Questions and Answers
Jim McKinstry and Amy Rich
Q I've installed a Solaris
8 jumpstart server with the following sysidcfg file (IPs
changed to protect the innocent):
name_service=DNS { domain_name=my.domain.com
name_server=192.168.1.2,192.168.1.3 }
system_locale=en_US
timezone=US/Eastern
terminal=vt100
timeserver=localhost
security_policy=NONE
network_interface=primary { netmask=255.255.255.0 protocol_ipv6=no }
When I try to jumpstart a client with:
boot net - install
the installation goes into interactive mode. If I use name_service=NONE,
then the installation completes without intervention. I thought that
using DNS and specifying the domain and nameservers should result
in a hands-off install. Am I doing something wrong?
A Are you installing the jumpstart
client on a network that can't reach the name servers (e.g.,
having a private non-routable network just for jumpstart installs,
but specifying the real DNS servers)? If the jumpstart client can
not reach the nameservers, I believe it asks for manual intervention.
In addition to that, you may want to check for typos in the IP addresses
and perhaps try a sniffer
to see what's happening on the wire.
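Before booting the client again, it is worth checking the sysidcfg file itself from a host that sits on the jumpstart network. The shell script below is an added example, not part of the original column: it pulls the name_server addresses and domain_name out of sysidcfg, rejects anything that is not a well-formed dotted quad (the typo case), and, when dig is installed on the checking host and PROBE_DNS is not set to no, sends one SOA query for the configured domain to each server (the reachability case). dig is an assumption here; Solaris 8 ships nslookup, so substitute that if you run the check on the jumpstart server itself.

```sh
#!/bin/sh
# Check the DNS settings in a jumpstart sysidcfg before booting a client.
# Added example: parses name_server= and domain_name=, validates each
# address, and optionally probes each server with dig (assumed installed).

# sysidcfg_nameservers FILE -> the name_server addresses, one per line
sysidcfg_nameservers() {
    sed -n 's/.*name_server=\([^ }]*\).*/\1/p' "$1" | tr ',' '\n' | grep -v '^$'
}

# sysidcfg_domain FILE -> the domain_name value (first one found)
sysidcfg_domain() {
    sed -n 's/.*domain_name=\([^ }]*\).*/\1/p' "$1" | head -n 1
}

# valid_ipv4 ADDR -> 0 if ADDR is a well-formed dotted quad, 1 otherwise
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _save_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# check_sysidcfg FILE
#   Prints one status line per name server.  Returns 1 if any address is
#   malformed or, when probing, fails to answer.  PROBE_DNS=no skips the
#   query and only checks syntax.
check_sysidcfg() {
    _domain=$(sysidcfg_domain "$1")
    _bad=0
    for _ns in $(sysidcfg_nameservers "$1"); do
        if ! valid_ipv4 "$_ns"; then
            echo "$_ns: malformed address, check sysidcfg for typos"
            _bad=1
        elif [ "${PROBE_DNS:-yes}" = no ] || ! command -v dig >/dev/null 2>&1; then
            echo "$_ns: syntax ok (not probed)"
        elif dig +time=2 +tries=1 "@$_ns" "$_domain" SOA >/dev/null 2>&1; then
            echo "$_ns: answers SOA queries for $_domain"
        else
            echo "$_ns: no answer from this network; the client will drop into interactive mode"
            _bad=1
        fi
    done
    return $_bad
}

# Usage, from a host on the jumpstart network:
#   check_sysidcfg /export/jumpstart/sysidcfg
```

Run it from the same subnet the clients boot on, not from your desktop: a server that answers from the office LAN but not from an unrouted install network is exactly the failure described above.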
Q I would like to forward all mail,
including local mail, to the central mail server for our UNIX systems.
No local mailboxes exist on the clients. The clients are running
Solaris 8. The mail server should then decide whether the address
is local or forward it to the company mail server. The forwarding
to the main company mail server works for non-local mail, but how
do I stop the client from delivering mail locally on the clients?
A On every client that should not
ever deliver any local mail, you want to use the nullclient configuration.
If you have the Sendmail source code:
cd ${sendmail src directory}/cf/cf
where ${sendmail src} is where you've unpacked the code.
You'll see a file there called clientproto.mc. The uncommented
text looks like this (the quotes are m4 quotes: an opening backtick and a closing single quote):
divert(0)dnl
VERSIONID(`$Id: clientproto.mc,v 8.16 2000/03/21 21:05:26 ca Exp $')
OSTYPE(unknown)
FEATURE(nullclient, mailhost.$m)
You'll want to change two things here: the OSTYPE and
the host to which the mail should be sent (the smart host). Your client
OS is Solaris 8, you mentioned, and let's say that your central
mail server is called mail.foo.com. You create the file localclient.mc
(or pick whatever name you like for the mc file) and put the
following in it:
divert(0)dnl
VERSIONID(`$Id: clientproto.mc,v 8.16 2000/03/21 21:05:26 ca Exp $')
OSTYPE(solaris2)
FEATURE(nullclient, mail.foo.com)
If your client machine is in the same DNS domain as your central mail
hub, you can leave the name of the mail hub as mail.$m instead
of specifying mail.foo.com. If you have clients that are running
other operating systems, you can find a list of accepted OSTYPE
settings in ${sendmail src}/cf/ostype. When specifying the
OSTYPE, don't add the .m4 on the end.
To create your new sendmail.cf file, do the following (assuming
you used localclient.mc as the name of your mc file):
cd ${sendmail src}/cf/cf
m4 ../m4/cf.m4 localclient.mc > sendmail.cf
mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
mv sendmail.cf /etc/mail/sendmail.cf
/etc/init.d/sendmail stop
/etc/init.d/sendmail start
Look at the log file (usually /var/log/syslog, /var/adm/messages,
or /var/log/maillog) to verify that Sendmail started without
errors.
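The one step worth adding to the procedure above is to make sure the new sendmail.cf actually parses before it replaces the live one, rather than finding out from the log after the restart. The following script is an added example, not part of the column or of the Sendmail distribution: it writes the .mc file from an OSTYPE and a smart host, runs m4 the way cf/cf/Makefile does (SENDMAIL_SRC is the unpacked source tree), checks that the ostype file exists, and then uses sendmail -C file -bt with empty input, which parses the configuration and exits without delivering anything, before copying the file into /etc/mail with a .orig backup.

```sh
#!/bin/sh
# Build, check, and install a nullclient sendmail.cf.  Added example: the
# OSTYPE, smart host, and source tree are parameters; sendmail -C/-bt is
# used only to parse the new file, so a broken config never goes live.

# nullclient_mc OSTYPE SMARTHOST -> prints the .mc text on stdout
nullclient_mc() {
    printf '%s\n' \
        'divert(0)dnl' \
        "VERSIONID(\`nullclient, $1, smart host $2')" \
        "OSTYPE($1)" \
        "FEATURE(nullclient, $2)"
}

# build_cf SENDMAIL_SRC MCFILE OUTFILE -> m4 the .mc the way cf/cf/Makefile does
build_cf() {
    _src=$1; _mc=$2; _out=$3
    case $_mc in /*) ;; *) _mc=$PWD/$_mc ;; esac
    case $_out in /*) ;; *) _out=$PWD/$_out ;; esac
    [ -f "$_src/cf/m4/cf.m4" ] || { echo "$_src: no cf/m4/cf.m4, is this the sendmail source?" >&2; return 2; }
    # the OSTYPE argument must name a file under cf/ostype (without .m4)
    _os=$(sed -n 's/^OSTYPE(\([^)]*\)).*/\1/p' "$_mc")
    [ -f "$_src/cf/ostype/$_os.m4" ] || { echo "OSTYPE($_os): no such file under $_src/cf/ostype" >&2; return 2; }
    (cd "$_src/cf/cf" && m4 ../m4/cf.m4 "$_mc" > "$_out") && [ -s "$_out" ]
}

# check_cf CFFILE -> 0 if sendmail can parse it (address test mode, no input)
check_cf() {
    sendmail -C "$1" -bt </dev/null >/dev/null 2>&1
}

# install_cf CFFILE [LIVE] -> keeps LIVE.orig, refuses a file that does not parse
install_cf() {
    _new=$1; _live=${2:-/etc/mail/sendmail.cf}
    check_cf "$_new" || { echo "$_new: sendmail cannot parse it, not installing" >&2; return 1; }
    if [ -f "$_live" ]; then cp -p "$_live" "$_live.orig" || return 1; fi
    cp "$_new" "$_live" && chmod 644 "$_live"
}

# Usage (as root, with sendmail stopped; the source path is an assumption):
#   nullclient_mc solaris2 mail.foo.com > /tmp/localclient.mc
#   build_cf /usr/local/src/sendmail-8.11.2 /tmp/localclient.mc /tmp/sendmail.cf
#   install_cf /tmp/sendmail.cf && /etc/init.d/sendmail start
```

After the restart, still look at the log as described above; the parse check catches syntax errors, not a smart host that does not accept relayed mail.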
Q I've been seeing a lot of
RPC probes on my machine from an address in .br, .kr,
and .cn. Where the heck are these places, and is there some
definitive database that maps country code domains to location?
A .br belongs to the country
of Brazil, .kr to Korea, and .cn to China. I often
see a large number of cracking-associated probes (like RPC, backorifice,
DNS queries on a machine not running named, etc.) from Korea,
Hong Kong (.hk), and China, especially. For a complete listing
of country TLDs, take a look at IANA's ccTLD database:
http://www.iana.org/cctld/cctld-whois.htm
If you're seeing hits on ports that you don't recognize,
you may want to take a look at IANA's list of ports, too:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
Q I have a Sun machine with two processors.
How do I take one of them offline without bringing down the machine?
A To change the operational state
of the processors, use the /usr/sbin/psradm utility. The
caveat is that, on some processors or under certain conditions,
it may not be possible to disable interrupts for an offline processor.
So, depending on your machine, you may not be able to fully take
the processor offline. In order to take a specified processor offline,
you need to know the number of the processor. These are listed when
you do a /usr/sbin/psrinfo. Once you know the processor number,
you specify it by using the -f flag to /usr/sbin/psradm.
You'd take processor 1 offline by doing the following:
/usr/sbin/psradm -f 1
The -n flag does the reverse and brings a processor back online. Look at the manpages for psradm(1M) and psrinfo(1M)
for more information on these commands.
Q I'm looking at installing
some form of open source BSD on my PC. What's the difference
between NetBSD, OpenBSD, and FreeBSD? Is one any better than the
other?
A As always, "better"
is a relative term depending on what you're after. The three
open source BSD projects have different goals. NetBSD is designed
to be the most portable BSD, and it runs on a number of different
and obscure platforms. OpenBSD's goal is to be the most secure
OS, and they've done code audits and security enhancements
(like maintaining OpenSSH). Although not as portable as NetBSD,
OpenBSD currently runs on about a dozen platforms. FreeBSD is designed
to be the most user/systems administrator-friendly branch of the
BSDs, but it only runs (currently) on x86 and alpha platforms.
That said, the open source BSDs benefit from each other whenever
one does anything with the code base. There's a great deal
of cross-pollination that goes on between them (e.g., advancements
like the ports collection, security fixes to problems common to
all BSD installs, etc.). Each has a well-developed code base and
a structured development environment. They're all fairly good
choices for home UNIX machines.
Therefore, if you're just looking for a system to tinker
around with and learn from, I'd suggest FreeBSD. If you're
looking for something to run as a firewall, try OpenBSD. If you're
looking to run the same OS on a diverse number of platforms, I recommend
NetBSD. You may also want to take a look at the BSD FAQ:
http://cynjut.neonramp.com/FAQ.html
Q How can I completely remove the information
from a hard disk so that no one can recover the data that was on it?
Is just newfs'ing the disk good enough? How about formatting
it?
A The best way to ensure that no
one ever reads data off of a disk is to destroy the disk and melt
it down into slag. If you want to remove the old data and pass the
disk onto someone else for reuse, that's quite a bit trickier.
It isn't sufficient to just format or newfs the disk.
It's not even sufficient to write all zeros on the disk. Because
of the way data is stored on the disk, you have to jump through
hoops to actually get all of the data truly erased so that even
disk recovery houses can not pull information off of them. There's
a good paper by Peter Gutmann in the USENIX library that describes
erasing disks and tapes:
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
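If the disk is going to be reused rather than destroyed, the practical middle ground is several overwrite passes followed by a read-back check. The script below is an added example, not part of the column or of Gutmann's paper: it writes PASSES passes from /dev/urandom and then a pass of zeros over exactly SIZE bytes of the target, refuses anything that shows up in the mount table, and then reads the target back to confirm that only zeros remain. SIZE is the device size in bytes, which you get from prtvtoc on Solaris or blockdev --getsize64 on Linux (for a regular file, from wc -c); head -c is assumed, so it needs GNU or BSD head. Two caveats the paper makes clear: an overwrite cannot reach sectors the drive has remapped as bad, and it is no substitute for the slag option when the data really matters.

```sh
#!/bin/sh
# Overwrite a disk in place before it leaves your hands.  Added example:
# PASSES passes of /dev/urandom, then zeros, then a read-back check.
# SIZE is the byte count to cover (device size from prtvtoc/blockdev, or
# wc -c for a regular file).  Requires head -c (GNU or BSD head).

# refuse_if_mounted TARGET -> 1 if TARGET appears anywhere in the mount table
refuse_if_mounted() {
    if mount 2>/dev/null | grep -q -- "$1"; then
        echo "$1: appears to be mounted, refusing" >&2
        return 1
    fi
    return 0
}

# fill TARGET SIZE SOURCE -> copy exactly SIZE bytes of SOURCE over TARGET
# (conv=notrunc keeps a regular file at its current length)
fill() {
    head -c "$2" "$3" | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null
}

# verify_zeroed TARGET SIZE -> 0 iff the first SIZE bytes of TARGET are all NUL
verify_zeroed() {
    _nonzero=$(head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$_nonzero" -eq 0 ]
}

# wipe_target TARGET SIZE [PASSES] -> random passes, zero pass, read-back check
wipe_target() {
    _t=$1; _size=$2; _passes=${3:-3}
    [ -e "$_t" ] || { echo "$_t: no such file or device" >&2; return 2; }
    refuse_if_mounted "$_t" || return 3
    _i=0
    while [ "$_i" -lt "$_passes" ]; do
        fill "$_t" "$_size" /dev/urandom || return 1
        _i=$((_i + 1))
    done
    fill "$_t" "$_size" /dev/zero || return 1
    verify_zeroed "$_t" "$_size" || { echo "$_t: read-back found non-zero data" >&2; return 1; }
    echo "$_t: $_passes random pass(es) plus a zero pass written and verified"
}

# Usage (as root, device name and size are assumptions for illustration):
#   wipe_target /dev/rdsk/c1t2d0s2 18210037760 3
```

Use the raw (rdsk) device on Solaris so the writes are not cached, and double-check the device name before running it; the mount-table check only protects you from wiping something that is currently mounted.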
Q Is there a way to find out a user's
UID without looking in the password file? A machine I'm on has
the /etc/passwd file unreadable.
A You can use the id command
to determine what your UID and GID are. Most systems have a native
id command, or you can install the GNU sh-utils software:
ftp://ftp.gnu.org/gnu/sh-utils/
You can also whip up your own C program that uses one or more of the
following functions:
getuid, geteuid, getgid, getegid, getpwnam, getpwnam_r, getpwent,
getpwent_r, getpwuid, getpwuid_r, setpwent, endpwent, fgetpwent,
fgetpwent_r
See your system's man pages for the appropriate function call
syntax.
Q We have both FreeBSD and Solaris
machines at our company. We aren't currently running any sort
of centralized password authentication method (we're looking
into LDAP), but I want to be able to keep the passwords consistent
across platforms by just copying the password field. Is this possible?
A If your two platforms are using
the same scheme to encode passwords, then you can, indeed, copy
the passwords between machines. Note that the other fields of the
password entry may differ, however. By default, Solaris uses DES
to encode the local password. At install time, FreeBSD can be
configured to use either DES or MD5. MD5 is believed to be more
secure, but if you're aiming for compatibility, you're
better off having your FreeBSD machines use DES. FreeBSD moved to
MD5 password encoding because, at the time, DES was export controlled,
and it was illegal for people installing FreeBSD in countries other
than the United States to use it. As a result, the DES libraries
(the FreeBSD crypto package) can do both MD5 and DES, but the MD5
libraries can only do MD5.
To determine which scheme you're using on your FreeBSD machines,
take a look at /etc/master.passwd. Passwords encrypted with
the MD5 hash are longer than those encrypted with the DES hash
and begin with the string $1$. DES password strings are
shorter and are coded in a 64-character alphabet, which does not
include the $ character. You can also determine which authentication
system your machine is using by looking at where the libcrypt libraries
point.
ls -l /usr/lib/libcrypt.*
If these libraries point to libdescrypt, then you're using
DES. If they point to libscrypt, then you're using MD5.
If you're using MD5 and you want to switch to DES, you can install
the crypto package from /stand/sysinstall. The libcrypt
libraries should now point to the libdescrypt libraries. If
you have old users with MD5 entries, you'll either have to crack
them or have the users change their passwords.
If the DES libraries are installed, also be sure to check /etc/login.conf
for a passwd_format entry. If one exists, you'll
want it set to des, not md5. This setting controls
the format in which any new passwords are stored.
As an aside, if you're looking at some sort of centralized
password and group repository, try as soon as possible to sync up
your UIDs and GIDs across all of your machines.
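Since the two files have different layouts (master.passwd has ten fields, Solaris shadow(4) has nine) and only DES entries can travel, copying "just the password field" is easier to get right with a small script than with an editor. The one below is an added example, not part of the column: pw_scheme classifies a hash field by the rules given above (a $1$ prefix is MD5; exactly 13 characters from the 64-character crypt alphabet is DES; an empty, * or ! field is a locked account), and master_to_shadow reads FreeBSD master.passwd lines and emits a Solaris shadow line for every DES or locked entry, reporting MD5 entries on stderr so those users can be told to change their password. LASTCHG is the days-since-epoch value you want in the third shadow field. Keep in mind that traditional DES crypt only looks at the first eight characters of a password and uses a 12-bit salt, so standardizing on it buys compatibility, not strength; and both source and destination files are root-only, so run this as root and do not leave the output lying around in /tmp.

```sh
#!/bin/sh
# Classify password hashes and convert FreeBSD master.passwd entries to
# Solaris shadow(4) lines.  Added example; the sample input is constructed.

# pw_scheme HASH -> prints one of: des, md5, locked, unknown
pw_scheme() {
    case $1 in
        ''|'*'*|'!'*) echo locked ;;
        '$1$'*) echo md5 ;;
        *)
            # traditional DES crypt(3): exactly 13 characters from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ] && [ -z "$(printf '%s' "$1" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# master_to_shadow MASTER_PASSWD LASTCHG
#   master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
#   shadow fields:        name:pw:lastchg:min:max:warn:inactive:expire:flag
#   Emits a shadow line for DES and locked entries; reports the rest on stderr.
master_to_shadow() {
    while IFS=: read -r _name _pw _uid _gid _class _change _expire _gecos _home _shell; do
        case $_name in ''|'#'*) continue ;; esac
        _scheme=$(pw_scheme "$_pw")
        case $_scheme in
            des|locked) printf '%s:%s:%s::::::\n' "$_name" "$_pw" "$2" ;;
            *) echo "$_name: $_scheme hash, not portable to Solaris DES crypt; user must reset" >&2 ;;
        esac
    done < "$1"
}

# Usage (as root; LASTCHG is today's day number, e.g. $(($(date +%s) / 86400)) on GNU/BSD date):
#   master_to_shadow /etc/master.passwd 11500 > shadow.fragment
```

The output still has to be merged into /etc/shadow by hand or with a script that matches on user name, and the UIDs in /etc/passwd must agree on both sides, which is the point of the last paragraph above.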
Q I'm trying to run Netscape
4.76 on Solaris 8, but whenever I type in a URL, it just sits there
and hangs. If I wait long enough, it comes back and says that it
can't resolve the host. I have the following in /etc/nsswitch.conf:
hosts: files dns
I can do an nslookup on the hosts I'm trying to get to,
I can ping them, and I can telnet to them -- everything
but Web access via Netscape. What's the problem?
A You've probably turned off
nscd, the name service cache daemon. Unfortunately, with
Solaris 8, Netscape refuses to function without using nscd.
I'd suggest trying to run:
/etc/init.d/nscd start
and then browsing. If this fixes your problem, make sure you have
the following start and stop scripts in place, and nscd will
start even after the machine gets rebooted:
/etc/rc0.d/K40nscd
/etc/rc1.d/K40nscd
/etc/rc2.d/S76nscd
/etc/rcS.d/K40nscd
For more information about nscd and what it does, take a look
at the man pages nscd(1M) and nscd.conf(4).
Q We have a large number of messages
that get queued, so I want to set up multiple queue directories
on different disks to help with stat() times and read times.
I'm using Sendmail 8.11.2, and I have the partitions for the
queue directories mounted as /var/spool/mqueue1, /var/spool/mqueue2,
and /var/spool/mqueue3. I'm not sure how to split up
the queue so that it goes onto these disks, however. Everything
is still staying in /var/spool/mqueue.
A First, make sure that you have
stopped Sendmail and that no mail is being delivered. From doc/op/op:
QueueDirectory=dir [Q] Use the named dir as the queue directory. To
use multiple queues, supply a value ending with an asterisk.
For example, /var/spool/mqueue/q* will use all of the
directories or symbolic links to directories beginning with q
in /var/spool/mqueue as queue directories.
Set QueueDirectory to /var/spool/mqueue/q*. In the mc
file, add the following (m4 quoting again: opening backtick, closing single quote); rebuild your sendmail.cf; and put
it into place:
define(`confQUEUE_DIR', `/var/spool/mqueue/q*')dnl
Make the following symlinks:
/var/spool/mqueue/q1 -> /var/spool/mqueue1
/var/spool/mqueue/q2 -> /var/spool/mqueue2
/var/spool/mqueue/q3 -> /var/spool/mqueue3
You can also change where you mount your three partitions so that
they are directly mounted as /var/spool/mqueue/qN instead of
/var/spool/mqueueN. If you mounted the partitions directly,
you could skip doing the symlinks. If you don't have dedicated
partitions for each of the spool directories, though, symlinks are
the way to go.
Test your new sendmail.cf and then start the Sendmail daemon
back up again.
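The symlink step is easy to get subtly wrong (a link pointing at the wrong disk, or a queue directory that sendmail rejects because it is group- or world-writable), so here it is as an added example script, not part of the column: link_queues makes QUEUEBASE/q1, q2, ... point at the directories you name, in order, insists that each target already exists as a directory, sets it to mode 0700 (and root ownership when run as root), leaves links that already point at the right place alone, and refuses to replace anything else that is in the way. list_queues then shows what the q* glob in QueueDirectory will actually expand to. readlink is assumed to be available (it is on Linux and the BSDs; older Solaris may need ls -l instead).

```sh
#!/bin/sh
# Lay out Sendmail multiple queue directories as QUEUEBASE/qN symlinks.
# Added example: targets must exist; each is made 0700 and, as root,
# owned by root, since sendmail rejects queue directories others can write.

# link_queues QUEUEBASE TARGET... -> creates/verifies QUEUEBASE/q1, q2, ...
link_queues() {
    _base=$1; shift
    [ -d "$_base" ] || mkdir -p "$_base" || return 1
    _n=1
    for _target in "$@"; do
        [ -d "$_target" ] || { echo "$_target: not a directory" >&2; return 1; }
        chmod 700 "$_target" || return 1
        if [ "$(id -u)" -eq 0 ]; then chown root "$_target" || return 1; fi
        _link=$_base/q$_n
        if [ -L "$_link" ]; then
            [ "$(readlink "$_link")" = "$_target" ] || { echo "$_link: already points elsewhere" >&2; return 1; }
        elif [ -e "$_link" ]; then
            echo "$_link: exists and is not a symlink" >&2
            return 1
        else
            ln -s "$_target" "$_link" || return 1
        fi
        _n=$((_n + 1))
    done
    list_queues "$_base"
}

# list_queues QUEUEBASE -> prints each q* entry that resolves to a directory,
# i.e. what QueueDirectory=QUEUEBASE/q* will use
list_queues() {
    for _q in "$1"/q*; do
        [ -d "$_q" ] && echo "$_q"
    done
    return 0
}

# Usage (as root, with sendmail stopped), matching the mount points above:
#   link_queues /var/spool/mqueue /var/spool/mqueue1 /var/spool/mqueue2 /var/spool/mqueue3
```

Any messages still sitting in /var/spool/mqueue itself will not be picked up by the q* setting; move their qf/df files into one of the qN directories before starting the daemon again.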
Q I've heard that you can now
download Solaris instead of paying $75 for the CDs. Is this true?
Is it both SPARC and x86? Where can I get the distribution?
A Yes, Sun has now put Solaris 8
up for free download. After downloading the ISO images, use your
favorite CDR/CDRW burning software to put the images onto CDs. You
can obtain the zipped ISO images for either SPARC or x86 platforms
from the following URL:
http://www.sun.com/software/solaris/binaries/download.html
You can also still order the media from Sun for $75 if you don't
have the space or the connection speed needed to download the ~800M
ISO images.
Q I have a message in my syslog
files that indicate that sshd (OpenSSH 2.3.0p1) generated
a RSA key. This happened without my intervention. Does sshd
do this automatically at certain times, or is something malicious
happening?
A Yes, this happens automatically
for security reasons. This is the protocol 1 server key, and it lives only in memory: once it has been regenerated, a session that someone captured while the old key was in use can no longer be decrypted, because the key is never written to disk. From the sshd man page:
...when the daemon starts, it generates a server RSA key (normally 768 bits). This key
is normally regenerated every hour if it has been used, and is never stored on disk.
You can specify the key regeneration interval when you start sshd
by using the -k switch (time is measured in seconds). If you
wanted to regenerate the key every half hour, you'd start sshd
as:
sshd -k 1800
The same interval can be set with the KeyRegenerationInterval keyword in sshd_config, which is easier to keep track of than a flag on the command line.
If you specify zero for the regeneration time, it will never be regenerated.
This is not recommended.
Q When I make an alias as an end-user
everything works as expected. When I invoke other shell console,
though, the alias I made is not available anymore. Is there any
command to add aliases to a file, or is this method of adding aliases
just for root?
A Aliasing is a function of your
shell, and some shells do not support aliases. For shells that do
support aliases, when you set an alias on the command line, it is
good only for that session. If you want aliases to persist for each
shell invocation, you need to put them in a resource file (e.g.,
.cshrc for csh, .tcshrc for tcsh, .bashrc
for bash, etc.). To determine the proper resource file for
your shell, read the man page on your chosen shell.
Q Is there an equivalent to Solaris's
truss on HP/UX?
A It's not an officially supported
HP product, but tusc (trace UNIX system calls) was written
by Chris R. Bertin who works at HP Cupertino. Tusc can be
found at:
ftp://ftp.cup.hp.com/dist/networking/misc/tusc.shar
Q My Exabyte 8200 8mm tape drive just
died, and I'm thinking of upgrading to the Exabyte Mammoth. Will
I still be able to use the tapes from my 8200?
A The Mammoth and Mammoth-LT drives
can read the data written by the 8200 drive, but the Mammoth-2 drive
can not. Neither of them can write the 8200 format, but I suspect
you don't care about that as much, because it sounds like you
won't be going back to using an 8200 for restores. You'll
also have to buy new tapes to write to, because the Mammoth drive
does not write to the MP tapes. These two URLs from Exabyte should
give you a good idea of your compatibility options:
http://www.exabyte.com/support/online/kb/display.cfm?id=152
http://www.exabyte.com/support/online/kb/display.cfm?id=142
Q I'm running Solaris 7 and I'm
using Solaris' printing system. We have a Postscript printer
attached to a Jetdirect card and every time someone prints something,
it sends a banner page first. Is there an easy way to turn off the
banner page?
A Shut down the printing system
by doing:
/etc/init.d/lp stop
Change the contents of the file /etc/lp/model/netstandard from:
nobanner=no
to:
nobanner=yes
Restart the printing system:
/etc/init.d/lp start
Note that lpadmin copies the model script into /etc/lp/interfaces/<printer> when a printer is set up, so a printer that was defined before you edited the model keeps its old copy. For an existing printer, either make the same nobanner change in /etc/lp/interfaces/<printer> or re-run lpadmin -p <printer> -m netstandard so it picks up the edited model, then restart lp.
Jim McKinstry is a Senior Sales Engineer for MTI Technology Corporation
(www.mti.com). MTI is a leading international provider
of data storage management products and services. He can be reached
at: jrmckins@yahoo.com.
Amy Rich, president of the Boston-based Oceanwave Consulting,
Inc. (http://www.oceanwave.com), has been a UNIX systems
administrator for more than five years. She received a BSCS at Worcester
Polytechnic Institute, and can be reached at: arr@oceanwave.com.