krb5 commit: Omit signedpath if no_auth_data_required is set
Greg Hudson
ghudson at MIT.EDU
Tue Aug 20 00:25:41 EDT 2013
https://github.com/krb5/krb5/commit/eaaf406f5ab3224fc262da300476efa21b407bed
commit eaaf406f5ab3224fc262da300476efa21b407bed
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Aug 19 20:01:03 2013 -0400
Omit signedpath if no_auth_data_required is set
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)
doc/admin/admin_commands/kadmin_local.rst | 9 +++++++++
doc/admin/conf_files/kdc_conf.rst | 4 ++--
src/kdc/kdc_authdata.c | 3 ++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index a291b67..bcae5d4 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -284,6 +284,15 @@ Options:
**+password_changing_service** marks this principal as a password
change service principal.
+{-\|+}\ **ok_to_auth_as_delegate**
+ **+ok_to_auth_as_delegate** allows this principal to acquire
+ forwardable tickets to itself from arbitrary users, for use with
+ constrained delegation.
+
+{-\|+}\ **no_auth_data_required**
+ **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
+ being added to service tickets for the principal.
+
**-randkey**
Sets the key of the principal to a random value.
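Review bot: The commit message describes only the no_auth_data_required change, yet this hunk also documents **ok_to_auth_as_delegate**, which was previously undocumented in kadmin_local.rst; the message should mention that second documentation addition, or it should be split into its own commit. For the **no_auth_data_required** entry, consider adding the caveat the commit message gives (that the flag is meant for services which aren't going to do constrained delegation), for example "Do not set this on a service that uses constrained delegation," since an administrator reading only this page would otherwise not see that suppressing AD-SIGNEDPATH has that consequence.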
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 3b56e61..3ae8907 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -126,8 +126,8 @@ For each realm, the following tags may be specified:
tickets.
**no-auth-data-required**
- Enabling this flag prevents PAC data from being added to
- service tickets for the principal.
+ Enabling this flag prevents PAC or AD-SIGNEDPATH data from
+ being added to service tickets for the principal.
**ok-as-delegate**
If this flag is enabled, it hints the client that credentials
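Review bot: The reworded paragraph now matches the kadmin_local.rst entry, which is good, but because this list defines realm-wide defaults rather than a per-principal flag, the omission of the constrained-delegation caveat matters more here: a realm that sets no-auth-data-required as a default would silently lose AD-SIGNEDPATH on every service ticket. Suggest one clause noting that the flag should not be used as a realm default where any service performs constrained delegation, consistent with the stated intent in the commit message.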
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index c029892..731c7d5 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -1159,7 +1159,8 @@ handle_signedpath_authdata (krb5_context context,
/* No point in including signedpath authdata for a cross-realm TGT, since
* it will be presented to a different KDC. */
- if (!is_cross_tgs_principal(server->princ) &&
+ if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) &&
+ !is_cross_tgs_principal(server->princ) &&
!only_pac_p(context, enc_tkt_reply->authorization_data)) {
code = make_ad_signedpath(context,
for_user_princ,
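Review bot: The comment above the condition ("No point in including signedpath authdata for a cross-realm TGT ...") now describes only one of three reasons for skipping make_ad_signedpath; please extend it to cover the new KRB5_KDB_NO_AUTH_DATA_REQUIRED case so the rationale stays next to the check, e.g. "Also omit it when the service has no_auth_data_required set, since such services do not do constrained delegation." Placing the flag test first is fine: it is a cheap bit test, and server->princ was already dereferenced by the existing is_cross_tgs_principal call, so no new NULL-dereference risk is introduced.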