Merge pull request #31187 from nextcloud/release/23.0.2

23.0.2
Merge pull request #31171 from nextcloud/stable23-disable-bulkupload
2022-02-15 14:34:52 +01:00 · 2022-02-15 13:43:45 +01:00 · 2022-02-15 13:32:15 +01:00 · 2022-02-15 07:14:14 +01:00 · 2022-02-14 16:14:57 +01:00 · 2022-02-11 12:14:31 +01:00
423 changed files with 15078 additions and 2433 deletions
@@ -1,5 +1,5 @@
 codecov:
-  branch: master
+  branch: stable23
  ci:
    - drone.nextcloud.com
    - !scrutinizer-ci.com
@@ -1403,7 +1403,7 @@ steps:
  commands:
    # JavaScript files are not used in integration tests so it is not needed to
    # build them.
-    - git clone --depth 1 https://github.com/nextcloud/spreed apps/spreed
+    - git clone --depth 1 --branch stable23 https://github.com/nextcloud/spreed apps/spreed
 - name: integration-sharing-v1-video-verification
  image: ghcr.io/nextcloud/continuous-integration-integration-php7.3:latest
  commands:
@@ -0,0 +1,30 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Pull request checks
+
+on: pull_request
+
+jobs:
+  block-merges-eol:
+    name: Block merges for EOL branches
+
+    # Only run on stableXX branches
+    if: startsWith( github.base_ref, 'stable')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download updater config
+        run: curl https://raw.githubusercontent.com/nextcloud/updater_server/production/config/config.php --output config.php
+
+      - name: Set server major version environment
+        run: |
+          # retrieve version number from branch reference
+          server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
+          echo "server_major=$server_major" >> $GITHUB_ENV
+ 
+      - name: Checking if ${{ env.server_major }} is EOL
+        run: |
+          php -r 'echo json_encode(require_once "config.php");' | jq --arg version "${{ env.server_major }}" '.stable[$version]["100"].eol' | grep --silent -i 'false'
@@ -0,0 +1,21 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Pull request checks
+
+on: pull_request
+
+jobs:
+  block-merges-during-freeze:
+    name: Block merges during feature freezes
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download version.php from ${{ github.base_ref }}
+        run: curl https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php --output version.php
+
+      - name: Run check
+        run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
@@ -44,7 +44,7 @@ jobs:
        with:
          php-version: ${{ matrix.php-versions }}
          tools: phpunit
-          extensions: mbstring, iconv, fileinfo, intl, sqlite, pdo_sqlite, zip, gd
+          extensions: mbstring, fileinfo, intl, sqlite, pdo_sqlite, zip, gd

      - name: Set up Nextcloud
        run: |
@@ -15,7 +15,7 @@ jobs:
      uses: shivammathur/setup-php@master
      with:
        php-version: ${{ matrix.php-versions }}
-        extensions: ctype,curl,dom,fileinfo,gd,iconv,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+        extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
        coverage: none
    - name: Lint
      run: composer run lint
@@ -30,7 +30,7 @@ jobs:
      uses: shivammathur/setup-php@master
      with:
        php-version: 7.4
-        extensions: ctype,curl,dom,fileinfo,gd,iconv,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+        extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
        coverage: none
        tools: cs2pr
    - name: Install dependencies
@@ -40,7 +40,7 @@ jobs:
        uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ matrix.php-versions }}
-          extensions: ctype,curl,dom,fileinfo,gd,iconv,imagick,intl,json,mbstring,oci8,openssl,pdo_sqlite,posix,sqlite,xml,zip
+          extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,oci8,openssl,pdo_sqlite,posix,sqlite,xml,zip
          tools: phpunit:9
          coverage: none

@@ -45,7 +45,7 @@ jobs:
        with:
          php-version: ${{ matrix.php-versions }}
          tools: phpunit
-          extensions: mbstring, iconv, fileinfo, intl, sqlite, pdo_sqlite, zip, gd
+          extensions: mbstring, fileinfo, intl, sqlite, pdo_sqlite, zip, gd

      - name: Set up Nextcloud
        run: |
@@ -94,7 +94,7 @@ jobs:
        with:
          php-version: ${{ matrix.php-versions }}
          tools: phpunit
-          extensions: mbstring, iconv, fileinfo, intl, sqlite, pdo_sqlite, zip, gd
+          extensions: mbstring, fileinfo, intl, sqlite, pdo_sqlite, zip, gd

      - name: Set up Nextcloud
        run: |
@@ -0,0 +1,78 @@
+name: Samba Kerberos SSO
+on:
+  push:
+    branches:
+      - master
+      - stable*
+    paths:
+      - 'apps/files_external/**'
+  pull_request:
+    paths:
+      - 'apps/files_external/**'
+
+jobs:
+  smb-kerberos-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        php-versions: ['7.4', '8.0']
+
+    name: php${{ matrix.php-versions }}-${{ matrix.ftpd }}
+
+    steps:
+      - name: Checkout server
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+      - name: Pull images
+        run: |
+          docker pull icewind1991/samba-krb-test-dc
+          docker pull icewind1991/samba-krb-test-apache
+          docker pull icewind1991/samba-krb-test-client
+      - name: Setup AD-DC
+        run: |
+          mkdir data
+          sudo chown -R 33 data apps config
+          apps/files_external/tests/setup-krb.sh
+      - name: Set up Nextcloud
+        run: |
+          docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
+          docker exec --user 33 apache ./occ config:system:set trusted_domains 1 --value 'httpd.domain.test'
+
+          # setup user_saml
+          docker exec --user 33 apache ./occ app:enable user_saml --force
+          docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
+          docker exec --user 33 apache ./occ config:app:set user_saml general-uid_mapping --value REMOTE_USER
+
+          # setup external storage
+          docker exec --user 33 apache ./occ app:enable files_external --force
+          docker exec --user 33 apache ./occ files_external:create smb smb smb::kerberosapache
+          docker exec --user 33 apache ./occ files_external:config 1 host krb.domain.test
+          docker exec --user 33 apache ./occ files_external:config 1 share netlogon
+          docker exec --user 33 apache ./occ files_external:list
+      - name: Test SSO
+        run: |
+          mkdir cookies
+          chmod 0777 cookies
+
+          DC_IP=$(docker inspect dc --format '{{.NetworkSettings.IPAddress}}')
+          docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
+            curl -c /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
+          CONTENT=$(docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
+            curl -b /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+          echo $CONTENT
+          CONTENT=$(echo $CONTENT | tr -d '[:space:]')
+          [[ $CONTENT == "testfile" ]]
+
+
+  smb-kerberos-summary:
+    runs-on: ubuntu-latest
+    needs: smb-kerberos-tests
+
+    if: always()
+
+    steps:
+      - name: Summary status
+        run: if ${{ needs.smb-kerberos-tests.result != 'success' }}; then exit 1; fi
@@ -17,7 +17,7 @@ jobs:
              uses: shivammathur/setup-php@master
              with:
                php-version: 7.4
-                extensions: ctype,curl,dom,fileinfo,gd,iconv,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+                extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
                coverage: none
            - name: Composer install
              run: composer i
@@ -43,7 +43,7 @@ jobs:
              uses: shivammathur/setup-php@master
              with:
                php-version: 7.4
-                extensions: ctype,curl,dom,fileinfo,gd,iconv,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+                extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
                coverage: none
            - name: Composer install
              run: composer i
@@ -18,7 +18,7 @@ jobs:
        uses: shivammathur/setup-php@v2
        with:
          php-version: 7.4
-          extensions: ctype,curl,dom,fileinfo,gd,iconv,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+          extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
          coverage: none

      - name: Composer install
@@ -43,7 +43,7 @@
  </IfModule>

  # Add cache control for static resources
-  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico)$">
+  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

@@ -75,6 +75,7 @@

 <IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
+  AddType application/wasm wasm
  AddEncoding gzip svgz
 </IfModule>

@@ -2,13 +2,14 @@

 declare(strict_types=1);

-require_once './lib/composer/autoload.php';
+require_once './vendor-bin/cs-fixer/vendor/autoload.php';

 use Nextcloud\CodingStandard\Config;

 $config = new Config();
 $config
 	->getFinder()
+	->ignoreVCSIgnored(true)
 	->exclude('config')
 	->exclude('data')
 	->notPath('3rdparty')
@@ -1,6 +1,6 @@
 # Nextcloud Server ☁
-[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/server/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/server/?branch=master)
-[![codecov](https://codecov.io/gh/nextcloud/server/branch/master/graph/badge.svg)](https://codecov.io/gh/nextcloud/server)
+[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/server/badges/quality-score.png?b=stable23)](https://scrutinizer-ci.com/g/nextcloud/server/?branch=stable23)
+[![codecov](https://codecov.io/gh/nextcloud/server/branch/stable23/graph/badge.svg)](https://codecov.io/gh/nextcloud/server)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/209/badge)](https://bestpractices.coreinfrastructure.org/projects/209)

 **A safe home for all your data.**
@@ -61,3 +61,13 @@
 		}
 	}
 }
+
+@media (max-width: ($breakpoint-mobile / 2)) {
+	.app-settings #accessibility .preview-list .preview {
+		display: unset;
+
+		.preview-image {
+			height: 150px;
+		}
+	}
+}
@@ -8,6 +8,7 @@
 	<version>1.4.0</version>
 	<licence>agpl</licence>
 	<author>Christoph Wurst</author>
+	<author homepage="https://github.com/nextcloud/groupware">Nextcloud Groupware Team</author>
 	<namespace>ContactsInteraction</namespace>
 	<types>
 		<dav/>
@@ -149,7 +149,7 @@ class ClassLoader

    /**
     * @return string[] Array of classname => path
-     * @psalm-var array<string, string>
+     * @psalm-return array<string, string>
     */
    public function getClassMap()
    {
@@ -163,6 +163,7 @@ return array(
    'OCA\\DAV\\Connector\\Sabre\\FilesReportPlugin' => $baseDir . '/../lib/Connector/Sabre/FilesReportPlugin.php',
    'OCA\\DAV\\Connector\\Sabre\\LockPlugin' => $baseDir . '/../lib/Connector/Sabre/LockPlugin.php',
    'OCA\\DAV\\Connector\\Sabre\\MaintenancePlugin' => $baseDir . '/../lib/Connector/Sabre/MaintenancePlugin.php',
+    'OCA\\DAV\\Connector\\Sabre\\MtimeSanitizer' => $baseDir . '/../lib/Connector/Sabre/MtimeSanitizer.php',
    'OCA\\DAV\\Connector\\Sabre\\Node' => $baseDir . '/../lib/Connector/Sabre/Node.php',
    'OCA\\DAV\\Connector\\Sabre\\ObjectTree' => $baseDir . '/../lib/Connector/Sabre/ObjectTree.php',
    'OCA\\DAV\\Connector\\Sabre\\Principal' => $baseDir . '/../lib/Connector/Sabre/Principal.php',
@@ -178,6 +178,7 @@ class ComposerStaticInitDAV
        'OCA\\DAV\\Connector\\Sabre\\FilesReportPlugin' => __DIR__ . '/..' . '/../lib/Connector/Sabre/FilesReportPlugin.php',
        'OCA\\DAV\\Connector\\Sabre\\LockPlugin' => __DIR__ . '/..' . '/../lib/Connector/Sabre/LockPlugin.php',
        'OCA\\DAV\\Connector\\Sabre\\MaintenancePlugin' => __DIR__ . '/..' . '/../lib/Connector/Sabre/MaintenancePlugin.php',
+        'OCA\\DAV\\Connector\\Sabre\\MtimeSanitizer' => __DIR__ . '/..' . '/../lib/Connector/Sabre/MtimeSanitizer.php',
        'OCA\\DAV\\Connector\\Sabre\\Node' => __DIR__ . '/..' . '/../lib/Connector/Sabre/Node.php',
        'OCA\\DAV\\Connector\\Sabre\\ObjectTree' => __DIR__ . '/..' . '/../lib/Connector/Sabre/ObjectTree.php',
        'OCA\\DAV\\Connector\\Sabre\\Principal' => __DIR__ . '/..' . '/../lib/Connector/Sabre/Principal.php',
@@ -5,7 +5,7 @@
        'type' => 'library',
        'install_path' => __DIR__ . '/../',
        'aliases' => array(),
-        'reference' => 'c6429e6cd19c57582364338362e543580821cf99',
+        'reference' => 'e2c675724fc4ea50f1275bf0027b96f277c32578',
        'name' => '__root__',
        'dev' => false,
    ),
@@ -16,7 +16,7 @@
            'type' => 'library',
            'install_path' => __DIR__ . '/../',
            'aliases' => array(),
-            'reference' => 'c6429e6cd19c57582364338362e543580821cf99',
+            'reference' => 'e2c675724fc4ea50f1275bf0027b96f277c32578',
            'dev_requirement' => false,
        ),
    ),
@@ -29,6 +29,7 @@ use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
 use OCP\Files\Folder;
 use OCP\AppFramework\Http;
+use OCA\DAV\Connector\Sabre\MtimeSanitizer;

