Adding new principal attributes?

Luke Howard lukeh at
Thu Oct 6 02:23:45 EDT 2011

On 06/10/2011, at 5:15 PM, Nico Williams wrote:

> I have a need for a principal attribute that indicates that the given
> principal cannot handle large tickets, which should then cause the TGS
> to strip out large non-critical authorization-data (e.g., the PAC).

You could use KRB5_KDB_NO_AUTH_DATA_REQUIRED. See handle_kdb_authdata:

     * Check whether KDC issued authorization data should be included.
     * A server can explicitly disable the inclusion of authorization
     * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its
     * principal entry. Otherwise authorization data will be included
     * if it was present in the TGT, the client is from another realm
     * or protocol transition/constrained delegation was used, or, in
     * the AS-REQ case, if the pre-auth data indicated the PAC should
     * be present.
    if (tgs_req) {
        assert(enc_tkt_request != NULL);

        if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED))
            return 0;

        if (enc_tkt_request->authorization_data == NULL &&
            !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U))
            return 0;

        assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime);
    } else {
        if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC))
            return 0;

-- Luke

More information about the krbdev mailing list