App passwords not working, 2FA enabled

I just enabled 2FA. While my desktop clients still work, I can’t mount my cloud anymore, on any platform. I expected app passwords to solve this: however, after following the steps in the documentation, it doesn’t work.
On Windows 11, I want to use the command

net use * https://<my_Nextcloud_URL>/remote.php/dav/files/myusername/ /user:myusername 
> *type app-specific password here* 

in PowerShell but I get an error saying that “the user is not authenticated”.
In rclone, I do a “rclone config” and type the app specific password, then I mount, it does something, but when I do a “ls /path/to/mountpoint” I get the following error:

<3>ERROR : IO error: couldn't list files: OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden: 401 Unauthorized

For mounting as a remote WebDAV in KDE directly (using KDE Plasma on OpenSUSE Tumbleweed), I don’t have any error but the drive is empty, and in Dolphin directly, Dolphin freezes as soon as I click go (though in this particular case I’m not even sure that 2FA is the problem).
So I’m kind of stuck, everywhere… I tried adding passwords to existing sessions, and creating new ones, to no avail. Any help would be much appreciated. Thanks!


Nextcloud version (eg, 20.0.5): 26.0.2
Operating system and version (eg, Ubuntu 20.04): Linux 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 on the server, see post for the laptops.
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4
PHP version (eg, 7.4): 8.0

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. enable 2FA
  2. try to mount with one of the above-mentioned methods using an app-specific password

EDIT: I more or less managed to get around all of the above problems by now.

  1. On Windows, I followed the section “Mapping drives with Windows Explorer” of this doc page. It’s all GUI, and when I selected “app token identification” it worked immediately. It basically gives the same result as the PowerShell command method from my original post, but with the bonus that it auto-mounts at login/boot. And it’s pretty fast as well.
  2. On Linux, I now use rclone; the problem with what I did before was that modifying the old config didn’t work no matter what, but creating a new remote and using an app token from the beginning works. I don’t really understand why, but the important thing is that it works now. Note: the flags that get me the fastest browsing are: rclone mount --dir-cache-time=1000h --vfs-cache-mode=full --vfs-cache-max-size=150G --vfs-cache-max-age=12h --vfs-fast-fingerprint remote: local&
  3. As for Dolphin and KDE Online Accounts, I did not make any progress. It just doesn’t work.

I hope this info will be useful to someone one day!


Nextcloud and system info:

The output of your Nextcloud log in Admin > Logging:

I don’t see anything relevant to security or passwords in my logs.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'myinstanceID',
  'passwordsalt' => 'mypasswordhash',
  'secret' => 'mysecret',
  'trusted_domains' => 
  array (
    0 => 'mydomain.com',
    1 => 'cloud.mydomain.com',
  ),
  'default_phone_region' => 'FR',
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '26.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.com/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud_user',
  'dbpassword' => 'hashofdbpassword',
  'installed' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'logfilemode' => 416,
  'loglevel' => 0,
  'logdateformat' => 'F d, Y H:i:s',
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'myuser',
  'mail_domain' => 'mydomain',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'in-v3.mailjet.com',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'something',
  'mail_smtppassword' => 'something',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'theme' => '',
  'filelocking.enabled' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.8,
  ),
  0 => 
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
    'password' => '',
  ),
  'session_lifetime' => 31536000,
  'remember_login_cookie_lifetime' => 31536000,
  'app_install_overwrite' => 
  array (
    0 => 'documentserver_community',
  ),
  'enforce_theme' => '',
);

The output of your Apache/nginx/system log in /var/log/____:

Nginx: access.log (x2) and error.log (x10-ish), all empty
Apache2: nothing
System: nonexistent

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
no such logs.
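A small diagnostic script, added here and not part of the original post or of Nextcloud itself, that does what every WebDAV client does first (a PROPFIND on the files endpoint with HTTP Basic auth) and tells apart the three outcomes discussed above: success, the `PasswordLoginForbidden` 401 that rclone reported (an account password was sent where 2FA requires an app password), and any other 401. The base URL, user and password are assumed placeholders; the sample 401 body is constructed to match the exception name shown in the rclone error.

```python
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Exception class name Nextcloud's DAV layer returned in the rclone error above.
PASSWORD_LOGIN_FORBIDDEN = "PasswordLoginForbidden"
SABRE_NS = {"s": "http://sabredav.org/ns"}


def basic_auth_header(user: str, app_password: str) -> str:
    """Build the Authorization header a WebDAV client sends (Basic auth)."""
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    return f"Basic {token}"


def classify_dav_response(status: int, body: bytes) -> str:
    """Map a PROPFIND result to a diagnosis a person can act on."""
    if status == 207:
        return "ok"                          # multi-status: listing worked
    if status != 401:
        return f"unexpected-{status}"
    try:
        root = ET.fromstring(body)           # Sabre wraps errors in <d:error>
    except ET.ParseError:
        return "unauthorized"
    exc = root.findtext("s:exception", default="", namespaces=SABRE_NS)
    if exc.endswith(PASSWORD_LOGIN_FORBIDDEN):
        return "password-login-forbidden"    # 2FA account: need an app password
    return "unauthorized"                    # bad credentials (or a TOTP backup code)


def check_dav(base_url: str, user: str, app_password: str) -> str:
    """Run one Depth: 0 PROPFIND against remote.php/dav/files/<user>/ and classify it."""
    url = f"{base_url.rstrip('/')}/remote.php/dav/files/{user}/"
    req = urllib.request.Request(url, method="PROPFIND")
    req.add_header("Authorization", basic_auth_header(user, app_password))
    req.add_header("Depth", "0")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_dav_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_dav_response(err.code, err.read())


# Constructed sample of the Sabre error body behind the 401 seen in the post.
SAMPLE_401_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden</s:exception>
  <s:message>Password login forbidden, use token instead</s:message>
</d:error>"""

if __name__ == "__main__":
    print(classify_dav_response(401, SAMPLE_401_BODY))  # password-login-forbidden
```

Against a live server, `check_dav("https://<my_Nextcloud_URL>", "myusername", "<app password>")` returns "ok" when the app password is accepted; "password-login-forbidden" means the account password (not an app password) reached the server.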

Your config appears to have an extra bogus entry right after your Redis entry. Judging by the port number in it, I suspect it’s an old Redis configuration from before you switched to a UNIX socket. Not the cause of your issues here, but just noting it.

Can you confirm it is the Two-Factor TOTP Provider app that you enabled?

Can you confirm that the application passwords you’re trying to use are the ones under Personal Settings → Security that you create one at a time at the bottom under your session list? I ask because sometimes people mistakenly use the TOTP backup passwords…

Can you provide the output of ./occ app:list from your NC server?

What do you mean, specifically, when you say you tried the app passwords with “existing sessions”?


sudo -u www-data php /var/www/nextcloud/occ app:list
[sudo] password for *myuser*:
Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - breezedark: 26.0.0
  - bruteforcesettings: 2.6.0
  - camerarawpreviews: 0.8.1
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contactsinteraction: 1.7.0
  - dav: 1.25.0
  - documentserver_community: 0.1.13
  - drawio: 2.1.1
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_accesscontrol: 1.16.0
  - files_automatedtagging: 1.16.1
  - files_downloadactivity: 1.16.0
  - files_markdown: 2.4.0
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_texteditor: 2.15.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - groupfolders: 14.0.2
  - imageconverter: 1.3.5
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - metadata: 0.18.0
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - onlyoffice: 7.8.0
  - password_policy: 1.16.0
  - previewgenerator: 5.3.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - related_resources: 1.1.0-alpha1
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - support: 1.9.0
  - survey_client: 1.14.0
  - systemtags: 1.16.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - twofactor_nextcloud_notification: 3.7.0
  - twofactor_totp: 8.0.0
  - unsplash: 2.2.0
  - updatenotification: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - workflowengine: 2.8.0
Disabled:
  - dashboard: 7.6.0 (installed 7.1.0)
  - dicomviewer: 1.2.4 (installed 1.2.4)
  - encryption: 2.14.0
  - extract: 1.3.5 (installed 1.3.5)
  - files_external: 1.18.0
  - files_trackdownloads: 1.11.0 (installed 1.11.0)
  - ocdownloader: 1.9.1 (installed 1.9.1)
  - photos: 2.2.0 (installed 1.3.0)
  - recommendations: 1.5.0 (installed 1.0.0)
  - suspicious_login: 4.4.0
  - user_ldap: 1.16.0
  - video_converter: 1.0.5 (installed 1.0.5)
  - weather_status: 1.6.0 (installed 1.1.0)
  - workflow_media_converter: 1.7.0 (installed 1.7.0)

What do you mean, specifically, when you say you tried the app passwords with “existing sessions”?

I mean what you can see in the second screenshot (for PowerShell I created a new “app” with a “dedicated app password”, and for KDE and Dolphin I just guessed which sessions corresponded to my requests and added a “dedicated app password”).

Windows is prone to exhibit this behavior, even if the password is correct.

This is how it works for me:

net use * /delete /yes
net use Z: \\%my_Nextcloud_URL%@ssl\remote.php\dav\files\%UID%\ /user:%UID% %App-Password%

Just my 2 cents

Thanks! I’ll try it for the sake of curiosity, because I realized I could do the same thing through the GUI using File Explorer (and it works, and it’s faster than I thought it would be).

I’ll edit my post to explain what I did.