Can't access admin settings after upgrade to NC30

I tried upgrading to NC30 twice, once when NC30.0.0 was published and now when NC30.0.1 was published. Both times I had the same issue: After the upgrade I couldn’t access the admin panels (settings or external apps). The latter gives “Access forbidden: Logged in account must be an admin”.

I already tried adding the user to the admin group via the occ command. I checked, it was in the admin group but still couldn’t access it. Also tried disabling and enabling all apps, that are not shipped (occ app:list --shipped false).
Also one user is missing when accessing “Accounts”.

On the previous version (latest 29) everything worked perfectly fine.

Any help is greatly appreciated.

Nextcloud version: 30.0.1
Operating system and version: Debian GNU/Linux 12 (bookworm) - All packages up to date
Apache or nginx version: Apache/2.4.62 (Debian)
PHP version: 8.2.24

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

1. Upgrade to from NC29 to NC30
2. Try to access any admin settings

The output of your Nextcloud log in Admin > Logging: (cat nextcloud.log | grep Error)

{"reqId":"mUY2Vi4taySxAW2qcywR","level":3,"time":"2024-10-18T07:20:02+00:00","remoteAddr":"","user":"--","app":"core","method":"","url":"--","message":"Error while running background job OCA\\DAV\\Migration\\BuildCalendarSearchIndexBackgroundJob (id: 63432, arguments: {\"offset\":0,\"stopAt\":742})","userAgent":"--","version":"30.0.1.2","exception":{"Exception":"InvalidArgumentException","Message":"Calendarobject does not exists: 19b75a64-a691-457c-b01f-40d2b11083d0.ics","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php","line":3192,"function":"getCalendarObjectId","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->"},{"file":"/var/www/nextcloud/lib/public/AppFramework/Db/TTransactional.php","line":45,"function":"OCA\\DAV\\CalDAV\\{closure}","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php","line":3191,"function":"atomic","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Migration/BuildCalendarSearchIndexBackgroundJob.php","line":77,"function":"updateProperties","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Migration/BuildCalendarSearchIndexBackgroundJob.php","line":37,"function":"buildIndex","class":"OCA\\DAV\\Migration\\BuildCalendarSearchIndexBackgroundJob","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/Job.php","line":61,"function":"run","class":"OCA\\DAV\\Migration\\BuildCalendarSearchIndexBackgroundJob","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php","line":43,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php","line":29,"function":"start","class":"OCP\\BackgroundJob\\QueuedJob","type":"->"},{"file":"/var/www/nextcloud/cron.php","line":162,"function":"execute","class":"OCP\\BackgroundJob\\QueuedJob","type":"->"}],"File":"/var/www/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php","Line":3422,"message":"Error while running background job OCA\\DAV\\Migration\\BuildCalendarSearchIndexBackgroundJob (id: 63432, arguments: {\"offset\":0,\"stopAt\":742})","exception":{},"CustomMessage":"Error while running background job OCA\\DAV\\Migration\\BuildCalendarSearchIndexBackgroundJob (id: 63432, arguments: {\"offset\":0,\"stopAt\":742})"}}
