nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Cannot view disabled users #43658

Closed venator42 closed 6 months ago

venator42 commented 8 months ago

Bug description

If I try to view the disabled users I get the following error message: An error occurred during the request. Unable to proceed.

Steps to reproduce

  1. Open "Users"
  2. Click on "Disabled users"

Expected behavior

A list of disabled users should open

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 22.1 to 22.2)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.domain.de",
            "cloud.domain.intranet",
            "nextcloud.domain.intranet"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "updatedirectory": "\/srv\/nextcloud-updater",
        "dbtype": "mysql",
        "version": "28.0.2.5",
        "overwrite.cli.url": "https:\/\/cloud.domain.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mysql.utf8mb4": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "theme": "",
        "loglevel": 2,
        "enable_previews": true,
        "defaultapp": "apporder",
        "default_language": "de",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "allow_user_to_change_display_name": true,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "check_for_working_wellknown_setup": false,
        "maintenance_window_start": 1
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - appointments: 1.15.5
  - bookmarks: 13.1.3
  - bruteforcesettings: 2.8.0
  - calendar: 4.6.4
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contacts: 5.5.1
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - deck: 1.12.2
  - drawio: 3.0.2
  - drop_account: 2.4.0
  - external: 5.3.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_mindmap: 0.0.30
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - groupfolders: 16.0.3
  - groupquota: 0.1.12
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - photos: 2.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - quota_warning: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.1
  - richdocumentscode: 23.5.705
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - spreed: 18.0.3
  - support: 1.11.0
  - survey_client: 1.16.0
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0
  - tasks: 0.15.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_ldap: 1.19.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - apporder: 0.11.0 (installed 0.11.0)
  - dashboardcharts: 0.1.3 (installed 0.1.3)
  - data_request: 1.14.0 (installed 1.14.0)
  - encryption: 2.16.0
  - extract: 1.3.5 (installed 1.3.5)
  - files_external: 1.20.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - fulltextsearch: 20.0.0 (installed 20.0.0)
  - fulltextsearch_elasticsearch: 20.0.0 (installed 20.0.0)
  - impersonate: 1.11.0 (installed 1.11.0)
  - mail: 1.9.3 (installed 1.9.3)
  - quicknotes: 0.8.10 (installed 0.8.10)
  - ransomware_protection: 1.14.0 (installed 1.14.0)
  - registration: 2.2.0 (installed 2.2.0)
  - twofactor_totp: 10.0.0-beta.2
  - weather: 1.7.6 (installed 1.7.6)
  - workflow_pdf_converter: 1.8.0 (installed 1.8.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

Error from developer tools in Firefox:

XHR GET https://cloud.domain.de/ocs/v2.php/cloud/users/disabled?offset=0&limit=25 [HTTP/1.1 404 Not Found 102ms]

susnux commented 8 months ago

> XHR GET https://cloud.domain.de/ocs/v2.php/cloud/users/disabled?offset=0&limit=25 [HTTP/1.1 404 Not Found 102ms]

If the domain is correct and you do not use a subdirectory for Nextcloud then the URL is fine and should not return 404. Can you verify that the domain is correct and that you can connect to your cloud using the part before /ocs?

venator42 commented 8 months ago

> Can you verify that the domain is correct and that you can connect to your cloud using the part before /ocs?

I can connect to the domain before /ocs.

I should also mention that the cloud is behind an Apache reverse proxy, but the other sites Admins and Active Users are working fine. The error even persists if I'm accessing the cloud directly on the intranet. So the reverse proxy should not be the issue.

I also have another error message from the developer tools in Firefox from index.js:44:10. I will attach the file, maybe it helps. nextcloud_error_disabled_users.txt

joshtrichards commented 8 months ago

I can't reproduce this in a stock installation of v28.0.2.

joshtrichards commented 8 months ago

Can you show your Network tab from the browser console/inspector when trying to look at the disabled users?

susnux commented 8 months ago

For me this sounds a lot like a configuration issue with the reverse proxy, make sure to follow the guide: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html#reverse-proxy

venator42 commented 8 months ago

> Can you show your Network tab from the browser console/inspector when trying to look at the disabled users?

Here is a HAR file from the Firefox developer tools: nextcloud_networktab_firefox_devtools.json

Somehow the issue is not happening anymore. It just started working "magically". I don't know what happened as I didn't change the configuration or restart the webservers.

I only added another proxy server into the trusted_proxies array. The additional proxy server is not in production use right now but is working fundamentally. It is planned for migration in the future. I didn't even access the Nextcloud via this proxy. Could this be related? If I remove the new entry everything is working further on.

nextcloud-command commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

joshtrichards commented 7 months ago

> Somehow the issue is not happening anymore. It just started working "magically". I don't know what happened as I didn't change the configuration or restart the webservers.

Not sure either. I guess we'll keep an eye out for similar reports (and this will be here as a record in case someone searches for a similar matter).

> I didn't even access the Nextcloud via this proxy. Could this be related? If I remove the new entry everything is working further on.

Not in any way that comes to mind.

I'll close this for now, but it can always be revisited if it reoccurs.

Manuel1948 commented 7 months ago

I have the same problem with one installation, but there is no reverse proxy active.

Active apps:
Activity 2.20.0
Calendar 4.6.7
Circles 28.0.0
Collaborative tags 1.18.0
Comments 1.18.0
Contacts Interaction 1.9.0
Dashboard 7.8.0
Deleted files 1.18.0
External storage support 1.20.0
Federation 1.18.0
File reminders 1.1.0
File sharing 1.20.0
First run wizard 2.17.0
LDAP user and group backend 1.19.0
Log Reader 2.13.0
Monitoring 1.18.0
Nextcloud announcements 1.17.0
Notifications 2.16.0
ONLYOFFICE 9.0.0
Password policy 1.18.0
PDF viewer 2.9.0
Photos 2.4.0
Privacy 1.12.0
Recommendations 2.0.0
Related Resources 1.3.0
Share by mail 1.18.0
Support 1.11.1
Text 3.9.1
Update notification 1.18.0
Usage survey 1.16.0
User status 1.8.1
Versions 1.21.0
Weather status 1.8.0

Getting a 404 error only for the "/ocs/v2.php/cloud/users/disabled"-URL: [05/Apr/2024:17:04:57 +0200] "GET /ocs/v2.php/cloud/users/disabled?offset=0&limit=25 HTTP/1.1" 404 1011

This error is only appearing for the main admin account (admin), if I click on "disabled users" within a subadmin (for a group), I don't get the 404 error.

Update 05.04.2024 17:22 (CET): During further research in the browser I found the following detailed information:

"ocs": {
    "meta": {
        "status": "failure",
        "statuscode": 404,
        "message": "90e1e250-066b-102f-82c5-cd86f74ac099 is not a valid user anymore"
    },
    "data": []
}

I tried to delete this uid from the oc_accounts MySQL table, but every time I try to reload the page the id changed and was again created and visible in the oc_accounts table.

I then tried to log in with another admin account (in the admin group), which had no problems. After that, the problem was also gone for the "admin" account.

Strange...

Could also maybe have to do with some recently disabled LDAP user.

michael-r-elp commented 6 months ago

We have the same problem on one of our customers' Nextcloud servers.

In the web browser the request to /ocs/v2.php/cloud/users/disabled?offset=0&limit=25 leads to a 404 error with the following response:

{
    "ocs": {
        "meta": {
            "status": "failure",
            "statuscode": 404,
            "message": "User does not exist"
        },
        "data": []
    }
}

I could not find any clues in the Nextcloud logs, nginx logs or php-fpm logs. I tried everything I could do so far: restarting the server, checking the database entries (there were some orphaned entries for LDAP users I had to remove manually), and trying with a different user as admin. Nothing helped and the issue still persists, so far I can only hope it resolves itself magically like for the others here that had a problem similar to mine or someone with more insight into the inner workings of Nextcloud could provide some clues behind what could cause it to return this error.

Attached is the generated support report:

Server configuration detail

Operating system: Linux 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64

Webserver: Unknown (cli)

Database: mysql 10.6.16

PHP version: 8.1.27

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, ldap, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 28.0.4 - 28.0.4.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status []
List of activated apps

```
Enabled:
  - activity: 2.20.0
  - bruteforcesettings: 2.8.0
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contacts: 5.5.3
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - groupfolders: 16.0.6
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - onlyoffice: 9.1.2
  - password_policy: 1.18.0
  - photos: 2.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - support: 1.11.1
  - survey_client: 1.16.0
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_ldap: 1.19.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit
  - calendar: 4.6.7
  - deck: 1.12.2
  - encryption
  - files_external
  - files_rightclick: 1.6.0
  - mail: 3.5.8
  - side_menu: 3.12.0
  - spreed: 18.0.7
  - suspicious_login
  - twofactor_totp
```

Configuration (config/config.php)

```
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "192.168.100.201",
        "cloud.***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "28.0.4.1",
    "overwrite.cli.url": "https:\/\/192.168.100.201",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "maintenance_window_start": 1,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "theme": "",
    "loglevel": 2,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "default_phone_region": "DE",
    "ldapUserCleanupInterval": 51,
    "updater.release.channel": "stable",
    "filelocking.enabled": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379,
        "timeout": 0,
        "password": "***REMOVED SENSITIVE VALUE***"
    }
}
```

Cron Configuration: Array ( [backgroundjobs_mode] => cron [lastcron] => 1713530702 )

External storages: files_external is disabled

Encryption: no

User-backends:

LDAP configuration

```
| Configuration                 | s01 |
|-------------------------------|-----|
| hasMemberOfFilterSupport      | 1 |
| homeFolderNamingRule          | |
| lastJpegPhotoLookup           | 0 |
| ldapAdminGroup                | |
| ldapAgentName                 | lehrer\administrator |
| ldapAgentPassword             | *** |
| ldapAttributeAddress          | |
| ldapAttributeBiography        | |
| ldapAttributeFediverse        | |
| ldapAttributeHeadline         | |
| ldapAttributeOrganisation     | |
| ldapAttributePhone            | |
| ldapAttributeRole             | |
| ldapAttributeTwitter          | |
| ldapAttributeWebsite          | |
| ldapAttributesForGroupSearch  | |
| ldapAttributesForUserSearch   | |
| ldapBackgroundHost            | |
| ldapBackgroundPort            | |
| ldapBackupHost                | |
| ldapBackupPort                | |
| ldapBase                      | dc=lehrer,dc=local |
| ldapBaseGroups                | dc=lehrer,dc=local |
| ldapBaseUsers                 | dc=lehrer,dc=local |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapConnectionTimeout         | 15 |
| ldapDefaultPPolicyDN          | |
| ldapDynamicGroupMemberURL     | |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       | |
| ldapExpertUUIDUserAttr        | |
| ldapExpertUsernameAttr        | sAMAccountName |
| ldapExtStorageHomeAttribute   | |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=Lehrer))) |
| ldapGroupFilterGroups         | Lehrer |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    | group |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | ***REMOVED SENSITIVE VALUE*** |
| ldapIgnoreNamingRules         | |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(|(memberof=CN=Lehrer,CN=Gruppen,CN=***REMOVED SENSITIVE VALUE***,DC=lehrer,DC=local)(primaryGroupID=1108))(|(memberof=CN=Administratoren,CN=Builtin,DC=lehrer,DC=local)(primaryGroupID=544))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     | |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 1 |
| ldapLoginFilterUsername       | 1 |
| ldapMatchingRuleInChainState  | unknown |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        | |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            | |
| ldapQuotaDefault              | |
| ldapTLS                       | 0 |
| ldapUserAvatarRule            | default |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          | |
| ldapUserFilter                | (&(|(objectclass=person))(|(|(memberof=CN=Lehrer,CN=Gruppen,CN=***REMOVED SENSITIVE VALUE***,DC=lehrer,DC=local)(primaryGroupID=1108))(|(memberof=CN=Administratoren,CN=Builtin,DC=lehrer,DC=local)(primaryGroupID=544)))) |
| ldapUserFilterGroups          | Lehrer;Administratoren |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | person |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| markRemnantsAsDisabled        | 0 |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
```

Browser: unknown

michael-r-elp commented 6 months ago

So after a long time I found the cause of the issue. If a user was deleted from the LDAP server but somehow remains in the Nextcloud database and is not being picked up by occ ldap:show-remnants, then when it tries to get one of the users it gets null returned, which somewhere seems to cause a "User does not exist" error being passed down all the way.

In order for me to figure out which users were causing the issue I had to modify https://github.com/nextcloud/server/blob/deac58ab7ee75e0081dd76af3f756ae4c218d207/lib/private/User/Manager.php#L186 to

```php
// Debug aid: log the uid that could not be resolved before returning null.
\OC::$server->getLogger()->warning('User not found: \''. $uid .'\'', ['app' => 'debug']);
return null;
```

This way, when I open the deactivated user list I could actually see which user caused that error in the log.

After making sure the user being shown in the log does actually not properly exist on Nextcloud anymore I manually deleted all remaining database entries in MariaDB for that user. Then I just repeated these steps until I eventually was able to see the list of deactivated users again.

It would be great here if in a future update there could be some checks to maybe just skip invalid users when accessing that list or maybe offer some way to have the occ ldap:show-remnants command also account for these users.

susnux commented 6 months ago

> It would be great here if in a future update there could be some checks to maybe just skip invalid users when accessing that list or maybe offer some way to have the occ ldap:show-remnants command also account for these users.

I agree! This looks like our code needs to be more resilient.

papamoose commented 6 months ago

Getting the same error. No LDAP involved. Nextcloud is handling the users.

I added the line that michael-r-elp recommended and found that the two users it detected were ones I thought I had removed a while back. I guess they were not properly deleted in the past.

I found the tables they were in by grepping through a mysqldump and manually removed them like this. This technique is naive and I'm not sure it's recommended... but after doing this I was able to navigate to the disabled accounts page settings/users/disabled.

MariaDB [db]> delete from oc_accounts where uid='user1';
MariaDB [db]> delete from oc_calendars where principaluri='principals/users/user1';
MariaDB [db]> delete from oc_group_user where uid='user1';
MariaDB [db]> delete from oc_preferences where userid='user1';
MariaDB [db]> delete from oc_accounts where uid='user2';
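
Added example, not part of the original thread or Nextcloud's own code: a read-only audit that generalizes the manual cleanup described in the last two comments by listing, per unknown uid, which tables still reference it before any row is deleted. It runs against an in-memory sqlite3 stand-in with constructed rows; the table and column names are the ones quoted above, and `known_uids` is assumed to come from a source such as `occ user:list`.

```python
import sqlite3

# Columns that can reference a user, taken from the tables named in this thread.
UID_COLUMNS = {"uid", "userid"}
PRINCIPAL_COLUMNS = {"principaluri"}
PRINCIPAL_PREFIX = "principals/users/"


def build_sample_db():
    """Constructed sample rows; sqlite3 stands in for MariaDB (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oc_accounts    (uid TEXT, data TEXT);
        CREATE TABLE oc_calendars   (id INTEGER, principaluri TEXT);
        CREATE TABLE oc_group_user  (gid TEXT, uid TEXT);
        CREATE TABLE oc_preferences (userid TEXT, appid TEXT, configkey TEXT);
        INSERT INTO oc_accounts    VALUES ('alice','{}'), ('user1','{}'), ('user2','{}');
        INSERT INTO oc_calendars   VALUES (1,'principals/users/alice'), (2,'principals/users/user1');
        INSERT INTO oc_group_user  VALUES ('admin','alice'), ('staff','user1');
        INSERT INTO oc_preferences VALUES ('alice','core','lang'), ('user1','core','lang'),
                                          ('user1','files','quota');
    """)
    return db


def user_columns(db):
    """Return (table, column, kind) for every column that may hold a user reference."""
    found = []
    tables = db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    for (table,) in tables:
        for row in db.execute(f'PRAGMA table_info("{table}")').fetchall():
            column = row[1]  # row layout: (cid, name, type, notnull, default, pk)
            if column.lower() in UID_COLUMNS:
                found.append((table, column, "uid"))
            elif column.lower() in PRINCIPAL_COLUMNS:
                found.append((table, column, "principal"))
    return found


def orphan_report(db, known_uids):
    """Return {uid: {table: rows}} for uids no user backend knows about (read-only)."""
    report = {}
    for table, column, kind in user_columns(db):
        rows = db.execute(
            f'SELECT "{column}", COUNT(*) FROM "{table}" GROUP BY "{column}"').fetchall()
        for value, count in rows:
            if value is None:
                continue
            if kind == "principal":
                if not value.startswith(PRINCIPAL_PREFIX):
                    continue  # e.g. group or calendar-proxy principals
                value = value[len(PRINCIPAL_PREFIX):]
            if value not in known_uids:
                per_table = report.setdefault(value, {})
                per_table[table] = per_table.get(table, 0) + count
    return report


if __name__ == "__main__":
    # known_uids would come from a source such as `occ user:list` (assumption).
    for uid, tables in orphan_report(build_sample_db(), {"alice"}).items():
        print(uid, tables)
```

On MariaDB the column discovery would query `information_schema.columns` instead of the sqlite `PRAGMA`; the per-table counts give a record of what a cleanup would touch before it is run.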