Update to 2.0.8194-1 stable: Can't create conferences no more

I got a server installed last week with last weeks stable, secure domain enabled. Today I did apt update/ apt upgrade (ubuntu22), and since then no login in order to open a room seems to work. It feels like my login is invalid.

prosody.log says

|Jan 12 18:10:32 mod_bosh|info|New BOSH session, assigned it sid 'a90127e1-af77-4cbd-923a-b335bd1fc2e9'|
|Jan 12 18:10:33 bosha90127e1-af77-4cbd-923a-b335bd1fc2e9|info|Authenticated as keith@[server]

… and that’s it. No entry in prosody.err.

jicofo.log says

Jicofo 2023-01-12 18:13:15.207 INFO: [42] ConferenceIqHandler.handleConferenceIq#69: Focus request for room: availableknocksresignlow@conference.[server]

… so it just seems to wait for the conference to be opened.
Nothing in jvb.log, up and running.

When deleting “Secure Domain” features, to make it a public server without any authentication, after clicking “Join Meeting” the button turns grey and stays grey.

From the default prosody template I just noticed that “authentication=anonymous” seems to have been changed into “authentication=jitsi-anonymous” , but playing around with that doesn’t solve the problem.

From the Firefox browser console:

2023-01-12T18:31:03.750Z [connection.js] CONNECTION FAILED: connection.passwordRequired

I can’t find a connection.js on the server…

So I wonder, where should I start to look… Something must have been changed dramatically between those two versions that causes this behaviour, any hints?

Did you disable anonymousdomain in config.js when switching to jitsi-anonymous in prosody?

I can confirm that secure domain doesn’t work for the latest stable.

Missing mandatory attribute 'machine-uid' error in the browser console. It seems related with jicofo

@saghul @damencho

Hey @emrah will you be able to test the unstable once we merge chore(deps) lib-jitsi-meet@latest by damencho · Pull Request #12776 · jitsi/jitsi-meet · GitHub? Thanks

2 Likes

Yep, it is working after this commit :+1:

I built it using the current master of jitsi-meet and lib-jitsi-meet

What is the easiest way to make these changes on a production server? Everyone who uses ldap + anonymous access has problems, is it possible to quickly release with critical fixes?

Thanks @emrah for confirming. The stable is being updates now.

@VictorAE update from stable again.

2 Likes

works, thank you

1 Like

Now everything works again smooth and nice! Thanks a lot !
One more question regarding this update and “Secure Domain”:

Handbook says to add this to
/etc/jitsi/jicofo/jicofo.conf

 authentication: {
   enabled: true
  type: XMPP
  login-url: "[Server]"
 }

But in my case “Secure Domain” works even without that entry. Can this be?

In /etc/jitsi/jicofo/sip-communicator.properties I still have the entry

org.jitsi.jicofo.auth.URL=XMPP:[SERVER]

… which I learned of some time ago, but is not documented anymore.

1 Like

Both are the same but the last one is old format and not recommended. It probably won’t be supported at some point.

2 Likes

Would this also affect shibboleth authentication?

This morning I found that the upgrade (debian 11/bullseye) to these packages:

2023-01-13 06:36:09 upgrade jitsi-videobridge2:all 2.2-63-g252d14bc-1 2.2-67-gc7f2b2d5-1
2023-01-13 06:36:17 upgrade jitsi-meet:all 2.0.8138-1 2.0.8194-1
2023-01-13 06:36:18 upgrade jicofo:all 1.0-968-1 1.0-977-1
2023-01-13 06:36:21 upgrade jitsi-meet-web:all 1.0.6854-1 1.0.6897-1
2023-01-13 06:36:23 upgrade jitsi-meet-web-config:all 1.0.6854-1 1.0.6897-1
2023-01-13 06:36:24 upgrade jitsi-meet-prosody:all 1.0.6854-1 1.0.6897-1

would break the authentication.

I reverted to old packages and now the authentication works.

Yep there is a jitsi-meet 2.0.8218 out now where the bug should be fixed.

1 Like

nope, just upgraded to jitsi-meet 2.0.8218 and shibbooleth doesn’t work.

Edit: actually, the problem is not jitsi-meet 2.0.8218 (I still have that installed) but one of the other packages (which I reverted)

I thought jitsi-meet is a bundle package, so I meant all packages bundled with this version. Hope that is not disinterpreted.

Well, I just did an “apt upgrade” and it broke the authentication.
These are the packages currently upgradable

jicofo/stable 1.0-980-1 all [upgradable from: 1.0-967-1]
jitsi-meet-prosody/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-meet-web-config/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-meet-web/stable 1.0.6918-1 all [upgradable from: 1.0.6850-1]
jitsi-videobridge2/stable 2.2-67-gc7f2b2d5-1 all [upgradable from: 2.2-61-g98c9f868-1]

I’m also using Shibboleth with Jitsi and in the latest release 2.0.8218 (2023-01-13) Shibboleth it is indeed broken. It worked nicely with 2.0.8138 (2022-12-07) that I was running until just now.

Downgrading to 2.0.8138 fixes the problem so it wasn’t the fault of any other updates I installed today.

Update: Downgrading only jitsi-meet-web alone to Version 1.0.6854-1 also fixes Shibboleth authentication.

Can you share some details abut how it fails?

Instead of being redirected to the authentication portal (or, if already logged in, briefly seeing the screen “Hello! you should be redirected to the conference soon”) I get a login prompt.

The standard login dialog appears without any interaction with the IDP i.e. Shibboleth authentication is not invoked at all. Much like described in Struggling with Shibboleth auth in update 2.0.5765

There is an easy way to test if Shibboleth would be working without having to set up Shibboleth first. It was shared by Damien_FETIS here: Struggling with Shibboleth auth in update 2.0.5765 - #12 by Damien_FETIS

You can probably reproduce the problem like this

Hi,
The original shibboleth Auth implementation in jitsi jicofo will be deprecated soon.
So the redirection mechanism may be broken in new version.

You can read this thread to understand the why and the alternative: https://community.jitsi.org/t/intent-to-deprecate-and-remove-external-auth-mechanisms

As an alternative,we have shared a simple solution with a jwt token generator to run behind a shibboleth service provider : GitHub - Renater/Jitsi-SAML2JWT: Easily use SAML with JItsi-Meet JWT authentification.

You can also look at the keyclocak integration from @emrah : GitHub - nordeck/jitsi-keycloak-adapter: Allow Jitsi to use Keycloak as an identity and OIDC provider. SSO support for Jitsi

Regards,
Damien.

2 Likes