 class BulkUploadPlugin extends ServerPlugin {

@@ -78,7 +79,18 @@ class BulkUploadPlugin extends ServerPlugin {
 			}

 			try {
+				// TODO: Remove 'x-file-mtime' when the desktop client no longer use it.
+				if (isset($headers['x-file-mtime'])) {
+					$mtime = MtimeSanitizer::sanitizeMtime($headers['x-file-mtime']);
+				} elseif (isset($headers['x-oc-mtime'])) {
+					$mtime = MtimeSanitizer::sanitizeMtime($headers['x-oc-mtime']);
+				} else {
+					$mtime = null;
+				}
+
 				$node = $this->userFolder->newFile($headers['x-file-path'], $content);
+				$node->touch($mtime);
+
 				$writtenFiles[$headers['x-file-path']] = [
 					"error" => false,
 					"etag" => $node->getETag(),
@@ -100,7 +100,9 @@ use function array_merge;
 use function array_values;
 use function explode;
 use function is_array;
+use function is_resource;
 use function pathinfo;
+use function rewind;
 use function sprintf;
 use function str_replace;
 use function strtolower;
@@ -1900,7 +1902,40 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
 		}

 		$result = $outerQuery->executeQuery();
-		$calendarObjects = $result->fetchAll();
+		$calendarObjects = array_filter($result->fetchAll(), function (array $row) use ($options) {
+			$start = $options['timerange']['start'] ?? null;
+			$end = $options['timerange']['end'] ?? null;
+
+			if ($start === null || !($start instanceof DateTimeInterface) || $end === null || !($end instanceof DateTimeInterface)) {
+				// No filter required
+				return true;
+			}
+
+			$isValid = $this->validateFilterForObject($row, [
+				'name' => 'VCALENDAR',
+				'comp-filters' => [
+					[
+						'name' => 'VEVENT',
+						'comp-filters' => [],
+						'prop-filters' => [],
+						'is-not-defined' => false,
+						'time-range' => [
+							'start' => $start,
+							'end' => $end,
+						],
+					],
+				],
+				'prop-filters' => [],
+				'is-not-defined' => false,
+				'time-range' => null,
+			]);
+			if (is_resource($row['calendardata'])) {
+				// Put the stream back to the beginning so it can be read another time
+				rewind($row['calendardata']);
+			}
+			return $isValid;
+		});
+		$result->closeCursor();

 		return array_map(function ($o) {
 			$calendarData = Reader::read($o['calendardata']);
@@ -2615,6 +2650,7 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
 				'size' => (int)$row['size'],
 			];
 		}
+		$stmt->closeCursor();

 		return $result;
 	}
@@ -2994,6 +3030,7 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
 			->executeQuery();

 		$ids = $result->fetchAll();
+		$result->closeCursor();
 		foreach ($ids as $id) {
 			$this->deleteCalendar(
 				$id['id'],
@@ -49,7 +49,7 @@ class CalendarProvider implements ICalendarProvider {
 	public function getCalendars(string $principalUri, array $calendarUris = []): array {
 		$calendarInfos = [];
 		if (empty($calendarUris)) {
-			$calendarInfos[] = $this->calDavBackend->getCalendarsForUser($principalUri);
+			$calendarInfos = $this->calDavBackend->getCalendarsForUser($principalUri);
 		} else {
 			foreach ($calendarUris as $calendarUri) {
 				$calendarInfos[] = $this->calDavBackend->getCalendarByUri($principalUri, $calendarUri);
@@ -29,7 +29,8 @@ class Capabilities implements ICapability {
 		return [
 			'dav' => [
 				'chunking' => '1.0',
-				'bulkupload' => '1.0',
+				// disabled because of https://github.com/nextcloud/desktop/issues/4243
+				// 'bulkupload' => '1.0',
 			]
 		];
 	}
@@ -107,6 +107,8 @@ class AddressBookImpl implements IAddressBook {
 	 * 	- 'escape_like_param' - If set to false wildcards _ and % are not escaped
 	 * 	- 'limit' - Set a numeric limit for the search results
 	 * 	- 'offset' - Set the offset for the limited search results
+	 * 	- 'wildcard' - Whether the search should use wildcards
+	 * @psalm-param array{types?: bool, escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 *  example result:
 	 *  [
@@ -1024,6 +1024,8 @@ class CardDavBackend implements BackendInterface, SyncSupport {
 	 *    - 'escape_like_param' - If set to false wildcards _ and % are not escaped, otherwise they are
 	 *    - 'limit' - Set a numeric limit for the search results
 	 *    - 'offset' - Set the offset for the limited search results
+	 *    - 'wildcard' - Whether the search should use wildcards
+	 * @psalm-param array{escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 */
 	public function search($addressBookId, $pattern, $searchProperties, $options = []): array {
@@ -1055,6 +1057,7 @@ class CardDavBackend implements BackendInterface, SyncSupport {
 	 * @param string $pattern
 	 * @param array $searchProperties
 	 * @param array $options
+	 * @psalm-param array{types?: bool, escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array
 	 */
 	private function searchByAddressBookIds(array $addressBookIds,
@@ -1062,6 +1065,7 @@ class CardDavBackend implements BackendInterface, SyncSupport {
 											array $searchProperties,
 											array $options = []): array {
 		$escapePattern = !\array_key_exists('escape_like_param', $options) || $options['escape_like_param'] !== false;
+		$useWildcards = !\array_key_exists('wildcard', $options) || $options['wildcard'] !== false;

 		$query2 = $this->db->getQueryBuilder();

@@ -1103,7 +1107,9 @@ class CardDavBackend implements BackendInterface, SyncSupport {

 		// No need for like when the pattern is empty
 		if ('' !== $pattern) {
-			if (!$escapePattern) {
+			if (!$useWildcards) {
+				$query2->andWhere($query2->expr()->eq('cp.value', $query2->createNamedParameter($pattern)));
+			} elseif (!$escapePattern) {
 				$query2->andWhere($query2->expr()->ilike('cp.value', $query2->createNamedParameter($pattern)));
 			} else {
 				$query2->andWhere($query2->expr()->ilike('cp.value', $query2->createNamedParameter('%' . $this->db->escapeLikeParameter($pattern) . '%')));
@@ -391,12 +391,13 @@ class FilesPlugin extends ServerPlugin {
 					$user->getUID()
 				);
 			});
-		}

-		if ($node instanceof \OCA\DAV\Connector\Sabre\Node) {
 			$propFind->handle(self::DATA_FINGERPRINT_PROPERTYNAME, function () use ($node) {
 				return $this->config->getSystemValue('data-fingerprint', '');
 			});
+			$propFind->handle(self::CREATION_TIME_PROPERTYNAME, function () use ($node) {
+				return $node->getFileInfo()->getCreationTime();
+			});
 		}

 		if ($node instanceof \OCA\DAV\Connector\Sabre\File) {
@@ -423,10 +424,6 @@ class FilesPlugin extends ServerPlugin {
 				return new ChecksumList($checksum);
 			});

-			$propFind->handle(self::CREATION_TIME_PROPERTYNAME, function () use ($node) {
-				return $node->getFileInfo()->getCreationTime();
-			});
-
 			$propFind->handle(self::UPLOAD_TIME_PROPERTYNAME, function () use ($node) {
 				return $node->getFileInfo()->getUploadTime();
 			});
@@ -0,0 +1,42 @@
+<?php
+/**
+ * @copyright Copyright (c) 2021, Louis Chemineau <louis@chmn.me>
+ *
+ * @author Louis Chemineau <louis@chmn.me>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+class MtimeSanitizer {
+	public static function sanitizeMtime(string $mtimeFromRequest): int {
+		// In PHP 5.X "is_numeric" returns true for strings in hexadecimal
+		// notation. This is no longer the case in PHP 7.X, so this check
+		// ensures that strings with hexadecimal notations fail too in PHP 5.X.
+		$isHexadecimal = preg_match('/^\s*0[xX]/', $mtimeFromRequest);
+		if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
+			throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
+		}
+
+		// Prevent writing invalid mtime (timezone-proof)
+		if ((int)$mtimeFromRequest <= 24 * 60 * 60) {
+			throw new \InvalidArgumentException('X-OC-MTime header must be a valid positive integer');
+		}
+
+		return (int)$mtimeFromRequest;
+	}
+}
@@ -404,14 +404,6 @@ abstract class Node implements \Sabre\DAV\INode {
 	}

 	protected function sanitizeMtime($mtimeFromRequest) {
-		// In PHP 5.X "is_numeric" returns true for strings in hexadecimal
-		// notation. This is no longer the case in PHP 7.X, so this check
-		// ensures that strings with hexadecimal notations fail too in PHP 5.X.
-		$isHexadecimal = is_string($mtimeFromRequest) && preg_match('/^\s*0[xX]/', $mtimeFromRequest);
-		if ($isHexadecimal || !is_numeric($mtimeFromRequest)) {
-			throw new \InvalidArgumentException('X-OC-MTime header must be an integer (unix timestamp).');
-		}
-
-		return (int)$mtimeFromRequest;
+		return MtimeSanitizer::sanitizeMtime($mtimeFromRequest);
 	}
 }
@@ -41,7 +41,8 @@ class RemoveDeletedUsersCalendarSubscriptions implements IRepairStep {
 	/** @var int */
 	private $progress = 0;

-	private $orphanSubscriptions = [];
+	/** @var int[] */
+	private $orphanSubscriptionIds = [];

 	private const SUBSCRIPTIONS_CHUNK_SIZE = 1000;

@@ -74,7 +75,7 @@ class RemoveDeletedUsersCalendarSubscriptions implements IRepairStep {
 		$output->finishProgress();
 		$this->deleteOrphanSubscriptions();

-		$output->info(sprintf('%d calendar subscriptions without an user have been cleaned up', count($this->orphanSubscriptions)));
+		$output->info(sprintf('%d calendar subscriptions without an user have been cleaned up', count($this->orphanSubscriptionIds)));
 	}

