Open taniahagan opened 1 year ago
No, and this is not supported for management operations, as explained in https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html#authentication-indicators-and-freeipa-services
Thank you for the response.
When I looked, the user I was using for auth (admin) hasn't got OTP enabled via ticking "Two factor authentication (password + OTP)"; any idea why it's asking for it in the first place? I do have OTP enabled for other users.
KDC policy rejection happened because you have the otp authentication indicator set in the target service principal, not on the user principal. Check the service principal where the KDC complains about the policy rejection. It may well be that a wrong Kerberos ticket policy was applied to this principal, or someone modified a default Kerberos ticket policy to enforce OTP. The latter applies to every principal, not just to users.
In general, you need to design your application of the Kerberos ticket policies carefully. It is too easy to shoot yourself in the foot.
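One way to run the check suggested above, as an added example that is not part of the original thread: it reads the `krbprincipalauthind` attribute from `ipa host-show`/`ipa service-show --raw --all` output and reports which principals require the otp indicator (assumes the FreeIPA CLI and a valid admin ticket; principal names are placeholders).

```shell
#!/bin/sh
# Added example, not from the issue thread. Locate principals carrying the
# 'otp' authentication indicator that makes the KDC answer
# HIGHER_AUTHENTICATION_REQUIRED for tickets obtained without OTP.
# Assumes: FreeIPA CLI installed, admin ticket present (kinit admin).

# Extract authentication indicators from `ipa <type>-show --raw --all`
# output on stdin. Multi-valued attributes print one line per value,
# so the values are joined with single spaces ("otp pkinit").
auth_indicators() {
    sed -n 's/^ *krbprincipalauthind: *//p' | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the space-separated indicator list contains 'otp'.
requires_otp() {
    echo " $1 " | grep -q ' otp '
}

# Query one principal and print whether it enforces OTP.
# $1 = object type (host|service|user), $2 = principal name (placeholder).
audit_principal() {
    ind=$(ipa "$1-show" --raw --all "$2" | auth_indicators)
    if requires_otp "$ind"; then
        echo "$2: requires otp (indicators: $ind)"
    else
        echo "$2: no otp requirement (indicators: ${ind:-none})"
    fi
}

# Example usage (placeholder names; the replica error above names a host principal):
#   audit_principal host replica.example.test
#   audit_principal service HTTP/replica.example.test
#   audit_principal user admin
```

Once the offending principal is found, its indicators can be edited with the corresponding `ipa host-mod`/`ipa service-mod --auth-ind` option.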
Thank you, I will check that. Unfortunately I didn't set it up, but we only have a small selection of users set up with OTP, so hopefully I'll be able to modify it.
Hi,
When attempting to use the ipareplica role, I see the error with the task Install - Replica preparation:
kvno: KDC policy rejects request while getting credentials for host
Looking at the master server, I see: HIGHER_AUTHENTICATION_REQUIRED: Required auth indicators not present in ticket: otp
Is there a way to grant this higher auth?
Many Thanks, Tania