Active Directory user lockouts after upgrade from OwnCloud v10.0.4 to v10.3.0

Expected behaviour

Users log on to OwnCloud and are able to use the system without being locked out by Active Directory.

Actual behaviour

When users sign into OwnCloud, in an hour's time users will be locked out via Active Directory.

Server configuration

Operating system:
Ubuntu 18.04

Web server:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48

Database:
mysql Ver 14.14 Distrib 5.7.28, for Linux (x86_64) using EditLine wrapper

PHP version:
7.2

ownCloud version: (see ownCloud admin page)
10.3.0

Updated from an older ownCloud or fresh install:
10.0.4

Where did you install ownCloud from:
10.0.4
Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

No errors have been found.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/…
smb

Are you using encryption: yes/no
yes

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
ActiveDirectory

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

NA

ownCloud log (data/owncloud.log)

NA

NA

NA

NA

We have recently upgraded OwnCloud from 10.0.4 on an Ubuntu 16.04 server to 10.3.0. We then upgraded the server to Ubuntu 18.04. Since this change, users who sign into the server are subsequently locked out by ActiveDirectory. Does anyone have any experience with something like this occurring with a similar setup? We have SMB external storage setup configured and LDAP with ActiveDirectory.

Just so that I understand correctly, if a user tries to log in on ownCloud, the AD will lock them out of everything? Basically disable the account?

Did you by any chance upgrade your PHP as well as your ownCloud? Have you made sure all the same libraries are installed?

1 Like

Hello,

@eneubauer, we have set up a lockout rule that after a certain number of incorrect password attempts a user will get locked out of ActiveDirectory and won’t be able to use any services that utilize AD. As such OwnCloud is somehow causing users to get locked out of AD even though they are successfully able to authenticate with the system. Some users who have not signed in, but have been synced from LDAP/AD using occ, are also being locked out. We have updated all of the dependencies including apache2 and php. OwnCloud is installed from the Ubuntu repo and not manually. Is OwnCloud somehow attempting to sign users in?

I believe we have found the culprit and we are still testing. I will keep this post updated on my solution.

2 Likes

My initial belief was incorrect, however I have updated to 10.3.2 and we have not had any further lockouts (for now).

Changes:

  1. Changed cron to system cron.
  2. Redis is now used.
  3. Owncloud was updated to latest version.
  4. System updates.
2 Likes