 	/**
@@ -112,7 +113,7 @@ class RemoveDeletedUsersCalendarSubscriptions implements IRepairStep {
 		while ($row = $result->fetch()) {
 			$username = $this->getPrincipal($row['principaluri']);
 			if (!$this->userManager->userExists($username)) {
-				$this->orphanSubscriptions[] = $row['id'];
+				$this->orphanSubscriptionIds[] = (int) $row['id'];
 			}
 		}
 		$result->closeCursor();
@@ -122,7 +123,7 @@ class RemoveDeletedUsersCalendarSubscriptions implements IRepairStep {
 	 * @throws Exception
 	 */
 	private function deleteOrphanSubscriptions(): void {
-		foreach ($this->orphanSubscriptions as $orphanSubscriptionID) {
+		foreach ($this->orphanSubscriptionIds as $orphanSubscriptionID) {
 			$this->deleteOrphanSubscription($orphanSubscriptionID);
 		}
 	}
@@ -37,7 +37,7 @@ do
 		echo -en "--$BOUNDARY\r\n"
 		# echo -en "Content-ID: $file_name\r\n"
 		echo -en "X-File-Path: $file_remote_path\r\n"
-		echo -en "X-File-Mtime: $file_mtime\r\n"
+		echo -en "X-OC-Mtime: $file_mtime\r\n"
 		# echo -en "X-File-Id: $file_id\r\n"
 		echo -en "X-File-Md5: $file_hash\r\n"
 		echo -en "Content-Length: $file_size\r\n"
@@ -35,7 +35,8 @@ class CapabilitiesTest extends TestCase {
 		$expected = [
 			'dav' => [
 				'chunking' => '1.0',
-				'bulkupload' => '1.0',
+				// disabled because of https://github.com/nextcloud/desktop/issues/4243
+				// 'bulkupload' => '1.0',
 			],
 		];
 		$this->assertSame($expected, $capabilities->getCapabilities());
@@ -361,28 +361,28 @@ class FileTest extends TestCase {
 				'expected result' => null
 			],
 			"castable string (int)" => [
-				'HTTP_X_OC_MTIME' => "34",
-				'expected result' => 34
+				'HTTP_X_OC_MTIME' => "987654321",
+				'expected result' => 987654321
 			],
 			"castable string (float)" => [
-				'HTTP_X_OC_MTIME' => "34.56",
-				'expected result' => 34
+				'HTTP_X_OC_MTIME' => "123456789.56",
+				'expected result' => 123456789
 			],
 			"float" => [
-				'HTTP_X_OC_MTIME' => 34.56,
-				'expected result' => 34
+				'HTTP_X_OC_MTIME' => 123456789.56,
+				'expected result' => 123456789
 			],
 			"zero" => [
 				'HTTP_X_OC_MTIME' => 0,
-				'expected result' => 0
+				'expected result' => null
 			],
 			"zero string" => [
 				'HTTP_X_OC_MTIME' => "0",
-				'expected result' => 0
+				'expected result' => null
 			],
 			"negative zero string" => [
 				'HTTP_X_OC_MTIME' => "-0",
-				'expected result' => 0
+				'expected result' => null
 			],
 			"string starting with number following by char" => [
 				'HTTP_X_OC_MTIME' => "2345asdf",
@@ -398,11 +398,11 @@ class FileTest extends TestCase {
 			],
 			"negative int" => [
 				'HTTP_X_OC_MTIME' => -34,
-				'expected result' => -34
+				'expected result' => null
 			],
 			"negative float" => [
 				'HTTP_X_OC_MTIME' => -34.43,
-				'expected result' => -34
+				'expected result' => null
 			],
 		];
 	}
@@ -421,7 +421,6 @@ class FileTest extends TestCase {

 		if ($resultMtime === null) {
 			$this->expectException(\InvalidArgumentException::class);
-			$this->expectExceptionMessage("X-OC-MTime header must be an integer (unix timestamp).");
 		}

 		$this->doPut($file, null, $request);
@@ -447,7 +446,6 @@ class FileTest extends TestCase {

 		if ($resultMtime === null) {
 			$this->expectException(\Sabre\DAV\Exception::class);
-			$this->expectExceptionMessage("X-OC-MTime header must be an integer (unix timestamp).");
 		}

 		$this->doPut($file.'-chunking-12345-2-0', null, $request);
@@ -164,8 +164,54 @@ class NodeTest extends \Test\TestCase {
 			->disableOriginalConstructor()
 			->getMock();

-		$node = new  \OCA\DAV\Connector\Sabre\File($view, $info);
+		$node = new \OCA\DAV\Connector\Sabre\File($view, $info);
 		$this->invokePrivate($node, 'shareManager', [$shareManager]);
 		$this->assertEquals($expected, $node->getSharePermissions($user));
 	}
+
+	public function sanitizeMtimeProvider() {
+		return [
+			[123456789, 123456789],
+			['987654321', 987654321],
+		];
+	}
+
+	/**
+	 * @dataProvider sanitizeMtimeProvider
+	 */
+	public function testSanitizeMtime($mtime, $expected) {
+		$view = $this->getMockBuilder(View::class)
+			->disableOriginalConstructor()
+			->getMock();
+		$info = $this->getMockBuilder(FileInfo::class)
+			->disableOriginalConstructor()
+			->getMock();
+
+		$node = new \OCA\DAV\Connector\Sabre\File($view, $info);
+		$result = $this->invokePrivate($node, 'sanitizeMtime', [$mtime]);
+		$this->assertEquals($expected, $result);
+	}
+
+	public function invalidSanitizeMtimeProvider() {
+		return [
+			[-1337], [0], ['abcdef'], ['-1337'], ['0'], [12321], [24 * 60 * 60 - 1]
+		];
+	}
+
+	/**
+	 * @dataProvider invalidSanitizeMtimeProvider
+	 */
+	public function testInvalidSanitizeMtime($mtime) {
+		$this->expectException(\InvalidArgumentException::class);
+
+		$view = $this->getMockBuilder(View::class)
+			->disableOriginalConstructor()
+			->getMock();
+		$info = $this->getMockBuilder(FileInfo::class)
+			->disableOriginalConstructor()
+			->getMock();
+
+		$node = new \OCA\DAV\Connector\Sabre\File($view, $info);
+		$result = $this->invokePrivate($node, 'sanitizeMtime', [$mtime]);
+	}
 }
@@ -255,7 +255,12 @@ class Notifier implements INotifier {
 			}
 		}

-		$addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD']);
+		$addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookEntries as $entry) {
 			if (isset($entry['CLOUD'])) {
 				foreach ($entry['CLOUD'] as $cloudID) {
@@ -428,11 +428,6 @@ table {
 			padding: 0 20px 0 0;
 		}
 	}
-
-	.uploadtext {
-		position: absolute;
-		left: 55px;
-	}
 }

 .hide-hidden-files #filestable #fileList tr.hidden-file,
@@ -460,13 +455,22 @@ table td.filename .nametext .innernametext {
 /* for smaller resolutions - see mobile.css */

 table td.filename .uploadtext {
+	position: absolute;
 	font-weight: normal;
-	margin-left: 55px;
-	margin-top: 5px;
+	// checkbox width
+	margin-left: 50px;
+	left: 0;
+	bottom: 0;
 	height: 20px;
-	padding: 10px 0;
+	padding: 0 4px;
+	// align with file name
+	padding-left: 1px;
 	font-size: 11px;
-	opacity: .5;
+	// double the font size
+	line-height: 22px;
+	color: var(--color-text-maxcontrast);
+	text-overflow: ellipsis;
+	white-space: nowrap;
 }

 table td.selection {
@@ -988,6 +992,18 @@ table.dragshadow td.size {
 					}
 				}

+				.uploadtext {
+					width: 100%;
+					margin: 0;
+					top: 0;
+					bottom: auto;
+					// checkbox align
+					height: 28px;
+					padding-top: 4px;
+					// checkbox margins
+					padding-left: calc(44px - 16px);
+				}
+
 				.name {
 					height: 100%;
 					border-radius: var(--border-radius);
@@ -316,7 +316,7 @@
 		 * Event handler for when an app notified that its directory changed
 		 */
 		_onDirectoryChanged: function(e) {
-			if (e.dir) {
+			if (e.dir && !e.changedThroughUrl) {
 				this._changeUrl(this.navigation.getActiveItem(), e.dir, e.fileId);
 			}
 		},
@@ -386,9 +386,11 @@
 				params.fileid = fileId;
 			}
 			var currentParams = OC.Util.History.parseUrlQuery();
-			if (currentParams.dir === params.dir && currentParams.view === params.view && currentParams.fileid !== params.fileid) {
-				// if only fileid changed or was added, replace instead of push
-				OC.Util.History.replaceState(this._makeUrlParams(params));
+			if (currentParams.dir === params.dir && currentParams.view === params.view) {
+				if (currentParams.fileid !== params.fileid) {
+					// if only fileid changed or was added, replace instead of push
+					OC.Util.History.replaceState(this._makeUrlParams(params));
+				}
 			} else {
 				OC.Util.History.pushState(this._makeUrlParams(params));
 			}
@@ -322,26 +322,32 @@ OC.FileUpload.prototype = {
 		);
 	},

+	_delete: function() {
+		if (this.data.isChunked) {
+			this._deleteChunkFolder()
+		}
+		this.deleteUpload();
+	},
+
 	/**
 	 * Abort the upload
 	 */
 	abort: function() {
-		if (this.data.isChunked) {
-			this._deleteChunkFolder();
+		if (this.aborted) {
+			return
 		}
-		this.data.abort();
-		this.deleteUpload();
 		this.aborted = true;
+		this._delete();
 	},

 	/**
 	 * Fail the upload
 	 */
 	fail: function() {
-		this.deleteUpload();
-		if (this.data.isChunked) {
-			this._deleteChunkFolder();
+		if (this.aborted) {
+			return
 		}
+		this._delete();
 	},

 	/**
@@ -679,7 +685,26 @@ OC.Uploader.prototype = _.extend({
 			return;
 		}

-		delete this._uploads[upload.data.uploadId];
+		// defer as some calls/chunks might still be busy failing, so we need
+		// the upload info there still
+		var self = this;
+		var uploadId = upload.data.uploadId;
+		// mark as deleted for the progress bar
+		this._uploads[uploadId].deleted = true;
+		window.setTimeout(function() {
+			delete self._uploads[uploadId];
+		}, 5000)
+	},
+
+	_activeUploadCount: function() {
+		var count = 0;
+		for (var key in this._uploads) {
+			if (!this._uploads[key].deleted) {
+				count++;
+			}
+		}
+
+		return count;
 	},

 	showUploadCancelMessage: _.debounce(function() {
@@ -905,6 +930,7 @@ OC.Uploader.prototype = _.extend({
 		if ($uploadEl.exists()) {
 			this.progressBar.on('cancel', function() {
 				self.cancelUploads();
+				self.showUploadCancelMessage();
 			});

 			this.fileUploadParam = {
@@ -1075,6 +1101,10 @@ OC.Uploader.prototype = _.extend({
 					var upload = self.getUpload(data);
 					var status = null;
 					if (upload) {
+						if (upload.aborted) {
+							// uploads might fail with errors from the server when aborted
+							return
+						}
 						status = upload.getResponseStatus();
 					}
 					self.log('fail', e, upload);
@@ -1082,7 +1112,7 @@ OC.Uploader.prototype = _.extend({
 					self.removeUpload(upload);

 					if (data.textStatus === 'abort' || data.errorThrown === 'abort') {
-						self.showUploadCancelMessage();
+						return
 					} else if (status === 412) {
 						// file already exists
 						self.showConflict(upload);
@@ -1283,6 +1313,10 @@ OC.Uploader.prototype = _.extend({
 				fileupload.on('fileuploadchunksend', function(e, data) {
 					// modify the request to adjust it to our own chunking
 					var upload = self.getUpload(data);
+					if (!upload) {
+						// likely cancelled
+						return
+					}
 					var range = data.contentRange.split(' ')[1];
 					var chunkId = range.split('/')[0].split('-')[0];
 					data.url = OC.getRootPath() +
@@ -1298,9 +1332,9 @@ OC.Uploader.prototype = _.extend({

 					self._pendingUploadDoneCount++;

