Accidentally edit /etc/machine.secret

I have problem with /etc/machine.secret becasue I try to fix my adconnector and I accidentally edit /etc/machine.secret, right now I can not login as root or administrator on Univention management and can’t login OX Appsuite
I try to univention-ldapsearch
Out put is

root@email:~# univention-ldapsearch
ldap_bind: Invalid credentials (49)

I try

udm computers/domaincontroller_master modify \
 --dn "$(ucr get ldap/hostdn)" --set password="$pass"
echo -n "$pass" >/etc/machine.secret
echo "$pass" >/etc/libnss-ldap.secret

But still not working
Is there any solution to regenerate /etc/machine.secret
Thank you
Best regards


did your try to reset the password for the users “root” and “Administrator” with the udm command?

I doubt it will work as your above command indeed are correct and should work.

What does ucr get ldap/hostdn say?


Not yet try to reset password

I try again

root@email:~# univention-ldapsearch
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

It seem no password in machine.secret

root@email:~# ucr get ldap/hostdn

Thank you


try to run the join script again which usually creates the machine.secret:

univention-run-join-scripts --ask-pass -dcaccount administrator --force --run-scripts 10univention-ldap-server.inst

If this does not work, do the following:

udm computers/domaincontroller_master modify --dn "$(ucr get ldap/hostdn)" --set password=$password
echo -n $password > /etc/machine.secret
chmod 0600 /etc/machine.secret

If this does not work I am out of options or there might be some additional issue on your system.

It asks for DC Master Password where I can fiind the password?

Well, this is the password you assigned during installation.

The password of your user “Administrator”.

If you forgot this, too you might need to acquire some more experience in administrating server operation systems.

Otherwise you have a chance to reset by this way:
First, get DN of administrator:

root@master:~# udm users/user list --filter uid=Administrator | grep "DN:"
DN: uid=Administrator,cn=users,dc=multi,dc=de

Use this dn to reset the password for the account:

root@master:~# udm users/user modify --dn="uid=Administrator,cn=users,dc=multi,dc=ucs" --set password="never_before_used_password"


result is

root@email:~# univention-run-join-scripts --ask-pass -dcaccount administrator --force --run-scripts 10univention-ldap-server.inst
Enter DC Master Password:

Search LDAP binddn Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

* Running join scripts failed!                                           *
* Message:  binddn for user administrator not found

I use Root passord for DC Master Password

root@email:~# udm users/user modify --dn="uid=Administrator,cn=users,dc=pluscard,dc=com" --set password="NewPassword"
Value may not change: key=password old={KINIT} new=NewPassword


root@email:~# password="1234QWERasdf"
root@email:~# udm computers/domaincontroller_master modify --dn $(get ldap/hostdn) --set password=$password
-bash: get: command not found
LDAP Error: Invalid DN syntax: invalid DN: --set
root@email:~# echo -n $password > /etc/machine.secret
root@email:~# chmod 0600 /etc/machine.secret


my fault. Typo.


udm computers/domaincontroller_master modify --dn "$(ucr get ldap/hostdn)"  --set password=$password
echo -n $password > /etc/machine.secret
chmod 0600 /etc/machine.secret
1 Like

It works now for login UMC management for Root and Administrator user but I can’t login into OX Appsuite


I have no clue about OX.

Possibly you might need to re-run the join scripts?

univention-run-join-scripts --force




You are not supposed to do a

univention-run-join-scripts --force

on a DC master /primary! This will cause more damage than it heals

There are two failed and still not work

root@email:~# univention-run-join-scripts --force
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2018 Univention GmbH, Germany

