owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

LDAP user encryption doesn't work with new files #26487

Closed kalletabur closed 8 years ago

kalletabur commented 8 years ago

Steps to reproduce

  1. Upgraded from 8.2.2 to 8.2.8
  2. Added files over web gui
  3. Added files over desktop sync

Expected behaviour

Everything should be working normal

Actual behaviour

Errors are shown

Desktop client:

10-26 09:17:51:785 0x228f350   ** error Strings:  ("Error downloading https://our.owncloud.server/remote.php/webdav/2%20added%20plugins.png - server replied: Service Unavailable", "Operation canceled", "2 added plugins.png: Error downloading https://our.owncloud.server/remote.php/webdav/2%20added%20plugins.png - server replied: Service Unavailable") 
Server error: HTTP\\\/1.1 503 Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

Comments

Working with new files, LDAP/AD user:

Encryption doesn't seem to work with new files (when I'm using this ownCloud instance as an LDAP user). Tried uploading/adding files, and every time there are errors of some sort. For example, I added a text file over the browser - the file was created OK and I could edit it, but when I closed it there was no "saved" message, and after that I couldn't open this file any more and it doesn't sync this file with the desktop client. Adding files with the desktop client (syncing) isn't working as expected - I can see the file on the web GUI but I cannot open it.

Older files, LDAP user:

I don't use this ownCloud instance very often (I normally use another instance). I have files there that are about a year old, and these files are OK. I can view these files, sync, share, and ownCloud works normally.

All files, local account

I have an administrator account and I can do anything under that account. Add files, add/edit text files, sync, use the GUI, change text files, view shared files - everything works and there are no error messages.

Additional info

Before upgrading we had encryption problems and I created an issue for that: Shared file cannot be opened - #26406. I was told to upgrade first. The last upgrade we made (before today) was some time in spring (from oc 8.2.1 to 8.2.2) and that wasn't done by me - so maybe it wasn't actually successful and something was messed up with encryption.

Server configuration

Operating system: Debian 8
Web server: nginx 1.6
Database: percona 5.6
PHP version: php 5.6
ownCloud version: 8.2.8
Updated from an older ownCloud or fresh install: updated from 8.2.2
Where did you install ownCloud from: linux packages

List of activated apps:

Enabled:
  - activity: 2.1.4
  - contacts: 0.5.0.0
  - encryption: 1.1.0
  - files: 1.2.1
  - files_pdfviewer: 0.7.1
  - files_sharing: 0.7.0
  - files_texteditor: 2.0
  - files_trashbin: 0.7.0
  - files_versions: 1.1.0
  - files_videoviewer: 0.1.3
  - firstrunwizard: 1.1
  - gallery: 14.2.0
  - user_ldap: 0.7.1
Disabled:
  - external
  - files_antivirus
  - files_external
  - notifications
  - provisioning_api
  - templateeditor
  - user_external

The content of config/config.php:

{
    "system": {
        "instanceid": "instanceid",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "our.owncloud.server"
        ],
        "datadirectory": "\/var\/ownclouddatadirectory\/",
        "overwrite.cli.url": "https:\/\/our.owncloud.server",
        "dbtype": "mysql",
        "version": "8.2.8.2",
        "dbname": "ownclouddatabase",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "logtimezone": "Europe\/SomeCity",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "smtpserver",
        "mail_smtpport": "25",
        "forcessl": true,
        "maintenance": false,
        "singleuser": false,
        "loglevel": 1,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "theme": "",
        "trashbin_retention_obligation": "auto"
    }
}

Are you using external storage, if yes which one: no
Are you using encryption: yes
Are you using an external user-backend, if yes which one: Active Directory

LDAP configuration (delete this part if not used)

| hasMemberOfFilterSupport      |1|
| hasPagedResultSupport||
| homeFolderNamingRule          ||
| lastJpegPhotoLookup           | 0              |
| ldapAgentName                 | CN=Owncloud,OU=Accounts,DC=local|
| ldapAgentPassword             | ***            |
| ldapAttributesForGroupSearch  ||
| ldapAttributesForUserSearch   ||
| ldapBackupHost                ||
| ldapBackupPort                ||
| ldapBase                      | DC=local               |
| ldapBaseGroups                | DC=local               |
| ldapBaseUsers                 | DC=local               |
| ldapCacheTTL                  | 600            |
| ldapConfigurationActive       | 1              |
| ldapEmailAttribute            | mail           |
| ldapExperiencedAdmin          | 0              |
| ldapExpertUUIDGroupAttr       ||
| ldapExpertUUIDUserAttr        ||
| ldapExpertUsernameAttr        | sAMAccountName |
| ldapGroupDisplayName          | cn             |
| ldapGroupFilter               ||
| ldapGroupFilterGroups         ||
| ldapGroupFilterMode           | 0              |
| ldapGroupFilterObjectclass    ||
| ldapGroupMemberAssocAttr      | member         |
| ldapHost                      | DC1       |
| ldapIgnoreNamingRules         ||
| ldapLoginFilter               | (&(&(|(objectclass=user))(memberof=)(samaccountname=%uid)) |
| ldapLoginFilterAttributes     ||
| ldapLoginFilterEmail          | 0              |
| ldapLoginFilterMode           | 0              |
| ldapLoginFilterUsername       | 1              |
| ldapNestedGroups              | 0              |
| ldapOverrideMainServer        | 0              |
| ldapPagingSize                | 500            |
| ldapPort                      | 389            |
| ldapQuotaAttribute            ||
| ldapQuotaDefault              ||
| ldapTLS                       | 1              |
| ldapUserDisplayName           | displayname    |
| ldapUserDisplayName2          ||
| ldapUserFilter                | (&(|(objectclass=user))(memberof=)                         |
| ldapUserFilterGroups          | some groups|
| ldapUserFilterMode            | 0              |
| ldapUserFilterObjectclass     | user           |
| ldapUuidGroupAttribute        | auto           |
| ldapUuidUserAttribute         | auto           |
| turnOffCertCheck              | 1              |
| useMemberOfToDetectMembership | 1              |

Client configuration

Browser: Chrome
Operating system: Debian 8

Logs

Web server error log

Logs seem normal

ownCloud log (data/owncloud.log)

{"reqId":"xb0XVcDFARKKfvZydTKt",
"remoteAddr":"10.10.10.10",
"app":"webdav",
"message":"Exception: {\"Message\":\"HTTP\\\/1.1 503 Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error\",
    "Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",
    "Code\":0,\"Trace\":\"
        #0 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(82): OC\\\\Connector\\\\Sabre\\\\File->get()
        #1 [internal function]: Sabre\\\\DAV\\\\CorePlugin->httpGet(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))
        #2 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)
        #3 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(469): Sabre\\\\Event\\\\EventEmitter->emit('method:GET', Array)
        #4 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))
        #5 \\\/var\\\/www\\\/owncloud\\\/apps\\\/files\\\/appinfo\\\/remote.php(56): Sabre\\\\DAV\\\\Server->exec()
        #6 \\\/var\\\/www\\\/owncloud\\\/remote.php(137): require_once('\\\/var\\\/www\\\/ownclo...')
        #7 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/connector\\\/sabre\\\/file.php\",\"Line\":293}",
"level":4,"time":"2016-10-26T08:04:30+02:00"}

Client log

10-26 09:17:51:785 0x228f350   ** error Strings:  ("Error downloading https://our.owncloud.server/remote.php/webdav/2%20added%20plugins.png - server replied: Service Unavailable", "Operation canceled", "2 added plugins.png: Error downloading https://our.owncloud.server/remote.php/webdav/2%20added%20plugins.png - server replied: Service Unavailable") 
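
An added example, not code from the report or from ownCloud itself: a small Python filter that pulls entries like the one above out of owncloud.log, unwraps the JSON-serialised exception inside the "message" field, and counts the "Encryption not ready" 503s per client address, which is the quickest way to see whether the failure follows one account (as it did here) or hits everyone. The sample log text is constructed from the entry in this report (trace shortened) plus one unrelated, made-up entry.

```python
import json
import re
from collections import Counter

# Constructed sample of two owncloud.log entries (one JSON object per line). The first
# mirrors the 503 "Encryption not ready" entry from the report; the second is unrelated.
SAMPLE_LOG = r'''{"reqId":"xb0XVcDFARKKfvZydTKt","remoteAddr":"10.10.10.10","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 503 Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error\",\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/remote.php(137): require_once()\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/connector\\\/sabre\\\/file.php\",\"Line\":293}","level":4,"time":"2016-10-26T08:04:30+02:00"}
{"reqId":"Qn4c0nstructedId","remoteAddr":"10.10.10.11","app":"core","message":"Login successful","level":1,"time":"2016-10-26T08:05:00+02:00"}'''

# "HTTP/1.1 503 Encryption not ready: <reason>" as the encryption app phrases it
ENCRYPTION_NOT_READY = re.compile(r"(?:HTTP/\S+ (\d{3}) )?Encryption not ready: (.+)")


def parse_entry(line):
    """Decode one log line; 'message' may itself wrap a JSON-serialised exception."""
    entry = json.loads(line)
    message, prefix = entry.get("message", ""), "Exception: "
    entry["exception"] = None
    if message.startswith(prefix):
        try:
            entry["exception"] = json.loads(message[len(prefix):])
        except json.JSONDecodeError:
            pass  # truncated or hand-edited entry: keep the raw message only
    return entry


def find_encryption_failures(log_text):
    """One finding per entry whose exception says the encryption layer refused the request."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            entry = parse_entry(raw)
        except json.JSONDecodeError:
            continue  # non-JSON line (e.g. a pasted multi-line trace): skip it
        exc = entry["exception"] or {}
        match = ENCRYPTION_NOT_READY.search(exc.get("Message", ""))
        if match:
            findings.append({
                "reqId": entry.get("reqId"), "remoteAddr": entry.get("remoteAddr"),
                "status": match.group(1), "reason": match.group(2),
                "exception": exc.get("Exception"),
                "file": f"{exc.get('File')}:{exc.get('Line')}",
            })
    return findings


def failures_by_client(findings):
    """Failures per client address: one address failing while others work points at a per-user key problem."""
    return Counter(f["remoteAddr"] for f in findings)
```

A reason of "multikeydecrypt with share key failed ... pkcs decoding error" on every GET is a key mismatch, not a transient outage, so the per-client count is what tells you whose keys to inspect.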
kalletabur commented 8 years ago

I now tested with a regular user and he was able to work with files normally, so this problem seems to be related to my account only. I checked the keys on the server and found that there are two different privateKeys under the encryption_migration folder:

  1. encryption_migration_backup/user.privateKey
  2. encryption_migration_backup/OC_DEFAULT_MODULE/user.privateKey

The first privateKey file is the same as the one I have under files_encryption/OC_DEFAULT_MODULE/; the second one is different. I'll close this issue for now and try to solve it by going through older and similar issues.

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.