#3403 [RFE] Authorization data type (PAC) cannot be changed for hosts
Opened 11 years ago by sbose. Modified 7 years ago

In #2184 support was added to change the type of the authorization data attached to a Kerberos ticket. Currently this means adding a PAC or no authorization data. But in #2184 this support was only added for principals of pure service objects. But the host objects include a service principal as well, and currently it is not possible to modify the authorization data type for those services via the CLI or Web UI.

There are two ways to solve this for the CLI:

  • add --pac-type to ipa host-mod
  • allow ipa service-{find|show|mod} to handle host service principals as well

A similar solution should be found for the web UI.


It has implications for the CLI and UI, so it is sort of missing functionality that is more an RFE than a bug. Turning into RFE.

If it is currently necessary to overwrite the default authorization data type (PAC type) for the host/ service principal it can be done with the CLI:

ipa host-mod --addattr=ipakrbauthzdata=NONE your.host.name

Moving my tickets back to free-to-take pool.

Metadata Update from @sbose:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago
