G Suite: Whoops! There was a problem loading more pages

Recently, a rash of users have received this error when trying to view more than the first page of a PDF in our corporate Gmail:

Error when viewing second page of PDF in Gmail

This problem started to appear toward the end of July 2019, and by mid-August it was company-wide. This timeline corresponds with the release of Chrome v76. Chome v76 introduces a change to Cross-Origin Requests, and while this change introduced some trouble for a number of Chrome Extensions, it can also negatively impact corporate G Suite environments who utilize certain restrictions in the Google Admin Console.

How to Fix this Error

First, verify that this is, indeed, the problem.

  • Open an email in Gmail with a multi-page PDF attachment, but do not click the attachment yet
  • Press CTRL+Shift+I to open the Developer console, and click to the Network tab
  • Click the PDF attachment and look at the results in the Network tab
  • One of the Red items that appear on the list should contain:
Access to XMLHttpRequest at 'https://drive.google.com/viewerng/upload?ds=docstring' from origin 'https://mail.google.com/ has been blocked by CORS policy: Request header field x-googapps-allowed-domains is not allowed by Access-Control-Allow-Headers in preflight response.

If you see the above, then this solution will work for you. To explain, settings exist in the G Suite Admin Console which can restrict the ability of a Chrome user, with Sync turned on, from logging into secondary accounts outside of an allowed set of domains. The requests to the Google Drive PDF viewer from Gmail come across as generic and not specific to your domain, and thus Chrome refuses to render the document. To solve the problem, this restriction in the Admin Console will need to be disabled by an administrator in your G Suite organization.

  • Open the Admin Console
  • Navigate to Devices – Chrome management – User and browser settings
  • Find Sign-in to secondary accounts and set it to Allow users to sign-in to any secondary Google Accounts
Allow users to sign-in to any secondary Google Accounts

Your organization more than likely utilizes a web filter, DLP platform, or firewall to restrict sign-in settings anyway, so this setting will do no harm.

How to block a DNF package update on Fedora

You know the new version of a package is a buggy mess and you don’t want to update, or you manually install an rpm that exists in the repos but you really want to keep the version you installed. There’s an easy way to do that!

Edit (as root) /etc/dnf/dnf.conf and add this line:

exclude = packagename1
exclude = packagename2

Save it. The next time DNF updates, your package won’t be updated! This will work with any distribution that uses DNF (Mageia, future versions of CentOS).

Possible missing firmware for module tg3

When recently updating my Debian 9 Stretch’s boot image, it produced the following warning:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

That doesn’t look good! Without this module, I suspect my network card will not work after reboot. What’s needed is the package firmware-linux-nonfree but it’s not available in the standard Debian free repos – you need the nonfree repo.

Edit your /etc/apt/sources.list and add the following:

deb http://ftp.de.debian.org/debian stretch main non-free

You can install firmware-linux-nonfree with apt-get, which will allow your adapter requiring the tg3 module to continue working.

Have root send as a different address using postfix

If you have scripts or other services that run as root that need to send to outside email addresses, via postfix, without being root@hostname, this is what you need to do:

    1.  sudo vi /etc/postfix/generic

      root name@tld.com

    2. sudo vi /etc/postfix/main.cf

      smtp_generic_maps = hash:/etc/postfix/generic

    3. sudo postmap /etc/postfix/generic
    4. sudo systemctl restart postfix

Done! Now root will send as name@tld.com instead. Substitute whatever you want for name@tld.com

Setting NTP settings on Windows Server

Here’s how to set your Windows server to sync its time with an NTP server.

  1. Open a Command Prompt as Administrator
  2. Enter: w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
  3. Enter: net stop w32time
  4. Enter: net start w32time
  5. Initiate a sync: w32tm /resync
  6. Check the status: w32tm /query /status

You’re done! You can also now use this server as a time server for other devices on your network. Just follow the above steps and replace pool.ntp.org with your server’s IP address.

If your server is a VM, you may need to disable time syncing from your hypervisor. Otherwise, your sync efforts will be for naught, as the VM will keep syncing with its hardware host.

Install Trusted Root Certificate in Windows silently

If you’re a sysadmin trying install a root certificate to devices for the purpose for SSL inspection, and you’re not wanting to leverage Group Policy for a widescale rollout just yet, here’s how you can script it to import silently via command line using your preferred administration tool:

certutil -enterprise -f -v -AddStore filename.crt

Replace filename.crt with the name or path to your certificate. No reboot should be required.

Launch ‘Configure advanced user profile properties’ from Command Prompt

If you’re a Windows sysadmin in an environment with locked down user rights, and you want to perform an administrative action without needing to log out a current user, you can find yourself in a tight spot. Luckily, if you Shift-RightClick Command Prompt, click Run As another user, and login as your admin user, you can launch administrative tools all without needing to log out.

One such tool is the User Profiles window under Advanced system settings. To launch it from Command Prompt, type:

rundll32.exe sysdm.cpl,EditUserProfiles


Windows Environment Variables from Command Prompt

If you’re supporting an end user on Windows XP, Vista, 7, 8, or 10, and don’t want to completely log them out, you can use Run As on a Command Prompt as an administrator and then run the following:

rundll32 sysdm.cpl,EditEnvironmentVariables

Now edit your variables and relaunch your application. This is very useful if you find yourself needing to correct the PATH, let’s say, for Java.

How to Solve: Enrolled Chromebooks losing Enrollment

Lately, I’ve had a rash of Lenovo N22 Chromebooks that would lose their G Suite Admin Console enrollment. Re-enrollment wasn’t sticking and the next update would make them lose their enrollment.

To solve this, a full device factory reset is needed.  Follow this process:

  1. Turn off the Chromebook. Shutdown or long holding Power are both fine.
  2. Press and hold Escape, Refresh, and Power for 3 seconds. Let go.
  3. It will come up to a screen with a yellow exclamation. Press CTRL + D.
  4. It will tell you to press Enter to turn OS verification off. Press Enter.
  5. It will restart with a red exclamation. Press CTRL + D again.
  6. It will transition to Developer Mode. This can take 5-10 minutes.
  7. At the next bootup, it will tell you that it is going to start in Developer Mode and to press Space to turn OS verification back on. Press Space then Enter.
  8. It will transition back to Verified mode, this will take a minute or two.
  9. It will boot to the Welcome screen. Connect it to the wireless and enroll it with CTRL E. 

You’re done! Now your Chromebooks shouldn’t ask for Wi-Fi credentials on bootup as if they weren’t enrolled.

Re-enable the certificate detail window in Google Chrome

Web Developers, Sysadmins, and their ilk lamented the day when Google decided to remove the detailed certificate window from Google Chrome. Now, it’s back. Here’s how:

  1. Put the following in the address bar: chrome://flags/#show-cert-link
  2. Click Enable
    Google Chrome - Click Enable