Problem: Reject Primary:Kerberos missing

Problem:

You see the following traceback in the connector-s4.log:

25.03.2018 06:25:11,52 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=someuser,ou=someou,DC=example,DC=intrane
25.03.2018 06:25:46,834 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1510818361.430555
25.03.2018 06:25:46,898 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 791, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2520, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/password.py", line 641, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ ctrl_bypass_password_hash ])
  [...]
CONSTRAINT_VIOLATION: {'info': '0000202F: Primary:Kerberos missing at ../source4/dsdb/samdb/ldb_modules/password_hash.c:320', 'desc': 'Constraint violation'}

Possible reason: Windows changes its requirements for encryption algorithms from time to time (especially regarding backwards compatibility). For example, DES is still supported. However, if you use UCR to switch off weak encryption for security reasons, Windows will no longer accept the account because a key is missing.

Solution: Switch on weaker keys for Kerberos:

ucr set kerberos/allow/weak/crypto=true

Then change a user password via UDM or UMC.
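
To find out which accounts are affected, the following added example (not part of the original article) lists each DN whose sync from UCS ended in the "Primary:Kerberos missing" constraint violation. The function names kerberos_rejects and sample_log and the embedded log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list DNs whose UCS -> S4 sync was rejected with
# "Primary:Kerberos missing". Function names are hypothetical.

kerberos_rejects() {
    # Reads connector-s4.log from the given file(s) or from stdin.
    awk '
        /sync from ucs:/ {
            # Remember the DN of the object being synced: it is the text
            # after the last "] " on the PROCESS line.
            dn = $0
            sub(/^.*[]] /, "", dn)
            next
        }
        /CONSTRAINT_VIOLATION/ && /Primary:Kerberos missing/ {
            # The connector retries rejects, so report each DN only once.
            if (dn != "" && !seen[dn]++) print dn
            dn = ""
        }
    ' "$@"
}

sample_log() {
    # Constructed log lines modelled on the traceback above (not real data).
    cat <<'EOF'
25.03.2018 06:25:11,52 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=someuser,ou=someou,DC=example,DC=test
25.03.2018 06:25:46,834 LDAP        (WARNING): sync failed, saved as rejected
25.03.2018 06:25:46,898 LDAP        (WARNING): Traceback (most recent call last):
CONSTRAINT_VIOLATION: {'info': '0000202F: Primary:Kerberos missing at ../source4/dsdb/samdb/ldb_modules/password_hash.c:320', 'desc': 'Constraint violation'}
25.03.2018 06:26:02,110 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=otheruser,ou=someou,DC=example,DC=test
25.03.2018 06:31:11,52 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=someuser,ou=someou,DC=example,DC=test
CONSTRAINT_VIOLATION: {'info': '0000202F: Primary:Kerberos missing at ../source4/dsdb/samdb/ldb_modules/password_hash.c:320', 'desc': 'Constraint violation'}
25.03.2018 06:32:00,001 LDAP        (PROCESS): sync from ucs: [         group] [    modify] cn=somegroup,ou=someou,DC=example,DC=test
CONSTRAINT_VIOLATION: {'info': 'constructed unrelated error', 'desc': 'Constraint violation'}
EOF
}

# Demo on the constructed sample; on a real system pass the log file instead:
#   kerberos_rejects connector-s4.log
sample_log | kerberos_rejects
```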
