Nextcloud 2FA borked. All admins locked out

Also, it might be a good idea to bump the log level to debug and watch the nextcloud.log, when trying to log in.

Sounds a lot like what I faced. Check this thread and see if the steps I took help:

OK, I'll do it.
It is my personal instance. My last resort…
I did one thing right (I suppose): I duplicated the entire nextcloud folder and labelled it as running config.
Would I be shooting myself in the foot if I just rename the file to nextcloud, log in, and go about my business?
I dup'ed this a while ago and the data directory is inside of it as well.

[root@ADELL nextcloud]# sudo -u apache php occ app:list
Enabled:

  • accessibility: 1.1.0
  • activity: 2.8.2
  • bruteforcesettings: 1.3.0
  • cloud_federation_api: 0.1.0
  • comments: 1.5.0
  • dav: 1.8.1
  • federatedfilesharing: 1.5.0
  • federation: 1.5.0
  • files: 1.10.0
  • files_external: 1.6.0
  • files_pdfviewer: 1.4.0
  • files_sharing: 1.7.0
  • files_texteditor: 2.7.0
  • files_trashbin: 1.5.0
  • files_versions: 1.8.0
  • files_videoplayer: 1.4.0
  • firstrunwizard: 2.4.0
  • gallery: 18.2.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.3.0
  • nextcloud_announcements: 1.4.0
  • notifications: 2.3.0
  • oauth2: 1.3.0
  • password_policy: 1.5.0
  • provisioning_api: 1.5.0
  • serverinfo: 1.5.0
  • sharebymail: 1.5.0
  • support: 1.0.0
  • survey_client: 1.3.0
  • systemtags: 1.5.0
  • theming: 1.6.0
  • twofactor_backupcodes: 1.4.1
  • updatenotification: 1.5.0
  • workflowengine: 1.5.0
Disabled:
  • admin_audit
  • encryption
  • twofactor_admin
  • twofactor_totp
  • user_ldap
[root@ADELL nextcloud]# sudo -u apache php occ app:disable twofactor_backupcodes
twofactor_backupcodes can't be disabled.
[root@ADELL nextcloud]#

Ahh… you do have the twofactor_admin installed. That one would provide you with a backup_code for your user:

./occ twofactorauth:admin:generate-code MarkB

[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:admin:generate-code MarkB

There are no commands defined in the “twofactorauth:admin” namespace.

Did you mean this?
twofactorauth

[root@ADELL nextcloud]#

Ehh… sorry… please re-enable the twofactor_admin app…

OK, we are getting somewhere…
I have my code, but now for some reason the Nextcloud login page says:
Could not load at least one of your enabled two-factor auth methods. Please contact your admin.
Two-factor authentication is enforced but has not been configured on your account. Contact your admin for assistance.

Well… then re-enable the other, currently disabled twofactor_totp app.

I have enabled the TOTP app.
Gives the same error on logon.

Disabled and then re-enabled all other twofactor apps.
Still the same message on login.
No, I'm trying to figure out why it won't say "use backup codes" anymore.
I created an admin account to try and solve this. Should I delete that and try and create another?

You might also need to re-enable 2fa for your account again, no? We disabled that for your account.

./occ twofactorauth:enable MarkB totp

I don't know if creating a new user would help you, but you could of course try that as well.

OK, so a little update…
I ran
[root@ADELL nextcloud]# sudo -u apache php occ twofactorauth:enable MarkB totp
The provider does not support this operation.

Finally got fed up and created an account called admin,
granted admin access to this account… and logged in!
I see now I have all access to Nextcloud from the account, however…
I navigated to the security settings and removed the admin group from the enforced group settings,
added it to the not enforced groups,
unchecked the enforce 2FA box,
tried logging in with MY admin account aaaaaaaaand nothing. It still says 2FA not configured.

Going back to the admin user account, I check the log when I try to log in on another computer and 4 errors pop up immediately:

[core] Error: 1 two-factor auth providers failed to load
GET /index.php/login/selectchallenge
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: two-factor auth provider ‘admin’ failed to load
GET /index.php/login/selectchallenge
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: 1 two-factor auth providers failed to load
POST /index.php/login
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

[core] Error: two-factor auth provider ‘admin’ failed to load
POST /index.php/login
from xxx.xxx.x.xxx by MarkB at 2019-03-30T22:17:27+00:00

What do you guys think?

Well… this is why I asked about your instance and its importance. As it seems to be right now, I'd go for a new installation and keep the data folder, if there's data on it which you don't have anywhere else.

Do you have your data folder inside your NC instance folder? This is the usual setup, but it needn't be this way.

SIDENOTE*
You need direct database access to the Nextcloud instance to repair this issue!

So after much work and sweating and pondering and trial and error… I got in!!
Also with the help of my boss, who got me into Nextcloud and knows it a lot better than me.
SO… I will do my best to elaborate so that whoever has a similar issue in the future may stumble on this thread and hopefully fix it.
At the end of the day there seemed to be an issue with the database.
If there is ever an issue with 2FA, do NOT do what I did and install more apps, as it will clutter up the database. Also there is no need to create new users in hopes of getting rid of 2FA that way.

For some reason there was an entry in the database tables under oc_twofactor_providers set as enabled here…

MariaDB [nextcloud]> select * from oc_twofactor_providers;
+----------------------------------+--------------+---------+
| provider_id                      | uid          | enabled |
+----------------------------------+--------------+---------+
| admin                            | user1        |       1 |   <---------THIS STUPID GUY
| backup_codes                     | user2        |       0 |
| backup_codes                     | user3        |       0 |
| backup_codes                     | user4        |       0 |
| backup_codes                     | user1        |       0 |
| backup_codes                     | user5        |       0 |
| backup_codes                     | user6        |       0 |
| backup_codes                     | user7        |       0 |
| backup_codes                     | user8        |       0 |
| totp                             | user1        |       0 |
| totp                             | user8        |       0 |
| twofactor_nextcloud_notification | user1        |       0 |
| twofactor_nextcloud_notification | user8        |       0 |
+----------------------------------+--------------+---------+

For the life of me I could not change any twofactor app settings no matter what OCC commands I ran,
so I changed it back to "0" with…
update oc_twofactor_providers set enabled = '0';

Now one thing to note… this command sets 2FA for ALL users to inactive.
If you want to disable 2FA for a given user only, run this…
update oc_twofactor_providers set enabled = 0 where uid = 'userID';

So… to recap…
When you have enabled twofactor and you don't have the backup codes for a particular user, you can see which user has 2FA enabled from the database and proceed to deactivate it to regain access.

Log in to your database and select the nextcloud database,
then issue…
show tables;

On that list you will see a lot of tables, but you are only interested in
oc_twofactor_providers

To view the current state of the providers, issue…
select * from oc_twofactor_providers;

It will return a table of all the providers and which users have them enabled, just like the above example from my database.

Then issue…
update oc_twofactor_providers set enabled = 0 where uid = 'userID';
Boom. That should do it. Try logging in again with the user in question.

ALSO REMEMBER
If you are copying and pasting the commands from this thread, be sure to retype the single quotation marks, as they get changed when posting to this thread.

Hope this helps whoever is in need.

9 Likes
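The repair described in the post above, as an added example that is not part of the original thread and not Nextcloud's own code. It rebuilds the oc_twofactor_providers table from the post (rows constructed to mirror that dump, columns provider_id, uid, enabled as printed there) in an in-memory SQLite database so it runs offline; the real instance used MariaDB, and the only semantics relied on (`=` binding tighter than `AND`, string '0' being false) are the same in both. It shows the inspection query, the targeted per-user disable with a proper WHERE, and why the statement originally posted in the thread, `set enabled = '0' and uid = 'userID'`, silently disables 2FA for every user: it is parsed as `SET enabled = ('0' AND (uid = 'userID'))`, which is 0 for every row.

```python
"""Reproduce the oc_twofactor_providers repair offline (added example, not
from the thread). Table layout follows the dump in the post; the rows are
constructed sample data. SQLite stands in for MariaDB so this runs anywhere."""
import sqlite3

# Constructed copy of the relevant rows from the dump in the post.
SAMPLE_ROWS = [
    ("admin", "user1", 1),          # the stuck 'admin' provider row
    ("backup_codes", "user2", 0),
    ("backup_codes", "user1", 0),
    ("totp", "user1", 0),
    ("totp", "user8", 0),
    ("twofactor_nextcloud_notification", "user8", 0),
]


def fresh_db(rows=SAMPLE_ROWS):
    """Build an in-memory table shaped like oc_twofactor_providers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_twofactor_providers "
        "(provider_id TEXT NOT NULL, uid TEXT NOT NULL, enabled INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO oc_twofactor_providers VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def enabled_providers(conn):
    """Inspection step: which (uid, provider_id) pairs are currently enabled."""
    return sorted(
        conn.execute(
            "SELECT uid, provider_id FROM oc_twofactor_providers WHERE enabled = 1"
        ).fetchall()
    )


def disable_2fa_for_user(conn, uid):
    """Targeted repair: parameterised WHERE on uid, inside a transaction.

    Counts the matching rows first and refuses to commit if the UPDATE touched a
    different number of rows, so a typo in the statement cannot blow away every
    user's second factor. Returns the number of rows disabled."""
    expected = conn.execute(
        "SELECT COUNT(*) FROM oc_twofactor_providers WHERE uid = ?", (uid,)
    ).fetchone()[0]
    cur = conn.execute(
        "UPDATE oc_twofactor_providers SET enabled = 0 WHERE uid = ?", (uid,)
    )
    if cur.rowcount != expected:
        conn.rollback()
        raise RuntimeError(f"UPDATE touched {cur.rowcount} rows, expected {expected}")
    conn.commit()
    return cur.rowcount


def buggy_disable(conn, uid):
    """The statement as originally posted in the thread (kept for contrast).

    There is no WHERE clause: `'0' AND uid = ?` is a boolean expression that is
    0 for every row, so every user's 2FA is disabled. Returns rows touched."""
    cur = conn.execute(
        "UPDATE oc_twofactor_providers SET enabled = '0' AND uid = ?", (uid,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = fresh_db()
    print("enabled before:", enabled_providers(db))
    print("rows disabled for user1:", disable_2fa_for_user(db, "user1"))
    print("enabled after:", enabled_providers(db))

    db = fresh_db()
    print("buggy statement for a non-existent user touched",
          buggy_disable(db, "nobody"), "rows; enabled now:", enabled_providers(db))
```

Run it as a script to see both outcomes side by side. On the real MariaDB instance the equivalent is `START TRANSACTION; UPDATE oc_twofactor_providers SET enabled = 0 WHERE uid = 'userID';` followed by checking the reported row count against the SELECT before `COMMIT`.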

Thanks a lot!! Helped :grinning:
But to this day it is still an issue in Nextcloud 15.0.7.

Alexander
BTW: for `…enabled = '0';` I don't need quotation marks.

Good to know! I’m glad I was at least able to help one other person!

Hi @markmn123

Thanks for the long and informative post. Just to let you know, I edited your post to avoid issues with copy and paste (just in case someone overlooks your warning "ALSO REMEMBER").

Just so you know, you can write commands without any formatting issues here, by surrounding the command like that:

`command`

So I faced the same issue and managed to solve it by reinstalling the borked provider using the following commands:

occ app:remove twofactor_totp
occ app:install twofactor_totp

After that I was able to login as normal again. Hope it helps someone!

Hi all, I am new in this forum and trying to get my nextCloud (nextCloudPi v1.39.1, nextCloud 21.0.4.1) up and running. I faced the same issue with 2FA: enabling was easy, disabling was a problem.
I followed the above thread, but finally I could manage it on the UI level:

  1. Deactivate TOTP in personal settings
  2. Deactivate 2FA enforcement on the admin maintenance level
Logging out as ncp and logging in as ncp again worked without enforcement of OTP or backup codes anymore. Only userid + password.

By the way, I had to disable 2FA again, because it somehow causes problems when I try to sync calendar + contacts between Thunderbird and nextCloud.

Best Regards,
Robert

Hey, I ran into the same thing with my Nextcloud instance running in Docker. Turns out the issue was that the totp plugin was disabled. I solved this by running

./occ app:enable twofactor_totp

After running this, I was able to login without issues. Hope this helps someone.