-					upload.done().then(function() {
+					upload.done().always(function() {
 						self._pendingUploadDoneCount--;
-						if (Object.keys(self._uploads).length === 0 && self._pendingUploadDoneCount === 0) {
+						if (self._activeUploadCount() === 0 && self._pendingUploadDoneCount === 0) {
 							// All the uploads ended and there is no pending
 							// operation, so hide the progress bar.
 							// Note that this happens here only with chunked
@@ -1314,9 +1348,13 @@ OC.Uploader.prototype = _.extend({
 							// hides the progress bar in that case).
 							self._hideProgressBar();
 						}
-
+					}).done(function() {
 						self.trigger('done', e, upload);
 					}).fail(function(status, response) {
+						if (upload.aborted) {
+							return
+						}
+
 						var message = response.message;
 						if (status === 507) {
 							// not enough space
@@ -794,7 +794,7 @@
 				if( (this._currentDirectory || this.$el.find('#dir').val()) && currentDir === e.dir) {
 					return;
 				}
-				this.changeDirectory(e.dir, false, true);
+				this.changeDirectory(e.dir, true, true, undefined, true);
 			}
 		},

@@ -2057,15 +2057,16 @@
 		 * @param {boolean} [changeUrl=true] if the URL must not be changed (defaults to true)
 		 * @param {boolean} [force=false] set to true to force changing directory
 		 * @param {string} [fileId] optional file id, if known, to be appended in the URL
+		 * @param {bool} [changedThroughUrl=false] true if the dir was set through a URL change
 		 */
-		changeDirectory: function(targetDir, changeUrl, force, fileId) {
+		changeDirectory: function(targetDir, changeUrl, force, fileId, changedThroughUrl) {
 			var self = this;
 			var currentDir = this.getCurrentDirectory();
 			targetDir = targetDir || '/';
 			if (!force && currentDir === targetDir) {
 				return;
 			}
-			this._setCurrentDir(targetDir, changeUrl, fileId);
+			this._setCurrentDir(targetDir, changeUrl, fileId, changedThroughUrl);

 			// discard finished uploads list, we'll get it through a regular reload
 			this._uploads = {};
@@ -2100,8 +2101,9 @@
 		 * @param targetDir directory to display
 		 * @param changeUrl true to also update the URL, false otherwise (default)
 		 * @param {string} [fileId] file id
+		 * @param {bool} changedThroughUrl true if the dir was set through a URL change
 		 */
-		_setCurrentDir: function(targetDir, changeUrl, fileId) {
+		_setCurrentDir: function(targetDir, changeUrl, fileId, changedThroughUrl) {
 			targetDir = targetDir.replace(/\\/g, '/');
 			if (!this._isValidPath(targetDir)) {
 				targetDir = '/';
@@ -2133,6 +2135,7 @@
 				if (fileId) {
 					params.fileId = fileId;
 				}
+				params.changedThroughUrl = changedThroughUrl
 				this.$el.trigger(jQuery.Event('changeDirectory', params));
 			}
 			this.breadcrumb.setDirectory(this.getCurrentDirectory());
@@ -2232,7 +2235,9 @@
 			this.hideMask();

 			if (status === 401) {
-				return false;
+				// We are not authentificated, so reload the page so that we get
+				// redirected to the login page while saving the current url.
+				location.reload();
 			}

 			// Firewall Blocked request?
@@ -46,7 +46,7 @@
 				actionHandler: function (fileName, context) {
 					var fileModel = context.fileInfoModel;
 					OC.Apps.hideAppSidebar($('.detailsView'));
-					OCA.Files.App.setActiveView('files');
+					OCA.Files.App.setActiveView('files', { silent: true });
 					OCA.Files.App.fileList.changeDirectory(fileModel.get('path'), true, true).then(function() {
 						OCA.Files.App.fileList.scrollTo(fileModel.get('name'));
 					});
@@ -560,7 +560,12 @@ class Provider implements IProvider {
 			return $this->displayNames[$search];
 		}

-		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD']);
+		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['isLocalSystemBook'])) {
 				continue;
@@ -21,6 +21,7 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */
+
 namespace OCA\Files\BackgroundJob;

 use OC\Files\Utils\Scanner;
@@ -29,7 +30,6 @@ use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IConfig;
 use OCP\IDBConnection;
 use OCP\ILogger;
-use OCP\IUserManager;

 /**
 * Class ScanFiles is a background job used to run the file scanner over the user
@@ -40,8 +40,6 @@ use OCP\IUserManager;
 class ScanFiles extends \OC\BackgroundJob\TimedJob {
 	/** @var IConfig */
 	private $config;
-	/** @var IUserManager */
-	private $userManager;
 	/** @var IEventDispatcher */
 	private $dispatcher;
 	/** @var ILogger */
@@ -53,14 +51,12 @@ class ScanFiles extends \OC\BackgroundJob\TimedJob {

 	/**
 	 * @param IConfig $config
-	 * @param IUserManager $userManager
 	 * @param IEventDispatcher $dispatcher
 	 * @param ILogger $logger
 	 * @param IDBConnection $connection
 	 */
 	public function __construct(
 		IConfig $config,
-		IUserManager $userManager,
 		IEventDispatcher $dispatcher,
 		ILogger $logger,
 		IDBConnection $connection
@@ -69,7 +65,6 @@ class ScanFiles extends \OC\BackgroundJob\TimedJob {
 		$this->setInterval(60 * 10);

 		$this->config = $config;
-		$this->userManager = $userManager;
 		$this->dispatcher = $dispatcher;
 		$this->logger = $logger;
 		$this->connection = $connection;
@@ -81,10 +76,10 @@ class ScanFiles extends \OC\BackgroundJob\TimedJob {
 	protected function runScanner(string $user) {
 		try {
 			$scanner = new Scanner(
-					$user,
-					null,
-					$this->dispatcher,
-					$this->logger
+				$user,
+				null,
+				$this->dispatcher,
+				$this->logger
 			);
 			$scanner->backgroundScan('');
 		} catch (\Exception $e) {
@@ -94,20 +89,20 @@ class ScanFiles extends \OC\BackgroundJob\TimedJob {
 	}

 	/**
-	 * Find all storages which have unindexed files and return a user for each
+	 * Find a storage which have unindexed files and return a user with access to the storage
 	 *
-	 * @return string[]
+	 * @return string|false
 	 */
-	private function getUsersToScan(): array {
+	private function getUserToScan() {
 		$query = $this->connection->getQueryBuilder();
-		$query->select($query->func()->max('user_id'))
+		$query->select('user_id')
 			->from('filecache', 'f')
 			->innerJoin('f', 'mounts', 'm', $query->expr()->eq('storage_id', 'storage'))
 			->where($query->expr()->lt('size', $query->createNamedParameter(0, IQueryBuilder::PARAM_INT)))
-			->groupBy('storage_id')
-			->setMaxResults(self::USERS_PER_SESSION);
+			->andWhere($query->expr()->gt('parent', $query->createNamedParameter(-1, IQueryBuilder::PARAM_INT)))
+			->setMaxResults(1);

-		return $query->execute()->fetchAll(\PDO::FETCH_COLUMN);
+		return $query->execute()->fetchOne();
 	}

 	/**
@@ -119,10 +114,18 @@ class ScanFiles extends \OC\BackgroundJob\TimedJob {
 			return;
 		}

-		$users = $this->getUsersToScan();
-
-		foreach ($users as $user) {
+		$usersScanned = 0;
+		$lastUser = '';
+		$user = $this->getUserToScan();
+		while ($user && $usersScanned < self::USERS_PER_SESSION && $lastUser !== $user) {
 			$this->runScanner($user);
+			$lastUser = $user;
+			$user = $this->getUserToScan();
+			$usersScanned += 1;
+		}
+
+		if ($lastUser === $user) {
+			$this->logger->warning("User $user still has unscanned files after running background scan, background scan might be stopped prematurely");
 		}
 	}
 }
@@ -105,15 +105,6 @@ class Scan extends Base {
 			);
 	}

-	public function checkScanWarning($fullPath, OutputInterface $output) {
-		$normalizedPath = basename(\OC\Files\Filesystem::normalizePath($fullPath));
-		$path = basename($fullPath);
-
-		if ($normalizedPath !== $path) {
-			$output->writeln("\t<error>Entry \"" . $fullPath . '" will not be accessible due to incompatible encoding</error>');
-		}
-	}
-
 	protected function scanFiles($user, $path, OutputInterface $output, $backgroundScan = false, $recursive = true, $homeOnly = false) {
 		$connection = $this->reconnectToDatabase($output);
 		$scanner = new \OC\Files\Utils\Scanner(
@@ -141,12 +132,8 @@ class Scan extends Base {
 			$output->writeln('Error while scanning, storage not available (' . $e->getMessage() . ')', OutputInterface::VERBOSITY_VERBOSE);
 		});

-		$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', function ($path) use ($output) {
-			$this->checkScanWarning($path, $output);
-		});
-
-		$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', function ($path) use ($output) {
-			$this->checkScanWarning($path, $output);
+		$scanner->listen('\OC\Files\Utils\Scanner', 'normalizedNameMismatch', function ($fullPath) use ($output) {
+			$output->writeln("\t<error>Entry \"" . $fullPath . '" will not be accessible due to incompatible encoding</error>');
 		});

 		try {
@@ -73,15 +73,6 @@ class ScanAppData extends Base {
 		$this->addArgument('folder', InputArgument::OPTIONAL, 'The appdata subfolder to scan', '');
 	}

-	public function checkScanWarning($fullPath, OutputInterface $output) {
-		$normalizedPath = basename(\OC\Files\Filesystem::normalizePath($fullPath));
-		$path = basename($fullPath);
-
-		if ($normalizedPath !== $path) {
-			$output->writeln("\t<error>Entry \"" . $fullPath . '" will not be accessible due to incompatible encoding</error>');
-		}
-	}
-
 	protected function scanFiles(OutputInterface $output, string $folder): int {
 		try {
 			$appData = $this->getAppDataFolder();
@@ -124,12 +115,8 @@ class ScanAppData extends Base {
 			$output->writeln('Error while scanning, storage not available (' . $e->getMessage() . ')', OutputInterface::VERBOSITY_VERBOSE);
 		});

-		$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', function ($path) use ($output) {
-			$this->checkScanWarning($path, $output);
-		});
-
-		$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', function ($path) use ($output) {
-			$this->checkScanWarning($path, $output);
+		$scanner->listen('\OC\Files\Utils\Scanner', 'normalizedNameMismatch', function ($fullPath) use ($output) {
+			$output->writeln("\t<error>Entry \"" . $fullPath . '" will not be accessible due to incompatible encoding</error>');
 		});

 		try {
@@ -162,10 +162,10 @@ class ViewController extends Controller {
 	 * @return TemplateResponse|RedirectResponse
 	 * @throws NotFoundException
 	 */
-	public function showFile(string $fileid = null): Response {
+	public function showFile(string $fileid = null, int $openfile = 1): Response {
 		// This is the entry point from the `/f/{fileid}` URL which is hardcoded in the server.
 		try {
-			return $this->redirectToFile($fileid, true);
+			return $this->redirectToFile($fileid, $openfile !== 0);
 		} catch (NotFoundException $e) {
 			return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index', ['fileNotFound' => true]));
 		}
@@ -118,13 +118,12 @@ class FilesSearchProvider implements IProvider {
 				// Generate thumbnail url
 				$thumbnailUrl = $this->urlGenerator->linkToRouteAbsolute('core.Preview.getPreviewByFileId', ['x' => 32, 'y' => 32, 'fileId' => $result->getId()]);
 				$path = $userFolder->getRelativePath($result->getPath());
+
+				// Use shortened link to centralize the various
+				// files/folder url redirection in files.View.showFile
 				$link = $this->urlGenerator->linkToRoute(
-					'files.view.index',
-					[
-						'dir' => dirname($path),
-						'scrollto' => $result->getName(),
-						'openfile' => $result->getId(),
-					]
+					'files.View.showFile',
+					['fileid' => $result->getId()]
 				);

