Can't get login to Meet: No Access

mniehren

Hi,

i am trying to setup kopano meet on self made linux system (LFS). After
successfully setting up Kopano (i can login over webapp to Kopano), i followed
the Youtube Video from Felix to setup Kopano-Meet.

• Kopano-kwebd is running
• Kopano-konnectd is runng
• Kopano-grapi is running
• Kopano-kavid is running
• Kopano-Server is running

If i call in the Browser the Meet-Link, i got an Login-Page like in the video.
But i can not login. The credentials are ok, i always got the message:

“Kein Zugriff”

Sie haben keine Berechtigung für diese App. … bitten Sie den Administrator,
den Zugriff freizuschalten.

I see no errros in the Logs.
Any ideas where to search for a solution ?

best regards
Michael

fbartels

Hi @mniehren,

how exactly did you install and configure Meet? Did you compile it yourself (since you are running LFS) or are you using the (Docker) containers?

It sounds like you are missing configured scopes.

mniehren

Hi Felix,

i compile kopano-core myself and use the binaries of kapid, konnectd, kwebd and
kwmserverd from https://download.kopano.io/community/.

Would it be better to compile them ?

regards
Michael

longsleep

@mniehren said in Can't get login to Meet: No Access:

But i can not login. The credentials are ok, i always got the message:

“Kein Zugriff”

Sie haben keine Berechtigung für diese App. … bitten Sie den Administrator,
den Zugriff freizuschalten.

This error means, that the access token does not grant the requires scopes for the given app. In your case Meet requires at the very least the kopano/kwm scope. It requests it from Konnect, and Konnect only grants scopes it knows about (for security reasons).

Configure scopes in Konnect via the scopes.yaml file (–identifier-scopes-conf commandline parameter). Lilke so for example:

---
scopes:
  kopano/kwm:
    description: "Access Kopano Webmeetings"

  kopano/kvs:
    description: "Access Kopano Key Value Store"

  kopano/gc:
    description: "Access Kopano Groupware"

  kopano/pubs:
    description: "Access Kopano Pubs"

These are all the scopes which potentially can be used by Meet. @fbartels no idea if we have this somwhere in instructions / README if someone installs everything from source.

mniehren

Hi longsleep,

that’s it, many thanks for you help, it runs !!!

It would be nice to see that in the documentation.

so, for now i will take a long sleep ;-)

best regards
Michael

mniehren

Sorry, one more issue.

After successfully login into meet, i don’t got the contacts with the error:
Failed to fetch contacts: Unexpected Status 502

Should i see at this position the GAB ?

in webapp i see all the users in the GAB.

best regards
Michael

fbartels

Hi @mniehren,

that sounds like grapi is not yet properly configured. You can for example have a look how the components are set up at https://github.com/zokradonh/kopano-docker and then copy the config values.

mniehren

Hi Felix,

thanks again for you help.
I found my bug, grapi was not startet with --insecure. Now the error of fetching contacts
is gone.
But i still see no contacts in Meet, neither the other kopano-users nor the contacts i
have added in the webapp. Do you have a tip, where to search ?

By the way, where can i find the mail-webapp and the contacts-webapp to where
the Links in Meet leads. I can only find the calendar-webapp in the kopano-calendar
package ?

best regards
Michael

fbartels

@mniehren said in Can't get login to Meet: No Access:

grapi was not startet with --insecure

For a production deployment the usage of --insecure is not recommended. Instead you should make sure that certificates are trusted by all involved systems.

@mniehren said in Can't get login to Meet: No Access:

neither the other kopano-users nor the contacts i have added in the webapp

Even it it would work, you would only see users that are part of your gab. Meet does not show contacts from your personal contacts.

@mniehren said in Can't get login to Meet: No Access:

where can i find the mail-webapp and the contacts-webapp

These currently only exist as internal prototypes. The goal is to next properly release the calendar app and then probably get back to one of the others.

@mniehren said in Can't get login to Meet: No Access:

Do you have a tip, where to search ?

