Nextcloud 2FA borked. All admins locked out

No, rather not. I’d suggest wiping the codes from the DB, since we’ve deactivated all twofactor modules and have also set your account to not have any backup_codes enabled, but they’re there anyway.

So… go ahead and remove them from the table using this query:

delete from oc_twofactor_backupcodes where user_id='MarkB';

1 Like

Deleted and verified removed by checking with
select * from oc_twofactor_backupcodes where user_id='MarkB';

Still dead and losing hope.

Buddy, I would like to take this time to once again say I truly appreciate all your help.
I know you owe me nothing and I can’t thank you enough.

That said… should I run twofactorauth:cleanup?

I’d say, it cannot hurt - we’re already so deep into the weeds here. :wink:

And no worries about me, although I actually thought that this issue would be easier to tackle. Is this your personal instance? I am asking because we might hit a point where you will have to face a re-install of NC. You would not lose any actual data, but this step would cause some real work on the database; it is possible, though.

Also, it might be a good idea to bump the log level to debug and watch the nextcloud.log when trying to log in.

Sounds a lot like what I faced. Check this thread and see if the steps I took help:

OK, I’ll do it.
It is my personal instance. My last resort…
I did one thing right (I suppose): I duplicated the entire nextcloud folder and labelled it as the running config.
Would I be shooting myself in the foot if I just renamed the folder to nextcloud, logged in, and went about my business?
I dup’ed this a while ago and the data directory is inside of it as well.

[root@ADELL nextcloud]# sudo -u apache php occ app:list
Enabled:

  • accessibility: 1.1.0
  • activity: 2.8.2
  • bruteforcesettings: 1.3.0
  • cloud_federation_api: 0.1.0
  • comments: 1.5.0
  • dav: 1.8.1
  • federatedfilesharing: 1.5.0
  • federation: 1.5.0
  • files: 1.10.0
  • files_external: 1.6.0
  • files_pdfviewer: 1.4.0
  • files_sharing: 1.7.0
  • files_texteditor: 2.7.0
  • files_trashbin: 1.5.0
  • files_versions: 1.8.0
  • files_videoplayer: 1.4.0
  • firstrunwizard: 2.4.0
  • gallery: 18.2.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.3.0
  • nextcloud_announcements: 1.4.0
  • notifications: 2.3.0
  • oauth2: 1.3.0
  • password_policy: 1.5.0
  • provisioning_api: 1.5.0
  • serverinfo: 1.5.0
  • sharebymail: 1.5.0
  • support: 1.0.0
  • survey_client: 1.3.0
  • systemtags: 1.5.0
  • theming: 1.6.0
  • twofactor_backupcodes: 1.4.1
  • updatenotification: 1.5.0
  • workflowengine: 1.5.0
Disabled:
  • admin_audit
  • encryption
  • twofactor_admin
  • twofactor_totp
  • user_ldap
[root@ADELL nextcloud]# sudo -u apache php occ app:disable twofactor_backupcodes
twofactor_backupcodes can’t be disabled.
[root@ADELL nextcloud]#

Ahh… you do have the twofactor_admin installed. That one would provide you with a backup_code for your user:

./occ twofactorauth:admin:generate-code MarkB

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:admin:generate-code MarkB

There are no commands defined in the “twofactorauth:admin” namespace.

Did you mean this?
twofactorauth

[root@ADELL nextcloud]#

Ehh… sorry… please re-enable the twofactor_admin app…

OK, we are getting somewhere…
I have my code, but now for some reason the Nextcloud login page says
Could not load at least one of your enabled two-factor auth methods. Please contact your admin.
Two-factor authentication is enforced but has not been configured on your account. Contact your admin for assistance.

Well… then re-enable the other, currently disabled twofactor_totp app.

I have enabled the totp app.
Gives the same error on logon.

Disabled and then re-enabled all other twofactor apps.
Still the same message on login.
Now I’m trying to figure out why it won’t say “use backup codes” anymore.
I created an admin account to try and solve this. Should I delete that and try and create another?

You might also need to re-enable 2fa for your account again, no? We disabled that for your account.

./occ twofactorauth:enable MarkB totp

I don’t know if creating a new user would help you, but you could of course try that as well.

OK, so a little update…
I ran
[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:enable MarkB totp
The provider does not support this operation.

Finally got fed up and created an account called admin,
granted admin access to this account… and logged in!
I see now I have all access to Nextcloud from that account; however…
I navigated to the security settings and removed the admin group from the enforced group settings,
added it to the not-enforced groups,
unchecked the enforce 2FA box,
tried logging in with MY admin account aaaaaaaaand nothing. It still says 2FA not configured.

Going back to the admin user account, I check the log when I try to log in on another computer, and 4 errors pop up immediately:

[core] Error: 1 two-factor auth providers failed to load
GET /index.php/login/selectchallenge
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: two-factor auth provider ‘admin’ failed to load
GET /index.php/login/selectchallenge
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: 1 two-factor auth providers failed to load
POST /index.php/login
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: two-factor auth provider ‘admin’ failed to load
POST /index.php/login
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

What do you guys think?

Well… this is why I asked about your instance and its importance. As it seems to be right now, I’d go for a new installation and keep the data folder if there’s data on it which you don’t have anywhere else.

Do you have your data folder inside your NC instance folder? This is the usual setup, but it needn’t be this way.

SIDENOTE:
You need direct database access to the Nextcloud instance to repair this issue!

So after much work and sweating and pondering and trial and error… I got in!!
Also with the help of my boss, who got me into Nextcloud and knows it a lot better than me.
SO… I will do my best to elaborate so that whoever has a similar issue in the future may stumble on this thread and hopefully fix it.
At the end of the day there seemed to be an issue with the database.
If there is ever an issue with 2FA, do NOT do what I did and install more apps, as it will clutter up the database. Also, there is no need to create new users in hopes of getting rid of 2FA that way.

For some reason there was an entry in the database tables under oc_twofactor_providers set as enabled here…

MariaDB [nextcloud]> select * from oc_twofactor_providers;
+----------------------------------+--------------+---------+
| provider_id                      | uid          | enabled |
+----------------------------------+--------------+---------+
| admin                            | user1        |       1 |   <---------THIS STUPID GUY
| backup_codes                     | user2        |       0 |
| backup_codes                     | user3        |       0 |
| backup_codes                     | user4        |       0 |
| backup_codes                     | user1        |       0 |
| backup_codes                     | user5        |       0 |
| backup_codes                     | user6        |       0 |
| backup_codes                     | user7        |       0 |
| backup_codes                     | user8        |       0 |
| totp                             | user1        |       0 |
| totp                             | user8        |       0 |
| twofactor_nextcloud_notification | user1        |       0 |
| twofactor_nextcloud_notification | user8        |       0 |
+----------------------------------+--------------+---------+

For the life of me I could not change any twofactor app settings no matter what OCC commands I ran,
so I changed it back to “0” with…
update oc_twofactor_providers set enabled = '0';

Now one thing to note… this command sets 2FA for ALL users to inactive.
If you want to disable 2FA for a given user only, run this (the condition belongs in a WHERE clause; writing `and` instead of `where` would again update every row)…
update oc_twofactor_providers set enabled = '0' where uid = 'userID';

So… to recap…
When you have enabled two-factor and you don’t have the backup codes for a particular user, you can see from the database which user has 2FA enabled and proceed to deactivate it to regain access.

Log in to your database and select the nextcloud database,
then issue…
show tables;

On that list you will see a lot of tables, but you are only interested in
oc_twofactor_providers

To view the current state of the providers, issue…
select * from oc_twofactor_providers;

It will return to you a table of all the providers and which users have them enabled, just like the above example provided by my database.

Then issue…
update oc_twofactor_providers set enabled = '0' where uid = 'userID';
Boom. That should do it. Try logging in again with the user in question.

ALSO REMEMBER:
If you are copying and pasting the commands from this thread, be sure to retype the single quotation marks, as they get changed when posting to this thread.

Hope this helps whoever is in need.

9 Likes
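To make the per-user query above concrete, here is an added example (not from the thread) that replays both the mistaken `set enabled = '0' and uid = ...` spelling and the correct `where uid = ...` form against an in-memory SQLite copy of the table. The rows are constructed; user8 is assumed to be a user who legitimately has TOTP enabled and must keep it.

```python
import sqlite3

# Constructed sample rows shaped like the thread's oc_twofactor_providers
# table: (provider_id, uid, enabled). user1 is the locked-out account with a
# stale 'admin' provider; user8 (assumed) legitimately has TOTP enabled.
SAMPLE_ROWS = [
    ("admin", "user1", 1),
    ("backup_codes", "user1", 0),
    ("backup_codes", "user2", 0),
    ("totp", "user1", 0),
    ("totp", "user8", 1),
]

# Mistaken form: there is no WHERE clause, so every row receives
# enabled = ('0' AND uid = ?), which evaluates to 0 for all rows.
BUGGY_UPDATE = "update oc_twofactor_providers set enabled = '0' and uid = ?"
# Intended form: WHERE limits the change to the one user being unlocked.
FIXED_UPDATE = "update oc_twofactor_providers set enabled = '0' where uid = ?"


def fresh_db():
    """Return an in-memory database holding a copy of the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table oc_twofactor_providers "
        "(provider_id text, uid text, enabled int)"
    )
    con.executemany("insert into oc_twofactor_providers values (?, ?, ?)", SAMPLE_ROWS)
    return con


def enabled_providers(con):
    """(provider_id, uid) pairs that would still trigger a 2FA challenge."""
    cur = con.execute(
        "select provider_id, uid from oc_twofactor_providers "
        "where enabled = 1 order by uid, provider_id"
    )
    return cur.fetchall()


def disable_2fa(con, sql, uid):
    """Run one of the two UPDATE forms for uid; return the rows it touched."""
    cur = con.execute(sql, (uid,))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    for label, sql in (("buggy", BUGGY_UPDATE), ("fixed", FIXED_UPDATE)):
        con = fresh_db()
        n = disable_2fa(con, sql, "user1")
        print(label, "touched", n, "rows; still enabled:", enabled_providers(con))
```

MariaDB evaluates the two statements the same way, so the buggy form silently strips 2FA from every account; to clear only the stale 'admin' row rather than every provider for the user, add `and provider_id = 'admin'` to the WHERE clause.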

Thanks a lot!! Helped :grinning:
But to this day it is still an issue in Nextcloud 15.0.7.

Alexander
BTW: for >…enabled = ‘0’;< I don’t need quotation marks.

Good to know! I’m glad I was at least able to help one other person!