From cfd798faaff791dcbc7b8a831e9b5f3f397440f8 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Sun, 4 Jun 2023 22:55:13 -0500
Subject: [PATCH] kadmin: Add auth-data-reqd attribute
---
 kadmin/kadmin.1 | 62 ++++++++++++++++++++++++++++++++++---------------
 kadmin/util.c | 1 +
 2 files changed, 44 insertions(+), 19 deletions(-)
diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1
index 42ccad739..8b9f75e70 100644
--- a/kadmin/kadmin.1
+++ b/kadmin/kadmin.1
@@ -473,25 +473,49 @@ The only policy supported by Heimdal is
 If a krb5 config file is given, it will be saved in the entry.
 .Pp
 Possible attributes are:
-.Li new-princ ,
-.Li support-desmd5 ,
-.Li pwchange-service ,
-.Li disallow-client ,
-.Li disallow-svr ,
-.Li requires-pw-change ,
-.Li requires-hw-auth ,
-.Li requires-pre-auth ,
-.Li allow-digest ,
-.Li trusted-for-delegation ,
-.Li ok-as-delegate ,
-.Li disallow-all-tix ,
-.Li disallow-dup-skey ,
-.Li disallow-proxiable ,
-.Li disallow-renewable ,
-.Li disallow-tgt-based ,
-.Li disallow-forwardable ,
-.Li disallow-postdated ,
-.Li no-auth-data-reqd
+.Bl -tag -width Ds
+.It new-princ
+not used
+.It support-desmd5
+not used
+.It pwchange-service
+for kadmin/admin style service principals
+.It requires-pw-change
+force the user to change their password
+.It requires-hw-auth
+.It requires-pre-auth
+.It allow-digest
+allow NTLM for this user in the KDC's digest service
+.It trusted-for-delegation
+.It ok-as-delegate
+allow forwarding of tickets to this service principal
+.It disallow-client
+disallow issuance of tickets for this principal as a client
+.It disallow-svr
+disallow issuance of tickets for this principal as a server
+.It disallow-all-tix
+disallow issuance of tickets for this principal as a client or
+server
+.It disallow-dup-skey
+not used
+.It disallow-proxiable
+disallow proxiable tickets
+.It disallow-renewable ,
+disallow reneable tickets
+.It disallow-tgt-based ,
+require initial tickets for this service, such as password
+changing services
+.It disallow-forwardable
+disallow forwardable tickets
+.It disallow-postdated
+disallow postdated tickets
+.It no-auth-data-reqd
+do not include a PAC in tickets issued to this service
+.It auth-data-reqd
+do include a PAC in tickets issued to this service even if the
+.Li disable_pac
+KDC configuration parameter is set to true
+.El
 .Pp
 Attributes may be negated with a "-", e.g.,
 .Pp
diff --git a/kadmin/util.c b/kadmin/util.c
index fda1e982a..6b83bb7a2 100644
--- a/kadmin/util.c
+++ b/kadmin/util.c
@@ -47,6 +47,7 @@ get_response(const char *prompt, const char *def, char *buf, size_t len);
 */
 struct units kdb_attrs[] = {
+ { "auth-data-reqd", KRB5_KDB_AUTH_DATA_REQUIRED },
 { "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
 { "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
 { "virtual", KRB5_KDB_VIRTUAL },