Shared Keys are not generated for new Users and after Password reset #4554

Open
SAENachtmann opened this issue Jan 7, 2025 · 22 comments · May be fixed by #4585
Comments

@SAENachtmann

SAENachtmann commented Jan 7, 2025

Steps to reproduce

  1. Login as Admin user
  2. Manually create a completely new user, assigning roles which grant access to existing folders
  3. Wait for the task to finish and login as the new user
  4. Try to open an existing item, which was created before the user

Steps to reproduce scenario 2

  1. Login as Admin user
  2. Manually reset the password of an existing user
  3. Wait for the task to finish and login as the existing user
  4. Try to open an existing item from a shared folder

Expected behaviour

The new user should be able to access passwords of items, which have been created before the user.
Scenario 2: The existing user should be able to access passwords of items he was able to access before the password reset.

Actual behaviour

  • New users and existing users after password reset are not able to access any password of items, which have been created before the user or the user had access to before password reset.
    All items display this green "no access" icon. When trying to display the password an error message pops up saying "Element does not have a password".
    [screenshot]
  • After creating the user or resetting a password of an existing user, the database table teampass_sharekeys_items is empty for the user id.
    After trying to generate new keys using the UI the database table teampass_sharekeys_items is also empty for the user id. The task is getting started properly though.
    [screenshot]
  • When creating new items the user is able to access the new items, there also is an entry in teampass_sharekeys_items for the user id.
  • At the moment it is not possible to use Teampass with this version, because newly created users or users with a password reset are not able to access pre-existing items.

I created a new ticket to indicate the importance of this error. Identical issues found but not solved yet:

Server configuration

Operating system: Debian GNU/Linux 11 (bullseye)
Web server: Apache/2.4.62 (Debian)
Database: 10.5.26-MariaDB-0+deb11u2
PHP version: 8.2.26
Teampass version: 3.1.3.8
LDAP authentication is enabled.

Teampass configuration file:

<?php
// DATABASE connexion parameters
define("DB_HOST", "127.0.0.1");
define("DB_USER", "teampass");
define("DB_PASSWD", "");
define("DB_NAME", "teampass");
define("DB_PREFIX", "teampass_");
define("DB_PORT", "3306");
define("DB_ENCODING", "utf8mb4");
define("DB_SSL", false); // if DB over SSL then comment this line
// if DB over SSL then uncomment the following lines
// define("DB_SSL", array(
//     "key" => "",
//     "cert" => "",
//     "ca_cert" => "",
//     "ca_path" => "",
//     "cipher" => ""
// ));
define("DB_CONNECT_OPTIONS", array(
    MYSQLI_OPT_CONNECT_TIMEOUT => 10
));
define("SECUREPATH", "/var/teampass");
define("SECUREFILE", "teampass-seckey.txt");
define("IKEY", "");
define("SKEY", "");
define("HOST", "");

if (isset($_SESSION['settings']['timezone']) === true) {
    date_default_timezone_set($_SESSION['settings']['timezone']);
}

Updated from an older Teampass or fresh install:
Updated, instance has been active since 2.xx version. No "tp.config.php" file available.
The last installed version was 3.0.0.21, the issue did not occur with this version.

Client configuration

Browser: Any browser, tested on Chrome and Edge

Operating system: Windows 11

Logs

Web server error log

No errors logged in apache error log

Log from the web-browser developer console (CTRL + SHIFT + i)

No errors in developer console

SAENachtmann changed the title from "Shared Keys are not generated for new Users" to "Shared Keys are not generated for new Users and after Password reset" on Jan 8, 2025
@SAENachtmann
Author

Migrated to another password vault, no further support required.

SAENachtmann closed this as not planned (Won't fix, can't repro, duplicate, stale) on Jan 10, 2025
@aroussel62

Hello
we are experiencing the exact same issue, can this be re-opened?
This issue also occurs with : teampass 3.1.3.9
I'm available if logs are needed to investigate further

@SAENachtmann
Author

SAENachtmann commented Jan 13, 2025

Hello we are experiencing the exact same issue, can this be re-opened? This issue also occurs with : teampass 3.1.3.9 I'm available if logs are needed to investigate further

@aroussel62
Have a look at the referenced issues in the description.

@nilsteampassnet
Owner

nilsteampassnet commented Jan 13, 2025

@aroussel62
I had added in a previous release a small tool you can access from: http://<your instance to Teampass>/index.php?page=tools
You must be an admin user.
For some reason I don't know, it is not visible in the menu (I will check).
It could be useful in such a context, I already used it successfully.
Be careful, do a backup of the DB before running it.
I would be interested in the feedback.

Edit: this will not solve the issue here.
Please take a look at the next message

@nilsteampassnet
Owner

@aroussel62
I've tried to reproduce on test environment and this works correctly.
There must be some kind of errors in the log, have you checked?
Can you check if in the "Done tasks" you have 3 entries for the user whose password you have changed?
[screenshot]

You can also check how many keys you have for this user directly in DB:

SELECT COUNT(s.object_id)
FROM `teampass_sharekeys_items` AS s
INNER JOIN teampass_users AS u
    ON s.user_id = u.id   -- join condition was missing in the original
WHERE u.login = "<YOUR_USER_LOGIN>";

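As an added diagnostic (not from the thread and not Teampass's own code), the following query extends the per-user check above to every account at once: it left-joins users to their share keys so that the accounts hit by this bug (no row at all in teampass_sharekeys_items) are listed with a count of 0 instead of silently disappearing from the result. It assumes the columns teampass_users(id, login), teampass_sharekeys_items(user_id, object_id) and teampass_items(id), and the default DB_PREFIX "teampass_".

```sql
-- Added diagnostic query, not part of the issue thread or of Teampass.
-- Assumed columns: teampass_users(id, login),
--                  teampass_sharekeys_items(user_id, object_id),
--                  teampass_items(id).
-- Adjust the table prefix if DB_PREFIX is not "teampass_".
SELECT u.id,
       u.login,
       COUNT(s.object_id)                    AS sharekeys_for_user,
       (SELECT COUNT(*) FROM teampass_items) AS total_items
FROM teampass_users AS u
LEFT JOIN teampass_sharekeys_items AS s
       ON s.user_id = u.id          -- LEFT JOIN keeps users with no keys
GROUP BY u.id, u.login
-- A user with 0 keys while items exist matches the symptom reported here;
-- drop the HAVING clause to see the counts for all users.
HAVING sharekeys_for_user = 0
ORDER BY u.login;
```

A count lower than total_items is normal for a user who only has access to some folders; the symptom in this issue is the count being exactly 0 for a freshly created or password-reset account.
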
@futureweb
Contributor

futureweb commented Jan 14, 2025

@nilsteampassnet - we got exactly the same problem - I just changed the Password of one of our Users - now no Password is accessible anymore for this Login. (version 3.1.3.9)
"Done Log" is only showing 1 Item for this Action:

[screenshot]

Your Query would return lots of Objects:
[screenshot]

Apache Logs not showing any Errors. Are there any other Logs we should check?

Also after I reset the Password not from Admin - but from User Login itself - it's the same - Passwords are not accessible :-(
[screenshot]

I hope we can narrow down this Problem as multiple Accounts can't access any Password anymore ... which is a major problem! :-(

thx
Andreas

@nilsteampassnet
Owner

@futureweb
Well what you provide here is not what I would have expected.
Things seem to be normal.
You confirm that the user you changed is a local Teampass user?
Can you do this please:

  • Change the user password from admin
  • As quick as possible, run from your terminal the script (instead of being launched by cron): php scripts/background_tasks___userKeysCreation.php
    See if some errors occur

@futureweb
Contributor

@nilsteampassnet - Confirming that we only have local Teampass users.

I followed the suggested steps, no error occurs when executing the script, the password reset email is not being sent, and no passwords are available. Tested this twice.

Let me please know if you need any additional details for troubleshooting.

[screenshot]

[screenshot]

[screenshot]

html# php -d display_errors=1 -d error_reporting=E_ALL scripts/background_tasks___userKeysCreation.php
html# 

@futureweb
Contributor

@nilsteampassnet Do you have any other ideas on how to identify the issue? It's becoming critical since we already have several accounts that can't access any passwords, causing significant problems.
Thanks in advance!

@futureweb
Contributor

@nilsteampassnet
I wanted to follow up on this issue as it has become increasingly critical for us. Several of our employees are unable to access the passwords they need, which is causing significant disruptions in our daily operations.

Is there any additional information we can provide or any further steps we can take to help identify the root cause of the issue? Your assistance in resolving this would be greatly appreciated.

Thank you in advance for your support!

@nilsteampassnet
Owner

@futureweb
Sorry I've been ill and wasn't connected.
I need to get deeper in the investigation.
Could it be possible to get connected to your instance?

@futureweb
Contributor

Hi @nilsteampassnet ,
I hope you're doing well again and have fully recovered! 😊
I've dropped you an E-Mail regarding direct access to the Server.
thx, bye from Austria
Andy

nilsteampassnet added a commit that referenced this issue Jan 28, 2025
@nilsteampassnet
Owner

Hi @futureweb
I've published release 3.1.3.11 that should fix the issue.
At least, I'm really hoping it.
I discovered an inconsistency in the query during the user password change confirmation process.
Please let me know

@futureweb
Contributor

Hi @nilsteampassnet ,
unfortunately still "no password" accessible when changing the PW of a User. :-(

Task Log:

[screenshot]

Also the User didn't get an E-Mail even though it's shown in the Task Log :-/
(checked Maillog of Server - nothing in it)

@nilsteampassnet
Owner

@futureweb
From where do you change the pwd of the user?
Once the task is finished and back in Teampass, does the user have to provide the previous and new pwd?

@nilsteampassnet
Owner

@futureweb
Can you please try one thing with a user?
[screenshot]
Please launch "generate new OTP" in order to force the full refresh of shared keys.

@hitenmandalia

hitenmandalia commented Jan 29, 2025

monitoring this closely as i think the fix could also fix the issue #4572 which i opened.

@nilsteampassnet I'm not sure if oauth 2 works totally different to local user and ldap users, but when first attempting to log in using an oauth user, once the user account is created and an admin assigns a role, the oauth user can then log in but is never given the option to put in the otp code (email is never received either) and never presented with the screen to enter a one time code.

I have just tried to generate a new OTP on an oauth 2 user that was having issues with Item has no password and this time i did get an email with the code. However when i log back into TeamPass and get the screen to enter it, i get the Bad Code error.

@killmenowkid

killmenowkid commented Jan 29, 2025

Currently experiencing the same issue. Updated from 3.1.2.x to 3.1.3.11. Added a new LDAP user after upgrade, and discovered this issue. Tried generating a new OTP for the user and it did not work.

@nilsteampassnet
Owner

monitoring this closely as i think the fix could also fix the issue #4572 which i opened.

@nilsteampassnet I'm not sure if oauth 2 works totally different to local user and ldap users, but when first attempting to log in using an oauth user, once the user account is created and an admin assigns a role, the oauth user can then log in but is never given the option to put in the otp code (email is never received either) and never presented with the screen to enter a one time code.

I have just tried to generate a new OTP on an oauth 2 user that was having issues with Item has no password and this time i did get an email with the code. However when i log back into TeamPass and get the screen to enter it, i get the Bad Code error.

oauth2 users are not managed the same way.
I have indeed identified an issue while generating a new OTP from such an account, but I will first focus on the issue regarding password change on other kinds of users.

@futureweb
Contributor

@nilsteampassnet changed PW from Admin:

[screenshot]

Now I tried "GENERATE NEW OTP" - logged in as the User - entered the Temporary Key + Password - but still:

[screenshot]

@killmenowkid

killmenowkid commented Feb 1, 2025

Using LDAP users. Users who have their password reset or are recently synced from AD are affected.

When a password item is created or edited it does generate a shared key for the affected users.

The way the shared key generation is coded on the item side works; only the user side is busted.

All error logs are empty however, so I have no further info at this time (php, mysql, and apache logs)

@jeffsuncorp

jeffsuncorp commented Feb 4, 2025

The same as @killmenowkid above. Several ldap users for me have been broken for months (i.e. not able to see passwords on certain items). Was hoping this release made a difference but unfortunately still the same. OTP is also not allowing login.

nilsteampassnet linked a pull request on Feb 8, 2025 that will close this issue