth indicator handling to libkdb_ldap
-8381    Don't fall back to master on password read error
-8386    Add KDC pre-send and post-receive KDC hooks
-8388    Remove port 750 from the KDC default ports
-8389    Make profile includedir accept all *.conf files
-8391    Add kinit long option support for all platforms
-8393    Password Expiration "Never" Inconsistently Applied
-8394    Add debug message filtering to krb5_klog_syslog
-8396    Skip password prompt when running ksu as root
-8398    Add libk5crypto support for OpenSSL 1.1.0
-8399    Unconstify some krb5 GSS OIDs
-8403    kinit documentation page
-8404    Remove non-DFSG documentation
-8405    Work around python-ldap bug in kerberos.ldif
-8412    Link correct VS2015 C libraries for debug builds
-8414    Use library malloc for principal, policy entries
-8418    Add libkdb function to specialize principal's salt
-8419    Do not indicate deprecated GSS mechanisms
-8423    Add SPNEGO special case for NTLMSSP+MechListMIC
-8425    Add auth-indicator authdata module
-8426    test_check_allowed_to_delegate() should free unparsed princ output
-8428    Minimize timing leaks in PKINIT decryption
-8429    Fix Makefile for paths containing '+' character
-8434    Fix memory leak in old gssrpc authentication
-8436    Update libev sources to 4.22
-8446    Fix leak in key change operations
-8451    Add hints for -A flag to kdestroy
-8456    Add the kprop-port option to kadmind
-8462    Better handle failures to resolve client keytab
-8464    Set prompt type for OTP preauth prompt
-8465    Improve bad password inference in kinit
-8466    Rename k5-queue.h macros
-8471    Change KDC error for encrypted timestamp preauth
-8476    Restore recursive dump functionality
-8478    usability improvements for bttest
-8488    Stop generating doc/CHANGES
-8490    Add aes-sha2 enctype support
-8494    Add krb5_db_register_keytab()
-8496    Add KDC discovery from URI records
-8498    Potential memory leak in prepare_error_as()
-8499    Use getrandom system call on recent Linux kernels
-8500    Document krb5_kt_next_entry() requirement
-8502    ret_boolean in profile_get_boolean() should be krb5_boolean *
-        instead of int *
-8504    Properly handle EOF condition on libkrad sockets
-8506    PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1
-8507    Suggest unlocked iteration for mkey rollover
-8508    Clarify krb5_kt_resolve() API documentation
-8509    Leak in krb5_cccol_have_content with truncated ccache
-8510    Update features list for 1.15
-8512    Fix detection of libaceclnt for securid_sam2
-8513    Add doxygen comments for RFC 8009, RFC 4757
-8514    Make zap() more reliable
-8516    Fix declaration without type in t_shs3.c
-8520    Relicense ccapi/common/win/OldCC/autolock.hxx
-8521    Allow slapd path configuration in t_kdb.py
-
+3349    Allow keytab entries to ignore the key version
+7647    let ktutil support non-default salts
+7877    Interleaved init_creds operations use same per-request preauth context
+8352    Year 2038 fixes
+8515    Add German translation
+8517    Add KRB5_TRACE calls for DNS lookups
+8518    Remove redeclaration of ttyname() in ksu
+8526    Constify service and hostname in krb5_mk_req()
+8527    Clean up memory handling in krb5_fwd_tgt_creds()
+8528    Improve PKINIT UPN SAN matching
+8529    Add OpenLDAP LDIF file for Kerberos schema
+8533    Bug in src/tests/responder.c
+8534    Add configure option to disable nls support
+8537    Preauthentication should continue after failure
+8539    Preauth tryagain should copy KDC cookie
+8544    Wrong PKCS11 PIN can trigger PKINIT draft9 code
+8548    Add OID to inquire GSS cred impersonator name
+8549    Use fallback realm for GSSAPI ccache selection
+8558    kvno memory leak (1.15.1)
+8561    Add certauth pluggable interface
+8562    Add the certauth dbmatch module
+8568    Convert some pkiDebug messages to TRACE macros
+8569    Add support to query the SSF of a GSS context
+8570    Add the client_name() kdcpreauth callback
+8571    Use the canonical client principal name for OTP
+8572    Un-deprecate krb5_auth_con_initivector()
+8575    Add FAST encrypted challenge auth indicator
+8577    Replace UCS-2 conversions with UTF-16
+8578    Add various bound checks
+8579    duplicate caching of some cross-realm TGTs
+8582    Use a random nonce in TGS requests
+8583    Pass client address to DAL audit_as_req
+8592    Parse all kadm5.acl fields at startup
+8595    Pluggable interface for kadmin authorization
+8597    acx_pthread.m4 needs to be updated
+8602    Make ccache name work for klist/kdestroy -A
+8603    Remove incomplete PKINIT OCSP support
+8606    Add KDC policy pluggable interface
+8607    kpropd should write a pidfile when started in standalone mode...
+8608    Fix AIX build issues
+8609    Renewed tickets can be marked renewable with no renewable endtime
+8610    Don't set ctime in KDC error replies
+8612    Bump bundled libverto for 0.3.0 release
+8613    Add hostname-based ccselect module
+8615    Abort client preauth on keyboard interrupt
+8616    Fix default enctype order in docs
+8617    PKINIT matching can crash for certs with long issuer and subject
+8620    Length check when parsing GSS token encapsulation
+8621    Expose context errors in pkinit_server_plugin_init
+8623    Update features list for 1.16
+8624    Update config.guess, config.sub
 
 Acknowledgements
 ----------------
@@ -349,7 +306,7 @@ Past and present members of the Kerberos Team at MIT:
     Zhanna Tsitkova
     Ted Ts'o
     Marshall Vale
-    Tom Yu
+    Taylor Yu
 
 The following external contributors have provided code, patches, bug
 reports, suggestions, and valuable resources:
@@ -372,7 +329,9 @@ reports, suggestions, and valuable resources:
     Radoslav Bodo
     Sumit Bose
     Emmanuel Bouillon
+    Isaac Boukris
     Philip Brown
+    Samuel Cabrero
     Michael Calmer
     Andrea Campi
     Julien Chaffraix
@@ -396,7 +355,9 @@ reports, suggestions, and valuable resources:
     Mark Deneen
     Günther Deschner
     John Devitofranceschi
+    Marc Dionne
     Roland Dowdeswell
+    Dorian Ducournau
     Viktor Dukhovni
     Jason Edgecombe
     Mark Eichin
@@ -421,6 +382,7 @@ reports, suggestions, and valuable resources:
     Philip Guenther
     Dominic Hargreaves
     Robbie Harwood
+    John Hascall
     Jakob Haufe
     Matthieu Hautreux
     Jochen Hein
@@ -441,18 +403,25 @@ reports, suggestions, and valuable resources:
     Pavel Jindra
     Brian Johannesmeyer
     Joel Johnson
+    Alexander Karaivanov
     Anders Kaseorg
+    Bar Katz
+    Zentaro Kavanagh
+    Mubashir Kazia
     W. Trevor King
     Patrik Kis
+    Martin Kittel
     Mikkel Kruse
     Reinhard Kugler
     Tomas Kuthan
     Pierre Labastie
+    Chris Leick
     Volker Lendecke
     Jan iankko Lieskovsky
     Todd Lipcon
     Oliver Loch
     Kevin Longfellow
+    Frank Lonigro
     Jon Looney
     Nuno Lopes
     Ryan Lynch
@@ -486,6 +455,7 @@ reports, suggestions, and valuable resources:
     Jonathan Reams
     Jonathan Reed
     Robert Relyea
+    Tony Reix
     Martin Rex
     Jason Rogers
     Matt Rogers
@@ -493,10 +463,13 @@ reports, suggestions, and valuable resources:
     Solly Ross
     Mike Roszkowski
     Guillaume Rousse
+    Joshua Schaeffer
     Andreas Schneider
     Tom Shaw
     Jim Shi
     Peter Shoults
+    Richard Silverman
+    Cel Skeggs
     Simo Sorce
     Michael Spang
     Michael Ströder
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -661,6 +661,13 @@ KDC:
     *principal*.  The *value* is a JSON string representing an array
     of objects, each having optional ``type`` and ``username`` fields.
 
+**pkinit_cert_match**
+    Specifies a matching expression that defines the certificate
+    attributes required for the client certificate used by the
+    principal during PKINIT authentication.  The matching expression
+    is in the same format as those used by the **pkinit_cert_match**
+    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)
+
 This command requires the **modify** privilege.
 
 Alias: **setstr**
diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/admin/admin_commands/kpropd.rst
+++ b/doc/admin/admin_commands/kpropd.rst
@@ -14,6 +14,7 @@ SYNOPSIS
 [**-F** *principal_database*]
 [**-p** *kdb5_util_prog*]
 [**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
 [**-d**]
 [**-t**]
 
@@ -104,6 +105,10 @@ OPTIONS
     Allows the user to specify the path to the kpropd.acl file; by
     default the path used is |kdcdir|\ ``/kpropd.acl``.
 
