Linux: Debian 10 "Buster"

Debian logo



This page contains notes about the installation of Debian 10 "Buster" on several of my computers. Historically, this page is a follow-up to my "other" Debian pages and supersedes these. It was extended to document some specific installation cases and also includes documentation and rants about some issues that I encountered. - As usual, this document has been "anonymised" in a few places; in particular IP addresses have been replaced by xxx or yyy.

The upgrade to Debian 11 "Bullseye" is described elsewhere on this site.

Installing and fine-tuning Debian 10

Base install

The initial installation was performed using the Debian 10 64-bit "netinstall" USB stick. Before doing so, I adjusted the HDD partitions on my server (using gparted) and changed the partition scheme to GPT, since the state of the art has moved away from MBR:

Partition Size Filesystem Label mount point Comment
/dev/sda1 500 MB vfat EFI /boot/efi
/dev/sda2 30 GB ext4 d10 / This is the root filesystem of Debian 10.
/dev/sda3 30 GB ext4 d8 /mnt/debian8 This holds the "old" Debian 8 files, It will be overwritten when updating the system in the future.
/dev/sda4 120 GB ext4 home /home Home directories.
/dev/sda5 320 GB ext4 share /mnt/share Local NFS export for music, photos, etc.
/dev/sda6 8 GB swap swap swap Swap space.
/dev/sda7 400 GB ext4 vbox /mnt/vbox VirtualBox files.

Packages: During the installation, I select at least ssh server, file server and standard system utilities for any computer, no matter if desktop, laptop or server. For the main server in my home network, I add print server (CUPS).

Desktop: For machines running the KDE desktop, I prefer to select the packages manually later on (see below). For low-end machines, I prefer the XFCE desktop and install it with the Debian installer.

Once the initial installation finished and the system has booted, log in. The first thing I do is to apt install vim, edit /etc/vim/vimrc and un-comment syntax on.

Edit /etc/apt/sources.list. Remove the entry for the Debian CD, then add non-free contrib at the end of the first 4 entries.

apt update
apt install firmware-linux* firmware-misc-nonfree acpi-support hwinfo ntpdate hwinfo lshw mc acl \
            firmware-amd-graphics firmware-realtek firmware-atheros firmware-iwlwifi

Basic Network Security


If not already included in some metapackage, do apt install openssh-server and set up sshd. Some key entries in my /etc/ssh/sshd_config are:

Port 1234   # obviously not THIS port but you get the idea
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
AcceptEnv LANG LC_*
Banner /etc/
AllowUsers joe jack

Create the banner file that is shown upon login:

cat <<EOF > /etc/ 
* This system is for the use of authorized users only.             *
* Unauthorized access to this system is prohibited.                *
*                                                                  *
* Usage of this system is monitored and recorded.                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *

Adjust some network-related files

On the server, /etc/hosts contains some fixed IP addresses and aliases in my local network (most are handled by dnmasq, see below).


ALL: LOCAL 192.168.* (or 192.168.999.* or whatever fits your subnet)


sshd: ALL EXCEPT LOCAL : rfc931 : spawn (/usr/sbin/safe_finger -l @%h | \
      mail -s%d-%h root) & : twist /bin/echo "Access prohibited by system administration. Go away."

Enable automatic security updates

On all my machines except laptops, I want security updates to be downloaded and applied automatically:

apt install unattended-upgrades 
dpkg-reconfigure unattended-upgrades


New names for the network interfaces

Bad News: The network interfaces have been renamed. While this is supposed to bring more consistency in the device naming, it also introduces a lot of problems since scripts are no longer transferable between computers:

In the "past", the first interface was always assigned to eth0. Even if the system had multiple interface cards, the old naming scheme allowed to define "which card is what interface" in /etc/udev/rules.d/70-persistent-net.rules. Afterwards, you could use eth0 and eth1 across multiple systems. In standard systems with a single network card, only eth0 was present anyway and the details did not matter. This was universal and could be replicated across all kinds of systems, from firewall rules through the Samba configuration up to utilities such as Conky. It meant that you could swap entire harddisks between computers and be sure that the machine would boot and connect.

With the "new" interface names, all these scripts need to be revised on every single computer. On different computers I have seen interface names as colorful as enp3s0, enp4s0, enp0s25, enp63s0 (?!), wlp2s0, wlp3s0, wlp5s0 and others. Where is the consistency in this?

