Sharing to AD group fails when not all users have logged in #22907

Closed
kalletabur opened this Issue Mar 7, 2016 · 7 comments


@kalletabur

Steps to reproduce

  1. Set up ownCloud with LDAP, choosing a couple of groups to be available
  2. Share a file to an AD group
  3. Try to access the shared files

Expected behaviour

Share keys should be created for everyone who has logged in, and the file should be accessible by all these users.

Actual behaviour

The file has been shared: email notifications are sent and the file is visible under the Shared folder, but users cannot access this file.
The user gets the error:
"Can not read this file, probably this is a shared file. Please ask the file owner to reshare the file with you."
The user who shares doesn't see any error message.
Share keys are not created.
Re-sharing doesn't help.
Cause: sharing to a group fails because one user hasn't logged in.

Server configuration

Operating system:
Debian 8.3

Web server:
NGINX

Database:
MySQL

PHP version:
PHP 5.6.17-0+deb8u1

ownCloud version: (see ownCloud admin page)
ownCloud 8.2.2 (stable)

Updated from an older ownCloud or fresh install:
fresh install

Where did you install ownCloud from:
apt-get

List of activated apps:

Enabled:
  - activity: 2.1.3
  - encryption: 1.1.0
  - files: 1.2.0
  - files_pdfviewer: 0.7
  - files_sharing: 0.7.0
  - files_texteditor: 2.0
  - files_trashbin: 0.7.0
  - files_versions: 1.1.0
  - files_videoviewer: 0.1.3
  - firstrunwizard: 1.1
  - user_ldap: 0.7.1
Disabled:
  - external
  - files_external
  - gallery
  - notifications
  - provisioning_api
  - templateeditor
  - user_external

The content of config/config.php:

{
    "system": {
        "instanceid": "instanceid",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "oc.export.com"
        ],
        "logtimezone": "UTC",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "mail.export.com",
        "mail_smtpport": "25",
        "forcessl": true,
        "datadirectory": "\/var\/ocdata",
        "overwrite.cli.url": "https:\/\/mail.export.com",
        "dbtype": "mysql",
        "version": "8.2.2.2",
        "dbname": "ocdb",
        "dbhost": "localhost",
        "dbtableprefix": "oc_prefix",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "loglevel": 1
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
no

Are you using encryption: yes/no
yes

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

+-------------------------------+--+
| Configuration||
+-------------------------------+--+
| hasMemberOfFilterSupport| 1|
| hasPagedResultSupport||
| homeFolderNamingRule||
| lastJpegPhotoLookup| 0|
| ldapAgentName| CN=sites,DC=example,DC=local|
| ldapAgentPassword||
| ldapAttributesForGroupSearch||
| ldapAttributesForUserSearch||
| ldapBackupHost||
| ldapBackupPort||
| ldapBase| DC=example,DC=local|
| ldapBaseGroups| DC=example,DC=local|
| ldapBaseUsers| DC=example,DC=local|
| ldapCacheTTL| 600|
| ldapConfigurationActive| 1|
| ldapEmailAttribute| mail|
| ldapExperiencedAdmin| 0|
| ldapExpertUUIDGroupAttr||
| ldapExpertUUIDUserAttr||
| ldapExpertUsernameAttr| sAMAccountName|
| ldapGroupDisplayName| cn|
| ldapGroupFilter| (&(|(objectclass=group))(|(cn=)(cn=)))|
| ldapGroupFilterGroups||
| ldapGroupFilterMode| 0|
| ldapGroupFilterObjectclass| group|
| ldapGroupMemberAssocAttr| member|
| ldapHost| expdc|
| ldapIgnoreNamingRules||
| ldapLoginFilter| (&(&(|(objectclass=person))(|(|())))(samaccountname=%uid))|
| ldapLoginFilterAttributes||
| ldapLoginFilterEmail| 0|
| ldapLoginFilterMode| 0|
| ldapLoginFilterUsername| 1|
| ldapNestedGroups| 0|
| ldapOverrideMainServer||
| ldapPagingSize| 500|
| ldapPort| 3389|
| ldapQuotaAttribute||
| ldapQuotaDefault||
| ldapTLS| 0|
| ldapUserDisplayName| displayName|
| ldapUserFilter| (&(|(objectclass=person))(|(|(memberof=)(primaryGroupID=00))))|
| ldapUserFilterGroups||
| ldapUserFilterMode| 0|
| ldapUserFilterObjectclass| person|
| ldapUuidGroupAttribute| auto|
| ldapUuidUserAttribute| auto|
| turnOffCertCheck| 0|
| useMemberOfToDetectMembership| 1|
+-------------------------------+--+

Logs

ownCloud log (data/owncloud.log)

{"reqId":"`'|k|b5(c/)(|(e0Sz0YNPF;","remoteAddr":"10.1.10.19","app":"hook","message":"error while running hook (OC\\Encryption\\HookManager::postShared): Public Key missing for user: u.user1","level":3,"time":"2016-03-07T11:44:42+00:00"}
{"reqId":"19(:c`i">gUM*N##E6OW,;La<E4","remoteAddr":"10.10.10.9","app":"no app in context","message":"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","level":3,"time":"2016-03-07T11:45:00+00:00"}
{"reqId":"19(:c`i">gUM*N##E6OW,;La<E4","remoteAddr":"10.10.10.9","app":"webdav","message":"Exception: {\"Message\":\"Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.\",\"Exception\":\"OC\\\\Encryption\\\\Exceptions\\\\DecryptionFailedException\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(442): OCA\\\\Encryption\\\\Crypto\\\\Encryption->decrypt('mu3pGgA1AcjywnvYQrfK...')\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(281): OC\\\\Files\\\\Stream\\\\Encryption->readCache()\\n#2 [internal function]: OC\\\\Files\\\\Stream\\\\Encryption->stream_read(8192)\\n#3 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/icewind\\\/streams\\\/src\\\/Wrapper.php(67): fread(Resource id #116, 8192)\\n#4 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/icewind\\\/streams\\\/src\\\/CallbackWrapper.php(88): Icewind\\\\Streams\\\\Wrapper->stream_read(8192)\\n#5 [internal function]: Icewind\\\\Streams\\\\CallbackWrapper->stream_read(8192)\\n#6 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/http\\\/lib\\\/Sapi.php(70): file_put_contents('php:\\\/\\\/output', Resource id #119)\\n#7 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\HTTP\\\\Sapi::sendResponse(Object(Sabre\\\\HTTP\\\\Response))\\n#8 \\\/var\\\/www\\\/owncloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#9 \\\/var\\\/www\\\/owncloud\\\/apps\\\/files\\\/appinfo\\\/remote.php(56): Sabre\\\\DAV\\\\Server->exec()\\n#10 \\\/var\\\/www\\\/owncloud\\\/remote.php(137): require_once('\\\/var\\\/www\\\/ownclo...')\\n#11 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/crypto\\\/encryption.php\",\"Line\":324}","level":4,"time":"2016-03-07T11:45:00+00:00"}

Browser and client error screenshot

(screenshot: owncloud_client_error)

(screenshot: group_sharing_owncloud_error)

@PVince81
Collaborator
PVince81 commented Mar 7, 2016

Share keys should be created to everyone who has been logged in

@kalletabur this seems to contradict the title, where you say sharing with a group where some users in the group haven't logged in yet?

Note that encryption cannot generate keys for users who have never logged in, because the keys require the user's password. This is a known issue: #16332

@kalletabur

I don't see a major contradiction (maybe wording). In my case I cannot share anything with a group because one user hasn't logged in, or to be precise, one user doesn't have keys. All other users have keys. And what's strange is that the file seems to be shared correctly, but when a user wants to access this file an error message is shown. And when I check the files under
/ocdata/user_2/files_encryption/keys/files/Documents/shared_file.pptx/OC_DEFAULT_MODULE
there are no shareKey files.

@PVince81
Collaborator
PVince81 commented Mar 7, 2016

If the user has never logged in, then that user has no private/public key pair, which makes it impossible to generate sharing keys. This is part of the limitations of this sharing algorithm.

After sharing with a group, if you say that the file is shared correctly with the other users, then it is fine.
The user in question who didn't have the key will receive the message "please ask the owner to share again with you" when trying to access the file.

I'd close this as duplicate of #16332

Note that due to these limitations another, simplified encryption method has been developed recently, master key: https://doc.owncloud.org/server/8.2/admin_manual/configuration_files/encryption_configuration.html?highlight=master%20key#occ-encryption-commands

Unfortunately there is no migration path from the one to the other (yet).

@kalletabur

No, you didn't understand. This doesn't concern these AD users who haven't logged in (don't have keys) at all.
In our case, AD users who have logged in cannot access these files. They had keys before the file was shared. These users get a notification that someone (me) shared a file with them, and when they try to access this file they get an error. Even the desktop client shows a sync error.
And as I understand it, these normal AD users cannot access this file because in this group there is just one (bad) user who has not logged in, and because of that one user the sharing function doesn't complete at all (error message in owncloud.log: Public Key missing for user: u.user1), and no one can access this shared file, because no shareKeys were ever generated.

@PVince81
Collaborator
PVince81 commented Mar 7, 2016

Okay, I see. So the bug is that share key generation is aborted when a single non-ready user is found.

@schiesbn
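The failure mode pinned down above, as an added illustration that is not ownCloud's code: a group share has to wrap the per-file key once per recipient, and a loop that raises on the first member without a public key leaves every other member without a share key too. The names (`Member`, `ShareResult`, `generate_share_keys_abort`, `generate_share_keys_resilient`), the sample group and the HMAC stand-in for real public-key wrapping are all assumptions made for this example.

```python
# Added illustration (not ownCloud code): one group member without a public
# key must not abort share-key generation for the members who do have one.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class PublicKeyMissing(Exception):
    """A recipient has no public key, e.g. a user who has never logged in."""


@dataclass
class Member:
    uid: str
    public_key: Optional[bytes]  # None models a user who never logged in


@dataclass
class ShareResult:
    share_keys: Dict[str, bytes] = field(default_factory=dict)  # uid -> wrapped key
    skipped: List[str] = field(default_factory=list)           # uids without keys


def wrap_file_key(file_key: bytes, public_key: bytes) -> bytes:
    # Stand-in for wrapping the per-file key to a recipient's public key.
    # An HMAC is used only to keep the example self-contained and deterministic.
    return hmac.new(public_key, file_key, hashlib.sha256).digest()


def generate_share_keys_abort(file_key: bytes, members: List[Member]) -> ShareResult:
    # Reported behaviour: the first member without a key raises, so no share
    # key is stored for anyone, not even for the members who do have keys.
    result = ShareResult()
    for m in members:
        if m.public_key is None:
            raise PublicKeyMissing("Public Key missing for user: " + m.uid)
        result.share_keys[m.uid] = wrap_file_key(file_key, m.public_key)
    return result


def generate_share_keys_resilient(file_key: bytes, members: List[Member]) -> ShareResult:
    # Tolerant behaviour: wrap the file key for every member who has a public
    # key and record the others, so they can be reported and re-shared once
    # they have logged in, without failing the share for the whole group.
    result = ShareResult()
    for m in members:
        if m.public_key is None:
            result.skipped.append(m.uid)
            continue
        result.share_keys[m.uid] = wrap_file_key(file_key, m.public_key)
    return result


# Constructed sample group: two members with keys, one who never logged in.
SAMPLE_GROUP = [
    Member("alice", b"alice-public-key"),
    Member("bob", b"bob-public-key"),
    Member("never.logged.in", None),
]


def demo(members: Optional[List[Member]] = None) -> Tuple[Optional[str], ShareResult]:
    """Run both variants on the same group; return (abort error text, tolerant result)."""
    members = SAMPLE_GROUP if members is None else members
    file_key = hashlib.sha256(b"constructed-file-key-seed").digest()
    abort_error = None
    try:
        generate_share_keys_abort(file_key, members)
    except PublicKeyMissing as exc:
        abort_error = str(exc)
    return abort_error, generate_share_keys_resilient(file_key, members)


if __name__ == "__main__":
    error, tolerant = demo()
    print("abort variant:", error)
    print("tolerant variant: keys for", sorted(tolerant.share_keys),
          "skipped", tolerant.skipped)
```

The `skipped` list is the part worth keeping in a real implementation: it is exactly the information the owner needs to re-share later, and the message that the member without a key sees ("please ask the owner to share again") is accurate only if the other members were not left without keys as well.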

@PVince81 PVince81 added this to the 9.0.1-next-maintenance milestone Mar 7, 2016
@PVince81 PVince81 added the sev2-high label Mar 9, 2016
@schiessle schiessle was assigned by PVince81 Mar 9, 2016
@schiessle
Member

@kalletabur this PR should fix it: #23251 Maybe you can give it a try... Thanks!

@kalletabur

Thanks. Tested and it works.
