UCS server uses it’s machine account (hostname$) to authenticate against windows active directory.
All 21 days, UCS changes its machine account password. Sometimes this step can fail.
You will notice it having an eye on
and the obvious, univention-adsearch fails and no changes in AD will make it into the UCS system anymore.
UCS store its machine account password in the obvious file
If the secret still works against AD can be checked with
kinit --password-file=/etc/machine.secret $(hostname)
kinit: Password incorrect
The best solution is to simply change the password for the machine account in windows AD.
Get a powershell as admin and enter:
Set-ADAccountPassword "CN=mailserver,CN=Computers,DC=domain,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText „kennwort-aus-/etc/machine.secret“ -Force)