From 55d0fcac60b575123e997abf583bc8cd501e8fae Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 27 Apr 2009 15:42:23 +0000
Subject: Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin support for the flag. In the KDC, remove the restriction on returning the flag on cross-realm TGTs since there is now a defined meaning for that (it allows ok-as-delegate to be honored on the foreign realm's service tickets).

ticket: 5596

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22281 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/cli/kadmin.M | 10 ++++++++++
 src/kadmin/cli/kadmin.c | 10 +++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

(limited to 'src/kadmin')

diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 165bf0c73..22c096de5 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -341,6 +341,16 @@ flag.)
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
 {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
 .B -allow_svr
 prohibits the issuance of service tickets for this principal. (Sets the
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 557b63a25..fcfe4d94f 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -71,7 +71,8 @@ static struct pflag flags[] = {
 {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
 {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
 };
 
 static char *prflags[] = {
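Review bot: The new `ok_as_delegate` row in `flags[]` has no comment, although it is the one attribute in this table that changes what clients do with their own credentials: per the man-page text added in this same commit, clients may treat it as a hint to delegate credentials to the service. A one-line comment above the entry, such as `/* security-sensitive: set only on services trusted to receive delegated credentials */`, would help anyone auditing which attributes kadmin can toggle. The second field (14) appears to be a hand-counted name length like its neighbours; it matches here, but `sizeof("ok_as_delegate") - 1` would remove the chance of a miscounted literal. The array definition starts before this hunk.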
@@ -91,6 +92,11 @@ static char *prflags[] = {
 "PWCHANGE_SERVICE", /* 0x00002000 */
 "SUPPORT_DESMD5", /* 0x00004000 */
 "NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
 };
 
 char *getenv();
@@ -1117,6 +1123,7 @@ kadmin_addprinc_usage(func)
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n");
 }
@@ -1133,6 +1140,7 @@ kadmin_modprinc_usage(func)
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n"
 );
-- cgit
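Review bot: `prflags[]` now relies on four `"UNKNOWN_0x..."` padding strings to place `"OK_AS_DELEGATE"` at index 20, and nothing in the hunk states that an entry's index must equal its bit number. A comment at the padding, e.g. `/* prflags[i] names attribute bit (1 << i); unassigned bits need a placeholder so later names stay aligned */`, would make that invariant explicit. The code that walks this table is outside the hunk, but if it indexes by bit position then any later insertion or removal would mislabel flags in the principal listing. That output is what an administrator reads to see which principals carry OK_AS_DELEGATE, so a silent misalignment matters.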
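Review bot: The attribute list is repeated verbatim in `kadmin_addprinc_usage` (this hunk) and `kadmin_modprinc_usage` (the following hunk), so every new flag such as `ok_as_delegate` has to be added in two places. A single shared string, e.g. `static const char attr_usage[] = "...";`, used by both functions would keep the two help texts from drifting apart. Note also that the new `"\t\tok_as_delegate\n"` literal is concatenated onto the third string argument, while the first two lines end in commas and are separate arguments. The format string is outside both hunks, so it is worth confirming it still consumes exactly those three arguments. Both function bodies start before their hunks.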