Bug 57313 - Keycloak installation fails because of Postgres DB - Invalid user credentials
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
Reported: 2024-05-22 16:16 CEST by Mirac Erdemiroglu
Modified: 2024-07-01 17:38 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024051521000209
Bug group (optional): Usability
Max CVSS v3 score:

Description Mirac Erdemiroglu univentionstaff 2024-05-22 16:16:07 CEST
UCS: 5.0-7 errata1044
Installed: keycloak=24.0.3-ucs1

In our case, keycloak was installed on the primary in an earlier version for test purposes, but was removed again after a short time.
Now we want to use Keycloak effectively and install it on the backup node, but the installation keeps failing.

The presumed reason for this was that the Postgres DB had stored the wrong password from the previous version. According to this, when Keycloak is removed, the Postgres DB is not carefully cleaned up, so that a new installation is also assigned the current password.


Information from the join.log

RUNNING 50keycloak.inst
2024-05-21 12:40:56.845491270+02:00 (in joinscript_init)
No module named 'ucs-school-ucr-l10n-fr'
Create ucs/web/overview/entries/admin/keycloak/description/de
Create ucs/web/overview/entries/admin/keycloak/description
Create ucs/web/overview/entries/admin/keycloak/label
Create ucs/web/overview/entries/admin/keycloak/link
Create ucs/web/overview/entries/admin/keycloak/icon
Create ucs/web/overview/entries/admin/keycloak/link-target
Module: ucs-school-ucr-xxx-xx
Module: create_portal_entries
Object modified: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=edu,dc=univention,dc=de
Object exists: cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de

Waiting for activation of the extension object 67keycloak: OK
Object exists: cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object created: cn=keycloak DB,cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object modified: cn=xxx,cn=dc,cn=computers,dc=edu,dc=univention,dc=de
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Warning: The file '/etc/postgresql/15/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "sso xx.xxx.xx.xx" to zone xxx.univention.de...
21.05.24 12:41:06.797  DEBUG_INIT
21.05.24 12:41:06.800  DEBUG_EXIT
Restarting keycloak ...
^MRestarting keycloak ...  done ^M
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 510, in get_realms
    session = UniventionKeycloakAdmin(opt)                                                                                                                 
  File "/usr/sbin/univention-keycloak", line 191, in __init__                                                                                             
    verify=opt.no_ssl_verify,                                                                                                                              
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__                                                                   
    self.get_token()                                                                                                                                       
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token                                                              
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)                                                          
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token                                                                  
    return raise_error_from_response(data_raw, KeycloakGetError)                                                                                           
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response                                                     
    response_body=response.content)                                                                                                   
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}' 



And of course if we try the following command, we get the same traceback.


univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get                                                                               

Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main                                                                                                                
    return opt.func(opt) or 0                                                                                                                                             
  File "/usr/sbin/univention-keycloak", line 510, in get_realms                                                                                                           
    session = UniventionKeycloakAdmin(opt)                                                                                                                                
  File "/usr/sbin/univention-keycloak", line 191, in __init__                                                                                                             
    verify=opt.no_ssl_verify,                                                                                                                                             
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__                                                                                  
    self.get_token()                                                                                                                                                      
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token                                                                               
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)                                                                         
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token                                                                                   
    return raise_error_from_response(data_raw, KeycloakGetError)                                                                                                          
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response                                                                    
    response_body=response.content)                                                                                                                                       
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'



Steps taken to remove the database.

    univention-app remove keycloak
    rm -r /etc/keycloak.secret*
    su postgres
    dropdb keycloak
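
A triage helper for the failure shown in the join.log excerpt above, added here as an example (not code from Univention or from the reporter): it attributes each Keycloak HTTP error line to the joinscript that was running when it occurred. The function name, the abridged sample log and its second joinscript section are assumptions made for illustration.

```python
import json
import re

# Abridged from the join.log excerpt in the description; the second
# joinscript section (99example.inst) is constructed for illustration.
SAMPLE_JOIN_LOG = """\
RUNNING 50keycloak.inst
2024-05-21 12:40:56.845491270+02:00 (in joinscript_init)
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 510, in get_realms
    session = UniventionKeycloakAdmin(opt)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
RUNNING 99example.inst
Object exists: cn=example
"""

RUNNING_RE = re.compile(r"^RUNNING (?P<script>\S+)\s*$")
STAMP_RE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \S+) \(in joinscript_init\)")
ERROR_RE = re.compile(r"^(?P<exc>[\w.]+): (?P<status>\d{3}): b'(?P<body>\{.*\})'\s*$")


def find_auth_failures(log_text):
    """Return one record per Keycloak HTTP error, tagged with its joinscript."""
    failures = []
    script = stamp = None
    for raw in log_text.splitlines():
        line = raw.replace("^M", "").rstrip()  # drop pasted carriage-return marks
        if m := RUNNING_RE.match(line):
            script, stamp = m["script"], None  # a new joinscript section starts
        elif m := STAMP_RE.match(line):
            stamp = m["stamp"]
        elif m := ERROR_RE.match(line):
            try:
                body = json.loads(m["body"])  # OAuth error payload from Keycloak
            except json.JSONDecodeError:
                body = {}
            failures.append({
                "script": script,
                "started": stamp,
                "exception": m["exc"].rsplit(".", 1)[-1],
                "status": int(m["status"]),
                "error": body.get("error"),
                "description": body.get("error_description"),
            })
    return failures
```

Run against a full join.log, the `script` field shows which joinscript hit the 401, which separates a rejected admin credential from an unrelated joinscript failure.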
Comment 1 Mirac Erdemiroglu univentionstaff 2024-05-22 16:49:59 CEST
Knowledge Base Article to solve this issue:

https://help.univention.com/t/problem-keycloak-installation-of-keycloak-failes-because-invalid-user-credentials/23030
Comment 2 Dirk Ahrnke univentionstaff 2024-07-01 17:38:27 CEST
Observed during training with UCS: 5.0-8 errata1073 keycloak=24.0.5-ucs1

- have Keycloak installed on the primary
- do a backup2master
- reinstall as backup with the same hostname and IP address
- try to install Keycloak

To me it didn't look like the database survived the reinstallation.