Error in keycloak during join

UCS - Univention Corporate Server
, ,
#1

Hello, i’m trying migrate to keycloack,following this How-to it install ok, but fail on join, the error is this…

File “/usr/sbin/univention-keycloak”, line 3100, in
sys.exit(main())
File “/usr/sbin/univention-keycloak”, line 3096, in main
return opt.func(opt) or 0
File “/usr/sbin/univention-keycloak”, line 2768, in init_keycloak_ucs
locales_format = [locale[:locale.index("")] for locale in locales]
File “/usr/sbin/univention-keycloak”, line 2768, in
locales_format = [locale[:locale.index("")] for locale in locales]
ValueError: substring not found
/usr/lib/univention-install/50keycloak.inst: FATAL:
EXITCODE=2
9ddc672d-a763-4c46-a014-f9f1ef76026f

Any help?

#2

Anyone can help out?

#3

Hi codemind,

it would helpfully to see the full traceback or the complete join.log to understand, why the 50keycloak.inst failed while the keycloak installation.

Kind regards,
Mirac

#4

Hello @MiracErde thanks for your time. The log is really what i have posted… but i put here the full join log

RUNNING 50keycloak.inst
2024-05-10 14:10:19.123477355+01:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/keycloak/description/de
Setting ucs/web/overview/entries/admin/keycloak/description
Setting ucs/web/overview/entries/admin/keycloak/label
Setting ucs/web/overview/entries/admin/keycloak/link
Setting ucs/web/overview/entries/admin/keycloak/icon
Setting ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=ccm,dc=local
WARNING: cannot append cn=Domain Admins,cn=groups,dc=ccm,dc=local to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,dc=ccm,dc=local
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=ccm,dc=local
Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/11/main/pg_hba.conf
Multifile: /etc/postgresql/11/main/pg_hba.conf
Warning: The file ‘/etc/postgresql/15/main/pg_hba.conf’ is not registered as an UCR template.
Adding A record “ucs-sso-ng 192.168.120.2” to zone ccm.local…
done
10.05.24 14:10:34.160 DEBUG_INIT
10.05.24 14:10:34.161 DEBUG_EXIT
Restarting keycloak …
estarting keycloak … done
Traceback (most recent call last):
File “/usr/sbin/univention-keycloak”, line 3101, in
sys.exit(main())
File “/usr/sbin/univention-keycloak”, line 3097, in main
return opt.func(opt) or 0
File “/usr/sbin/univention-keycloak”, line 2768, in init_keycloak_ucs
locales_format = [locale[:locale.index("")] for locale in locales]
File “/usr/sbin/univention-keycloak”, line 2768, in
locales_format = [locale[:locale.index("")] for locale in locales]
ValueError: substring not found
/usr/lib/univention-install/50keycloak.inst: FATAL:
EXITCODE=2
15892b30-76d9-49f3-ae42-9d441c9dafb8
univention-join-hooks: looking for hook type “join/post-joinscripts” on CCMDC01.ccm.local
Found hooks:
sex mai 10 14:11:16 WEST 2024
univention-run-join-scripts finished

Also i’m unable to login to keycloak admin because get wrong credentials, i’m assuming that is because the join failed

#5

@MiracErde do you have opportunity to look at the logs? Do you need more info from my side?

Thanks

#6

Hello,

Even with latest upgrades i still have this issue.
Anyone can point out where i can dig to find the issue? The log information don’t tell much

#7

Hi Codemind,

sounds like the issue from this article:

Greetings

#8

I saw when you post that, but then i run the command and i don’t get any error

~# univention-keycloak --binduser “${keycloak_admin_user:-admin}” realms get
[‘master’]

So i assume that could be other thing… i will try that solution

root@CCMDC01:~# rm /etc/keycloak.secret
root@CCMDC01:~# su postgres
postgres@CCMDC01:/$ dropdb keycloak
could not change directory to “/root”: Permission denied
postgres@CCMDC01:/root$ cd …
postgres@CCMDC01:/$ dropdb keycloak
dropdb: database removal failed: ERROR: database “keycloak” does not exist

Then run install again and it still not work

#9

So still have the issue, also the log output that i have is a little different from post.

