AD password reset allows 2 passwords to login to nextcloud

Fresh install to confirm this, but standard install of NethServer 7 with local Active Directory and Nextcloud installed after the domain was set up. I create a new user, then log in to Nextcloud with the account. Now go change that user's password, and suddenly I can use the old and new passwords to authenticate. Even after a reboot I can use either password. In my production install, the usable password will periodically swap between the old and new password, causing me to re-login often. I re-changed the password to the original and all issues disappear.

Thoughts?

thanks,
John

UPDATE: it seems to remember the last password and the new one. I changed the password a few times and each time I can still use the last old password and the new one.

My guess is that somehow Nextcloud retains, for a defined (currently unknown) amount of time, a cached positive access.

I think Michael is right, take a look at User authentication with LDAP — Nextcloud latest Administration Manual latest documentation.

See also User authentication with LDAP — Nextcloud latest Administration Manual latest documentation


@pike @giacomo

Hi

I’d just like to note that this “feature” is a standard feature of Windows since NT times…
Any Windows notebook, if already once successfully authenticated to AD, can ALWAYS use cached AD authentication to log in locally, even without any connection to the AD (or ANY network at all!). This is valid for all systems after and including Windows 2000 (NT didn’t support AD, but did the same for NT Domain authentication)…

If you opt for AD, you have to support and accept all “quirks” of Microsoft’s AD implementation; that includes all Linux Samba uses and also, by extension, Nextcloud with AD authentication.

Interestingly, this also means:

If AD was up and running, login fine.

If AD screwed up, and networking running, NO login possible!

If Network not running or AD not reachable (short outage), login works!

→ There’s a small window where “login tolerance” does not work!

My 2 cents
Andy


Maybe I’m wrong, but… Nextcloud should talk (via LDAP) to sssd, which routes login requests to NSDC and confirms them.
So… if sssd and NSDC have a healthy connection, all sssd-dependent logins like postfix, dovecot and webtop should fail for a failed login. If only Nextcloud has this grace period for double login, maybe the cache is not in Samba or sssd but in Nextcloud.
These are only educated guesses…

Don’t know if it matters but IIRC sssd also has a cache.


It surely matters…
IMVHO, if the “grace period” is situated in sssd, all software relying on that authentication server should share the same grace period.
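To make the “cached positive access” hypothesis from the posts above concrete, here is a constructed model of a positive-authentication cache sitting in front of a directory bind. It is an added example, not Nextcloud’s, sssd’s or Samba’s code; the directory, the users and the timings are all invented. The naive cache reproduces the symptom from the original post (old and new password both work until the entry expires), and the second class shows one mitigation: stamping each cache entry with the account’s password-change time (the `pwdLastSet` attribute in AD) so that a password change invalidates every entry made before it.

```python
"""
Toy model of a positive-auth cache in front of an LDAP/AD bind.
Constructed example only: FakeDirectory stands in for the domain
controller, the users/passwords/timestamps are invented.
"""
import hashlib
import hmac


class FakeDirectory:
    """Pretend AD: a salted PBKDF2 hash per user plus a pwdLastSet timestamp."""

    def __init__(self):
        self.users = {}

    def set_password(self, user, password, now):
        # Fresh salt per change, as a real directory would do.
        salt = hashlib.sha256(f"{user}:{now}".encode()).digest()[:16]
        self.users[user] = {
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000),
            "salt": salt,
            "pwdLastSet": now,
        }

    def bind(self, user, password):
        """Live bind: only the current password verifies."""
        rec = self.users.get(user)
        if rec is None:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 10_000)
        return hmac.compare_digest(cand, rec["hash"])

    def pwd_last_set(self, user):
        rec = self.users.get(user)
        return None if rec is None else rec["pwdLastSet"]


class NaiveCachingAuth:
    """Caches successful binds by (user, digest of password) for ttl seconds.
    Nothing tells it the password changed, so the old entry stays valid
    until it expires: exactly the double-password symptom in the thread."""

    def __init__(self, directory, ttl):
        self.dir, self.ttl, self.cache = directory, ttl, {}

    @staticmethod
    def _key(user, password):
        # A digest, not the plaintext, so the cache never stores passwords.
        return (user, hashlib.sha256(password.encode()).hexdigest())

    def login(self, user, password, now):
        exp = self.cache.get(self._key(user, password))
        if exp is not None and now < exp:
            return True  # served from cache, directory never consulted
        if self.dir.bind(user, password):
            self.cache[self._key(user, password)] = now + self.ttl
            return True
        return False


class PwdChangeAwareCachingAuth(NaiveCachingAuth):
    """Same cache, but each entry records pwdLastSet as seen at bind time.
    An entry older than the current pwdLastSet is treated as stale."""

    def login(self, user, password, now):
        entry = self.cache.get(self._key(user, password))
        if entry is not None:
            exp, seen = entry
            if now < exp and seen == self.dir.pwd_last_set(user):
                return True
        if self.dir.bind(user, password):
            self.cache[self._key(user, password)] = (now + self.ttl, self.dir.pwd_last_set(user))
            return True
        return False


def scenario(auth_cls, ttl=600):
    """Replays the thread: log in, change password, try both passwords.
    Returns (old password accepted after the change,
             new password accepted,
             old password accepted after the cache TTL has passed)."""
    d = FakeDirectory()
    d.set_password("john", "OldPass-1", now=0)        # constructed user
    auth = auth_cls(d, ttl)
    assert auth.login("john", "OldPass-1", now=10)    # first login fills the cache
    d.set_password("john", "NewPass-2", now=100)      # admin resets the password
    old_ok = auth.login("john", "OldPass-1", now=200)
    new_ok = auth.login("john", "NewPass-2", now=201)
    old_after_ttl = auth.login("john", "OldPass-1", now=10 + ttl + 1)
    return old_ok, new_ok, old_after_ttl


if __name__ == "__main__":
    print("naive cache:       ", scenario(NaiveCachingAuth))
    print("pwdLastSet-aware:  ", scenario(PwdChangeAwareCachingAuth))
```

Running it prints `(True, True, False)` for the naive cache and `(False, True, False)` for the change-aware one. Two practical points follow from the model: a positive-auth cache is only safe if something invalidates it on a credential change, and a quick way to tell which layer holds the cache is to compare the behaviour of several consumers of the same directory (the webmail test at the end of this thread is exactly that check). If the cache is in Nextcloud, as the thread suspects, the LDAP backend’s cache time-to-live setting is the knob that bounds how long a stale entry survives.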

Thanks for the replies all. I'm not knowledgeable in AD auth paths and whatnot, but Michael, based on what you said about other software, I did try webmail, which would also auth with AD, and it will only accept the current password. I tried 2 accounts with at least 3 old passwords and no-go. I currently don't have any external applications using the AD, but I could try to set one up and see.