git.ipfire.org Git - thirdparty/krb5.git/commitdiff
Document preauth flags for service principals
author Ben Kaduk <kaduk@mit.edu>
Thu, 30 May 2013 22:49:36 +0000 (18:49 -0400)
committer Ben Kaduk <kaduk@mit.edu>
Fri, 31 May 2013 17:09:45 +0000 (13:09 -0400)
These flags are overloaded to mean different things for clients and
servers; previously we only documented the client behavior.

ticket: 7653 (new)
tags: pullup
target_version: 1.11.4

doc/admin/admin_commands/kadmin_local.rst

index 3072eec715ee830552f321b07e6c6b68fa46b1ca..39351dfd90d10e86be0051f663086b1b151dd9b7 100644 (file)
@@ -242,12 +242,18 @@ Options:
 {-\|+}\ **requires_preauth**
     **+requires_preauth** requires this principal to preauthenticate
     before being allowed to kinit.  **-requires_preauth** clears this
-    flag.
+    flag.  When **+requires_preauth** is set on a service principal,
+    the KDC will only issue service tickets for that service principal
+    if the client's initial authentication was performed using
+    preauthentication.
 
 {-\|+}\ **requires_hwauth**
     **+requires_hwauth** requires this principal to preauthenticate
     using a hardware device before being allowed to kinit.
-    **-requires_hwauth** clears this flag.
+    **-requires_hwauth** clears this flag.  When **+requires_hwauth** is
+    set on a service principal, the KDC will only issue service tickets
+    for that service principal if the client's initial authentication was
+    performed using a hardware device to preauthenticate.
 
 {-\|+}\ **ok_as_delegate**
     **+ok_as_delegate** sets the **okay as delegate** flag on tickets
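
Review bot: In both added paragraphs (the **requires_preauth** and **requires_hwauth** entries), the existing first sentence still reads as the flag's whole meaning, so the client versus service split that the commit message describes is only implied. Consider opening each entry with "When set on a client principal, ..." to parallel the new "When **+requires_preauth** is set on a service principal" sentence, and stating whether both meanings apply at once to a principal that is used as both a client and a service. A smaller style point in the **requires_hwauth** addition: it says "using a hardware device to preauthenticate" while the sentence above it says "preauthenticate using a hardware device"; keeping the same word order in both would read more consistently.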