After figuring out "which card does what" with ip a, I adjusted /etc/network/interfaces to assigned the way the two cards are operated. At the same time, this is where the firewall is launched:

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# firewall
pre-up iptables-restore < /etc/iptables.conf

# the external network card
auto enp3s0
allow-hotplug enp3s0
iface enp3s0 inet dhcp

# The primary (internal) network interface
auto enp4s0
allow-hotplug enp4s0
iface enp4s0 inet static
  # do NOT set any gateway here!

Firewall, Router and NAT


For any machine that does not require routing, the uncomplicated firewall ufw is probably the easiest solution out there:

apt install ufw
ufw enable
ufw allow in 1234/tcp

However, I could not figure out how to use ufw with a router and NAT (and make the rules persists after a reboot!). After wasting too much time with different firewall options, I decided to stick with good old iptables for the router since it was the "easiest" to configure. The file /etc/network/iptables.conf contains mostly the same firewall rules as before:

-A INPUT -i lo -j ACCEPT
-A INPUT -i enp4s0 -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp --dport 5353 -d -j ACCEPT

# sshd runs on a non-standard port. Obviously not THIS one but you get the idea ;-)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT

# router
-A FORWARD -i enp3s0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp4s0 -o enp3s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited



Edit /etc/sysctl.conf and activate routing by un-commenting the line net.ipv4.ip_forward=1.

For the local DHCP server, apt install dnsmasq, then edit /etc/dnsmasq.conf:

dhcp-host=01:12:23:34:45:56,thing    # assign name "thing" to MAC address 01:12:23:34:45:56


At this point, the router functionality should be established and your machines on the internal network should be able to access Internet again. Test if DNS is working, e.g.:

dig @localhost
nslookup localhost
nslookup i5.localnet

Read the log files

On production machines I like to have a quick look at the key logfiles (e.g. using conky). Of course the default permission for these files is rather restrictive ... yet I do not want to log in as root just to have read access. On the other hand, I don't want to grant access to these files to all users in my group, nor use sudo.

With Linux supporting ACL (access Control Lists), the solution is as simple and as elegant as it can get: apt install acl, then to grant selective access on a per-file and per-user basis. The following cronjob allows user joe to read two of the log files (to be run as a cronjob, due to log file rotation)

11 * * * * root setfacl -m user:joe:r-- /var/log/messages /var/log/daemon.log

While we're at it, let's create a directory for my backup log files ...

mkdir /var/log/backup

... and in /etc/rsyslog.conf, the most important events shall be logged to console 9 and 10:

*.info;mail.none;cron.none         /dev/tty9
kern.warn,*.err;authpriv.none      /dev/tty10

Installing the Desktop


I prefer not to install all language packs. Here, be careful to select the languages you want to keep! Generally I select the generic language plus the UTF-8 variant, e.g. de and then dialects such as de_DE.UTF-8 and de_CH.UTF-8 :

apt install localepurge

Now, install the desktop files.

KDE: One could simply select the "Debian Desktop with KDE" (using tasksel), but I found that this installs a lot of "tools" that I do not need. Thus, I decided to install everything "by hand". The first command will fetch packages needed for clean integration of non-KDE applications and install the good old "Oxygen" theme (and you could put all this on one line, of course):

apt install kde-plasma-desktop kdeplasma-addons-data plasma-widgets-addons kde-config-gtk-style \
    kde-config-systemd kde-style-qtcurve-qt5 gtk2-engines-qtcurve print-manager kde-config-gtk-style \
    breeze-gtk-theme gtk2-engines-oxygen gtk3-engines-oxygen oxygen-icon-theme plasma-theme-oxygen
apt install dolphin okular okular-extra-backends apper kmix kate kmail kcharselect kaddressbook \
    kdeadmin kmenuedit kinfocenter ksnapshot kfind kwalletmanager kmenuedit kdepim kdeconnect
apt install firefox-esr chromium deluge lynx curl nmap dnsutils build-essential module-assistant
apt install dos2unix ark rar unrar sharutils mailutils subversion rsync unison-gtk  
apt install lyx texlive-lang-french texlive-lang-german tex4ht glabels faketime
apt install ttf-mscorefonts-installer fonts-liberation libreoffice libreoffice-kde 
apt install enchant aspell-fr aspell-de hunspell-en-us hunspell-fr hunspell-de-de hunspell-de-ch 
apt install gimp gimp-gutenprint imagemagick digikam hugin gwenview kipi-plugins 
apt install sqlite sqlitebrowser python-dateutil filelight conky   
apt install pdftk qpdf pdfmod ghostscript cups-pdf atril pdfgrep   # handling PDF 
apt install gftp bluefish tidy sitecopy                             # HTML authoring
apt install gpsbabel qmapshack                                      # GPS related 
apt install kicad gerbv                                             # electronics development
apt install inkscape gnuplot-x11                                    # graphics and science :-) 
apt install vlc k3b kde-config-cddb audacity easytag clementine     # Multimedia and CD authoring

