active directory – Samba extended ACLs restricting user even though they are in an authorized AD group for the share?

Have Samba extended ACLs (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Samba_Extended_ACL_Support) via SMB+WinBind set for a CentOS 7 file server to mount shares on a Windows 10 desktop (specifically, a Citrix VDI desktop). Yet when trying to access some shares (but not all), I see that my user access is denied (getting errors like “The handle is invalid” or “Windows cannot access” for folders and “Access denied” files) even though my test user is part of the AD groups for the shares Security properties (per the docs, https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs).

When logging into the smb linux server itself, I can see that the output of the groups command shows that the test user is indeed in all of the required AD groups (yet even on the server itself, I cannot access some folders that I ostensibly have AD permissions for (eg. nav to lower level folders or run head -n 10 <filename> on files)).

Eg. I have folders set up as SMB shares like…

/datastore    <----share
    /data
        /dataset1    <----share
            ...
            <data files and folders>
        /dataset2    <----share
            ...
            <data files and folders>
        /dataset3    <----share
            ...
            <data files and folders>

…and have /datastore, and all the /datastore/data/dataset... folders as smb shares and my test user added to the groups w/ Read access for the shares referring to datastore, dataset1, and dataset2 on the Computer Mgmt UI connecting to the smb server (per the Samba extended ACLs docs). (I found that you need to give users share permissions for parent level folders if you want to set finer-grained share perms for lower-hierarchy share folders, as they need to be able to have access all the way down the path (LMK if this is wrong and could be causing the problems)).

When mounting the datastore share on Windows, I find that my test user can open content in /datastore/data/dataset1 and (as expected) can’t open content in /datastore/data/dataset3, but also cannot access /datastore/data/dataset2. (I have triple-checked and do appear to be listed as a member in the AD group that is listed in the share’s Security tab).

Anyone with more experience with this have any ideas as to what could be happening? Any more debugging info that this post should contain?

(Note: I posted a similar question here, but was for an almost totally opposite problem (have not yet posted an answer there as this is part of that same testing process, so the exact diagnosis of all these hangups is still unclear))


For reference (though I don’t think anything is wrong here), my /etc/samba/smb.conf file looks like…

[root@myserver ~]# cat /etc/samba/smb.conf
[global]

security = ads
#  password server = adcontrollerserver.myorg.local
#  dedicated keytab file = /etc/krb5.keytab
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 3

winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
# the next line is only required on Samba versions less than 4.9.0
#  store dos attributes = Yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config * : backend = tdb
idmap config * : range = 10000000-10999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-20000
idmap config MYDOMAIN : unix_nss_info = yes
#  idmap config MYDOMAIN : unix_primary_group = no
username map = /usr/local/samba/etc/user.map
winbind enum users = yes
winbind enum groups = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
winbind offline logon = yes

# all the various share names, eg...
[datastore__data__dataset1]
   path = /datastore/data/dataset1
   read only = no
.
.
.

and appear to have all the ACLs prerequisites…

[root@myserver ~]# smbd -V
Version 4.9.1
[root@myserver ~]# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
[root@myserver ~]# cat /etc/samba/smb.conf | grep "vfs objects"
vfs objects = acl_xattr
[root@myserver ~]# cat /etc/samba/smb.conf | grep "map acl inherit"
map acl inherit = Yes
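A way to check the "access all the way down the path" point from the question on the server side, as an added example that is not part of the original post: it parses `getfacl` output and reports the first directory whose POSIX ACL denies a user with a given set of groups. The sample ACLs, the group names `dataset1_ro` and `dataset2_ro`, and the function names are constructed for illustration; the NT ACL that `acl_xattr` stores in extended attributes is not evaluated here.

```python
# Constructed `getfacl -R` style output (not taken from the poster's server).
SAMPLE = """\
# file: datastore/data
# owner: root
# group: root
user::rwx
group::r-x
group:dataset1_ro:--x
mask::r-x
other::---

# file: datastore/data/dataset2
# owner: root
# group: root
user::rwx
group::r-x
group:dataset2_ro:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    acls, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file: "):
            cur = acls.setdefault(line[8:], {"entries": []})
        elif line.startswith(("# owner: ", "# group: ")):
            cur[line[2:7]] = line[9:]
        elif line and line[0] != "#" and not line.startswith("default:"):
            cur["entries"].append(tuple(line.split()[0].split(":")[:3]))  # (tag, qualifier, perms)
    return acls

def allowed(acl, user, groups, want):
    # POSIX ACL order: owner, named user, any matching group, then other.
    ent = acl["entries"]
    find = lambda tag, qual: next((p for t, q, p in ent if t == tag and q == qual), "")
    ok = lambda p, m="rwx": all(c in p and c in m for c in want)
    mask = find("mask", "") or "rwx"
    if user == acl["owner"]:
        return ok(find("user", ""))
    if find("user", user):
        return ok(find("user", user), mask)
    grp = [p for t, q, p in ent if t == "group" and (q or acl["group"]) in groups]
    return any(ok(p, mask) for p in grp) if grp else ok(find("other", ""))

def first_denied(acls, target, user, groups):
    # Parents need traverse (x); the target directory needs read + traverse.
    chain = sorted(p for p in acls if (target + "/").startswith(p + "/"))
    return next((p for p in chain if not allowed(
        acls[p], user, groups, "rx" if p == target else "x")), None)
```

With the sample data, a user who is only in `dataset2_ro` is stopped at `datastore/data`, even though the ACL on `dataset2` itself grants read access.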

MySQL group replication – how to find queries causing replication lag?

Turn on the slowlog on both machines. What version of MySQL are you using? Here are good settings to have for a relatively new version:

log_output = FILE
slow_query_log = ON
slow_query_log_file = (fullpath to some file)
long_query_time = 1
log_slow_admin_statements = ON
log_queries_not_using_indexes = OFF
log_slow_slave_statements
log_slow_extra = ON

More: http://mysql.rjweb.org/doc.php/mysql_analysis#slow_queries_and_slowlog

A possible cause of what you are seeing: An ALTER that takes some time and hits tableA is replicated. Meanwhile, other things are happening (read or write) to tableA. The above settings will probably catch the ALTER.

Another thing to look for (but hard to see) in the slowlog: A bunch of queries ending at about the same second. This usually means that one of them took a long time and was blocking the others (either directly or indirectly).

In any case, use pt-query-digest; its default sort is to put the “worst” queries first. Then…

  • The blocker may be among the first few.
  • The first few are likely to be queries that you should work on improving — better indexing, reformulation, etc.
  • Sometimes a “worst” query is a very fast query that was blocked by the blockage; that is, it was a “victim”, not a “villain”. Example: UPDATE ... WHERE primary_key = 123 taking second(s) or even minute(s), not milliseconds.
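The "bunch of queries ending at about the same second" check described above, as an added example that is not part of the original answer: it groups slow-log entries by the second in their `# Time:` header (written when the statement finishes) and, for each pile-up, lists the longest-running statement as the suspected blocker and the rest as likely victims. The log excerpt, the function names and the `min_size=3` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed slow-log excerpt (MySQL 8.0 file format, User@Host lines omitted).
SLOWLOG = """\
# Time: 2021-03-03T21:47:12.100000Z
# Query_time: 1.200000  Lock_time: 0.000100 Rows_sent: 10  Rows_examined: 90000
SET timestamp=1614808030;
SELECT * FROM tableB WHERE note LIKE '%x%';
# Time: 2021-03-03T21:47:55.101000Z
# Query_time: 41.900000  Lock_time: 0.000200 Rows_sent: 0  Rows_examined: 0
SET timestamp=1614808033;
ALTER TABLE tableA ADD COLUMN c INT;
# Time: 2021-03-03T21:47:55.350000Z
# Query_time: 38.200000  Lock_time: 0.000150 Rows_sent: 0  Rows_examined: 1
SET timestamp=1614808037;
UPDATE tableA SET n = n + 1 WHERE id = 123;
# Time: 2021-03-03T21:47:55.620000Z
# Query_time: 17.500000  Lock_time: 0.000120 Rows_sent: 1  Rows_examined: 1
SET timestamp=1614808058;
SELECT n FROM tableA WHERE id = 7;
"""

def parse_slowlog(log):
    entries, cur = [], None
    for line in log.splitlines():
        if line.startswith("# Time: "):
            cur = {"end": line[8:27], "secs": 0.0, "sql": ""}  # end time, to the second
            entries.append(cur)
        elif cur and line.startswith("# Query_time: "):
            cur["secs"] = float(line.split()[2])
        elif cur and not line.startswith(("#", "SET timestamp=")):
            cur["sql"] = (cur["sql"] + " " + line.strip()).strip()
    return entries

def pileups(entries, min_size=3):
    # Group by the second each entry was logged, i.e. when the query finished.
    by_end = defaultdict(list)
    for e in entries:
        by_end[e["end"]].append(e)
    report = []
    for end, group in sorted(by_end.items()):
        if len(group) >= min_size:
            group.sort(key=lambda e: e["secs"], reverse=True)
            report.append({"end": end, "suspect": group[0]["sql"],
                           "victims": [g["sql"] for g in group[1:]]})
    return report
```

On the sample, the single-row `UPDATE` and `SELECT` on tableA finish in the same second as the `ALTER`, which is reported as the suspect.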

Stop Instagram Group Message Requests Spam

Instagram has a huge spam problem.

My “Message Requests” inbox is continually filled with requests to join Group Messages, sent by fake “sexy women” profiles.

The only options are to Accept, Ignore, or Delete these group message requests. There does not seem to be a way to report them as spam, or block the sender.


Message Requests
Requests aren’t marked as seen until you allow them.
Accept | Ignore | Delete
Delete All

How can I prevent these messages from being sent to me? How can I block these senders or report them as spam?

riemannian geometry – Does every group arise as the fundamental group of a complete Kähler manifold?

The fundamental group of a manifold is countable, and every countable group $G$ arises as the fundamental group of a (smooth) manifold; see this comment or this answer for a construction of an open subset $U \subset \mathbb{R}^5$ with $\pi_1(U) \cong G$.

Note that every smooth manifold admits a complete Riemannian metric. In fact, every conformal class contains a complete metric, see The Existence of Complete Riemannian metrics by Nomizu and Ozeki. Therefore, every countable group arises as the fundamental group of a complete Riemannian manifold.

As the hermitian property is preserved under conformal change, every conformal class of a hermitian metric on a complex manifold contains a complete hermitian metric. Replacing $U$ with $V := U\times\mathbb{R} \subset \mathbb{R}^6 = \mathbb{C}^3$, we see that every countable group arises as the fundamental group of a complete hermitian manifold.

Note that $V$ also admits a Kähler metric. However, unlike the hermitian case, the Kähler property is not preserved under non-constant conformal change, see this question. In fact, not every Kähler manifold admits a complete Kähler metric, see this question. Despite this, do we still have the Kähler analogue of the two bold statements above?

Does every countable group arise as the fundamental group of a complete Kähler manifold?

It’s worth pointing out that the question of which groups arise as the fundamental groups of compact Kähler manifolds (which are necessarily complete) is an active area of research. Such groups are known as Kähler groups and much is known about them, see this question.

MySQL Group Replication starts master node with super_read_only

I am trying to set up MySQL group replication. The only problem is that when I try to start the replication group, it starts with super_read_only.

Here are the configurations in my my.cnf file:

[mysqld]

max_binlog_size = 4096
default_authentication_plugin     = mysql_native_password

log_bin                           = mysql-bin-1.log
enforce_gtid_consistency          = ON
gtid_mode                         = ON
log_slave_updates                 = ON
binlog_checksum                   = NONE

plugin-load-add                   = group_replication.so
plugin-load-add                   = mysql_clone.so
relay_log_recovery                = ON
transaction_write_set_extraction  = XXHASH64
loose_group_replication_start_on_boot                    = OFF
loose_group_replication_group_name                       = 74fe8890-679f-4e93-9169-a7edfbc1d427
loose_group_replication_group_seeds                      = mysql_cluster_mysql0_1:3306, mysql_cluster_mysql1_1:3306, mysql_cluster_mysql2_1:3306
loose_group_replication_single_primary_mode              = ON
loose_group_replication_enforce_update_everywhere_checks = OFF
bind-address = 0.0.0.0

The instances are run inside Docker; that’s why the group seed addresses have these hostnames.

Also, here is the procedure for running the master instance.

DELIMITER $$

USE `db`$$

DROP PROCEDURE IF EXISTS `set_as_master`$$

CREATE DEFINER=`root`@`%` PROCEDURE `set_as_master`()
BEGIN
  SET @@GLOBAL.group_replication_bootstrap_group=1;
  CREATE USER IF NOT EXISTS 'repl'@'%';
  GRANT REPLICATION SLAVE ON *.* TO repl@'%';
  FLUSH PRIVILEGES;
  CHANGE MASTER TO MASTER_USER='root' FOR CHANNEL 'group_replication_recovery';
  START GROUP_REPLICATION;
  -- SELECT * FROM performance_schema.replication_group_members;
END$$

DELIMITER ;

After running CALL start_as_master; in SQLyog, the process gets stuck on the lines below.

'CHANGE MASTER TO FOR CHANNEL 'group_replication_recovery' executed'. Previous state master_host='', master_port= 3306, master_log_file='', master_log_pos= 4, master_bind=''. New state master_host='', master_port= 3306, master_log_file='', master_log_pos= 4, master_bind=''.

2021-03-03T21:47:55.934818Z 8 [System] [MY-013587] [Repl] Plugin group_replication reported: 'Plugin 'group_replication' is starting.'

2021-03-03T21:47:55.935929Z 9 [System] [MY-011565] [Repl] Plugin group_replication reported: 'Setting super_read_only=ON.'

Why does it run with super_read_only=ON?
Is there anything I miss during configuration or running script?

MySQL version is 8.0.23.

Is quotient of projective scheme over arbitrary base by a finite group also projective

This question probably follows from standard geometric invariant theory. If true, I’d like to know a reference for it. Given a projective scheme $X\rightarrow S$ over the base $S$. Let’s assume a finite group $G$ is acting on $X$ and its quotient is an $S$-scheme $X//G$. Is the quotient projective or at least proper? (I have seen versions of this over fields but not for arbitrary base.)

Best UI pattern to group multiple uncategorised items (i.e. questions)

Problem: The user has the ability to add x number of questions (uncategorized questions). Normally, the user adds 2 – 5 questions. However, the problem is when the user adds more than 10. The tricky part that I haven’t thought of how to implement is when they add 200 questions.

The current implementation was just to stack the questions together so the user can easily make changes to all questions. However, if there are more than 10 questions, the user needs to scroll down, which is tedious but still works. But with 200 questions, that’s like unlimited scrolling.


Some solutions I thought:

Pagination
This definitely is not a good solution. It’s confusing. I was thinking maybe there’s a good way to make use of pagination though so maybe you have some ideas.

Checkbox Table
I think this approach could be possible. The problem though is user can’t easily make some changes on the question. In addition, that means I would have another functionality of adding groups. There are possible workflow changes to suit this kind of approach but can’t think of any yet at the moment.

Note: The user can select the type of question he wants to add: multiple choice or essay-type.

I’m currently exploring on the best solution and to be honest, I haven’t really thought of any design approach to take yet. Would love to know our thoughts if you encountered something similar.


Any one know how to destroy or End the Facebook Group | NewProxyLists

In my country there are lots of scammers who have eaten my money.
They create fake currency exchanges to eat ordinary people's hard-earned money.
Does anyone know how to destroy a Facebook group or FB profile forever?
I lost 1000$ trying to exchange my money.
So webmasters, please suggest.

 

sharepoint online – How to EnsureUser with AD group in REST

I am trying to add AD group to SharePoint site in REST using EnsureUser but I kept getting error message “The specified user c:0+.w|S-1-5-21-1814438218-152777602-930774774-762833 could not be found“. Can someone please tell me what the correct format is for the logonName string? AD is on prem and we are using SP Online. Below is the code:

        string digest = formDigest == "" ? GetRequestDigest() : formDigest;
        string logonNameStr = WebUtility.HtmlEncode("c:0+.w|") + "S-1-5-21-1814438218-152777602-930774774-762833"; // <== This seems to be incorrect
        string ensureUserUrl = _siteUrl + "_api/web/EnsureUser"; 
        
        using (var handler = GetHttpClientHandler(_siteUrl))
        {
            using (HttpClient client = GetHttpClient(handler))
            {
                client.DefaultRequestHeaders.Add("X-RequestDigest", digest);
                var payload = new { logonName = logonNameStr };
                string jsonBody = JsonSerializer.Serialize(payload);
                using (StringContent content = new StringContent(jsonBody))
                {
                    content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json;odata=verbose;charset=utf-8");
                    // Await the call instead of blocking on .Result, since the next line already uses await
                    HttpResponseMessage response = await client.PostAsync(ensureUserUrl, content);
                    string jsonStr = await response.Content.ReadAsStringAsync();
                    if (!response.IsSuccessStatusCode) //if adding user failed
                    {
                        throw new Exception(String.Format("Failed to add AD group {0} to SharePoint site: {1}", groupName, jsonStr));
                    }
                }               

            }
        }

How to get the data associated to a post I started on a private Facebook group?

Let’s say I have done a post on a Facebook private group, and that many people have answered/commented on it.

How to retrieve this data, i.e. the whole conversation/comments for a post?

Example of data I’d like to retrieve:

Date                  User    Type       Content
2021-01-01 12:00      UserA   post       Hello! What do you think about XYZ?
2021-01-01 12:01      UserB   comment    I think that...
2021-01-01 12:02      UserC   comment    UserC: Yes I agree that...

I know the personal history Activity log, but it doesn’t contain all of this.