I agree that the proposed fix would cause a 
subtle change of KDC behavior, but like Ken, 
I can't imagine that it would catch anyone 
by surprise.  And the fix is a really
important security feature to any site that needs
to allow user2user, and to require preauthentication.

Text could be added to the
release notes that this fix allows user2user
tickets for principals that are set 
-allow_svr (which was not the case in 
previous KDCs)

I also think the documentation could be 
made more clear. 


Below are four suggested changes 
to doc/admin.texinfo

1)---------------------------
OLD admin.texinfo:
@itemx dup-skey
Enabling this flag allows the principal 
to obtain a session key for
another user, permitting user-to-user 
authentication for this principal.

NEW admin.texinfo:
@itemx dup-skey
Enabling this flag allows the KDC to 
issue a user-to-user service ticket  
for this principal.

2)--------------------
OLD admin.texinfo:
@itemx service
Enabling this flag allows the KDC 
to issue service tickets for this
principal.

NEW admin.texinfo:
Enabling this flag allows the KDC 
to issue service tickets for this
principal that contain text encrypted 
in the principal's key, which may 
be a security issue. 

3) -------------------------
OLD admin.texinfo:
@item @{-|+@}allow_dup_skey
The ``-allow_dup_skey'' option disables 
user-to-user authentication for
this principal by prohibiting this 
principal from obtaining a session
key for another user.  
``+allow_dup_skey'' clears this flag.  
In effect,``-allow_dup_skey'' sets 
the @* KRB5_KDB_DISALLOW_DUP_SKEY flag on the
principal in the database.

NEW admin.texinfo:
@item @{-|+@}allow_dup_skey
The ``-allow_dup_skey'' option disables 
user-to-user authentication for
this principal by prohibiting others 
from obtaining a service ticket encrypted 
in this principal's TGT session key. 
 ``+allow_dup_skey'' clears this flag.  
In effect,``-allow_dup_skey'' sets the 
@* KRB5_KDB_DISALLOW_DUP_SKEY flag on the
principal in the database.


4) -------------------------------------
OLD admin.texinfo:
@item @{-|+@}allow_svr
The ``-allow_svr'' flag prohibits the issuance 
of service tickets for this principal.  
``+allow_svr'' clears this flag.  In effect,
``-allow_svr'' sets the 
@* KRB5_KDB_DISALLOW_SVR flag on the 
principal in the database.

NEW admin.texinfo:
@item @{-|+@}allow_svr
The ``-allow_svr'' flag prohibits the issuance 
of service tickets for this principal 
that contain text encrypted in the
principal's key. Failing to set ``-allow_svr``
on user principals may be a security issue.
``+allow_svr'' clears this flag.  In effect,
``-allow_svr'' sets the 
@* KRB5_KDB_DISALLOW_SVR flag on the 
principal in the database.