To reconfirm the trust relation between UCS systems, computers need to regularly change the password associated with the machine account. This is controlled through the Univention Configuration Registry variable
For UCS servers this is evaluated by the script /usr/lib/univention-server/server_password_change, which is invoked nightly at 01:00 by cron(8). The interval is controlled through a second Univention Configuration Registry variable, server/password/interval, which defaults to 21 days.
The password is stored in the plain text file
Many long-running services read these credentials only on startup, so they break when the password is changed while they are still running. Therefore UCS provides a mechanism to invoke arbitrary commands when the machine password is changed. This can be used, for example, to restart specific services.
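A sketch of such a command, as an added example that is not shipped with UCS: it restarts a service after a successful change so that the service re-reads the new credentials. It assumes the hook receives the phase (prechange, nochange or postchange) as its first argument; the service name is a hypothetical placeholder, and the location where hooks are installed is not given on this page.

```shell
#!/bin/sh
# Added example, not part of UCS: react to a machine password change.
# Assumption: the hook is called with the phase as its first argument,
# one of prechange, nochange or postchange.

SERVICE="${SERVICE:-example-daemon}"      # hypothetical service name
SERVICE_CTL="${SERVICE_CTL:-systemctl}"   # overridable for dry runs

handle_phase() {
    case "$1" in
        prechange)
            # The old password is still valid; nothing to do yet.
            return 0
            ;;
        nochange)
            # The change did not happen, so the running service still
            # holds valid credentials and must not be disturbed.
            echo "machine password unchanged, leaving $SERVICE alone" >&2
            return 0
            ;;
        postchange)
            # try-restart only restarts a unit that is already running,
            # so a service an administrator stopped on purpose stays down.
            "$SERVICE_CTL" try-restart "$SERVICE"
            ;;
        *)
            echo "usage: $0 {prechange|nochange|postchange}" >&2
            return 2
            ;;
    esac
}

# Dispatch only when a phase was passed on the command line.
[ "$#" -eq 0 ] || handle_phase "$1"
```

Because the hook runs as part of the password change, keep it owned by root and not writable by other users.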
The process is logged at:
It is possible to manually trigger the server password change by changing the interval to -1:
    ucr set server/password/interval=-1
    /usr/lib/univention-server/server_password_change
    ucr set server/password/interval=21    # default