The synapse user password is no longer the yunohost user password

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.0.9.15
I have access to my server : Through SSH & through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

When using synapse, the password of the users seems to no longer be the one used by yunohost.

The synapse server is working fine for all currently logged-on clients.

Setting up a new client is impossible as the correct yunohost user password is rejected.

I have seen this bug report but the update hasn’t solved the issue for me.

Here is the type of logs I get (I edited my username and domain) around the time of a rejected password attempt

journalctl

oct. 15 14:04:14 python[1516]: 2022-10-15 14:04:14,548 - synapse.api.auth - 444 - WARNING - GET-4457- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
oct. 15 14:04:21 python[1516]: 2022-10-15 14:04:21,544 - synapse.api.auth - 444 - WARNING - GET-4462- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
oct. 15 14:04:24 python[1516]: 2022-10-15 14:04:24,964 - synapse.api.auth - 444 - WARNING - GET-4464- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
oct. 15 14:04:30 python[1516]: 2022-10-15 14:04:30,303 - synapse.handlers.auth - 1390 - WARNING - POST-4468- Failed password login for user @user1:matrix.domain.tld
oct. 15 14:04:31 python[1516]: 2022-10-15 14:04:31,580 - synapse.api.auth - 444 - WARNING - GET-4470- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
oct. 15 14:04:36 python[1516]: 2022-10-15 14:04:36,351 - synapse.api.auth - 444 - WARNING - GET-4479- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
oct. 15 14:04:43 python[1516]: 2022-10-15 14:04:43,163 - synapse.api.auth - 444 - WARNING - GET-4488- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token..

homeserver.log

2022-10-15 14:05:38,881 - synapse.access.https.8448 - 450 - INFO - PUT-4546- 2a01:cb10:35:e500:dacb:8aff:fe22:c86f - 8448 - {mtrx.webair.xyz} Processed request: 0.023sec/0.001sec (0.008sec, 0.000sec) (0.002sec/0.012sec/5) 11B 200 "PUT /_matrix/federation/v1/send/1665258140759 HTTP/1.1" "Synapse/1.67.0" [0 dbevts]
2022-10-15 14:05:39,501 - synapse.metrics._gc - 120 - INFO - sentinel- Collecting gc 1
2022-10-15 14:05:42,158 - twisted - 274 - INFO - sentinel- Timing out client: IPv6Address(type='TCP', host='::ffff:148.251.171.213', port=6202, flowInfo=0, scopeID=0)
2022-10-15 14:05:43,085 - twisted - 274 - INFO - sentinel- Timing out client: IPv6Address(type='TCP', host='::ffff:185.211.5.81', port=64599, flowInfo=0, scopeID=0)
2022-10-15 14:05:43,445 - synapse.access.http.8008 - 450 - INFO - GET-4547- 127.0.0.1 - 8008 - {None} Processed request: 0.001sec/0.001sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 606B 200 "GET /_matrix/client/versions HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:43,452 - synapse.api.auth - 444 - WARNING - GET-4548- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
2022-10-15 14:05:43,454 - synapse.http.server - 107 - INFO - GET-4548- <XForwardedForRequest at 0x7f19880c23a0 method='GET' uri='/_matrix/client/r0/pushrules/?access_token=<redacted>' clientproto='HTTP/1.0' site='8008'> SynapseError: 401 - Invalid access token passed.
2022-10-15 14:05:43,455 - synapse.access.http.8008 - 450 - INFO - GET-4548- 127.0.0.1 - 8008 - {None} Processed request: 0.002sec/0.001sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 88B 401 "GET /_matrix/client/r0/pushrules/?access_token=<redacted> HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:47,998 - synapse.federation.transport.server.federation - 103 - INFO - PUT-4549- Received txn 1664218775019 from mawalabs.de. (PDUs: 0, EDUs: 1)
2022-10-15 14:05:48,041 - synapse.access.https.8448 - 450 - INFO - PUT-4549- 2a01:4f8:c17:66f5:: - 8448 - {mawalabs.de} Processed request: 0.044sec/0.001sec (0.007sec, 0.002sec) (0.005sec/0.021sec/6) 11B 200 "PUT /_matrix/federation/v1/send/1664218775019 HTTP/1.1" "Synapse/1.67.0" [0 dbevts]
2022-10-15 14:05:48,120 - synapse.access.http.8008 - 450 - INFO - GET-4550- 127.0.0.1 - 8008 - {None} Processed request: 0.001sec/0.001sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 606B 200 "GET /_matrix/client/versions HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:48,134 - synapse.api.auth - 444 - WARNING - GET-4551- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
2022-10-15 14:05:48,135 - synapse.http.server - 107 - INFO - GET-4551- <XForwardedForRequest at 0x7f194bd8f8b0 method='GET' uri='/_matrix/client/r0/pushrules/?access_token=<redacted>' clientproto='HTTP/1.0' site='8008'> SynapseError: 401 - Invalid access token passed.
2022-10-15 14:05:48,137 - synapse.access.http.8008 - 450 - INFO - GET-4551- 127.0.0.1 - 8008 - {None} Processed request: 0.004sec/0.002sec (0.005sec, 0.001sec) (0.000sec/0.000sec/0) 88B 401 "GET /_matrix/client/r0/pushrules/?access_token=<redacted> HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:48,993 - synapse.federation.transport.server.federation - 103 - INFO - PUT-4552- Received txn 1665360920218 from hammons.llc. (PDUs: 0, EDUs: 1)
2022-10-15 14:05:49,004 - synapse.access.https.8448 - 450 - INFO - PUT-4552- 2600:3c02::f03c:93ff:fe55:f412 - 8448 - {hammons.llc} Processed request: 0.012sec/0.001sec (0.003sec, 0.000sec) (0.001sec/0.004sec/2) 11B 200 "PUT /_matrix/federation/v1/send/1665360920218 HTTP/1.1" "Synapse/1.68.0" [0 dbevts]
2022-10-15 14:05:50,401 - synapse.federation.transport.server.federation - 103 - INFO - PUT-4553- Received txn 1665432913922 from federator.dev. (PDUs: 0, EDUs: 1)
2022-10-15 14:05:50,432 - synapse.access.http.8008 - 450 - INFO - GET-4540- 2a01:e0a:4e1:ab50:ed4b:e901:470d:xxxx - 8008 - {@user1:matrix.domain.tdl} Processed request: 14.670sec/0.005sec (0.007sec, 0.000sec) (0.000sec/0.000sec/0) 414B 200 "GET /_matrix/client/r0/sync?filter=0&timeout=30000&since=s363134_57844059_2_1300171_98748_72_63509_2470342_0 HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.5 Chrome/104.0.5112.81 Electron/20.0.3 Safari/537.36" [0 dbevts]
2022-10-15 14:05:50,433 - synapse.access.http.8008 - 450 - INFO - GET-4541- 88.123.134.xxx - 8008 - {@user1:matrix.domain.tdl} Processed request: 14.667sec/0.004sec (0.004sec, 0.000sec) (0.000sec/0.000sec/0) 414B 200 "GET /_matrix/client/r0/sync?filter=0&timeout=30000&since=s363134_57844059_2_1300171_98748_72_63509_2470342_0 HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0" [0 dbevts]
2022-10-15 14:05:50,441 - synapse.access.https.8448 - 450 - INFO - PUT-4553- ::ffff:52.57.205.175 - 8448 - {federator.dev} Processed request: 0.037sec/0.005sec (0.010sec, 0.001sec) (0.004sec/0.019sec/5) 11B 200 "PUT /_matrix/federation/v1/send/1665432913922 HTTP/1.1" "Synapse/1.66.0" [0 dbevts]
2022-10-15 14:05:51,664 - synapse.federation.transport.server.federation - 103 - INFO - PUT-4558- Received txn 1664319114294 from envs.net. (PDUs: 0, EDUs: 1)
2022-10-15 14:05:51,676 - synapse.access.https.8448 - 450 - INFO - PUT-4558- 2a01:4f8:242:430b:0:a:0:14 - 8448 - {envs.net} Processed request: 0.013sec/0.001sec (0.007sec, 0.000sec) (0.001sec/0.005sec/2) 11B 200 "PUT /_matrix/federation/v1/send/1664319114294 HTTP/1.1" "Synapse/1.68.0" [0 dbevts]
2022-10-15 14:05:52,523 - synapse.access.http.8008 - 450 - INFO - GET-4559- 127.0.0.1 - 8008 - {None} Processed request: 0.000sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 606B 200 "GET /_matrix/client/versions HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:52,533 - synapse.api.auth - 444 - WARNING - GET-4560- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.
2022-10-15 14:05:52,534 - synapse.http.server - 107 - INFO - GET-4560- <XForwardedForRequest at 0x7f19886b1910 method='GET' uri='/_matrix/client/r0/pushrules/?access_token=<redacted>' clientproto='HTTP/1.0' site='8008'> SynapseError: 401 - Invalid access token passed.
2022-10-15 14:05:52,536 - synapse.access.http.8008 - 450 - INFO - GET-4560- 127.0.0.1 - 8008 - {None} Processed request: 0.003sec/0.001sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 88B 401 "GET /_matrix/client/r0/pushrules/?access_token=<redacted> HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:54,748 - twisted - 274 - INFO - sentinel- Timing out client: IPv6Address(type='TCP', host='2a01:4f9:4b:23a6::153', port=37446, flowInfo=0, scopeID=0)
2022-10-15 14:05:55,318 - synapse.access.http.8008 - 450 - INFO - GET-4561- 127.0.0.1 - 8008 - {None} Processed request: 0.001sec/0.001sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 606B 200 "GET /_matrix/client/versions HTTP/1.0" "-" [0 dbevts]
2022-10-15 14:05:55,331 - synapse.api.auth - 444 - WARNING - GET-4562- Invalid access token in auth: <class 'pymacaroons.exceptions.MacaroonVerificationFailedException'> Macaroon is not a guest token.

I'll take any ideas on the issue!

Sorry, I can’t help you, but I want to confirm that I’m bitten by this bug, too.

I tried to log in as a test user from the Android-app Element, but all credentials I enter are rejected. I also saw Github Issue #328 and #337 claiming that LDAP works fine, now.

Then I had a look at /etc/yunohost/apps/synapse/conf/homeserver.yaml
Yunohost says (even after an app upgrade --force) it is version: 1.67.0~ynh1, but the bind_dn in my configfile still is the old one bind_dn: __SYNAPSE_USER_APP__.

I manually changed it the same way as in the diff from github, but it still doesn’t work for me.


Ah, okay.
I fixed my issue. Hope that helps you, too:

I only was focussed on /etc/yunohost/apps/synapse/conf/homeserver.yaml.

After changing the bind_dn in /etc/matrix-synapse/homeserver.yaml, too (and a synapse restart) my password is recognized, again. It now looks like this:
bind_dn: "uid=synapse,ou=users,dc=yunohost,dc=org"

The only thing I still don’t understand is, why Yunohost doesn’t update that file automatically when updating the Synapse-App to 1.67.0~ynh1. …

Christian


Thanks a lot.

I wasn’t quite certain that I would be doing the right thing so I logged precisely what I did:

  1. Change the file /etc/yunohost/apps/synapse/conf/homeserver.yaml and change the line 2249 from

bind_dn: __SYNAPSE_USER_APP__

to

bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org"

  2. And also change the file /etc/matrix-synapse/homeserver.yaml on line 2249 from

bind_dn: synapse

to

bind_dn: "uid=synapse,ou=users,dc=yunohost,dc=org"

And it worked for me. I hope this is the proper way to do it and that future updates will go smoothly.
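
An added example, not part of the original posts or of the YunoHost package: a shell check for the condition this thread ends on, a bind_dn that is a bare name or an unrendered placeholder instead of a full DN. The function names and the sample YAML are constructed for illustration; pass the two homeserver.yaml paths named in the thread as arguments to check real files.

```shell
#!/bin/sh
# Added example: flag LDAP bind_dn values that are not full distinguished names.

# Print "full-dn" if the value looks like attr=value,attr=value..., else "bare".
classify_bind_dn() {
    if printf '%s\n' "$1" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)+$'; then
        echo "full-dn"
    else
        echo "bare"
    fi
}

# Print every uncommented bind_dn value in a YAML file, surrounding quotes stripped.
extract_bind_dn() {
    sed -nE 's/^[[:space:]]*bind_dn:[[:space:]]*"?([^"#]*[^"#[:space:]])"?[[:space:]]*(#.*)?$/\1/p' "$1"
}

# Return 0 if every bind_dn is a full DN, 1 if any is bare,
# 2 if the file is unreadable or has no bind_dn line.
check_file() {
    [ -r "$1" ] || { echo "$1: not readable"; return 2; }
    values=$(extract_bind_dn "$1")
    [ -n "$values" ] || { echo "$1: no bind_dn found"; return 2; }
    rc=0
    while IFS= read -r value; do
        if [ "$(classify_bind_dn "$value")" = "bare" ]; then
            echo "$1: bind_dn '$value' is not a full DN"
            rc=1
        else
            echo "$1: bind_dn '$value' ok"
        fi
    done <<EOF
$values
EOF
    return "$rc"
}

# With arguments, check those files; without, run on constructed samples
# that mirror the before/after values quoted in the thread.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_file "$f" || true; done
else
    tmp=$(mktemp -d)
    printf 'config:\n  bind_dn: synapse\n' > "$tmp/before.yaml"
    printf 'config:\n  bind_dn: "uid=synapse,ou=users,dc=yunohost,dc=org"\n' > "$tmp/after.yaml"
    check_file "$tmp/before.yaml" || true
    check_file "$tmp/after.yaml" || true
    rm -rf "$tmp"
fi
```

Running it against both files after an app upgrade shows whether the live configuration was regenerated from the template or still carries the old value.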
