Bug 45515 - INVALID_CREDENTIALS: authentication failure: SAML assertion signature verification failure (error -111)
INVALID_CREDENTIALS: authentication failure: SAML assertion signature verific...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.3-0-errata
Assigned To: Dirk Wiesenthal
Jannik Ahlers
:
Depends on: 44704
Blocks: 47047
  Show dependency treegraph
 
Reported: 2017-10-12 20:12 CEST by Florian Best
Modified: 2018-06-06 16:16 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2018031721000061
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-10-12 20:12:13 CEST
Version: 4.2-2 errata189 (Lesum)

Remark: Open UCC setup after upgrade to 4.2.2-189 on UCS member server

Execution of command 'uccsetup/info/networks' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/uccsetup/__init__.py", line 58, in info_networks
    ldap_connection = util.get_ldap_connection()
  File "%PY2.7%/univention/management/console/modules/uccsetup/util.py", line 119, in get_ldap_connection
    _bind_callback(lo)
  File "%PY2.7%/univention/management/console/base.py", line 350, in bind_user_connection
    lo.lo.bind_saml(self._password)
  File "%PY2.7%/univention/uldap.py", line 175, in bind_saml
    self.lo.sasl_interactive_bind_s('', saml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: {'info': 'SASL(-13): authentication failure: SAML assertion signature verification failure (error -111)', 'desc': 'Invalid credentials'}
Comment 1 Michael Grandjean univentionstaff 2017-10-23 12:37:14 CEST
Aufgetreten beim Erstellen einer Arbeitsgruppe als Lehrer (oder Schuladmin) auf einem UCS@school Edu-Slave. Passiert nur bei vorheriger erfolgreicher Anmeldung mit SAML über ucs-sso. Bei "direkter" Anmeldung über die lokale UMC (bspw. forciert durch Verwendung der IP) funktioniert das Anlegen der Arbeitsgruppe. Ist nur den Lehrkräften nicht zumutbar.

# univention-app info
UCS: 4.2-2 errata203
App Center compatibility: 4
Installed: cups=1.7.5 dhcp-server=11.0.0 samba4=4.6 squid=3.4 ucsschool=4.2 v3 4.1/nextcloud=12.0.3-0
Upgradable: ucsschool


Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolgroups/__init__.py", line 54, in _decorated
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 123, in wrapper_func
    kwargs[USER_WRITE], po = get_user_connection(bind=__bind_callback, write=True)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 94, in get_user_connection
    return connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 140, in _decorated
    kwargs[loarg], kwargs[poarg] = lo, po = getter()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 130, in getter
    conn = connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 53, in connection
    bind(lo)
  File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 384, in bind_user_connection
    return super(SchoolBaseModule, self).bind_user_connection(lo)
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 353, in bind_user_connection
    lo.lo.bind_saml(self._password)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 175, in bind_saml
    self.lo.sasl_interactive_bind_s('', saml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: An error during LDAP authentication happened. Auth type: SAML; SAML message length: 10592; DN length: 65; Original Error: {'info': 'SASL(-13): authentication failure: SAML assertion signature verification failure (error -111)', 'desc': 'Invalid credentials'}
Comment 2 Florian Best univentionstaff 2017-10-23 13:55:10 CEST
I think there might be 2 reasons for this bug/traceback:

The SSL certificates on either the IDP side (1) or on the SP side (2) aren't recent (anymore).

The following files can help to analyze this:

1.
On all IDP Servers (= DC Master + DC Backups):
$ cat /etc/simplesamlphp/*-idp-certificate.crt

On the Service-Provider Server:
$ cat /usr/share/univention-management-console/saml/idp/*.xml

→ The certificates on these files should be identical.
Otherwise this could be fixed by removing /usr/share/univention-management-console/saml/idp/*.xml on the SP server and force-re-executing the joinscript 92univention-management-console-web-server.

2.
On all Service-Provider Servern the SSL-Certificates needs to be compared with them stored in LDAP:

$ cat /etc/univention/ssl/$(hostname -f)/cert.pem

$ univention-ldapsearch -LLL
"(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname
-f)/univention/saml/metadata))" serviceProviderMetadata  |
ldapsearch-wrapper | ldapsearch-decode64

→ If they don't match, it might help to execute:
/usr/share/univention-management-console/saml/update_metadata

See also Bug #40229 comment 7 if the root CA certificate was exchanged/renewed.
Comment 3 Michael Grandjean univentionstaff 2017-10-24 10:51:13 CEST
For the record:

I can confirm that in my case (Comment #1) Forian's first suggestion applied. 
The certificate in "/etc/simplesamlphp/*-idp-certificate.crt" on the UCS Master was different from:
- "/etc/simplesamlphp/*-idp-certificate.crt" on the UCS Backup
- "/usr/share/univention-management-console/saml/idp/*.xml" on all (UMC) Service Provider servers

So we had Certificate A as IdP certificate on the UCS Master but Certificate B everywhere else.

This was most probably a leftover of an incomplete renewal of the SSL certificate chain.

To resolve the issue I copied "/usr/share/univention-management-console/saml/idp/*.xml" from the UCS Backup to the UCS Master and forced "92univention-management-console-web-server". Deleting "/usr/share/univention-management-console/saml/idp/*.xml" as suggested did let the joinscript fail.
Comment 4 Florian Best univentionstaff 2017-11-17 17:46:55 CET
My idea for a solution of this bugfix is the following:
Instead of a traceback a regular error message is shown in the error.
Additionally a check for the diagnosis UMC module gets implemented which checks both variants from comment #2 and provides a link to https://help.univention.com/t/renewing-the-ssl-certificates/37 and a button which can resolve the problem.
Comment 5 Florian Best univentionstaff 2017-12-18 12:20:42 CET
There is a starting patch in branch fbest/45515-saml-certificate-verification-fails. But the "solve" buttons don't work on a DC Slave because I cannot execute joinscripts without credentials.
Comment 6 Johannes Keiser univentionstaff 2018-05-03 12:47:45 CEST
Reported again: Version: 4.2-3 errata312 (Lesum)
Comment 7 Dirk Wiesenthal univentionstaff 2018-05-23 13:19:29 CEST
Fixed in
  univention-management-console-module-diagnostic 4.0.0-29A~4.3.0.201805231241

I only used used the checks suggested in fbest/45515-saml-certificate-verification-fails. I got the join script to work, but I am not sure if this fixes the issue reliably. So there is no solution yet.
Comment 8 Jannik Ahlers univentionstaff 2018-06-05 10:08:20 CEST
I wasn't able to reproduce the tracebacks, so i couldn't check if a new error message gets shown.
OK: the diagnostic module correctly recognizes the error
FAIL: The diagnostic module neither provides a 'solve' button nor a link to the sdb article
-> reopened
Comment 9 Dirk Wiesenthal univentionstaff 2018-06-06 11:19:10 CEST
You are right, there is no solve button; the diagnose plugin only describes the problem. I am not sure how this problem emerges from some misconfiguration, and I do not want to add an automatic fix that does not work.

Instead I opened Bug#47047, which says that
  univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server
_may_ solve it.

This bug can be found by using the headline of the problem as the search term... Not ideal, but providing a "solve" button that may or may not work seems worse.
Comment 10 Jannik Ahlers univentionstaff 2018-06-06 11:32:19 CEST
OK: the diagnostic module correctly recognizes the error
OK: Translations
OK: Code

-> Verfified
Comment 11 Erik Damrose univentionstaff 2018-06-06 16:16:21 CEST
<http://errata.software-univention.de/ucs/4.3/100.html>