Problem: "Password change failed. The reason could not be determined."

Problem

A user encountered an issue with an expired password. Upon logging into the portal, they were prompted to change their password. However, when attempting to set a new password, the following error occurred:

Password change failed. The reason could not be determined.

The original error message provided was:

Authentication failed. Your password will expire at Thu Jan 1 01:00:00 1970 . Errorcode 20: Das neue Passwort konnte nicht gesetzt werden.

Additionally, the following log entries were found in /var/log/univention/management-console-server.log:

15.01.25 13:20:34.071  AUTH        ( ERROR   ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
15.01.25 13:20:34.117  AUTH        ( WARN    ) : Changing password failed (('Authentication token manipulation error', 20)).
Prompts: [('Current Kerberos password: ', 1), ('Your password will expire at Thu Jan  1 01:00:00 1970\n', 4), ('New password: ', 1), ('Retype new password: ', 1), (': Authentication failed', 3)]
15.01.25 13:20:34.119  AUTH        ( ERROR   ) : Password change failed. The reason could not be determined.

Investigation

The error suggests that the authentication token is no longer valid and needs to be replaced. This issue was traced to the UCS master, where the password changes are processed via the self-service mechanism. The component responsible for handling password changes is kpasswdd.

On UCS systems with Samba installed, kpasswdd is provided by Samba. On systems without Samba (like this UCS master), it is provided by Heimdal.

The configuration was previously set as follows:

ucr get kerberos/kpasswdserver
ucs-master.example.com

This caused the UCS master to use its own Heimdal service for password changes. However, Heimdal was unable to process the request, leading to the following error in systemctl status heimdal-kdc:

krb5_rd_req: Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

The root cause is that the Kerberos Key Distribution Center (KDC) that issues tickets to users runs on the UCS backup server and is provided by Samba. The Heimdal service on the UCS master therefore cannot verify the ticket presented with the password-change request, which is what the krb5_rd_req error above reports.

Solution

To resolve this issue, the UCS master was reconfigured to use the correct KDC for password changes. The following command was executed:

ucr set kerberos/kpasswdserver='ucs-backup.example.com'

After applying this change, password changes for users with expired passwords functioned correctly.

Additional Notes

  • The KDC is queried via DNS lookup, as indicated by the following configuration:
    ucr search --brief kerberos/kdc kerberos/defaults/dns_lookup_kdc

    kerberos/defaults/dns_lookup_kdc: <empty>
     If this variable is set to 'true' or unset, the KDC(s) used by the system are read from DNS service records. This can be disabled by setting the variable to 'false', is which case the KDC(s) must be set through the variable 'kerberos/kdc'.

    kerberos/kdc: <empty>
     A list of Kerberos KDC servers can be configured here. The hostnames should be specified in FQDN form. Multiple values need to be separated by a blank. If the variable is unset, the KDC is queried from DNS service records (see 'kerberos/defaults/dns_lookup_kdc').

  • You can look up the DNS service records like this:
    udm dns/srv_record list --filter relativeDomainName=_kerberos* | grep -Ei "DN:|location"
  • The password change succeeded when using the UCS backup server (ucs-backup.example.com) because it runs the correct KDC service.
  • If required, the kerberos/kpasswdserver variable can be further extended to include additional servers.
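The check the notes above describe, turned into a small script: it compares kerberos/kpasswdserver against the hosts the system actually treats as KDCs, taken from the _kerberos._udp SRV records (when kerberos/defaults/dns_lookup_kdc is true or unset) or from kerberos/kdc otherwise. This is an added example, not part of the original post; it assumes a UCS host with `ucr` and `dig`, and that `ucr get domainname` returns the DNS domain.

```shell
#!/bin/sh
# Added example (not from the original post): verify that kerberos/kpasswdserver
# names a host that is really a KDC, using the _kerberos._udp SRV records or
# kerberos/kdc, mirroring the dns_lookup_kdc logic described in the UCR help.
# Assumes `ucr` and `dig`; the helper functions work on plain text so they can
# also be run against captured output.

# Print the target hostnames (trailing dot removed) from `dig +short SRV` output
# on stdin; each line has the form "priority weight port target.".
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# kpasswd_is_kdc SERVER KDC...  -> exit 0 if SERVER is one of the KDC hosts.
kpasswd_is_kdc() {
    server=${1%.}
    shift
    for kdc in "$@"; do
        [ "${kdc%.}" = "$server" ] && return 0
    done
    return 1
}

# Live check on a UCS host: pick the KDC source the way libkrb5 does, then compare.
check_live() {
    domain=$(ucr get domainname)
    kpasswd=$(ucr get kerberos/kpasswdserver)
    if [ "$(ucr get kerberos/defaults/dns_lookup_kdc)" = "false" ]; then
        kdcs=$(ucr get kerberos/kdc)            # blank-separated FQDNs
    else
        kdcs=$(dig +short SRV "_kerberos._udp.$domain" | srv_targets)
    fi
    if kpasswd_is_kdc "$kpasswd" $kdcs; then   # word splitting on $kdcs intended
        echo "OK: kerberos/kpasswdserver=$kpasswd is a KDC ($kdcs)"
    else
        echo "WARNING: kerberos/kpasswdserver=$kpasswd is not among the KDCs: $kdcs"
        echo "         password changes may fail with 'Authentication token manipulation error'"
        return 1
    fi
}

# Constructed sample, modelled on the post: only the backup server runs the KDC.
SAMPLE_SRV='0 100 88 ucs-backup.example.com.'

if command -v ucr >/dev/null 2>&1; then
    check_live
else
    echo "ucr not found; run check_live on a UCS host (sample SRV line: $SAMPLE_SRV)" >&2
fi
```

With the configuration from the post (kpasswdserver set to the master while only the backup advertises a KDC) the script prints the WARNING line and exits non-zero.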
