Problem:

The join of additional UCS backup servers fails in 91univention-saml.inst

Environment

1. Only joining servers with backup role are affected, no slave or member server.
2. On the joining server:
   You will notice the following lines in /var/log/univention/join.log:

scp: /etc/univention/ssl/ucs-sso.multi.ucs/private.key: Permission denied
scp: /etc/univention/ssl/ucs-sso.multi.ucs/req.pem: Permission denied
scp: /etc/univention/ssl/ucs-sso.multi.ucs/openssl.cnf: Permission denied
scp: /etc/univention/ssl/ucs-sso.multi.ucs/cert.pem: Permission denied

__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************

3. On the master server
   Check file permissions:

root@ucs:~# ls -alh /etc/univention/ssl/ucs-sso.multi.ucs/
insgesamt 28K
drwxr-x---  2 root DC Backup Hosts 4,0K Feb 19 21:31 .
drwxr-xr-x 35 root DC Backup Hosts 4,0K Mär  7 08:08 ..
-rw-------  1 root DC Backup Hosts 5,3K Feb 19 21:31 cert.pem
-rw-------  1 root DC Backup Hosts 2,8K Feb 19 21:31 openssl.cnf
-rw-------  1 root DC Backup Hosts 1,7K Feb 19 21:31 private.key
-rw-------  1 root DC Backup Hosts 1,3K Feb 19 21:31 req.pem

Solution

Permissions on the certificate files are set too restrictive. The group “Backup Hosts” is not allowed to read the files and thus can not copy them which is needed for a backup server.
Set set permissions as follows:
chmod 0640 etc/univention/ssl/ucs-sso.multi.ucs/*

Restart the join process.

The reason for the wrong permissions are under investigation, there is a bug open for the failing joinscript.