XFCE, MATE: For less complex desktop environments, I usually choose the "Debian Desktop with XFCE" (or MATE) option using tasksel. A typical installation (again ... you could put all this on one line):

# the following two lines are specific for the MATE desktop:
apt install mate-desktop-environment     # metapackage
apt install caja-sendto caja-open-terminal caja-wallpaper caja-xattr-tags caja-image-converter 

apt install firefox-esr thunderbird chromium deluge lynx curl nmap dnsutils build-essential module-assistant 
apt install ufw dos2unix ark rar unrar sharutils subversion rsync unison-gtk  
apt install ttf-mscorefonts-installer fonts-liberation libreoffice gnote glabels  
apt install enchant aspell-fr aspell-de hunspell-en-us hunspell-fr hunspell-de-de hunspell-de-ch 
apt install gimp gimp-gutenprint imagemagick digikam vlc k3b 
apt install sqlite sqlitebrowser python-dateutil filelight conky k3b  
apt install pdftk qpdf pdfmod ghostscript cups-pdf atril system-config-printer


Time for some clean-up. On a desktop system, we do not need the Network Manager applet, and I don't understand why minidlna is installed by default without asking. In addition, I observed some trouble with Intel graphics:

apt remove network-manager kde-nm nm minidlna
apt remove xserver-xorg-video-intel
apt purge  xserver-xorg-video-intel

Enable Alt-Ctrl-Backspace to kill X server. This needs to be done AFTER X is set up; the setting we want is on the very last screen:

dpkg-reconfigure keyboard-configuration

File and Print Services

NFS Export

For machines that make files available via NFS (i.e. NFS server):

apt install nfs-kernel-server nfs-common
vim /etc/exports

For read-only export, /etc/exports contains something like:


For read-write access, /etc/exports contains something like:


The corresponding clients will have something like this in their /etc/fstab:  /mnt/nas  nfs    noauto,user,bg,hard,intr,_netdev   0 0

... and they need the NFS tools, of course:

apt install nfs-common


If a print server is already on the network, we can simply make it available through /etc/printcap:

cat >> /etc/printcap
LJ5MP|HP LaserJet 5MP (via JetDirect) @ i5:rm=hp2:rp=LJ5MP:
OKI531|Oki C531dn @ i5:rm=hp2:rp=OKI531:

The CUPS printing system provides also the traditional lpr functionality, so we set the default printer (as user):

lpstat -p -d         # see which printers are available
lpoptions -d LJ5MP   # set default printer

Specify the default papersize:

echo "a4" > /etc/papersize
tl-paper set all a4

Apache Webserver

I keep a fully functional webserver on my local machine, so that I can test webpages with PHP scripts and other functionalities without publishing them on my "real" webserver yet. Installing Apache on Debian is done with a single command:

apt install apache2 php libapache2-mod-php

Since I create and modify all the HTML and PHP files in a folder www/<sitename> inside my home directory, I want to access them directly inside this location (i.e. without copying them to the server). Per-user web directories to the rescue:

a2enmod userdir

In /etc/apache2/mods-enabled/userdir.conf, replace all occurrences of public_html by www, then restart Apache:

systemctl restart apache2

If you get the error message "apache2: Could not reliably determine the server's fully qualified domain name, using for ServerName", the fix is simple: echo "ServerName localhost" >> /etc/apache2/conf.d/httpd.conf and run apache2ctl configtest to confirm.

Firewall: Since the server is only accessed on the local machine, I do not need to open ports 80 (http) and 443 (https) on the firewall.