06.06.24 17:09:20.323 DEBUG_EXIT
Restarting keycloak …
estarting keycloak … done
[‘master’]
Traceback (most recent call last):
File “/usr/sbin/univention-keycloak”, line 3101, in
sys.exit(main())
File “/usr/sbin/univention-keycloak”, line 3097, in main
return opt.func(opt) or 0
File “/usr/sbin/univention-keycloak”, line 2768, in init_keycloak_ucs
locales_format = [locale[:locale.index("")] for locale in locales]
File “/usr/sbin/univention-keycloak”, line 2768, in
locales_format = [locale[:locale.index("")] for locale in locales]
ValueError: substring not found
/usr/lib/univention-install/50keycloak.inst: FATAL:

I have errors in lines 2768 and don’t have in lines 510, 191, 96 etc… also after restarting in the logs i have output of [‘master’]

#10

Ok…

I’m able to find the admin password inside docker compose file and i’m able to login into keycloak… but still can’t figure out why the join is failing

#11

Hi @codedmind did you ever get any where with this issue?

I too am getting the same traceback and substring error on the join script. Despite agreeing with you that the linked article seems like a different error at a different point, I also followed the steps to completely remove the keycloak install and start it again with the same outcome.

I am on a fully patched 5.0-8 version if it helps.

CLI app install log: 

root@dcm1:~# univention-app install keycloak
Resolving dependencies for keycloak
Going to install Keycloak (25.0.1-ucs2)
Password for Administrator:
Showing License agreement for keycloak=25.0.1-ucs2
Showing README for keycloak=25.0.1-ucs2
Falling back to initial value for keycloak/apache2/ssl/certificate
Falling back to initial value for keycloak/apache2/ssl/key
Falling back to initial value for keycloak/apache2/ssl/ca
Falling back to initial value for keycloak/csp/frame-ancestors
Cannot read ucs/self/registration/check_email_verification while keycloak=25.0.1-ucs2 is not running
Cannot read keycloak/password/change/endpoint while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for keycloak/password/change/endpoint
Cannot read kc/db/url while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for kc/db/url
Cannot read kc/db/username while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for kc/db/username
Cannot read kc/db/password while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for kc/db/password
Cannot read kc/db/driver while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for kc/db/driver
Cannot read kc/db/ping/datatype while keycloak=25.0.1-ucs2 is not running
Falling back to initial value for kc/db/ping/datatype
Configuring keycloak=25.0.1-ucs2
Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.<--snipped base FQDN-->'
Setting keycloak/server/sso/path to '/'
Setting keycloak/server/sso/virtualhost to 'true'
Setting keycloak/apache/config to 'true'
Setting keycloak/server/sso/autoregistration to 'true'
Unsetting keycloak/apache2/ssl/certificate
Unsetting keycloak/apache2/ssl/key
Unsetting keycloak/apache2/ssl/ca
Unsetting keycloak/csp/frame-ancestors
Setting keycloak/cookies/samesite to 'None'
Setting keycloak/login/messages/en/pwdChangeSuccessMsg to 'The password has been changed successfully.<br>Please log in again.<br/>'
Setting keycloak/login/messages/de/pwdChangeSuccessMsg to 'Das Passwort wurde erfolgreich geändert.<br>Bitte melden Sie sich erneut an.<br/>'
Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
Setting keycloak/log/level to 'INFO'
Setting kc/db/kind to 'postgres'
Setting kc/db/xa to 'false'
Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
Cannot write settings while keycloak=25.0.1-ucs2 is not running
Installing univention-keycloak apache template
Installing Keycloak data/settings acl
Installing Keycloak apache template info
Installing Keycloak translation template info
Installing Keycloak transaltion template
File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/messages/messages_de.properties
File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/messages/messages_en.properties
Installing 50-keycloak postgresql 11 template
Installing 50-keycloak postgresql 15 template
Installing 50-keycloak postgresql template info
Installing keycloak ispn configuration template
Creating data directories for keycloak...
Registering UCR for keycloak
Marking keycloak=25.0.1-ucs2 as installed
Multifile: /etc/postgresql/11/main/pg_hba.conf
File: /etc/univention/service.info/services/univention-appcenter.cfg
Multifile: /etc/apache2/sites-available/000-default.conf
Multifile: /etc/apache2/sites-available/default-ssl.conf
Adding localhost to LDAP object
Reloading apache2 configuration (via systemctl): apache2.service.
univention-postgresql was already set to manually installed.
Checking if database keycloak exists (postgresql implementation)
Database keycloak does not exist
Creating database for keycloak=25.0.1-ucs2
createuser: creation of new role failed: ERROR:  role "keycloak" already exist
Password for keycloak database in /etc/postgresql-keycloak.secret
Registering the container host keycl-31776113 for keycloak
Downloading app images
Running command: docker-compose -p keycloak pull
Pulling keycloak ... done

