zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0
197 stars 138 forks

You cannot access an external storage smb if you use social login to enter nextcloud #221

Open danielepercivaldi opened 3 years ago

danielepercivaldi commented 3 years ago

Steps to reproduce

  1. Configure an external storage smb with authentication "login credentials, saved in database" for your ldap user.
  2. Associate your ldap user with any social login (facebook, google, etc.).
  3. Enter Nextcloud using the social login button you have configured.

Expected behaviour

You can access the external storage smb you have configured.

Actual behaviour

The external storage is not accessible (red colored). If you exit and then log in using your ldap credentials, you can access the external storage. It seems that when you enter using social login, the user of the session is not the ldap user.

Server configuration detail

Operating system: Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64

Webserver: Apache/2.4.41 (Ubuntu) (apache2handler)

Database: mysql 8.0.23

PHP version:

7.4.14 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, json, ldap, exif, mysqli, pdo_mysql, apc, posix, pspell, readline, redis, shmop, SimpleXML, smbclient, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, Phar, libsmbclient, Zend OPcache

Nextcloud version: 20.0.7 - 20.0.7.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: unknown

Signing status Array ( )
List of activated apps ``` Enabled: - accessibility: 1.6.0 - activity: 2.13.4 - admin_audit: 1.10.0 - apporder: 0.11.0 - audioplayer: 3.0.0 - audioplayer_editor: 0.3.0 - audioplayer_sonos: 1.2.0 - bookmarks: 4.0.8 - bruteforcesettings: 2.0.1 - calendar: 2.1.3 - camerarawpreviews: 0.7.10 - cloud_federation_api: 1.3.0 - comments: 1.10.0 - contactsinteraction: 1.1.0 - data_request: 1.7.0 - dav: 1.16.2 - drawio: 0.9.8 - drop_account: 1.0.2 - event_update_notification: 1.2.0 - extract: 1.3.0 - federatedfilesharing: 1.10.2 - federation: 1.10.1 - files: 1.15.0 - files_downloadactivity: 1.9.0 - files_external: 1.11.1 - files_markdown: 2.3.1 - files_mindmap: 0.0.24 - files_pdfviewer: 2.0.1 - files_retention: 1.9.0 - files_rightclick: 0.17.0 - files_sharing: 1.12.2 - files_texteditor: 2.14.0 - files_trashbin: 1.10.1 - files_versions: 1.13.0 - files_videoplayer: 1.9.0 - firstrunwizard: 2.9.0 - flowupload: 1.1.2 - groupfolders: 8.2.0 - impersonate: 1.7.0 - issuetemplate: 0.7.0 - logreader: 2.5.0 - lookup_server_connector: 1.8.0 - metadata: 0.12.0 - nextbackup: 21.1.0 - nextcloud_announcements: 1.9.0 - notifications: 2.8.0 - oauth2: 1.8.0 - onlyoffice: 6.2.0 - password_policy: 1.10.1 - photos: 1.2.3 - piwik: 0.7.0 - privacy: 1.4.0 - provisioning_api: 1.10.0 - quota_warning: 1.9.1 - serverinfo: 1.10.0 - settings: 1.2.0 - sharebymail: 1.10.0 - sociallogin: 4.0.3 - socialsharing_email: 2.1.0 - socialsharing_facebook: 2.1.0 - spreed: 10.0.5 - support: 1.3.0 - survey_client: 1.8.0 - suspicious_login: 3.2.1 - systemtags: 1.10.0 - theming: 1.11.0 - twofactor_backupcodes: 1.9.0 - updatenotification: 1.10.0 - user_ldap: 1.10.2 - user_status: 1.0.1 - viewer: 1.4.0 - workflow_pdf_converter: 1.5.1 - workflowengine: 2.2.0 Disabled: - dashboard - encryption - files_antivirus - files_automatedtagging - recommendations - registration - text - twofactor_admin - twofactor_nextcloud_notification - weather_status ```
Configuration (config/config.php)

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this par if not used)

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36

Operating system: Ubuntu 20.04

Logs

Web server error log: (empty)

Nextcloud log: (empty)

Browser log: (empty)

zorn-v commented 3 years ago

Yes, LDAP was not tested by me (as I don't know how). Can you please provide some docker-compose.yaml with a minimal working LDAP configuration?

danielepercivaldi commented 3 years ago

Hello. Please use these run instructions:

```
docker run --restart always --env-file ./openldap.env --name openldap -p 389:389 -p 636:636 \
  -v /data/slapd/database:/var/lib/ldap \
  -v /data/slapd/config:/etc/ldap/slapd.d \
  -v /data/slapd/backup:/data/backup \
  -d osixia/openldap-backup:1.5.0
```

The content of file openldap.env is:

```
LDAP_ORGANISATION=contoso
LDAP_DOMAIN=contoso.com
LDAP_BACKUP_CONFIG_CRON_EXP=45 22 *
LDAP_ADMIN_PASSWORD=
LDAP_READONLY_USER=true
LDAP_READONLY_USER_USERNAME=ro_user
LDAP_READONLY_USER_PASSWORD=
LDAP_TLS=true
LDAP_TLS_CRT_FILENAME=cert.pem
LDAP_TLS_KEY_FILENAME=privkey.pem
LDAP_TLS_CA_CRT_FILENAME=fullchain.pem
LDAP_TLS_VERIFY_CLIENT=allow
```

This is the management container:

```
docker run --name openldap-admin \
  --restart always -p 8084:80 --env-file ./openldap-admin.env \
  -d osixia/phpldapadmin
```

The content of file openldap-admin.env is:

```
PHPLDAPADMIN_LDAP_HOSTS=ldap.contoso.com
PHPLDAPADMIN_HTTPS=false
PHPLDAPADMIN_HTTPS_CRT_FILENAME=cert.pem
PHPLDAPADMIN_HTTPS_KEY_FILENAME=privkey.pem
PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=chain.pem
```

Login with CN=admin,DC=contoso,DC=com and the password of user admin.

Hope this can help you.

Thank you.

zorn-v commented 3 years ago

Is it related to the "not same user" issue?

danielepercivaldi commented 3 years ago

@zorn-v , I don't know. Do you mean #224 ? Well, no, it is different. For instance, my LDAP user is connected to my facebook, gmail, slack account. When I login using social login I enter my LDAP user profile without troubles. The problem is that I cannot access smb external storage that requires session user parameter. If I login using my ldap credentials I can access those smb external storage without troubles. Hope this is clear.

zorn-v commented 2 years ago

Lazy to test. Stay still open

Blackclaws commented 2 years ago

> @zorn-v , I don't know. Do you mean #224 ? Well, no, it is different. For instance, my LDAP user is connect to my facebook, gmail, slack account. When I login using social login I enter my LDAP user profile without troubles. The problem is that I cannot access smb external storage that requires session user parameter. If I login using my ldap credentials I can access those smb external storage without troubles. Hope this is clear.

Out of the blue I would ask the question whether the LDAP credentials are available to nextcloud when the login is performed not using LDAP. While nextcloud itself connects to the LDAP server using its own set of credentials to retrieve user information this does not mean it has access to credentials that allow it to make SMB requests on behalf of the user. My guess would be that when you login using LDAP you provide those credentials for that session that are then used, something that simply cannot be done with OIDC due to the way it is designed (no credentials ever get passed to NC only tokens).

mmccarn commented 1 year ago

This workflow works for me:

  1. Connect external SMB using "Login Credentials, save in database"
  2. Configure social_login:
    • Disable auto create new users
    • Allow users to connect social logins with their account
      1. Tell all users to logout and login using the legacy authentication mechanism
      2. Tell users to open Settings -> Social login and "Connect" the social_login provider

I also tested this successfully with the external share configured using "User entered, store in database".

...and... I "solved" this a couple years ago by manually editing the social_login app to make the Nextcloud username match the username generated by my original authentication mechanism -- which worked for me as I was moving from IMAP Auth against Exchange365 to social_login against the same O365 tenant (so the user's email could be set as the username in both instances)
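The mechanism Blackclaws describes, and why mmccarn's "log in once with the legacy mechanism, then connect the social provider" workflow fixes it, as an added model. This is constructed illustration code, not Nextcloud, files_external or nextcloud-social-login code; the class, hook and function names, and the sample user and password, are assumptions.

```python
"""Model of a 'login credentials, saved in database' mount under two login paths.
Constructed illustration, not Nextcloud code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CRED_ID = "logincredentials"  # key under which the mount looks up saved credentials


@dataclass
class Server:
    # Persistent store (survives sessions): (uid, identifier) -> credentials
    credentials: Dict[Tuple[str, str], dict] = field(default_factory=dict)
    session_uid: Optional[str] = None

    def _post_login(self, uid: str, password: str) -> None:
        # Only the password-based login path can run this: it is the sole point
        # where the user's clear-text directory password is visible to the server.
        self.credentials[(uid, CRED_ID)] = {"user": uid, "password": password}

    def login_password(self, uid: str, password: str, directory: Dict[str, str]) -> bool:
        if directory.get(uid) != password:
            return False
        self.session_uid = uid
        self._post_login(uid, password)
        return True

    def login_social(self, uid: str, linked: Set[str]) -> bool:
        # Social/OIDC login: the provider hands back an identity token, never the
        # LDAP password, so there is nothing for a post-login hook to save.
        if uid not in linked:
            return False
        self.session_uid = uid
        return True

    def smb_mount_status(self) -> str:
        creds = self.credentials.get((self.session_uid, CRED_ID))
        return "ok" if creds else "no login credentials saved"


def scenario() -> Tuple[str, str]:
    ldap = {"alice": "s3cret"}  # constructed directory entry
    linked = {"alice"}          # alice has connected a social provider
    fresh = Server()
    fresh.login_social("alice", linked)              # social login only
    after_social_only = fresh.smb_mount_status()

    fixed = Server()
    fixed.login_password("alice", "s3cret", ldap)    # one legacy login stores creds
    fixed.login_social("alice", linked)              # later social logins reuse them
    after_workaround = fixed.smb_mount_status()
    return after_social_only, after_workaround
```

A consequence visible in the model: social logins never refresh the stored copy, so after a directory password change the user has to log in with the legacy mechanism again before the mount works.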