
If I were to give you a gift, what would it be?

In your own place, at your own time – I hope you will enjoy it. Follow this link with your eyes wide open 🙂

Posted in Real life AIX.


What do they mean when they say “stanza”?

…and why you should never edit the files in /etc/security by hand.

A lot of AIX configuration files use the “stanza” format. Look at /etc/qconfig or almost any file in /etc/security to see what I mean. So what is a “stanza”?
It is a block of ASCII text that starts with a token (a word) followed by a colon (:) and ends with at least one blank line.

Why do I write about it today? Well, yesterday I asked my colleague Jon (the Tivoli Management Framework administrator, among other things) to execute on all our AIX hosts (he can do it with a single keystroke) one “small” script that I put together to enable LDAP authentication for two specific users. Here are the contents of this script (there is only one long line starting with the echo command, not several as your browser may show it):


rmuser -p svcvulscan 
rmuser -p svcvulscan2

echo "svcvulscan:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n\nsvcvulscan2:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n" >> /etc/security/user

In a perfect world this should work like a charm… but I forgot that this is the real world. What happened? On some AIX hosts the user whose stanza was last in the file before this script ran could no longer log in. Why? If you look above at the line starting with the echo statement, you will notice that the entry svcvulscan: simply gets appended to the file. Plain and simple.
But what happens if the last line of /etc/security/user is not a blank line? In that case the last stanza in the file extends, “swallowing” the svcvulscan entry, with the result that the last user in the file becomes an LDAP user. The following illustrates what I mean.

        admin = false
        SYSTEM = LDAP
        registry = LDAP

        SYSTEM = LDAP
        registry = LDAP

To really make the point and to clear any doubts, look at the following:

# grep -p brownh /etc/security/user
        admin = false
        SYSTEM = LDAP
        registry = LDAP

At this moment AIX will not allow brownh to log in – AIX cannot make sense of this user stanza in /etc/security/user! It is not just this user; svcvulscan will not be able to function either.
To fix it, yours truly had to insert a blank line above svcvulscan: to mark the end of the stanza defining brownh.

Could this have been avoided? Sure. Look below.


rmuser -p svcvulscan
rmuser -p svcvulscan2

echo "\nsvcvulscan:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n\nsvcvulscan2:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n" >> /etc/security/user

Do you see that the script now writes a blank line before inserting the stanzas (the \n in front of svcvulscan:)? It does not really matter how many blank lines separate stanzas, but there must be at least one for a stanza to be a stanza. 🙂

What I have described in this post would not have happened if, on some machines, at one point or another and for some “then” valid reasons, some AIX administrator (it could have been me) had not manually edited /etc/security/user and forgotten to leave at least one blank line at the end of the file. Have a good day!
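To make the failure mode above reproducible without touching a real system, here is an added example (not part of the original post): a small stanza parser that models how AIX reads /etc/security/user (header token up to the next blank line), a hardened replacement for the echo line that guarantees the separating blank line, and a demo that runs both the naive and the safe append against a constructed file whose last stanza (brownh) is missing its terminating blank line. The user names are the post's; the file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: why an appended stanza gets
# "swallowed" by an unterminated previous one, and how to append safely.
# Everything runs on a constructed copy in a temp directory, never on the
# real /etc/security/user; brownh and svcvulscan are the post's names.

# stanza_body FILE NAME: print the attribute lines an AIX-style parser
# assigns to NAME's stanza, i.e. everything from the header line "NAME:"
# up to the next blank line (whatever those lines look like).
stanza_body() {
    awk -v want="$2:" '
        /^[[:space:]]*$/ { cur = ""; next }   # blank line closes the stanza
        cur == ""        { cur = $0; next }   # next non-blank line is a header
        cur == want      { sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# append_ldap_stanza FILE NAME: hardened form of the post's echo line.
# Before appending it terminates an unfinished last line and then adds
# the blank separator line if the file does not already end in one.
append_ldap_stanza() {
    if [ -s "$1" ]; then
        [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
        [ -z "$(tail -n 1 "$1")" ] || printf '\n' >> "$1"
    fi
    printf '%s:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n\n' "$2" >> "$1"
}

# demo_lines MODE NAME: reproduce the post's scenario on a constructed
# file whose last stanza (brownh) lacks its terminating blank line, then
# print how many attribute lines the parser assigns to NAME. MODE is
# "naive" (plain >> as in the original script) or "safe".
demo_lines() {
    dir=$(mktemp -d) || return 1
    f="$dir/user"
    printf 'root:\n\tadmin = true\n\nbrownh:\n\tadmin = false\n' > "$f"
    if [ "$1" = naive ]; then
        printf 'svcvulscan:\n\tSYSTEM = LDAP\n\tregistry = LDAP\n' >> "$f"
    else
        append_ldap_stanza "$f" svcvulscan
    fi
    stanza_body "$f" "$2" | wc -l | tr -d ' '
    rm -rf "$dir"
}

# demo_lines naive brownh  -> 4 (svcvulscan: and its attributes swallowed)
# demo_lines safe  brownh  -> 1
```

In the naive run svcvulscan's own stanza is never seen by the parser at all (0 lines), which matches the post's observation that neither user could function afterwards.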

Posted in Real life AIX.


Improving PowerVM Environment

There is no question about it – PowerVM is here to stay. Its flexibility – the ease of deploying new “partitions” combined with the ease of modifying existing ones – has transformed PowerVM from a novelty into something expected in every data center housing AIX. Earlier, when building PowerVM environments (VIOS + partitions) and, to be precise, when configuring the networking side of these environments, I noticed that “my” partitions' network adapters were all attached to one virtual switch (Ethernet 0).

Well, how did this Ethernet 0 switch come to be, and does the digit 0 following “Ethernet” indicate the possibility of additional switches (for example Ethernet 1, 2, ...)? If so, how are they created and used? Are there advantages or disadvantages to building and employing multiple virtual Ethernet switches with PowerVM? For those interested in this subject, I recommend studying this document: “Using Virtual Switches in PowerVM to Drive Maximum Value of 10Gb Ethernet” – thanks Rob for locating it!

Usually, if one builds two VIO servers in a frame, one does it to provide a level of redundancy that protects the partitions against the failure of one of the VIO servers delivering resources to the frame's partitions. If this is the case, then the presence of a single virtual Ethernet switch is a single point of failure, right? This could be one more reason for you to get acquainted with the above document.

Posted in Real life AIX, VIO.


VIOS Advisor Explained

“The goal of the VIOS advisor is not to provide another monitoring tool, but instead have an expert system view performance metrics already available to the customer and make assessments and recommendations based on the expertise and experience available within the IBM systems performance group.”

Sounds interesting? If so, follow this link to the latest article by Rob McNelly in “IBM Systems Magazine”, AIX edition.

Posted in AIX, Real life AIX.


LDAP users can log into AIX with no or invalid password

Apparently it is nice to be liked. Today I installed the LDAP client on a set of Oracle test machines, and shortly afterwards Adi tells me that he can ssh to other hosts without a password or with a wrong one. Oops, a big Oops indeed.

These two machines run a different AIX level from all the other hosts I have switched to TDS/AD authentication, and those do not demonstrate these dangerous “abilities”. The few hosts running the LDAP client on yet another AIX level also do not show this behavior.

This dangerous issue is apparently specific to the one AIX level these machines run, which explains why earlier or later OS versions do not show it. IBM has an emergency fix that neutralizes this problem, known as IZ97416. To install it, execute:

emgr -e IZ97416.110329.epkg.Z

Now, do verify that the previous password-less logins from the AIX LDAP client to other AIX hosts are no longer possible.

Posted in ldap, Real life AIX.


TDS Server refuses to START… error: GLPRDB111E

Yesterday I got my fair share of excitement. One of my TDS servers mysteriously stopped working. Looking in ibmslapd.log I found this message staring back at me:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

This entry from one of KnowWiki pages provided the solution:

Make sure your instance name user is active and has the active password.

OK, I open a new putty session and log in as the instance owner user. AIX immediately responds that this user's password has expired and needs to be changed! I know what to do next: after logging in and running su -, I execute pwdadm -c instance_name followed by chuser rlogin=false expires=0 instance_name, so this user's password never expires and, at the same time, remote login is removed from this account to make it more secure. Next, I start the TDS instance, which comes alive as if nothing had happened.

Now, do repeat the same steps on the other TDS servers, please.

Well, I was a happy AIX administrator for a very short time. The next restart produced this:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

It seemed appropriate to investigate the ibmslapd.conf file. What helped me was a fully functional second TDS server (its replication peer). I noticed that the non-functional server's ibmslapd.conf showed a wrong key file name and location. In my case these should be located in the directory /etc/security/ldap, with the key file always named ServerKey.kdb, like this:


The configuration file had instead:

ibm-slapdsslkeydatabasepw: {AES256}3yBk0e0qwzqL7/glbBSodA==

I recognized that I had to change the first entry to correctly identify the location of the GSK key database. The second issue to deal with was re-creating the encrypted password. This step requires creating a simple LDIF file:

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: abcABC123

abcABC123 represents the un-encrypted password that was used when creating (and is stashed into) the file ServerKey.kdb. The ldapmodify command will update the TDS server configuration and encrypt the password:

ldapmodify -D cn=root -w Admin_Password -i update.ldif

The first time it did not work because the LDAP server was down; I restarted it in configuration mode and this time ldapmodify did work. To end my misery, I rebooted the server. After a few minutes an idsldapsearch over SSL from an AIX client against each TDS server worked, finally!

ldapsearch -h aixtds1 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base objectclass=*

ldapsearch -h aixtds2 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base objectclass=*
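The two faults found in ibmslapd.conf above (a wrong key database path and a password that must be stored in encrypted form) are easy to check before starting the server. The following is an added example, not code from the post or from IBM: a pre-start check written in POSIX sh. It assumes that ibm-slapdSslKeyDatabase is the path attribute paired with the ibm-slapdSslKeyDatabasePW attribute shown above; the configuration files it checks in the demo are constructed in a temp directory, reusing the sample values from the post.

```shell
#!/bin/sh
# Added example, not from the post: a pre-start check of the SSL entries
# in ibmslapd.conf for the two faults described above, a key database
# path other than the expected one and a stashed password that is not in
# encrypted {AES256} form. ibm-slapdSslKeyDatabase is assumed to be the
# path attribute that pairs with ibm-slapdSslKeyDatabasePW; the demo conf
# files are constructed, not copied from a real server.

# conf_attr CONF ATTR: first value of ATTR in CONF (attribute names are
# compared case-insensitively, as LDAP attribute types are)
conf_attr() {
    awk -v a="$2" 'BEGIN { a = tolower(a) }
        { n = index($0, ":"); if (n == 0) next
          if (tolower(substr($0, 1, n - 1)) == a) {
              v = substr($0, n + 1); sub(/^[[:space:]]+/, "", v); print v; exit } }' "$1"
}

# check_ssl_conf CONF EXPECTED_KDB: prints "ok" or the first problem found
check_ssl_conf() {
    kdb=$(conf_attr "$1" ibm-slapdSslKeyDatabase)
    pw=$(conf_attr "$1" ibm-slapdSslKeyDatabasePW)
    if [ "$kdb" != "$2" ]; then
        echo "key database is '$kdb', expected $2"; return 1
    fi
    [ -s "$kdb" ] || { echo "key database $kdb is missing or empty"; return 1; }
    case "$pw" in
        "{AES256}"*) echo ok ;;
        "")          echo "no stashed key database password"; return 1 ;;
        *)           echo "key database password is not encrypted"; return 1 ;;
    esac
}

# demo MODE: run the check against a constructed conf; MODE is "good",
# "badpath" (the fault found in the post) or "clearpw"
demo() {
    d=$(mktemp -d) || return 1
    kdb="$d/ServerKey.kdb"; printf 'constructed key db\n' > "$kdb"
    path="$kdb"; pw="{AES256}3yBk0e0qwzqL7/glbBSodA=="
    [ "$1" = badpath ] && path="$d/wrong/ServerKey.kdb"
    [ "$1" = clearpw ] && pw="abcABC123"
    printf 'dn: cn=SSL, cn=Configuration\nibm-slapdSslKeyDatabase: %s\nibm-slapdsslkeydatabasepw: %s\n' \
        "$path" "$pw" > "$d/ibmslapd.conf"
    rc=0; check_ssl_conf "$d/ibmslapd.conf" "$kdb" || rc=$?
    rm -rf "$d"; return $rc
}
```

On a real server you would call check_ssl_conf against /etc/ibmslapd.conf (or wherever the instance keeps it) with /etc/security/ldap/ServerKey.kdb as the expected path, run as the instance owner so that the readability check reflects the account TDS actually uses.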

Posted in ldap, Real life AIX.


IBM Power Systems Hardware Information Center

It can be useful to know about this place: the “IBM Power Systems Hardware Information Center”.

Posted in AIX.


Pass Through Authentication between TDS Ldap servers and ActiveDirectory over SSL

I installed two IBM Tivoli Directory Servers (LDAP), configured replication between them (peer to peer) and finally set up PTA to the AD servers for logins and passwords – no more separate logins to Windows or AIX, no separate password standards, no separate attributes to maintain.

Setting up SSL-based authentication between the AIX-based TDS servers and their clients was easy. You can find excellent directions by following this link:
By the way, if you want to enable SSL for the Management Console (the Web Admin Tool), follow this link: (thanks Debra from IBM LDAP support :-D)

Then you have to configure each AIX client to enable SSL communication between it and the TDS servers.

Finally, the pass-through authentication between each TDS server and the Active Directory server has to be modified to use SSL too. Follow the rest of this post to see how this can be done without using ikeyman – this utility is not working for me. I get these silly messages saying “The CMS Java native library was not found. Please make sure the SSL component required ........ .” and I have opened a PMR in this regard – I will post the resolution as soon as I get it.

Posted in ldap.


Recovering root password using NIM

It happens, not often, but it does, and when it does it usually sucks. If nothing else is available to you to reset the root password, but this “environment” has a working NIM server, you may try the procedure documented under this link as “AIX: Recovering A Lost Root Password On A P-Series LPAR, Using A NIM Server”.
Whoever created the documents there did a really splendid job. I believe many will find this site useful.

The same can be done without a NIM server using the AIX installation media. But then “somebody” has to travel to insert the media into the host with the unknown root password.

Posted in AIX, Real life AIX.


Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.