Univention Bugzilla – Bug 45560
SAML Traceback if DC Master time is not synchronized
Last modified: 2022-02-11 13:07:15 CET
My DC Slave uses the current time. My DC Master still thinks it is yesterday. Logging in on the slave shows:
Interner Server-Fehler. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1145, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1155, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1272, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 776, in _assertion
    self.authn_statement_ok()
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 542, in authn_statement_ok
    self.timeslack):
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 86, in validate_on_or_after
    (nooa, now))
Exception: Can't use it, it's too old 1508282811 > 1508327729
We should upgrade to a newer version of python-saml2. Then the exception changed into ResponseLifetimeExceed and we can handle it.
Version: 4.2-2 errata216 (Lesum)
Internal server error. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1145, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1155, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1272, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 575, in condition_ok
    conditions.not_on_or_after, self.timeslack)
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 86, in validate_on_or_after
    (nooa, now))
Exception: Can't use it, it's too old 1510243624 > 1510243774
*** Bug 45866 has been marked as a duplicate of this bug. ***
UCS Technical training 2017-12-1[23] And today on laiva
Interner Server-Fehler. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1161, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1171, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1288, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 577, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 97, in validate_before
    raise Exception("Can't use it yet %d <= %d" % (nbefore, now))
Exception: Can't use it yet 1520485621 <= 1520485592
simplesamlphp (our IdP) subtracts 30 sec from its server time. That means the slave's time can't be more than 30 sec in the past, otherwise saml fails. In the other direction the slave's time can be 5 min into the future. The umc (the SP in this case) can be configured to allow a bit more room by setting accepted_time_diff in univention-management-console/usr/share/univention-management-console/saml/sp.py. 30 sec feels quite strict. But in any case we should throw a more meaningful error message (Adjust the server time).
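The validity window described in the comment above, as an added example that is not part of the bug report or of UCS/pysaml2 code: it reads the two exception messages seen in the tracebacks on this page and models how much slack (accepted_time_diff) a given clock skew would need. The function names and the two window constants are assumptions taken from the figures in that comment, and the slack is assumed to be applied in seconds to both ends of the window.

```python
import re

# Message formats copied from the tracebacks on this page: (label, pattern).
PATTERNS = [
    ("not_yet_valid", re.compile(r"Can't use it yet (\d+) <= (\d+)")),
    ("expired", re.compile(r"Can't use it, it's too old (\d+) > (\d+)")),
]

# Figures from the comment above, relative to the IdP clock (assumed model).
NOT_BEFORE = -30        # IdP subtracts 30 s from its own time
NOT_ON_OR_AFTER = 300   # SP clock may be up to 5 min ahead


def diagnose(message):
    """Return (kind, seconds past the limit) or None if no message matches.

    Both messages print the assertion limit first and the SP's "now" second.
    """
    for kind, pattern in PATTERNS:
        m = pattern.search(message)
        if m:
            limit, now = int(m.group(1)), int(m.group(2))
            return kind, abs(now - limit)
    return None


def accepts(skew, slack=0):
    """Model of the check: skew = SP clock minus IdP clock, in seconds.

    slack stands for accepted_time_diff and widens both ends of the window.
    """
    return NOT_BEFORE <= skew + slack and skew <= NOT_ON_OR_AFTER + slack


def min_slack(skew):
    """Smallest slack (seconds) with which the model accepts this skew."""
    return max(0, NOT_BEFORE - skew, skew - NOT_ON_OR_AFTER)
```

A larger slack also lengthens the time during which an already issued assertion is still accepted, so synchronising the clocks remains the primary fix.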
Interner Server-Fehler. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1184, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1194, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1314, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 575, in condition_ok
    conditions.not_on_or_after, self.timeslack)
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 86, in validate_on_or_after
    (nooa, now))
Exception: Can't use it, it's too old 1539099963 > 1539100270
See also Bug #27728 and Bug #23266
Again: UCS technical training 2018-11-29
Reported again: Version: 4.3-3 errata390 (Neustadt)
Internal server error. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1184, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1194, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1314, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 577, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 97, in validate_before
    raise Exception("Can't use it yet %d <= %d" % (nbefore, now))
Exception: Can't use it yet 1546901080 <= 1546901055
Role: domaincontroller_slave
Reported again: Version: 4.3-3 errata456 (Neustadt) - UCS@school 4.3 v6 Traceback: Same as comment #11
Reported again: Version: 4.4-0 errata5 (Blumenthal) Traceback: Same as Comment #11 Role: domaincontroller_backup
Reported again: Version: 4.3-3, UCS@school 4.3 Two different Tracebacks at Ticket#2019040321000994 (one is similar to #1, the other is similar to #6) The environment is virtualized via HyperV.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
reported again Version: 4.4-3 errata427 (Blumenthal)
Traceback(d41d8cd98f00b204e9800998ecf8427e):
Internal server error. The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1155, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1165, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1285, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python2.7/dist-packages/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.7/dist-packages/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.7/dist-packages/saml2/response.py", line 577, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "/usr/lib/python2.7/dist-packages/saml2/validate.py", line 97, in validate_before
    raise Exception("Can't use it yet %d <= %d" % (nbefore, now))
Exception: Can't use it yet 1580111685 <= 1580111668
Role: domaincontroller_master
This has been fixed in UCS 5.0 in git:6247389ecdaf818985737d764d018aa0b692066f. In UCS 4 the python-pysaml2 version is too old to fix it.
Reported again: Version: 4.4-8 errata1043 (Blumenthal)
Error:
Traceback (most recent call last):
  File "%PY2.7%/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "%PY2.7%/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "%PY2.7%/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1221, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1229, in attribute_consuming_service
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1350, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "%PY2.7%/saml2/client_base.py", line 580, in parse_authn_request_response
    binding, **kwargs)
  File "%PY2.7%/saml2/entity.py", line 1087, in _parse_response
    response = response.verify(keys)
  File "%PY2.7%/saml2/response.py", line 975, in verify
    if self.parse_assertion(keys):
  File "%PY2.7%/saml2/response.py", line 895, in parse_assertion
    if not self._assertion(assertion, False):
  File "%PY2.7%/saml2/response.py", line 780, in _assertion
    if not self.condition_ok():
  File "%PY2.7%/saml2/response.py", line 577, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "%PY2.7%/saml2/validate.py", line 97, in validate_before
    raise Exception("Can't use it yet %d <= %d" % (nbefore, now))
Exception: Can't use it yet 1633696159 <= 1633696074
*** Bug 54401 has been marked as a duplicate of this bug. ***