Problem: 'Your session has expired, please log in again' while using computerroom

Problem:

The message 'Your session has expired, please log in again' appears while using computerroom if you are logged in with a SAML session. Without a SAML login, the session stays alive.

Environment:

This behaviour occurred in larger school environments with a master and additional backup servers, all configured for SAML authentication.

Investigation:

In /var/log/syslog on all servers (master and backup role) you will find messages like these:

Oct 5 13:50:34 backup02 simplesamlphp[17090]: 3 [10056ebd97] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup01.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [f9dbfd2d83] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup06.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [f9dbfd2d83] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup03.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [f9dbfd2d83] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/master.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [f9dbfd2d83] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup04.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [f9dbfd2d83] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup01.schein.me.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:36 backup02 slapd[13363]: connection_read(34): no connection!

The command

ls -lah /var/run/univention-saml/

should list the sockets of the peer servers. In this case, no sockets were listed.
These sockets are created when the stunnel service starts.

So there are two possibilities:
The stunnel service is not running at all, or it hangs for no visible reason.
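
The log check and the socket check above can be combined. The following is an added example, not part of the original article: it extracts the socket paths from the MemcachePool::set() errors and prints those that do not currently exist as sockets. The function names and the sample log lines (example.test hostnames, request ids) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list peer sockets that simplesamlphp reported as missing
# and that are still absent on disk.

# Constructed sample in the syslog format shown above
# (example.test hostnames and request ids are placeholders).
sample_log() {
cat <<'EOF'
Oct 5 13:50:34 backup02 simplesamlphp[17090]: 3 [aaaaaaaaaa] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup01.example.test.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [bbbbbbbbbb] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/master.example.test.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:35 backup02 simplesamlphp[17091]: 3 [bbbbbbbbbb] SimpleSAML_Error_Exception: Error 8 - MemcachePool::set(): Server unix:///var/run/univention-saml/backup01.example.test.socket (tcp 0, udp 0) failed with: No such file or directory (2)
Oct 5 13:50:36 backup02 slapd[13363]: connection_read(34): no connection!
EOF
}

# Read syslog lines on stdin; print each distinct socket path that a
# MemcachePool::set() call failed on with "No such file or directory".
reported_sockets() {
    sed -n '/MemcachePool::set()/s|.*Server unix://\(/[^ ]*\) (tcp.*No such file or directory.*|\1|p' \
        | sort -u
}

# Read paths on stdin; print those that are not unix sockets right now.
absent_sockets() {
    while IFS= read -r sock; do
        [ -S "$sock" ] || printf '%s\n' "$sock"
    done
}

# Demo on the constructed sample. On a server, use the real log instead:
#   reported_sockets < /var/log/syslog | absent_sockets
# Empty output means every socket named in the errors exists again.
sample_log | reported_sockets | absent_sockets
```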

Solution:

ps aufx |grep stunnel
samlcgi  32404  0.0  0.0 113304  1120 ?        Ss   Okt20   0:00 /usr/bin/stunnel4 /etc/stunnel/univention_saml.conf
systemctl status stunnel4.service 
● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated; vendor preset: enabled)
   Active: active (running) since Tue 2020-10-20 16:03:18 CEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 1 (limit: 4915)
   Memory: 1.3M
      CPU: 34ms
   CGroup: /system.slice/stunnel4.service
           └─32404 /usr/bin/stunnel4 /etc/stunnel/univention_saml.conf

The PIDs shown by the two commands may be the same, but they can also differ. If the sockets are missing, the stunnel service has to be restarted.
Try this via systemctl and make sure the process gets a new PID. If it does not, use kill or kill -9 on the stunnel process and start the service via systemctl again.

We have a bug report for this, so that this behaviour can be avoided in the future:
Bug 52196
