Server: Change of user passwords by admin fails

Created on 8 Mar 2017 · 15Comments · Source: nextcloud/server

Steps to reproduce

Login as an admin.
Navigate to Users.
Click on a user password and try to change.

Expected behaviour

The password changes.

Actual behaviour

The password fails to change.

The browser console shows a 503 on the ajax call as follows:

POST https://cloud.mydomain.com/index.php/settings/users/changepassword 503 (Service Unavailable)

I attempted using both Chromium and Firefox, with the same result.

I found a reference to someone else reporting what appears to be the same issue last December, here:

https://help.nextcloud.com/t/unable-to-change-user-password-from-admin/2211/5

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache

Database: MariaDB

PHP version: 7.0.15-0ubuntu0.16.04.4

Nextcloud version: 11.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Nextcloud.com

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

Enabled:
  - activity: 2.4.1
  - calendar: 1.5.1
  - comments: 1.1.0
  - dav: 1.1.1
  - encryption: 1.4.1
  - external: true
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_automatedtagging: 1.1.1
  - files_external: 1.1.2
  - files_markdown: 1.0.1
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - passman: 2.1.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - tasks: 0.9.5
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - admin_audit
  - files_accesscontrol
  - files_retention
  - files_videoplayer
  - templateeditor
  - user_external
  - user_ldap
  - user_saml

The content of config/config.php:

Config report

{
    "system": {
        "instanceid": "ocx4g0garbjc",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.mydomain.com",
            "cloud.mydomain2.com",
            "cloud.mydomain3.com"
        ],
        "datadirectory": "\/var\/nextcloud_data",
        "overwrite.cli.url": "https:\/\/cloud.mydomain.com",
        "dbtype": "mysql",
        "version": "11.0.2.7",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379
        },
        "mail_from_address": "cloud",
        "mail_smtpmode": "php",
        "mail_domain": "mydomain2.com",
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "loglevel": 1,
        "maintenance": false,
        "theme": "",
        "updater.release.channel": "stable"
    }
}

Are you using external storage, if yes which one: None

Are you using encryption: Yes

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Chromium and Firefox

Operating system: KDE Neon

Logs

Web server error log

No errors appear in web server log.

Nextcloud log (data/nextcloud.log)

Nextcloud log

Nothing appears in the Nextcloud log following the attempt to change the password.

Browser log

js.js?v=ef0c97a…:2139 Deprecation warning: tipsy is deprecated. Use tooltip instead.
jQuery.fn.tipsy @ js.js?v=ef0c97a…:2139
(anonymous) @ users.js?v=ef0c97a…:708
dispatch @ jquery.js:4435
r.handle @ jquery.js:4121
js.js?v=ef0c97a…:2139 Deprecation warning: tipsy is deprecated. Use tooltip instead.
jQuery.fn.tipsy @ js.js?v=ef0c97a…:2139
(anonymous) @ users.js?v=ef0c97a…:708
dispatch @ jquery.js:4435
r.handle @ jquery.js:4121
jquery.js:8630 POST https://cloud.mydomain.com/index.php/settings/users/changepassword 503 (Service Unavailable)
send @ jquery.js:8630
ajax @ jquery.js:8166
n.(anonymous function) @ jquery.js:8311
_submitPasswordChange @ users.js?v=ef0c97a…:676
(anonymous) @ users.js?v=ef0c97a…:720
dispatch @ jquery.js:4435
r.handle @ jquery.js:4121

bug encryption (server-side)

Source

Aninstance

All 15 comments

Works fine here, please have a look whether there is something related in your servers error log.

nickvergessen on 10 Mar 2017

No, there is absolutely nothing logged in the server's error log (Apache).

Upon further investigation, I believe it could be related to encryption having been set up on the server. When attempting to do a password reset through the user's email, I get:

"Your files are encrypted. If you haven't enabled the recovery key, there will be no way to get your data back after your password is reset.
If you are not sure what to do, please contact your administrator before you continue.
Do you really want to continue?"

