AD Member Sync Problem


I am currently using UCS 5.0-3 errata622 connected as an active directory member.
The users and groups are synced from AD to UCS.

Some months ago, I had some problems with the sync not working anymore, which I ultimatly fixed by resetting the AD-computer account password to the one in /etc/machine.secret
(I probably did some other changes but I cannot list them now)

Now I have a strange problem:
(for testing purposes I have changed the server/password/interval setting to 7 days)
I can see that UCS changes the password in /etc/machine.secret but not the AD computer account, so the sync breaks and i get those errors:

 sudo tail -n 25 /var/log/univention/connector-ad-status.log
  File "/usr/lib/python3/dist-packages/univention/connector/ad/", line 677, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (' '.join(cmd_block), p1.returnco                       de, stdout.decode('UTF-8', 'replace'))) The following command failed: "kinit --no-addresses --password-fil                       e=/tmp/tmpqe16mlqb ucs-nextcloud$" (1): kinit: Password incorrect

Now when I put the old AD-computer password in /etc/machine.secret, the sync works again but there are some other auth issues for example when using sudo with a domain admin user…

sudo: Fehler beim PAM-Account-Management: Berechtigungsnachweis für Zugriff auf Authentifizierungsdaten nicht ausreichend: 

… or trying to login to the ucs management webinterface.

Any ideas? Thanks