+**--pid-file**\ =\ *pid_file*
+    In standalone mode, write the process ID of the daemon into
+    *pid_file*.
+
 
 ENVIRONMENT
 -----------
diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/admin/admin_commands/ktutil.rst
+++ b/doc/admin/admin_commands/ktutil.rst
@@ -87,7 +87,7 @@ add_entry
 ~~~~~~~~~
 
     **add_entry** {**-key**\|\ **-password**} **-p** *principal*
-    **-k** *kvno* **-e** *enctype*
+    **-k** *kvno* **-e** *enctype* [**-s** *salt*]
 
 Add *principal* to keylist using key or password.
 
diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/admin/conf_files/kadm5_acl.rst
+++ b/doc/admin/conf_files/kadm5_acl.rst
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
     */root@ATHENA.MIT.EDU     l   *                           # line 5
     sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1).  He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2).  His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
 
 (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
 or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
 
 SEE ALSO
 --------
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
 **acl_file**
     (String.)  Location of the access control list file that
     :ref:`kadmind(8)` uses to determine which principals are allowed
-    which permissions on the Kerberos database.  The default value is
-    |kdcdir|\ ``/kadm5.acl``.  For more information on Kerberos ACL
-    file see :ref:`kadm5.acl(5)`.
+    which permissions on the Kerberos database.  To operate without an
+    ACL file, set this relation to the empty string with ``acl_file =
+    ""``.  The default value is |kdcdir|\ ``/kadm5.acl``.  For more
+    information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
 
 **database_module**
     (String.)  This relation indicates the name of the configuration
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
     if there is no policy assigned to the principal, no dictionary
     checks of passwords will be performed.
 
+**encrypted_challenge_indicator**
+    (String.)  Specifies the authentication indicator value that the KDC
+    asserts into tickets obtained using FAST encrypted challenge
+    pre-authentication.  New in 1.16.
+
 **host_based_services**
     (Whitespace- or comma-separated list.)  Lists services which will
     get host-based referral processing even if the server principal is
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
     pkinit is used to authenticate.  This option may be specified
     multiple times.  (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
-    Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the KDC to complete the trust chain between a client's
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
 des                                                  The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
 des3                                                 The triple DES family: des3-cbc-sha1
-aes                                                  The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
 camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
 ==================================================== =========================================================
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
     the local user or by root.
 
 **kcm_mach_service**
-    On OS X only, determines the name of the bootstrap service used to
+    On macOS only, determines the name of the bootstrap service used to
     contact the KCM daemon for the KCM credential cache type.  If the
     value is ``-``, Mach RPC will not be used to contact the KCM
     daemon.  The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
     Uses the service realm to guess an appropriate cache from the
     collection
 
+**hostname**
+    If the service principal is host-based, uses the service hostname
+    to guess an appropriate cache from the collection
+
 .. _pwqual:
 
 pwqual interface
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
 
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+
+**acl**
+    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+    operations which are allowed according to the rules in the file.
+
+**self**
+    This module authorizes self-service operations including password
+    changes, creation of new random keys, fetching the client's
+    principal record or string attributes, and fetching the policy
+    record associated with the client principal.
+
 .. _clpreauth:
 
 .. _kdcpreauth:
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
     This module authorizes a principal to a local account if the
     principal name maps to the local account name.
 
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+    This module authorizes the certificate if it contains a PKINIT
+    Subject Alternative Name for the requested client principal, or a
+    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+    is set to true for the realm.
+
+**pkinit_eku**
+    This module rejects the certificate if it does not contain an
+    Extended Key Usage attribute consistent with the
+    **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+    This module authorizes or rejects the certificate according to
+    whether it matches the **pkinit_cert_match** string attribute on
+    the client principal, if that attribute is present.
+
 
 PKINIT options
 --------------
diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/admin/pkinit.rst
+++ b/doc/admin/pkinit.rst
@@ -223,6 +223,26 @@ time as follows::
 
     kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
 
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+    kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+    [kdcdefaults]
+        pkinit_eku_checking = none
+
+
 
 Configuring the clients
 -----------------------
diff --git a/doc/admin/realm_config.rst b/doc/admin/realm_config.rst
index c016d720fded..c7d9164f5e78 100644
--- a/doc/admin/realm_config.rst
+++ b/doc/admin/realm_config.rst
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
 
 The client performs a query for the following URI records:
 
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
 * ``_kerberos-adm.REALM`` for finding kadmin services.
 * ``_kpasswd.REALM`` for finding password services.
 
diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/appdev/gssapi.rst
+++ b/doc/appdev/gssapi.rst
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.
 
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+    OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                      const gss_cred_id_t cred_handle,
+                                      gss_OID desired_object,
+                                      gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
 
 AEAD message wrapping
 ---------------------
diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/appdev/index.rst
+++ b/doc/appdev/index.rst
@@ -5,6 +5,7 @@ For application developers
    :maxdepth: 1
 
    gssapi.rst
+   y2038.rst
    h5l_mit_apidiff.rst
    init_creds.rst
    princ_handle.rst
diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/appdev/y2038.rst
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+    (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index ff857f4f9422..d147f0d7aa99 100644
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -64,7 +64,7 @@ library.
 
    KCM client support is new in release 1.13.  A KCM daemon has not
    yet been implemented in MIT krb5, but the client will interoperate
-   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
    provides a KCM daemon as part of the operating system, and the
    **KCM** cache type is used as the default cache on that platform in
    a default build.
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index 0fd03072cd2d..ac1a8b9515b0 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -350,10 +350,6 @@ Optional packages
     prng specify ``--with-prng-alg=os``.  The default is ``fortuna``.
     (See :ref:`mitK5features`)
 
-**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
-    Use the specified pkinit crypto implementation *IMPL*.
-    Defaults to using OpenSSL.
-
 **-**\ **-without-libedit**
     Do not compile and link against libedit.  Some utilities will no
     longer offer command history or completion in interactive mode if
diff --git a/doc/conf.py b/doc/conf.py
index 3ee2df6301f5..ccd02d6b7e6e 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -272,7 +272,7 @@ else:
     rst_epilog += '''
 .. |krb5conf| replace:: ``/etc/krb5.conf``
 .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4``
 .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
 .. |copy| unicode:: U+000A9
 '''
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt
+++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
@@ -661,6 +661,13 @@ KDC:
     *principal*.  The *value* is a JSON string representing an array
     of objects, each having optional ``type`` and ``username`` fields.
 
+**pkinit_cert_match**
+    Specifies a matching expression that defines the certificate
+    attributes required for the client certificate used by the
+    principal during PKINIT authentication.  The matching expression
+    is in the same format as those used by the **pkinit_cert_match**
+    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)
+
 This command requires the **modify** privilege.
 
 Alias: **setstr**
diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/html/_sources/admin/admin_commands/kpropd.txt
+++ b/doc/html/_sources/admin/admin_commands/kpropd.txt
@@ -14,6 +14,7 @@ SYNOPSIS
 [**-F** *principal_database*]
 [**-p** *kdb5_util_prog*]
 [**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
 [**-d**]
 [**-t**]
 
@@ -104,6 +105,10 @@ OPTIONS
     Allows the user to specify the path to the kpropd.acl file; by
     default the path used is |kdcdir|\ ``/kpropd.acl``.
 
+**--pid-file**\ =\ *pid_file*
+    In standalone mode, write the process ID of the daemon into
+    *pid_file*.
+
 
 ENVIRONMENT
 -----------
diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/html/_sources/admin/admin_commands/ktutil.txt
+++ b/doc/html/_sources/admin/admin_commands/ktutil.txt
@@ -87,7 +87,7 @@ add_entry
 ~~~~~~~~~
 
     **add_entry** {**-key**\|\ **-password**} **-p** *principal*
-    **-k** *kvno* **-e** *enctype*
+    **-k** *kvno* **-e** *enctype* [**-s** *salt*]
 
 Add *principal* to keylist using key or password.
 
diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt
+++ b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
     */root@ATHENA.MIT.EDU     l   *                           # line 5
     sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1).  He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2).  His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
 
 (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
 or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
 
 SEE ALSO
 --------
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/html/_sources/admin/conf_files/kdc_conf.txt
+++ b/doc/html/_sources/admin/conf_files/kdc_conf.txt
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
 **acl_file**
     (String.)  Location of the access control list file that
     :ref:`kadmind(8)` uses to determine which principals are allowed
-    which permissions on the Kerberos database.  The default value is
-    |kdcdir|\ ``/kadm5.acl``.  For more information on Kerberos ACL
-    file see :ref:`kadm5.acl(5)`.
+    which permissions on the Kerberos database.  To operate without an
+    ACL file, set this relation to the empty string with ``acl_file =
+    ""``.  The default value is |kdcdir|\ ``/kadm5.acl``.  For more
+    information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
 
 **database_module**
     (String.)  This relation indicates the name of the configuration
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
     if there is no policy assigned to the principal, no dictionary
     checks of passwords will be performed.
 
+**encrypted_challenge_indicator**
+    (String.)  Specifies the authentication indicator value that the KDC
+    asserts into tickets obtained using FAST encrypted challenge
+    pre-authentication.  New in 1.16.
+
 **host_based_services**
     (Whitespace- or comma-separated list.)  Lists services which will
     get host-based referral processing even if the server principal is
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
     pkinit is used to authenticate.  This option may be specified
     multiple times.  (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
-    Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the KDC to complete the trust chain between a client's
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with
 camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
 des                                                  The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
 des3                                                 The triple DES family: des3-cbc-sha1
-aes                                                  The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 rc4                                                  The RC4 family: arcfour-hmac
 camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
 ==================================================== =========================================================
diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/html/_sources/admin/conf_files/krb5_conf.txt
+++ b/doc/html/_sources/admin/conf_files/krb5_conf.txt
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in ".conf" are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".".  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
 
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
     the local user or by root.
 
