Archive for the ·

solaris

· Category...

When zpool attach returns a device is too small error

4 comments

I had to refresh Solaris on one of our old servers. After clean install on the first drive c1t0d0 with ZFS filesystem, I had to create root pool mirror by second drive c1t1d0 using zpool attach:

# zpool attach rpool c1t0d0s0 c1t1d0s0
invalid vdev specification
use '-f' to override the following errors:
/dev/dsk/c1t1d0s0 contains a ufs filesystem.

As c1t1d0 had a ufs filesystem from previous installation, I tried to force:

# zpool attach -f rpool c1t0d0s0 c1t1d0s0
cannot attach c1t1d0s0 to c1t0d0s0: device is too small

I realized that an old disk slice c1t1d0s0 can be smaller than c1t0d0s0 as c1t0d0s0 was reinitialized by installer and expanded to whole disk. I could check it using prtvtoc:

# prtvtoc /dev/dsk/c1t0d0s2
* /dev/dsk/c1t0d0s2 partition map
*
* Dimensions:
* 512 bytes/sector
* 848 sectors/track
* 24 tracks/cylinder
* 20352 sectors/cylinder
* 14089 cylinders
* 14087 accessible cylinders
*
* Flags:
* 1: unmountable
* 10: read-only
*
* First Sector Last
* Partition Tag Flags Sector Count Sector Mount Directory
0 2 00 0 286698624 286698623
2 5 00 0 286698624 286698623
#

I decided to save this map into a file and write to my second drive using fmthard then:

# prtvtoc /dev/dsk/c1t0d0s2 > /tmp/vtoc_root.out
# fmthard -s /tmp/vtoc_root.out /dev/rdsk/c1t1d0s2
fmthard: New volume table of contents now in place.

Now zpool attach works much better:

# zpool attach rpool c1t0d0s0 c1t1d0s0
Please be sure to invoke installboot(1M) to make 'c1t1d0s0' bootable.
Make sure to wait until resilver is done before rebooting.

# zpool status rpool
pool: rpool
state: ONLINE
status: One or more devices is currently being resilvered. The pool will
continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
scrub: resilver in progress for 0h0m, 37.79% done, 0h1m to go
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
c1t0d0s0 ONLINE 0 0 0
c1t1d0s0 ONLINE 0 0 0 2.44G resilvered
errors: No known data errors

Last but not least step was to make c1t1d0s0 bootable using installboot:

# installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c1t1d0s0

How to setup a relay host in sendmail

no comments

Often it is necessary to send all outgoing mail via the relay host from the corporate network. This is not so difficult to specify that for Solaris’ sendmail.

cd /usr/lib/mail/cf
vi sendmail.mc

Find this row in sendmail.mc and specify your relay host name or IP instead of relay.sun.com in my example:
define(`confFALLBACK_SMARTHOST', `relay.sun.com')dnl

Then do:
make sendmail.cf
cp sendmail.cf /etc/mail/sendmail.cf
svcadm restart svc:/network/smtp:sendmail

that’s all. To test you can use mailx:
echo "This is the body."| mailx -s "Test subject" mail@mail.com

How to add Solaris 10 server into MS Active Directory domain

21 comments

Here are my notes applicable for Solaris 10. First of all install latest patches – a lot of related things fixed (but new bugs may appear :))

  1. Synchronize the system clock with AD server
    domain ntp server(s) must be in /etc/inet/ntp.conf
    then restart ntp daemon svcadm restart /network/ntp
  2. Solaris server must have a record in the DNS
  3. Domain name and name servers (DNS servers) must be in /etc/resolv.conf
  4. In the /etc/nsswitch.conf file dns and files must be specified for hosts and ipnodes
    ...
    hosts: dns files
    ipnodes: dns files
    ...
  5. In the /etc/nodename and /etc/hostname.<nic> files host name must be specified only, not a fully qualified domain name
  6. Run adjoin script. You can find it here. It will:
    • auto-detects the Active Directory domain controllers
    • creates a machine account (also called a Computer object) for the Solaris host in Active Directory and generates a random password for this account
    • configures the Solaris host as a Kerberos client of the Active Directory domain controller by using the /etc/krb5/krb5.conf file
    • configures the /etc/krb5/krb5.keytab file on the Solaris host by using the keys for the machine account (also called host credentials)

    Execute adjoin script with following options:
    ./adjoin -d <domain_name> -p <administrator_principal> -f -x
    where -f to delete any pre-existing computer account for this host and -x to debug output.

    If your domain if geographically distributed with a lot of domain controllers (DC), script can detect inappropriate controllers. Just before entering admin password, check prepared adjoin-krb5.conf.XXXXXX file in the /tmp folder and remove unnecessary controllers from it.

    Adjoin script can stop work with pkcs11_kernel.so syntax error on some SUN servers:
    + ./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error
    Then all you need is just to temporary rename this file and execute adjoin again
    mv /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so.orig
    when adjoin finished successfully, rename it back

  7. Run ldapsearch and klist to check Kerberos
    ldapsearch -R -T -h dc1.xxxxxx.com -o authzid= -o mech=gssapi -b CN=Computers,DC=xxxxxx,DC=com -s sub cn=<computer_name>
    klist
    klist -e -k /etc/krb5/krb5.keytab
  8. Enable dns client and cache daemons
    svcadm enable /network/dns/client
    svcadm enable /system/name-service-cache
  9. In the /etc/nsswitch.ldap file dns and files must be specified for hosts and ipnodes
    ...
    hosts: dns files
    ipnodes: dns files
    ...
  10. Set up a server as a client of an LDAP. Execute ldapclient
    ldapclient -v manual \
    -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi \
    -a defaultSearchBase=dc=xxxxxx,dc=com \
    -a defaultSearchScope=sub \
    -a domainName=xxxxxx.com \
    -a defaultServerList="dc1.xxxxxx.com dc2.xxxxxx.com dc3.xxxxxx.com" \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor="passwd:ou=Accounts,ou=European office,dc=xxxxxx,dc=com?sub;ou=Accounts,ou=American Office,dc=xxxxxx,dc=com?sub" \
    -a serviceSearchDescriptor=group:ou=Groups,dc=xxxxxx,dc=com?sub

    ldapclient should finish without errors. To check use ldapclient list
  11. Edit the /etc/nsswitch.conf file: files and ldap must be specified for passwd and group only
    ...
    passwd: files ldap
    group: files ldap
    hosts: dns files
    ipnodes: dns files
    networks: files
    protocols: files
    ...

    remove ldap from everywhere else
  12. Restart LDAP client
    svcadm restart /network/ldap/client
  13. Add pam_krb5.so.1 in the /etc/pam.conf file
    ...
    login auth sufficient pam_krb5.so.1
    krlogin auth required pam_krb5.so.1
    krsh auth required pam_krb5.so.1
    ktelnet auth required pam_krb5.so.1
    other auth sufficient pam_krb5.so.1
    other account required pam_krb5.so.1
    other password sufficient pam_krb5.so.1
    ...

To ensure that users could login on the host under their AD accounts, accounts in AD must have following additional attributes:
uid the same as sAMAccountName
uidNumber unique number
gidNumber number
unixHomeDirectory for example /tmp
loginShell for example /usr/bin/bash or /bin/false

To check it use getent or ldapsearch
getent passwd <uid>
ldapsearch -R -T -h dc1.xxxxxx.com -b "ou=Accounts,ou=American Office,dc=xxxxxx,dc=com" -o mech=gssapi -o authzid='' "uid=<uid>"

If you would like read more: link to SUN’s article “Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory”.