We did not set up a specific Samba user. Instead, the Samba shares were created by root and then assigned to an existing user:

    mkdir /mnt/share/win/ /mnt/share/win/transfer
    chmod 2755 /mnt/share/win/ /mnt/share/win/transfer
    chown -R joe:joe /mnt/share/win/

Note that the Linux file permissions are always applied, overriding the things you wish to happen via the Samba config file. Since we are not using per-user logins here, all file access is simply assigned to the Linux user who owns the Samba share (and that we just defined above). This is the reason why we use force user and force group in the config file below.

apt install samba (for the clients: apt install samba-client cifs-utils), then adjust the configuration file /etc/samba/smb.conf. Check with testparm. Some useful entries (not everything is shown) might be:

   follow symlinks = yes		   # Make symlinks accessible
   wide links = yes
   allow insecure wide links = yes
   map to guest = bad user  
   create mask = 0664
   directory mask = 2755
   force create mode = 0644
   force directory mode = 2755

[share]             # read-only
    comment = Shared drive (read-only) 
    path = /mnt/share/win
    public = yes
    writable = no
    force user = joe
    force group = joe

[transfer]           # read-write
    comment = Transfer drive (read/write for everyone) 
    path = /mnt/share/win/transfer
    public = yes
    writable = yes
    force user = joe
    force group = joe

Specific Hardware

Works out of the Box

As usual, almost everything worked right out of the box:

My Wacom Bamboo MTE-450 tablet was detected and immediately usable.

Synchronising with the Palm T2 works: apt install jpilot pilot-link, then usermod -a -G dialout joe and use usb: as the communication port.

Bluetooth audio

Bluetooth audio finally works, I can use my Bluetooth headset e.g. for videoconferencing:

apt install pulseaudio pulseaudio-module-bluetooth pavucontrol bluez-firmware
service bluetooth restart
killall pulseaudio

If you can hear audio in the headset but the microphone does not work, the headset is most probably connected as "A2DP Sink" (i.e. listening only). To correct this, simply launch pavucontrol ("PulseAudio Volume Control"), go to the Configure tab and switch the profile from "Sink" to "Headset".


kdeconnect is a great little application that integrates Android phones and Android Tablets into the KDE desktop. Some use cases that I could appreciate immediately:


First, install the generic Linux tools for scanning and OCR, then add the user to the scanner group:

apt install sane sane-utils xsane parallel tesseract-ocr tesseract-ocr-fra tesseract-ocr-deu
usermod -a -G scanner joe

Epson Perfection 1660 Photo scanner

This scanner requires a proprietary driver that is available from the Epson support pages (I don't provide a specific link here - just search for "Epson Image Scan! for Linux"). After downloading and unpacking, launch the installer:

cd /path/to/epson/iscan-bundle-1.0.4.x64.deb/

Fujitsu SP1120 scanner with ADF

This scanner is my workhorse for document scanning. It requires a proprietary driver that is available from Fujitsu (I don't provide a specific link here - just search for "Fujitsu Image Scanner Driver for Linux"). After downloading, just install the .deb package with dpkg:

cd /path/to/fujitsu/fujitsu-sp1120/   
dpkg -i pfusp-ubuntu18.04_2.1.1_amd64.deb

One problem with the SP1120 was that I could not access the scanner as normal user: scanimage: open of device pfusp:SP1120:001:002 failed: Access to resource has been denied. The document scanner would only work as root, despite me being member of the group scanner.

The reason is that the Fujitsu scanner driver is using some extended ACL that prevented a normal user from using the device. The fix was to create a specific udev rule to correct the rights:

cat >> /etc/udev/rules.d/50-libsane.rules 
# Fujitsu SP1120
ATTRS{idVendor}=="04c5", ATTRS{idProduct}=="1473", ENV{libsane_matched}="yes", MODE="0664",OWNER="root",GROUP="root"
udevadm trigger

The ATTRS can be found by looking at the output of lsusb:

$ lsusb
Bus 002 Device 002: ID 04b8:011e Seiko Epson Corp. GT-8300UF [Perfection 1660 PHOTO]
Bus 002 Device 010: ID 04c5:1473 Fujitsu, Ltd

The MODE to be used is the same as for /dev/bus/usb/002/002, i.e. the Epson scanner.

Epson Perfection 2480

The Epson Perfection 2480 scanner does not require a proprietary driver but proprietary firmware:

cp /path/to/downloaded/firmware/esfw41.bin /lib/firmware/

Then, edit /etc/sane.d/snapscan.conf and make two modifications near the top of the file:

firmware /lib/firmware/esfw41.bin
/dev/usb/scanner0 bus=usb

After a service saned restart, the scanner should now be accessible.