 				$searchResultEntry = new SearchResultEntry(
@@ -29,7 +29,7 @@ $userSession = \OC::$server->getUserSession();
 // TODO: move this to the generated config.js
 /** @var IManager $shareManager */
 $shareManager = \OC::$server->get(IManager::class);
-$publicUploadEnabled = $shareManager->shareApiLinkAllowPublicUpload() ? 'yes' : 'no';;
+$publicUploadEnabled = $shareManager->shareApiLinkAllowPublicUpload() ? 'yes' : 'no';

 $showgridview = $config->getUserValue($userSession->getUser()->getUID(), 'files', 'show_grid', false);
 $isIE = OC_Util::isIe();
@@ -23,8 +23,7 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
-// Check if we are a user
-OC_Util::checkLoggedIn();
+
 $config = \OC::$server->getConfig();
 $userSession = \OC::$server->getUserSession();

@@ -37,6 +37,9 @@ Object.assign(window.OCA.Files, { Settings: new Settings() })
 Object.assign(window.OCA.Files.Settings, { Setting })

 window.addEventListener('DOMContentLoaded', function() {
+	if (window.TESTING) {
+		return
+	}
 	// Init Vue app
 	// eslint-disable-next-line
 	new Vue({
@@ -58,5 +58,7 @@ __webpack_public_path__ = generateFilePath('files', '', 'js/')

 Vue.prototype.t = t

-const View = Vue.extend(PersonalSettings)
-new View().$mount('#files-personal-settings')
+if (!window.TESTING) {
+	const View = Vue.extend(PersonalSettings)
+	new View().$mount('#files-personal-settings')
+}
@@ -213,8 +213,11 @@ export default {
 				)
 				this.logger.debug('Created new file', fileInfo)

-				await fileList?.addAndFetchFileInfo(this.name)
+				const data = await fileList?.addAndFetchFileInfo(this.name).then((status, data) => data)

+				const model = new OCA.Files.FileInfoModel(data, {
+					filesClient: fileList?.filesClient,
+				})
 				// Run default action
 				const fileAction = OCA.Files.fileActions.getDefaultFileAction(fileInfo.mime, 'file', OC.PERMISSION_ALL)
 				fileAction.action(fileInfo.basename, {
@@ -222,7 +225,7 @@ export default {
 					dir: currentDirectory,
 					fileList,
 					fileActions: fileList?.fileActions,
-					fileInfoModel: fileList?.getModelForFile(this.name),
+					fileInfoModel: model,
 				})

 				this.close()
@@ -30,7 +30,6 @@ use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IConfig;
 use OCP\ILogger;
 use OCP\IUser;
-use OCP\IUserManager;
 use Test\TestCase;
 use Test\Traits\MountProviderTrait;
 use Test\Traits\UserTrait;
@@ -54,7 +53,6 @@ class ScanFilesTest extends TestCase {
 		parent::setUp();

 		$config = $this->createMock(IConfig::class);
-		$userManager = $this->createMock(IUserManager::class);
 		$dispatcher = $this->createMock(IEventDispatcher::class);
 		$logger = $this->createMock(ILogger::class);
 		$connection = \OC::$server->getDatabaseConnection();
@@ -63,7 +61,6 @@ class ScanFilesTest extends TestCase {
 		$this->scanFiles = $this->getMockBuilder('\OCA\Files\BackgroundJob\ScanFiles')
 			->setConstructorArgs([
 				$config,
-				$userManager,
 				$dispatcher,
 				$logger,
 				$connection,
@@ -5,6 +5,8 @@ icewind/smb/install_libsmbclient.sh
 icewind/smb/Makefile
 icewind/smb/.travis.yml
 icewind/smb/.scrutinizer.yml
+icewind/smb/example-apache-kerberos.php
+icewind/smb/codecov.yml
 icewind/streams/tests
 .github
 .php_cs*
@@ -9,6 +9,6 @@
 	},
 	"require": {
 		"icewind/streams": "0.7.4",
-		"icewind/smb": "3.4.1"
+		"icewind/smb": "3.5.2"
 	}
 }
@@ -4,20 +4,20 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "0ffc772b2aaaaffe52decb8d13361976",
+    "content-hash": "524c99fd87297e01d004eb5a4e53b04c",
    "packages": [
        {
            "name": "icewind/smb",
-            "version": "v3.4.1",
+            "version": "v3.5.2",
            "source": {
                "type": "git",
                "url": "https://github.com/icewind1991/SMB.git",
-                "reference": "9dba42ab2a3990de29e18cc62b0a8270aceb74e3"
+                "reference": "0a425bd21acf7ae112b135dca34640e1b1a825c3"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/icewind1991/SMB/zipball/9dba42ab2a3990de29e18cc62b0a8270aceb74e3",
-                "reference": "9dba42ab2a3990de29e18cc62b0a8270aceb74e3",
+                "url": "https://api.github.com/repos/icewind1991/SMB/zipball/0a425bd21acf7ae112b135dca34640e1b1a825c3",
+                "reference": "0a425bd21acf7ae112b135dca34640e1b1a825c3",
                "shasum": ""
            },
            "require": {
@@ -49,9 +49,9 @@
            "description": "php wrapper for smbclient and libsmbclient-php",
            "support": {
                "issues": "https://github.com/icewind1991/SMB/issues",
-                "source": "https://github.com/icewind1991/SMB/tree/v3.4.1"
+                "source": "https://github.com/icewind1991/SMB/tree/v3.5.2"
            },
-            "time": "2021-04-19T13:53:08+00:00"
+            "time": "2022-01-20T14:51:51+00:00"
        },
        {
            "name": "icewind/streams",
@@ -107,5 +107,5 @@
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": [],
-    "plugin-api-version": "2.1.0"
+    "plugin-api-version": "2.2.0"
 }
@@ -42,30 +42,75 @@ namespace Composer\Autoload;
 */
 class ClassLoader
 {
+    /** @var ?string */
    private $vendorDir;

    // PSR-4
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<string, int>>
+     */
    private $prefixLengthsPsr4 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<int, string>>
+     */
    private $prefixDirsPsr4 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, string>
+     */
    private $fallbackDirsPsr4 = array();

    // PSR-0
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<string, string[]>>
+     */
    private $prefixesPsr0 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, string>
+     */
    private $fallbackDirsPsr0 = array();

+    /** @var bool */
    private $useIncludePath = false;
+
+    /**
+     * @var string[]
+     * @psalm-var array<string, string>
+     */
    private $classMap = array();
+
+    /** @var bool */
    private $classMapAuthoritative = false;
+
+    /**
+     * @var bool[]
+     * @psalm-var array<string, bool>
+     */
    private $missingClasses = array();
+
+    /** @var ?string */
    private $apcuPrefix;

+    /**
+     * @var self[]
+     */
    private static $registeredLoaders = array();

+    /**
+     * @param ?string $vendorDir
+     */
    public function __construct($vendorDir = null)
    {
        $this->vendorDir = $vendorDir;
    }

+    /**
+     * @return string[]
+     */
    public function getPrefixes()
    {
        if (!empty($this->prefixesPsr0)) {
@@ -75,28 +120,47 @@ class ClassLoader
        return array();
    }

+    /**
+     * @return array[]
+     * @psalm-return array<string, array<int, string>>
+     */
    public function getPrefixesPsr4()
    {
        return $this->prefixDirsPsr4;
    }

+    /**
+     * @return array[]
+     * @psalm-return array<string, string>
+     */
    public function getFallbackDirs()
    {
        return $this->fallbackDirsPsr0;
    }

+    /**
+     * @return array[]
+     * @psalm-return array<string, string>
+     */
    public function getFallbackDirsPsr4()
    {
        return $this->fallbackDirsPsr4;
    }

+    /**
+     * @return string[] Array of classname => path
+     * @psalm-return array<string, string>
+     */
    public function getClassMap()
    {
        return $this->classMap;
    }

    /**
-     * @param array $classMap Class to filename map
+     * @param string[] $classMap Class to filename map
+     * @psalm-param array<string, string> $classMap
+     *
+     * @return void
     */
    public function addClassMap(array $classMap)
    {
@@ -111,9 +175,11 @@ class ClassLoader
     * Registers a set of PSR-0 directories for a given prefix, either
     * appending or prepending to the ones previously set for this prefix.
     *
-     * @param string       $prefix  The prefix
-     * @param array|string $paths   The PSR-0 root directories
-     * @param bool         $prepend Whether to prepend the directories
+     * @param string          $prefix  The prefix
+     * @param string[]|string $paths   The PSR-0 root directories
+     * @param bool            $prepend Whether to prepend the directories
+     *
+     * @return void
     */
    public function add($prefix, $paths, $prepend = false)
    {
@@ -156,11 +222,13 @@ class ClassLoader
     * Registers a set of PSR-4 directories for a given namespace, either
     * appending or prepending to the ones previously set for this namespace.
     *
-     * @param string       $prefix  The prefix/namespace, with trailing '\\'
-     * @param array|string $paths   The PSR-4 base directories
-     * @param bool         $prepend Whether to prepend the directories
+     * @param string          $prefix  The prefix/namespace, with trailing '\\'
+     * @param string[]|string $paths   The PSR-4 base directories
+     * @param bool            $prepend Whether to prepend the directories
     *
     * @throws \InvalidArgumentException
+     *
+     * @return void
     */
    public function addPsr4($prefix, $paths, $prepend = false)
    {
@@ -204,8 +272,10 @@ class ClassLoader
     * Registers a set of PSR-0 directories for a given prefix,
     * replacing any others previously set for this prefix.
     *
-     * @param string       $prefix The prefix
-     * @param array|string $paths  The PSR-0 base directories
+     * @param string          $prefix The prefix
+     * @param string[]|string $paths  The PSR-0 base directories
+     *
+     * @return void
     */
    public function set($prefix, $paths)
    {
@@ -220,10 +290,12 @@ class ClassLoader
     * Registers a set of PSR-4 directories for a given namespace,
     * replacing any others previously set for this namespace.
     *
-     * @param string       $prefix The prefix/namespace, with trailing '\\'
-     * @param array|string $paths  The PSR-4 base directories
+     * @param string          $prefix The prefix/namespace, with trailing '\\'
+     * @param string[]|string $paths  The PSR-4 base directories
     *
     * @throws \InvalidArgumentException
+     *
+     * @return void
     */
    public function setPsr4($prefix, $paths)
    {
@@ -243,6 +315,8 @@ class ClassLoader
     * Turns on searching the include path for class files.
     *
     * @param bool $useIncludePath
+     *
+     * @return void
     */
    public function setUseIncludePath($useIncludePath)
    {
@@ -265,6 +339,8 @@ class ClassLoader
     * that have not been registered with the class map.
     *
     * @param bool $classMapAuthoritative
+     *
+     * @return void
     */
    public function setClassMapAuthoritative($classMapAuthoritative)
    {
@@ -285,6 +361,8 @@ class ClassLoader
     * APCu prefix to use to cache found/not-found classes, if the extension is enabled.
     *
     * @param string|null $apcuPrefix
+     *
+     * @return void
     */
    public function setApcuPrefix($apcuPrefix)
    {
@@ -305,6 +383,8 @@ class ClassLoader
     * Registers this instance as an autoloader.
     *
     * @param bool $prepend Whether to prepend the autoloader or not
+     *
+     * @return void
     */
    public function register($prepend = false)
    {
@@ -324,6 +404,8 @@ class ClassLoader