Initializing app image
Running command: docker-compose -p keycloak up -d --no-build --no-recreate
Creating network "keycloak_appcenter_net" with the default driver
Creating keycloak ... done

Preconfiguring container 53f37d9d1898a8232b28ae29adef85fcc35a4550def26fe3673922097b486618
Starting keycloak ...
 tarting keycloak ...  done
Running command: docker cp /etc/postgresql-keycloak.secret 53f37d9d1898a8232b28ae29adef85fcc35a4550def26fe3673922097b486618:/etc/postgresql-keycloak.secret
Configuring keycloak=25.0.1-ucs2
Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.<--snipped base FQDN-->'
Setting keycloak/server/sso/virtualhost to 'true'
Setting keycloak/apache/config to 'true'
Setting keycloak/server/sso/autoregistration to 'true'
Unsetting keycloak/apache2/ssl/certificate
Unsetting keycloak/apache2/ssl/key
Unsetting keycloak/apache2/ssl/ca
Unsetting keycloak/csp/frame-ancestors
Setting keycloak/cookies/samesite to 'None'
Setting keycloak/log/level to 'INFO'
Setting keycloak/server/sso/path to '/'
Setting keycloak/login/messages/en/pwdChangeSuccessMsg to 'The password has been changed successfully.<br>Please log in again.<br/>'
Setting keycloak/login/messages/de/pwdChangeSuccessMsg to 'Das Passwort wurde erfolgreich geändert.<br>Bitte melden Sie sich erneut an.<br/>'
Setting ucs/self/registration/check_email_verification to 'false'
Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
Setting keycloak/password/change/endpoint to 'dcm1.<--snipped base FQDN-->'
Unsetting kc/db/url
Setting kc/db/username to 'keycloak'
Setting kc/db/kind to 'postgres'
Setting kc/db/xa to 'false'
Unsetting kc/db/driver
Unsetting kc/db/ping/datatype
Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
ucr cannot be found, falling back to changing the database file directly
Executing interface restore_data_before_setup for keycloak
No interface defined
Executing interface restore_data_after_setup for keycloak
No interface defined
Falling back to initial value for keycloak/apache2/ssl/certificate
Falling back to initial value for keycloak/apache2/ssl/key
Falling back to initial value for keycloak/apache2/ssl/ca
Falling back to initial value for keycloak/csp/frame-ancestors
Falling back to initial value for kc/db/url
Falling back to initial value for kc/db/password
Falling back to initial value for kc/db/driver
Falling back to initial value for kc/db/ping/datatype
Configuring keycloak=25.0.1-ucs2
Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.<--snipped base FQDN-->'
Setting keycloak/server/sso/path to '/'
Setting keycloak/server/sso/virtualhost to 'true'
Setting keycloak/apache/config to 'true'
Setting keycloak/server/sso/autoregistration to 'true'
Unsetting keycloak/apache2/ssl/certificate
Unsetting keycloak/apache2/ssl/key
Unsetting keycloak/apache2/ssl/ca
Unsetting keycloak/csp/frame-ancestors
Setting keycloak/cookies/samesite to 'None'
Setting keycloak/login/messages/en/pwdChangeSuccessMsg to 'The password has been changed successfully.<br>Please log in again.<br/>'
Setting keycloak/login/messages/de/pwdChangeSuccessMsg to 'Das Passwort wurde erfolgreich geändert.<br>Bitte melden Sie sich erneut an.<br/>'
Setting ucs/self/registration/check_email_verification to 'false'
Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
Setting keycloak/log/level to 'INFO'
Setting keycloak/password/change/endpoint to 'dcm1.<--snipped base FQDN-->'
Unsetting kc/db/url
Setting kc/db/username to 'keycloak'
Setting kc/db/kind to 'postgres'
Setting kc/db/xa to 'false'
Unsetting kc/db/driver
Unsetting kc/db/ping/datatype
Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
ucr cannot be found, falling back to changing the database file directly
File: /etc/apache2/sites-available/univention-keycloak.conf
ucr cannot be found, falling back to changing the database file directly
Saving data from old container (keycloak=25.0.1-ucs2)
Starting keycloak ...
 tarting keycloak ...  done
Running command: docker cp 53f37d9d1898a8232b28ae29adef85fcc35a4550def26fe3673922097b486618:/etc/machine.secret /var/lib/univention-appcenter/apps/keycloak/machine.secret
Starting keycloak ...
 tarting keycloak ...  done
Stopping keycloak ...
 topping keycloak ...  done
Removing old container
Removing keycloak ...
 Removing network keycloak_appcenter_net
Setting up new container (keycloak=25.0.1-ucs2)
Creating data directories for keycloak...
Registering UCR for keycloak
Marking keycloak=25.0.1-ucs2 as installed
Adding localhost to LDAP object
Reloading apache2 configuration (via systemctl): apache2.service.
univention-postgresql was already set to manually installed.
Checking if database keycloak exists (postgresql implementation)
Database keycloak already exists
keycloak=25.0.1-ucs2 already has its database
Initializing app image
Running command: docker-compose -p keycloak up -d --no-build --no-recreate
Creating network "keycloak_appcenter_net" with the default driver
Creating keycloak ...
 reating keycloak ...  done
Preconfiguring container da4a0ff13380bf082716d55a7d8bae292d0e328f57fa0617cb353f77a00744bf
Starting keycloak ...
 tarting keycloak ...  done
Running command: docker cp /etc/postgresql-keycloak.secret da4a0ff13380bf082716d55a7d8bae292d0e328f57fa0617cb353f77a00744bf:/etc/postgresql-keycloak.secret
Configuring keycloak=25.0.1-ucs2
Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.<--snipped base FQDN-->'
Setting keycloak/server/sso/virtualhost to 'true'
Setting keycloak/apache/config to 'true'
Setting keycloak/server/sso/autoregistration to 'true'
Unsetting keycloak/apache2/ssl/certificate
Unsetting keycloak/apache2/ssl/key
Unsetting keycloak/apache2/ssl/ca
Unsetting keycloak/csp/frame-ancestors
Setting keycloak/cookies/samesite to 'None'
Setting keycloak/log/level to 'INFO'
Setting keycloak/server/sso/path to '/'
Setting keycloak/login/messages/en/pwdChangeSuccessMsg to 'The password has been changed successfully.<br>Please log in again.<br/>'
Setting keycloak/login/messages/de/pwdChangeSuccessMsg to 'Das Passwort wurde erfolgreich geändert.<br>Bitte melden Sie sich erneut an.<br/>'
Setting ucs/self/registration/check_email_verification to 'false'
Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://dcm1.<--snipped base FQDN-->/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
Setting keycloak/password/change/endpoint to 'dcm1.<--snipped base FQDN-->'
Setting kc/db/url to 'jdbc:postgresql://dcm1.<--snipped base FQDN-->:5432/keycloak?sslmode=require'
Setting kc/db/username to 'keycloak'
Setting kc/db/kind to 'postgres'
Setting kc/db/xa to 'false'
Setting kc/db/driver to 'org.postgresql.Driver'
Setting kc/db/ping/datatype to 'BYTEA'
Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
ucr cannot be found, falling back to changing the database file directly
Executing interface restore_data_before_setup for keycloak
No interface defined
Executing interface restore_data_after_setup for keycloak
No interface defined
updating certificates for keycloak=25.0.1-ucs2
Registering UCR for keycloak
Marking keycloak=25.0.1-ucs2 as installed
Adding localhost to LDAP object
Reloading apache2 configuration (via systemctl): apache2.service.
Certificate was added to keystore
Executing interface configure for keycloak
No interface defined
updating certificates for keycloak=25.0.1-ucs2
Installing join script /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20240815142626.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2024 Univention GmbH, Germany

