Problem: Nextcloud Join Script Fails After Upgrade Due to Missing SAML Components

Summary

After upgrading Nextcloud on a Univention Corporate Server (UCS), the corresponding join script (50nextcloud.inst) may fail. As a result, required Nextcloud plugins do not function correctly and users are unable to access their data.

The root cause in this case was missing SAML-related packages, which prevented the creation of the required SAML service provider object during the join process.


Environment

  • UCS version: 5.0-10
  • Nextcloud installed via Univention App Center
  • Hostname: ucs5010
  • Domain: univention.intranet
  • LDAP base: dc=univention,dc=intranet

Problem

After a Nextcloud upgrade, the join script did not complete successfully. Several Nextcloud plugins (notably the SSO-related components) therefore malfunctioned, effectively blocking users from their files.

The following error messages were found in /var/log/univention/join.log:

RUNNING 50nextcloud.inst
Object exists: cn=services,cn=univention,dc=univention,dc=intranet
Object exists: cn=Nextcloud Hub,cn=services,cn=univention,dc=univention,dc=intranet
No modification: cn=ucs5010,cn=dc,cn=computers,dc=univention,dc=intranet
WARNING: cannot append Nextcloud Hub to service, value exists
Not updating nextcloud/ucs/modifyUsersFilter
Not updating nextcloud/ucs/userEnabled
Not updating nextcloud/ucs/userQuota
Not updating nextcloud/ucs/debug
Not updating nextcloud/ldap/cacheTTL
Not updating nextcloud/ldap/homeFolderAttribute
Not updating nextcloud/ldap/userSearchAttributes
Not updating nextcloud/ldap/userDisplayName
Not updating nextcloud/ldap/groupDisplayName
Not updating nextcloud/ldap/base
Not updating nextcloud/ldap/baseUsers
Not updating nextcloud/ldap/baseGroups
Not updating nextcloud/ldap/filterLogin
Not updating nextcloud/ldap/filterUsers
Not updating nextcloud/ldap/filterGroups
Config value were not updated
LDAP Error: No such object.
Failed to create saml/serviceprovider (SimpleSAMLphp)

Investigation

The investigation quickly revealed the following critical error:

Failed to create saml/serviceprovider (SimpleSAMLphp)

Running the following command returned no results, confirming that no SAML service provider objects existed:

udm saml/serviceprovider list

This indicated that the join script failed while attempting to create the SAML service provider required for Nextcloud Single Sign-On (SSO).


Root Cause

The issue was caused by missing packages:

  • univention-saml
  • simplesamlphp

This was confirmed with:

dpkg -l | grep saml
rc  simplesamlphp                                       1.19.0-1A~5.1.0.202310121019                       all          Authentication and federation application supporting several protocols
rc  univention-saml                                     8.0.2                                              all          Transitional dummy package
rc  univention-saml-schema                              9.0.2                                              all          Transitional dummy package

The rc status in the first column means the packages had been removed while their configuration files were left behind (r = desired state remove, c = config-files). They were therefore not installed, and the saml/serviceprovider object required by Nextcloud could not be created during the join process. The LDAP Error: No such object. line directly before the failure fits this: an LDAP add fails with No such object when the parent entry of the new DN does not exist, and the object is created below cn=saml-serviceprovider,cn=univention,dc=univention,dc=intranet (see the DN under Solution).

Notably, this occurred on a UCS 5.0-10 system, where these packages are usually installed by default.


Solution

1. Install Missing SAML Packages

Install the missing package; afterwards dpkg -l | grep saml should list the SAML packages with status ii instead of rc:

univention-install univention-saml

2. Re-run the Nextcloud Join Script

Manually execute the pending join script:

univention-run-join-scripts --run-scripts 50nextcloud.inst

3. Verify SAML Service Provider Creation

After the join script completed, udm saml/serviceprovider list shows the Nextcloud service provider object:

DN: SAMLServiceProviderIdentifier=https://ucs5010.univention.intranet/nextcloud/apps/user_saml/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=univention,dc=intranet
AssertionConsumerService: https://ucs5010.univention.intranet/nextcloud/apps/user_saml/saml/acs
Identifier: https://ucs5010.univention.intranet/nextcloud/apps/user_saml/saml/metadata
NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
isActivated: TRUE
signLogouts: TRUE
simplesamlAttributes: TRUE
simplesamlNameIDAttribute: uid
singleLogoutService: https://ucs5010.univention.intranet/nextcloud/apps/user_saml/saml/sls
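The three checks above (dpkg status of the SAML packages, the failure line in join.log, the missing service provider object) in one pre-flight script, added here as an example; it is not part of the original page or of Univention's tooling. By default it runs on constructed sample output that mirrors the listings above; with --live it runs the real dpkg -l, cat /var/log/univention/join.log and udm saml/serviceprovider list on the host. NEXTCLOUD_SP is the identifier from the DN shown above.

```shell
#!/bin/sh
# Added example (not from the Univention page): pre-flight check before re-running
# 50nextcloud.inst. Functions take command output as text so they can be run
# against live commands (--live) or against the constructed samples below.

# Constructed samples mirroring the page's listings (not captured from a real host).
SAMPLE_DPKG='rc  simplesamlphp          1.19.0-1A~5.1.0.202310121019  all  Authentication and federation application
rc  univention-saml        8.0.2                          all  Transitional dummy package
rc  univention-saml-schema 9.0.2                          all  Transitional dummy package
ii  univention-ldap-server 15.0.0-1                       all  LDAP server (hypothetical line)'
SAMPLE_JOINLOG='RUNNING 50nextcloud.inst
LDAP Error: No such object.
Failed to create saml/serviceprovider (SimpleSAMLphp)'
SAMPLE_UDM=''   # udm saml/serviceprovider list printed nothing on the broken host
NEXTCLOUD_SP='https://ucs5010.univention.intranet/nextcloud/apps/user_saml/saml/metadata'

# Space-separated names of saml-related packages whose dpkg status is not "ii".
# Column 1 of dpkg -l is desired/actual state: "ii" installed, "rc" removed with
# config files kept, "un" unknown.
saml_packages_not_installed() {
    printf '%s\n' "$1" | awk '$2 ~ /saml/ && $1 != "ii" {
        names = names (names ? " " : "") $2 } END { print names }'
}

# 0 if the join log records the service provider creation failure, 1 otherwise.
join_log_shows_sp_failure() {
    printf '%s\n' "$1" | grep -q 'Failed to create saml/serviceprovider'
}

# 0 if the udm listing contains the given SAMLServiceProviderIdentifier, 1 otherwise.
sp_object_present() {
    printf '%s\n' "$1" | grep -qF "SAMLServiceProviderIdentifier=$2,"
}

# diagnose DPKG_OUT JOINLOG UDM_OUT SP_IDENTIFIER
# Prints: ok | install-packages:<names> | rerun-join | sp-missing
diagnose() {
    dpkg_out=$1; joinlog=$2; udm_out=$3; sp=$4
    missing=$(saml_packages_not_installed "$dpkg_out")
    if sp_object_present "$udm_out" "$sp"; then
        echo "ok"
    elif [ -n "$missing" ]; then
        # Packages gone: univention-install them before touching the join script.
        echo "install-packages:$missing"
    elif join_log_shows_sp_failure "$joinlog"; then
        # Packages present, earlier join failed: re-run 50nextcloud.inst.
        echo "rerun-join"
    else
        echo "sp-missing"
    fi
}

if [ "${1-}" = "--live" ]; then
    diagnose "$(dpkg -l 2>/dev/null)" "$(cat /var/log/univention/join.log)" \
             "$(udm saml/serviceprovider list 2>/dev/null)" "$NEXTCLOUD_SP"
else
    # On the samples this prints: install-packages:simplesamlphp univention-saml univention-saml-schema
    diagnose "$SAMPLE_DPKG" "$SAMPLE_JOINLOG" "$SAMPLE_UDM" "$NEXTCLOUD_SP"
fi
```

Run it before re-running the join script: install-packages:<names> means install first (univention-install univention-saml as above), rerun-join means the packages are present and only the join script is outstanding, and ok means the service provider object already exists.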


Additional Findings (Unsupported Workaround)

:warning: Disclaimer
The following steps are not officially supported.
Proceed only if you fully understand the implications and test thoroughly in a staging or test environment before applying this workaround in production.

Although the join issue was resolved, users were still unable to access Nextcloud documents.

The root cause turned out to be a Collabora Online version incompatibility.
A newer Collabora Online release (25.04.5.3) resolved the issue, but that version is published in the App Center only for UCS 5.2.


Workaround: Temporarily Fetch UCS 5.2 App Center Metadata

1. Temporarily set UCS version to 5.2

ucr set version/version=5.2

2. Update App Center metadata

univention-app update

3. List available Collabora versions

univention-app list collabora

Available versions include:

25.04.5.3

4. Upgrade Collabora Online

univention-app upgrade collabora-online=25.04.5.3

The container was updated and started successfully.


Result

After the upgrade, univention-app info reports the spoofed release string (UCS: 5.2-10, not the real release) together with the new Collabora version:

univention-app info
UCS: 5.2-10
Installed:
  collabora-online=25.04.5.3
  nextcloud=31.0.9-0

Nextcloud document access is restored.


Cleanup: Restore Correct UCS Version

Reset version/version to the real release promptly; the App Center and the update logic read it to decide which release the host is on:

ucr set version/version=5.0

Re-register Collabora for UCS 5.0

After reverting the UCS version, Collabora may no longer appear correctly in the App Center.
Re-register the application:

univention-app register --do-it collabora-online

:stop_sign: Note:
The App Center may show an older version, while Docker is running a newer container:

root@ucs5010:~# univention-app info
UCS: 5.0-10 errata1362
Installed: collabora-online=24.04.12.4 fetchmail=6.3.26 mailserver=12.0 nextcloud=31.0.9-0 ox-connector=2.3.3 oxseforucs=7.10.6-ucs5
Upgradable:


root@ucs5010:~# docker ps
CONTAINER ID   IMAGE                                                      COMMAND                  CREATED          STATUS          PORTS                                       NAMES
8cca778bf68a   docker.software-univention.de/collabora-online:25.04.5.3   "/start-collabora-on…"   17 minutes ago   Up 17 minutes   0.0.0.0:9980->9980/tcp, :::9980->9980/tcp   serene_meitner
e459e64b6973   docker.software-univention.de/ox-connector:2.3.3           "/sbin/init"             3 weeks ago      Up 3 weeks                                                  hardcore_brattain
1ee0f90c5398   docker.software-univention.de/nextcloud:31.0.9-0           "/usr/sbin/entrypoin…"   6 weeks ago      Up 6 weeks      0.0.0.0:40000->80/tcp, :::40000->80/tcp     upbeat_euclid


root@ucs5010:~# docker images
REPOSITORY                                       TAG         IMAGE ID       CREATED        SIZE
docker.software-univention.de/nextcloud          31.0.9-0    854c359cc923   3 months ago   1.89GB
docker.software-univention.de/collabora-online   25.04.5.3   b5a7c83b8daa   4 months ago   1.45GB
docker.software-univention.de/ox-connector       2.3.3       566a48655e5c   8 months ago   147MB

This mismatch is expected with the workaround: the App Center registry holds the version published for UCS 5.0, while Docker runs the image fetched through the 5.2 metadata. Keep it in mind before running further univention-app upgrade operations on this host, since the App Center decides based on its recorded version, not on the running container.
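The spoof, upgrade and restore sequence from the workaround and cleanup steps as one script, added here as an example; it is not from the original page or from Univention. It assumes only the ucr and univention-app commands used above. DRY_RUN, FAIL_ON and FAKE_VERSION are this example's own switches so the restore path can be exercised on a host without UCS, and the extra univention-app update after the restore is my assumption, added to refresh the metadata for the real release.

```shell
#!/bin/sh
# Added example (not from the Univention page): run the App Center version spoof so
# that version/version is restored and the app re-registered even when
# "univention-app upgrade" fails part-way, instead of leaving the host claiming 5.2.

# Run a command, or in dry-run mode print it. A dry-run command whose text contains
# $FAIL_ON fails, to simulate a broken upgrade (example-only switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
        case "$*" in *"${FAIL_ON:-__never__}"*) return 1 ;; esac
        return 0
    fi
    "$@"
}

# Release string as the App Center sees it (real: ucr get version/version).
current_version() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "${FAKE_VERSION:-5.0}"
    else
        ucr get version/version
    fi
}

# spoofed_app_upgrade SPOOF_VERSION APP=VERSION
# Returns the upgrade's status, but always runs the cleanup in this order:
#   1. ucr set version/version=<original value>
#   2. univention-app register --do-it <app>   (page: app may vanish from the list)
#   3. univention-app update                    (assumption: refresh real-release metadata)
spoofed_app_upgrade() {
    spoof=$1; app_spec=$2; app=${app_spec%%=*}
    orig=$(current_version)
    [ -n "$orig" ] || { echo "could not read version/version" >&2; return 1; }
    status=0
    run ucr set "version/version=$spoof" \
        && run univention-app update \
        && run univention-app upgrade "$app_spec" \
        || status=$?
    # Cleanup runs regardless of $status; a failed restore is itself a failure.
    run ucr set "version/version=$orig" || status=1
    run univention-app register --do-it "$app" || status=1
    run univention-app update || status=1
    return $status
}

# Post-check: the recorded release must equal the value saved before the spoof.
version_restored() {
    [ "$(current_version)" = "$1" ]
}

# On the host: sh this-script.sh --live 5.2 collabora-online=25.04.5.3
if [ "${1-}" = "--live" ]; then
    before=$(current_version)
    spoofed_app_upgrade "${2:-5.2}" "${3:-collabora-online=25.04.5.3}"
    version_restored "$before" || echo "version/version is NOT $before, fix it manually" >&2
fi
```

The point is that the restore of version/version and the re-registration run whether or not the upgrade succeeds; compare the running container with univention-app info afterwards as shown above, since the registry entry and the container can still differ.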


Disclaimer

This workaround is not officially supported by Univention.

  • Do not use this approach in production without thorough testing
  • Always validate behavior in a test environment first
  • Version spoofing via version/version may lead to unexpected side effects