freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Install - Replica preparation - OTP #1063

Open taniahagan opened 1 year ago

taniahagan commented 1 year ago

Hi,

When attempting to use the ipareplica role, I see the error with the task Install - Replica preparation:

kvno: KDC policy rejects request while getting credentials for host

Looking at the master server, I see: HIGHER_AUTHENTICATION_REQUIRED: Required auth indicators not present in ticket: otp

Is there a way to grant this higher auth?

Many Thanks, Tania

abbra commented 1 year ago

No, and this is not supported for management operations, as explained in https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html#authentication-indicators-and-freeipa-services

taniahagan commented 1 year ago

Thank you for the response.

When I looked at the user I was using for auth (admin), it hasn't got OTP enabled via ticking "Two factor authentication (password + OTP)". Any idea why it's asking for it in the first place? I do have OTP enabled for other users.

abbra commented 1 year ago

KDC policy rejection happened because you have the otp authentication indicator set in the target service principal, not on the user principal. Check the service principal where the KDC complains about the policy rejection. It may well be that a wrong Kerberos ticket policy was applied to this principal, or someone modified a default Kerberos ticket policy to enforce otp. The latter one applies to every principal, not just to users.

In general, you need to carefully design your application of the Kerberos ticket policies. It is too easy to shoot yourself in the foot.
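As an added example (not from the ansible-freeipa project or either commenter), the following POSIX shell helper audits which Kerberos principals carry an authentication indicator, by parsing `ipa service-find --all` / `ipa host-find --all` style output; the record layout and the "Principal name:" / "Authentication Indicators:" labels are assumed from the FreeIPA CLI, and the sample output is constructed.

```shell
#!/bin/sh
# principals_with_auth_ind: read FreeIPA CLI "find --all" output on stdin and
# print "<principal> <indicators>" for every entry that has an authentication
# indicator set (these are the entries the KDC will reject tickets for unless
# the client authenticated with that indicator, e.g. otp).
# Assumed format: one attribute per line, indented two spaces, records
# separated by blank lines, multi-valued attributes joined with ", ".
principals_with_auth_ind() {
  awk '
    /^  Principal name:/ {
      sub(/^  Principal name: */, ""); princ = $0
    }
    /^  Authentication Indicators:/ {
      sub(/^  Authentication Indicators: */, ""); ind = $0
    }
    /^[[:space:]]*$/ {
      # end of record: report only principals that carry indicators
      if (princ != "" && ind != "") print princ, ind
      princ = ""; ind = ""
    }
    END {
      # last record is followed by the "Number of entries" footer, not a blank
      if (princ != "" && ind != "") print princ, ind
    }
  '
}

# Constructed sample resembling `ipa service-find --all` (not real output).
SAMPLE='--------------------
3 services matched
--------------------
  Principal name: HTTP/ipa.example.test@EXAMPLE.TEST
  Authentication Indicators: otp
  Keytab: True

  Principal name: ldap/ipa.example.test@EXAMPLE.TEST
  Keytab: True

  Principal name: cifs/fs.example.test@EXAMPLE.TEST
  Authentication Indicators: otp, radius
  Keytab: False
----------------------------
Number of entries returned 3
----------------------------'

# Stand-alone run over the constructed sample; on a real server pipe
# `ipa service-find --all` or `ipa host-find --all` into the function instead.
printf '%s\n' "$SAMPLE" | principals_with_auth_ind
```

Any principal listed here that the replica installer must obtain a ticket for (the one named in the KDC's HIGHER_AUTHENTICATION_REQUIRED log line) is where the indicator has to be reviewed.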

taniahagan commented 1 year ago

Thank you, I will check that. Unfortunately I didn't set it up, but we only have a small selection of users set up with OTP, so hopefully I'll be able to modify.