Update to 2.0.8194-1 stable: Can't create conferences no more

keithbayer · January 12, 2023, 6:36pm

I got a server installed last week with last weeks stable, secure domain enabled. Today I did apt update/ apt upgrade (ubuntu22), and since then no login in order to open a room seems to work. It feels like my login is invalid.

prosody.log says

|Jan 12 18:10:32 mod_bosh|info|New BOSH session, assigned it sid 'a90127e1-af77-4cbd-923a-b335bd1fc2e9'|
|Jan 12 18:10:33 bosha90127e1-af77-4cbd-923a-b335bd1fc2e9|info|Authenticated as keith@[server]

… and that’s it. No entry in prosody.err.

jicofo.log says

Jicofo 2023-01-12 18:13:15.207 INFO: [42] ConferenceIqHandler.handleConferenceIq#69: Focus request for room: availableknocksresignlow@conference.[server]

… so it just seems to wait for the conference to be opened.
Nothing in jvb.log, up and running.

When deleting “Secure Domain” features, to make it a public server without any authentication, after clicking “Join Meeting” the button turns grey and stays grey.

From the default prosody template I just noticed that “authentication=anonymous” seems to have been changed into “authentication=jitsi-anonymous” , but playing around with that doesn’t solve the problem.

From the Firefox browser console:

2023-01-12T18:31:03.750Z [connection.js] CONNECTION FAILED: connection.passwordRequired

I can’t find a connection.js on the server…

So I wonder, where should I start to look… Something must have been changed dramatically between those two versions that causes this behaviour, any hints?

emrah · January 12, 2023, 7:59pm

Did you disable anonymousdomain in config.js when switching to jitsi-anonymous in prosody?

emrah · January 12, 2023, 8:32pm

I can confirm that secure domain doesn’t work for the latest stable.

Missing mandatory attribute 'machine-uid' error in the browser console. It seems related with jicofo

@saghul @damencho

damencho · January 12, 2023, 10:25pm

Hey @emrah will you be able to test the unstable once we merge chore(deps) lib-jitsi-meet@latest by damencho · Pull Request #12776 · jitsi/jitsi-meet · GitHub? Thanks

emrah · January 13, 2023, 8:51am

Yep, it is working after this commit

I built it using the current master of jitsi-meet and lib-jitsi-meet

VictorAE · January 13, 2023, 12:06pm

What is the easiest way to make these changes on a production server? Everyone who uses ldap + anonymous access has problems, is it possible to quickly release with critical fixes?

damencho · January 13, 2023, 12:33pm

Thanks @emrah for confirming. The stable is being updates now.

@VictorAE update from stable again.

VictorAE · January 13, 2023, 12:48pm

works, thank you

keithbayer · January 13, 2023, 1:13pm

Now everything works again smooth and nice! Thanks a lot !
One more question regarding this update and “Secure Domain”:

Handbook says to add this to
/etc/jitsi/jicofo/jicofo.conf

 authentication: {
   enabled: true
  type: XMPP
  login-url: "[Server]"
 }

But in my case “Secure Domain” works even without that entry. Can this be?

In /etc/jitsi/jicofo/sip-communicator.properties I still have the entry

org.jitsi.jicofo.auth.URL=XMPP:[SERVER]

… which I learned of some time ago, but is not documented anymore.

emrah · January 13, 2023, 1:21pm

Both are the same but the last one is old format and not recommended. It probably won’t be supported at some point.

olivluca · January 13, 2023, 1:53pm

Would this also affect shibboleth authentication?

This morning I found that the upgrade (debian 11/bullseye) to these packages:

2023-01-13 06:36:09 upgrade jitsi-videobridge2:all 2.2-63-g252d14bc-1 2.2-67-gc7f2b2d5-1
2023-01-13 06:36:17 upgrade jitsi-meet:all 2.0.8138-1 2.0.8194-1
2023-01-13 06:36:18 upgrade jicofo:all 1.0-968-1 1.0-977-1
2023-01-13 06:36:21 upgrade jitsi-meet-web:all 1.0.6854-1 1.0.6897-1
2023-01-13 06:36:23 upgrade jitsi-meet-web-config:all 1.0.6854-1 1.0.6897-1
2023-01-13 06:36:24 upgrade jitsi-meet-prosody:all 1.0.6854-1 1.0.6897-1

would break the authentication.

I reverted to old packages and now the authentication works.

cy8aer · January 13, 2023, 2:06pm

Yep there is a jitsi-meet 2.0.8218 out now where the bug should be fixed.

olivluca · January 13, 2023, 3:02pm

nope, just upgraded to jitsi-meet 2.0.8218 and shibbooleth doesn’t work.

Edit: actually, the problem is not jitsi-meet 2.0.8218 (I still have that installed) but one of the other packages (which I reverted)

cy8aer · January 13, 2023, 3:15pm

I thought jitsi-meet is a bundle package, so I meant all packages bundled with this version. Hope that is not disinterpreted.

olivluca · January 13, 2023, 3:17pm

Well, I just did an “apt upgrade” and it broke the authentication.
These are the packages currently upgradable

jicofo/stable 1.0-980-1 all [upgradable from: 1.0-967-1]
jitsi-meet-prosody/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-meet-web-config/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-meet-web/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-videobridge2/stable 2.2-67-gc7f2b2d5-1 all [upgradable from: 2.2-61-g98c9f868-1]

D1eter · January 16, 2023, 9:56pm

I’m also using Shibboleth with Jitsi and in the latest release 2.0.8218 (2023-01-13) Shibboleth it is indeed broken. It worked nicely with 2.0.8138 (2022-12-07) that I was running until just now.

Downgrading to 2.0.8138 fixes the problem so it wasn’t the fault of any other updates I installed today.

Update: Downgrading only jitsi-meet-web alone to Version 1.0.6854-1 also fixes Shibboleth authentication.

Boris_Grozev · January 17, 2023, 3:19pm

Can you share some details abut how it fails?

olivluca · January 17, 2023, 3:58pm

Instead of being redirected to the authentication portal (or, if already logged in, briefly seeing the screen “Hello! you should be redirected to the conference soon”) I get a login prompt.

D1eter · January 17, 2023, 4:00pm

The standard login dialog appears without any interaction with the IDP i.e. Shibboleth authentication is not invoked at all. Much like described in Struggling with Shibboleth auth in update 2.0.5765

There is an easy way to test if Shibboleth would be working without having to set up Shibboleth first. It was shared by Damien_FETIS here: Struggling with Shibboleth auth in update 2.0.5765 - #12 by Damien_FETIS

You can probably reproduce the problem like this

Damien_FETIS · January 17, 2023, 6:40pm

Hi,
The original shibboleth Auth implementation in jitsi jicofo will be deprecated soon.
So the redirection mechanism may be broken in new version.

You can read this thread to understand the why and the alternative: https://community.jitsi.org/t/intent-to-deprecate-and-remove-external-auth-mechanisms

As an alternative,we have shared a simple solution with a jwt token generator to run behind a shibboleth service provider : GitHub - Renater/Jitsi-SAML2JWT: Easily use SAML with JItsi-Meet JWT authentification.

You can also look at the keyclocak integration from @emrah : GitHub - nordeck/jitsi-keycloak-adapter: Allow Jitsi to use Keycloak as an identity and OIDC provider. SSO support for Jitsi

Regards,
Damien.