 **kcm_mach_service**
-    On OS X only, determines the name of the bootstrap service used to
+    On macOS only, determines the name of the bootstrap service used to
     contact the KCM daemon for the KCM credential cache type.  If the
     value is ``-``, Mach RPC will not be used to contact the KCM
     daemon.  The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
     Uses the service realm to guess an appropriate cache from the
     collection
 
+**hostname**
+    If the service principal is host-based, uses the service hostname
+    to guess an appropriate cache from the collection
+
 .. _pwqual:
 
 pwqual interface
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
 
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+
+**acl**
+    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+    operations which are allowed according to the rules in the file.
+
+**self**
+    This module authorizes self-service operations including password
+    changes, creation of new random keys, fetching the client's
+    principal record or string attributes, and fetching the policy
+    record associated with the client principal.
+
 .. _clpreauth:
 
 .. _kdcpreauth:
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
     This module authorizes a principal to a local account if the
     principal name maps to the local account name.
 
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+    This module authorizes the certificate if it contains a PKINIT
+    Subject Alternative Name for the requested client principal, or a
+    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+    is set to true for the realm.
+
+**pkinit_eku**
+    This module rejects the certificate if it does not contain an
+    Extended Key Usage attribute consistent with the
+    **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+    This module authorizes or rejects the certificate according to
+    whether it matches the **pkinit_cert_match** string attribute on
+    the client principal, if that attribute is present.
+
 
 PKINIT options
 --------------
diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/html/_sources/admin/pkinit.txt
+++ b/doc/html/_sources/admin/pkinit.txt
@@ -223,6 +223,26 @@ time as follows::
 
     kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
 
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+    kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+    [kdcdefaults]
+        pkinit_eku_checking = none
+
+
 
 Configuring the clients
 -----------------------
diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt
index c016d720fded..c7d9164f5e78 100644
--- a/doc/html/_sources/admin/realm_config.txt
+++ b/doc/html/_sources/admin/realm_config.txt
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
 
 The client performs a query for the following URI records:
 
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
 * ``_kerberos-adm.REALM`` for finding kadmin services.
 * ``_kpasswd.REALM`` for finding password services.
 
diff --git a/doc/html/_sources/appdev/gssapi.txt b/doc/html/_sources/appdev/gssapi.txt
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/html/_sources/appdev/gssapi.txt
+++ b/doc/html/_sources/appdev/gssapi.txt
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.
 
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+    OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                      const gss_cred_id_t cred_handle,
+                                      gss_OID desired_object,
+                                      gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
 
 AEAD message wrapping
 ---------------------
diff --git a/doc/html/_sources/appdev/index.txt b/doc/html/_sources/appdev/index.txt
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/html/_sources/appdev/index.txt
+++ b/doc/html/_sources/appdev/index.txt
@@ -5,6 +5,7 @@ For application developers
    :maxdepth: 1
 
    gssapi.rst
+   y2038.rst
    h5l_mit_apidiff.rst
    init_creds.rst
    princ_handle.rst
diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
index 7d5bf4cf03ee..4dc9e0afb9a0 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
@@ -1,5 +1,5 @@
-krb5_auth_con_initivector
-=========================
+krb5_auth_con_initivector -  Cause an auth context to use cipher state. 
+========================================================================
 
 ..
 
@@ -10,30 +10,31 @@ krb5_auth_con_initivector
 
 :param:
 
-	          **context**
+	          **[in]** **context** - Library context
 
-	          **auth_context**
+	          **[in]** **auth_context** - Authentication context
 
 
 ..
 
 
+:retval:
+         -   0   Success; otherwise - Kerberos error codes
 
-..
 
+..
 
-DEPRECATED Not replaced. 
 
 
 
 
 
 
+Prepare *auth_context* to use cipher state when :c:func:`krb5_mk_priv()` or :c:func:`krb5_rd_priv()` encrypt or decrypt data.
 
 
 
 
-RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
index a6273bbb2c75..fab6d70594f3 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
@@ -3,7 +3,7 @@ krb5_fwd_tgt_creds -  Get a forwarded TGT and format a KRB-CRED message.
 
 ..
 
-.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
 
 ..
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
index 85efec065a5e..011fe47837fd 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
@@ -27,7 +27,7 @@ krb5_init_creds_free -  Free an initial credentials context.
 
 
 
-
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
index 05c26f3759b4..291fa509269d 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
@@ -34,6 +34,10 @@ This function synchronously obtains credentials using a context created by :c:fu
 
 
 
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
index 6bbbeed869e4..c703124106db 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
@@ -44,6 +44,10 @@ This function creates a new context for acquiring initial credentials. Use :c:fu
 
 
 
+Any subsequent calls to :c:func:`krb5_init_creds_step()` , :c:func:`krb5_init_creds_get()` , or :c:func:`krb5_init_creds_free()` for this initial credentials context must use the same *context* argument as the one passed to this function.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
index d08ffc7d629d..67b9b5d6de0b 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
@@ -32,7 +32,7 @@ krb5_init_creds_set_service -  Specify a service principal for acquiring initial
 
 
 
-This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
+Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
index c4e8a202aa53..8008e6724f1a 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
@@ -50,6 +50,10 @@ If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should tr
 
 
 
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
 
 
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
index e3a5da424a8d..695eb79399cb 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
@@ -3,7 +3,7 @@ krb5_mk_req -  Create a KRB_AP_REQ message.
 
 ..
 
-.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
 
 ..
 
diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
index d9af52f770ab..338b43a1453e 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
@@ -62,7 +62,7 @@ If successful, *pac* is marked as verified.
 
 .. note::
 
-	 A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
+	 A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
  
 
 
diff --git a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
index e9263e49d1b7..dc3e9eee79ab 100644
--- a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
+++ b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
@@ -9,8 +9,9 @@ krb5_timestamp
 .. c:type:: krb5_timestamp
 ..
 
+Represents a timestamp in seconds since the POSIX epoch.
 
-
+This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.
 
 Declaration
 ------------
diff --git a/doc/html/_sources/appdev/y2038.txt b/doc/html/_sources/appdev/y2038.txt
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/html/_sources/appdev/y2038.txt
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038.  This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values.  To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+    (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type.  This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times.  Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
diff --git a/doc/html/_sources/basic/ccache_def.txt b/doc/html/_sources/basic/ccache_def.txt
index ff857f4f9422..d147f0d7aa99 100644
--- a/doc/html/_sources/basic/ccache_def.txt
+++ b/doc/html/_sources/basic/ccache_def.txt
@@ -64,7 +64,7 @@ library.
 
    KCM client support is new in release 1.13.  A KCM daemon has not
    yet been implemented in MIT krb5, but the client will interoperate
-   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
    provides a KCM daemon as part of the operating system, and the
    **KCM** cache type is used as the default cache on that platform in
    a default build.
diff --git a/doc/html/_sources/build/options2configure.txt b/doc/html/_sources/build/options2configure.txt
index 0fd03072cd2d..ac1a8b9515b0 100644
--- a/doc/html/_sources/build/options2configure.txt
+++ b/doc/html/_sources/build/options2configure.txt
@@ -350,10 +350,6 @@ Optional packages
     prng specify ``--with-prng-alg=os``.  The default is ``fortuna``.
     (See :ref:`mitK5features`)
 
-**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
-    Use the specified pkinit crypto implementation *IMPL*.
-    Defaults to using OpenSSL.
-
 **-**\ **-without-libedit**
     Do not compile and link against libedit.  Some utilities will no
     longer offer command history or completion in interactive mode if
diff --git a/doc/html/_sources/mitK5features.txt b/doc/html/_sources/mitK5features.txt
index b4e4b8b9b780..9df7e34d65be 100644
--- a/doc/html/_sources/mitK5features.txt
+++ b/doc/html/_sources/mitK5features.txt
@@ -19,8 +19,8 @@ Quick facts
 License - :ref:`mitK5license`
 
 Releases:
-    - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/
-    - Supported: http://web.mit.edu/kerberos/krb5-1.14/
+    - Latest stable: http://web.mit.edu/kerberos/krb5-1.16/
+    - Supported: http://web.mit.edu/kerberos/krb5-1.15/
     - Release cycle: 9 -- 12 months
 
 Supported platforms \/ OS distributions:
@@ -162,7 +162,7 @@ Release 1.13
  -   Add client support for the Kerberos Cache Manager protocol. If
      the host is running a Heimdal kcm daemon, caches served by the
      daemon can be accessed with the KCM: cache type.
- -   When built on OS X 10.7 and higher, use "KCM:" as the default
+ -   When built on macOS 10.7 and higher, use "KCM:" as the default
      cachetype, unless overridden by command-line options or
      krb5-config values.
  -   Add support for doing unlocked database dumps for the DB2 KDC
@@ -309,6 +309,95 @@ Release 1.15
   - Add support for the AES-SHA2 enctypes, which allows sites to
     conform to Suite B crypto requirements.
 
