Open gno65 opened 3 years ago
After some debugging I found a solution. Maybe this helps others who have the same problem.
The Kerberos authentication is done with Apache mod_auth_gssapi. The config looks like this:
```apache
<Location "/index.php/apps/user_saml/saml/login">
    AuthType GSSAPI
    AuthName "Nextcloud SSO Login"
    Require valid-user
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiBasicAuth On
    GssapiNegotiateOnce On
    GssapiSSLonly On
    GssapiLocalName On
    GssapiDelegCcacheDir /var/lib/apache2/ccache
</Location>
```
smbclient needs the Kerberos ticket of the authenticated user but did not get it.
I made two small changes to make the ticket accessible to smbclient:
--- apps/user_saml//lib/Controller/SAMLController.php.orig 2021-02-13 17:03:50.980145264 +0000
+++ apps/user_saml//lib/Controller/SAMLController.php 2021-02-13 16:51:18.807334055 +0000
@@ -122,6 +122,8 @@
$uid = $auth[$uidMapping];
}
+ $_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];
+
// make sure that a valid UID is given
if (empty($uid)) {
$this->logger->error('Uid "' . $uid . '" is not a valid uid please check your attribute mapping', ['app' => $this->appName]);
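Review bot: `$_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];` reads the server variable unconditionally, but mod_auth_gssapi only exports `KRB5CCNAME` when `GssapiDelegCcacheDir` is configured and the client actually delegated a ticket; for any login that reaches this controller without delegation the index is undefined and the session ends up holding null, which the SMB side then passes straight to `putenv()`. Guard and validate it before storing, e.g. `if (!empty($_SERVER['KRB5CCNAME']) && strpos($_SERVER['KRB5CCNAME'], 'FILE:/var/lib/apache2/ccache/') === 0) { $_SESSION['ccname'] = $_SERVER['KRB5CCNAME']; } else { unset($_SESSION['ccname']); }`, with the directory taken from configuration rather than hard-coded. Writing to `$_SESSION` directly from user_saml to be read by a different app (files_external) is also a cross-app contract with no owner; the `\OCP\ISession` service the apps already use for their own state is the place for this key, and the patch should say in a comment that files_external depends on it.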
--- apps/files_external/lib/Lib/Storage/SMB.php.orig 2021-02-13 17:05:12.351033284 +0000
+++ apps/files_external/lib/Lib/Storage/SMB.php 2021-02-13 16:49:24.836621464 +0000
@@ -125,6 +125,8 @@
}
}
+ putenv('KRB5CCNAME=' . $_SESSION['ccname']);
+
$serverFactory = new ServerFactory($options);
$this->server = $serverFactory->createServer($params['host'], $auth);
$this->share = $this->server->getShare(trim($params['share'], '/'));
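Review bot: `putenv('KRB5CCNAME=' . $_SESSION['ccname']);` runs for every SMB storage, whatever auth backend `$auth` was built with in the lines above, and whether or not the session holds a value. With mod_php (the `[php7:notice]` entries in the log below show the module, not FPM) the process environment persists across the requests a worker serves, so this either sets an empty `KRB5CCNAME=` for a user with no delegated ticket or, if a guard is added that merely skips the call, leaves the previous request's user cache in place for the next user that process handles. Set it only when `$auth` is the Kerberos backend, re-check that the cache file still exists under the delegation directory (the file written by mod_auth_gssapi has its own lifetime, unrelated to the Nextcloud session), and on every other path clear it explicitly with `putenv('KRB5CCNAME');` so a stale ticket cannot be reused.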
@gno65
always get the red icon
Hi, how about the current NC 21.0.2? (External storage 1.12.0 + SSO & SAML auth 4.1.1) SMB + Kerberos ticket still does not work as is. Do you have a new patch?
P.S. your hint has no effect now.
Damn!!!... after two months of agonizing torment this crooked kerberos-ticket feature finally works.
It is not clear what the people developing this project are looking at. These changes have not been merged into the code, and the documentation was absolute zero and still is. And no reaction at all to this thread. Either it is a crooked hack, or who knows.
1) Without the changes in the PHP you can use `sudo -u www-data kinit ####` from the server console, with a keytab or by typing the password by hand. Then the Kerberos ticket works in the web too. But in fact that is no different from global creds, i.e. pointless. And using the ticket via SSO (environment variable REMOTE_USER) does not work in any way without the edits in this thread. And if it is possible, nobody writes how.
2) For 2 months it did not work even with the PHP changes, because GssapiDelegCcacheDir is an extremely buggy contraption.
In /tmp it would not create the file. No idea why. So $_SERVER['KRB5CCNAME'] was not processed either.
I had to find/create a directory that only Apache can write to: /var/cache/apache2
No idea why Linux has such hassles with file access; I never understood the point of how and why that is done.
But that is only half the trouble. Although I used IE11 constantly for tests, I tested more often in Chrome.
So to make this work I had to download the ADMX for Chrome and through it, in gpedit.msc, also enable a policy for which sites Kerberos may be used on.
I.e. idiocy: SSO works, but who knows over which protocol, and the GssapiDelegCcacheDir file is not created.
And it is not about "intranet" sites; for Chrome that is not enough. For IE11 it is.
In the end I set "kerberos ticket" everywhere in External storages smb anyway, and green check marks appeared instead of red ones. BUT the third snag: smbclient -kL does not work against an AD DC with DFS. I.e. smbclient -L domain.local works, but smbclient -kL domain.local does not. Although smbclient -kL comp.domain.local works perfectly, and even smbclient -kL comp. Yet more nonsense from Linux. I had to redo all the shares. It was domain.local folders and everything worked.
I had to make it dc1 (domain.local) folders
i.e. fault tolerance went down
AND ALL OF THE ABOVE WAS DONE BLIND, BY TRIAL AND ERROR. There is not a single manual on the whole internet! So 2 months is actually fast...
And one more thing: it is confirmed that these edits are some kind of crutch, not quite correct. Because although the SMB shares themselves work over Kerberos and can even be shared externally (http), all the logs are full of errors
i.e. who knows how it works, and it is buggy at the same time
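The checks that the first comment's patch and the comment above work through by hand (is the mod_auth_gssapi delegation directory usable, does PHP receive a sane `KRB5CCNAME`, and can the web server user actually use the ticket with `klist` and `smbclient -k`) as one diagnostic script. This is example code written for this page, not code from the thread or from Nextcloud. It assumes the Apache user is `www-data`, that `GssapiDelegCcacheDir` is `/var/lib/apache2/ccache` as in the configuration posted above, and GNU coreutils `stat`; `CCACHE_DIR` and `WEB_USER` can be overridden from the environment. The `dc1.domain.local` host in the usage line is the DC name from the comment above, used only as an illustration.

```shell
#!/bin/sh
# Added example for this page (not code from the thread or from Nextcloud).
# Verifies the pieces of the delegated-ticket chain discussed above, in the
# order they fail in practice. Assumptions (not from the original posts):
# Apache runs as www-data, GssapiDelegCcacheDir is /var/lib/apache2/ccache,
# and GNU coreutils 'stat' is available. Override via the environment.

CCACHE_DIR="${CCACHE_DIR:-/var/lib/apache2/ccache}"
WEB_USER="${WEB_USER:-www-data}"

# 1. The delegation directory must exist, belong to the web user and be
#    writable by nobody else (mode 700). If mod_auth_gssapi cannot store the
#    delegated credential here, it never exports KRB5CCNAME to PHP at all.
check_ccache_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    owner=$(stat -c '%U' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$user" ] || { echo "$dir owned by $owner, expected $user"; return 1; }
    [ "$mode" = "700" ] || { echo "$dir has mode $mode, expected 700"; return 1; }
}

# 2. The value PHP hands to putenv() must be FILE:<path> with <path> a regular
#    file directly inside the delegation directory: no other cache type, no
#    subdirectory, no '..', no symlink. Anything else should be refused rather
#    than exported to smbclient.
check_ccname() {
    ccname=$1; dir=$2
    case "$ccname" in
        FILE:"$dir"/*) ;;
        *) echo "unexpected KRB5CCNAME: '$ccname'"; return 1 ;;
    esac
    path=${ccname#FILE:}
    rest=${path#"$dir"/}
    case "$rest" in
        ''|.|..|*/*) echo "path escapes $dir: $path"; return 1 ;;
    esac
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path"; return 1
    fi
}

# 3. With a valid cache, show the ticket and list shares as the web user.
#    smbclient's -k is the Kerberos switch used in the thread; newer Samba
#    spells it --use-kerberos=required.
probe_smb() {
    ccname=$1; host=$2
    if ! command -v klist >/dev/null 2>&1 || ! command -v smbclient >/dev/null 2>&1; then
        echo "klist/smbclient not installed"; return 2
    fi
    sudo -u "$WEB_USER" env KRB5CCNAME="$ccname" klist || return 1
    sudo -u "$WEB_USER" env KRB5CCNAME="$ccname" smbclient -k -L "$host"
}

# Usage (as root, with the KRB5CCNAME value logged from a real request):
#   KRB5CCNAME='FILE:/var/lib/apache2/ccache/<file>' sh check-deleg.sh run dc1.domain.local
if [ "${1:-}" = "run" ]; then
    check_ccache_dir "$CCACHE_DIR" "$WEB_USER" &&
    check_ccname "${KRB5CCNAME:-}" "$CCACHE_DIR" &&
    probe_smb "$KRB5CCNAME" "${2:?usage: $0 run <smb-host>}"
fi
```

Run step 1 from a shell that sees the same filesystem as the Apache service: on Debian the apache2 unit runs with a private /tmp (systemd PrivateTmp), so a directory under /tmp that looks writable from a root shell is not the one the module writes to, which is consistent with the /tmp failure reported above. Step 3 runs `smbclient -L` against the host the storage is configured with, so the bare-domain versus DC-hostname difference described above shows up here before touching Nextcloud.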
Please post only in English, thank you!
As this looks like a user_saml issue, I am transferring it there.
Steps to reproduce
Expected behaviour
The icon should become green and the share can be accessed
Actual behaviour
The icon is red
Server configuration
Operating system: Debian 10
Web server: Apache/2.4.38 (Debian) in separate Proxmox lxc container
Database: 10.3.17-MariaDB-0+deb10u1 Debian 10 in separate Proxmox lxc container
PHP version: 10.3.17-MariaDB-0+deb10u1 Debian 10
Nextcloud version: (see Nextcloud admin page) Nextcloud 20.0.3
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from:
List of activated apps:
App list
```
Enabled:
 - accessibility: 1.6.0
 - activity: 2.13.4
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - dashboard: 7.0.0
 - dav: 1.16.1
 - federatedfilesharing: 1.10.1
 - federation: 1.10.1
 - files: 1.15.0
 - files_external: 1.11.1
 - files_pdfviewer: 2.0.1
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.0
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - firstrunwizard: 2.9.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - password_policy: 1.10.1
 - photos: 1.2.1
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - recommendations: 0.8.0
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - survey_client: 1.8.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_ldap: 1.10.2
 - user_saml: 3.3.1
 - user_status: 1.0.1
 - viewer: 1.4.0
 - weather_status: 1.0.0
 - workflowengine: 2.2.0
Disabled:
 - admin_audit
 - encryption
 - smb_test
 - twofactor_totp
```
Nextcloud configuration:
Config report
```
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.1.123",
            "nextcloud.xxx.net",
            "cloud2.xxx.net",
            "cloud.xxx.net"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.3.2",
        "overwrite.cli.url": "http:\/\/cloud2.xxx.net\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpport": "25",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": "",
        "log_type": "file",
        "logfile": "var\/log\/nextcloud.log",
        "logfilemode": 416,
        "loglevel": 1,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
```
Are you using external storage, if yes which one: local/smb/sftp/... Try to use SMB/CIFS with Kerberos authentication
Are you using encryption: yes/no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... openLDAP in separate Proxmox lxc container
LDAP config
| Configuration | s02 |
|---|---|
| hasMemberOfFilterSupport | 0 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=admin,dc=lan,dc=xxx,dc=net |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=users,dc=lan,dc=xxx,dc=net |
| ldapBaseGroups | ou=groups,dc=lan,dc=xxx,dc=net |
| ldapBaseUsers | ou=users,dc=lan,dc=xxx,dc=net |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldap2.xxx.net |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |

Client configuration
Browser: Firefox 84.0 in Proxmox VM
Operating system: Ubuntu 18.04
Logs
Web server error log
I have added some error_log statements in the PHP code. Maybe it helps you.
```
==> /var/log/apache2/nextcloud-ssl-error.log <==
[Thu Dec 17 11:29:20.810591 2020] [ssl:info] [pid 9616] [client 192.168.1.130:54496] AH01964: Connection to child 4 established (server cloud2.xxx.net:443)
[Thu Dec 17 11:29:20.855522 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] SMB->getFileInfo
[Thu Dec 17 11:29:20.856284 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->getSize
[Thu Dec 17 11:29:20.856315 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->stat
[Thu Dec 17 11:29:20.856383 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496]
[Thu Dec 17 11:29:20.856417 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeShare->getAttribute
[Thu Dec 17 11:29:20.856457 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeShare Object\n(\n [server:Icewind\\SMB\\Native\\NativeShare:private] => Icewind\\SMB\\Native\\NativeServer Object\n (\n [state:protected] => Icewind\\SMB\\Native\\NativeState Object\n (\n [state:protected] => \n [handlerSet:protected] => \n [connected:protected] => \n )\n\n [host:protected] => srv.xxx.net\n [auth:protected] => Icewind\\SMB\\KerberosAuth Object\n (\n )\n\n [system:protected] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n [timezoneProvider:protected] => Icewind\\SMB\\TimeZoneProvider Object\n (\n [timeZones:Icewind\\SMB\\TimeZoneProvider:private] => Array\n (\n )\n\n [system:Icewind\\SMB\\TimeZoneProvider:private] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n )\n\n [options:protected] => Icewind\\SMB\\Options Object\n (\n [timeout:Icewind\\SMB\\Options:private] => 20\n )\n\n )\n\n [name:Icewind\\SMB\\Native\\NativeShare:private] => nextcloud\n [state:Icewind\\SMB\\Native\\NativeShare:private] => \n [forbiddenCharacters:Icewind\\SMB\\AbstractShare:private] => Array\n (\n [0] => ?\n [1] => <\n [2] => >\n [3] => :\n [4] => *\n [5] => |\n [6] => "\n [7] =>
[Thu Dec 17 11:29:20.856554 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->init
[Thu Dec 17 11:29:20.856609 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected:
[Thu Dec 17 11:29:20.857122 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Username: dummy
[Thu Dec 17 11:29:20.857170 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Workgroup: dummy
[Thu Dec 17 11:29:20.857202 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Password:
[Thu Dec 17 11:29:20.857238 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Arguments: -k
[Thu Dec 17 11:29:20.857272 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result: 1
[Thu Dec 17 11:29:20.857302 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected: 1
[Thu Dec 17 11:29:20.857337 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->getxattr
[Thu Dec 17 11:29:20.857382 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeState Object\n(\n [state:protected] => Resource id #16\n [handlerSet:protected] => \n [connected:protected] => 1\n)\n
[Thu Dec 17 11:29:20.857415 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] uri: smb://srv.xxx.net/nextcloud/
[Thu Dec 17 11:29:20.857444 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] key: system.dos_attr.*
[Thu Dec 17 11:29:20.964758 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result:

==> /var/log/apache2/nextcloud-ssl-access.log <==
192.168.1.130 - - [17/Dec/2020:11:29:20 +0000] "GET /index.php/apps/files_external/userstorages/4?testOnly=true HTTP/1.1" 200 2291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
```
Nextcloud log (data/nextcloud.log)
Nextcloud log
```
[no app in context] Error: Icewind\SMB\Exception\ForbiddenException: Invalid request for / (ForbiddenException) at <
```
Browser log
Description
When I do the following on the client or on the web server I can connect to the share
In the Nextcloud configuration I always get the red icon.