larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0
92 stars, 31 forks

Cannot Retrieve Kerberos Ticket #47

Open YoungCree opened 4 years ago

YoungCree commented 4 years ago

Hey there, I'm having trouble with the Kerberos ticket portion of the setup. When clicking on "Reset Password" I get "Cannot retrieve kerberos ticket". I'm able to grab a keytab and store it in /opt/data/IPAPasswordReset/passwordreset.keytab, and I'm pointing to that in the settings.py (../passwordreset.keytab). I'm also able to run the command kinit -kt /opt/data/IPAPasswordReset/passwordreset.keytab passwordreset without any issues. Running klist -A I get the following:

```
Ticket cache: KCM:0:4774
Default principal: passwordreset@DOMAIN

Valid starting       Expires              Service principal
09/14/2020 09:53:36  09/15/2020 09:53:36  krbtgt/DOMAIN@DOMAIN
09/14/2020 10:02:55  09/15/2020 09:53:36  HTTP/server@DOMAIN

Ticket cache: KCM:0
Default principal: admin@DOMAIN

Valid starting       Expires              Service principal
09/10/2020 12:05:50  09/11/2020 12:05:47  krbtgt/DOMAIN@DOMAIN
09/10/2020 12:05:55  09/11/2020 12:05:47  cifs/SERVER@DOMAIN

Ticket cache: KCM:0:72320
Default principal: cifs/server@DOMAIN

Valid starting       Expires              Service principal
09/10/2020 12:07:04  09/11/2020 12:07:04  krbtgt/DOMAIN@DOMAIN
```

Do you know what's going on? Thanks in advance for the help!

larrabee commented 4 years ago

Hello.
Please double check that you properly followed the installation steps:

```bash
# Get keytab
ipa-getkeytab -p ldap-passwd-reset -k /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab
# And change files owner
chown -R ldap-passwd-reset:ldap-passwd-reset /opt/data/IPAPasswordReset
```

YoungCree commented 4 years ago

I generated the keytab using that method, and the password reset user has access to the entire directory, any other ideas?

lanhampr commented 2 months ago

I too am having this issue. What should the file permissions be set as for ldap-passwd-reset.keytab?

```
-rw-------. 1 ldap-passwd-reset ldap-passwd-reset 674 Sep 6 10:17 ldap-passwd-reset.keytab
```

I did not install Redis. What does Redis do and do I need to install it?

In creating the ldap-passwd-reset user there is --password "CHANGE_ME_PLEASE". Do I replace the password? Does it relate to any other passwords in FreeIPA?

Does the password defined by this line relate to another password in FreeIPA:

```python
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '<>'
```

Are there any log files to check to help determine the issue?

Thanks.
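The thread turns on three separate failure points: the keytab file's owner and mode (larrabee's chown step and lanhampr's permission question), whether the keytab actually holds the principal the app is configured with (YoungCree's keytab was for `passwordreset`, the install steps use `ldap-passwd-reset`), and whether `kinit -kt` succeeds for the service account rather than for the admin running the shell. The following diagnostic script is an added example, not code from freeipa-password-reset. It assumes an MIT Kerberos `klist -kt` output layout; the keytab path, principal, realm `EXAMPLE.COM` and the sample `klist` output embedded below are constructed for illustration.

```python
"""Diagnose why a service account cannot obtain a Kerberos ticket from its keytab.

Added example (not part of freeipa-password-reset). Run it as root or as the
service user:  python3 keytab_diag.py
"""
import os
import pwd
import stat
import subprocess

# Constructed sample of `klist -kt FILE` output (MIT Kerberos layout): one line
# per key/enctype, principal is the last column. Used by the stand-alone demo.
SAMPLE_KLIST_KT = """Keytab name: FILE:/opt/data/IPAPasswordReset/ldap-passwd-reset.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/14/2020 09:50:01 ldap-passwd-reset@EXAMPLE.COM
   2 09/14/2020 09:50:01 ldap-passwd-reset@EXAMPLE.COM
"""


def parse_klist_keytab(output: str) -> list:
    """Return the distinct principals listed in `klist -kt` output, in order."""
    principals = []
    for line in output.splitlines():
        parts = line.split()
        # Entry lines start with a numeric KVNO and end with user@REALM;
        # the "Keytab name:", header and dashed separator lines do not.
        if len(parts) >= 4 and parts[0].isdigit() and "@" in parts[-1]:
            if parts[-1] not in principals:
                principals.append(parts[-1])
    return principals


def principal_present(principals: list, configured: str) -> bool:
    """True if the configured principal (with or without @REALM) is in the keytab."""
    if "@" in configured:
        return configured in principals
    return any(p.split("@", 1)[0] == configured for p in principals)


def check_ownership(mode: int, owner: str, expected_owner: str) -> list:
    """Problems with a keytab's owner/mode, given st_mode and owner name from stat."""
    problems = []
    if owner != expected_owner:
        problems.append(f"keytab owned by {owner}, expected {expected_owner}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"keytab mode {oct(mode & 0o777)} is readable by group/other; use 0600")
    if not mode & stat.S_IRUSR:
        problems.append("keytab is not readable by its owner")
    return problems


def diagnose(keytab: str, principal: str, service_user: str, try_kinit: bool = True) -> list:
    """Run all checks against a real keytab on disk; returns a list of problems."""
    if not os.path.isfile(keytab):
        return [f"keytab {keytab} does not exist"]
    st = os.stat(keytab)
    owner = pwd.getpwuid(st.st_uid).pw_name
    problems = check_ownership(st.st_mode, owner, service_user)

    listing = subprocess.run(["klist", "-kt", keytab], capture_output=True, text=True, check=False)
    principals = parse_klist_keytab(listing.stdout)
    if not principal_present(principals, principal):
        problems.append(f"principal {principal} not in keytab; it contains {principals}")

    if try_kinit:
        # Use a private in-memory cache so the test never clobbers the caller's
        # own tickets (the ones klist -A showed in the thread).
        env = dict(os.environ, KRB5CCNAME="MEMORY:keytab_diag")
        res = subprocess.run(["kinit", "-kt", keytab, principal],
                             capture_output=True, text=True, env=env, check=False)
        if res.returncode != 0:
            problems.append(f"kinit -kt failed: {res.stderr.strip()}")
    return problems


if __name__ == "__main__":
    # Offline demo on the constructed sample, then a live run on the real path.
    print("sample keytab principals:", parse_klist_keytab(SAMPLE_KLIST_KT))
    print("0600 owned by service user:",
          check_ownership(0o100600, "ldap-passwd-reset", "ldap-passwd-reset") or "ok")
    print("0644 owned by root:", check_ownership(0o100644, "root", "ldap-passwd-reset"))
    for p in diagnose("/opt/data/IPAPasswordReset/ldap-passwd-reset.keytab",
                      "ldap-passwd-reset", "ldap-passwd-reset"):
        print("PROBLEM:", p)
```

The `-rw-------` listing in the thread passes the ownership check, so on that host the remaining suspects are the principal name configured in settings.py not matching what the keytab holds, and `kinit` behaving differently for the service user than for the admin shell (different credential cache, different environment). Running `diagnose()` as the service user exercises exactly that path.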