+Release 1.16
+
+* Administrator experience:
+
+  - The KDC can match PKINIT client certificates against the
+    "pkinit_cert_match" string attribute on the client principal
+    entry, using the same syntax as the existing "pkinit_cert_match"
+    profile option.
+
+  - The ktutil addent command supports the "-k 0" option to ignore the
+    key version, and the "-s" option to use a non-default salt string.
+
+  - kpropd supports a --pid-file option to write a pid file at
+    startup, when it is run in standalone mode.
+
+  - The "encrypted_challenge_indicator" realm option can be used to
+    attach an authentication indicator to tickets obtained using FAST
+    encrypted challenge pre-authentication.
+
+  - Localization support can be disabled at build time with the
+    --disable-nls configure option.
+
+* Developer experience:
+
+  - The kdcpolicy pluggable interface allows modules control whether
+    tickets are issued by the KDC.
+
+  - The kadm5_auth pluggable interface allows modules to control
+    whether kadmind grants access to a kadmin request.
+
+  - The certauth pluggable interface allows modules to control which
+    PKINIT client certificates can authenticate to which client
+    principals.
+
+  - KDB modules can use the client and KDC interface IP addresses to
+    determine whether to allow an AS request.
+
+  - GSS applications can query the bit strength of a krb5 GSS context
+    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+    gss_inquire_sec_context_by_oid().
+
+  - GSS applications can query the impersonator name of a krb5 GSS
+    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+    gss_inquire_cred_by_oid().
+
+  - kdcpreauth modules can query the KDC for the canonicalized
+    requested client principal name, or match a principal name against
+    the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+  - The client library will continue to try pre-authentication
+    mechanisms after most failure conditions.
+
+  - The KDC will issue trivially renewable tickets (where the
+    renewable lifetime is equal to or less than the ticket lifetime)
+    if requested by the client, to be friendlier to scripts.
+
+  - The client library will use a random nonce for TGS requests
+    instead of the current system time.
+
+  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+    (previously only UCS-2 was supported).
+
+  - When matching PKINIT client certificates, UPN SANs will be matched
+    correctly as UPNs, with canonicalization.
+
+* User experience:
+
+  - Dates after the year 2038 are accepted (provided that the platform
+    time facilities support them), through the year 2106.
+
+  - Automatic credential cache selection based on the client realm
+    will take into account the fallback realm and the service
+    hostname.
+
+  - Referral and alternate cross-realm TGTs will not be cached,
+    avoiding some scenarios where they can be added to the credential
+    cache multiple times.
+
+  - A German translation has been added.
+
+* Code quality:
+
+  - The build is warning-clean under clang with the configured warning
+    options.
+
+  - The automated test suite runs cleanly under AddressSanitizer.
+
 `Pre-authentication mechanisms`
 
 - PW-SALT                                         :rfc:`4120#section-5.2.7.3`
diff --git a/doc/html/_sources/plugindev/certauth.txt b/doc/html/_sources/plugindev/certauth.txt
new file mode 100644
index 000000000000..8a7f7c5ebad6
--- /dev/null
+++ b/doc/html/_sources/plugindev/certauth.txt
@@ -0,0 +1,27 @@
+.. _certauth_plugin:
+
+PKINIT certificate authorization interface (certauth)
+=====================================================
+
+The certauth interface was first introduced in release 1.16.  It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients.  For a detailed
+description of the certauth interface, see the header file
+``<krb5/certauth_plugin.h>``
+
+A certauth module implements the **authorize** method to determine
+whether a client's certificate is authorized to authenticate a client
+principal.  **authorize** receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5_db_entry (for modules that link against libkdb5).  It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket.  A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+**init** and **fini** methods.  Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from **authorize**, it must also implement the **free_ind** method
+to free the list.
diff --git a/doc/html/_sources/plugindev/index.txt b/doc/html/_sources/plugindev/index.txt
index 3fb921778cb5..5e7834635f42 100644
--- a/doc/html/_sources/plugindev/index.txt
+++ b/doc/html/_sources/plugindev/index.txt
@@ -25,11 +25,14 @@ Contents
    ccselect.rst
    pwqual.rst
    kadm5_hook.rst
+   kadm5_auth.rst
    hostrealm.rst
    localauth.rst
    locate.rst
    profile.rst
    gssapi.rst
    internal.rst
+   certauth.rst
+   kdcpolicy.rst
 
