Access denied when opening files with NC Office on external CIFS storage

Hi,

Let me start by saying I’m new to Nextcloud. I’m experimenting to see if it would benefit my immediate family to share files, calendars, lists, etc.

However I’ve run into a problem with my setup and I’m not sure it’s a bug (or missing feature) with Nextcloud, Nextcloud Office, or Collabora, or if it’s a mistake on my part in my configuration. I would definitely appreciate some guidance to find out what part is failing, as well as help debugging and resolving the issue.

The problem is documents stored in external storage (SMB/CIFS) cannot be opened with Nextcloud Office. I get the infamous “Document loading failed. Try again later.”

Documents stored in regular Nextcloud folders open/edit/save without issues. I am also able to access, modify or delete files of all kinds on the external storage otherwise; whether by the web interface, the android app, or the Collabora android app.

The only somewhat relevant issue/thread I could find is “Editing files with Collabora doesn't work on external storages · Issue #3407 · nextcloud/android · GitHub”… but it applies to the Android client, and is closed. I also verified that it works for me.

My client setup:

  • Desktop running Ubuntu 20.04.4 LTS
  • Firefox 102.0+build2-0ubuntu0.20.04.1

My server setup:

  • Ubuntu 20.04.4 LTS
  • Nextcloud 24.0.2.0 (manual install from zip)
  • Nextcloud Office App 6.1.1
  • Apache 2.4.41-4ubuntu3.12
  • PHP 7.4.3-4ubuntu2.12
  • Collabora docker, (re)installed 2022-07-12 using the nextcloud/vm collabora_docker.sh script: COOLWSD HTTP Server 22.05.3.1
  • User configured External Storage SMB/CIFS with “Log-in credentials; save in session”
  • External storage is a shared folder on a Helios4 NAS running openmediavault (Debian 11 Bullseye)
  • No issues or security warnings in NC Administration Overview
  • A+ security rating on scan.nextcloud.com
  • The Nextcloud Office app reports the Collabora Office server is available

Docker logs: (no other logs, NC, Apache contain anything useful)

wsd-00001-00182 2022-07-13 15:14:12.163390 +0000 [ docbroker_00d ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| net/Socket.hpp:726
wsd-00001-00182 2022-07-13 15:14:12.333417 +0000 [ docbroker_00d ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0| wsd/DocumentBroker.cpp:2258
wsd-00001-00182 2022-07-13 15:14:12.333486 +0000 [ docbroker_00d ] ERR  Failed to add session to [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v] with URI [https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0]: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0| wsd/DocumentBroker.cpp:2220
wsd-00001-00182 2022-07-13 15:14:12.333540 +0000 [ docbroker_00d ] ERR  Unauthorized Request while starting session on https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v for socket #23. Terminating connection. Error: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0| wsd/COOLWSD.cpp:4425
wsd-00001-00182 2022-07-13 15:14:12.333732 +0000 [ docbroker_00d ] ERR  Invalid or unknown session [09c] to remove.| wsd/DocumentBroker.cpp:2303
wsd-00001-00033 2022-07-13 15:14:12.359981 +0000 [ websrv_poll ] WRN  DocBroker with docKey [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v] is unloading. Rejecting client request to load.| wsd/COOLWSD.cpp:3010
wsd-00001-00033 2022-07-13 15:14:12.360162 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v].| wsd/COOLWSD.cpp:4465
wsd-00001-00033 2022-07-13 15:14:12.360231 +0000 [ websrv_poll ] ERR  #23: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1430
wsd-00001-00033 2022-07-13 15:14:12.360288 +0000 [ websrv_poll ] ERR  #23: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1430
wsd-00001-00033 2022-07-13 15:14:12.360334 +0000 [ websrv_poll ] WRN  #23 is shutting down but 64 bytes couldn't be flushed and still remain in the output buffer.| net/WebSocketHandler.hpp:812
wsd-00001-00033 2022-07-13 15:14:12.360455 +0000 [ websrv_poll ] ERR  #23: Attempted to remove: 1072 which is > size: 0 clamped to 0| net/Socket.hpp:1233
wsd-00001-00033 2022-07-13 15:14:12.360536 +0000 [ websrv_poll ] ERR  #23: Error while handling poll at 0 in websrv_poll: #23BIO error: 337690831, rc: -1: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:
140010892289792:error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:../ssl/ssl_lib.c:1917:
| net/Socket.cpp:450
wsd-00001-00033 2022-07-13 15:14:12.892877 +0000 [ websrv_poll ] WRN  DocBroker with docKey [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v] is unloading. Rejecting client request to load.| wsd/COOLWSD.cpp:3010
wsd-00001-00033 2022-07-13 15:14:12.893291 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v].| wsd/COOLWSD.cpp:4465
wsd-00001-00033 2022-07-13 15:14:12.893356 +0000 [ websrv_poll ] ERR  #23: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1430
wsd-00001-00033 2022-07-13 15:14:12.893419 +0000 [ websrv_poll ] ERR  #23: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1430
wsd-00001-00033 2022-07-13 15:14:12.893468 +0000 [ websrv_poll ] WRN  #23 is shutting down but 64 bytes couldn't be flushed and still remain in the output buffer.| net/WebSocketHandler.hpp:812
wsd-00001-00033 2022-07-13 15:14:12.893527 +0000 [ websrv_poll ] ERR  #23: Attempted to remove: 1072 which is > size: 0 clamped to 0| net/Socket.hpp:1233
wsd-00001-00033 2022-07-13 15:14:12.893708 +0000 [ websrv_poll ] ERR  #23: Error while handling poll at 0 in websrv_poll: #23BIO error: 337690831, rc: -1: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:
140010892289792:error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:../ssl/ssl_lib.c:1917:
| net/Socket.cpp:450
wsd-00001-00028 2022-07-13 15:14:14.334234 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:3095
wsd-00001-00028 2022-07-13 15:14:14.334405 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:3095
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00029-00029 2022-07-13 15:14:14.946905 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/4GSQsUwI7YHVuCAl/tmp]| common/JailUtil.cpp:70
wsd-00001-00184 2022-07-13 15:14:14.947300 +0000 [ docbroker_00e ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| net/Socket.hpp:726
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00029-00029 2022-07-13 15:14:14.970793 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/4GSQsUwI7YHVuCAl/lo]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00029-00029 2022-07-13 15:14:14.996038 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/4GSQsUwI7YHVuCAl]| common/JailUtil.cpp:70
wsd-00001-00184 2022-07-13 15:14:15.133412 +0000 [ docbroker_00e ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0&permission=edit| wsd/DocumentBroker.cpp:2258
wsd-00001-00184 2022-07-13 15:14:15.133504 +0000 [ docbroker_00e ] ERR  Failed to add session to [https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v] with URI [https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0&permission=edit]: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0&permission=edit| wsd/DocumentBroker.cpp:2220
wsd-00001-00184 2022-07-13 15:14:15.133569 +0000 [ docbroker_00e ] ERR  Unauthorized Request while starting session on https://nextcloud.mydomain.com:443/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v for socket #23. Terminating connection. Error: Access denied, 403. WOPI::CheckFileInfo failed on: https://nextcloud.mydomain.com/index.php/apps/richdocuments/wopi/files/144617_oc2kt4od930v?access_token=cHroCxlKOVZJbo6kKv44yYUrgOqM9RQL&access_token_ttl=0&permission=edit| wsd/COOLWSD.cpp:4425
wsd-00001-00184 2022-07-13 15:14:15.133816 +0000 [ docbroker_00e ] ERR  Invalid or unknown session [09f] to remove.| wsd/DocumentBroker.cpp:2303

If there is information missing, please let me know. I tried my best to be thorough; but as mentioned earlier, I’m new to Nextcloud. Wouldn’t surprise me if I missed something.

Any help would be greatly appreciated!

Given the fact that files on internal storage open without issue, the integration between Nextcloud and Collabora, reverse proxy, etc. must be good. Focus on the external storage and try to collect logs there; maybe you will see why it fails (e.g. richdocuments doesn’t act as the right user)…

But at the same time I see Collabora logs which look like global issues, and I would expect the integration to be completely broken:

SSL routines:ssl_write_internal:protocol is shutdown:..:

sounds more like a TLS issue between both systems…

I think I may have narrowed it down a bit: External storage SMB/CIFS with “Log-in credentials; save in session” does not work. However, using “Log-in credentials; save in database” seems to work.

Thanks wwe.

I have both Nextcloud and Collabora servers set up on the same machine, using Apache virtual hosts, each having their own Let’s Encrypt certificate.

I have them both set up with a port 80 redirect to https. Here is the SSL config for both:

Nextcloud:

SSLProtocol             -all +TLSv1.2 +TLSv1.3
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Collabora:

  SSLEngine              on
  SSLCompression         off
  SSLProtocol            -all +TLSv1.2 +TLSv1.3
  SSLCipherSuite         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder    off
  SSLSessionTickets      off
  ServerSignature        off

  AllowEncodedSlashes NoDecode

  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

Sounds reasonable - the request coming from Collabora is completely new and independent from the existing user session, so credentials stored in the user session are not available at this time…
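
A triage sketch for a coolwsd log like the one in the opening post, added here as an example and not code from the thread or from the Nextcloud or Collabora projects: it pulls out the distinct WOPI authorization failures, masks access_token values before a log is shared, and counts errors on a socket that coolwsd has already terminated as follow-on noise. That last step is a heuristic assumption; the sample lines are constructed (placeholder host, file id and token), and redact and triage are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the coolwsd log format shown in the opening post;
# host, file id and token are placeholders, not values from the thread.
SAMPLE = """\
wsd-00001-00182 2022-07-13 15:14:12.333417 +0000 [ docbroker_00d ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.example.test/index.php/apps/richdocuments/wopi/files/1_abc?access_token=PLACEHOLDERTOKEN&access_token_ttl=0| wsd/DocumentBroker.cpp:2258
wsd-00001-00182 2022-07-13 15:14:12.333540 +0000 [ docbroker_00d ] ERR  Unauthorized Request while starting session on https://cloud.example.test:443/index.php/apps/richdocuments/wopi/files/1_abc for socket #23. Terminating connection.| wsd/COOLWSD.cpp:4425
wsd-00001-00033 2022-07-13 15:14:12.360231 +0000 [ websrv_poll ] ERR  #23: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1430
wsd-00001-00033 2022-07-13 15:14:12.360536 +0000 [ websrv_poll ] ERR  #23: Error while handling poll at 0 in websrv_poll: #23BIO error: 337690831, rc: -1: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:
"""

LINE = re.compile(r"^\S+ (\S+ \S+) \S+ \[ \S+ \] (?:ERR|WRN)\s+(.*)$")
WOPI = re.compile(r"Access denied, (\d{3})\. WOPI::(\w+) failed on: (https?://[^\s|\]]+)")
TERMINATED = re.compile(r"for socket #(\d+)\. Terminating connection")
SOCKET_ERR = re.compile(r"^#(\d+): ")
TOKEN = re.compile(r"(access_token=)[^&|\s\]]+")

def redact(text):
    """Mask WOPI access tokens so the log can be shared."""
    return TOKEN.sub(r"\1REDACTED", text)

def triage(text):
    """Separate WOPI authorization failures from socket errors that follow them."""
    roots, terminated, follow_on, other = set(), {}, 0, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (OpenSSL error stack, shell output)
        stamp, msg = m.groups()  # fixed-width timestamps compare as strings
        w, t, s = WOPI.search(msg), TERMINATED.search(msg), SOCKET_ERR.match(msg)
        if w:
            file_id = urlsplit(w.group(3)).path.rsplit("/", 1)[-1]
            roots.add((int(w.group(1)), w.group(2), file_id))
        if t:
            terminated.setdefault(t.group(1), stamp)
        if s and s.group(1) in terminated and stamp >= terminated[s.group(1)]:
            follow_on += 1  # heuristic: socket was already closed by coolwsd
        elif s or not (w or t):
            other.append(redact(raw))
    return {"roots": sorted(roots), "follow_on": follow_on, "other": other}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Anything left in the "other" list is an error or warning that the WOPI failure does not account for and is worth reading on its own.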