diff --git a/base/univention-server/server_password_change b/base/univention-server/server_password_change
index 99ea147498..362efee411 100755
--- a/base/univention-server/server_password_change
+++ b/base/univention-server/server_password_change
@@ -178,10 +178,7 @@ echo -n "$new_password" >/etc/machine.secret
 chmod 600 /etc/machine.secret
 [ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3
-# change samba password locally
-run-parts --verbose --arg localchange --regex '^univention-samba4' -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
-# if samba-tool user setpassword fails, reset the old password.
-if [ $? != 0 ]; then
+revert_password_change() {
 # Reset to the old password with UDM
 /usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3
@@ -192,7 +189,14 @@ if [ $? != 0 ]; then
 # run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
 run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
+}
+
+# change samba password locally
+run-parts --verbose --arg localchange --regex '^univention-samba4' -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
+# if samba-tool user setpassword fails, reset the old password.
+if [ $? != 0 ]; then
 FAIL "resetting old server password for $ldap_hostdn, because samba could not set the new password locally."
+ revert_password_change
 fi
 # The password is changed on the master now, but it is not clear if
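Review bot: `revert_password_change()` is introduced without a header comment, and its body runs past the end of this hunk into the next one. It reads `$server_role`, `$ldap_hostdn`, `$new_password` and `$old_password` from the surrounding script and, judging by the rollback code this commit removes at @@ -213, presumably also rewrites /etc/machine.secret from the .old copy and restarts the listener, so a caller has to know all of those must already be populated. A block above the definition stating that contract would help, e.g. `# Roll the machine password back to $old_password via UDM (binding with $new_password), restore /etc/machine.secret from machine.secret.old, restart the listener and run the "nochange" hooks. Requires server_role, ldap_hostdn, new_password and old_password to be set; only meant for the failure branches below.`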
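Review bot: `revert_password_change` is now called after `FAIL "resetting old server password …"`, whereas the code this replaces ran the UDM reset, the machine.secret rollback and the nochange hooks before FAIL. If FAIL terminates the script (its name and its position at the end of the old rollback block suggest it may; its definition is not in this diff), the revert is never reached and LDAP plus /etc/machine.secret stay on the new password while the local Samba account, per the comment above the check, still has the old one. Swapping the two lines to `revert_password_change` followed by `FAIL "…"` restores the previous order; the same applies to the hunk at @@ -213 in this file. If FAIL only logs, the reordering is harmless but deserves a one-line comment saying so.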
@@ -213,17 +217,8 @@ do
 # been set with UDM but LDAP does't work with it. Do not continue with
 # changes that would only worsen the situation. Instead, try to rollback.
 # Reset the old password with UDM and give up.
-
- /usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3
-
- # Rollback /etc/machine.secret and restart listener
- awk '{pwd=$2}; END {printf("%s", pwd)}' /etc/machine.secret.old > /etc/machine.secret
- chmod 600 /etc/machine.secret
- [ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3
-
- # run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
- run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
 FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"
+ revert_password_change
 fi
 trial_counter=$(( trial_counter - 1))
 done
diff --git a/services/univention-samba4/server_password_change.d/univention-samba4 b/services/univention-samba4/server_password_change.d/univention-samba4
index 0d69c744ea..9745fe5e44 100755
--- a/services/univention-samba4/server_password_change.d/univention-samba4
+++ b/services/univention-samba4/server_password_change.d/univention-samba4
@@ -36,6 +36,9 @@ set_machine_secret() {
 old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')
 new_kvno=$(($old_kvno + 1))
+ ## Backup /etc/krb5.keytab to avoid key duplication in case a revert is necessary
+ install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE
+
 ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
 dn: flatname=${windows_domain},cn=Primary Domains
 changetype: modify
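Review bot: The backup `install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE` added before `ldbmodify` is never removed on the success path, so after every successful rotation a second copy of the host's Kerberos keys at the previous kvno stays under /etc indefinitely. The copy also runs unchecked; if it fails while a .SAVE from an earlier rotation is still present, the revert paths later in this file would `install` that stale keytab over the live one. Checking the backup with `install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE || exit 1` and adding `rm -f /etc/krb5.keytab.SAVE` once `samba-tool user setpassword` has succeeded would close both gaps. set_machine_secret continues past the end of this hunk.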
@@ -46,6 +49,10 @@ set_machine_secret() {
 msDS-KeyVersionNumber: $new_kvno
 -
 %EOF
+ if [ "$?" -ne "0" ]; then
+ install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
+ exit 1
+ fi
 ## 2. replace random machine secret in SAM with /etc/machine.secret
 samba-tool user setpassword "${hostname}\$" --newpassword="$(cat /etc/machine.secret)"
@@ -54,22 +61,24 @@ set_machine_secret() {
 if [ "$1" = "localchange" ]; then
 set_machine_secret
- ## if samba-tool user setpassword fails, revert changes to secrets.ldb
+ ## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab
 if [ "$?" -ne "0" ]; then
+ old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')
 ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
 dn: flatname=${windows_domain},cn=Primary Domains
 changetype: modify
 replace: secret
- secret: $(cat /etc/machine.secret.old | tail -n 1 | sed 's/[0-9]*: //g')
+ secret: $old_password
 -
 replace: msDS-KeyVersionNumber
 msDS-KeyVersionNumber: $old_kvno
 -
 %EOF
- test -x /etc/init.d/samba && /etc/init.d/samba restart
+
+ install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
+ exit 1
 fi
 test -x /etc/init.d/samba && /etc/init.d/samba restart
 fi
-
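Review bot: The new failure branch after the first `%EOF` calls `exit 1` from inside `set_machine_secret`, which ends the whole hook rather than reporting a status, so the caller's `if [ "$?" -ne "0" ]` revert (secrets.ldb and kvno rollback) and the `test -x /etc/init.d/samba && /etc/init.d/samba restart` after `fi` are both bypassed for this failure. That is presumably acceptable because `ldbmodify` failed before secrets.ldb was changed, but the hunk does not show whether a failed modify can leave the `secret` replace applied while the `msDS-KeyVersionNumber` replace is rejected. A `return 1` in place of `exit 1` would let the single caller run its revert regardless, and a comment such as `# ldbmodify failed: secrets.ldb is assumed untouched, only the keytab backup is undone here` would record the assumption either way.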
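Review bot: `old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')` yields an empty string whenever the last line of machine.secret.old does not contain `: ` (sed -n prints only on a match, whereas the replaced `sed 's/[0-9]*: //g'` printed the line regardless), and that empty value is then written as `secret:` into secrets.ldb, replacing the machine secret with nothing. A guard before the heredoc, `[ -n "$old_password" ] || { echo "cannot read old machine password from /etc/machine.secret.old" >&2; exit 1; }`, keeps the revert from making things worse. Note that the rollback in base/univention-server/server_password_change parses the same file with `awk '{pwd=$2}; END {printf("%s", pwd)}'` (field 2 rather than stripping a `^[0-9]*: ` prefix), so the two readers can disagree on unusual content. Finally, the added `exit 1` runs before the `test -x /etc/init.d/samba && /etc/init.d/samba restart` that follows `fi`, so after a revert samba is no longer restarted on this path unless the nochange hook does it; worth confirming that was intended.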