 .. TODO: GSSAPI mechanism plugins
diff --git a/doc/html/_sources/plugindev/kadm5_auth.txt b/doc/html/_sources/plugindev/kadm5_auth.txt
new file mode 100644
index 000000000000..b4839617bd2f
--- /dev/null
+++ b/doc/html/_sources/plugindev/kadm5_auth.txt
@@ -0,0 +1,35 @@
+.. _kadm5_auth_plugin:
+
+kadmin authorization interface (kadm5_auth)
+===========================================
+
+The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations.  For a detailed description of the kadm5_auth
+interface, see the header file ``<krb5/kadm5_auth_plugin.h>``.
+
+A module can create and destroy per-process state objects by
+implementing the **init** and **fini** methods.  State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type.  A
+module should typically cast this to an internal type for the state
+object.
+
+The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation.  Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access.  Access is granted if at least one module
+grants access and no module authoritatively denies access.
+
+The **addprinc** and **modprinc** methods can also impose restrictions
+on the principal operation by returning a ``struct
+kadm5_auth_restrictions`` object.  The module should also implement
+the **free_restrictions** method if it dynamically allocates
+restrictions objects for principal operations.
+
+kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include ``<kadm5/admin.h>`` to gain
+access to the structure definitions for those objects.  As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.
diff --git a/doc/html/_sources/plugindev/kdcpolicy.txt b/doc/html/_sources/plugindev/kdcpolicy.txt
new file mode 100644
index 000000000000..74f21f08fbf4
--- /dev/null
+++ b/doc/html/_sources/plugindev/kdcpolicy.txt
@@ -0,0 +1,24 @@
+.. _kdcpolicy_plugin:
+
+KDC policy interface (kdcpolicy)
+================================
+
+The kdcpolicy interface was first introduced in release 1.16.  It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket.  For a detailed
+description of the kdcpolicy interface, see the header file
+``<krb5/kdcpolicy_plugin.h>``.
+
+The optional **check_as** and **check_tgs** functions allow the module
+to perform access control.  Additionally, a module can create and
+destroy module data with the **init** and **fini** methods.  Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods.  The data has the type
+krb5_kdcpolicy_moddata, which should be cast to the appropriate
+internal type.
+
+kdcpolicy modules can optionally inspect principal entries.  To do
+this, the module must also include ``<kdb.h>`` to gain access to the
+principal entry structure definition.  As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.
diff --git a/doc/html/about.html b/doc/html/about.html
index 7b9f23462bea..d1e3a2e86e87 100644
--- a/doc/html/about.html
+++ b/doc/html/about.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    './',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -142,7 +142,7 @@ to maintain.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
index aeab6f19fdba..70300c8e3886 100644
--- a/doc/html/admin/admin_commands/index.html
+++ b/doc/html/admin/admin_commands/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -161,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
index 6efa10e95cbe..6b2b3304c936 100644
--- a/doc/html/admin/admin_commands/k5srvutil.html
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -200,7 +200,7 @@ place.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
index b1e796c3c214..270fc9376f04 100644
--- a/doc/html/admin/admin_commands/kadmin_local.html
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -587,6 +587,12 @@ accepted values.</dd>
 <dd>Enables One Time Passwords (OTP) preauthentication for a client
 <em>principal</em>.  The <em>value</em> is a JSON string representing an array
 of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+<dt><strong>pkinit_cert_match</strong></dt>
+<dd>Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the <strong>pkinit_cert_match</strong>
+option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.  (New in release 1.16.)</dd>
 </dl>
 <p>This command requires the <strong>modify</strong> privilege.</p>
 <p>Alias: <strong>setstr</strong></p>
@@ -958,7 +964,7 @@ interface to the OpenVision Kerberos administration program.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
index 7cf3d38e7726..d30f4cede9e9 100644
--- a/doc/html/admin/admin_commands/kadmind.html
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -253,7 +253,7 @@ to full resync requests when iprop is enabled.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
index 673118aac6b8..b47450502a01 100644
--- a/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -536,7 +536,7 @@ userpolicy
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
index 66fec5262644..87493732a708 100644
--- a/doc/html/admin/admin_commands/kdb5_util.html
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -591,7 +591,7 @@ bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
index 962d316aab40..73939b48421a 100644
--- a/doc/html/admin/admin_commands/kprop.html
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -199,7 +199,7 @@ on the remote host.</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
index b8252223a043..163f4ac8cd75 100644
--- a/doc/html/admin/admin_commands/kpropd.html
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -75,6 +75,7 @@
 [<strong>-F</strong> <em>principal_database</em>]
 [<strong>-p</strong> <em>kdb5_util_prog</em>]
 [<strong>-P</strong> <em>port</em>]
+[<strong>&#8211;pid-file</strong>=<em>pid_file</em>]
 [<strong>-d</strong>]
 [<strong>-t</strong>]</p>
 </div>
@@ -149,6 +150,9 @@ is only useful in combination with the <strong>-S</strong> option.</dd>
 <dt><strong>-a</strong> <em>acl_file</em></dt>
 <dd>Allows the user to specify the path to the kpropd.acl file; by
 default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
+<dt><strong>&#8211;pid-file</strong>=<em>pid_file</em></dt>
+<dd>In standalone mode, write the process ID of the daemon into
+<em>pid_file</em>.</dd>
 </dl>
 </div>
 <div class="section" id="environment">
@@ -262,7 +266,7 @@ will allow Kerberos database propagation via <a class="reference internal" href=
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
index a961170ccf98..50b7c7e4d35a 100644
--- a/doc/html/admin/admin_commands/kproplog.html
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -225,7 +225,7 @@ output generated for one entry:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
index 22a0c0ca87e4..f39779bf4f0e 100644
--- a/doc/html/admin/admin_commands/krb5kdc.html
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -253,7 +253,7 @@ description for further details.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
index de4700ef9cc1..ba95ebbe71ff 100644
--- a/doc/html/admin/admin_commands/ktutil.html
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -130,7 +130,7 @@ V4 srvtab file.</p>
 <h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
 <blockquote>
 <div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
-<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em></div></blockquote>
+<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em> [<strong>-s</strong> <em>salt</em>]</div></blockquote>
 <p>Add <em>principal</em> to keylist using key or password.</p>
 <p>Alias: <strong>addent</strong></p>
 </div>
@@ -268,7 +268,7 @@ ktutil:
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
index 15e622cf0b5d..1e5e1941f991 100644
--- a/doc/html/admin/admin_commands/sserver.html
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -246,7 +246,7 @@ probably not installed in the proper directory.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html
index 223fd15864f6..603f95e2ecd8 100644
--- a/doc/html/admin/advanced/index.html
+++ b/doc/html/admin/advanced/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -143,7 +143,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html
index e74d2b80770a..662067e84ff6 100644
--- a/doc/html/admin/advanced/ldapbackend.html
+++ b/doc/html/admin/advanced/ldapbackend.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -280,7 +280,7 @@ master key stash:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html
index ec846446c12f..8ac29b3dca51 100644
--- a/doc/html/admin/advanced/retiring-des.html
+++ b/doc/html/admin/advanced/retiring-des.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -526,7 +526,7 @@ converted to the new master key.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html
index ef7f37524d9c..09dea1613c52 100644
--- a/doc/html/admin/appl_servers.html
+++ b/doc/html/admin/appl_servers.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -332,7 +332,7 @@ point for learning to configure firewalls.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html
index 0d91bfe5f5cd..25f97cfe94b5 100644
--- a/doc/html/admin/auth_indicator.html
+++ b/doc/html/admin/auth_indicator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -182,7 +182,7 @@ attribute.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html
index c62dfd5b6809..9e005ec8557a 100644
--- a/doc/html/admin/backup_host.html
+++ b/doc/html/admin/backup_host.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -167,7 +167,7 @@ corrupted, you can load the most recent dump onto the master KDC.
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 8b6207cb6a03..2325611706ae 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -159,7 +159,7 @@ KDC database.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 640fc7bc1c9c..05eab8bbae62 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
 sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 </pre></div>
 </div>
-<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
-an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
-<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
-<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
-1).  He has no permissions at all with his null instance,
-<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2).  His <tt class="docutils literal"><span class="pre">root</span></tt> and other
-non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
-inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
-(matches line 3).</p>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting
+keys.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except
+extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance,
+<tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line 1).  He has no
+permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt>
+(matches line 2).  His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null
+instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions
+with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p>
 <p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
 or change the password of their null instance, but not any other
 null instance.  (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
@@ -222,9 +223,20 @@ in the database.  This line is separate from line 4, because list
 permission can only be granted globally, not to specific target
 principals.</p>
 <p>(line 6) Finally, the Service Management System principal
-<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.</p>
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="module-behavior">
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<p>The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.</p>
+<p>To operate without an ACL file, set the <em>acl_file</em> variable in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.</p>
 </div>
 <div class="section" id="see-also">
 <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p>
 <li><a class="reference internal" href="#description">DESCRIPTION</a></li>
 <li><a class="reference internal" href="#syntax">SYNTAX</a></li>
 <li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
 <li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
 </ul>
 </li>
@@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index b81a78f740f7..183e63cd26d8 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -149,9 +149,10 @@ to define one parameter for the ATHENA.MIT.EDU realm:</p>
 <dt><strong>acl_file</strong></dt>
 <dd>(String.)  Location of the access control list file that
 <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
-which permissions on the Kerberos database.  The default value is
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.  For more information on Kerberos ACL
-file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+which permissions on the Kerberos database.  To operate without an
+ACL file, set this relation to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span>
+<span class="pre">&quot;&quot;</span></tt>.  The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.  For more
+information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
 <dt><strong>database_module</strong></dt>
 <dd>(String.)  This relation indicates the name of the configuration
 section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
@@ -242,6 +243,10 @@ are not allowed as passwords.  The file should contain one string
 per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.</dd>
+<dt><strong>encrypted_challenge_indicator</strong></dt>
+<dd>(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre-authentication.  New in 1.16.</dd>
 <dt><strong>host_based_services</strong></dt>
 <dd>(Whitespace- or comma-separated list.)  Lists services which will
 get host-based referral processing even if the server principal is
@@ -741,8 +746,6 @@ This option is required if pkinit is to be supported by the KDC.</dd>
 <dd>Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)</dd>
-<dt><strong>pkinit_kdc_ocsp</strong></dt>
-<dd>Specifies the location of the KDC&#8217;s OCSP.</dd>
 <dt><strong>pkinit_pool</strong></dt>
 <dd>Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client&#8217;s
@@ -776,8 +779,8 @@ Encryption types marked as &#8220;weak&#8221; are available for compatibility bu
 not recommended for use.</p>
 <table border="1" class="docutils">
 <colgroup>
-<col width="44%" />
-<col width="56%" />
+<col width="30%" />
+<col width="70%" />
 </colgroup>
 <tbody valign="top">
 <tr class="row-odd"><td>des-cbc-crc</td>
@@ -832,7 +835,7 @@ not recommended for use.</p>
 <td>The triple DES family: des3-cbc-sha1</td>
 </tr>
 <tr class="row-even"><td>aes</td>
-<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td>
+<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td>
 </tr>
 <tr class="row-odd"><td>rc4</td>
 <td>The RC4 family: arcfour-hmac</td>
@@ -1045,7 +1048,7 @@ follows:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index ca50e7ad27f1..70144fa0bde9 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,9 +112,10 @@ includedir DIRNAME
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
 alphanumeric characters, dashes, or underscores.  Starting in release
-1.15, files with names ending in &#8221;.conf&#8221; are also included.  Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.</p>
+1.15, files with names ending in &#8221;.conf&#8221; are also included, unless the
+name begins with &#8221;.&#8221;.  Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.</p>
 <p>The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
