Univention Bugzilla – Bug 47250
stunnel4 does not start on slave, member, basesystem roles due to unknown user samlcgi
Last modified: 2019-03-15 22:19:28 CET
We have a patch againt stunnel4: 10_created_piddir.patch There, the /var/run/univention-saml directory is created if nonexistant, and the owner is changed to samlcgi. The issue is, that this user is only created by the univention-saml package, and as such is unknown on server roles slave, member, basesystem. The stunnel4 service can not be started. Workaround on affected systems: mkdir /var/run/univention-saml + service restart When removing the patch, the logic can be moved to the univention-saml package: saml/univention-saml/debian/univention-saml.service
This means, that stunnel4 can not be used on UCS Slaves and Memberservers, but is often needed in scenarios like this one: https://www.univention.de/2018/06/how-to-fuer-anbindung-von-webuntis-an-ucsschool-fuer-single-sign-on-anmeldungen/ The log entries when trying to start stunnel4 look like this on a system with german locales: > Jun 26 16:34:59 slave01 systemd[1]: Starting LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)... > Jun 26 16:34:59 slave01 stunnel4[10535]: Starting TLS tunnels:install: Ungültiger Anwender „samlcgi“ > Jun 26 16:34:59 slave01 systemd[1]: stunnel4.service: Control process exited, code=exited status=1 > Jun 26 16:34:59 slave01 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons). > Jun 26 16:34:59 slave01 systemd[1]: stunnel4.service: Unit entered failed state. > Jun 26 16:34:59 slave01 systemd[1]: stunnel4.service: Failed with result 'exit-code'.
This hit me again today. Please remove the patch for stunnel4 and move the logic to univention-saml.
I just want to emphasize: since /var/run/ is a tmpfs, /var/run/univention-saml needs to be created on every boot. So even if we apply the workaround from comment #0 this only works until the next reboot.
The creation of /var/run/univention-saml has been moved into the univention-saml package. The init script patch for stunnel4 has been removed. r18272: Bug #47250: Runtime directory is now created in the univention-saml package. [4.3-2 a8ec345196] Bug #47250: Create runtime directory for stunnel [4.3-2 65b55bd387] Bug #47250: Merge branch 'juern/bug47250' into 4.3-2 [4.3-2 ed848310f7] Bug #47250: YAML
Sorry I didn't need to delete the patch. The errata release has its own patch folder. r18274: Bug #47250: revert patch deletion (wrong folder)
OK: stunnel4 patch removed, package rebuild OK: stunnel4: installable and running on slave+member after package installation; no adaptions required. OK: /var/run/univention-saml created by u-saml package, with correct permissions OK: u-saml package update. Tunnel works after package update OK: no failing tests OK: yaml files stunnel4 + univention-saml Verified
<http://errata.software-univention.de/ucs/4.3/246.html> <http://errata.software-univention.de/ucs/4.3/247.html>