Unix Wear: Put your favourite unix on
Marcin Wiśnios

Blind Administration (2011-09-11)
A few weeks ago I lost the ability to see any output from my MacBook Pro.

It was the second time. The first time I had lost only the built-in LED display.
The DVI output worked fine. Then came the healing power of a promise: I have to buy a new one.
But a threat without coverage is just a bucket of words.
The MBP made me blind, completely and definitely. No video output. No remote access.
No working ssh daemon, no firewall access, no future.

I thought target disk mode would be the cure.
I have a PowerBook Pismo with Tiger on board. Unfortunately, the data on the MBP was encrypted with
FileVault from Snow Leopard. Both the target mode connection and a manual mount attempt failed.

Collecting the recipe components took me many hours, often filled with exasperation.
Hidden typos. Invisible prompts. Lurking daemons.

The recipe.
It's here to remember. It's here to save other souls.

Power on.
Listen for the chime and wait a few moments, then log in:
<i>username</i> TAB
<i>password</i>

Open Applications:
<b>⌘+Shift+A</b>
and invoke your favourite text terminal by typing its name, followed by ⌘+O:
i t e r m <b>⌘+O</b>

Confirm you're in:
<pre style="color: #006600">$ say ok
$ sudo su
> put your password <
</pre>
Confirm your identity.
<pre style="color: #006600">$ whoami | say
</pre>
Let the dogs out. Pick a breed, choose wisely.
<pre style="color: #006600">$ launchctl load -w /System/Library/LaunchDaemons/telnet.plist # -w overrides the Disabled key,
$ launchctl load -w /System/Library/LaunchDaemons/ssh.plist    # so the service stays enabled across reboots
$ launchctl start com.apple.telnetd   # plaintext protocol; skip it if sshd is enough
$ launchctl start com.openssh.sshd
</pre>
Check the locks.
<pre style="color: #006600">$ defaults read /Library/Preferences/com.apple.alf globalstate | say
2
</pre>
Firewall states:
<ul type="square"><li>0 - deactivated</li>
<li>1 - on for specific services</li>
<li>2 - on for essential services</li>
</ul>
Open the gates.
<i>Good enough for older systems (Tiger), where no reboot is required:</i>
<pre style="color: #006600">$ ipfw flush
> 'y' to flush <
$ ipfw list | say # 'any to any' means success
</pre>
<i>Permanent solution:</i>
<pre style="color: #006600">$ defaults write /Library/Preferences/com.apple.alf globalstate -int 0
$ reboot
</pre>
Connect and enjoy it, and once you are in put the firewall back (globalstate 1 or 2).

Mount the USB disk drive.
<pre style="color: #006600">sh-3.2# diskutil list | grep SAM
1: Windows_FAT_32 SAMSUNG 2.0 TB disk2s1
sh-3.2# diskutil mountDisk SAMSUNG
Volume(s) mounted successfully
</pre>
Rsync your secrets.

db2setup start failure on Debian/Ubuntu (2011-01-03)
Two late evenings of life: that was the time cost of discovering the solution.
I had tried to put DB2 Express-C 9.7.2 on a 64-bit Linux system, and I failed both on Ubuntu 8.04 LTS
and on Debian 5.0 (I know it is not a recommended/supported setup).

The first and the last problem was related to the db2setup startup error.
It can be seen from the console just like this:
<pre style="color: #006600">
# ./db2setup
DBI1190I db2setup is preparing the DB2 Setup wizard which will guide
 you through the program setup process. Please wait.


#
</pre>
But there was a trail in the error log:
<pre style="color: #006600">
# cd /tmp
# cat db2setup.err
Exception in thread "main" java.lang.UnsatisfiedLinkError: awt (An exception was pending after running JNI_OnLoad)
 at java.lang.ClassLoader.loadLibraryWithPath(ClassLoader.java:998)
 at java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:962)
 at java.lang.System.loadLibrary(System.java:465)
 at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:69)
 at java.security.AccessController.doPrivileged(AccessController.java:202)
 at java.awt.Toolkit.loadLibraries(Toolkit.java:1605)
 at java.awt.Toolkit.<clinit>(Toolkit.java:1627)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
 at java.awt.AWTEvent.<clinit>(AWTEvent.java:220)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
 at sun.misc.Unsafe.ensureClassInitialized(Native Method)
 at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:37)
 at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:122)
 at java.lang.reflect.Field.acquireFieldAccessor(Field.java:920)
 at java.lang.reflect.Field.getFieldAccessor(Field.java:901)
 at java.lang.reflect.Field.get(Field.java:360)
 at com.ibm.db2.tools.common.support.AssistManager.loadVKeys(Unknown Source)
 at com.ibm.db2.tools.common.support.AssistManager.<clinit>(Unknown Source)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
 at DB2Setup.<init>(Unknown Source)
 at DB2Setup.main(Unknown Source)
#
</pre>
Let me start from the beginning.
<pre style="color: #006600">
# ./db2setup
WARNING:
 Can't use string to find the version of libstdc++.
 Check the following web site for the up-to-date system requirements
 of IBM DB2 9.7
 http://www.ibm.com/software/data/db2/udb/sysreqs.html
 http://www.software.ibm.com/data/db2/linux/validate
 The force option "-f sysreq" is used to force the installation ...

DBI1190I db2setup is preparing the DB2 Setup wizard which will guide
 you through the program setup process. Please wait.



The DISPLAY variable is not set properly.
Ensure that the DISPLAY variable is set properly and that permissions are set properly to open windows on the display specified, then rerun the command.
#
</pre>
Even with <b>-f sysreq</b> there was no visible progress.
Before the installation began I had installed <b>libaio1</b> and <b>libstdc++6</b>, as mentioned in the online documentation.

The installation was on a remote server, so to verify that X11 session forwarding works fine I had to install <em>xauth</em> and use the <b>ssh -Y</b> option.
<pre style="color: #006600">
# xauth list
digestive.deadsystems.com/unix:10 MIT-MAGIC-COOKIE-1 a957c95c1c862f5314b32e88c5bd9e17
# echo $DISPLAY
localhost:10.0
</pre>
<em>I used xarclock to check that the remote app is displayed fine on my laptop.</em>

"Can't use string to find the version of libstdc++." was resolved by simply installing the <b>binutils</b> package (to get the <em>strings</em> binary).

But there was no progress yet.
<pre style="color: #006600">
# ./db2setup
WARNING:
 The 32 bit library file libstdc++.so.6 is not found on the system.
 32-bit applications may be affected.
DBI1190I db2setup is preparing the DB2 Setup wizard which will guide
 you through the program setup process. Please wait.


#
</pre>
Then it struck me that /tmp/db2setup.err contains a Java-related exception, yet there was no Java VM on the machine.
<pre style="color: #006600">
# java -version
-ksh93: java: not found [No such file or directory]
</pre>
After installing <b>sun-java6-jre</b> there was still nothing more.
<pre>
# java -version
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)
</pre>

A few more search queries and I found a <a href="http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=/com.ibm.java.doc.user.lnx.60/user/limitations.html">tip</a>:
<cite>
GUI applications, such as the JConsole monitoring tool, on 64-bit Ubuntu with a 32-bit JVM
When running a 32-bit JVM on a 64-bit Ubuntu system, GUI applications do not start because some AWT libraries are missing. To fix the problem, install the 32-bit libraries using the ia32-libs package:
sudo apt-get install ia32-libs
The following exception is thrown if the libraries are not available:
Exception in thread "main" java.lang.UnsatisfiedLinkError: awt (An exception was pending after running JNI_OnLoad)
 at java.lang.ClassLoader.loadLibraryWithPath(ClassLoader.java:993)
 at java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:962)
 at java.lang.System.loadLibrary(System.java:465)
 ... lines removed for clarity ...
If problems are encountered with DNS name resolution, install the package lib32nss-mdns.
</cite>
But neither <b>ia32-libs</b> nor <b>lib32nss-mdns</b> installation helped me go further.
The only benefit was the absence of the warning message:
<pre>
WARNING:
 The 32 bit library file libstdc++.so.6 is not found on the system.
 32-bit applications may be affected.
</pre>
Then it looked like:
<pre style="color: #006600">
# ./db2setup
DBI1190I db2setup is preparing the DB2 Setup wizard which will guide
 you through the program setup process. Please wait.


#
</pre>
After a few additional hours of digging through the differences between the library sets on two machines,
the first with fully operational DB2 instances and the second being the unlucky node, I pointed at the main culprit for all the evil: there was no <b>libxft2</b>. After <em>apt-get install libxft2</em>, db2setup rose from the ashes.

Enjoy.

Un-monit (2011-01-01)
Using <em>monit</em> to look after hosts and services, sometimes you need to stop watching a particular check.
The argument for the <b>unmonitor</b> option is the process name or host name being monitored, e.g.
<pre style="color: #006600">
# monit status
[...]
Remote Host 'eye0.deadsystems.com'
 status Connection failed
 monitoring status monitored
[...]

# monit unmonitor eye0.deadsystems.com
# monit summary
[...]
Process 'sshd' running
Remote Host 'eye0.deadsystems.com' not monitored
[...]
</pre>

User passwords may not be provided in pre-encoded form (2010-09-28)
One of the very first differences between OpenDS and DSEE I noticed was the possibility of ldapmodifying the userPassword value.
In OpenDS this feature is disabled by default.

<pre style="color: #006600">
$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation failed
Result Code: 53 (Unwilling to Perform)
Additional Information: User passwords may not be provided in pre-encoded form

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Default Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Root Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

</pre>
I do not know the pro and con voices in this discussion, but for me there is only one disadvantage: the ability to observe
multiple instances of the same encoded password string.
And it is a risk only when the one who notices this fact is the bad guy.
In contrast I see only advantages.
So...
<pre style="color: #003399">
dn: cn=Root Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
</pre>
The LDIF has been applied.
<pre style="color: #006600">
$ encode-password -s SSHA512 -f ~/.odspwd
Encoded Password: "{SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c"

$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=odsmgr" +
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config "cn=odsmgr" +
dn: cn=odsmgr,cn=Root DNs,cn=config
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20100927104857Z
createTimestamp: 20100924124513Z
pwdChangedTime: 20100927104857.435Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
entryDN: cn=odsmgr,cn=root dns,cn=config
entryUUID: 99296ddd-e705-468b-8112-afd19bb38821
hasSubordinates: false
subschemaSubentry: cn=schema
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=confi
 g
structuralObjectClass: inetOrgPerson
numSubordinates: 0
</pre>
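As an added example (not code from the original post), here is how the salted schemes shown above are built and checked, and why the one disadvantage named above bites: a freshly hashed password carries a fresh random salt, so identical userPassword values under two DNs can only come from a pre-encoded string copied between entries, which tells anyone who can read the attribute that those accounts share a password. The 8-byte salt length is an assumption read off the encoded values on this page (96 base64 chars for SSHA512 is 64 + 8 bytes, 40 for SSHA is 20 + 8).

```python
import base64
import hashlib
import hmac
import os

# Salted schemes seen on this page: name -> (hashlib algorithm, digest length in bytes).
SCHEMES = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}
# Assumption: OpenDS appends an 8-byte salt after the digest (derived from the
# lengths of the encoded values on this page).
SALT_LEN = 8


def encode_password(password, scheme="SSHA512", salt=None):
    """Return '{SCHEME}' + base64(H(password || salt) || salt), with a fresh salt unless given."""
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_encoded(encoded):
    """Split a stored value into (scheme, digest, salt); raise ValueError if malformed."""
    if not encoded.startswith("{") or "}" not in encoded:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = encoded[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme " + scheme)
    raw = base64.b64decode(b64, validate=True)
    _, dlen = SCHEMES[scheme]
    if len(raw) <= dlen:
        raise ValueError("value too short to carry a salt")
    return scheme, raw[:dlen], raw[dlen:]


def verify_password(password, encoded):
    """True when the password hashes to the stored digest under the stored salt."""
    scheme, digest, salt = parse_encoded(encoded)
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def shared_password_values(entries):
    """Map each userPassword value stored under more than one DN to those DNs.

    A password hashed by the server never repeats (new salt each time), so a
    repeated value means a pre-encoded string was copied between entries.
    """
    by_value = {}
    for dn, value in entries:
        by_value.setdefault(value, []).append(dn)
    return {v: dns for v, dns in by_value.items() if len(dns) > 1}


if __name__ == "__main__":
    one, two = encode_password("secret"), encode_password("secret")
    print(one)
    print("same password, different stored values:", one != two)
    copied = [("cn=Directory Manager,cn=Root DNs,cn=config", one),   # constructed sample
              ("cn=odsmgr,cn=Root DNs,cn=config", one)]
    print(shared_password_values(copied))
```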

Directory Managers. Lots of Directory Managers. (2010-09-26)
Last week I decided to get some OpenDS practice. Practical solving of a problem is better
than hundreds of lines of reading about the activity of others. At least that's the way I feel.
Task: multiply the Directory Manager account to delegate administration without handing out your secret password.

In theory it is possible without any problems.
The only requirement is the object class <em>ds-cfg-root-dn-user</em>.
I copied almost all attributes from the current "root" account into a new one.
<pre style="color: #006600">
$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Directory Manager"
dn: cn=Directory Manager,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=dirmgr
cn: Directory Manager
givenName: Directory
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0


$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: add
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: odsmgr
givenName: ODS
sn: Manager
userPassword: secret

Processing ADD request for cn=odsmgr,cn=Root DNs,cn=config
ADD operation successful for DN cn=odsmgr,cn=Root DNs,cn=config
</pre>
For the initial testing I duplicated the password as well.
<pre style="color: #006600">
$ ldappasswordmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd \
> -a "dn:cn=odsmgr,cn=Root DNs,cn=config" -c secret -N ~/.odspwd
The LDAP password modify operation was successful
</pre>

During the cut'n'paste session of ldapmodify I omitted <em>ds-cfg-alternate-bind-dn</em> intentionally.
I thought the adjective "alternate" was self-explanatory.
Wrong!
<pre style="color: #006600">
$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=odsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=odsmgr
cn: odsmgr
givenName: ODS
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==
</pre>
Why not test a case with multiple <em>ds-cfg-alternate-bind-dn</em> attribute values?
<pre style="color: #006600">
$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=dsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
ds-cfg-alternate-bind-dn: cn=odsmgr
ds-cfg-alternate-bind-dn: cn=dsmgr
sn: Manager
cn: odsmgr
givenName: ODS
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==
</pre>
But wait a minute. Why is the userPassword value encoded with the <b>SSHA</b> password scheme, while
the Directory Manager and the default root scheme point to <b>SSHA512</b>?
<pre style="color: #006600">
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn="Directory Manager" userpassword
dn: cn=Directory Manager,cn=Root DNs,cn=config
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=Root Password Policy" \
> ds-cfg-default-password-storage-scheme
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Sc
 hemes,cn=config
</pre>
The answer came with a hint from <a href="http://twitter.com/LudoMP">Ludovic Poitou</a>:
the virtual attribute <em>ds-pwp-password-policy-dn</em> should be set explicitly.
<pre style="color: #006600">
$ ldapmodify -p 1389 -D cn=dsmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ openssl rand -base64 12 > ~/.dspwd

$ ldappasswordmodify -p 1389 -D cn=dsmgr -j ~/.odspwd -a "cn=odsmgr,cn=Root DNs,cn=config" \
> -C ~/.odspwd -N ~/.dspwd
The LDAP password modify operation was successful

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config cn=odsmgr userpassword
dn: cn=odsmgr,cn=Root DNs,cn=config
userpassword: {SSHA512}BxvZzrhuVpwOv6FMc9sI1infjPC7PQ0dXXdry4ZLNgq6FJbjCVfSiLwBO
 A1uzaXAscS7pkNbfkP4hG11L9DTPsRfpusta+4x
</pre>
Nice.

Custom Service Packages (2010-09-21)
During each subsequent comms implementation I forget one or more steps from the following recipe.
So here come the milestones to remember.
For the complete documentation refer to <a href="http://wikis.sun.com/display/CommSuite7/Delegated+Administrator+7+Initial+Configuration">wikis.sun.com</a>.

The template for the basic set of packages, <strong>da.cos.skeleton.ldif</strong>, can be found in the directory
<strong>/opt/sun/comms/da/lib/config-templates/</strong>
of the Delegated Administrator default installation path.

Usually I use only the packages for MailUser, MailCalendarUser and MailGroup.
After customization the file might look like this:
<pre style="color: #003399">
dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailCalendarUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailGroup
mailMsgMaxBlocks: 5000
daServiceType: mail group
</pre>

Dry run:
<pre style="color: #006600">
# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -n -f da.cos.wisnios.ldif
!adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
</pre>
Wet run:
<pre style="color: #006600">
# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -f da.cos.wisnios.ldif
adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
</pre>
Check:
<pre style="color: #006600">
# ldapsearch -p 1389 -D cn=dirmgr -j /root/.dspwd -b o=cosTemplates,o=root \
> "(&(cn=wisnios*)(objectclass=LDAPsubentry))" daServiceType
version: 1
dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
daServiceType: mail group
</pre>
To make sure that the changes (packages) become visible, restart the app/web container.
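An added example, not part of the original post: an offline pre-flight check to run before the dry run above. It parses the cosTemplate LDIF (including folded continuation lines) and verifies that every record carries the four object classes, that cn matches the RDN, that mailMsgMaxBlocks is numeric, and that each combination of daServiceType values sits in the container this page uses for it. The container mapping is taken from the three templates above; nothing else is assumed.

```python
COS_BASE = "o=cosTemplates,o=root"
REQUIRED_OBJECTCLASSES = {"top", "ldapsubentry", "extensibleobject", "costemplate"}
# Container a template must live in, keyed by its set of daServiceType values
# (the three combinations used on this page).
CONTAINER_FOR_SERVICES = {
    frozenset({"mail user"}): "o=mailuser",
    frozenset({"calendar user", "mail user"}): "o=mailcalendaruser",
    frozenset({"mail group"}): "o=mailgroup",
}


def parse_ldif(text):
    """Parse LDIF records into (dn, {attr_lower: [values]}) tuples.

    Unfolds continuation lines (leading space), skips '#' comments and splits
    records on blank lines. Base64 ('::') values are left undecoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if current is None:
            if name != "dn":
                raise ValueError("record must start with dn:, got " + line)
            current = (value, {})
        else:
            current[1].setdefault(name, []).append(value)
    return records


def check_cos_template(dn, attrs):
    """Return the list of problems with one cosTemplate record (empty when it is fine)."""
    problems = []
    if attrs.get("changetype", ["add"]) != ["add"]:
        problems.append("changetype must be add")
    missing = REQUIRED_OBJECTCLASSES - {v.lower() for v in attrs.get("objectclass", [])}
    if missing:
        problems.append("missing objectclass: " + ", ".join(sorted(missing)))
    rdn, _, parent = dn.partition(",")
    if not rdn.lower().startswith("cn="):
        problems.append("RDN must be cn=<template name>")
    elif attrs.get("cn", []) != [rdn[3:]]:
        problems.append("cn attribute does not match the RDN")
    services = frozenset(v.lower() for v in attrs.get("daservicetype", []))
    container = CONTAINER_FOR_SERVICES.get(services)
    if container is None:
        problems.append("unknown daServiceType set: " + (", ".join(sorted(services)) or "(none)"))
    elif parent.lower() != (container + "," + COS_BASE).lower():
        problems.append("entry must live under %s,%s, not %s" % (container, COS_BASE, parent))
    for v in attrs.get("mailmsgmaxblocks", []):
        if not v.isdigit():
            problems.append("mailMsgMaxBlocks is not a number: " + v)
    return problems


def check_ldif(text):
    """Map every offending DN in the LDIF to its list of problems."""
    result = {}
    for dn, attrs in parse_ldif(text):
        problems = check_cos_template(dn, attrs)
        if problems:
            result[dn] = problems
    return result


# The calendar+mail template from the page, with its long attribute folded as LDIF allows.
GOOD_LDIF = """\
dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailCalendarUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,
 smime:ALL
daServiceType: calendar user
daServiceType: mail user
"""

# Constructed broken template: a mail group filed under o=mailuser and missing cosTemplate.
BAD_LDIF = """\
dn: cn=wisniosMailGroup,o=mailuser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
cn: wisniosMailGroup
mailMsgMaxBlocks: 5000
daServiceType: mail group
"""
```

Running `check_ldif` over a template file before `ldapmodify -n` catches the layout mistakes that the server-side dry run only reports as a generic failure.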

How to automate the SpamAssassin feeding (2010-09-08)
This post is my answer to the Sun Wikis' <a href="http://wikis.sun.com/display/CommSuite7U1090210/Convergence+Administrative+Tasks#ConvergenceAdministrativeTasks-EnablingAntiSpam">entry</a> about enabling the anti-spam functionality in Convergence.

Technologies used:
Messaging Server
SpamAssassin
RBAC - execution profiles

Messaging Server uses two variables to hold the email accounts for feeding the anti-spam system
with positive and false-positive spam messages:
<ul>
 <li>service.feedback.spam</li>
 <li>service.feedback.notspam</li>
</ul>
But there is no embedded mechanism to deal with them.
Here comes my solution.

Every time a Convergence user marks a message as spam (or not spam) with the appropriate button in the interface,
the mail is sent to the address provided in the configuration.
The email messages accumulate in those accounts, waiting for action.

Scenario:
<ul>
 <li>fetching messages from the spam account</li>
 <li>teaching SpamAssassin with spam</li>
 <li>cleaning the INBOX folder</li>
 <li>fetching messages from the notspam account</li>
 <li>teaching SA with ham</li>
 <li>cleaning the account</li>
</ul>

Methods:
<ul>
 <li>fetching messages from the spam account
 <ol type="i"><li>imsexport</li></ol></li>
 <li>teaching SpamAssassin with spam
 <ol type="i"><li>sa-learn --spam</li></ol></li>
 <li>cleaning the INBOX folder
 <ol type="i"><li>mboxutil -d</li><li>mboxutil -c</li></ol></li>
 <li>fetching messages from the notspam account
 <ol type="i"><li>imsexport</li></ol></li>
 <li>teaching SA with ham
 <ol type="i"><li>sa-learn --ham</li></ol></li>
 <li>cleaning the account
 <ol type="i"><li>mboxutil -d</li><li>mboxutil -c</li></ol></li>
</ul>
Because the script will be invoked by the root account, to get access both to the imsexport files and to sa-learn with a valid Bayes DB,
I decided to use one of the Solaris RBAC mechanisms: profiles.

I will not describe the profile creation step by step, because learning by example is much more valuable.
<pre style="color: #006600">
# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
There is no Solaris Management Console Server running on localhost.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# svcadm enable wbem

# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.
You have entered a non-existent right SpamAssassin Administration.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# cd /usr/lib/help/profiles/locale/C
# cat RtSAAdmin.html
< HTML >
< HEAD >
< TITLE >< /TITLE >
< /HEAD >
< BODY >
SpamAssassin Administration right allows the user or role SA management.
< /BODY >
< /HTML >
</pre>
^^^^^
Spaces have been added to the HTML tags because of blogspot problems with handling this kind of stuff within the post body.
<pre style="color: #006600">
# /usr/sadm/bin/smprofile add -H localhost -u root -- \
-n "SpamAssassin Administration" -d "Manage SpamAssassin" -m RtSAAdmin.html
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost was successful.

# tail -1 /etc/security/prof_attr
SpamAssassin Administration:::Manage SpamAssassin:help=RtSAAdmin.html

# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.

# tail -1 /etc/security/exec_attr
SpamAssassin Administration:solaris:cmd:::/export/home/sa/bin/sa-learn:uid=105;gid=102
</pre>

So, running <em>sa-learn</em> as a user/role with the "SpamAssassin Administration" profile assigned
gives access to the Bayes DB files with the proper rights.
Examples can be seen in the script code provided below.

<pre style="color: #003399">
#!/usr/bin/ksh
#------------------------------------
# sa-feed.ksh
# feed SpamAssassin with {NOT}SPAM
# from file in mbox format
#====================================
# author: Marcin Wisnios
# e-mail: wisnios at wisnios dot com
#------------------------------------
PATH=$PATH:/opt/sun/comms/messaging64/bin:/export/home/sa/bin

TDIR=$(mktemp -td)                                        # temporary directory
FILE=$TDIR/INBOX                                          # mbox file
MUSR=$(ps -o user -p $(pgrep -nf dispatcher) | tail -1)   # messaging server runtime user
SUSR=$(ps -o user -p $(pgrep -nf spamd) | tail -1)        # spamassassin runtime user
SPAM=$(configutil -o service.feedback.spam)               # feedback account for spam
NOTSPAM=$(configutil -o service.feedback.notspam)         # feedback account for not spam
BDBL=/export/home/sa/.spamassassin                        # Bayes DB location
SALEARN="pfexec sa-learn --dbpath $BDBL"                  # fixed part of sa-learn invocation

chown $MUSR $TDIR
chmod 0755 $TDIR

imsexport -s INBOX -d $TDIR -u $SPAM

[ -f $FILE ] && {
    chown $SUSR $FILE

    # compare the nspam counter before and after, so the mailbox is only
    # dropped when sa-learn really took the messages in
    NSPAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')
    $SALEARN --mbox --spam $FILE 2> /dev/null && \
    NSPAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')

    [ $NSPAM_BEFORE -lt $NSPAM_AFTER ] && {
        mboxutil -d user/$SPAM/INBOX
        mboxutil -c user/$SPAM/INBOX
    }

    rm $FILE
}

imsexport -s INBOX -d $TDIR -u $NOTSPAM

[ -f $FILE ] && {
    chown $SUSR $FILE

    NHAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')
    $SALEARN --mbox --ham $FILE 2> /dev/null && \
    NHAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')

    [ $NHAM_BEFORE -lt $NHAM_AFTER ] && {
        mboxutil -d user/$NOTSPAM/INBOX
        mboxutil -c user/$NOTSPAM/INBOX
    }
}

[ -d $TDIR ] && rm -rf $TDIR
</pre>

Run the script any way you like.
I put it directly into a crontab. Root's crontab.

Enjoy.

crle and missing libusb.so.1 library (2010-06-25)
Today I installed SpamAssassin from a tar.gz archive on Solaris 10 10/09.
Though everything looked fine, I faced a problem with the invocation of sa-update, the SpamAssassin rules updater.
<pre>
$ sa-update
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
$ gpg
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
</pre>
(gnupg had been installed from a package from sunfreeware.com, but that was not the problem)

Quick truss session:
<pre>
# truss gpg
[...]
stat64("/usr/local/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/ssl/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/openwin/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/X11R6/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/BerkeleyDB.4.7/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
[...]
</pre>
find lookup:
<pre>
# find /usr -name libusb.so.1
/usr/sfw/lib/libusb.so.1
</pre>
...and I had to change the default library path.
The tool, crle (runtime linking environment configurator), was chosen as the only fair solution.
I do not want to reproduce the manual pages, so below is the syntax I used.
Checking the current options:
<pre>
# crle

Configuration file [version 4]: /var/ld/ld.config
 Default Library Path (ELF): /lib:/usr/lib (system default)
 Trusted Directories (ELF): /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
 crle -c /var/ld/ld.config -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

</pre>
Extending the default library path:
<pre>
# crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

[CHECK]
# crle
Configuration file [version 4]: /var/ld/ld.config
 Default Library Path (ELF): /lib:/usr/lib:/usr/sfw/lib
 Trusted Directories (ELF): /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
 crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib
# exit
$ gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/export/home/sa/.gnupg' created
gpg: new configuration file `/export/home/sa/.gnupg/gpg.conf' created
gpg: WARNING: options in `/export/home/sa/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/export/home/sa/.gnupg/secring.gpg' created
gpg: keyring `/export/home/sa/.gnupg/pubring.gpg' created
gpg: Go ahead and type your message ...
^C
gpg: signal 2 caught ... exiting
$ sa-update
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
$
</pre>
The default library path is consulted by every dynamically linked binary on the box, so only system-owned directories belong in it; the trusted directories (the <em>-s</em> list) are the separate set consulted for set-uid programs.

<span style="font-weight:bold;">Final notes</span>
The syntax used could be shortened to:
<pre>
# crle -u -l /usr/sfw/lib
</pre>
where <em>-u</em> stands for updating the existing configuration (file /var/ld/ld.config).
But be aware that by omitting the <em>-u</em> argument you turn your box into a soldered fish tin, until you put the other directories back into the default path.
<pre>
# crle -l /usr/sfw/lib
# init
ld.so.1: init: fatal: libpam.so.1: open failed: No such file or directory
Killed
# crle -u -l /lib -l /usr/lib -l /usr/sfw/lib
# init
Usage: init [0123456SsQqabc]
#
</pre>

svclog (2010-06-07, updated 2010-09-08)
Every time I have to check an SMF log file quickly I suffer.
I suffer because of the lack of a simple method, which I will provide you with today.

C'n'P:
<pre style="color: #003399">
#!/usr/bin/ksh
#------------------------------------
# svclog
# ...run for your logs
#====================================
# author: Marcin Wisnios
# e-mail: 
wisnios at wisnios dot com<br />#------------------------------------<br /><br />svcs $1 > /dev/null 2>&1<br />if [ $? -eq 1 ]; then<br /> echo "No match."<br /> exit<br />fi<br /><br />if [ ! -z $1 ]; then<br /> LOG=$(svcs -l $1 | sed 's/logfile[ ]*\(.*\)/\1/p;d')<br /> echo "\n\t\t${LOG}\n"<br />else<br /> echo "Usage: $0 FMRI [n]"<br /> echo "n - number of lines to display"<br /> exit<br />fi<br /><br />if [ ! -z $2 ]; then<br /> tail -$2 ${LOG}<br />else<br /> tail -f ${LOG}<br />fi<br /></pre><br />Save as, for ex. /usr/local/bin/svclog and... run for your logs:<br /><pre><br /># svclog ds 3<br /><br /> /var/svc/log/application-sun-ds:default.log<br /><br />Waiting for Directory Server instance '/instances/ds1' to start...<br />Directory Server instance '/instances/ds1' started: pid=434<br />[ Jun 7 16:53:00 Method "start" exited with status 0 ]<br /># svclog ms<br /><br /> /var/svc/log/application-sun-ms:default.log<br /><br />Stopping dispatcher server 593 ... done<br />Stopping sched server 591 ... done<br />Stopping http server 590 ... done<br />Stopping pop server 589 ...... done<br />Stopping imap server 588 ... done<br />Stopping purge server 587 ... done<br />Stopping store server 584 .... done<br />Stopping watcher 583 ... done<br />[ Jun 7 23:40:12 Method "stop" exited with status 0 ]<br />[ Jun 7 23:40:12 Executing start method ("/opt/sun/comms/messaging64/bin/start-msg") ]<br />Connecting to watcher ...<br />Launching watcher ... 1463<br />Starting store server .... 1464<br />Checking store server status .....<br />- CUT -<br /></pre><br />Enjoy.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-76845009396978523802010-05-25T19:55:00.009+02:002010-05-25T20:52:00.811+02:00fc-fabric(ation) of server's dysfunctionDo you like minimization? 
I do.<br />But sometimes you can go one bridge too far.<br /><br />Today I have switched off the set of useless services.<br />One after one...<br />Do I need... No!<br />Do I need... No!<br />Do I need Fibre Channel Fabric device support? No.<br /><pre><br />$ svcadm disable fc-fabric<br /></pre><br />Another one bites the dust.<br /><br />After the couple of hours I decided to reboot the server to check its readiness to serve.<br />And... it failed.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlz-zo57tJUGWZ3jj7HLY850EtrCp22_3-5WxY-t2ZySKNeGUkC-Js_PoUPf9IVWLDoTRIWt9FaYQRLlOXwIGNNmUZ1U7JX0xu89Ofb6Ysq6IYM507OIvId8o4TeEyoSU7xkXMLNmiRjE/s1600/fc-fabric.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 143px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlz-zo57tJUGWZ3jj7HLY850EtrCp22_3-5WxY-t2ZySKNeGUkC-Js_PoUPf9IVWLDoTRIWt9FaYQRLlOXwIGNNmUZ1U7JX0xu89Ofb6Ysq6IYM507OIvId8o4TeEyoSU7xkXMLNmiRjE/s400/fc-fabric.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5475274568862442146" /></a><br /><br />Of course at the moment of failure I dit not realize it was caused by service unavailability of fc-fabric.<br />Unnecessary stress.<br /><br />The solution has been revealed during the dependencies check.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBEBnDL_A6MX_QXc9wESXrIuVkLyT6RHnUo_a4lwWdb9M0iWWkixtHIdhCPVfKEEeBngPrXKTXg4Wqo0wBOMQETU3PIiV4woJJjYOgD9wBzOuQe1k5CmwPN0N0nWyZ5aVauiqL7-2prU4/s1600/fc-fabric_devices.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 136px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBEBnDL_A6MX_QXc9wESXrIuVkLyT6RHnUo_a4lwWdb9M0iWWkixtHIdhCPVfKEEeBngPrXKTXg4Wqo0wBOMQETU3PIiV4woJJjYOgD9wBzOuQe1k5CmwPN0N0nWyZ5aVauiqL7-2prU4/s400/fc-fabric_devices.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5475282121983956530" /></a><br /><br />Keep this in mind.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-19773782953634529092010-04-29T20:33:00.008+02:002010-04-29T21:32:54.092+02:00AIX backup / restoreThe commonly used mode of backup utility back up file systems by i-node. It uses the Level param of 0 - for full,<br /> 1 to 9 for incremental backups, and takes the predefined fileset as input (/, /home, /opt, /usr, /var, etc.).<br />If you want to use the ordinary directory, not the one of predefined filesets use the -i switch.<br />It takes the list of files from the standard input (back up by name), and when used in conjunction with hyphen sign<br /> as the target device, it can be piped directly to dd, to put the output into the file.<br /><pre><br />$ find /etc | backup -i -f - | dd of=/backup/etc.bak<br /></pre><br />To list the content of backup archive use restore with the -T switch.<br /><pre><br />$ restore -Tq -f /backup/etc.bak<br /></pre><br />To restore the individually named file use -x switch.<br /><pre><br /># restore -xqf /backup/etc.bak /etc/passwd<br />x /etc/passwd<br /></pre><br />...or files (in verbose mode):<br /><pre><br /># restore -xqvf /backup/etc.bak /etc/passwd /etc/security/passwd<br />New volume on /backup/etc.bak:<br /> Cluster 51200 bytes (100 blocks).<br /> Volume number 1<br /> Date of backup: Thu Apr 29 12:22:13 2010<br /> Files backed up by name<br /> User root<br />x 560 /etc/passwd<br />x 288 /etc/security/passwd<br /> total size: 848<br /> files restored: 2<br /></pre><br />And to get back all the content of the specified subdirectory use the force of -d<br /><pre><br /># 
restore -xqdf /backup/etc.bak /etc/security<br />x /etc/security<br />x /etc/security/.idlck<br />x /etc/security/.ids<br />x /etc/security/.kst<br />x /etc/security/.profile<br />x /etc/security/acl<br />x /etc/security/aixpert<br />x /etc/security/aixpert/bin<br />x /etc/security/aixpert/bin/ISSServerSensor<br />x /etc/security/aixpert/bin/audit_report<br />x /etc/security/aixpert/bin/binaudit<br />[...]<br /></pre><br /><br /><strong>Be aware that all the above actions has overwritten the original files.</strong>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-32695415417203064372010-04-27T21:46:00.006+02:002010-04-27T22:01:46.871+02:00mktemp portabilityIf you ever need to create a script, to run in the closest possible way in all the unix flavours - <br />beware of HP-UX behaviour of <em>mktemp</em> command.<br /><br />It is the only unix system (I know) where <em>mktemp</em> do not create randomly named file/directory.<br /><br />The result of its actions is just a display of generated name.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com2tag:blogger.com,1999:blog-6302270466598962946.post-47112781950708872382010-04-27T21:44:00.000+02:002010-04-27T21:45:28.255+02:00Silence is golden<pre><br />$ touch .hushlogin<br /></pre>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-54594671748319035412010-03-09T20:58:00.005+01:002010-03-09T21:10:08.187+01:00User interface errorHave you ever encountered similar problems during the n-time tryout of the SSL signing process?<br /><pre><br /># openssl rsa -in cakey.pem -out cakey.pem<br />Enter pass phrase for cakey.pem:<br />User interface error<br />unable to load Private Key<br />26116:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:<br /></pre><br />or...<br /><pre><br /># ./CA.pl -sign<br 
/>Using configuration from /usr/lib/ssl/openssl.cnf<br />Enter pass phrase for ./demoCA/private/cakey.pem:<br />User interface error<br />unable to load CA private key<br />26676:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:<br />Signed certificate is in newcert.pem<br /></pre><br />This is a single-echo-pill solution.<br /><br />ad. 1<br /><code><br /># echo | openssl rsa -in cakey.pem -out cakey.pem<br />Enter pass phrase for cakey.pem:<br />writing RSA key<br /></code><br />ad. 2<br /><code><br /># printf "y\ny\n"| ./CA.pl -sign<br />Using configuration from /usr/lib/ssl/openssl.cnf<br />Enter pass phrase for ./demoCA/private/cakey.pem:<br />Check that the request matches the signature<br />Signature ok<br />Certificate Details:<br />[...]<br />Sign the certificate? [y/n]:<br /><br />1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries<br />Data Base Updated<br />Signed certificate is in newcert.pem<br /></code><br />Enjoy.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-56267158647706763952010-03-03T19:36:00.006+01:002010-03-03T20:06:59.951+01:00maximum number of instances of the packageSometimes there is a need of existence of concurrent versions of the same package.<br />It is not a issue why, but how to achieve this behaviour.<br /><br />During the normal installation procedure of the package, with the same name but different version then already installed one, <br />there is a chance to see a similar message:<br /><pre><br /># pkgadd -d somepkg*dstream<br />[...]<br />Current administration requires that a unique instance of the<br /><somepkg> package be created. 
However, the maximum number of<br />instances of the package which may be supported at one time on the<br />same system has already been met.<br /><br />No changes were made to the system.<br /></pre><br />To resolve the conflict change the value of <b>MAXINST</b> variable from inside the <b><em>pkginfo</em></b> file<br />(during the package build process).<br /><br />For example, to allow the coexistence of maximum number of two packages use the following:<br /><code><br />MAXINST=2<br /></code><br /><pre><br /># pkgadd -d somepkg*dstream<br />[...]<br /><br />Installation of <somepkg.2> was successful.<br /></pre>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-37468272543942574892010-02-25T20:26:00.003+01:002010-02-25T20:34:50.059+01:00E.T. call ~homeAfter many years of unix systems administration, it is a pure pleasure to discover the trick<br /> as simple as displaying the user home directory with <span style="font-weight:bold;">~username</span>.<br /><br />Examples:<br /><code><br />$ echo ~adm<br />/var/adm<br />$ echo ~listen<br />/usr/net/nls<br />$ echo ~wisnios<br />/home/wisnios<br /></code>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-59304544943417343262010-02-12T22:40:00.002+01:002010-02-12T22:45:02.958+01:00digression<strong>command+shift+L</strong> rise a google search window with the results of the selected-piece-of-text query.<br />Piękne. It's beautiful.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-81646834048983298612010-01-19T20:13:00.003+01:002010-01-19T21:04:44.186+01:00substitute multiple line pattern in sedToday I faced a problem with a multiline replacement. 
I did not want to write a sophisticated regex.<br />I just wanted to get a copy-pasted block of code and put it in place of the old one. Selected weapon - sed.<br />I've chosen the <b>/begin/,/end/</b> matching syntax.<br /><pre><br />['test' input file]<br /><br />111<br />222<br />333<br /> if (aaa) {<br /> bbbbb<br /> }xxx<br /> }<br />444<br /> while (0) {<br /> ccccc<br /> }<br />666<br /></pre><br /><pre><br />['change' script]<br /><br />#!/usr/bin/ksh<br /><br />sed '<br />/if (aaa)/,/\ }$/ c\<br /> CHANGE\<br /> WAS\<br /> MADE<br />' \<br />test<br /></pre><br /><pre><br />[session]<br /><br />$ ./change<br />111<br />222<br />333<br /> CHANGE<br /> WAS<br /> MADE<br />444<br /> while (0) {<br /> ccccc<br /> }<br />666<br /></pre>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-74866461172912461082009-12-22T20:14:00.012+01:002009-12-22T20:54:23.831+01:00MakeLDIF.jarYesterday I have realized that I do not remember how to prepare the ldif file. But not just a simple ldif with a few lines of add/modify/delete subcommands. I have forgotten how to use the SLAMD project's tool - MakeLDIF. As far as I remember there was the jar - MakeLDIF. It was, but now there is not. It had taken a few moments before I found the solution. Here you go:<br /><code><br />$ find . 
-name *.jar | grep -i make<br />$ cd tools/MakeLDIF<br />$ perl -e 's/(^define suffix=).*/\1o=ods/' -pi example.template<br />$ perl -e 's/(^define numusers)=.*/\1=1000/' -pi exa* <br />$ perl -e 's/(^define maildomain)=.*/\1=wisnios\.com/' -pi exa*<br />$ head -3 exa*<br />define suffix=o=ods<br />define maildomain=wisnios.com<br />define numusers=1000<br />$ cd ..<br />$ ./make-ldif.sh -t MakeLDIF/example.template -o ~/ods1k.ldif <br />Processed 1000 entries<br />Processing complete.<br />1002 total entries written.<br /></code><br />And the process view of similar command execution:<br /><code><br />/usr/jdk/instances/jdk1.5.0/bin/java -server -Xms512m -Xmx512m com.slamd.tools.makeldif.MakeLDIF<br /> -r /export/home/slamd200-20090712/tools/MakeLDIF -t /tmp/ods.template -o /tmp/ods100k.ldif<br /></code><br />Merry Xmas!Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-25740196732819153612009-12-08T20:46:00.005+01:002009-12-09T00:07:00.967+01:00AIX stat equivalent<code><br />$ istat /usr/sbin/lsuser<br />Inode 115447 on device 10/5 File<br />Protection: r-xr-xr-x Set UID <br />Owner: 0(root) Group: 7(security)<br />Link count: 1 Length 84080 bytes<br /><br />Last updated: Tue Dec 8 14:40:33 CST 2009<br />Last modified: Mon Mar 30 00:45:51 CDT 2009<br />Last accessed: Tue Dec 8 16:55:55 CST 2009<br /></code><br /><br />* lsuser hint<br />To display the attributes of all the users, use the <em>ALL</em> keyword:<br /><code><br />$ lsuser ALL<br /></code>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com2tag:blogger.com,1999:blog-6302270466598962946.post-11402338348125316922009-11-24T22:27:00.009+01:002009-11-24T23:08:07.747+01:00Solaris ksh variationsToday i have <a href="http://www.gnu.org/software/hello/manual/autoconf/Shellology.html">read</a>, and in the parallel - discovered, that Solaris has got three ksh variants.<br />Two of them are ksh88, 
and one ksh93.<br /><pre><br />$ grep -i ver /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh<br />/usr/bin/ksh:@(#)Version M-11/16/88i<br />/usr/xpg4/bin/sh:@(#)Version M-11/16/88i<br />/usr/dt/bin/dtksh:@(#)Version M-12/28/93d<br />/usr/dt/bin/dtksh:@(#)Version M-12/28/93<br />/usr/dt/bin/dtksh:@(#)Version 12/28/93<br /></pre><br />The standard one - <em>/usr/bin/ksh</em>, and a POSIX-compliant veriant of ksh88 - <em>/usr/xpg4/bin/sh</em>.<br />Both of them are the components of SUNWcsu (Core Solaris (Usr)) package.<br /><em>dtksh</em> comes from SUNWdtbas.<br /><pre><br />$ ls -li /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh<br /> 489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh<br /> 26709 -r-xr-xr-x 1 root bin 620144 Jan 23 2005 /usr/dt/bin/dtksh<br /> 1536 -r-xr-xr-x 1 root bin 171412 Aug 7 13:27 /usr/xpg4/bin/sh<br />$ file /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh<br />/usr/bin/ksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped<br />/usr/xpg4/bin/sh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped<br />/usr/dt/bin/dtksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped, no debugging information available<br /></pre><br />As you can already saw (on the ls -li listing) there are also the three brothers-in-inode:<br /><pre><br /># ls -li /usr/bin/*ksh<br /> 489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh<br /> 489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/pfksh<br /> 489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/rksh<br /></pre><br />It's the highest inode count from all of the Solaris shells (10u8, SUNWCall), the second place goes to csh with only two file names binded to its inode.<br /><br />Fascinating.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-74434288692870152612009-11-22T19:35:00.008+01:002009-11-22T22:23:04.589+01:00Make yourself a packageIn 
the world where the Good Security Practices becomes Science Fiction, there was an Admin who wants to train himself in Solaris Packaging.<br />He has written down the <a href="http://cs-tools.googlecode.com/files/rootbox.sh">script</a>, which has made his Lord the Legend ;-)<br />Now, let's put some light on it.<br /><br />The script takes .ssh folder files from the specified user of template machine, and turns it into .ssh folder of root user on target host. There are also the configuration changes, inside of either /etc/default/login file, or /etc/ssh/sshd_config one.<br />Do not try this at (production) home! <br /><code><br /># ./rootbox.sh<br />Generating package files<br />prototype<br />pkginfo<br />checkinstall<br />postinstall<br />postremove<br />login.sed<br />sshd_config.sed<br />Making package MMWrootbox.1.0.i386.pkg [/tmp]<br />success<br />Translating package format to a datastream<br />success<br /># cd /tmp<br /># pkgadd -d MMWrootbox.1.0.i386.pkg<br /><br />The following packages are available:<br /> 1 MMWrootbox Root box<br /> (i386) 1.0<br /><br />Select package(s) you wish to process (or 'all' to process<br />all packages). (default: all) [?,??,q]: <br /><br />Processing package instance <MMWrootbox> from </tmp/MMWrootbox.1.0.i386.pkg><br /><br />Root box(i386) 1.0<br />Marcin Marian Wisnios<br />## Executing checkinstall script.<br />## Processing package information.<br />## Processing system information.<br />## Verifying disk space requirements.<br />## Checking for conflicts with packages already installed.<br />## Checking for setuid/setgid programs.<br /><br />This package contains scripts which will be executed with super-user<br />permission during the process of installing this package.<br /><br />Do you want to continue with the installation of <MMWrootbox> [y,n,?] 
y<br /><br />Installing Root box as <MMWrootbox><br /><br />## Installing part 1 of 1.<br />/root/.ssh/authorized_keys<br />[ verifying class <none> ]<br />Modifying /etc/default/login<br />Modifying /etc/ssh/sshd_config<br />[ verifying class <sed> ]<br />## Executing postinstall script.<br /><br />Installation of <MMWrootbox> was successful.<br /># date;svcs -x ssh| grep -i state<br />Sun Nov 22 08:50:57 CET 2009<br /> State: online since Sun Nov 22 08:50:42 2009<br /># diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config<br />128c128<br />< PermitRootLogin without-password<br />---<br />> PermitRootLogin no<br /># diff /etc/default/login /tmp/rootbox.bak/login<br />18c18<br />< #CONSOLE=/dev/console<br />---<br />> CONSOLE=/dev/console<br /># pkginfo MMWrootbox<br />system MMWrootbox Root box<br /># pkginfo -l MMWrootbox<br /> PKGINST: MMWrootbox<br /> NAME: Root box<br /> CATEGORY: system<br /> ARCH: i386<br /> VERSION: 1.0<br /> BASEDIR: /<br /> VENDOR: Marcin Marian Wisnios<br /> DESC: Methods and keys to allow remote root user access<br /> PSTAMP: 20091122085002<br /> INSTDATE: Nov 22 2009 08:50<br /> EMAIL: wisnios@gmail.com<br /> STATUS: completely installed<br /> FILES: 4 installed pathnames<br /> 2 shared pathnames<br /> 1 directories<br /> 3 blocks used (approx)<br /><br /># pkgrm MMWrootbox<br /><br />The following package is currently installed:<br /> MMWrootbox Root box<br /> (i386) 1.0<br /><br />Do you want to remove this package? 
[y,n,?,q] y<br /><br />## Removing installed package instance <MMWrootbox><br /><br />This package contains scripts which will be executed with super-user<br />permission during the process of removing this package.<br /><br />Do you want to continue with the removal of this package [y,n,?,q] y<br />## Verifying package <MMWrootbox> dependencies in global zone<br />## Processing package information.<br />## Removing pathnames in class <sed><br />Modifying /etc/ssh/sshd_config<br />Modifying /etc/default/login<br />## Removing pathnames in class <none><br />/root/.ssh/authorized_keys<br />/root/.ssh<br />## Executing postremove script.<br />## Updating system information.<br /><br />Removal of <MMWrootbox> was successful.<br /># svcs -x ssh|grep -i state; date<br /> State: online since Sun Nov 22 08:52:33 2009<br />Sun Nov 22 08:52:50 CET 2009<br /># diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config<br /># diff /etc/default/login /tmp/rootbox.bak/login<br /></code><br /><br /><a href="http://cs-tools.googlecode.com/files/rootbox.sh">http://cs-tools.googlecode.com/files/rootbox.sh</a><br /><br />Enjoy.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-48508347849095811242009-10-28T10:00:00.010+01:002009-10-28T22:45:56.395+01:00ParanoidSo, have you ever seen the Solaris 10 boot process, line by line?<br />I do not talk about the kernel <em>-m verbose</em> mode, which only shows the particular SMF identifiers.<br />Have you ever wondered why the boot process has hanged? 
and what's the cause?<br /><br />The Wisnios way is as follow.<br />I've decided to replace the master restarter binary with a shell script.<br /><code><br /># mv /lib/svc/bin/svc.startd /lib/svc/bin/svc.startdd<br /># vi /lib/svc/bin/svc.startd<br /></code><br /><pre><br /> #!/bin/sh<br /> truss -fa -t exec /lib/svc/bin/svc.startdd<br /></pre><br /><code><br /># chmod 555 /lib/svc/bin/svc.startd<br /># chgrp sys /lib/svc/bin/svc.startd<br /></code><br /><br />You could also choose the more verbose mode by adding the <em>-e</em> switch to truss command.<br />Truss <em>-f</em> option follows all fork/vfork children, <em>-a</em> shows the argument strings within the exec() calls and <em>-e</em> shows the environment variables (for ex. SMF_FMRI).<br /><br />Other traces are limited by imagination only.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-61200271300178087252009-09-24T22:17:00.016+02:002009-09-25T11:50:38.109+02:00rmdom.plI've just started the google code project called cs-tools (Commandline Support Tools).<br />This will be a container for my set of scripts supporting the administration of Sun Java Communications Suite components. <br />Project Home: <a href="http://code.google.com/p/cs-tools/">http://code.google.com/p/cs-tools/</a><br /><br />There's also the first one perl program - <a href="http://cs-tools.googlecode.com/files/rmdom.pl"><strong>rmdom.pl</strong></a> - you could use to simplify the deletion and purge process of hosted domain.<br /><br />Sample session:<br /><pre><br /># perl rmdom.pl <br />fe : frontend.localdomain<br />be : backend.localdomain<br />ldap: ldap.localdomain:389<br />%%%%%%%%%%%%%%%%%%%%%%%%%%<br />bind dn: cn=dirmgr<br />bind passwd: <br />domain: rmdom.pl<br />mail domain ok<br />cal domain ok<br />active users: 2<br />active groups: 1<br />are you sure (yes to confirm)? 
yes<br />domain deleted<br />domain purged<br /></pre><br />Enjoy.Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com0tag:blogger.com,1999:blog-6302270466598962946.post-38559729489310859672009-09-22T00:27:00.003+02:002009-09-22T00:52:55.399+02:00DateTime set: Object cannot be writtenVery lately (about fifteen minutes ago) I had to resolve the time issue from the ELOM level of Sun Fire X2200.<br />It couldn't be done, because:<br /><pre><br />/SP/AgentInfo -> show <br /><br /> /SP/AgentInfo<br /> Targets:<br /> PEF<br /> PET<br /> SEL<br /> console<br /> mail<br /> SNMP<br /><br /> Properties:<br />[...]<br /> DateTime = 01/03/1970-02:56:23<br />[...]<br /><br />/SP/AgentInfo -> set DateTime="09/22/2009-00:22:00"<br />set: Object cannot be written<br /></pre><br />So, it's the place where the <strong>ipmitool</strong> could be used.<br />Ipmitool need the three kernel modules to be loaded:<br />* ipmi_si<br />* ipmi_devintf<br />* ipmi_msghandler<br /><br />The time can be adjusted with an argument <em>set</em> of the ipmitool's <em>SEL</em> (System Event Log) subcommand.<br />Sample Linux command line session:<br /><pre><br /># ipmitool sel time get<br />Could not open device at /dev/ipmi0 or /dev/ipmi/0: No such file or directory<br />Get SEL Time command failed<br /># lsmod | grep ipmi<br /># modprobe ipmi_devintf <br /># modprobe ipmi_si <br /># lsmod | grep ipmi<br />ipmi_si 57164 0 <br />ipmi_devintf 20624 0 <br />ipmi_msghandler 50680 2 ipmi_si,ipmi_devintf<br /># ipmitool sel time get<br />01/01/1970 22:07:22<br /><br /># ipmitool sel time set "09/22/2009 00:22:00"<br /><br /># ipmitool sel time get<br />09/22/2009 00:22:03<br /></pre>Marcin Wiśnioshttp://www.blogger.com/profile/04040800455610004174noreply@blogger.com1
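A small added helper for the ipmitool procedure above (my own example, not the author's script): it works out which of the three modules are missing from lsmod output, converts the MM/DD/YYYY HH:MM:SS form that ipmitool prints into epoch seconds, and rewrites the SEL clock only when it has drifted beyond a threshold, so that hardware event timestamps line up with syslog when an incident is reconstructed. It assumes GNU date (Linux, as in the session above) and that the BMC and host agree on the time zone; the lsmod sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU date and
# ipmitool's "MM/DD/YYYY HH:MM:SS" SEL time format.

IPMI_MODULES="ipmi_si ipmi_devintf ipmi_msghandler"

# Read lsmod output on stdin and print the IPMI modules that are not loaded.
# Works with or without the "Module Size Used by" header line.
missing_ipmi_modules() {
    loaded=$(awk '$1 != "Module" { printf " %s ", $1 }')
    missing=""
    for m in $IPMI_MODULES; do
        case "$loaded" in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Load whatever is missing; ipmi_msghandler is pulled in as a dependency of
# the other two, as the lsmod listing in the post shows.
ensure_ipmi_modules() {
    for m in $(lsmod | missing_ipmi_modules); do
        modprobe "$m" || return 1
    done
}

# "MM/DD/YYYY HH:MM:SS" -> seconds since the epoch.
sel_to_epoch() {
    d=${1%% *}; t=${1#* }
    mm=${d%%/*}; rest=${d#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
    date -d "$yyyy-$mm-$dd $t" +%s
}

# seconds since the epoch -> "MM/DD/YYYY HH:MM:SS" for "ipmitool sel time set".
epoch_to_sel() {
    date -d "@$1" '+%m/%d/%Y %H:%M:%S'
}

# Signed drift in seconds: SEL time minus host time.
sel_drift_seconds() {
    echo $(( $(sel_to_epoch "$1") - $2 ))
}

# Exit 0 when |drift| is larger than the allowed maximum.
needs_resync() {
    drift=$1; max=$2
    [ "$drift" -lt 0 ] && drift=$(( 0 - drift ))
    [ "$drift" -gt "$max" ]
}

# Compare the BMC clock with the host clock and rewrite it only when needed.
sync_sel_time() {
    max=${1:-60}
    now=$(date +%s)
    cur=$(ipmitool sel time get) || return 1
    drift=$(sel_drift_seconds "$cur" "$now")
    if needs_resync "$drift" "$max"; then
        echo "SEL clock off by ${drift}s, setting it"
        ipmitool sel time set "$(epoch_to_sel "$now")"
    else
        echo "SEL clock within ${max}s of the host clock (drift ${drift}s)"
    fi
}

# Constructed lsmod output: the state after "modprobe ipmi_devintf" in the
# post, before ipmi_si was loaded. Used to exercise the parser offline.
SAMPLE_LSMOD='Module                  Size  Used by
ipmi_devintf           20624  0
ipmi_msghandler        50680  1 ipmi_devintf'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSMOD" | missing_ipmi_modules   # prints: ipmi_si
elif [ "${1:-}" = "--sync" ]; then
    ensure_ipmi_modules && sync_sel_time "${2:-60}"
fi
```

Run it with `--demo` to see the parser on the constructed sample, or as root with `--sync [max_drift_seconds]` on a box with ipmitool installed.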