Differentiate the ServiceTicket issued from Kinit vs PKinit

[Ken Hornstein]

>Never mind. I assume the flags is inside the ticket.

Yeah, exactly.  The KDC sets the flags, so you can trust their validity.

The one big issue is that if you're programming the GSSAPI, there's
not a standardized GSSAPI function you can call to retrieve those flags,
which is unfortunate; for MIT Kerberos, there is a function called
gss_krb5_get_ticket_flags() you can use and it looks like the same thing
exists for Heimdal.

--Ken