4.1 to 4.2 upgrade niggles

Regarding the SAML SSO/SSL issues, here are some other details.

The stunnel4.service is not starting after boot on either the master or backup. Is it required for SAML SSO to work? Starting it manually with systemctl will start it, but do I then need to restart any other services to rebind tunnels? Similar to this thread:

When the administrator user attempts to log on via SAML SSO to UMC on the DC backup the DC backup syslog has these entries for SSL|SAML:

:/var/log/univention# tail -f ../syslog|egrep -i 'ssl|saml'
Jul 26 14:06:43 dcm1 univention-saml-stunnel: LOG3[35]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] User 'administrator' has been successfully authenticated.
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] saml20-idp-SSO-first https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] saml20-idp-SSO https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/dcbackup.ourdomain-snipped.com.au.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] Backtrace:
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 9 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 8 [builtin] (MemcachePool::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:253 (SimpleSAML_Auth_State::loadState)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:17 (require)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 0 /usr/share/simplesamlphp/www/module.php:137 (N/A)
Jul 26 14:06:44 dcm1 univention-saml-stunnel: LOG3[36]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 5 STAT [9167b94fab] saml20-idp-SSO https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/dcbackup.ourdomain-snipped.com.au.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] Backtrace:
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 11 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 10 [builtin] (MemcachePool::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:54 (SimpleSAML_Auth_Simple::isAuthenticated)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:264 (SimpleSAML_IdP::isAuthenticated)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:404 (SimpleSAML_IdP::handleAuthenticationRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

This is in the syslog on the master:

:/var/log# tail -f syslog|egrep -i 'ssl|saml'
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG4[35]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG4[35]: Rejected by CERT at depth=0: C=AU, ST=AU, L=AU, O=<snipped company>, OU=Univention Corporate Server, CN=ucs-sso.ourdomain-snipped.com.au, emailAddress=ssl@ourdomain-snipped.com.au
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG3[35]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: Rejected by CERT at depth=0: C=AU, ST=AU, L=AU, O=<snipped company>, OU=Univention Corporate Server, CN=ucs-sso.ourdomain-snipped.com.au, emailAddress=ssl@ourdomain-snipped.com.au
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG3[36]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

A couple of memcache errors and a mention of a CA.

SAML package versions are the same on both DCs (4.2-1 errata 99):

> dpkg -l|grep -i saml
ii  cy2-saml                                            1.5.0-6A~4.2.0.201703311555                    amd64        SASL plugin for SAML authentication
ii  liblasso3                                           2.4.1-1.10.201508131139                        amd64        Library for Liberty Alliance and SAML protocols - runtime library
ii  pam-saml                                            1.5.0-6A~4.2.0.201703311555                    amd64        PAM module for SAML authentication
ii  python-pysaml2                                      3.0.0-5A~4.2.0.201702151906                    all          SAML Version 2 to be used in a WSGI environment - Python 2.x
ii  simplesamlphp                                       1.14.11-1A~4.2.0.201703101227                  all          Authentication and federation application supporting several protocols
ii  univention-saml                                     4.0.14-6A~4.2.0.201707031430                   all          Integrates simpleSAMLphp Identity Provider into UCS
ii  univention-saml-schema                              4.0.14-6A~4.2.0.201707031430                   all          UCS simpleSAMLphp ldap integration

Hope that helps.
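A small triage helper for the syslog excerpts in the post above, written here as an added example (it is not code from the post or from Univention): it parses the univention-saml-stunnel and simplesamlphp lines, pairs the client-side SSL_connect "tlsv1 alert unknown ca" with the server-side SSL_accept "certificate verify failed" by stunnel connection id (the ids line up across both hosts in the excerpts, which this assumes), and lists the memcache read failures the IdP reports once the tunnel drops. The sample lines are constructed from the post's format, reusing its hostnames, ids and socket path.

```python
import re
from collections import defaultdict

# Constructed sample, modelled line-for-line on the syslog excerpts in the post
# (hostnames, connection ids and the socket path are taken from the post).
SAMPLE_LOG = """\
Jul 26 14:06:43 dcm1 univention-saml-stunnel: LOG3[35]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/dcbackup.ourdomain-snipped.com.au.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG4[35]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG3[35]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jul 26 14:06:44 dcm1 univention-saml-stunnel: LOG3[36]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

SYSLOG_PREFIX = r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) "
STUNNEL_RE = re.compile(SYSLOG_PREFIX + r"univention-saml-stunnel: LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
MEMCACHE_RE = re.compile(SYSLOG_PREFIX + r"simplesamlphp\[\d+\]: .*MemcachePool::get\(\): Server (?P<server>\S+) .*failed with: (?P<reason>[^()]+)")

def parse_stunnel(lines):
    """Turn univention-saml-stunnel syslog lines into dicts: host, log level, connection id, TLS side, message."""
    events = []
    for line in lines:
        m = STUNNEL_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("SSL_connect"):
            side = "connect"   # this host acted as the stunnel client
        elif msg.startswith("SSL_accept"):
            side = "accept"    # this host acted as the stunnel server
        else:
            side = "cert"      # verification detail such as a pre-verification error
        events.append({"host": m["host"], "level": int(m["level"]), "conn": int(m["conn"]), "side": side, "detail": msg})
    return events

def diagnose(log_text):
    """Pair 'unknown ca' client alerts with 'certificate verify failed' on the server, and list memcache read failures."""
    lines = log_text.splitlines()
    by_conn = defaultdict(list)
    for ev in parse_stunnel(lines):
        by_conn[ev["conn"]].append(ev)
    findings = []
    for conn, evs in sorted(by_conn.items()):
        client = next((e for e in evs if e["side"] == "connect" and "unknown ca" in e["detail"]), None)
        server = next((e for e in evs if e["side"] == "accept" and "certificate verify failed" in e["detail"]), None)
        no_issuer = any("unable to get local issuer certificate" in e["detail"] for e in evs)
        if client and server:  # both sides seen: the acceptor does not trust the connector's certificate chain
            findings.append(f"conn {conn}: {server['host']} rejected client cert from {client['host']}"
                            + (" (issuer CA missing from verify store)" if no_issuer else ""))
    memcache = [f"{m['host']}: {m['server']} {m['reason'].strip()}"
                for m in (MEMCACHE_RE.match(ln) for ln in lines) if m]
    return findings, memcache
```

A connection id seen only on the connecting side (conn 36 in the sample) yields no finding, which keeps the report to pairs where the rejecting server's own log confirms the cause.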