univention-s4connector-list-rejected shows very frequently rejects as follows:
UCS rejected 1: UCS DN: cn=Console Logon,cn=Builtin,dc=domain,dc=intranet S4 DN: cn=console logon,cn=builtin,DC=domain,DC=intranet Filename: /var/lib/univention-connector/s4/1532257834.494789 S4 rejected 1: S4 DN: CN=Console Logon,CN=Builtin,DC=domain,DC=intranet UCS DN: cn=console logon,cn=builtin,dc=domain,dc=intranet last synced USN: 25042
Removing the reject only helps for a short time and the reject happens again later.
It appears this group is to be ignored by the connector (see bug) but is not set in the filter rules.
To add and this group as a new entry to the
connector/s4/mapping/group/ignorelist do the following:
ucr set connector/s4/mapping/group/ignorelist="Console Logon, $(ucr get connector/s4/mapping/group/ignorelist)" systemctl restart univention-s4-connector
You might use UMC to add this entry to the UCS registry, too.