After setting an authentication indicator on a service. You cannot use delstr to remove it.

 

    kadmin.local:  setstr host/hostname.domain@realm require_auth LOA2

    Attribute set for principal " host/hostname.domain@realm "

 

    kadmin.local:  getstrs host/hostname.domain 

    require_auth: LOA2

    

    kadmin.local:  delstr host/hostname.domain require_auth

    Attribute removed from principal "host/hostname.domain@realm".

    

    kadmin.local:   getstrs host/hostname.domain 

    require_auth: LOA2

 

 

krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c nevers checks to see if krbPrincipalAuthInd exists, in the case where it’s not being set.

 

/* Parse the "require_auth" string for auth indicators, adding them to the

 * krbPrincipalAuthInd attribute. */

static krb5_error_code

update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,

                         LDAPMod ***mods)

{

    int i = 0;

    krb5_error_code ret;

    char *auth_ind = NULL;

    char *strval[10] = { 0 };

    char *ai, *ai_save = NULL;

    int sv_num = sizeof(strval) / sizeof(*strval);

 

    ret = krb5_dbe_get_string(context, entry, KRB5_KDB_SK_REQUIRE_AUTH,

                              &auth_ind);

    if (ret || auth_ind == NULL)

 

        goto cleanup;

 

    ai = strtok_r(auth_ind, " ", &ai_save);

    while (ai != NULL && i < sv_num) {

        strval[i++] = ai;

        ai = strtok_r(NULL, " ", &ai_save);

    }

 

    ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",

                                    LDAP_MOD_REPLACE, strval);

 

cleanup:

    krb5_dbe_free_string(context, auth_ind);

    return ret;

}

 

Change above to :

int attr_mask = 0;

                krb5_boolean has_AuthInd;

 

   if (ret || auth_ind == NULL)

    {

        /* No krbPrincipalAuthInd to be set - lets check and see if current */

        /* settings in ldap has it set. If so then we need to delete it */

        ret = krb5_get_attributes_mask(context, entry, &attr_mask);

        if (ret == 0){

            /* If current ldap entry has krbPrincipalAuthInd set we need to delete it */

            has_AuthInd = ((attr_mask & KDB_AUTH_IND_ATTR ) != 0);

            if (has_AuthInd) {

                ret = krb5_add_str_mem_ldap_mod(mods, "krbPrincipalAuthInd",

                                               LDAP_MOD_DELETE,

                                               NULL );

            }

        }

        goto cleanup;

    }