nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0
93 stars, 73 forks

external_storage for SMB/CIFS with Kerberos authentication shows red icon #540

Open gno65 opened 3 years ago

gno65 commented 3 years ago


Steps to reproduce

  1. Configure an external storage for SMB/CIFS with Kerberos authentication

Expected behaviour

The icon should become green and the share can be accessed

Actual behaviour

The icon is red

Server configuration

Operating system: Debian 10
Web server: Apache/2.4.38 (Debian) in separate Proxmox lxc container
Database: 10.3.17-MariaDB-0+deb10u1 Debian 10 in separate Proxmox lxc container
PHP version: 10.3.17-MariaDB-0+deb10u1 Debian 10
Nextcloud version: (see Nextcloud admin page) Nextcloud 20.0.3

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

No errors have been found.

List of activated apps:

App list

```
Enabled:
 - accessibility: 1.6.0
 - activity: 2.13.4
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - dashboard: 7.0.0
 - dav: 1.16.1
 - federatedfilesharing: 1.10.1
 - federation: 1.10.1
 - files: 1.15.0
 - files_external: 1.11.1
 - files_pdfviewer: 2.0.1
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.0
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - firstrunwizard: 2.9.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - password_policy: 1.10.1
 - photos: 1.2.1
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - recommendations: 0.8.0
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - survey_client: 1.8.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_ldap: 1.10.2
 - user_saml: 3.3.1
 - user_status: 1.0.1
 - viewer: 1.4.0
 - weather_status: 1.0.0
 - workflowengine: 2.2.0
Disabled:
 - admin_audit
 - encryption
 - smb_test
 - twofactor_totp
```

Nextcloud configuration:

Config report

```json
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "192.168.1.123",
      "nextcloud.xxx.net",
      "cloud2.xxx.net",
      "cloud.xxx.net"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "20.0.3.2",
    "overwrite.cli.url": "http:\/\/cloud2.xxx.net\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": 6379
    },
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_sendmailmode": "smtp",
    "mail_smtpsecure": "tls",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "PLAIN",
    "mail_smtpport": "25",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "maintenance": false,
    "theme": "",
    "log_type": "file",
    "logfile": "var\/log\/nextcloud.log",
    "logfilemode": 416,
    "loglevel": 1,
    "updater.secret": "***REMOVED SENSITIVE VALUE***"
  }
}
```

Are you using external storage, if yes which one: local/smb/sftp/... Try to use SMB/CIFS with Kerberos authentication

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... openLDAP in separate Proxmox lxc container

LDAP config

| Configuration | s02 |
|---|---|
| hasMemberOfFilterSupport | 0 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=admin,dc=lan,dc=xxx,dc=net |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=users,dc=lan,dc=xxx,dc=net |
| ldapBaseGroups | ou=groups,dc=lan,dc=xxx,dc=net |
| ldapBaseUsers | ou=users,dc=lan,dc=xxx,dc=net |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldap2.xxx.net |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |

Client configuration

Browser: Firefox 84.0 in Proxmox VM Operating system: Ubuntu 18.04

Logs

Web server error log

I have added some error_log statements in the php code. Maybe it helps you.

Web server error log

```
==> /var/log/apache2/nextcloud-ssl-error.log <==
[Thu Dec 17 11:29:20.810591 2020] [ssl:info] [pid 9616] [client 192.168.1.130:54496] AH01964: Connection to child 4 established (server cloud2.xxx.net:443)
[Thu Dec 17 11:29:20.855522 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] SMB->getFileInfo
[Thu Dec 17 11:29:20.856284 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->getSize
[Thu Dec 17 11:29:20.856315 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->stat
[Thu Dec 17 11:29:20.856383 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496]
[Thu Dec 17 11:29:20.856417 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeShare->getAttribute
[Thu Dec 17 11:29:20.856457 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeShare Object\n(\n [server:Icewind\\SMB\\Native\\NativeShare:private] => Icewind\\SMB\\Native\\NativeServer Object\n (\n [state:protected] => Icewind\\SMB\\Native\\NativeState Object\n (\n [state:protected] => \n [handlerSet:protected] => \n [connected:protected] => \n )\n\n [host:protected] => srv.xxx.net\n [auth:protected] => Icewind\\SMB\\KerberosAuth Object\n (\n )\n\n [system:protected] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n [timezoneProvider:protected] => Icewind\\SMB\\TimeZoneProvider Object\n (\n [timeZones:Icewind\\SMB\\TimeZoneProvider:private] => Array\n (\n )\n\n [system:Icewind\\SMB\\TimeZoneProvider:private] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n )\n\n [options:protected] => Icewind\\SMB\\Options Object\n (\n [timeout:Icewind\\SMB\\Options:private] => 20\n )\n\n )\n\n [name:Icewind\\SMB\\Native\\NativeShare:private] => nextcloud\n [state:Icewind\\SMB\\Native\\NativeShare:private] => \n [forbiddenCharacters:Icewind\\SMB\\AbstractShare:private] => Array\n (\n [0] => ?\n [1] => <\n [2] => >\n [3] => :\n [4] => *\n [5] => |\n [6] => "\n [7] =>
[Thu Dec 17 11:29:20.856554 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->init
[Thu Dec 17 11:29:20.856609 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected:
[Thu Dec 17 11:29:20.857122 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Username: dummy
[Thu Dec 17 11:29:20.857170 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Workgroup: dummy
[Thu Dec 17 11:29:20.857202 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Password:
[Thu Dec 17 11:29:20.857238 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Arguments: -k
[Thu Dec 17 11:29:20.857272 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result: 1
[Thu Dec 17 11:29:20.857302 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected: 1
[Thu Dec 17 11:29:20.857337 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->getxattr
[Thu Dec 17 11:29:20.857382 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeState Object\n(\n [state:protected] => Resource id nextcloud/server#16\n [handlerSet:protected] => \n [connected:protected] => 1\n)\n
[Thu Dec 17 11:29:20.857415 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] uri: smb://srv.xxx.net/nextcloud/
[Thu Dec 17 11:29:20.857444 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] key: system.dos_attr.*
[Thu Dec 17 11:29:20.964758 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result:

==> /var/log/apache2/nextcloud-ssl-access.log <==
192.168.1.130 - - [17/Dec/2020:11:29:20 +0000] "GET /index.php/apps/files_external/userstorages/4?testOnly=true HTTP/1.1" 200 2291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
```

Nextcloud log (data/nextcloud.log)

Nextcloud log

```
[no app in context] Error: Icewind\SMB\Exception\ForbiddenException: Invalid request for / (ForbiddenException) at <>
 0. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 66
    Icewind\SMB\Exception\Exception::fromMap({1: "Icewind\\SM ... "}, 1, "/")
 1. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 78
    Icewind\SMB\Native\NativeState->handleError("/")
 2. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 306
    Icewind\SMB\Native\NativeState->testResult("*** sensitive parameter replaced ***", "smb://srv.xxx.net/nextcloud/")
 3. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 308
    Icewind\SMB\Native\NativeState->getxattr("smb://srv.xxx.net/nextcloud/", "system.dos_attr.*")
 4. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 66
    Icewind\SMB\Native\NativeShare->getAttribute("/", "system.dos_attr.*")
 5. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 87
    Icewind\SMB\Native\NativeFileInfo->stat()
 6. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 113
    Icewind\SMB\Native\NativeFileInfo->getSize()
 7. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 189
    Icewind\SMB\Native\NativeShare->stat("/")
 8. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 337
    OCA\Files_External\Lib\Storage\SMB->getFileInfo("/")
 9. /var/www/html/nextcloud/lib/private/Files/Storage/Common.php line 458
    OCA\Files_External\Lib\Storage\SMB->stat("")
10. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 706
    OC\Files\Storage\Common->test()
11. /var/www/html/nextcloud/apps/files_external/lib/MountConfig.php line 264
    OCA\Files_External\Lib\Storage\SMB->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
12. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 255
    OCA\Files_External\MountConfig::getBackendStatus("*** sensitive parameters replaced ***")
13. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 330
    OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
14. /var/www/html/nextcloud/apps/files_external/lib/Controller/UserStoragesController.php line 108
    OCA\Files_External\Controller\StoragesController->show("4", "*** sensitive parameter replaced ***")
15. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\Files_External\Controller\UserStoragesController->show("4", "*** sensitive parameter replaced ***")
16. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern ... {}, "show")
17. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern ... {}, "show")
18. /var/www/html/nextcloud/lib/private/Route/Router.php line 308
    OC\AppFramework\App::main("OCA\\Files_Exte ... r", "show", OC\AppFramework\ ... {}, {action: null,id ... "})
19. /var/www/html/nextcloud/lib/base.php line 1008
    OC\Route\Router->match("/apps/files_external/userstorages/4")
20. /var/www/html/nextcloud/index.php line 37
    OC::handleRequest()

GET /index.php/apps/files_external/userstorages/4?testOnly=true
from 192.168.1.130 by test05 at 2020-12-17T11:29:20+00:00
```


Description

When I do the following on the client or on the web server I can connect to the share:

```shell
kinit test05
smbclient //srv.xxx.net/nextcloud/ -U test05 -k
```

In the Nextcloud configuration I always get the red icon.

gno65 commented 3 years ago

After some debugging I found a solution. Maybe this helps others who have the same problem.

The Kerberos authentication is done with Apache mod_auth_gssapi. The config looks like this:

```apache
<Location "/index.php/apps/user_saml/saml/login">
    AuthType GSSAPI
    AuthName "Nextcloud SSO Login"

    Require valid-user

    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiBasicAuth On
    GssapiNegotiateOnce On
    GssapiSSLonly On
    GssapiLocalName On
    GssapiDelegCcacheDir /var/lib/apache2/ccache
</Location>
```

smbclient needs the Kerberos ticket of the authenticated user but didn't get it.

I made two small changes to make the ticket accessible to smbclient:

  1. Write `$_SERVER['KRB5CCNAME']` (which has the path to the credentials cache) into the session variable.
     - Note 1: this is necessary because `KRB5CCNAME` is only filled after login.
     - Note 2: `putenv` at this point didn't work because it is cleared before smbclient is called.
  2. Get the variable from the session and write it to the environment before smbclient is called.

--- apps/user_saml//lib/Controller/SAMLController.php.orig      2021-02-13 17:03:50.980145264 +0000
+++ apps/user_saml//lib/Controller/SAMLController.php   2021-02-13 16:51:18.807334055 +0000
@@ -122,6 +122,8 @@
                                $uid = $auth[$uidMapping];
                        }

+                        $_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];
+
                        // make sure that a valid UID is given
                        if (empty($uid)) {
                                $this->logger->error('Uid "' . $uid . '" is not a valid uid please check your attribute mapping', ['app' => $this->appName]);
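Review bot: the added `$_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];` reads the server variable unconditionally, but mod_auth_gssapi only populates `KRB5CCNAME` when the request was authenticated with a delegated credential; for any other path through this controller (an assertion coming back from the IdP, a GssapiBasicAuth login without delegation) the index is undefined, PHP raises a notice, `null` is stored, and a value left in the session by an earlier login is never cleared. Guard it with `if (!empty($_SERVER['KRB5CCNAME'])) { ... } else { unset($_SESSION['ccname']); }`, and prefer the app's session abstraction (ISession) over the raw superglobal, since nothing else in the controller touches `$_SESSION`. The bare key `ccname` is also easy to collide with; a namespaced key such as `user_saml_krb5ccname` is safer.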

--- apps/files_external/lib/Lib/Storage/SMB.php.orig    2021-02-13 17:05:12.351033284 +0000
+++ apps/files_external/lib/Lib/Storage/SMB.php 2021-02-13 16:49:24.836621464 +0000
@@ -125,6 +125,8 @@
                        }
                }

+                putenv('KRB5CCNAME=' . $_SESSION['ccname']);
+
                $serverFactory = new ServerFactory($options);
                $this->server = $serverFactory->createServer($params['host'], $auth);
                $this->share = $this->server->getShare(trim($params['share'], '/'));
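Review bot: `putenv('KRB5CCNAME=' . $_SESSION['ccname']);` runs for every SMB storage that is constructed, including password-authenticated ones, and in contexts with no PHP session at all (occ commands, cron background scans, DAV requests with app passwords), where the key is undefined and the line exports `KRB5CCNAME=` as an empty string plus a notice. Move it into the Kerberos branch so it only applies when `$auth` is a `KerberosAuth`, and skip it when the session value is empty. The stored string should also be validated before export: libsmbclient will open whatever file that path names, so check that it is a regular file inside the configured GssapiDelegCcacheDir (here `/var/lib/apache2/ccache`) rather than exporting an arbitrary path carried over from the session.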
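A hardened version of the same two-step hand-off, added here as an example; it is not code from user_saml, files_external or the comment above. It assumes the session is a plain array standing in for Nextcloud's ISession and that the GssapiDelegCcacheDir path from the Apache config is available to the application as a setting; the class and method names are the example's own. Compared with the patch it checks the ccache path against the delegation directory before storing or exporting it, exports nothing for non-Kerberos storages, and removes `KRB5CCNAME` instead of exporting an empty string when no valid value exists.

```php
<?php
declare(strict_types=1);

/**
 * Example hand-off of the mod_auth_gssapi delegated ccache to libsmbclient.
 * Assumptions of this example (not from the page): the session is a plain
 * array passed by reference, and the GssapiDelegCcacheDir is known to the app.
 */
final class KerberosCcacheHandoff
{
    const SESSION_KEY = 'user_saml_krb5ccname';   // namespaced, unlike a bare 'ccname'

    /** @var string directory mod_auth_gssapi writes delegated ccaches into */
    private $delegCcacheDir;

    public function __construct(string $delegCcacheDir)
    {
        $this->delegCcacheDir = $delegCcacheDir;
    }

    /**
     * Login step: remember the ccache only if mod_auth_gssapi really set it and it
     * names a regular file inside the delegation directory. Returns the stored value,
     * or null (after clearing any stale value) when nothing valid was provided.
     */
    public function captureFromRequest(array $server, array &$session): ?string
    {
        $path = $this->validate($server['KRB5CCNAME'] ?? '');
        if ($path === null) {
            unset($session[self::SESSION_KEY]);
            return null;
        }
        $session[self::SESSION_KEY] = $path;
        return $path;
    }

    /**
     * Storage step: export the path for libsmbclient, but only for Kerberos-authenticated
     * storages. Returns true when a validated ccache was exported. Without a valid value
     * the variable is removed, so the mount test fails visibly instead of silently using
     * whatever ccache the web server process itself happens to have.
     */
    public function exportForSmb(array $session, bool $isKerberosAuth): bool
    {
        if (!$isKerberosAuth) {
            return false;
        }
        $path = $this->validate($session[self::SESSION_KEY] ?? '');
        if ($path === null) {
            putenv('KRB5CCNAME');          // no '=' removes the variable from the environment
            return false;
        }
        return putenv('KRB5CCNAME=' . $path);
    }

    /** Accepts "FILE:/path" or a bare path; rejects anything outside the delegation dir. */
    private function validate(string $raw): ?string
    {
        if ($raw === '') {
            return null;
        }
        $candidate = strpos($raw, 'FILE:') === 0 ? substr($raw, 5) : $raw;
        $dir = realpath($this->delegCcacheDir);
        $real = realpath($candidate);
        if ($dir === false || $real === false || !is_file($real)) {
            return null;
        }
        // Prefix check with a trailing separator so "/var/lib/apache2/ccache-other" is rejected.
        if (strpos($real, rtrim($dir, '/') . '/') !== 0) {
            return null;
        }
        return 'FILE:' . $real;
    }
}

// Demonstration on constructed input: a temporary delegation dir holding one dummy ccache.
$dir = sys_get_temp_dir() . '/ccache-demo-' . getmypid();
mkdir($dir, 0700);
$ccache = $dir . '/krb5ccache_test05';
file_put_contents($ccache, 'constructed placeholder, not a real credential cache');

$handoff = new KerberosCcacheHandoff($dir);
$session = [];

// Login request in which mod_auth_gssapi delegated a ticket: value is kept.
var_dump($handoff->captureFromRequest(['KRB5CCNAME' => 'FILE:' . $ccache], $session));
// A later request builds the SMB storage; export happens only for Kerberos auth.
var_dump($handoff->exportForSmb($session, true), getenv('KRB5CCNAME'));
var_dump($handoff->exportForSmb($session, false));
// A value pointing outside the delegation dir is dropped and clears the session entry.
var_dump($handoff->captureFromRequest(['KRB5CCNAME' => '/etc/hostname'], $session), $session);

unlink($ccache);
rmdir($dir);
```

In the real app the first method belongs where the patch put its `$_SESSION` write (after the SAML response is accepted, using the injected session service) and the second where the patch calls `putenv`, passing `$auth instanceof KerberosAuth` as the flag so password-authenticated mounts are never touched.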
Quqas commented 3 years ago

@gno65

> always get the red icon

Hi. How about current NC 21.0.2? (External storage 1.12.0 + SSO & SAML auth 4.1.1) SMB + kerberos ticket still doesn't work as is. Do you have a new patch?

P.S. Your hint has no effect now.

Quqas commented 3 years ago

Damn!!!... after two months of excruciating torment this crooked kerberos-ticket function finally works.

It's not clear where the people developing this project are looking. These changes have not been merged into the code, and the documentation was absolute zero and still is. And no reaction at all to this thread. Either it's a crooked hack, or who knows.

1) Without changing the php you can use `sudo -u www-data kinit ####` from the server console, with a keytab or by entering the password by hand. Then the kerberos ticket works in the web too. But in practice that is no different from global creds, i.e. pointless. And using the ticket via SSO (environment variable REMOTE_USER) doesn't work in any way without the edits from this thread. And if it is possible, nobody writes how.

2) For 2 months it didn't work even with the php changes, because GssapiDelegCcacheDir is an extremely buggy gizmo: in /tmp it refused to create the file. Who knows why. So $_SERVER['KRB5CCNAME'] was not processed either. I had to find/create a folder that only apache can write to: /var/cache/apache2
Who knows why file access in linux is such a hassle; I never understood the point of how and why this is done. But that's only half the trouble. Although I used IE11 all the time for tests, more often I still tested in Chrome. So to make this work I had to download the ADMX for chrome and through it, in gpedit.msc, additionally enable the policy for which sites kerberos may be used. I.e. idiocy: SSO works, but who knows via which protocol, because the GssapiDelegCcacheDir file is not created. And it's not about "intranet" sites; for chrome that is not enough. For IE11 it is.

In the end I still set kerberos ticket everywhere in External storages smb, and the checkmarks turned green instead of red. BUT the third screw-up: smbclient -kL doesn't work against an AD DC with DFS. I.e. smbclient -L domain.local works, but smbclient -kL domain.local doesn't. Although smbclient -kL comp.domain.local works perfectly, and even smbclient -kL comp. Yet another piece of linux nonsense. I had to redo all the shares. It used to be domain.local folders and everything worked

I had to make it dc1 (domain.local) folders

i.e. fault tolerance went down

AND ALL OF THE ABOVE WAS DONE BLINDLY. BY TRIAL AND ERROR. There isn't a single manual anywhere on the internet! So 2 months is actually fast...

Quqas commented 3 years ago

And one more thing: it is confirmed that these edits are some kind of hack, not quite right. Because although the smb shares themselves work via kerberos and can even be shared externally (http)? all the logs are full of errors

[image: screenshot of the log errors]

i.e. who knows how it works and glitches at the same time

szaimen commented 2 years ago

Please post only in English, thank you!

szaimen commented 2 years ago

As this looks like a user_saml issue, I am transferring it there.