Running 01univention-ldap-server-init.inst                 done
Running 02univention-directory-notifier.inst               done
Running 03univention-directory-listener.inst               done
Running 04univention-ldap-client.inst                      done
Running 05univention-bind.inst                             done
Running 08univention-apache.inst                           done
Running 10univention-ldap-server.inst                      failed (exitcode: 3)
Running 11univention-heimdal-init.inst                     done
Running 11univention-pam.inst                              done
Running 15univention-directory-notifier-post.inst          done
Running 15univention-heimdal-kdc.inst                      done
Running 18python-univention-directory-manager.inst         done
Running 20univention-directory-policy.inst                 done
Running 20univention-join.inst                             done
Running 26univention-nagios-common.inst                    done
Running 26univention-samba.inst                            failed (exitcode: 2)
Running 30univention-appcenter.inst                        done
Running 30univention-nagios-client.inst                    done
Running 31univention-nagios-ad-connector.inst              done
Running 33univention-portal.inst                           done
Running 34univention-management-console-server.inst        done
Running 34univention-self-service.inst                     done
Running 35univention-appcenter-docker.inst                 done
Running 35univention-management-console-module-adconnector.done
Running 35univention-management-console-module-appcenter.indone
Running 35univention-management-console-module-diagnostic.idone
Running 35univention-management-console-module-ipchange.insdone
Running 35univention-management-console-module-join.inst   done
Running 35univention-management-console-module-lib.inst    done
Running 35univention-management-console-module-mrtg.inst   done
Running 35univention-management-console-module-pkgdb.inst  done
Running 35univention-management-console-module-quota.inst  done
Running 35univention-management-console-module-reboot.inst done
Running 35univention-management-console-module-services.insdone
Running 35univention-management-console-module-setup.inst  done
Running 35univention-management-console-module-sysinfo.instdone
Running 35univention-management-console-module-top.inst    done
Running 35univention-management-console-module-ucr.inst    done
Running 35univention-management-console-module-udm.inst    done
Running 35univention-management-console-module-updater.instdone
Running 35univention-self-service-passwordreset-umc.inst   done
Running 35univention-server-overview.inst                  done
Running 36univention-management-console-module-apps.inst   done
Running 38univention-management-console-module-oxldb.inst  done
Running 40univention-postgresql.inst                       done
Running 40univention-virtual-machine-manager-schema.inst   done
Running 50univention-pkgdb.inst                            done
Running 65univention-ox.inst                               done
Running 67univention-mail-server.inst                      done
Running 81univention-ad-connector.inst                     done
Running 81univention-nfs-server.inst                       done
Running 82univention-mail-dovecot.inst                     done
Running 90univention-bind-post.inst                        done
Running 91univention-saml.inst                             done
Running 92univention-management-console-web-server.inst    done
Running 98univention-pkgdb-tools.inst                      done

Any hints in join.log?

I try to rejoin to get log

univention-run-join-scripts started
Fri Oct 26 15:14:35 +07 2018

RUNNING 10univention-ldap-server.inst
2018-10-26 15:14:35.723863770+07:00 (in joinscript_init)
Adding SRV record "ldap tcp 0 100 7389" to zone
Adding ZONE record " 1 28800 10800 604800 108001" to zone 10.0.200...
Adding SRV record "domaincontroller_master tcp 0 0 0" to zone
Object exists: cn=Univention,cn=packages,cn=univention,dc=domain,dc=com
Object exists: cn=Fernwartung,cn=packages,cn=univention,dc=domain,dc=com
Object exists: cn=Tools,cn=packages,cn=univention,dc=domain,dc=com
Object exists: cn=Multimedia,cn=packages,cn=univention,dc=domain,dc=com
Object exists: cn=Entwicklung,cn=packages,cn=univention,dc=domain,dc=com
LDAP Error: Type or value exists: modify/add: uniqueMember: value #0 already exists

__JOINERR__:FAILED: /usr/lib/univention-install/10univention-ldap-server.inst

Fri Oct 26 15:15:06 +07 2018
univention-run-join-scripts finished

cp: cannot stat '': No such file or directory

univention-run-join-scripts started
Fri Oct 26 15:16:29 +07 2018

RUNNING 26univention-samba.inst
2018-10-26 15:16:29.882328966+07:00 (in joinscript_init)
INFO: Cannot run joinscript in memberserver mode without join credentials. Please run:
	univention-run-join-scripts --ask-pass
to complete the domain join.

Fri Oct 26 15:16:30 +07 2018
univention-run-join-scripts finished

I try to run join scrip with other account(Admin permission) by

univention-run-join-scripts --ask-pass -dcaccount management --force --run-scripts 26univention-samba.inst
root@email:~# univention-run-join-scripts --ask-pass -dcaccount management --force --run-scripts 26uni                             vention-samba.inst
Enter DC Master Password:

Search LDAP binddn ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Insufficient access (50)

* Running join scripts failed!                                           *
* Message:  binddn for user management not found
root@email:~# univention-run-join-scripts --ask-pass -dcaccount root --force --run-scripts 26univentio                             n-samba.inst
Enter DC Master Password:

Search LDAP binddn Insufficient access (50)

* Running join scripts failed!                                           *
* Message:  binddn for user root not found

Now I can’t login into UMC again after reboot server, I can only login with Root user

I dunno what you are doing on your site. My posted command does not have any links to the administrator user account properties.

I have seen you where trying to use an account named “management” instead of administrator. It is very difficult to help when steps are mixed up.

And when you get different information. Some posts before your wrote:

It works now for login UMC management for Root and Administrator user but I can’t login into OX Appsuite

So I have no clue what you are currently trying to do and which username you are using.


I just try another user to run join script because I try to run as Administrator user there is an error

What tells us::

univention-ldapsearch "uid=administrator"