UCS server uses it’s machine account (hostname$) to authenticate against windows active directory.

All 21 days, UCS changes its machine account password. Sometimes this step can fail.

You will notice it having an eye on


and the obvious, univention-adsearch fails and no changes in AD will make it into the UCS system anymore.

UCS store its machine account password in the obvious file


If the secret still works against AD can be checked with

kinit --password-file=/etc/machine.secret $(hostname)

kinit: Password incorrect

The best solution is to simply change the password for the machine account in windows AD.

Get a powershell as admin and enter:

Set-ADAccountPassword "CN=mailserver,CN=Computers,DC=domain,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText „kennwort-aus-/etc/machine.secret“ -Force)

Categories: Blog