Running pre-joinscripts hook(s):  done
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 20univention-ldap-config-master.inst skipped (already executed)
Running 22univention-directory-manager-rest.inst skipped (already executed)
Running 25univention-dhcp.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-monitoring-client.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 31univention-monitoring-s4-connector.inst skipped (already executed)
Running 31univention-monitoring-samba.inst skipped (already executed)
Running 31univention-nagios-s4-connector.inst skipped (already executed)
Running 31univention-nagios-samba.inst skipped (already executed)
Running 31univention-usercert.inst skipped (already executed)
Running 32univention-windowscert.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-self-service.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-admindiary.inst skipped (already executed)
Running 35univention-management-console-module-appcenter.inst skipped (already executed)
Running 35univention-management-console-module-diagnostic.inst skipped (already executed)
Running 35univention-management-console-module-ipchange.inst skipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-pkgdb.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.inst skipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.inst skipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.inst skipped (already executed)
Running 35univention-management-console-module-welcome.inst skipped (already executed)
Running 35univention-self-service-master.inst skipped (already executed)
Running 35univention-self-service-passwordreset-umc.inst skipped (already executed)
Running 35univention-server-overview.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-postgresql.inst skipped (already executed)
Running 50keycloak.inst failed (exitcode: 2)
Running 50univention-pkgdb.inst skipped (already executed)
Running 60univention-admin-diary-backend.inst skipped (already executed)
Running 80univention-radius.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 96univention-samba4.inst skipped (already executed)
Running 97univention-s4-connector.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 98univention-samba4-dns.inst skipped (already executed)
Running 98univention-samba4-saml-kerberos.inst skipped (already executed)
Running post-joinscripts hook(s):  done
Potential script hook folder is unused: /var/lib/univention-appcenter/apps/keycloak/local/hooks/post-install.d
File: /usr/share/univention-management-console/modules/apps.xml

