MIT KDC provides related functionality but, as the documentation suggests,
it is probably something most people do not want to use.
5.3.3 Adding or Modifying Principals
{-|+}allow_svr
The “-allow_svr” flag prohibits the issuance of service tickets for
this principal. “+allow_svr” clears this flag. In effect, “-allow_svr”
sets the KRB5_KDB_DISALLOW_SVR flag on the principal in the database.
{-|+}allow_tgs_req
The “-allow_tgs_req” option specifies that a Ticket-Granting Service
(TGS) request for a service ticket for this principal is not permitted.
You will probably never need to use this option. “+allow_tgs_req” clears
this flag. The default is “+allow_tgs_req”. In effect, “-allow_tgs_req”
sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.
http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.2/doc/krb5-admin.html
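The two flags quoted above are easiest to reason about when you can see them on real principal records. The following is an added example (not code from the thread or from MIT krb5): it parses the output of kadmin's `getprinc` (the "Principal:" and "Attributes:" lines), maps the attribute names back to the KRB5_KDB_* bits the documentation mentions, and reports which principals the KDC would still issue service tickets for. The `getprinc` dump is constructed for the example, and the audit policy it applies (user principals with no `/` component should carry DISALLOW_SVR, since they never act as a service) is the example's own assumption, not something the documentation prescribes.

```python
"""Audit which MIT krb5 principals can be the target of a service ticket.

Added example, not part of the original thread or of MIT krb5. The
getprinc dump below is constructed; the audit policy is an assumption.
"""

# Flag bits as defined in krb5's kdb.h (KRB5_KDB_* constants).
KRB5_KDB_DISALLOW_TGT_BASED = 0x00000004   # set by "modprinc -allow_tgs_req"
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_DISALLOW_SVR = 0x00001000         # set by "modprinc -allow_svr"
KRB5_KDB_PWCHANGE_SERVICE = 0x00002000

# Names as kadmin prints them on the "Attributes:" line of getprinc.
ATTR_BITS = {
    "DISALLOW_TGT_BASED": KRB5_KDB_DISALLOW_TGT_BASED,
    "REQUIRES_PRE_AUTH": KRB5_KDB_REQUIRES_PRE_AUTH,
    "DISALLOW_SVR": KRB5_KDB_DISALLOW_SVR,
    "PWCHANGE_SERVICE": KRB5_KDB_PWCHANGE_SERVICE,
}

# Constructed output of `kadmin.local -q "getprinc <name>"` for four
# principals, abridged to the lines this example actually reads.
SAMPLE_DUMP = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: ldap/ldap1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: nfs/ldap1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_SVR REQUIRES_PRE_AUTH
Policy: [none]
Principal: kadmin/changepw@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_TGT_BASED PWCHANGE_SERVICE
Policy: [none]
"""


def parse_getprinc(dump):
    """Return {principal: set(attribute names)} from concatenated getprinc output."""
    records = {}
    current = None
    for line in dump.splitlines():
        if line.startswith("Principal: "):
            current = line[len("Principal: "):].strip()
            records[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # An empty "Attributes:" line yields an empty set.
            records[current] = set(line[len("Attributes:"):].split())
    return records


def attribute_mask(attrs):
    """Rebuild the KRB5_KDB_* bitmask; unknown names are ignored."""
    mask = 0
    for name in attrs:
        mask |= ATTR_BITS.get(name, 0)
    return mask


def service_ticket_allowed(attrs):
    """KDC will issue service tickets for this principal (no DISALLOW_SVR)."""
    return "DISALLOW_SVR" not in attrs


def tgt_based_request_allowed(attrs):
    """A TGS-REQ authenticated with a TGT may name this principal as the
    service (no DISALLOW_TGT_BASED); otherwise a fresh AS-REQ is needed."""
    return "DISALLOW_TGT_BASED" not in attrs


def is_service_principal(name):
    """Service principals have an instance component: 'svc/host@REALM'."""
    return "/" in name.split("@", 1)[0]


def audit(records):
    """Policy (assumption): user principals should never be service-ticket
    targets. Return the kadmin commands that would enforce that."""
    fixes = []
    for name, attrs in sorted(records.items()):
        if not is_service_principal(name) and service_ticket_allowed(attrs):
            fixes.append(f"modprinc -allow_svr {name}")
    return fixes


if __name__ == "__main__":
    recs = parse_getprinc(SAMPLE_DUMP)
    for name, attrs in sorted(recs.items()):
        print(f"{name:45} mask=0x{attribute_mask(attrs):04x} "
              f"svr={service_ticket_allowed(attrs)} "
              f"tgt_based={tgt_based_request_allowed(attrs)}")
    for cmd in audit(recs):
        print("kadmin.local -q", repr(cmd))
```

Against a real KDC, feed the script the concatenated `getprinc` output for every name returned by `kadmin.local -q listprincs`. In the constructed dump the `nfs/ldap1.example.com` principal carries DISALLOW_SVR, so the KDC would refuse to mint NFS tickets for that host even though the principal exists, and `alice` is the one record the audit flags because a plain user principal is still a valid service-ticket target until `-allow_svr` is set on it.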
Thanks for this. The thing is that the SPN multi-valued attribute in
Windows determines which TGS can be supplied based on a received TGT.
That means that you can quite nicely limit the functionality: for
example, if you know your LDAP server will only serve LDAP requests
and nothing else, in the SPN attribute for this machine you specify
'ldap/host@REALM', making sure it could never be misused for, say,
NFSv4.