External Storage with SSO and Kerberos Tickets unavailable

Hi Everyone

I have Nextcloud 18 via Univention Appliance deployed and my SSO provider is Duo Mobile.

The Duo Access Gateway is configured to send SAML 2.0 Kerberos. The login with SAML works. The only thing that is not working is the external storage SMB authentication via Kerberos.

All the other authentication options for external storage work.

Where can I find detailed instructions on how to debug Kerberos?
I saw the Univention Kerberos Debug option, but where is the logfile?

Regards

Our Windows Fileserver is Windows 2016, so I assume it’s Kerberos 5. Is it possible that only Kerberos 4 is supported?

I was able to access our Windows SMB shares without a password, using only the Kerberos ticket, on the console with the following command:
smbclient //server.domain.com/share -U myUser -k

Also, the klist command shows that the Kerberos tickets are available on the server.

The error in the Weblog reads:
  0. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 66
    Icewind\SMB\Exception\Exception::fromMap({1: "Icewind\SM … "}, 1, "/")
  1. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 78
    Icewind\SMB\Native\NativeState->handleError("/")
  2. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeState.php line 294
    Icewind\SMB\Native\NativeState->testResult("*** sensitive parameter replaced ***", "smb://server/share/")
  3. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 306
    Icewind\SMB\Native\NativeState->getxattr("smb://server/share/", "system.dos_attr.*")
  4. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 69
    Icewind\SMB\Native\NativeShare->getAttribute("/", "system.dos_attr.*")
  5. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeFileInfo.php line 88
    Icewind\SMB\Native\NativeFileInfo->stat()
  6. /var/www/html/apps/files_external/3rdparty/icewind/smb/src/Native/NativeShare.php line 113
    Icewind\SMB\Native\NativeFileInfo->getSize()
  7. /var/www/html/apps/files_external/lib/Lib/Storage/SMB.php line 179
    Icewind\SMB\Native\NativeShare->stat("/")
  8. /var/www/html/apps/files_external/lib/Lib/Storage/SMB.php line 297
    OCA\Files_External\Lib\Storage\SMB->getFileInfo("/")
  9. /var/www/html/lib/private/Files/Storage/Common.php line 456
    OCA\Files_External\Lib\Storage\SMB->stat("")
  10. /var/www/html/apps/files_external/lib/Lib/Storage/SMB.php line 613
    OC\Files\Storage\Common->test()
  11. /var/www/html/apps/files_external/lib/config.php line 262
    OCA\Files_External\Lib\Storage\SMB->test("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
  12. /var/www/html/apps/files_external/lib/Controller/StoragesController.php line 258
    OC_Mount_Config::getBackendStatus("*** sensitive parameters replaced ***")
  13. /var/www/html/apps/files_external/lib/Controller/StoragesController.php line 330
    OCA\Files_External\Controller\StoragesController->updateStorageStatus("*** sensitive parameters replaced ***")
  14. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 170
    OCA\Files_External\Controller\StoragesController->show(4, "*** sensitive parameter replaced ***")
  15. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Files_Extern … {}, "show")
  16. /var/www/html/lib/private/AppFramework/App.php line 125
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Files_Extern … {}, "show")
  17. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("OCA\Files_Exte … r", "show", OC\AppFramework\ … {}, {id: "4",_route: … "})
  18. <>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({id: "4",_route: … "})
  19. /var/www/html/lib/private/Route/Router.php line 299
    call_user_func(OC\AppFramework\ … {}, {id: "4",_route: … "})
  20. /var/www/html/lib/base.php line 1008
    OC\Route\Router->match("/apps/files_external/globalstorages/4")
  21. /var/www/html/index.php line 38
    OC::handleRequest()

The GUI error:

External mount error

There was an error with message: Empty response from the server

One thing I have noticed:
When I mount the share on the console I get the following error:
Unable to initialize messaging context

The smbclient might be causing the bug:

We have given up on the topic. We switched to LDAP + TOTP authentication. Kerberos seems broken.