Univention Bugzilla – Bug 57194
Error 20: Authentication token manipulation error until UMC restart
Last modified: 2024-03-27 09:09:22 CET
It happened increasingly often at customers that no user could change their password any more using the self-service or the UMC. The UMC then displays:

    Password change failed. The reason could not be determined. In case it helps, the raw error message will be displayed.
    Errorcode 20: The password could not be saved.

Looking into the management-console-server.log you see a lot of this:

    18.03.24 07:53:16.995 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
    18.03.24 07:53:36.132 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
    18.03.24 07:53:36.132 AUTH ( WARN ) : Changing password failed (('Authentication token manipulation error', 20)). Prompts: [('Current Kerberos password: ', 1)]

So the password change already fails at the authentication step. The krb5 logs complain about:

    Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

It seems like malformed Kerberos tickets are sent by the PAM stack, maybe? We haven't seen this problem live yet, so it is not clear where the problem lies: in UMC, PAM or in Heimdal. But usually, a UMC restart was enough to make the password change work again.

Important: This bug is not a catchall for all "Errorcode 20" errors. If the UMC output contains "Unable to reach any changepw server in realm", this is not the bug for you.
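
Added example, not part of the original report and not Univention code: a triage script for management-console-server.log that separates the log pattern described above from the excluded "changepw server" case. The 60-second correlation window, the two constructed log lines, and the assumption that the "changepw server" text shows up on the same log line are assumptions made here.

```python
import re
from datetime import datetime, timedelta

# Lines 1-3 are quoted from the report; lines 4-5 are constructed for contrast.
SAMPLE_LOG = """\
18.03.24 07:53:16.995 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
18.03.24 07:53:36.132 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
18.03.24 07:53:36.132 AUTH ( WARN ) : Changing password failed (('Authentication token manipulation error', 20)). Prompts: [('Current Kerberos password: ', 1)]
18.03.24 08:10:02.001 AUTH ( WARN ) : Changing password failed (('Authentication token manipulation error', 20)). Prompts: [('Unable to reach any changepw server in realm EXAMPLE.TEST', 4)]
18.03.24 09:30:00.000 AUTH ( WARN ) : Changing password failed (('Authentication token manipulation error', 20)). Prompts: [('Current Kerberos password: ', 1)]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d+)\s+AUTH\s+"
    r"\(\s*(?P<level>\w+)\s*\)\s*:\s*(?P<msg>.*)$"
)
EXPIRED = "'Authentication token is no longer valid; new one required', 12"
FAILED = "Changing password failed (('Authentication token manipulation error', 20))"
EXCLUDED = "Unable to reach any changepw server in realm"
KRB_PROMPT = "Current Kerberos password"

def triage(log_text, window=timedelta(seconds=60)):
    """Return (timestamp, verdict) for every failed password change (code 20)."""
    last_expired = None  # time of the most recent PAM error 12
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d.%m.%y %H:%M:%S.%f")
        msg = m["msg"]
        if m["level"] == "ERROR" and EXPIRED in msg:
            last_expired = ts
        elif m["level"] == "WARN" and FAILED in msg:
            if EXCLUDED in msg:
                verdict = "excluded: changepw server unreachable"
            elif KRB_PROMPT in msg and last_expired and ts - last_expired <= window:
                verdict = "candidate: matches Bug 57194 log pattern"
            else:
                verdict = "other: Errorcode 20 without this pattern"
            findings.append((m["ts"], verdict))
    return findings

if __name__ == "__main__":
    for ts, verdict in triage(SAMPLE_LOG):
        print(ts, verdict)
```

A "candidate" verdict only means the log lines match the report; the krb5 log still has to show the "Decrypt integrity check failed" message to complete the picture.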