From 7425e9b69566c241c54eb2686fb37f216122423f Mon Sep 17 00:00:00 2001 From: Ben Kaduk Date: Thu, 30 May 2013 18:49:36 -0400 Subject: Document preauth flags for service principals These flags are overloaded to mean different things for clients and servers; previously we only documented the client behavior. ticket: 7653 (new) tags: pullup target_version: 1.11.4 --- doc/admin/admin_commands/kadmin_local.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'doc/admin') diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 3072eec..39351df 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -242,12 +242,18 @@ Options: {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this - flag. + flag. When **+requires_preauth** is set on a service principal, + the KDC will only issue service tickets for that service principal + if the client's initial authentication was performed using + preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. - **-requires_hwauth** clears this flag. + **-requires_hwauth** clears this flag. When **+requires_hwauth** is + set on a service principal, the KDC will only issue service tickets + for that service principal if the client's initial authentication was + performed using a hardware device to preauthenticate. {-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets -- cgit v1.1
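Review bot: In the **requires_preauth** and **requires_hwauth** entries, the added sentences give the service-principal meaning but do not say how it relates to the client meaning in the sentence just before them, so a reader cannot tell whether a principal used in both roles (one that runs kinit and also has service tickets issued for it) is subject to both restrictions once the flag is set. Suggest making the split explicit, for example by opening the existing sentence with "On a client principal," so it reads in parallel with "When **+requires_preauth** is set on a service principal,". A smaller style point in the same two entries: the new sentences are worded differently ("performed using preauthentication" versus "performed using a hardware device to preauthenticate"); parallel phrasing would make it clearer that the second is the hardware-specific form of the first.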