AD integration (Win 2016) - works, but login fails

Nextcloud version: 12.0.4
Operating system and version: Ubuntu 16.04
Apache or nginx version: Apache/2.4.18
PHP version: PHP 7.0.22-0ubuntu0.16.04.1

The issue you are facing:
Authentication problems against AD on Windows Server 2016

Is this the first time you’ve seen this error? Y

Steps to replicate it:

  1. connect nextcloud to AD (successful)
  2. login with a valid user (tested)
  3. wrong password. reset?

I am a bit lost where to start to debug this. Is there a debug log where I can see the communication between the nextcloud server and the LDAP server?

The password of the test user is definitely correct; I can log in to the Windows server just fine. I tried different user name schemes (AD\user, user@AD) without success.

The “wrong password” message comes most of the time after 30 sec.

Time is synced on both machines (as this is a common problem with AD authentication).

The output of your Nextcloud log in Admin > Logging:

Warning	core	Login failed: 'test' (Remote IP: '1.2.3.4')

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '*',
  'passwordsalt' => '*',
  'secret' => '*',
  'trusted_domains' =>
  array (
    0 => 'domain.com',
  ),
  'datadirectory' => '/home/domain/domains//domain.com//public_html/data',
  'overwrite.cli.url' => 'http://domain.com',
  'dbtype' => 'sqlite3',
  'version' => '12.0.4.3',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
);

Silly question: What login attribute have you configured in the ldap wizard?

LDAP / AD Username: [x]
LDAP / AD Email Address: [x]
(&(&(|(objectclass=person))(|(|(memberof=CN=Administrators,CN=Builtin,DC=ad,DC=domain,DC=com)(primaryGroupID=544))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

Try setting sAMAccountName under Login attributes -> Other Attributes. The AD username (I don't know your knowledge level of Active Directory, so excuse me if I state the obvious) is usually a very ugly string of numbers and letters. Did you try logging in with the e-mail address (mail attribute in AD)?

Also it looks like you have restricted access to users in the Administrators group. Is that intentional? If not, it may cause the trouble. For troubleshooting reasons, you could also remove the Objectclass=Person from the Users tab, just to rule that out.

My LDAP filter shows different syntax; I only have one system to cross-check and that is a NC 11.0.4, so there may be differences I am not aware of. Can you tell me from which field the following part of the filter comes?

(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

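To make explicit what the filter quoted above does, here is an added example (Python written for this page, not code from the thread or from Nextcloud) that parses it and lists the attributes the typed login name (%uid) is compared against, plus the group tests that restrict who may log in at all. The parser covers only the RFC 4515 subset used here, and the sAMAccountName-only filter at the end is a constructed comparison matching the suggested "Other Attributes" setting.

```python
# Added example, not from the thread or Nextcloud: a minimal RFC 4515 filter parser
# (&, |, ! and attr=value) showing which attributes a login filter compares %uid against.
def parse_filter(text):
    """Return a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in '&|!':
            op, pos, children = text[pos], pos + 1, []
            while text[pos] == '(':
                children.append(node())
            result = (op, children)
        else:
            end = text.index(')', pos)
            attr, _, value = text[pos:end].partition('=')  # first '=' only: DNs contain '='
            result, pos = ('=', attr.strip(), value), end
        if text[pos] != ')':
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def assertions(tree):
    """Yield every (attribute, value) comparison in the tree, in filter order."""
    if tree[0] == '=':
        yield tree[1], tree[2]
    else:
        for child in tree[1]:
            yield from assertions(child)

def login_attributes(filter_text):
    """Attributes the typed login name (%uid) is matched against, lower-cased."""
    return sorted(a.lower() for a, v in assertions(parse_filter(filter_text)) if v == '%uid')

def group_restrictions(filter_text):
    """Group-membership tests that decide who may log in at all."""
    return [(a, v) for a, v in assertions(parse_filter(filter_text))
            if a.lower() in ('memberof', 'primarygroupid')]

# The filter exactly as quoted in the thread, and a constructed sAMAccountName-only variant.
THREAD_FILTER = ("(&(&(|(objectclass=person))(|(|(memberof=CN=Administrators,CN=Builtin,"
                 "DC=ad,DC=domain,DC=com)(primaryGroupID=544))))"
                 "(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))")
SAM_ONLY_FILTER = "(&(objectclass=person)(samaccountname=%uid))"
```

Running `login_attributes(THREAD_FILTER)` shows the login name is tried against samaccountname, mailPrimaryAddress and mail, while `group_restrictions` surfaces the Administrators/primaryGroupID=544 limit that the answer above flags.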

This did the trick. I didn’t look further because of this sentence in the docs:

Compared to earlier Nextcloud versions, no further tweaks need to be done to make Nextcloud work with Active Directory. Nextcloud will automatically find the correct configuration in the set-up process.

Ha, I knew it :sunglasses:

Yeah, that is in fact a bit misleading. It gives you a working setup, but not a particularly good one.

Look in the Advanced and expert tabs and explore them.
I do the following additional tweaks:

Set homefolder to samaccountname too (Expert tab)
As well as Displayname=displayname (Advanced->folders, first entry)
Sometimes I also set a base tree. It simplifies filtering users sometimes, but be aware that you can only state one.
And Mail=mail (could be a default setting in the meantime. Not sure.)

Play with it, and have ALL parameters to your liking before going into production. Speaking of production:

You know that this:
'dbtype' => 'sqlite3',
is not a good idea for a production system?

Thanks for the advice. I set up a system like you suggest in ownCloud some years ago and would have seen your solution right away had I looked at the configuration, because I did it like this. :slight_smile: (But now someone else will find the solution in the forum.)

Re sqlite3 vs. MySQL: you are right, but the purpose of this installation will be purely sharing single files with only a few recipients and not a proper extension of an AD environment, so it will never grow beyond the point where MySQL will be necessary.