Univention Bugzilla – Bug 57313
Keycloak installation fails because of Postgres DB - Invalid user credentials
Last modified: 2024-07-01 17:38:27 CEST
UCS: 5.0-7 errata1044
Installed: keycloak=24.0.3-ucs1

In our case, keycloak was installed on the primary in an earlier version for test purposes, but was removed again after a short time. Now we want to use Keycloak effectively and install it on the backup node, but the installation keeps failing.

The presumed reason for this was that the Postgres DB had stored the wrong password from the previous version. According to this, when Keycloak is removed, the Postgres DB is not carefully cleaned up, so that a new installation is also assigned the current password.

Information from the join.log

RUNNING 50keycloak.inst
2024-05-21 12:40:56.845491270+02:00 (in joinscript_init)
No module named 'ucs-school-ucr-l10n-fr'
Create ucs/web/overview/entries/admin/keycloak/description/de
Create ucs/web/overview/entries/admin/keycloak/description
Create ucs/web/overview/entries/admin/keycloak/label
Create ucs/web/overview/entries/admin/keycloak/link
Create ucs/web/overview/entries/admin/keycloak/icon
Create ucs/web/overview/entries/admin/keycloak/link-target
Module: ucs-school-ucr-xxx-xx
Module: create_portal_entries
Object modified: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=edu,dc=univention,dc=de
Object exists: cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de
Waiting for activation of the extension object 67keycloak: OK
Object exists: cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object created: cn=keycloak DB,cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object modified: cn=xxx,cn=dc,cn=computers,dc=edu,dc=univention,dc=de
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Warning: The file '/etc/postgresql/15/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "sso xx.xxx.xx.xx" to zone xxx.univention.de...
21.05.24 12:41:06.797 DEBUG_INIT
21.05.24 12:41:06.800 DEBUG_EXIT
Restarting keycloak ... ^MRestarting keycloak ... done ^M
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 510, in get_realms
    session = UniventionKeycloakAdmin(opt)
  File "/usr/sbin/univention-keycloak", line 191, in __init__
    verify=opt.no_ssl_verify,
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'

And of course if we try the following command, we get the same traceback.

univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 510, in get_realms
    session = UniventionKeycloakAdmin(opt)
  File "/usr/sbin/univention-keycloak", line 191, in __init__
    verify=opt.no_ssl_verify,
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'

Steps taken to remove the database.

univention-app remove keycloak
rm -r /etc/keycloak.secret*
su postgres
dropdb keycloak

Knowledge Base Article to solve this issue: https://help.univention.com/t/problem-keycloak-installation-of-keycloak-failes-because-invalid-user-credentials/23030

observed during training with
UCS: 5.0-8 errata1073
keycloak=24.0.5-ucs1

- have Keycloak installed on the primary
- do a backup2master
- reinstall as backup with the same hostname and IP address
- try to install keycloak

To me it didn't look like the database survived the reinstallation.