Manually trigger server password change

ucs-4


General information

To reconfirm the trust relation between UCS systems, computers need to regularly change the password associated with the machine account. This is controlled through the Univention Configuration Registry variable server/password/change.

For UCS servers this is evaluated by the script /usr/lib/univention-server/server_password_change, which is invoked nightly at 01:00 by cron(8). The interval is controlled through a second Univention Configuration Registry variable, server/password/interval, which defaults to 21 days.

The password is stored in the plain text file /etc/machine.secret.

Many long-running services read these credentials only on startup, so they break when the password is changed while they are still running. Therefore UCS provides a mechanism to invoke arbitrary commands when the machine password is changed. This can be used, for example, to restart specific services.

Logging

The process is logged at:

/var/log/univention/server_password_change.log

Manual trigger

It is possible to manually trigger the server password change by changing the interval to -1:

ucr set server/password/interval=-1
/usr/lib/univention-server/server_password_change
ucr set server/password/interval=21  # restore the default
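
A wrapper around the three steps above, as an added example rather than Univention's own tooling: it restores whatever interval was configured before (instead of hard-coding 21) even when the change script fails, and confirms the rotation by comparing a SHA-256 digest of /etc/machine.secret before and after. The function names and the UCR, CHANGE_SCRIPT and SECRET override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Univention tooling. Defaults are the paths from the
# article; UCR, CHANGE_SCRIPT and SECRET are assumed override hooks so the
# logic can be exercised against stand-ins. Run as root on a real host.
UCR=${UCR:-ucr}
CHANGE_SCRIPT=${CHANGE_SCRIPT:-/usr/lib/univention-server/server_password_change}
SECRET=${SECRET:-/etc/machine.secret}

# Fingerprint of the secret file; the secret itself is never printed.
secret_digest() {
    [ -r "$SECRET" ] || return 1
    sha256sum < "$SECRET" | cut -d' ' -f1
}

rotate_machine_secret() {
    old_interval=$("$UCR" get server/password/interval)
    before=$(secret_digest) || { echo "cannot read $SECRET" >&2; return 2; }

    "$UCR" set server/password/interval=-1 >/dev/null || return 2
    rc=0
    "$CHANGE_SCRIPT" || rc=$?

    # Put back whatever was configured before, even if the change failed,
    # so the host is not left with the forcing value -1.
    if [ -n "$old_interval" ]; then
        "$UCR" set "server/password/interval=$old_interval" >/dev/null
    else
        "$UCR" unset server/password/interval >/dev/null
    fi

    if [ "$rc" -ne 0 ]; then
        echo "change script failed (rc=$rc), see server_password_change.log" >&2
        return 1
    fi
    if [ "$(secret_digest)" = "$before" ]; then
        echo "change script succeeded but $SECRET is unchanged" >&2
        return 1
    fi
    echo "machine secret rotated; interval restored to ${old_interval:-unset}"
}

# Only act when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    rotate_machine_secret
fi
```

Invoke it with `--run` as the only argument; a non-zero exit means the log file named under Logging should be checked before services that depend on the machine account are restarted.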
