A UCS server uses its machine account (hostname$) to authenticate against Windows Active Directory.

Every 21 days, UCS changes its machine account password. Sometimes this step fails.

You will notice this when keeping an eye on

/var/log/univention/server_password_change.log

and, more obviously, because univention-adsearch fails and changes made in AD no longer reach the UCS system.

UCS stores its machine account password in the file

/etc/machine.secret

Whether the secret still works against AD can be checked with:

kinit --password-file=/etc/machine.secret 'hostname$'

If the passwords have gone out of sync, kinit answers:

kinit: Password incorrect

The best solution is to simply change the password for the machine account in windows AD.

Get a powershell as admin and enter:

Set-ADAccountPassword 'CN=mailserver,CN=Computers,DC=MYDOMAIN,DC=local' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "HERE-GOES-THE-CONTENT-FROM-MACHINE.SECRET.FILE" -Force)
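As an added example (not from the original post), the same reset wrapped in a small PowerShell function that reads the secret from a copy of /etc/machine.secret instead of pasting it on the command line, where it would end up in the PowerShell history file, and then confirms that the account's PasswordLastSet actually moved. The DN is the one from the post; the function name and the path C:\temp\machine.secret are assumptions.

```powershell
# Added example: reset a UCS machine account's AD password from the contents of
# /etc/machine.secret copied to this Windows host. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Sync-UcsMachineSecret {
    param(
        # DN of the UCS computer object in AD
        [Parameter(Mandatory)] [string] $ComputerDN,
        # Local copy of the UCS host's /etc/machine.secret (path is an assumption)
        [Parameter(Mandatory)] [string] $SecretFile
    )

    $before = (Get-ADComputer -Identity $ComputerDN -Properties PasswordLastSet).PasswordLastSet

    # UCS keeps the secret as a single line; strip any trailing newline so the AD
    # password is byte-for-byte what kinit reads from the file on the UCS side.
    $plain = (Get-Content -Path $SecretFile -Raw)
    if ([string]::IsNullOrWhiteSpace($plain)) {
        throw "$SecretFile is empty; refusing to set an empty machine password"
    }
    $plain  = $plain.TrimEnd("`r", "`n")
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null

    Set-ADAccountPassword -Identity $ComputerDN -Reset -NewPassword $secure

    # Verify the reset took effect rather than assuming it did.
    $after = (Get-ADComputer -Identity $ComputerDN -Properties PasswordLastSet).PasswordLastSet
    if ($null -ne $before -and $after -le $before) {
        throw "PasswordLastSet did not advance for $ComputerDN; the reset did not take effect"
    }
    return $after
}

# Assumed: the file was copied from the UCS host to C:\temp\machine.secret beforehand.
$stamp = Sync-UcsMachineSecret -ComputerDN 'CN=mailserver,CN=Computers,DC=MYDOMAIN,DC=local' `
                               -SecretFile 'C:\temp\machine.secret'
"Password reset; PasswordLastSet is now $stamp"
Remove-Item 'C:\temp\machine.secret'   # do not leave a copy of the secret on the admin host
```

After the reset, the kinit check from above should succeed again on the UCS host.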
