Nextcloud 2FA borked. All admins locked out

markmn123 · March 27, 2019, 7:29pm

Well I am sure I goofed up good.
After seeing the 2FA option for a while now I decided to enable not knowing anything about it.
I very ignorantly did not write down any of the backup codes it generated thinking it was going to “configure” during my next login.
Welp…it didnt. And now my admin account is locked out. When attempting to log in it asks for the backup codes which I stupidly dont have.
In short…
I ran: (while in nextcloud DIR)
sudo -u apache php occ twofactorauth:disable “user” <–actual user entered w/o quotes
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Not enough arguments (missing: “provider_id”).

Ran:
sudo -u apache php app:update --all

Ran:
sudo -u apache php occ twofactorauth:state “user”
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Two-factor authentication is enabled for user “user”

Enabled providers:

backup_codes

Ran:
sudo -u apache php occ twofactorauth:disable “user” backup_codes
The provider does not support this operation

Ran:
sudo -u apache php occ app:update twofactor_backupcodes
sudo -u apache php occ app:update twofactor_totp
sudo -u apache php occ app:disable twofactor_backupcodes
sudo -u apache php occ app:disable twofactor_totp
sudo -u apache php occ app:enable twofactor_backupcodes
sudo -u apache php occ app:enable twofactor_totp

I still cant get it to my admin account
I even created another account…logged in to make sure it works and it did.
Once i granted admin rights to the newly created account…it then asked for backup codes on next login.

Nextcloud version 15.0.0.10
Version string 15.0.0
Running on centOS-release-7-6.1810.2.el7

budy · March 27, 2019, 7:58pm

First of all… I’d start with updating NC to the latest version. You can do that using the cli updater like this:

sudo -u apache php </path/to/nextcloud DIR/updater/updater.phar

Now, check the twofactor state of your user:

sudo -u apache php occ twofactorauth:state “user”

Afterwards, I’d disable the enabled providers like this:

sudo -u apache php occ twofactorauth:disable “user” totp
sudo -u apache php occ twofactorauth:disable “user” backup_codes
sudo -u apache php occ twofactorauth:disable “user” u2f

markmn123 · March 27, 2019, 8:03pm

So the updater failed…
[x] Check for expected files failed
The following extra files have been found:
.zfs

My nextcloud install is in a zfs file system. hopefully this doesnt make it worse

budy · March 27, 2019, 8:13pm

Hmm… this is the, usually hidden folder, where ZFS stores it’s snapshots. As I said, this folder usually doesn’t show up, unless you set a specific ZFS attribute named snapdir. What does

zfs get snapdir zfs_volume

show?

markmn123 · March 27, 2019, 8:20pm

cannot open ‘zfs_volume’: dataset does not exist
tried with “name of my dataset” instead of “volume”…same thing
If it helps i have only taken two snapshots since i made the dataset and i dont think they are stored there in the nextcloud folder. i think they are in the root of my zfs pool
can i delete those files since i have verified i dont have any snapshots there?

budy · March 27, 2019, 8:34pm

Please provide the output of

zfs list -r

markmn123 · March 27, 2019, 8:37pm

[root@ADELL ~]# zfs list -r
NAME USED AVAIL REFER MOUNTPOINT
AWESOME 2.76T 6.02T 1.58T /AWESOME
AWESOME/Backup 415G 6.02T 415G /AWESOME/Backup
AWESOME/Games 421G 6.02T 421G /AWESOME/Games
AWESOME/Pictures 60.9G 6.02T 60.9G /AWESOME/Pictures
AWESOME/System 12.6G 6.02T 12.6G /AWESOME/System
AWESOME/nextcloud 59.2G 6.02T 59.2G /AWESOME/nextcloud

yeah i know its a weird name but oh well

budy · March 27, 2019, 8:43pm

There it is:

Ha ha, you could have done worse… and… ZFS really is an awesome fs!
So the command to check is this:

zfs get snapdir AWESOME/nextcloud

markmn123 · March 27, 2019, 8:45pm

[root@ADELL ~]# zfs get snapdir AWESOME/nextcloud
NAME PROPERTY VALUE SOURCE
AWESOME/nextcloud snapdir visible inherited from AWESOME

budy · March 27, 2019, 8:47pm

There you have it…

zfs set snapdir=hidden AWESOME/nextcloud

and then try the updater again.

markmn123 · March 27, 2019, 8:55pm

Ok update done and i thank you for the help however…

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:state “user”
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Two-factor authentication is enabled for user “user”
Enabled providers:

backup_codes

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:disable “user” backup_codes
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
The provider does not support this operation.

i also ran:
[root@ADELL nextcloud]# sudo -u apache php occ app:update --all

still no dice

budy · March 27, 2019, 9:00pm

Have you also run the occ upgrade command after updating?

markmn123 · March 27, 2019, 9:04pm

Just ran it…update successful
Then:

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:state “user”
Two-factor authentication is enabled for user “user”
Enabled providers:

backup_codes

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:disable "user"backup_codes
The provider does not support this operation.

budy · March 27, 2019, 9:08pm

Hmm… we’re nearing the point, where there’s not much left to try…
What database are you using for your NC instance?

markmn123 · March 27, 2019, 9:08pm

Im using mariaDB

budy · March 27, 2019, 9:18pm

Okay, here we go… grab the user and pw from your config.php and log in to your mariadb instance as the nc user and disable the twofactor apps using this query:

update oc_appconfig set configvalue=‘no’ where appid=‘twofactor_backcodes’ and configkey=‘enabled’;
update oc_appconfig set configvalue=‘no’ where appid=‘twofactor_u2f’ and configkey=‘enabled’;
update oc_appconfig set configvalue=‘no’ where appid=‘twofactor_totp’ and configkey=‘enabled’;

This should disable all of the twofactor apps in your NC instance.

budy · March 27, 2019, 9:23pm

There’s probably something else, you could try…

update oc_twofactor_providers set enabled=‘0’ where provider_id=‘backup_codes’ and uid=‘<nc user name>’;

Maybe you should try that one first.

markmn123 · March 27, 2019, 9:27pm

MariaDB [(none)]> alter oc_appconfig set configvalue=‘no’ where appid=‘twofactor_backcodes’ and configkey=‘enabled’;

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'oc_appconfig set configvalue=‘no’ where appid=‘twofactor_backcodes’ and ’ at line 1

MariaDB [(none)]> alter oc_twofactor_providers set enabled=‘0’ where provider_id=‘backup_codes’ and uid=’user’;

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'oc_twofactor_providers set enabled=‘0’ where provider_id=‘backup_codes’ ’ at line 1

Have to run into a meeting right quick

budy · March 27, 2019, 9:37pm

Yeah… my bad… it’s already late over here… your user doesn’t really is named “user”, is it? Anyway, make sure to replace “user” with the actual NC user name:

update oc_twofactor_providers set enabled=‘0’ where provider_id=‘backup_codes’ and uid=’<nc user name>’;

markmn123 · March 27, 2019, 9:52pm

It’s not that’s my futile attempt to retain privacy at this point I dont care
The user is MarkB
So it should be…
pdate oc_twofactor_providers set enabled=‘0’ where provider_id=‘backup_codes’ and uid=’<MarkB>’;
Correct?