    /**
     * Unregisters this instance as an autoloader.
+     *
+     * @return void
     */
    public function unregister()
    {
@@ -403,6 +485,11 @@ class ClassLoader
        return self::$registeredLoaders;
    }

+    /**
+     * @param  string       $class
+     * @param  string       $ext
+     * @return string|false
+     */
    private function findFileWithExtension($class, $ext)
    {
        // PSR-4 lookup
@@ -474,6 +561,10 @@ class ClassLoader
 * Scope isolated include.
 *
 * Prevents access to $this/self from included files.
+ *
+ * @param  string $file
+ * @return void
+ * @private
 */
 function includeFile($file)
 {
@@ -20,12 +20,25 @@ use Composer\Semver\VersionParser;
 *
 * See also https://getcomposer.org/doc/07-runtime.md#installed-versions
 *
- * To require it's presence, you can require `composer-runtime-api ^2.0`
+ * To require its presence, you can require `composer-runtime-api ^2.0`
 */
 class InstalledVersions
 {
+    /**
+     * @var mixed[]|null
+     * @psalm-var array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>}|array{}|null
+     */
    private static $installed;
+
+    /**
+     * @var bool|null
+     */
    private static $canGetVendors;
+
+    /**
+     * @var array[]
+     * @psalm-var array<string, array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>}>
+     */
    private static $installedByVendor = array();

    /**
@@ -228,7 +241,7 @@ class InstalledVersions

    /**
     * @return array
-     * @psalm-return array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}
+     * @psalm-return array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}
     */
    public static function getRootPackage()
    {
@@ -242,7 +255,7 @@ class InstalledVersions
     *
     * @deprecated Use getAllRawData() instead which returns all datasets for all autoloaders present in the process. getRawData only returns the first dataset loaded, which may not be what you expect.
     * @return array[]
-     * @psalm-return array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}
+     * @psalm-return array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>}
     */
    public static function getRawData()
    {
@@ -265,7 +278,7 @@ class InstalledVersions
     * Returns the raw data of all installed.php which are currently loaded for custom implementations
     *
     * @return array[]
-     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}>
+     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>}>
     */
    public static function getAllRawData()
    {
@@ -288,7 +301,7 @@ class InstalledVersions
     * @param  array[] $data A vendor/composer/installed.php data set
     * @return void
     *
-     * @psalm-param array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>} $data
+     * @psalm-param array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>} $data
     */
    public static function reload($data)
    {
@@ -298,7 +311,7 @@ class InstalledVersions

    /**
     * @return array[]
-     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}>
+     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string, type: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string, type?: string}>}>
     */
    private static function getInstalled()
    {
@@ -48,6 +48,7 @@ return array(
    'Icewind\\SMB\\IShare' => $vendorDir . '/icewind/smb/src/IShare.php',
    'Icewind\\SMB\\ISystem' => $vendorDir . '/icewind/smb/src/ISystem.php',
    'Icewind\\SMB\\ITimeZoneProvider' => $vendorDir . '/icewind/smb/src/ITimeZoneProvider.php',
+    'Icewind\\SMB\\KerberosApacheAuth' => $vendorDir . '/icewind/smb/src/KerberosApacheAuth.php',
    'Icewind\\SMB\\KerberosAuth' => $vendorDir . '/icewind/smb/src/KerberosAuth.php',
    'Icewind\\SMB\\Native\\NativeFileInfo' => $vendorDir . '/icewind/smb/src/Native/NativeFileInfo.php',
    'Icewind\\SMB\\Native\\NativeReadStream' => $vendorDir . '/icewind/smb/src/Native/NativeReadStream.php',
@@ -68,6 +68,7 @@ class ComposerStaticInit98fe9b281934250b3a93f69a5ce843b3
        'Icewind\\SMB\\IShare' => __DIR__ . '/..' . '/icewind/smb/src/IShare.php',
        'Icewind\\SMB\\ISystem' => __DIR__ . '/..' . '/icewind/smb/src/ISystem.php',
        'Icewind\\SMB\\ITimeZoneProvider' => __DIR__ . '/..' . '/icewind/smb/src/ITimeZoneProvider.php',
+        'Icewind\\SMB\\KerberosApacheAuth' => __DIR__ . '/..' . '/icewind/smb/src/KerberosApacheAuth.php',
        'Icewind\\SMB\\KerberosAuth' => __DIR__ . '/..' . '/icewind/smb/src/KerberosAuth.php',
        'Icewind\\SMB\\Native\\NativeFileInfo' => __DIR__ . '/..' . '/icewind/smb/src/Native/NativeFileInfo.php',
        'Icewind\\SMB\\Native\\NativeReadStream' => __DIR__ . '/..' . '/icewind/smb/src/Native/NativeReadStream.php',
@@ -2,17 +2,17 @@
    "packages": [
        {
            "name": "icewind/smb",
-            "version": "v3.4.1",
-            "version_normalized": "3.4.1.0",
+            "version": "v3.5.2",
+            "version_normalized": "3.5.2.0",
            "source": {
                "type": "git",
                "url": "https://github.com/icewind1991/SMB.git",
-                "reference": "9dba42ab2a3990de29e18cc62b0a8270aceb74e3"
+                "reference": "0a425bd21acf7ae112b135dca34640e1b1a825c3"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/icewind1991/SMB/zipball/9dba42ab2a3990de29e18cc62b0a8270aceb74e3",
-                "reference": "9dba42ab2a3990de29e18cc62b0a8270aceb74e3",
+                "url": "https://api.github.com/repos/icewind1991/SMB/zipball/0a425bd21acf7ae112b135dca34640e1b1a825c3",
+                "reference": "0a425bd21acf7ae112b135dca34640e1b1a825c3",
                "shasum": ""
            },
            "require": {
@@ -25,7 +25,7 @@
                "phpunit/phpunit": "^8.5|^9.3.8",
                "psalm/phar": "^4.3"
            },
-            "time": "2021-04-19T13:53:08+00:00",
+            "time": "2022-01-20T14:51:51+00:00",
            "type": "library",
            "installation-source": "dist",
            "autoload": {
@@ -46,7 +46,7 @@
            "description": "php wrapper for smbclient and libsmbclient-php",
            "support": {
                "issues": "https://github.com/icewind1991/SMB/issues",
-                "source": "https://github.com/icewind1991/SMB/tree/v3.4.1"
+                "source": "https://github.com/icewind1991/SMB/tree/v3.5.2"
            },
            "install-path": "../icewind/smb"
        },
@@ -5,7 +5,7 @@
        'type' => 'library',
        'install_path' => __DIR__ . '/../',
        'aliases' => array(),
-        'reference' => '70483a16a3a232758979bb6fa363629b5a16b6a4',
+        'reference' => '0bed61f949bc7a8c69cd154919e78b704e28c99e',
        'name' => 'files_external/3rdparty',
        'dev' => true,
    ),
@@ -16,16 +16,16 @@
            'type' => 'library',
            'install_path' => __DIR__ . '/../',
            'aliases' => array(),
-            'reference' => '70483a16a3a232758979bb6fa363629b5a16b6a4',
+            'reference' => '0bed61f949bc7a8c69cd154919e78b704e28c99e',
            'dev_requirement' => false,
        ),
        'icewind/smb' => array(
-            'pretty_version' => 'v3.4.1',
-            'version' => '3.4.1.0',
+            'pretty_version' => 'v3.5.2',
+            'version' => '3.5.2.0',
            'type' => 'library',
            'install_path' => __DIR__ . '/../icewind/smb',
            'aliases' => array(),
-            'reference' => '9dba42ab2a3990de29e18cc62b0a8270aceb74e3',
+            'reference' => '0a425bd21acf7ae112b135dca34640e1b1a825c3',
            'dev_requirement' => false,
        ),
        'icewind/streams' => array(
@@ -44,13 +44,42 @@ $server = $serverFactory->createServer('localhost', $auth);

 ### Using kerberos authentication ###

+There are two ways of using kerberos to authenticate against the smb server:
+
+- Using a ticket from the php server
+- Re-using a ticket send by the client
+
+### Using a server ticket
+
+Using a server ticket allows the web server to authenticate against the smb server using an existing machine account.
+
+The ticket needs to be available in the environment of the php process.
+
 ```php
 $serverFactory = new ServerFactory();
 $auth = new KerberosAuth();
 $server = $serverFactory->createServer('localhost', $auth);
 ```

-Note that this requires a valid kerberos ticket to already be available for php
+### Re-using a client ticket
+
+By re-using a client ticket you can create a single sign-on setup where the user authenticates against
+the web service using kerberos. And the web server can forward that ticket to the smb server, allowing it
+to act on the behalf of the user without requiring the user to enter his passord.
+
+The setup for such a system is fairly involved and requires roughly the following this
+
+- The web server is authenticated against kerberos with a machine account
+- Delegation is enabled for the web server's machine account
+- Apache is setup to perform kerberos authentication and save the ticket in it's environment
+- Php has the krb5 extension installed
+- The client authenticates using a ticket with forwarding enabled
+
+```php
+$serverFactory = new ServerFactory();
+$auth = new KerberosApacheAuth();
+$server = $serverFactory->createServer('localhost', $auth);
+```

 ### Upload a file ###

@@ -45,7 +45,7 @@ interface IShare {
 	public function put(string $source, string $target): bool;

