Updating machine account passwords in UCS domains


How are the intervals for updating the passwords of computer accounts configured?


A password is created on the master domain controller master for all computers which join the domain. This password is saved in the LDAP directory as an account password and copied onto the computer in the /etc/machine.secret file. This password is used to authenticate the computer during access to the directory service and is automatically replaced by a newly generated password. The Univention Configuration Registry variable server/password/interval can be used to specify the change interval of the computer account password in days. This value is preconfigured as 21 days. To change the interval for a computer to 14 days, for example, the following command can be run on this computer:

univention-config-registry set server/password/interval=14

The variable is checked daily at 1 a.m. by means of a cron job, which runs the program /usr/lib/univention-server/server_password_change. The cron job can be found under /etc/cron.d/univention-server*.