I then check the "I know what I am doing" box and proceed. Then I just get:

"Private Key missing for user: please try to log-out and log-in again".

There appears to be absolutely no way to reset the user's password, either as an administrator through the backend, nor as the user through email password reset.

The user's data is not encrypted, either. Encryption is activated for external storage only, and the user has not attached any external storage. Moreover, the encryption key does exist.

The error message is also bizarre - the user clearly cannot log-out and log-in again, because he is attempting a password reset and, as such, is not logged in to begin with.

Aninstance on 10 Mar 2017

Ah encryption is an important detail!

nickvergessen on 16 Mar 2017

Sure, although none of the user's files are encrypted. It's just that the encryption option is activated on the server.

Don't hesitate to let me know if you'd like me to conduct any further testing. I remedied the immediate issue by simply creating a new account for the user and copying his files across. However, the problem does persist on this server and manifests in the same way for every user account.

I was tempted to blow this instance away and reinstall anew, however decided to leave it as-is in case I could be of any assistance in terms of investigating the problem with a view to helping others who may encounter this in future.

Aninstance on 16 Mar 2017

Hi,
I've the same issue here. With the same server options than Aninstance.
Version Nextcloud 11.0.1 (stable).

bigornoo on 21 Mar 2017

Same issue here. 11.0.2

kun-zhou on 26 Mar 2017

Same issue. 11.0.2

shllg on 4 Apr 2017

@schiessle mind having a look?

nickvergessen on 5 Apr 2017

Same issue with MySQL & PHP 5.6. At Chrome Network Console, you can see "changepassword" 503 error shows a page explaining that "this app need Javascript to work" and "Nextcloud Bad Signature". Tried Chrome, Firefox, Edge and IE11 with no luck.

edumgui on 1 May 2017

I was about to say I have the same issue, but turns out it was because I didn't notice the recoverykey field in the top of the screen. I have a encrypted home storage and after filling out the field with the server key the user password changed just fine.

However, I think it's a problem that there's no indicator that anything happens (or in some cases doesn't happen) when you don't fill it out. For me it just silently sent the POST request without recoveryPassword set to which the page returned a 503 HTML page with the non-descriptive text "Bad Signature".

Herover on 27 May 2017

👍1

Thought I had the same problem.
But had the same problem as @Herover
Did not see or get any feedback that recoverykey was needed.

john-arvid on 28 Aug 2017

👍1

cc @schiessle

MorrisJobke on 3 Sep 2017

I have the exact same issue. One of the users password is lost, in a attempt to reset the password through the admin panel nothing seems to happen. The user has not set an e-mailadres so I cannot send a recovery e-mail (although I tried to set this in the database).

Error log is empty of the nextcloud log (with log_level 0), apache error log or syslog. Firefox gives no errors but safari gives me the following errors:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
Failed to load resource: the server responded with a status of 404 (Not Found) /core/vendor/purify.min.js.map
Failed to load resource: the server responded with a status of 503 (Service Unavailable)
/index.php/settings/users/changepassword

Server info:

Ubuntu: 16.04
Apache: Server version: Apache/2.4.18 (Ubuntu)
PHP 7.0.22-0ubuntu0.16.04.1
mysql Ver 14.14

Nextcloud version 12.0.4
Encryption is installed and all files are encrypted.

If I forgot something please let me know. I would like to help to solve this issue.

JMBokhorst on 11 Dec 2017

can't reproduce it. Feel free to re-open if this is still an issue with the latest version of Nextcloud

schiessle on 10 Aug 2018

I have a similar problem. If I try to edit a new pw as admin for another user, the field blinks for half a second and I cannot edit anything, of course without a change. Browser here is firefox v61.0.1.

Trying that in chrome v68.0.3440.106 I can edit it as expected.

NC v 13.0.5, no encryption, self signed certificate.