 following directive at the beginning of a line before any section
@@ -223,7 +224,7 @@ the client should request when making a TGS-REQ, in order of
 preference from highest to lowest.  The list may be delimited with
 commas or whitespace.  See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
 <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
-The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
+The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
 will be implicitly removed from this list if the value of
 <strong>allow_weak_crypto</strong> is false.</p>
 <p class="last">Do not set this unless required for specific backward
@@ -236,7 +237,7 @@ libraries are upgraded.</p>
 the client should request when making an AS-REQ, in order of
 preference from highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
 removed from this list if the value of <strong>allow_weak_crypto</strong> is
 false.</p>
 <p class="last">Do not set this unless required for specific backward
@@ -308,7 +309,7 @@ files in the user&#8217;s home directory, with the filename .k5login.
 For security reasons, .k5login files must be owned by
 the local user or by root.</dd>
 <dt><strong>kcm_mach_service</strong></dt>
-<dd>On OS X only, determines the name of the bootstrap service used to
+<dd>On macOS only, determines the name of the bootstrap service used to
 contact the KCM daemon for the KCM credential cache type.  If the
 value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
 daemon.  The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
@@ -379,7 +380,7 @@ used across NATs.  The default value is true.</dd>
 <dt><strong>permitted_enctypes</strong></dt>
 <dd>Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
-<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">aes256-cts-hmac-sha384-192</span> <span class="pre">aes128-cts-hmac-sha256-128</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
 removed from this list if the value of <strong>allow_weak_crypto</strong> is
 false.</dd>
 <dt><strong>plugin_base_dir</strong></dt>
@@ -749,6 +750,9 @@ client principal</dd>
 <dt><strong>realm</strong></dt>
 <dd>Uses the service realm to guess an appropriate cache from the
 collection</dd>
+<dt><strong>hostname</strong></dt>
+<dd>If the service principal is host-based, uses the service hostname
+to guess an appropriate cache from the collection</dd>
 </dl>
 </div>
 <div class="section" id="pwqual-interface">
@@ -776,6 +780,23 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.</p>
 </div>
+<div class="section" id="kadm5-auth-interface">
+<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>acl</strong></dt>
+<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file, and authorizes
+operations which are allowed according to the rules in the file.</dd>
+<dt><strong>self</strong></dt>
+<dd>This module authorizes self-service operations including password
+changes, creation of new random keys, fetching the client&#8217;s
+principal record or string attributes, and fetching the policy
+record associated with the client principal.</dd>
+</dl>
+</div>
 <div class="section" id="clpreauth-and-kdcpreauth-interfaces">
 <span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
 <p>The clpreauth and kdcpreauth interfaces allow plugin modules to
@@ -840,6 +861,28 @@ the account&#8217;s <a class="reference internal" href="../../user/user_config/k
 principal name maps to the local account name.</dd>
 </dl>
 </div>
+<div class="section" id="certauth-interface">
+<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT.  The
+following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>pkinit_san</strong></dt>
+<dd>This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if <strong>pkinit_allow_upn</strong>
+is set to true for the realm.</dd>
+<dt><strong>pkinit_eku</strong></dt>
+<dd>This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+<strong>pkinit_eku_checking</strong> value for the realm.</dd>
+<dt><strong>dbmatch</strong></dt>
+<dd>This module authorizes or rejects the certificate according to
+whether it matches the <strong>pkinit_cert_match</strong> string attribute on
+the client principal, if that attribute is present.</dd>
+</dl>
+</div>
 </div>
 </div>
 <div class="section" id="pkinit-options">
@@ -1195,9 +1238,11 @@ Valid parameters are:</p>
 <li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
 <li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
 <li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
+<li><a class="reference internal" href="#kadm5-auth-interface">kadm5_auth interface</a></li>
 <li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
 <li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
 <li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
+<li><a class="reference internal" href="#certauth-interface">certauth interface</a></li>
 </ul>
 </li>
 </ul>
@@ -1275,7 +1320,7 @@ Valid parameters are:</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html
index 7cdd64dd2cb4..2a9b830ca2a7 100644
--- a/doc/html/admin/conf_ldap.html
+++ b/doc/html/admin/conf_ldap.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -304,7 +304,7 @@ for initial ticket requests.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html
index dc1cd1971fc9..3b52d123088c 100644
--- a/doc/html/admin/database.html
+++ b/doc/html/admin/database.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -1834,7 +1834,7 @@ config file, and the per-slave dump files are stored in
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html
index 1cee3212704b..56e5b6be0ae2 100644
--- a/doc/html/admin/enctypes.html
+++ b/doc/html/admin/enctypes.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -321,7 +321,7 @@ single-DES enctypes by default.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html
index 087accf2a729..a5a6c8ae1109 100644
--- a/doc/html/admin/env_variables.html
+++ b/doc/html/admin/env_variables.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -168,7 +168,7 @@ programs).</dd>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html
index 809a2db19269..3c0dbaa87656 100644
--- a/doc/html/admin/host_config.html
+++ b/doc/html/admin/host_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -342,7 +342,7 @@ take over, and the rest of krb5.conf will be ignored.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html
index 4dcdc1b25d44..7429ffb922ee 100644
--- a/doc/html/admin/https.html
+++ b/doc/html/admin/https.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -176,7 +176,7 @@ as <tt class="docutils literal"><span class="pre">kinit</span></tt>, <tt class="
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html
index adfb25bb083c..54fffddfba05 100644
--- a/doc/html/admin/index.html
+++ b/doc/html/admin/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -163,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html
index ba51b3e151d9..9c321e46a69f 100644
--- a/doc/html/admin/install.html
+++ b/doc/html/admin/install.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -178,7 +178,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html
index 21a292e941d1..753e53d0f1cb 100644
--- a/doc/html/admin/install_appl_srv.html
+++ b/doc/html/admin/install_appl_srv.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -211,7 +211,7 @@ readable only by root.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html
index a75799d4b763..9c4fabbd0f03 100644
--- a/doc/html/admin/install_clients.html
+++ b/doc/html/admin/install_clients.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -188,7 +188,7 @@ krb5.conf.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html
index ceec8cb320fd..b3984a5ed599 100644
--- a/doc/html/admin/install_kdc.html
+++ b/doc/html/admin/install_kdc.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -631,7 +631,7 @@ for details.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html
index 96cae8efd487..ad1b66e5458c 100644
--- a/doc/html/admin/lockout.html
+++ b/doc/html/admin/lockout.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -276,7 +276,7 @@ read access, account lockout will not function.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html
index 7c99a4e135d1..4375c3ff6bbb 100644
--- a/doc/html/admin/otp.html
+++ b/doc/html/admin/otp.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -224,7 +224,7 @@ equivalent to one DEFAULT token (<tt class="docutils literal"><span class="pre">
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html
index 60645816cd16..50e073c82f0f 100644
--- a/doc/html/admin/pkinit.html
+++ b/doc/html/admin/pkinit.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -266,6 +266,25 @@ time as follows:</p>
 <div class="highlight-python"><div class="highlight"><pre>kadmin -q &#39;add_principal +requires_preauth -nokey YOUR_PRINCNAME&#39;
 </pre></div>
 </div>
+<p>By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT.  Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+<strong>pkinit_cert_match</strong> string attribute on each client principal entry.
+For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin set_string user@REALM pkinit_cert_match &quot;&lt;SUBJECT&gt;CN=user@REALM$&quot;
+</pre></div>
+</div>
+<p>The <strong>pkinit_cert_match</strong> string attribute follows the syntax used by
+the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>pkinit_cert_match</strong> relation.  To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the <strong>pkinit_eku_checking</strong> relation;
+for example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+    pkinit_eku_checking = none
+</pre></div>
+</div>
 </div>
 <div class="section" id="configuring-the-clients">
 <h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
@@ -423,7 +442,7 @@ will have the client name <tt class="docutils literal"><span class="pre">WELLKNO
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html
index b1097c57a0f6..ecf6c969c612 100644
--- a/doc/html/admin/princ_dns.html
+++ b/doc/html/admin/princ_dns.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -238,7 +238,7 @@ krb5-1.10 or later.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html
index c64eeab32de2..2d5ca3ae7918 100644
--- a/doc/html/admin/realm_config.html
+++ b/doc/html/admin/realm_config.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -245,7 +245,7 @@ to other transport types, or find a master server.  The URI record can
 convey more information about a realm&#8217;s KDCs with a single query.</p>
 <p>The client performs a query for the following URI records:</p>
 <ul class="simple">
-<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for fiding KDCs.</li>
+<li><tt class="docutils literal"><span class="pre">_kerberos.REALM</span></tt> for finding KDCs.</li>
 <li><tt class="docutils literal"><span class="pre">_kerberos-adm.REALM</span></tt> for finding kadmin services.</li>
 <li><tt class="docutils literal"><span class="pre">_kpasswd.REALM</span></tt> for finding password services.</li>
 </ul>
@@ -375,7 +375,7 @@ database to additional slaves.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html
index 85782d4b97f7..96d17b09d369 100644
--- a/doc/html/admin/troubleshoot.html
+++ b/doc/html/admin/troubleshoot.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -249,7 +249,7 @@ location on the slave.</li>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html
index 23c8e7bb5b66..7dfb6478b4e0 100644
--- a/doc/html/admin/various_envs.html
+++ b/doc/html/admin/various_envs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -165,7 +165,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/gssapi.html b/doc/html/appdev/gssapi.html
index 51eb7706a1df..3d76d64248cd 100644
--- a/doc/html/appdev/gssapi.html
+++ b/doc/html/appdev/gssapi.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For application developers" href="index.html" />
-    <link rel="next" title="Differences between Heimdal and MIT Kerberos API" href="h5l_mit_apidiff.html" />
+    <link rel="next" title="Year 2038 considerations for uses of krb5_timestamp" href="y2038.html" />
     <link rel="prev" title="For application developers" href="index.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="index.html" title="For application developers"
             accesskey="P">previous</a> |
-        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             accesskey="N">next</a> |
         <a href="../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -334,6 +334,24 @@ intermediate service has the appropriate permissions, the KDC will
 issue a ticket from the client to the target service.  The GSSAPI
 library will then use this ticket to authenticate to the target
 service.</p>
+<p>If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the <strong>GSS_KRB5_GET_CRED_IMPERSONATOR</strong> OID
+(new in release 1.16, declared in <tt class="docutils literal"><span class="pre">&lt;gssapi/gssapi_krb5.h&gt;</span></tt>) using
+the gss_inquire_cred_by_oid extension (declared in
+<tt class="docutils literal"><span class="pre">&lt;gssapi/gssapi_ext.h&gt;</span></tt>):</p>
+<div class="highlight-python"><div class="highlight"><pre>OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+                                  const gss_cred_id_t cred_handle,
+                                  gss_OID desired_object,
+                                  gss_buffer_set_t *data_set);
+</pre></div>
+</div>
+<p>If the call succeeds and <em>cred_handle</em> is a proxy credential,
+<em>data_set</em> will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service.  If <em>cred_handle</em>
+is not a proxy credential, <em>data_set</em> will be set to an empty buffer
+set.  If the library does not support the query,
+gss_inquire_cred_by_oid will return <strong>GSS_S_UNAVAILABLE</strong>.</p>
 </div>
 <div class="section" id="aead-message-wrapping">
 <h2>AEAD message wrapping<a class="headerlink" href="#aead-message-wrapping" title="Permalink to this headline">¶</a></h2>
@@ -649,6 +667,7 @@ if (GSS_ERROR(major))
 <li class="toctree-l2 current"><a class="current reference internal" href="">Developing with GSSAPI</a><ul class="simple">
 </ul>
 </li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -681,7 +700,7 @@ if (GSS_ERROR(major))
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -690,7 +709,7 @@ if (GSS_ERROR(major))
             >Contents</a> |
         <a href="index.html" title="For application developers"
             >previous</a> |
-        <a href="h5l_mit_apidiff.html" title="Differences between Heimdal and MIT Kerberos API"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             >next</a> |
         <a href="../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/appdev/h5l_mit_apidiff.html b/doc/html/appdev/h5l_mit_apidiff.html
index ace7c9749bb2..a2c475674e8a 100644
--- a/doc/html/appdev/h5l_mit_apidiff.html
+++ b/doc/html/appdev/h5l_mit_apidiff.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -29,7 +29,7 @@
     <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
     <link rel="up" title="For application developers" href="index.html" />
     <link rel="next" title="Initial credentials" href="init_creds.html" />
-    <link rel="prev" title="Developing with GSSAPI" href="gssapi.html" /> 
+    <link rel="prev" title="Year 2038 considerations for uses of krb5_timestamp" href="y2038.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -42,7 +42,7 @@
                 