Scanner startup is very slow

Starting the scanners was slow since there were too many drivers enabled in /etc/sane.d/dll.conf. I disabled all of these, except the ones that I actually use:

Also, in /etc/sane.d/epkowa.conf I disabled the scsi line.


My two network printers, a Laserjet 5MP and an OKI 531C, were identified and installed without problems.

For the Brother HL-3140CW, a printer driver from the Brother website is required. The driver features the old i386 architecture but, fortunately, Brother offers a printer installer that will download and install only those i386 packages that are strictly neccessary. After downloading and unpacking, just run the installer, specifying the exact printer type as argument (shown in bold):

bash /home/jha/Downloads/linux-brprinter-installer-2.2.1-1 hl-3140cw

Specific Software


I use VirtualBox to run instances of Microsoft Windows and other software as "guest" inside the Linux system. Install and updates are done through apt:

echo -e "\n# VirtualBox - get it directly from Oracle" >> /etc/apt/sources.list
echo "deb buster contrib" >> /etc/apt/sources.list
wget -q -O- | apt-key add -
apt update
apt install virtualbox-6.1
adduser joe vboxusers

To enable USB support you need to download and install a module from the Virtualbox website; the process is self-explaining.

If you use Microsoft Windows 10 as "guest" under Linux and have problems using the microphone, please launch pavucontrol ("PulseAudio Volume Control") while the Windows "guest" is running, then verify the settings in check two places:

Acrobat Reader

I am mostly using atril as PDF reader now. If I need to fill in forms, okular.

Yet ... there are still a few use cases where I need to use Acrobat Reader, albeit Adobe has abandoned the software several years ago for the Linux world. A Debian package of the latest version (9.5.5) is still available but features the old i386 architecture. Using gdebi helps to keep the amount of 386 packages down, i.e. we do not install acroread from but use the files from the Adobe ftp server:

apt install gdebi
dpkg --add-architecture i386 
apt update
apt install libc6:i386 libgdk-pixbuf2.0-0:i386 libglib2.0-0:i386 libgtk2.0-0:i386 libxml2:i386 
gdebi AdbeRdr9.5.5-1_i386linux_enu.deb

Bug: The software runs (with occasional crashes), but something is wrong with the font management: it would appear that acroread cannot access all of the installed fonts and falls back to its "emergency" fonts, which are not ... pleasing to read, to say the least. You can see this under File > Properties > Fonts, where e.g. Arial is replaced by Adobe Sans MM.

As a workaround, take care to create only PDF files that are PDF/A compliant; these have the fonts embedded.

FWIW, I wrote "something is wrong with the font management" since the output of fc-cache -fv or fc-cache -v shows looped directories:

/usr/share/fonts/truetype: skipping, looped directory detected
/usr/share/fonts/type1: skipping, looped directory detected
/usr/local/share/fonts/a: skipping, looped directory detected


The Arduino development package provided by Debian is outdated (due to license issues for the newer versions). To install the actual version, I download it from the Arduino website, then proceeded as follows:

sudo mkdir /opt/arduino
sudo chown -R joe:joe /opt/arduino/
sudo usermod -a -G dialout joe

.. then continue as normal user:

cd /opt/arduino/
tar xvf ~/Downloads/arduino-1.8.12-linux64.tar.xz 
cd arduino-1.8.12/

CalDaV, CardDAV and Google Calendar

apt install kaccounts-providers

To add a CardDAV account (Contacts list) to the KDE KOrganizer, go into Kontact > Settings > Configure Kontact > Calendar (!) > General > Tab "Calendars" > Add > DAV Groupware Ressource > enter your account.

To add a Google Calendar to the KDE KOrganizer, go into Kontact > Settings > Configure Kontact > Calendar > General > Tab "Calendars" > Add > Google Calendars and Tasks > enter your gmail account.

SQlite in Libreoffice

To use SQLite in LibreOffice, proceed as follows:

apt install libsqliteodbc
cat <<EOF > /etc/odbcinst.ini
Description=SQLite ODBC Driver

Description=SQLite3 ODBC Driver

The specific databases for each user are referenced in ~/odbc.ini like this:

[Clients 2020]
Description=Reservations 2020

Issues and weird things

Bash and PATH

One weird thing is that the local ~/bin directory is no longer in the PATH (unless you use a login shell), i.e. users cannot execute any scripts in their local bin directory without specifying the full path. To correct this for all users, edit the system-wide /etc/bash.bashrc and add:

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then

LyX cannot print anymore

My preferred writing tool LyX has no print menu anymore. It would appear that printing support was officially dropped from Lyx in 2015, following isolated complaints about the print preview.