 	/**
-	 * Open a readable stream top a remote file
+	 * Open a readable stream to a remote file
 	 *
 	 * @param string $source
 	 * @return resource a read only stream with the contents of the remote file
@@ -0,0 +1,136 @@
+<?php
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Icewind\SMB;
+
+use Icewind\SMB\Exception\DependencyException;
+use Icewind\SMB\Exception\Exception;
+
+/**
+ * Use existing kerberos ticket to authenticate and reuse the apache ticket cache (mod_auth_kerb)
+ */
+class KerberosApacheAuth extends KerberosAuth implements IAuth {
+	/** @var string */
+	private $ticketPath = "";
+
+	/** @var bool */
+	private $init = false;
+
+	/** @var string|false */
+	private $ticketName;
+
+	public function __construct() {
+		$this->ticketName = getenv("KRB5CCNAME");
+	}
+
+
+	/**
+	 * Copy the ticket to a temporary location and use that ticket for authentication
+	 *
+	 * @return void
+	 */
+	public function copyTicket(): void {
+		if (!$this->checkTicket()) {
+			return;
+		}
+		$krb5 = new \KRB5CCache();
+		$krb5->open($this->ticketName);
+		$tmpFilename = tempnam("/tmp", "krb5cc_php_");
+		$tmpCacheFile = "FILE:" . $tmpFilename;
+		$krb5->save($tmpCacheFile);
+		$this->ticketPath = $tmpFilename;
+		$this->ticketName = $tmpCacheFile;
+	}
+
+	/**
+	 * Pass the ticket to smbclient by memory instead of path
+	 *
+	 * @return void
+	 */
+	public function passTicketFromMemory(): void {
+		if (!$this->checkTicket()) {
+			return;
+		}
+		$krb5 = new \KRB5CCache();
+		$krb5->open($this->ticketName);
+		$this->ticketName = (string)$krb5->getName();
+	}
+
+	/**
+	 * Check if a valid kerberos ticket is present
+	 *
+	 * @return bool
+	 * @psalm-assert-if-true string $this->ticketName
+	 */
+	public function checkTicket(): bool {
+		//read apache kerberos ticket cache
+		if (!$this->ticketName) {
+			return false;
+		}
+
+		$krb5 = new \KRB5CCache();
+		$krb5->open($this->ticketName);
+		/** @psalm-suppress MixedArgument */
+		return count($krb5->getEntries()) > 0;
+	}
+
+	private function init(): void {
+		if ($this->init) {
+			return;
+		}
+		$this->init = true;
+		// inspired by https://git.typo3.org/TYPO3CMS/Extensions/fal_cifs.git
+
+		if (!extension_loaded("krb5")) {
+			// https://pecl.php.net/package/krb5
+			throw new DependencyException('Ensure php-krb5 is installed.');
+		}
+
+		//read apache kerberos ticket cache
+		if (!$this->checkTicket()) {
+			throw new Exception('No kerberos ticket cache environment variable (KRB5CCNAME) found.');
+		}
+
+		// note that even if the ticketname is the value we got from `getenv("KRB5CCNAME")` we still need to set the env variable ourselves
+		// this is because `getenv` also reads the variables passed from the SAPI (apache-php) and we need to set the variable in the OS's env
+		putenv("KRB5CCNAME=" . $this->ticketName);
+	}
+
+	public function getExtraCommandLineArguments(): string {
+		$this->init();
+		return parent::getExtraCommandLineArguments();
+	}
+
+	public function setExtraSmbClientOptions($smbClientState): void {
+		$this->init();
+		try {
+			parent::setExtraSmbClientOptions($smbClientState);
+		} catch (Exception $e) {
+			// suppress
+		}
+	}
+
+	public function __destruct() {
+		if (!empty($this->ticketPath) && file_exists($this->ticketPath) && is_file($this->ticketPath)) {
+			unlink($this->ticketPath);
+		}
+	}
+}
@@ -99,7 +99,7 @@ class NativeFileInfo implements IFileInfo {
 	public function isDirectory(): bool {
 		$mode = $this->getMode();
 		if ($mode > 0x1000) {
-			return (bool)($mode & 0x4000); // 0x4000: unix directory flag
+			return ($mode & 0x4000 && !($mode & 0x8000)); // 0x4000: unix directory flag shares bits with 0xC000: socket
 		} else {
 			return (bool)($mode & IFileInfo::MODE_DIRECTORY);
 		}
@@ -267,14 +267,14 @@ class NativeShare extends AbstractShare {
 	 * Open a writeable stream to a remote file
 	 * Note: This method will truncate the file to 0bytes first
 	 *
-	 * @param string $source
+	 * @param string $target
 	 * @return resource a writeable stream
 	 *
 	 * @throws NotFoundException
 	 * @throws InvalidTypeException
 	 */
-	public function write(string $source) {
-		$url = $this->buildUrl($source);
+	public function write(string $target) {
+		$url = $this->buildUrl($target);
 		$handle = $this->getState()->create($url);
 		return NativeWriteStream::wrap($this->getState(), $handle, 'w', $url);
 	}
@@ -282,14 +282,14 @@ class NativeShare extends AbstractShare {
 	/**
 	 * Open a writeable stream and set the cursor to the end of the stream
 	 *
-	 * @param string $source
+	 * @param string $target
 	 * @return resource a writeable stream
 	 *
 	 * @throws NotFoundException
 	 * @throws InvalidTypeException
 	 */
-	public function append(string $source) {
-		$url = $this->buildUrl($source);
+	public function append(string $target) {
+		$url = $this->buildUrl($target);
 		$handle = $this->getState()->open($url, "a+");
 		return NativeWriteStream::wrap($this->getState(), $handle, "a", $url);
 	}
@@ -38,6 +38,14 @@ class NativeState {
 	/** @var bool */
 	protected $connected = false;

+	/**
+	 * sync the garbage collection cycle
+	 * __deconstruct() of KerberosAuth should not called too soon
+	 *
+	 * @var IAuth|null $auth
+	 */
+	protected $auth = null;
+
 	// see error.h
 	const EXCEPTION_MAP = [
 		1   => ForbiddenException::class,
@@ -107,6 +115,11 @@ class NativeState {
 		}

 		$auth->setExtraSmbClientOptions($this->state);
+
+		// sync the garbage collection cycle
+		// __deconstruct() of KerberosAuth should not caled too soon
+		$this->auth = $auth;
+
 		/** @var bool $result */
 		$result = @smbclient_state_init($this->state, $auth->getWorkgroup(), $auth->getUsername(), $auth->getPassword());

@@ -62,7 +62,7 @@ class System implements ISystem {
 			$result = null;
 			$output = [];
 			exec("which $binary 2>&1", $output, $result);
-			$this->paths[$binary] = $result === 0 ? trim(implode('', $output)) : null;
+			$this->paths[$binary] = $result === 0 && isset($output[0]) ? (string)$output[0] : null;
 		}
 		return $this->paths[$binary];
 	}
@@ -47,7 +47,7 @@ class Connection extends RawConnection {
 	public function clearTillPrompt(): void {
 		$this->write('');
 		do {
-			$promptLine = $this->readLine();
+			$promptLine = $this->readTillPrompt();
 			if ($promptLine === false) {
 				break;
 			}
@@ -56,13 +56,12 @@ class Connection extends RawConnection {
 		if ($this->write('') === false) {
 			throw new ConnectionRefusedException();
 		}
-		$this->readLine();
+		$this->readTillPrompt();
 	}

 	/**
 	 * get all unprocessed output from smbclient until the next prompt
 	 *
-	 * @param (callable(string):bool)|null $callback (optional) callback to call for every line read
 	 * @return string[]
 	 * @throws AuthenticationException
 	 * @throws ConnectException
@@ -71,42 +70,22 @@ class Connection extends RawConnection {
 	 * @throws NoLoginServerException
 	 * @throws AccessDeniedException
 	 */
-	public function read(callable $callback = null): array {
+	public function read(): array {
 		if (!$this->isValid()) {
 			throw new ConnectionException('Connection not valid');
 		}
-		$promptLine = $this->readLine(); //first line is prompt
-		if ($promptLine === false) {
-			$this->unknownError($promptLine);
-		}
-		$this->parser->checkConnectionError($promptLine);
-
-		$output = [];
-		if (!$this->isPrompt($promptLine)) {
-			$line = $promptLine;
-		} else {
-			$line = $this->readLine();
-		}
-		if ($line === false) {
-			$this->unknownError($promptLine);
-		}
-		while ($line !== false && !$this->isPrompt($line)) { //next prompt functions as delimiter
-			if (is_callable($callback)) {
-				$result = $callback($line);
-				if ($result === false) { // allow the callback to close the connection for infinite running commands
-					$this->close(true);
-					break;
-				}
-			} else {
-				$output[] = $line;
-			}
-			$line = $this->readLine();
+		$output = $this->readTillPrompt();
+		if ($output === false) {
+			$this->unknownError(false);
 		}
+		$output = explode("\n", $output);
+		// last line contains the prompt
+		array_pop($output);
 		return $output;
 	}

 	private function isPrompt(string $line): bool {
-		return mb_substr($line, 0, self::DELIMITER_LENGTH) === self::DELIMITER;
+		return substr($line, 0, self::DELIMITER_LENGTH) === self::DELIMITER;
 	}

 	/**
@@ -132,6 +111,6 @@ class Connection extends RawConnection {
 			// ignore any errors while trying to send the close command, the process might already be dead
 			@$this->write('close' . PHP_EOL);
 		}
-		parent::close($terminate);
+		$this->close_process($terminate);
 	}
 }
@@ -65,16 +65,20 @@ class NotifyHandler implements INotifyHandler {
 	 */
 	public function listen(callable $callback): void {
 		if ($this->listening) {
-			$this->connection->read(function (string $line) use ($callback): bool {
+			while (true) {
+				$line = $this->connection->readLine();
+				if ($line === false) {
+					break;
+				}
 				$this->checkForError($line);
 				$change = $this->parseChangeLine($line);
 				if ($change) {
 					$result = $callback($change);
-					return $result === false ? false : true;
-				} else {
-					return true;
+					if ($result === false) {
+						break;
+					}
 				}
-			});
+			};
 		}
 	}

@@ -71,7 +71,8 @@ class RawConnection {

 		setlocale(LC_ALL, Server::LOCALE);
 		$env = array_merge($this->env, [
-			'CLI_FORCE_INTERACTIVE' => 'y', // Needed or the prompt isn't displayed!!
+			'CLI_FORCE_INTERACTIVE' => 'y', // Make sure the prompt is displayed
+			'CLI_NO_READLINE'       => 1,   // Not all distros build smbclient with readline, disable it to get consistent behaviour
 			'LC_ALL'                => Server::LOCALE,
 			'LANG'                  => Server::LOCALE,
 			'COLUMNS'               => 8192 // prevent smbclient from line-wrapping it's output
@@ -91,7 +92,7 @@ class RawConnection {
 	public function isValid(): bool {
 		if (is_resource($this->process)) {
 			$status = proc_get_status($this->process);
-			return (bool)$status['running'];
+			return $status['running'];
 		} else {
 			return false;
 		}
@@ -109,13 +110,30 @@ class RawConnection {
 		return $result;
 	}

+	/**
+	 * read output till the next prompt
+	 *
+	 * @return string|false
+	 */
+	public function readTillPrompt() {
+		$output = "";
+		do {
+			$chunk = $this->readLine('\> ');
+			if ($chunk === false) {
+				return false;
+			}
+			$output .= $chunk;
+		} while (strlen($chunk) == 4096 && strpos($chunk, "smb:") === false);
+		return $output;
+	}
+
 	/**
 	 * read a line of output
 	 *
 	 * @return string|false
 	 */
-	public function readLine() {
-		return stream_get_line($this->getOutputStream(), 4086, "\n");
+	public function readLine(string $end = "\n") {
+		return stream_get_line($this->getOutputStream(), 4096, $end);
 	}

 	/**
@@ -202,6 +220,14 @@ class RawConnection {
 	 * @psalm-assert null $this->process
 	 */
 	public function close(bool $terminate = true): void {
+		$this->close_process($terminate);
+	}
+
+	/**
+	 * @param bool $terminate
+	 * @psalm-assert null $this->process
+	 */
+	protected function close_process(bool $terminate = true): void {
 		if (!is_resource($this->process)) {
 			return;
 		}
@@ -345,11 +345,17 @@ class Share extends AbstractShare {
 		// since returned stream is closed by the caller we need to create a new instance
 		// since we can't re-use the same file descriptor over multiple calls
 		$connection = $this->getConnection();
+		stream_set_blocking($connection->getOutputStream(), false);

 		$connection->write('get ' . $source . ' ' . $this->system->getFD(5));
 		$connection->write('exit');
 		$fh = $connection->getFileOutputStream();
-		stream_context_set_option($fh, 'file', 'connection', $connection);
+		$fh = CallbackWrapper::wrap($fh, function() use ($connection) {
+			$connection->write('');
+		});
+		if (!is_resource($fh)) {
+			throw new Exception("Failed to wrap file output");
+		}
 		return $fh;
 	}

@@ -374,7 +380,9 @@ class Share extends AbstractShare {

 		// use a close callback to ensure the upload is finished before continuing
 		// this also serves as a way to keep the connection in scope
-		$stream = CallbackWrapper::wrap($fh, null, null, function () use ($connection) {
+		$stream = CallbackWrapper::wrap($fh, function() use ($connection) {
+			$connection->write('');
+		}, null, function () use ($connection) {
 			$connection->close(false); // dont terminate, give the upload some time
 		});
 		if (is_resource($stream)) {
@@ -446,7 +454,7 @@ class Share extends AbstractShare {
 	 * @return string[]
 	 */
 	protected function execute(string $command): array {
-		$this->connect()->write($command . PHP_EOL);
+		$this->connect()->write($command);
 		return $this->connect()->read();
 	}