{"reqId":"mUY2Vi4taySxAW2qcywR","level":3,"time":"2024-10-18T07:20:02+00:00","remoteAddr":"","user":"--","app":"core","method":"","url":"--","message":"Error while running background job OCA\\DAV\\Migration\\BuildSocialSearchIndexBackgroundJob (id: 63433, arguments: {\"offset\":0,\"stopAt\":5})","userAgent":"--","version":"30.0.1.2","exception":{"Exception":"TypeError","Message":"OCA\\DAV\\CardDAV\\CardDavBackend::getUID(): Argument #1 ($cardData) must be of type string, resource given, called in /var/www/nextcloud/apps/dav/lib/CardDAV/CardDavBackend.php on line 680","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/dav/lib/CardDAV/CardDavBackend.php","line":680,"function":"getUID","class":"OCA\\DAV\\CardDAV\\CardDavBackend","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Migration/BuildSocialSearchIndexBackgroundJob.php","line":74,"function":"updateCard","class":"OCA\\DAV\\CardDAV\\CardDavBackend","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Migration/BuildSocialSearchIndexBackgroundJob.php","line":36,"function":"buildIndex","class":"OCA\\DAV\\Migration\\BuildSocialSearchIndexBackgroundJob","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/Job.php","line":61,"function":"run","class":"OCA\\DAV\\Migration\\BuildSocialSearchIndexBackgroundJob","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php","line":43,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php","line":29,"function":"start","class":"OCP\\BackgroundJob\\QueuedJob","type":"->"},{"file":"/var/www/nextcloud/cron.php","line":162,"function":"execute","class":"OCP\\BackgroundJob\\QueuedJob","type":"->"}],"File":"/var/www/nextcloud/apps/dav/lib/CardDAV/CardDavBackend.php","Line":1449,"message":"Error while running background job OCA\\DAV\\Migration\\BuildSocialSearchIndexBackgroundJob (id: 63433, arguments: {\"offset\":0,\"stopAt\":5})","exception":{},"CustomMessage":"Error while running background job OCA\\DAV\\Migration\\BuildSocialSearchIndexBackgroundJob (id: 63433, arguments: {\"offset\":0,\"stopAt\":5})"}}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '***REMOVED SENSITIVE VALUE***',
  'passwordsalt' => '***REMOVED SENSITIVE VALUE***',
  'secret' => '***REMOVED SENSITIVE VALUE***',
  'trusted_domains' => 
  array (
    0 => '***REMOVED SENSITIVE VALUE***',
    1 => 'nc.local',
    2 => '***REMOVED SENSITIVE VALUE***',
    3 => '***REMOVED SENSITIVE VALUE***',
  ),
  'trusted_proxies' => 
  array (
    0 => '***REMOVED SENSITIVE VALUE***',
  ),
  'overwrite.cli.url' => '***REMOVED SENSITIVE VALUE***',
  'overwritehost' => '***REMOVED SENSITIVE VALUE***',
  'overwriteprotocol' => 'https',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => '6379',
    'timeout' => 0.0,
  ),
  'htaccess.RewriteBase' => '/',
  'datadirectory' => '/storage/',
  'dbtype' => 'pgsql',
  'version' => '30.0.1.2',
  'dbname' => 'nextclouddb',
  'dbhost' => '***REMOVED SENSITIVE VALUE***:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '***REMOVED SENSITIVE VALUE***',
  'installed' => true,
  'maintenance_window_start' => 1,
  'default_phone_region' => 'DE',
  'allowed_admin_ranges' => 
  array (
    0 => '127.0.0.1/8',
    1 => '192.168.0.0/16',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_sendmailmode' => 'smtp',
  'mail_smtphost' => '***REMOVED SENSITIVE VALUE***',
  'mail_smtpport' => '587',
  'mail_from_address' => '***REMOVED SENSITIVE VALUE***',
  'mail_domain' => '***REMOVED SENSITIVE VALUE***',
  'mail_smtpname' => '***REMOVED SENSITIVE VALUE***',
  'mail_smtppassword' => '***REMOVED SENSITIVE VALUE***',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'memories.db.triggers.fcu' => true,
  'memories.exiftool' => '/var/www/nextcloud/apps/memories/bin-ext/exiftool-amd64-glibc',
  'memories.vod.path' => '/var/www/nextcloud/apps/memories/bin-ext/go-vod-amd64',
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'memories.gis_type' => 2,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\Image',
    1 => 'OC\\Preview\\Movie',
  ),
  'memories.vod.disable' => false,
  'memories.vod.vaapi' => true,
  'defaultapp' => '',
);

