I am having some issues regarding Keycloak as part of the upgrade to UCS 5.2.2. I have read a lot of posts here and tried to follow their advice, with no luck.
Before upgrading to UCS 5.2-2 errata150 I was told that I needed to switch to Keycloak before doing so. As I could not get Keycloak running, I decided to remove Keycloak completely and postpone the Keycloak setup until after the upgrade to UCS 5.2-2.
Although the upgrade was successful, nothing changed. I have removed and reinstalled keycloak=26.2.5-ucs1 several times now without success.
Because of the #$% “new users are only allowed to post 2 links” protection I needed to split my post.
I studied the “Troubleshooting” section according to “Keycloak app troubleshooting”.
In /var/log/univention/appcenter.log I see “Running 50keycloak.inst failed (exitcode: 2)”, although when I install Keycloak via the app store, I do not see any failure message. During installation I just confirmed the defaults, as our Univention setup is pretty vanilla. I cannot see any other entries in the log that show any failed steps.
The joinscript “50keycloak” fails like it failed before the upgrade to UCS 5.2-2, as seen in /var/log/univention/join.log:
Create ucs-sso-ng.dom.contoso.net (192.168.1.103) A record on 192.168.1.34
['kinit', '--password-file=/etc/machine.secret', 'ucs-8802$', 'nsupdate', '-v', '-g', '/tmp/tmprk9rh8q6'] failed with 1 (kinit: Password incorrect
)
failed to add A record for ucs-sso to 192.168.1.34
/usr/lib/univention-install/50keycloak.inst: FATAL:
EXITCODE=2
23654d20-afdf-433b-9888-e8fbb03f1cd5
univention-join-hooks: looking for hook type "join/post-joinscripts" on ucs-8802.dom.contoso.net
univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get
fails with this error message:
keycloak.exceptions.KeycloakConnectionError: Can't connect to server (HTTPSConnectionPool(host='ucs-sso-ng.dom.contoso.net', port=443): Max retries exceeded with url: /realms/master/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fcb84673050>: Failed to establish a new connection: [Errno -2] Name or service not known')))
This is no surprise to me, as I cannot open the admin panel at ucs-sso-ng.dom.contoso.net/admin in my browser either, though its Docker container is running fine, as far as I can see in the output of the “docker ps” command:
885a931d470f docker.software-univention.de/keycloak-keycloak:26.2.5-ucs1 "/opt/keycloak/bin/k…" About an hour ago Up About an hour (healthy) 0.0.0.0:7600->7600/tcp, :::7600->7600/tcp, 8080/tcp, 0.0.0.0:8180->8180/tcp, :::8180->8180/tcp, 8443/tcp keycloak
I have no idea what to do about this and appreciate any help.
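The join.log excerpt in the post above shows three failures that depend on each other: the kinit with /etc/machine.secret is rejected by the KDC, so the GSS-TSIG nsupdate (the -g flag) that should create the ucs-sso-ng A record on 192.168.1.34 never succeeds, so everything that addresses Keycloak by that name (the univention-keycloak CLI, the browser) fails with "Name or service not known" even though the container itself is healthy. The script below is an added example, not part of the original post and not Univention's own tooling: it classifies a log excerpt by the first broken link, and when started with "live" on the UCS host it re-runs each link as a separate check. The FQDN, DNS server address and secret path are taken from the post and are assumptions for your domain; Heimdal kinit/klist, dig and curl are assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post or from Univention.
# It walks the failure chain visible in the join.log excerpt link by link:
#   1. machine account kinit with /etc/machine.secret
#   2. GSS-TSIG nsupdate creating the ucs-sso-ng A record (needs 1)
#   3. clients resolving and reaching https://ucs-sso-ng... (needs 2)
# Assumed values (taken from the post; override via the environment):
SSO_FQDN="${SSO_FQDN:-ucs-sso-ng.dom.contoso.net}"
DNS_SERVER="${DNS_SERVER:-192.168.1.34}"
MACHINE_SECRET="${MACHINE_SECRET:-/etc/machine.secret}"

# Offline part: classify a join.log / appcenter.log excerpt (read from stdin)
# by the first broken link, so the fix starts at the root cause instead of
# the last symptom. Prints one of: machine-secret, dns-update, sso-dns, ok
diagnose_join_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'kinit: Password incorrect'; then
        echo machine-secret   # /etc/machine.secret rejected by the KDC
    elif printf '%s\n' "$log" | grep -q 'failed to add A record'; then
        echo dns-update       # kinit worked, nsupdate -g failed anyway
    elif printf '%s\n' "$log" | grep -q 'Name or service not known'; then
        echo sso-dns          # record never created, clients cannot resolve
    else
        echo ok
    fi
}

# Constructed sample: the relevant lines from the post's join.log excerpt.
SAMPLE_JOIN_LOG="Create ucs-sso-ng.dom.contoso.net (192.168.1.103) A record on 192.168.1.34
['kinit', '--password-file=/etc/machine.secret', 'ucs-8802\$', 'nsupdate', '-v', '-g', '/tmp/tmprk9rh8q6'] failed with 1 (kinit: Password incorrect
)
failed to add A record for ucs-sso to 192.168.1.34
/usr/lib/univention-install/50keycloak.inst: FATAL:
EXITCODE=2"

diagnose_sample() {
    printf '%s\n' "$SAMPLE_JOIN_LOG" | diagnose_join_log
}

# Live checks, only run with "live" as the first argument, on the UCS host.
# 1. The same Heimdal kinit call the joinscript makes: the machine principal
#    is "<short hostname>$" and the password comes from /etc/machine.secret.
check_machine_kinit() {
    kinit --password-file="$MACHINE_SECRET" "$(hostname -s)\$" && klist
}
# 2. Does the SSO A record exist on the DNS server the joinscript updates?
check_sso_dns() {
    dig +short @"$DNS_SERVER" "$SSO_FQDN" A | grep -q '^[0-9]'
}
# 3. Does Keycloak answer on the name the univention-keycloak CLI connects to?
check_sso_https() {
    curl -sSf "https://$SSO_FQDN/realms/master/.well-known/openid-configuration" >/dev/null
}

if [ "${1:-}" = "live" ]; then
    check_machine_kinit || { echo "machine secret rejected by the KDC"; exit 2; }
    check_sso_dns       || { echo "no A record for $SSO_FQDN on $DNS_SERVER"; exit 3; }
    check_sso_https     || { echo "https://$SSO_FQDN not reachable"; exit 4; }
    echo "all three links OK"
fi
```

Running it with `sh diag.sh live` as root on the UCS host stops at the first failing link and exits with a distinct code per link; the ordering matters, because a rejected machine secret makes the later DNS and HTTPS checks fail by necessity and fixing those first would be wasted effort.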
After this I was able to access the admin panel at http://ucs-sso-ng.dom.contoso.net/, but still could not log in with either my admin or the domain admin on the Windows server.
I managed to resolve this by following the steps mentioned here again:
During installation I used the credentials of the domain admin on the Windows server and can now thankfully access the Keycloak admin panel. As a consequence, the join to the domain by Keycloak was also completed without any issues.