
restrict ftp access to AIX host

I am not going to discuss the “cons” of using ftp – they are pretty much known to all involved with UNIX in general. Still, for some ftp is “a must” and for various reasons it has to be used.

Disabling ftp access completely is easy. Just comment out or remove the following two lines in /etc/inetd.conf; they define both ftp and its simpler cousin tftp.

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd    tftpd -n

Follow these “edits” with refresh -s inetd and both services will be disabled on the host.

In order to allow ftp access to a particular user or users, the system administrator has to leave the two daemons in place (the ftp daemons stay operational).
Unlike cron, which has two access control files (cron.allow and cron.deny), ftp has only one access control file: /etc/ftpusers. It is a deny list, and its syntax is identical to that of the cron access files – one login name per line.

AIX, being AIX, has a dedicated command to manipulate the contents of this file. This command is called ruser.

For example, to allow only the users brickj and bondj to access ftp, the system administrator may do the following.

Process the /etc/passwd file to create a corresponding entry in /etc/ftpusers for every login:

for user in `cat /etc/passwd | awk -F ':' '{print $1}'`
do
    ruser -a -f $user    # -a -f: add the login to /etc/ftpusers (deny ftp)
done

The same can be done without cat and awk:

for user in `lsuser -a ALL`
do
    ruser -a -f $user
done

At this point nobody can ftp! So the brickj and bondj login names have to be removed from the ftpusers file:

ruser -d -f brickj; ruser -d -f bondj    # -d -f: delete the login from /etc/ftpusers (allow ftp)

Anything left? Yes, test it!!! Does ftp work only for brickj and bondj on this machine?
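The same deny-list logic, as an added example that is not part of the original post: since ruser and lsuser exist only on AIX, the script below builds an /etc/ftpusers-style file in a temporary directory from a constructed sample passwd file, keeps the chosen logins off it, and then checks each login the way ftpd does (a login listed in the file is refused). The sample users, the temporary paths and the helper names build_ftpusers and ftp_allowed are assumptions for the example; on a real host the file is /etc/ftpusers and ruser -a/-d -f maintains it.

```shell
#!/bin/sh
# Added example (not from the original post): build an /etc/ftpusers-style
# deny list offline and check which logins ftpd would still admit.

# build_ftpusers PASSWD_FILE OUT_FILE ALLOWED_LOGIN...
# Writes every login found in PASSWD_FILE to OUT_FILE, one per line,
# except the ALLOWED_LOGINs (ftpd refuses any login that is listed).
build_ftpusers() {
    passwd_file=$1
    out=$2
    shift 2
    allowed=" $* "
    : > "$out"
    while IFS=: read -r login _rest; do
        case "$allowed" in
            *" $login "*) ;;                          # stays off the deny list
            *) printf '%s\n' "$login" >> "$out" ;;    # everyone else is denied
        esac
    done < "$passwd_file"
}

# ftp_allowed LOGIN DENY_FILE -> exit status 0 only if LOGIN is not listed
# (whole-line, fixed-string match, as one login per line requires)
ftp_allowed() {
    ! grep -q -x -F -- "$1" "$2"
}

# Constructed sample passwd file and output location for the demonstration.
SAMPLE_DIR=${TMPDIR:-/tmp}/ftpusers-demo.$$
mkdir -p "$SAMPLE_DIR"
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_FTPUSERS=$SAMPLE_DIR/ftpusers
cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
brickj:!:201:1::/home/brickj:/usr/bin/ksh
bondj:!:202:1::/home/bondj:/usr/bin/ksh
smithw:!:203:1::/home/smithw:/usr/bin/ksh
EOF

# Deny everyone except brickj and bondj, then verify login by login.
build_ftpusers "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS" brickj bondj

for u in root brickj bondj smithw; do
    if ftp_allowed "$u" "$SAMPLE_FTPUSERS"; then
        echo "$u: ftp allowed"
    else
        echo "$u: ftp denied (listed in $SAMPLE_FTPUSERS)"
    fi
done
```

The verification loop is the point of the exercise: after editing the list, walk every login (root and system accounts included) and confirm that only the intended two are absent from it before trusting the host.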

Posted in Real life AIX.


a cluster that just refused to work …..

This cluster just does not want to cooperate. It worked OK for a few weeks, then it started to misbehave. One of the previous posts describes what I had to do to get it to work. Now, the same cluster has stopped cooperating again. I cannot move its resource group from one node to another as I do not see either node in the selection list. I get some errors suggesting that the network adapter is unreachable; another message asks me to enable automatic verification and synchronization in the HACMP SMIT Extended Configuration, Extended Cluster Service Settings menu, then restart the selected nodes. Please let me know when you find this menu option in smitty or its other variations.

Posted in AIX, HACMP, Real life AIX.


recovering “lost” host using its mksysb image and NIM server

Someone asked me what would have to be done if we lost one of our data centers. First, in our case this would not really be a show stopper, as we have a number of them and most of our systems (at least all defined as Level 1) are clustered with nodes located in geographically dispersed locations.

So the question has to be re-phrased – what would we do to “re-create” a destroyed machine?

Posted in Real life AIX.


IBM Power Systems Champions……

I have been nominated and named as one of the 2011 IBM Power Systems Champions. To those who did the “selection and nomination”, I say

Thank You!

Posted in NonAix.


Adding disks to a Shadow Image based backup environment….

Sooner or later, the capacity of the existing Shadow Image becomes too constricting and it needs to be extended. Usually, this happens after expansion of a file system in a volume group which is “Shadow Imaged”.
For some, the Shadow Image disks are local to the host whose backup is taken with this mechanism. For others, the Shadow Image disks are remote – located on the server that performs the actual backup of data. When the volume group runs out of capacity and a new disk or disks (P-VOLs) have to be added to it, the identical addition has to be made to the set of disks which are the target of the Shadow Image operations, called the S-VOLs.

Posted in Real life AIX, scripts.


a cluster that just stopped working….

A few weeks ago, I built a two-node cluster which used to work until yesterday. Well, yesterday I rebooted the nodes to activate the latest XIV drivers I had to install in anticipation of a future migration from SVC to XIV based storage.
After the reboot I could not start PowerHA (HACMP) services on one of the nodes. Trying to verify/sync the cluster generated nothing but this meaningful message: cldare: A communication error prevents obtaining the VRMF from remote nodes. Eventually, I started the cluster on the other node, which allowed the application team to continue their work. I got stuck with the other node….

Posted in HACMP, Real life AIX.


Disk Path Design for AIX

I stumbled upon this presentation a while ago. Finally, today I had time to translate its html version into PDF and to show it here.

This is another document from Dan Braden, IBM – very well worth the time needed to read it: Disk Path Design for AIX Including SAN Zoning.

Dan’s presentation was accompanied by Jim Blue’s “SAN Best Practices” presentation, which can be viewed here: SN08 SAN Best Practices.pdf

Posted in Real life AIX.


ikeyman and getting it to work for you….

Well, I am not suggesting that there is something wrong with it, some error or something as bad. Just that in my case, in order to get the “CMS key database type” as one of the options, I had to do the following:

1. update my .profile to include these two directives:

export JAVA_HOME=/usr/IBM/HTTPServer/java

export PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11

These directives re-point Java to ikeyman’s own Java file sets. PATH is not pointing to any AIX Java directories….

2. update the file $JAVA_HOME/jre/lib/security/ to add these two lines (to make ikeyman aware of CMS):

where, X and X+1 are the next consecutive numbers.

For a nice post guiding you through the process of creating key databases, issuing certificates and so forth follow this link

I reversed my .profile to its original state after I was done using ikeyman.

Posted in ldap.


fc_qns on steroids = sanscan

In the past, I learnt to appreciate fc_qns. Lately, I started using its bigger and better “version” called sanscan.
You can get it from an IBM Service engineer. Just call 1-800-IBM-SERV, open a SAN related PMR and, after you are connected with your engineer, ask for sanscan. I will have it here as soon as I figure out how to allow downloads from my blog….

If your AIX hosts are SAN attached you must have sanscan, really.


sanscan v2.2
Copyright (C) 2010 IBM Corp., All Rights Reserved

Processing FC device:
    Adapter driver: fcs0
    Protocol driver: fscsi0
    Connection type: fabric
    Local SCSI ID: 0x011e00
    Local WWPN: 0x10000000c9460ab1
    Local WWNN: 0x20000000c9460ab1

Initializing device information...
Scanning SAN...
SCSI ID LUN ID   WWPN    WWNN    Vendor ID Product ID Rev  NACA Qualifier     Device    Type                  Error(s)
070c00  0000000000000000 5005076801302afd 5005076801002afd IBM   2145  0000 yes  Not connected Unknown                or no device

sanscan produces tons of information that may be priceless for a stressed AIX administrator. Ask for it.

Posted in Real life AIX.


ssh does not work, really?

You will find a few posts touching ssh “issues” in this blog. This morning, I had to interrupt my daily routine (building, building, and more building for migration from the older to the newest hardware) in order to convert the “old” scripts (rcp based) into the new (scp based) – for the very well known reasons….

Posted in Real life AIX.


Copyright © 2015 - 2016 Waldemar Mark Duszyk. - best viewed with your eyes.. Created by Blog Copyright.