
External storage will prompt for password but always tell you it's the wrong password

Open skjnldsv opened this issue 6 months ago • 13 comments

This issue has been created to gather the aftermath of a few fixes that seem to work for some but not for all. Initial regression PR: https://github.com/nextcloud/server/pull/50910

References

  • https://github.com/nextcloud/server/issues/51637
  • https://github.com/nextcloud/server/issues/51919
  • https://github.com/nextcloud/server/pull/50465 (31, 30 & 29)
  • https://github.com/zorn-v/nextcloud-social-login/issues/494
  • https://www.youtube.com/watch?v=Iqog7N9cRNU

Various findings

  • First issue was an ldap/oidc issue where the password should NOT have been requested, but the script was not handling this properly. This got fixed by https://github.com/nextcloud/server/pull/50465
  • Second related issue was that the password was NOT properly forwarded to the backend. It seemed to be an issue on some setups where mod_rewrite and/or mod_env were NOT enabled. This seems to be mandatory or else the AUTH header is empty https://github.com/nextcloud/server/blob/7be047a5c08d4401899d38c9a7d7ebdb6d8e78b2/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php#L81
  • Third issue was a frontend setting saving issue, fixed by https://github.com/nextcloud/server/pull/51320

skjnldsv avatar Jun 13 '25 15:06 skjnldsv

To everyone finding this issue, I locked this for now so I can think of proper ways to gather the right data. I got pinged from too many places and because the issue initially came from various different contexts, this is quite messy.

Right now, it seems like LDAP and OIDC are working properly. If you're logged in as an LDAP or OIDC user, the password should NOT be asked.

From my current quick thinking, I gathered that most of you keep entering the password, but it always errors out by stating the entered password is wrong. If that is the case for you, please apply this patch: https://github.com/nextcloud/server/pull/53474

Then I will need a screenshot of your network requests. Before you do anything, open the development tools, there is a tab called network. Click on it and then the xhr filter. Do the password confirmation and screenshot the network log like this: Image

How to access your development tools

Chrome

  • Press either CTRL + SHIFT + J to open the “console” tab of the Developer Tools.
  • Alternative method:
    1. Press either CTRL + SHIFT + I or F12 to open the Developer Tools.
    2. Click the “console” tab.

Safari

  • Press CMD + ALT + I to open the Web Inspector.
  • See Chrome’s step 2. (Chrome and Safari have pretty much identical dev tools.)

Firefox

  • Press CTRL + SHIFT + K to open the Web console (COMMAND + SHIFT + K on Macs).
  • or, if Firebug is installed (recommended):
    1. Press F12 to open Firebug.
    2. Click on the “console” tab.

Opera

  1. Press CTRL + SHIFT + I to open Dragonfly.
  2. Click on the “console” tab.

skjnldsv avatar Jun 13 '25 15:06 skjnldsv

Alright, please only post the screenshot from above, then we'll see how to proceed 🙏

skjnldsv avatar Jun 13 '25 15:06 skjnldsv

ok applied the patch (also verified that apache env and rewrite were enabled)

still got the error and captured the network log (tried it both by saving global creds, or adding a new storage mount)

Let me know if there's any other logs I can grab for you.

Details ![Image](https://github.com/user-attachments/assets/7949f618-c108-4a22-af80-3ba2135e5678)

Image

Image

cmdrscotty avatar Jun 13 '25 15:06 cmdrscotty

Ah sorry @cmdrscotty, there's a slight change on the PR I linked above, can you try again and update your message? 🙇

skjnldsv avatar Jun 13 '25 15:06 skjnldsv

> Ah sorry @cmdrscotty, there's a slight change on the PR I linked above, can you try again and update your message? 🙇

ok cool made the new updates in the PR but same results. updated the screenshots showing the code added to the php file

cmdrscotty avatar Jun 13 '25 15:06 cmdrscotty

Damned, I'm surprised this is an error 500. Do you have the error in your logs please? 🙈

skjnldsv avatar Jun 13 '25 15:06 skjnldsv

@skjnldsv yeah sure, here's the log I was able to pull from the server for that error:

[index] Error: Missing or invalid Authorization header
	POST /index.php/apps/files_external/globalcredentials
	from 192.168.2.5 by *** at Jun 13, 2025, 1:45:02 PM

{"reqId":"tSN8bss4KmibhpHpnxVG",
"level":3,
"time":"2025-06-13T20:45:02+00:00",
"remoteAddr":"192.168.2.5",
"user":"***",
"app":"index",
"method":"POST",
"url":"/index.php/apps/files_external/globalcredentials",
"message":"Missing or invalid Authorization header",
"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0",
"version":"31.0.6.2",
"exception":{"Exception":"Exception","Message":"Missing or invalid Authorization header",
"Code":400,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php",
"line":73,
"function":"beforeController",
"class":"OC\\AppFramework\\Middleware\\Security\\PasswordConfirmationMiddleware",
"type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
"line":106,"function":"beforeController",
"class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher",
"type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php",
"line":161,"function":"dispatch",
"class":"OC\\AppFramework\\Http\\Dispatcher",
"type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php",
"line":307,"function":"main",
"class":"OC\\AppFramework\\App",
"type":"::"},
{"file":"/var/www/nextcloud/lib/base.php",
"line":1040,"function":"match",
"class":"OC\\Route\\Router",
"type":"->"},{"file":"/var/www/nextcloud/index.php",
"line":24,"function":"handleRequest",
"class":"OC",
"type":"::"}],
"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php",
"Line":86,"message":"Missing or invalid Authorization header",
"exception":[],"CustomMessage":"Missing or invalid Authorization header"},
"id":"684c8dfb8cdb4"}

and attaching the log I pulled from the browser for the 500 error (had to redact some things in there)

cmdr_scotty_server_log.txt

cmdrscotty avatar Jun 13 '25 20:06 cmdrscotty

For me I am using LDAP but the account that I am using to make the changes is the built in local admin account in NextCloud, it is not an LDAP account. I have a very basic config, the only thing I use Nextcloud for is for file management, all other apps are disabled. I have local storage enabled and the shares in question are mounted via NFS to the Nextcloud servers. I have a few LDAP groups to control access to some of the shares. Reading your initial stuff above, note that I do not have mod_rewrite enabled on Apache 2 (Ubuntu 24.04). Nextcloud setup checks didn't flag that as something that was missing (perhaps only needed for sites that have the urls at something other than root?). Also have not had mod_rewrite enabled for ownCloud either for probably the past decade.

I haven't tried to do anything since I found a workaround to export the rows from my ownCloud system to Nextcloud for those tables (migrating from ownCloud to NextCloud for ongoing PHP support), fortunately the data was compatible. I haven't had to make a change to that specific config in almost 3 years and don't anticipate needing to make another change in the next year or two, if not longer.

ghnfox509 avatar Jun 14 '25 04:06 ghnfox509

> @skjnldsv yeah sure, here's the log I was able to pull from the server for that error:

Thanks @cmdrscotty, that is perfect! 🎉 So the header isn't being sent to the backend or the backend is discarding it. On the network request, if you click on the red one, you should be able to see the request headers that are being sent. You can see the Authorization header, right?

Image

skjnldsv avatar Jun 14 '25 09:06 skjnldsv

> > @skjnldsv yeah sure, here's the log I was able to pull from the server for that error:
>
> Thanks @cmdrscotty, that is perfect! 🎉 So the header isn't being sent to the backend or the backend is discarding it. On the network request, if you click on the red one, you should be able to see the request headers that are being sent. You can see the Authorization header, right?
>
> Image

yeah, went and double checked, it's in there

Image

cmdrscotty avatar Jun 14 '25 13:06 cmdrscotty

Thanks, that confirms my assumptions. Do you have a reverse proxy?

skjnldsv avatar Jun 14 '25 20:06 skjnldsv

> Thanks, that confirms my assumptions. Do you have a reverse proxy?

I do have HaProxy handling traffic coming externally.

I disabled it temporarily and tested it again as well as connected directly via ip (https disabled), but didn't seem to make a difference, still the same errors.

cmdrscotty avatar Jun 15 '25 14:06 cmdrscotty

No php fpm? Can you ensure the following (I know I already asked some of it, but it's to make sure)

  1. You have enabled the apache modules:
    • mod_rewrite
    • mod_env
    • mod_setenvif
    • mod_headers
    • mod_allowoverride
  2. Making sure your apache config is the same as our docs: https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html#apache-web-server-configuration
  3. Restarted your services & run an occ maintenance:update:htaccess

skjnldsv avatar Jun 15 '25 19:06 skjnldsv

Hello, with this exact configuration all external storage works except SMB/CIFS (with an LDAP account nothing works)

1234Erwan avatar Jun 17 '25 13:06 1234Erwan

> No php fpm? Can you ensure the following (I know I already asked some of it, but it's to make sure)
>
>   1. You have enabled the apache modules:
>     • mod_rewrite
>     • mod_env
>     • mod_setenvif
>     • mod_headers
>     • mod_allowoverride
>   2. Making sure your apache config is the same as our docs: https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html#apache-web-server-configuration
>   3. Restarted your services & run an occ maintenance:update:htaccess

eyyy that got it fixed!

looks like this was something where prior to about version 29.x it wasn't too strict about the Apache config for that site and would work just fine.

All I had in it was

<VirtualHost *:80>
  ServerName nas.***.com
  DirectoryIndex index.php index.html

  DocumentRoot /var/www/nextcloud
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
</VirtualHost>

Updated it to the example in the doc which got it working

<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud
  ServerName nas.***.com

  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
       Dav off
    </IfModule>
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
  </Directory>

</VirtualHost>

Did some playing around as well to identify what part of it specifically was affecting it and it's this section that if missing causes the issue:

    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

I wonder how difficult it would be to adjust the error it throws to have a note about checking that configuration or have something to check that those are enabled. Granted the amount of users coming from pre 29.x.x is likely dwindling but could be helpful to have a system check look out for this missing.

cmdrscotty avatar Jun 17 '25 23:06 cmdrscotty

> <VirtualHost *:80>
>   DocumentRoot /var/www/nextcloud
>   ServerName nas.***.com
>
>   <Directory /var/www/nextcloud/>
>     Require all granted
>     AllowOverride All
>     Options FollowSymLinks MultiViews
>
>     <IfModule mod_dav.c>
>        Dav off
>     </IfModule>
>     <IfModule mod_headers.c>
>       Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
>     </IfModule>

Is SMB/CIFS working for you? I have tested adding your lines to my config and using your strict config (except servername) and SMB/CIFS is still not working.

1234Erwan avatar Jun 18 '25 05:06 1234Erwan

AllowOverride All is what allows the htaccess. Your configuration was indeed incorrect, glad it's resolved. I had the feeling that was it.

I don't fully know what we can do regarding detecting Apache configs, but I'll raise it up internally!

skjnldsv avatar Jun 18 '25 06:06 skjnldsv
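
An added example, not part of the thread or of Nextcloud's code: a small Python check for the condition identified above, reporting which AllowOverride value a vhost file gives the Nextcloud document root. It reads only the text it is given (following Include directives is out of scope, an assumption), and the function names are hypothetical.

```python
import re

# The two vhosts from the thread (ServerName redacted as posted; the second is
# abridged to the <Directory> block that made the difference).
BEFORE = """<VirtualHost *:80>
  ServerName nas.***.com
  DirectoryIndex index.php index.html
  DocumentRoot /var/www/nextcloud
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
</VirtualHost>"""
AFTER = """<VirtualHost *:80>
  DocumentRoot /var/www/nextcloud
  ServerName nas.***.com
  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

def effective_allow_override(conf_text, docroot):
    """AllowOverride value applying to docroot in this text; Apache 2.4 defaults to None."""
    docroot = docroot.rstrip("/")
    stack, best = [], ("", "None")   # open sections; (matched <Directory> path, value)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif (m := OPEN.fullmatch(line)):
            stack.append((m.group(1).lower(), m.group(2).strip('" ').rstrip("/")))
        elif line.lower().startswith("allowoverride "):
            dirs = [arg for name, arg in stack if name == "directory"]
            covers = dirs and (docroot == dirs[-1] or docroot.startswith(dirs[-1] + "/"))
            if covers and len(dirs[-1]) >= len(best[0]):   # most specific path wins
                best = (dirs[-1], line.split(None, 1)[1])
    return best[1]

def htaccess_honoured(conf_text, docroot="/var/www/nextcloud"):
    """True only for AllowOverride All, the value used in the working config."""
    return effective_allow_override(conf_text, docroot).lower() == "all"

if __name__ == "__main__":
    print("before:", htaccess_honoured(BEFORE), "after:", htaccess_honoured(AFTER))
```
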

> AllowOverride All is what allows the htaccess. Your configuration was indeed incorrect, glad it's resolved. I had the feeling that was it.
>
> I don't fully know what we can do regarding detecting Apache configs, but I'll raise it up internally!

I always have the problem for SMB/CIFS storage.

1234Erwan avatar Jun 18 '25 07:06 1234Erwan

> I always have the problem for SMB/CIFS storage.

Can you describe what's exactly happening there? Because the issue raised here is happening for all storages in the settings page. I fail to understand why only some types of storages would fail to authenticate your account :)

skjnldsv avatar Jun 18 '25 11:06 skjnldsv

> > I always have the problem for SMB/CIFS storage.
>
> Can you describe what's exactly happening there? Because the issue raised here is happening for all storages in the settings page. I fail to understand why only some types of storages would fail to authenticate your account :)

I think what's happening is your Nextcloud username is being used in SMB authentication instead of the supplied username and password.

alfiecleofas avatar Jun 18 '25 14:06 alfiecleofas

> > I always have the problem for SMB/CIFS storage.
>
> Can you describe what's exactly happening there? Because the issue raised here is happening for all storages in the settings page. I fail to understand why only some types of storages would fail to authenticate your account :)

When I try to configure an SMB/CIFS storage, Nextcloud asks me for a password and tells me the password is wrong, but for example for a local external storage Nextcloud tells me the same password is right.

Image Image

1234Erwan avatar Jun 18 '25 15:06 1234Erwan

> > > I always have the problem for SMB/CIFS storage.
>
> > Can you describe what's exactly happening there? Because the issue raised here is happening for all storages in the settings page. I fail to understand why only some types of storages would fail to authenticate your account :)
>
> I think what's happening is your Nextcloud username is being used in SMB authentication instead of the supplied username and password.

I think not, but anyway I have tried with my LDAP account, which is exactly the same account used for the SMB share, and that is also not working.

1234Erwan avatar Jun 18 '25 15:06 1234Erwan

IIRC, the password confirmation prompt does not distinguish between errors, so any error will be interpreted as invalid password.

As a quick workaround, checking the actual answer might help you debug your issue @1234Erwan.

A proper fix would be to display the actual error to the user.

artonge avatar Jun 18 '25 17:06 artonge
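
An added example, not from the thread or the Nextcloud project: since the prompt reports every failure as a wrong password, this Python script sorts the files_external entries of a nextcloud.log by what the server actually logged. The sample lines are constructed around the two messages quoted in this thread; the cause labels and function names are hypothetical.

```python
import json
from collections import Counter

def _line(level, app, url, message, time):
    return json.dumps({"reqId": "constructed", "level": level, "time": time,
                       "app": app, "method": "POST", "url": url, "message": message})

# Constructed log lines; the first two messages are the ones quoted in this thread.
SAMPLE_LOG = "\n".join([
    _line(3, "index", "/index.php/apps/files_external/globalcredentials",
          "Missing or invalid Authorization header", "2025-06-13T20:45:02+00:00"),
    _line(2, "core", "/index.php/apps/files_external/globalstorages",
          "Login failed: 'nextcloud-login' (Remote IP: '1.1.1.37')", "2025-06-18T22:13:46+00:00"),
    _line(3, "files_external", "/index.php/apps/files_external/globalstorages/3",
          "constructed storage backend error", "2025-06-19T08:13:24+00:00"),
    _line(3, "index", "/index.php/apps/files/", "unrelated error", "2025-06-19T08:14:00+00:00"),
    "truncated, not JSON",
])

# Substring of "message" -> what the "wrong password" prompt was really reporting.
CAUSES = [
    ("Missing or invalid Authorization header", "authorization-header-missing"),
    ("Login failed:", "password-rejected"),
]

def triage(log_text, url_prefix="/index.php/apps/files_external/"):
    """Return (time, url, cause) for each relevant entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip partial or non-JSON lines
        if not isinstance(entry, dict) or not str(entry.get("url", "")).startswith(url_prefix):
            continue
        message = str(entry.get("message", ""))
        cause = next((label for needle, label in CAUSES if needle in message), None)
        if cause is None and entry.get("level", 0) >= 3:
            cause = "other-server-error"  # level 3 is the error level in the thread's log
        if cause:
            findings.append((entry.get("time"), entry.get("url"), cause))
    return findings

def summary(log_text):
    """Count findings per cause."""
    return Counter(cause for _, _, cause in triage(log_text))

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```
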

> > > > I always have the problem for SMB/CIFS storage.
>
> > > Can you describe what's exactly happening there? Because the issue raised here is happening for all storages in the settings page. I fail to understand why only some types of storages would fail to authenticate your account :)
>
> > I think what's happening is your Nextcloud username is being used in SMB authentication instead of the supplied username and password.
>
> I think not, but anyway I have tried with my LDAP account, which is exactly the same account used for the SMB share, and that is also not working.

Can you look into your logging and show details?

I am referring to an event like this.

[core] Warning: Login failed: 'nextcloud-login' (Remote IP: '1.1.1.37') POST /index.php/apps/files_external/globalstorages from 1.1.1.37 by nextcloud-login at Jun 18, 2025, 10:13:46 PM

alfiecleofas avatar Jun 18 '25 18:06 alfiecleofas

@alfiecleofas then, please try the patch I gave earlier, there is a pull request. Then follow the debugging procedure. It's in the first early messages. It should tell us if you do have a proper Nextcloud Apache config or not.

skjnldsv avatar Jun 18 '25 20:06 skjnldsv

> @alfiecleofas then, please try the patch I gave earlier, there is a pull request. Then follow the debugging procedure. It's in the first early messages. It should tell us if you do have a proper Nextcloud Apache config or not.

I resolved mine by:

php occ files_external:create nextcloud-files smb password::password -c host=ipaddress -c share=/sharedfolder/ -c user=smbuser -c password='yourpassword'

Thank you!

alfiecleofas avatar Jun 18 '25 20:06 alfiecleofas

I have the following errors :

	GET /index.php/apps/files_external/globalstorages/3?testOnly=true
	de 192.168.1.153 par admin à 19 juin 2025, 08:13:24
	GET /index.php/apps/files_external/globalstorages/3?testOnly=true
	de 192.168.1.153 par admin à 19 juin 2025, 08:13:24

1234Erwan avatar Jun 19 '25 06:06 1234Erwan

My external storage configuration is:

Image

This command is working for me on the same VM: smbclient -U erwan.pergaud "\\\172.16.0.2\Referents"

1234Erwan avatar Jun 19 '25 06:06 1234Erwan

@1234Erwan this is not related to the issue explained in the first post. Please check the documentation and your logs to deepen your analysis. Then I suggest you head over to the forum to ask for help. You have a configuration issue, not a bug :)

skjnldsv avatar Jun 19 '25 07:06 skjnldsv

I will try, thank you for your time.

1234Erwan avatar Jun 19 '25 07:06 1234Erwan