Bypass Active Directory Connection

UCS - Univention Corporate Server
#1

Hello,

We are facing an issue with a univention mail server and an Active Directory 2003 Integration. The problem starts with the error:

root@ucs:/var/log/univention# univention-adsearch cn=ucs-lda
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
kinit: Password incorrect
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 163, in <module>
    get_kerberos_ticket()
  File "/usr/sbin/univention-adsearch", line 156, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
__main__.kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$"

 --- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 839, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1038, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$" (1): kinit: Password incorrect

Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_unix(cron:session): session closed for user root
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_unix(cron:session): session closed for user root
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_unix(cron:session): session closed for user root
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: reconnecting to LDAP server...
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jul  4 13:41:27 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:27 ucs-ldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:auth): check pass; user unknown
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul  4 13:41:27 ucs-ldap python2.7: pam_krb5(univention-management-console:auth): user administrator authenticated as administrator@DOMAIN.DOM
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:account): could not identify user (from getpwnam(administrator))

We have checked the configuration file /etc/machine.secret and the AD user who performs the AD Queries and the password doesn’t match. When we fix the issue the sync starts and the AD Connection works based on the logs but then we have authentication error on Roundcube webmail and email access via outlook with all users to authenticate we get authentication error message.

As a workaround we would like to bypass the AD passwords and change them somehow via the UCS management console. The problem is the UCS doesn’t allow this action because of the AD Integration.

Is there any way to bypass this issue until we replace the mail server? Unfortunately there is no window for tests/interruptions!

image

Thanks in advance,

George

#2

How did you fix the sync issue exactly ? i have a problem with user who are not sync from Active Directory to my server ( LDAP Directory missing users )

Thanks for your help !

#3

Hello,

Unfortunately we haven’t fixed yet this issue
 We changed the ldap query username/password on both Active Directory and Univention at “password-file=/etc/machine.secret” and the replication works after that but when the replication is performed looks like the roundcube/dovecot webmail is getting locked out for some reason and the users can’t log in on their webmail


This could be a bug but not really sure


https://docs.software-univention.de/developer-reference-4.4.html#settings:ldapschema

You can also check your “/var/log/univention/connector-status.log” log file for more details


/var/log/univention# cat connector-status.log

— retry in 30 seconds —
Fri Nov 15 15:12:21 2019
Fri Nov 15 15:12:22 2019
— connect failed, failure was: —
Traceback (most recent call last):
File “/usr/share/pyshared/univention/connector/ad/main.py”, line 303, in main
connect()
File “/usr/share/pyshared/univention/connector/ad/main.py”, line 191, in connect
baseConfig[’%s/ad/listener/dir’ % CONFIGBASENAME]
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 839, in init
self.open_ad()
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 1038, in open_ad
self.get_kerberos_ticket()
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 1016, in get_kerberos_ticket
raise kerberosAuthenticationFailed(‘The following command failed: “%s” (%s): %s’ % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: “kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$” (1): kinit: Password incorrect

I think we must run those univention scripts: 4.4. LDAP secrets

https://docs.software-univention.de/developer-reference-4.4.html#join:serverPassword:example

#4

I m just looking at this password change step on the developer’s manual which says that there should be a cron job for this process
 Unfortunately I can’t find any script into my directory. Is there any into yours? Unfortunately I haven’t found any reference with the default cron scripts into the documentation.

image

I am not sure if anyone has deleted it


image

#5

This is what i see in the file /var/log/univention/connector-status.log

Mon Nov 18 10:43:55 2019
Mon Nov 18 10:43:56 2019
— connect failed, failure was: —
Traceback (most recent call last):
File “/usr/share/pyshared/univention/connector/ad/main.py”, line 303, in main
connect()
File “/usr/share/pyshared/univention/connector/ad/main.py”, line 191, in connect
baseConfig[’%s/ad/listener/dir’ % CONFIGBASENAME]
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 839, in init
self.open_ad()
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 1038, in open_ad
self.get_kerberos_ticket()
File “/usr/lib/pymodules/python2.7/univention/connector/ad/init.py”, line 1016, in get_kerberos_ticket
raise kerberosAuthenticationFailed(‘The following command failed: “%s” (%s): %s’ % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: “kinit --no-addresses --password-file=/etc/machine.secret cloud$” (1): kinit: Password incorrect

— retry in 30 seconds —

It’s always the same error again and again every 30 seconds

So im wondering how to change the password and what is this password exactly ?
Is it the password of the account to sync the active directory ?

