Hi Guys,
I originally posted this on GitHub, but was told to post here instead. I would really appreciate any light anyone can shine on this issue.
Thanks!
Steps to reproduce
1. Upgrade to v16 from v15 (using LDAP auth, nginx webserver, php7.2)
Expected behaviour
Login page will display error for invalid passwords, and for correct passwords, will allow you to login.
Actual behaviour
The page simply refreshes when credentials are added. No logs are printed in nextcloud.log, and no webserver/php logs are printed either. However, notifications seem to still be working.
Server configuration
Operating system:
CentOS 7.6
Web server:
Nginx:
nginx version: nginx/1.16.0 (packages.exove.com: SSE2, openssl-1.1.1b, PCRE JIT, TCP Fast Open)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-pcre=../pcre-8.43 --with-pcre-jit --with-pcre-opt=-fPIC --with-openssl=../openssl-1.1.1b --with-libatomic --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --build='packages.exove.com: SSE2, openssl-1.1.1b, PCRE JIT, TCP Fast Open' --with-openssl-opt=no-dtls --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC -mmmx -msse -msse2 -DTCP_FASTOPEN=23' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Database:
MariaDB 10.1.38-1.el7
PHP version:
PHP 7.2.17 (cli) (built: Apr 3 2019 10:02:16) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.17, Copyright © 1999-2018, by Zend Technologies
Nextcloud version: (see Nextcloud admin page)
16.0.0.9
Updated from an older Nextcloud/ownCloud or fresh install:
Upgrade from Nextcloud v15 (latest stable build, can’t remember which version)
Where did you install Nextcloud from:
Using built-in updater via php command line. Also attempted to install using bz2 archive, with same results.
Signing status:
Cannot access signing status, as login fails. I have repaired using occ, with no change.
Signing status
Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.
List of activated apps:
App list
Enabled:
- accessibility: 1.2.0
- activity: 2.9.1
- admin_audit: 1.6.0
- bruteforcesettings: 1.3.0
- camerarawpreviews: 0.6.5
- cloud_federation_api: 0.2.0
- comments: 1.6.0
- contacts: 3.1.1
- dav: 1.9.2
- deck: 0.6.0
- federatedfilesharing: 1.6.0
- federation: 1.6.0
- files: 1.11.0
- files_external: 1.7.0
- files_frommail: 0.2.0
- files_pdfviewer: 1.5.0
- files_rightclick: 0.13.0
- files_sharing: 1.8.0
- files_texteditor: 2.8.0
- files_trashbin: 1.6.0
- files_versions: 1.9.0
- files_videoplayer: 1.5.0
- firstrunwizard: 2.5.0
- gallery: 18.3.0
- groupfolders: 3.0.0
- logreader: 2.1.0
- lookup_server_connector: 1.4.0
- nextcloud_announcements: 1.5.0
- notifications: 2.4.1
- oauth2: 1.4.2
- password_policy: 1.6.0
- privacy: 1.0.0
- provisioning_api: 1.6.0
- recommendations: 0.4.0
- serverinfo: 1.6.0
- sharebymail: 1.6.0
- social: 0.1.4
- socialsharing_email: 1.0.5
- socialsharing_facebook: 1.0.4
- socialsharing_twitter: 1.0.4
- support: 1.0.0
- survey_client: 1.4.0
- systemtags: 1.6.0
- theming: 1.7.0
- twofactor_backupcodes: 1.5.0
- twofactor_totp: 2.1.2
- twofactor_u2f: 2.1.3
- unsplash: 1.1.3
- updatenotification: 1.6.0
- user_ldap: 1.6.0
- viewer: 1.0.0
- workflowengine: 1.6.0
Disabled:
- calendar
- dropit
- encryption
- files_downloadactivity
- mail
- ownbackup
- spreed
- tasks
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Nextcloud configuration:
Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder
or
Insert your config.php content here.
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
```
[root@cloud nextcloud]# sudo -u nginx php occ config:list system
{
    "system": {
        "trusted_domains": [
            "blah.blah"
        ],
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/blah.blah",
        "dbtype": "mysql",
        "version": "16.0.0.9",
        "logtimezone": "America\/Toronto",
        "ldapIgnoreNamingRules": false,
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "loglevel": 2,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "appstore.experimental.enabled": true,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpauthtype": "LOGIN",
        "app.mail.accounts.default": {
            "email": "%EMAIL%",
            "imapHost": "mail.blah.blah",
            "imapPort": 143,
            "imapUser": "%EMAIL%",
            "imapSslMode": "tls",
            "smtpHost": "mail.blah.blah",
            "smtpPort": 587,
            "smtpUser": "%EMAIL%",
            "smtpSslMode": "tls"
        },
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "mysql.utf8mb4": true,
        "updater.release.channel": "daily"
    }
}
```
Are you using external storage, if yes which one: local/smb/sftp/…
No
Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
LDAP (Active Directory)
LDAP configuration (delete this part if not used)
LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder
+-------------------------------+-------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=cloud,CN=Users,DC=adx,DC=blah,DC=net |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | prod-dc2.adx.blah.net |
| ldapBackupPort | 389 |
| ldapBase | DC=adx,DC=blah,DC=net |
| ldapBaseGroups | DC=adx,DC=blah,DC=net |
| ldapBaseUsers | DC=adx,DC=blah,DC=net |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | samAccountName |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))(|(cn=Domain Admins)(cn=Domain Users))) |
| ldapGroupFilterGroups | Domain Admins;Domain Users |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | gidNumber |
| ldapHost | prod-dc1.adx.blah.net |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=user))(|(|(memberof=CN=Domain Users,CN=Users,DC=adx,DC=blah,DC=net)(primaryGroupID=513)))) |
| ldapUserFilterGroups | Domain Users |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------+
Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';
Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.
Client configuration
Browser:
Google Chrome 74.0.3729.108
Operating system:
Fedora 29
Logs
Web server error log
No logs written in error.log during test. Access log shows the following:
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4106 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4105 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - lizzy [29/Apr/2019:12:43:47 -0400] "PROPFIND /remote.php/dav/files/lizzy/ HTTP/2.0" 207 386 "-" "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /api/v1/instance HTTP/1.1" 302 5 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /login HTTP/1.1" 200 2035 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
^C
My nginx config is as follows:
```
upstream php-handler {
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name blah.blah www.blah.blah cloud.blah.blah;
    root /var/www/html;

    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name blah.blah;

    ssl_certificate /etc/letsencrypt/live/blah.blah/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blah.blah/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_session_cache shared:TLS:2m;
    ssl_buffer_size 4k;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;

    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    client_max_body_size 8192M;
    fastcgi_buffers 64 4K;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }

    # location ^~ /data {
    #     internal;
    #     alias /var/www/data;
    # }
}
```
Nextcloud log (data/nextcloud.log)
Nextcloud log
```
No logs written during test.
```
Browser log
content.js:4 [Deprecation] chrome.loadTimes() is deprecated, instead use standardized API: nextHopProtocol in Navigation Timing 2. https://www.chromestatus.com/features/5637885046816768.
(anonymous) @ content.js:4
content.js:5 [Deprecation] chrome.loadTimes() is deprecated, instead use standardized API: nextHopProtocol in Navigation Timing 2. https://www.chromestatus.com/features/5637885046816768.
(anonymous) @ content.js:5
main.js?v=a2be8d33-41:278 JQMIGRATE: Migrate is installed, version 1.4.1
DevTools failed to parse SourceMap: https://blah.blah/core/js/dist/main.js.map
onloadwff.js:71 [Violation] 'setTimeout' handler took 58ms
DevTools failed to parse SourceMap: https://blah.blah/core/js/dist/share_backend.js.map
DevTools failed to parse SourceMap: https://blah.blah/apps/files_videoplayer/js/main.js.map
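A way to check the access-log excerpt in the post for the login loop it describes, as an added example that is not part of the original post or Nextcloud's own code: it parses the log format seen in the excerpt and reports whether any credential submission to the login route was logged. It assumes the web login form submits as a POST to `/login` (optionally behind `/index.php`); the function names are illustrative.

```python
import re
from collections import Counter

# Access-log lines copied from the excerpt in the post above.
SAMPLE_LOG = """\
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4106 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - - [29/Apr/2019:12:43:46 -0400] "GET /login HTTP/2.0" 200 4105 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" "-"
172.16.21.1 - lizzy [29/Apr/2019:12:43:47 -0400] "PROPFIND /remote.php/dav/files/lizzy/ HTTP/2.0" 207 386 "-" "Mozilla/5.0 (Windows) mirall/2.5.1final (build 20181204) (Nextcloud)" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /api/v1/instance HTTP/1.1" 302 5 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
172.16.21.1 - - [29/Apr/2019:12:43:48 -0400] "GET /login HTTP/1.1" 200 2035 "-" "MastoPeek v0.7.2 - https://mastopeek.app-dist.eu" "-"
"""

LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def route(uri):
    """Path without query string or the /index.php front-controller prefix."""
    path = uri.split("?", 1)[0]
    return path[len("/index.php"):] if path.startswith("/index.php/") else path

def login_report(entries):
    """Summarise what the log shows about web login attempts."""
    on_login = [e for e in entries if route(e["uri"]) == "/login"]
    gets = [e for e in on_login if e["method"] == "GET"]
    posts = [e for e in on_login if e["method"] == "POST"]
    if posts:
        verdict = "credential POST logged"
    elif gets:
        verdict = "login page served, no credential POST logged"
    else:
        verdict = "no login traffic logged"
    return {
        "verdict": verdict,
        "get_by_agent": Counter(e["agent"] for e in gets),
        "post_statuses": Counter(e["status"] for e in posts),
        # Requests that carried a Basic-auth user name ($remote_user is set).
        "with_user": [(e["user"], e["method"], route(e["uri"]), e["status"])
                      for e in entries if e["user"] != "-"],
    }

if __name__ == "__main__":
    for key, value in login_report(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

When a POST is present, its status codes in `post_statuses` are the next thing to compare against `nextcloud.log` for the same timestamps.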