I just did a fresh install of UCS, joined it to my Windows Active Directory domain and installed all available updates (4.3-2 errata331). So far everything seemed to work (login with domain credentials to UCS management, listing users and groups etc.).
Then I installed Nextcloud from the App Center.
Unfortunately the installer for Docker apps seems to ignore proxy settings, but after opening the firewall for the UCS system, the installation went through.
But when I try to log on with my admin account to the Nextcloud web UI I'm getting an internal server error: "The server was not able to complete your request" (probably an imprecise translation from German to English).
It also says that I should look into the server log. Unfortunately this is my "first contact" with Docker and I have no idea where to find it ^^
(with the help of another guy in the forum and some googling)
First issue: DNS
My UCS server creates a DNS record in my Windows DNS during the initial setup and the domain join (actually there are two DNS records, but I don't know what the other one is for).
Unfortunately it did not update the record after I changed the IP address from a DHCP one to a static one.
Nextcloud uses the FQDN to connect to the local LDAP server of the UCS and therefore fails to log in any users. After correcting the DNS record manually I was able to log in.
Second issue: Administrator
I finally was able to log in to Nextcloud, but only with a regular user and NOT with my built-in Administrator account. The Nextcloud UI always said "wrong password".
I was able to fix that by giving the Administrator account a first name, a last name and a display name in my Windows Active Directory. I've seen this behavior with a different Linux appliance that used LDAP to connect to a Windows AD.
Third issue: Administrative rights
Despite what Univention claims in the app catalogue, my Windows domain Administrator is not a pre-configured Nextcloud admin by default. So I was able to log in with my Administrator account, but in Nextcloud it was just a regular user with standard user rights. To fix this I logged in via SSH and looked in the admin secret file.
This seems to contain the password for the built-in Nextcloud admin ("nc_admin") account in plain text.
With that I was able to log in to Nextcloud with admin rights and give my Windows domain Administrator admin privileges too.
If you ask me, these issues will be reproducible in any UCS setup with a Windows domain and Nextcloud.
They should be considered as BUGS.
And it should be in the interest of Univention to fix them.
Thanks for reporting and posting the solution here, too. Great work!
It is indeed in the interest of Univention. Just to add:
First: If a user changes the IP and does not take all DNS records into account, you cannot call this a bug. Or at least not a bug which can be fixed by Univention…
Second: Sounds strange, indeed. If this can be reproduced, I would suggest telling Nextcloud about this issue.
Third: Same as the second.
I assume you had the second and the third error because of the first. I could imagine (although I do not know it) that all will get set up properly if the user's configuration and installation procedure went well. So the scripts could create and sync all users as needed.
A misconfigured DNS is very likely to cause all sorts of trouble…
Despite this, there is always the possibility to create a bug.
I think a member server (or PC) in a Windows domain should update its DNS record automatically. At least Windows hosts do that. I guess for a server this is not that important (as the IPs don't change that much), but a client PC should update its DNS record after a change of IP address.
The UCS system was able to create the DNS records at domain join, so it should be able to change them after a change of IP address.
You might be right, maybe the second and the third issues are results of the first one…
The workaround did not work for me (UCS 4.4.0 Errata 137).
In my case I get the error message after any login if I have no host record defined in the UCS DNS. Only after defining a host record for my UCS server with the local IP address (192.168.21.51)
ucs 192.168.21.51 Host Record
under "UCS" - "Domain" - "DNS" does the Nextcloud login run without error, whether called from the internal network or from the internet.
I cannot leave out the A record, because Let's Encrypt cannot validate my UCS server then.
All accounts (Administrator, users) are affected, even when using Nextcloud clients (Windows and Android).
I guess that Nextcloud needs an internal IP address for the UCS server itself, because the router resolves it to an external IP address.
When the login to Nextcloud fails, the FritzBox IP is set as DNS in the UCS network settings.
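Both the stale-record case from the first post (the host's FQDN still pointing at the old DHCP address) and the split-horizon case from the last post (the router answering with the external address for the internal name) come down to the same question: does the UCS server's FQDN resolve to one of its own LAN addresses? The following script is an added example written for this thread, not UCS or Nextcloud code; it resolves a name with the system resolver, compares the answer against the host's own IPv4 addresses and classifies the result into the two failure modes described above. The host name `ucs.example.test` and the addresses `192.168.21.99` and `203.0.113.10` used in the comments are constructed sample values; the `diagnose()` logic is pure and can be exercised with any resolver output.

```python
"""Check whether a UCS host's FQDN resolves to one of its own LAN addresses.

Added example for this forum thread (not part of UCS or Nextcloud). Nextcloud
reaches the UCS LDAP server by FQDN, so a record that points elsewhere breaks
every login. Verdicts:
  ok                    - resolves to an address this host owns
  no-record             - the resolver returns nothing for the name
  stale-private-record  - resolves to another RFC 1918 address (record not
                          updated after the IP change described in post 1)
  public-address-answer - resolves to a non-RFC 1918 address (the router /
                          external DNS answers, as described in the last post)
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

OK = "ok"
NO_RECORD = "no-record"
STALE_PRIVATE = "stale-private-record"
PUBLIC_ANSWER = "public-address-answer"

# Explicit RFC 1918 ranges, i.e. what "LAN address" means in this thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

HINTS = {
    OK: "FQDN resolves to a local address; LDAP lookups from Nextcloud should reach this host.",
    NO_RECORD: "No A record: create a host record for this server in the UCS DNS zone.",
    STALE_PRIVATE: "Resolves to a different private address: the record was probably not "
                   "updated after the IP change; correct it in Windows DNS / UCS DNS.",
    PUBLIC_ANSWER: "Resolves to a public address: the router or external DNS answers for the "
                   "internal name; add an internal host record in UCS DNS for the LAN address.",
}


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def live_resolve(fqdn: str) -> List[str]:
    """Resolve fqdn to IPv4 addresses with the system resolver (the one
    the Nextcloud container ultimately depends on)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_local_ipv4() -> Set[str]:
    """Best-effort set of this host's own IPv4 addresses."""
    addrs: Set[str] = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    # A connected UDP socket reveals the primary outbound address without
    # sending any packet (192.0.2.1 is a TEST-NET address, never contacted).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 53))
            addrs.add(s.getsockname()[0])
        except OSError:
            pass
    return addrs


def diagnose(resolved: Iterable[str], local: Iterable[str]) -> str:
    """Classify resolver answers relative to the host's own addresses."""
    resolved_set, local_set = set(resolved), set(local)
    if not resolved_set:
        return NO_RECORD
    if resolved_set & local_set:
        return OK
    if all(is_rfc1918(a) for a in resolved_set):
        return STALE_PRIVATE
    return PUBLIC_ANSWER


def report(fqdn: str,
           resolve: Callable[[str], List[str]] = live_resolve,
           local_addrs: Callable[[], Set[str]] = live_local_ipv4) -> Tuple[str, List[str], str]:
    """Run the check for fqdn; resolver and local-address lookup are injectable."""
    resolved = resolve(fqdn)
    verdict = diagnose(resolved, local_addrs())
    return verdict, sorted(resolved), HINTS[verdict]


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    verdict, answers, hint = report(name)
    print(f"{name}: {verdict} (answers: {answers or 'none'})")
    print(hint)
```

Run it on the UCS host as `python3 dnscheck.py ucs.example.test` (substitute the real FQDN); a `public-address-answer` verdict while the FritzBox is set as the DNS server reproduces the situation in the last post, and a `stale-private-record` verdict matches the first post's DHCP-to-static change.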