#StackBounty: #debian #samba Samba only sees first group of a user

Bounty: 50

I have a samba server on Debian Buster that was upgraded from Debian Stretch. This upgraded Samba from 4.5.16 to 4.9.5. Somewhere in this process, it seems that handling of groups changed. Users that could previously access shares with the correct group memberships can no longer access them.

  • Users are able to access their home directories
  • Users are able to access guest shares
  • Users are able to access shares with their main group
  • Users are unable to access shares with their secondary groups

The smb.conf file is effectively as follows:

[global]
workgroup = EXAMPLE
realm = WIN.EXAMPLE.COM
security = ADS
server string = %h
wins server = 10.0.1.10 10.0.2.20
panic action = /usr/share/samba/panic-action %d
invalid users = root

server signing = required
ntlm auth = no

dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
min protocol = SMB2

[guestshare]
path = /srv/guestshare
guest ok = yes
writeable = yes

[working]
path = /srv/working
guest ok = no
writable = yes
create mask = 0660
directory mask = 0770
valid users = +working

[notworking]
path = /srv/notworking
guest ok = no
writable = yes
create mask = 0660
directory mask = 0770
valid users = +notworking

The user can access the guestshare and the working shares, but not the notworking share.

Group membership for the user looks like this:

# id user
uid=1234(user) gid=10000(working) groups=10000(working),10010(notworking),10020(othergroup)

Please tell me what I’m missing here.



#StackBounty: #linux #debian #cron flock command in root cron won't execute

Bounty: 50

I’ve got the following code in my root crontab on my Debian:

* * * * * flock -xn /absolute/path/to/run.lock -c cd /absolute/parth/to/project && ./run >> run.log

But I see no run.log or run.lock files where I specify them. In fact, there’s no evidence the script was executed.

Running ps aux | grep run only yields that grep call.

How do I run the run script using flock in the root crontab?



#StackBounty: #debian #mount #apache-httpd How to make apache access the resource on the other disk mounted?

Bounty: 200

The disk partition sda4 is an NTFS disk.

sudo blkid |grep sda4
/dev/sda4: UUID="0042E54842E54350" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="70f5093c-b320-4325-88bb-97748f522332"

I mount it automatically when booting.

cat /etc/fstab
UUID=0042E54842E54350  /media/debian/0042E54842E54350      ntfs-3g   rw,user,exec,umask=000 0 0

Now create a web project mydoc on /media/debian/0042E54842E54350, and set the ownership and file mode:

sudo chown -R www-data:www-data  /media/debian/0042E54842E54350/mydoc
sudo chmod  755 -R /media/debian/0042E54842E54350/mydoc

Write all the settings as below:

cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
 ServerName localhost
 DocumentRoot  /media/debian/0042E54842E54350/mydoc 
 Alias  /regular  "/media/debian/0042E54842E54350/mydoc/build/html"
 <Directory /media/debian/0042E54842E54350/mydoc>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
 </Directory>
</VirtualHost>

To restart the apache service:

sudo systemctl restart apache2

Type 127.0.0.1/regular in the browser.

It encounters this error:

Forbidden
You don't have permission to access this resource.

Apache/2.4.25 (Debian) Server at 127.0.0.1 Port 80

Check its log:

sudo cat /var/log/apache2/error.log
[Thu Aug 06 20:13:41.467015 2020] [core:error] [pid 4248] (13)Permission denied: [client 127.0.0.1:53024] AH00035: access to /favicon.ico denied (filesystem path '/media/debian/0042E54842E54350') because search permissions are missing on a component of the path, referer: http://127.0.0.1/regular/os

How to make apache access the resource on the other mounted disk?

More info:

sudo chown -R www-data:www-data  /media/debian/0042E54842E54350/mydoc

No error info.

Responses to comments and answers:

$ ls -ld /media{,/debian{,/0042E54842E54350{,/mydoc}}}
drwxr-xr-x  4 root root  4096 Feb  1  2020 /media
drwxr-x---+ 4 root root  4096 Aug  6 21:50 /media/debian
drwxrwxrwx  1 root root 16384 Aug  6 07:55 /media/debian/0042E54842E54350
drwxrwxrwx  1 root root  4096 Aug  6 06:53 /media/debian/0042E54842E54350/mydoc

Why can’t I change the owner for /media/debian/0042E54842E54350/mydoc?

getfacl  -p "/media/debian"
# file: /media/debian
# owner: root
# group: root
user::rwx
user:debian:r-x
group::---
mask::r-x
other::---

The real problem is that my PC is dual-OS (Win10 + Debian). I want to build a web app on some disk partition which can be used by both Win10 and Debian. Is it feasible?
If I put the web app on NTFS, apache can work on Win10; when I reboot to switch to Debian, apache on Debian can’t read and write it.
If I put the web app on one of ext2/ext3/ext4, apache can work on Debian; when I reboot to switch to Win10, apache on Win10 can’t read and write it.
Is there no way to achieve my target?
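
The Apache log line quoted in this question reports missing search permission on a component of the path. As an added example (not part of the original post), the shell function below walks a path and prints the first directory that lacks the "other" execute bit. The names first_unsearchable and demo are hypothetical, and ACL entries are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the account being
# checked (www-data in the post) is not the owner or group of the directories
# and has no ACL entry of its own, so the "other" mode bits decide.

# first_unsearchable TARGET [ROOT]
# Prints the first directory below ROOT (default /) on the way to TARGET that
# lacks the "other" execute (search) bit. Returns 0 when one is found, 1 when
# every component is searchable, 2 when a component is not a directory.
first_unsearchable() {
    target=$1
    root=${2:-/}
    cur=${root%/}              # empty when ROOT is /
    rest=${target#"$cur"}      # part of TARGET below ROOT
    old_ifs=$IFS
    set -f                     # no globbing while splitting on /
    IFS=/
    set -- $rest
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        [ -d "$cur" ] || return 2
        # -perm -001 matches only when the other-execute bit is set
        if [ -z "$(find "$cur" -prune -perm -001)" ]; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a scratch tree with the modes shown in the post's
# ls -ld output (755, 750, 777, 777). Ownership and the ACL are not copied.
demo() {
    t=$(mktemp -d) || return 2
    leaf=$t/media/debian/0042E54842E54350/mydoc
    mkdir -p "$leaf"
    chmod 755 "$t/media"
    chmod 750 "$t/media/debian"
    chmod 777 "$t/media/debian/0042E54842E54350" "$leaf"
    hit=$(first_unsearchable "$leaf" "$t")
    rm -rf "$t"
    printf '%s\n' "${hit#"$t"}"    # path relative to the scratch root
}
```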



#StackBounty: #linux #debian #updates #firmware #docking-station How to flash firmware upgrade to Thinkpad Ultra Docking Station on Lin…

Bounty: 100

I need to update the firmware of a Thinkpad Ultra Docking Station to V3.3.1, which was released last year. I have no laptop running Windows 7/8/10, and Lenovo does not provide this update via LVFS, but only as an .exe file.

Is it possible to flash the firmware update onto the dock under Linux? Or does somebody know another way to update the dock’s firmware?

A few approaches I am considering:

  • Maybe I could create a Windows 10 USB recovery drive, boot it, fire up a shell and then install the update.
  • Another option would be to create a Windows Preinstallation Environment (PE), flash it to a USB drive, boot it and then run the update. However, all tutorials I found on how to create a PE seem to be outdated.
  • Inside a VirtualBox VM I have a Windows 10 Pro 2004 running. Maybe it is somehow possible to pass-through the dock to this VM to flash the update?
  • I have not tried, but am 99.9999% sure that any approach based on WINE will not work.

What I already tried so far:

  • Leveraging the Windows 10 Pro 2004 VM’s "Recovery Media Creator" tool, I crafted a USB recovery drive, copied the firmware onto the USB drive and tried to run it, but unfortunately without success:
    Error message
    I also tried the "Firmware Update Tool for Enterprise Deploy" and followed the instructions for "Silent deployment in other environment" but ended up with the same error.

There are two threads over at the Lenovo forums regarding firmware updates of an older / another docking station, but neither of them with an accepted solution.



#StackBounty: #debian #raspbian #hostapd #wpa How to switch off "Not RRM Network" messages

Bounty: 50

My system’s logs are being swamped by these messages:

wpa_supplicant[390]: RRM: Ignoring radio measurement request: Not RRM network

I have searched extensively; I’ve even found the sources for wpa_supplicant here: git clone git://w1.fi/hostap.git
But I’m not fluent in C and have no clue how to proceed.
Can anybody suggest how I can suppress or avoid these messages or switch off this functionality?

EDIT: This is on Raspbian (Debian flavor for Raspberry Pi) Buster, which has wpa_supplicant v2.8-devel. It is communicating with a Fritz!Box AP; I mention this because I’m getting the feeling that could be relevant.



#StackBounty: #debian #boot #xfce #display How to have a seamless custom JPG image splash screen when GRUB starts, the kernel boots, et…

Bounty: 200

On a standard Debian, how to replace everything that is displayed at Linux boot by a custom JPG or PNG image, until a Python app with GUI starts?

Is there a generic way to replace the boot messages display with a CustomSplash.jpg image, in a seamless way, with no flicker, for:

  • GRUB (I already used this in /etc/default/grub: GRUB_HIDDEN_TIMEOUT=0, GRUB_HIDDEN_TIMEOUT_QUIET=true but I think there’s still a very short GRUB splash screen)
  • these log messages:

    [screenshot]

  • the start screen X11/Xfce4 (for now I have enabled an autologin like in Automatically Login on Debian 9.2.1 Command Line and I do startxfce4 manually, but eventually I’ll create a systemd service to start xfce)
  • i.e. everything until a Python app starts (using Tkinter or wxPython)

For an embedded computer, I’d like to have only the custom splash screen and then the application. (The only thing I probably won’t be able to remove is BIOS initial messages?).



#StackBounty: #debian #nvidia #displayport #xinerama Nvidia Xinerama 1xGT1030 to 2 DP monitors with either nouveau/nvidia driver

Bounty: 50

I have a GeForce GT 1030 card with 2 Dell U2415 monitors. The connection is 1030’s DisplayPort => Monitor 1 DP Input; Monitor 1 DP Output => Monitor 2 DP Input.

The OS is Debian Buster (10), with the default nouveau driver.

I have tried all possible scenarios I can think of w/o any success. What’s in common is that when I boot the machine both screens are showing the BIOS/GRUB/OS booting. The action comes when Xorg comes.

  1. Nouveau driver, regular boot. The login screen is seen on the 2nd screen, after login I can see only xfce4 background and the mouse can leave to the left where the main (1st) screen should be, but it is black. Xorg.log
  2. Nouveau driver, nomodeset boot. Both monitors have blinking underscore with Xorg dead. Xorg.log
  3. Nvidia driver (from the Debian’s non-free repo). xfce4-display-settings shows the 2 monitors, but the 2nd one is marked as ‘Disabled’. If I enable the 2nd screen, the screen on the 1st one blinks and both are seen as active. The mouse can leave the 1st monitor to where the screen of the 2nd should be, but the 2nd is totally black. Selecting ‘mirror displays’ doesn’t help either – still black screen on the 2nd monitor. The ‘configure new displays when connected’ is checked. Tried to turn off the 2nd screen – it disappears from both xfce4-display-settings and nvidia X server settings. Turning it on again asks me how to deal with the monitor. Selecting to extend to the right accepts my change, both monitors are seen as active on both xfce4-display-settings and nvidia X server settings. The position of the 2nd one is Absolute +1920+0 as it should be, but it is still black. Xorg.log
  4. Same Nvidia driver, with the xorg.conf provided by the Nvidia X server settings xfce4-display-settings pops up with Unable to start the XFCE display settings. Unable to query the version of the RandR extension being used. xrandr command returns RandR extension missing. Only first screen works, the 2nd one is black Xorg.log

The monitors are tested with the same cables from one Intel NUC using the same OS (Debian 10 Buster) but with the Intel graphics card, and Xinerama works properly out of the box.

What am I missing that can be done in order to feed the 2 monitors using the GT 1030?



#StackBounty: #nginx #debian #logwatch http logfile filter is not shown on report

Bounty: 50

I’m on Debian 10.4 and I have a fresh installation of logwatch. Everything works as expected except that logwatch (ver. 7.5.0) outputs everything except the http logs report.

I ran logwatch with --debug med and in the debug output I’ve seen:

Preprocessing LogFile: http
'/tmp/logwatch.hVSrPWg3/http-archive' '/var/log/apache2/www.anonicloud.ch_access.log.1' '/var/log/apache2/other_vhosts_access.log' '/var/log/apache2/www.anonicloud.ch_access.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/tmp/logwatch.hVSrPWg3/http

Preprocessing LogFile: http-error
'/var/log/apache2/error.log' '/var/log/apache2/www.anonicloud.ch_error.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate '\[%a %b %d %H:%M:%S(\.\d*)? %Y\] '| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '\[\w{3} \w{3} \d{2} \d\d:\d\d:\d\d(\.\d*)? \d{4}\] '>/tmp/logwatch.hVSrPWg3/http-error

… and …

Processing Service: http
( cat /tmp/logwatch.hVSrPWg3/http  |  /usr/bin/perl /usr/share/logwatch/scripts/services/http) 2>&1

export LOGWATCH_LOGFILE_LIST='/var/log/apache2/error.log /var/log/apache2/www.anonicloud.ch_error.log '
export LOGWATCH_ARCHIVE_LIST=''
export LOGWATCH_LOGFILE_LIST='/var/log/messages '
export LOGWATCH_ARCHIVE_LIST='/var/log/messages.1 /var/log/messages.2.gz /var/log/messages.3.gz '

So I argue that my http logfiles are correctly parsed.

But when I inspect the output I can’t find any reference like for other services:

# Why I can't find the same for http???
--------------------- fail2ban-messages Begin ------------------------
DEBUG: Inside Fail2Ban Filter
---------------------- fail2ban-messages End -------------------------

/usr/share/logwatch/default.conf/ignore.conf is empty (well, everything is commented out) and in my config files I haven’t excluded anything.

Edit: I’m behind an nginx reverse proxy; on my apache server I enabled mod_remoteip and replaced all %h with %a in the log file format.

Any clue is strongly appreciated.

