23.8. Enforcing a Specific Authentication Indicator When Obtaining a Ticket from the KDC
To enforce a specific authentication indicator on:
- A host object, execute:
# ipa host-mod host_name --auth-ind=indicator
- A Kerberos service, execute:
# ipa service-mod service/host_name --auth-ind=indicator
To set multiple authentication indicators, specify the --auth-ind parameter multiple times.
Warning
Setting an authentication indicator on the HTTP/IdM_master service causes the IdM master to fail. Additionally, the utilities provided by IdM do not enable you to restore the master.
Example 23.2. Enforcing the pkinit Indicator on a Specific Host
The following command ensures that only users authenticated with a smart card can obtain a service ticket for the host.idm.example.com host:
# ipa host-mod host.idm.example.com --auth-ind=pkinit
The setting above requires that the ticket-granting ticket (TGT) of a user requesting a Kerberos ticket for the host contains the pkinit authentication indicator.
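The following POSIX shell helper is an added example, not part of the original documentation or of IdM itself. It assembles the ipa host-mod or ipa service-mod command line described above, repeating --auth-ind once per indicator, and refuses to build a command for any HTTP/ service because of the warning about the IdM master. The list of known indicator names, the nfs/ service principal used in the usage line, and the helper's own name are assumptions; it prints the command rather than executing it, so the result can be reviewed before it is run against the KDC.

```shell
#!/bin/sh
# Added example: build (but do not run) the ipa command that enforces one or
# more authentication indicators on a host or Kerberos service.
# Assumption (not from the page): the indicator names below are the ones
# accepted by the IdM version you run; adjust the list for your deployment.
KNOWN_INDICATORS="pkinit otp radius hardened"

# is_known_indicator NAME -> returns 0 if NAME is in KNOWN_INDICATORS, else 1
is_known_indicator() {
    for k in $KNOWN_INDICATORS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# build_auth_ind_cmd KIND NAME INDICATOR...
#   KIND is "host" or "service"; NAME is the host name or service principal.
#   Prints the ipa command line on stdout; returns non-zero on bad input.
build_auth_ind_cmd() {
    kind=$1
    name=$2
    shift 2
    case "$kind" in
        host)    sub="host-mod" ;;
        service) sub="service-mod" ;;
        *) echo "unknown object kind: $kind" >&2; return 2 ;;
    esac
    # Guard from the warning above: an indicator on the HTTP service of an
    # IdM master breaks the master and IdM tools cannot undo it.
    case "$kind/$name" in
        service/HTTP/*) echo "refusing to set an indicator on $name" >&2; return 3 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one indicator is required" >&2; return 2; }
    cmd="ipa $sub $name"
    for ind in "$@"; do
        if ! is_known_indicator "$ind"; then
            echo "unknown indicator: $ind" >&2
            return 2
        fi
        # --auth-ind is given once per indicator, as the text describes
        cmd="$cmd --auth-ind=$ind"
    done
    printf '%s\n' "$cmd"
}

# Usage: print the command for the smart-card-only host from Example 23.2
# and one for a constructed nfs/ service that requires pkinit or otp.
build_auth_ind_cmd host host.idm.example.com pkinit
build_auth_ind_cmd service nfs/host.idm.example.com pkinit otp
```

Pipe the printed line into a shell with Kerberos credentials for an IdM administrator only after checking that the principal is not the HTTP service of a master; ipa host-show and ipa service-show will then display the indicators that were applied.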