Bug 53963 - Veyon certificate has the same name on each schoolslave
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Veyon
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v9-errata
Assigned To: Daniel Tröder
QA Contact: Ole Schwiegert
Reported: 2021-10-20 11:43 CEST by Christina Scheinig
Modified: 2021-10-25 14:20 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
School Customer affected?: Yes
Ticket number: 2021101121000301
Description Christina Scheinig univentionstaff 2021-10-20 11:43:11 CEST
If the certificate always has the same name (veyon-cert.pem) on the school slave, and the certificate is stored in the sysvol directory, it is overwritten by a newer slave installation's certificate.

Afaik the default of sysvol replication is to replicate to all slaves and back to master.

The school manual says to use the certificate from sysvol.

With italc, the certificate was individualized:
-r--r--r--  1 root          root            590 Mär 31  2021 italc-key.pub
lrwxrwxrwx  1 root          root             13 Mär 31  2021 italc-key.pub.key.txt -> italc-key.pub
-r--r--r--  1 root          root            590 Mär 31  2021 italc-key_slave-02.pub
lrwxrwxrwx  1 root          root             22 Mär 31  2021 italc-key_slave-02.pub.key.txt -> italc-key_slave-02.pub
-rw-r--r--  1 root          root            800 Apr 27 17:03 veyon-cert.pem
Comment 1 Christina Scheinig univentionstaff 2021-10-21 09:42:42 CEST
The impact is that Veyon is not usable. You may install the certificate from the netlogon path, but this does not seem to be the solution or workaround for all environments if the netlogon is linked to the sysvol (ucrv samba/share/netlogon/path).
Comment 2 Daniel Tröder univentionstaff 2021-10-21 17:23:21 CEST
Fixed in:

[4.4 888cd24ee] Bug #53963: add hostname to veyon certificate file name
[4.4 e7ac4a9d6] Bug #53963: advisory update

ucs-school-veyon-windows (4.5.2.0-2)


[5.0 dc946f6aa] Bug #53963: add hostname to veyon certificate file name

ucs-school-veyon-windows (4.5.2.0-ucs5.0-1)

--------------------------------------------------------------------

The raised join script version will result in new certificate files.
Before:

ls -1 /var/lib/samba/sysvol/uni.dtr/scripts/veyon* /var/lib/samba/netlogon/veyon/veyon-cert*

/var/lib/samba/netlogon/veyon/veyon-cert.pem
/var/lib/samba/sysvol/uni.dtr/scripts/veyon-cert.pem


After update (and u..-run-join-s..):

# ls -1 /var/lib/samba/sysvol/uni.dtr/scripts/veyon* /var/lib/samba/netlogon/veyon/veyon-cert*

/var/lib/samba/netlogon/veyon/veyon-cert.pem
/var/lib/samba/netlogon/veyon/veyon-cert_s44edu.pem
/var/lib/samba/sysvol/uni.dtr/scripts/veyon-cert.pem
/var/lib/samba/sysvol/uni.dtr/scripts/veyon-cert_s44edu.pem
Comment 4 Ole Schwiegert univentionstaff 2021-10-25 10:01:25 CEST
Looks good to me in 4.4 and 5.0

Old cert still exists
New certs are created
Comment 5 Tobias Wenzel univentionstaff 2021-10-25 14:20:25 CEST
Errata updates for UCS@school 4.4 v9 have been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v9-de.html

If this error occurs again, please clone this bug.
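
A check for the overwrite described in this report and for the per-host file name introduced by the fix, as an added example that is not part of the bug thread or of UCS@school. The function names are hypothetical, the directories and host name are passed as arguments, and it assumes the netlogon directory is local to the server rather than linked to sysvol.

```shell
#!/bin/sh
# Added example, not UCS@school code. Assumption: the netlogon directory is
# local to this server (not linked to sysvol), so it holds this server's own
# certificate, while sysvol is replicated between servers.

# File name carrying the host name, as in the "After update" listing.
veyon_cert_name() {
    printf 'veyon-cert_%s.pem\n' "$1"
}

# Succeeds when the shared-name file in sysvol no longer matches the local
# copy, i.e. replication delivered another server's veyon-cert.pem.
shared_cert_overwritten() {
    netlogon_dir=$1; sysvol_dir=$2
    [ -f "$netlogon_dir/veyon-cert.pem" ] || return 1
    [ -f "$sysvol_dir/veyon-cert.pem" ] || return 1
    ! cmp -s "$netlogon_dir/veyon-cert.pem" "$sysvol_dir/veyon-cert.pem"
}

# Succeeds when the per-host file exists in both places with equal content.
per_host_cert_ok() {
    netlogon_dir=$1; sysvol_dir=$2; name=$(veyon_cert_name "$3")
    [ -f "$netlogon_dir/$name" ] && [ -f "$sysvol_dir/$name" ] &&
        cmp -s "$netlogon_dir/$name" "$sysvol_dir/$name"
}

# Usage: check_veyon_certs NETLOGON_DIR SYSVOL_SCRIPTS_DIR HOSTNAME
check_veyon_certs() {
    rc=0
    if shared_cert_overwritten "$1" "$2"; then
        echo "WARN: $2/veyon-cert.pem differs from the local copy"
    fi
    if per_host_cert_ok "$1" "$2" "$3"; then
        echo "OK: $(veyon_cert_name "$3") present and consistent"
    else
        echo "FAIL: $(veyon_cert_name "$3") missing or inconsistent"
        rc=1
    fi
    return $rc
}

# Run the check only when all three arguments are given.
if [ "$#" -eq 3 ]; then check_veyon_certs "$1" "$2" "$3"; fi
```

If netlogon is linked to sysvol, as mentioned in comment 1, both paths are the same file and the shared-name comparison cannot detect an overwrite.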