How did you change it you ?

How can we retreive this information

Here is my cron.d directory

root@cloud:/etc/cron.d# pwd
/etc/cron.d
root@cloud:/etc/cron.d# ls -la
total 104
drwxr-xr-x 2 root root 4096 Nov 13 11:57 .
drwxr-xr-x 121 root root 12288 Nov 18 10:09 

-rw-r–r-- 1 root root 273 Apr 10 2016 mrtg
-rw-r–r-- 1 root root 712 Jan 1 2017 php
-rw-r–r-- 1 root root 102 May 3 2015 .placeholder
-rw-r–r-- 1 root root 1672 Aug 26 10:54 postgresql
-rw-r–r-- 1 root root 396 May 25 2017 sysstat
-rw-r–r-- 1 root root 637 May 10 2019 univention-config-registry-backup
-rw-r–r-- 1 root root 573 Apr 1 2019 univention-directory-policy
-rw-r–r-- 1 root root 617 Nov 13 11:57 univention-directory-reports-cleanup
-rw-r–r-- 1 root root 707 May 8 2018 univention-home-mounter
-rw-r–r-- 1 root root 589 Nov 12 16:37 univention-ldap
-rw-r–r-- 1 root root 611 Nov 12 16:37 univention-ldap-server
-rw-r–r-- 1 root root 584 Aug 26 10:53 univention-mail-postfix
-rw-r–r-- 1 root root 539 May 8 2018 univention-mrtg
-rw-r–r-- 1 root root 596 Nov 12 16:38 univention-nagios
-rw-r–r-- 1 root root 608 Aug 26 10:53 univention-pam
-rw-r–r-- 1 root root 169 Feb 27 2018 univention-samba
-rw-r–r-- 1 root root 562 Nov 12 15:34 univention-server-master
-rw-r–r-- 1 root root 143 Dec 11 2017 univention-ssl
-rw-r–r-- 1 root root 620 Nov 12 15:34 univention-system-stats
-rw-r–r-- 1 root root 522 May 10 2019 univention-ucr-cronjobs
-rw-r–r-- 1 root root 246 Mar 12 2018 univention-updater
-rw-r–r-- 1 root root 845 Nov 12 15:32 univention-updater-check

Thanks !

#6

Hello,

Yes, your info details look like my issue. I couldn’t get downtime to do some tests so I can’t tell you for sure how to fix it! I assume running those univention scripts for password change I mentioned on the previous should help with this issue to be fixed. Make sure though that you have changed the password on the user into your active directory first before you update the password with the scripts.

It’s always the same error again and again every 30 seconds - This is by default from UCS

So im wondering how to change the password and what is this password exactly ? Using the ldap.secret and machine.secret or running the univention-run-join-scripts

Is it the password of the account to sync the active directory ? yes

How did you change it you ? I have tried to change it into the active directory but still need to take time window to run the scripts

How can we retreive this information - I don’t think we can maybe if you open the txt files from the machine and ldap secret but I would recommend to change it and re-run the scripts

#7

How exactly can i run the univention-run-join-scripts to join it back to my domain

#8

You just type the command with root rights.

image

#9

Ok ive done it but it did not fix anything

root@cloud:~# univention-adsearch CN=Administrator
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
kinit: Password incorrect
Traceback (most recent call last):
File “/usr/sbin/univention-adsearch”, line 163, in
get_kerberos_ticket()
File “/usr/sbin/univention-adsearch”, line 156, in get_kerberos_ticket
raise kerberosAuthenticationFailed(‘The following command failed: “%s”’ % string.join(cmd_block))
main.kerberosAuthenticationFailed: The following command failed: “kinit --no-addresses --password-file=/etc/machine.secret cloud$”
root@cloud:~#

How can we update the user and password that connect to my AD Domain. What if someone change the password of that user. We need to change it on the UCS server too but i don’t find how

root@cloud:~# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright © 2001-2019 Univention GmbH, Germany