The missing print support in LyX was among the reasons why I never moved to Debian 9 "Stretch". Still, I think this is a strange move - I'm using LyX every day to write and print (sic) texts, letters and invoices. Passing through an external viewer just looks like a waste of time to me.

Broken KDE settings

The transition from KDE4 (Debian 8) to KDE5 (Debian 10) resulted in many messed-up configurations and settings. I ended up logging off, doing a rm .config/plasma* and started over with with an almost fresh desktop. A further rm .kde/share/config/kdeglobals did significantly speed up the login time. Of course I had to re-enter many settings and options, but at least the behaviour of most applications was consistent again.

If you want to reduce the spacing between Desktop icons, edit /usr/share/plasma/plasmoids/org.kde.desktopcontainment/contents/ui/FolderView.qml, search for the function cellWidth (around line 600) and change as follows:

- var minIconWidth = Math.max(iconWidth, units.iconSizes.small * 8);
+ var minIconWidth = Math.max(iconWidth, units.iconSizes.small * 6);

Desktop Themes

I do not like the Breeze Theme (why do so many Linux Desktops try to copy the worst of Microsoft Windows?). Fortunately, the good old Oxygen style is still there and can be installed with apt install oxygen-icon-theme plasma-theme-oxygen. Once installed, go to System Settings > Application Style and select QtCurve - the display is much more compact.

Currency, time and language settings in KDE are messed up

I have always used custom locale settings, e.g.

In KDE5, most of the proposed currency formats for my location (Switzerland) are wrong ... and I cannot modify the individual settings - it would appear that they are hardcoded in the Qt source files (!) The problem could be solved easily if there were a means to (re-)introduce custom formats ... as was the case in previous KDE versions. I filed a bug with Debian, it was closed as "Resolved Upstream".

It was suggested to use mixture of different country settings, adjustable in Numeric, Currency and Time Formats >"Detailed Settings":

export LANG=fr_CH.UTF-8
export LC_TIME=en_SE.UTF-8
export LC_MONETARY=de_CH.UTF-8
export LANGUAGE=en_US.UTF-8

... however, as soon as these "mixed" settings are used, they screw up different applications! As an example, the glabels merge function does not recognize Umlaut or accents. The problem was temporarily solved with the above rm ./config/plasma* but after I while it reappeared, accompanied by messages like these:

(process:15072): Gtk-WARNING **: 12:35:45.983: Locale not supported by C library.
        Using the fallback 'C' locale.

The problem persists even when I launch these applications as LANG=C glabels-3 or LANGUAGE=C glabels-3. If you have the solution (other than "not touching the Detailed Settings"), please let me know.

Migrating KMail settings

Migrating KMail from the previous version (Debian 8, KDE4) to Debian Buster (KDE5) resulted in a big mess. The KMail accounts were only migrated partially, many of the the identities were messed up and many default folders were mis-assigned, including filters.

After a lot of trial and error, I ended up deleting all accounts in KMail and re-entered all account data from scratch (just for the record: 7 different mail accounts). Some things I found out:

The default KMail screen layout is a waste of screen space, so I did the following:

KMail on two computers

I have been using KMail "forever", IIRC starting with my very first Linux distribution. Over time, the KMail developers introduced changes that modified the scope of the software, moving towards an integration Personal Information Management package (KDE PIM). While I still appreciate the idea, there were core developments unrelated to the initial goal (such as "desktop search") that resulted in a software that is not just complicated but complex - in particular when it comes to to archive and restore.

This has grown into a real issue to me since I need to transfer mails and mail settings between my desktop and my laptop, with thousands of files in the Local Mail folder.

I used to have a working setup with a single unison profile that would perfectly synchronize both machines under Debian 8. The move to KDE5 broke this ... and I am currently working around the problem by using two different unison configurations:

  1. laptop-init.prf for the very first sync
  2. laptop.prf for any subsequent sync

The differences between the two are just two lines, pointed out in the code snippet below. The second configuration still marks all "new" files (= added since the last sync) as unread, but at least they are transferred.

