authentication indicators and S4U2Self

[Greg Hudson]

On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
> Together with Isaac we were looking into cross-realm S4U2Self
> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
> to issue S4U2Self service ticket to a service protected with
> an authentication indicator.

I think we can just omit the indicator check for S4U2Self requests.
Restricting how strong the initial ticket acquisition must have been to
access a service has nothing to do with the service fetching tickets for
itself.