ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

forgot password page reloads after submit causing 2 refreshes #93

Closed SomePersonSomeWhereInTheWorld closed 1 year ago

SomePersonSomeWhereInTheWorld commented 3 years ago

I upgraded to mokey-0.5.6-1.el7.x86_64 on Fedora 33 and tried setting the new option to replace_token: true and replace_token: false, but the CAPTCHA for the Forgot Password option fails with "The numbers you typed in do not match the image", as it appears the web page reloads after the logs say an email was sent.

May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Handling query input: 0x558546020700 (892)
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: Connection matched service nfs-client
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Processing request [0x558546020700 (892)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x558546020700 (892)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0,socket: (null)
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x558546020700 (892)]: [0x7f4548049060 (856)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Handling query output: 0x7f4548049060 (856)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Handling query reply: 0x7f4548049060 (856)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Sending data: 0x7f4548049060 (856)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Sending data [0x7f4548049060 (856)]: successful write of 856
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Handling query input: 0x558546020700 (1048)
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: Connection matched service nfs-client
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Processing request [0x558546020700 (1048)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Executing request 8 (GSSX_INIT_SEC_CONTEXT) from [0x558546020700 (1048)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
May 18 15:23:57  gssproxy[1092333]:    GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [  ] } context_handle: <Null> cred_handle:
 target_name: { "nfs@ourdomain.edu" { 1 2 840 113554 1 2 1 4 } [  ] [  ] [ ] } mech_type: { 1 2 840 113554 1 2 2 } req_flags: 2 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ 73796e635f6d6f6469666965645f63726564730 ] [ 64656661756c740 ] } ] )
May 18 15:23:57 olddsm gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: Credentials allowed by configuration
May 18 15:23:57 olddsm gssproxy[1092333]:    GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638919 "Unspecified GSS failure.  Minor code may provide more information" "Server krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU not found in Kerberos database" [  ] } context_handle: <Null> output_token: <Null> )
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Returned buffer 8 (GSSX_INIT_SEC_CONTEXT) from [0x558546020700 (1048)]: [0x7f4548018470 (236)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Handling query output: 0x7f4548018470 (236)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Handling query reply: 0x7f4548018470 (236)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Sending data: 0x7f4548018470 (236)
May 18 15:23:57  gssproxy[1092333]: [2021/05/18 19:23:57]: [status] Sending data [0x7f4548018470 (236)]: successful write of 236
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Handling query input: 0x558546020700 (892)
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: Connection matched service nfs-client
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Processing request [0x558546020700 (892)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x558546020700 (892)]
May 18 15:23:57  gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0,socket: (null)

Also does kinit admin need to be always unexpired for this to work?

aebruno commented 3 years ago

> I upgraded to mokey-0.5.6-1.el7.x86_64 on Fedora 33 and tried setting the new option to replace_token: true and replace_token: false, but the CAPTCHA for the Forgot Password option fails with "The numbers you typed in do not match the image", as it appears the web page reloads after the logs say an email was sent.

I wasn't able to reproduce this. The logs above look to be krb related? Perhaps there's an issue with your kerb configs?

> Also does kinit admin need to be always unexpired for this to work?

I'm not sure I follow the question but mokey does not require the admin user specifically anywhere.

SomePersonSomeWhereInTheWorld commented 3 years ago

Whether this is related or not after a server reboot:

ourserver systemd[1]: mokey.service: Failed with result 'exit-code'.
ourserver  mokey[17230]: time="2021-06-03T15:46:39-04:00" level=info msg="Using template dir: /usr/share/mokey/templates"
mokey[17230]: time="2021-06-03T15:46:39-04:00" level=fatal msg="dial tcp 127.0.0.1:3306: connect: connection refused"

But IPA appears to be running and I can log into the IP GUI:

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

EDIT:

Sorry, MySQL was not set to start on reboot. Seeing this error about favicon:

Jun  3 19:44:52 mokey[18564]: time="2021-06-03T19:44:52-04:00" level=error msg="Requested path not found" ip=150.108.64.156 path=/favicon.ico
Jun  3 19:44:52  mokey[18564]: {"time":"2021-06-03T19:44:52.425849923-04:00","level":"ERROR","prefix":"echo","file":"server.go","line":"68","message":"code=404, message=Not Found"}
Jun  3 19:44:58  mokey[18564]: time="2021-06-03T19:44:58-04:00" level=error msg="Requested path not found" ip=150.108.64.156 path=/favicon.ico
Jun  3 19:44:59  mokey[18564]: {"time":"2021-06-03T19:44:58.995370229-04:00","level":"ERROR","prefix":"echo","file":"server.go","line":"68","message":"code=404, message=Not Found"}

Edit: The page loads using http, not https.

But the aforementioned behavior exists. Perhaps it is a misconfiguration of FreeIPA. I have verbose logging on, so there is so much log noise I'm not sure where to start.

Edit: the logs indicate an email is sent, but again the message "The numbers you typed in do not match the image" appears. Any other troubleshooting of settings and logs with MoKey that I can try?
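
As an added example (not part of the original thread and not mokey's own code), one way to cut through the log noise described above is to keep only the mokey lines from a mixed syslog capture and normalise the two payload styles that appear in this thread: key=value lines and JSON lines from the echo framework. The sample input is constructed; the hostname `host` and the address 192.0.2.10 are placeholders.

```python
import json
import re
import shlex
from collections import Counter

# Constructed sample modelled on the log lines quoted in this thread
# (hostname "host" and the 192.0.2.10 address are placeholders).
SAMPLE = """\
May 18 15:23:57 host gssproxy[1092333]: [CID 14][2021/05/18 19:23:57]: Connection matched service nfs-client
Jun  3 15:46:39 host mokey[17230]: time="2021-06-03T15:46:39-04:00" level=info msg="Using template dir: /usr/share/mokey/templates"
Jun  3 15:46:39 host mokey[17230]: time="2021-06-03T15:46:39-04:00" level=fatal msg="dial tcp 127.0.0.1:3306: connect: connection refused"
Jun  3 19:44:52 host mokey[18564]: time="2021-06-03T19:44:52-04:00" level=error msg="Requested path not found" ip=192.0.2.10 path=/favicon.ico
Jun  3 19:44:52 host mokey[18564]: {"time":"2021-06-03T19:44:52.425849923-04:00","level":"ERROR","prefix":"echo","file":"server.go","line":"68","message":"code=404, message=Not Found"}
"""

# The syslog prefix ends in "<program>[<pid>]: "; the rest is the payload.
LINE = re.compile(r"\s(?P<prog>[\w.-]+)\[\d+\]:\s+(?P<payload>.*)$")
SEVERE = {"warning", "error", "fatal", "panic"}

def parse_payload(payload):
    """Normalise one payload (JSON or key=value) to (level, message, fields)."""
    if payload.startswith("{"):
        rec = json.loads(payload)
        return rec.get("level", "").lower(), rec.get("message", ""), rec
    # shlex keeps quoted values such as msg="..." together as one token.
    fields = dict(t.split("=", 1) for t in shlex.split(payload) if "=" in t)
    return fields.get("level", "").lower(), fields.get("msg", ""), fields

def triage(text, program="mokey"):
    """Drop other daemons' lines; return records at warning level or above."""
    hits = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or m.group("prog") != program:
            continue
        try:
            level, msg, fields = parse_payload(m.group("payload"))
        except ValueError:  # malformed JSON or unbalanced quotes
            continue
        if level in SEVERE:
            hits.append({"level": level, "msg": msg, "path": fields.get("path")})
    return hits

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(Counter(h["level"] for h in found))
    for h in found:
        print(h)
```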