How about the logging of Kapi and Grapi?

longsleep

@mniehren said in Can't get login to Meet: No Access:

But i still see no contacts in Meet, neither the other kopano-users nor the contacts i
have added in the webapp. Do you have a tip, where to search ?

Maybe there are more than 100 users? If so Meet does not pre-load any contacts and waits for search input.

mniehren

@longsleep: there are only 2 users, it’s a test environment

@fbartels

nothing in the grapi and kapid.log:

Insert Code Here2020-05-06_07:31:05.76403 INFO: 2020-05-06 09:31:05,763 - 3527 - starting kopano-mfr
2020-05-06_07:31:05.79599 INFO: 2020-05-06 09:31:05,795 - 3542 - starting notify worker: unix:/var/run/kopano-grapi/notify.sock
2020-05-06_07:31:06.13779 INFO: 2020-05-06 09:31:06,137 - 3534 - starting rest worker: unix:/var/run/kopano-grapi/rest0.sock
2020-05-06_07:31:06.17965 INFO: 2020-05-06 09:31:06,179 - 3538 - starting rest worker: unix:/var/run/kopano-grapi/rest4.sock
2020-05-06_07:31:06.18991 INFO: 2020-05-06 09:31:06,189 - 3535 - starting rest worker: unix:/var/run/kopano-grapi/rest1.sock
2020-05-06_07:31:06.19917 INFO: 2020-05-06 09:31:06,198 - 3539 - starting rest worker: unix:/var/run/kopano-grapi/rest5.sock
2020-05-06_07:31:06.21167 INFO: 2020-05-06 09:31:06,211 - 3536 - starting rest worker: unix:/var/run/kopano-grapi/rest2.sock
2020-05-06_07:31:06.21863 INFO: 2020-05-06 09:31:06,218 - 3537 - starting rest worker: unix:/var/run/kopano-grapi/rest3.sock
2020-05-06_07:31:06.22769 INFO: 2020-05-06 09:31:06,227 - 3541 - starting rest worker: unix:/var/run/kopano-grapi/rest7.sock
2020-05-06_07:31:06.29234 INFO: 2020-05-06 09:31:06,292 - 3540 - starting rest worker: unix:/var/run/kopano-grapi/rest6.sock

