Closed tes5884 closed 6 years ago
Focus is a special user used by jicofo, you need to create a different user and use that one.
created a user tes5884
prosodyctl register tzvi auth.jitsi.mydomain.com mypassword
logged in and getting the same error.
Did I break it by changing the password for focus?
Thanks
Yep, it is definitely a problem if you haven't updated jicofo config.
ok, I reloaded the OS - just to clear any stray configs.
Followed the link, then created a separate user using:
prosodyctl register tzvi auth.jitsi.mydomain.com mypassword
I try to login, and get the same error
+1, any suggestion so far?
I never got a working response
On Oct 3, 2017 06:33, "davidetrapani" notifications@github.com wrote:
+1, any suggestion so far?
Oops, sorry I missed your reply. Then it will be useful to see some logs: JS console logs and jicofo logs, so we can continue debugging it further.
I created the user someuser with
sudo prosodyctl register someuser auth.my.domain.it somepassword
in /etc/prosody/conf.d/my.domain.it.cfg.lua
authentication = "internal_plain"
admins = { "focus@auth.my.domain.it", "someuser@auth.my.domain.it" }
VirtualHost "guest.my.domain.it"
authentication = "anonymous"
Component "someuser.my.domain.it"
component_secret="somepassword"
jicofo is running with org.jitsi.jicofo.auth.URL=XMPP:my.domain.it
when connecting to https://my.domain.it/someRoom it asks me for username/password and I put someuser@auth.my.domain.it / somepassword
this is /var/log/prosody/prosody.log
Oct 03 14:59:59 mod_bosh info New BOSH session, assigned it sid 'e54a7ec0-a57a-41a9-ad5f-06d583d020a8'
Oct 03 14:59:59 boshe54a7ec0-a57a-41a9-ad5f-06d583d020a8 info Authenticated as f39c6811-f6dd-4818-8ec9-93eb1a0e7715@guest.my.domain.it
Oct 03 15:00:08 someuser.my.domain.it:component warn Component not connected, bouncing error for: <iq id='gxvld-5189' type='get' to='someuser.my.domain.it' from='focus@auth.my.domain.it/focus1372436671847822'>
Oct 03 15:00:09 mod_bosh info New BOSH session, assigned it sid '1f4d9096-27ae-4d37-a4ca-089c4a9f37ea'
Oct 03 15:00:10 bosh1f4d9096-27ae-4d37-a4ca-089c4a9f37ea info Authenticated as someuser@auth.my.domain.it
Oct 03 15:00:10 bosh1f4d9096-27ae-4d37-a4ca-089c4a9f37ea info BOSH client disconnected
this is /var/log/jitsi/jicofo.log
Jicofo 2017-10-03 15:03:41.853 INFO: [140] org.jitsi.jicofo.xmpp.FocusComponent.handleConferenceIq().396 Focus request for room: wiseducksdifferanxiously@conference.my.domain.it
browser-side the error is
[modules/UI/authentication/AuthHandler.js] <>: authenticateAndUpgradeRole failed {authenticationError: "not-authorized", message: ""}
So you have VirtualHost "auth.my.domain.it" authentication = "internal_plain"
VirtualHost "guest.my.domain.it" authentication = "anonymous"
And in your config.js you have: hosts: { domain: 'auth.my.domain.it', anonymousdomain: 'guest.my.domain.it',
Is this correct?
And in jicofo you must have org.jitsi.jicofo.auth.URL=XMPP:auth.my.domain.it if you have the configs above. I think you had mixed some domains and subdomains and this is the main problem.
I have
VirtualHost "my.domain.it" authentication = "internal_plain"
then it's right
What about config.js ? You must create your user under my.domain.it not auth...
damencho Facing the same problem. Right after BOSH creates a new session it authenticates the registered user in prosody and BOSH gets disconnected. This is happening for any registered user including focus user. Any suggestions?
@pradyumnaba any prosody errors in the logs, do you see any reason for the disconnect? Check in prosody configs, in your host config file and in the general one for this property: c2s_require_encryption, it should be false.
@damencho in both the places of config c2s_require_encryption is set to false. In prosody, reason seems to be BOSH doesn't know the session Id and hence disconnecting. Below is the log trace
Oct 26 06:44:35 mod_bosh info New BOSH session, assigned it sid 'c4d3b8ae-cc84-40f8-96f0-fd3b267a2d6f'
Oct 26 06:44:35 boshc4d3b8ae-cc84-40f8-96f0-fd3b267a2d6f info Authenticated as focus@auth.mydomain.com
Oct 26 06:44:36 boshc4d3b8ae-cc84-40f8-96f0-fd3b267a2d6f warn rid too large (means a request was lost). Last rid: 2575871858 New rid: 2575871860
Oct 26 06:44:36 boshc4d3b8ae-cc84-40f8-96f0-fd3b267a2d6f info BOSH client disconnected
Oct 26 06:44:36 mod_bosh info Client tried to use sid 'c4d3b8ae-cc84-40f8-96f0-fd3b267a2d6f' which we don't know about
Can you send a full js console log from the browser?
Logger.js:125 [modules/xmpp/strophe.jingle.js] : Configured STUN servers: (3) [{…}, {…}, {…}]
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: Lip-sync enabled !
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe connecting: 61814.670000000006
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe connected: 62709.03500000001
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: My Jabber ID: focus@auth.mydomain.com/e7b4c2f7-7c77-42ec-bb0a-4522d70c5ad2
Logger.js:125 [modules/xmpp/ChatRoom.js] : Joined MUC as bigcheat@conference.mydomain.com/focus-76b3e5
Logger.js:125 [modules/xmpp/moderator.js] <i.createConferenceIq>: Session ID: null machine UID: 45ecc215723f46aea61ad4f343ab5326
Logger.js:125 [modules/xmpp/strophe.ping.js] <o.value>: XMPP pings will be sent every 10000 ms
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe disconnecting: 63057.82000000001
Logger.js:125 [modules/UI/authentication/AuthHandler.js] <>: authenticateAndUpgradeRole failed {authenticationError: "not-authorized", message: ""}
mydomain.com-1509026756108.log
Are you using the focus user to connect to the room? The focus user is reserved for jicofo and must not be used by users.
Getting the same error even with other user who has admin access in prosody
Logger.js:125 [modules/xmpp/strophe.jingle.js] : Configured STUN servers: (3) [{…}, {…}, {…}]
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: Lip-sync enabled !
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe connecting: 31532.595000000005
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe connected: 32317.615000000005
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: My Jabber ID: admin@auth.mydomain.com/345cba03-6406-4f47-b94b-b2de2a0951fd
Logger.js:125 [modules/xmpp/ChatRoom.js] : Joined MUC as strong@conference.mydomain.com/admin-d55af5
Logger.js:125 [modules/xmpp/moderator.js] <i.createConferenceIq>: Session ID: null machine UID: 45ecc215723f46aea61ad4f343ab5326
Logger.js:125 [modules/xmpp/strophe.ping.js] <o.value>: XMPP pings will be sent every 10000 ms
Logger.js:125 [modules/xmpp/xmpp.js] <t.value>: (TIME) Strophe disconnecting: 32565.360000000004
Logger.js:125 [modules/UI/authentication/AuthHandler.js] <>: authenticateAndUpgradeRole failed {authenticationError: "not-authorized", message: ""}
Seems the response of the bosh requests doesn't reach the client, at least this is what I suspect. Can you open https://mydomain.com/http-bind? The output should be like https://meet.jit.si/http-bind
It works! Now point your BOSH client to this URL to connect to Prosody. For more information see Prosody: Setting up BOSH.
Getting it right!
Hum, what I would suggest is clean jicofo logs, restart jicofo. Try entering the room by not using focus user and paste the whole jicofo log and client logs, as it is hard to guess what can be the problem. By the way which versions of jitsi-meet, jicofo and bridge are you using? The latest from stable or from unstable?
I am using the latest stable on my Ubuntu 16.04 and I have just followed https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md to install full jitsi-meet and tried enabling authentication following https://github.com/jitsi/jicofo (Secure domain section). Will upload the complete logs after restarting services in sometime
Browser Log: mydomain.com-1509034217128.log Jicofo Log: jicofo.log Jvb Log: jvb.log Prosody Log: prosody.log
prosody.err was 0KB so didn't attach that.
Hum, there is something strange ... You are trying to create a conference with a user from guest.mydomain.com; if you have set up the server using https://github.com/jitsi/jicofo#secure-domain (the 3rd point, using org.jitsi.jicofo.auth.URL), you should be able to create a conference only using the main domain. Do you have in config.js domain: 'mydomain.com', anonymousdomain: 'guest.mydomain.com', ? The error is: <i._allocateConferenceFocusError>: Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="26f13460-113f-40f1-b3cb-7e553620afc3@guest.mydomain.com/8c6d8c8e-d9af-4b0b-be9d-0ffa9328b1e5" from="focus.mydomain.com"
Yes, These are my hosts in config
hosts: {
// XMPP domain.
domain: 'mydomain.com',
anonymousdomain: 'guest.mydomain.com',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.mydomain.com'
}
That's strange ... I will set it up, locally and will test and will report my findings. Thanks for the patience.
Do you have in your jicofo config: /etc/jitsi/jicofo/sip-communicator.properties org.jitsi.jicofo.auth.URL=XMPP:mydomain.com ?
Hey @paweldomas actually the property is there, so something else must be wrong: Jicofo 2017-10-26 16:08:22.035 INFO: [1] org.jitsi.impl.configuration.ConfigurationServiceImpl.log() org.jitsi.jicofo.auth.URL=XMPP:mydomain.com
@damencho I will make a quick test tomorrow with the latest
Thanks, this is even from stable, before merging smack.
A problem is identified which affects versions in stable and unstable, we are working on a fix.
Thanks @damencho, will wait for the fix
This is fixed in jitsi-meet build 2590, we will work on updating stable these days with those changes. I'm closing this issue; if another problem is found, feel free to open a new one.
Thanks @damencho I will test once we have the stable update
I am using the latest stable version (ver. 1.0.2635-1) on my Debian 8, I have just followed the quick install notes to install jitsi-meet and I have tried to enable authentication but I have not succeeded. I have the same issues written previously and my system tries to register with the guest domain again and again. Is it possible that this patch is not enough? Has anyone tried this feature?
You have this in your jicofo config(/etc/jitsi/jicofo/sip-communicator.properties): org.jitsi.jicofo.auth.URL=XMPP:mydomain.com? And you have restarted jicofo after changing the line there?
I tested this last week and it was working as expected.
Yes, I have. I think my config is fine, I have checked everything. The strange thing is this line in the prosody log when I try to authenticate my prosody user (user@mydomain.com)
Dec 19 13:59:44 mod_bosh info New BOSH session, assigned it sid '69a72829-74f4-4fb8-89bf-259124a36627'
Dec 19 13:59:45 bosh69a72829-74f4-4fb8-89bf-259124a36627 info Authenticated as a4660d67-36f6-4cbe-95e4-bff2c3477a14@guest.mydomain.com
I will test it tomorrow with stable versions and will report my findings.
@damencho: Did you find anything ?
Nope, I didn't have time to look at it, but this is still on my todo list and will get to it if not today, for sure after Christmas.
I just tested it and it is working fine on my side with the latest stable release.
Having in config.js:
hosts: {
domain: 'mydomain',
anonymousdomain: 'guest.mydomain',
.....
In /etc/jitsi/jicofo/sip-communicator.properties:
org.jitsi.jicofo.auth.URL=XMPP:mydomain
....
And in prosody config /etc/prosody/conf.d/mydomain.cfg.lua:
VirtualHost "guest.mydomain"
authentication = "anonymous"
.....
VirtualHost "mydomain"
authentication = "internal_plain"
......
Hi @damencho , I found out about this project today, trying to set up a chat server for my family who's living in distant places. I am running into this issue as well using latest stable. I created someuser@auth.jitsi.mydomain.com with password somepassword. When I go to a meeting URL, jitsi.mydomain.com/randomblabla, I get a login page. When I enter someuser/somepassword, I get a message "obtaining session-id" followed by "Oops!... GET_SESSION_ID_ERROR". I checked everything and it all seems to go as instructed. Glad if you can help.
JS Log:
[conference.js] <e.value>: CONFERENCE FAILED: conference.authenticationRequired
Logger.js:125 [modules/xmpp/moderator.js] <i._allocateConferenceFocusError>: Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="c64d0526-d632-4ec5-8c57-f7d6a3992761@guest.jitsi.mydomain.com/66bfcb66-8748-48d0-b6a1-f66b5cb03435" from="focus.jitsi.mydomain.com" id="52b5a433-3a7c-4852-9dec-4fb72a4daeb2:sendIQ">…</iq>
Logger.js:125 [conference.js] <e.value>: CONFERENCE FAILED: conference.authenticationRequired
Logger.js:125 [modules/UI/authentication/AuthHandler.js] <>: authenticateAndUpgradeRole failed {authenticationError: "not-authorized", message: "not authorized user domain"}
/var/log/prosody/prosody.log
Apr 22 18:07:57 general info Hello and welcome to Prosody version 0.9.10
Apr 22 18:07:57 general info Prosody is using the select backend for connection handling
Apr 22 18:07:57 certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.key': Check that the path is correct, and the file exists. (for example.com)
Apr 22 18:07:57 example.com:tls error Unable to initialize TLS: error loading private key (No such file or directory)
Apr 22 18:07:57 certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.key': Previous error (see logs), or other system error. (for example.com)
Apr 22 18:07:57 example.com:tls error Unable to initialize TLS: error loading private key (system lib)
Apr 22 18:07:57 portmanager info Activated service 's2s' on [::]:5269, [*]:5269
Apr 22 18:07:57 portmanager info Activated service 'c2s' on [::]:5222, [*]:5222
Apr 22 18:07:57 portmanager info Activated service 'legacy_ssl' on no ports
Apr 22 18:07:57 mod_posix info Prosody is about to detach from the console, disabling further console output
Apr 22 18:07:57 mod_posix info Successfully daemonized to PID 351
Apr 22 18:07:57 portmanager info Activated service 'component' on [127.0.0.1]:5347, [::1]:5347
Apr 22 18:07:57 portmanager info Activated service 'http' on [::]:5280, [*]:5280
Apr 22 18:07:57 portmanager info Activated service 'https' on [::]:5281, [*]:5281
Apr 22 18:07:57 certmanager error SSL/TLS: Failed to load '/etc/prosody/': Reason: no start line (for auth.jitsi.mydomain.com)
Apr 22 18:07:57 auth.jitsi.mydomain.com:tls error Unable to initialize TLS: error loading private key (no start line)
Apr 22 18:07:57 certmanager error SSL/TLS: Failed to load '/etc/prosody/': Reason: pem lib (for auth.jitsi.mydomain.com)
Apr 22 18:07:57 auth.jitsi.mydomain.com:tls error Unable to initialize TLS: error loading private key (PEM lib)
Apr 22 18:07:59 c2s25c2f80 info Client connected
Apr 22 18:07:59 jcp243f710 info Incoming Jabber component connection
Apr 22 18:07:59 focus.jitsi.mydomain.com:component info External component successfully authenticated
Apr 22 18:08:00 c2s25c2f80 info Authenticated as focus@auth.jitsi.mydomain.com
Apr 22 18:08:00 jitsi-videobridge.jitsi.mydomain.com:component warn Component not connected, bouncing error for: <iq id='BOnQa-21' type='get' to='jitsi-videobridge.jitsi.mydomain.com' from='focus@auth.jitsi.mydomain.com/focus4117015487'>
Apr 22 18:08:01 jcp242d690 info Incoming Jabber component connection
Apr 22 18:08:01 jitsi-videobridge.jitsi.mydomain.com:component info External component successfully authenticated
Apr 22 18:08:04 mod_bosh info Client tried to use sid '1918f56b-ab1b-4874-8d99-e8a58c9cfd9a' which we don't know about
Apr 22 18:08:16 mod_bosh info Client tried to use sid '1918f56b-ab1b-4874-8d99-e8a58c9cfd9a' which we don't know about
Apr 22 18:08:39 mod_bosh info New BOSH session, assigned it sid 'a636a76e-29d8-474e-8c18-72676d5fcb2b'
Apr 22 18:08:40 bosha636a76e-29d8-474e-8c18-72676d5fcb2b info Authenticated as cf6e55e0-43cd-4be0-bb72-0d43e37689f6@guest.jitsi.mydomain.com
Apr 22 18:09:10 bosha636a76e-29d8-474e-8c18-72676d5fcb2b info BOSH client disconnected
Apr 22 18:09:14 mod_bosh info New BOSH session, assigned it sid '6720da0d-4699-4040-932c-9cfd69e7df78'
Apr 22 18:09:15 bosh6720da0d-4699-4040-932c-9cfd69e7df78 info Authenticated as c64d0526-d632-4ec5-8c57-f7d6a3992761@guest.jitsi.mydomain.com
Apr 22 18:09:35 mod_bosh info New BOSH session, assigned it sid '2c04ce94-57c6-4434-940b-ec541dd42fd9'
Apr 22 18:09:36 bosh2c04ce94-57c6-4434-940b-ec541dd42fd9 info Authenticated as someuser@auth.jitsi.mydomain.com
Apr 22 18:09:41 bosh2c04ce94-57c6-4434-940b-ec541dd42fd9 info BOSH client disconnected
/etc/prosody/prosody.cfg.lua
admins = { "focus@auth.jitsi.mydomain.com" }
...
VirtualHost "jitsi.mydomain.com"
authentication = "internal_plain"
VirtualHost "auth.jitsi.mydomain.com"
authentication = "internal_plain"
VirtualHost "guest.jitsi.mydomain.com"
authentication = "anonymous"
...
Component "focus.jitsi.mydomain.com"
component_secret="focus_secret"
/etc/jitsi/meet/jitsi.mydomain.com-config.js
var config = {
hosts: {
// XMPP domain.
domain: 'jitsi.mydomain.com',
anonymousdomain: 'guest.jitsi.mydomain.com',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.jitsi.mydomain.com'
/etc/jitsi/jicofo/config
# Jitsi Conference Focus settings
# sets the host name of the XMPP server
JICOFO_HOST=localhost
# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=jitsi.mydomain.com
# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=<<<<<redacted>>>>>>
# sets the port to use for the XMPP component connection
JICOFO_PORT=5347
# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.jitsi.mydomain.com
# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus
# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=focuspassword
# extra options to pass to the jicofo daemon
JICOFO_OPTS=""
# adds java system props that are passed to jicofo (default are for home and logging config file)
JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jicofo -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/jicofo/logging.properties"
/etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.auth.URL=XMPP:jitsi.mydomain.com
You need to create the user as user@jitsi.mydomain.com
The auth domain is a special one used by the internal components. The instructions https://github.com/jitsi/jicofo#secure-domain are how to secure the main domain used by the deployment, jitsi.mydomain.com.
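A consistency check for the setup discussed in this thread, added here as an example (it is not code from the Jitsi project or from any participant). It reads the prosody VirtualHost sections, the hosts block of config.js and jicofo's org.jitsi.jicofo.auth.URL, then reports where they or the login JID disagree, covering both the three-file layout posted earlier as working and the rule above that accounts belong on the main domain. The function names and the embedded sample files are assumptions, constructed from the configuration quoted in the thread.

```python
import re

# Constructed samples, modelled on the configuration quoted in this thread.
PROSODY_CFG = '''
VirtualHost "jitsi.mydomain.com"
    authentication = "internal_plain"
VirtualHost "auth.jitsi.mydomain.com"
    authentication = "internal_plain"
VirtualHost "guest.jitsi.mydomain.com"
    authentication = "anonymous"
Component "focus.jitsi.mydomain.com"
    component_secret = "focus_secret"
'''
CONFIG_JS = '''
var config = {
    hosts: {
        // XMPP domain.
        domain: 'jitsi.mydomain.com',
        anonymousdomain: 'guest.jitsi.mydomain.com',
    }
};
'''
JICOFO_PROPS = "org.jitsi.jicofo.auth.URL=XMPP:jitsi.mydomain.com\n"

def prosody_hosts(cfg):
    """Map each VirtualHost to its authentication setting (None if unset)."""
    hosts, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("--", 1)[0].strip()  # drop Lua line comments
        if m := re.match(r'VirtualHost\s+"([^"]+)"', line):
            current = m.group(1)
            hosts.setdefault(current, None)
        elif re.match(r'Component\s+"', line):
            current = None  # component sections are not login domains
        elif current and (m := re.match(r'authentication\s*=\s*"([^"]+)"', line)):
            hosts[current] = m.group(1)
    return hosts

def js_host(config_js, key):
    # Drop // comments; the word boundary keeps "domain" from matching "anonymousdomain".
    text = re.sub(r"//.*", "", config_js)
    m = re.search(r"\b%s\s*:\s*['\"]([^'\"]+)['\"]" % re.escape(key), text)
    return m.group(1) if m else None

def check(prosody_cfg, config_js, jicofo_props, login_jid):
    """Return the mismatches between the three files and the login JID."""
    hosts = prosody_hosts(prosody_cfg)
    main = js_host(config_js, "domain")
    guest = js_host(config_js, "anonymousdomain")
    m = re.search(r"^\s*org\.jitsi\.jicofo\.auth\.URL\s*=\s*XMPP:(\S+)", jicofo_props, re.M)
    auth_url = m.group(1) if m else None
    findings = []
    if hosts.get(main) in (None, "anonymous"):
        findings.append(f"prosody: VirtualHost {main} needs non-anonymous authentication")
    if guest and hosts.get(guest) != "anonymous":
        findings.append(f"prosody: guest VirtualHost {guest} is not anonymous")
    if auth_url != main:
        findings.append(f"jicofo: auth.URL is XMPP:{auth_url} but config.js domain is {main}")
    if login_jid.rpartition("@")[2] != main:
        findings.append(f"login: {login_jid} is not an account on {main}")
    return findings

if __name__ == "__main__":
    for jid in ("someuser@auth.jitsi.mydomain.com", "someuser@jitsi.mydomain.com"):
        print(jid, "->", check(PROSODY_CFG, CONFIG_JS, JICOFO_PROPS, jid) or "consistent")
```

An empty result only means the four values agree with each other; prosody and jicofo still have to be restarted after any change, as asked elsewhere in the thread.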
Hey @damencho , thanks for answering so quickly. OK, I think we're zeroing in on the problem because only adding users to auth.jitsi.mydomain.com works for me:
shell:
root@FamilyChatServer-VM:~# sudo prosodyctl register someuser2 jitsi.mydomain.com somepassword2
Error: Account creation/modification not supported.
root@FamilyChatServer-VM:~# sudo prosodyctl register someuser2 auth.jitsi.mydomain.com somepassword2
root@FamilyChatServer-VM:~#
If it makes things easier, I really just want to create some rooms for my family without anonymous users using my server. If there's a way to create 3 pre-defined rooms and to block any additional rooms from being created, that will be great. I'll just give these rooms weird and long names and nobody will guess them.
In Android and iOS app we have achieved it by adding another layer. No one can join room without giving access code.
On 23-Apr-2018 at 05:10:46 ttimmy 'notifications@github.com' wrote:
If it makes things easier, I really just want to create some rooms for my family without anonymous users using my server. If there's a way to create 3 pre-defined rooms and to block any additional rooms from being created, that will be great. I'll just give these rooms weird and long names and nobody will guess them.
After adding
VirtualHost "jitsi.mydomain.com"
authentication = "internal_plain"
Have you restarted prosody?
@ajaydata Please do not spam threads! And your comment is not correct. Changing the mobile client is not protection, cause everybody can use the deployment using the web client. Protection is not achieved by modifying web or mobile client, but by enforcing it in the backend.
@damencho I restarted the entire server, just to make sure.
That is strange. internal_plain supports adding/modifying users. I see that you execute the command as root, so you should be able to write to that folder /var/lib/prosody (adding the user to auth domain works). I'm out of ideas about this... You can try asking in the prosody xmpp room or their mailing list.
Hi Guys, I followed this link, point being that I'm trying to create authenticated meets only.
After doing the above, I created a prosody user:
prosodyctl register focus auth.jitsi.mydomain.com focuspassword
On browsing to my jitsi instance, it asked me to login. I login using: login: focus@auth.jitsi.mydomain.com password: focuspassword
I get the following error:
Oops! Something went wrong and we couldn't connect to the conference: connection.GET_SESSION_ID_ERROR
Any ideas?