Frequent log offs - Ajax Authentication Error?

Hello Community

I’m having a problem with my NextCloud 10.0.1 (stable, ssl enabled) installation.
Setup and access through the iOS App works just fine.
But when I try to use the webinterface I get frequent log offs (it throws me back to the login page),
mainly if I click on an internal link.

Here’s the log output with an authentication error:

Exception: {“Message”:“HTTP/1.1 401 Cannot authenticate over ajax calls”,“Exception”:“Sabre\DAV\Exception\NotAuthenticated”,“Code”:0,“Trace”:"#0 /kunden/123456_78123/files/apps/dav/lib/Connector/Sabre/Auth.php(155): OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#1 /kunden/123456_78123/files/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php(163): OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#2 [internal function]: Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#3 /kunden/123456_78123/files/3rdparty/sabre/event/lib/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\n#4 /kunden/123456_78123/files/3rdparty/sabre/dav/lib/DAV/Server.php(446): Sabre\Event\EventEmitter->emit(‘beforeMethod’, Array)\n#5 /kunden/123456_78123/files/3rdparty/sabre/dav/lib/DAV/Server.php(248): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))\n#6 /kunden/123456_78123/files/apps/dav/appinfo/v1/webdav.php(60): Sabre\DAV\Server->exec()\n#7 /kunden/123456_78123/files/remote.php(165): require_once(’/kunden/388924_…’)\n#8 {main}",“File”:"/kunden/123456_78123/files/apps/dav/lib/Connector/Sabre/Auth.php",“Line”:248,“User”:false}

Thank you very much for your help!
InfinityTrapdoor

@LukasReschke do you have an idea what went wrong here?

same problem

centos 7.2
php70 @remi
nginx 1.10.2

cat config.php

<?php
$CONFIG = array (
  'appstore.experimental.enabled' => false,
  'datadirectory' => '/mnt/nextcloud',
  'dbhost' => 'db.home.lan',
  'dbname' => 'nextcloud',
  'dbpassword' => '======',
  'dbtableprefix' => 'oc_',
  'dbtype' => 'mysql',
  'dbuser' => 'nextcloud',
  'installed' => true,
  'instanceid' => '======',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'loglevel' => 3,
  'logtimezone' => 'Europe/Kiev',
  'mail_domain' => 'home.net',
  'mail_from_address' => 'nextcloud',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtphost' => 'exmple.net',
  'mail_smtpmode' => 'smtp',
  'mail_smtpname' => 'nextcloud',
  'mail_smtppassword' => '======',
  'mail_smtpport' => '465',
  'mail_smtpsecure' => 'ssl',
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'overwrite.cli.url' => 'https://example.net',
  'passwordsalt' => '======',
  'redis' => 
  array (
    'host' => 'redis.home.lan',
    'port' => 6379,
    'timeout' => 0,
    'password' => '',
    'dbindex' => 0,
  ),
  'secret' => '======',
  'trashbin_retention_obligation' => '30, 45',
  'trusted_domains' => 
  array (
    0 => 'example.net',
  ),
  'updater.release.channel' => 'stable',
  'updater.server.url' => 'https://updates.nextcloud.org/updater_server/',
  'version' => '9.1.1.5',
);

cat /etc/nginx/sites/example.net.conf

upstream php-handler-nc {
	#server			unix:/run/php-fpm/nc.sock;
	server			unix:/run/php-fpm/nc.php70.sock;
}
server {
	listen 80;
	listen 443 ssl;
	server_name example.net;

	access_log		/var/log/nginx/example.net-access.log;
	#access_log		off;
	error_log		/var/log/nginx/example.net-error.log;
	#error_log		/dev/null;

	include			snippets/letsencrypt.conf;
	include			snippets/require_https.conf;

	# Add headers to serve security related headers
	# Before enabling Strict-Transport-Security headers please read into this
	# topic first.
	add_header Strict-Transport-Security "max-age=15768000;
	# includeSubDomains; preload;";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;

	# Path to the root of your installation
	root /var/www/example.net/;

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	# The following 2 rules are only needed for the user_webfinger app.
	# Uncomment it if you're planning to use this app.
	#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
	#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
	# last;

	location = /.well-known/carddav {
		return 301 $scheme://$host/remote.php/dav;
	}
	location = /.well-known/caldav {
		return 301 $scheme://$host/remote.php/dav;
	}

	# set max upload size
	client_max_body_size 512M;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header
	gzip off;

	# Uncomment if your server is build with the ngx_pagespeed module
	# This module is currently not supported.
	#pagespeed off;

	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	location / {
		rewrite ^ /index.php$uri;
	}

	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		#Avoid sending the security headers twice
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		fastcgi_pass php-handler-nc;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	}

	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	}

	# Adding the cache control header for js and css files
	# Make sure it is BELOW the PHP block
	location ~* \.(?:css|js)$ {
		try_files $uri /index.php$uri$is_args$args;
		add_header Cache-Control "public, max-age=7200";
		# Add headers to serve security related headers (It is intended to
		# have those duplicated to the ones above)
		# Before enabling Strict-Transport-Security headers please read into
		# this topic first.
		# add_header Strict-Transport-Security "max-age=15768000;
		#  includeSubDomains; preload;";
		add_header X-Content-Type-Options nosniff;
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;
		# Optional: Don't log access to assets
		access_log off;
	}

	location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
		try_files $uri /index.php$uri$is_args$args;
		# Optional: Don't log access to other assets
		access_log off;
	}
}

It’s probably the best to create a new issue on the bugtracker and to fill out the issue template.

very community friendly

You should use the issue template. You didn’t add the logfiles, no more specific details to the LDAP configuration. With so little information like in your github post, how should someone be able to verify or reproduce your problem?

Thank you for the reply.

1. there is LDAP config (despite the fact that the problem does not depend on the user’s location (ldap or internal user), and I have told about it)
2. there is line from the log-file with error message

Why not ask me to provide more information (nginx config, full log-file, etc.) if it is needed?
Why should immediately close the issue?

I do not want anyone to accuse of being incompetent or something like that. I just do not understand such behavior of the community, which is positioning itself more friendly than the community OC …

I apologize if I hurt someone in my own words.

Many people use successfully the standard configuration. If you setup is not working, you can try to get as close as possible to this configuration and if it doesn’t work, you can point out the differences. In the past, there were some issues, where people just forgot about the most important things.

If you have already discussed a subject on the forum, you can as well link it, especially when more people are affected. It’s hard to tell what is enough info and each developer sees it differently, if you have more information you can just add them beneath and ping the developer to reopen the issue again.