On 11/28/2011 10:49 AM, Marko Myllynen wrote:
MIT KDC provides related functionality but as the documentation suggests
it is probably something most people do not want to use.

5.3.3 Adding or Modifying Principals

{-|+}allow_svr
    The “-allow_svr” flag prohibits the issuance of service tickets for
    this principal. “+allow_svr” clears this flag. In effect, “-allow_svr”
    sets the KRB5_KDB_DISALLOW_SVR flag on the principal in the database.
{-|+}allow_tgs_req
    The “-allow_tgs_req” option specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not permitted.
    You will probably never need to use this option. “+allow_tgs_req” clears
    this flag. The default is “+allow_tgs_req”. In effect, “-allow_tgs_req”
    sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.2/doc/krb5-admin.html

Thanks for this. The thing is that the SPN multi-list attribute in Windows determines which TGS can be supplied based on a received TGT. That means that you can quite nicely limit the functionality - for example, if you know your LDAP server will only serve ldap requests and nothing else, in a SPN attribute for this machine you specify 'ldap/host@REALM', making sure it could never be misused for, say, NFSv4.

I am unsure whether you could achieve something like that in MIT using the switches above.
Ondrej
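The MIT-side analogue of the SPN restriction discussed above, as an added example that is not part of the thread or of MIT Kerberos itself: a small audit script that reads the text printed by `kadmin getprinc` for a host's service principals, compares it with a per-host allowlist of services (the role the Windows SPN list plays in the reply), and emits the `modprinc {-|+}allow_svr` commands needed so that only the intended service on that host can still receive service tickets. The `getprinc` sample, the host names, the realm and the allowlist are all constructed for the example; the only assumption about real output is that the "Attributes:" line lists flag names such as DISALLOW_SVR, as the quoted documentation describes.

```python
"""Added example (not from the thread): audit which MIT Kerberos service
principals can still be issued service tickets, the MIT analogue of
restricting a host's SPN list as the reply describes.

Assumptions (mine, not the thread's): the input is the text printed by
`kadmin getprinc` for each principal, whose "Attributes:" line lists flag
names such as DISALLOW_SVR; the allowlist below is a constructed policy."""
import re

# Constructed sample of `getprinc` output for three principals of one host.
# Only the fields this script reads are included; real output has more.
SAMPLE_GETPRINC = """\
Principal: ldap/ldap1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: nfs/ldap1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: host/ldap1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_SVR REQUIRES_PRE_AUTH
Policy: [none]
"""

# Constructed policy: the only service each host is meant to provide,
# playing the role of the Windows SPN list in the reply.
ALLOWED_SERVICES = {
    "ldap1.example.com": {"ldap"},
}


def parse_getprinc(text):
    """Return {principal: set(attribute flags)} from concatenated getprinc output."""
    principals = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # An empty "Attributes:" line yields an empty set.
            principals[current] = set(line.split(":", 1)[1].split())
    return principals


def split_principal(principal):
    """'svc/host@REALM' -> (svc, host); None for principals without an instance."""
    m = re.fullmatch(r"([^/@]+)/([^@]+)@([^@]+)", principal)
    if not m:
        return None
    return m.group(1), m.group(2)


def audit(text, allowed):
    """Return the kadmin commands needed so that, on each host in `allowed`,
    only the allowed services can still receive service tickets.

    Services outside the allowlist that lack DISALLOW_SVR get -allow_svr;
    allowed services that were disabled get +allow_svr back."""
    commands = []
    for principal, attrs in parse_getprinc(text).items():
        parts = split_principal(principal)
        if parts is None or parts[1] not in allowed:
            continue  # user principals and unknown hosts are out of scope
        service, host = parts
        serviceable = "DISALLOW_SVR" not in attrs
        if service not in allowed[host] and serviceable:
            commands.append(f"modprinc -allow_svr {principal}")
        elif service in allowed[host] and not serviceable:
            commands.append(f"modprinc +allow_svr {principal}")
    return commands


if __name__ == "__main__":
    for cmd in audit(SAMPLE_GETPRINC, ALLOWED_SERVICES):
        print(cmd)
```

On the constructed sample this prints one command, disabling service tickets for the unexpected `nfs/` principal; the `host/` principal already carries DISALLOW_SVR and the `ldap/` principal is left serviceable. Note that this only closes the service-ticket side that `-allow_svr` controls; as the quoted documentation says, `-allow_tgs_req` is a separate and rarely needed flag.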