How to sync krbtgt from S4 to LDAP/UCS?

As I noticed during my further analysis, the krbtgt user account is missing in LDAP/UCS. The solution presented in "How to deal with s4-connector rejects" requires the destination to exist, while the solution in "Problem: Remove S4 Connector Rejects Which Does Not Exist in LDAP" expects the source to be expendable. I have the situation that my krbtgt account isn’t expendable. I want it synced to the LDAP.

What’s the best approach? Create it manually?

Okay, I was brave.

  • I stopped the univention-s4-connector.service.
  • I created the krbtgt account using Apache Directory Studio by using the Administrator account as a template. I removed all attributes too specific to the Administrator and edited other attributes to match those in Samba 4.
  • I restarted the univention-s4-connector.service.
  • The rejected sync disappeared.