         <a href="../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="gssapi.html" title="Developing with GSSAPI"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             accesskey="P">previous</a> |
         <a href="init_creds.html" title="Initial credentials"
             accesskey="N">next</a> |
@@ -131,6 +131,7 @@ if it wasn&#8217;t explicitly set in the context</td>
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -163,14 +164,14 @@ if it wasn&#8217;t explicitly set in the context</td>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="gssapi.html" title="Developing with GSSAPI"
+        <a href="y2038.html" title="Year 2038 considerations for uses of krb5_timestamp"
             >previous</a> |
         <a href="init_creds.html" title="Initial credentials"
             >next</a> |
diff --git a/doc/html/appdev/index.html b/doc/html/appdev/index.html
index f992c979195c..3c13ae68d7c6 100644
--- a/doc/html/appdev/index.html
+++ b/doc/html/appdev/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -67,6 +67,7 @@
 <div class="toctree-wrapper compound">
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l1"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l1"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l1"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -99,6 +100,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="current reference internal" href="">For application developers</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="princ_handle.html">Principal manipulation and parsing</a></li>
@@ -131,7 +133,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/init_creds.html b/doc/html/appdev/init_creds.html
index 16278e4565bc..abc80c6f9b9c 100644
--- a/doc/html/appdev/init_creds.html
+++ b/doc/html/appdev/init_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -384,6 +384,7 @@ that the users would access reside on networked servers.</p>
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Initial credentials</a><ul class="simple">
 </ul>
@@ -418,7 +419,7 @@ that the users would access reside on networked servers.</p>
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/princ_handle.html b/doc/html/appdev/princ_handle.html
index 21865008b219..afe88645ce76 100644
--- a/doc/html/appdev/princ_handle.html
+++ b/doc/html/appdev/princ_handle.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2 current"><a class="current reference internal" href="">Principal manipulation and parsing</a></li>
@@ -145,7 +146,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/index.html b/doc/html/appdev/refs/api/index.html
index 87c65e42c89c..ca61a0c120a9 100644
--- a/doc/html/appdev/refs/api/index.html
+++ b/doc/html/appdev/refs/api/index.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -442,7 +442,7 @@
 <li class="toctree-l1"><a class="reference internal" href="krb5_524_convert_creds.html">krb5_524_convert_creds -  Convert a Kerberos V5 credentials to a Kerberos V4 credentials.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_getlocalsubkey.html">krb5_auth_con_getlocalsubkey</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_getremotesubkey.html">krb5_auth_con_getremotesubkey</a></li>
-<li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_initivector.html">krb5_auth_con_initivector</a></li>
+<li class="toctree-l1"><a class="reference internal" href="krb5_auth_con_initivector.html">krb5_auth_con_initivector -  Cause an auth context to use cipher state.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_build_principal_va.html">krb5_build_principal_va</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_c_random_seed.html">krb5_c_random_seed</a></li>
 <li class="toctree-l1"><a class="reference internal" href="krb5_calculate_checksum.html">krb5_calculate_checksum</a></li>
@@ -497,6 +497,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -534,7 +535,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_425_conv_principal.html b/doc/html/appdev/refs/api/krb5_425_conv_principal.html
index 8219f9ec89c9..dc8b6b4ccc5d 100644
--- a/doc/html/appdev/refs/api/krb5_425_conv_principal.html
+++ b/doc/html/appdev/refs/api/krb5_425_conv_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_524_conv_principal.html b/doc/html/appdev/refs/api/krb5_524_conv_principal.html
index fd96e8f71ef8..ea1ecf81531a 100644
--- a/doc/html/appdev/refs/api/krb5_524_conv_principal.html
+++ b/doc/html/appdev/refs/api/krb5_524_conv_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_524_convert_creds.html b/doc/html/appdev/refs/api/krb5_524_convert_creds.html
index 0824cda5e558..c8975c429285 100644
--- a/doc/html/appdev/refs/api/krb5_524_convert_creds.html
+++ b/doc/html/appdev/refs/api/krb5_524_convert_creds.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@ int <tt class="descname">krb5_524_convert_creds</tt><big>(</big><a class="refere
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@ int <tt class="descname">krb5_524_convert_creds</tt><big>(</big><a class="refere
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_compare.html b/doc/html/appdev/refs/api/krb5_address_compare.html
index fdb5a3c1d291..c99873eb9b57 100644
--- a/doc/html/appdev/refs/api/krb5_address_compare.html
+++ b/doc/html/appdev/refs/api/krb5_address_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_order.html b/doc/html/appdev/refs/api/krb5_address_order.html
index 0f68b02f872d..af05b7d78f35 100644
--- a/doc/html/appdev/refs/api/krb5_address_order.html
+++ b/doc/html/appdev/refs/api/krb5_address_order.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@ int <tt class="descname">krb5_address_order</tt><big>(</big><a class="reference
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@ int <tt class="descname">krb5_address_order</tt><big>(</big><a class="reference
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_address_search.html b/doc/html/appdev/refs/api/krb5_address_search.html
index 1a00022b7851..00a95537c27b 100644
--- a/doc/html/appdev/refs/api/krb5_address_search.html
+++ b/doc/html/appdev/refs/api/krb5_address_search.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html b/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
index 1d0d0726d003..adab192b7f36 100644
--- a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
+++ b/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_aname_to_localname.html b/doc/html/appdev/refs/api/krb5_aname_to_localname.html
index 059ff5de1be7..3ecc1e37e3ff 100644
--- a/doc/html/appdev/refs/api/krb5_aname_to_localname.html
+++ b/doc/html/appdev/refs/api/krb5_aname_to_localname.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_anonymous_principal.html b/doc/html/appdev/refs/api/krb5_anonymous_principal.html
index fb0f250dc18a..63ba2ceb2bbf 100644
--- a/doc/html/appdev/refs/api/krb5_anonymous_principal.html
+++ b/doc/html/appdev/refs/api/krb5_anonymous_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_anonymous_realm.html b/doc/html/appdev/refs/api/krb5_anonymous_realm.html
index d3fe823ca3a1..8e9a4e9d8af8 100644
--- a/doc/html/appdev/refs/api/krb5_anonymous_realm.html
+++ b/doc/html/appdev/refs/api/krb5_anonymous_realm.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -103,6 +103,7 @@ const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" t
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -140,7 +141,7 @@ const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" t
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html b/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
index 7c2e0efd9da6..3c5d84cfe65f 100644
--- a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
+++ b/doc/html/appdev/refs/api/krb5_appdefault_boolean.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@ void <tt class="descname">krb5_appdefault_boolean</tt><big>(</big><a class="refe
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@ void <tt class="descname">krb5_appdefault_boolean</tt><big>(</big><a class="refe
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_appdefault_string.html b/doc/html/appdev/refs/api/krb5_appdefault_string.html
index 6d929ce78a22..031c300d0149 100644
--- a/doc/html/appdev/refs/api/krb5_appdefault_string.html
+++ b/doc/html/appdev/refs/api/krb5_appdefault_string.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -109,6 +109,7 @@ void <tt class="descname">krb5_appdefault_string</tt><big>(</big><a class="refer
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -146,7 +147,7 @@ void <tt class="descname">krb5_appdefault_string</tt><big>(</big><a class="refer
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_free.html b/doc/html/appdev/refs/api/krb5_auth_con_free.html
index d015145ffa86..21cc3895a6b0 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_free.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_free.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
index 2e13f304b6b6..fed42f3e08be 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -122,6 +122,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -159,7 +160,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
index ab20b43e2536..b0b3548c4ab7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
index eddcdcdbed98..a01fa20e611d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html b/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
index 9a06c86fc897..8fb79ab515be 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html b/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
index 556548b3aa4f..f1d11da57899 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getflags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
index a1c38f68be9e..ef975b142804 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
index 5eb4d483d427..23a6d05e85b7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
index 274cfb83d8bf..5be866a4f845 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
index 5049ee18b168..ef5a42b8a9c1 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
index 5c2deb7d433f..91c5209614d5 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
index 408624f5fa65..27383ff0b9d9 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
index 80a6d61a2538..65c75e771536 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
index bb8baae2c6ed..e9d18aeef72d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
index c7b13b478b8e..906f23f4028c 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -28,7 +28,7 @@
     <link rel="copyright" title="Copyright" href="../../../copyright.html" />
     <link rel="top" title="MIT Kerberos Documentation" href="../../../index.html" />
     <link rel="up" title="krb5 API" href="index.html" />
-    <link rel="next" title="krb5_auth_con_initivector" href="krb5_auth_con_initivector.html" />
+    <link rel="next" title="krb5_auth_con_initivector - Cause an auth context to use cipher state." href="krb5_auth_con_initivector.html" />
     <link rel="prev" title="krb5_auth_con_getlocalsubkey" href="krb5_auth_con_getlocalsubkey.html" /> 
   </head>
   <body>
@@ -44,7 +44,7 @@
             accesskey="C">Contents</a> |
         <a href="krb5_auth_con_getlocalsubkey.html" title="krb5_auth_con_getlocalsubkey"
             accesskey="P">previous</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             accesskey="N">next</a> |
         <a href="../../../genindex.html" title="General Index"
             accesskey="I">index</a> |
@@ -102,6 +102,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +140,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -148,7 +149,7 @@
             >Contents</a> |
         <a href="krb5_auth_con_getlocalsubkey.html" title="krb5_auth_con_getlocalsubkey"
             >previous</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             >next</a> |
         <a href="../../../genindex.html" title="General Index"
             >index</a> |
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
index 2ce5c7d09fc8..61ba4117be14 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
index d570a4f9a3fa..6a8e3cf54e47 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_init.html b/doc/html/appdev/refs/api/krb5_auth_con_init.html
index 66bd08fcbd21..a0f1d9d1e54a 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_init.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_init.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html b/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
index 1351d4e71ec6..d986ad4be9b4 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_initivector.html
@@ -6,7 +6,7 @@
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     
-    <title>krb5_auth_con_initivector &mdash; MIT Kerberos Documentation</title>
+    <title>krb5_auth_con_initivector - Cause an auth context to use cipher state. &mdash; MIT Kerberos Documentation</title>
     
