Okay, I was brave.
- I stopped the univention-s4-connector.service.
- I created the krbtgt account using Apache Directory Studio by using the Administrator account as a template. I removed all attributes too specific to the Administrator and edited other attributes to match those in Samba 4.
- I restarted the univention-s4-connector.service.
- The rejected sync disappeared.