

installing WebSphere Server in a wpar

Annwoy just made the following comment about installing WebSphere in a wpar: “it will save you time if, before attempting to do this for the first time, you spend a few minutes following and reading this link” http://www-01.ibm.com/support/docview.wss?uid=swg21293695. It looks like he was right.

Posted in AIX, wpar.



SAN storage migration for lpar and its wpar

Here we go again! It is time to migrate from SVC to XIV; the decision has been made! This post shows my approach to this aspect of AIX life. For the sake of simplicity I will show the interaction between one lpar and one wpar. The same procedure applies to one or many wpars.

Posted in Real life AIX, wpar.



New Sutras

Under Sutras you will find my two new translations: the Vimalakirti Sutra and the Sutra of the Seven Suns, that is, the Sutra of the End of the World.

Posted in BuddhaTaoZen, Sutry.



missing disks, dump devices, mirroring, etc.

Since we are pretty much always learning (some of us at a more elementary, intermediate or advanced level, but regardless of the level we all learn or re-learn, because what we once mastered we have had ample time to forget by not doing it for a while), here is a reminder of how to deal with a volume group (in this case rootvg) which for some reason lost one of its disks. The loss could be a function of the SAN, the VIO server or some other event. It could be a permanent loss (the disk is dead, broken, no longer functioning), or the loss was temporary in nature: the AIX kernel detected a timeout (without any disk errors associated with a device failure) long enough for the kernel to mark the disk missing.

If faced with such a situation, I always hope for the “temporary” case and execute the varyonvg vg_name command in order to re-establish the communication path to the offending disk. If this action fails, then I investigate the output of errpt -a to hopefully find more details and gain a better understanding of what is really going on.

For the last few days I have been dealing with a peculiar issue: one specific user has login problems with one specific AIX host. The password is delivered via LDAP and the user is “kicked out” as soon as he logs in, so to deal with this witchcraft I decided that it is time to download and update the client side of LDAP (the TDS LDAP filesets on the host), not that I am 100% convinced that this will save the day. To accommodate the download, I had to increase the capacity of the /root file system (root's home directory). While doing so, the following message showed up on my screen.

# chfs -a size=+1G /root
lquerypv: Warning, physical volume hdisk1 is excluded since it may be either missing or removed.
0516-404 allocp: This system cannot fulfill the allocation request. There are not enough free partitions or not enough physical volumes to keep strictness and satisfy allocation requests.  The command  should be retried with different allocation characteristics.

By the way, where is Tivoli Monitoring when you need it? Well, I do not see any messages in my mailbox, and it may not be Tivoli's fault but rather how it (Tivoli) has been configured…

It is time to follow my usual procedure in such a case: let's vary it on!

# varyonvg rootvg
0516-1774 varyonvg: Cannot varyon volume group with an active dump device on a missing physical volume. Use sysdumpdev to temporarily replace the dump device with /dev/sysdumpnull and try again.

Our AIX hosts always have two dump devices (logical volumes), one per rootvg disk. The primary is always located on hdisk0, the secondary always on hdisk1. If I did not know this, to establish which dump device resides on the missing disk I would execute the sysdumpdev command followed by lslv -m lv_name (for example).

Deactivating the dump device on the missing disk requires the following redirection:

# sysdumpdev -s /dev/sysdumpnull
primary              /dev/dump0
secondary            /dev/sysdumpnull
copy directory       /var/adm/ras
forced copy flag     TRUE
always allow dump    TRUE
dump compression     ON
type of dump         traditional

As seen above, the primary dump is still live and kicking. Now, let’s try again to varyon the volume group:

# varyonvg rootvg
# lsvg -p rootvg
rootvg:
PV_NAME  PV STATE    TOTAL PPs   FREE PPs    FREE DISTRIBUTION
hdisk1   active      559         346         87..05..30..112..112
hdisk0   active      559         346         87..05..30..112..112

This time there are no complaints and the disk is once again listed as active. Since this volume group is always mirrored (in our case), we need to verify that syncvg has been started automatically.

# ps -ef | grep sync
root   655432 1 0   Jun 26      - 47:47 /usr/sbin/syncd 60
root  3735800 1 0 10:10:35  pts/0  0:00 /bin/ksh /usr/sbin/syncvg -v rootvg
root 16842916  3735800   1 10:10:46  pts/0  0:00 lresynclv -P 24 -l 00f66d0c871

Yes, the volume group is already being synchronized. The last step is to restore the dump environment:

# sysdumpdev -P -s /dev/dump1
primary              /dev/dump0
secondary            /dev/dump1
copy directory       /var/adm/ras
forced copy flag     TRUE
always allow dump    TRUE
dump compression     ON
type of dump         traditional

Well, the previous step was not the last one. Now I will be able to increase the size of /root, which is the “last” step. :-)
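As an added illustration (not code from the original post), the decision behind the two steps above, i.e. find the dump device sitting on the missing disk and point it at /dev/sysdumpnull before varyonvg, written as POSIX sh functions that parse the output formats of lsvg -p, sysdumpdev -l and lslv -m. The sample strings are constructed, and lslv_m is an assumed stand-in for the real lslv -m command.

```shell
# Constructed sample output (not captured from a real host), in the formats that
# lsvg -p rootvg, sysdumpdev -l and lslv -m <lv> print on AIX.
SAMPLE_LSVG='rootvg:
PV_NAME  PV STATE    TOTAL PPs   FREE PPs    FREE DISTRIBUTION
hdisk0   active      559         346         87..05..30..112..112
hdisk1   missing     559         346         87..05..30..112..112'
SAMPLE_SYSDUMPDEV='primary              /dev/dump0
secondary            /dev/dump1
copy directory       /var/adm/ras'
SAMPLE_LSLV_DUMP0='dump0:N/A
LP    PP1  PV1               PP2  PV2               PP3  PV3
0001  0100 hdisk0'
SAMPLE_LSLV_DUMP1='dump1:N/A
LP    PP1  PV1               PP2  PV2               PP3  PV3
0001  0100 hdisk1'
# lslv_m LV: assumed stand-in for `lslv -m LV`; on a real host its body would be lslv -m "$1"
lslv_m() {
    case "$1" in
        dump0) printf '%s\n' "$SAMPLE_LSLV_DUMP0" ;;
        dump1) printf '%s\n' "$SAMPLE_LSLV_DUMP1" ;;
        *) return 1 ;;
    esac
}
# missing_pvs LSVG_OUTPUT: PVs whose state is anything but "active" (e.g. "missing")
missing_pvs() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 != "active" { print $1 }'
}
# dump_lvs SYSDUMPDEV_OUTPUT: the primary/secondary dump LVs, /dev/ stripped, sysdumpnull skipped
dump_lvs() {
    printf '%s\n' "$1" | awk '($1 == "primary" || $1 == "secondary") && $2 != "/dev/sysdumpnull" {
        sub("/dev/", "", $2); print $2 }'
}
# pvs_of_lv LSLV_M_OUTPUT: PVs holding any copy of the LV (PV names sit in columns 3, 5, 7)
pvs_of_lv() {
    printf '%s\n' "$1" | awk 'NR > 2 { for (i = 3; i <= NF; i += 2) print $i }' | sort -u
}
# dump_devices_on_missing_pvs LSVG_OUTPUT SYSDUMPDEV_OUTPUT: prints "lv pv" for every dump LV
# with a copy on a missing PV; those are the devices to point at /dev/sysdumpnull before varyonvg
dump_devices_on_missing_pvs() {
    missing=$(missing_pvs "$1")
    for lv in $(dump_lvs "$2"); do
        for pv in $(pvs_of_lv "$(lslv_m "$lv")"); do
            for m in $missing; do
                if [ "$pv" = "$m" ]; then printf '%s %s\n' "$lv" "$pv"; fi
            done
        done
    done
}
```

On a live host the three sample strings would be replaced by the real command output, and the printed LV is the one to hand to sysdumpdev -s /dev/sysdumpnull (and to restore afterwards with sysdumpdev -P -s).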

Posted in AIX, Real life AIX.



restoring passwd file from mksysb image

The ripper paid me a visit: I removed some users, which later turned out to be a mistake. Fortunately, I had a mksysb backup which contained all the necessary data in the form of /etc/passwd, /etc/group, /etc/security/passwd and /etc/security/user.

So restoring these files to their original state was easy. After moving to the directory containing the mksysb backup, I executed the following commands:

restore -xvqf mksysbimg.image ./etc/passwd
restore -xvqf mksysbimg.image ./etc/group
restore -xvqf mksysbimg.image ./etc/security/user
restore -xvqf mksysbimg.image ./etc/security/passwd

These files were restored to the sub-directory etc. After cd etc, the rest was just copying the files to their appropriate targets in /etc.

What if the mksysb archive was on a tape? You have to move the tape past all the control/authentication headers with the command

tctl -f /dev/rmtX.1 fsf 3

where X denotes the actual tape drive identifier. After the “read” pointer has been moved to the appropriate location on the tape, the same restore command will restore the files we need.

Posted in Real life AIX.



Authenticating RedHat with ActiveDirectory and Kerberos

Disable sssd (if it is already running); our goal is to remove it from the host, together with any of its component packages if installed, as we are not interested in its extended capabilities. All we want is to integrate our LINUX host into AD.

chkconfig sssd off
service sssd stop

Check what sssd packages are installed:

# rpm -qa | grep sssd

Remove them all, for example:

# yum remove sssd
# yum remove sssd-client

Make sure that the following packages are also installed:

# rpm -qa | grep ldap
nss-pam-ldapd-0.7.5-18.1.el6_4.x86_64
pam_ldap-185-11.el6.x86_64
openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64

Now the long part: provide entries appropriate for your environment.

authconfig --enableshadow --passalgo=sha512 --enableldap \
--ldapserver=ldap://wmd.edu \
--ldapbasedn="dc=wmd,dc=edu" --disablefingerprint \
--enablekrb5 --krb5kdc=wmd.edu \
--krb5adminserver=WMD.edu \
--krb5realm=WMD.edu --enablemkhomedir --update

Make sure that the nscd and nslcd packages are installed and that they start at reboot.

# chkconfig nscd on

We will start it right away.

# service nscd start

To allow searching the AD repository, we have set up a “special” (low privileges, search only) account in ActiveDirectory, which we identify in the file /etc/nslcd.conf as shown below. Because this file then holds the bind password in clear text, it must stay readable by root only:

binddn CN=aixldapquery,OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu
bindpw ZupaDupa1$
uri ldap://wmd.edu/
base dc=wmd,dc=edu

In the same file, find the lines below and remove the leading # to activate them. The final product will look like this:

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
map    group  uniqueMember     member

Now we can execute the following commands:

chkconfig nslcd on
service nslcd restart

Edit the file /etc/pam.d/system-auth to look like this (order matters!):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Edit the file /etc/pam.d/password-auth to look like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

As the final step, modify the /etc/nsswitch.conf file as shown below:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap

The best bet is to reboot the host (or restart both the nscd and nslcd daemons). After it is back online, validate your work by executing the getent passwd command. Next, execute id against a user whose UNIX attributes are defined in Active Directory. If both commands return the expected values, there is nothing else you need to do.
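As an added post-configuration check (not part of the original post), the POSIX sh functions below verify the three files edited above against constructed copies of them, so they run offline; on a real host they would be pointed at /etc/nsswitch.conf, /etc/nslcd.conf and /etc/pam.d/system-auth. The bindpw value is an obvious placeholder, and the nslcd checks cover what the procedure leaves implicit: the file carries the bind password in clear text, so it must be owner-readable only, and with a plain ldap:// uri that same password also crosses the network unencrypted unless TLS is enabled.

```shell
# Constructed copies of the three files the procedure edits (not real host files), so the
# checks run offline; the bindpw value is an obvious placeholder, not a real secret.
NSS=$(mktemp); NSLCD=$(mktemp); PAMAUTH=$(mktemp)
trap 'rm -f "$NSS" "$NSLCD" "$PAMAUTH"' EXIT
cat > "$NSS" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
EOF
cat > "$NSLCD" <<'EOF'
binddn CN=aixldapquery,OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu
bindpw PLACEHOLDER-BIND-PASSWORD
uri ldap://wmd.edu/
base dc=wmd,dc=edu
EOF
chmod 600 "$NSLCD"
cat > "$PAMAUTH" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF
# nss_uses_ldap FILE: succeeds when passwd, shadow and group all list the ldap source
nss_uses_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|"'$)' "$1" || return 1
    done
}
# nslcd_conf_private FILE: succeeds when the file holding bindpw is readable by its owner only
nslcd_conf_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}
# nslcd_bind_encrypted FILE: succeeds only when the bind uses ldaps:// or StartTLS; with a
# plain ldap:// uri (as in the post) the simple-bind password crosses the network in clear text
nslcd_bind_encrypted() {
    grep -Eq '^uri[[:space:]]+ldaps://' "$1" || grep -Eq '^ssl[[:space:]]+(on|start_tls)' "$1"
}
# krb5_before_deny FILE: succeeds when pam_krb5 is tried before pam_deny closes the auth stack
krb5_before_deny() {
    awk '$1 == "auth" && $3 == "pam_krb5.so" { k = NR }
         $1 == "auth" && $3 == "pam_deny.so" { d = NR }
         END { if (k && d && k < d) exit 0; exit 1 }' "$1"
}
```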

Posted in ldap, Linux.



comparing contents of text files

Well, how many times have I been asked to do just that, and how many times have I done it comparing both files line by line? How many times have I been asked to list duplicates in a file and used my eyes to do that? Many times indeed, but not any more!

To compare two files and find the entries that appear in both, first make sure that both files are already sorted in alphabetical order and then execute (uniq reads a single input file and would treat the second name as its output file, so the two-file comparison is done with comm):

# comm -12 file1 file2

To find duplicates (if any) in the file /etc/passwd (for example):

# cat /etc/passwd | awk -F ':' '{print $1}' | sort | uniq -d

or

sort -t ':' -k 1 /etc/passwd | awk -F ':' '{print $1}' | uniq -d

Whoever knows a shorter syntax, please leave a comment.
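The two operations above, and the check one would want before copying the passwd file recovered from the mksysb image (the restoring passwd file from mksysb image post above) over the live one, combined in one added example that is not code from either post: it lists duplicate logins within a file, and the accounts the restore would bring back versus the ones the copy would overwrite. The two passwd files are constructed samples.

```shell
# Constructed sample files (not from any real host): the /etc/passwd recovered from the
# mksysb image and the live one from which two accounts were removed by mistake.
BACKUP_PASSWD=$(mktemp); LIVE_PASSWD=$(mktemp)
trap 'rm -f "$BACKUP_PASSWD" "$LIVE_PASSWD"' EXIT
cat > "$BACKUP_PASSWD" <<'EOF'
root:!:0:0::/root:/usr/bin/ksh
daemon:!:1:1::/etc:
jsmith:!:210:1::/home/jsmith:/usr/bin/ksh
akowalski:!:211:1::/home/akowalski:/usr/bin/ksh
oracle:!:300:300::/home/oracle:/usr/bin/ksh
EOF
cat > "$LIVE_PASSWD" <<'EOF'
root:!:0:0::/root:/usr/bin/ksh
daemon:!:1:1::/etc:
oracle:!:300:300::/home/oracle:/usr/bin/ksh
oracle:!:301:300::/home/oracle2:/usr/bin/ksh
EOF
# logins FILE: the login names (field 1) of FILE, sorted so that uniq and comm can work on them
logins() { awk -F ':' '{ print $1 }' "$1" | sort; }
# duplicate_logins FILE: login names that occur more than once in FILE (the sort | uniq -d idiom)
duplicate_logins() { logins "$1" | uniq -d; }
# comm_logins FLAGS FILE_A FILE_B: comm over the sorted login lists of two files; comm wants
# files rather than a pipe for both sides, hence the temporary copies
comm_logins() {
    a=$(mktemp); b=$(mktemp)
    logins "$2" > "$a"; logins "$3" > "$b"
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}
# only_in_backup BACKUP LIVE: accounts the restore would bring back (in BACKUP, not in LIVE)
only_in_backup() { comm_logins -23 "$1" "$2"; }
# in_both BACKUP LIVE: accounts present in both files, i.e. the entries the copy would overwrite
in_both() { comm_logins -12 "$1" "$2"; }
```

Reviewing only_in_backup before the cp answers "which users come back" and in_both "which current entries get replaced", which is the check worth doing before a wholesale copy of a backup over /etc/passwd.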

Posted in Real life AIX.



Learn to use AIX Logical Volume Manager

A newcomer to AIX administration could gain more understanding and appreciation of the Logical Volume Manager by following this presentation. A machine was just assigned one additional LUN that we have to acquire and use to create a new volume group. A few weeks ago, the same host received a LUN known locally as hdisk8, which was used to expand the capacity of the file system /u40 residing in the volume group called oracle_vg. Today, we have to investigate whether this file system could be shrunk to free hdisk8 so that this disk could be added to a new volume group. See page 2 for details.

Posted in Real life AIX.



LINUX authentication with TDS LDAP and SSL

A while ago, I posted some information about setting up a LINUX (RedHat 6.2) client to authenticate with the Tivoli Directory Server. This post is more informative. It shows how to configure a LINUX client to authenticate against multiple TDS servers over SSL, so the generated traffic is encrypted. If this sounds interesting, flip to the next page.

Posted in AIX, ldap, Linux, Real life AIX.



LAWSON authentication with LDAP

Integrating LDAP/AD login names and passwords with our UNIX environment was not implemented without challenges, but all of that pales next to the benefits of this integration. One of the benefits was the ability to use long (up to 265 characters) login names.

Somehow it was surprising to discover that the LAWSON application's own authorization mechanism does not accept logins longer than 10 characters, oops… For a moment we felt doomed. But thanks to the splendid LAWSON administrator that we have, we discovered that the long login names used by the operating system can be mapped to the shorter ones allowed by LAWSON. A Lawson user is one that has an entry in /etc/passwd. It does not matter that there is no corresponding entry in /etc/group or /etc/security/user and so forth; there must be an entry in /etc/passwd for LAWSON to view a login account as a legitimate one.

So somewhere, where only the LAWSON administrator knows, there is a file that maps each UNIX login name to the appropriate LAWSON application login name. LAWSON user authentication proceeds pretty much along these lines:

    a. the user logs into the UNIX host with his/her long login;
    LDAP authenticates the user

    b. AIX passes the flow of control to /etc/profile

    c. inside this file there is a call to a script that, based on the user's group
    membership, invokes the LAWSON authentication procedure

    d. this procedure maps the OS login name to a shorter one, which is looked up
    in /etc/passwd; if a match is made the user is allowed to proceed
    into the LAWSON realm

    e. the user is asked to provide the LAWSON password and, if a valid response is
    provided, the user can proceed into the LAWSON realm.

Sometimes the system administrator who “owns” the LAWSON servers needs to know which logins are longer than the 10 characters allowed by this application. On the next page you will find a simple script that does exactly what I have just described: it pulls this information out of the LDAP repository.

Posted in AIX, Linux, Real life AIX, scripts.




Copyright © 2015 - 2016 Waldemar Mark Duszyk. - best viewed with your eyes.. Created by Blog Copyright.