Omit signedpath if no_auth_data_required is set
authorGreg Hudson <ghudson@mit.edu>
Tue, 20 Aug 2013 00:01:03 +0000 (20:01 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 20 Aug 2013 04:25:02 +0000 (00:25 -0400)
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them.  Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.

ticket: 7697 (new)

doc/admin/admin_commands/kadmin_local.rst
doc/admin/conf_files/kdc_conf.rst
src/kdc/kdc_authdata.c

index a291b678c20c579b95edb36bf0c6c32c5c5d5360..bcae5d4d26804d992bad05b2105d9cfaf46e72a8 100644 (file)
@@ -284,6 +284,15 @@ Options:
     **+password_changing_service** marks this principal as a password
     change service principal.
 
+{-\|+}\ **ok_to_auth_as_delegate**
+    **+ok_to_auth_as_delegate** allows this principal to acquire
+    forwardable tickets to itself from arbitrary users, for use with
+    constrained delegation.
+
+{-\|+}\ **no_auth_data_required**
+    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
+    being added to service tickets for the principal.
+
 **-randkey**
     Sets the key of the principal to a random value.
 
index 3b56e61e82740ccba51645ce2baee40ba14f0212..3ae8907f989ce8d684e864f9de07050708b9f532 100644 (file)
@@ -126,8 +126,8 @@ For each realm, the following tags may be specified:
         tickets.
 
     **no-auth-data-required**
-        Enabling this flag prevents PAC data from being added to
-        service tickets for the principal.
+        Enabling this flag prevents PAC or AD-SIGNEDPATH data from
+        being added to service tickets for the principal.
 
     **ok-as-delegate**
         If this flag is enabled, it hints the client that credentials
index c029892f2a9da4f84507c2426475e70b92999038..731c7d5d1c9475f32be84712ddcdcc4946cce41a 100644 (file)
@@ -1159,7 +1159,8 @@ handle_signedpath_authdata (krb5_context context,
 
     /* No point in including signedpath authdata for a cross-realm TGT, since
      * it will be presented to a different KDC. */
-    if (!is_cross_tgs_principal(server->princ) &&
+    if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) &&
+        !is_cross_tgs_principal(server->princ) &&
         !only_pac_p(context, enc_tkt_reply->authorization_data)) {
         code = make_ad_signedpath(context,
                                   for_user_princ,
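Review bot: The comment two lines above the condition still gives only the cross-realm-TGT reason, while the new first operand also skips AD-SIGNEDPATH for any server with KRB5_KDB_NO_AUTH_DATA_REQUIRED set, so a reader of this condition alone cannot see why that flag is consulted here. I would extend it to `/* Omit signedpath for a cross-realm TGT (it will be presented to a different KDC) and for servers flagged no_auth_data_required, which opt out of PAC and signedpath authdata entirely. */`. Since AD-SIGNEDPATH is what a service later presents as evidence for constrained delegation, it may be worth stating in the same comment, or in the kadmin_local.rst text, that setting the flag on such a service prevents that use — the commit message assumes only non-delegating services will set it. handle_signedpath_authdata begins and ends outside this hunk.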