Bug#836898: shibboleth-sp2-common: schema problems - "configuration is invalid"

Jonathan Champ royanee at gmail.com
Tue Sep 6 22:15:47 UTC 2016


Package: shibboleth-sp2-common
Version: 2.6.0+dfsg1-3
Severity: important
Tags: patch

Dear Maintainer,

   * What led up to the situation?

      Updated shibboleth from previous 2.5.x; two packages refused to
install due to configuration errors.


   * What was the result of updating?

         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/catalog.xml'
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/saml20-catalog.xml'
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/saml11-catalog.xml'
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         2016-09-06 17:31:45 WARN XMLTooling.ParserPool : warning on
line 0, column 0, message: unable to open primary document entity
'/usr/share/xml/shibboleth/xmldsig-core-schema.xsd'
         2016-09-06 17:31:45 WARN XMLTooling.ParserPool : warning on
line 0, column 0, message: unable to open primary document entity
'/usr/share/xml/shibboleth/xml.xsd'
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 143, column 56, message: namespace
'http://www.w3.org/XML/1998/namespace' is referenced without import
declaration
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 254, column 56, message: namespace
'http://www.w3.org/2000/09/xmldsig#' is referenced without import
declaration
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 254, column 56, message: referenced element 'ds:Signature' not
found
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 277, column 31, message: namespace
'http://www.w3.org/2000/09/xmldsig#' is referenced without import
declaration
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 277, column 31, message: referenced element 'ds:KeyInfo' not
found
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 291, column 48, message: namespace
'http://www.w3.org/2000/09/xmldsig#' is referenced without import
declaration
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : error on
line 291, column 48, message: referenced element 'ds:Signature' not
found
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : fatal error
on line 1, column 1, message: invalid document structure
         2016-09-06 17:31:45 ERROR XMLTooling.ParserPool : fatal error
on line 9, column 154, message: fatal error during schema scan
         2016-09-06 17:31:45 ERROR Shibboleth.Config : error while
loading resource (/etc/shibboleth/shibboleth2.xml): XML error(s)
during parsing, check log for specifics
         2016-09-06 17:31:45 FATAL Shibboleth.Config : caught
exception while loading configuration: XML error(s) during parsing,
check log for specifics
         <3>configuration is invalid, check console for specific problems


   * What exactly did you do to try and address the situation?

      I used "/usr/sbin/shibd -t" to test the configuration changes. I
added this to console.logger to debug the problem:

         log4j.category.XMLTooling.ParserPool=DEBUG

      Finally, I modified the /usr/share/xml/shibboleth/catalog.xml file
to add the six required lines:

         <system systemId="http://www.w3.org/XML/1998/namespace"
uri="/usr/share/xml/xmltooling/xml.xsd"/>
         <system systemId="http://www.w3.org/2001/04/xmlenc#"
uri="/usr/share/xml/xmltooling/xenc-schema.xsd"/>
         <system systemId="http://www.w3.org/2000/09/xmldsig#"
uri="/usr/share/xml/xmltooling/xmldsig-core-schema.xsd"/>

         <system systemId="urn:oasis:names:tc:SAML:2.0:assertion"
uri="/usr/share/xml/opensaml/saml-schema-assertion-2.0.xsd"/>
         <system systemId="urn:oasis:names:tc:SAML:2.0:protocol"
uri="/usr/share/xml/opensaml/saml-schema-protocol-2.0.xsd"/>
         <system systemId="urn:oasis:names:tc:SAML:2.0:metadata"
uri="/usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd"/>


   * What was the outcome from this action?

      The service started successfully, despite some suspicious error messages.

         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/catalog.xml'
         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/saml20-catalog.xml'
         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : fatal error
on line 0, column 0, message: unable to open primary document entity
'/saml11-catalog.xml'
         2016-09-06 17:33:03 ERROR XMLTooling.ParserPool : catalog
loader caught exception: XML error(s) during parsing, check log for
specifics
         overall configuration is loadable, check console for non-fatal problems


   * What else would you like the maintainer to know?

      There were a few other suspicious messages at the DEBUG level:

         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/shibboleth/shibboleth-2.0-afp.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve classpath:/schema/shibboleth-2.0-afp.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve classpath:/schema/shibboleth-2.0-afp.xsd with baseURI
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-saml.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-assertion-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-assertion-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-protocol-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd
with baseURI /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request
(http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd),
blocking it
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool : asked to
resolve http://www.w3.org/2001/xml.xsd with baseURI
/usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
         2016-09-06 17:33:03 DEBUG XMLTooling.ParserPool :
unauthorized entity request (http://www.w3.org/2001/xml.xsd), blocking
it

      I'm not sure what the correct solution is, but I was able to
make those messages go away, by removing the file path from the
schemaLocation and leaving only the filename.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/shibboleth/attribute-map.xml changed [not included]
/etc/shibboleth/shibboleth2.xml changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/xml/shibboleth/catalog.xml (from
shibboleth-sp2-common package)
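
Added example (not part of the original report and not Shibboleth code): a small triage script that pairs each "asked to resolve" message with its "unauthorized entity request" message and checks the requested URI against the catalog's <system> entries, so you can see which schema pulled in each blocked reference. The catalog and log samples are constructed from lines quoted in the report; the script assumes one log message per line, as in the log file itself rather than the mail-wrapped text above.

```python
import re
import xml.etree.ElementTree as ET

CATALOG_NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
ASKED = re.compile(r"asked to resolve (\S+) with baseURI (\S+)")
BLOCKED = re.compile(r"unauthorized entity request \((\S+)\), blocking it")

# Constructed catalog holding two of the <system> entries quoted in the report.
SAMPLE_CATALOG = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<system systemId="http://www.w3.org/XML/1998/namespace" uri="/usr/share/xml/xmltooling/xml.xsd"/>
<system systemId="http://www.w3.org/2000/09/xmldsig#" uri="/usr/share/xml/xmltooling/xmldsig-core-schema.xsd"/>
</catalog>"""

# Constructed log: DEBUG messages from the report, unwrapped, timestamps dropped.
SAMPLE_LOG = """\
DEBUG XMLTooling.ParserPool : asked to resolve http://www.w3.org/2001/xml.xsd with baseURI /usr/share/xml/opensaml/saml-schema-metadata-2.0.xsd
DEBUG XMLTooling.ParserPool : unauthorized entity request (http://www.w3.org/2001/xml.xsd), blocking it
DEBUG XMLTooling.ParserPool : asked to resolve classpath:/schema/shibboleth-2.0-afp.xsd with baseURI /usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd
DEBUG XMLTooling.ParserPool : unauthorized entity request (classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
DEBUG XMLTooling.ParserPool : asked to resolve classpath:/schema/shibboleth-2.0-afp.xsd with baseURI /usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-saml.xsd
DEBUG XMLTooling.ParserPool : unauthorized entity request (classpath:/schema/shibboleth-2.0-afp.xsd), blocking it
"""

def catalog_map(catalog_xml):
    """systemId -> local uri for every <system> entry in an OASIS XML catalog."""
    root = ET.fromstring(catalog_xml)
    return {e.get("systemId"): e.get("uri") for e in root.iter(CATALOG_NS + "system")}

def blocked_requests(log_text):
    """requested URI -> sorted base schemas whose request for it was blocked."""
    pending, blocked = {}, {}
    for line in log_text.splitlines():
        if (m := ASKED.search(line)):
            pending[m.group(1)] = m.group(2)      # remember who asked
        elif (m := BLOCKED.search(line)):
            uri = m.group(1)
            blocked.setdefault(uri, set()).add(pending.pop(uri, "?"))
    return {u: sorted(b) for u, b in blocked.items()}

def triage(log_text, catalog_xml):
    """Rows of (uri, scheme, has_catalog_entry, requesting schemas)."""
    mapped = catalog_map(catalog_xml)
    return [(u, u.split(":", 1)[0], u in mapped, bases)
            for u, bases in sorted(blocked_requests(log_text).items())]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_CATALOG):
        print(row)
```

In the sample, the catalog is keyed by namespace URI while the blocked requests are for schemaLocation URLs and classpath: references, so none of the blocked URIs has a matching entry.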


