[8121] in Release_7.7_team
Re: locked out of my debathena workstation
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Mon Mar 16 12:48:59 2015
Date: Mon, 16 Mar 2015 12:48:50 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Jonathan D Reed <jdreed@MIT.EDU>
cc: Alex T Prengel <alexp@MIT.EDU>,
"release-team@mit.edu" <release-team@MIT.EDU>
In-Reply-To: <9220E3AA-D0FD-4733-81F6-39BE72276DC7@mit.edu>
Message-ID: <alpine.GSO.1.10.1503161246040.3953@multics.mit.edu>
On Sat, 14 Mar 2015, Jonathan D Reed wrote:
> Oh, good call. That would make sense. Unfortunately, there’s no root
> password for Alex to trivially log in and fix this. We can reboot into
> single-user mode in person on Monday, of course. I vaguely wonder if
Did this happen? I don't want Alex to be stuck with an unusable machine
any longer than we need to.
The 1DES host keytab does seem almost certain to be the issue here.
> bumping the key in kadmin would trigger a different failure in pam_krb5,
> such that Alex could log in, but I suspect not.
>
> If this turns out to be the cause, we’ll definitely need to do some
> outreach (e.g. what jweiss has been doing with dialup users’ non-null
> instances) before this goes into production, I guarantee there are other
> machines out there which are in a similar state. Can a principal always
> getprinc itself? I assume running kadmin in the maintainer script is a
> terrible idea…
I'm on the fence about whether adding a check with ktutil in the
maintainer script is a good idea; we can probably ask for log-scraping of
1DES session keys issued for host/ principals. I guess I can take point
on asking for those.
-Ben
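
A sketch of the kind of keytab check discussed in this thread, as an added example that is not from the thread or from Debathena: it reads text in the layout printed by MIT `klist -k -e` (assumed here to use short enctype names such as `des-cbc-crc`) and lists host/ principals whose newest key version has only single-DES keys. The function names, hostnames and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report host/ principals whose newest keytab entry is
# single-DES only. Input is text in the layout of `klist -k -e` output
# (assumption: short enctype names, optionally prefixed "DEPRECATED:").

weak_host_keys() {
    awk '
    # Entry lines look like: "   3 host/name@REALM (des-cbc-crc)"
    $1 ~ /^[0-9]+$/ && $2 ~ /^host\// {
        kvno = $1 + 0; princ = $2
        enc = $3; gsub(/[()]/, "", enc); sub(/^DEPRECATED:/, "", enc)
        # A higher kvno supersedes everything seen so far for this principal.
        if (!(princ in newest) || kvno > newest[princ]) {
            newest[princ] = kvno; strong[princ] = 0
        }
        # des3-* does not match: only single-DES enctypes count as weak.
        if (kvno == newest[princ] &&
            enc !~ /^des-(cbc-(crc|md4|md5|raw)|hmac-sha1)$/)
            strong[princ] = 1
    }
    END { for (p in newest) if (!strong[p]) print p }
    ' | sort
}

# Constructed sample listing (not taken from any real machine).
sample_klist_output() {
    cat <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/ws1.example.com@EXAMPLE.COM (des-cbc-crc)
   3 host/ws2.example.com@EXAMPLE.COM (des-cbc-crc)
   4 host/ws2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/ws2.example.com@EXAMPLE.COM (DEPRECATED:des-cbc-crc)
   5 nfs/ws1.example.com@EXAMPLE.COM (des-cbc-crc)
EOF
}

# Prints the one host principal in the sample that has no non-DES key.
sample_klist_output | weak_host_keys

# On a real host the input would come from: klist -k -e /etc/krb5.keytab
```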