Decommission + New Master Single Join Step Fails

We are in process of moving the UCS 4.9 to a virtualized environment in preparation for upgrading to 5.x on all machines. The prior master was decommissioned and removed from the network, only to discover the AD app wasn’t installed on the replacement VM during the initial install. There is a backup dc and all the data is there.

The final join scripts all execute fine with the exception of the samba4-saml-kerberos when running:

univention-run-join-scripts --ask-pass --run-scripts 98univention-samba4-saml-kerberos.inst

The error in the logs show:

RUNNING 98univention-samba4-saml-kerberos.inst
2022-07-24 11:57:25.608638483-05:00 (in joinscript_init)
could not obtain current kerberos secret for sso user
JOINERR:FAILED: /usr/lib/univention-install/98univention-samba4-saml-kerberos.inst

What steps are needed to resolve this issue?

On inspecting the 98univention-samba4-saml-kerberos.inst script, the error

could not obtain current kerberos secret for sso user

is actually due to a missing file /etc/simplesamlphp/ucs-sso-kerberos.secret.

This file is generated by the join script: 91univention-saml.inst.

The script was marked as completing successfully in the web GUI for the join processes, however, the actually file wasn’t created. I don’t know if this issue is reproducible to qualify as a bug, however, the language of the error can change to be more helpful.

Upon rerunning 91univention-saml.inst, followed by 98univention-samba4-saml-kerberos.inst, the join steps were marked as completed. This allowed progressing to the next step in preparation for moving to 5.0.