RE: FOG has issues if the temp image location is on another drive. FOG 1.5.10.1612 Ubuntu Server24.04.1 LTS

@Fog_Newb I’m not sure I follow th eproblem.

Your directory structure looks correct to me?

Now, there is a piece to be thinking of first:

Your mounts seem to be correct and even a df -h seems to show up properly (lsblk if you want use that which is displayed)

The only way I could think of how this should occur.

You should:

1. Unmount vdc1
2. move vdb’s dev folder to your /root/folder for backup purposes temporarily (completely remove it from the /images
3. create a new dev folder in your /images
4. Mount vdc1 to /images/dev
5. Copy back the items in /root/dev/ to the new /images/dev
6. Make sure the requisite .mntcheck file exists touch /images/.mntcheck; touch /images/dev/.mntcheck
7. Change the ownership back to chown -R fogproject:fogproject /images; chmod 775 -R /images

This should allow your system to work without issues.

Your FSTAB needs to have the mount set correctly too so that dev gets mounted appropriately on subsequent boots which I presume is already happening?

@Fog_Newb did you make sure the /images/dev is owned by fogproject:fogproject user and that there’s the ever useful (needed) .mntcheck file?

@adam1972 you should run the e2fsck command FROM the blue window

and you should reschedule your task, but with the debug option.

@LLamaPie Based on what I see of the issue is it possible the server is this service too?
https://sarperavci.com/Froxlor-Authenticated-RCE/

I don’t know what Froxlor is, but the lol.php and .systmd that you saw seems to point that somebody was trying to do some bitcoin mining possibly?

@george1421 Running Fog Version: 1.5.10.15

@LLamaPie If you can get the backup db and images of course. I don’t think they’re affected, but whatever is relaying is using a ton of CPU. so at least not a full startover I think.

@LLamaPie I am pretty sure this isn’t something FOG is doing. I don’t know of a command named .systmd and seems questionable at best. The fact that it’s being used and spawned by www-data is real hmmm if you ask me.

@adam1972 have you tried running this capture in debug mode and attempt the e2fsck -f /dev/sda2 as suggested?

@mentaluproar The error code you see is 2732 which is coming from the Domain controller. If your account is the one indeed being used, and isn’t locked, I don’t know what else to look into.

Basically 2732 is the code from MS, not from FOG.

@Fog_Newb Then I have no idea and apologize for not having much more to give you…

If i’m mistaken, however, the value of the UTC for the imagine time might just be exactly presented instead of transformed to local timings?

and you’re 100% certain your instance of FOG is using php8.3? I know that seems an odd question but if you restarted php-fpm and apache2 there should be 0 references as the instantiation of php is using the date.timezone.

@Fog_Newb Under debian there’s 2 points:

/etc/php/8.3/cli/php.ini and the apache2/php.ini I believe

@Fog_Newb /etc/php.ini’s date.timezone should be defined as well unfortunately.

@mentaluproar

Seems maybe the account is locked?

@AUTH-IT-Center Subree is updated to be properly listed as Subtree

@AUTH-IT-Center Roger and it is much appreciated

@AUTH-IT-Center I think, at least with what limitations I have this would work just fine in working-1.6

Except you’d be setting the groupNameAttr = edupersonentitlement

My filter query is built as such:

(&(|(%s=%s))(|(%s=%s)(%s=%s=%s)(%s=%s)))

basically it builds it out as:
<group name attribute>=<groups to associate> (and broken into multiple if and as necessary)
<group member attribute>=<userDN>
<group member attribute>=<user name attribute>=<username>
<user name attribute>=<username>

This is built as an AND or (and) or

So in psuedo code:

if (groupNameAttr = <value> or .... or ... or)

AND 

if (groupMember = <userDN> or groupMember = userName = <user> or userName = <user>)

then it should work.
I don’t have a way to represent it, Just saying I think we are covering those basis in working-1.6 (among many other potentials).

@AUTH-IT-Center In my testing with an openldap (ldap.forumsys.com)
https://www.forumsys.com/2022/05/10/online-ldap-test-server/

I wasn’t able to use member/memberof though I wasn’t able to figure out quite why, but when I changed the group member to ‘uniquemember’ all seemed to work.

Assuming eduPersonEntitlement has the uids (in dn format) of the user (either full dn or partial) and it’s directly associated with the ou structure for your admin group:

Similarly your ‘admingroup’ (I know you’ve masked it) but do you have a group in your LDAP that has a full name of: https://entitlements.it.auth.gr/<adminGroupName>?

Now I’m not sure on the exact setup differences (I just helped get the plugin built)

In my experience:
Search base DN tells us where it’s going to search for users
Group base DN tells us where it’s going to search for groups

So if Groups are all under the OU=People,O=Auth,C=GR then this would work, but if groups are not all under OU?

In my example structure my layout was:

LDAP Server -> ldap.forumsys.com
LDAP Server Port -> 389
Use Group Matching (recommended) checked
Search Base DN -> dc=example,dc=com
Group Search DN -> dc=example,dc=com
Administrator Group -> mathematicians
Non-Administrator Group ->
Username Attribute -> uid
Group Name Attribute -> ou #Working-1.6 has this element
Group Member Attribute -> uniquemember
Search Scope -> Subtree and Below
Bind DN -> cn=read-only-admin,dc=example,dc=com
Bind Password -> password

Of course I don’t expect anyone to actually use this setup and this is for testing, not for real login, but gave me a way to test things.

Search Base DN = Where we search for users
Group Search DN = Where we search for groups
Admin/user Group = What groups should users belong in (must reside in the Group Search DN to work.)
Username Attribute = We all know this one
Group Name Attribute = This is new to working-1.6 of course but similar to username attribute. In your case this would be defaulted to name in dev-branch
Group Member Attribute = which attribute stores users that are associated to the group.
Search Scope = Base = Only at the search base, Subtree = Only at the group below the search base, Subtree and below = Everthing from the group base and below. (this is just how I imagine and envision it, if anyone has better descriptions feel free to correct me please.)

Bind DN (what user dn is to authenticate intially with the ldap)
Bind Password (what password to authenticate with)

I know I was explicit but this is what worked for me in my testing.

@AUTH-IT-Center After some pretty serious testing I think I finally got the ldap plugin working on 1.6 as well.

I can make the suggested changes in dev-branch, but that might remove your PR. I can merge yours in, then refactor it so at least you get the due credit, I just refined it to make it more robust?

Hopefully that will help.

your uid=… method it’s not perfect.

Your filter should be:

<groupNameAttribute=<group1>, etc…<groupMemberAttribute=<userdn/or uid information>

So group name I think was always expected to be name for some period of time, though has been refactored to allow

The purpose of the groupMemAttr is the member attribute, not the group name attribute (which I think is what you’re using it for currently?)

The idea of this is:

check all groups (with name as the key indicator explicitely defined unfortunately in dev-branch) that match the name of . whatever group search you’re doing (admin or user) (This is psuedo code of representation for the filter logic ideals:

if (name = this OR name = that OR name = other) {
    AND (if <userDN> is in the member list of this group) {
        This is the access level
    }
}

Your method is saying:

if (member = this OR member = that) { // Here you're using member but using the group name attribute to select it?
    AND (if usernameattribute == username) { // this would be true if the bind already read worked.
    }
}

Basically the problem with your current filter is you only check if the group exists and the username = username, not that the username actually is a member of that group.

We do have logic, I think that double checks but I hope you can see the issue here?

@AUTH-IT-Center I’m asking about testing working-1.6 lol selfishly. Keep using what you’ve done though I did find I think 1 issue in your code (a place where admingroups should be usergroups)