Samba-tool user setpassword... leads to univention-s4search and samba-tool drs showrepl shows error messages

Continuing the discussion from Problem: univention-s4search and samba-tool drs showrepl shows error messages:

Our problem is that Samba has the wrong password:

root@pdc:~# kinit --password-file=/etc/machine.secret 'pdc$'
kinit: Password incorrect

Now, when we try to set it:

samba-tool user setpassword 'pdc$' --newpassword=$(< /etc/machine.secret)

then the msDS-KeyVersionNumber in /var/lib/samba/private/secrets.ldb and
/var/lib/samba/private/sam.ldb differ. Setting the msDS-KeyVersionNumber
to the higher number from sam.ldb in secrets.ldb does NOT help:

root@pdc:~# univention-s4search
Wrong username or password: kinit for pdc$@xxxxxxx.xxx.DE failed (Preauthentication failed)

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldaps://pdc.intern.izt.de' with backend 'ldaps': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to ldaps://pdc.xxxxxxx.xxx.de - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>

Any hints on how to resolve this problem?

Ciao; Gregor

Hi,

have you tried the server-password-change on the server?

If this is not working anymore because /etc/machine.secret is no longer valid on the master, you may also set the secret for the server account. You can use the solution from this article, but only in case the server-password-change fails!

Hi,

The problem is that server-password-change does not work: when the scripts in pdc:/usr/lib/univention-server/server_password_change.d/ are run, the password change for samba breaks and in consequence the whole procedure is rolled back.

If we instead try to change the password manually the problem is the same: Samba does not accept the password. And we do not know why.

Wild guess: Might it be the case that the password is checked against the samba password policy and this fails?

Thanks for your attention, Gregor

Hi,

if you have set the complexity for the machine.secret, there could be some characters in the credentials file that samba does not like.

 ucr info machine/password/complexity
machine/password/complexity: <empty>
 The machine passwords are generated with the tool pwgen. This variable configures the parameters used during generation (see 'man pwgen'). If the variable is unset, 'scn' applies.

But this would be no problem for the second password change.
So maybe you can provide the logfile from the server-password-change; there might be some hints there.


Doing a manual server-password change is a little bit tricky, because after you have changed the password via samba-tool you have to set the new secret manually. Samba does not read /etc/machine.secret automatically; it uses a separate file for this, which you can edit via ldbedit / ldbmodify (not ldapmodify!):
If you change the password manually, then the msDS-KeyVersionNumber must be adjusted here directly so that it matches the value in sam.ldb. Samba automatically increments the value in sam.ldb by one each time the password hash is changed. If you change the password in secrets.ldb you have to increase the msDS-KeyVersionNumber stored there directly in the same step.

  1. Get the msDS-KeyVersionNumber from sam.ldb:
ldbsearch -H /var/lib/samba/private/sam.ldb \
"samaccountname=$(hostname)\$" msDS-KeyVersionNumber
  2. Get the current machine.secret:
cat /etc/machine.secret; echo
  3. Get the flatname (the UCR variables must be evaluated first, then the dn is printed):
eval "$(ucr shell)"; echo "dn: flatname=$windows_domain,cn=Primary Domains"
  4. Modify the entry, filling in your dn, the msDS-KeyVersionNumber from the sam.ldb output and the new secret:
ldbmodify -H /var/lib/samba/private/secrets.ldb <<%EOR
dn: flatname=SCHEIN,cn=Primary Domains
changetype: modify
replace: secret
secret: 6M3aeXgX8qfwTFF8Q68M
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: 1
%EOR
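The procedure above boils down to keeping the machine account's msDS-KeyVersionNumber in secrets.ldb equal to the one in sam.ldb. The following script is an added example, not code from this thread or from Univention: it parses the ldbsearch output for that attribute, compares the two databases, and generates the ldbmodify LDIF of step 4 when they disagree. It assumes the thread's database paths and flatname SCHEIN; the sample ldbsearch output is constructed, and only the two live helpers need samba's ldbsearch.

```shell
# Added example (not from the thread or Univention). Assumes the thread's
# paths and flatname SCHEIN; SAMPLE_* below is constructed ldbsearch output.
# Pull the first msDS-KeyVersionNumber out of LDIF-style ldbsearch output (stdin).
kvno_from_ldif() {
    sed -n 's/^msDS-KeyVersionNumber: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}
# Live queries against the two databases (need samba's ldbsearch on the host).
sam_kvno() {
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        "samAccountName=$(hostname)\$" msDS-KeyVersionNumber | kvno_from_ldif
}
secrets_kvno() {
    ldbsearch -H /var/lib/samba/private/secrets.ldb \
        "samAccountName=$(hostname)\$" msDS-KeyVersionNumber | kvno_from_ldif
}
# True (exit 0) only when both values are present and equal.
kvno_in_sync() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ]
}
# LDIF for ldbmodify: $1 flatname, $2 new secret, $3 kvno taken from sam.ldb.
build_secrets_ldif() {
    printf 'dn: flatname=%s,cn=Primary Domains\nchangetype: modify\n' "$1"
    printf 'replace: secret\nsecret: %s\n-\n' "$2"
    printf 'replace: msDS-KeyVersionNumber\nmsDS-KeyVersionNumber: %s\n' "$3"
}
# Constructed sample output of the two ldbsearch calls (not real data).
SAMPLE_SAM='dn: CN=PDC,CN=Computers,DC=intern,DC=example,DC=de
msDS-KeyVersionNumber: 7'
SAMPLE_SECRETS='dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 5'
# Offline walk-through on the samples; prints the fix-up LDIF on a mismatch.
# The secret is read from /etc/machine.secret, with a placeholder if unreadable.
demo() {
    sam=$(printf '%s\n' "$SAMPLE_SAM" | kvno_from_ldif)
    sec=$(printf '%s\n' "$SAMPLE_SECRETS" | kvno_from_ldif)
    if kvno_in_sync "$sam" "$sec"; then
        echo "in sync: msDS-KeyVersionNumber $sam in both databases"
    else
        echo "mismatch: sam.ldb=$sam secrets.ldb=$sec; feed this to ldbmodify -H /var/lib/samba/private/secrets.ldb:"
        build_secrets_ldif SCHEIN "$(cat /etc/machine.secret 2>/dev/null || echo NEW-SECRET-PLACEHOLDER)" "$sam"
    fi
}
# Run the offline demonstration with: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

On a real server, replace the sample variables with the output of sam_kvno and secrets_kvno; a non-zero difference is the symptom the thread describes (kinit preauthentication failure for the machine account).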

Hi, thanks for your advice, which worked.

But we still have problems. I did:

samba-tool user setpassword 'pdc'$ --newpassword=$(< /etc/machine.secret)

and then steps 1-3 from your list. The 3rd step produced an empty $windows_domain.

I got the correct value for $windows_domain via

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=pdc$' msDS-KeyVersionNumber

Question: Is it a problem that $windows_domain is not set? And if so: how do we set it?

I then did your 4th step and it succeeded with “Modified 1 records successfully”. After that several tests succeeded:

kinit --password-file=/etc/machine.secret 'pdc$'

gave no output,

klist

gave a ticket,

ldapsearch -xZZ -D $(ucr get ldap/hostdn) -y /etc/machine.secret -s base
univention-ldapsearch
univention-s4search

were all successful. Thanks for that.

But then

/usr/lib/univention-server/server_password_change

failed like so:

[...]
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=pdc,cn=dc,cn=computers,dc=intern,dc=izt,dc=de
ldap_bind: Invalid credentials (49)
[...]
ldap_bind: Invalid credentials (49)
authentication error: Authentication failed
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server nochange
[...]

Wild guess: Is it possible that some samba password policy does not accept the password?

Thanks for your help, Gregor
