Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

User deletion fails in some circumstances #4375

Closed
putt1ck opened this issue Apr 18, 2017 · 12 comments
Closed

User deletion fails in some circumstances #4375

putt1ck opened this issue Apr 18, 2017 · 12 comments
Labels
bug feature: ldap stale Ticket or PR with no recent activity

Comments

@putt1ck
Copy link

putt1ck commented Apr 18, 2017

Steps to reproduce

  1. Create user
  2. Have user be active
  3. Delete user in web UI

Expected behaviour

User account should be deleted

Actual behaviour

User account appears to be deleted but reappears later

Server configuration

Operating system: Ubuntu 16.04, all official repo installation apart from NC
Web server:: Apache
Database: Postgres
PHP version: 7
Nextcloud version: 11.01, updated from 10(ish?)
Where did you install Nextcloud from: tgz from official

Are you using an external user-backend, if yes which one: LDAP (Samba 4) - but the user account in question was a local test account with the same "real name" (login name, but not UID) as an LDAP account, and this may be the unique circumstance - it also seems that the end user was logged in with their new (in admin group) LDAP account at around the same time as the deletion and added the wrong version of themselves to a new group they created.

However, by a lucky coincidence the server was being accessed by CLI for the purposes of illustrating to tech staff how the files were stored, so we know the local account had been deleted insofar as the related user folder was not there. The user folder was recreated with a set from new user template when the end user accidentally logged in with the old user/pass combination.

@MorrisJobke
Copy link
Member

LDAP (Samba 4) - but the user account in question was a local test account with the same "real name" (login name, but not UID) as an LDAP account, and this may be the unique circumstance - it also seems that the end user was logged in with their new (in admin group) LDAP account at around the same time as the deletion and added the wrong version of themselves to a new group they created.

We don't support that usually. If the LDAP app detects this case it appends a number to the user name. Deleting LDAP users in general is not possible.

However, by a lucky coincidence the server was being accessed by CLI for the purposes of illustrating to tech staff how the files were stored, so we know the local account had been deleted insofar as the related user folder was not there. The user folder was recreated with a set from new user template when the end user accidentally logged in with the old user/pass combination.

This happens, because the LDAP now can create the user with that name.

I would say this is intended behaviour, right @blizzz ?

@putt1ck
Copy link
Author

putt1ck commented May 17, 2017

Steps:
1: user created first.lastname (defaultl user group only)
2: LDAP hooked up, and LDAP server has user available first.lastname
3: user admin shows both original user (as first.lastname|first.lastname and LDAP user UID|first.lastname
4: LDAP user first.lastname added to admin group
5: original test account first.lastname deleted (including directory removed from disk)
6: LDAP user first.lastname (in admin group) logs in at more or less the same time and mistakenly adds original test account to a new group
7: original test account login details somehow retained during this process
8: user first.lastname (accidentally, possibly had set matching local auth password) logs in, undeletion completes by recreating user profile/directory from template

This is intended behaviour?

@MorrisJobke
Copy link
Member

This is intended behaviour?

@blizzz

@MorrisJobke MorrisJobke reopened this May 17, 2017
@blizzz
Copy link
Member

blizzz commented May 17, 2017

with step 3: local user is identified in Nextcloud by "first.lastname" and LDAP user by "$UUID" (e.g. 'fcb098f0-850a-40d3-9428-0342d90d5aea')

with step 8 and "accidentally, possibly had set matching local auth password": if the loginname and password are the same, then the first backend that can authenticate the user will do so. IIRC local backend is always tried first. → LDAP user was never authenticated.

Next login attempt succeeds with LDAP Backend and also has a new folder.

What is the issue now?

@putt1ck
Copy link
Author

putt1ck commented May 17, 2017

The LDAP account had already logged in and created its folder and had content. Non-LDAP account had some minor test content.

LDAP account was in admin group, non-LDAP wasn't. Non-LDAP account was deleted, and got recreated during login.

@MorrisJobke
Copy link
Member

LDAP account was in admin group, non-LDAP wasn't. Non-LDAP account was deleted, and got recreated during login.

How do you know it was recreated? The user folder is no indicator for this AFAIK.

@putt1ck
Copy link
Author

putt1ck commented May 17, 2017

The previous folder and contents were deleted; in addition by coincidence a sys admin was accessing the server doing documentation and had a folder listing without the first.lastname folder, which then reappeared, but as a clean "new user" folder set..

@MorrisJobke
Copy link
Member

The previous folder and contents were deleted; in addition by coincidence a sys admin was accessing the server doing documentation and had a folder listing without the first.lastname folder, which then reappeared, but as a clean "new user" folder set..

This could also mean, that the LDAP user created this. Could you check the oc_users table, because I doubt, that a user is re-created.

@putt1ck
Copy link
Author

putt1ck commented May 17, 2017

The LDAP user folders are named with the UID and existed prior to the local user of the same (login/real) name.

@MorrisJobke
Copy link
Member

The LDAP user folders are named with the UID and existed prior to the local user of the same (login/real) name.

Anyways: is the user then also listen in oc_users in the database?

@MorrisJobke
Copy link
Member

@rullzer @icewind1991 This weird "user is deleted but folder is created again" sounds maybe also like a session that is still active. 🤔

@skjnldsv
Copy link
Member

skjnldsv commented Jun 6, 2019

As there is no feedback since a while I will close this ticket. If this is still happening please make sure to upgrade to the latest version. After that, feel free to reopen.

@skjnldsv skjnldsv closed this as completed Jun 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug feature: ldap stale Ticket or PR with no recent activity
Projects
None yet
Development

No branches or pull requests

5 participants