File: /usr/share/univention-management-console/i18n/de/apps.mo

File: /etc/apt/apt.conf.d/55user_agent

Executing interface update_available for keycloak
No interface defined

Join Log 

univention-run-join-scripts started
Thu 29 Aug 16:33:50 AEST 2024

univention-join-hooks: looking for hook type "join/pre-joinscripts" on dcm1.<--snipped-->
Found hooks:
  
RUNNING 01univention-ldap-server-init.inst
EXITCODE=already_executed
RUNNING 02univention-directory-notifier.inst
EXITCODE=already_executed
RUNNING 03univention-directory-listener.inst
EXITCODE=already_executed
RUNNING 04univention-ldap-client.inst
EXITCODE=already_executed
RUNNING 05univention-bind.inst
EXITCODE=already_executed
RUNNING 08univention-apache.inst
EXITCODE=already_executed
RUNNING 10univention-ldap-server.inst
EXITCODE=already_executed
RUNNING 11univention-heimdal-init.inst
EXITCODE=already_executed
RUNNING 11univention-pam.inst
EXITCODE=already_executed
RUNNING 15univention-directory-notifier-post.inst
EXITCODE=already_executed
RUNNING 15univention-heimdal-kdc.inst
EXITCODE=already_executed
RUNNING 18python-univention-directory-manager.inst
EXITCODE=already_executed
RUNNING 20univention-directory-policy.inst
EXITCODE=already_executed
RUNNING 20univention-join.inst
EXITCODE=already_executed
RUNNING 20univention-ldap-config-master.inst
EXITCODE=already_executed
RUNNING 22univention-directory-manager-rest.inst
EXITCODE=already_executed
RUNNING 25univention-dhcp.inst
EXITCODE=already_executed
RUNNING 26univention-nagios-common.inst
EXITCODE=already_executed
RUNNING 30univention-appcenter.inst
EXITCODE=already_executed
RUNNING 30univention-monitoring-client.inst
EXITCODE=already_executed
RUNNING 30univention-nagios-client.inst
EXITCODE=already_executed
RUNNING 31univention-monitoring-s4-connector.inst
EXITCODE=already_executed
RUNNING 31univention-monitoring-samba.inst
EXITCODE=already_executed
RUNNING 31univention-nagios-s4-connector.inst
EXITCODE=already_executed
RUNNING 31univention-nagios-samba.inst
EXITCODE=already_executed
RUNNING 31univention-usercert.inst
EXITCODE=already_executed
RUNNING 32univention-windowscert.inst
EXITCODE=already_executed
RUNNING 33univention-portal.inst
EXITCODE=already_executed
RUNNING 34univention-self-service.inst
EXITCODE=already_executed
RUNNING 35univention-appcenter-docker.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-admindiary.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-appcenter.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-diagnostic.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-ipchange.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-join.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-lib.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-pkgdb.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-quota.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-reboot.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-services.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-setup.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-sysinfo.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-top.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-ucr.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-udm.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-updater.inst
EXITCODE=already_executed
RUNNING 35univention-management-console-module-welcome.inst
EXITCODE=already_executed
RUNNING 35univention-self-service-master.inst
EXITCODE=already_executed
RUNNING 35univention-self-service-passwordreset-umc.inst
EXITCODE=already_executed
RUNNING 35univention-server-overview.inst
EXITCODE=already_executed
RUNNING 36univention-management-console-module-apps.inst
EXITCODE=already_executed
RUNNING 40univention-postgresql.inst
EXITCODE=already_executed
RUNNING 50keycloak.inst
2024-08-29 16:33:54.959275379+10:00 (in joinscript_init)
Create ucs/web/overview/entries/admin/keycloak/description/de
Create ucs/web/overview/entries/admin/keycloak/description
Create ucs/web/overview/entries/admin/keycloak/label
Create ucs/web/overview/entries/admin/keycloak/link
Create ucs/web/overview/entries/admin/keycloak/icon
Create ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,<--snipped baseDn-->
WARNING: cannot append cn=Domain Admins,cn=groups,<--snipped baseDn--> to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,<--snipped baseDn-->
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,<--snipped baseDn-->

