General information
To reconfirm the trust relation between UCS systems, computers need to regularly change the password associated with their machine account. The interval is controlled through the Univention Configuration Registry variable server/password/interval, which defaults to 21 days. On UCS servers this is evaluated by the script /usr/lib/univention-server/server_password_change, which is invoked nightly at 01:00 by cron(8).
The password is stored in the plain text file /etc/machine.secret.
Many long-running services read these credentials only on startup, which breaks when the password is changed while they are still running. Therefore UCS provides a mechanism to invoke arbitrary commands when the machine password is changed. This can be used, for example, to restart specific services.
Logging
The process is logged at /var/log/univention/server_password_change.log
Manual trigger
It is possible to manually trigger the server password change by setting the interval to -1, running the script, and then restoring the default interval:
ucr set server/password/interval=-1
/usr/lib/univention-server/server_password_change
ucr set server/password/interval=21 (restores the default)
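As an added example (not part of the UCS documentation), the following shell functions implement a monitoring check built on the rotation interval and paths named above: they report when /etc/machine.secret is older than server/password/interval, meaning the nightly change did not happen, and when the plain text secret is readable by other users. It assumes GNU coreutils (stat -c, date +%s); the function names are chosen here.

```shell
#!/bin/sh
# Added example, not UCS's own code: check that the machine account
# password has been rotated within server/password/interval and that
# the plain text secret file is protected. Assumes GNU coreutils.

# secret_age_days FILE: print the age of FILE in whole days.
secret_age_days() {
    mtime=$(stat -c %Y "$1") || return 1
    now=$(date +%s)
    echo $(( (now - mtime) / 86400 ))
}

# secret_mode_ok FILE [OWNER]: 0 if FILE is owned by OWNER (default root)
# and has mode 0600 or 0400, i.e. nobody else can read the secret.
secret_mode_ok() {
    want=${2:-root}
    owner=$(stat -c %U "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$owner" = "$want" ] && { [ "$mode" = 600 ] || [ "$mode" = 400 ]; }
}

# check_rotation FILE INTERVAL_DAYS
# 0: secret within the interval, 1: secret stale, 2: cannot read FILE.
check_rotation() {
    file=$1; interval=$2
    # -1 is the manual-trigger value: the next run changes the password.
    if [ "$interval" -lt 0 ]; then
        echo "interval=$interval: change forced on next run of server_password_change"
        return 0
    fi
    age=$(secret_age_days "$file") || { echo "cannot stat $file"; return 2; }
    if [ "$age" -gt "$interval" ]; then
        echo "STALE: $file is $age days old, interval is $interval days;" \
             "see /var/log/univention/server_password_change.log"
        return 1
    fi
    echo "OK: $file is $age days old (interval $interval days)"
}

# On a UCS system, using the page's paths and UCR variable:
# check_rotation /etc/machine.secret "$(ucr get server/password/interval)"
# secret_mode_ok /etc/machine.secret || echo "WARNING: /etc/machine.secret is readable by others"
```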