Mapping NT User Account Information to LDAP

The schema for two object classes, ntUser and ntGroup, that support Windows NT user accounts ships with the iPlanet Directory Server. Some of the LDAP attributes contained in these object classes correspond directly to Windows NT user account fields. These are shown in TABLE 12-1. (TABLE 12-1, Windows NT to LDAP Mapping, has the columns Directory Server Attribute and NT User Account Field; its rows are not reproduced here.) For each Windows NT user account, as well as for Windows NT groups, an equivalent LDAP entry is created with these mapped fields....

Introducing Route Table Search Order

The kernel routing algorithm searches route table entries in the following order: 1. The kernel routing algorithm checks the LAN for destination hosts. The kernel extracts the destination IP address from the IP datagram and computes the destination network number. The destination network number is then compared with the network numbers of all of the local interfaces (interfaces that are physically attached to the system) for a match. If the destination network number matches that of a local interface...

Internet Layer: IGMP

The Internet Group Management Protocol (IGMP) version 2 is described fully in RFC 2236. Hosts belonging to multicast groups use IGMP to report their memberships to local multicast routers. Three IGMP messages are relevant to this introduction, namely: Membership query - used to determine which groups have members on a network; Membership report - used by a system to report that it is part of a multicast group; Leave group - used by a system when it leaves a multicast group. ARP has been replaced by...

SNMP-Based Monitoring

Early versions of the Solaris fault manager reported faults to the system log and console(s). It provided a wealth of status information using fmadm(1M). But these reporting mechanisms leave much to be desired: syslog messages must be parsed, and a busy central log host can easily lose important messages in the noise. Worse still, a privileged user must log into the affected system and run administrative commands to get information they need that is not contained in the message. SNMP is a...

14.7.1 Memory Mapped I/O

A request to memory-map a file into an address space is handled by the file system's vnode method vop_map() and the seg_vn memory segment driver (see Section 14.7.4). A process requests that a file be mapped into its address space. Once the mapping is established, the address space represented by the file appears as regular memory, and the file system can perform I/O by simply accessing that memory. Memory mapping of files hides the real work of reading and writing the file because the seg_vn memory...

Setting a Local Ethernet Address

In today's network environments, many systems have multiple interfaces, often on the same subnet or collision domain. Because an Ethernet address targets systems, each interface on the same network or subnet on a multi-interface system must have a unique Ethernet address. Sun network adapters have local Ethernet addresses encoded in their programmable read-only memories (PROMs). To view the current host-based Ethernet address, perform the command at the ok prompt: Sun Ultra 5/10 UPA/PCI...

Installing a Solaris Package Using the CLI

The best way to learn about adding packages is to use an example. In this section, you'll download a package from http://www.sunfreeware.com called gpw-6.94-sol10-sparc-local.gz, an application developed by Tom Van Vleck that generates random passwords. Let's look more closely at the package name to determine what software this package contains. The .gz extension indicates that the package file has been compressed using gzip after it was created. Other possible extensions include .Z, which...

ifconfig -a

        inet 127.0.0.1 netmask ff000000
hme0: mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

The MAC address is listed as 8:0:20:93:c9:af in this example. You can also retrieve the MAC address from a system that has not yet been booted by performing the banner command at the ok prompt.

Using the sysidcfg File

For the sysidcfg file method, a file for each system is created that contains a set of lines in the form keyword=value, such as timezone=US/Central. The file can be made available over the network via NFS or on a disk mounted in the local disk drive. The following is a list of information that can be defined in the sysidcfg file: Name service (NIS, NIS+, DNS, or none) along with the hostname and IP address of the server; Network interface (specify DHCP, or specify an IP address and netmask instead)....

CDE Process Manager

New in Solaris 8 is CDE Process Manager, sdtprocess, a graphical Common Desktop Environment (CDE) tool that provides a Process Manager window for monitoring and controlling system processes. The advantage of using Process Manager is that you can view and control processes without knowing all the complex options associated with the ps and kill commands. For example, you can display processes that contain specific character strings, and you can sort the process list alphabetically or numerically....

