This appears to be the minimum needed to be able to set the OK-AS-DELEGATE flag on an entry using kadmin, and to have the flag propagate back to clients from the KDC. Note: this affects the KDB storage format, so this MUST NOT be used until it's in upstream's tree.
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo (revision 19683)
+++ doc/admin.texinfo (working copy)
@@ -2758,6 +2758,13 @@
 @samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears this flag.
+@itemx @{-|+@}ok_as_delegate
+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
 @itemx @{-|+@}allow_svr @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
Index: src/include/kdb.h
===================================================================
--- src/include/kdb.h (revision 19683)
+++ src/include/kdb.h (working copy)
@@ -79,6 +79,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
 #define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE 0x00000001
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c (revision 19683)
+++ src/kdc/do_tgs_req.c (working copy)
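Review bot: The new `KRB5_KDB_OK_AS_DELEGATE` define in the kdb.h hunk carries no comment, although its value is stored in the principal's attributes and is consumed by three other places in this same patch (the `isflagset` checks in the KDC, the `prflags[]` string table in kadmin.c, and the flag table in str_conv.c). A comment such as `/* service may be advertised to clients as trusted for delegation (TKT_FLG_OK_AS_DELEGATE); keep kadmin.c prflags[] and kadm5 str_conv.c in step */` would tie those together and record the on-disk-format caveat the patch description raises. The `prflags[]` table appears to be indexed by bit position, so any later renumbering of this bit upstream would have to be mirrored there as well.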
@@ -533,6 +533,10 @@
 goto cleanup; }
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
 ticket_reply.enc_part2 = &enc_tkt_reply;
 /*
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 19683)
+++ src/kdc/do_as_req.c (working copy)
@@ -257,6 +257,10 @@
 enc_tkt_reply.caddrs = request->addresses;
 enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
 /*
 * Check the preauthentication if it is there.
 */
Index: src/kadmin/cli/kadmin.c
===================================================================
--- src/kadmin/cli/kadmin.c (revision 19683)
+++ src/kadmin/cli/kadmin.c (working copy)
@@ -65,7 +65,8 @@
 {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
 {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
 };
 static char *prflags[] = {
@@ -85,6 +86,7 @@
 "PWCHANGE_SERVICE", /* 0x00002000 */
 "SUPPORT_DESMD5", /* 0x00004000 */
 "NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE" /* 0x00010000 */
 };
 char *getenv();
@@ -1101,6 +1103,7 @@
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n");
 }
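Review bot: The added block in do_tgs_req.c sets `TKT_FLG_OK_AS_DELEGATE` purely from `server.attributes` with no comment, and the identical unexplained block is added in the do_as_req.c hunk; a one-line comment at both sites, such as `/* Admin marked this service trusted for delegation (KRB5_KDB_OK_AS_DELEGATE); relay that to the client as a ticket flag. */`, would make clear that the KDC is relaying an administrative trust decision that clients act on when deciding to forward credentials. If `server` on the TGS path can also be a krbtgt entry (cross-realm requests), setting the attribute on a krbtgt principal would flag every ticket issued for that realm, which is worth a sentence in the kadmin documentation if intended. The enclosing functions start and end outside both hunks, so whether `enc_tkt_reply.flags` is later overwritten for renewed or validated tickets cannot be confirmed from here.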
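Review bot: Both new table rows in kadmin.c end without a trailing comma, which is exactly what forced the `-{"support_desmd5", ...}` / `+{"support_desmd5", ...},` churn in the same hunk; writing `{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },` and `"OK_AS_DELEGATE", /* 0x00010000 */` lets the next flag be appended without touching these lines. The `14` length field matches `strlen("ok_as_delegate")`, and the `0` sense field matches the non-inverted neighbours, so the rows themselves look consistent with the existing entries.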
@@ -1117,6 +1120,7 @@
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n"
 );
Index: src/kadmin/cli/kadmin.M
===================================================================
--- src/kadmin/cli/kadmin.M (revision 19683)
+++ src/kadmin/cli/kadmin.M (working copy)
@@ -327,6 +327,16 @@
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
 {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
 .B -allow_svr
 prohibits the issuance of service tickets for this principal. (Sets the
Index: src/lib/kadm5/str_conv.c
===================================================================
--- src/lib/kadm5/str_conv.c (revision 19683)
+++ src/lib/kadm5/str_conv.c (working copy)
@@ -73,6 +73,7 @@
 static const char flags_tickets_in[] = "allow-tickets";
 static const char flags_preauth_in[] = "preauth";
 static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
 static const char flags_pwchange_in[] = "pwchange";
 static const char flags_service_in[] = "service";
 static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
 static const char flags_tickets_out[] = "All Tickets Disallowed";
 static const char flags_preauth_out[] = "Preauthorization required";
 static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
 static const char flags_pwchange_out[] = "Password Change required";
 static const char flags_service_out[] = "Service Disabled";
 static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
 { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
 { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
 { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
 { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
 { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
 { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
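Review bot: The new `KRB5_KDB_OK_AS_DELEGATE` row is inserted between the `REQUIRES_HW_AUTH` and `REQUIRES_PWCHANGE` rows, while the surrounding rows are in ascending bit order (`DISALLOW_ALL_TIX`, `REQUIRES_PRE_AUTH`, `REQUIRES_HW_AUTH`, `REQUIRES_PWCHANGE`, `DISALLOW_SVR`, `PWCHANGE_SERVICE`); since `0x00010000` is the highest bit in the table, the row belongs after the `PWCHANGE_SERVICE` entry. If the string conversion walks this table in order, the current placement would print "OK as Delegate" out of sequence relative to the kadmin.c `prflags[]` output, which lists it last. The table's closing line and the function that consumes it are outside the hunk, so this is inferred from the visible rows only.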