[OpenAFS] Re: AFS root/admin passwords lost

Andrew Deason adeason@sinenomine.net
Wed, 4 Aug 2010 13:35:25 -0500


On Tue, 3 Aug 2010 12:39:48 -0400
Cory Puckett <corypuckett@depauw.edu> wrote:

> I just took this job and one of the first things they had me do was
> change the root passwords on the Linux servers. After I did this, the
> Kerberos admin password that worked before I changed the machine's
> root password will not work anymore. The fall semester starts soon and
> I need to be able to make student AFS accounts but can't do that
> without the Kerberos admin password.  Can anyone help me reset the
> Kerberos admin password?

Some off-list discussion showed that Cory is using kaserver. You'll want
to migrate to a Kerberos 5 setup soon, but first things first...

I'm not aware of an easy way to reset a kaserver password if you can't
already obtain administrator credentials. We could probably make 'kas'
able to construct authentication info from a KeyFile, but I don't think
that was ever done.

You could also use ka_util to modify the database directly on disk, but
unless you want to construct a new key by hand, that's probably not too
useful.

You can also run kaserver with the -noauth option temporarily, but that
would allow _anyone_ to change passwords and such. You can reduce the
security problems of doing this by taking the machine off of the net
while you do that. If you can take the machine off of the network for a
little while, that might work for you.

You can also convert the kaserver database to a Kerberos 5 database, run
a kaserver emulator, and change the password in the krb5 db. That's a
rather complex task just to reset a password, but you'll need to do it
sometime anyway.

-- 
Andrew Deason
adeason@sinenomine.net