diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1 index c03e0e95c..401b6a9f6 100644 --- a/kadmin/kadmin.1 +++ b/kadmin/kadmin.1 @@ -423,7 +423,8 @@ Possible attributes are: .Li disallow-renewable , .Li disallow-tgt-based , .Li disallow-forwardable , -.Li disallow-postdated +.Li disallow-postdated , +.Li no-auth-data-reqd .Pp Attributes may be negated with a "-", e.g., .Pp diff --git a/kadmin/util.c b/kadmin/util.c index 7a999d358..720d9d3b7 100644 --- a/kadmin/util.c +++ b/kadmin/util.c @@ -69,6 +69,7 @@ struct units kdb_attrs[] = { { "disallow-tgt-based", KRB5_KDB_DISALLOW_TGT_BASED }, { "disallow-forwardable", KRB5_KDB_DISALLOW_FORWARDABLE }, { "disallow-postdated", KRB5_KDB_DISALLOW_POSTDATED }, + { "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED }, { NULL, 0 } }; diff --git a/lib/hdb/hdb.asn1 b/lib/hdb/hdb.asn1 index 2011f7ab2..f6490783a 100644 --- a/lib/hdb/hdb.asn1 +++ b/lib/hdb/hdb.asn1 @@ -54,6 +54,7 @@ HDBFlags ::= BIT STRING { virtual-keys(20), -- entry stored; keys mostly derived virtual(21), -- entry not stored; keys always derived synthetic(22), -- entry not stored; for PKINIT + no-auth-data-reqd(23), -- omit PAC from service tickets force-canonicalize(30), -- force the KDC to return the canonical -- principal irrespective of the setting diff --git a/lib/kadm5/admin.h b/lib/kadm5/admin.h index d466130ed..4f8ac22d9 100644 --- a/lib/kadm5/admin.h +++ b/lib/kadm5/admin.h @@ -77,6 +77,7 @@ #define KRB5_KDB_VIRTUAL_KEYS 0x00200000 /* MIT doesn't have this */ #define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */ #define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */ +#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x01000000 /* 0x00400000 in MIT */ /* * MIT has: diff --git a/lib/kadm5/ent_setup.c b/lib/kadm5/ent_setup.c index bb3ede4a3..677bda6d8 100644 --- a/lib/kadm5/ent_setup.c +++ b/lib/kadm5/ent_setup.c 
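Review bot: In the lib/kadm5/admin.h hunk, the MIT value named in the new define's comment, 0x00400000, is already KRB5_KDB_VIRTUAL two lines above, so the two implementations assign different meanings to the same attribute bit. If the kadm5 attribute mask is carried over the kadmin protocol without translation, an MIT client requesting no-auth-data-required would mark the principal `virtual` on a Heimdal server, and a Heimdal client would set an unrelated bit on an MIT server; that consequence is worth stating at the definition or handling at the protocol boundary rather than leaving to the reader. I'd expand the trailing comment to `/* 0x00400000 in MIT, which is KRB5_KDB_VIRTUAL here; not wire-compatible */`.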
@@ -63,6 +63,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags) flags->materialize = !!(attr & KRB5_KDB_MATERIALIZE); flags->virtual_keys = !!(attr & KRB5_KDB_VIRTUAL_KEYS); flags->virtual = !!(attr & KRB5_KDB_VIRTUAL); + flags->no_auth_data_reqd = !!(attr & KRB5_KDB_NO_AUTH_DATA_REQUIRED); } /* diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c index f4a9835bd..56aec67a2 100644 --- a/lib/kadm5/get_s.c +++ b/lib/kadm5/get_s.c @@ -185,6 +185,7 @@ kadm5_s_get_principal(void *server_handle, out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0; out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0; out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0; + out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0; } if(mask & KADM5_MAX_LIFE) { if(ent.entry.max_life) diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in index 894af0549..75626f6ce 100644 --- a/tests/kdc/check-kdc.in +++ b/tests/kdc/check-kdc.in @@ -77,6 +77,7 @@ kpasswdd="${kpasswdd} --addresses=localhost -p $pwport" server=host/datan.test.h5l.se server2=host/computer.example.com server3=host/refer-me-out.test.h5l.se +server4=host/no-auth-data-reqd.test.h5l.se serverip=host/10.11.12.13 serveripname=host/ip.test.h5l.org serveripname2=host/10.11.12.14 @@ -246,6 +247,10 @@ ${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} ${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 +${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1 +${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1 +${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1 + ${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} 
@@ -525,6 +530,20 @@ for a in $enctypes; do
 done
 ${kdestroy}
 
+echo "Getting client initial tickets with PAC"; > messages.log
+${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+ echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
+ ${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
+ { ec=1 ; eval "${testfailed}"; }
+ ${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+ ${kdestroy} --credential=${server4}@${R2}
+done
+${kdestroy}
+
 echo "Getting client authenticated anonymous initial tickets"; > messages.log
 ${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
 { ec=1 ; eval "${testfailed}"; }
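Review bot: The negative check on `--verify-pac` is satisfied by any non-zero exit of test_ap_req, not only by a missing PAC; the following `--no-verify-pac ... ||` line does pin down that the AP-REQ itself verifies, so the pair is sound, but the loop never confirms that the same `--request-pac` session still yields a PAC for a principal without the new flag. A KDC regression that dropped PACs from every service ticket would pass this block unnoticed, unless another section already asserts `--verify-pac` success after a `--request-pac` kinit. If not, I'd add one positive pair per iteration, e.g. `${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }` followed by `${test_ap_req} --verify-pac ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }`, assuming ${server}'s keys are present in ${keytab} at this point of the script.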