diff options
author | Greg Hudson <ghudson@mit.edu> | 2013-08-19 20:01:03 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-08-20 00:25:02 -0400 |
commit | eaaf406f5ab3224fc262da300476efa21b407bed (patch) | |
tree | 8efbcc809da665d9c43d33563e19b8066e8ba8e9 /doc | |
parent | 5e1b506d2988ae2a3bc8fcbaa275bc1e5bd8b630 (diff) | |
download | krb5-eaaf406f5ab3224fc262da300476efa21b407bed.tar.gz krb5-eaaf406f5ab3224fc262da300476efa21b407bed.tar.xz krb5-eaaf406f5ab3224fc262da300476efa21b407bed.zip |
Omit signedpath if no_auth_data_required is set
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin/admin_commands/kadmin_local.rst | 9 | ||||
-rw-r--r-- | doc/admin/conf_files/kdc_conf.rst | 4 |
2 files changed, 11 insertions, 2 deletions
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index a291b678c2..bcae5d4d26 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -284,6 +284,15 @@ Options: **+password_changing_service** marks this principal as a password change service principal. +{-\|+}\ **ok_to_auth_as_delegate** + **+ok_to_auth_as_delegate** allows this principal to acquire + forwardable tickets to itself from arbitrary users, for use with + constrained delegation. + +{-\|+}\ **no_auth_data_required** + **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from + being added to service tickets for the principal. + **-randkey** Sets the key of the principal to a random value. diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 3b56e61e82..3ae8907f98 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -126,8 +126,8 @@ For each realm, the following tags may be specified: tickets. **no-auth-data-required** - Enabling this flag prevents PAC data from being added to - service tickets for the principal. + Enabling this flag prevents PAC or AD-SIGNEDPATH data from + being added to service tickets for the principal. **ok-as-delegate** If this flag is enabled, it hints the client that credentials |