First login fail after migrating to v10


#1

Hi, I am having a problem with the first user login. I mean users are authenticated against Active Directory 2008 and in the previous version I just had to insert the user in the right AD group; nowadays (after migrating to 10 and converting the db to utf8mb4) new users are unable to login. The error, looking in owncloud.log, seems to be the objectGUID field being recognized as malformed UTF-8.
As a workaround I have to insert the user manually into the table oc_ldap_user_mapping.
Any clue?
thank you
Daniele

Steps to reproduce

  1. first login
  2. owc replies user/password incorrect

Expected behaviour

user should login

Actual behaviour

login denied

Server configuration

Operating system:
Ubuntu 16.04.5 LTS - Linux vmcloud 4.4.0-137-generic #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Web server:
apache2 2.4.18-2ubuntu3.9

Database:
mysql-server 5.7.23-0ubuntu0.16

PHP version:
php7.0 7.0.32-0ubuntu0.16

ownCloud version: (see ownCloud admin page)
10.0.9.5

Updated from an older ownCloud or fresh install:
updated from ver 9

Where did you install ownCloud from:
tarball

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.

No errors have been found.

The content of config/config.php:
sudo -u www-data php occ config:list system

```json
{
  "system": {
    "instanceid": "octr84l01bm4",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
      "192.168.222.39",
      "REMOVED SENSITIVE VALUE",
      "REMOVED SENSITIVE VALUE"
    ],
    "datadirectory": "/var/www/owncloud/data",
    "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
    "dbtype": "mysql",
    "version": "10.0.9.5",
    "dbname": "owncloud",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "logtimezone": "Europe/Rome",
    "loglevel": 0,
    "installed": true,
    "ldapIgnoreNamingRules": false,
    "maintenance": false,
    "singleuser": false,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "mail_smtpmode": "php",
    "updater.secret": "REMOVED SENSITIVE VALUE"
  }
}
```

List of activated apps:
sudo -u www-data php occ app:list

Enabled:

  • comments: 0.3.0
  • configreport: 0.1.1
  • dav: 0.3.2
  • federatedfilesharing: 0.3.1
  • federation: 0.1.0
  • files: 1.5.1
  • files_external: 0.7.1
  • files_sharing: 0.10.1
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • market: 0.2.5
  • notifications: 0.3.4
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.3.1
  • updatenotification: 0.2.1
  • user_ldap: 0.11.0

Disabled:

  • encryption
  • external
  • user_external

Are you using external storage, if yes which one: local/smb/sftp/…
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
ActiveDirectory

LDAP configuration (delete this part if not used)

sudo -u www-data php occ ldap:show-config

+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=ldap_browser,OU=Domain Controllers,DC=xxx,DC=yyy |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | sn;givenName |
| ldapBackupHost | 172.18.10.24 |
| ldapBackupPort | 389 |
| ldapBase | DC=xxx,DC=yyy |
| ldapBaseGroups | DC=xxx,DC=yyy |
| ldapBaseUsers | DC=xxx,DC=yyy |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | objectguid |
| ldapExpertUsernameAttr | userPrincipalName@xxx.yyy |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))(|(cn=grp_owncloud))) |
| ldapGroupFilterGroups | grp_owncloud |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | 172.18.10.23 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson))(|(|(memberof=CN=grp_owncloud,CN=Users,DC=xxx,DC=yyy)(primaryGroupID=13661))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 5000 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson))(|(|(memberof=CN=grp_owncloud,CN=Users,DC=xxx,DC=yyy)(primaryGroupID=13661)))) |
| ldapUserFilterGroups | grp_owncloud |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+

+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=ldap_browser,OU=Domain Controllers,DC=xxx,DC=yyy |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | sn;givenName |
| ldapBackupHost | 172.18.10.24 |
| ldapBackupPort | 389 |
| ldapBase | DC=xxx,DC=yyy |
| ldapBaseGroups | DC=xxx,DC=yyy |
| ldapBaseUsers | DC=xxx,DC=yyy |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | objectguid |
| ldapExpertUsernameAttr | userPrincipalName@xxx.yyy |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))(|(cn=grp_owncloud))) |
| ldapGroupFilterGroups | grp_owncloud |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | group |
| ldapGroupMemberAssocAttr | member |
| ldapHost | 172.18.10.24 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson))(|(|(memberof=CN=grp_owncloud,CN=Users,DC=xxx,DC=yyy)(primaryGroupID=13661))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 5000 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | default |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=organizationalPerson))(|(|(memberof=CN=grp_owncloud,CN=Users,DC=xxx,DC=yyy)(primaryGroupID=13661)))) |
| ldapUserFilterGroups | grp_owncloud |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | organizationalPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser:
firefox 62

Operating system:
linux Ubuntu 18.04.1 LTS

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

```
{"reqId":"b4PjNOqUqtQGm5wjkex4","level":3,"time":"2018-10-11T08:43:10+02:00","remoteAddr":"172.18.110.26","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Exception: {"Exception":"OutOfBoundsException","Message":"Cannot determine username for cn=xxxxx yyyyyyy,ou=gruppi solo utenti,dc=ced,dc=aos from {\"dn\":[\"cn=xxxxx yyyyyyy,ou=gruppi solo utenti,dc=ced,dc=aos\"],\"samaccountname\":[\"r.xxxxx\"],\"mail\":[\"r.xxxxx@xxxxxx.xxx\"],\"displayname\":[\"yyyyyyy xxxxx\"],\"sn\":[\"xxxxx\"],\"givenname\":[\"yyyyyyy\"],\"objectguid\":[null]}, Malformed UTF-8 characters, possibly incorrectly encoded","Code":0,"Trace":"#0 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User\/Manager.php(311): OCA\\User_LDAP\\User\\UserEntry->getUsername()\n#1 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User\/Manager.php(224): OCA\\User_LDAP\\User\\Manager->resolveUID(Object(OCA\\User_LDAP\\User\\UserEntry))\n#2 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User\/Manager.php(426): OCA\\User_LDAP\\User\\Manager->getFromEntry(Array)\n#3 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User_LDAP.php(140): OCA\\User_LDAP\\User\\Manager->getLDAPUserByLoginName('r.xxxxx')\n#4 [internal function]: OCA\\User_LDAP\\User_LDAP->checkPassword(*** sensitive parameters replaced ***)\n#5 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User_Proxy.php(75): call_user_func_array(Array, Array)\n#6 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/Proxy.php(145): OCA\\User_LDAP\\User_Proxy->walkBackends('r.xxxxx', 'checkPassword', Array)\n#7 \/var\/www\/owncloud\/apps\/user_ldap\/lib\/User_Proxy.php(180): OCA\\User_LDAP\\Proxy->handleRequest('r.xxxxx', 'checkPassword', Array)\n#8 \/var\/www\/owncloud\/lib\/private\/User\/Manager.php(252): OCA\\User_LDAP\\User_Proxy->checkPassword(*** sensitive parameters replaced ***)\n#9 \/var\/www\/owncloud\/lib\/private\/User\/Session.php(519): OC\\User\\Manager->checkPassword(*** sensitive parameters replaced ***)\n#10 \/var\/www\/owncloud\/lib\/private\/User\/Session.php(334): OC\\User\\Session->loginWithPassword(*** sensitive parameters replaced ***)\n#11 \/var\/www\/owncloud\/core\/Controller\/LoginController.php(204): OC\\User\\Session->login(*** sensitive parameters replaced ***)\n#12 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin(*** sensitive parameters replaced ***)\n#13 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(159): call_user_func_array(Array, Array)\n#14 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(89): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#15 \/var\/www\/owncloud\/lib\/private\/AppFramework\/App.php(103): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#16 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(46): OC\\AppFramework\\App::main('LoginController', 'tryLogin', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#17 [internal function]: OC\\AppFramework\\Routing\\RouteActionHandler->__invoke(Array)\n#18 \/var\/www\/owncloud\/lib\/private\/Route\/Router.php(342): call_user_func(Object(OC\\AppFramework\\Routing\\RouteActionHandler), Array)\n#19 \/var\/www\/owncloud\/lib\/base.php(919): OC\\Route\\Router->match('\/login')\n#20 \/var\/www\/owncloud\/index.php(55): OC::handleRequest()\n#21 {main}","File":"\/var\/www\/owncloud\/apps\/user_ldap\/lib\/User\/UserEntry.php","Line":110}"}
```



#### Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) …


#2

This looks to me like a db corruption.

I have opened a ticket in the GitHub repo. ownCloud engineers may have a solution for you.


#3

Follow-up question: does the second login work?

Asking because the report says “first” login, which seems to imply that the next login works.


#4

No, it does not work. As a workaround I am inserting the login manually into the table oc_ldap_user_mapping, so I specified “first” because after the manual insert, login is successful.


#5

Hi guys, could the problem be related to the conversion of this kind of field? I mean something about LDAP libraries … if I run ldapsearch on the server the objectguid field is not correct, while in the Windows tool “domain and computers” the LDAP attribute is correct. I read about needing a conversion from bin to hex.
thank you
Daniele


#6

So… you have 2 LDAP servers, ADs, and there the objectguid is correct, but in ldapsearch the objectguid is not correct?


#7

I have AD 2008 servers, not native LDAP. To read the objectguid in AD I use the Windows tool “domain and computers”; after this I write this value into the oc_ldap_user_mapping table using phpMyAdmin.
If I try to read the same field using ldapsearch on the ownCloud server I get a strange value. For example, the correct objectguid 0C44E99A-621F-4A88-BB73-891DA4BE9B72 reported by the Windows tool is retrieved as mulEDB9iiEq7c4kdpL6bcg== from ldapsearch.
Various threads talk about this encoding problem, and maybe ownCloud is using the same libraries as ldapsearch, giving a result not in the correct format.
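The two renderings of the same objectGUID quoted in the posts above (the GUID string the Windows tool shows and the base64 that ldapsearch prints) are the same 16 raw bytes: ldapsearch base64-encodes binary attributes, and the Windows form writes the first three fields little-endian. The following is an added example, not code from the thread or from ownCloud's user_ldap app; it converts between the two forms using the thread's own values and shows why the raw bytes cannot be treated as a UTF-8 string, which is the "Malformed UTF-8 characters" error in the log:

```python
import base64
import uuid

# Values quoted in the thread: one objectGUID as the Windows tool displays it
# and as ldapsearch prints it (base64 of the raw 16-byte attribute).
WINDOWS_GUID = "0C44E99A-621F-4A88-BB73-891DA4BE9B72"
LDAPSEARCH_B64 = "mulEDB9iiEq7c4kdpL6bcg=="


def objectguid_to_string(b64_value: str) -> str:
    """Decode ldapsearch's base64 to the raw 16 bytes and render them as the
    mixed-endian GUID string that Windows tools display."""
    raw = base64.b64decode(b64_value)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    # The first three GUID fields (4, 2 and 2 bytes) are stored little-endian;
    # uuid.UUID(bytes_le=...) performs exactly that byte swap.
    return str(uuid.UUID(bytes_le=raw)).upper()


def string_to_objectguid_b64(guid_text: str) -> str:
    """Inverse direction: GUID string -> raw bytes -> base64 as ldapsearch shows it."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def is_valid_utf8(b64_value: str) -> bool:
    """Check whether the decoded attribute bytes are valid UTF-8 text.
    A raw objectGUID almost never is, so any code that JSON-encodes it as a
    string (instead of converting it to the GUID form first) fails."""
    try:
        base64.b64decode(b64_value).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    print(objectguid_to_string(LDAPSEARCH_B64))    # 0C44E99A-621F-4A88-BB73-891DA4BE9B72
    print(string_to_objectguid_b64(WINDOWS_GUID))  # mulEDB9iiEq7c4kdpL6bcg==
    print(is_valid_utf8(LDAPSEARCH_B64))           # False
```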


#8

Hi, I made a fresh install as a test with Ubuntu 16.04 and owc 10 (as in production) and the problem is not there. I noticed users' home dirs are no longer in the format _nnnn; the new name is exactly the objectguid!
Maybe something went wrong in the migration from 9 to 10?
Should the migration have converted from _nnnn to objectguid?
Does somebody know if it is possible to recover the situation now?
thank you
Daniele