larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0

Cannot Retrieve Kerberos Ticket #47

Open YoungCree opened 3 years ago

YoungCree commented 3 years ago

Hey there, I'm having trouble with the Kerberos ticket portion of the setup. When clicking on "Reset Password" I get "Cannot retrieve kerberos ticket". I'm able to grab a keytab and store it in /opt/data/IPAPasswordReset/passwordreset.keytab and I'm pointing to that in the settings.py ../passwordreset.keytab. I'm also able to run the command kinit -kt /opt/data/IPAPasswordReset/passwordreset.keytab passwordreset without any issues. Running klist -A I get the following:

Ticket cache: KCM:0:4774
Default principal: passwordreset@DOMAIN

Valid starting       Expires              Service principal
09/14/2020 09:53:36  09/15/2020 09:53:36  krbtgt/DOMAIN@DOMAIN
09/14/2020 10:02:55  09/15/2020 09:53:36  HTTP/server@DOMAIN

Ticket cache: KCM:0
Default principal: admin@DOMAIN

Valid starting       Expires              Service principal
09/10/2020 12:05:50  09/11/2020 12:05:47  krbtgt/DOMAIN@DOMAIN
09/10/2020 12:05:55  09/11/2020 12:05:47  cifs/SERVER@DOMAIN

Ticket cache: KCM:0:72320
Default principal: cifs/server@DOMAIN

Valid starting       Expires              Service principal
09/10/2020 12:07:04  09/11/2020 12:07:04  krbtgt/DOMAIN@DOMAIN

Do you know what's going on? Thanks in advance for the help!

larrabee commented 3 years ago

Hello.
Please double-check that you properly follow the installation steps:

# Get keytab
ipa-getkeytab -p ldap-passwd-reset -k /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab
# And change files owner
chown -R ldap-passwd-reset:ldap-passwd-reset /opt/data/IPAPasswordReset
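
A check for the two installation steps quoted above, added here as an example (not code from the freeipa-password-reset project): it reports keytab ownership and mode findings for the service account, then tries the keytab against a throwaway credential cache. The function names and the private `FILE:` cache are assumptions of this example; the keytab path, account name and principal are passed as arguments.

```python
import os
import pwd
import stat
import subprocess
import sys
import tempfile


def keytab_findings(path, service_user):
    """Return a list of ownership/mode findings for the keytab (empty list = OK)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid has no passwd entry
        owner = str(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if owner != service_user:
        findings.append(f"owner is {owner}, expected {service_user}")
    if not mode & stat.S_IRUSR:
        findings.append(f"mode {mode:04o}: owner cannot read the keytab")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: keytab is accessible to group or others")
    return findings


def try_keytab(path, principal):
    """Run kinit against a throwaway FILE: cache so existing caches are untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        env = dict(os.environ, KRB5CCNAME=f"FILE:{os.path.join(tmp, 'ccache')}")
        proc = subprocess.run(["kinit", "-kt", path, principal],
                              env=env, capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()


if __name__ == "__main__":
    # Usage (run as the service account): check.py KEYTAB SERVICE_USER PRINCIPAL
    keytab, user, principal = sys.argv[1:4]
    for finding in keytab_findings(keytab, user):
        print("keytab:", finding)
    ok, err = try_keytab(keytab, principal)
    print("kinit:", "ok" if ok else f"failed: {err}")
    sys.exit(0 if ok else 1)
```

Running it under the account the web application runs as (for example with `sudo -u`) exercises the same file permissions the application sees, which an interactive `kinit` from another account does not.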

YoungCree commented 3 years ago

I generated the keytab using that method, and the password reset user has access to the entire directory. Any other ideas?