Problem: Self-Service Password Change Errorcode 20


Problem

When trying to change the password through the web interface (UMC) users are constantly getting the following error:

Errorcode 20: Stellen Sie sicher, dass der Kerberos Dienst läuft oder informieren Sie einen Administrator.
Errorcode 20: Make sure the Kerberos service is running or contact an administrator.

Restarting the server or the service does not help.

Additionally, when logging in to the UMC you will see a warning pop-up:

DNS-Check: Achtung! Der DNS Service Record für den UCS Master wurde nicht im DNS Server gefunden. 
DNS Check: Caution! The DNS service record for the UCS Master was not found in the DNS server.

Solution

Correct your local DNS resolution by running:
ucr commit /etc/resolv.conf

Root Cause

Trying to get a Kerberos ticket through command line results in an error:

kinit Administrator
Administrator@DOMAIN.TEST's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.TEST

"unable to reach" means that either the KDC service is not running, or the DNS entries or IP addresses used to locate it are wrong.

Note: This is only valid for UCS 4.1.x!
To make sure the service is running:

service heimdal-kdc restart

Check DNS settings

host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

_domaincontroller_master._tcp.domain.test has SRV record 0 0 0 ucs.domain.test.

The output above shows a good, working DNS configuration when the local nameserver (127.0.0.1) is queried directly. To check whether any local settings are responsible for the behaviour, check the DNS again, this time without directing the request to the local nameserver:

host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 
_domaincontroller_master._tcp.domain.test has no SRV record

The nameserver entries in /etc/resolv.conf do not point to a UCS domain server.
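
The two lookups above combined into one check, as an added example that is not part of the original article: it parses the output of both `host -t srv` calls and reports whether the local nameserver, the resolver configuration, or neither is at fault. The function names, verdict strings and the `--live` switch are assumptions made for this example; the sample outputs are constructed from the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original article): classify the two SRV lookups.

# Print the SRV target host(s) found in `host -t srv` output read from stdin.
srv_targets() {
    awk '/ has SRV record / { sub(/\.$/, "", $NF); print $NF }'
}

# Print the nameserver addresses configured in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# diagnose LOCAL_OUTPUT SYSTEM_OUTPUT -> one-word verdict on stdout.
diagnose() {
    local_t=$(printf '%s\n' "$1" | srv_targets)
    system_t=$(printf '%s\n' "$2" | srv_targets)
    if [ -z "$local_t" ]; then
        echo "local-dns-broken"      # even 127.0.0.1 does not serve the record
    elif [ -z "$system_t" ]; then
        echo "resolv-conf-wrong"     # the case described in this article
    elif [ "$local_t" != "$system_t" ]; then
        echo "mismatch"              # resolvers disagree about the master
    else
        echo "ok"
    fi
}

# Constructed samples, modelled on the outputs shown in the article.
SAMPLE_LOCAL='Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

_domaincontroller_master._tcp.domain.test has SRV record 0 0 0 ucs.domain.test.'
SAMPLE_SYSTEM='_domaincontroller_master._tcp.domain.test has no SRV record'

# Live mode: run on the UCS system itself with `sh script.sh --live`.
live_check() {
    name="_domaincontroller_master._tcp.$(ucr get domainname)."
    diagnose "$(host -t srv "$name" 127.0.0.1 2>&1)" "$(host -t srv "$name" 2>&1)"
    echo "nameservers in /etc/resolv.conf:"
    nameservers /etc/resolv.conf
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    diagnose "$SAMPLE_LOCAL" "$SAMPLE_SYSTEM"
fi
```

A verdict of `resolv-conf-wrong` corresponds to the situation in this article, where `ucr commit /etc/resolv.conf` is the fix.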