
"OCP\Files\NotFoundException" when logging in #28061

Closed
AdamReece-WebBox opened this issue Jun 1, 2017 · 19 comments

Comments

@AdamReece-WebBox

Steps to reproduce

Log in as an LDAP user.
(Does not occur if I log in as the root user.)

Expected behaviour

Login completed with index view.

Actual behaviour

Internal server error without an exception message.

My only thoughts would be:

  • "www-data" user can't read the home folder contents brought from the LDAP user, but then session authentication should be used like for SMB/CIFS external mounts.
  • Skeleton directory is empty, because I don't want those sample files being put in everyone's home folder.

Technical details

Remote Address: 172.29.x.x
Request ID: DXi878HN1UFNp0KfkUPp
Type: OCP\Files\NotFoundException
Code: 0
Message:
File: /var/www/cloud/lib/private/legacy/helper.php
Line: 570

Trace

#0 /var/www/cloud/apps/files/lib/Controller/ViewController.php(132): OC_Helper::getStorageInfo('/', false)
#1 /var/www/cloud/apps/files/lib/Controller/ViewController.php(203): OCA\Files\Controller\ViewController->getStorageInfo()
#2 [internal function]: OCA\Files\Controller\ViewController->index('', '', NULL)
#3 /var/www/cloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#4 /var/www/cloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Files\Controller\ViewController), 'index')
#5 /var/www/cloud/lib/private/AppFramework/App.php(98): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Files\Controller\ViewController), 'index')
#6 /var/www/cloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('ViewController', 'index', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#7 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#8 /var/www/cloud/lib/private/Route/Router.php(299): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#9 /var/www/cloud/lib/base.php(918): OC\Route\Router->match('/apps/files/')
#10 /var/www/cloud/index.php(49): OC::handleRequest()
#11 {main}

Server configuration

Operating system: Debian Linux 9 "Stretch"

Web server: Apache 2.4.25 (Debian)

Database: mysql Ver 15.1 Distrib 10.1.23-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

PHP version: PHP 7.0.19-1 (cli) (built: May 11 2017 14:04:47) ( NTS )

ownCloud version: ownCloud 10.0.1.5 (production)

Updated from an older ownCloud or fresh install: Fresh

Where did you install ownCloud from: Manual through shell. (Not using apt/yum.)

Signing status (ownCloud 9.0 and above): https://gist.github.com/AdamReece-WebBox/7a1e3eb17573daac4c9079dca6c6679b

The content of config/config.php: https://gist.github.com/AdamReece-WebBox/e1d79c950e4ea95a71b94841f4f8de39

List of activated apps:

Enabled:

  • calendar: 1.4.2
  • comments: 0.3.0
  • configreport: 0.1.1
  • contacts: 1.5.2
  • dav: 0.2.9
  • external: 1.2
  • federatedfilesharing: 0.3.0
  • federation: 0.1.0
  • files: 1.5.1
  • files_antivirus: 0.10.0.0
  • files_external: 0.7.0
  • files_external_ftp: 0.2.0
  • files_pdfviewer: 0.8.2
  • files_sharing: 0.10.0
  • files_texteditor: 2.2
  • files_trashbin: 0.9.0
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • market: 0.1.0
  • notifications: 0.3.0
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.1
  • updatenotification: 0.2.1
  • user_external: 0.4
  • user_ldap: 0.9.1

Disabled:

  • encryption
  • theme-example

Are you using external storage, if yes which one: SMB/CIFS

Are you using encryption: No

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                                                         |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                                                                                                                         |
| hasPagedResultSupport         |                                                                                                                                                                         |
| homeFolderNamingRule          | attr:homeDirectory                                                                                                                                                      |
| lastJpegPhotoLookup           | 0                                                                                                                                                                       |
| ldapAgentName                 | ***REMOVED SENSITIVE VALUE*** (but this works OK)                                                                                                                       |
| ldapAgentPassword             | ***                                                                                                                                                                     |
| ldapAttributesForGroupSearch  |                                                                                                                                                                         |
| ldapAttributesForUserSearch   |                                                                                                                                                                         |
| ldapBackupHost                |                                                                                                                                                                         |
| ldapBackupPort                |                                                                                                                                                                         |
| ldapBase                      | ***REMOVED SENSITIVE VALUE*** (but this works OK)                                                                                                                       |
| ldapBaseGroups                | ***REMOVED SENSITIVE VALUE*** (but this works OK)                                                                                                                       |
| ldapBaseUsers                 | ***REMOVED SENSITIVE VALUE*** (but this works OK)                                                                                                                       |
| ldapCacheTTL                  | 600                                                                                                                                                                     |
| ldapConfigurationActive       | 1                                                                                                                                                                       |
| ldapDynamicGroupMemberURL     |                                                                                                                                                                         |
| ldapEmailAttribute            | mail                                                                                                                                                                    |
| ldapExperiencedAdmin          | 0                                                                                                                                                                       |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                                         |
| ldapExpertUUIDUserAttr        |                                                                                                                                                                         |
| ldapExpertUsernameAttr        | uid                                                                                                                                                                     |
| ldapGroupDisplayName          | cn                                                                                                                                                                      |
| ldapGroupFilter               | (&(|(objectclass=posixGroup))(|(cn=Account Managers)(cn=Administrators)(cn=Developers)(cn=Staff)(cn=Users)))                                                            |
| ldapGroupFilterGroups         | Account Managers;Administrators;Developers;Staff;Users                                                                                                                  |
| ldapGroupFilterMode           | 0                                                                                                                                                                       |
| ldapGroupFilterObjectclass    | posixGroup                                                                                                                                                              |
| ldapGroupMemberAssocAttr      | memberUid                                                                                                                                                               |
| ldapHost                      | ldap://172.29.x.x                                                                                                                                                       |
| ldapIgnoreNamingRules         |                                                                                                                                                                         |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson)(objectclass=posixAccount)(objectclass=sambaSamAccount)(objectclass=shadowAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                                                                                                                                         |
| ldapLoginFilterEmail          | 1                                                                                                                                                                       |
| ldapLoginFilterMode           | 0                                                                                                                                                                       |
| ldapLoginFilterUsername       | 1                                                                                                                                                                       |
| ldapNestedGroups              | 0                                                                                                                                                                       |
| ldapOverrideMainServer        |                                                                                                                                                                         |
| ldapPagingSize                | 500                                                                                                                                                                     |
| ldapPort                      | 389                                                                                                                                                                     |
| ldapQuotaAttribute            |                                                                                                                                                                         |
| ldapQuotaDefault              |                                                                                                                                                                         |
| ldapTLS                       | 0                                                                                                                                                                       |
| ldapUserDisplayName           | displayname                                                                                                                                                             |
| ldapUserDisplayName2          |                                                                                                                                                                         |
| ldapUserFilter                | (|(objectclass=inetOrgPerson)(objectclass=posixAccount)(objectclass=sambaSamAccount)(objectclass=shadowAccount))                                                        |
| ldapUserFilterGroups          |                                                                                                                                                                         |
| ldapUserFilterMode            | 0                                                                                                                                                                       |
| ldapUserFilterObjectclass     | inetOrgPerson;posixAccount;sambaSamAccount;shadowAccount                                                                                                                |
| ldapUuidGroupAttribute        | auto                                                                                                                                                                    |
| ldapUuidUserAttribute         | auto                                                                                                                                                                    |
| turnOffCertCheck              | 0                                                                                                                                                                       |
| useMemberOfToDetectMembership | 1                                                                                                                                                                       |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: Happens on any (Chrome/Edge/...)

Operating system: Happens on any (Windows/OSX/...)

Logs

Web server error log

Irrelevant, same as stack trace posted above.

ownCloud log (data/owncloud.log)

Irrelevant, same as stack trace posted above.

Browser log

Irrelevant, server side issue.

@AdamReece-WebBox
Author

Doesn't look like the skeleton files missing was the cause. I've put them back and the issue still happens.

@AdamReece-WebBox
Author

Also tried removing the homeDirectory attribute so that the user data dir becomes .../data/uid; that also didn't work.

@AdamReece-WebBox
Author

AdamReece-WebBox commented Jun 6, 2017

I've got past the exception by manually changing the "home" property in the accounts table from "/home/adam_reece" to "/var/www/cloud/data/root".

I guess what's happening here is that the real home folder "/home/adam_reece" is trying to be looked at as the "www-data" user, whereas what should be happening is session pass-through authentication in the same way that the SMB/CIFS mounts work.

This makes the setting to specify a home folder "homeFolderNamingRule" useless in the LDAP authentication module if it's not going to use the right credentials to access the underlying file system.

@PVince81
Contributor

but then session authentication should be used like for SMB/CIFS external mounts.

AFAIK the web server can only ever access folders as "www-data". It is not possible to make it switch to another user on FS/process level, if that's what you mean.

The SMB/CIFS mounts happen at the PHP level, so it's not really a filesystem mount but PHP which is connecting directly to SMB and virtually makes the contents appear inside OC. It's not done at the FS level.

@AdamReece-WebBox
Author

Ah okay... Wouldn't that make "homeFolderNamingRule" quite pointless then? Typically a POSIX home folder path in a directory would be "/home/username".

A web server user would almost never be allowed to read/write anyone else's home folder because allowing anything other than the owning user to read/write a home folder at FS level would deny the user from logging in at all. (The host system or another application would throw a security exception because the home folder is open to exploits.) Example: https://unix.stackexchange.com/questions/37164/ssh-and-home-directory-permissions

This would only be useful if a SMB/CIFS or other external mount path could be used for home folders so file operations happen in context of the owning user rather than the web server's user.

@PVince81
Contributor

Many successful deployments use this but have the home folder under the "data" folder inside the OC folder, or a folder in another location also accessible under "www-data". So I wouldn't call it pointless.

I'm not sure how these setups are done in detail though. Maybe permissions are remapped somehow by forcing user/group to be www-data on the FS mount.

@AdamReece-WebBox
Author

Allowing www-data to directly write to a home folder sounds like disaster waiting to happen. :)

@PVince81
Contributor

@jvillafanez @butonic do you know more about how this is used ?

@jvillafanez
Member

I haven't used it. I'll have to check it at some point.

Anyway, my personal recommendation is to treat the data folder as a black box: you shouldn't care about its folder structure.

@AdamReece-WebBox
Author

Sounds fair. What I was going to do is set the user quota right down to 1 KiB because it wouldn't be great for user data to be placed with the website, then we will instruct our staff to use the "Personal" external storage folder (which is a SMB/CIFS mount) for their own files.

The downside to this is no deleted or old files could be stored as these are within the user's "black box" space.

@ownclouders
Contributor

Hey, this issue has been closed because the label status/STALE is set and there were no updates for 7 days. Feel free to reopen this issue if you deem it appropriate.

@PVince81
Contributor

It is not technically possible for the PHP code to make the web server user switch to another user to access the data of another user at the FS level.

@coco3271

@AdamReece-WebBox Hi, I am having the same problem. Getting an error 500 when logging in with another user, but logging in as root is fine.

Could you please point to how to solve this?

Thank you

@AdamReece-WebBox
Author

@coco3271 as discussed the issue is simply a Linux FS permissions one. Your web server is likely running as user "www-data" or similar, thus won't have permission to read/write to the home folder of the user you're logging in as.

I've got past the exception by manually changing the "home" property in the accounts table from "/home/adam_reece" to "/var/www/cloud/data/root".

I guess what's happening here is that the real home folder "/home/adam_reece" is trying to be looked at as the "www-data" user, whereas what should be happening is session pass-through authentication in the same way that the SMB/CIFS mounts work.

This makes the setting to specify a home folder "homeFolderNamingRule" useless in the LDAP authentication module if it's not going to use the right credentials to access the underlying file system.

@coco3271

@AdamReece-WebBox Thanks. My path "/var/www/cloud/data/root" doesn't exist on my server.
Does that mean whenever you have a new user created you would have to change manually within the accounts table?

@jvillafanez
Member

There might be potentially problematic behaviours changing the default home directory. My personal recommendation is to leave the "homeFolderNamingRule" and "ldapExpertUsernameAttr" ldap configurations with the default empty values.

Does that mean whenever you have a new user created you would have to change manually within the accounts table?

No, you shouldn't. Unless told otherwise, all home directories will be created inside ownCloud's data directory (consider the "homeFolderNamingRule" as an exception to this), so ownCloud should have enough permissions to create the user's folder there.

@MichaIng

MichaIng commented Sep 10, 2018

Just in case someone gets here via web search:

  • The Internal server error + OCP\Files\NotFoundException can as well occur without LDAP on first web UI access (login) to a fresh install.
  • Never faced this before, but on a test install, I experimented with disabled PHP modules. I guess I had phar and posix disabled on first access, which then failed. Not 100% sure any more. After enabling these needed modules, the error persists. Found /path/to/owncloud/data/<user>/files dir was not created. Creating it manually fixed the issue. Possibly auto creation (which should occur on first access) failed due to disabled PHP modules and is not repeated on second access?

I suggest that ownCloud handles this missing dir better: if /path/to/owncloud/data/<user> exists, just try to recreate files. But I will do some more testing over time and can then open a separate issue, after enough info is collected.

@maxxoverclocker

maxxoverclocker commented Sep 25, 2018

Just as an FYI, I have this same problem with LDAP accounts. I can resolve manually by running a
mkdir files files_trashbin files_versions
inside of the user directory. For some reason nextcloud can only create the 'cache' directory.

Edit: this is using Ubuntu snap method. So owner of the path is root:root, not www-data. (by design)
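
The two failure modes discussed in this thread (the web-server account lacking access to the directory that "home" resolves to, and a user directory that exists but never got its per-user subfolders) can be checked with the following diagnostic script. It is an added example, not ownCloud's code and not posted by any participant. It assumes the web server runs as www-data (overridable through the assumed WEB_USER variable), that a usable home needs the files, files_trashbin and files_versions subfolders named above, and all paths in it are illustrative.

```shell
#!/bin/sh
# Added example (not ownCloud's code): diagnose one ownCloud user home.
#   1. Can the current process (run it as the web-server account) traverse,
#      read and write the directory?
#   2. Are the per-user subfolders present, and can they be recreated?
# WEB_USER and the paths below are assumptions for illustration.

WEB_USER="${WEB_USER:-www-data}"

# Subfolders ownCloud creates on first login, as named in this thread.
OC_USER_SUBDIRS="files files_trashbin files_versions"

# Print the subfolders missing under $1 (space separated, possibly empty).
# Returns 0 when nothing is missing, 1 otherwise.
oc_missing_subdirs() {
    home="$1"
    missing=""
    for d in $OC_USER_SUBDIRS; do
        [ -d "$home/$d" ] || missing="$missing $d"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Create whatever oc_missing_subdirs reports so the next login succeeds.
# Ownership is left to the caller (chown to the web-server account if needed).
oc_repair_home() {
    home="$1"
    for d in $(oc_missing_subdirs "$home"); do
        mkdir -p "$home/$d" || return 1
    done
    return 0
}

# Report whether the *current* process can use $1 as an ownCloud home.
# Run as the web-server account (sudo -u "$WEB_USER" sh thisfile path) to
# see what the PHP code sees; a POSIX home such as /home/alice with mode
# 0700 fails the traversal check here, which is the situation in this issue.
# Returns 0 when usable, 1 otherwise, with one reason on stdout.
oc_home_access() {
    home="$1"
    if [ ! -d "$home" ]; then printf 'missing directory: %s\n' "$home"; return 1; fi
    if [ ! -x "$home" ]; then printf 'cannot traverse: %s\n' "$home"; return 1; fi
    if [ ! -r "$home" ]; then printf 'cannot read: %s\n' "$home"; return 1; fi
    if [ ! -w "$home" ]; then printf 'cannot write: %s\n' "$home"; return 1; fi
    printf 'usable by %s: %s\n' "$(id -un)" "$home"
    return 0
}

# Command-line use: sudo -u www-data sh check_oc_home.sh /var/www/cloud/data/alice
if [ "$#" -eq 1 ]; then
    oc_home_access "$1" || exit 1
    missing=$(oc_missing_subdirs "$1") || printf 'missing subfolders: %s\n' "$missing"
fi
```

Running the access check as the web-server account rather than as root is the important part: root passes every test, so a check run from a root shell says nothing about what the PHP process can reach.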

@phil-davis
Contributor

For some reason nextcloud can only create the 'cache' directory.

Note: this is the ownCloud repository.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 26, 2019