One user account repeatedly disabled by system, seemingly random

Nextcloud version (eg, 20.0.5): Nextcloud Hub II 23.0.3
Operating system and version (eg, Ubuntu 20.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.4): 7.4.3
Database: PostgreSQL 12.9

The issue you are facing:

I am hosting a Nextcloud instance from home. It is behind a firewall. All the required ports are open. There are 4-5 active users.

This issue affects only 1 user - the same user repeatedly. At seemingly random times, the user account is disabled by the system.

The firewall logs don’t mention anything relevant.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

This manifests itself as follows:

  • the user is logged in, doing whatever
  • after a random time the browser shows them a user login (username/password) modal prompt, the Nextcloud page is still visible but they are unable to interact with the page
  • they enter their username and password
  • they are then redirected to the login page saying “user account disabled”

It is so far impossible to replicate or to identify what is causing it. The user’s activity is mainly:

  • syncing files to/from 4 devices (2 computers, 2 mobile devices)
  • listening to music hosted on the server (using the Music app)
  • checking email (using the Mail app)
  • editing docs

The user’s devices can be connected to the internal network, via WiFi, and via external mobile network at the same time.

The output of your Nextcloud log in Admin > Logging:

There is nothing in the Nextcloud logs before, during, or after that points to the server disabling the user account.

Everything looks normal.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

user@AAA-BBB-CCC-DDD-EEE:/app/code# cat /app/data/config/config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'STRING',
  'secret' => 'STRING',
  'trusted_domains' =>
  array (
    0 => 'DOMAIN.TLD',
  ),
  'datadirectory' => '/app/data',
  'dbtype' => 'pgsql',
  'version' => '23.0.3.2',
  'overwrite.cli.url' => 'https://DOMAIN.TLD',
  'dbname' => 'STRING',
  'dbhost' => 'postgresql',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'STRING',
  'dbpassword' => 'STRING',
  'installed' => true,
  'trusted_proxies' =>
  array (
    0 => 'AAA.BBB.CCC.DDD',
  ),
  'forcessl' => '1',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'mail',
  'mail_smtpport' => 'XXXX',
  'mail_smtpname' => 'STRING@AAA.CCC.DDD',
  'mail_smtppassword' => 'STRING',
  'mail_from_address' => 'STRING',
  'mail_domain' => 'AAA.BBB.CCC',
  'overwritehost' => 'AAA.BBB.CCC.DDD',
  'overwriteprotocol' => 'https',
  'updatechecker' => false,
  'updater.release.channel' => 'STRING',
  'logfile' => '/dev/stderr',
  'loglevel' => '3',
  'debug' => false,
  'redis' =>
  array (
    'host' => 'redis-AAA-BBB-CCC-DDD',
    'port' => 'STRING',
    'password' => 'STRING',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'integrity.check.disabled' => true,
  'htaccess.RewriteBase' => '/',
  'simpleSignUpLink.shown' => false,
  'instanceid' => 'STRING',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'app_install_overwrite' =>
  array (
    0 => 'radio',
    1 => 'files_reader',
    2 => 'spreed',
    3 => 'pdfdraw',
    4 => 'ocr',
    5 => 'forms',
  ),
  'maintenance' => false,
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
    0 => 'admin',
  ),
  'default_phone_region' => 'US',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpsecure' => '',
);

The output of your Apache/nginx/system log in /var/log/____:

There is nothing in the Nextcloud logs before, during, or after that points to the server disabling the user account.

List of enabled apps:

# occ app:list
Enabled:
  - accessibility: 1.9.0
  - activity: 2.15.0
  - breezedark: 23.2.1
  - cloud_federation_api: 1.6.0
  - dashboard: 7.3.0
  - dav: 1.21.0
  - event_update_notification: 1.4.0
  - external: 3.10.2
  - extract: 1.3.3
  - federatedfilesharing: 1.13.0
  - federation: 1.13.0
  - files: 1.18.0
  - files_external: 1.15.0
  - files_pdfviewer: 2.4.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_videoplayer: 1.12.0
  - gpxpod: 4.3.0
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - mail: 1.11.7
  - maps: 0.1.10
  - music: 1.5.1
  - nextcloud_announcements: 1.12.0
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - password_policy: 1.13.0
  - phonetrack: 0.7.0
  - photos: 1.5.0
  - provisioning_api: 1.13.0
  - richdocuments: 5.0.3
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - text: 3.4.1
  - theming: 1.14.0
  - twofactor_backupcodes: 1.12.0
  - unsplash: 1.2.4
  - updatenotification: 1.13.0
  - user_ldap: 1.13.1
  - viewer: 1.7.0
  - weather_status: 1.3.0
  - workflowengine: 2.5.0
Disabled:
  - admin_audit
  - bruteforcesettings: 2.3.0
  - calendar: 3.2.0
  - circles: 22.1.1
  - comments: 1.9.0
  - contacts: 4.0.8
  - contactsinteraction: 1.2.0
  - encryption
  - files_rightclick: 0.17.0
  - files_versions: 1.15.0
  - firstrunwizard: 2.9.0
  - geoblocker: 0.5.4
  - health: 1.5.0
  - impersonate: 1.10.0
  - onlyoffice: 7.3.2
  - piwik: 0.10.0
  - privacy: 1.6.0
  - recommendations: 0.8.0
  - spreed: 13.0.3
  - support: 1.3.0
  - survey_client: 1.8.0
  - suspicious_login: 4.1.0
  - systemtags: 1.9.0
  - tasks: 0.14.2
  - twofactor_admin
  - twofactor_totp: 6.2.0
  - user_status: 1.0.1

I’d appreciate any suggestions, or ideas on how to investigate further.

What’s the name of the user? root? admin? mngr? Could be the brute-force protection…

Hi, the user is in the admin group.

I thought the same initially, so I disabled the bruteforce protection app. You can see that it is in the disabled apps list.

This has not solved it as the issue still continues.