We fixed a bug where it was impossible to change passwords via the UMC due to the UMC server not closing file descriptors properly. Please check if an update might fix the problem.
Problem
When trying to change the password through the web interface (UMC), users constantly get the following error:
Errorcode 20: Stellen Sie sicher, dass der Kerberos Dienst läuft oder informieren Sie einen Administrator.
Errorcode 20: Make sure the Kerberos service is running or contact an administrator.
A restart of the server or the service does not help.
Additionally, when logging in to the UMC you will see a warning pop-up:
DNS-Check: Achtung! Der DNS Service Record für den UCS Master wurde nicht im DNS Server gefunden.
DNS Check: Caution! The DNS service record for the UCS Master was not found in the DNS server.
Please also check this article for errorcode 20 issues.
Solution
Correct your local DNS resolution by running:
ucr commit /etc/resolv.conf
Root Cause
Trying to get a Kerberos ticket on the command line results in an error:
kinit Administrator
Administrator@DOMAIN.TEST's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.TEST
“unable to reach” means that either the service is not running, or the DNS entries or IP addresses are wrong.
Note: This is only valid for UCS 4.1.x!
To make sure the service is running:
service heimdal-kdc restart
Check the DNS settings:
host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_domaincontroller_master._tcp.domain.test has SRV record 0 0 0 ucs.domain.test.
The output above indicates a good, working DNS configuration.
Another way, using dig, would be:
dig @localhost -t SRV "_domaincontroller_master._tcp.$(ucr get domainname)." +short
with a result like:
0 0 0 primary.school.intranet.
To check whether local settings are responsible for the behaviour, query DNS again, this time without naming the local nameserver explicitly:
host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."
_domaincontroller_master._tcp.domain.test has no SRV record
In this case, the nameserver entries in /etc/resolv.conf do not point to a UCS domain server.
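The two lookups above can be combined into one check. The script below is an added example, not part of the original article or of UCS; the verdict names and the "live" argument are made up for illustration, and the sample data is constructed from the outputs shown in this article.

```shell
#!/bin/sh
# Compare the SRV lookup against 127.0.0.1 with the lookup through the
# resolver configured in /etc/resolv.conf and report where the record is lost.

# Constructed sample data (used unless the script is called with "live").
SAMPLE_LOCAL='_domaincontroller_master._tcp.domain.test has SRV record 0 0 0 ucs.domain.test.'
SAMPLE_DEFAULT='_domaincontroller_master._tcp.domain.test has no SRV record'
SAMPLE_RESOLV='# constructed resolv.conf
domain domain.test
nameserver 192.0.2.53
nameserver 192.0.2.54'

# Succeeds if the `host -t srv` output on stdin contains an SRV answer.
has_srv() { grep -q ' has SRV record '; }

# Prints the nameserver addresses found in resolv.conf text on stdin.
resolv_nameservers() { awk '$1 == "nameserver" { print $2 }'; }

# diagnose LOCAL_OUTPUT DEFAULT_OUTPUT: prints one verdict (hypothetical names).
diagnose() {
    if ! printf '%s\n' "$1" | has_srv; then
        echo "local-dns-missing-record"   # the local DNS server lacks the record
    elif ! printf '%s\n' "$2" | has_srv; then
        echo "resolv-conf-wrong"          # record exists, resolver asks elsewhere
    else
        echo "ok"
    fi
}

if [ "${1:-}" = "live" ]; then
    name="_domaincontroller_master._tcp.$(ucr get domainname)."
    local_out=$(host -t srv "$name" 127.0.0.1 2>&1)
    default_out=$(host -t srv "$name" 2>&1)
    resolv=$(cat /etc/resolv.conf)
else
    local_out=$SAMPLE_LOCAL
    default_out=$SAMPLE_DEFAULT
    resolv=$SAMPLE_RESOLV
fi

verdict=$(diagnose "$local_out" "$default_out")
echo "verdict: $verdict"
if [ "$verdict" = "resolv-conf-wrong" ]; then
    echo "nameservers currently in resolv.conf:"
    printf '%s\n' "$resolv" | resolv_nameservers
    echo "fix: ucr commit /etc/resolv.conf"
fi
```

Run it with the argument live on the affected UCS system to query the real DNS servers instead of the constructed samples.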
Note: There is a related article with the same error message but different root cause available here.