After setting an authentication indicator on a service, you cannot use delstr to remove it: delstr reports success, but the stored value is unchanged.

kadmin.local: setstr host/hostname.domain@realm require_auth LOA2
Attribute set for principal "host/hostname.domain@realm"
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2
kadmin.local: delstr host/hostname.domain require_auth
Attribute removed from principal "host/hostname.domain@realm".
kadmin.local: getstrs host/hostname.domain
require_auth: LOA2

krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c never checks whether krbPrincipalAuthInd already exists in the case where it is not being set.

/* Parse the "require_auth" string for auth indicators, adding them to the
 * krbPrincipalAuthInd attribute. */
static krb5_error_code
update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
                         LDAPMod ***mods)
{
    int i = 0;
    krb5_error_code ret;
    char *auth_ind = NULL;
    char *strval[10] = { 0 };
    char *ai, *ai_save = NULL;
    int sv_num = sizeof(strval) / sizeof(*strval);

    ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,
                              &auth_ind);
    if (ret || auth_ind == NULL)
        goto cleanup;

    ai = strtok_r(auth_ind, " ", &ai_save);
    while (ai != NULL && i < sv_num) {
        strval[i++] = ai;
        ai = strtok_r(NULL, " ", &ai_save);
    }

    ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
                                    LDAP_MOD_REPLACE, strval);

cleanup:
    krb5_dbe_free_string(context, auth_ind);
    return ret;
}

Change above to:

    int attr_mask = 0;
    krb5_boolean has_AuthInd;

    if (ret || auth_ind == NULL) {
        /* No krbPrincipalAuthInd to be set - lets check and see if current */
        /* settings in ldap has it set. If so then we need to delete it */
        ret = krb5_get_attributes_mask(context, entry, &attr_mask);
        if (ret == 0){
            /* If current ldap entry has krbPrincipalAuthInd set we need to delete it */
            has_AuthInd = ((attr_mask & KDB_AUTH_IND_ATTR ) != 0);
            if (has_AuthInd) {
                ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",
                                                LDAP_MOD_DELETE, NULL );
            }
        }
        goto cleanup;
    }

Note: as written, this branch also runs when krb5_dbe_get_string() returns an error, and the call to krb5_get_attributes_mask() then overwrites that error in ret; the failure case should return before the delete is considered.