

checksums …..

After downloading upgrade media for an HMC, I wanted to check consistency of the packages. During the download, I had to expand their file system and this gave me the “verify it” idea.

These are the contents I got from the IBM server:

# ls -ltr
total 6219440
-rw-r--r--    1 root     system      2730176 Jul 08 06:59 bzImage
-rw-r--r--    1 root     system    817065984 Jul 08 07:20 disk1.img
-rw-r--r--    1 root     system   1456427008 Jul 08 07:58 disk2.img
-rw-r--r--    1 root     system           78 Jul 08 08:21 hmcnetworkfiles.sum
-rw-r--r--    1 root     system    873922560 Jul 08 08:21 disk3.img
-rw-r--r--    1 root     system     34185788 Jul 08 08:22 initrd.gz

The hmcnetworkfiles.sum file lists each file and its checksum value. See for yourself:

# cat hmcnetworkfiles.sum
02364:bzImage
06816:initrd.gz
55470:disk1.img
33312:disk2.img
45622:disk3.img

To compute the checksums of these files, use the sum command, perhaps in a loop like this one:

# for f in $(awk -F ':' '{print $2}' hmcnetworkfiles.sum)
do
sum "$f" | awk '{print $1":"$3}'
done

Which in this case generated the following output:

02364:bzImage
06816:initrd.gz
55470:disk1.img
33312:disk2.img
45622:disk3.img

Comparing this output with that of the cat hmcnetworkfiles.sum command shows that the data transferred successfully.
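The comparison above can be scripted so that a mismatch, a missing file or a malformed manifest line is reported instead of eyeballed. This is an added example, not part of the original post; verify_sum_manifest is a hypothetical helper name, and since sum produces only a 16-bit checksum, a match shows the transfer was not damaged, not that the images are authentic.

```shell
#!/bin/sh
# Added example: verify files against a "checksum:filename" manifest such as
# hmcnetworkfiles.sum. verify_sum_manifest is a hypothetical helper name.
# Note: sum yields a 16-bit checksum, so a match rules out transfer damage
# but says nothing about deliberate modification.

# verify_sum_manifest MANIFEST [DIR]
# Prints OK / MISMATCH / MISSING / REJECTED per entry; returns 0 only when
# every entry verified, 1 on any failure, 2 if the manifest is unreadable.
verify_sum_manifest() {
    manifest=$1
    dir=${2:-.}
    rc=0
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case $line in
            *:*) ;;
            *) echo "REJECTED:$line"; rc=1; continue ;;
        esac
        expected=${line%%:*}    # text before the first colon
        name=${line#*:}         # text after the first colon

        # Accept only a numeric checksum and a plain file name, so a
        # manifest entry cannot point outside DIR.
        case $expected in
            ''|*[!0-9]*) echo "REJECTED:$line"; rc=1; continue ;;
        esac
        case $name in
            ''|.|..|*/*) echo "REJECTED:$line"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:$name"; rc=1; continue
        fi

        # Feed the file on stdin so sum prints no name; keep field 1 only.
        # String comparison: the manifest must carry sum's zero padding.
        actual=$(sum < "$dir/$name" | awk '{print $1}')
        if [ "$actual" = "$expected" ]; then
            echo "OK:$name"
        else
            echo "MISMATCH:$name expected=$expected actual=$actual"
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Run as: sh verify_sum.sh hmcnetworkfiles.sum [directory]
if [ "$#" -gt 0 ]; then
    verify_sum_manifest "$@"
fi
```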

Posted in Real life AIX.



map FC devices on aix box

A host with a large number of FC adapters, disks, tape drives, and so forth occasionally may put you in a difficult situation, especially when during a meeting someone asks you for “what is where”…..
The following few lines of shell can help you respond.

#!/usr/bin/ksh

# W.M.Duszyk 2/12
# map FC devices to their adapters and interfaces

for f in $(lsdev|awk '/fcs/{print $1}'); do
        printf "${f} - "
        j=$(lsdev -p $f|awk '/fscsi/{print $1}')
        echo "${j}:"
        z=$(lspath -p $j)
        if [ -n "$z" ]
         then
                 echo "$z"|awk '/rmt|smc|disk|d1/{printf "%s ", $2}END{print "\n"}'
         else
                 lsdev -p $j|awk '/rmt|smc|disk/{printf "%s ", $1}END{print "\n"}'
        fi
 done

For example:

# ./MapDev.ksh
fcs0 - fscsi0:

fcs1 - fscsi1:

fcs2 - fscsi2:

fcs3 - fscsi3: hdisk30 hdisk31 hdisk32 hdisk33 hdisk34 hdisk35 hdisk36 hdisk37 hdisk38 hdisk39 hdisk40 hdisk41 hdisk42 hdisk43 hdisk44 hdisk45 hdisk46 hdisk47 hdisk48 hdisk49 hdisk50 hdisk51 hdisk52

fcs4 - fscsi4: hdisk30 hdisk31 hdisk32 hdisk33 hdisk34 hdisk35 hdisk36 hdisk37 hdisk38 hdisk39 hdisk40 hdisk41 hdisk42 hdisk43 hdisk44 hdisk45 hdisk46 hdisk47 hdisk48 hdisk49 hdisk50 hdisk51 hdisk52

fcs5 - fscsi5:

fcs6 - fscsi6: rmt12 rmt13 rmt14 rmt15 rmt54 rmt55 rmt82 rmt83 rmt100 rmt101 rmt102 rmt103 rmt132 rmt133 rmt154 rmt155 rmt168 rmt169 rmt170 rmt171 rmt196 rmt197 rmt198 rmt199 rmt226 rmt227 rmt248 rmt249 rmt250 rmt251 rmt252 rmt253 rmt254 rmt255 rmt256 rmt257 rmt258 rmt259 rmt286 rmt287 rmt288 rmt289 smc1 smc11 smc17

fcs7 - fscsi7: rmt16 rmt17 rmt18 rmt19 rmt44 rmt45 rmt46 rmt47 rmt56 rmt57 rmt64 rmt65 rmt66 rmt104 rmt105 rmt106 rmt107 rmt134 rmt135 rmt156 rmt157 rmt172 rmt173 rmt174 rmt175 rmt200 rmt201 rmt202 rmt203 rmt228 rmt229 rmt296 rmt297 rmt298 rmt299 rmt300 rmt301 rmt302 rmt303 rmt304 rmt305 rmt306 rmt307 smc2 smc9 smc19

fcs8 - fscsi8: rmt20 rmt21 rmt22 rmt23 rmt58 rmt59 rmt67 rmt68 rmt69 rmt108 rmt109 rmt110 rmt111 rmt116 rmt117 rmt118 rmt158 rmt159 rmt176 rmt177 rmt178 rmt179 rmt204 rmt205 rmt206 rmt207 rmt230 rmt231 rmt260 rmt261 rmt262 rmt263 rmt264 rmt265 rmt266 rmt267 rmt268 rmt269 rmt270 rmt271 rmt336 rmt337 rmt338 rmt339 rmt340 rmt341 smc3 smc12 smc23

fcs9 - fscsi9: rmt24 rmt25 rmt26 rmt27 rmt60 rmt61 rmt70 rmt71 rmt72 rmt112 rmt113 rmt114 rmt115 rmt119 rmt120 rmt121 rmt140 rmt141 rmt142 rmt180 rmt181 rmt182 rmt183 rmt208 rmt209 rmt210 rmt211 rmt232 rmt233 rmt272 rmt273 rmt274 rmt275 rmt276 rmt277 rmt278 rmt279 rmt280 rmt281 rmt282 rmt283 smc4 smc13

fcs10 - fscsi10:rmt28 rmt29 rmt30 rmt31 rmt62 rmt63 rmt73 rmt74 rmt75 rmt84 rmt85 rmt86 rmt87 rmt122 rmt123 rmt124 rmt143 rmt144 rmt145 rmt184 rmt185 rmt186 rmt187 rmt212 rmt213 rmt214 rmt215 rmt234 rmt235 rmt236 rmt237 rmt238 rmt239 rmt240 rmt241 rmt242 rmt243 rmt244 rmt245 rmt246 rmt247 rmt284 rmt285 smc5 smc14 smc16

fcs11 - fscsi11: rmt32 rmt33 rmt34 rmt35 rmt48 rmt49 rmt76 rmt77 rmt88 rmt89 rmt90 rmt91 rmt125 rmt126 rmt127 rmt146 rmt147 rmt148 rmt188 rmt189 rmt190 rmt191 rmt216 rmt217 rmt218 rmt219 rmt308 rmt309 rmt310 rmt311 rmt324 rmt325 rmt326 rmt327 rmt328 rmt329 rmt330 rmt331 rmt332 rmt333 rmt334 rmt335 smc6 smc15 smc20 smc22

fcs12 - fscsi12: rmt0 rmt1 rmt2 rmt3 rmt36 rmt37 rmt38 rmt39 rmt50 rmt51 rmt78 rmt79 rmt92 rmt93 rmt94 rmt95 rmt128 rmt129 rmt136 rmt137 rmt138 rmt139 rmt149 rmt150 rmt151 rmt160 rmt161 rmt162 rmt163 rmt220 rmt221 rmt222 rmt223 rmt312 rmt313 rmt314 rmt315 rmt316 rmt317 rmt318 rmt319 rmt320 rmt321 rmt322 rmt323 smc7 smc10 smc21

fcs13 - fscsi13: rmt40 rmt41 rmt42 rmt43 rmt52 rmt53 rmt80 rmt81 rmt96 rmt97 rmt98 rmt99 rmt130 rmt131 rmt152 rmt153 rmt164 rmt165 rmt166 rmt167 rmt192 rmt193 rmt194 rmt195 rmt224 rmt225 rmt290 rmt291 rmt292 rmt293 rmt294 rmt295 smc8 smc18

Posted in Real life AIX.


mounting cifs from WIN2012

WIN2012 is not really supported….. These were the words of the IBM engineer working on my PMR, which I opened to find out how to mount WIN2012 shares (cifs)….. Well, we can mount cifs from the previous releases of WINDOWS OS but not the 2012 one. Next, he emailed me a link to a Microsoft document explaining how to disable SMB signing – the reason for the failure. I was advised to follow the WIN2003 procedure, which still applies to WIN2012.

You can have a look at the document following this link – “Overview of Server Message Block signing”

To mount CIFS share in AIX:

# mount -v cifs -n lawisnqw1/lawsona/law1199 \
                 -o wrkgrp=wmd-edu,fmode=755 /tjtest /tjtest

aka

# mount -v cifs -n WINhost/WinUser/WinUserPassword \
                -o wrkgrp=wmd-edu,fmode=755 /ShareName /AIXmountPoint

To mount CIFS in RedHat6:

# mount.cifs //lawisnqw1/tjtest /test \
                -o username=lawsona,password=law1199,domain=wmd-edu

Now, let’s wait for Igor to get a moment of free time to disable SMB signing and check if this will put this request to bed…. :-)

Posted in Linux, Real life AIX.


Kerberos, Active Directory and ftp

It is not surprising that more and more users look to Active Directory as the way to unify and simplify how users are authenticated/authorized, and to save some money too.
After all, Active Directory and Windows are in almost every office on this planet. Not to mention that if you work in a heavily audited environment, the ability to have a single store of user definitions is really a blessing!

For about the last two months now, I have been trying to get ftp working for AIX users authenticated with Kerberos services provided by Active Directory (2012).
I am not doing it alone, I have an open PMR, and after numerous iptraces, snaps, and so forth my KERBEROS authenticated users still cannot use ftp…. and this sucks!
The locally defined users (admin accounts) can, but the “flesh & bone” users, the ones “living” in Active Directory, cannot.

Is there someone out there who got this working and who is willing to share his/her knowledge, please?

Thanks,
MarkD:-)

Posted in Real life AIX.



nim client removal

I have not done any patching for a while and today, when I had to remove a nim client definition, I could not remember the second command to use. Now I do, so here is the process, for the record:

First, reset the client

# nim -F -o reset NIM_CLIENT_NAME

Now, remove all resources associated with the client.

# nim -o deallocate -a subclass=all  NIM_CLIENT_NAME

At this stage the client can be removed.

# nim -o remove -F  NIM_CLIENT_NAME

NIM_CLIENT_NAME is the hostname of the client to be removed.

Posted in Real life AIX.



issues with a file system............

Last Friday evening, the SAN administrator migrated disks of some hosts from one contraption to another. The affected AIX machines immediately lost their sanity, and to get the file systems to a usable state they all had to be rebooted. A day later, an application administrator sent out an email informing us that he has two hosts which are missing the same file system. These file systems are not “shared”, each of these two machines has its own disks (SAN delivered), the identical file system name is the only thing common to them both.

Since we follow the practice of keeping logical volume names and their associated file system names as close as they can be, it was easy to figure out what was going on. Look at the output below:

# lsvg -l epcshreu001_vg
epcshreu001_vg:
LV NAME        TYPE   LPs  PPs     PVs  LV STATE      MOUNT POINT
epicbin_lv     jfs2   4       4    1    closed/syncd  #
engaudit_lv    jfs2   4       4    1    open/syncd    /epic/engaudit
epicprd_lv     jfs2   80      80   1    open/syncd    /epic/prd
epicjournal_lv jfs2   120     120  1    open/syncd    /epic/jrnlshde1

I decided to mount the file system using its appropriate name which was correctly represented as a stanza in /etc/filesystems. It worked like a charm :-)

# grep -p /epic/bin: filesystems
/epic/bin:
        dev             = /dev/epicbin_lv
        vfs             = jfs2
        log             = INLINE
        mount           = true
        check           = false
        options         = rw
        account         = false
# mount /dev/epicbin_lv /epic/bin 

Inspecting this file system revealed its contents were intact! I created a new file system and filled it with a copy of /epic/bin, just in case. Next, /epic/bin and the other file systems in this volume group were unmounted, and the volume group was varied off and exported. Next, the volume group was imported and varied on, and it still showed the strange looking # instead of the file system name (executing lsvg -l epcshreu001_vg).

The syncvg -v epcshreu001_vg and the syncvg -l epicbin_lv commands were executed and nothing changed…..

Here we go again, the file systems were all unmounted, the volume group varied off and exported. Next, a copy of /etc/filesystems was made and the file inspected. We are looking for the stanza /epic/bin:. Yes, it is there! But it should not be there – every time a volume group is exported this file is updated, removing the file system stanzas associated with the exported volume group! I think, this is how it works, right?

The stanza was removed, and the volume group imported and varied on. The next execution of the lsvg -l epcshreu001_vg shows that the offending # character has been replaced with the /epic/bin as it should be! The next command (mount all) mounts all the file systems and opens them for user access.

Now, what happened here? Is this the result of the recent SAN migration? No, no, no! I do not think so. I bet my dollar that someday in the past a manual edit of the file left some hidden “special” character behind, which prevented AIX from removing this file system stanza…… the SAN migration and the reboot following it just happened to expose this fact, and then when the second host was built (a copy of the first one) the /etc/filesystems was copied too…..
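One way to look for the kind of invisible character suspected above before the next exportvg, as an added example that is not part of the original post: find_hidden_bytes is a hypothetical helper name, and it reports every byte outside printable ASCII and tab without claiming which of them AIX trips on.

```shell
#!/bin/sh
# Added example: list lines of a stanza file (such as /etc/filesystems) that
# contain bytes an editor will not show. find_hidden_bytes is a hypothetical
# helper name; it reports every byte outside printable ASCII and tab.

# find_hidden_bytes FILE
# Prints "LINE [STANZA] TEXT" with each hidden byte rendered as \xHH.
# Returns 0 when the file is clean, 1 when anything was reported.
find_hidden_bytes() {
    LC_ALL=C awk '
    function visible(s,    out, i, n) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            n = ord[substr(s, i, 1)]
            if (n == 9 || (n >= 32 && n <= 126))
                out = out substr(s, i, 1)
            else
                out = out sprintf("\\x%02x", n)
        }
        return out
    }
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }

    # A line starting in column 1 that is not a "*" comment opens a stanza.
    /^[^ \t*]/ { stanza = $0; sub(/:.*$/, "", stanza) }

    # Anything outside space..tilde and tab is invisible or non-ASCII.
    /[^ -~\t]/ {
        printf "%d [%s] %s\n", NR, visible(stanza), visible($0)
        found = 1
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Run as: sh find_hidden.sh /etc/filesystems
if [ "$#" -gt 0 ]; then
    find_hidden_bytes "$1"
fi
```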

Posted in Real life AIX.



Power7, SMT, CPU utilization, etc

There is a lot of room for misunderstanding CPU utilization with active SMT (either 2 or 4 threads). Lately, I am in a situation where not only do I have to know what is going on with CPU utilization, but I also have to be able to show and explain it to my clients and my bosses as well.
For all of you who need to learn more about SMT and CPU utilization – check at least these two posts by Mr. Nigel Griffiths, IBM.

nmon – I can’t see all the CPUs on-screen. Please Help!

nmon – new online Physical CPU Graphs arrive for latest AIX 6.1

More reading material, after a comment from Rob: Power7 CPU and Virtual Processors. You may need to download this document to be able to read it (PowerPoint presentation).

Posted in Real life AIX.


Method error (/usr/lib/methods/cfallvpath -2): 0514-068 Cause not known

To migrate to PowerHA System Mirror 7.1 my cluster needs a pair of disks. But something is wrong, the cfgmgr command fails with the following messages:

# cfgmgr
Method error (/usr/lib/methods/cfallvpath -2):
        0514-068 Cause not known.
sh: /usr/lib/methods/cfallvpath:  not found.

What adds to the mystery is the fact that the /usr/lib/methods/cfallvpath is absent from this host and from all the other nodes in this cluster and as I can see later – it is absent from all of my AIX boxes (6.1.8 and 7.1.3). Something here does not add up…. Do I really need to reboot these nodes in order to get the disks in? Maybe not if only I could delete the offending “method” from ODM.

Let’s start by backing up the current configuration rules, just in case…

# cd /etc/objrepos; cp Config_Rules Config_Rules.BACKUP

Now, let’s see (this step should really be the first one) these rules/methods for the last time.

# odmget -q "rule='/usr/lib/methods/cfallvpath -2' " Config_Rules

Config_Rules:
        phase = 2
        seq = 50
        boot_mask = 0
        rule = "/usr/lib/methods/cfallvpath -2"

Config_Rules:
        phase = 3
        seq = 50
        boot_mask = 0
        rule = "/usr/lib/methods/cfallvpath -2"

Look and check that the backup you made is really there where you left it. Ready to go, let’s remove the rules.

# odmdelete -q "rule='/usr/lib/methods/cfallvpath -2' " -o Config_Rules
0518-307 odmdelete: 2 objects deleted.

Is this the truth and they are gone?

# odmget -q "rule='/usr/lib/methods/cfallvpath -2' " Config_Rules

No output means that the rules have been removed. Now, it is the time for some housekeeping.

# savebase -v
saving to '/dev/hd5'
81 CuDv objects to be saved
366 CuAt objects to be saved
27 CuDep objects to be saved
22 CuVPD objects to be saved
405 CuDvDr objects to be saved
110 CuPath objects to be saved
216 CuPathAt objects to be saved
0 CuData objects to be saved
0 CuAtDef objects to be saved
Number of bytes of data to save = 51308
Compressing data
Compressed data size is = 16280
        bi_start     = 0x3600
        bi_size      = 0x1b20000
        bd_size      = 0x1b00000
        ram FS start = 0x917e30
        ram FS size  = 0x10ec71a
        sba_start    = 0x1b03600
        sba_size     = 0x20000
        sbd_size     = 0x3f9c
Checking boot image size:
        new save base byte cnt = 0x3f9c
Wrote 16284 bytes
Successful completion

Now, ready to run the ConfigurationMangler as Mr.Mike F. affectionately calls it ….

# cfgmgr 

It returns with no errors and the lspv shows the two new disks as expected. Have a good weekend Sys Admins!

Posted in Real life AIX.


NIM, KRB5/AD rsh, ftp …….

Lately, I am busy trying to get ftp and rsh to work with KRB5/AD as the authentication engine. Apparently, there are still applications that need both ftp and rsh… NIM is one such example, it still needs rsh. Well, this is exactly what I thought until this morning, when I discovered Chris Gibson's article http://www.ibmsystemsmag.com/aix/administrator/systemsmanagement/nimsh_nimadm/ showing what to do in order to change this requirement! For me this is a “WIN” situation, as now I can put our NIM servers back into KRB5 and they will still work! This is really ironic, as two days ago during a meeting with IBM reps I expressed my surprise that NIM still needs rsh. As I see it now, my idea was at least several months old.

Looking for more NIM info, I found a really nice blog I recommend all to take a look at – “NIM Less known features : HANIM, nimsh over ssl, DSM”
http://chmod666.org/index.php/nim-less-known-features-hanim-nimsh-over-ssl-dsm/.

This rocks! Thanks Gents!

Posted in Real life AIX.


AIX LDAP client + KRB5A with Active Directory 2012

If you select this method to authenticate/authorise you may notice that a user group membership is missing – a user with multiple groups will be shown to belong to only one group!

# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson

The mannt user belongs to more than one group, really. So why when we ask (using AIX LDAP client) Active Directory to deliver this information it does come to us truncated?

It could be that the Active Directory administrator did not follow this procedure:

Active Directory object management
As is the case with any other authentication mechanism, we need to configure the user objects for the users that are to use the system. However, if you are implementing this solution, more than likely your users already have Windows accounts. In that case, all we need to do is to modify the objects to be POSIX compliant.
1.	Open the Active Directory Users and Groups management tool.
   a.) Modify a group object to function as a POSIX group.
   b.) Right-click on the user group for assignment of a GID.
   c.) Click on the Unix Attributes tab.
   d.) Populate the NIS Domain dropdown and the GID number as appropriate.
2.	Modify a user object to function as a POSIX user.
   a.) Locate and activate the tab that says Unix Settings.
   b.) Under Unix Settings, set the UID and GID for the user, as well as the home directory location (on the Linux filesystem /home/).
   Note: You will need to ensure that the directory exists with the appropriate user object having access to the directory.
   c.) Reset the user's password. This causes the AD password and the Unix password attributes to synchronize.
3.	Add the user as a Unix member of the group.
   a.) After you have added the user as a Unix user, you will also need to come back to the group properties and add the user as a member on the Unix Attributes tab. Otherwise, the user will not be populated in the msSFU30PosixMember attribute.

Next, you have to modify the /etc/security/ldap/sfur2group.map file, whose default content is shown below:

groupname  SEC_CHAR   cn                 s       na      yes
id         SEC_INT    gidNumber          s       na      yes
users      SEC_LIST   cn                 m       na      yes

Depending on how your user group membership is declared in Active Directory, you have to replace the last line of this file so it looks either like this:

users      SEC_LIST    msSFU30PosixMember m      na      yes

or like this

users      SEC_LIST   member              m      na      yes

Follow these modifications by executing the restart-secldapclntd command, and list the user again. Now, his full group membership is really shown.

# lsuser -a pgrp groups mannt
mannt pgrp=lawson groups=lawson,shell,payroll,operator,printq

I will be able to provide you with the Active Directory “side” of this procedure as soon as my colleague Igor Zilberman (the greatest AD/CITRIX administrator I have been lucky to work with! :-) ) documents this process – Igor, thanks in advance!
These two different attributes (member and msSFU30PosixMember) you use in sfur2group.map do really have an effect on how you assign UNIX attributes to AD users….

ATTENTION:
Tu Vo (IBM) just told me that the default *.map files may be overwritten the next time AIX is patched!!! With this knowledge at hand, I copied the original sfur2group.map into sfur2AD2012group.map (am I creative or not?), edited it as described above and next, I modified the appropriate entry in /etc/security/ldap/ldap.cfg so now it looks like this:

groupattrmappath:/etc/security/ldap/sfur2AD2012group.map

After a few days, a user tried to use the sftp command and failed. Fixing his issues, I noticed a “strange” behavior (AIX 7.1 host) – for a casual user the id command did not work:

# id
uid=934960 gid=4141 groups=216(operator)

The host/user lost the ability to translate (to show) the user login name and his/her groups names – it just showed their numerals. When the same user tried to ssh to another host he would receive this pleasant message:

# ssh markd@hostB
You don't exist, go away!

Well, tell it to the user that he does not exist! How dare you? Tu Vo (IBM) delivered the resolution to this issue, letting me know that KRB5A is “deprecated” (on its way out….). Tu Vo's advice was to replace in the /etc/methods.cfg file every KRB5A with just KRB, like this:

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

KRB5LDAP:
        options = auth=KRB5,db=LDAP

Next, you must do the same in the /etc/security/user file – make sure that registry and SYSTEM also show KRB5LDAP instead of KRB5ALDAP.

After the change, you have to either restart the secldapclntd or flush its cache (flush-secldapclntd). Now, log in as the ordinary user and execute the id command, does it work? YES!!!! Now it is time to do ssh and sftp, do they work? YES!!!

Thanks Tu Vo!
:-)

What about the earlier ssh issue? Well, it was not just KRB5, it was also the key in his ~/.ssh/known_hosts …….

Posted in Real life AIX.





© 2008-2014 www.wmduszyk.com - best viewed with your eyes.