I2020-05-06_07:31:05.94470 time="2020-05-06T09:31:05+02:00" level=warning msg="received signal" signal=terminated
2020-05-06_07:31:05.94470 time="2020-05-06T09:31:05+02:00" level=info msg="clean server shutdown start"
2020-05-06_07:31:05.94484 time="2020-05-06T09:31:05+02:00" level=debug msg="grapi: close"
2020-05-06_07:31:05.94484 time="2020-05-06T09:31:05+02:00" level=debug msg="kvs: close"
2020-05-06_07:31:05.94497 time="2020-05-06T09:31:05+02:00" level=debug msg="http listener stopped"
2020-05-06_07:31:05.94497 time="2020-05-06T09:31:05+02:00" level=debug msg="pubs: close"
2020-05-06_07:31:06.29881 time="2020-05-06T09:31:06+02:00" level=info msg="serve start"
2020-05-06_07:31:06.29882 time="2020-05-06T09:31:06+02:00" level=info msg="loading plugins from /usr/lib/kopano/kapi-plugins"
2020-05-06_07:31:06.29882 time="2020-05-06T09:31:06+02:00" level=debug msg="all plugins enabled"
2020-05-06_07:31:06.29884 time="2020-05-06T09:31:06+02:00" level=warning msg="insecure mode, TLS client connections are susceptible to man-in-the-middle attacks"
2020-05-06_07:31:06.29885 time="2020-05-06T09:31:06+02:00" level=debug msg="http2 client support is disabled (insecure mode)"
2020-05-06_07:31:06.31357 time="2020-05-06T09:31:06+02:00" level=info msg="plugin loaded: /usr/lib/kopano/kapi-plugins/grapi.so" build="2020-05-05T12:46:41Z" plugin=grapi version=
2020-05-06_07:31:06.32215 time="2020-05-06T09:31:06+02:00" level=info msg="plugin loaded: /usr/lib/kopano/kapi-plugins/kvs.so" build="2020-05-05T12:46:41Z" plugin=kvs version=
2020-05-06_07:31:06.33194 time="2020-05-06T09:31:06+02:00" level=info msg="plugin loaded: /usr/lib/kopano/kapi-plugins/pubs.so" build="2020-05-05T12:46:41Z" plugin=pubs version=
2020-05-06_07:31:06.33195 time="2020-05-06T09:31:06+02:00" level=info msg="plugin registered" plugin=grapi
2020-05-06_07:31:06.33195 time="2020-05-06T09:31:06+02:00" level=info msg="plugin registered" plugin=kvs
2020-05-06_07:31:06.33197 time="2020-05-06T09:31:06+02:00" level=info msg="plugin registered" plugin=pubs
2020-05-06_07:31:06.33197 time="2020-05-06T09:31:06+02:00" level=info msg="serve started"
2020-05-06_07:31:06.33201 time="2020-05-06T09:31:06+02:00" level=debug msg="grapi: initialize"
2020-05-06_07:31:06.33206 time="2020-05-06T09:31:06+02:00" level=info msg="grapi: access requirements set up" required_scopes="[profile email kopano/gc]"
2020-05-06_07:31:06.33215 time="2020-05-06T09:31:06+02:00" level=debug msg="grapi: looking for proxy rest*.sock files in /var/run/kopano-grapi"
2020-05-06_07:31:06.33217 time="2020-05-06T09:31:06+02:00" level=info msg="kvs: access requirements set up" required_scopes="[kopano/kvs]"
2020-05-06_07:31:06.33220 time="2020-05-06T09:31:06+02:00" level=debug msg="kvs: initialize"
2020-05-06_07:31:06.33224 time="2020-05-06T09:31:06+02:00" level=debug msg="grapi: looking for proxy notify*.sock files in /var/run/kopano-grapi"
2020-05-06_07:31:06.33295 time="2020-05-06T09:31:06+02:00" level=debug msg="kv: database version: 1 dirty: false"
2020-05-06_07:31:06.33317 time="2020-05-06T09:31:06+02:00" level=debug msg="kvs: store initialize complete"
2020-05-06_07:31:06.33345 time="2020-05-06T09:31:06+02:00" level=warning msg="pubs: using random secret key"
2020-05-06_07:31:06.33350 time="2020-05-06T09:31:06+02:00" level=info msg="pubs: access requirements set up" required_scopes="[kopano/pubs]"
2020-05-06_07:31:06.33354 time="2020-05-06T09:31:06+02:00" level=debug msg="pubs: initialize with 512 bits HMAC-SHA256 key" broadcast="aY99IMWAUidK8yZfS8H1mmRRbNA3EzQ8VvQAtDeLq8U="
2020-05-06_07:31:06.34633 time="2020-05-06T09:31:06+02:00" level=debug msg="OIDC provider initialized" iss="https://kopano2.tuxlan.de"
2020-05-06_07:31:06.34634 time="2020-05-06T09:31:06+02:00" level=info msg="starting http listener" listenAddr="127.0.0.1:8039"
2020-05-06_07:31:06.34641 time="2020-05-06T09:31:06+02:00" level=info msg="ready to handle requests"
2020-05-06_07:31:07.33322 time="2020-05-06T09:31:07+02:00" level=debug msg="grapi: found 1 notify*.sock upstream proxy workers"
2020-05-06_07:31:07.33324 time="2020-05-06T09:31:07+02:00" level=debug msg="grapi: enabled subscription proxy"
2020-05-06_07:31:07.33351 time="2020-05-06T09:31:07+02:00" level=debug msg="grapi: found 8 rest*.sock upstream proxy workers"
2020-05-06_07:31:07.33352 time="2020-05-06T09:31:07+02:00" level=debug msg="grapi: enabled default api proxy"

The GAB seems to be ok, i see in the Webapp the 2 users (michael, edgar) and SYSTEM and Everyone …

best regards
Michael

mniehren

i found it, the hidden-Flag in the LDAP-Database was not set correctly,

after fixing i see entries in the GAB

thanks for your help
Michael

mniehren

maybe 1 last problem left.

