UCS 5.2-4: master join-hooks segfault, backup Keycloak invalid_grant, and 5.2-5 pre-update blocked

Good day,

Small UCS 5.2-4 domain with three nodes:

  • Master: Primary Directory Node
  • Backup: Backup Directory Node
  • Managed: member (reverse proxy + mail server)

Keycloak app is installed on master node only. Nextcloud, eGroupware, and Rocket.Chat were previously installed as apps on the managed node but were removed to stand-alone installs prior to the 5.0 > 5.2 upgrade.

Attempting to update to 5.2-5 fails in the pre-update checks with:

  • minimum_ucs_version_of_all_systems_in_domain requirement not met
  • update aborts before packages are installed.

All nodes show version 5.2-4 in LDAP query.
Errata updates complete successfully.

Attempted domain rejoin:

  1. Master: univention-join-hooks segfault at join/pre-joinscripts

univention-run-join-scripts started
Sat 02 May 2026 09:28:29 AEST

univention-join-hooks: looking for hook type "join/pre-joinscripts" on master.mydomain
Found hooks:
  
/usr/share/univention-join/joinscripthelper.lib: line 318: 3214063 Segmentation fault      /usr/share/univention-join/univention-join-hooks --server-role "$server_role" --hooktype "$hooktype" --master "$master" --binddn "$j_binddn" --bindpwdfile "$j_bindpwdfile" >> /var/log/univention/join.log 2>&1

**************************************************************************
* Running join scripts failed!                                           *
**************************************************************************
* Message:  join/pre-joinscripts failed, see /var/log/univention/join.log
**************************************************************************

Checks on master node:

ls -1 /usr/share/univention-join/join-hooks.d/
# -> No such file or directory (no custom hooks)

file /usr/share/univention-join/univention-join-hooks
# -> Python script, ASCII text executable

dpkg -S /usr/share/univention-join/univention-join-hooks
# -> univention-join

dpkg -V univention-join
# -> no modified files reported

Appears the Python hook runner itself (or something it imports) segfaults during join/pre-joinscripts, with no custom hook directory present.


  2. On Backup node: UMC/Keycloak join invalid_grant (workaround applied)

On backup node, domain join from the GUI initially failed in:

92univention-management-console-web-server.inst

Excerpt from /var/log/univention/join.log:

CREATING KEYCLOAK SAML CLIENT.....
...
keycloak.exceptions.KeycloakPostError: 400: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
92univention-management-console-web-server.inst: Could not create SAML service provider

Context:

  • Keycloak app installed on master node, UCR shows e.g.:

    appcenter/apps/keycloak/status: installed
    appcenter/apps/keycloak/version: 26.6.1-ucs1
    keycloak/server/sso/fqdn: ucs-sso-ng.mydomain
    
  • In Keycloak GUI, I see UCS realm clients for:

    • https://master.mydomain/univention/saml/metadata
    • https://backup.mydomain/univention/saml/metadata
    • https://managed.mydomain/univention/saml/metadata
  • No dedicated “sys-idp-user” shows up in the Users list; UCS appears to use client/service-account credentials.

Connectivity from backup node is OK:

curl -vk https://ucs-sso-ng.mydomain
curl -vk https://master.mydomain

Both succeed with the UCS internal CA.

As a workaround on backup node:

mv /usr/lib/univention-install/92univention-management-console-web-server.inst \
   /usr/lib/univention-install/92univention-management-console-web-server.inst.disabled

Then from the GUI, re-ran the join; now:

univention-check-join-status
# -> Joined successfully

Backup node joins cleanly with that one joinscript skipped.

Questions

  1. How can I debug/fix the univention-join-hooks segfault at join/pre-joinscripts on master, given:

    • No custom hook directory,
    • univention-join-hooks is an unmodified Python script from univention-join,
  2. What is the recommended way to repair the Keycloak service credentials used by univention-keycloak in 92univention-management-console-web-server.inst (currently returning invalid_grant), when the UCS Keycloak app manages these internally and there is no obvious user in the Keycloak “Users” section?

Many thanks in advance for any guidance.

Gentle bump on this.

Any suggestions to resolve the Keycloak join issue, or the blocked update to 5.2-5? Latest update 5.2-4 errata435 is installed on all 3 nodes.

Checking disk_space ...                           OK
Checking failed_ldif ...                          OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          UNKNOWN attributeDescription "NEXTCLOUDENABLED" inserted.
UNKNOWN attributeDescription "ROCKETCHATACTIVATED" inserted.
OK
Checking master_version ...                       OK
Checking minimum_ucs_version_of_all_systems_in_domain ... FAIL
Checking net_installer ...                        OK
Checking overwritten_umc_templates ...            OK
Checking package_status ...                       OK
Checking role_package_removed ...                 OK
Checking s4-connector-memberof-pre-windows-2k-compatible-access ... OK
Checking slapd_on_member ...                      OK
Checking ssh ...                                  OK
Checking system_date_too_old ...                  OK
Checking term ...                                 OK
Checking ucsschool ...                            OK
Checking valid_machine_credentials ...            OK

The system can not be updated to UCS 5.2 due to the following reasons:

minimum_ucs_version_of_all_systems_in_domain:


Error: Update aborted by pre-update script of release 5.2-5

Would it be recommended instead to install a new domain master and then join the managed node here?

The managed node hosts the only critical services, with DNS readily reconfigured on a new master. UCS is not hosting SSO for this domain.