     <link rel="stylesheet" href="../../../_static/agogo.css" type="text/css" />
     <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -50,7 +50,7 @@
             accesskey="I">index</a> |
         <a href="../../../search.html" title="Enter search criteria"
             accesskey="S">Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector -  Cause an auth context to use cipher state.">feedback</a>
             </div>
         </div>
     </div>
@@ -63,8 +63,8 @@
         <div class="bodywrapper">
           <div class="body">
             
-  <div class="section" id="krb5-auth-con-initivector">
-<h1>krb5_auth_con_initivector<a class="headerlink" href="#krb5-auth-con-initivector" title="Permalink to this headline">¶</a></h1>
+  <div class="section" id="krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state">
+<h1>krb5_auth_con_initivector -  Cause an auth context to use cipher state.<a class="headerlink" href="#krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state" title="Permalink to this headline">¶</a></h1>
 <dl class="function">
 <dt id="c.krb5_auth_con_initivector">
 <a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <tt class="descname">krb5_auth_con_initivector</tt><big>(</big><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a><em>&nbsp;context</em>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a><em>&nbsp;auth_context</em><big>)</big><a class="headerlink" href="#c.krb5_auth_con_initivector" title="Permalink to this definition">¶</a></dt>
@@ -74,14 +74,24 @@
 <col class="field-name" />
 <col class="field-body" />
 <tbody valign="top">
-<tr class="field-odd field"><th class="field-name">param:</th><td class="field-body"><p class="first"><strong>context</strong></p>
-<p class="last"><strong>auth_context</strong></p>
+<tr class="field-odd field"><th class="field-name">param:</th><td class="field-body"><p class="first"><strong>[in]</strong> <strong>context</strong> - Library context</p>
+<p class="last"><strong>[in]</strong> <strong>auth_context</strong> - Authentication context</p>
 </td>
 </tr>
 </tbody>
 </table>
-<p>DEPRECATED Not replaced.</p>
-<p>RFC 4120 doesn&#8217;t have anything like the initvector concept; only really old protocols may need this API.</p>
+<table class="docutils field-list" frame="void" rules="none">
+<col class="field-name" />
+<col class="field-body" />
+<tbody valign="top">
+<tr class="field-odd field"><th class="field-name">retval:</th><td class="field-body"><ul class="first last simple">
+<li>0   Success; otherwise - Kerberos error codes</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+<p>Prepare <em>auth_context</em> to use cipher state when <a class="reference internal" href="krb5_mk_priv.html#c.krb5_mk_priv" title="krb5_mk_priv"><tt class="xref c c-func docutils literal"><span class="pre">krb5_mk_priv()</span></tt></a> or <a class="reference internal" href="krb5_rd_priv.html#c.krb5_rd_priv" title="krb5_rd_priv"><tt class="xref c c-func docutils literal"><span class="pre">krb5_rd_priv()</span></tt></a> encrypt or decrypt data.</p>
 </div>
 
 
@@ -92,7 +102,7 @@
         <div class="sidebar">
     <h2>On this page</h2>
     <ul>
-<li><a class="reference internal" href="#">krb5_auth_con_initivector</a></li>
+<li><a class="reference internal" href="#">krb5_auth_con_initivector -  Cause an auth context to use cipher state.</a></li>
 </ul>
 
     <br/>
@@ -102,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -139,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
@@ -154,7 +165,7 @@
             >index</a> |
         <a href="../../../search.html" title="Enter search criteria"
             >Search</a> |
-    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector">feedback</a>
+    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_auth_con_initivector -  Cause an auth context to use cipher state.">feedback</a>
             </div>
         </div>
     </div>
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
index 0f83652ffcb1..3264450016bc 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html b/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
index d36967d41a80..d4749be11a99 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
index 707a2a275ab4..01cc0a37e0dd 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html b/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
index 3e3592cdb59d..141e994753af 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setflags.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setports.html b/doc/html/appdev/refs/api/krb5_auth_con_setports.html
index 9b798296ebe7..6925b45b79a7 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setports.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setports.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -118,6 +118,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -155,7 +156,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
index 3bb93fe53206..77182c63c850 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
index d56418a8f327..430b0df2420e 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
index 381b76c3caaa..d704f27f9863 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
index 3d9197a483d9..0756262eb06d 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
index a4d2b58772ad..cdd432773963 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -117,6 +117,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -154,7 +155,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
index 3cefdd403d07..2bbb8f410b73 100644
--- a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
+++ b/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal.html b/doc/html/appdev/refs/api/krb5_build_principal.html
index 498fa1cadbae..1ff489f5101a 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -123,6 +123,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -160,7 +161,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html b/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
index 2d66e4443cef..597d6cd87a90 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -121,6 +121,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -158,7 +159,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_ext.html b/doc/html/appdev/refs/api/krb5_build_principal_ext.html
index 09cd14028bf2..fe57ca549a61 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_ext.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_ext.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -119,6 +119,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -156,7 +157,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_build_principal_va.html b/doc/html/appdev/refs/api/krb5_build_principal_va.html
index 3cc02e3a67ac..61cfb1caa45f 100644
--- a/doc/html/appdev/refs/api/krb5_build_principal_va.html
+++ b/doc/html/appdev/refs/api/krb5_build_principal_va.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -29,7 +29,7 @@
     <link rel="top" title="MIT Kerberos Documentation" href="../../../index.html" />
     <link rel="up" title="krb5 API" href="index.html" />
     <link rel="next" title="krb5_c_random_seed" href="krb5_c_random_seed.html" />
-    <link rel="prev" title="krb5_auth_con_initivector" href="krb5_auth_con_initivector.html" /> 
+    <link rel="prev" title="krb5_auth_con_initivector - Cause an auth context to use cipher state." href="krb5_auth_con_initivector.html" /> 
   </head>
   <body>
     <div class="header-wrapper">
@@ -42,7 +42,7 @@
                 
         <a href="../../../index.html" title="Full Table of Contents"
             accesskey="C">Contents</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             accesskey="P">previous</a> |
         <a href="krb5_c_random_seed.html" title="krb5_c_random_seed"
             accesskey="N">next</a> |
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,14 +142,14 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
                 
         <a href="../../../index.html" title="Full Table of Contents"
             >Contents</a> |
-        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector"
+        <a href="krb5_auth_con_initivector.html" title="krb5_auth_con_initivector - Cause an auth context to use cipher state."
             >previous</a> |
         <a href="krb5_c_random_seed.html" title="krb5_c_random_seed"
             >next</a> |
diff --git a/doc/html/appdev/refs/api/krb5_c_block_size.html b/doc/html/appdev/refs/api/krb5_c_block_size.html
index b2f8e7ddefc3..7899da3c213d 100644
--- a/doc/html/appdev/refs/api/krb5_c_block_size.html
+++ b/doc/html/appdev/refs/api/krb5_c_block_size.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_checksum_length.html b/doc/html/appdev/refs/api/krb5_c_checksum_length.html
index 6b179a1d7bee..c095d5ea75fe 100644
--- a/doc/html/appdev/refs/api/krb5_c_checksum_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_checksum_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length.html b/doc/html/appdev/refs/api/krb5_c_crypto_length.html
index afd4b0ef9a14..7011c0d98b6f 100644
--- a/doc/html/appdev/refs/api/krb5_c_crypto_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_crypto_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html b/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
index 9f948b39de9f..d271e3bcf59d 100644
--- a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt.html b/doc/html/appdev/refs/api/krb5_c_decrypt.html
index 8337649a6448..0e5d0c94850c 100644
--- a/doc/html/appdev/refs/api/krb5_c_decrypt.html
+++ b/doc/html/appdev/refs/api/krb5_c_decrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
index 66464e2a7403..794dd64adf71 100644
--- a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html b/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
index 408fcb66aef0..0a34bf9f8a22 100644
--- a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
+++ b/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -104,6 +104,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -141,7 +142,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt.html b/doc/html/appdev/refs/api/krb5_c_encrypt.html
index 6a47c3c7e36d..35f90cacc1be 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -120,6 +120,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -157,7 +158,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
index e894538f1ce0..a1cf845800d6 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -125,6 +125,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -162,7 +163,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html b/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
index 96bf8a55dbb7..49df59f9aa1d 100644
--- a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
+++ b/doc/html/appdev/refs/api/krb5_c_encrypt_length.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html b/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
index ecfd1b68a799..436e2a0d44d9 100644
--- a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
+++ b/doc/html/appdev/refs/api/krb5_c_enctype_compare.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -114,6 +114,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -151,7 +152,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_free_state.html b/doc/html/appdev/refs/api/krb5_c_free_state.html
index 3560b4e76a4b..a11ef8de0ddb 100644
--- a/doc/html/appdev/refs/api/krb5_c_free_state.html
+++ b/doc/html/appdev/refs/api/krb5_c_free_state.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -112,6 +112,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -149,7 +150,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html b/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
index 0e7fe96947c8..287faade26f5 100644
--- a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
+++ b/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -116,6 +116,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -153,7 +154,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_init_state.html b/doc/html/appdev/refs/api/krb5_c_init_state.html
index c6c96e6c390d..6fc25ecd7a97 100644
--- a/doc/html/appdev/refs/api/krb5_c_init_state.html
+++ b/doc/html/appdev/refs/api/krb5_c_init_state.html
@@ -15,7 +15,7 @@
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
         URL_ROOT:    '../../../',
-        VERSION:     '1.15.1',
+        VERSION:     '1.16',
         COLLAPSE_INDEX: false,
         FILE_SUFFIX: '.html',
         HAS_SOURCE:  true
@@ -113,6 +113,7 @@
 <li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
 <li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
 <li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
 <li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
@@ -150,7 +151,7 @@
 
     <div class="footer-wrapper">
         <div class="footer" >
-            <div class="right" ><i>Release: 1.15.1</i><br />
+            <div class="right" ><i>Release: 1.16</i><br />
                 &copy; <a href="../../../copyright.html">Copyright</a> 1985-2017, MIT.
             </div>
             <div class="left">
diff --git a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html b/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html
index 7601c114ef97..d57afa507dc4 100644
--- a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html
+++ b/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html