Running pre-joinscripts hook(s): done
Running 01univention-ldap-server-init.inst skipped (already exec uted)
Running 02univention-directory-notifier.inst skipped (already exec uted)
Running 03univention-directory-listener.inst skipped (already exec uted)
Running 04univention-ldap-client.inst skipped (already exec uted)
Running 05univention-bind.inst skipped (already exec uted)
Running 08univention-apache.inst skipped (already exec uted)
Running 10univention-ldap-server.inst skipped (already exec uted)
Running 11univention-heimdal-init.inst skipped (already exec uted)
Running 11univention-pam.inst skipped (already exec uted)
Running 15univention-directory-notifier-post.inst skipped (already exec uted)
Running 15univention-heimdal-kdc.inst skipped (already exec uted)
Running 18python-univention-directory-manager.inst skipped (already exec uted)
Running 20univention-directory-policy.inst skipped (already exec uted)
Running 20univention-join.inst skipped (already exec uted)
Running 22univention-directory-manager-rest.inst skipped (already exec uted)
Running 26univention-nagios-common.inst skipped (already exec uted)
Running 26univention-samba.inst skipped (already exec uted)
Running 30univention-appcenter.inst skipped (already exec uted)
Running 30univention-nagios-client.inst skipped (already exec uted)
Running 31univention-nagios-ad-connector.inst skipped (already exec uted)
Running 33univention-portal.inst skipped (already exec uted)
Running 34univention-management-console-server.inst skipped (already exec uted)
Running 35univention-appcenter-docker.inst skipped (already exec uted)
Running 35univention-management-console-module-adconnector.skipped (already exec uted)
Running 35univention-management-console-module-appcenter.inskipped (already exec uted)
Running 35univention-management-console-module-diagnostic.iskipped (already exec uted)
Running 35univention-management-console-module-ipchange.insskipped (already exec uted)
Running 35univention-management-console-module-join.inst skipped (already exec uted)
Running 35univention-management-console-module-lib.inst skipped (already exec uted)
Running 35univention-management-console-module-mrtg.inst skipped (already exec uted)
Running 35univention-management-console-module-quota.inst skipped (already exec uted)
Running 35univention-management-console-module-reboot.inst skipped (already exec uted)
Running 35univention-management-console-module-services.insskipped (already exec uted)
Running 35univention-management-console-module-setup.inst skipped (already exec uted)
Running 35univention-management-console-module-sysinfo.instskipped (already exec uted)
Running 35univention-management-console-module-top.inst skipped (already exec uted)
Running 35univention-management-console-module-ucr.inst skipped (already exec uted)
Running 35univention-management-console-module-udm.inst skipped (already exec uted)
Running 35univention-management-console-module-updater.instskipped (already exec uted)
Running 35univention-server-overview.inst skipped (already exec uted)
Running 36univention-management-console-module-apps.inst skipped (already exec uted)
Running 40univention-postgresql.inst skipped (already exec uted)
Running 40univention-virtual-machine-manager-schema.inst skipped (already exec uted)
Running 50collabora.inst skipped (already exec uted)
Running 50nextcloud.inst skipped (already exec uted)
Running 81univention-ad-connector.inst skipped (already exec uted)
Running 81univention-nfs-server.inst skipped (already exec uted)
Running 90univention-bind-post.inst skipped (already exec uted)
Running 91univention-saml.inst skipped (already exec uted)
Running 92univention-management-console-web-server.inst skipped (already exec uted)
Running 98univention-pkgdb-tools.inst skipped (already exec uted)
Running post-joinscripts hook(s): done

#10

Alright, I think it’s worthy to try the other two scripts for password changes. Check the highlighted part at the image above I posted it.

#11

Hello,

Did you find any solution about this issue?

#12

No :frowning: I really don’t know what to do

#13

Check this if it can help

#14

OK thanks for the reply. How did you manage to change the password on the computer object? Also do you know how to re run the wizard for the adconnector for univention or where is stored in order to change the password? I found yesterday this but isn’t very clear on how to run the commands. There must be a way to re run the ad connect wizard somehow in order to re run the process or some conf file or something in order to change the password.

9.3.3.5. Changing the AD access password

The access data required by the UCS AD Connector for Active Directory are configured via the Univention Configuration Registry variable connector/ad/ldap/binddn and connector/ad/ldap/bindpw . If the password has changed or you wish to use another user account, these variables must be adapted manually. The Univention Configuration Registry variable connector/ad/ldap/binddn is used to configure the LDAP DN of a privileged replication user. This must be a member of the Domain Admins group in the AD. The corresponding password must be saved locally in a file on the UCS system, the name of which must be entered in the Univention Configuration Registry variable connector/ad/ldap/bindpw . The access rights for the file should be restricted so that only the root owner has access. The following commands show this as an example:

eval "$(ucr shell)" echo "Updating ${connector_ad_ldap_bindpw?}" echo "for AD sync user ${connector_ad_ldap_binddn?}" touch "${connector_ad_ldap_bindpw?}" chmod 600 "${connector_ad_ldap_bindpw?}" echo -n "Current AD Syncuser password" > "${connector_ad_ldap_bindpw?}"

https://docs.software-univention.de/manual-4.3.html#ad-connector:ad-connector-einrichtung