The output of your Apache/nginx/system log in /var/log/____:
errors.log

[Fri Oct 18 00:00:00.917740 2024] [mpm_prefork:notice] [pid 159:tid 159] AH00163: Apache/2.4.62 (Debian) configured -- resuming normal operations
[Fri Oct 18 00:00:00.917761 2024] [core:notice] [pid 159:tid 159] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 09:17:52.198098 2024] [mpm_prefork:notice] [pid 159:tid 159] AH00170: caught SIGWINCH, shutting down gracefully
[Fri Oct 18 09:17:52.295828 2024] [mpm_prefork:notice] [pid 121782:tid 121782] AH00163: Apache/2.4.62 (Debian) configured -- resuming normal operations
[Fri Oct 18 09:17:52.295851 2024] [core:notice] [pid 121782:tid 121782] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 09:26:13.759828 2024] [mpm_prefork:notice] [pid 121782:tid 121782] AH00170: caught SIGWINCH, shutting down gracefully
Fontconfig error: No writable cache directories
Fontconfig error: No writable cache directories
[Fri Oct 18 09:28:29.602264 2024] [mpm_prefork:notice] [pid 159:tid 159] AH00163: Apache/2.4.62 (Debian) configured -- resuming normal operations
[Fri Oct 18 09:28:29.602407 2024] [core:notice] [pid 159:tid 159] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 09:45:12.766918 2024] [mpm_prefork:notice] [pid 159:tid 159] AH00170: caught SIGWINCH, shutting down gracefully
[Fri Oct 18 10:05:55.442401 2024] [mpm_prefork:notice] [pid 159:tid 159] AH00163: Apache/2.4.62 (Debian) configured -- resuming normal operations
[Fri Oct 18 10:05:55.442564 2024] [core:notice] [pid 159:tid 159] AH00094: Command line: '/usr/sbin/apache2'

I don’t have a solution. But can you perhaps try creating a new admin with occ?

sudo -u www-data php /var/www/nextcloud/occ user:add --group="admin" newuser

Thank you for the suggestion.

Created a new user, confirmed that it is member of “admin” but also no access to admin settings…

  'allowed_admin_ranges' => 
  array (
    0 => '127.0.0.1/8',
    1 => '192.168.0.0/16',

You have this in your config. Are you logging in from one of these IP ranges?

Yes.
So I accessed my NC29 from my laptop (where I have admin rights as it’s inside that IP range), then I upgrade to 30 and as soon as I log in there, I can’t access admin settings anymore. So nothing changed regarding the IP range, the permissions or anything…

Any ideas in what logs to look for the issue?

allowed_admin_ranges was added in v30. In your v29 environment that config entry was ignored.

You can remove the config entry for now.

Then check Admin settings->Overview. My first guess is that your reverse proxy config isn’t passing your remote IP address correctly. Until that’s sorted that config directive will likely not work as expected.

Awesome! I’ll take a look at that. That sounds insanely promising. Weird though as I got that from the security hardening manuals in v29. Really hope I don’t have to restore everything afterwards again ^^

Do you also have any idea why one user was missing after upgrading? It’s the newest user, which might not have logged in via the website as of now, however he has logged in to the iOS App if that matters any. The user folder still existed though, the user just didn’t show in the “accounts” tab… Could that also correspond to missing admin rights? Oddly, I could every user except that one.

EDIT:
Nevermind, I might have just found the issue. I was in a group with all other users and was assigned the group admin. The new user was in another group which I was mistakenly not assigned as group owner which is probably why he didn’t show.

Thank you! That was actually it and I had a misconception, I was not accessing the server from my local network but via my domain which of course accesses it via my public IP then. But as it worked in v29 I thought there couldn’t be something wrong with my config. Should’ve taken a further step back. Cheers mate, thought I was gonna be stuck at v29 forever

I don’t see any references to allowed_admin_ranges in the official manuals for v29, including the hardening guide chapter.

Huh, you‘re right. Weird, maybe I accidentally looked into the v30 docs.
But glad it‘s fixed now!

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.