Keycloak join script fails due to UCS reject when creating krbkeycloak user in Samba

Hi everyone,

I just installed Keycloak on my UCS 5.0 main node and the join script failed with error code 2.

join.log shows that the script is waiting indefinitely for the krbkeycloak user to become available in Samba:

RUNNING 50keycloak.inst
2025-06-01 19:00:04.048293570+02:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/keycloak/description/de
Setting ucs/web/overview/entries/admin/keycloak/description
Setting ucs/web/overview/entries/admin/keycloak/label
Setting ucs/web/overview/entries/admin/keycloak/link
Setting ucs/web/overview/entries/admin/keycloak/icon
Setting ucs/web/overview/entries/admin/keycloak/link-target
Module: create_portal_entries
No modification: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=intern,dc=example,dc=com
WARNING: cannot append cn=Domain Admins,cn=groups,dc=intern,dc=example,dc=com to allowedGroups, value exists
Object exists: cn=ldapacl,cn=univention,dc=intern,dc=example,dc=com
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=intern,dc=example,dc=com

Waiting for activation of the extension object 67keycloak: OK
Could not chdir to home directory /dev/null: Not a directory
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Multifile: /etc/postgresql/15/main/pg_hba.conf
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Multifile: /etc/postgresql/15/main/pg_hba.conf
Adding A record "ucs-sso-ng 10.10.10.5" to zone intern.example.com...
done
01.06.25 19:00:11.243  DEBUG_INIT
01.06.25 19:00:11.246  DEBUG_EXIT
['master', 'ucs']
Restarting keycloak ...
  ^MRestarting keycloak ...  done ^M
['master', 'ucs']
Using bind-dn:
Check if init is needed: no, already executed
Nothing to do, already at domain config version 26.1.4-ucs2
CREATING KEYCLOAK SAML CLIENT.....
CREATING KEYCLOAK SAML CLIENT.....
CREATING KEYCLOAK SAML CLIENT.....
creating keycloak kerberos user
Object created: uid=krbkeycloak,cn=users,dc=intern,dc=example,dc=com
modifying entry "uid=krbkeycloak,cn=users,dc=intern,dc=example,dc=com"

looking for spn account "krbkeycloak" in local samba
looking for spn account "krbkeycloak" in local samba
looking for spn account "krbkeycloak" in local samba
looking for spn account "krbkeycloak" in local samba
looking for spn account "krbkeycloak" in local samba

Checking the S4 connector sync state shows that there is a UCS sync error:

univention-s4connector-list-rejected

UCS rejected

    1:   UCS DN: uid=krbkeycloak,cn=users,dc=intern,dc=example,dc=com
          S4 DN: cn=krbkeycloak,cn=users,DC=intern,DC=example,DC=com
         Filename: /var/lib/univention-connector/s4/1748797446.462057


S4 rejected


	last synced USN: 10640

Removing the object from the rejected list and triggering a resync does not solve the issue.
I have already tried removing and reinstalling Keycloak, always with the same result.

Any idea how to resolve the problem?

Thank you for any help!
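The join script above blocks until the S4 connector has replicated the new user into Samba, so a stuck reject like the one listed is worth catching before a join is attempted. The following is an added example (not part of the original post and not a Univention tool): a small POSIX shell parser for the output format of univention-s4connector-list-rejected, which turns the rejected-object listing into one tab-separated line per object so a monitoring job can alert on it. The sample input is constructed from the listing in the post; the function names parse_rejected, count_rejected and last_synced_usn are my own.

```shell
#!/bin/sh
# Added example: parse univention-s4connector-list-rejected output.
# SAMPLE_REJECTED is constructed from the post's listing; on a real UCS host
# pipe the tool into parse_rejected instead:
#   univention-s4connector-list-rejected | parse_rejected
SAMPLE_REJECTED='UCS rejected

    1:   UCS DN: uid=krbkeycloak,cn=users,dc=intern,dc=example,dc=com
          S4 DN: cn=krbkeycloak,cn=users,DC=intern,DC=example,DC=com
         Filename: /var/lib/univention-connector/s4/1748797446.462057


S4 rejected


	last synced USN: 10640
'

# parse_rejected: reads the listing on stdin and prints
#   SIDE<TAB>UCS_DN<TAB>S4_DN
# for every rejected object. SIDE is "UCS" (UCS -> Samba sync failed) or
# "S4" (Samba -> UCS sync failed). An entry is emitted as soon as both DNs
# of one object have been seen, so the "Filename:" line (present only for
# UCS rejects) is not required.
parse_rejected() {
    awk '
        /^UCS rejected/ { side = "UCS"; next }
        /^S4 rejected/  { side = "S4";  next }
        /UCS DN:/ { sub(/.*UCS DN: */, ""); ucs = $0 }
        /S4 DN:/  { sub(/.*S4 DN: */, "");  s4  = $0 }
        ucs != "" && s4 != "" {
            printf "%s\t%s\t%s\n", side, ucs, s4
            ucs = ""; s4 = ""
        }
    '
}

# count_rejected SIDE: number of rejected objects on one side of the sample.
count_rejected() {
    printf '%s' "$SAMPLE_REJECTED" | parse_rejected \
        | awk -F'\t' -v side="$1" '$1 == side' | wc -l | tr -d ' '
}

# last_synced_usn: the "last synced USN" value reported at the end of the listing.
last_synced_usn() {
    printf '%s' "$SAMPLE_REJECTED" | sed -n 's/.*last synced USN: *//p'
}

# Stand-alone run: list the sample's rejects and summarise them.
printf '%s' "$SAMPLE_REJECTED" | parse_rejected
echo "UCS rejected: $(count_rejected UCS), S4 rejected: $(count_rejected S4), last USN: $(last_synced_usn)"
```

A non-zero count_rejected UCS is the condition that left the join script polling for the SPN account here: the UDM object exists in OpenLDAP but the connector never wrote it to Samba, so checking this before running univention-run-join-scripts saves the wait.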

It seems that there was a Samba replication error on one of the slaves preventing the script from running.

After resolving that the join script went along.