Automatic restart of samba fails after server-password-reset

I am running UCS 4.4-2 errata330.
Samba version 4.10.1-Univention

Every three weeks during the regular UCS server password update, samba does not restart properly. A manual restart of samba-ad-dc.service fixes the problem. This has now happened a third time in a row and I am wondering whether this is a bug or just a misconfiguration.

/var/log/univention/server_password_change.log

Starting server password change (Fri Nov 22 01:08:48 CET 2019)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-mail-dovecot prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=ucs,cn=dc,cn=computers,dc=int,dc=ams
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 localchange
Modified 1 records successfully
Changed password OK
Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary postchange
46f02bfa-b7fc-47a7-9ac8-f17bc5161471
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: /usr/lib/univention-server/server_password_change.d/univention-bind exited with return code 1
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-mail-dovecot postchange
File: /etc/dovecot/dovecot-ldap.conf.ext
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password postchange
File: /etc/postgresql/pam_ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
done (Fri Nov 22 01:09:47 CET 2019)

/var/log/samba/log.samba

[2019/11/22 01:09:07.081535,  0, pid=3026] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3026 on SIGTERM
[2019/11/22 01:09:07.118261,  0, pid=3032] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
[2019/11/22 01:09:07.107286,  0, pid=3027] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3032 on SIGTERM
[2019/11/22 01:09:07.081451,  0, pid=27873] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 27873 on SIGTERM
[2019/11/22 01:09:07.096926,  0, pid=3029] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3029 on SIGTERM
  sigterm_signal_handler: Exiting pid 3027 on SIGTERM
[2019/11/22 01:09:07.081497,  0, pid=3033] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
[2019/11/22 01:09:07.180943,  0, pid=3022] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3022 on SIGTERM
[2019/11/22 01:09:07.244787,  0, pid=3028] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3028 on SIGTERM
  sigterm_signal_handler: Exiting pid 3033 on SIGTERM
[2019/11/22 01:09:07.248682,  0, pid=3024] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3024 on SIGTERM
[2019/11/22 01:09:07.307454,  0, pid=3031] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3031 on SIGTERM
[2019/11/22 01:09:07.252228,  0, pid=3030] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3030 on SIGTERM
[2019/11/22 01:09:07.637064,  0, pid=3021] ../../source4/smbd/process_standard.c:84(sigterm_signal_handler)
  sigterm_signal_handler: Exiting pid 3021 on SIGTERM
[2019/11/22 01:09:14.586613,  0, pid=16512] ../../source4/smbd/server.c:587(binary_smbd_main)
  samba version 4.10.1-Univention started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2019/11/22 01:09:19.125797,  0, pid=16514] ../../source4/smbd/server.c:773(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2019/11/22 01:09:19.139151,  0, pid=16514] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'samba' finished starting up and ready to serve connections
[2019/11/22 01:09:19.208656,  0, pid=16604] ../../source4/smbd/service_stream.c:374(stream_setup_socket)
  stream_setup_socket: Failed to listen on ::1:135 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2019/11/22 01:09:19.227962,  0, pid=16604] ../../source4/rpc_server/dcerpc_server.c:3221(add_socket_rpc_tcp_iface)
  service_setup_stream_socket(address=::1,port=135) for epmapper mgmt failed - NT_STATUS_ADDRESS_ALREADY_ASSOCIATEDtask_server_terminate: task_server_terminate: [dcerpc: Failed to initialise end points]
[2019/11/22 01:09:19.229032,  0, pid=16514] ../../source4/smbd/server.c:371(samba_terminate)
  samba_terminate: samba_terminate of samba 16514: dcerpc: Failed to initialise end points

I can identify what the problem is: Port 135 is already used (maybe not freed up yet from the just-terminated process?). Restarting samba at any other point in time works with no errors.

I assume appending the following 3 lines to /usr/lib/univention-server/server_password_change.d/univention-samba4 will “fix” the problem:

if [ "$1" = "postchange" ]; then
	test -x /etc/init.d/samba-ad-dc && /etc/init.d/samba-ad-dc restart
fi

But without really understanding the problem I find the fix very unsatisfactory.

Maybe somebody with a deeper understanding of samba can help me understand why the restart fails.

I can fully confirm this.
It happens regularly and the solution to fix this from juhe looks promising.
I would appreciate any comments from people deeper into SAMBA and UCS-LDAP on this topic.
Any suggestions?

Hubert Köppen
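
A check that could run after the scheduled password change to catch the failed start shown in the log.samba excerpt above, where daemon_ready is logged shortly before samba_terminate. This is an added example, not part of the original posts and not UCS or Samba code; the function names are hypothetical and the sample lines are copied from that excerpt.

```shell
#!/bin/sh
# Added example (not UCS or Samba code): detect a failed samba start in a
# log.samba-format file, e.g. right after the scheduled password change.

# Print "date time pid address:port" for each listen failure.
samba_bind_failures() {
    awk '
        /^\[/ {   # header line: keep timestamp and pid for the message below
            ts = substr($1, 2) " " substr($2, 1, length($2) - 1)
            pid = $0; sub(/.*pid=/, "", pid); sub(/\].*/, "", pid)
            next
        }
        /Failed to listen on .* - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED/ {
            ep = $0
            sub(/.*Failed to listen on /, "", ep); sub(/ - NT_STATUS.*/, "", ep)
            print ts, pid, ep
        }' "$1"
}

# Print the state of the most recent start: started, ready, terminated, unknown.
samba_last_start_state() {
    awk '
        /samba version .* started\./ { state = "started" }
        /daemon_ready:/              { state = "ready" }
        /samba_terminate:/           { state = "terminated" }
        END { print (state == "" ? "unknown" : state) }' "$1"
}

# Sample input: lines taken from the log.samba excerpt in the post above.
write_sample_log() {
    cat > "$1" <<'EOF'
[2019/11/22 01:09:14.586613,  0, pid=16512] ../../source4/smbd/server.c:587(binary_smbd_main)
  samba version 4.10.1-Univention started.
[2019/11/22 01:09:19.139151,  0, pid=16514] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'samba' finished starting up and ready to serve connections
[2019/11/22 01:09:19.208656,  0, pid=16604] ../../source4/smbd/service_stream.c:374(stream_setup_socket)
  stream_setup_socket: Failed to listen on ::1:135 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2019/11/22 01:09:19.229032,  0, pid=16514] ../../source4/smbd/server.c:371(samba_terminate)
  samba_terminate: samba_terminate of samba 16514: dcerpc: Failed to initialise end points
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "last start: $(samba_last_start_state "$log")"
samba_bind_failures "$log"
rm -f "$log"
```

Pointed at /var/log/samba/log.samba, a result of "terminated" together with a non-empty list of endpoints corresponds to the state that needed the manual restart of samba-ad-dc.service.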
