Error UCS Share - Domain member server authentication failed

Domain Member Server Authentication Failure

After a period of use, the domain member server displays an error when logging in via the graphical interface and via Windows SMB. In Windows SMB, when accessing by name:
\\files\Public: it reports an incorrect username and password, even though the user has the correct password and access permissions.

When accessing by IP:
\\10.16.12.252\files\public: Windows cannot access the share.

When attempting to access the domain member server’s management console, the following error appears:
An error occurred
Internal server error.
{'msgtype': 97, 'msgid': 2, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': }

and in the details:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 159, in getter
raise KeyError()
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/tornado/web.py", line 1735, in _execute
result = await result
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/resources.py", line 450, in post
result = await session.authenticate(self.request.body_arguments)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 127, in authenticate
self.set_credentials(**result.credentials)
File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 154, in set_credentials
self._search_user_dn()
File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 165, in _search_user_dn
lo = get_machine_connection(write=False)[0]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 115, in get_machine_connection
return connection()
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 171, in _decorated
kwargs[loarg], kwargs[poarg] = lo, po = getter()
^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 161, in getter
conn = connection()
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 72, in connection
return _getMachineConnection(**kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 78, in getMachineConnection
lo = univention.uldap.getMachineConnection(start_tls, ldap_master=ldap_master)

I tried to perform a direct rejoin as root on the domain member server, but without success.

evidence attached


File "/usr/lib/python3/dist-packages/univention/uldap.py", line 150, in getMachineConnection
return access(host=server, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, reconnect=reconnect)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 239, in __init__
self.__open(ca_certfile)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 357, in __open
self.bind(self.binddn, self.bindpw)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 166, in _decorated
return func(self, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 270, in bind
self.lo.simple_bind_s(self.binddn, self.bindpw)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 993, in simple_bind_s
res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 976, in _apply_method_s
return func(self,*args,**kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 249, in simple_bind_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 543, in result3
resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
^^^^^^^^^^^^^^^^^^^^
ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 2, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': }

Video of the error: https://youtu.be/0beANW412Rc

The currently installed release version is 5.2-5 errata441

The correction was successfully made using the command: univention-join

After that, the shares started working correctly again, both by name and by IP, but it is important to understand the reason for the error and how to prevent it from happening again.

Commands:

root@files:~# dpkg -l univention-bind bind9
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-============-============-=================================
un bind9 (no description available)
un univention-bind (no description available)
root@files:~# univention-join
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2026 Univention GmbH, Germany

Enter Primary Directory Node Account : administrator
Enter Primary Directory Node Password:

Search Primary Directory Node: done
Check Primary Directory Node: done
Stop Samba Server: done
Search ldap/base done
Search LDAP binddn done
Running pre-join hook(s): done
Join Computer Account: done
Stopping univention-directory-notifier daemon: done
Stopping univention-directory-listener daemon: done
Check TLS connection: done
Download host certificate: done
Not updating kerberos/adminserver
Running pre-joinscripts hook(s): done
Configure 03univention-directory-listener.inst done
Configure 04univention-ldap-client.inst done
Configure 08univention-apache.inst done
Configure 11univention-pam.inst done
Configure 18python-univention-directory-manager.inst done
Configure 20univention-directory-policy.inst done
Configure 20univention-join.inst done
Configure 26univention-nagios-common.inst done
Configure 26univention-samba.inst done
Configure 30univention-appcenter.inst done
Configure 30univention-monitoring-client.inst done
Configure 30univention-nagios-client.inst done
Configure 33univention-portal.inst done
Configure 35univention-appcenter-docker.inst done
Configure 35univention-management-console-module-appcenter.done
Configure 35univention-management-console-module-diagnosticdonet
Configure 35univention-management-console-module-join.inst done
Configure 35univention-management-console-module-lib.inst done
Configure 35univention-management-console-module-quota.instdone
Configure 35univention-management-console-module-reboot.insdone
Configure 35univention-management-console-module-services.idone
Configure 35univention-management-console-module-setup.instdone
Configure 35univention-management-console-module-sysinfo.indone
Configure 35univention-management-console-module-top.inst done
Configure 35univention-management-console-module-ucr.inst done
Configure 35univention-management-console-module-updater.indone
Configure 36univention-management-console-module-apps.inst done
Configure 49univention-keycloak-client.inst done
Configure 81univention-nfs-server.inst done
Configure 92univention-management-console-web-server.inst done
Configure 98univention-pkgdb-tools.inst done
Running post-joinscripts hook(s): done
root@files:~#

Hi agustavo,

I guess this is our server-password-change (by default every 21 days) changing the server password. If this fails, you may get these consequences. You can deactivate the server-password-change:

Or you can check
/var/log/univention/server_password_change.log

With

zgrep 'Proceeding with regular server password change scheduled for today' /var/log/univention/server_password_change.log*

you get the relevant log files.

Hope that helps!

Christina Charlotte

Hello, thank you very much for your reply. I will monitor and follow up in case the error returns.

The configuration change you indicated:

ucr set server/password/change=false

should it be made on the master DC or only on the domain member server that reported the error?

Thank you in advance for your support.

Hi,

You should do that on the member server, the server which gets the issue after the server password change. Then the server will not change its password anymore.

Greetings
Christina Charlotte

This isn't a user/password issue — it's the UCS (Univention Corporate Server) ad-connection machine trust breaking.

The INVALID_CREDENTIALS in getMachineConnection() usually means the domain member's machine account password is out of sync or the join state is broken.

Quick fix path:

  • check join status (univention-check-join-status)
  • re-run join scripts (univention-run-join-scripts --force)
  • if still failing → rejoin the server cleanly (most reliable fix)

Also double-check DNS and system time, but 90% of the time this is just a broken machine account sync.
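The traceback in the first post fails at the same point a manual machine-account bind would: univention.uldap.getMachineConnection() does a simple bind with ucr ldap/hostdn and the password in /etc/machine.secret. The script below is an added diagnostic, not code from the thread or from Univention; it reproduces that bind, then runs the checks from the two replies above (join status, the server-password-change log, the rotation settings). It assumes a stock UCS member server where ucr, univention-ldapsearch (which binds as the machine account) and univention-check-join-status exist, and that server/password/change and server/password/interval are the UCR variables controlling the rotation (the first is quoted in the thread, the second is assumed).

```shell
#!/bin/sh
# Added diagnostic for a UCS domain member whose machine-account LDAP bind
# fails with ldap.INVALID_CREDENTIALS (result 49). Not part of the thread.
# Assumes a UCS host with ucr, univention-ldapsearch, univention-check-join-status
# and /etc/machine.secret (the machine account password) in place.

# Map an ldapsearch exit status (it exits with the LDAP result code) to what
# it means for the join state. Pure function, so it is usable anywhere.
ldap_rc_meaning() {
    case "$1" in
        0)   echo "machine bind OK: /etc/machine.secret matches the LDAP entry" ;;
        49)  echo "INVALID_CREDENTIALS: machine password out of sync, rejoin needed" ;;
        32)  echo "NO_SUCH_OBJECT: host entry missing from LDAP" ;;
        255) echo "cannot contact LDAP server: check DNS, port 7389 and firewall" ;;
        *)   echo "LDAP error $1: see ldapsearch(1)" ;;
    esac
}

# Bind to the Primary Directory Node as the machine account, the way
# getMachineConnection() does. univention-ldapsearch already uses
# ldap/hostdn and /etc/machine.secret, so a base search on the host's own
# DN succeeds only if the local secret is still the one LDAP knows.
bind_as_machine() {
    hostdn=$(ucr get ldap/hostdn)
    univention-ldapsearch -LLL -b "$hostdn" -s base dn >/dev/null 2>&1
    echo $?
}

diagnose() {
    rc=$(bind_as_machine)
    echo "machine bind: $(ldap_rc_meaning "$rc")"

    echo "--- join status (non-zero means pending or broken join scripts)"
    univention-check-join-status || echo "join status: NOT OK"

    echo "--- last regular server password changes (from the reply above)"
    zgrep -h 'Proceeding with regular server password change scheduled for today' \
        /var/log/univention/server_password_change.log* 2>/dev/null | tail -n 3

    echo "--- rotation settings (server/password/interval is assumed, in days)"
    echo "server/password/change=$(ucr get server/password/change)"
    echo "server/password/interval=$(ucr get server/password/interval)"

    echo "--- local clock (Kerberos tolerates only small skew; compare with the Primary)"
    date -u
}

# Only run the live checks on a real UCS host; the functions stay usable elsewhere.
if command -v ucr >/dev/null 2>&1 && [ -r /etc/machine.secret ]; then
    diagnose
fi
```

Run it as root on the member server before rejoining: a 49 from the machine bind confirms the password desync the last reply describes, while a 0 with shares still failing points at Samba, DNS or time rather than the join. Disabling the rotation with server/password/change=false stops the symptom but leaves the machine password static indefinitely; keeping rotation on and watching this log for failed runs is the safer long-term setting.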