Critical: Check kerberos authenticated DNS update after restore

Following my previous thread about an upgrade gone bad, I decided it was quicker and easier to start over and restore from a backup. I followed Cool Solution - Single Server Backup and Restore and was successful, with no errors during the restore process.

I performed a system diagnostic on the new DC Master and I get the error:
Critical: Check kerberos authenticated DNS update (on DC Master)

Errors occured while running `kinit` or `nsupdate`.
`kinit` for principal ad$ with password file /etc/machine.secret failed.

From the thread Critical: Check kerberos authenticated DNS update (on DC Master) I checked with:

```
kinit --password-file=/etc/machine.secret $(hostname)\$
```

The output is:

```
# kinit --password-file=/etc/machine.secret $(hostname)\$
kinit: Password incorrect
# klist
klist: No ticket file: /tmp/krb5cc_0
```

And for some system info:

```
# univention-app info
UCS: 4.4-0 errata137
Installed: google-apps=2.3 pkgdb=11.0 prometheus-node-exporter=1.1 radius=5.0 samba4=4.10 4.3/admin-dashboard=1.2 4.3/prometheus=1.1
```

Where do I go from here? I know @Moritz_Bunkus has worked on threads related to this.

I had this same issue some days ago. I’ve solved it by triggering a machine password change on the affected system:

Thanks, that worked like a charm.


I am trying to trigger the script and I can’t run it. Can you explain how you run it?

If you look in the linked article, just copy/paste this into your shell.


That would not do anything (you have to read the linked article to the end!!!)

You first have to set the password change interval:

```
ucr set server/password/interval=-1
```

and after that reset the interval to the default:

```
ucr set server/password/interval=21
```