Waiting for activation of the extension object 67keycloak: OK
Object exists: cn=services,cn=univention,<--snipped baseDn-->
Object created: cn=keycloak DB,cn=services,cn=univention,<--snipped baseDn-->
Object modified: cn=dcm1,cn=dc,cn=computers,<--snipped baseDn-->
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/11/main/pg_hba.conf
Multifile: /etc/postgresql/11/main/pg_hba.conf
Warning: The file '/etc/postgresql/15/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "ucs-sso-ng 10.20.20.10" to zone <--snipped dns zone-->...
done
29.08.24 16:34:05.363  DEBUG_INIT
29.08.24 16:34:05.366  DEBUG_EXIT
Restarting keycloak ... 
  
Restarting keycloak ...  done 
 
['master']
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3132, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3128, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 2799, in init_keycloak_ucs
    locales_format = [locale[:locale.index("_")] for locale in locales]
  File "/usr/sbin/univention-keycloak", line 2799, in <listcomp>
    locales_format = [locale[:locale.index("_")] for locale in locales]
ValueError: substring not found
/usr/lib/univention-install/50keycloak.inst: FATAL: 
EXITCODE=2
465affb9-e0f5-4d4c-9508-ffe5bd5004a8
RUNNING 50univention-pkgdb.inst
EXITCODE=already_executed
RUNNING 60univention-admin-diary-backend.inst
EXITCODE=already_executed
RUNNING 80univention-radius.inst
EXITCODE=already_executed
RUNNING 81univention-nfs-server.inst
EXITCODE=already_executed
RUNNING 90univention-bind-post.inst
EXITCODE=already_executed
RUNNING 91univention-saml.inst
EXITCODE=already_executed
RUNNING 92univention-management-console-web-server.inst
EXITCODE=already_executed
RUNNING 96univention-samba4.inst
EXITCODE=already_executed
RUNNING 97univention-s4-connector.inst
EXITCODE=already_executed
RUNNING 98univention-pkgdb-tools.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-dns.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-saml-kerberos.inst
EXITCODE=already_executed
univention-join-hooks: looking for hook type "join/post-joinscripts" on dcm1.<--snipped-->
Found hooks:
  

Thu 29 Aug 16:34:24 AEST 2024
univention-run-join-scripts finished

Same error with regard to substring match on locales.

The keycloak admin interface is up and running, but I wasn’t able to login. I see you said you pulled secret from the app contianer?

edit: I can login using the /etc/keycloak.secret. But unsure of what was missed by the partially complete join script.

#12

Hi @codedmind and @MiracErde I got this working now.

A freshly installed core edition VM worked without issue, so I compared my UCR settings vs the fresh one. My UCR locales list was missing the locale I had set as my default, so I added it in and re-ran the join script and it completed this time. This install has come through upgrades from 2015 so perhaps it has snuck in somewhere along the way.

# ucr search --brief locale
locale/default: en_AU.UTF-8:UTF-8
locale: en_US.UTF-8:UTF-8 de_DE.UTF-8:UTF-8   <---- missing en_AU

Don’t know how that happened as I think UMC enforces choosing a default from the installed system locales list only.
So adding in my default locale to the locales list allowed the keycloak joinscript to complete and I can log into the admin console using the UCS administrator creds now.

