Problem: SelfService Password Change - Errorcode 20

Problem:

When users try to change their password through the web interface (UMC Self Service), they consistently get the following error:

Error changing password
Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: Errorcode 20: The new password could not be set.
(The German-localized UI shows the same message under the title "Fehler bei Passwortänderung", ending with "Errorcode 20: Das neue Passwort konnte nicht gesetzt werden.")

Please see also this article with a similar error message:

Changing the password manually with kpasswd does not work either; the ticket is issued, but the password change itself is rejected:

root@master:~# kinit cscheini
cscheini@SCHEIN.IG's Password:
root@master:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: cscheini@SCHEIN.IG

Issued Expires Principal
Jan 21 14:38:47 2019 Jan 22 00:38:43 2019 krbtgt/SCHEIN.IG@SCHEIN.IG

root@master:~# kdestroy
root@master:~# kpasswd cscheini
cscheini@SCHEIN.IG's Password:
New password for cscheini@SCHEIN.IG:
Verify password - New password for cscheini@SCHEIN.IG:
Auth error : Authentication failed

Environment:

The domain setup is a bit unusual here:
The master server does not have Samba installed, so Kerberos is served there by the standard Heimdal KDC (heimdal-kdc).
The backup server, on the other hand, has Samba 4 and the S4 connector installed, and Kerberos is served there by Samba 4.

Solution:

If you have a backup server running Samba 4, set the following UCR variable on the master (replace the hostname with the FQDN of your backup server):
ucr set kerberos/kpasswdserver='backup.schein.ig'

This makes kpasswd (and therefore the Self Service) send the password change to the Samba 4 KDC that also issues the ticket. Repeat the kpasswd test from above afterwards; it should now succeed.

Investigation

Run the following on the master:

host -t srv _kerberos._tcp.$(ucr get domainname)
host -t srv _kerberos._udp.$(ucr get domainname)

Once Samba 4 is installed anywhere in the domain, these SRV records point to the Samba 4 servers only; the master (running Heimdal) is no longer listed.

So in this case the problem is specific to this setup.
The Self Service changes the password via kpasswd, and kpasswd works as follows:
It first obtains a ticket from a registered Kerberos server. To find one it performs a DNS lookup for the _kerberos SRV records; this is the default behavior (dns_lookup_kdc = true in krb5.conf). Here the backup server is the only host in those records, so the ticket is issued by the Samba 4 KDC on the backup. The password change request itself, however, still goes to the master. The Heimdal KDC on the master and the Samba 4 KDC on the backup are separate implementations that do not hold the same key for this ticket, so the master cannot decrypt it and the authentication fails: kpasswd reports "Auth error : Authentication failed", and the Self Service surfaces this as Errorcode 20.
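The following script ties the Investigation and Solution sections together. It is an added example, not part of the original article or of UCS: it parses `host -t srv` output to find the hosts that issue Kerberos tickets and checks whether the configured kpasswd server (the UCR variable `kerberos/kpasswdserver`) is one of them. The SRV output embedded below is constructed after the article's domain (schein.ig); the `live_check` function, which runs `host` and `ucr` on a real master, is an assumption about how you would wire the check into that environment.

```shell
#!/bin/sh
# Added example: detect the "ticket from one KDC, password change to another" mismatch.
# Not from the Univention article or from UCS; constructed sample data below.

# Read `host -t srv ...` output on stdin and print the SRV target hostnames.
# Example input line:
#   _kerberos._tcp.schein.ig has SRV record 0 100 88 backup.schein.ig.
srv_targets() {
    awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print t }'
}

# $1: newline-separated KDC hostnames (from srv_targets), $2: kpasswd server FQDN.
# Prints "ok" when the password change goes to one of the ticket-issuing KDCs,
# "mismatch" when it goes to a host that is not in the SRV records.
kpasswd_consistent() {
    kdcs=$1
    kpasswd=$2
    if [ -z "$kpasswd" ]; then
        echo unset
    elif printf '%s\n' "$kdcs" | grep -qxF "$kpasswd"; then
        echo ok
    else
        echo mismatch
    fi
}

# Live variant for a UCS master (assumption: `host` and `ucr` are available).
# Resolves the records the article tells you to check and compares them with the
# UCR variable the Solution section sets. Not executed in the demo below.
live_check() {
    domain=$(ucr get domainname)
    kdcs=$( { host -t srv "_kerberos._tcp.$domain"; host -t srv "_kerberos._udp.$domain"; } \
            | srv_targets | sort -u)
    kpasswd_consistent "$kdcs" "$(ucr get kerberos/kpasswdserver)"
}

# Constructed sample: after Samba 4 is installed on the backup, only the backup
# is published as a KDC; the Heimdal master no longer appears.
SAMPLE_SRV='_kerberos._tcp.schein.ig has SRV record 0 100 88 backup.schein.ig.
_kerberos._udp.schein.ig has SRV record 0 100 88 backup.schein.ig.'

demo() {
    kdcs=$(printf '%s\n' "$SAMPLE_SRV" | srv_targets | sort -u)
    echo "KDCs from DNS:               $kdcs"
    # Before the fix: kpasswd still targets the master -> mismatch (Errorcode 20).
    echo "kpasswd -> master.schein.ig: $(kpasswd_consistent "$kdcs" master.schein.ig)"
    # After `ucr set kerberos/kpasswdserver=backup.schein.ig` -> ok.
    echo "kpasswd -> backup.schein.ig: $(kpasswd_consistent "$kdcs" backup.schein.ig)"
}

demo
```

On a real master, run `live_check` instead of `demo`; "mismatch" means the ticket is issued by a Samba 4 KDC while the password change is still sent to the Heimdal master, which is exactly the condition that produces Errorcode 20.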

Bug #48585
