External storage credentials, 'save in session', and desktop sync - how does this work?

shellac · September 18, 2020, 3:10pm

I’m currently setting up a nextcloud instance. We are using LDAP and external storage using SMB, using credentials saved in session.

This is perfect since a) the user is acting with the proper account and b) their credentials are not stored.

The downside is that sharing isn’t available, but this seems to validate that credentials are not being stored. (How could it work, after all, when neither the sharee nor Nextcloud instance have the credentials)

But…

The desktop client sync works, and as far as I can see the desktop client only has an oauth token.

Could somebody explain how the desktop client is able to act on my behalf?

gsswtr · August 31, 2022, 1:16pm

I have the exact same question and would love to see an answer to this.
I added an external SMB storage to my nextcloud with authentication “Log-in credentials, save in session”.
I noticed that my desktop-client, connected via token, instantly started to copy the whole SMB storage to my desktop-PC. I thought this was impossible because the documentation says “Desktop and mobile clients that use tokens to authenticate can not access those shares”.
I also noticed that I can access this external storage with the iOS-app of nextcloud on my iPhone.
I logged out of my account on the webpage and rebooted the whole nextcloud-server. My desktop and iOS apps still had access to the external storage.

How is this possible?

gsswtr · September 6, 2022, 1:11pm

Is there anyone with the same problem?
Or are there users who use “Log-in credentials, save in session” and can’t access their shares, just as described in the nextcloud-documentation?

Normally, if something works that should not work, it’s no big problem. However, in this case, I am unsure how this works and if credentials are permanently stored on my nextcloud-server (and if this is the case, where/how are they stored and secured?)

I guess I will open a bug report if no one can clarify this…

gsswtr · February 16, 2023, 2:30pm

I made a bug report a while ago, but got no response yet.
If someone wants to take a look:

github.com/nextcloud/server

[Bug]: Win/iOS Client syncs SMB-Share with option “Log-in credentials, save in session”

opened 12:14PM - 07 Sep 22 UTC

traeu

bug needs info 0. Needs triage

### ⚠️ This issue respects the following points: ⚠️ - [X] This is a **bug**, no…t a question or a configuration/webserver/proxy issue. - [X] This issue is **not** already reported on Github _(I've searched it)_. - [X] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions. - [X] Nextcloud Server **is** running on 64bit capable CPU, PHP and OS. - [X] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/). ### Bug description My Nextcloud: Version 24.0.4 User auth over LDAP/MS-AD Access over NGINX reverse proxy (User-->NGINX: https/letsencrypt, NGINX-->Nextcloud: http) I added a SMB-share to my nextcloud and used the option “Log-in credentials, save in session” for credentials. The documentation says: "The Log-in credentials, save in session mechanism uses the Nextcloud login credentials of the user to connect to the storage. These are not stored anywhere on the server, but rather in the user session, giving increased security." and "Desktop and mobile clients that use tokens to authenticate can not access those shares" This is exactly what I want, I don't want to store credentials of users permanently on my server. But I noticed, as soon as I added the external storage, my Nextcloud Windows client started to sync the whole smb-share. I also have access to my smb-share over my Nextcloud-iOS-App. Both apps, Windows and iOS, use token authentification as far as I can tell. How is it possible that my apps can access my smb share? Where are the credentials stored (I guess they must be stored somewhere, because otherwise the apps would have no access?) Here someone else experienced the same problem, but no one could help https://help.nextcloud.com/t/external-storage-credentials-save-in-session-and-desktop-sync-how-does-this-work/92602/2 ### Steps to reproduce 1. add external SMB storage with option “Log-in credentials, save in session” 2a. connect iOS app with token/QR-code 2b. access SMB share over iOS app 3a. alternatively, connect Windows desktop app with token 3b. access SMB share over windows app ### Expected behavior Expected behavior as described in official documentation: "Desktop and mobile clients that use tokens to authenticate can not access those shares" ### Installation method Community Manual installation with Archive ### Operating system Debian/Ubuntu ### PHP engine version PHP 8.1 ### Web server Apache (supported) ### Database engine version MariaDB ### Is this bug present after an update or on a fresh install? Fresh Nextcloud Server install ### Are you using the Nextcloud Server Encryption module? Encryption is Disabled ### What user-backends are you using? - [X] Default user-backend _(database)_ - [X] LDAP/ Active Directory - [ ] SSO - SAML - [ ] Other ### Configuration report ```shell { "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost", "CENSORED" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "24.0.4.1", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "loglevel": 2, "default_phone_region": "DE", "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "overwritehost": "CENSORED", "overwrite.cli.url": "CENSORED", "overwriteprotocol": "https", "forcessl": true, "overwritewebroot": "\/", "overwritecondaddr": "^10\\.43\\.43\\.100$", "htaccess.RewriteBase": "\/", "memcache.local": "\\OC\\Memcache\\APCu", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_sendmailmode": "smtp", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "tls", "mail_smtpauth": 1, "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "587", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "maintenance": false, "theme": "", "default_language": "de", "default_locale": "de_DE", "defaultapp": "files", "knowledgebaseenabled": false, "allow_user_to_change_display_name": false, "remember_login_cookie_lifetime": 2592000, "session_lifetime": 172800, "session_relaxed_expiry": true, "auth.webauthn.enabled": false, "skeletondirectory": "\/var\/www\/nextcloud\/core\/skeleton_new", "lost_password_link": "mailto:CENSORED", "trashbin_retention_obligation": "30,30", "ldapUserCleanupInterval": 16, "sort_groups_by_name": true, "profile.enabled": false } } ``` ### List of activated Apps ```shell Enabled: - activity: 2.16.0 - admin_audit: 1.14.0 - bruteforcesettings: 2.4.0 - cloud_federation_api: 1.7.0 - comments: 1.14.0 - dav: 1.22.0 - federatedfilesharing: 1.14.0 - files: 1.19.0 - files_external: 1.16.1 - files_pdfviewer: 2.5.0 - files_rightclick: 1.3.0 - files_sharing: 1.16.2 - files_trashbin: 1.14.0 - files_videoplayer: 1.13.0 - logreader: 2.9.0 - lookup_server_connector: 1.12.0 - notifications: 2.12.0 - oauth2: 1.12.0 - password_policy: 1.14.0 - provisioning_api: 1.14.0 - quota_warning: 1.14.0 - serverinfo: 1.14.0 - settings: 1.6.0 - systemtags: 1.14.0 - tasks: 0.14.4 - text: 3.5.1 - theming: 1.15.0 - twofactor_backupcodes: 1.13.0 - updatenotification: 1.14.0 - user_ldap: 1.14.1 - viewer: 1.8.0 - workflowengine: 2.6.0 Disabled: - accessibility: 1.8.0 - circles: 24.0.1 - contactsinteraction: 1.5.0 - dashboard: 7.2.0 - encryption - federation: 1.12.0 - files_versions: 1.17.0 - firstrunwizard: 2.11.0 - nextcloud_announcements: 1.11.0 - photos: 1.6.0 - privacy: 1.8.0 - recommendations: 1.3.0 - sharebymail: 1.14.0 - support: 1.5.0 - survey_client: 1.10.0 - user_status: 1.2.0 - weather_status: 1.2.0 ``` ### Nextcloud Signing status ```shell No errors have been found. ``` ### Nextcloud Logs _No response_ ### Additional info _No response_