@@ -1,8 +1,3 @@
-#filestable tbody tr.externalDisabledRow {
-	background-color: #CCC;
-}
-
-
 #filestable tbody tr.externalErroredRow {
 	background-color: #F2DEDE;
 }
@@ -254,8 +254,6 @@ OCA.Files_External.StatusManager = {
 				OCA.Files_External.StatusManager.Utils.changeFolderIcon(elementList);
 				// Save default view
 				OCA.Files_External.StatusManager.Utils.storeDefaultFolderIconAndBgcolor(elementList);
-				// Disable row until check status
-				elementList.addClass('externalDisabledRow');
 				OCA.Files_External.StatusManager.Utils.toggleLink(elementList.find('a.name'), false, false);
 			}
 		}
@@ -505,7 +503,6 @@ OCA.Files_External.StatusManager.Utils = {
 			// can't use here FileList.findFileEl(OCA.Files_External.StatusManager.Utils.jqSelEscape(folder)); return incorrect instance of filelist
 			trFolder = $('#fileList tr[data-file=\"' + OCA.Files_External.StatusManager.Utils.jqSelEscape(folder) + '\"]');
 		}
-		trFolder.removeClass('externalErroredRow').removeClass('externalDisabledRow');
 		var tdChilds = trFolder.find("td.filename div.thumbnail");
 		tdChilds.each(function () {
 			var thisElement = $(this);
@@ -31,8 +31,6 @@ namespace OCA\Files_External\AppInfo;

 use OCA\Files_External\Config\ConfigAdapter;
 use OCA\Files_External\Config\UserPlaceholderHandler;
-use OCA\Files_External\Listener\GroupDeletedListener;
-use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Lib\Auth\AmazonS3\AccessKey;
 use OCA\Files_External\Lib\Auth\Builtin;
 use OCA\Files_External\Lib\Auth\NullMechanism;
@@ -49,6 +47,7 @@ use OCA\Files_External\Lib\Auth\Password\UserGlobalAuth;
 use OCA\Files_External\Lib\Auth\Password\UserProvided;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 use OCA\Files_External\Lib\Auth\PublicKey\RSAPrivateKey;
+use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth;
 use OCA\Files_External\Lib\Auth\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Backend\AmazonS3;
 use OCA\Files_External\Lib\Backend\DAV;
@@ -62,6 +61,8 @@ use OCA\Files_External\Lib\Backend\SMB_OC;
 use OCA\Files_External\Lib\Backend\Swift;
 use OCA\Files_External\Lib\Config\IAuthMechanismProvider;
 use OCA\Files_External\Lib\Config\IBackendProvider;
+use OCA\Files_External\Listener\GroupDeletedListener;
+use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Service\BackendService;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -126,16 +127,16 @@ class Application extends App implements IBackendProvider, IAuthMechanismProvide
 		$container = $this->getContainer();

 		$backends = [
-			$container->query(Local::class),
-			$container->query(FTP::class),
-			$container->query(DAV::class),
-			$container->query(OwnCloud::class),
-			$container->query(SFTP::class),
-			$container->query(AmazonS3::class),
-			$container->query(Swift::class),
-			$container->query(SFTP_Key::class),
-			$container->query(SMB::class),
-			$container->query(SMB_OC::class),
+			$container->get(Local::class),
+			$container->get(FTP::class),
+			$container->get(DAV::class),
+			$container->get(OwnCloud::class),
+			$container->get(SFTP::class),
+			$container->get(AmazonS3::class),
+			$container->get(Swift::class),
+			$container->get(SFTP_Key::class),
+			$container->get(SMB::class),
+			$container->get(SMB_OC::class),
 		];

 		return $backends;
@@ -149,37 +150,38 @@ class Application extends App implements IBackendProvider, IAuthMechanismProvide

 		return [
 			// AuthMechanism::SCHEME_NULL mechanism
-			$container->query(NullMechanism::class),
+			$container->get(NullMechanism::class),

 			// AuthMechanism::SCHEME_BUILTIN mechanism
-			$container->query(Builtin::class),
+			$container->get(Builtin::class),

 			// AuthMechanism::SCHEME_PASSWORD mechanisms
-			$container->query(Password::class),
-			$container->query(SessionCredentials::class),
-			$container->query(LoginCredentials::class),
-			$container->query(UserProvided::class),
-			$container->query(GlobalAuth::class),
-			$container->query(UserGlobalAuth::class),
+			$container->get(Password::class),
+			$container->get(SessionCredentials::class),
+			$container->get(LoginCredentials::class),
+			$container->get(UserProvided::class),
+			$container->get(GlobalAuth::class),
+			$container->get(UserGlobalAuth::class),

 			// AuthMechanism::SCHEME_OAUTH1 mechanisms
-			$container->query(OAuth1::class),
+			$container->get(OAuth1::class),

 			// AuthMechanism::SCHEME_OAUTH2 mechanisms
-			$container->query(OAuth2::class),
+			$container->get(OAuth2::class),

 			// AuthMechanism::SCHEME_PUBLICKEY mechanisms
-			$container->query(RSA::class),
-			$container->query(RSAPrivateKey::class),
+			$container->get(RSA::class),
+			$container->get(RSAPrivateKey::class),

 			// AuthMechanism::SCHEME_OPENSTACK mechanisms
-			$container->query(OpenStackV2::class),
-			$container->query(OpenStackV3::class),
-			$container->query(Rackspace::class),
+			$container->get(OpenStackV2::class),
+			$container->get(OpenStackV3::class),
+			$container->get(Rackspace::class),

 			// Specialized mechanisms
-			$container->query(AccessKey::class),
-			$container->query(KerberosAuth::class),
+			$container->get(AccessKey::class),
+			$container->get(KerberosAuth::class),
+			$container->get(KerberosApacheAuth::class),
 		];
 	}
 }
@@ -0,0 +1,53 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @author Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Files_External\Lib\Auth\SMB;
+
+use OCA\Files_External\Lib\Auth\AuthMechanism;
+use OCA\Files_External\Lib\DefinitionParameter;
+use OCP\Authentication\LoginCredentials\IStore;
+use OCP\IL10N;
+
+class KerberosApacheAuth extends AuthMechanism {
+	/** @var IStore */
+	private $credentialsStore;
+
+	public function __construct(IL10N $l, IStore $credentialsStore) {
+		$realm = new DefinitionParameter('default_realm', 'Default realm');
+		$realm
+			->setType(DefinitionParameter::VALUE_TEXT)
+			->setFlag(DefinitionParameter::FLAG_OPTIONAL)
+			->setTooltip($l->t('Kerberos default realm, defaults to "WORKGROUP"'));
+		$this
+			->setIdentifier('smb::kerberosapache')
+			->setScheme(self::SCHEME_SMB)
+			->setText($l->t('Kerberos ticket apache mode'))
+			->addParameter($realm);
+		$this->credentialsStore = $credentialsStore;
+	}
+
+	public function getCredentialsStore(): IStore {
+		return $this->credentialsStore;
+	}
+}
@@ -24,16 +24,19 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */
+
 namespace OCA\Files_External\Lib\Backend;

 use Icewind\SMB\BasicAuth;
+use Icewind\SMB\KerberosApacheAuth;
 use Icewind\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Auth\AuthMechanism;
 use OCA\Files_External\Lib\Auth\Password\Password;
+use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism;
 use OCA\Files_External\Lib\DefinitionParameter;
+use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
 use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
 use OCA\Files_External\Lib\StorageConfig;
-
 use OCP\IL10N;
 use OCP\IUser;

@@ -69,13 +72,13 @@ class SMB extends Backend {
 			->setLegacyAuthMechanism($legacyAuth);
 	}

-	/**
-	 * @param StorageConfig $storage
-	 * @param IUser $user
-	 */
 	public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) {
 		$auth = $storage->getAuthMechanism();
 		if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
+			if (!is_string($storage->getBackendOption('user')) || !is_string($storage->getBackendOption('password'))) {
+				throw new \InvalidArgumentException('user or password is not set');
+			}
+
 			$smbAuth = new BasicAuth(
 				$storage->getBackendOption('user'),
 				$storage->getBackendOption('domain'),
@@ -85,6 +88,43 @@ class SMB extends Backend {
 			switch ($auth->getIdentifier()) {
 				case 'smb::kerberos':
 					$smbAuth = new KerberosAuth();
+					break;
+				case 'smb::kerberosapache':
+					if (!$auth instanceof KerberosApacheAuthMechanism) {
+						throw new \InvalidArgumentException('invalid authentication backend');
+					}
+					$credentialsStore = $auth->getCredentialsStore();
+					$kerbAuth = new KerberosApacheAuth();
+					// check if a kerberos ticket is available, else fallback to session credentials
+					if ($kerbAuth->checkTicket()) {
+						$smbAuth = $kerbAuth;
+					} else {
+						try {
+							$credentials = $credentialsStore->getLoginCredentials();
+							$user = $credentials->getLoginName();
+							$pass = $credentials->getPassword();
+							preg_match('/(.*)@(.*)/', $user, $matches);
+							$realm = $storage->getBackendOption('default_realm');
+							if (empty($realm)) {
+								$realm = 'WORKGROUP';
+							}
+							if (count($matches) === 0) {
+								$username = $user;
+								$workgroup = $realm;
+							} else {
+								$username = $matches[1];
+								$workgroup = $matches[2];
+							}
+							$smbAuth = new BasicAuth(
+								$username,
+								$workgroup,
+								$pass
+							);
+						} catch (\Exception $e) {
+							throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
+						}
+					}
+
 					break;
 				default:
 					throw new \InvalidArgumentException('unknown authentication backend');
@@ -23,8 +23,7 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */
-// Check if we are a user
-OC_Util::checkLoggedIn();
+
 $config = \OC::$server->getConfig();
 $userSession = \OC::$server->getUserSession();

@@ -207,7 +207,7 @@ $canCreateMounts = $_['visibilityType'] === BackendService::VISIBILITY_ADMIN ||
 	<form autocomplete="false" action="#"
 		  id="global_credentials" method="post">
 		<h2><?php p($l->t('Global credentials')); ?></h2>
-		<p class="settings-hint"><?php p($l->t('Global credentials can be used to authenticate with multiple external storage that have the same credentials.')); ?></p>
+		<p class="settings-hint"><?php p($l->t('Global credentials can be used to authenticate with multiple external storages that have the same credentials.')); ?></p>
 		<input type="text" name="username"
 			   autocomplete="false"
 			   value="<?php p($_['globalCredentials']['user']); ?>"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+function getContainerHealth {
+  docker inspect --format "{{.State.Health.Status}}" $1
+}
+
+function waitContainer {
+  while STATUS=$(getContainerHealth $1); [ $STATUS != "healthy" ]; do
+    if [ $STATUS == "unhealthy" ]; then
+      echo "Failed!"
+      exit -1
+    fi
+    printf .
+    lf=$'\n'
+    sleep 1
+  done
+  printf "$lf"
+}
+
+mkdir /tmp/shared
+
+# start the dc
+docker run -dit --name dc -v /tmp/shared:/shared --hostname krb.domain.test --cap-add SYS_ADMIN icewind1991/samba-krb-test-dc
+DC_IP=$(docker inspect dc --format '{{.NetworkSettings.IPAddress}}')
+
+waitContainer dc
+
+# start apache
+docker run -d --name apache -v $PWD:/var/www/html -v /tmp/shared:/shared --dns $DC_IP --hostname httpd.domain.test icewind1991/samba-krb-test-apache
+APACHE_IP=$(docker inspect apache --format '{{.NetworkSettings.IPAddress}}')
+
+# add the dns record for apache
+docker exec dc samba-tool dns add krb.domain.test domain.test httpd A $APACHE_IP -U administrator --password=passwOrd1
--- a/Show More
+++ b/Show More