hdb: add no-auth-data-reqd flag to HDB entry

Add a new flag, no-auth-data-reqd, to the HDB entry which indicates that a PAC
should not be included on issued service tickets.

lib/hdb/hdb.asn1

@@ -54,6 +54,7 @@ HDBFlags ::= BIT STRING {
 	virtual-keys(20),		-- entry     stored; keys mostly derived
 	virtual(21),			-- entry not stored; keys always derived
 	synthetic(22),			-- entry not stored; for PKINIT
+	no-auth-data-reqd(23),		-- omit PAC from service tickets
 
 	force-canonicalize(30),		-- force the KDC to return the canonical
 					-- principal irrespective of the setting

lib/kadm5/admin.h

@@ -77,6 +77,7 @@
 #define KRB5_KDB_VIRTUAL_KEYS           0x00200000 /* MIT doesn't have this */
 #define KRB5_KDB_VIRTUAL                0x00400000 /* MIT doesn't have this */
 #define KRB5_KDB_DISALLOW_CLIENT        0x00800000 /* MIT doesn't have this */
+#define KRB5_KDB_NO_AUTH_DATA_REQUIRED	0x01000000 /* 0x00400000 in MIT */
 
 /*
  * MIT has:

lib/kadm5/ent_setup.c

@@ -63,6 +63,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
     flags->materialize =       !!(attr & KRB5_KDB_MATERIALIZE);
     flags->virtual_keys =      !!(attr & KRB5_KDB_VIRTUAL_KEYS);
     flags->virtual =           !!(attr & KRB5_KDB_VIRTUAL);
+    flags->no_auth_data_reqd = !!(attr & KRB5_KDB_NO_AUTH_DATA_REQUIRED);
 }
 
 /*

lib/kadm5/get_s.c

@@ -185,6 +185,7 @@ kadm5_s_get_principal(void *server_handle,
 	out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
 	out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
 	out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
+	out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
     }
     if(mask & KADM5_MAX_LIFE) {
 	if(ent.entry.max_life)