Admins cannot access admin settings

arumes31 · November 29, 2023, 3:43pm

Nextcloud version _: 27.1.4.1 (docker image nextcloud:latest) (same issue with other 27.x images)
Operating system and version (eg, Ubuntu 20.04): 22.04

The issue you are facing:

All admin users can’t access admin settings anymore.
The Admin context menu is not displayed and accessing the url /settings/admin/overview displays access denied.
i cannot find any errors in nextcloud.log or container logs.

admins are still in the admin group, how can i check if the admin group still has admin permissions??

occ group:list:  
  - admin:
    - admin
    - IT

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:

not accessible

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "10.67.249.34:8585",
            "2": "cloud.xxxx.com"
        },
        "overwriteprotocol": "https",
        "overwritehost": "cloud.xxxx.com",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "27.1.4.1",
        "overwrite.cli.url": "http:\/\/10.67.249.34:8585",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "loglevel": 2,
        "maintenance": false,
        "default_phone_region": "AT",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25"
    }
}

occ apps:list: 
Enabled:
  - activity: 2.19.0
  - bruteforcesettings: 2.7.0
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - survey_client: 1.15.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - admin_audit: 1.17.0
  - encryption: 2.15.0
  - files_antivirus: 4.0.3 (installed 4.0.3)
  - files_external: 1.19.0
  - suspicious_login: 5.0.0
  - twofactor_totp: 9.0.0
  - user_ldap: 1.17.0

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

no errors ?

jtr · November 29, 2023, 5:04pm

Can you post a screenshot?

arumes31 · November 29, 2023, 7:24pm

sure

Admin User :

Accessing …/settings/admin/overview

ernolf · November 29, 2023, 7:49pm

This is my suspicion:

The USER admin is not member of the GROUP admin, so it ain’t have no admin rights:

And then the display_name is shown in your screenshot. Is that also the user_id / login name?

Try to fix it with this occ command:

occ group:adduser admin admin

I hope this will help to solve your issue.

If your problem is not solved with that, what is the output of

occ user:info admin

Much luck,
ernolf

arumes31 · November 30, 2023, 7:45am

the user is already in the admin group

occ group:adduser admin admin

Output: 
In ExceptionConverter.php line 57:

  An exception occurred while executing a query: SQLSTATE[23505]: Unique viol
  ation: 7 ERROR:  duplicate key value violates unique constraint "oc_group_u
  ser_pkey"
  DETAIL:  Key (gid, uid)=(admin, admin) already exists.


In Exception.php line 30:

  SQLSTATE[23505]: Unique violation: 7 ERROR:  duplicate key value violates u
  nique constraint "oc_group_user_pkey"
  DETAIL:  Key (gid, uid)=(admin, admin) already exists.


In Statement.php line 101:

  SQLSTATE[23505]: Unique violation: 7 ERROR:  duplicate key value violates u
  nique constraint "oc_group_user_pkey"
  DETAIL:  Key (gid, uid)=(admin, admin) already exists.


group:adduser <group> <user>

occ user:info admin

  - user_id: admin
  - display_name: admin
  - email:
  - cloud_id: admin@http://10.67.249.34:8585
  - enabled: true
  - groups:
  - quota: none
  - storage:
    - free: 117892534272
    - used: 7006000
    - total: 117899540272
    - relative: 0.01
    - quota: -3
  - last_seen: 2023-11-30T07:33:10+00:00
  - user_directory: /var/www/html/data/admin
  - backend: Database

arumes31 · November 30, 2023, 8:25am

i have created a new admin, that user works now

command:

docker exec -u www-data -it nextcloud-app-1  sh -c 'export OC_PASS="tempadminpass2023!" && /var/www/html/occ user:add --password-from-env --display-name admin2 -g admin admin2'

other admins are in the admins tab but not in the admin group
adding them to the group admin results in “an error occured during the request. unable to proceed.”
“occ group:removeuser admin admin” does nothing

deleting the admin user with occ user:delete admin
and recreating results in the same error, admin in group admin already exists

jtr · November 30, 2023, 7:46pm

When did this behavior start? Immediately after an update to v27.1.4? What version did you upgrade from?

Somehow your db got messed up.

Was the database restored at some point recently? Or maybe a manually forced (and not at all supported) downgrade or something?

arumes31 · December 1, 2023, 7:46am

no the instanz is on auto update with watchtower, so sadly i cant say when this behavior started
but i can test different backups if i dont find another solution

best regards