Authentication indicators currently should not be enforced against internal IPA services because not all users of those services can produce Kerberos tickets with required authentication indicators. Enforcing the indicators will lead to a broken FreeIPA deployment for such services. Thus, we should add a logic that prevents such broken setup.

host/..., ldap/.., HTTP/.., and 'cifs/..` principals on IPA masters should not allow setting any authentication indicators as of the moment.

In Active Directory infrastructure all services running on the machine are aliases of the machine account (represented with host/... service principal). It means they all have the same Kerberos keys. In FreeIPA there is no strong aliasing between the services running on a host; host/... and cifs/... keys can be different. However, host/... service principal on any IPA system running Samba plays important role for DCE RPC calls authenticated with the help of Kerberos because DCE RPC clients will use host/... key to encrypt a request and DCE RPC server will have to use own host/.. keys to decrypt that request. It means DCE RPC clients will attempt to obtain a service ticket to host/.. on a target DCE RPC server automatically. Assigning an authentication indicator to it will prevent this operation, rendering SMB (and DCE RPC) services impossible to use.

This means that for IPA clients which have Samba services enabled (have cifs/... service principal), there should also be not possible to assign authentication indicator to host/... and cifs/.. principals on the hosts.

We need to figure out if using hardened authentication indicator could be permitted.