From eaaf406f5ab3224fc262da300476efa21b407bed Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 19 Aug 2013 20:01:03 -0400
Subject: Omit signedpath if no_auth_data_required is set

The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation.

ticket: 7697 (new)
---
 src/kdc/kdc_authdata.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index c029892f2..731c7d5d1 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -1159,7 +1159,8 @@ handle_signedpath_authdata (krb5_context context,
 /* No point in including signedpath authdata for a cross-realm TGT, since
 * it will be presented to a different KDC. */
- if (!is_cross_tgs_principal(server->princ) &&
+ if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) &&
+ !is_cross_tgs_principal(server->princ) &&
 !only_pac_p(context, enc_tkt_reply->authorization_data)) {
 code = make_ad_signedpath(context, for_user_princ,
-- cgit
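Review bot: The new `isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)` condition widens what that per-principal flag means, but the comment directly above it still explains only the cross-realm-TGT case, so a reader of this function will not learn that flagging a service also drops AD-SIGNEDPATH from its tickets and, presumably, that such tickets can then no longer serve as S4U2Proxy evidence tickets where the KDC checks the signed path. I would extend the comment: `/* Also omit it for services flagged no_auth_data_required: they get no PAC either, and are assumed not to take part in constrained delegation (S4U2Proxy), which relies on AD-SIGNEDPATH in the evidence ticket. */`. Placing the flag test first is fine, as it is the cheapest of the three conditions and short-circuits the others. handle_signedpath_authdata starts and ends outside the hunk, and the hunk's trailing context appears truncated in this rendering.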