author Greg Hudson <ghudson@mit.edu> 2013-08-19 20:01:03 -0400
committer Greg Hudson <ghudson@mit.edu> 2013-08-20 00:25:02 -0400
commit eaaf406f5ab3224fc262da300476efa21b407bed
tree 8efbcc809da665d9c43d33563e19b8066e8ba8e9 /doc
parent 5e1b506d2988ae2a3bc8fcbaa275bc1e5bd8b630
Omit signedpath if no_auth_data_required is set

The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation.

ticket: 7697 (new)

Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/admin_commands/kadmin_local.rst 9
-rw-r--r-- doc/admin/conf_files/kdc_conf.rst 4
2 files changed, 11 insertions, 2 deletions
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index a291b678c2..bcae5d4d26 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -284,6 +284,15 @@ Options:
**+password_changing_service** marks this principal as a password
change service principal.
+{-\|+}\ **ok_to_auth_as_delegate**
+ **+ok_to_auth_as_delegate** allows this principal to acquire
+ forwardable tickets to itself from arbitrary users, for use with
+ constrained delegation.
+
+{-\|+}\ **no_auth_data_required**
+ **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
+ being added to service tickets for the principal.
+
**-randkey**
Sets the key of the principal to a random value.
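Review bot: the new ok_to_auth_as_delegate entry is not covered by the commit message, which only talks about no_auth_data_required suppressing AD-SIGNEDPATH; either say in the message that missing documentation for both flags is being added, or split that entry into its own change. On the no_auth_data_required entry, the commit message says the flag is meant for services which aren't going to do constrained delegation, but the text here does not. Since the entry directly above it is the constrained-delegation flag, add a sentence saying that +no_auth_data_required is intended for services that will not do constrained delegation, so an administrator reading the two entries together sees the interaction.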
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 3b56e61e82..3ae8907f98 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -126,8 +126,8 @@ For each realm, the following tags may be specified:
tickets.
**no-auth-data-required**
- Enabling this flag prevents PAC data from being added to
- service tickets for the principal.
+ Enabling this flag prevents PAC or AD-SIGNEDPATH data from
+ being added to service tickets for the principal.
**ok-as-delegate**
If this flag is enabled, it hints the client that credentials
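Review bot: the no-auth-data-required text still reads "for the principal", but going by the hunk header this entry sits under the tags specified for each realm, so the wording should make clear which principals the setting applies to, now that enabling it also drops AD-SIGNEDPATH. It would also help to point to the no_auth_data_required attribute in kadmin_local.rst, which carries the same sentence under the underscore spelling, so the two descriptions do not drift apart.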