# Unison: ignore all the log files, but not the prf files
ignore = Name unison.log
ignore = Name .unison/*
ignorenot = Name .unison/*prf
path = .unison

# this is where all the local mail is stored (maildir)
path = .local/share/
path = .local/share/local-mail

# Akonadi resources. 
# this needs to be adjusted every time if you add or remove an account ...
## COMMENT OUT AFTER 1st SYNC ## path = .local/share/akonadi
path = .local/share/akonadi-davgroupware  
path = .local/share/akonadi_googlecalendar_resource_0  
path = .local/share/akonadi_maildir_resource_0
path = .local/share/akonadi_imap_resource_4            
path = .local/share/akonadi_migration_agent
path = .local/share/emailidentities 
path = .local/share/kaddressbook
path = .local/share/kmail2
path = .local/share/kontact
path = .local/share/korganizer
path = .local/share/notes
# path = .local/share/kxmlgui5

## COMMENT OUT AFTER 1st SYNC ## path = .config/akonadi
path = .config/akonadi-firstrunrc
path = .config/akonadi_akonotes_resource_0rc
path = .config/akonadi_archivemail_agentrc
path = .config/akonadi_contactrc
path = .config/akonadi_davgroupware_resource_9rc
path = .config/akonadi_followupreminder_agentrc
path = .config/akonadi_googlecalendar_resource_0rc
path = .config/akonadi_imap_resource_0rc
path = .config/akonadi_imap_resource_1rc
path = .config/akonadi_imap_resource_2rc
path = .config/akonadi_imap_resource_3rc
path = .config/akonadi_imap_resource_4rc
path = .config/akonadi_imap_resource_5rc
path = .config/akonadi_imap_resource_6rc
path = .config/akonadi_indexing_agentrc
path = .config/akonadi_kalarm_resource_0rc
path = .config/akonadi_kalarm_resource_1rc
path = .config/akonadi_kalarm_resource_2rc
path = .config/akonadi_maildir_resource_0rc
path = .config/akonadi_maildispatcher_agent.notifyrc
path = .config/akonadi_mailfilter_agentrc
path = .config/akonadi_newmailnotifier_agentrc
path = .config/akonadi_notes_agentrc
path = .config/akonadikderc
path = .config/emaildefaults
path = .config/emailidentities
path = .config/mailtransports
path = .config/kaddressbookrc
path = .config/kmail2rc
path = .config/kmailsearchindexingrc
path = .config/kmailsnippetrc

KDE Error mounting USB devices

If you want to mount a USB device and get the error message Error - KIO Client: Unable to run the command specified. The file or folder /media/<username>/... does not exist, simply unmount the device, then delete its mountpoint in /media/<username>/. The mountpoint will be re-created when you re-insert the device.

I have no idea what causes this error, but it is related to extended permissions of the mountpoint.

Debian Buster on Laptops


I'm using Debian on all of my computers; this includes laptops. The installation of Debian Buster on a laptop is performed along the same lines as described above and went mostly seamless. Specific points are listed below; a few generic comments and hints:

Lenovo T440s

I'm using a Lenovo T440s as main laptop.

The move to Debian 10 was performed in 2020-01 and included a harddisk upgrade: the 128 GB SSD was changed against a 500 GB SSD. The old drive had a 50-GB Windows 7 partition on sda1 that I wanted to preserve and transfer "as is" to the new drive, then extend to 100 GB. I proceeded as follows:

  1. boot into the "old", existing Linux.
  2. mount a USB drive with enough free space to hold the entire partition.
  3. Archive the complete partition: dd if=/dev/sda1 | gzip -c > /path/to/usbdrive/sda1.gz
  4. Unmount the USB drive and shut down the computer.
  5. If the HDD is protected with password, remove it now.
  6. Go into the BIOS and "disable internal battery". This will shut down the machine completely.
  7. Swap the HDD.
  8. Connect the power supply and boot.
  9. Partition the HDD as needed and run a Linux base install (as described above).
  10. Boot into Linux, then mount the USB drive containing the backup.
  11. Restore the complete partition: gunzip -c /path/to/backup/sda1.gz | dd of=/dev/sda1
  12. Run cfdisk /dev/sda and check that the drive is marked as bootable (Windows needs this)
  13. Resize the Windows partition with ntfsresize --size 99G /dev/sda1
  14. Reboot into Windows.
  15. Smile :-)

If you run into trouble detecting Windows, try (under Linux):


The Linux install was without trouble, all devices work as expected and the system is stable through suspend/resume cycles. Here is the disk layout ("Disklabel type: dos"):

Partition Size Filesystem Label mount point Comment
/dev/sda1 93 GB W95 FAT32 win /mnt/win MS Windows 7 (dual-boot)
/dev/sda2 20 GB ext4 d10 / This is the root filesystem of Debian 10.
/dev/sda3 20 GB ext4 other /mnt/other This will be used when updating the system in the future.
/dev/sda5 93 GB ext4 home /home Home directories.
/dev/sda6 230 GB ext4 share /mnt/share-local Backup copy of the local NFS server data.
/dev/sda7 8 GB swap swap swap Swap space.