# ucr search --brief locale
locale/default: en_AU.UTF-8:UTF-8
locale: en_AU.UTF-8:UTF-8 en_US.UTF-8:UTF-8 de_DE.UTF-8:UTF-8
Successful join script 
univention-run-join-scripts started
Fri 30 Aug 13:01:59 AEST 2024

univention-join-hooks: looking for hook type "join/pre-joinscripts" on dcm1.<--snipped base FQDN-->
Found hooks:

RUNNING 50keycloak.inst
2024-08-30 13:02:00.665793716+10:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/keycloak/description/de
Setting ucs/web/overview/entries/admin/keycloak/description
Setting ucs/web/overview/entries/admin/keycloak/label
Setting ucs/web/overview/entries/admin/keycloak/link
Setting ucs/web/overview/entries/admin/keycloak/icon
Setting ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,<--snipped baseDn-->
WARNING: cannot append cn=Domain Admins,cn=groups,<--snipped baseDn--> to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,<--snipped baseDn-->
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,<--snipped baseDn-->

Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/11/main/pg_hba.conf
Multifile: /etc/postgresql/11/main/pg_hba.conf
Warning: The file '/etc/postgresql/15/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "ucs-sso-ng 10.20.20.10" to zone <--snipped base FQDN-->...
done
30.08.24 13:02:11.218  DEBUG_INIT
30.08.24 13:02:11.221  DEBUG_EXIT
Restarting keycloak ...
 estarting keycloak ...  done
['master']           <<==== FAILED HERE PREVIOUSLY
Using bind-dn:
Check if init is needed: yes, continuing init
CREATING KEYCLOAK SAML CLIENT.....
LDAP User Federation Added: ldap://dcm1.<--snipped base FQDN-->:7389
LDAP Domain Admins Federation Added: ldap://dcm1.<--snipped base FQDN-->:7389
Filter: ['(|(memberOf=cn=Domain Admins,cn=groups,<--snipped baseDn-->)(memberOf=cn=DC Backup Hosts,cn=groups,<--snipped baseDn-->))']
Register extenions: password ldapmapper self-service
Setting domain config version to 25.0.1-ucs2
Nothing to do, already at domain config version 25.0.1-ucs2
CREATING KEYCLOAK SAML CLIENT.....
CREATING KEYCLOAK SAML CLIENT.....
CREATING KEYCLOAK SAML CLIENT.....
CREATING KEYCLOAK SAML CLIENT.....
creating keycloak kerberos user
Object created: uid=krbkeycloak,cn=users,<--snipped baseDn-->
modifying entry "uid=krbkeycloak,cn=users,<--snipped baseDn-->"

looking for spn account "krbkeycloak" in local samba
looking for spn account "krbkeycloak" in local samba
rm: cannot remove '/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab': No such file or directory
Object exists: cn=services,cn=univention,<--snipped baseDn-->
Object created: cn=keycloak,cn=services,cn=univention,<--snipped baseDn-->
Object modified: cn=dcm1,cn=dc,cn=computers,<--snipped baseDn-->
2024-08-30 13:02:55.226020183+10:00 (in joinscript_save_current_version)
EXITCODE=0
univention-join-hooks: looking for hook type "join/post-joinscripts" on dcm1.<--snipped base FQDN-->
Found hooks:


Fri 30 Aug 13:02:56 AEST 2024
univention-run-join-scripts finished

Perhaps something worth documenting or adding a check into the script in case other long-lived systems are in a similar state?

Hope this helps!

#13

Hi pp303,

Thank you for your response and help.

We had some same issues the last past weeks with installed PostgreSQL versions and the used cluster.
It looks like, that upgraded systems from UCS 4.4-9 to 5.0-x are having PostgreSQL 9.6 and 11 installed, but the used cluster is 9.6 and the cluster for 11 is down.

You can check which cluster is used with the following command:

pg_lsclusters -h

You get more informations from this article:

#14

Hello @pp303 thanks for the info… however when i run that command i don’t have the locale missing :frowning:

ucr search --brief locale
locale/default: pt_PT.UTF-8:UTF-8
locale: C:UTF-8 en_US.UTF-8:UTF-8 de_DE.UTF-8:UTF-8 pt_PT.UTF-8:UTF-8

#15

Any luck if you remove the C:UTF-8 ? Thats the only other thing I can see that might be different.

#16

Hello,

Yesterday update both variables,like yours and everything works.
So yeah, maybe the issue could be that entry C:UTF-8 tha i don’t have ideia why is there…

1 Like
#17

Maybe. I can see one other post on the forums with that mentioned where removing it also fixed the problem.

It doesn’t show up in a freshly installed UCS core, so perhaps a leftover from an upgrade or bug in a script somewhere?

Cheers.

Mastodon