So, I'm writing this gigantically long document on FileVault, and I come to the part about passwords, master passwords, and resetting things using the latter.
The way it works is, if your user forgets her account password (the one used for creating the FileVault), anyone with the master password should be able to enter that in Login Window, reset the user's password, which will in turn modify the key used to unlock his FileVault disk image. Except, it wasn't working for me.
Login Window allowed me to enter the master password, but when the forgetful user tried to enter her new password, it would just shake.
Reviewing secure.log, I got a lot of this:
Jul 10 12:53:12 home-mac SecurityAgent[71]: User info context values set
Jul 10 12:53:12 home-mac authorizationhost[70]: k5_authenticate(): got -1765328378 (Client not found in Kerberos database) on plugins/krb5/krb5_operations.c:54
Jul 10 12:53:12 home-mac authorizationhost[70]: -[SFBuiltinKrb5Authenticate invoke](): got -1765328378 (Client not found in Kerberos database) on authhostbuiltins.m:1057
I thought it might have something to do with the Local KDC, or the edu.mit.Kerberos file, but the problem was in the log messages.
I had a modified /etc/authorization file on my system. In the system.login.console, it read:
<key>system.login.console</key>
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>mechanisms</key>
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow:login</string>
<string>builtin:krb5authenticate,privileged</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
</dict>
It was the part in red the kept me from giving the forgetful user a new password. Once I modified it accordingly, it worked. My addition in red below was just to give me my University Kerberos TGT as a by-product of logging in. (The strike-through is really all I would have needed to do for FileVault. I might have added the krb5authnoverify part at some point, or perhaps something automatically added it, but it's not there by default.)
<key>system.login.console</key>
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>mechanisms</key>
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow:login</string>
<string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:krb5authnoverify,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
</dict>
