Extending certauth plugin to set ticket flags?

[Greg Hudson]

On 2/21/20 1:11 PM, Ken Hornstein wrote:
> Well, I will defer to your knowledge of the KDC AS-REQ processing path,
> and "perfect is the enemy of the good" and all that.  If you are fine
> with a designated authorize_cert return code, then so am I.

Does your custom PKINIT module set the PA_HARDWARE flag in
pkinit_server_get_flags()?  That would be necessary to make PKINIT work
with client principals flagged with +requires_hwauth, but perhaps you're
not doing that.