Closed L0ric0 closed 1 year ago
Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!
My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+
Steps to reproduce
Expected behaviour
the login succeeds and the user can use the cloud
Actual behaviour
after authenticating with Kerberos, Nextcloud looks up the user in the LDAP database and finds it, then it tries a bind for the user and fails, as for users it is impossible to bind with LDAP as that is handled by Kerberos
(all LDAP lookups are done anonymously, and testing the configuration in the settings or with the occ command returns the expected results)
Server configuration detail
Operating system: Linux 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
Webserver: Apache/2.4.48 (Debian) (apache2handler)
Database: pgsql PostgreSQL 13.3 (Debian 13.3-1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
PHP version: 7.4.21
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, ldap, luasandbox, exif, mcrypt, mysqli, pdo_mysql, pdo_pgsql, pgsql, apc, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wikidiff2, xmlreader, xmlwriter, xsl, zip, Phar, Zend OPcache
Nextcloud version: 22.2.0 - 22.2.0.2
Updated from an older Nextcloud/ownCloud or fresh install: updated from 18.something in the steps the updater suggests
Where did you install Nextcloud from: unknown
Signing status
Array ( )
List of activated apps
```
Enabled:
  - accessibility: 1.8.0
  - activity: 2.15.0
  - admin_audit: 1.12.0
  - apporder: 0.13.0
  - calendar: 2.3.4
  - circles: 22.1.1
  - cloud_federation_api: 1.5.0
  - comments: 1.12.0
  - contacts: 4.0.3
  - contactsinteraction: 1.3.0
  - dashboard: 7.2.0
  - dav: 1.19.0
  - deck: 1.5.3
  - event_update_notification: 1.3.0
  - federatedfilesharing: 1.12.0
  - federation: 1.12.0
  - files: 1.17.0
  - files_fulltextsearch: 22.0.1
  - files_mindmap: 0.0.25
  - files_pdfviewer: 2.3.0
  - files_rightclick: 1.1.0
  - files_sharing: 1.14.0
  - files_trashbin: 1.12.0
  - files_versions: 1.15.0
  - firstrunwizard: 2.11.0
  - fulltextsearch: 22.0.1
  - impersonate: 1.9.0
  - issuetemplate: 0.7.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.10.0
  - mail: 1.10.5
  - nextcloud_announcements: 1.11.0
  - notes: 4.1.1
  - notifications: 2.10.1
  - oauth2: 1.10.0
  - password_policy: 1.12.0
  - photos: 1.4.0
  - privacy: 1.6.0
  - provisioning_api: 1.12.0
  - quicknotes: 0.7.2
  - recommendations: 1.1.0
  - serverinfo: 1.12.0
  - settings: 1.4.0
  - sharebymail: 1.12.0
  - support: 1.5.0
  - survey_client: 1.10.0
  - suspicious_login: 4.0.0
  - systemtags: 1.12.0
  - text: 3.3.0
  - theming: 1.13.0
  - twofactor_backupcodes: 1.11.0
  - updatenotification: 1.12.0
  - user_ldap: 1.12.0
  - user_saml: 4.1.1
  - user_status: 1.2.0
  - viewer: 1.6.0
  - weather_status: 1.2.0
  - workflowengine: 2.4.0
Disabled:
  - carnet
  - encryption
  - files_external
  - files_videoplayer
  - polls
  - tasks
```
Configuration (config/config.php)
```
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "wilhelm.physik.uni-kl.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "22.2.0.2",
    "overwrite.cli.url": "https:\/\/wilhelm.physik.uni-kl.de\/nextcloud",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "sendmail",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/nextcloud",
    "ldapIgnoreNamingRules": false,
    "maintenance": false,
    "theme": "",
    "loglevel": 0,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "has_rebuilt_cache": true,
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "data-fingerprint": "851d7e6fd91df0607def152cea5dca0b",
    "default_phone_region": "DE",
    "app_install_overwrite": [
        "calendar",
        "issuetemplate"
    ],
    "encryption.legacy_format_support": true,
    "encryption.key_storage_migrated": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}
```
Are you using external storage, if yes which one: local/smb/sftp/...
Are you using encryption:
Are you using an external user-backend, if yes which one: LDAP/Kerberos
LDAP configuration (delete this part if not used)
```
cleanUpJobOffset: 0
enabled: yes
installed_version: 1.12.0
s01_lastChange: 1632995387
s01has_memberof_filter_support:
s01home_folder_naming_rule:
s01last_jpegPhoto_lookup: 0
s01ldap_agent_password:
s01ldap_attributes_for_group_search:
s01ldap_attributes_for_user_search:
s01ldap_backup_host:
s01ldap_backup_port:
s01ldap_base: dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_base_groups: ou=groups,dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_base_users: ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_cache_ttl: 600
s01ldap_configuration_active: 1
s01ldap_default_ppolicy_dn:
s01ldap_display_name: displayname
s01ldap_dn:
s01ldap_dynamic_group_member_url:
s01ldap_email_attr: mail
s01ldap_experienced_admin: 0
s01ldap_expert_username_attr: uid
s01ldap_expert_uuid_group_attr: cn
s01ldap_expert_uuid_user_attr: uid
s01ldap_gid_number: gidNumber
s01ldap_group_display_name: cn
s01ldap_group_filter: (&(|(objectclass=groupOfNames)(objectclass=posixGroup)))
s01ldap_group_filter_mode: 0
s01ldap_group_member_assoc_attribute: member
s01ldap_groupfilter_groups:
s01ldap_groupfilter_objectclass: groupOfNames posixGroup
s01ldap_host: ypsilon.physik.uni-kl.de
s01ldap_login_filter: (&(|(objectclass=posixAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
s01ldap_login_filter_mode: 1
s01ldap_loginfilter_attributes:
s01ldap_loginfilter_email: 1
s01ldap_loginfilter_username: 1
s01ldap_nested_groups: 1
s01ldap_override_main_server:
s01ldap_paging_size: 500
s01ldap_port: 389
s01ldap_quota_attr:
s01ldap_quota_def:
s01ldap_tls: 0
s01ldap_turn_off_cert_check: 0
s01ldap_turn_on_pwd_change: 0
s01ldap_user_avatar_rule: default
s01ldap_user_display_name_2:
s01ldap_user_filter_mode: 1
s01ldap_userfilter_groups:
s01ldap_userfilter_objectclass: posixAccount
s01ldap_userlist_filter: (|(objectclass=posixAccount))
s01use_memberof_to_detect_membership: 1
types: authentication
```
Client configuration
Browser: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Operating system:
Logs
Web server error log
```
none
```
Nextcloud log
```
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Token is not valid: Token does not exist","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2","exception":{"Exception":"OC\\Authentication\\Exceptions\\InvalidTokenException","Message":"Token does not exist","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":146,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":531,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":447,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":584,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/base.php","line":1053,"function":"tryBasicAuthLogin","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":990,"function":"handleLogin","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php","Line":159,"Previous":{"Exception":"OCP\\AppFramework\\Db\\DoesNotExistException","Message":"token does not exist","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php","line":157,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenMapper","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":146,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":531,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":447,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":584,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/base.php","line":1053,"function":"tryBasicAuthLogin","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":990,"function":"handleLogin","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenMapper.php","Line":93},"CustomMessage":"Token is not valid: Token does not exist"}}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"initializing paged search for filter (&(|(objectclass=posixAccount))(|(uid=lsteinert)(|(mailPrimaryAddress=lsteinert)(mail=lsteinert)))), base ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], limit 500, offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"LDAP error Invalid credentials (49) after calling ldap_bind","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"initializing paged search for filter (&(|(objectclass=posixAccount))(|(uid=lsteinert)(|(mailPrimaryAddress=lsteinert)(mail=lsteinert)))), base ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], limit 500, offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"LDAP error Invalid credentials (49) after calling ldap_bind","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"core","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Login failed: 'lsteinert' (Remote IP: '91.66.218.29')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":1,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"core","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bruteforce attempt from \"91.66.218.29\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
```
Browser log
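A triage sketch for the log pattern in the Nextcloud log above, added here as an example and not part of the original report or of Nextcloud's code: it groups JSON log lines by `reqId` and separates brute-force flags raised on header-authenticated requests (the `tryBasicAuthLogin` path in the trace) from those raised on the login form. The sample lines, the function name and the GET/non-login-URL heuristic are assumptions; a wrong password also produces LDAP error 49, so the output is a triage list, not a verdict.

```python
import json
import re
from collections import defaultdict

# Constructed sample in Nextcloud's JSON-lines log format (trimmed fields,
# placeholder users and documentation-range IPs; not taken from the report).
SAMPLE_LOG = r"""
{"reqId":"req-A","level":0,"method":"GET","url":"/nextcloud/apps/theming/image/logo","app":"user_ldap","message":"LDAP error Invalid credentials (49) after calling ldap_bind"}
{"reqId":"req-A","level":2,"method":"GET","url":"/nextcloud/apps/theming/image/logo","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.10')"}
{"reqId":"req-A","level":1,"method":"GET","url":"/nextcloud/apps/theming/image/logo","app":"core","message":"Bruteforce attempt from \"192.0.2.10\" detected for action \"login\"."}
{"reqId":"req-B","level":0,"method":"POST","url":"/nextcloud/login","app":"user_ldap","message":"LDAP error Invalid credentials (49) after calling ldap_bind"}
{"reqId":"req-B","level":2,"method":"POST","url":"/nextcloud/login","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')"}
{"reqId":"req-B","level":1,"method":"POST","url":"/nextcloud/login","app":"core","message":"Bruteforce attempt from \"198.51.100.7\" detected for action \"login\"."}
{"reqId":"req-C","level":0,"method":"GET","url":"/nextcloud/index.php","app":"user_ldap","message":"Ready for a paged search"}
truncated line that is not JSON
"""

LOGIN_FAILED = re.compile(r"Login failed: '([^']*)' \(Remote IP: '([^']*)'\)")

def triage(log_text):
    """Group entries by reqId; return requests where an LDAP bind error 49 led to
    a failed login and a brute-force flag, split by how the credentials arrived."""
    reqs = defaultdict(lambda: {"bind49": False, "flagged": False, "user": None,
                                "ip": None, "method": None, "url": ""})
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
        except ValueError:
            continue  # skip blank or damaged lines
        if not isinstance(e, dict) or "reqId" not in e:
            continue
        r = reqs[e["reqId"]]
        r["method"], r["url"] = e.get("method"), e.get("url", "")
        msg = e.get("message", "")
        if e.get("app") == "user_ldap" and "(49) after calling ldap_bind" in msg:
            r["bind49"] = True
        elif m := LOGIN_FAILED.search(msg):
            r["user"], r["ip"] = m.groups()
        elif msg.startswith("Bruteforce attempt from"):
            r["flagged"] = True
    out = {"header_auth": [], "login_form": []}
    for req_id, r in reqs.items():
        if r["bind49"] and r["flagged"] and r["user"]:
            # Assumption: a failed login on a GET for a non-login URL means the
            # password came from an HTTP Authorization header, not the login form.
            via_header = r["method"] == "GET" and "/login" not in r["url"]
            out["header_auth" if via_header else "login_form"].append((req_id, r["user"], r["ip"]))
    return out
```

Entries under `header_auth` are the ones to check against the web server's SSO configuration before treating the source address as hostile.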