The Boot Command

The easiest way to boot a system from the powered-down state is, of course, to turn it on. When you turn a system on, the system locates the boot device using information stored in its NVRAM and starts loading various boot software, as described earlier. If you interrupt this process with a Stop-A, or if your auto-boot NVRAM parameter (discussed later in this chapter) is set to false, you can choose to boot from a different device or explore the OpenBoot environment. The full syntax of the boot...

pwconv

You can use the pwconv command to convert systems that do not have a shadow password file to use password shadowing. Most, if not all, modern systems use password shadowing. However, if the /etc/shadow file does not exist, the encrypted password is stripped from /etc/passwd and replaced by x, indicating that the password for each user is shadowed. A shadow password file is then created using the encrypted passwords extracted from the password file. However, a more common use of...

12.2.3.1 The Translation Table Entry

Each entry of the TLB consists of a Translation Table Entry (TTE), which describes the mapping and provides details of its associated properties. The TTE may be thought of as corresponding to a page table entry, or PTE, in the sun4m architecture. A TTE is made up of two components, the tag and the translation data, each of length 64 bits. The TTE tag contains the encoded virtual address and context ID (Figure 12.7), and the TTE data contains the corresponding physical address together with...

Direct Maps

A direct map provides both mount point and NFS resources. Entries in a direct map consist of three fields: Key - the key is typically a full pathname that is to be used as a mount point; Mount options - the mount options field contains zero or more comma-separated NFS-specific mount options, as described in Table 15.3; NFS resource - the NFS resource field takes the form server:file_system, which identifies a file system shared by the system server. Because more than one NFS server might be...

1.3.1 Solaris Kernel Architecture

The Solaris kernel is grouped into several key components and is implemented in a modular fashion. System call interface: the system call interface allows user processes to access kernel facilities. The kernel then performs specific tasks on behalf of the calling process, such as reading or writing a file, or establishing a network connection. The system call layer consists of a common system call handler, which vectors execution into the appropriate kernel modules. Process execution and...

Chapter 1 Introduction to Observability Tools

Bryan Cantrill's foreword describes operating systems as proprietary black boxes, welded shut to even the merely curious. Bryan paints a realistic view of the not-too-distant past when only a small amount of the software stack was visible or observable. Complexity faced those attempting to understand why a system wasn't meeting its prescribed service-level and response-time goals. The problem was that the performance analyst had to work with only a small set of hardwired performance statistics,...

svcs -l nfs/server

require_any/error svc:/milestone/network (online)
require_all/error svc:/network/nfs/nlockmgr (online)
optional_all/error svc:/network/nfs/mapid (online)
require_all/restart svc:/network/rpc/bind (online)
optional_all/none svc:/network/rpc/keyserv (disabled)
optional_all/none svc:/network/rpc/gss (online)
require_all/error svc:/system/filesystem/local (online)

7.9.2 TCP Statistics from Kstat

The kstat command can fetch all the TCP MIB statistics. You can print all statistics from the TCP module by specifying -m instead of -n; -m also includes tcpstat, a collection of extra kstats that are not contained in the Solaris TCP MIB. And you can print individual statistics

Autoenabling a Service Group

A service group is autodisabled until VCS probes all of the resources and checks that they are ready to bring online. Autoenable a service group in situations where the VCS engine is not running on one of the systems in the cluster and you must override the disabled state of the service group to enable the group on another system in the cluster. To autoenable a service group from Cluster Explorer: 1. On the Service Groups tab of the configuration tree, right-click the service group; or click...

Fragment Size

As files are created or expanded, they are allocated disk space in either full logical blocks or portions of logical blocks called fragments. When disk space is needed to hold data for a file, full blocks are allocated first, and then one or more fragments of a block are allocated for the remainder. For small files, allocation begins with fragments. The ability to allocate fragments of blocks to files rather than whole blocks saves space by reducing the fragmentation of disk space that results...

Creating an NIS+ Group

To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name. When you create a group, an NIS+ groups table with the name you have given is created in groups_dir. You can use nisls to confirm that the new group table now exists in groups_dir, and niscat to list the group's members listed in the table. A newly created group contains no members. See "Adding Members to an NIS+ Group" on page 320 for information...

Deleting a Service Group

Delete a service group from Cluster Explorer or Command Center. Note: You cannot delete service groups with dependencies. To delete a linked service group, you must first delete the link. To delete a service group from Cluster Explorer: 1. On the Service Groups tab of the configuration tree, right-click the service group; or click a cluster in the configuration tree, click the Service Groups tab, and right-click the service group icon in the view panel. To delete a service group from Command...

