Problem: keycloak Name or service not known

Problem:

If you run

# univention-keycloak saml/sp get
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 162, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 57, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

or you see

Original Error: {'desc': 'Invalid credentials', 'info': 'SASL(-13): authentication failure: SAML assertion issuer https://auth.schein.me/realms/ucs is unknown'}

or

univention-management-console-server[1484]: Unsupported binding: urn:oasis:names:tc:SAML:2.0:bindings:SOAP (https://auth.schein.me/realms/ucs)

or

keycloak.exceptions.KeycloakConnectionError: Can't connect to server (HTTPSConnectionPool(host='ucs-sso-ng.schein.me', port=443): Max retries exceeded with url: /realms/master/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f17a9889c88>: Failed to establish a new connection: [Errno -2] Name or service not known')))

in some of your logfiles.

Solution:

  • It could be that you have changed the FQDN of keycloak. If you see the errors above, you may not have set
ucr set keycloak/server/sso/fqdn=auth.schein.me

on all of your servers.

  • If the portal and SAML run on two different servers, it might be necessary to set
    ucr set umc/saml/trusted/sp/portal.example.org=portal.example.org
    An indication for this is the primary's syslog, where slapd complains about:

Feb 12 14:36:39 ucs01 slapd[2000]: SASL [conn=27127] Failure: SAML assertion issuer https://portal.example.org/realms/ucs is unknown

  • You should also check the /etc/ldap/sasl2/slapd.conf file on your primary. It should contain entries like the following, depending on the number of servers and your configuration:
cat /etc/ldap/sasl2/slapd.conf
## Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
#       /etc/univention/templates/files/etc/ldap/sasl2/slapd.conf
# 
saml_grace: 600
saml_userid: urn:oid:0.9.2342.19200300.100.1.1
saml_idp0: /usr/share/univention-management-console/saml/idp/ucs-sso-ng.schein.me.xml
saml_trusted_sp0: https://portal.schein.me/univention/saml/metadata
saml_trusted_sp1: https://backup.schein.me/univention/saml/metadata
saml_trusted_sp2: https://primary.schein.me/univention/saml/metadata
saml_trusted_sp3: https://schul-repl1.schein.me/univention/saml/metadata
saml_trusted_sp4: https://schul-repl2.schein.me/univention/saml/metadata
saml_trusted_sp5: https://schul-repl3.schein.me/univention/saml/metadata
oauthbearer_grace: 3
oauthbearer_userid: uid
oauthbearer_trusted_jwks0: /usr/share/univention-management-console/oidc/https%3A%2F%2Fucs-sso-ng.schein.me%2Frealms%2Fucs.jwks
oauthbearer_trusted_iss0: https://ucs-sso-ng.schein.me/realms/ucs
oauthbearer_trusted_iss1: https://ucs-sso-ng.schein.me/realms/ucs
oauthbearer_trusted_aud0: ldaps://primary.schein.me/
oauthbearer_trusted_aud1: ldaps://schein.me/
oauthbearer_trusted_aud2: ucsportaloidc
oauthbearer_trusted_aud3: ucsportaloidc
oauthbearer_trusted_azp0: https://backup.schein.me/univention/oidc/
oauthbearer_trusted_azp1: https://portal.schein.me/univention/oidc/
oauthbearer_trusted_azp2: https://primary.schein.me/univention/oidc/
oauthbearer_trusted_azp3: https://schul-repl1.schein.me/univention/oidc/
oauthbearer_trusted_azp4: https://schul-repl2.schein.me/univention/oidc/
oauthbearer_trusted_azp5: https://schul-repl3.schein.me/univention/oidc/
oauthbearer_trusted_azp6: ucsportaloidc
mech_list: EXTERNAL gssapi DIGEST-MD5 CRAM-MD5 LOGIN SAML OAUTHBEARER PLAIN

If entries like saml_idp0: /usr/share/univention-management-console/saml/idp/ucs-sso-ng.schein.me.xml are missing, the file is not healthy; rerun the join script and check the file again afterwards:

univention-run-join-scripts \
   --force \
   --run-scripts 92univention-management-console-web-server.inst
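The checks above can be scripted so they are repeated the same way on every server. The following script is an added example written for this article, not part of UCS or the join script: it tests whether the SSO FQDN resolves on the local host (the cause of the "Name or service not known" error), whether /etc/ldap/sasl2/slapd.conf has the saml_idp, saml_trusted_sp and mech_list entries shown above, whether the saml_idp entry references the current SSO FQDN (assuming, as in the listing above, that the IdP metadata file is named after that FQDN), and whether a given host is listed as a trusted SP. The host names under example.org and the sample file built in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Univention article or of UCS.
# Helper checks for the slapd SASL configuration described in the article.

# sso_fqdn_resolves FQDN
# Returns 0 if FQDN resolves on this host. A failing lookup here is what
# produces "socket.gaierror: [Errno -2] Name or service not known".
sso_fqdn_resolves() {
    getent hosts "$1" >/dev/null
}

# sasl_conf_healthy FILE
# Returns 0 if FILE has at least one saml_idp<n> entry, at least one
# saml_trusted_sp<n> entry and SAML in mech_list; prints what is missing.
sasl_conf_healthy() {
    f=$1
    rc=0
    grep -q '^saml_idp[0-9]*:' "$f" \
        || { echo "MISSING: saml_idp<n> (IdP metadata) in $f"; rc=1; }
    grep -q '^saml_trusted_sp[0-9]*:' "$f" \
        || { echo "MISSING: saml_trusted_sp<n> in $f"; rc=1; }
    grep -q '^mech_list:.*SAML' "$f" \
        || { echo "MISSING: SAML in mech_list of $f"; rc=1; }
    return $rc
}

# idp_matches_fqdn FILE FQDN
# Assumption: the saml_idp<n> entry points at an IdP metadata file named
# <FQDN>.xml. If keycloak/server/sso/fqdn was changed elsewhere but not on
# this server, the entry still references the old name.
idp_matches_fqdn() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^saml_idp[0-9]*:.*/$esc\.xml\$" "$1"
}

# sp_is_trusted FILE HOST
# Returns 0 if https://HOST/univention/saml/metadata is a trusted SP, i.e.
# what umc/saml/trusted/sp/HOST=HOST on the primary should produce.
sp_is_trusted() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^saml_trusted_sp[0-9]*: *https://$esc/univention/saml/metadata\$" "$1"
}

# Demo on a constructed file shaped like the article's listing (hypothetical
# hosts under example.org; the SSO FQDN was changed to auth.example.org but
# the IdP entry still references the old name, and backup is not trusted).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
saml_grace: 600
saml_userid: urn:oid:0.9.2342.19200300.100.1.1
saml_idp0: /usr/share/univention-management-console/saml/idp/ucs-sso-ng.example.org.xml
saml_trusted_sp0: https://portal.example.org/univention/saml/metadata
saml_trusted_sp1: https://primary.example.org/univention/saml/metadata
mech_list: EXTERNAL gssapi DIGEST-MD5 CRAM-MD5 LOGIN SAML OAUTHBEARER PLAIN
EOF
sasl_conf_healthy "$demo_conf" && echo "structure OK"
idp_matches_fqdn "$demo_conf" auth.example.org \
    || echo "saml_idp does not reference auth.example.org: check keycloak/server/sso/fqdn here"
sp_is_trusted "$demo_conf" backup.example.org \
    || echo "backup.example.org is not a trusted SP: check umc/saml/trusted/sp/backup.example.org"
sso_fqdn_resolves auth.example.org \
    || echo "auth.example.org does not resolve on this host"
rm -f "$demo_conf"
```

On a real system, run the functions against /etc/ldap/sasl2/slapd.conf with the value of `ucr get keycloak/server/sso/fqdn`; a failing idp_matches_fqdn or sasl_conf_healthy points to the join script rerun above, a failing sp_is_trusted to the umc/saml/trusted/sp variable, and a failing sso_fqdn_resolves to DNS rather than to the SASL configuration.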