From: Greg Hudson Date: Tue, 20 Aug 2013 00:01:03 +0000 (-0400) Subject: Omit signedpath if no_auth_data_required is set X-Git-Tag: krb5-1.12-alpha1~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eaaf406f5ab3224fc262da300476efa21b407bed;p=thirdparty%2Fkrb5.git Omit signedpath if no_auth_data_required is set The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation. ticket: 7697 (new) --- diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index a291b678c2..bcae5d4d26 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -284,6 +284,15 @@ Options: **+password_changing_service** marks this principal as a password change service principal. +{-\|+}\ **ok_to_auth_as_delegate** + **+ok_to_auth_as_delegate** allows this principal to acquire + forwardable tickets to itself from arbitrary users, for use with + constrained delegation. + +{-\|+}\ **no_auth_data_required** + **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from + being added to service tickets for the principal. + **-randkey** Sets the key of the principal to a random value. diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 3b56e61e82..3ae8907f98 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -126,8 +126,8 @@ For each realm, the following tags may be specified: tickets. **no-auth-data-required** - Enabling this flag prevents PAC data from being added to - service tickets for the principal. + Enabling this flag prevents PAC or AD-SIGNEDPATH data from + being added to service tickets for the principal. **ok-as-delegate** If this flag is enabled, it hints the client that credentials 
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index c029892f2a..731c7d5d1c 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -1159,7 +1159,8 @@ handle_signedpath_authdata (krb5_context context, /* No point in including signedpath authdata for a cross-realm TGT, since * it will be presented to a different KDC. */ - if (!is_cross_tgs_principal(server->princ) && + if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) && + !is_cross_tgs_principal(server->princ) && !only_pac_p(context, enc_tkt_reply->authorization_data)) { code = make_ad_signedpath(context, for_user_princ,
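Review bot: in the kadmin_local.rst hunk, the new **ok_to_auth_as_delegate** entry is outside the scope stated in the commit message, which only describes no_auth_data_required; either mention the added documentation of that flag in the message or move it to its own commit so the two changes can be reviewed and reverted independently. In the same hunk the **no_auth_data_required** entry should also carry the caveat the commit message implies: since the flag now suppresses AD-SIGNEDPATH as well as the PAC, it should only be set on services which aren't going to do constrained delegation, and an administrator reading the kadmin documentation alone has no way to know that.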
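Review bot: in the kdc_authdata.c hunk the comment above the condition, "No point in including signedpath authdata for a cross-realm TGT, since it will be presented to a different KDC.", now describes only one of the three reasons the signedpath is skipped, so the new `isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)` branch is undocumented at the point where it takes effect. Suggest extending the comment to something like "Skip signedpath for a cross-realm TGT (it will be presented to a different KDC), and for services with no_auth_data_required set, which are not expected to do constrained delegation." The flag test is correctly applied to `server` (the service principal whose ticket is being built), matching the "service tickets for the principal" wording in the documentation hunks, and placing the cheap flag check first in the `&&` chain is a reasonable ordering.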