Alexander Bokovoy via FreeIPA-users wrote: > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: >> Hi there, >> >> When I try and re-enable TOTP for a host auth indicator I receive >> "invalid 'krbprincipalauthind': authentication indicators not allowed in >> service "host"" >> Running FreeIPA 4.9.10 on Rocky. >> >> I'm having some issues working out the current methods of OTP enforcement >> for SSH interactive as a login method. I've had a look through >> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html >> >> but am still stuck. >> >> I previously had a host configured (on its own details page) as requiring >> password and otp as auth indicators. This was a little buggy in that the >> GUI didn't display it after setting it, but did require an OTP on logging >> in with SSH and was reflected byt the krbPrincipalAuthInd attr being set. >> [image: image.png] >> I cleared this for the host for $reasons - resulting in the attrs being >> removed, and now if I try and re-enable I get: >> >> [image: image.png] >> >> Following that clue and those from other posts, I've been looking at the >> services auth indicators as where to set instead, but as ssh or login >> don't >> have services I can't work out how I am supposed to achieve this now? > > Is this system an IPA server or a client? For IPA servers we prevent > adding authentication indicators for the reasons described in the > workshop chapter you reference. The check is done by seeing if this > server's hostname is returned by 'ipa server-find' command.
Per ticket https://pagure.io/freeipa/issue/8206 rob > > You can modify 'krbprincipalauthind' LDAP attribute directly with > ldapmodify to unstuck. > > > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