Stateful Packet Filtering

Packet state filtering can be used for any TCP flow to short-cut later filtering. The shortcuts are kept in a table, with no alterations to the list of firewall rules. Subsequent packets, if a matching entry is found in the table, are not passed through the rule list, making packet filtering much more efficient. For TCP flows, the filter follows the ack sequence numbers of packets and only allows through packets that fall inside the correct window. Keep state for all outgoing telnet connections and...

5.6.4 Block Buffer Cache

The buffer cache used in Solaris for caching of inodes and file metadata is now also dynamically sized. In old versions of UNIX, the buffer cache was fixed in size by the nbuf kernel parameter, which specified the number of 512-byte buffers. We now allow the buffer cache to grow by nbuf, as needed, until it reaches a ceiling specified by the bufhwm kernel parameter. By default, the buffer cache is allowed to grow until it uses 2% of physical memory. We can look at the upper limit for the buffer...

Preventing Multipathing/Suppress Devices from VxVM's View

This section describes how to exclude a device that is under VxVM or Dynamic Multipathing control. To prevent multipathing or suppress devices, enter the command: 1. Select menu item 17 (Prevent Multipathing/Suppress devices from VxVM's view) from the vxdiskadm main menu. VxVM INFO V-5-2-1239: This operation might lead to some devices being suppressed from VxVM's view or prevent them from being multipathed by vxdmp. This operation can be reversed using the vxdiskadm command. Do you want to...

2.10.1 Procfs Implementation

Procfs is implemented as a dynamically loadable kernel module, /kernel/fs/procfs, and is loaded automatically by the system at boot time. /proc is mounted during system startup by virtue of the default /proc entry in the /etc/vfstab file. The mount phase causes the invocation of the procfs prinit (initialize) and prmount file-system-specific functions, which initialize the vfs structure for procfs and create and initialize a vnode for the top-level directory file, /proc. The kernel memory space for the...

The zonecfg Resources Parameters

Resource types within the zonecfg utility include the following: zonename - defines the zone name and identifies the zone to the configuration utility; zonepath - defines the zone path resource and is the path to the zone root; fs - assigns resource parameters for file systems. Use of the special parameter allows the local zone to mount global system resources under separate directories. Table 15-2 shows parameters associated with the fs resource. Table 15-2, The fs Resource Parameters Table...

4 CL_ETYPE

The type that you specified with the -t or -p option does not exist. Examples: EXAMPLE 1 Adding a SCSI Quorum Device. The following clquorum command configures a SCSI quorum device that is connected to all the cluster nodes: clquorum add /dev/did/rdsk/d4s2. When you use the add subcommand, the shared_disk type is the default. To add a shared_disk quorum device, you do not need to specify -t shared_disk. EXAMPLE 2 Adding a Network Appliance NAS Quorum Device. The following clquorum command adds the...

Secure RPC Password Versus Login Password Problem

When a principal's login password is different from his or her Secure RPC password, keylogin cannot decrypt it at login time, because keylogin defaults to using the principal's login password, and the private key was encrypted using the principal's Secure RPC password. When this occurs, the principal can log in to the system, but for NIS+ purposes the principal is placed in the authorization class of nobody, because the keyserver does not have a decrypted private key for that user. Since most NIS+...

8.3 cputrack Command

While the cpustat command monitors activity for the entire system, the cputrack command allows the same counters to be measured for a single process. This can be useful for focusing on particular applications and determining whether a single process is the cause of performance issues. The event specification for cputrack is the same as for cpustat, except that instead of an interval and a count, cputrack takes either a command or -p pid. cputrack [-T secs] [-N count] [-Defhnv] [-o file] -c events command...

ipfstat -io

block in proto tcp from any to 192.168.2.0/24 port = telnet

Note - The ipfstat -io command does not display the rules in the same sequence as they are listed in the /etc/ipf/ipf.conf file. The out rules are listed in order first, and then the in rules are listed.

Configuring Logging in the Solaris IP Filter Firewall

The Solaris IP Filter firewall includes the ability to log its actions. Logged information is sent to the /dev/ipl device. The /dev/ipl device can be monitored by running the ipmon...

