Bug 39920 - Domain join of slave/backup/member fails in ipv6-dualstack configuration
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
P5 normal
UCS 4.1-0-errata
Assigned To: Florian Best
Sönke Schwardt-Krummrich
Reported: 2015-11-12 17:37 CET by Julian Hupertz
Modified: 2016-04-06 19:06 CEST

Bug group (optional): IPv6, SAML
Attachments
syslog (6.32 KB, text/plain)
2015-12-11 11:45 CET, Bastian Reitemeier
Description Julian Hupertz univentionstaff 2015-11-12 17:37:36 CET
See here: http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv%20%28IPv6%29/SystemrolleElse=slave6,SystemrolleMaster=master46/lastBuild/artifact/join.log

System configuration is a master with ipv4/ipv6 and a slave with ipv6, both using UCS-4.1.

As the join.log shows, after calling run_join_setup_on_non_master from utils.sh, which calls univention-run-join-scripts, installation of 92univention-management-console-web-server.inst fails while resolving the hostname ucs-sso.*.* because it uses an A-Record for resolving instead of the AAAA-Record.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-11-27 12:00:52 CET
This causes a failure of several ucs-test scripts in IPv6 environments if check_join_status is called:
Warning: 'univention-management-console-web-server' is not configured
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-11-27 12:01:48 CET
This also seems to break SAML on IPv6-only systems if the DC master is a dual-stack system.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-12-03 22:07:20 CET
(In reply to Sönke Schwardt-Krummrich from comment #1)
> Warning: 'univention-management-console-web-server' is not configured

Happened again on my private UCS system (DC Master with dual stack setup).
UMC constantly complains about missing join script.
Update 4.1-0 e0 to 4.1-0 e7 resulted in the following updater.log output:

Calling joinscript 92univention-management-console-web-server.inst ...
2015-12-03 21:55:33.678802514+01:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/umc/icon
Setting ucs/web/overview/entries/admin/umc/link
Setting ucs/web/overview/entries/admin/umc/link/de
Setting ucs/web/overview/entries/admin/umc/priority
File: /var/www/ucs-overview/entries.json
Setting ucs/web/overview/entries/admin/umc/label
Setting ucs/web/overview/entries/admin/umc/label/de
Setting ucs/web/overview/entries/admin/umc/description
Setting ucs/web/overview/entries/admin/umc/description/de
File: /var/www/ucs-overview/entries.json
Object exists: SAMLServiceProviderIdentifier=https://master.censored.domain/univention-management-console/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=censored,dc=domain
No modification: SAMLServiceProviderIdentifier=https://master.censored.domain/univention-management-console/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=censored,dc=domain
Not updating ucs/server/sso/fqdn
Reloading web server config: apache2.
Create umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
--2015-12-03 21:55:36--  https://ucs-sso.censored.domain/simplesamlphp/saml2/idp/metadata.php
Auflösen des Hostnamen »ucs-sso.censored.domain (ucs-sso.censored.domain)«... 111.222.333.444
Verbindungsaufbau zu ucs-sso.censored.domain (ucs-sso.censored.domain)|111.222.333.444|:443... verbunden.
GnuTLS: A TLS fatal alert has been received.
Es ist nicht möglich, eine SSL-Verbindung herzustellen.
Try to download idp metadata (2/60)

…

GnuTLS: A TLS fatal alert has been received.
Es ist nicht möglich, eine SSL-Verbindung herzustellen.
Try to download idp metadata (60/60)
--2015-12-03 21:56:50--  https://ucs-sso.censored.domain/simplesamlphp/saml2/idp/metadata.php
Auflösen des Hostnamen »ucs-sso.censored.domain (ucs-sso.censored.domain)«... 111.222.333.444
Verbindungsaufbau zu ucs-sso.censored.domain (ucs-sso.censored.domain)|111.222.333.444|:443... verbunden.
GnuTLS: A TLS fatal alert has been received.
Es ist nicht möglich, eine SSL-Verbindung herzustellen.
Reloading Univention Management Console Web Server.
done.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Could not download IDP metadata for https://ucs-sso.censored.domain/simplesamlphp/saml2/idp/metadata.php
Unsetting umc/saml/idp-server
Module: setup_saml_sp
Reloading Univention Management Console Web Server.
done.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Module: setup_saml_sp
Joinscript 92univention-management-console-web-server.inst finished with exitcode 3
Trigger für python-support werden verarbeitet ...
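
A triage helper for logs like the one in comment 3, added here as an example (it is not part of the original report or of Univention's code): it groups join-log lines per join script and records the retry count, the address family wget connected to, TLS alerts and the exit code. The sample log is constructed (documentation addresses, a hypothetical `99example.inst`), and the function names are assumptions.

```python
import ipaddress
import re

CALL = re.compile(r"^Calling joinscript (\S+) \.\.\.")
DONE = re.compile(r"^Joinscript (\S+) finished with exitcode (\d+)")
TRY = re.compile(r"^Try to download idp metadata \((\d+)/\d+\)")
PEER = re.compile(r"\|([0-9A-Fa-f:.]+)\|:\d+")  # wget prints "|addr|:port" in every locale

# Constructed sample modelled on comment 3; 99example.inst is hypothetical.
SAMPLE = """\
Calling joinscript 92univention-management-console-web-server.inst ...
Try to download idp metadata (1/60)
Verbindungsaufbau zu ucs-sso.example.test (ucs-sso.example.test)|192.0.2.10|:443... verbunden.
GnuTLS: A TLS fatal alert has been received.
Try to download idp metadata (2/60)
Verbindungsaufbau zu ucs-sso.example.test (ucs-sso.example.test)|111.222.333.444|:443... verbunden.
Joinscript 92univention-management-console-web-server.inst finished with exitcode 3
Calling joinscript 99example.inst ...
Connecting to ucs-sso.example.test (ucs-sso.example.test)|2001:db8::10|:443... connected.
Joinscript 99example.inst finished with exitcode 0
"""

def family(addr):
    try:
        return "IPv%d" % ipaddress.ip_address(addr).version
    except ValueError:
        return "unparsed"  # redacted or malformed address, as in the censored log

def blank():
    return {"attempts": 0, "families": set(), "tls_alerts": 0, "exitcode": None}

def summarize(log):
    scripts, cur = {}, None
    for line in log.splitlines():
        if m := CALL.match(line):
            cur = scripts.setdefault(m.group(1), blank())
        elif m := DONE.match(line):
            scripts.setdefault(m.group(1), blank())["exitcode"] = int(m.group(2))
            cur = None
        elif cur is not None:
            if m := TRY.match(line):
                cur["attempts"] = max(cur["attempts"], int(m.group(1)))
            elif m := PEER.search(line):
                cur["families"].add(family(m.group(1)))
            elif "TLS fatal alert" in line:
                cur["tls_alerts"] += 1
    return scripts

def failed(log):
    # A script that never logged an exit code (exitcode None) is reported too.
    return {n: s for n, s in summarize(log).items() if s["exitcode"] != 0}
```

An IPv6-only host whose failing script shows `IPv4` in `families` matches the symptom in the description; `unparsed` marks addresses that were redacted before the log was shared.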
Comment 4 Bastian Reitemeier univentionstaff 2015-12-11 11:45:40 CET
Created attachment 7363
syslog
Comment 5 Nico Stöckigt univentionstaff 2016-02-23 18:08:15 CET
looks like this also happened here: Ticket#2016012721000469
Comment 6 Stefan Gohmann univentionstaff 2016-02-23 20:03:33 CET
(In reply to Nico Stöckigt from comment #5)
> looks like this also happened here: Ticket#2016012721000469

Sure?
Comment 7 Florian Best univentionstaff 2016-02-25 11:23:16 CET
Bug #40658 fixed this.
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2016-03-18 12:09:31 CET
Julian reported that the join now works in IPv6 environments.
Comment 9 Julian Hupertz univentionstaff 2016-03-18 16:17:35 CET
*** Bug 39510 has been marked as a duplicate of this bug. ***
Comment 10 Janek Walkenhorst univentionstaff 2016-04-06 19:06:25 CEST
(In reply to Julian Hupertz from comment #9)
> *** Bug 39510 has been marked as a duplicate of this bug. ***
Erroneously, already taken back.