Univention-ldapsearch : Invalid credentials (49)

I have searched and searched but cannot find anything in the forums that answers my question here.
I have a very basic UCS set up, just two UCS servers, one primary with file server, the other secondary with mail server - nothing else.
Somehow, I have messed up my primary server so now absolutely nothing works - I can’t log in as any domain users via samba, web-console, ssh, etc.; only root via ssh works. I think this had something to do with me accidentally removing the kernel (silly mistake, but I reinstalled the kernel and the system boots) or an apt autoremove. Not sure which did it, but since then this problem has occurred.

If I try to run something like univention-ldapsearch, I get the response ldap_bind: Invalid credentials (49)
univention-check-join-status errors with Error: ldapsearch -x failed
and if I try to run univention-run-join-scripts --ask-pass -dcaccount administrator --force --run-scripts 10univention-ldap-server.inst I get the response Message: binddn for user administrator not found

However, running kinit administrator and entering the password works and klist works after that too.

So something is messed up. I think it has something to do with the machine.secret not matching, but I can’t reset that via udm as I get an “Authentication failed” error.

Can anybody help me with what I can check next? I believe all services are running and it’s just a computer authentication issue, but if you think otherwise I’m happy to check other things.

Thanks for your help!

Hey pswilde,

Maybe “Q&A: How can I change the machine password from my ucs master?” is of any help for you?
If the autoremove deinstalled necessary packages and this caused the problem, there is not much to do without looking at your server in detail. Did the credential issue occur immediately after the deinstallation?

Best regards

Thanks for your reply. I have been through that Q&A already.
Unfortunately, the udm command it details results in the error “authentication error: Authentication failed”.
Yes, I believe the credential issue did occur fairly immediately.
I’m thinking I’m going to need to reinstall this server. Is there any way I can reinstall as a primary, but use my secondary/backup server as a means to provide the current schema to the new primary?
It’s not a big network, I can recreate, just a bit of a pain.

I get the same message since yesterday. The server was unattended. Not sure if there was an update or not.
I’ve just updated from err373 to err377.

While the udm command is working and I can set a password this way, I still can’t connect to the LDAP server for a password change:
failed to contact LDAP server: cannot connect with univention-ldapsearch

(Not sure if I’m hijacking this thread, if it is just a timely coincidence.)

Ok, I’ve got mine fixed with the help above plus this one from the forum search

ppolicy setting was the way.