
Microsoft March forcing LDAP signed bind Security Patch with NextCloud Login #19779

Closed

Description

Steps to reproduce

  1. Turn on unsigned binds for LDAP on DC
  2. Log into Nextcloud with LDAP username and password
  3. Review Event Log under directory services and see error 2889

This should mean that, once the March MS patch is installed, Nextcloud LDAP will no longer allow logins when those logins are LDAP connections to a Microsoft Domain Controller that has the security patch installed.

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type the following command, and then press ENTER: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
  3. When you are prompted, confirm the overwrite operation by typing Y and pressing ENTER.
  4. Use Event Viewer to locate the Event ID 2889, which is logged each time that a client computer attempts an unsigned LDAP bind. This event displays the client IP address and the account name that was used when the client computer attempted to authenticate.
  5. After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0
  6. Type Y and press ENTER to confirm the settings overwrite, which disables diagnostic logging for the LDAP Interface.

Expected behaviour

Event 2889 should not occur when authentication occurs between a Nextcloud web browser, the Nextcloud server and a Microsoft AD domain controller.

Actual behaviour

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

The error log you will see will be for the IP of the Nextcloud server, and will show the username that logged into Nextcloud via a web browser.

Client IP address:
[x.x.x.x]:59784
Identity the client attempted to authenticate as:
NET[ms user name]
Binding Type:
1

Server configuration detail

Operating system: Linux 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64

Webserver: Apache (fpm-fcgi)

Database: mysql 5.7.29

PHP version:

7.3.15
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, bz2, ctype, curl, dom, hash, fileinfo, filter, ftp, gd, gmp, SPL, iconv, intl, json, ldap, mbstring, pcntl, PDO, session, pdo_sqlite, posix, Reflection, standard, SimpleXML, mysqlnd, exif, tokenizer, xml, xmlreader, xmlwriter, zip, pdo_mysql, cgi-fcgi, redis, Zend OPcache

Nextcloud version: 17.0.3 - 17.0.3.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.3.0
 - activity: 2.10.1
 - admin_audit: 1.7.0
 - apporder: 0.9.0
 - bruteforcesettings: 1.5.0
 - circles: 0.17.10
 - cloud_federation_api: 1.0.0
 - comments: 1.7.0
 - dav: 1.13.0
 - drawio: 0.9.5
 - federatedfilesharing: 1.7.0
 - federation: 1.7.0
 - files: 1.12.0
 - files_pdfviewer: 1.6.0
 - files_rightclick: 0.15.1
 - files_sharing: 1.9.0
 - files_trashbin: 1.7.0
 - files_versions: 1.10.0
 - files_videoplayer: 1.6.0
 - firstrunwizard: 2.6.0
 - gallery: 18.4.0
 - issuetemplate: 0.6.0
 - logreader: 2.2.0
 - lookup_server_connector: 1.5.0
 - nextcloud_announcements: 1.6.0
 - notifications: 2.5.0
 - oauth2: 1.5.0
 - password_policy: 1.7.0
 - privacy: 1.1.0
 - provisioning_api: 1.7.0
 - recommendations: 0.5.0
 - richdocuments: 3.5.2
 - serverinfo: 1.7.0
 - sharebymail: 1.7.0
 - sharingpath: 0.1.1
 - support: 1.0.1
 - survey_client: 1.5.0
 - systemtags: 1.7.0
 - tasks: 0.11.3
 - text: 1.1.1
 - theming: 1.8.0
 - twofactor_backupcodes: 1.6.0
 - user_ldap: 1.7.0
 - viewer: 1.2.0
 - workflowengine: 1.7.0
Disabled:
 - deck
 - encryption
 - files_external
 - spreed

Configuration (config/config.php)
{
    "apps_paths": [
        {
            "path": "\/snap\/nextcloud\/current\/htdocs\/apps",
            "url": "\/apps",
            "writable": false
        },
        {
            "path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
            "url": "\/extra-apps",
            "writable": true
        }
    ],
    "supportedDatabases": [
        "mysql"
    ],
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0
    },
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "10.1.1.3",
        "netfiles.nettechnology.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "17.0.3.1",
    "overwrite.cli.url": "http:\/\/10.1.1.3",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "maintenance": false,
    "theme": "",
    "loglevel": 2,
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "twofactor_enforced": "false",
    "twofactor_enforced_groups": [
        "NET all Employees"
    ],
    "twofactor_enforced_excluded_groups": [],
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "tls",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_sendmailmode": "smtp"
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)
background_sync_interval: 43200
background_sync_offset: 0
background_sync_prefix: s01
cleanUpJobOffset: 50
enabled: yes
installed_version: 1.7.0
s01_lastChange: 1583336297
s01has_memberof_filter_support: 1
s01home_folder_naming_rule: 
s01last_jpegPhoto_lookup: 0
s01ldap_agent_password: REMOVEDVALUE
s01ldap_attributes_for_group_search: 
s01ldap_attributes_for_user_search: 
s01ldap_backup_host: 
s01ldap_backup_port: 
s01ldap_base: DC=domain,DC=com
s01ldap_base_groups: DC=domain,DC=com
s01ldap_base_users: DC=domain,DC=com
s01ldap_cache_ttl: 600
s01ldap_configuration_active: 1
s01ldap_default_ppolicy_dn: 
s01ldap_display_name: displayname
s01ldap_dn: CN=googleSync,OU=Applications,OU=InternalOnly,OU=NET,DC=domain,DC=com
s01ldap_dynamic_group_member_url: 
s01ldap_email_attr: mail
s01ldap_experienced_admin: 0
s01ldap_expert_username_attr: 
s01ldap_expert_uuid_group_attr: 
s01ldap_expert_uuid_user_attr: 
s01ldap_ext_storage_home_attribute: 
s01ldap_gid_number: gidNumber
s01ldap_group_display_name: cn
s01ldap_group_filter: (|(cn=Temps)(cn=Full Time Staff)(cn=Full Time Staff All)(cn=Full Time Staff FieldTechs)(cn=Domain Admins))
s01ldap_group_filter_mode: 0
s01ldap_group_member_assoc_attribute: member
s01ldap_groupfilter_groups: Temps
Full Time Staff
Full Time Staff All
Full Time Staff FieldTechs
Domain Admins
s01ldap_groupfilter_objectclass: 
s01ldap_host: dc.domain.com
s01ldap_login_filter: (&(&(|(objectclass=person))(|(|(memberof=CN=Temps,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=4947))(|(memberof=CN=Full Time Staff FieldTechs,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=6842))(|(memberof=CN=Full Time Staff,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=1269))(|(memberof=CN=Full Time Staff All,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=8276))(|(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com)(primaryGroupID=512))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
s01ldap_login_filter_mode: 0
s01ldap_loginfilter_attributes: 
s01ldap_loginfilter_email: 1
s01ldap_loginfilter_username: 1
s01ldap_nested_groups: 0
s01ldap_override_main_server: 
s01ldap_paging_size: 500
s01ldap_port: 389
s01ldap_quota_attr: 
s01ldap_quota_def: 
s01ldap_tls: 0
s01ldap_turn_off_cert_check: 0
s01ldap_turn_on_pwd_change: 0
s01ldap_user_avatar_rule: default
s01ldap_user_display_name_2: 
s01ldap_user_filter_mode: 0
s01ldap_userfilter_groups: Temps
Full Time Staff FieldTechs
Full Time Staff
Full Time Staff All
Domain Admins
s01ldap_userfilter_objectclass: person
s01ldap_userlist_filter: (&(|(objectclass=person))(|(|(memberof=CN=Temps,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=4947))(|(memberof=CN=Full Time Staff FieldTechs,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=6842))(|(memberof=CN=Full Time Staff,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=1269))(|(memberof=CN=Full Time Staff All,OU=GoogleDistroGroups,OU=GoogleSync,OU=NET,DC=domain,DC=com)(primaryGroupID=8276))(|(memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com)(primaryGroupID=512))))
s01use_memberof_to_detect_membership: 1
types: authentication

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

Operating system:

Logs

Web server error log
Not applicable
Nextcloud log
No Nextcloud log entries exist which are related to this error, as it is currently an MS error. Once the MS security patch is installed, we would expect an error entry in the Nextcloud log stating a login failure.

iXsystems article on the channel binding MS patch
[https://www.ixsystems.com/blog/library/microsoft-ldap-defaults-2020/](https://www.ixsystems.com/blog/library/microsoft-ldap-defaults-2020/)

MS Article on Channel Binding
[https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536)

This article talks about discovering client computers that do not use signing; an excerpt of how to do so is quoted in the numbered steps above.
[https://social.technet.microsoft.com/wiki/contents/articles/12603.event-id-2886-ldap-signing.aspx](https://social.technet.microsoft.com/wiki/contents/articles/12603.event-id-2886-ldap-signing.aspx)

Browser log

NA
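As an added example (not from the issue or from Nextcloud's code), here is a small Python parser for the event 2889 message body shown under "Actual behaviour", plus a check of the user_ldap settings (ldap_host, ldap_port, ldap_tls, as dumped above) for whether Nextcloud would perform its simple bind over cleartext. The sample event text with its IP and account is constructed, and the Binding Type meanings are taken from Microsoft's documentation of the event.

```python
import re

# Constructed sample of the Directory Services event 2889 message body shown in the
# issue (placeholder IP and account, not a real log entry).
SAMPLE_EVENT_2889 = """The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
[10.1.1.3]:59784
Identity the client attempted to authenticate as:
NET\\jdoe
Binding Type:
1
"""

# "Binding Type" values as documented by Microsoft for event 2889.
BINDING_TYPE = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

_EVENT_RE = re.compile(
    r"Client IP address:\s*\[?(?P<ip>[^\]\s]+)\]?:(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*"
    r"Binding Type:\s*(?P<btype>\d+)",
    re.S,
)

def parse_event_2889(text: str) -> dict:
    """Pull client IP/port, identity and binding type out of an event 2889 body."""
    m = _EVENT_RE.search(text)
    if not m:
        raise ValueError("not an event 2889 message body")
    btype = int(m["btype"])
    return {
        "client_ip": m["ip"],
        "client_port": int(m["port"]),
        "identity": m["identity"].strip(),
        "binding_type": btype,
        "description": BINDING_TYPE.get(btype, "unknown"),
    }

def user_ldap_binds_in_cleartext(cfg: dict) -> bool:
    """True when a user_ldap config (keys as in the issue's dump, minus the s01 prefix)
    would simple-bind with neither StartTLS nor LDAPS, i.e. a Binding Type 1 event."""
    host = str(cfg.get("ldap_host", "")).lower()
    starttls = str(cfg.get("ldap_tls", "0")) == "1"
    ldaps = host.startswith("ldaps://") or str(cfg.get("ldap_port", "")) == "636"
    return not (starttls or ldaps)

# The values from the issue's own dump: dc.domain.com, port 389, ldap_tls 0.
ISSUE_CONFIG = {"ldap_host": "dc.domain.com", "ldap_port": "389", "ldap_tls": "0"}
```

Turning on ldap_tls (StartTLS) or pointing ldap_host at an ldaps:// URL on port 636 makes the check return False, and the bind then no longer travels in the clear, which is the condition a Binding Type 1 event reports.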
