Friday, August 16, 2013

solaris 9 & 10 ssh

yeah. i forget sometimes.

Solaris 9

Disable service ssh?
    bash> /etc/init.d/sshd stop
    bash> /etc/rc3.d/S89sshd stop

Enable service ssh?
    bash> /etc/init.d/sshd start
    bash> /etc/rc3.d/S89sshd start

Refresh service ssh?
    bash> kill -HUP `cat /var/run/sshd.pid`

Solaris 10

First, check the ssh service with:
    bash> svcs | grep ssh
    online         Jan_21   svc:/network/ssh:default

If the ssh service is offline, bring it online with:
    bash> svcadm enable -t network/ssh:default
    bash> /lib/svc/method/sshd start

Disable service ssh?
    bash> svcadm disable -t network/ssh:default

Restart service ssh?
    bash> svcadm restart network/ssh:default
    bash> /lib/svc/method/sshd restart

Refresh service ssh?
    bash> svcadm refresh network/ssh:default

To allow root to connect to the host via the ssh service:
    bash> vi /etc/ssh/sshd_config
    [....]
    # Valid options are yes, without-password, no.
    PermitRootLogin no
    [....]

Replace no with yes, then save the edited configuration. Don't forget to restart the ssh service after editing the configuration.
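The PermitRootLogin step above is a hand edit in vi. The script below is an added example (not from the post) that makes the same change from a script, idempotently and with a backup, so it can be run from a change-control job and, just as easily, run again afterwards to set the value back to no. It matches directive names the way OpenSSH-derived sshds read them (case-insensitively, first active occurrence wins), treats a commented-out "#PermitRootLogin no" line as absent, and collapses duplicate active lines to one. The config path is a parameter so you can try it on a copy first.

```shell
#!/bin/sh
# Added example, not from the post. Edits one sshd_config directive in place.
#   usage: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
# Assumption: a stock sshd_config layout ("Keyword value" lines, '#' comments).

# set_sshd_option CONFIG KEY VALUE
set_sshd_option() {
    cfg=$1 key=$2 val=$3
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { lk = tolower(key) }
        tolower($1) == lk && $0 !~ /^[ \t]*#/ {   # an active (uncommented) directive
            if (!done) { print key " " val; done = 1 }
            next                                   # later duplicates are dropped
        }
        { print }
        END { if (!done) print key " " val }       # not present at all: append it
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"      # write through the existing file: owner and mode stay
    rm -f "$tmp"
}

# sshd_option CONFIG KEY -> prints the value sshd will use, nothing if unset
sshd_option() {
    awk -v key="$2" 'BEGIN { lk = tolower(key) }
        tolower($1) == lk && $0 !~ /^[ \t]*#/ { print $2; exit }' "$1"
}
```

After the edit, restart sshd as the post says (svcadm restart network/ssh:default on Solaris 10, the init script on Solaris 9) so the new value is read. One caveat on the svcadm lines above: the -t flag makes enable and disable temporary, so the change is lost at the next reboot; leave it off when the new state should persist.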
Wednesday, August 14, 2013
solaris 11 & password policy
it is 4:50 in the p.m. and it is a friday. someone says, hey, my simple password's not working on solaris11. you say, uh.
from: http://www.c0t0d0s0.org/archives/4454-Less-known-Solaris-features-On-passwords-Part-3-Using-a-password-policy.html

Specifying a password policy

There is a central file in Solaris controlling the password policy. In /etc/default/passwd you define what requirements a password must fulfill before Solaris allows the user to set this password. Let's have a look in the actual file of a standard Solaris system. You have to log into your system as root.

One important note for trying out this feature: you need to log into your system as a normal user in a different window. root can set any password without a check by the password policy, thus it would look like your configuration changes had no effect.

# cat passwd
[... omitted CDDL header ...]
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd

You enable the checks by uncommenting them and setting a reasonable value on the line. When you enable all the checks, it's actually harder to find a valid password than a non-valid one. Whenever thinking about a really hard password policy you should take into consideration that people tend to make notes about their password when they can't remember it. And a strong password under the keyboard is obviously less secure than a weak password in the head of the user.

Parameter: Description

MAXWEEKS: This variable specifies the maximum age for a password.

MINWEEKS: This variable specifies the minimum age for a password. The rationale for this setting gets clearer when I talk about the HISTORY setting.

PASSLENGTH: The minimum length for a password.

HISTORY: This variable specifies the length of a history buffer. You can specify a length of up to 26 passwords in the buffer. The MINWEEKS buffer is useful in conjunction with this parameter. There is a trick to circumvent this buffer and to get your old password back. Just change it as often as the length of the buffer plus one time. The MINWEEKS parameter prevents this.

WHITESPACE: This variable defines if you are allowed to use a whitespace in your password.

NAMECHECK: When you set this variable to YES, the system checks if the password and login name are identical. So using the password root for the user root would be denied by this setting. The default, by the way, is yes.

Besides these basic checks you can use /etc/default/passwd to enforce checks for the complexity of passwords. So you can prevent the user from setting too simple passwords.

Parameter: Description

MINDIFF: Let's assume you've used 3 here. If your old password was batou001, a new password would be denied if you try to use batou002, as only one character was changed. batou432 would be a valid password.

MINUPPER: With this variable you can force the usage of upper case characters. Let's assume you've specified 3 here; a password like wasabi isn't an allowed choice, but you could use WaSaBi.

MINLOWER: With this variable you enable the check for the amount of lower case characters in your password. In the case you've specified 2 here, a password like WASABI isn't allowed, but you can use WaSaBI.

MAXREPEATS: Okay, some users try to use passwords like aaaaaa2=. Obviously this isn't really a strong password. When you set this parameter to 2, it checks if at most 2 consecutive characters are identical. A password like waasabi would be allowed, but not a password like waaasabi.

MINSPECIAL: The class SPECIAL consists of characters like !=(). Let's assume you've specified 2; a password like !ns!st= would be fine, but the password insist is not a valid choice.

MINDIGIT: With this parameter you can specify the amount of numbers in your password. Let's assume you specify 2; a password like snafu01 will be allowed. A password like snafu1 will be denied.

MINALPHA: You can check with this variable for a minimum amount of alpha chars (a-z and A-Z). When you set a value of 2 on this variable, a password like aa23213 would be allowed; a password like 0923323 would be denied.

MINNONALPHA: This checks for the amount of non-alpha characters (0-9 and special chars). A value of 2 would lead to the denial of wasabi, but a password like w2sab! is okay.

Using wordlists

There is another way to force stronger passwords. You can deny every password that is located in a list of words. The program for changing passwords is capable of comparing the new password against a list of words. With this function you can deny the most obvious choices of passwords. But you should initialize the dictionary with a list of words before you can use this feature.

# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

The file /usr/share/lib/dict/words is a file in the Solaris Operating System containing a list of words. It's normally used by spell checking tools. Obviously you should use a wordlist in your own language, as users tend to choose words from their own language as passwords. So an English wordlist in Germany may be not that effective. You find a list of other wordlists here.

Now you have to tell Solaris to use these lists. There are some parameters in /etc/default/passwd I didn't cover before:

Parameter: Description

DICTIONLIST: This variable can contain a list of dictionary files separated by a comma. You must specify full pathnames. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.

DICTIONDBDIR: The directory where the generated dictionary databases reside.

When neither of the two variables is specified in /etc/default/passwd then no dictionary check is performed. Let's try it. I've uncommented the DICTIONDBDIR line of the /etc/default/passwd file and used the standard value /var/passwd. One of the words in the dictionary I imported is the word airplane:

$ passwd
passwd: Changing password for jmoekamp
Enter existing login password: chohw!2
New Password: airplane
passwd: password is based on a dictionary word.

Solaris denies the password as it's based on a word in the imported dictionary.
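The quoted article explains each /etc/default/passwd parameter with one accepted and one denied password. The script below is an added example, not part of the article or of Solaris, that approximates those checks offline so a candidate policy file can be tried against sample passwords before it goes live (as the article notes, testing as root tells you nothing, because root bypasses the policy). It reads the same KEY=VALUE lines as /etc/default/passwd, with commented-out keys staying disabled. Two simplifications are assumptions of this script and not Solaris behaviour: MINDIFF is counted as differing positions plus the length difference, and DICTIONLIST is an exact, case-insensitive match against the listed word files rather than the real "based on a dictionary word" test.

```shell
#!/bin/sh
# Added example, not from the quoted article: offline approximation of the
# /etc/default/passwd checks for trying out a policy. Run "sh thisfile demo"
# to see the article's examples evaluated against a constructed policy.
LC_ALL=C; export LC_ALL

# Count the characters of $1 that fall inside the tr(1) set $2.
count_in() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' \n'; }

# write_policy FILE KEY=VALUE...   (helper for building policy files)
write_policy() { f=$1; shift; printf '%s\n' "$@" > "$f"; }

# check_password POLICYFILE USER OLDPW NEWPW
#   Prints "ok" and returns 0, or prints the violated rule and returns 1.
#   The body is a subshell, so the policy variables never leak to the caller.
check_password() (
    policy=$1 user=$2 old=$3 new=$4
    while IFS= read -r line; do                 # KEY=VALUE lines only; '#' lines stay off
        case $line in
            [A-Z]*=*) key=${line%%=*}; val=${line#*=}
                      case $key in *[!A-Z_]*) continue ;; esac
                      eval "$key=\$val" ;;
        esac
    done < "$policy"
    fail() { echo "$1: $2"; exit 1; }

    len=$(printf '%s' "$new" | wc -c | tr -d ' \n')
    upper=$(count_in "$new" 'A-Z'); lower=$(count_in "$new" 'a-z')
    digit=$(count_in "$new" '0-9'); alpha=$((upper + lower))
    nonalpha=$((len - alpha));     special=$((nonalpha - digit))
    # Longest run of identical consecutive characters.
    repeats=$(printf '%s\n' "$new" | awk '{ best = run = 1
        for (i = 2; i <= length($0); i++) {
            run = (substr($0, i, 1) == substr($0, i - 1, 1)) ? run + 1 : 1
            if (run > best) best = run }
        print best }')
    # Differing positions plus length difference (passwords go via ENVIRON so
    # awk -v does not reinterpret backslashes).
    diff=$(OLD=$old NEW=$new awk 'BEGIN { a = ENVIRON["OLD"]; b = ENVIRON["NEW"]
        n = length(a); m = length(b); d = (n > m) ? n - m : m - n
        for (i = 1; i <= (n < m ? n : m); i++)
            if (substr(a, i, 1) != substr(b, i, 1)) d++
        print d }')

    [ "$len" -ge "${PASSLENGTH:-6}" ] || fail PASSLENGTH "need at least ${PASSLENGTH:-6} characters"
    if [ "${NAMECHECK:-YES}" != NO ] && [ "$new" = "$user" ]; then
        fail NAMECHECK "password equals login name"; fi
    if [ "${WHITESPACE:-YES}" != YES ]; then
        case $new in *[[:space:]]*) fail WHITESPACE "whitespace not allowed" ;; esac; fi
    [ "$upper"    -ge "${MINUPPER:-0}" ]    || fail MINUPPER    "need at least $MINUPPER upper-case characters"
    [ "$lower"    -ge "${MINLOWER:-0}" ]    || fail MINLOWER    "need at least $MINLOWER lower-case characters"
    [ "$digit"    -ge "${MINDIGIT:-0}" ]    || fail MINDIGIT    "need at least $MINDIGIT digits"
    [ "$special"  -ge "${MINSPECIAL:-0}" ]  || fail MINSPECIAL  "need at least $MINSPECIAL special characters"
    [ "$alpha"    -ge "${MINALPHA:-0}" ]    || fail MINALPHA    "need at least $MINALPHA letters"
    [ "$nonalpha" -ge "${MINNONALPHA:-0}" ] || fail MINNONALPHA "need at least $MINNONALPHA non-letters"
    [ "$diff"     -ge "${MINDIFF:-0}" ]     || fail MINDIFF     "fewer than $MINDIFF characters differ from the old password"
    # MAXREPEATS=0 (the file's default) means no repeat check at all.
    [ "${MAXREPEATS:-0}" -eq 0 ] || [ "$repeats" -le "$MAXREPEATS" ] \
        || fail MAXREPEATS "more than $MAXREPEATS identical consecutive characters"
    IFS=,                                       # DICTIONLIST is comma-separated full paths
    for dict in ${DICTIONLIST:-}; do
        [ -r "$dict" ] && grep -qixF -- "$new" "$dict" \
            && fail DICTIONLIST "password is based on a dictionary word"
    done
    echo ok
)

demo() {   # the article's examples against one constructed policy
    p=${TMPDIR:-/tmp}/passwd.policy.$$
    write_policy "$p" PASSLENGTH=6 MINUPPER=3 MAXREPEATS=2 MINDIFF=3
    for pw in wasabi WaSaBi WaaaSaBi batou002; do
        printf '%-10s %s\n' "$pw" "$(check_password "$p" jmoekamp batou001 "$pw" || true)"
    done
    rm -f "$p"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Point it at a copy of the real /etc/default/passwd and a few passwords from your own environment to see which rule a planned policy trips most often; that is usually the rule that ends up on a sticky note.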
Monday, August 5, 2013
solaris flar p2v
notes to self...
on your zone system, make sure you've got all the constituent packages;

# pkginfo | egrep brand
system      SUNWs8brandr     Solaris 8 Containers: solaris8 brand support (Root)
system      SUNWs8brandu     Solaris 8 Containers: solaris8 brand support (Usr)
system      SUNWs9brandr     Solaris 9 Containers: solaris9 brand support (Root)
system      SUNWs9brandu     Solaris 9 Containers: solaris9 brand support (Usr)

If not, then you need to download the proper patch set from Oracle. Sadly, you need an OS subscription for that.

# pkgadd -d s9containers-bundle/1.0/Product
# pkgadd -d s8containers-bundle/1.0/Product
# pkgadd -d s9containers-bundle/1.0.1/Product
# pkgadd -d s8containers-bundle/1.0.1/Product

And... for flarcreate...

109318-41 | 5.8
109319-40 | 5.8_x86
113434-40 | 5.9
114196-38 | 5.9_x86

cool. we're going to use flar & cpio.

flarcreate -S -n s10-system -L cpio /net/target/export/s10-system.flar

or without compression:

flarcreate -R / -n engr -c -x /opt/flash /opt/flash/engr.flar

flar info s9-image.flar

of importance:

s9-image.flar : Flash Archive 2.0
files_archived_method=cpio

this means we first have to use flar (2.0) to extract files, and then those component files must be extracted using cpio. moreover, flar 2.0 will tell you the os. if using flar 1.0, well, you're prolly looking at a sol 5.8 image.

flar split -d /opt/s9-image.zone /opt/s9-image/s9-image.flar
cpio -idmv < /opt/s9-image/archive
cat s9-image.flar | cpio -ivt

that's just extract supposedly.

if you do this:

flar split -d /opt/s9-image.zone -f /opt/s9-image/s9-image.flar

the flar will be extracted complete and then you can run:

zoneadm -z s9-image install -p -v -d /opt/s9-image.zone/archive

or -d -

that -d - is sort of important. that says, use this directory, and oh by the way, it exists, so no copying stuff from there as specified in your previous zonecfg process. and get your imaged system to install. that -u means initialize the system so all that fun name, ip and auth system stuff is zapped.
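The notes above hinge on two things read off `flar info`: the archive version and files_archived_method, which decide whether a cpio step is needed after `flar split`. The script below is an added example, not from the post or from Solaris, that reads those values straight from the archive's identification section so a pre-flight check can refuse an unexpected archive before `zoneadm install` is run. The layout it assumes is the Flash Archive 2.0 one (a first-line cookie "FlAsH-aRcHiVe-2.0", then key=value lines between section_begin=identification and section_end=identification, with keys such as content_name, files_archived_method and creation_release); that layout and those key names are assumptions here, taken from the flar format rather than from the post.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight check on a Flash archive before
# flar split / zoneadm install.   usage: sh thisfile /opt/s9-image/s9-image.flar
# Assumed layout: cookie line, then key=value lines in the identification section.

# flar_ident ARCHIVE KEY -> prints KEY's value; exit status 2 if ARCHIVE lacks the cookie
flar_ident() {
    awk -v want="$2" '
        NR == 1 && $0 !~ /^FlAsH-aRcHiVe-/ { exit 2 }
        /^section_begin=identification$/ { in_id = 1; next }
        /^section_end=identification$/   { exit }    # stop before the cpio payload
        in_id && index($0, (want "=")) == 1 { print substr($0, length(want) + 2); exit }
    ' "$1"
}

# flar_preflight ARCHIVE -> one summary line and exit 0, or a reason on stderr and exit 1
flar_preflight() {
    a=$1
    method=$(flar_ident "$a" files_archived_method) \
        || { echo "$a: not a Flash archive (no cookie on line 1)" >&2; return 1; }
    case $method in
        cpio|pax) ;;                    # both need a second unpack step after flar split
        "")  echo "$a: files_archived_method missing from identification section" >&2; return 1 ;;
        *)   echo "$a: unknown archiver '$method'" >&2; return 1 ;;
    esac
    echo "name=$(flar_ident "$a" content_name) release=$(flar_ident "$a" creation_release) method=$method"
}

if [ -n "${1:-}" ]; then flar_preflight "$1"; fi
```

With method=cpio the post's sequence applies unchanged: `flar split`, then `cpio -idmv < archive` in the split directory, then `zoneadm ... install -d`. A release value other than the brand you installed packages for (5.8 for SUNWs8brand*, 5.9 for SUNWs9brand*) is the mismatch worth catching here rather than halfway through the install.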
Friday, August 2, 2013
ACL error on ls. eh?
root@solaris: $ ls -la /nfs/mnt
ls: can't read ACL on .: Permission denied

sigh.

root@solaris: $ mount -F nfs -o vers=3 server:/nfs/export /nfs/mnt
root@solaris: $ ls -la /nfs/mnt
... stuff ...

cool. why? nfs client default mismatch. solaris was saying 2. server was saying i'm 3 all the time.
is nscd dead?
if so, restart it.
if [ $(ps aux | grep -e 'nscd$' | grep -v grep | wc -l | tr -s "\n") -eq 0 ]; then
    /etc/init.d/nscd stop
    /etc/init.d/nscd start
fi

might as well crontab it, too.
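For the crontab version, the script below is an added example (not the post's own one-liner) of the same check in a cron-friendly form: pgrep -x matches the exact process name, which replaces the `ps | grep | grep -v grep | wc -l` pipeline, the outcome is logged, and the check and restart commands are parameters so the function can be tried on a throwaway command and reused for other daemons. The nscd commands at the bottom are the post's own; the script path and cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: cron-friendly "restart nscd if it died".
#   crontab entry (Solaris cron has no */15 syntax):
#   0,15,30,45 * * * * /usr/local/sbin/nscd-watch.sh nscd

log() { logger -t watchdog "$1" 2>/dev/null || echo "watchdog: $1" >&2; }

# ensure_running NAME CHECK_CMD RESTART_CMD
#   returns 0 if CHECK_CMD already succeeds, 2 if it only succeeds after
#   RESTART_CMD, 1 if it still fails afterwards (the log line says which).
ensure_running() {
    name=$1 check=$2 restart=$3
    if sh -c "$check" >/dev/null 2>&1; then return 0; fi
    log "$name is not running; restarting"
    sh -c "$restart" >/dev/null 2>&1 || true
    if sh -c "$check" >/dev/null 2>&1; then log "$name restarted"; return 2; fi
    log "$name still down after restart"
    return 1
}

if [ "${1:-}" = nscd ]; then
    ensure_running nscd 'pgrep -x nscd' '/etc/init.d/nscd stop; /etc/init.d/nscd start'
fi
```

On Solaris 10 nscd is also under SMF (svcs name-service-cache shows it), so svcadm restart of that service is the alternative restart command there; the init-script form above is the one the post uses.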
Thursday, August 1, 2013
well flies on my eyes! or netapp and samba domain excitement
here's the normal process of having a netapp filer join an nt4-style samba domain:
vfiler*> cifs terminate
filer@vfiler*> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

Your filer does not have WINS configured and is visible only to
clients on the same subnet.
Do you want to make the system visible via WINS? [n]: y
You can enter up to 4 IPv4 WINS server addresses.
IPv4 address(es) of your WINS name server(s) []: IP.OF.WINS.SERVER
A filer can be configured for multiprotocol access, or as an NTFS-only filer.
Since multiple protocols are currently licensed on this filer, we recommend that
you configure this filer as a multiprotocol filer
(1) Multiprotocol filer
(2) NTFS-only filer
Selection (1-2)? [1]: 1
The default name for this CIFS server is 'FILER'.
Would you like to change this name? [n]:
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 2
What is the name of the Windows NT 4 domain? []: SAMBADOMAIN
*** CIFS Setup was unable to discover the address of the Primary Domain
*** Controller (PDC) for the SAMBADOMAIN domain using WINS or broadcasts.
*** In order to join the domain, you must supply the IPv4 address of the
*** PDC. After CIFS Setup has completed, you can use the 'cifs prefdc'
*** command to specify a complete set of preferred PDC and BDC addresses.
Enter the IPv4 address of the Primary Domain Controller []: 10.10.10.10
CIFS - Starting SMB protocol...
Welcome to the SAMBADOMAIN Windows(R) NT domain
filer@vfiler*> Wed Mar 30 10:55:09 EST [filer@auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- the machine password changed on domain controller \\PDC.
Wed Mar 30 10:55:09 EST [filer@cifs.startup.local.succeeded:info]: CIFS: CIFS local server is running.
Wed Mar 30 10:55:16 EST [filer@nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
filer@vfiler*>
filer@vfiler*> cifs domaininfo
NetBios Domain:           SAMBADOMAIN
Type:                     NT4
Current Connected DCs:    \\PDC
Total DC addresses found: 3
Preferred Addresses:
                          10.10.10.10 PDC PDC
Favored Addresses:
                          None
Other Addresses:
                          10.10.10.11 BDC
                          10.10.10.12 BDC2

however. sometimes things do not work out for you.
vfiler> vfiler context filer
filer@vfiler> Thu Aug 1 09:02:39 EDT [filer@cmds.vfiler.console.switch:notice]: Console context was switched to a vFiler(tm) unit filer.
filer@vfiler> cifs domaininfo
NetBios Domain:           SAMBADOMAIN
Type:                     NT4
Not currently connected to any DCs
Preferred Addresses:
                          10.10.10.10 PDC PDCBROKEN
Favored Addresses:
                          None
Other Addresses:
                          10.10.10.11 BDC BDCBROKEN
                          10.10.10.12 BDC2 BDCBROKEN
filer@vfiler> cifs testdc
Using Established configuration
Current Mode of NBT is H Mode
Netbios scope ""
Registered names...
    FILER         < 0>  WINS Broadcast
    FILER         < 3>  WINS Broadcast
    FILER         <20>  WINS Broadcast
    SAMBADOMAIN   < 0>  WINS Broadcast
Testing all Primary Domain Controllers
found 1 unique addresses
Thu Aug 1 09:05:54 EDT [filer@auth.dc.DCPasswdChange.failed:error]: AUTH: The filer's attempt to change the shared password with filer's domain controller failed with status 0xc000005e: Scheduled automatic password change failed. The filer will retry in 1 hour.
Not able to communicate with PDC 10.10.10.10
trying 10.10.10.10...10.10.10.10 is alive
Testing all Domain Controllers
found 3 unique addresses
Not able to communicate with DC 10.10.10.10
trying 10.10.10.10...10.10.10.10 is alive
found DC BDC at 10.10.10.11
found DC BDC2 at 10.10.10.12

well crud. let's try to re-add.
filer@vfiler> cifs terminate
CIFS local server on vfiler filer is shutting down...
waiting for CIFS shut down (^C aborts)...
CIFS local server on vfiler filer has shut down...
filer@vfiler> cifs setup filer
Invalid arguments to CIFS Setup.
filer@vfiler> cifs setup
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

This filer is currently a member of the Windows NT 4 domain 'SAMBADOMAIN'.
Do you want to continue and change the current filer account information? [n]: y
Your filer is currently visible to all systems using WINS. The WINS
name servers currently configured are: [ 10.10.10.10 ].
(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS
Selection (1-3)? [1]: 1
This filer is currently configured as a multiprotocol filer.
Would you like to reconfigure this filer to be an NTFS-only filer? [n]: n
The default name for this CIFS server is 'FILER'.
Would you like to change this name? [n]: n
Data ONTAP CIFS services support four styles of user authentication.
Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
Selection (1-4)? [1]: 2
What is the name of the Windows NT 4 domain? [SAMBADOMAIN]:
CIFS - Starting SMB protocol...
Thu Aug 1 09:18:35 EDT [filer@nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
*** CIFS Setup could not establish a connection with the Primary Domain
*** Controller (PDC). Usually this happens when the 'FILER'
*** account does not exist in the domain or must have it's password reset.

crud. exit from cifs setup. and go over to your Samba PDC.
root@pdc:~# smbpasswd -x FILER$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBADOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: FILER$
init_group_from_ldap: Entry found for group: 2771
ldapsam_delete_sam_account: Deleting user FILER$ from LDAP.
sh: 1: /usr/local/sbin/ldap_delete_user: not found
smb_delete_user: Running the command `/usr/local/sbin/ldap_delete_user "filer$"' gave 127
Deleted user FILER$.
root@pdc:~# smbpasswd -a -m FILER$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBADOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBADOMAIN))]
ldapsam_add_sam_account: User exists without samba attributes: adding them
init_ldap_from_sam: Setting entry for user: FILER$
ldapsam_add_sam_account: added: uid == FILER$ in the LDAP database
init_sam_from_ldap: Entry found for user: FILER$
init_group_from_ldap: Entry found for group: 2771
init_ldap_from_sam: Setting entry for user: FILER$
ldapsam_update_sam_account: successfully modified uid = FILER$ in the LDAP database
Added user FILER$.
root@pdc:~# id FILER$
uid=15345(FILER$) gid=1301(Domain Computers) groups=1301(Domain Computers)

now, go back to the netapp filer. start the process again. when you get past the authentication section, you should see this:
Selection (1-4)? [2]: 2
What is the name of the Windows NT 4 domain? [SAMBADOMAIN]:
CIFS - Starting SMB protocol...
Thu Aug 1 09:34:29 EDT [filer@nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
Thu Aug 1 09:34:32 EDT [filer@auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- the machine password changed on domain controller \\BDC.
Welcome to the SAMBADOMAIN Windows(R) NT domain
filer@vfiler> Thu Aug 1 09:34:32 EDT [filer@auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- the machine password changed on domain controller \\BDC.
Thu Aug 1 09:34:32 EDT [filer@cifs.startup.local.succeeded:info]: CIFS: CIFS local server is running.

hot damn.