Resource and Resource Group States and Settings

A system administrator applies static settings to resources and resource groups. You can change these settings only by administrative action. The RGM moves resource groups between dynamic states. These settings and states are as follows Managed or unmanaged settings. These cluster-wide settings apply only to resource groups. The RGM manages resource groups. You can use the clresourcegroup command to request that the RGM manage or unmanage a resource group. These resource group settings do not...

Configuring the Sections of Makefile

The first section of the Makefile file contains the following macro definitions. The second section of the Makefile file contains the first target, all:

all: passwd group hosts ipnodes ethers networks rpc services protocols netgroup bootparams aliases publickey netid netmasks c2secure timezone auto.master auto.home auth.attr exec.attr prof.attr user.attr audit.user

The all target has several dependencies, each of which represents one of the NIS maps to be built. This feature enables the entire...

The Substitution String for an Indirect Map

The following entry reduces the auto_home file to a single line. The use of substitution characters specifies that for every login ID, the client remotely mounts the /export/home/loginID directory from the NFS server server1 onto the local mount point /home/loginID. This entry uses the wildcard character * to match any key; the substitution character & at the end of the location specification is replaced with the matched key field. This works only when all home directories are on a single server...

Step 9 Setting Password Read Permission for proxyagent

If pam_unix is used to authenticate Solaris users, as recommended, the cn=proxyagent DN, with which the Solaris LDAP client binds to the server, must be granted read permission for user account passwords. To perform this operation through the Directory Console, follow these steps: 1. Click the right mouse button on the top-level object, then choose Set Access Permissions from the pull-down menu and add the following data: User/Group: cn=proxyagent,ou=profile (use Add User to List); Rights: compare,...

Encapsulation and Deencapsulation

When systems communicate with each other, data can be thought of as flowing down the model from the application layer to the hardware layer, across the network connection, and then flowing up the model on the target system from the hardware layer to the application layer. A header is added to each segment received on the way down the model, and a header is removed from each segment on the way up the model, as shown in Figure 2-2. Each header contains specific address information so that the...

Encapsulation and Deencapsulation

When you think of systems communicating via a network, you can imagine the data progressing through each layer down from the application layer to the hardware layer, across the network, and then flowing back up from the hardware layer to the application layer. A header is added to each segment that is received on the way down the layers (encapsulation), and a header is removed from each segment on the way up through the layers (de-encapsulation). Each header contains specific address information...

The NFSv4 Finish Script

A sample script is delivered as part of the JumpStart sample files in the CD's s0/Solaris_10/Misc/jumpstart_sample directory. This finish script allows the user to specify the NFSv4 domain within the script and have the sysidcfg finish.sh script call it. The provided script sets the NFSMAPID_DOMAIN setting in /etc/default/nfs and creates the /etc/.NFS4inst_state.domain state file. Upon first system boot, sysidnfs4 is executed by sysidconfig as explained above, but the existence of the state file...

Example 2: The main.cf for a Two-Node Asymmetric NFS Cluster

The following example is a basic two-node cluster exporting an NFS file system. The servers: Server1 and Server2. Storage: one disk group managed using VERITAS Volume Manager, shared1. IP address: 192.168.1.3 (IP_nfs1). Server1 is the primary location to start NFS_group1. In an NFS configuration, the resource dependencies must be configured to bring up the IP address last. This prevents the client from accessing the server until everything is ready, preventing unnecessary Stale File Handle errors on...

Device Groups

In the Sun Cluster software, all multihost devices must be under control of the Sun Cluster software. You first create volume manager disk groups, either Solaris Volume Manager disk sets or VERITAS Volume Manager disk groups, on the multihost disks. Then, you register the volume manager disk groups as device groups. A device group is a type of global device. In addition, the Sun Cluster software automatically creates a raw device group for each disk and tape device in the cluster. However,...

DHCP Administration Commands: pntadm (Continued)

-M Modify the specified client entry with the hostname or the client IP address in the named dhcp_network table. For example: pntadm -M 128.50.2.2 -m inet11 -f 'PERMANENT+MANUAL' 128.50.2.0. -D Delete the specified client entry in the named dhcp_network. For example: -P Display the named dhcp_network table. For example: -R Remove the named dhcp_network table. For example: pntadm -R 128.50.2.0 -r nisplus -p Test.Nis.Plus. The dhtadm command is used to manage the DHCP service configuration table,...

