Description
Steps to reproduce
- Turn on unsigned binds for LDAP on DC
- Log into Nextcloud with LDAP username and password
- Review Event Log under directory services and see error 2889
This should mean that, once the March MS patch is installed, Nextcloud LDAP will no longer allow logins when those logins use LDAP connections to a Microsoft Domain Controller that has the security patch installed.
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type the following command, and then press ENTER: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- When you are prompted, confirm the overwrite operation by typing Y and pressing ENTER.
- Use Event Viewer to locate the Event ID 2889, which is logged each time that a client computer attempts an unsigned LDAP bind. This event displays the client IP address and the account name that was used when the client computer attempted to authenticate.
- After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0
- Type Y and press ENTER to confirm the settings overwrite, which disables diagnostic logging for the LDAP Interface.
Expected behaviour
Event 2889 should not occur when authentication takes place between a Nextcloud web browser session, the Nextcloud server and the Microsoft AD domain controller.
Actual behaviour
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
The event logged will show the IP of the Nextcloud server and the username of the user who logged into Nextcloud via a web browser.
Client IP address:
[x.x.x.x]:59784
Identity the client attempted to authenticate as:
NET[ms user name]
Binding Type:
1
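To make the discovery step from the steps to reproduce concrete, here is an added Python example (not part of this report or of Nextcloud) that parses exported Event ID 2889 message text in the layout quoted under Actual behaviour and tallies cleartext and unsigned binds per client IP; the sample messages, IP addresses and user names are constructed.

```python
import re
from collections import Counter

# Constructed sample Event ID 2889 message bodies in the layout quoted in this
# report. Not real log data: the Nextcloud server IP and user names are placeholders.
SAMPLE_EVENTS = [
    "Client IP address:\n10.1.1.3:59784\n"
    "Identity the client attempted to authenticate as:\nNET\\jdoe\n"
    "Binding Type:\n1\n",
    "Client IP address:\n10.1.1.3:59790\n"
    "Identity the client attempted to authenticate as:\nNET\\googleSync\n"
    "Binding Type:\n1\n",
    "Client IP address:\n[2001:db8::10]:50211\n"
    "Identity the client attempted to authenticate as:\nNET\\WKS01$\n"
    "Binding Type:\n0\n",
]

# Meaning of the Binding Type field in event 2889 (Microsoft's documented values).
BINDING_TYPES = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

# IPv4 appears as ip:port, IPv6 as [ip]:port; the identity sits on its own line.
EVENT_RE = re.compile(
    r"Client IP address:\s*\[?(?P<ip>[0-9A-Fa-f.:]+)\]?:(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>[^\n]+)\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)

def parse_event(message):
    """Return the client IP, port, identity and binding type of one 2889 message,
    or None if the text does not have the expected layout."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    btype = int(m.group("btype"))
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "identity": m.group("identity").strip(), "binding_type": btype,
            "reason": BINDING_TYPES.get(btype, "unknown binding type")}

def summarize(messages):
    """Count insecure binds per (client IP, reason) so the hosts that will break
    once signing is enforced, here the Nextcloud server, stand out."""
    counts = Counter()
    for ev in filter(None, map(parse_event, messages)):
        counts[(ev["ip"], ev["reason"])] += 1
    return counts

if __name__ == "__main__":
    for (ip, reason), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{ip}: {n} x {reason}")
```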
Server configuration detail
Operating system: Linux 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64
Webserver: Apache (fpm-fcgi)
Database: mysql 5.7.29
PHP version:
7.3.15
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, bz2, ctype, curl, dom, hash, fileinfo, filter, ftp, gd, gmp, SPL, iconv, intl, json, ldap, mbstring, pcntl, PDO, session, pdo_sqlite, posix, Reflection, standard, SimpleXML, mysqlnd, exif, tokenizer, xml, xmlreader, xmlwriter, zip, pdo_mysql, cgi-fcgi, redis, Zend OPcache
Nextcloud version: 17.0.3 - 17.0.3.1
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from: unknown
Signing status
Array
(
)
List of activated apps
Enabled:
- accessibility: 1.3.0
- activity: 2.10.1
- admin_audit: 1.7.0
- apporder: 0.9.0
- bruteforcesettings: 1.5.0
- circles: 0.17.10
- cloud_federation_api: 1.0.0
- comments: 1.7.0
- dav: 1.13.0
- drawio: 0.9.5
- federatedfilesharing: 1.7.0
- federation: 1.7.0
- files: 1.12.0
- files_pdfviewer: 1.6.0
- files_rightclick: 0.15.1
- files_sharing: 1.9.0
- files_trashbin: 1.7.0
- files_versions: 1.10.0
- files_videoplayer: 1.6.0
- firstrunwizard: 2.6.0
- gallery: 18.4.0
- issuetemplate: 0.6.0
- logreader: 2.2.0
- lookup_server_connector: 1.5.0
- nextcloud_announcements: 1.6.0
- notifications: 2.5.0
- oauth2: 1.5.0
- password_policy: 1.7.0
- privacy: 1.1.0
- provisioning_api: 1.7.0
- recommendations: 0.5.0
- richdocuments: 3.5.2
- serverinfo: 1.7.0
- sharebymail: 1.7.0
- sharingpath: 0.1.1
- support: 1.0.1
- survey_client: 1.5.0
- systemtags: 1.7.0
- tasks: 0.11.3
- text: 1.1.1
- theming: 1.8.0
- twofactor_backupcodes: 1.6.0
- user_ldap: 1.7.0
- viewer: 1.2.0
- workflowengine: 1.7.0
Disabled:
- deck
- encryption
- files_external
- spreed
Configuration (config/config.php)
{
"apps_paths": [
{
"path": "\/snap\/nextcloud\/current\/htdocs\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
"url": "\/extra-apps",
"writable": true
}
],
"supportedDatabases": [
"mysql"
],
"memcache.locking": "\\OC\\Memcache\\Redis",
"memcache.local": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0
},
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"10.1.1.3",
"netfiles.nettechnology.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "17.0.3.1",
"overwrite.cli.url": "http:\/\/10.1.1.3",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"theme": "",
"loglevel": 2,
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"twofactor_enforced": "false",
"twofactor_enforced_groups": [
"NET all Employees"
],
"twofactor_enforced_excluded_groups": [],
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_smtpsecure": "tls",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"mail_sendmailmode": "smtp"
}
Are you using external storage, if yes which one: local/smb/sftp/...
Are you using encryption:
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP configuration (delete this par if not used)
background_sync_interval: 43200
background_sync_offset: 0
background_sync_prefix: s01
cleanUpJobOffset: 50
enabled: yes
installed_version: 1.7.0
s01_lastChange: 1583336297
s01has_memberof_filter_support: 1
s01home_folder_naming_rule:
s01last_jpegPhoto_lookup: 0
s01ldap_agent_password: REMOVEDVALUE
s01ldap_attributes_for_group_search:
s01ldap_attributes_for_user_search:
s01ldap_backup_host:
s01ldap_backup_port:
s01ldap_base: DC=domain,DC=com
s01ldap_base_groups: DC=domain,DC=com
s01ldap_base_users: DC=domain,DC=com
s01ldap_cache_ttl: 600
s01ldap_configuration_active: 1
s01ldap_default_ppolicy_dn:
s01ldap_display_name: displayname
s01ldap_dn: CN=googleSync,OU=Applications,OU=InternalOnly,OU=NET,DC=domain,DC=com
s01ldap_dynamic_group_member_url:
s01ldap_email_attr: mail
s01ldap_experienced_admin: 0
s01ldap_expert_username_attr:
s01ldap_expert_uuid_group_attr:
s01ldap_expert_uuid_user_attr:
s01ldap_ext_storage_home_attribute:
s01ldap_gid_number: gidNumber
s01ldap_group_display_name: cn
s01ldap_group_filter: (|(cn=Temps)(cn=Full Time Staff)(cn=Full Time Staff All)(cn=Full Time Staff FieldTechs)(cn=Domain Admins))
s01ldap_group_filter_mode: 0
s01ldap_group_member_assoc_attribute: member
s01ldap_groupfilter_groups: Temps
Full Time Staff
Full Time Staff All
Full Time Staff FieldTechs
Domain Admins
s01ldap_groupfilter_objectclass:
s01ldap_host: dc.domain.com
s01ldap_login_filter: (&(&(|(objectclass=person))(|(|(memberof=CN=Temps,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=4947))(|(memberof=CN=Full Time Staff FieldTechs,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=6842))(|(memberof=CN=Full Time Staff,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=1269))(|(memberof=CN=Full Time Staff All,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=8276))(|(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com)(primaryGroupID=512))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
s01ldap_login_filter_mode: 0
s01ldap_loginfilter_attributes:
s01ldap_loginfilter_email: 1
s01ldap_loginfilter_username: 1
s01ldap_nested_groups: 0
s01ldap_override_main_server:
s01ldap_paging_size: 500
s01ldap_port: 389
s01ldap_quota_attr:
s01ldap_quota_def:
s01ldap_tls: 0
s01ldap_turn_off_cert_check: 0
s01ldap_turn_on_pwd_change: 0
s01ldap_user_avatar_rule: default
s01ldap_user_display_name_2:
s01ldap_user_filter_mode: 0
s01ldap_userfilter_groups: Temps
Full Time Staff FieldTechs
Full Time Staff
Full Time Staff All
Domain Admins
s01ldap_userfilter_objectclass: person
s01ldap_userlist_filter: (&(|(objectclass=person))(|(|(memberof=CN=Temps,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=4947))(|(memberof=CN=Full Time Staff FieldTechs,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=6842))(|(memberof=CN=Full Time Staff,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=1269))(|(memberof=CN=Full Time Staff All,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=8276))(|(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com)(primaryGroupID=512))))
s01use_memberof_to_detect_membership: 1
types: authentication
Client configuration
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Operating system:
Logs
Web server error log
Not applicable
Nextcloud log
No Nextcloud log entries related to this error exist, as it is currently an MS error. Once the MS security patch is installed, we would expect an error in the Nextcloud log stating a login failure.
iXsystems article on the Channel Binding MS patch
[https://www.ixsystems.com/blog/library/microsoft-ldap-defaults-2020/](https://www.ixsystems.com/blog/library/microsoft-ldap-defaults-2020/)
MS Article on Channel Binding
[https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536)
This article describes how to discover client computers that do not use signing; an excerpt of that procedure is reproduced in the steps to reproduce above.
[https://social.technet.microsoft.com/wiki/contents/articles/12603.event-id-2886-ldap-signing.aspx](https://social.technet.microsoft.com/wiki/contents/articles/12603.event-id-2886-ldap-signing.aspx)
Browser log
NA