Friday, August 31, 2012

my vendors don't listen or bulk ms-dns add script

Sigh. I specified that all my DHCP passed-out addresses need to have an A name and a PTR record. Apparently someone wasn't listening, or half-listened, as when I went to do whatever I do, my hosts were showing up sans-name. Oh man. Maybe they got tired typing. There is an easier way to create bulk DNS records.

Let's just say my hosts need this format:

dhcp-101.testorama.vendor.local  10.0.10.101
dhcp-102.testorama.vendor.local  10.0.10.102

Now, vendor.local is my forward lookup zone, and testorama is the domain.

First off, I need an input file with my particulars all separated by commas (csv files are fun).

HOSTNAME,ZONE,IP_ADDRESS

Within my DNS structure, a hostname is the host's name plus domain. Domains can be their own zones... but in my case, this is not so.

For the above, a line in my input file called input.txt would look like:

dhcp-101.testorama,vendor.local,10.0.10.101

On the DNS server, or on a host on which you have permission to edit DNS entries and have the DNS tools installed (for the lovely dnscmd command), issue:

for /f "tokens=1-3 delims=," %a in (input.txt) do dnscmd  /RecordAdd %b %a A %c

to create A records.

Issue:

for /f "tokens=1-3 delims=," %a in (input.txt) do for /f "tokens=1-4 delims=." %e in ("%c") do dnscmd  /RecordAdd %g.%f.%e.in-addr.arpa. %h PTR %a.%b

for PTR records.

For A & PTR record deletions, because you made a mistake, by say, having a digit flip...

for /f "tokens=1-3 delims=," %a in (input.txt) do dnscmd  /RecordDelete %b %a A /f

for /f "tokens=1-3 delims=," %a in (input.txt) do for /f "tokens=1-4 delims=." %e in ("%c") do dnscmd /RecordDelete %g.%f.%e.in-addr.arpa. %h PTR /f

Sometimes your DNS admins will not have separate reverse zones for the various subnets; in the above example, 10.0 is it. To remedy that, just change the zone and record-name variables in your PTR script:

Issue:

for /f "tokens=1-3 delims=," %a in (input.txt) do for /f "tokens=1-4 delims=." %e in ("%c") do dnscmd /RecordAdd %f.%e.in-addr.arpa. %h.%g PTR %a.%b
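The one-liners above trust input.txt completely: a flipped digit, a blank line or a duplicate host goes straight into the zone, and you only find out when you do the deletes. As an added example (not part of the original post), here is a small sh/awk function that validates each HOSTNAME,ZONE,IP_ADDRESS row and prints the equivalent dnscmd lines for either the per-/24 reverse zone or the single /16 reverse zone, in both the add and delete forms. It only generates the commands; run it on any box with sh and awk and paste the output at the dnscmd prompt. The csv layout is the one from the post; the 24/16 switch and the function name are my own.

```shell
#!/bin/sh
# Added example, not from the original post: validate the HOSTNAME,ZONE,IP_ADDRESS
# csv and print the dnscmd lines for it instead of feeding the raw file to "for /f".
# A row with a malformed name, a bad or flipped octet, or a duplicate hostname/IP
# is reported on stderr and skipped, and the function exits non-zero so you notice
# before anything reaches the DNS server.
#
# usage: gen_dns_cmds add|delete 24|16 < input.txt
#   24 -> one reverse zone per /24 (10.0.10.in-addr.arpa., record "101")
#   16 -> one reverse zone per /16 (0.10.in-addr.arpa.,    record "101.10")
gen_dns_cmds() {
    awk -F',' -v action="$1" -v prefix="$2" '
    function err(msg) {
        printf("line %d: %s: %s\n", NR, msg, $0) > "/dev/stderr"
        errors++
    }
    { sub(/\r$/, "") }                        # tolerate CRLF files from Windows
    NF == 0 { next }                          # skip blank lines
    NF != 3 { err("expected HOSTNAME,ZONE,IP"); next }
    {
        host = $1; zone = $2; ip = $3
        # host: dot-separated labels of letters, digits and inner hyphens
        if (host !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/) { err("bad hostname"); next }
        if (zone !~ /^[A-Za-z0-9.-]+$/) { err("bad zone"); next }
        # ip: exactly four decimal octets, each 0..255 (this is what catches the digit flip)
        if (split(ip, o, ".") != 4) { err("bad ip"); next }
        ok = 1
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { err("bad ip"); next }
        fqdn = host "." zone
        if (fqdn in seen_host) { err("duplicate hostname"); next }
        if (ip in seen_ip) { err("duplicate ip"); next }
        seen_host[fqdn] = 1; seen_ip[ip] = 1
        # reverse zone and record name depend on how the reverse zones are cut
        if (prefix == 24) { rzone = o[3] "." o[2] "." o[1] ".in-addr.arpa."; rname = o[4] }
        else              { rzone = o[2] "." o[1] ".in-addr.arpa.";          rname = o[4] "." o[3] }
        if (action == "add") {
            printf("dnscmd /RecordAdd %s %s A %s\n", zone, host, ip)
            printf("dnscmd /RecordAdd %s %s PTR %s\n", rzone, rname, fqdn)
        } else {
            printf("dnscmd /RecordDelete %s %s A /f\n", zone, host)
            printf("dnscmd /RecordDelete %s %s PTR /f\n", rzone, rname)
        }
    }
    END { if (errors) exit 1 }'
}
```

Usage: `gen_dns_cmds add 24 < input.txt > add.cmd`; check stderr and the exit status before pasting. The generated lines carry no `%a`-style loop variables, so they can go into a .cmd file as-is (the interactive for-loops above would need `%%a` there).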

Wednesday, August 22, 2012

greping ldap for clues.

Sometimes you need to do queries off Active Directory. AD is basically an LDAP database with some weirdness. That's okay.

On my lovely ubuntu box, I need to do queries to find bunches of users.

ldapsearch -x -D "Domain\uid" -W \
-h ad.server.com \
-b "DC=my,DC=ad,DC=server,DC=com" \
-LLL -v "(sAMAccountName=anotheruid)" cn

What is all this?
-x says we're doing a simple bind.
AD likes authenticated queries. -D is who you're binding as. -W prompts for a pass.
-h is the AD server I'm talking to.
-b is the search base; that is the AD tree where I'm doing my query.
-LLL is the output format. It will show everything in the record.
-v is the verbose tag.
After all this is my search string. In this case, I'm looking for a uid and want to print its common name. I could plop sn which'd tell me the surname.
To be interesting, I could put in "(sn=clue)" cn and that'd display everyone with the surname "clue" and their common name. Fun.
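The filter is the part that bites once this query gets wrapped in a script and the surname or uid comes from somewhere else (a ticket, a form, another script): `(`, `)`, `*` and `\` are special inside an LDAP filter, so a value like `*` or `x)(cn=*` quietly changes which entries come back. As an added example, not from the original post, here is a sh helper that escapes the value per RFC 4515 before building the filter, plus a wrapper around the same ldapsearch call. The `AD_SERVER`, `BASE_DN` and `BIND_DN` variables and the function names are mine; the defaults are the values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the ldapsearch filter from a
# value instead of pasting it into the command line.

# Escape one attribute value for use inside an LDAP search filter (RFC 4515):
# \ -> \5c, * -> \2a, ( -> \28, ) -> \29. Backslash goes first so the other
# escapes are not escaped a second time.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# (attribute, value) -> "(attribute=value)" with the value escaped
build_eq_filter() {
    printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# Same query as in the post, with the filter built safely; prints cn of matches.
# Assumed placeholders: BIND_DN, AD_SERVER, BASE_DN (defaults are the post's values).
ad_lookup() {   # usage: ad_lookup sn clue   |   ad_lookup sAMAccountName anotheruid
    ldapsearch -x -D "${BIND_DN:-Domain\\uid}" -W \
        -h "${AD_SERVER:-ad.server.com}" \
        -b "${BASE_DN:-DC=my,DC=ad,DC=server,DC=com}" \
        -LLL "$(build_eq_filter "$1" "$2")" cn
}
```

`build_eq_filter sn clue` gives `(sn=clue)` exactly as typed by hand; `build_eq_filter sn 'x)(cn=*'` gives `(sn=x\29\28cn=\2a)`, which matches only a surname literally spelled that way instead of every object in the tree.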

Monday, August 20, 2012

lsof adventures on sol11.

Solaris 11, I heart you. But I h8 you. I do. You've skipped out on one of the most useful tools known to sysadmindom:
lsof

Why? Well... we can roll our own, can't we? Sure we can.

Solaris 11 does not have a /usr/local/bin or /usr/local/sbin.
Create skel directories (the install rule below puts the binary in sbin):
# mkdir -p /usr/local/sbin
# mkdir -p /usr/local/man/man8

Then, with your downloaded lsof.tar.Z code from
ftp://sunsite.ualberta.ca/pub/Mirror/lsof/lsof_4.86.tar.Z

Read the READMEs. Read them again.
# ./Configure solariscc
# make
# make install

And then you see...

Please write your own install rule. Lsof should be installed...

grumble. Thanks Vic for assuming I have half a brain... heh...

$ vi Makefile

DESTDIR= /usr/local
BIN=    ${DESTDIR}/sbin
DOC=    ${DESTDIR}/man/man8
GRP=    sys

install: all
	install -m 2755 -o root -g ${GRP} ${PROG} ${BIN}
	install -m 444 ${MAN} ${DOC}

If it still craps out...
# cp lsof /usr/local/sbin/.
# chmod 2755 /usr/local/sbin/lsof
# chown root:sys /usr/local/sbin/lsof
# cp lsof.8 /usr/local/man/man8/.
# chmod 755 /usr/local/man/man8/lsof.8

Wednesday, August 15, 2012

formatting a disk in a solaris10 system

After the drive's been placed in the system, solaris doesn't autofind the hardware a la kudzu. You need to do it yourself.

Run:
# devfsadm

To save yourself some pain, if you've mounted a disk used by an old system, redo the label or partition table. I've had VTOC warnings about not having backup labels when doing a simple partition table. So. Run:

# format -e
Choose your new disk.

You'll be presented with: SMI [0] or EFI [1].
format> label
[0] SMI Label
[1] EFI Label
Specify Label type[1]: 0
Warning: This disk has an EFI label. Changing to SMI label will erase all
current partitions.
Continue? y
Auto configuration via format.dat[no]? n
format> quit

SMI will create a new disk slice with backup. backup is the slice logically containing the entire space available on the disk.

When redoing the partition tables on the disk, do not delete or rename backup.

Run format again...
format> partition

partition> print
Current partition table (original):
Total disk cylinders available: 1020 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       0               0         (0/0/0)          0
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 - 1020        1.99GB    (1021/0/0)  4182016
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -    0        2.00MB    (1/0/0)        4096
  9 unassigned    wm       0               0         (0/0/0)          0

In this case, I just want to create one large partition for some extra storage so I will allocate all I can to partition 0. Note that partition 2 is used to reference the entire drive and is not a usable partition. To modify a given partition, just enter the number of the partition at the partition prompt:

Choose the partition, re-name unassigned and make wm.
I like to do the last slice on up, skipping slice 2, taking note of its size... and then when I've made it to 0, give it the same amount of space as slice 2.
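Because slice 2 has to stay the whole-disk backup slice, it is worth checking the table before you label. As an added example (not from the original post), here is a sh/awk function that reads a saved `partition> print` table, confirms slice 2 is still tagged backup with flag wu and starts at cylinder 0, confirms no other slice runs past it, and reports how many cylinders are allocated versus free to hand to slice 0. The table format is the one printed above; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a saved
# "partition> print" table before labeling the disk.
# usage: check_vtoc < table.txt
check_vtoc() {
    awk '
    # a used slice prints:   2  backup      wu  0 - 1020  1.99GB  (1021/0/0)  4182016
    # an empty slice prints: 0  unassigned  wm  0  0      (0/0/0)  0
    /^ *[0-9]+ +[a-z]+ +[rw][mu] +[0-9]+/ {
        part = $1; tag = $2; flag = $3; start = $4
        if ($5 == "-") { end = $6; cyls = end - start + 1 } else { end = start; cyls = 0 }
        if (part == 2) { btag = tag; bflag = flag; bstart = start; bend = end }
        else { alloc += cyls; if (cyls > 0 && end > maxend) maxend = end }
    }
    END {
        # slice 2 must still be the untouched backup slice covering the disk
        if (btag != "backup" || bflag != "wu" || bstart != 0) {
            printf("slice 2 is no longer the backup slice: tag=%s flag=%s cylinders=%s-%s\n", btag, bflag, bstart, bend)
            exit 1
        }
        # no other slice may extend beyond the backup slice
        if (maxend > bend) { printf("a slice ends at cylinder %d, past backup end %d\n", maxend, bend); exit 1 }
        total = bend - bstart + 1
        printf("backup ok: cylinders %d-%d (%d), allocated %d, free %d\n", bstart, bend, total, alloc, total - alloc)
    }' "$@"
}
```

On the table above this prints `backup ok: cylinders 0-1020 (1021), allocated 1, free 1020` (the one allocated cylinder is the x86 boot slice 8); if someone has re-tagged slice 2 it exits 1 and says so.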

Then...
partition> label
Ready to label disk, continue? y

partition> quit
format> quit

Create a lovely UFS filesystem...
# newfs /dev/dsk/c0t1d0s0
newfs: construct a new file system /dev/rdsk/c1t1d0s0: (y/n)? y
/dev/dsk/c0t1d0s0: 4173824 sectors in 1019 cylinders of 128 tracks, 32 sectors
5000.0MB in 45 cyl groups (23 c/g, 46.00MB/g, 11264 i/g)
super-block backups (for fsck -F ufs -o b=#) at:

Fsck it.

# fsck -y /dev/dsk/c0t1d0s0
And then mount it however you wish.

Thursday, August 9, 2012

exchange small ufs drive for a large one

teeny ufs drive to larger ufs drive on solaris 10 a possibility? ya betcha.

c0t0d0 is the source. it is formatted as ufs. bummer.
c1t0d0 is the destination. it shall be formatted as ufs. bummer.

the bum deal is that the source disk has all of these volumes defined, and since the backup disk slice is being a punk, i can't resize any of the slices. that's okay. i really just want to plop everything on the same slice and go on with life. i could make this complicated - you know, re-create all the disk slices and ufsdump slice to slice, but i'm in a rush. if you're doing the latter, as opposed to ufsdumping the root partition, just use the rdsk device. it works.

first. format the destination disk.

# format

second. create a filesystem on the destination disk.

# newfs

third. mount the disk and initiate a ufsdump and restore. dd be damned.

i'm going to mount it under /mnt.

# mount -F ufs -o rw /dev/dsk/c1t0d0s0 /mnt
# ufsdump 0f - / | ( cd /mnt ; ufsrestore xvf - )
# umount /mnt

at the end of it all, be sure to enable the disk to actually be booted.

# /usr/sbin/installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c1t0d0s0

for fun:
# fsck /dev/rdsk/c1t0d0s0

and, clean things up in /mnt/etc/vfstab . we don't want to mount things that aren't there, like the not-copied-over swap partition.
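Since everything now lives on one slice, the copied vfstab still points at slices that only exist on the old disk. As an added example (not from the original post), here is a sh/awk function that rewrites it: the root entry is moved to the new device, every other real-device entry (the swap slice, a separate /export/home slice) is commented out because it was not carried over, and pseudo filesystems (fd, /proc, tmpfs, ctfs and friends) are left alone. It writes to stdout so you can eyeball the result before replacing /mnt/etc/vfstab. The disk names are the ones from the post; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite the copied vfstab for the
# new disk. Nothing is edited in place; review the output first.
# usage: prune_vfstab c0t0d0 c1t0d0 < /mnt/etc/vfstab > /tmp/vfstab.new
prune_vfstab() {
    awk -v old="$1" -v new="$2" '
    /^#/ || NF == 0 { print; next }                      # comments and blank lines as-is
    $3 == "/" && $1 ~ ("^/dev/dsk/" old "s[0-7]$") {     # root entry: point at the new disk
        gsub(old, new); print; next
    }
    $1 ~ /^\/dev\// { print "#" $0; next }               # any other real device: not copied, comment out
    { print }                                             # fd, /proc, tmpfs, ctfs, ...: keep
    '
}
```

Re-add a swap entry for a slice that actually exists on the new disk once the system boots from it.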

http://utahsysadmin.com/2008/02/07/adding-a-hard-drive-to-solaris-10/
http://nixforums.org/about22408-Copy-entire-Solaris-disk--to-new-Hard-Disk-.html
http://fengnet.com/book/Solaris_admin/ch01lev1sec15.html is a lovely discussion of smc admin tool. yay illegal yanking of copyrighted material prc peeps.

oracle solaris 11 is all new all the time

it is.

after install, re-configure networking. this will remove all profiles and anything that may muck up correct connectivity later on.

[undo]
yep. you start out by unconfiguring the default. go figure, right? well, this gets rid of all the confusion created by np and loc and "network magic."

# sysconfig configure -s

system will shut down; upon system start logon as "alternate account".

[ssh]
allow root ssh login solaris 11.

/etc/ssh/sshd_config
PermitRootLogin yes

/etc/default/login
#CONSOLE=/dev/console

# rolemod -K type=normal root

[ldap]
what's ldap up to?
svcs '*/ldap/*'
svcadm enable network/ldap/client:default
svcadm enable network/nis/domain
svcs -l network/ldap/client:default
/usr/lib/ldap/ldap_cachemgr -g

svcs -l network/ldap/client:default
make sure the deps are online.

ldapclient -v manual \
-a defaultServerList=xx.xx.xx.xx \
-a defaultSearchBase=dc=xx,dc=xx,dc=xx \
-a defaultSearchScope=sub \
-a bindTimeLimit=20 \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=admin,dc=xx,dc=xx,dc=xx \
-a proxyPassword=aStringValue \
-a serviceSearchDescriptor=passwd:ou=users,dc=xx,dc=xx,dc=xx \
-a serviceSearchDescriptor=shadow:ou=users,dc=xx,dc=xx,dc=xx \
-a serviceSearchDescriptor=group:ou=groups,dc=xx,dc=xx,dc=xx \
-a followReferrals=true

# ldapclient list
determine that all fields are thus:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=admin,dc=xx,dc=xx,dc=xx
NS_LDAP_BINDPASSWD= {NS1}poop
NS_LDAP_SERVERS= xx.xx.xx.xx
NS_LDAP_SEARCH_BASEDN= dc=xx,dc=xx,dc=xx
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=users,dc=xx,dc=xx,dc=xx
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=users,dc=xx,dc=xx,dc=xx
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=groups,dc=xx,dc=xx,dc=xx
NS_LDAP_BIND_TIME= 30

in pam.conf have:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

http://docs.oracle.com/cd/E23823_01/html/816-5166/ldapclient-1m.html shows all the neat switches.

[nsswitch]

# svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> setprop config/host = astring: "files dns"
svc:/system/name-service/switch> setprop config/ipnodes = astring: "files dns"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit
# svcadm enable dns/client
# svcadm refresh name-service/switch
# grep host /etc/nsswitch.conf
hosts:  files dns
# cat /etc/resolv.conf