The SOA Record

SOA is the start of authority record. It contains the information that other name servers querying this one will require, and it determines how the data will be handled by those name servers. Each primary file pointed to in named.boot should have one and only one SOA record. The two fully qualified names listed after the SOA label are the primary name server for the domain and the e-mail address to which problems with the zone or domain should be sent. NOTE: Because @ signs cannot be used in this field, the...

Preventing General DoS Attacks: Malformed Packet Attacks and Flooding

For the exam, you should know the six techniques Sun recommends implementing to help prevent DoS attacks against the Solaris operating system. These are disabling executable stacks, disabling extraneous IP services/ports, using egress filtering, using firewalls, monitoring networks, and implementing a patch update program. To prevent and defend against DoS attacks, including malformed packet attacks and flooding, Sun Microsystems recommends using egress filtering, TCP wrappers, firewalling,...

2.4.2 User Area

The role of the user area (traditionally referred to as the uarea) has changed somewhat in the Solaris environment when compared with traditional implementations of UNIX. The uarea was linked to the proc structure through a pointer and thus was a separate data structure. The uarea was swappable if the process was not executing and memory space was tight. Today, the uarea is embedded in the process structure. The process kernel stack, which was traditionally maintained in the uarea, is now...

Cluster Membership

Cluster membership implies that the cluster must accurately determine which nodes are active in the cluster at any given time. In order to take corrective action on node failure, surviving nodes must agree on when a node has departed. This membership needs to be accurate and must be coordinated among active members. This becomes critical considering nodes can be added, rebooted, powered off, faulted, and so on. VCS uses its cluster membership capability to dynamically track the overall cluster...

Monitoring the Database from the Command Line

You can monitor your directory server's database activities from any LDAP client by specifying the following parameters: blueprints# ldapsearch -h blueprints.com -s base -b "cn=monitor,cn=ldbm" "objectclass=*". When you monitor your server's activities in this way, you see the following information: database - the type of database you are currently monitoring; read-only - state of the database, that is, whether it is in read-only mode. A value of 0 means the server is not in read-only mode; 1 means it is in...

VEA Windows Client Package Installation

To install the Windows Client Package, follow this procedure:
1. Install the base English package for the VEA client, VRTSobgui.msi:
   a. If the CD-ROM drive is drive D:, navigate to D:\Windows.
   b. Double-click VRTSobgui.msi.
   c. Follow the instructions from the installer.
2. Install the multi-language pack for the VEA client, VRTSmuobg.msi:
   a. If the CD-ROM is drive D: and, for example, you want to install the Japanese version, navigate to D:\ja\windows.
   b. Double-click VRTSmuobg.msi.
   c. Follow the...

intrstat

device   cpu0 %tim   cpu1 %tim   cpu2 %tim   cpu3 %tim
ata#1       0  0.0       4  0.0      0  0.0      0  0.0
bge#0       1  0.0       0  0.0      0  0.0      0  0.0
mpt#0       0  0.0   12661  4.8      0  0.0      0  0.0

device   cpu0 %tim   cpu1 %tim   cpu2 %tim   cpu3 %tim
ata#1       0  0.0       0  0.0      0  0.0      0  0.0
bge#0       6  0.0       0  0.0      0  0.0      0  0.0
mpt#0       0  0.0   12630  4.7      0  0.0      0  0.0

means it is likely that CPU 1 has device interrupt bindings. The intrstat(1) data shows us that device mpt#0 (mpt is the device nomenclature, 0 refers to instance 0 of the device) is generating interrupts to CPU 1, which...

9.7 Interrupt Analysis: intrstat

The intrstat command, new in Solaris 10, uses DTrace. It measures the number of interrupts and, more importantly, the CPU time consumed servicing interrupts, by driver instance. This information is priceless and was extremely difficult to measure on previous versions of Solaris. In the following example we ran intrstat on an UltraSPARC 5 with a 360 MHz CPU and a 100 Mbits/sec interface while heavy network traffic was received. device | cpu0 %tim ------------------ ---------------- device | cpu0...

BSD Versus SVR4 Printing Software

The software that drives the UNIX printing process is an area in which the two UNIX versions, BSD and SVR4, are similar and yet very different. The two print systems are similar in that both are based on the concept of spooling. Both SVR4 and BSD print services support the concept of an interface program, which acts as a filter through which all output sent to the printer is passed. Here are some sample uses of an interface program: Adding a banner page. Most UNIX systems automatically add a...