I found this also : https://activedirectoryfaq.com/2013/11/reset-computer-account-password-in-active-directory/

netdom resetpwd /s:Domain-Controller /ud: domain administrator /pd:*

I am not sure on how to syntax the command though


Maybe like this?

netdom resetpwd /s:DC1 /ud: *test.dom* ucs-ldap /pd: PASSWORD

#15

On the Univention server run this command and it will give you the password that should be store in the computer object in your AD

root@cloud:/var/log/univention# more /etc/machine.secret
YLEf94FfpGLLKihVC8EH

Then open a powershell windows on your DC and reset the password of the computer object
mine is called “cloud”

Set-ADAccountPassword ‘CN=cloud,CN=Computers,DC=xxx,DC=xxx,DC=xxx,DC=xxx’ -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “YLEf94FfpGLLKihVC8EH” -Force)

After the sync should start again

1 Like
#16

Hi thanks for the update.

We have windows 2003 server unfortunately. Can you tell me how to reset the computer password via cmd?

I found this Ms document but still not sure how to syntax the command:

https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

#17

I don’t know with command line sorry

#18

Use Netdom.exe to Reset a Machine Account Password

  1. Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.

Note This step is not necessary in Windows Server 2008 R2 and in Windows Server 2008 because the Netdom.exe tool is included in these Windows editions.

  1. If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.

Notes

  • After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center (KDC) service and set its startup type back to Automatic. This forces the domain controller that has the incorrect computer account password to contact another domain controller for a Kerberos ticket.
  • You may have to disable the Kerberos Key Distribution Center service on all domain controllers except one. If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems.
  1. Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

  1. At a command prompt, type the following command:

netdom resetpwd /s: server /ud: domain \ User /pd:*

A description of this command is:

  • /s: server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
  • /ud: domain \ User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain \ User format. If this parameter is omitted, the current user account is used.
  • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

netdom resetpwd /s:server2 /ud: mydomain \administrator /pd:*

  1. Restart the server whose password was changed. In this example, this is Server1.
#19

I need to run a command something like this below:

netdom resetpwd /s:ucs-ldap /ud:test.dom \ucs-ldap /pd:KLDdfLNf0R9avVHJWUDF

Where ucs-ldap is the computer object of univention server

The syntax of this command is:

NETDOM COMPUTERNAME machine [UserO:user] [/PasswordO:[password | *]]
[UserD:user] [/PasswordD:[password | *]]
/Add: | /Remove:
| /MakePrimary: |
/Enumerate[:{AlternateNames | PrimaryName | AllNames}] |
/Verify

NETDOM COMPUTERNAME manages the primary and alternate names for a computer.
This command can safely rename a domain controller or a server.

machine The name of the computer whose names are to be managed.

/UserO User account used to make the connection with the machine to be
managed

/PasswordO Password of the user account specified By /UserO. A * means
to prompt for the password

/UserD User account used to make the connection with the domain of
the machine to be managed

/PasswordD Password of the user account specified By /UserD. A * means
to prompt for the password

/Add Specifies that a new alternate name should be added. The new
name must be a fully qualified DNS name(FQDN - computer name
followed by primary DNS suffix, such as comp1.example.com.).

/REMove Specifies that an existing alternate name should be removed.
The name being removed must be a fully qualified DNS
name (FQDN - computer name followed by primary DNS suffix,
such as comp1.example.com.).

/MakePrimary Specifies that an existing alternate name should be made into
the primary name. The name being made primary must be a fully
qualified DNS name (FQDN - computer name followed by primary
DNS suffix, such as comp1.example.com.).

/ENUMerate Lists the specified names. It defaults to AllNames.

/Verify Checks if there is a DNS A record and an SPN for each computer
name.

NETDOM HELP command | MORE displays Help one screen at a time.

Try “NETDOM HELP” for more information.

#20

C:>netdom.exe resetpwd /s:DC1.test.dom /ud:test.dom\ucs-ldap /pd:T24zYJNf0R9avVHJWUSX
The machine account password for the local machine could not be reset.

Logon failure: unknown user name or bad password.

The command failed to complete successfully.

Looks like the password is hased. Need to reset it or find the clear text of the password.

(ConvertTo-SecureString -AsPlainText “YLEf94FfpGLLKihVC8EH” -Force)

Mastodon