I try to configure guest support in meet according to the description in
“Special configuration”

Everything works until i create an config.json file. If i call the Meet-Link in the browser,
i only see “prepare (Vorbereiten)” and nothing more happens.

First i copy from config.json.in:

{
  "apiPrefix": "/api/gc/v1",
  "oidc": {
    "iss": "",
    "clientID": ""
  },
  "kwm": {
    "url": ""
  },
  "guests": {
          "enabled": true,
          "default": null
  },
  "disableFullGAB": false
}

But i don’t know, what other value has to be there (iss is clear).

so i tried only

{
  "guests": {
    "enabled": "true"
  }
}

same result, even if i put an empty config.json nothing is changed.

As soon as i delete the file, the login prompt arrives.

I put the file under /usr/share/kopano-meet/config/kopano/meet.json as my
web_root in kwebd is /usr/share/kopano-meet. Is that right ?

Again, nothing in the logs.

Could you help ?

best regards
Michael

mniehren

i see in the request-log of kwebd the following:

192.168.70.10 - - [07/May/2020:08:52:25 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:26 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:28 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:31 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:36 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:41 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:46 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:52:51 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.111 - - [07/May/2020:08:52:53 +0200] "GET /.well-known/openid-configuration HTTP/1.1" 200 524 "-" "Go-http-client/1.1"
192.168.70.111 - - [07/May/2020:08:52:53 +0200] "GET /konnect/v1/jwks.json HTTP/1.1" 200 410 "-" "Go-http-client/1.1"
192.168.70.10 - - [07/May/2020:08:52:56 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:53:01 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"
192.168.70.10 - - [07/May/2020:08:53:06 +0200] "GET /api/config/v1/kopano/meet/config.json HTTP/2.0" 200 158 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.114 Safari/537.36"

fbartels

Hi @mniehren,

did you have a look at the example deployment I’ve linked to above?

The document you have pasted here looks ok and also parses as valid json. It would be interesting to know what your browser reports (in the network console) when loading it. are there any others errors in there?

This is the config we are using for the public service: https://use.meet-app.io/api/config/v1/kopano/meet/config.json

mniehren

in the Web-Console of Firefox i see

Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.  config.json
failed to fetch config: Error: unexpected Content-Type, retrying in 5000ms actions.js:111:22
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.  config.json
failed to fetch config: Error: unexpected Content-Type, retrying in 5000ms actions.js:111:22

Network show’s only

	config.json	fetch	plain	636 B	237 B	2 ms  200	GET kopano2.tuxlan.de
	config.json	fetch	plain	636 B	237 B	8 ms200 	GET kopano2.tuxlan.de
	config.json	fetch	plain	636 B	237 B	2 ms

and so on

nothing else

I tried it with Firefox under Linux and Win7 and with Vivaldi unter Linux

mniehren

here are some screenshots from the vivaldi console …

fbartels

@mniehren said in Can't get login to Meet: No Access:

The connection to the site is untrustworthy

Why is the connection untrustworthy?

@mniehren said in Can't get login to Meet: No Access:

failed to fetch config: Error: unexpected Content-Typ

The kweb package has a dependency on the mailcap package. this package provides identification for the various mime types. you seem be be missing this.

PS: your screenshots are tiny and not really readable. but copy pasting error messages from screenshots is a pain anyways. https://birdeatsbug.com/ produces a nice browser extension to more easily debug web applications. for one it offers the ability to record what is exactly going on on the screen.

longsleep

@fbartels said in Can't get login to Meet: No Access:

The kweb package has a dependency on the mailcap package. this package provides identification for the various mime types. you seem be be missing this.

Technically kweb serves static file content type by looking at the extension and then resolving a mime type by looking at the /etc/mime.types file. So make sure that file exists and includes json.

cat /etc/mime.types|grep json
application/json                                json

On Debian and its derivates this can for example be achieved by installing the mime-support package.

mniehren

Great, now i got an login again.

thanks for you help
Michael