user_saml
external_storage for SMB/CIFS with Kerberos authentication shows red icon
Steps to reproduce
- Configure an external storage for SMB/CIFS with Kerberos authentication
Expected behaviour
The icon should become green and the share can be accessed.
Actual behaviour
The icon is red.
Server configuration
Operating system: Debian 10
Web server: Apache/2.4.38 (Debian) in separate Proxmox lxc container
Database: 10.3.17-MariaDB-0+deb10u1 Debian 10 in separate Proxmox lxc container
PHP version: 10.3.17-MariaDB-0+deb10u1 Debian 10
Nextcloud version: (see Nextcloud admin page) Nextcloud 20.0.3
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from:
No errors have been found.
List of activated apps:
App list
```
Enabled:
 - accessibility: 1.6.0
 - activity: 2.13.4
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - dashboard: 7.0.0
 - dav: 1.16.1
 - federatedfilesharing: 1.10.1
 - federation: 1.10.1
 - files: 1.15.0
 - files_external: 1.11.1
 - files_pdfviewer: 2.0.1
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.0
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - firstrunwizard: 2.9.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - password_policy: 1.10.1
 - photos: 1.2.1
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - recommendations: 0.8.0
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - survey_client: 1.8.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_ldap: 1.10.2
 - user_saml: 3.3.1
 - user_status: 1.0.1
 - viewer: 1.4.0
 - weather_status: 1.0.0
 - workflowengine: 2.2.0
Disabled:
 - admin_audit
 - encryption
 - smb_test
 - twofactor_totp
```
Nextcloud configuration:
Config report
```
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.1.123",
            "nextcloud.xxx.net",
            "cloud2.xxx.net",
            "cloud.xxx.net"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.3.2",
        "overwrite.cli.url": "http:\/\/cloud2.xxx.net\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpport": "25",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": "",
        "log_type": "file",
        "logfile": "var\/log\/nextcloud.log",
        "logfilemode": 416,
        "loglevel": 1,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
```
Are you using external storage, if yes which one: local/smb/sftp/... Trying to use SMB/CIFS with Kerberos authentication
Are you using encryption: yes/no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... openLDAP in separate Proxmox lxc container
LDAP config
+-------------------------------+-----------------------------------------------------------------------------------------------------------+
| Configuration | s02 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=admin,dc=lan,dc=xxx,dc=net |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=users,dc=lan,dc=xxx,dc=net |
| ldapBaseGroups | ou=groups,dc=lan,dc=xxx,dc=net |
| ldapBaseUsers | ou=users,dc=lan,dc=xxx,dc=net |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldap2.xxx.net |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=inetOrgPerson)(memberof=ou=nextcloud,ou=services,dc=lan,dc=xxx,dc=net)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------+
Client configuration
Browser: Firefox 84.0 in Proxmox VM
Operating system: Ubuntu 18.04
Logs
Web server error log
I have added some error_log statements to the PHP code. Maybe it helps you.
==> /var/log/apache2/nextcloud-ssl-error.log <==
[Thu Dec 17 11:29:20.810591 2020] [ssl:info] [pid 9616] [client 192.168.1.130:54496] AH01964: Connection to child 4 established (server cloud2.xxx.net:443)
[Thu Dec 17 11:29:20.855522 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] SMB->getFileInfo
[Thu Dec 17 11:29:20.856284 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->getSize
[Thu Dec 17 11:29:20.856315 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeFileInfo->stat
[Thu Dec 17 11:29:20.856383 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496]
[Thu Dec 17 11:29:20.856417 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeShare->getAttribute
[Thu Dec 17 11:29:20.856457 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeShare Object\n(\n [server:Icewind\\SMB\\Native\\NativeShare:private] => Icewind\\SMB\\Native\\NativeServer Object\n (\n [state:protected] => Icewind\\SMB\\Native\\NativeState Object\n (\n [state:protected] => \n [handlerSet:protected] => \n [connected:protected] => \n )\n\n [host:protected] => srv.xxx.net\n [auth:protected] => Icewind\\SMB\\KerberosAuth Object\n (\n )\n\n [system:protected] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n [timezoneProvider:protected] => Icewind\\SMB\\TimeZoneProvider Object\n (\n [timeZones:Icewind\\SMB\\TimeZoneProvider:private] => Array\n (\n )\n\n [system:Icewind\\SMB\\TimeZoneProvider:private] => Icewind\\SMB\\System Object\n (\n [paths:Icewind\\SMB\\System:private] => Array\n (\n )\n\n )\n\n )\n\n [options:protected] => Icewind\\SMB\\Options Object\n (\n [timeout:Icewind\\SMB\\Options:private] => 20\n )\n\n )\n\n [name:Icewind\\SMB\\Native\\NativeShare:private] => nextcloud\n [state:Icewind\\SMB\\Native\\NativeShare:private] => \n [forbiddenCharacters:Icewind\\SMB\\AbstractShare:private] => Array\n (\n [0] => ?\n [1] => <\n [2] => >\n [3] => :\n [4] => *\n [5] => |\n [6] => "\n [7] =>
[Thu Dec 17 11:29:20.856554 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->init
[Thu Dec 17 11:29:20.856609 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected:
[Thu Dec 17 11:29:20.857122 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Username: dummy
[Thu Dec 17 11:29:20.857170 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Workgroup: dummy
[Thu Dec 17 11:29:20.857202 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Password:
[Thu Dec 17 11:29:20.857238 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Arguments: -k
[Thu Dec 17 11:29:20.857272 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result: 1
[Thu Dec 17 11:29:20.857302 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] connected: 1
[Thu Dec 17 11:29:20.857337 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] NativeState->getxattr
[Thu Dec 17 11:29:20.857382 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] Icewind\\SMB\\Native\\NativeState Object\n(\n [state:protected] => Resource id nextcloud/server#16\n [handlerSet:protected] => \n [connected:protected] => 1\n)\n
[Thu Dec 17 11:29:20.857415 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] uri: smb://srv.xxx.net/nextcloud/
[Thu Dec 17 11:29:20.857444 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] key: system.dos_attr.*
[Thu Dec 17 11:29:20.964758 2020] [php7:notice] [pid 9616] [client 192.168.1.130:54496] result:
==> /var/log/apache2/nextcloud-ssl-access.log <==
192.168.1.130 - - [17/Dec/2020:11:29:20 +0000] "GET /index.php/apps/files_external/userstorages/4?testOnly=true HTTP/1.1" 200 2291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
Nextcloud log (data/nextcloud.log)
[no app in context] Error: Icewind\SMB\Exception\ForbiddenException: Invalid request for / (ForbiddenException) at <<closure>>
0. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 66
Icewind\SMB\Exception\Exception::fromMap({1: "Icewind\\SM ... "}, 1, "/")
1. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 78
Icewind\SMB\Native\NativeState->handleError("/")
2. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 306
Icewind\SMB\Native\NativeState->testResult("*** sensitive parameter replaced ***", "smb://srv.xxx.net/nextcloud/")
3. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 308
Icewind\SMB\Native\NativeState->getxattr("smb://srv.xxx.net/nextcloud/", "system.dos_attr.*")
4. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 66
Icewind\SMB\Native\NativeShare->getAttribute("/", "system.dos_attr.*")
5. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 87
Icewind\SMB\Native\NativeFileInfo->stat()
6. /var/www/html/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 113
Icewind\SMB\Native\NativeFileInfo->getSize()
7. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 189
Icewind\SMB\Native\NativeShare->stat("/")
8. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 337
OCA\Files_External\Lib\Storage\SMB->getFileInfo("/")
9. /var/www/html/nextcloud/lib/private/Files/Storage/Common.php line 458
OCA\Files_External\Lib\Storage\SMB->stat("")
10. /var/www/html/nextcloud/apps/files_external/lib/Lib/Storage/SMB.php line 706
OC\Files\Storage\Common->test()
11. /var/www/html/nextcloud/apps/files_external/lib/MountConfig.php line 264
OCA\Files_External\Lib\Storage\SMB->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
12. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 255
OCA\Files_External\MountConfig::getBackendStatus("*** sensitive parameters replaced ***")
13. /var/www/html/nextcloud/apps/files_external/lib/Controller/StoragesController.php line 330
OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
14. /var/www/html/nextcloud/apps/files_external/lib/Controller/UserStoragesController.php line 108
OCA\Files_External\Controller\StoragesController->show("4", "*** sensitive parameter replaced ***")
15. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 169
OCA\Files_External\Controller\UserStoragesController->show("4", "*** sensitive parameter replaced ***")
16. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern ... {}, "show")
17. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 152
OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern ... {}, "show")
18. /var/www/html/nextcloud/lib/private/Route/Router.php line 308
OC\AppFramework\App::main("OCA\\Files_Exte ... r", "show", OC\AppFramework\ ... {}, {action: null,id ... "})
19. /var/www/html/nextcloud/lib/base.php line 1008
OC\Route\Router->match("/apps/files_external/userstorages/4")
20. /var/www/html/nextcloud/index.php line 37
OC::handleRequest()
GET /index.php/apps/files_external/userstorages/4?testOnly=true
from 192.168.1.130 by test05 at 2020-12-17T11:29:20+00:00
Browser log
Description
When I do the following on the client or on the web server, I can connect to the share:
```shell
kinit test05
smbclient //srv.xxx.net/nextcloud/ -U test05 -k
```
In the Nextcloud configuration I always get the red icon.
After some debugging I found a solution. Maybe this helps others who have the same problem.
The Kerberos authentication is done with Apache mod_auth_gssapi. The config looks like this:
```apache
<Location "/index.php/apps/user_saml/saml/login">
    AuthType GSSAPI
    AuthName "Nextcloud SSO Login"
    Require valid-user
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiBasicAuth On
    GssapiNegotiateOnce On
    GssapiSSLonly On
    GssapiLocalName On
    GssapiDelegCcacheDir /var/lib/apache2/ccache
</Location>
```
smbclient needs the Kerberos ticket of the authenticated user but doesn't get it.
I made two small changes to make the ticket accessible to smbclient:
- write $_SERVER['KRB5CCNAME'] (which holds the path to the credentials cache) into a session variable. Note 1: this is necessary because KRB5CCNAME is only set after login. Note 2: putenv at this point didn't work because the value is cleared before smbclient is called.
- read the variable from the session and write it to the environment before smbclient is called.
--- apps/user_saml//lib/Controller/SAMLController.php.orig 2021-02-13 17:03:50.980145264 +0000
+++ apps/user_saml//lib/Controller/SAMLController.php 2021-02-13 16:51:18.807334055 +0000
@@ -122,6 +122,8 @@
$uid = $auth[$uidMapping];
}
+ $_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];
+
// make sure that a valid UID is given
if (empty($uid)) {
$this->logger->error('Uid "' . $uid . '" is not a valid uid please check your attribute mapping', ['app' => $this->appName]);
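Review bot: the added line `$_SESSION['ccname'] = $_SERVER['KRB5CCNAME'];` reads the server variable without checking that it exists, so on any login that did not pass through mod_auth_gssapi (this controller also serves the ordinary IdP-based SAML flow) PHP emits an undefined-index notice and stores null in the session; guard it with `isset($_SERVER['KRB5CCNAME'])` and, in the else branch, unset the session key so a value from an earlier login is never kept. Writing to `$_SESSION` directly also sidesteps Nextcloud's session abstraction (`\OCP\ISession`); going through it keeps the ccache path under the same lifecycle and logout cleanup as the rest of the login state, and a short comment explaining why the value is captured here (it is only populated after the GSSAPI login) would help the next reader.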
--- apps/files_external/lib/Lib/Storage/SMB.php.orig 2021-02-13 17:05:12.351033284 +0000
+++ apps/files_external/lib/Lib/Storage/SMB.php 2021-02-13 16:49:24.836621464 +0000
@@ -125,6 +125,8 @@
}
}
+ putenv('KRB5CCNAME=' . $_SESSION['ccname']);
+
$serverFactory = new ServerFactory($options);
$this->server = $serverFactory->createServer($params['host'], $auth);
$this->share = $this->server->getShare(trim($params['share'], '/'));
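Review bot: `putenv('KRB5CCNAME=' . $_SESSION['ccname']);` runs for every SMB mount regardless of the authentication mode, before `$auth` is even consulted, and it assumes a web session exists; under occ, cron or any mount that uses password or global credentials the key is absent, which produces a notice and sets `KRB5CCNAME=` to an empty value for the whole process. Guard it so it only runs when `$auth` is Kerberos-based and the session key is present. Because putenv() changes the environment of the entire PHP worker and nothing here ever resets it, the last user's ccache path stays in effect for later requests handled by the same worker; restoring or unsetting the previous value once the share has been set up limits that exposure.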
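As an added illustration (not the issue author's patch and not Nextcloud or user_saml code) of the two-step handoff described above, done defensively: the ccache path exported by mod_auth_gssapi is validated before it is stored, and the environment variable is only set for the duration of the SMB call and only for Kerberos mounts. Assumed: mod_auth_gssapi exports KRB5CCNAME as `FILE:<GssapiDelegCcacheDir>/<name>`, GssapiDelegCcacheDir is `/var/lib/apache2/ccache` as in the config above, and a plain array stands in for Nextcloud's session service.

```php
<?php
// Added example, not code from the issue or from Nextcloud.
// Assumption: GssapiDelegCcacheDir is /var/lib/apache2/ccache (see the Apache config in the issue).
declare(strict_types=1);

const CCACHE_DIR = '/var/lib/apache2/ccache';   // must match GssapiDelegCcacheDir

/**
 * Step 1 (login handler): accept only a ccache path that mod_auth_gssapi could
 * have produced, so a forged, stale or traversal-style value is never stored.
 * Returns the validated value, or null when the login was not GSSAPI-based.
 */
function captureKerberosCcache(array $server, array &$session): ?string {
    $raw = $server['KRB5CCNAME'] ?? '';
    if (!preg_match('#^FILE:(' . preg_quote(CCACHE_DIR, '#') . '/[A-Za-z0-9._-]+)$#', $raw, $m)) {
        unset($session['krb5ccname']);            // never keep a previous user's value
        return null;
    }
    // realpath() resolves symlinks and ".." so the file must really live in CCACHE_DIR
    $real = realpath($m[1]);
    if ($real === false || dirname($real) !== CCACHE_DIR) {
        unset($session['krb5ccname']);
        return null;
    }
    $session['krb5ccname'] = 'FILE:' . $real;
    return $session['krb5ccname'];
}

/**
 * Step 2 (SMB storage): expose the ticket only while the SMB call runs and only
 * when the mount uses Kerberos, then restore the previous environment.
 * putenv() is process-wide, so without the restore user A's ccache could be
 * visible to user B's later request served by the same PHP worker.
 */
function withKerberosCcache(array $session, bool $kerberosAuth, callable $smbCall) {
    if (!$kerberosAuth) {
        return $smbCall();                        // password/global creds: nothing to do
    }
    $ccache = $session['krb5ccname'] ?? null;
    if ($ccache === null) {
        throw new RuntimeException('No delegated Kerberos ticket in session; log in via GSSAPI first');
    }
    $previous = getenv('KRB5CCNAME');
    putenv('KRB5CCNAME=' . $ccache);
    try {
        return $smbCall();                        // e.g. ServerFactory / getShare / stat
    } finally {
        // putenv('NAME') without '=' unsets the variable in PHP
        putenv($previous === false ? 'KRB5CCNAME' : 'KRB5CCNAME=' . $previous);
    }
}
```

The two functions map onto the two hunks in the issue: the first belongs where the SAML controller derives the uid, the second wraps the `ServerFactory`/`getShare` setup in the SMB storage.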
@gno65
always get the red icon
Hi, how about the current NC 21.0.2? (External storage 1.12.0 + SSO & SAML auth 4.1.1) SMB + Kerberos ticket still doesn't work as is. Do you have a new patch?
P.S. Your hint has no effect now.
Damn!!!... after two months of agony, this crooked kerberos-ticket function finally works.
It is unclear what the people developing this project are looking at. These changes have not been merged into the code, and the documentation is still at absolute zero, as it was. And no reaction at all to this thread. Either it's a crooked hack, or who knows.
-
Without changing the PHP, you can run sudo -u www-data kinit #### from the server console, with a keytab or by entering the password by hand. Then the kerberos ticket works in the web UI too. But in practice that is no different from global creds, i.e. pointless. And using the ticket via SSO (environment variable REMOTE_USER) does not work in any way without the edits from this thread. And if it is possible, nobody writes how.
-
For 2 months it didn't work even with the PHP changes, because GssapiDelegCcacheDir is an extremely buggy thing: in /tmp it refused to create the file, who knows why, so $_SERVER['KRB5CCNAME'] was not populated either. I had to find/create a folder that only apache can write to: /var/cache/apache2
Who knows why linux has such a hassle with file access; I never understood the essence of how and why it's done. But that's only half the trouble. Although I constantly used IE11 for tests, I tested more often in Chrome. So, to get this working, I had to download the ADMX for chrome and through it in gpedit.msc additionally enable the policy for which sites kerberos may be used. I.e. idiocy: SSO works, but who knows through which protocol; the GssapiDelegCcacheDir file is not created. And it's not about "intranet" sites; for chrome that is not enough. For IE11 it is.
In the end I set kerberos ticket everywhere in External storages smb, and the checkmarks became green instead of red. BUT a third snag: smbclient -kL does not work against an AD DC with DFS. I.e. smbclient -L domain.local works, but smbclient -kL domain.local does not anymore, although smbclient -kL comp.domain.local works perfectly, and even smbclient -kL comp. Yet another piece of linux nonsense. I had to redo all the shares. It used to be domain.local folders and everything worked
I had to make it dc1 (domain.local) folders
i.e. fault tolerance decreased
AND ALL OF THE ABOVE WAS DONE BLINDLY, BY TRIAL AND ERROR. There is not a single manual on the entire internet! So 2 months is even fast...
And one more thing: it is confirmed that these edits are some kind of hack, not quite right. Because although the smb shares themselves work via kerberos and can even be shared externally (http)?, all the logs are full of errors
i.e. who knows how it works and glitches at the same time
Please post only in English, thank you!
As this looks like a user_saml issue, I am transferring it there.