ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Password Reset Doesn't Work #14

Closed hanej closed 6 years ago

hanej commented 6 years ago

I've spent a lot of time poring through the code and the dependencies to try and track down why I am unable to reset my password. I'm running FreeIPA 4.5.0. I have tried with the svc_mokey user keytab (with 'Modify Users and Reset passwords' and 'User Administrators' roles) and also with the admin keytab.

Side note: one thing I've noticed is there is no checking on the keytab to see if it actually exists or is valid. I get the same response whether the keytab is there or not which makes it difficult to troubleshoot if it's a bad file, bad permissions, etc.

I downloaded the source and started adding debug statements to the code to see where exactly it's failing. I've tracked it down to this line https://github.com/ubccr/goipa/blob/master/ipa.go#L242. There is no session so the client tries to use SPNEGO.

Even with the admin keytab it still fails. I know that keytab works because I use it for creating accounts and other tasks. The Apache log makes me believe that it can connect and is authenticated. I can log into the front end and see all of my stats. It seems to only fail when it tries to reset the password.

Debug output

INFO[0003] loaded keytab /etc/mokey/keytab/mokey.keytab
ERRO[0003] failed to set user password in FreeIPA        error="ipa: error 2100 - Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=jhane,cn=users,cn=accounts,dc=idm,dc=example,dc=com'." uid=jhane

/var/log/httpd/error_log

[Fri Jan 12 23:31:28.918539 2018] [:error] [pid 19009] ipa: INFO: [jsonserver_kerb] host/freeipa1.example.com@IDM.EXAMPLE.COM: user_show(u'jhane', all=True, version=u'2.156', no_members=False): SUCCESS
[Fri Jan 12 23:31:28.960808 2018] [:error] [pid 19010] ipa: INFO: [jsonserver_kerb] host/freeipa1.example.com@IDM.EXAMPLE.COM: user_mod(u'jhane', random=True, all=True, version=u'2.156', no_members=False): ACIError

hanej commented 6 years ago

Of course after I spent hours on this and right after I filled out an issue I figured it out. Turns out you can't reset the password of an admin user. Good to know... Thank you for this awesome product! It will save us lots of tickets.

https://bugzilla.redhat.com/show_bug.cgi?id=773759

aebruno commented 6 years ago

@hanej Thanks for the great feedback. Will add some checking to ensure the keytab exists. We hit the same issue with resetting admin passwords. Will add some documentation about that as well. Glad to hear it's working for you.
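The keytab pre-flight check asked for in this thread, written as an added example in Go (mokey's own language); it is not mokey's or goipa's code. It parses the MIT version 0x0502 keytab format just far enough to list the principals it holds, so "file missing", "not a keytab", "truncated", "group/world readable" and "wrong principal" each produce a distinct error at startup instead of the silent fall-through to SPNEGO described in the report. Assumptions: the service principal name svc_mokey@IDM.EXAMPLE.COM (the issue only names the svc_mokey user), the keytab path taken from the debug output, and the sample keytab bytes, which are constructed here with zero placeholder key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strings"
)

// principalOf decodes the principal from one keytab entry body: a uint16 component
// count, then the realm and each component as a uint16 length plus bytes. err is sticky.
func principalOf(body []byte) (string, error) {
	r := bytes.NewReader(body)
	var err error
	counted := func() string {
		var n uint16
		if err == nil {
			err = binary.Read(r, binary.BigEndian, &n)
		}
		buf := make([]byte, n)
		if err == nil {
			_, err = io.ReadFull(r, buf)
		}
		return string(buf)
	}
	var ncomp uint16
	err = binary.Read(r, binary.BigEndian, &ncomp)
	realm := counted()
	var comps []string
	for i := 0; i < int(ncomp) && err == nil; i++ {
		comps = append(comps, counted())
	}
	return strings.Join(comps, "/") + "@" + realm, err // kvno and key bytes are not read
}

// ParseKeytab lists the principals in an MIT-format (version 0x0502) keytab, failing on
// an empty, wrong-version or truncated file instead of returning an empty "valid" result.
func ParseKeytab(data []byte) ([]string, error) {
	if len(data) < 2 || data[0] != 0x05 || data[1] != 0x02 {
		return nil, fmt.Errorf("keytab: empty, truncated, or not version 0x0502")
	}
	r := bytes.NewReader(data[2:])
	var principals []string
	for r.Len() > 0 {
		var size int32 // each entry is an int32 body length followed by the body
		if err := binary.Read(r, binary.BigEndian, &size); err != nil {
			return nil, fmt.Errorf("keytab: bad entry header: %w", err)
		}
		if size < 0 { // a negative size marks a deleted slot: skip it
			r.Seek(int64(-size), io.SeekCurrent)
			continue
		}
		if int(size) > r.Len() {
			return nil, fmt.Errorf("keytab: entry of %d bytes overruns the file", size)
		}
		body := make([]byte, size)
		io.ReadFull(r, body) // cannot fail: length checked above
		name, err := principalOf(body)
		if err != nil {
			return nil, fmt.Errorf("keytab: malformed entry: %w", err)
		}
		principals = append(principals, name)
	}
	return principals, nil
}

// CheckKeytabFile is the pre-flight check: the keytab must exist and be readable, must
// not be group/world accessible, must parse, and must hold a key for wantPrincipal.
func CheckKeytabFile(path, wantPrincipal string) ([]string, error) {
	data, err := os.ReadFile(path) // ENOENT and EACCES are reported by name
	if err != nil {
		return nil, fmt.Errorf("keytab: %w", err)
	}
	if fi, err := os.Stat(path); err == nil && fi.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("keytab %s: mode %04o is group/world accessible, want 0600", path, fi.Mode().Perm())
	}
	principals, err := ParseKeytab(data)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	for _, p := range principals {
		if p == wantPrincipal {
			return principals, nil
		}
	}
	return nil, fmt.Errorf("keytab %s: holds %q, no key for %s", path, principals, wantPrincipal)
}

// sampleKeytab is constructed test data, not a real keytab: a 0x0502 header and one
// 51-byte entry for svc_mokey@IDM.EXAMPLE.COM with four zero placeholder key bytes.
var sampleKeytab = []byte("\x05\x02\x00\x00\x00\x33" + // version, int32 entry size 51
	"\x00\x01\x00\x0fIDM.EXAMPLE.COM\x00\x09svc_mokey" + // 1 component, realm, component
	"\x00\x00\x00\x01\x5a\x59\x45\x50\x03" + // name type, timestamp, 8-bit kvno
	"\x00\x12\x00\x04\x00\x00\x00\x00\x00\x00\x00\x03") // aes256 etype, 4 zero key bytes, 32-bit kvno

func main() {
	fmt.Println(CheckKeytabFile("/etc/mokey/keytab/mokey.keytab", "svc_mokey@IDM.EXAMPLE.COM"))
}
```

Calling CheckKeytabFile once at startup and refusing to serve until it passes turns the "same response whether the keytab is there or not" situation into a one-line error naming the actual problem. Only the principal is decoded; the kvno and key block are length-checked and skipped, so a stale key version after a rekey still needs klist -kt to spot.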