#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
#ifndef KRB5_KDB5_EXT__
#define KRB5_KDB5_EXT__
-/* Can be delegated as in TicketFlags */
-#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
/* Allowed to use protocol transition */
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
/* Service does not require authorization data */
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
};
char *getenv();
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
- if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
- !is_referral) {
- /* Ensure that we are not returning a referral */
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
- }
/*
* Fix header_ticket's starttime; if it's zero, fill in the
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },