Bricks of the knowledge wall

Ssh and nscd

2009-07-02T13:08:00.002+02:00

Strange behavior of sshd on Solaris 10:

If you use ldap as name service on Solaris 10 then you have use nscd daemon, ssh won't permit you log into without it.

How to examine content of certificates database

2009-06-30T10:02:00.004+02:00

/usr/sfw/bin/certutil -L -d /var/ldap/ - lists certificates in Solaris ldap client database

certutil -L -d /var/ldap/ -n certname -shows information about a certificate

Sun Directory Server backup scripts

2009-06-29T14:21:00.004+02:00

Sun Directory Server has quite good tools for backups. But if you want them to perform automaticaly you will have to create some cron scripts:

$cat backup.sh

#!/usr/bin/bash
DSADM=/opt/SUNWdsee/ds6/bin/dsadm
INSTANCE_NAME=instancename
INSTANCE_HOME=/var/spool/ldap_instances
INSTANCE_PATH=$INSTANCE_HOME/$INSTANCE_NAME
BACKUP_TIMESTAMP=`/usr/bin/date '+%H:%M:%S_%d:%m:%y'`
BACKUP_DIR=/var/backup/$INSTANCE_NAME/$BACKUP_TIMESTAMP
BACKUP_DIR_BINARY_DATA=/var/backup/$INSTANCE_NAME/$BACKUP_TIMESTAMP/binary

mkdir $BACKUP_DIR&&echo "*BACKUP DIRECTORY CREATED"
$DSADM stop $INSTANCE_PATH&&echo "*LDAP instance $INSTANCE_NAME - stopped"
$DSADM backup $INSTANCE_PATH $BACKUP_DIR_BINARY_DATA 2>&1 >/dev/null&&echo "*Binary data - backuped"
cp -r $INSTANCE_PATH/config $BACKUP_DIR&&echo "* Configuration data 1/2 copied"
cp -r $INSTANCE_PATH/alias $BACKUP_DIR/config&&echo "* Configuration data 2/2 copied"
$DSADM start $INSTANCE_PATH&&echo "*LDAP instance $INSTANCE_NAME - started"
echo "Saved data is under $BACKUP_DIR"

$cat restore.sh(don't put into crontab :)):

#!/usr/bin/bash

DSADM=/opt/SUNWdsee/ds6/bin/dsadm
SOURCE=$1
TARGET=$2

$DSADM stop $TARGET&& echo "Instance $TARGET stopped"
cp -r $SOURCE/config/alias/ $TARGET/config/&&echo "Config Data 1/2 restored"
cp -r $SOURCE/config/ $TARGET&& echo "Config Data 2/2 restored"
$DSADM restore $TARGET $SOURCE/binary/ && echo "Binary data restored"
$DSADM start $TARGET&& echo "Instance $TARGET started"

Solaris native LDAP client(Password policies)

2009-06-23T14:54:00.001+02:00

1. Password policies in Sun Directory Server are applied automaticaly (Default global password policy )
2. It's easy to create custom policies and apply them to different ldap trees(passwordpolicysubentry: cn=PolicyName,dc=test,dc=com)
3. In other words passwords policies works fine through LDAP, but user will see onle one reason of declining his password operation - "permission denied".

Solaris native LDAP client(using netgroups)

2009-06-23T14:49:00.003+02:00

If you want to define list of users and groups which are permited to use your exact host you need "netgroup" feature.

To use it in Solaris 10 it is necessary to:
1. Use "compat" in /etc/nsswitch.conf

#passwd: files ldap
#group: files ldap

passwd: compat
passwd_compat: ldap

group: compat
group_compat: ldap

2. Have installed proper pam modules (out of box on Solaris 10) and proper pam.conf

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

3. Proper content in LDAP
ldapaddent -a simple -D "cn=Directory Manager" -f /etc/netgroup netgroup

4. You have to attach groupname to the end of your passwd and shadow files:
Echo "+@groupname:x:::::" >>/etc/passwd
pwconv

5. Test if your netgroups and users works properly:
getent passwd
getent shadow

6. You will not be able to use "compat" if havn't defined groups, if don't need them use simple "ldap" declaration in nsswitch.conf!

Less known Solaris features

2009-06-17T14:41:00.000+02:00

A great book about less known Solaris features

Some tips using ssl with Sun Directory Server 6.3.1

2009-06-17T13:58:00.002+02:00

To make native ldap client using ssl with directory server perform following steps:

1. On directory server create/add own selfsigned/CAsigned certificates.
Don't use default ones(which are created during install), they are created with not FQDN.

2. Configure directory server(s) use them by default.

3. Export certificates in "der" format from each node you plan connect to(name them equal to domain names of servers):
/opt/SUNWdsee/ds6/bin/dsadm show-cert -F der -o CertName ldap_instance_name/logs/access "CertName"

4. Copy exported certificates to one place where you will import them into Solaris ldapclient's certificate database (in our case it's "cert_database").

5. Create certificate database:
/usr/sfw/bin/certutil -N -d ./cert_database

6. Import certificate(s):
/usr/sfw/bin/certutil -A -i ./CertName -n CertName -t CT -d ./cert_database

7. Distribute this database among all Solaris hosts which will use ldap, put it at /var/ldap directory.

8. Use ldapclient init ..... on each host.

9. Check everything works fine(on server):
tail -f ldap_instance_name/logs/access

That's all!

P.S: If you want secure communication in Directory Server replications, exchange certificates among each node also!

Webconsole on all interfaces

2009-06-16T13:38:00.002+02:00

Of cource, it's not a good idea to do it on production(for security reasons ;)),
but for testing purposes
#svccfg -s svc:/system/webconsole setprop options/tcp_listen = true

Export of rbac databases to ldap

2009-06-11T11:00:00.002+02:00

Beter use

#/usr/sadm/bin/smattrpop -c -f -v -s file:/servername -t ldap:/servername/dc=example,dc=com all

to export RBAC files to LDAP server.

Importing Projects database to LDAP

2009-06-05T10:13:00.002+02:00

`projects` Database

The default projects defined in /etc/project can be expressed in LDIF like this:

dn: solarisprojectname=system,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 0
SolarisProjectName: system

dn: solarisprojectname=user.root,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 1
SolarisProjectName: user.root

dn: solarisprojectname=noproject,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 2
SolarisProjectName: noproject

dn: solarisprojectname=default,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 3
SolarisProjectName: default

Files you have to import to LDAP for Solaris client proper work

2009-06-05T09:48:00.001+02:00

ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/aliases aliases
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/hosts ipnodes
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/rpc rpc
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/hosts hosts
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/protocols protocols
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/networks networks
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/services services
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/group group
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/netmasks netmasks
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/publickey publickey
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/aliases aliases
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/auto_home auto_home
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/auto_master auto_master
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/tsol/tnrhdb tnrhdb
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/tsol/tnrhtp tnrhtp
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/audit_user audit_user
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/auth_attr auth_attr
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/exec_attr exec_attr
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/security/prof_attr prof_attr
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/user_attr user_attr
ldapaddent -D "cn=Directory Manager" -w your_pass -f /etc/netmasks netmasks
ldapaddent -p -D "cn=Directory Manager" -w your_pass -f /etc/passwd passwd
ldapaddent -p -D "cn=Directory Manager" -w your_pass -f /etc/shadow shadow

Solaris LDAP client setup. part 2(management interface)

2009-06-04T13:49:00.002+02:00

Now we have an environment which uses LDAP as Name Service.
And the question of proper data management in LDAP arises.
We can use:

Sun Directory Server Webconsole Interface which is delivered with Directory server (which is a bad idea, you'll have to edit raw data) .
Use SMC (Solaris Management Interface) related tools. (Howto)

Problems which took a lot of time:
When run:

#/usr/sadm/bin/smrole list -D ldap:/solaris10core.example.test/dc=example,dc=test -- Use LDAP form of domain declaration(dc=,dc=), there are no word in manuals about it.
#/usr/sadm/bin/dtsetup scopes - be careful with domain name resolving for all domains this command shows.
Better run SMC in environment with END user cluster.

Solaris LDAP client setup. part 1

2009-05-28T16:49:00.004+02:00

Very simplified you can setup Solaris ldap user authentication in such steps.

On server side:
#/usr/lib/ldap/idsconfig
This tool inserts a lot of stuff in LDAP server(schemas, creates items tree, access creds, indexes search atributes etc.)

On client:
#ldapclient init -a profileName=prfilename server_ip_address
#ldapaddent -a simple -p -D "cn=Directory Manager" -f /etc/passwd passwd
#ldapaddent -a simple -p -D "cn=Directory Manager" -f /etc/group group
etc. more information in ldapaddent documentation
............

Everything goes fine, but passwords are not imported to ldap, to fix it you have manualy change password through Directory Server Control Console for each user. It actually can be coused by the fact my test environment used unencrypted communication between ldap server and client!

Postinstall configuration of Solaris zone

2009-05-28T08:31:00.001+02:00

When you have just installed a Solaris zone, you have to configure it to start working.
You can do it with zlogin -C command . The one of the first questions it asks is about terminal type you are using.
And here is some trick. Even if you do this from ssh session and $TERM variable is xterm you have to choose VT100 terminal.
In other case it hangs!

First steps to have Sun One Directory Server up and running

2009-05-27T16:43:00.002+02:00

To have DS up and running you have to go through several steps.
You are able to control directory server through command line tools(dsadm,dsconf) and by Java Web Console.
To use the second one you have :
1. Register Directory Service Control Center in Java Web Console
#/opt/SUNWdsee/dscc6/bin/dsccsetup ads-create
#/opt/SUNWdsee/dscc6/bin/dsccsetup status
#/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads
#cacaoadm start
2.Start Java Web Console if necessary with the smcwebserver command
# /usr/sbin/smcwebserver start
3.Log into Directory Service Control Center with system user.
https://hostname:6789/
4. Create directory server instance.

Sun One Directory Server installation

2009-05-27T14:14:00.000+02:00

This directory server is included in product called Sun Java Enterprise System.
To install it on basic system it's necessary to install some extra packages.
For text based installation:
SUNWadmc,SUNWpl5u,SUNWadmfr,SUNWxcu4,SUNWadmfw,SUNWxcu6.
For GUI:
SUNWctpls,SUNWxwplr,SUNWmfrun,SUNWxwplt,SUNWxwfnt,SUNWxwrtl,SUNWxwice.

To begin installation unzip java_es-5-identsuite-ga-solaris-x86.zip and run
#./installer

During installation process you will be asked what components to install and proposed to configure them.
Installation log can be found in /var/sadm/install/logs/
and configuration report /var/sadm/install/logs/Java_Enterprise_System_Identity_Management_Suite_Summary_Report_install(Some number)

Installing zone support on basic Solaris 10 system

2009-05-26T10:11:00.000+02:00

This tip is about how to install zones(containers) support on Solaris 10
system(of course if you don't like to use full installations of Solaris)

To do it , install these packages regardless dependency warnings:
SUNWadmc
SUNWadmfr
SUNWadmfw
SUNWlur
SUNWlucfg
SUNWluu
SUNWpoolr
SUNWpool
SUNWluzone
SUNWzoner
SUNWzoneu

First steps to do after fresh installation of Solaris 10(core system) part 1

2009-05-25T11:16:00.001+02:00

1. Install bash,ssh,less(can't live without it):
mount /dev/dsk/c1t0d0p0 /mnt
#pkgadd -d /mnt/Solaris_10/Product/ SUNWbash
#pkgadd -d /mnt/Solaris_10/Product/ SUNWssh*
#pkgadd -d /mnt/Solaris_10/Product/ SUNWless

2. Generate key and enable ssh:
#ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
#svcadm enable ssh

3. Man pages will be useful also:
#pkgadd -d /cdrom/Solaris_10/Product SUNWdoc SUNWman

First steps to do after fresh installation of Solaris 10(core system) part 1

2009-05-25T11:11:00.000+02:00

From Debian with love!

2009-04-27T14:36:00.002+02:00

New Solaris packing system (IPS) and Debian's apt-get comparison.

Debian way of Solaris

2008-11-26T15:08:00.002+02:00

As you know a new packet management system (IPS) was released in a Open Solaris 2008.05.
The great event I thinks, It was the very necessary step towards greater usability of Solaris.
IPS is similar to Debian's APT or Aptitude and this is very good!
Great deal Ian Murdock !

I found a great article which will give you an overview of how it works.

Quick view at Solaris 10 10/08 Release

2008-11-05T16:58:00.006+02:00

As you know It was announced by SUN that it will be possible to install
Solaris 10/08 on ZFS filesystem directly.
I've checked how it works, you can watch it in the video report below.
I only can say that I've expected more: installer doesn't give ability to chose of what type of pool I want, I mean the process must be more customizable ... and hope that it will done in future releases.

Good article about Mysql Cluster deployed in Solaris Zones

2008-11-03T16:45:00.002+02:00

http://www.sun.com/bigadmin/features/articles/mysql_cluster_zones.jsp

Some usefull shell tricks

2008-06-04T17:35:00.006+02:00

Reuse previous arguments

The !$ command returns the last file name parameter used with a command. But what happens if you have a command that used multiple file names and you want to reuse just one of them? The !:1 operator returns the first file name used in a command. The example in Listing 1 shows how you can use this operator in combination with the !$ operator. In the first command, a file is renamed to a more meaningful name, but to preserve use of the original file name, a symbolic link is created. The file kxp12.c is renamed in a more readable manner, then the link command is used to create a symbolic link back to the original file name, in case it's still used elsewhere. The !$ operator returns the file_system_access.c file name, and the !:1 operator returns the kxp12.c file name, which is the first file name of the previous comma nd.

Listing 1. Using !$ and !:1 in combination

$ mv kxp12.c file_system_access.c
$ ln –s !$ !:1

Manage directory navigation with pushd and popd

UNIX supports a wide variety of directory-navigation tools. Two of my favorite productivity tools are pushd and popd. You're certainly aware that the cd command changes your current directory. What happens if you have several directories to navigate, but you want to be able to quickly return to a location? The pushd and popd commands create a virtual directory stack, with the pushd command changing your current directory and storing it on the stack, and the popd command removing the directory from the top of the stack and returning you to that location. You can use the dirs command to display the current directory stack without pushing or popping a new directory. Listing 2 shows how you can use the pushd and popd commands to quickly navigate the directory tree.

Listing 2. Using pushd and popd to navigate the directory tree

$ pushd . ~ ~
$ pushd /etc /etc ~ ~
$ pushd /var /var /etc ~ ~
$ pushd /usr/local/bin /usr/local/bin /var /etc ~ ~
$ dirs /usr/local/bin /var /etc ~ ~
$ popd /var /etc ~ ~
$ popd /etc ~ ~
$ popd ~ ~
$ popd

The pushd and popd commands also support parameters to manipulate the directory stack. Using the +n or -n parameter, where n is a number, you can rotate the stack left or right, as shown in Listing 3.

Listing 3. Rotating the directory stack

$ dirs /usr/local/bin /var /etc ~ ~
$ pushd +1 /var /etc ~ ~ /usr/local/bin
$ pushd -1 ~ /usr/local/bin /var /etc ~

Taken from here.

Using X server in Windows for calling remote graphical applications in Unix

2008-05-28T11:36:00.002+02:00

Sometimes you need ability to run X apps from remote unix servers.
It is not a problem when you are using unix as a client, but what should you do when you running windows.

The answer:
1. Your can use X servers for windows such as Xming is(I recommend this case if you are sure that this is the onliest task you will perform).
2. You can run X server from Cygwin

Lets examine the second one:
1. Install Cygwin and run it.
2. In shell run:
$XWin -logfile /tmp/asd.log -ac &
3. Connect to the desired host:
$ssh -X host
4. You have to export $DISPLAY variable with a value which points to host you have come from:
host$export DISPLAY=sourcehost:0.0
5. Run your apps:
host$xterm

Bricks of the knowledge wall

Ssh and nscd

How to examine content of certificates database

Sun Directory Server backup scripts

Solaris native LDAP client(Password policies)

Solaris native LDAP client(using netgroups)

Less known Solaris features

Some tips using ssl with Sun Directory Server 6.3.1

Webconsole on all interfaces

Export of rbac databases to ldap

Importing Projects database to LDAP

projects Database

Files you have to import to LDAP for Solaris client proper work

Solaris LDAP client setup. part 2(management interface)

Solaris LDAP client setup. part 1

Postinstall configuration of Solaris zone

First steps to have Sun One Directory Server up and running

Sun One Directory Server installation

Installing zone support on basic Solaris 10 system

First steps to do after fresh installation of Solaris 10(core system) part 1

First steps to do after fresh installation of Solaris 10(core system) part 1

From Debian with love!

Debian way of Solaris

Quick view at Solaris 10 10/08 Release

Good article about Mysql Cluster deployed in Solaris Zones

Some usefull shell tricks

Reuse previous arguments

Manage directory navigation with pushd and popd

Using X server in Windows for calling remote graphical applications in Unix

`projects` Database