Acer ES1-131

I'm using an Acer ES1-131 (the sticker on the box says "Aspire E 11") as 2nd portable computer. Mine has an Intel Celeron N3050 Dual-Core CPU @ 1.6 GHz and came with a 500-GB harddisk, 2 GB of RAM and Windows 10 and was totally underpowered for that purpose. Fortunately, it runs very well once you install Linux with a light desktop such as XFCE or MATE, and a later update to 8 GB of RAM made even Windows 10 almost usable on the machine :-)

My disk layout (gpt) preserves most of the Windows partitions but was thoroughly resized to free up space:

Partition Size Filesystem Label mount point Comment
/dev/sda1 100 MB vfat ESP /boot/efi EFI system with boot files.
/dev/sda2 16 MB Microsoft reserved - - left untouched.
/dev/sda3 97 GB Microsoft basic data Acer /mnt/win Windows 10 partition, resized
/dev/sda4 826 MB Windows recovery environment - - Windows recovery, unused, shrunk to the minimum.
/dev/sda5 20 GB ext4 debian8 /mnt/debian8 This holds the "old" Debian 8 files, It will be overwritten when updating the system in the future.
/dev/sda6 20 GB ext4 debian / This is the root filesystem of Debian 10.
/dev/sda7 8 GB swap swap swap Swap space.
/dev/sda8 78 GB ext4 homedirs /home Home directories.
/dev/sda9 242 GB ext4 share-local /mnt/share-local Backup copy of the local NFS server data.
apt install firmware-linux-nonfree firmware-atheros firmware-realtek acpi-support net-tools

Using UEFI Boot

To use UEFI boot, simply proceed as follows:

  1. Enter the BIOS (F2) and move to the Boot screen.
  2. Leave the Boot Mode to UEFI, but disable Secure Boot (you may have to set a superuser password first)
  3. Move the Cursor onto the Debian entry, and move this one up (using the F5/F6 keys) above the HDD and Windows Bootloader entries.


A showstopper was that the graphic display on my machine would not come up. The workaround was to switch to the framebuffer device:

apt install fbdev xserver-xorg-video-fbdev 
dpkg-reconfigure xserver-xorg-video-fbdev

FWIW, the lspci settings for this graphics card:

00:02.0 VGA compatible controller [0300]: Intel Corporation Atom/Celeron/Pentium Processor 
     x5-E8000/J3xxx/N3xxx Integrated Graphics Controller [8086:22b1] (rev 21)

On another machine of the same type (this one with Intel Celeron N2840 @ 2.16  GHz and Insyde BIOS V1.10), the install went without problems:

00:02.0 VGA compatible controller: Intel Corporation Atom Processor Z36xxx/Z37xxx Series Graphics & Display (rev 0e)

Wireless network and suspend/resume

With Debian 10, the machine finally supports suspend/resume when closing the lid.

On machines with Broadcom BCM43142 chipset, run apt install broadcom-sta-dkms: this driver "survives" suspend/resume cycles.

With the Qualcomm Atheros QCA 9565 / AR 9565 chipset, WiFi would not come up again after a suspend/resume cycle. The solution is to reload the r8169 driver with a script:

cat <<EOF > /lib/systemd/system-sleep/r8169-refresh

# script to reload the r8169 driver after suspend.
# source:
# 2020-03-05 JHa

PROGNAME=$(basename "$0")

function log {
    logger -i -t "$PROGNAME" "$*"

log "Running $action $state"

if [[ $state == post ]]; then
    modprobe -r r8169 \
    && log "Removed r8169" \
    && modprobe -i r8169 \
    && log "Inserted r8169"

Debian Buster with RAID1


(to be completed ...)

Grub and RAID

If the grub package is updated automatically, it may happen that the system does not boot anymore. In such a case, simply boot into the rescue system and run:

grub-install /dev/sda 
grub-install /dev/sdb

Both drives will be able to boot alone.