Univention Bugzilla – Bug 44669
FAILED: 91univention-saml.inst
Last modified: 2023-07-28 14:39:33 CEST
Version: 4.1-4 errata324 (Vahr) Domain setup (this might take a while): FAILED: 91univention-saml.inst
Reported again: Version: 4.2-3 errata52 (Lesum)
Reported again (due to #46319): Version: 4.2-3 errata305 (Lesum) Domain setup (this might take a while): FAILED: 91univention-saml.inst
Reported again: Version: 4.3-0 errata3 (Neustadt) Remark: Constant error with this script Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: 91univention-saml.inst Role: domaincontroller_backup
needmoreinfo: setup.log and join.log from an affected system
Version: 4.3-3 errata410 (Neustadt)
Remark: Join as backup domain controller
    **************************************************************************
    * Join failed! *
    * Contact your system administrator *
    **************************************************************************
    * Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- FAILED: 91univention-saml.inst
    **************************************************************************
Version: UCS4.3-3 errata 456 We're running into that bug when joining a (formerly crashed) freshly installed backup domain controller.
Ticket #2019031421001027 has an USI from the DC backup.
(In reply to Arvid Requate from comment #8)
> Ticket #2019031421001027 has an USI from the DC backup.

In that ticket the issue was that the permissions of the ucs-sso certificates were wrong: files below /etc/univention/ssl/ucs-sso.$domainname/ were not readable by the group "DC Backup Hosts", so they could not be transferred in the joinscript.

At least comment#6 has a completely different error. There seems to be no single issue causing failure of this joinscript.
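An added check for the condition described in the comment above (example code, not part of this report or of the univention-saml package): it verifies that the group name resolves, which is the lookup that fails in the "chown: invalid group" log lines, and that every file and directory below the certificate directory is owned by that group with group read access. The function name is hypothetical; it assumes GNU stat and getent, and it evaluates only the traditional mode bits, not ACLs.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Univention code).
# Usage on a UCS system, with the path and group named in the comment above:
#   check_sso_cert_access "/etc/univention/ssl/ucs-sso.$(ucr get domainname)" "DC Backup Hosts"
# Returns 0 = group can read everything, 1 = findings printed,
#         2 = group or directory missing.
check_sso_cert_access() {
    dir=$1
    group=$2

    # "chown: invalid group" in the join logs means this lookup fails.
    if ! getent group "$group" >/dev/null 2>&1; then
        echo "group does not resolve: $group"
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 2
    fi

    # Collect one line per problem; the loop runs in a subshell, so the
    # result is passed back through command substitution.
    findings=$(
        find "$dir" \( -type d -o -type f \) -print |
        while IFS= read -r path; do
            owner_group=$(stat -c '%G' "$path")   # owning group name
            perms=$(stat -c '%A' "$path")         # e.g. -rw-r----- or drwxr-x---
            if [ "$owner_group" != "$group" ]; then
                echo "wrong group ($owner_group): $path"
                continue
            fi
            case $perms in
                d???r?[xs]*) ;;   # directory: group may list and traverse
                -???r*) ;;        # regular file: group may read
                *) echo "group cannot read ($perms): $path" ;;
            esac
        done
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A finding on the private key should be fixed by restoring the expected group and group-read bit, not by making the file world-readable.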
Reported again: Version: 4.4-3 errata482 (Blumenthal)
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/91univention-saml.inst
    Configure 91univention-saml.inst Sat Mar 14 11:09:06 CET 2020
    2020-03-14 11:09:06.783440326+01:00 (in joinscript_init)
Role: domaincontroller_master
reported again: Version: 4.4-3 errata499 (Blumenthal)
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/91univention-saml.inst
    Configure 91univention-saml.inst Fri Mar 20 23:34:57 CET 2020
    2020-03-20 23:34:57.303243474+01:00 (in joinscript_init)
    Create saml/idp/certificate/privatekey
    Create saml/idp/certificate/certificate
    Create saml/idp/entityID
    Create ucs/server/sso/fqdn
    File: /etc/stunnel/univention_saml.conf
    File: /etc/apache2/sites-available/univention-saml.conf
    Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
    File: /etc/apache2/sites-available/univention-proxy.conf
    chown: ungültige Gruppe: „root:DC Backup Hosts“
    Creating SAML user
    Make SAML user a system user
    Multifile: /etc/simplesamlphp/authsources.php
    Creating certificate: ucs-sso.****.intranet
    Generating RSA private key, 2048 bit long modulus
    ...........................................+++++
    .....+++++
    unable to write 'random state'
    e is 65537 (0x010001)
    Using configuration from /etc/univention/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'****'
    stateOrProvinceName :PRINTABLE:'****'
    localityName :PRINTABLE:'****'
    organizationName :PRINTABLE:'****'
    organizationalUnitName:PRINTABLE:'Univention Corporate Server'
    commonName :PRINTABLE:'ucs-sso.****.intranet'
    emailAddress :IA5STRING:'ssl@****.intranet'
    Certificate is to be certified until Mar 19 22:35:00 2025 GMT (1825 days)
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    File: /etc/apache2/sites-available/univention-saml.conf
    Adding A record "ucs-sso ****" to zone ****.intranet... done
    20.03.20 23:35:00.682 DEBUG_INIT
    Object created: uid=ucs-sso,cn=users,dc=****,dc=intranet
    modifying entry "uid=ucs-sso,cn=users,dc=****,dc=intranet"
    chown: ungültige Gruppe: „samlcgi:DC Backup Hosts“
    __JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/98univention-samba4-saml-kerberos.inst
    Configure 98univention-samba4-saml-kerberos.inst Fri Mar 20 23:40:43 CET 2020
    2020-03-20 23:40:43.298910840+01:00 (in joinscript_init)
    Waiting for user replication...
    Expiry for user 'ucs-sso' disabled.
    Added 1 records successfully
    Changed password OK
    chown: ungültige Gruppe: „samlcgi:DC Backup Hosts“
    __JOINERR__:FAILED: /usr/lib/univention-install/98univention-samba4-saml-kerberos.inst
Role: domaincontroller_master
Reported again: Version: 4.4-4 errata579 (Blumenthal) chown: ungültige Gruppe: „samlcgi:DC Backup Hosts“ __JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst Role: domaincontroller_master
reported again: Version: 4.2-4 errata418 (Lesum) Remark: Install additional Backup DC and during installation this error occurs. The iso is 4.2-4. Role: domaincontroller_backup
reported again: Version: 4.4-6 errata776 (Blumenthal) Remark: On AsRock MiniDesk A300 with 3400G CPU, 32 GByte RAM and 500 GByte NVME
Version: 4.4-7 errata829 (Blumenthal)
Error:
    Domäneneinrichtung (Dies kann einige Zeit dauern): Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- FAILED: 91univention-saml.inst
    Configure 91univention-saml.inst Mon Mar 15 19:15:50 CET 2021
    2021-03-15 19:15:50.797960262+01:00 (in joinscript_init)
    Create saml/idp/certificate/privatekey
    Create saml/idp/certificate/certificate
    Create saml/idp/entityID
    Create ucs/server/sso/fqdn
    File: /etc/stunnel/univention_saml.conf
    File: /etc/apache2/sites-available/univention.conf
    Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
    File: /etc/apache2/sites-available/univention-saml.conf
    File: /etc/apache2/sites-available/univention-portal.conf
    File: /etc/apache2/sites-available/univention-proxy.conf
    Could not chdir to home directory /dev/null: Not a directory
    Successfully downloaded the sys-idp-user credential file
    Multifile: /etc/simplesamlphp/authsources.php
    Could not chdir to home directory /dev/null: Not a directory
    scp: /etc/univention/ssl/ucs-sso.****: No such file or directory
    __JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
    **************************************************************************
    * Join failed! *
    * Contact your system administrator *
    **************************************************************************
    * Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- FAILED: 91univention-saml.inst
    **************************************************************************
Role: domaincontroller_backup
Version: 5.0-1 errata174
Error:
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/05univention-bind.inst
    Configure 05univention-bind.inst Thu Dec 16 13:54:59 CET 2021
    2021-12-16 13:54:59.215318635+01:00 (in joinscript_init)
    Failed creating the DNS zone ****.**.\nCommand failed with 1:\nE: failed nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
    Adding ZONE record "root@****.**. 1 28800 7200 604800 10800 ucs.****.**." to zone ****.**...
    Traceback (most recent call last):
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 452, in <module>
        main()
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 433, in main
        add_zone(*args)
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 391, in add_zone
        zone['nameserver'] = list(nameserver)
      File "%PY3%/univention/admin/handlers/__init__.py", line 421, in __setitem__
        raise univention.admin.uexceptions.valueInvalidSyntax("%s: %s" % (key, err), property=key)
    univention.admin.uexceptions.valueInvalidSyntax: nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
    __JOINERR__:FAILED: /usr/lib/univention-install/05univention-bind.inst
    05univention-bind.inst: Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/15univention-heimdal-kdc.inst
    Configure 15univention-heimdal-kdc.inst Thu Dec 16 13:55:49 CET 2021
    2021-12-16 13:55:49.785218889+01:00 (in joinscript_init)
    /etc/machine.secret: No such file or directory
    E: Zone ****.** does not exist.
    __JOINERR__:FAILED: /usr/lib/univention-install/15univention-heimdal-kdc.inst
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/20univention-directory-policy.inst
    Configure 20univention-directory-policy.inst Thu Dec 16 13:55:51 CET 2021
    2021-12-16 13:55:51.555771651+01:00 (in joinscript_init)
    usage: nfsmounts [-h] [-s] [-v]
    nfsmounts: error: ldap/hostdn is not set.
    run-parts: /usr/lib/univention-directory-policy/nfsmounts exited with return code 2
    usage: univention-policy-update-config-registry [-h] [-a] [-s] [-v] [-l SERVER] [-y PASSWORD_FILE] [hostdn]
    univention-policy-update-config-registry: error: argument -y/--password-file: can't open '/etc/machine.secret': [Errno 2] No such file or directory: '/etc/machine.secret'
    run-parts: /usr/lib/univention-directory-policy/univention-policy-update-config-registry exited with return code 2
    __JOINERR__:FAILED: /usr/lib/univention-install/20univention-directory-policy.inst
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/20univention-ldap-config-master.inst
    Configure 20univention-ldap-config-master.inst Thu Dec 16 13:56:08 CET 2021
    2021-12-16 13:56:08.407106233+01:00 (in joinscript_init)
    Traceback (most recent call last):
      File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 213, in doit
        output = univention.admincli.admin.doit(arglist)
      File "%PY3%/univention/admincli/admin.py", line 380, in doit
        out = _doit(arglist)
      File "%PY3%/univention/admincli/admin.py", line 649, in _doit
        out.extend(cli.create(input, append, ignore_exists, parsed_options, parsed_append_options, parsed_remove_options, policy_reference))
      File "%PY3%/univention/admincli/admin.py", line 677, in create
        return self._create(self.module_name, self.module, self.dn, self.lo, self.position, self.superordinate, *args, **kwargs)
      File "%PY3%/univention/admincli/admin.py", line 713, in _create
        out.extend(object_input(module, object, input, append=append))
      File "%PY3%/univention/admincli/admin.py", line 351, in object_input
        object[key] = value
      File "%PY3%/univention/admin/handlers/__init__.py", line 434, in __setitem__
        p = s.parse(value)
      File "%PY3%/univention/admin/syntax.py", line 297, in parse
        return super(combobox, cls).parse(text) or text
      File "%PY3%/univention/admin/syntax.py", line 278, in parse
        choices = getattr(self, "choices")
      File "%PY3%/univention/admin/syntax.py", line 3043, in choices
        return cls._auto_choices()
      File "%PY3%/univention/admin/syntax.py", line 3064, in _auto_choices
        conn = getMachineConnection()
      File "%PY3%/univention/uldap.py", line 168, in getMachineConnection
        bindpw = open(secret_file).read().rstrip('\n')
    FileNotFoundError: [Errno 2] No such file or directory: '/etc/machine.secret'
    __JOINERR__:FAILED: /usr/lib/univention-install/20univention-ldap-config-master.inst
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/30univention-nagios-client.inst
    Configure 30univention-nagios-client.inst Thu Dec 16 13:59:25 CET 2021
    2021-12-16 13:59:25.735538644+01:00 (in joinscript_init)
    File: /etc/nagios/nrpe.cfg
    E: DN is missing
    __JOINERR__:FAILED: /usr/lib/univention-install/30univention-nagios-client.inst
    Domäneneinrichtung (Dies kann einige Zeit dauern): FAILED: /usr/lib/univention-install/91univention-saml.inst
    Configure 91univention-saml.inst Thu Dec 16 14:24:54 CET 2021
    2021-12-16 14:24:54.884173313+01:00 (in joinscript_init)
    Create saml/idp/certificate/privatekey
    Create saml/idp/certificate/certificate
    Create saml/idp/entityID
    Create ucs/server/sso/fqdn
    File: /etc/apache2/sites-available/univention-portal.conf
    File: /etc/apache2/sites-available/univention-saml.conf
    Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
    File: /etc/apache2/sso-vhost.conf.d/01redirect.conf
    File: /etc/apache2/sites-available/univention.conf
    File: /etc/stunnel/univention_saml.conf
    chown: ungültige Gruppe: „root:DC Backup Hosts“
    Creating SAML user
    Make SAML user a system user
    Multifile: /etc/simplesamlphp/authsources.php
    Creating certificate: ucs-sso.****.**
    /etc/machine.secret: No such file or directory
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..+++++
    .....................................................................................................................................................................+++++
    e is 65537 (0x010001)
    Using configuration from /etc/univention/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'DE'
    stateOrProvinceName :PRINTABLE:'DE'
    localityName :PRINTABLE:'DE'
    organizationName :PRINTABLE:'****'
    organizationalUnitName:PRINTABLE:'Univention Corporate Server'
    commonName :PRINTABLE:'ucs-sso.****.**'
    emailAddress :IA5STRING:'****@****'
    Certificate is to be certified until Dec 15 13:25:01 2026 GMT (1825 days)
    Write out database with 1 new entries
    Data Base Updated
    File: /etc/apache2/sites-available/univention-saml.conf
    E: Zone ****.** does not exist.
    __JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
Role: domaincontroller_master
reported again: 2022041021000091 traceback: Comment 16 Version: 5.0-1 errata174
2022061221000207
Version: 5.0-1 errata336
Error:
    Domain setup (this might take a while): FAILED: /usr/lib/univention-install/05univention-bind.inst
    Configure 05univention-bind.inst Sun Jun 12 00:00:26 CST 2022
    2022-06-12 00:00:26.223280666+08:00 (in joinscript_init)
    Failed creating the DNS zone ***.**.\nCommand failed with 1:\nE: failed nameserver: A hostname or any part of a FQDN, separated by dots, starts and ends with a letter or a digit. In between letters, digits, dashes and underscores are allowed. Only numbers are not allowed.
    Adding ZONE record "***.**. 1 28800 7200 604800 10800 ***.**." to zone ***.**...
    Traceback (most recent call last):
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 452, in <module>
        main()
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 433, in main
        add_zone(*args)
      File "/usr/share/univention-admin-tools/univention-dnsedit", line 391, in add_zone
        zone['nameserver'] = list(nameserver)
      File "%PY3%/univention/admin/handlers/__init__.py", line 423, in __setitem__
        raise univention.admin.uexceptions.valueInvalidSyntax("%s: %s" % (key, err), property=key)
    univention.admin.uexceptions.valueInvalidSyntax: nameserver: A hostname or any part of a FQDN, separated by dots, starts and ends with a letter or a digit. In between letters, digits, dashes and underscores are allowed. Only numbers are not allowed.
    __JOINERR__:FAILED: /usr/lib/univention-install/05univention-bind.inst
    05univention-bind.inst: Domain setup (this might take a while): FAILED: /usr/lib/univention-install/15univention-heimdal-kdc.inst
    Configure 15univention-heimdal-kdc.inst Sun Jun 12 00:00:58 CST 2022
    2022-06-12 00:00:58.143005672+08:00 (in joinscript_init)
    /etc/machine.secret: No such file or directory
    E: Zone ***.** does not exist.
    __JOINERR__:FAILED: /usr/lib/univention-install/15univention-heimdal-kdc.inst
    Domain setup (this might take a while): FAILED: /usr/lib/univention-install/20univention-directory-policy.inst
    Configure 20univention-directory-policy.inst Sun Jun 12 00:00:59 CST 2022
    2022-06-12 00:00:59.840205436+08:00 (in joinscript_init)
    usage: nfsmounts [-h] [-s] [-v]
    nfsmounts: error: ldap/hostdn is not set.
    run-parts: /usr/lib/univention-directory-policy/nfsmounts exited with return code 2
    usage: univention-policy-update-config-registry [-h] [-a] [-s] [-v] [-l SERVER] [-y PASSWORD_FILE] [hostdn]
    univention-policy-update-config-registry: error: argument -y/--password-file: can't open '/etc/machine.secret': [Errno 2] No such file or directory: '/etc/machine.secret'
    run-parts: /usr/lib/univention-directory-policy/univention-policy-update-config-registry exited with return code 2
    __JOINERR__:FAILED: /usr/lib/univention-install/20univention-directory-policy.inst
    Domain setup (this might take a while): FAILED: /usr/lib/univention-install/20univention-ldap-config-master.inst
    Configure 20univention-ldap-config-master.inst Sun Jun 12 00:01:07 CST 2022
    2022-06-12 00:01:07.984520990+08:00 (in joinscript_init)
    Traceback (most recent call last):
      File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 213, in doit
        output = univention.admincli.admin.doit(arglist)
      File "%PY3%/univention/admincli/admin.py", line 365, in doit
        out = _doit(arglist)
      File "%PY3%/univention/admincli/admin.py", line 640, in _doit
        out.extend(cli.create(input, append, ignore_exists, parsed_options, parsed_append_options, parsed_remove_options, policy_reference))
      File "%PY3%/univention/admincli/admin.py", line 668, in create
        return self._create(self.module_name, self.module, self.dn, self.lo, self.position, self.superordinate, *args, **kwargs)
      File "%PY3%/univention/admincli/admin.py", line 704, in _create
        out.extend(object_input(module, object, input, append=append))
      File "%PY3%/univention/admincli/admin.py", line 347, in object_input
        object[key] = value
      File "%PY3%/univention/admin/handlers/__init__.py", line 436, in __setitem__
        p = s.parse(value)
      File "%PY3%/univention/admin/syntax.py", line 523, in parse
        return super(combobox, cls).parse(text) or text
      File "%PY3%/univention/admin/syntax.py", line 467, in parse
        choices = getattr(self, "choices")
      File "%PY3%/univention/admin/syntax.py", line 3675, in choices
        return cls._auto_choices()
      File "%PY3%/univention/admin/syntax.py", line 3696, in _auto_choices
        conn = getMachineConnection()
      File "%PY3%/univention/uldap.py", line 168, in getMachineConnection
        bindpw = open(secret_file).read().rstrip('\n')
    FileNotFoundError: [Errno 2] No such file or directory: '/etc/machine.secret'
    __JOINERR__:FAILED: /usr/lib/univention-install/20univention-ldap-config-master.inst
    Domain setup (this might take a while): FAILED: /usr/lib/univention-install/30univention-nagios-client.inst
    Configure 30univention-nagios-client.inst Sun Jun 12 00:04:19 CST 2022
    2022-06-12 00:04:19.664271380+08:00 (in joinscript_init)
    File: /etc/nagios/nrpe.cfg
    E: DN is missing
    __JOINERR__:FAILED: /usr/lib/univention-install/30univention-nagios-client.inst
    Domain setup (this might take a while): FAILED: /usr/lib/univention-install/91univention-saml.inst
    Configure 91univention-saml.inst Sun Jun 12 00:28:48 CST 2022
    2022-06-12 00:28:49.195632016+08:00 (in joinscript_init)
    Create saml/idp/certificate/privatekey
    Create saml/idp/certificate/certificate
    Create saml/idp/entityID
    Create ucs/server/sso/fqdn
    File: /etc/apache2/sites-available/univention-saml.conf
    Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
    File: /etc/apache2/sites-available/univention.conf
    File: /etc/stunnel/univention_saml.conf
    File: /etc/apache2/sso-vhost.conf.d/01redirect.conf
    File: /etc/apache2/sites-available/univention-portal.conf
    chown: invalid group: ‘root:DC Backup Hosts’
    Creating SAML user
    Make SAML user a system user
    Multifile: /etc/simplesamlphp/authsources.php
    File: /etc/apache2/sites-available/univention-saml.conf
    E: Zone ***.** does not exist.
    __JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
Role: domaincontroller_master
The fix adds a debug trace to the joinscript 91univention-saml.inst for unsuccessful executions.

Package built:
Package: univention-saml
Version: 7.0.5-3A~5.0.0.202207061238
Branch: ucs_5.0-0
Scope: errata5.0-2

Commits:
ee322fbb0e20 | fixup! Bug #44669: changelog and advisory
226af9021f98 | Bug #44669: changelog and advisory
74b52e4b3d7a | Bug #44669: Add debug log to 91univention-saml.inst
Verified:
* Debugging code functionality
* Feature branch merged to 5.0-2
* Advisory
* Package built and installable
* No documentation update needed

Note: Since this change only adjusts the behavior of the joinscript, we didn't increase the joinscript version, and univention-saml is installed by default on UCS Primary and Backup Directory Nodes, the new debug code will usually only become active once we build and release new ISO images (e.g. for 5.0-3). The debugging code will of course also become active if people rejoin a system.
<https://errata.software-univention.de/#/?erratum=5.0x354>