Another I.T. blog<br />
Ideas and solutions on IT architecture, UNIX, Linux, Oracle, Telecommunication, storage and virtualization in order to help other systems administrators and DBAs.<br />
Author: Arse (http://www.blogger.com/profile/04480469285928509022)<br />
<br />
<b>Dell MD36xxf Storage Array Setup</b> (published 2014-01-25)<br />
<br />
Today we received a new storage array : a Dell PowerVault <a href="http://www.dell.com/us/business/p/powervault-md36x0f-series/pd">MD3600f</a> with two <a href="http://www.dell.com/ca/business/p/powervault-md1200/pd">MD1200</a> expansion units. In order to use those new disks, we had a bit of homework to do. Here's how we did it.<br />
<br />
But you must be warned : this ain't my best blog post.<br />
<a name='more'></a><b>Storage Array Setup</b><br />
<div>
<br /></div>
<div>
The first thing is of course to install the units in the computer room racks. Each unit uses 2U for a total of 6U. Be sure to use two separate electrical circuits protected by a UPS. The Dell units have two power supplies each, for a total of six power supplies. Use three power cords from one circuit and another three from the other circuit : two circuits per unit, one per power supply.<br />
<br />
Connect each MD1200 unit with the SAS cables as explained in the <a href="https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&ved=0CFYQFjAD&url=http%3A%2F%2Fwww.dell.com%2Fdownloads%2Fglobal%2Fproducts%2Fpvaul%2Fen%2Fdisk-expansion-sas-quick-cabling-guide.pdf&ei=aBdCUf3DI8iQyQGwnYCQAQ&usg=AFQjCNFrzPSR5OKqwZlOcFZYLcFXB1EShQ&sig2=_HDjLl5CTd5lWgoWefnPOQ&bvm=bv.43287494,d.aWc">Dell MD1200 Disk Expansion SAS Quick Cabling Guide</a>.<br />
<br />
The MD3600f unit has two RAID controllers, one on top of the other. Each controller has two fibre channel ports (well, they have more, but we only use two per controller because we have SAN switches). Connect one fibre port of each controller to your first SAN switch, and the other port of each controller to the second SAN switch.<br />
<br />
Each RAID controller also has an ethernet interface. Connect both of them to an ethernet switch. Make sure that they are part of a VLAN where a DHCP server can assign them IP addresses. Take note of the MAC addresses listed on the unit.<br />
<br />
<b>Important</b> : Power-on both MD1200 disk units <i>before</i> the MD3600f unit.<br />
<br />
Wait for the blue LED at the front of both MD1200 units to come on before you power on the MD3600f unit. The idea is to make sure both MD1200 units are operational before you start the MD3600f unit. Why? Because the MD1200 units are simple JBODs while the MD3600f has two RAID controllers. Those controllers will manage the MD1200 disks, so you want the disks to be ready when the controllers boot up.<br />
<br />
The order is reversed when you power off the units : shut down the MD3600f first, then both MD1200 units.<br />
<br />
After the MD3600f has been powered on, wait for the blue LED at the front. Once you have the blue go-ahead LED, check your DHCP server's log files and look for the MAC addresses of the MD3600f ethernet interfaces. Record the IP addresses that the DHCP server assigned to them.<br />
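As an added example that is not part of the original post, here is a small POSIX shell helper for the DHCP-log lookup just described : it scans ISC dhcpd syslog lines for DHCPACK records and prints the most recent address handed to a given MAC. The log lines, MAC addresses and IPs in it are constructed for the example (the MACs are placeholders, not the array's real ones), and it assumes the standard dhcpd log format « DHCPACK on IP to MAC via IF ».<br />

```shell
#!/bin/sh
# Added example, not from the original post: find the address a DHCP server
# handed to a given MAC by scanning ISC dhcpd syslog lines for DHCPACK records.
# The log lines, MACs and IPs below are constructed for this example.

DHCP_LOG_SAMPLE='Jan 25 00:03:11 dhcp1 dhcpd: DHCPDISCOVER from 00:1e:c9:aa:bb:01 via eth0
Jan 25 00:03:11 dhcp1 dhcpd: DHCPOFFER on 10.10.20.151 to 00:1e:c9:aa:bb:01 via eth0
Jan 25 00:03:12 dhcp1 dhcpd: DHCPREQUEST for 10.10.20.151 (10.10.20.1) from 00:1e:c9:aa:bb:01 via eth0
Jan 25 00:03:12 dhcp1 dhcpd: DHCPACK on 10.10.20.151 to 00:1e:c9:aa:bb:01 via eth0
Jan 25 00:03:40 dhcp1 dhcpd: DHCPACK on 10.10.20.152 to 00:1e:c9:aa:bb:02 (md3600f-b) via eth0
Jan 25 00:09:55 dhcp1 dhcpd: DHCPACK on 10.10.20.160 to 00:1e:c9:aa:bb:01 via eth0'

# lease_for_mac MAC [LOGFILE]
# Prints the IP from the most recent DHCPACK issued to MAC (case-insensitive),
# or nothing if that MAC never got an ACK. Reads LOGFILE when given, otherwise
# the constructed sample above.
lease_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    {
        if [ -n "$2" ]; then
            cat "$2"
        else
            printf '%s\n' "$DHCP_LOG_SAMPLE"
        fi
    } | awk -v mac="$mac" '
        / DHCPACK on / {
            ip = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on") ip = $(i + 1)
                if ($i == "to") to = tolower($(i + 1))
            }
            # later lines win, so the last ACK for this MAC is the one kept
            if (to == mac && ip != "") last = ip
        }
        END { if (last != "") print last }'
}

# controller_addresses ROLE=MAC ...
# Prints one "ROLE IP" line per controller: the values to put into DNS next.
controller_addresses() {
    for pair in "$@"; do
        role=${pair%%=*}
        mac=${pair#*=}
        ip=$(lease_for_mac "$mac")
        printf '%s %s\n' "$role" "${ip:-no-lease-found}"
    done
}

# Constructed placeholder MACs for the top and bottom controllers.
controller_addresses top=00:1e:c9:aa:bb:01 bottom=00:1e:c9:aa:bb:02
```

Pass a real log file as the second argument of <span style="font-family: 'Courier New', Courier, monospace;">lease_for_mac</span> (for example <span style="font-family: 'Courier New', Courier, monospace;">/var/log/messages</span>) to run it against your own server, and cross-check the result with the server's lease file before you rely on it.<br />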
<br />
Configure your DNS servers with static IP addresses for the new storage array. You will need two IP addresses : one for the top controller and another for the bottom controller. Ideally use IP addresses that are part of a management VLAN, that is, a VLAN to which only administrators have access. You obviously won't be able to use the static DNS names and IPs until the controllers have been configured with them, of course.<br />
<br />
<b>Management Station</b><br />
<br />
Select a server that will be known as the Dell MD3600f <i>Management Station</i>. This host does not have to be a consumer of the storage found in the storage array. It is just that : a management station that runs Dell's management software. This machine has to have access to your management VLAN (if you use one).<br />
<br />
Place the DVD labeled Dell Resource DVD that came with the storage array into the selected machine's DVD drive. Ideally download the latest version from Dell's support site by using your MD3600f Dell Support Tag. That's what we did and got the <span style="font-family: 'Courier New', Courier, monospace;">DELL_MDSS_Consolidated_RDVD_4_1_0_88.iso</span> file. Place this file on an NFS directory for easy access because we will need this iso to configure storage consumers. For example, if <span style="font-family: 'Courier New', Courier, monospace;">/nfs</span> is under automount control (and assuming you have permission), then do this :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mkdir -p /nfs/install/dell/md3600f/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mv ~/Downloads/DELL_MDSS_Consolidated_RDVD_4_1_0_88.iso /nfs/install/dell/md3600f/</span><br />
<br />
Then connect to the management machine with X11 forwarding enabled. Make sure its <span style="font-family: 'Courier New', Courier, monospace;">sshd_config(5)</span> file allows X11 forwarding via the « <span style="font-family: 'Courier New', Courier, monospace;">X11Forwarding yes</span> » setting. If it's not there, edit the file, restart sshd and try again.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh -YX polaris.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">IMHO I prefer to use console mode, but this software has a bug that prevents installation in console mode (Bravo Dell! :S)</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mount -o loop /nfs/install/dell/md3600f/DELL_MDSS_Consolidated_RDVD_4_1_0_88.iso /mnt</span><br />
<br />
From the mount directory, launch the installer. You obviously need to have a supported OS for this to work. In this case, we're running CentOS and RedHat Linux machines.<br />
<br />
Now, on RedHat Linux 6.x, this installation requires several rpms to be installed. We didn't have them all and had problems starting the installation because of this. So make sure you have all the required software before you launch the installer.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install NetworkManager gtk2 libcanberra-gtk2 dejavu-sans-fonts</span><br />
<br />
If you don't install those packages, you will have these errors :<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">
Gtk-Message: Failed to load module "gnomesegvhandler": libgnomesegvhandler.so: cannot open shared object file: No such file or directory</div>
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace;">
(md_launcher_rhel_x86_64.bin:54899): Pango-WARNING **: failed to choose a font, expect ugly output. engine-type='PangoRenderFc', script='latin'</div>
<br />
Not to mention that you won't be able to read any text in the GUI because they will all appear as white squares!<br />
<br />
Unfortunately, this <span style="font-family: 'Courier New', Courier, monospace;">yum(8)</span> command will not install only those packages, but an enormous 46 packages depending on your machine's state. Anyway, once this is done, you can launch the installation process. It will run in console mode if you don't have your <span style="font-family: 'Courier New', Courier, monospace;">DISPLAY</span> environment variable set, which is exactly what I would've done. But because of the bug, we have to run it in full GUI mode.<br />
<br />
Of course we need to run this as root, but our <span style="font-family: 'Courier New', Courier, monospace;">xauth(1)</span> list is different when we run sudo. So run this to fix this issue :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">xauth list | grep `hostname` | while read auth; do sudo xauth add ${auth}; done</span><br />
<br />
This copies the X authorization entries for this host from your normal user into root's xauth list, so the installer launched through sudo can open your forwarded display.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /mnt</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ./autorun </span><br />
<br />
From the GUI, click on Install MD Storage Software > Install Management Station ONLY. If you want this machine to consume storage from the SAN, then use the Default (Recommended) option, which installs both the Management and Client packages.<br />
<br />
This will install the required rpms and kernel modules. It will also force you to reboot the machine :S<br />
<br />
Once this is done, issue the reboot command.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo shutdown -r now</span><br />
<br />
When the machine is back up, connect to it again with X11 enabled.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh -YX polaris.company.com</span><br />
<br />
From there, we can either launch the GUI or proceed in CLI mode. To launch the GUI, simply issue this :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">xauth list | grep `hostname` | while read auth; do sudo xauth add ${auth}; done</span><br />
<br />
<b>RedHat / CentOS 6.x Linux Client Setup</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">ssh oxygen.company.com</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo mount -o loop /nfs/install/dell/md3600f/DELL_MDSS_Consolidated_RDVD_4_1_0_88.iso /mnt</span><br />
<br />
Beware, if you install the Client software with the GUI, it will modify the<span style="font-family: Courier New, Courier, monospace;"> /etc/multipath.conf</span> file by adding quite a few lines, including these :<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">user_friendly_names no</span><br />
<span style="font-family: Courier New, Courier, monospace;">polling_interval 5</span><br />
<span style="font-family: Courier New, Courier, monospace;">queue_without_daemon no</span><br />
<div>
<br /></div>
<div>
So if you're like me and don't like <span style="font-family: Courier New, Courier, monospace;">user_friendly_names</span>, then revisit the file and change it back to « <span style="font-family: Courier New, Courier, monospace;">no</span> » before you reboot the machine or restart <span style="font-family: Courier New, Courier, monospace;">multipathd(8)</span>. That's why I prefer to do this manually. Like this :</div>
<div>
<br /></div>
<span style="font-family: Courier New, Courier, monospace;">sudo rpm -Uv /mnt/linux/dkms/dkms-2.1.1.2-1.noarch.rpm</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo rpm -Uv /mnt/linux/coexistence/resources/linuxrdac/rhel6/linuxrdac-09.03.0C06.0452.2-1dkms.noarch.rpm</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">At this point we need to reboot.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">sudo shutdown -r now</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Once we're back.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">sudo modprobe scsi_dh_rdac</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim /etc/multipath.conf</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo chkconfig multipathd on</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo /etc/init.d/multipathd start</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo multipath -ll</span><br />
<br />
Next we need to set up the Linux Logical Volume Manager. Install it if it's not already there.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo yum -y install lvm2</span><br />
<br />
Add the new LUNs into LVM control.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo pvcreate -M2 --metadatacopies 2 /dev/mapper/ora01 /dev/mapper/ora02 /dev/mapper/ora03 /dev/mapper/ora04</span><br />
<br />
Check that these new LUNs are now under LVM control.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo pvs</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> PV VG Fmt Attr PSize PFree </span><br />
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /dev/mapper/ora01 lvm2 a-- 512.00g 512.00g</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /dev/mapper/ora02 lvm2 a-- 512.00g 512.00g</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /dev/mapper/ora03 lvm2 a-- 512.00g 512.00g</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /dev/mapper/ora04 lvm2 a-- 512.00g 512.00g</span></div>
</div>
<div>
<br /></div>
<br />
Create a volume group on those new physical volumes. We will name this volume group « <span style="font-family: Courier New, Courier, monospace;">bkp</span> » as it will be used to store online backups for Oracle databases.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vgcreate bkp /dev/mapper/ora01 /dev/mapper/ora02 /dev/mapper/ora03 /dev/mapper/ora04</span><br />
<br />
Check that the new volume group exists.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vgs</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> VG #PV #LV #SN Attr VSize VFree</span><br />
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ora 4 1 0 wz--n- 2.00t 0 </span></div>
</div>
<div>
<br /></div>
<br />
Add a logical volume on this new volume group. Notice that we specify neither mirroring nor any RAID level, because RAID is handled by the storage array. And it's purpose-built to do so, which means it must be better at it than the client machine, no? The new volume is called « <span style="font-family: Courier New, Courier, monospace;">ora</span> » in the command below.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo lvcreate -L 2T -n ora bkp</span><br />
<br />
<div>
Oops! What's that? It says that we can't build a 2 TB volume, but the <span style="font-family: Courier New, Courier, monospace;">pvs(8) </span>above told us that we did have 2 TB. WTF?!</div>
<div>
<br /></div>
<div>
Well, don't panic, just use the maximum number of extents that the command told us : 524284 extents. That is a little less than the 524288 extents a full 2 TB needs with the default 4 MiB extent size, because each of the four physical volumes gives up one extent to LVM's own metadata area. Let's try again using extents instead of size.</div>
<div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo lvcreate -l 524284 -n ora bkp</span></div>
</div>
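As an added example, not from the original post : a shell helper that plans the <span style="font-family: Courier New, Courier, monospace;">lvcreate</span> call from the volume group's actual free-extent count, which is what the <span style="font-family: Courier New, Courier, monospace;">-L 2T</span> attempt above ran into. The <span style="font-family: Courier New, Courier, monospace;">vgs</span> output it parses is constructed to match the numbers in this post, and it assumes the default 4 MiB extent size and that each physical volume loses one extent to LVM's metadata area.<br />

```shell
#!/bin/sh
# Added example, not from the original post: size a logical volume from the
# volume group's real free-extent count rather than a rounded "-L 2T".
# Assumptions: default 4 MiB extents, one extent per PV lost to LVM metadata.

# Constructed output resembling:
#   vgs --noheadings --nosuffix --units m -o vg_name,vg_extent_size,vg_free_count,vg_free bkp
VGS_SAMPLE='  bkp 4.00 524284 2097136.00'

# vg_extent_mib VG -> extent size in MiB, as an integer
vg_extent_mib() {
    printf '%s\n' "$VGS_SAMPLE" | awk -v vg="$1" '$1 == vg { printf "%d\n", $2; exit }'
}

# vg_free_extents VG -> number of free extents in VG
vg_free_extents() {
    printf '%s\n' "$VGS_SAMPLE" | awk -v vg="$1" '$1 == vg { print $3; exit }'
}

# extents_needed SIZE_MIB EXTENT_MIB -> extents for SIZE_MIB, rounded up
extents_needed() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# usable_extents PV_MIB EXTENT_MIB NUM_PVS -> what NUM_PVS identical PVs give.
# Four 512 GiB LUNs hold 131072 extents each, minus one for metadata:
# 4 * 131071 = 524284, which is why "-L 2T" (524288 extents) does not fit.
usable_extents() {
    echo $(( ($1 / $2 - 1) * $3 ))
}

# lvcreate_plan VG LV SIZE_MIB -> prints the lvcreate command that will succeed
lvcreate_plan() {
    vg=$1; lv=$2; size=$3
    ext=$(vg_extent_mib "$vg")
    [ -n "$ext" ] || { echo "unknown VG $vg" >&2; return 1; }
    free=$(vg_free_extents "$vg")
    need=$(extents_needed "$size" "$ext")
    if [ "$need" -le "$free" ]; then
        echo "lvcreate -l $need -n $lv $vg"
    else
        echo "# $size MiB needs $need extents but VG $vg has only $free free" >&2
        echo "lvcreate -l 100%FREE -n $lv $vg"
    fi
}

lvcreate_plan bkp ora 2097152   # 2 TiB as in the post: falls back to 100%FREE
```

On a real host, replace the constructed sample with the live <span style="font-family: Courier New, Courier, monospace;">vgs</span> command in the comment; <span style="font-family: Courier New, Courier, monospace;">-l 100%FREE</span> is the usual way to ask for everything the group has without computing the count by hand.<br />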
<div>
<div>
<br /></div>
</div>
<div>
There you go! Check the new volume.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo lvs</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> LV VG Attr LSize Pool Origin Data% Move Log Cpy%Sync Convert</span></div>
</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ora bkp -wi-a---- 2.00t </span> </div>
</div>
<div>
<br /></div>
<div>
Alright, we're now ready to create an ext4 file system on the new logical volume.</div>
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mkfs -t ext4 /dev/bkp/ora</span><br />
<br />
Mount the new file system.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mount /dev/bkp/ora /mnt</span><br />
<br />
Check the new file system.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">df -h /mnt</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Filesystem Size Used Avail Use% Mounted on</span><br />
<span style="font-family: Courier New, Courier, monospace;">/dev/mapper/bkp-ora 2.0T 199M 1.9T 1% /mnt</span><br />
<div>
<br /></div>
<div>
Add this new file system to the system's <span style="font-family: Courier New, Courier, monospace;">fstab(5)</span> so that it's mounted each time the server reboots.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo vim /etc/fstab</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">/dev/mapper/bkp-ora<span class="Apple-tab-span" style="white-space: pre;"> </span>/export/oracle<span class="Apple-tab-span" style="white-space: pre;"> </span>ext4 defaults 1 2</span></div>
</div>
<br />
<div>
Make sure the mount point exists.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo mkdir -p /export/oracle</span></div>
<div>
<br />
Try it now baby!<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mount /export/oracle</span></div>
<div>
<br />
That's it.</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<div>
<br /></div>
</div>
<br />
<b>HOWTO : Replace a failed disk drive in a FreeBSD ZFS pool</b> (published 2014-01-22, updated 2014-01-25)<br />
<br />
In this blog post, we will repair a broken ZFS pool on a FreeBSD server. The machine is running FreeBSD 9.2, but as long as your FreeBSD machine runs a ZFS-enabled FreeBSD, all the commands in this article should work.<br />
<br />
A little background on this machine. It's been in production for about four years now. It was originally installed with four 750 GB disk drives as a raidz2 pool. The OS has been upgraded several times, and so have the disk drives (because that's what fails of course, hence this post). This is a ZFS-only machine built by following the <a href="https://wiki.freebsd.org/RootOnZFS">ZFS only FreeBSD installation wiki</a> with GPT formatted disks.<br />
<br />
<a name='more'></a>I learned that my ZFS pool had an issue via the daily emails. That's because ZFS alerts were enabled, which they are not by default. But it's so simple! Simply add a single line to <span style="font-family: 'Courier New', Courier, monospace;">/etc/periodic.conf</span> :<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/periodic.conf</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;"># /etc/periodic.conf<br />#<br /># $Id: periodic.conf,v 1.1 2012/03/07 23:36:42 drobilla Exp $<br />#<br /># Changes in this file override the ones in<br /># /etc/defaults/periodic.conf<br />#<br /># David Robillard, March 7th, 2012.<br /><br />daily_status_zfs_enable="YES" # Check ZFS<br /><br /># EOF</span><br />
<br />
<div>
Alright, so this blog post is all about disks and their names. You see, the ZFS pool refers to the drives by their GPT labels, but the OS doesn't display these names when it boots. The idea is then to match them by serial number. </div>
<div>
<br /></div>
<div>
So to do that, the first thing we need to do is to find out which disk is broken in the ZFS pool and record its ZFS name. In this example, this is <span style="font-family: Courier New, Courier, monospace;">gpt/disk10</span> as we can see from this output :<br />
<span style="font-family: Courier New, Courier, monospace;">sudo zpool status -xv</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> pool: zroot</span><br />
<span style="font-family: Courier New, Courier, monospace;"> state: DEGRADED</span><br />
<span style="font-family: Courier New, Courier, monospace;">status: One or more devices could not be opened. Sufficient replicas exist for</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>the pool to continue functioning in a degraded state.</span><br />
<span style="font-family: Courier New, Courier, monospace;">action: Attach the missing device and online it using 'zpool online'.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> see: http://illumos.org/msg/ZFS-8000-2Q</span><br />
<span style="font-family: Courier New, Courier, monospace;"> scan: resilvered 617G in 12h48m with 0 errors on Sun Jan 27 22:50:59 2013</span><br />
<span style="font-family: Courier New, Courier, monospace;">config:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NAME STATE READ WRITE CKSUM</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>zroot DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> raidz2-0 DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk8 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> </span><span style="font-family: 'Courier New', Courier, monospace;">gpt/disk10</span><span style="font-family: 'Courier New', Courier, monospace;"> </span><span style="font-family: 'Courier New', Courier, monospace;">DEGRADED</span><span style="font-family: Courier New, Courier, monospace;"> 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk12 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk14 ONLINE 0 0 0</span><br />
<br />
Great, but knowing that <span style="font-family: Courier New, Courier, monospace;">gpt/disk10</span> is in error doesn't help us much in deciding which disk we need to replace, right?! So we need to locate the <span style="font-family: Courier New, Courier, monospace;">/dev/gpt/disk</span> serial numbers. But how do we know which disks are in our machine? Simple, we check the <span style="font-family: Courier New, Courier, monospace;">/var/run/dmesg.boot</span> file, which contains all boot messages. We also know that our disks are SATA disks. So a quick <span style="font-family: Courier New, Courier, monospace;"><a href="http://www.freebsd.org/cgi/man.cgi?query=grep&apropos=0&sektion=0&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html">grep(1)</a></span> will show us the way :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">grep ATA /var/run/dmesg.boot</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ada0: <WDC WD1001FALS-00Y6A0 05.01D05> ATA-8 SATA 2.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: <ST31000524AS JC4B> ATA-8 SATA 3.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: <WDC WD7502AAEX-00Y9A0 05.01D05> ATA-8 SATA 3.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: <ST3750330AS SD1A> ATA-8 SATA 1.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<br />
So this tells us that our disks are named <span style="font-family: Courier New, Courier, monospace;">ada</span> something. With that in hand, we can check the serial numbers for both <span style="font-family: Courier New, Courier, monospace;">ada</span> disks and <span style="font-family: Courier New, Courier, monospace;">gpt/disk</span> disks then compare the two to match them.<br />
<br />
Using <span style="font-family: Courier New, Courier, monospace;"><a href="http://www.freebsd.org/cgi/man.cgi?query=diskinfo&apropos=0&sektion=0&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html">diskinfo(8)</a></span>, we can get the serial numbers. It shows as the "<span style="font-family: Courier New, Courier, monospace;">Disk ident</span>." value. Let's start with the <span style="font-family: Courier New, Courier, monospace;">ada</span> disks. We know that we have <span style="font-family: Courier New, Courier, monospace;">ada0</span> to <span style="font-family: Courier New, Courier, monospace;">ada3</span> from our last <span style="font-family: Courier New, Courier, monospace;">grep</span> command on <span style="font-family: 'Courier New', Courier, monospace;">/var/run/dmesg.boot</span>. A quick loop will check all four disks...<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">for i in 0 1 2 3;</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>do sudo diskinfo -v ada$i</span><br />
<span style="font-family: Courier New, Courier, monospace;">done</span><br />
<br />
Open an empty file (or spreadsheet) and record each <span style="font-family: Courier New, Courier, monospace;">ada#</span> with its serial number. We need to fill in the blanks in this table :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada<span style="white-space: pre;"> </span>Serial Number<span style="white-space: pre;"> </span>GPT<span style="white-space: pre;"> </span>Model<span style="white-space: pre;"> </span>RAID card slot #</span><br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>disk10<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>disk8<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>1</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>disk12<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>2</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>disk14<span style="white-space: pre;"> </span> <span style="white-space: pre;"> </span>3</span><br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<br />
Locate each <span style="font-family: Courier New, Courier, monospace;">gpt/disk#</span> serial number as the "<span style="font-family: Courier New, Courier, monospace;">Disk ident</span>" value and enter those into the same table (or spreadsheet) started previously.<br />
<br />
Now let's do another quick loop to get the serial numbers of <span style="font-family: Courier New, Courier, monospace;">disk8</span> to <span style="font-family: Courier New, Courier, monospace;">disk14</span> from the <span style="font-family: Courier New, Courier, monospace;">zpool status</span> command.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">for i in 8 10 12 14;</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>do sudo diskinfo -v /dev/gpt/disk$i</span><br />
<span style="font-family: Courier New, Courier, monospace;">done</span><br />
<br />
Make sure to record the serial numbers and match them with the ones of the <span style="font-family: Courier New, Courier, monospace;">ada</span> disks and ta! da! We made it : we know exactly which physical disk to replace!<br />
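As an added example that is not part of the original post, here is the matching done by hand above as a shell script : it pulls the « Disk ident. » line out of <span style="font-family: Courier New, Courier, monospace;">diskinfo -v</span> output for both the <span style="font-family: Courier New, Courier, monospace;">ada</span> devices and the <span style="font-family: Courier New, Courier, monospace;">gpt/</span> labels, joins them by serial number, and reports which physical device backs each vdev that <span style="font-family: Courier New, Courier, monospace;">zpool status</span> shows as anything other than ONLINE. The <span style="font-family: Courier New, Courier, monospace;">diskinfo</span> and <span style="font-family: Courier New, Courier, monospace;">zpool status</span> output it reads is constructed for the example from the values in this post; on a real machine you would feed it the commands' live output instead.<br />

```shell
#!/bin/sh
# Added example, not from the original post: match gpt/ labels in the pool to
# ada devices by serial number ("Disk ident." in diskinfo -v) and report the
# physical device behind each vdev that is not ONLINE.
# The command output below is constructed for this example from the values in
# the post; feed it the live output of diskinfo(8) and zpool(8) on a real host.

DISKINFO_SAMPLE='ada0
    512             # sectorsize
    3QK085G6        # Disk ident.
ada1
    512             # sectorsize
    5VPC99S7        # Disk ident.
ada2
    512             # sectorsize
    WD-WCAW32722468 # Disk ident.
ada3
    512             # sectorsize
    3QK08L5V        # Disk ident.
/dev/gpt/disk8
    512             # sectorsize
    5VPC99S7        # Disk ident.
/dev/gpt/disk10
    512             # sectorsize
    3QK085G6        # Disk ident.
/dev/gpt/disk12
    512             # sectorsize
    WD-WCAW32722468 # Disk ident.
/dev/gpt/disk14
    512             # sectorsize
    3QK08L5V        # Disk ident.'

ZPOOL_SAMPLE='  pool: zroot
 state: DEGRADED
config:

        NAME            STATE     READ WRITE CKSUM
        zroot           DEGRADED     0     0     0
          raidz2-0      DEGRADED     0     0     0
            gpt/disk8   ONLINE       0     0     0
            gpt/disk10  DEGRADED     0     0     0
            gpt/disk12  ONLINE       0     0     0
            gpt/disk14  ONLINE       0     0     0'

# ident_table -> one "device serial" line per device. In diskinfo -v output a
# line holding only the device name opens a block; "# Disk ident." carries the serial.
ident_table() {
    printf '%s\n' "$DISKINFO_SAMPLE" | awk '
        NF == 1 && $0 == $1 { dev = $1; next }
        /# Disk ident\./    { print dev, $1 }'
}

# ident_of DEVICE -> serial, e.g. "ident_of ada0" or "ident_of /dev/gpt/disk10"
ident_of() {
    ident_table | awk -v d="$1" '$1 == d { print $2; exit }'
}

# ada_for_label gpt/diskN -> the adaN with the same serial, or failure
ada_for_label() {
    serial=$(ident_of "/dev/$1")
    [ -n "$serial" ] || return 1
    dev=$(ident_table | awk -v s="$serial" '$1 !~ /^\// && $2 == s { print $1; exit }')
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# not_online_labels -> gpt/ vdevs whose state is anything but ONLINE
not_online_labels() {
    printf '%s\n' "$ZPOOL_SAMPLE" | awk '$1 ~ /^gpt\// && $2 != "ONLINE" { print $1 }'
}

# replacement_report -> "label serial device" for every vdev needing attention
replacement_report() {
    for label in $(not_online_labels); do
        printf '%s %s %s\n' "$label" "$(ident_of "/dev/$label")" \
            "$(ada_for_label "$label" || echo unknown)"
    done
}

replacement_report
```

The serial printed next to the <span style="font-family: Courier New, Courier, monospace;">ada</span> name is what you look for on the drive's label before pulling it; a label whose serial matches no <span style="font-family: Courier New, Courier, monospace;">ada</span> device shows up as <span style="font-family: Courier New, Courier, monospace;">unknown</span>, which is what you would see for a drive that has already dropped off the bus.<br />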
<br />
At this point, we should have this table :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada<span style="white-space: pre;"> </span>Serial Number<span style="white-space: pre;"> </span>GPT<span style="white-space: pre;"> </span>Model<span style="white-space: pre;"> </span>RAID card slot #</span><br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>ada0<span style="white-space: pre;"> </span>3QK085G6<span style="white-space: pre;"> </span>disk10<span style="white-space: pre;"> </span>ST3750330AS SD1A<span style="white-space: pre;"> </span>0</b></span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">ada1<span class="Apple-tab-span" style="white-space: pre;"> </span>5VPC99S7<span style="white-space: pre;"> </span>disk8<span style="white-space: pre;"> </span>ST31000524AS<span style="white-space: pre;"> </span>1</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ada2<span class="Apple-tab-span" style="white-space: pre;"> </span>WD-WCAW32722468<span style="white-space: pre;"> </span>disk12<span style="white-space: pre;"> </span>WDC WD7502AAEX-00Y9A<span style="white-space: pre;"> </span>2</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ada3<span class="Apple-tab-span" style="white-space: pre;"> </span>3QK08L5V<span class="Apple-tab-span" style="white-space: pre;"> </span>disk14<span class="Apple-tab-span" style="white-space: pre;"> </span>ST3750330AS SD1A<span style="white-space: pre;"> </span>3</span><br />
<span style="font-family: Courier New, Courier, monospace;">----------------------------------------------------------------</span><br />
<br />
Since we know the failed disk drive is <span style="font-family: Courier New, Courier, monospace;">ada0</span><span style="font-family: inherit;"> and </span><span style="font-family: Courier New, Courier, monospace;">disk10</span><span style="font-family: inherit;"> </span>with serial number <span style="font-family: Courier New, Courier, monospace;">3QK085G6</span>, we now record <span style="font-family: Courier New, Courier, monospace;">ada0</span><span style="font-family: inherit;">'s</span> partition layout.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">gpart show ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">=> 34 1465149101 ada0 GPT (698G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 34 128 1 freebsd-boot (64k)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 162 2097152 2 <b>freebsd-swap</b> (1.0G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 2097314 1463051821 3 freebsd-zfs (697G)</span><br />
<br />
There's a <span style="font-family: 'Courier New', Courier, monospace;">freebsd-swap </span>partition; since <span style="font-family: Courier New, Courier, monospace;">disk10</span> is broken, we can assume <span style="font-family: Courier New, Courier, monospace;">swap10</span> is on the same drive. That's usually how we build things. But a quick check never hurts.<br />
<br />
Not now, because I'm lazy. This machine has four swap partitions : one per disk. Chances are high that we'll be just fine.<br />
<br />
Handle the <span style="font-family: 'Courier New', Courier, monospace;">freebsd-swap </span>partition by removing <span style="font-family: Courier New, Courier, monospace;">swap10</span> from the <span style="font-family: Courier New, Courier, monospace;">fstab(5)</span>. Simply comment it out.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vi /etc/fstab</span><br />
<br />
If you have users, inform them that you need to shut down the server and need a maintenance window. Once this window arrives, make sure to schedule a downtime in your monitoring system and shut down the server. Remove the disk with serial number <span style="font-family: Courier New, Courier, monospace;">3QK085G6</span>.<br />
<br />
Upon reboot, of course, the machine was configured to boot from the drive that was just removed. A quick pass in the BIOS to change that and the server was able to boot.<br />
<br />
Log in and check the boot messages to see whether the new disk is detected.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">grep ^ada /var/run/dmesg.boot</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ada0 at ata4 bus 0 scbus4 target 0 lun 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0: <WDC WD1001FALS-00Y6A0 05.01D05> ATA-8 SATA 2.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0: 953869MB (1953525168 512 byte sectors: 16H 63S/T 16383C)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada0: Previously was known as ad8</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1 at ata5 bus 0 scbus5 target 0 lun 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: <ST31000524AS JC4B> ATA-8 SATA 3.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: 953869MB (1953525168 512 byte sectors: 16H 63S/T 16383C)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada1: Previously was known as ad10</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2 at ata6 bus 0 scbus6 target 0 lun 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: <WDC WD7502AAEX-00Y9A0 05.01D05> ATA-8 SATA 3.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: 715404MB (1465149168 512 byte sectors: 16H 63S/T 16383C)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada2: Previously was known as ad12</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3 at ata7 bus 0 scbus7 target 0 lun 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: <ST3750330AS SD1A> ATA-8 SATA 1.x device</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: 715404MB (1465149168 512 byte sectors: 16H 63S/T 16383C)</span><br />
<span style="font-family: Courier New, Courier, monospace;">ada3: Previously was known as ad14</span><br />
<br />
Has the <span style="font-family: Courier New, Courier, monospace;">ada0</span> drive changed? It has if the disk you installed is different from the one that was removed: compare the model string in the boot messages with the table above.<br />
<br />
Check the zpool status:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">zpool status -vx</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> pool: zroot</span><br />
<span style="font-family: Courier New, Courier, monospace;"> state: DEGRADED</span><br />
<span style="font-family: Courier New, Courier, monospace;">status: One or more devices could not be opened. Sufficient replicas exist for</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>the pool to continue functioning in a degraded state.</span><br />
<span style="font-family: Courier New, Courier, monospace;">action: Attach the missing device and online it using 'zpool online'.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> see: http://illumos.org/msg/ZFS-8000-2Q</span><br />
<span style="font-family: Courier New, Courier, monospace;"> scan: resilvered 617G in 12h48m with 0 errors on Sun Jan 27 22:50:59 2013</span><br />
<span style="font-family: Courier New, Courier, monospace;">config:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NAME STATE READ WRITE CKSUM</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>zroot DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> raidz2-0 DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk8 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b><span class="Apple-tab-span" style="white-space: pre;"> </span> 2974201805316735291 UNAVAIL 0 0 0 was /dev/gpt/disk10</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk12 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk14 ONLINE 0 0 0</span><br />
<br />
Check the current partition state of the new disk.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">gpart show ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">=> 63 1953525105 ada0 MBR (931G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 63 206785 - free - (101M)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 206848 1953314816 1 <b>ntfs</b> (931G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 1953521664 3504 - free - (1.7M)</span><br />
<br />
Of course, all new drives now have an NTFS partition by default. NTFS is not a bad file system. It's just that ZFS is better IMHO :) Let's clear that.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart destroy -F ada0</span><br />
<br />
Make sure it's destroyed.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">gpart show ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">gpart: No such geom: ada0.</span><br />
<br />
Good, now partition the new drive.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart create -s gpt ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart add -b 34 -s 128 -t freebsd-boot ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart add -s 2097152 -t freebsd-swap -l swap10 ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo gpart add -t freebsd-zfs -l disk10 ada0</span><br />
<br />
Take a look at what we just created.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">gpart show ada0</span><br />
<span style="font-family: Courier New, Courier, monospace;">=> 34 1953525101 ada0 GPT (931G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 34 128 1 freebsd-boot (64k)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 162 2097152 2 freebsd-swap (1.0G)</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 2097314 1951427821 3 freebsd-zfs (930G)</span><br />
<br />
Next step is to actually tell ZFS that it's got a new drive to work with. Be ready to wait because this can take quite a while.<br />
<br />
Update the zpool.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo zpool replace zroot /dev/gpt/disk10</span><br />
<br />
This will trigger the disk replacement (resilvering in ZFS terms).<br />
<br />
NOTE: Make sure you wait until the resilvering is finished before you reboot!<br />
<br />
Check the replacement's status :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">zpool status -xv</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> pool: zroot</span><br />
<span style="font-family: Courier New, Courier, monospace;"> state: DEGRADED</span><br />
<span style="font-family: Courier New, Courier, monospace;">status: One or more devices is currently being resilvered. The pool will</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>continue to function, possibly in a degraded state.</span><br />
<span style="font-family: Courier New, Courier, monospace;">action: Wait for the resilver to complete.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> scan: resilver in progress since Mon Jan 20 19:36:53 2014</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 420G scanned out of 2.28T at 324/s, (scan is slow, no estimated time)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b> 105G resilvered, 17.99% done</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">config:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NAME STATE READ WRITE CKSUM</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>zroot DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> raidz2-0 DEGRADED 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk8 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> replacing-1 DEGRADED 0 0 16</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> 2974201805316735291 UNAVAIL 0 0 0 was /dev/gpt/disk10/old</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk10 ONLINE 0 0 0 (<b>resilvering</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk12 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk14 ONLINE 0 0 0 (<b>resilvering</b>)</span><br />
<br />
While we're waiting, let's go back to our <span style="font-family: Courier New, Courier, monospace;">fstab(5)</span> and enable <span style="font-family: Courier New, Courier, monospace;">swap10</span>.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim /etc/fstab</span><br />
<br />
Periodically check the status of the zpool. It might take a while, as we can see from my own server's output :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">zpool status -xv</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> pool: zroot</span><br />
<span style="font-family: Courier New, Courier, monospace;"> state: ONLINE</span><br />
<span style="font-family: Courier New, Courier, monospace;">status: One or more devices has experienced an unrecoverable error. An</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>attempt was made to correct the error. Applications are unaffected.</span><br />
<span style="font-family: Courier New, Courier, monospace;">action: Determine if the device needs to be replaced, and clear the errors</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>using 'zpool clear' or replace the device with 'zpool replace'.</span><br />
<span style="font-family: Courier New, Courier, monospace;"> see: http://illumos.org/msg/ZFS-8000-9P</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b> scan: resilvered 582G in 12h4m with 0 errors on Tue Jan 21 07:41:11 2014</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">config:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NAME STATE READ WRITE CKSUM</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>zroot ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> raidz2-0 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk8 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk10 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk12 ONLINE 0 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span> gpt/disk14 ONLINE 0 0 <b>18</b></span><br />
<br />
12 hours! Not bad for an old Pentium 4 with 1 GB of memory running a 32 bit version of ZFS :)<br />
<br />
But wait?! We also see that the vdev <span style="font-family: Courier New, Courier, monospace;">gpt/disk14</span> has had checksum errors (18 of them, to be precise). WTF? This means <span style="font-family: 'Courier New', Courier, monospace;">gpt/disk14</span> is probably close to its retirement. Looking at our table, we see that it's one of the old 750 GB drives, so the data fits reality.<br />
<br />
It's not dead yet, so we'll give it a chance. Clear the error counters and see what happens. Make a note to double-check this vdev in a couple of days.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo zpool clear zroot /dev/gpt/disk14</span><br />
<br />
When we check the pool again, it's back to normal operation.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">zpool status -xv</span><br />
<span style="font-family: Courier New, Courier, monospace;">all pools are healthy</span><br />
<br />
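Two things in this post are worth automating rather than eyeballing: the "do not reboot while resilvering" rule, and the non-zero CKSUM counter that showed up on <span style="font-family: Courier New, Courier, monospace;">gpt/disk14</span>. The script below is an added example, not code from the original post; it parses the text of <span style="font-family: Courier New, Courier, monospace;">zpool status -xv</span> with awk and reports both conditions. The two sample outputs are constructed from the listings shown above; on a real FreeBSD host you would feed it the live command output as the last comment shows.

```shell
#!/bin/sh
# Added example, not from the original post: parse the text of `zpool status -xv`
# and answer two questions before touching the server again:
#   1. is a resilver still running?  (if so, do not reboot, as the NOTE above says)
#   2. does any vdev carry a non-zero READ/WRITE/CKSUM counter?  (the gpt/disk14 case)
# The two samples below are constructed from the listings shown in this post.

SAMPLE_RESILVERING='  pool: zroot
 state: DEGRADED
status: One or more devices is currently being resilvered.
action: Wait for the resilver to complete.
  scan: resilver in progress since Mon Jan 20 19:36:53 2014
config:

    NAME                        STATE     READ WRITE CKSUM
    zroot                       DEGRADED     0     0     0
      raidz2-0                  DEGRADED     0     0     0
        gpt/disk8               ONLINE       0     0     0
        replacing-1             DEGRADED     0     0    16
          2974201805316735291   UNAVAIL      0     0     0  was /dev/gpt/disk10/old
          gpt/disk10            ONLINE       0     0     0  (resilvering)
        gpt/disk12              ONLINE       0     0     0
        gpt/disk14              ONLINE       0     0     0  (resilvering)
'

SAMPLE_CKSUM='  pool: zroot
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.
  scan: resilvered 582G in 12h4m with 0 errors on Tue Jan 21 07:41:11 2014
config:

    NAME          STATE     READ WRITE CKSUM
    zroot         ONLINE       0     0     0
      raidz2-0    ONLINE       0     0     0
        gpt/disk8   ONLINE     0     0     0
        gpt/disk10  ONLINE     0     0     0
        gpt/disk12  ONLINE     0     0     0
        gpt/disk14  ONLINE     0     0    18
'

# Print "resilvering" while a resilver is in progress, "idle" otherwise.
zpool_scan_state() {
    if printf '%s\n' "$1" | grep -q 'resilver in progress'; then
        echo resilvering
    else
        echo idle
    fi
}

# Print "<vdev> <read> <write> <cksum>" for every vdev whose counters are not all zero.
# Only the table under the NAME/STATE header is parsed; zpool may print large
# counters with a unit suffix (e.g. 1.2K), which the pattern allows.
zpool_error_vdevs() {
    printf '%s\n' "$1" | awk '
        $1 == "NAME" && $2 == "STATE" { intable = 1; next }
        intable && NF == 0            { intable = 0 }
        intable && NF >= 5 && $3 ~ /^[0-9.]+[KMGTPE]?$/ && $4 ~ /^[0-9.]+[KMGTPE]?$/ && $5 ~ /^[0-9.]+[KMGTPE]?$/ {
            if ($3 + $4 + $5 > 0) print $1, $3, $4, $5
        }'
}

# Exit 0 when it is safe to reboot and no counters are raised; 1 otherwise.
zpool_check() {
    rc=0
    if [ "$(zpool_scan_state "$1")" = resilvering ]; then
        echo "WARNING: resilver in progress, do not reboot yet" >&2
        rc=1
    fi
    errs=$(zpool_error_vdevs "$1")
    if [ -n "$errs" ]; then
        printf 'WARNING: vdevs with error counters (vdev read write cksum):\n%s\n' "$errs" >&2
        rc=1
    fi
    return $rc
}

# On a real FreeBSD host, replace the sample with:  zpool_check "$(zpool status -xv)"
for sample in "$SAMPLE_RESILVERING" "$SAMPLE_CKSUM"; do
    if zpool_check "$sample"; then echo "pool looks fine"; else echo "pool needs attention"; fi
done
```

A non-zero exit status from <span style="font-family: Courier New, Courier, monospace;">zpool_check</span> is what you would wire into a monitoring probe; the daily periodic(8) mail only tells you about it the next morning.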
Make sure the daily periodic(8) run includes the ZFS status report.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim /etc/periodic.conf </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># /etc/periodic.conf</span><br />
<span style="font-family: Courier New, Courier, monospace;">#</span><br />
<span style="font-family: Courier New, Courier, monospace;"># $Id: periodic.conf,v 1.1 2012/03/07 23:36:42 drobilla Exp $</span><br />
<span style="font-family: Courier New, Courier, monospace;">#</span><br />
<span style="font-family: Courier New, Courier, monospace;"># Changes in this file override the ones in</span><br />
<span style="font-family: Courier New, Courier, monospace;"># /etc/defaults/periodic.conf</span><br />
<span style="font-family: Courier New, Courier, monospace;">#</span><br />
<span style="font-family: Courier New, Courier, monospace;"># David Robillard, March 7th, 2012.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">daily_status_zfs_enable="YES"<span class="Apple-tab-span" style="white-space: pre;"> </span># Check ZFS</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># EOF</span><br />
<br />
There you go. The machine is back to normal status and your daily email will have the ZFS status.<br />
<br />
HTH,<br />
<br />
David<br />
<br /></div>
<h3>
HOWTO : Configure OpenSSH to Fetch Public Keys from OpenLDAP for Authentication on CentOS</h3>
Posted 2013-11-04.<br />
<br />
Today we will configure our OpenLDAP server to store SSH public keys so that the OpenSSH daemon can fetch them and thus authenticate our users.<br />
<br />
To do this, we first need two CentOS machines. This is easy to achieve via a KickStart. If you need help building a KickStart server, <a href="http://itdavid.blogspot.ca/2013/10/howto-centos-6-kickstart-server.html">follow my previous blog post</a>. Then we need a working OpenLDAP server. If you don't have one, then <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">follow my previous blog posts</a> to set one up.<br />
<a name='more'></a><br />
Once this is done, connect to a machine that is set to become the OpenSSH client of the OpenLDAP server.<br />
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">ssh client.example.org</span><br />
<br />
Install the required packages. Most likely you will already have both <span style="font-family: "courier new" , "courier" , monospace;">openssh</span> and <span style="font-family: "courier new" , "courier" , monospace;">openssh-server</span>, but not <span style="font-family: "courier new" , "courier" , monospace;">openssh-ldap</span>.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">sudo yum -y install openssh openssh-server openssh-ldap nss-pam-ldapd</span><br />
<br />
This will provide you with the required OpenLDAP schema and special <span style="font-family: "courier new" , "courier" , monospace;">sshd_config(5)</span> configuration to enable the OpenSSH daemon to fetch SSH public keys from the OpenLDAP server.<br />
<br />
If we take a look at what the openssh-ldap package provides, we'll find a nice HOWTO file.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">rpm -ql openssh-ldap</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/libexec/openssh/ssh-ldap-helper</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/libexec/openssh/ssh-ldap-wrapper</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/doc/openssh-ldap-5.3p1</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/doc/openssh-ldap-5.3p1/ldap.conf</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-sun.schema</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/man/man5/ssh-ldap.conf.5.gz</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">/usr/share/man/man8/ssh-ldap-helper.8.gz</span></div>
<div>
<br /></div>
This HOWTO file is basically what we're doing here. Take a look and see for yourself.</div>
<div>
<br /></div>
<h3>
OpenLDAP Server Configuration</h3>
<div>
<br /></div>
<div>
Next we need to configure OpenLDAP. To do so, we first create a temporary configuration file which includes only two schemas : the core and then the openssh-openldap one.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">mkdir -p ~/ldap<br />echo "include /etc/openldap/schema/core.schema" > ~/ldap/openssh-ldap.conf<br />rpm -ql openssh-ldap | grep -i schema | grep -i openldap | sed 's/^/include /g' >> ~/ldap/openssh-ldap.conf</span><br />
<br />
The resulting file is very small :<br />
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">cat <a href="https://dl.dropboxusercontent.com/u/72609528/blog/openldap/openssh-ldap.conf">~/ldap/openssh-ldap.conf</a></span><br />
<br />
Let's make sure we don't have old artifacts lying around.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">rm -rf ~/ldap/cn\=config*</span></div>
<div>
<br /></div>
<div>
We then create the <span style="font-family: "courier new" , "courier" , monospace;">cn=config</span> version of this file. This creates the <span style="font-family: "courier new" , "courier" , monospace;">~/ldap/cn\=config</span> directory.</div>
<div>
<br />
<span style="font-family: "courier new" , "courier" , monospace;">slapcat -f ~/ldap/openssh-ldap.conf -F ~/ldap -n 0</span><br />
<br />
We then need to clean up the resulting files before we can add them to our OpenLDAP server.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">sed -re "/^(structuralObjectClass|entry[CU]|creat[eo]|modif[iy])/d" ~/ldap/cn\=config/cn\=schema/cn\=\{1\}openssh-lpk-openldap.ldif > ~/ldap/openssh-ldap.ldif<br /><br />sed -i.bak -e "s/{1}openssh-lpk-openldap/openssh-openldap/g" ~/ldap/openssh-ldap.ldif<br /><br />sed -i.bak -e "s/cn=openssh-openldap/cn=openssh-openldap,cn=schema,cn=config/g" ~/ldap/openssh-ldap.ldif</span><br />
<br />
Which results in a very small file :</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">cat <a href="https://dl.dropboxusercontent.com/u/72609528/blog/openldap/openss-ldap.ldif">~/ldap/openssh-ldap.ldif</a></span></div>
<div>
<br />
We can now add this to our OpenLDAP server.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">ldapmodify -axZWD cn=admin,dc=example,dc=org -f ~/ldap/openssh-ldap.ldif</span><br />
<br />
And we can make sure it's indeed in our DIT.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">ldapsearch -xLLLZWD cn=admin,dc=example,dc=org -b cn=config</span></div>
<div>
<br /></div>
<div>
<b>VERY IMPORTANT</b> : If you have a replicated OpenLDAP setup, then MAKE SURE YOU ALSO ADD THE NEW openssh-ldap.ldif FILE TO THE REPLICATED MACHINES! If you don't do so, the replicated servers (or consumers in OpenLDAP language) will protest and fail to operate. You have been warned!<br />
<br />
At this point we need to modify our OpenLDAP users to use the new attributes we just installed (i.e. <span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey</span> and <span style="font-family: "courier new" , "courier" , monospace;">ldapPublicKey</span>). This task is much easier with an LDAP browser. I really like <a href="http://directory.apache.org/studio/">Apache Directory Studio</a>. In any case, use your favorite LDAP editor and connect to the OpenLDAP server.</div>
</div>
<div>
<br /></div>
<div>
So for our users, we add the new <span style="font-family: "courier new" , "courier" , monospace;">objectClass</span> attribute named <span style="font-family: "courier new" , "courier" , monospace;">ldapPublicKey</span>. Once this new <span style="font-family: "courier new" , "courier" , monospace;">objectClass</span> is installed, we can then add the new <span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey</span> attribute.<br />
<br />
Of course, we need to add a value to the <span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey</span>. But what? Easy, just add your existing SSH public key, usually stored in the user's <span style="font-family: "courier new" , "courier" , monospace;">~/.ssh/id_rsa.pub</span> file. If you don't already have one, simply generate it with this command :</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">ssh-keygen -t rsa -b 2048</span></div>
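If you have more than a handful of users, clicking through an LDAP browser gets old fast. The script below is an added example, not code from the original post or from the openssh-ldap package: it validates that a line really is an OpenSSH public key and then emits the ldapmodify(1) change record that adds the <span style="font-family: "courier new" , "courier" , monospace;">ldapPublicKey</span> objectClass and the <span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey</span> value. The DN layout (<span style="font-family: "courier new" , "courier" , monospace;">cn=&lt;uid&gt;,ou=users,dc=example,dc=org</span>) is taken from the ldapsearch output further down; the key in the script is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ldapmodify(1) input that
# attaches the ldapPublicKey objectClass and an sshPublicKey value to a user, so the
# step can be scripted instead of done in an LDAP browser.  The DN layout
# cn=<uid>,ou=users,dc=example,dc=org follows the post's ldapsearch output; the key
# below is a constructed sample, not a real key.

BASE_DN="ou=users,dc=example,dc=org"   # assumption: same tree as the post

# Accept only a line that looks like an OpenSSH public key: "<type> <base64> [comment]".
# Anything else (a pasted PEM block, a private key, an empty line) would end up in the
# directory and be handed to sshd.  Returns 0 when the line is acceptable.
valid_pubkey_line() {
    printf '%s\n' "$1" | awk '
        NF < 2 { exit 1 }
        $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-dss)$/ { exit 1 }
        $2 !~ "^[A-Za-z0-9+/]+=*$" { exit 1 }
        { exit 0 }'
}

# Emit one LDIF change record.  $1 = uid, $2 = public key line.
# sshPublicKey is multi-valued, so "add:" also works for a second key, but the
# "add: objectClass" part fails with "Type or value exists" on a user that already
# carries ldapPublicKey; drop that part when adding further keys to such a user.
sshkey_ldif() {
    uid=$1
    key=$2
    valid_pubkey_line "$key" || { echo "refusing to emit LDIF for $uid: not a public key line" >&2; return 1; }
    cat <<EOF
dn: cn=$uid,$BASE_DN
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: $key
-
EOF
}

# Constructed sample key: the base64 body is made up, only its shape is realistic.
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedSampleKeyNotARealOne0123456789 davidr@example"

# On the real server the record would be piped straight into the directory:
#   sshkey_ldif davidr "$(cat ~/.ssh/id_rsa.pub)" | ldapmodify -xZWD cn=admin,dc=example,dc=org
sshkey_ldif davidr "$SAMPLE_KEY"
```

Because the whole modify record is applied atomically, a rejected objectClass change also means the key was not added, which is a useful safety net against silently half-converted entries.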
<div>
<br /></div>
<div>
This command generates an <a href="http://en.wikipedia.org/wiki/RSA_(algorithm)">RSA</a> key pair. This key pair is stored in two files. One holds the private key (<span style="font-family: "courier new" , "courier" , monospace;">~/.ssh/id_rsa</span>) while the other stores the public one (<span style="font-family: "courier new" , "courier" , monospace;">~/.ssh/id_rsa.pub</span>). Keep the private one safe!<br />
<br />
Now that we have configured our user, let's see how this user appears in our OpenLDAP server. I've listed the relevant attributes in <b>bold </b>in the following output. I've also changed both the <span style="font-family: "courier new" , "courier" , monospace;">userPassword</span> and <span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey</span> attributes for obvious reasons ;)<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">ldapsearch -xZWLLLD cn=admin,dc=example,dc=org -b ou=users,dc=example,dc=org cn=davidr</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Enter LDAP Password:</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">dn: cn=davidr,ou=users,dc=example,dc=org</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">uid: davidr</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">gecos: David Robillard</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">objectClass: top</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">objectClass: account</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">objectClass: posixAccount</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">objectClass: shadowAccount</span><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">objectClass: ldapPublicKey</span></b><br />
<span style="font-family: "courier new" , "courier" , monospace;">userPassword:: e1NTSEF9UnNBTXFPSTM2NDdxZzFnQVpasdasdAwc0VWZmE=</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">shadowLastChange: 15140</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">shadowMin: 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">shadowMax: 99999</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">shadowWarning: 7</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">loginShell: /bin/bash</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">uidNumber: 2000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">gidNumber: 2000</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">homeDirectory: /nfs/home/davidr</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">cn: davidr</span><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAhygfeeDQOSbGhDjPqQSQz1BE9ogqvWHN</span><span style="font-family: "courier new" , "courier" , monospace;">pKfG3Hhp0uTXzzMyTmVqGDAMDl3Nc3rXjg1rf1Vcmi9+FUmh5nni7JUCvrhZoHdJuuVY3OlnXWRUR</span><span style="font-family: "courier new" , "courier" , monospace;">EKIFrPKQ1YIl0q81iomLwJwnhwWYzfQbQyUtKprdg6pobUVSf+76D1Svjqv9PbimAD6nw== david</span><span style="font-family: "courier new" , "courier" , monospace;">r@bwmdavidr</span></b></div>
<div>
<br /></div>
<h3>
Configure OpenSSH</h3>
<div>
<br /></div>
<div>
Now that OpenLDAP is ready, we must configure OpenSSH to fetch the keys from OpenLDAP. We do so by installing new configuration lines in <span style="font-family: "courier new" , "courier" , monospace;">sshd_config(5)</span>. These lines are :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">AuthorizedKeysCommandRunAs nobody</span></div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">PubkeyAuthentication yes</span></div>
<div>
<br /></div>
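A detail that bites here: sshd takes the first value it reads for a keyword and silently ignores later duplicates, so appending these lines to the end of a file that already has an <span style="font-family: "courier new" , "courier" , monospace;">AuthorizedKeysCommand</span> or a <span style="font-family: "courier new" , "courier" , monospace;">PubkeyAuthentication no</span> higher up changes nothing. The script below is an added example, not from the original post: it computes the effective value of each directive the way sshd does and reports what is off. Both configuration fragments are constructed samples, and the <span style="font-family: "courier new" , "courier" , monospace;">Keyword=value</span> spelling is not handled.

```shell
#!/bin/sh
# Added example, not from the original post: check that an sshd_config really carries the
# three directives above, taking into account that sshd uses the FIRST value it reads for
# a keyword and silently ignores later duplicates (a common reason the wrapper "does
# nothing").  Keywords are matched case-insensitively, as sshd_config(5) does; the
# "Keyword=value" form is not handled.  Both configs below are constructed samples.

SAMPLE_GOOD='# constructed sshd_config fragment
Protocol 2
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
PasswordAuthentication no
'

SAMPLE_BAD='# the wrapper line is shadowed by an earlier AuthorizedKeysCommand
AuthorizedKeysCommand /usr/local/bin/old-helper
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
PubkeyAuthentication no
'

# Print the effective value of keyword $2 in config text $1 (empty when unset).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }                  # comments and blank lines
        tolower($1) == key {                                  # first occurrence wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "") # strip the keyword
            print
            exit
        }'
}

# Report every deviation from the LDAP key-lookup setup, one per line; exit 0 when clean.
# PubkeyAuthentication defaults to yes when absent, so only an explicit "no" is flagged.
check_sshd_ldap() {
    cfg=$1
    rc=0
    cmd=$(sshd_effective "$cfg" AuthorizedKeysCommand)
    runas=$(sshd_effective "$cfg" AuthorizedKeysCommandRunAs)
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    [ "$cmd" = /usr/libexec/openssh/ssh-ldap-wrapper ] \
        || { echo "AuthorizedKeysCommand is '${cmd:-unset}', expected the ssh-ldap-wrapper"; rc=1; }
    { [ -n "$runas" ] && [ "$runas" != root ]; } \
        || { echo "AuthorizedKeysCommandRunAs is '${runas:-unset}', use an unprivileged user such as nobody"; rc=1; }
    [ "${pubkey:-yes}" = yes ] \
        || { echo "PubkeyAuthentication is '$pubkey', keys from LDAP will never be consulted"; rc=1; }
    return $rc
}

# On the real host:  check_sshd_ldap "$(cat /etc/ssh/sshd_config)"
for cfg in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_sshd_ldap "$cfg"; then echo "config OK"; else echo "config needs fixing"; fi
    echo
done
```

Run it before the <span style="font-family: "courier new" , "courier" , monospace;">sshd restart</span> below; it catches the shadowed-directive case that <span style="font-family: "courier new" , "courier" , monospace;">sshd -t</span> will happily accept because the file is syntactically fine.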
<div>
So do it.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/ssh/sshd_config</span></div>
<div>
<br /></div>
<div>
And we make sure to restart the OpenSSH daemon so that it knows about this new configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">sudo /etc/init.d/sshd restart</span></div>
<div>
<br /></div>
<div>
Then we must configure the <span style="font-family: "courier new" , "courier" , monospace;">ldap.conf(5)</span> specifically for OpenSSH. So we place the file under <span style="font-family: "courier new" , "courier" , monospace;">/etc/ssh</span>.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/openldap/etc.ssh.ldap.conf">/etc/ssh/ldap.conf</a></span></div>
<div>
<br /></div>
<div>
We can now try the new setup. From another machine, try to connect to the server we just configured to fetch the SSH key from our OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">ssh -v client.example.org</span></div>
<div>
<br /></div>
<div>
And in our <span style="font-family: "courier new" , "courier" , monospace;">/var/log/secure</span> file, we should see these lines. To be sure the key really came from the directory and not from a leftover <span style="font-family: "courier new" , "courier" , monospace;">~/.ssh/authorized_keys</span> on the server, make sure that file does not exist for the test user, or run sshd in debug mode and watch it invoke the AuthorizedKeysCommand :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Nov 4 13:30:42 client sshd[4924]: Accepted publickey for davidr from 192.168.20.216 port 32135 ssh2</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Nov 4 13:30:42 client sshd[4924]: pam_unix(sshd:session): session opened for user davidr by (uid=0)</span></div>
</div>
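To see what the wrapper behind <span style="font-family: "courier new" , "courier" , monospace;">AuthorizedKeysCommand</span> actually has to deliver, here is an added example (not code from the original post, and not the ssh-ldap-wrapper shipped in openssh-ldap). It takes LDIF as ldapsearch prints it, unfolds the continuation lines, decodes base64 (« :: ») values and prints one key per line, which is the contract sshd expects; it also refuses login names that could alter an LDAP filter. The LDIF is a constructed sample with fake keys, and the ldap.example.org hostname and base DN in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not the openssh-ldap wrapper itself: the shape of an
# AuthorizedKeysCommand that pulls sshPublicKey values out of LDIF.
# sshd runs such a command as the AuthorizedKeysCommandRunAs user, passes
# the login name as $1, and expects one authorized_keys line per line of
# stdout. sshd also refuses the command unless the file is owned by root
# and not writable by group or others, so install it accordingly.
#
# LDIF folds long values onto continuation lines that start with one space,
# and base64-encodes values after "::". A wrapper that ignores either hands
# sshd a truncated key that never matches.

# Unfold LDIF: glue each line that starts with a space onto the previous one.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Print every sshPublicKey value, decoding "::" (base64) values.
extract_keys() {
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                printf '\n' ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Constructed LDIF in the shape ldapsearch -LLL prints; the keys are fake
# placeholders, not real key material. The second value is base64-encoded
# at run time so the "::" branch is exercised.
sample_ldif() {
    b64=$(printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY davidr@laptop' | base64 | tr -d '\n')
    printf '%s\n' \
        'dn: uid=davidr,ou=People,dc=example,dc=org' \
        'uid: davidr' \
        'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCfakekeyforillustration' \
        ' only== davidr@bwmdavidr' \
        "sshPublicKey:: $b64"
}

# keys_for_user USER: refuse anything that is not a plain login name before
# it goes anywhere near an LDAP filter (no LDAP injection via "davidr)(uid=*"),
# then emit the keys. A real wrapper would replace sample_ldif with, e.g.:
#   ldapsearch -LLL -x -H ldaps://ldap.example.org -b "$BASE" \
#       "(&(uid=$1)(objectClass=ldapPublicKey))" sshPublicKey
# (hostname and base DN are placeholders).
keys_for_user() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    sample_ldif | extract_keys
}

keys_for_user "${1:-davidr}"
```

Run it with a login name as the only argument, exactly as sshd would; the two fake keys come out as two authorized_keys lines, and a name such as <span style="font-family: "courier new" , "courier" , monospace;">davidr)(uid=*</span> is rejected before any directory query.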
<div>
<br /></div>
<div>
And there you go :)</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com44tag:blogger.com,1999:blog-4619978964286106329.post-83581686218470014172013-10-17T17:02:00.003-04:002013-11-06T10:39:54.957-05:00HOWTO : CentOS 6 KickStart ServerThis blog post will explain how to build a <a href="http://en.wikipedia.org/wiki/Kickstart_(Linux)">Kickstart</a> server which is used to automatically perform unattended OS installation and configuration of both RedHat 6 and CentOS 6 machines.<br />
<br />
Kickstart is basically a copy of the <a href="http://en.wikipedia.org/wiki/Jumpstart_(Solaris)">Solaris Jumpstart</a>. If you manage IBM AIX machines, it's the equivalent of <a href="http://www.ibm.com/developerworks/aix/library/au-nim/">NIM</a>. Or <a href="http://h71028.www7.hp.com/enterprise/w1/en/os/hpux11i-system-management-ignite-ux.html">Ignite</a> in the HP-UX world.<br />
<br />
<a name='more'></a><br />
<br />
The following details are important in this blog post...<br />
<ul>
<li>Kickstart server's FQDN : <span style="font-family: Courier New, Courier, monospace;">angel.company.com</span> </li>
<li>DNS CNAME <span style="font-family: Courier New, Courier, monospace;">kickstart.company.com</span> points to <span style="font-family: Courier New, Courier, monospace;">angel.company.com</span></li>
<li>Central Syslog Server DNS CNAME <span style="font-family: Courier New, Courier, monospace;">syslog.company.com</span> </li>
<li>Kickstart server's IP : <span style="font-family: Courier New, Courier, monospace;">192.168.1.1</span> </li>
<li>Kickstart client machine FQDN : <span style="font-family: Courier New, Courier, monospace;">oxygen.company.com</span> </li>
<li>Kickstart client machine's MAC address : <span style="font-family: Courier New, Courier, monospace;">00:11:43:e4:4f:3d</span> </li>
<li>Kickstart client's IP : <span style="font-family: Courier New, Courier, monospace;">192.168.1.2</span> </li>
<li>DNS servers are : <span style="font-family: Courier New, Courier, monospace;">192.168.1.24</span> and <span style="font-family: Courier New, Courier, monospace;">192.168.1.53</span></li>
<li>NTP server 1 is <span style="font-family: Courier New, Courier, monospace;">ntp1.company.com</span> at <span style="font-family: Courier New, Courier, monospace;">192.168.1.123</span></li>
<li>NTP server 2 is <span style="font-family: Courier New, Courier, monospace;">ntp2.company.com</span> at <span style="font-family: Courier New, Courier, monospace;">192.168.1.124</span></li>
<li>Kerberos Key Distribution Center master server is <span style="font-family: Courier New, Courier, monospace;">king.company.com</span></li>
<li>Kerberos 2nd KDC is <span style="font-family: Courier New, Courier, monospace;">kong.company.com</span></li>
<li>NFS server for user's homes is <span style="font-family: Courier New, Courier, monospace;">nfs1.company.com</span></li>
<li>OpenLDAP servers are <span style="font-family: Courier New, Courier, monospace;">ldap1.company.com</span> and <span style="font-family: Courier New, Courier, monospace;">ldap2.company.com</span></li>
</ul>
<br />
<h4>
Kickstart Server Setup</h4>
<br />
We start by installing either a RedHat 6 or a CentOS 6 machine. I suggest using a CentOS 6 machine because your organisation won't have to pay any subscription fees for it. As always, I prefer to install the Minimal OS version and add packages as I go along. This creates a machine with the minimum amount of packages installed, which means fewer updates to manage and a smaller attack surface on a server that every new machine on the network will trust.<br />
<br />
Make sure to create an /export file system with quite a few GB of free space. For example, a Kickstart server for RedHat 6 x86_64, CentOS 6 i386 and CentOS 6 x86_64 requires 14 GB of disk space. Use <a href="http://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)">LVM</a> to manage your disks as it's more flexible. <br />
<br />
The /export filesystem is where we will store the complete RedHat 6 and CentOS 6 images along with the required Kickstart scripts and OS template configuration files. Don't forget that, with a little luck, the Kickstart server machine we are building now should one day serve as the Kickstart server for many future versions of RedHat/CentOS (i.e. 7, 8, 9, etc) but it can also install VMware ESX 3.5 servers (should you need that).<br />
<br />
Once the kickstart server is installed, we need to add and configure a few packages to it. Mainly, we will need the <a href="http://en.wikipedia.org/wiki/Apache_HTTP_Server">Apache HTTP web</a> server, a <a href="http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol">Trivial File Transfer Protocol</a> server and the <a href="http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol">Dynamic Host Configuration Protocol</a> server from the <a href="http://en.wikipedia.org/wiki/Internet_Systems_Consortium">Internet Systems Consortium</a>. We will also need a copy of the DVD iso images from both <a href="http://centos.org/">CentOS</a> 6 and <a href="http://www.redhat.com/">RedHat Enterprise Linux</a> 6 for the i386 (32 bit) and x86_64 (64 bit) architectures. Of course, if you're lucky enough to have only 64 bit capable machines, then don't bother with the 32 bit versions of the OS.<br />
<br />
Create a directory tree in which we will store the DVD images and the kickstart configuration files.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/{centos,redhat,kickstart,etc,root}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/centos/6/{x86_64,i386}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/redhat/6/{x86_64,i386}</span><br />
<br />
Go to the <a href="http://www.centos.org/">CentOS</a> and <a href="http://www.redhat.com/">RedHat</a> websites and download the complete DVD iso image for version 6. Again, select the i386 and/or the x86_64 versions. In this blog post, I'll only show how to install the x86_64 version of CentOS 6 because that's what I use the most. Assuming you're working on a PC-BSD or Linux desktop, drop the DVD image into your <span style="font-family: 'Courier New', Courier, monospace;">~/Downloads</span> directory. Start the download now because these are big files.<br />
<br />
Next, connect to the KickStart server and install some required applications.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh angel.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install tftp-server xinetd httpd vim dhcp</span><br />
<br />
<h4>
DNS Configuration</h4>
<div>
<br /></div>
<div>
For this whole thing to work, we need to set up a DNS CNAME that points to our machine. So connect to your BIND name server and set one up. Test to see if it works :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dig +short kickstart.company.com. cname</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">angel.company.com.</span></div>
<div>
<br /></div>
<div>
Good, that means your DNS resolver can find the right machine.</div>
<div>
<br /></div>
<h4>
Apache Configuration</h4>
<br />
We will use Apache as the transport for our KickStart, so we need to configure it. Keep in mind that everything it serves from the install tree, kickstart files and post-install scripts included, goes out in the clear to any host that can reach port 80. Restrict the install tree to the install network (on the Apache 2.2 shipped with CentOS 6, an Order/Allow from pair inside the Directory block) and keep secrets out of it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/etc/httpd/conf/httpd.conf">/etc/httpd/conf/httpd.conf</a></span><br />
<br />
Check that the configuration is OK :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo httpd -S</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VirtualHost configuration:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">wildcard NameVirtualHosts and _default_ servers:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">*:80 is a NameVirtualHost</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> default server kickstart.company.com (/etc/httpd/conf/httpd.conf:231)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> port 80 namevhost kickstart.company.com (/etc/httpd/conf/httpd.conf:231)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Syntax OK</span><br />
<br />
Make sure httpd starts at boot time.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig httpd on</span><br />
<br />
Then start it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/httpd start</span><br />
<br />
<h4>
DHCP Configuration</h4>
<br />
Two useful references are RedHat's <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Configuring_a_Multihomed_DHCP_Server.html">Configuring a Multihomed DHCP Server</a> and the ISC DHCP Documentation and FAQ (but the ISC has changed their site and I can't find that one anymore :( ). The directives that matter for PXE are <span style="font-family: 'Courier New', Courier, monospace;">next-server</span> (the address of the TFTP server), <span style="font-family: 'Courier New', Courier, monospace;">filename</span> (the boot file relative to the TFTP root, i.e. <span style="font-family: 'Courier New', Courier, monospace;">pxelinux/pxelinux.0</span> with the layout used below) and one <span style="font-family: 'Courier New', Courier, monospace;">host</span> block per client tying its MAC address to a <span style="font-family: 'Courier New', Courier, monospace;">fixed-address</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/etc/dhcp/dhcpd.conf">/etc/dhcp/dhcpd.conf</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim /etc/sysconfig/dhcpd</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig dhcpd on</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/dhcpd configtest</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/dhcpd start</span></div>
</div>
<div>
<br />
<b>WARNING </b>: Do NOT install a DHCP server in your corporation without the proper consent of the network administration group!<br />
<br />
<h4>
TFTP Server Configuration</h4>
<div>
<br /></div>
<div>
That's easy enough, just edit the configuration file. See in.tftpd(8) for more info. Two settings matter: <span style="font-family: 'Courier New', Courier, monospace;">disable = no</span>, and <span style="font-family: 'Courier New', Courier, monospace;">server_args = -s /tftpboot</span>, since this post keeps the boot files in <span style="font-family: 'Courier New', Courier, monospace;">/tftpboot</span> rather than the package default of <span style="font-family: 'Courier New', Courier, monospace;">/var/lib/tftpboot</span>. The <span style="font-family: 'Courier New', Courier, monospace;">-s</span> flag makes the daemon chroot into that directory, so a request for something like <span style="font-family: 'Courier New', Courier, monospace;">../etc/passwd</span> cannot leave it.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/etc/xinetd.d/tftp.txt">/etc/xinetd.d/tftp</a></span></div>
<div>
<br /></div>
<div>
Then make sure xinetd(8) starts at boot.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig xinetd on</span></div>
<div>
<br /></div>
<div>
And start xinetd.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/xinetd start</span></div>
<div>
<br /></div>
<h4>
PXE Boot Configuration</h4>
<br />
You can read the <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-netboot-pxe-config.html">official PXE Boot Configuration documentation</a> on how to set things up. Or simply follow the instructions in this blog post. Now the only big differences between the CentOS and RedHat kickstart configuration are the <span style="font-family: 'Courier New', Courier, monospace;">vmlinuz</span> and <span style="font-family: 'Courier New', Courier, monospace;">initrd.img</span> files. The <span style="font-family: 'Courier New', Courier, monospace;">pxelinux.0</span> and <span style="font-family: 'Courier New', Courier, monospace;">pxelinux.cfg/default</span> files can be used for both as we shall see later on.<br />
<br />
<h4>
CentOS Kickstart Preparation</h4>
<br /></div>
<div>
Once you have both DVD1 and DVD2 iso from <a href="http://mirror.rackspace.com/CentOS/6.4/isos/x86_64/">one of the CentOS mirrors</a>, be sure to double check their SHA1 checksums against <a href="http://mirror.rackspace.com/CentOS/6.4/isos/x86_64/sha1sum.txt">the ones found on the mirror</a>. Keep in mind what that check does and doesn't prove: a digest published on the same mirror as the images catches a corrupt or truncated download, but not a tampered mirror, since whoever can replace the iso can replace sha1sum.txt too. For that, verify the signed copy (sha1sum.txt.asc, checked with gpg against the CentOS signing key) or compare with the digests published by the project itself.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">openssl dgst -sha1 ~/Downloads/CentOS-6.4-x86_64-bin-DVD*</span><br />
<br />
If that's good, then send them to your KickStart server (and if not, make sure to alert the mirror's maintainers!)<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">scp ~/Downloads/CentOS-6.4-x86_64-bin-DVD* kickstart.company.com:~/</span><br />
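Comparing two 40-character strings by eye is how mismatches get missed, so here is an added example (not from the original post) that does the check above as a script: it reads the digest for a given file name out of sha1sum.txt, computes the file's SHA1 with openssl dgst, and fails loudly on a mismatch or a missing entry. The demo at the end runs on a constructed fake image so it works without a real DVD.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded ISO against
# the mirror's sha1sum.txt. A digest fetched from the same mirror only proves
# the file survived the transfer; against a tampered mirror you also need the
# signed sha1sum.txt.asc (gpg --verify) or a digest from a second source,
# which this script deliberately does not replace.

# sha1_of FILE: the hex digest, taken from openssl's "SHA1(file)= <hex>" line
# (falls back to sha1sum where openssl is not installed).
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | sed 's/^.*= //'
    else
        sha1sum "$1" | awk '{ print $1 }'
    fi
}

# expected_sha1 SUMFILE NAME: the digest sha1sum.txt lists for basename NAME.
# Lines look like "<hex>  <file name>", so match on the name field rather
# than grepping the whole line (a partial name must not match).
expected_sha1() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_iso SUMFILE ISO: return 0 when the digests agree, 1 otherwise.
verify_iso() {
    name=$(basename "$2")
    want=$(expected_sha1 "$1" "$name")
    have=$(sha1_of "$2")
    if [ -z "$want" ]; then
        echo "no entry for $name in $1" >&2
        return 1
    fi
    if [ "$want" = "$have" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name: expected $want, got $have" >&2
        return 1
    fi
}

# Self-contained demo on constructed data (no real ISO needed): a fake image,
# a sha1sum.txt that matches it, then the same file with one byte appended,
# which must be rejected.
demo_verify() {
    dir=$(mktemp -d)
    iso="$dir/CentOS-6.4-x86_64-bin-DVD1.iso"
    printf 'not really an iso image\n' > "$iso"
    printf '%s  %s\n' "$(sha1_of "$iso")" "$(basename "$iso")" > "$dir/sha1sum.txt"
    verify_iso "$dir/sha1sum.txt" "$iso" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$iso"
    if verify_iso "$dir/sha1sum.txt" "$iso" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}

demo_verify
```

For the real thing, call <span style="font-family: 'Courier New', Courier, monospace;">verify_iso</span> with the downloaded sha1sum.txt and each iso in turn, and only scp images that pass.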
<br />
Create mount directories for both of them.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mkdir /mnt/dvd1 /mnt/dvd2</span><br />
<br />
Then mount each of them in turn to their respective directories.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mount -t iso9660 -o loop,ro ~/CentOS-6.4-x86_64-bin-DVD1.iso /mnt/dvd1<br />sudo mount -t iso9660 -o loop,ro ~/CentOS-6.4-x86_64-bin-DVD2.iso /mnt/dvd2</span><br />
<br />
Once we have access to the DVD's content, we need to populate the syslinux and tftpboot directories. Let's do syslinux first. Our goal is to get the PXE boot file called <span style="font-family: 'Courier New', Courier, monospace;">pxelinux.0</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mkdir /tmp/syslinux</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /tmp/syslinux</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo cp -rp /mnt/dvd1/Packages/syslinux-*.x86_64.rpm /tmp/syslinux<br />rpm2cpio /tmp/syslinux/syslinux-4.02-4.el6.x86_64.rpm | cpio -dimv</span><br />
<br />
The rpm2cpio(8) command will generate a directory tree starting with <span style="font-family: Courier New, Courier, monospace;">usr</span> in the <span style="font-family: Courier New, Courier, monospace;">/tmp/syslinux</span> directory. We then place this new syslinux PXE boot file into our <span style="font-family: Courier New, Courier, monospace;">/tftpboot</span> directory. Note that the same <span style="font-family: Courier New, Courier, monospace;">pxelinux.0</span> can boot CentOS 5, CentOS 6, RedHat 5 and RedHat 6, both i386 and x86_64, since all it has to do is load the kernel and initrd named in the profile. Which means that we don't have to recreate it for every single operating system version that we want to KickStart.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /tftpboot/pxelinux</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /tmp/syslinux/usr/share/syslinux/pxelinux.0 /tftpboot/pxelinux</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /tmp/syslinux/usr/share/syslinux/menu.c32 /tftpboot/pxelinux</span></div>
<div>
<br />
Once we have our PXE boot file, we then create a directory tree that will house the rest of the boot files. These files are different from one operating system to another. So make sure you update them when you setup a new OS for the KickStart.<br />
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /tftpboot/centos/6/x86_64/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /mnt/dvd1/images/pxeboot/{vmlinuz,initrd.img} /tftpboot/centos/6/x86_64/</span></div>
<div>
<br />
The PXE boot environment is almost complete. We now need to place a copy of the OS on the KickStart server. The idea here is to dump the entire content of the DVDs on the KickStart server. With CentOS 6.4, it required 5.5 GB of disk space. So plan accordingly.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/centos/6/x86_64</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /mnt/dvd1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo tar cf - . | (cd /export/install/linux/centos/6/x86_64; sudo tar xvf -)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /mnt/dvd2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo tar cf - . | (cd /export/install/linux/centos/6/x86_64; sudo tar xvf -)</span><br />
<br />
Once that's done, we can umount <span style="font-family: Courier New, Courier, monospace;">/mnt/{dvd1,dvd2}</span> and get rid of the DVD iso images.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo umount /mnt/</span><span style="font-family: 'Courier New', Courier, monospace;">{dvd1,dvd2}</span><br />
<span style="font-family: Courier New, Courier, monospace;">rm ~/CentOS-6.4-x86_64-bin-DVD*.iso</span></div>
<div>
<br />
We now have the PXE files and the CentOS distribution on the disks of our KickStart server. The next step is to configure the profiles that will be loaded by a machine that boots via PXE. Those profiles will direct the system during the OS installation and configuration. Our first file will be the default configuration loaded by any PXE client if it can't find a specific profile. We will see how to setup machine specific profiles later.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /tftpboot/pxelinux/</span><span style="font-family: 'Courier New', Courier, monospace;">pxelinux</span><span style="font-family: 'Courier New', Courier, monospace;">.cfg</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/tftpboot/pxelinux/pxelinux.cfg/default.txt">/tftpboot/pxelinux/pxelinux.cfg/default</a></span><br />
<br />
The default file lists several different possibilities. For this blog post example, we will configure a machine specific profile for a CentOS 6 x86_64 installation. Recall that our client machine that will be installed has a MAC address of 00:11:43:e4:4f:3d. You can find out your machine's MAC address from the BIOS setup screens, or sometimes it's written on the case. Or you can simply try to PXE boot it and look at <span style="font-family: Courier New, Courier, monospace;">/var/log/messages</span> on the KickStart server, where dhcpd logs the DHCPDISCOVER along with the client's MAC address.<br />
<br />
When that machine PXE boots, it will automatically look for a file named after its MAC address, but with a twist. The MAC address has its colons « : » replaced by dashes « - », and an extra « 01- » prepended (the ARP hardware type, 1 meaning Ethernet). If that file does not exist, pxelinux falls back to files named after the client's IP address in uppercase hexadecimal, shortened one digit at a time, and finally to <span style="font-family: 'Courier New', Courier, monospace;">default</span>. To create the file, we simply transform the MAC address to the file name expected by the PXE boot loader. Like so :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">echo 00:11:43:e4:4f:3d | sed -e "s/:/-/g" -e "s/^/01-/g"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">01-00-11-43-e4-4f-3d</span><br />
<br />
We can thus create the file <span style="font-family: 'Courier New', Courier, monospace;">01-00-11-43-e4-4f-3d</span> like this.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/tftpboot/pxelinux/pxelinux.cfg/01-00-11-43-e4-4f-3d.txt">/tftpboot/pxelinux/pxelinux.cfg/01-00-11-43-e4-4f-3d</a></span><br />
<br />
OPTIONAL : it's easier to remember that machine <span style="font-family: 'Courier New', Courier, monospace;">oxygen.company.com</span> was installed instead of file <span style="font-family: 'Courier New', Courier, monospace;">01-00-11-43-e4-4f-3d</span>, so we can create a symbolic link. That step is optional, but is sysadmin friendly :)<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ln -s /tftpboot/</span><span style="font-family: 'Courier New', Courier, monospace;">pxelinux/</span><span style="font-family: 'Courier New', Courier, monospace;">pxelinux.cfg/01-00-11-43-e4-4f-3d /tftpboot/</span><span style="font-family: 'Courier New', Courier, monospace;">pxelinux/</span><span style="font-family: 'Courier New', Courier, monospace;">pxelinux.cfg/oxygen.company.com</span><br />
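To see exactly which files pxelinux will ask the TFTP server for, and therefore where a per-machine profile has to live and what it falls back to, here is an added example (not from the original post) that generalises the sed one-liner above: it builds the MAC-based name, the IP-based names and the final default, in the order pxelinux tries them. The MAC and IP are the ones used for oxygen.company.com in this post.

```shell
#!/bin/sh
# Added example, not from the original post: list the configuration files
# pxelinux requests from pxelinux.cfg/, in order, for a given client.
#   1. 01-<mac>: hardware type (01 = Ethernet) plus the MAC in lowercase with
#      colons replaced by dashes;
#   2. the client's IPv4 address as eight uppercase hex digits, then that
#      string shortened one digit at a time (handy for subnet-wide profiles);
#   3. "default".
# (Recent syslinux versions also try a client UUID before the MAC; omitted.)

# mac_to_pxe_name MAC: the per-machine file name, e.g. 01-00-11-43-e4-4f-3d.
mac_to_pxe_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/:/-/g')"
}

# ip_to_hex IP: dotted quad to eight uppercase hex digits (192.168.1.2 -> C0A80102).
ip_to_hex() {
    # word splitting of the tr output into four octets is intended
    printf '%02X%02X%02X%02X\n' $(printf '%s' "$1" | tr '.' ' ')
}

# pxelinux_search_order MAC IP: one candidate file name per line, first tried first.
pxelinux_search_order() {
    mac_to_pxe_name "$1"
    hex=$(ip_to_hex "$2")
    i=${#hex}
    while [ "$i" -gt 0 ]; do
        printf '%s\n' "$hex" | cut -c1-"$i"
        i=$((i - 1))
    done
    printf 'default\n'
}

# The client from this post: oxygen.company.com, 00:11:43:e4:4f:3d / 192.168.1.2.
pxelinux_search_order 00:11:43:e4:4f:3d 192.168.1.2
```

The first line of the output is the file created in the step above; anything placed under one of the hex names applies to every client whose address starts with that prefix, which is worth knowing before you leave a permissive profile lying around in the TFTP root.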
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">In the </span><span style="font-family: 'Courier New', Courier, monospace;">01-00-11-43-e4-4f-3d</span><span style="font-family: inherit;"> file, we reference a particular kickstart file called </span><span style="font-family: 'Courier New', Courier, monospace;">centos6.ks</span>. We thus need to create this file too. It describes the hard disk partitioning, laid out according to <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s2-diskpartrecommend-x86.html">RedHat's Recommended Partitioning Scheme</a>, and the file itself follows <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html">RedHat's Kickstart Options</a>. Note that if this machine has two disks, we need to list both <span style="font-family: 'Courier New', Courier, monospace;">/dev/sda</span> and <span style="font-family: 'Courier New', Courier, monospace;">/dev/sdb</span>. Make sure the « .ks » file references the same number of disks as the client machine has.<br />
<br />
Another important thing to consider when writing « .ks » files is that the disks must be named exactly as the OS will see them. For instance, HP machines with Smart Array controllers use <span style="font-family: 'Courier New', Courier, monospace;">/dev/cciss/c0d0</span> instead of <span style="font-family: 'Courier New', Courier, monospace;">/dev/sda</span>. Some Dell onboard RAID controllers will show <span style="font-family: 'Courier New', Courier, monospace;">/dev/md127</span> to the OS. So the KickStart file has to use the right disk device name, otherwise the KickStart will fail.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/kickstart/centos6.ks">/export/install/linux/kickstart/centos6.ks</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Good, we're close to our first system installation. </span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<h3>
<span style="font-family: inherit;">Client Post-Kickstart OS Configuration Setup</span></h3>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">What comes next is simply the site specific configurations. These configurations will of course change from site to site. So :</span><br />
<span style="font-family: inherit;"><i><br /></i></span>
<span style="font-family: inherit;"><i><b>Make sure you edit the files to suit your own corporation's needs!</b></i></span><br />
<span style="font-family: inherit;"><br /></span>
Site specific configurations are executed via a shell script which is launched after the operating system has been installed. My version of this script will configure the DNS resolver, OpenLDAP clients, NFS clients, Kerberos realm, AutoFS via LDAP and Kerberos, the nsswitch.conf file and a whole bunch of other files in <span style="font-family: Courier New, Courier, monospace;">/etc</span> and <span style="font-family: Courier New, Courier, monospace;">/root</span>. It also creates the root password and the panic user which I use in cases where the NFS and/or LDAP services are not working anymore. Your Mileage <i>Will</i> Vary!<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/kickstart/post.install.sh">/export/install/linux/kickstart/post.install.sh</a></span><br />
<br />
This script, in turn, depends on a lot of files that should reside on our KickStart server and be accessible via the httpd server we configured. Remember that they travel over plain HTTP to a machine that has not been secured yet, so treat anything in them (root password hashes, LDAP bind passwords, keytabs) as readable by the whole install network: keep such secrets out of the tree where you can, and rotate the ones you can't right after the install. Here's all of them, but I'll say it again...<br />
<br />
<span style="font-family: inherit;"><i><b>...make sure you edit the files to suit your own corporation's needs!</b></i></span><br />
<div>
<br />
<b>NOTE</b> : this is a bit tedious, so of course, as the Perl folks say, there's more than one way to do it. You can use configuration management software to do this for you. <a href="http://puppetlabs.com/">Puppet</a>, <a href="http://www.opscode.com/chef/">Chef</a> and <a href="http://saltstack.com/community.html">SaltStack</a> are good examples.<br />
<br />
We will start by creating the directory hierarchy.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/etc/{logrotate.d,mail,openldap,pam.d,selinux,skel,snmp,ssh,sysconfig}</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">And so now we can populate our KickStart server with our configuration files. All these files are going to be pushed to our clients after the OS has been installed. Let's start by the files right in </span><span style="font-family: Courier New, Courier, monospace;">/etc</span><span style="font-family: inherit;">.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/autofs_ldap_auth.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/autofs_ldap_auth.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/banner"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/banner</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/hosts"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/hosts</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/idmapd.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/idmapd.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/issue"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/issue</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/kdump.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/kdump.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/krb5.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/krb5.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/nslcd.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/nsswitch.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/nsswitch.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/ntp.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/ntp.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/pam_ldap.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/pam_ldap.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/resolv.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/resolv.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/rssh.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/rssh.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/rsyslog.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/rsyslog.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/sudoers"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/sudoers</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/sudo-ldap.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/sudo-ldap.conf</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/sysctl.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/sysctl.conf</span></a><br />
<div>
<br /></div>
<div>
Next we make sure we handle those log files.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/logrotate.d/ntpd"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/logrotate.d/ntpd</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/logrotate.d/sudo"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/</span><span style="font-family: 'Courier New', Courier, monospace;">etc/logrotate.d/sudo</span></a></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Now we can do the ones under <span style="font-family: Courier New, Courier, monospace;">/etc/mail</span>.</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/mail/sendmail.mc"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/mail/sendmail.mc</span></a><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/mail/submit.mc"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/mail/submit.mc</span></a><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The OpenLDAP client configuration in </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap</span><span style="font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/openldap/ldap.conf"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/ldap.conf</span></a><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">We set up the Pluggable Authentication Modules (PAM) stack.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/pam.d/sshd"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/pam.d/sshd</span></a><br />
<span style="font-family: Courier New, Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/pam.d/system-auth-ac"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/pam.d/system-auth-ac</span></a></div>
<div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Now the one under </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/pki/tls/certs</span><span style="font-family: inherit;">. This is actually our Certificate Authority (CA) certificate, used to enable Transport Layer Security (TLS) to our OpenLDAP servers. You could also simply copy the </span><span style="font-family: Courier New, Courier, monospace;">rootca.crt</span><span style="font-family: inherit;"> file into the </span><span style="font-family: Courier New, Courier, monospace;">/etc/pki/tls/certs</span><span style="font-family: inherit;"> directory. Either way is fine. Of course, the filename might be different for you, but it has to be the exact same path and filename in all your configuration files (nslcd, pam_ldap and the OpenLDAP client), otherwise the clients cannot verify the LDAP servers over TLS.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/pki/tls/certs/rootca.crt">/export/install/linux/etc/pki/tls/certs/rootca.crt</a></span></div>
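<div>
<br /></div>
<div>
As an added check (example code, not part of the original post or of the KickStart tree it describes), the following POSIX shell script verifies that every staged LDAP client configuration names the same CA certificate and that the certificate is actually present in the staging tree. It assumes the /export/install/linux layout used above and the directive names nslcd, pam_ldap and OpenLDAP use for the CA file (tls_cacertfile and TLS_CACERT). The sample tree it can build is constructed for demonstration only, with a placeholder certificate and a hypothetical ldap1.company.com URI.</div>
<div>
<br /></div>

```sh
#!/bin/sh
# Added example, not from the original post: make sure the staged LDAP client
# configs agree on one CA certificate path and that the file is staged.

# Print the CA file path named in one config file. Covers the directive used by
# nslcd.conf and pam_ldap.conf (tls_cacertfile) and by openldap/ldap.conf
# (TLS_CACERT); comparison is case-insensitive, comment lines never match.
ca_path_in() {
    awk 'tolower($1) == "tls_cacertfile" || tolower($1) == "tls_cacert" { print $2; exit }' "$1"
}

# check_ca_consistency TREE
# Prints the agreed CA path and returns 0 when nslcd.conf, pam_ldap.conf and
# openldap/ldap.conf under TREE all name the same CA file and it exists in TREE.
# Returns 1 (with the reason on stderr) otherwise, so it can gate the copy into
# the KickStart tree.
check_ca_consistency() {
    tree=$1
    agreed=""
    status=0
    for cfg in etc/nslcd.conf etc/pam_ldap.conf etc/openldap/ldap.conf; do
        f="$tree/$cfg"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            status=1
            continue
        fi
        p=$(ca_path_in "$f")
        if [ -z "$p" ]; then
            # Without a CA the client cannot verify the LDAP server's certificate.
            echo "no CA directive in $f" >&2
            status=1
            continue
        fi
        if [ -z "$agreed" ]; then
            agreed=$p
        elif [ "$p" != "$agreed" ]; then
            echo "mismatch: $f names $p, expected $agreed" >&2
            status=1
        fi
    done
    if [ -n "$agreed" ] && [ ! -f "$tree$agreed" ]; then
        echo "CA file $agreed is not staged under $tree" >&2
        status=1
    fi
    [ -n "$agreed" ] && echo "$agreed"
    return $status
}

# make_sample_tree [mismatch]
# Builds a constructed staging tree in a temp dir (only the lines the check
# reads) and prints its path. With "mismatch", ldap.conf names a different CA.
# The ldap1.company.com URI is hypothetical.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/openldap" "$d/etc/pki/tls/certs"
    printf 'uri ldaps://ldap1.company.com/\ntls_cacertfile /etc/pki/tls/certs/rootca.crt\n' > "$d/etc/nslcd.conf"
    printf 'ssl on\ntls_cacertfile /etc/pki/tls/certs/rootca.crt\n' > "$d/etc/pam_ldap.conf"
    if [ "$1" = mismatch ]; then
        printf 'TLS_CACERT /etc/openldap/cacerts/rootca.crt\n' > "$d/etc/openldap/ldap.conf"
    else
        printf 'TLS_CACERT /etc/pki/tls/certs/rootca.crt\n' > "$d/etc/openldap/ldap.conf"
    fi
    # Placeholder content, not a real certificate.
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/etc/pki/tls/certs/rootca.crt"
    echo "$d"
}
```

<div>
Run <span style="font-family: 'Courier New', Courier, monospace;">check_ca_consistency /export/install/linux</span> before the tree is served to clients; a non-zero exit means one of the three configs points somewhere else, or the certificate was never staged. The constructed tree from make_sample_tree only exists so the check can be tried without touching the real staging area.</div>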
<div>
<br /></div>
<span style="font-family: inherit;">While we're talking security, let's set up SELinux.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">sudo vim /export/install/linux/etc/selinux/config</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Then the ones under </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/skel</span><span style="font-family: inherit;">, which are copied into each new user's home directory when the user is created.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/skel/.aliases">/export/install/linux/etc/skel/.aliases</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/skel/.bash_profile">/export/install/linux/etc/skel/.bash_profile</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/skel/.bashrc">/export/install/linux/etc/skel/.bashrc</a></span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<span style="font-family: inherit;">The Net-SNMP configuration in </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/snmp</span><span style="font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/snmp/snmpd.conf">/export/install/linux/etc/snmp/snmpd.conf</a></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The <a href="http://www.openssh.org/">OpenSSH</a> daemon configuration in </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh</span><span style="font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/ssh/sshd_config">/export/install/linux/etc/ssh/sshd_config</a></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">And now the ones under </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig</span><span style="font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/sysconfig/autofs"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig/autofs</span></a><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/etc/sysconfig/ntpd"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig/ntpd</span></a><br />
<br />
<div>
We also need some files in the <span style="font-family: Courier New, Courier, monospace;">/root</span> directory, which means we need to create that directory in the tree first.<br />
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/install/linux/root</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
And then we can populate it with the files.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/root/.aliases"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/root/.aliases</span></a><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim </span><a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/root/.bash_profile"><span style="font-family: 'Courier New', Courier, monospace;">/export/install/linux</span><span style="font-family: 'Courier New', Courier, monospace;">/root/.bash_profile</span></a></div>
<div>
<br /></div>
</div>
<div>
Ok, we now have quite a lot of files ready and waiting. Our next target is to prepare a repository of the custom RPMs that we want to install.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mkdir -p /export/install/linux/repository/centos/6/x86_64</span><br />
<br />
Then drop the latest Java JRE in there. When I wrote this post, it was jre-7u45-linux-x64.rpm.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo mv ~/Downloads/jre-7u45-linux-x64.rpm /export/install/linux/repository/centos/6/x86_64</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo ln -s /export/install/linux/repository/centos/6/x86_64/jre-7u45-linux-x64.rpm /export/install/linux/repository/centos/6/x86_64/jre.rpm</span><br />
<br />
Notice that we create a default jre.rpm symbolic link. With this, we don't need to update our post.install.sh script after each Java update. We just need to change the symlink.<br />
<br />
I also like to drop the <a href="http://pkgs.repoforge.org/rssh/">rssh</a> RPM in there (the <a href="http://www.pizzashack.org/rssh/">home page</a> does not provide one). Just do the same as for the JRE.<br />
<br />
<h4>
Client Machine BIOS Setup</h4>
<br />
The next thing to do is to go into the client machine's BIOS and make sure the boot order is set to CD/DVD, then local hard disk, then PXE. If PXE comes first, then once we KickStart the server it will reboot and PXE boot again, which is a KickStart infinite loop! The other thing to make sure of is that PXE is enabled on the Network Interface Card (NIC) we plan to use.<br />
<br />
Now, from the kickstart server, open a shell and hit this :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo tail -F /var/log/messages</span><br />
<br />
Once this is done, let's boot the client machine, hit PXE boot and see what happens.</div>
<div>
<br />
Your client machine should boot via PXE, get its IP via DHCP, then issue several TFTP requests to get its kernel, initrd and KickStart configuration. Then it's going to pull lots of files via HTTP and reboot.<br />
<br />
Once it has rebooted, you should have a new server tailored for your own environment!<br />
<br />
<h4>
Next Steps</h4>
<br />
Once the client has booted, connect to it via SSH and create its Kerberos setup. Don't worry about the NFS error; it's normal at this point, because we configured the autofs daemon to fetch the NFS mount tables from OpenLDAP, autofs authenticates to LDAP via Kerberos, and the client does not yet have its final Kerberos configuration.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">ssh oxygen.company.com</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo kadmin</span><br />
<span style="font-family: Courier New, Courier, monospace;">kadmin> <b>addprinc -randkey host/oxygen.company.com@COMPANY.COM</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">kadmin> <b>addprinc -randkey autofsclient/oxygen.company.com@COMPANY.COM</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">kadmin> <b>ktadd host/oxygen.company.com@COMPANY.COM</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">kadmin> <b>ktadd autofsclient/oxygen.company.com@COMPANY.COM</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">kadmin> <b>exit</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo /etc/init.d/autofs stop</span><br />
<span style="font-family: Courier New, Courier, monospace;">sudo /etc/init.d/autofs start</span><br />
<br />
Now you should have a working autofs daemon. Try it by simply going into your own directory.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">cd && pwd</span><br />
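<div>
<br /></div>
<div>
As an added check (example code, not part of the original post), the following POSIX shell script confirms that the two ktadd commands above really landed in the client's keytab, by parsing the output of <span style="font-family: 'Courier New', Courier, monospace;">klist -k</span> and reporting any required principal that is missing. It assumes the host/ and autofsclient/ service names from the kadmin session and the oxygen.company.com host from the post; the two sample klist outputs it includes are constructed.</div>
<div>
<br /></div>

```sh
#!/bin/sh
# Added example, not from the original post: verify that the client's keytab
# holds the two principals autofs needs, by parsing "klist -k" output.

# missing_principals FQDN REALM
# Reads "klist -k" output on stdin. Prints each required principal (host/ and
# autofsclient/, the names used in the kadmin session above) that is absent,
# one per line, and returns 1; returns 0 when both are present.
missing_principals() {
    fqdn=$1
    realm=$2
    # Entry lines of "klist -k" start with a numeric KVNO; the header lines
    # ("Keytab name:", "KVNO Principal", dashes) do not.
    found=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    status=0
    for svc in host autofsclient; do
        want="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$found" | grep -qxF "$want"; then
            echo "$want"
            status=1
        fi
    done
    return $status
}

# Constructed "klist -k" output for the oxygen.company.com host from the post,
# in the layout MIT Kerberos prints: one complete keytab, one where the
# autofsclient key was never added.
sample_klist_complete() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oxygen.company.com@COMPANY.COM
   2 autofsclient/oxygen.company.com@COMPANY.COM
EOF
}

sample_klist_partial() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oxygen.company.com@COMPANY.COM
EOF
}
```

<div>
On the freshly kickstarted client, <span style="font-family: 'Courier New', Courier, monospace;">sudo klist -k | missing_principals "$(hostname -f)" COMPANY.COM</span> prints nothing and exits 0 when both keys are there; if it names autofsclient/..., the autofs restart above will keep failing to authenticate to LDAP no matter how many times it is restarted.</div>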
<br />
That's it! :)<br />
<br />
<h4>
New Client Setup</h4>
<br />
Now that we have a working KickStart and configuration setup, we should use it to set up new machines. To do so, the only thing you need to change is the <a href="https://dl.dropboxusercontent.com/u/72609528/blog/kickstart/export/install/linux/kickstart/oxygen.company.com.ks" style="font-family: 'Courier New', Courier, monospace;">/export/install/linux/kickstart/centos6.ks</a> file. Make sure to edit the <span style="font-family: Courier New, Courier, monospace;">network </span>part of it so that you don't configure two systems with the same hostname and IP address.<br />
<br />
Let's hope it works for you as it does for me :)<br />
<br />
HTH,<br />
<br />
David</div>
</div>
</div>
<div>
<br /></div>
<b>RCS and sudo log names</b> (2013-10-16)<br />
<br />
If you're tired of always seeing the root user in the RCS $Id$ tags, then <a href="http://www.linuxhowtos.org/Tips%20and%20Tricks/logname_sudo.htm">follow this short and to-the-point blog post</a> to switch it to the real author.<br />
<br />
<b>Map Apple Keyboard on Windows 7 and Restore Apple Function Keys</b> (2013-04-12)<br />
<br />
This is a short post just to redirect all Apple Keyboard users on Windows 7 machines to a great blog that explains how to get the full functions of the keyboard.<br />
<br />
Check the <a href="http://www.nextofwindows.com/map-apple-keyboard-on-windows-7-and-restore-apple-function-keys/">Map Apple Keyboard on Windows 7 and Restore Apple Function Keys</a> post for more info.<br />
<br />
<b>CentOS yum(8) Error « No module named cElementTree » Fixed</b> (2013-03-12)<br />
<br />
I've been having problems with yum(8) on one of the CentOS 6 x86_64 machines. After looking at many different forums and bug reports, I have now found the solution.<br />
<br />
<a name='more'></a>The problem was very bad. When I would use yum(8), I would get this ugly Python error :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y update --exclude=yum</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Loaded plugins: fastestmirror</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Loading mirror speeds from cached hostfile</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> * base: www.cubiculestudio.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> * extras: centos.mirror.rafal.ca</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> * updates: www.cubiculestudio.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">base | 3.7 kB 00:00 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Traceback (most recent call last):</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/bin/yum", line 29, in <module></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> yummain.user_main(sys.argv[1:], exit_code=True)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/share/yum-cli/yummain.py", line 276, in user_main</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> errcode = main(args)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/share/yum-cli/yummain.py", line 129, in main</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> result, resultmsgs = base.doCommands()</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/share/yum-cli/cli.py", line 434, in doCommands</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> self._getTs(needTsRemove)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/depsolve.py", line 99, in _getTs</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> self._getTsInfo(remove_only)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/depsolve.py", line 110, in _getTsInfo</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> pkgSack = self.pkgSack</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 883, in <lambda></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> pkgSack = property(fget=lambda self: self._getSacks(),</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 668, in _getSacks</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> self.repos.populateSack(which=repos)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/repos.py", line 294, in populateSack</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> sack.populate(repo, mdtype, callback, cacheonly)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 164, in populate</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> if self._check_db_version(repo, mydbtype):</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 222, in _check_db_version</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> return repo._check_db_version(mdtype)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1263, in _check_db_version</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> repoXML = self.repoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1462, in <lambda></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> repoXML = property(fget=lambda self: self._getRepoXML(),</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1454, in _getRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> self._loadRepoXML(text=self)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1444, in _loadRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> return self._groupLoadRepoXML(text, self._mdpolicy2mdtypes())</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1419, in _groupLoadRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> if self._commonLoadRepoXML(text):</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1237, in _commonLoadRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> result = self._getFileRepoXML(local, text)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1015, in _getFileRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> size=102400) # setting max size as 100K</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 837, in _getFile</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> size=size</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/urlgrabber/mirror.py", line 408, in urlgrab</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> return self._mirror_try(func, url, kw)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/urlgrabber/mirror.py", line 394, in _mirror_try</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> return func_ref( *(fullurl,), **kwargs )</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 985, in urlgrab</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> return self._retry(opts, retryfunc, url, filename)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 886, in _retry</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> r = apply(func, (opts,) + args, {})</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 980, in retryfunc</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> apply(cb_func, (obj, )+cb_args, cb_kwargs)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1501, in _checkRepoXML</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> repoXML = repoMDObject.RepoMD(self.id, filepath)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/repoMDObject.py", line 124, in __init__</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> self.parse(srcfile)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/repoMDObject.py", line 140, in parse</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> parser = iterparse(infile)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/misc.py", line 1169, in cElementTree_iterparse</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> _cElementTree_import()</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib/python2.6/site-packages/yum/misc.py", line 1164, in _cElementTree_import</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> import cElementTree</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ImportError: No module named cElementTree</span><br />
<div>
<br /></div>
I searched the web and found quite a lot of other frustrated yum users. One of them suggested testing Python right at the source: from Python's interactive shell.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo python</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Python 2.6.6 (r266:84292, Jun 18 2012, 14:18:47) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[GCC 4.4.6 20110731 (Red Hat 4.4.6-3)] on linux2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Type "help", "copyright", "credits" or "license" for more information.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> from xml.etree import cElementTree</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Traceback (most recent call last):</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "<stdin>", line 1, in <module></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> File "/usr/lib64/python2.6/xml/etree/cElementTree.py", line 3, in <module></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> from _elementtree import *</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ImportError: /usr/lib64/python2.6/lib-dynload/<b>pyexpat.so</b>: symbol XML_SetHashSalt, version EXPAT_2_0_1_RH not defined in file libexpat.so.1 with link time reference</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">>>> quit</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Use quit() or Ctrl-D (i.e. EOF) to exit</span><br />
<br />
So my <span style="font-family: 'Courier New', Courier, monospace;">pyexpat.so</span> is having problems with the <span style="font-family: 'Courier New', Courier, monospace;">libexpat.so.1</span> it loads? Ok, let's find that library, just for fun.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo find /lib /lib64 /usr /opt -type f -iname "libexpat.so*"</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/lib64/libexpat.so.1.5.2</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/opt/oracle/product/11.2.0/client_1/lib/libexpat.so.1</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">/opt/oracle/product/11.2.0/client_1/lib/libexpat.so.1.5.2</span><br />
<div>
<br /></div>
<div>
What's this Oracle file? Could it be causing me all those problems? </div>
<br />
In the end, the error was coming from the shared library dependencies. These are configured in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf</span> file, which is very basic:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cat /etc/ld.so.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">include ld.so.conf.d/*.conf</span><br />
<br />
That says to load any configuration file ending in .conf found in the ld.so.conf.d directory. When I took a look at the content of this directory, I found this :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ls -1 /etc/ld.so.conf.d/*.conf</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/atlas-x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/kernel-2.6.32-220.13.1.el6.x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/kernel-2.6.32-220.17.1.el6.x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/kernel-2.6.32-220.23.1.el6.x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/kernel-2.6.32-220.4.1.el6.x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/kernel-2.6.32-358.0.1.el6.x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/mysql-x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/qt-x86_64.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/xulrunner-64.conf</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ld.so.conf.d/<b>oracle.conf</b></span></div>
</div>
<br />
There are a lot of entries here. Looking at this, I tried removing all the non-CentOS configurations, starting with the obvious one : <span style="font-family: 'Courier New', Courier, monospace;">oracle.conf</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /etc/ld.so.conf.d/oracle.conf /tmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldconfig</span><br />
<br />
And voilà! Problem solved.<br />
<br />
So basically, if you have this problem, double check your libraries. That's probably where the problem is.<br />
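<br />
As an added example (not part of the original post), the following POSIX shell script makes that "double check your libraries" advice mechanical: it reads every <span style="font-family: 'Courier New', Courier, monospace;">*.conf</span> under an ld.so.conf.d directory and reports every library in the directories they list whose file name also exists in the system library directories. Since ldconfig searches the directories named in ld.so.conf before the trusted <span style="font-family: 'Courier New', Courier, monospace;">/lib64</span> and <span style="font-family: 'Courier New', Courier, monospace;">/usr/lib64</span>, every such name is a library the vendor copy will shadow, which is exactly how the Oracle client's libexpat.so.1 got loaded here. The mock filesystem it can build is constructed from the paths in this post, with empty files standing in for the libraries; the libmysqlclient and libclntsh names are assumptions used only as non-conflicting filler.
<br />

```sh
#!/bin/sh
# Added example, not from the original post: list shared-library names that a
# directory configured in ld.so.conf.d would shadow. ldconfig searches the
# directories named in /etc/ld.so.conf (and its includes) before the trusted
# /lib64 and /usr/lib64, so a libexpat.so.1 in a vendor directory wins over
# the system copy.

# shadowed_libs CONFDIR SYSDIR...
# For each *.conf in CONFDIR, read the directories it lists (one per line,
# '#' starts a comment) and print the library name, the directory and the conf
# file, tab-separated, for every file there whose name also exists in one of
# the SYSDIRs.
shadowed_libs() {
    confdir=$1
    shift
    for conf in "$confdir"/*.conf; do
        [ -f "$conf" ] || continue
        sed -e 's/#.*//' "$conf" | while read -r dir; do
            [ -d "$dir" ] || continue
            for lib in "$dir"/*.so*; do
                [ -e "$lib" ] || continue
                name=$(basename "$lib")
                for sys in "$@"; do
                    if [ -e "$sys/$name" ]; then
                        printf '%s\t%s\t%s\n' "$name" "$dir" "$conf"
                    fi
                done
            done
        done
    done
}

# make_sample_root
# Builds a constructed mock of the box in the post (empty files stand in for
# the libraries) and prints its path: the system libexpat in lib64, an Oracle
# client directory that ships its own libexpat, and a harmless mysql entry.
make_sample_root() {
    r=$(mktemp -d)
    ora="$r/opt/oracle/product/11.2.0/client_1/lib"
    mkdir -p "$r/lib64" "$ora" "$r/usr/lib64/mysql" "$r/etc/ld.so.conf.d"
    touch "$r/lib64/libexpat.so.1" "$r/lib64/libexpat.so.1.5.2"
    touch "$ora/libexpat.so.1" "$ora/libexpat.so.1.5.2" "$ora/libclntsh.so.11.1"
    touch "$r/usr/lib64/mysql/libmysqlclient.so.16"
    echo "$ora" > "$r/etc/ld.so.conf.d/oracle.conf"
    echo "$r/usr/lib64/mysql" > "$r/etc/ld.so.conf.d/mysql-x86_64.conf"
    echo "$r"
}
```

<br />
On a live CentOS 6 box, <span style="font-family: 'Courier New', Courier, monospace;">shadowed_libs /etc/ld.so.conf.d /lib64 /usr/lib64</span> lists what ldconfig will resolve from a vendor directory instead of the distribution's copy; on the mock tree it reports libexpat.so.1 and libexpat.so.1.5.2 from the Oracle directory and nothing for the mysql entry. Moving the offending conf file aside and re-running ldconfig, as above, is the fix.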
<br />
HTH,<br />
<br />
DA+<br />
<div>
<br /></div>
<b>Oracle Solaris 10 Kerberized SSH Configuration</b> (2013-02-22)<br />
<br />
If you manage Oracle Solaris 10 machines, you might want to configure your servers to accept Kerberos principals via SSH. The SSH that comes with Solaris 10 does not understand the same configuration directives as OpenSSH does, and Solaris has a little quirk that Linux and BSD don't.<br />
<br />
If you don't already have a Kerberos infrastructure in place, then the first thing to do is to set one up. Read my other article <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">HOWTO : Kerberos KDC with OpenLDAP 2.4 Back-End and SASL GSSAPI Authentication on CentOS 6.2</a> to learn how to create a Kerberos realm.<br />
<br />
<a name='more'></a>In this example, the Solaris host is called <span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com</span>, the Kerberos realm is <span style="font-family: 'Courier New', Courier, monospace;">COMPANY.COM</span> and the KDC machines are <span style="font-family: 'Courier New', Courier, monospace;">kdc1.company.com</span> & <span style="font-family: 'Courier New', Courier, monospace;">kdc2.company.com</span>.<br />
<br />
The second thing to do is simply to install <a href="http://www.oracle.com/technetwork/server-storage/solaris10/downloads/index.html">Oracle Solaris 10 1/13</a>, which is the latest version of Solaris 10 available on the Oracle download site. Make sure you have the following packages installed on the Solaris machine :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWkdcr Kerberos V5 KDC (root)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWkdcu Kerberos V5 Master KDC (user)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWkrbr Kerberos version 5 support (Root)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWkrbu Kerberos version 5 support (Usr)</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWsshcu SSH Common, (Usr)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWsshdr SSH Server, (Root)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWsshdu SSH Server, (Usr)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWsshr SSH Client and utilities, (Root)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">system SUNWsshu SSH Client and utilities, (Usr)</span></div>
</div>
<div>
<br /></div>
<div>
Configure the sshd service.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/etc/ssh/sshd_config.solaris.txt">/etc/ssh/sshd_config</a></span></div>
<br />
Notice how I left the various Kerberos and GSSAPI configurations in comments? The idea is to prevent other admins from enabling those. If you do, then the sshd server will refuse to start and the service will be placed in maintenance mode. This is what would happen if you did enable them :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo svcadm restart ssh</span><br />
<br />
But sshd would have died. If you looked in the log files, this is what came up :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 14:59:18 voyager sshd[503]: [ID 800047 auth.info] Received signal 15; terminating.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 14:59:18 voyager svc.startd[11]: [ID 652011 daemon.warning] svc:/network/ssh:default: Method "/lib/svc/method/sshd start" failed with exit status 255.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 14:59:18 voyager svc.startd[11]: [ID 652011 daemon.warning] svc:/network/ssh:default: Method "/lib/svc/method/sshd start" failed with exit status 255.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 14:59:18 voyager svc.startd[11]: [ID 652011 daemon.warning] svc:/network/ssh:default: Method "/lib/svc/method/sshd start" failed with exit status 255.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 14:59:19 voyager svc.startd[11]: [ID 748625 daemon.error] network/ssh:default failed: transitioned to maintenance (see 'svcs -xv' for details)</span><br />
<div>
<br /></div>
<div>
So, as the log says, we run svcs.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">svcs -xv</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">svc:/network/ssh:default (SSH server)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> State: maintenance since February 22, 2013 2:59:19 PM EST</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Reason: Start method failed repeatedly, last exited with status 255.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> See: http://sun.com/msg/SMF-8000-KS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> See: man -M /usr/share/man -s 1M sshd</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> See: /var/svc/log/network-ssh:default.log</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Impact: This service is not running.</span></div>
</div>
<div>
<br /></div>
So that points us into another log file. Let's take a look.<br />
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cat /var/svc/log/network-ssh:default.log</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[ Feb 22 14:59:18 Executing start method ("/lib/svc/method/sshd start") ]</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config: line 60: Bad configuration option: KerberosAuthentication</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config: line 61: Bad configuration option: KerberosOrLocalPasswd</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config: line 62: Bad configuration option: KerberosTicketCleanup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config: line 64: Bad configuration option: GSSAPICleanupCredentials</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config: terminating, 4 bad configuration options</span></div>
</div>
<div>
<br /></div>
<div>
There you go! I told you it wouldn't work ;)</div>
<div>
<br /></div>
<div>
To clear the error state, simply use <span style="font-family: 'Courier New', Courier, monospace;">svcadm(1M)</span>, fix the configuration file and enable it again. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo svcadm clear ssh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/ssh/sshd_config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo svcadm enable ssh</span></div>
<div>
<br /></div>
<div>
And now the SSH daemon is running as the log says :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 15:20:31 voyager sshd[8772]: [ID 800047 auth.info] Server listening on 0.0.0.0 port 22.</span></div>
</div>
<div>
<br /></div>
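The failure above is easy to avoid with a pre-flight check. The following script is an added example, not part of the post: it scans an sshd_config for the four keywords that the log shows SunSSH rejecting, so you can run it before <span style="font-family: 'Courier New', Courier, monospace;">svcadm restart ssh</span> instead of finding out from a service in maintenance mode. The keyword list is taken from the log lines quoted above; the file paths are the post's.

```shell
#!/bin/sh
# Added example, not from the post: a pre-flight check to run on a Solaris 10
# host BEFORE "svcadm restart ssh". SunSSH aborts on the OpenSSH-only keywords
# seen in the post's /var/svc/log/network-ssh:default.log, which throws the
# service into maintenance and can lock every remote admin out.
# The keyword list is taken from that log; extend it for your build.

SUNSSH_REJECTED_KEYWORDS="KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup GSSAPICleanupCredentials"

# Report every active (uncommented) line of $1 whose keyword SunSSH rejects.
# Returns 0 when the file is clean, 1 when at least one offender was found,
# 2 when the file cannot be read.
check_sunssh_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    tab=$(printf '\t')
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        key=${line#"${line%%[! $tab]*}"}   # drop leading blanks
        key=${key%%[ $tab=]*}              # first word ("Keyword value" or "Keyword=value")
        [ -n "$key" ] || continue
        case "$key" in \#*) continue ;; esac
        # sshd keywords are case-insensitive, so compare lower-cased
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        for kw in $SUNSSH_REJECTED_KEYWORDS; do
            if [ "$lkey" = "$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')" ]; then
                printf '%s: line %d: %s is not a SunSSH option\n' "$cfg" "$n" "$key"
                bad=1
            fi
        done
    done < "$cfg"
    return $bad
}

# Typical use on the Solaris host (sshd_config path as in the post):
#   check_sunssh_config /etc/ssh/sshd_config && svcadm restart ssh
```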
Once you have the Kerberos realm up and going, connect to the Solaris machine to configure its Kerberos file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh voyager.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/etc/krb5/krb5.conf">/etc/krb5/krb5.conf</a></span><br />
<br />
Then contact the KDC to create the new Solaris 10 host's principal and add it to the machine's keytab.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin> addprinc -randkey host/voyager.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin> ktadd host/voyager.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin> exit</span><br />
<br />
That will have created the <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5/krb5.keytab</span> file. Should you want to take a look at what's in this file, simply run this command :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo klist -ek /etc/krb5/krb5.keytab </span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Keytab name: FILE:/etc/krb5/krb5.keytab</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">KVNO Principal</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">---- --------------------------------------------------------------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 host/</span><span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com@COMPANY.COM</span><span style="font-family: 'Courier New', Courier, monospace;"> (AES-256 CTS mode with 96-bit SHA-1 HMAC) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 host/</span><span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com@COMPANY.COM</span><span style="font-family: 'Courier New', Courier, monospace;"> (AES-128 CTS mode with 96-bit SHA-1 HMAC) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 host/</span><span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com@COMPANY.COM</span><span style="font-family: 'Courier New', Courier, monospace;"> (Triple DES cbc mode with HMAC/sha1) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 host/</span><span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com@COMPANY.COM</span><span style="font-family: 'Courier New', Courier, monospace;"> (ArcFour with HMAC/md5) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 host/</span><span style="font-family: 'Courier New', Courier, monospace;">voyager.company.com@COMPANY.COM</span><span style="font-family: 'Courier New', Courier, monospace;"> (DES cbc mode with RSA-MD5) </span><br />
<br />
Alright, now the Solaris-specific part of Kerberos SSH authentication is to create a mapping from a Kerberos principal to a local user. This is done with the <span style="font-family: 'Courier New', Courier, monospace;">gsscred(1M)</span> command. In this example, I'm going to map my Kerberos principal <span style="font-family: 'Courier New', Courier, monospace;">drobilla@COMPANY.COM</span> to my local UNIX user <span style="font-family: 'Courier New', Courier, monospace;">drobilla</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo gsscred -m kerberos_v5 -a -c "David Robillard" -n drobilla@COMPANY.COM -u drobilla</span><br />
<br />
You can then check the contents of the Kerberos association database with the same command :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo gsscred -l</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">0401000B06092A864886F7120102020000001464726F62696C6C614043415052494F4E2E434F4D drobilla David Robillard</span><br />
<div>
<br /></div>
<div>
Once this association is made, you can now test the Kerberos authentication of sshd. </div>
<div>
<br /></div>
<div>
<b>HINT</b> : <b>Do NOT log off from the Solaris machine to test SSH. Use another terminal window.</b> If it fails, at least you still have a valid shell on the Solaris machine to try and fix the problem...</div>
<div>
<br /></div>
<div>
So, from a RedHat or CentOS machine that is already part of the same Kerberos realm, do this to test your Kerberized Solaris SSH server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kdestroy</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kinit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Password: <enter your Kerberos principal's password here></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh voyager.company.com</span></div>
<div>
<br /></div>
<div>
You should be logged in to the Solaris machine with your Kerberos principal. If it works, then the logs will show this :</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 15:24:39 voyager sshd[8785]: [ID 800047 auth.info] Authorized principal drobilla@COMPANY.COM, authenticated with GSS mechanism kerberos_v5, to: drobilla</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 15:24:39 voyager sshd[8785]: [ID 800047 auth.info] Accepted gssapi-with-mic for drobilla from 192.168.2.2 port 43205 ssh2</span><br />
<div>
<br /></div>
<div>
While the Kerberos KDC logs will show this :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 15:19:39 kdc1 krb5kdc[3234]: TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 10.10.2.2: ISSUE: authtime 1361564246, etypes {rep=18 tkt=18 ses=18}, drobilla@COMPANY.COM for krbtgt/COMPANY.COM@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Feb 22 15:19:42 kdc1 krb5kdc[3234]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.27: ISSUE: authtime 1361564246, etypes {rep=18 tkt=18 ses=18}, drobilla@COMPANY.COM for host/voyager.company.com@COMPANY.COM</span></div>
</div>
<div>
<br /></div>
<div>
If not, then you will be prompted to enter your password :/</div>
<div>
<br /></div>
<h4>
BSD Specific Issue</h4>
<div>
<br /></div>
<div>
If you try to ssh to the Solaris Kerberized ssh daemon from a FreeBSD or PC-BSD host, you will be authenticated but immediately disconnected, with very little debugging information. The trick to make it work is to change your BSD machine's ssh_config (i.e. NOT the sshd_config) : it's the BSD OpenSSH client that must NOT try to delegate the credentials. For some reason it never worked for me (if someone knows why, then please let me know). </div>
<div>
<br /></div>
<div>
What worked for me was to comment out this line in the BSD machine's <span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/ssh_config</span> :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># GSSAPIDelegateCredentials</span></div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com4tag:blogger.com,1999:blog-4619978964286106329.post-19685390538379996152013-02-22T14:35:00.002-05:002013-02-26T10:05:23.456-05:00<br />
<b>MySQL Backup and Recovery</b><br />
<br />
If your site manages its data with MySQL, then you obviously need to make sure the data is safe. In this blog post, I will show how to create a daily backup automatically. I will also show a continuous data protection plan for MySQL databases. This blog post uses the backup server configured in my <a href="http://itdavid.blogspot.ca/2012/06/secure-backup-recovery-with-rsnapshot.html">Secure Backup & Recovery with rsnapshot, rssh and OpenSSH</a> article.<br />
<a name='more'></a>In order to understand this blog, let's define some important terms :<br />
<ul>
<li>Backup server's hostname : <span style="font-family: 'Courier New', Courier, monospace;">angel.company.com</span></li>
<li>First MySQL server's hostname : <span style="font-family: 'Courier New', Courier, monospace;">jedi.company.com</span></li>
<li>Second MySQL server's hostname : <span style="font-family: 'Courier New', Courier, monospace;">r2d2.company.com</span></li>
</ul>
<h4>
Backup Server Setup (part 1 of 2)</h4>
<br />
The first thing we need to do on the backup server is to install the required software.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh angel.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install openssh-clients rsnapshot mysql vim</span><br />
<br />
Then configure a directory structure where the MySQL backups will be stored. Ideally, you want to create a separate file system for this directory structure, and manage it under LVM2 so that you can increase its size dynamically in the future. I'll skip the LVM2 setup for now.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/backup/{conf,data,log,run,scripts}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R root:root /export/backup</span><br />
<br />
Create two wrapper scripts to help the process.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/backup_runner.sh">/export/backup/scripts/backup_runner.sh</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/ssh_wrapper.sh">/export/backup/scripts/ssh_wrapper.sh</a></span><br />
<br />
Make sure both scripts are executable and that they don't have any syntax errors in them.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod a+x /export/backup/scripts/*.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo sh -n /export/backup/scripts/backup_runner.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo sh -n /export/backup/scripts/ssh_wrapper.sh</span><br />
<br />
Configure both MySQL backup configuration files. <b>WARNING</b> : rsnapshot is very sensitive to the difference between spaces and tabs. <b>DO NOT USE ANY SPACES IN THE CONFIGURATION FILE!</b> You have been warned :)<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/rdbms.mysql.daily">/export/backup/conf/rdbms.mysql.daily</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/rdbms.mysql.hourly">/export/backup/conf/rdbms.mysql.hourly</a></span><br />
<br />
Make sure our backup log files don't consume too much disk space.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/etc.logrotate.d.backup">/etc/logrotate.d/backup</a></span><br />
<br />
And make sure our new logrotate configuration is still valid.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo logrotate -d /etc/logrotate.conf</span><br />
<br />
Create the two MySQL backup scripts. Notice that in each of these two scripts, the variable <span style="font-family: 'Courier New', Courier, monospace;">MYSQL_HOST_LIST</span> is a space-separated list of the FQDNs of all machines running MySQL. The beauty of this is that you can back up all your MySQL machines with a single script!<br />
<br />
<b>WARNING</b> : <i>be sure to change the user's password in both scripts!</i><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/mysql_backup_daily.sh">/export/backup/scripts/mysql_backup_daily.sh</a></span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim <a href="https://dl.dropbox.com/u/72609528/blog/backup/mysql_backup_hourly.sh">/export/backup/scripts/mysql_backup_hourly.sh</a></span><br />
<div>
<br /></div>
<div>
Protect those scripts because they hold the MySQL backup user's password.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /export/backup/scripts/mysql_backup_*.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 700 /export/backup/scripts/mysql_backup_*.sh</span></div>
<div>
<br /></div>
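As an added example (not the author's linked mysql_backup_daily.sh), here is a dump runner in the shape the post describes: it loops over MYSQL_HOST_LIST, writes one HOST.DB.DATE.sql.gz per database plus a HOST.ALL.DATE.sql.gz, and verifies every file before counting it as a backup. It assumes the backup user's password sits in a root-only defaults file (a constructed path, /export/backup/conf/backup.my.cnf) instead of inside the script, which is what makes the chmod 700 above necessary.

```shell
#!/bin/sh
# Added example, not the post's linked mysql_backup_daily.sh: a daily dump
# runner in the shape the post describes. Every host in MYSQL_HOST_LIST gets
# one HOST.DB.DATE.sql.gz per database plus HOST.ALL.DATE.sql.gz.
# Assumption: the backup user's password lives in a root-only defaults file
# (constructed path below) instead of being written into this script.
set -u

MYSQL_HOST_LIST="${MYSQL_HOST_LIST:-jedi.company.com r2d2.company.com}"
MYSQL_DEFAULTS="${MYSQL_DEFAULTS:-/export/backup/conf/backup.my.cnf}"   # [client] user=backup / password=...
BACKUP_DIR="${BACKUP_DIR:-/export/backup/data/rdbms.mysql/all_servers}"
DATE_STAMP="${DATE_STAMP:-$(date +%Y%m%d)}"

# HOST.DB.DATE.sql.gz, the naming used in the post's directory listing
dump_file_name() {
    printf '%s.%s.%s.sql.gz\n' "$1" "$2" "$3"
}

# The defaults file holds a password: accept it only when neither group nor
# other has a read bit (columns 5 and 8 of the ls -l mode string).
defaults_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????-??-??) return 0 ;;
        *) return 1 ;;
    esac
}

# A dump only counts as a backup when the gzip stream is intact and the
# trailer mysqldump writes last ("-- Dump completed ...") is present.
# This catches a mysqldump that died mid-way, which "mysqldump | gzip"
# hides because the pipeline's exit status is gzip's, not mysqldump's.
dump_is_complete() {
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | tail -n 3 | grep -q '^-- Dump completed'
}

# Dump every database on one host separately, then the whole server.
dump_host() {
    host="$1"
    rc=0
    dbs=$(mysql --defaults-extra-file="$MYSQL_DEFAULTS" -h "$host" -N -B -e 'SHOW DATABASES') || return 1
    for db in $dbs; do
        # virtual system schemas are rebuilt by the server; skip them
        case "$db" in information_schema|performance_schema) continue ;; esac
        out="$BACKUP_DIR/$(dump_file_name "$host" "$db" "$DATE_STAMP")"
        mysqldump --defaults-extra-file="$MYSQL_DEFAULTS" -h "$host" \
            --single-transaction --routines --triggers "$db" | gzip -c > "$out"
        chmod 600 "$out"
        dump_is_complete "$out" || { echo "INCOMPLETE: $out" >&2; rc=1; }
    done
    out="$BACKUP_DIR/$(dump_file_name "$host" ALL "$DATE_STAMP")"
    mysqldump --defaults-extra-file="$MYSQL_DEFAULTS" -h "$host" \
        --single-transaction --routines --triggers --all-databases | gzip -c > "$out"
    chmod 600 "$out"
    dump_is_complete "$out" || { echo "INCOMPLETE: $out" >&2; rc=1; }
    return $rc
}

main() {
    defaults_file_is_private "$MYSQL_DEFAULTS" || {
        echo "refusing to run: $MYSQL_DEFAULTS is missing or readable by others" >&2
        return 1
    }
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || return 1
    rc=0
    for h in $MYSQL_HOST_LIST; do
        dump_host "$h" || rc=1
    done
    return $rc
}

# Run only when executed under this name (from cron); sourcing the file just
# defines the functions so dump_is_complete can be reused on old dumps.
case "${0##*/}" in mysql_backup_daily.sh) main "$@" ;; esac
```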
<div>
We now need to configure the MySQL clients with the proper database backup user.</div>
<div>
<br /></div>
<h4>
MySQL Client Configuration</h4>
<div>
<br /></div>
<div>
Connect to each MySQL machine to create the backup user in its mysql database. Again, don't forget to update the user's password in the SQL commands. Let's start with our first MySQL server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh jedi.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql -u root -p</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> create user 'backup'@'angel.company.com' identified by 'change_me';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> grant all on *.* to 'backup'@'angel.company.com';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> flush privileges;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> exit;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<br /></div>
<div>
And now do the same with the other MySQL machine.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh r2d2.company.com</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql -u root -p</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> create user 'backup'@'angel.company.com' identified by 'change_me';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> grant all on *.* to 'backup'@'angel.company.com';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> flush privileges;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql> exit;</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<br /></div>
<h4>
Backup Server Setup (part 2 of 2)</h4>
<div>
<br /></div>
<div>
Back on the backup server, execute the mysql command to test whether the new user can connect.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql -u backup -p -h jedi.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mysql -u backup -p -h r2d2.company.com</span></div>
<div>
<br /></div>
<div>
Once that is done, we can configure <span style="font-family: 'Courier New', Courier, monospace;">root</span>'s crontab to execute both of these scripts.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo <a href="https://dl.dropbox.com/u/72609528/blog/backup/crontab.mysql.txt">crontab -e</a></span></div>
<div>
<br /></div>
<div>
Once the backups are done, you will now have the following data in your data folder.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ls -AlFR /export/backup/data/rdbms.mysql/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 3 root root 4096 Feb 22 13:30 daily.0/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 4 root root 4096 Feb 22 14:00 hourly.0/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 3 root root 4096 Feb 22 13:46 hourly.1/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/daily.0:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 12</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 2 root root 4096 Feb 22 13:30 all_servers/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/daily.0/all_servers:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 292</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 139900 Feb 22 13:30 jedi.company.com.ALL.20130222.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 985 Feb 22 13:30 jedi.company.com.information_schema.20130222.sql</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 138348 Feb 22 13:30 jedi.company.com.mysql.20130222.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 2247 Feb 22 13:30 jedi.company.com.net2ftp.20130222.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/hourly.0:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 16</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 2 root root 4096 Feb 22 14:00 all_servers/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 2 root root 4096 Feb 22 13:46 prod/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/hourly.0/all_servers:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 152</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 985 Feb 22 14:00 jedi.company.com.information_schema.2013.02.22-14:00.sql</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 138354 Feb 22 14:00 jedi.company.com.mysql.2013.02.22-14:00.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 1 root root 2254 Feb 22 14:00 jedi.company.com.net2ftp.2013.02.22-14:00.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/hourly.0/prod:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 152</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 985 Feb 22 13:46 jedi.company.com.information_schema.2013.02.22-13:46.sql</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 138356 Feb 22 13:46 jedi.company.com.mysql.2013.02.22-13:46.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 2255 Feb 22 13:46 jedi.company.com.net2ftp.2013.02.22-13:46.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/hourly.1:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 12</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drwxr-xr-x 2 root root 4096 Feb 22 13:46 prod/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/backup/data/rdbms.mysql/hourly.1/prod:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">total 152</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 985 Feb 22 13:46 jedi.company.com.information_schema.2013.02.22-13:46.sql</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 138356 Feb 22 13:46 jedi.company.com.mysql.2013.02.22-13:46.sql.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-rw------- 2 root root 2255 Feb 22 13:46 jedi.company.com.net2ftp.2013.02.22-13:46.sql.gz</span></div>
</div>
<div>
<br /></div>
<h4>
Recovery</h4>
<div>
<br /></div>
<div>
Should you ever need to recover (and you should try this before you really have to use this!) simply use one of the SQL scripts generated. For example, if we need to restore the entire database on host <span style="font-family: 'Courier New', Courier, monospace;">jedi.company.com</span>, we would do this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">gunzip -c jedi.company.com.ALL.20130222.sql.gz | mysql -u backup -p -h jedi.company.com</span></div>
<div>
<br /></div>
<div>
That is assuming the host was reinstalled as a result of a catastrophic failure or security breach. If you already have your databases on the host, make sure to drop them all before you do that.</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
David</div>
<br />
<br />Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com2tag:blogger.com,1999:blog-4619978964286106329.post-59418842682078578802013-01-29T10:59:00.002-05:002013-02-08T15:36:37.726-05:00<br />
<b>Oracle Data Pump</b><br />
<br />
Today I'm going to show how I use the Oracle Data Pump utilities. Starting with Oracle 10gR1, Oracle replaced the export and import utilities with their Data Pump counterparts, expdp and impdp respectively. The official documentation on these utilities is found in the <a href="http://docs.oracle.com/cd/B19306_01/server.102/b14215/toc.htm">Oracle Database Utilities 10g Release 2 (10.2)</a> manual.<br />
<br />
The steps outlined in this blog post are part of a database consolidation effort in which several databases from two different machines will be merged into a new Linux x86_64 server running RedHat Enterprise Linux 5.9 and Oracle RDBMS 10gR2.<br />
<a name='more'></a><br />
The first step in this consolidation effort is of course to install and patch the new Linux x86_64 machine's OS and Oracle RDBMS 10gR2. The latest version of this (rather old) Oracle release is 10.2.0.5.10. I will assume that this has already been done and that an empty database has been created.<br />
<br />
Our old Linux server has a database called VPX which is the data repository for VMware VirtualCenter. The only schema of interest in this database is the VPXADMIN schema. So this is the one we will export the data from using Oracle's expdp utility. But before we can do so, this schema needs to be able to read and write to the DATA_PUMP_DIR. But where is that? Let's connect to the VPX database and find out :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@vpx as sysdba</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> col directory_path for a40;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select directory_name, directory_path from dba_directories where directory_name='DATA_PUMP_DIR';</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">DIRECTORY_NAME DIRECTORY_PATH</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">------------------------ ----------------------------------------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">DATA_PUMP_DIR /opt/oracle/product/10.2.0_64/admin/vpx/dpdump/</span><br />
<div>
<br /></div>
We now know where the dump file will be created. If we don't have enough disk space there, or we prefer to send our dump files elsewhere, we can create another directory. This is very simple:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/oracle/datafiles</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@vpx as sysdba</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create directory dpump_dir as '/export/oracle/datafiles';</span><br />
<div>
<br /></div>
<div>
Can we use this new directory with both expdp and impdp? Yes, but only from a privileged user. Here we want to use the VPXADMIN schema, so we must give this user the right to read and write to this directory. Again, that is quite simple:</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> grant read, write on directory dpump_dir to vpxadmin;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
We are now ready to export the data (expdp prompts for the schema password, since none is given on the command line). Notice how we use the same directory name we just created above as the value of the <span style="font-family: 'Courier New', Courier, monospace;">directory=</span> argument.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">expdp vpxadmin directory=dpump_dir dumpfile=vpx.dmp logfile=vpx.log</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Export: Release 10.2.0.4.0 - 64bit Production on Monday, 28 January, 2013 13:24:33</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 2003, 2007, Oracle. All rights reserved.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Password :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">With the Partitioning, OLAP, Data Mining and Real Application Testing options</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31626: job does not exist</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31637: cannot create job SYS_EXPORT_SCHEMA_01 for user VPXADMIN</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.KUPV$FT_INT", line 600</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39080: failed to create queues "KUPC$C_1_20130128132434" and "KUPC$S_1_20130128132434" for Data Pump job</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.KUPC$QUE_INT", line 1606</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-04031: unable to allocate 4194344 bytes of shared memory ("streams pool","unknown object","streams pool","fixed allocation callback")</span><br />
<div>
<br /></div>
<div>
Hmm, that's not good. What happened here? A quick search on My Oracle Support yields <a href="https://support.oracle.com/epmos/faces/DocumentDisplay?id=457724.1">Doc ID 846537.1 - DataPump Export (Expdp) Fails With Errors ORA-31626 ORA-31637 ORA-39080 ORA-4031 ("Streams Pool"..."Fixed Allocation")</a></div>
<br />
This note explains that to fix this particular problem, we must do this:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@vpx as sysdba</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set streams_pool_size=10M scope=spfile;</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> shutdown immediate;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> startup;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
Now if we try again, what do we get?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Export: Release 10.2.0.4.0 - 64bit Production on Monday, 28 January, 2013 13:24:33</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 2003, 2007, Oracle. All rights reserved.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span><span style="font-family: 'Courier New', Courier, monospace;">Password :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">With the Partitioning, OLAP, Data Mining and Real Application Testing options</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39002: invalid operation</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39070: Unable to open the log file.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-29283: invalid file operation</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.UTL_FILE", line 475</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-29283: invalid file operation</span><br />
<br />
Damned! What does that mean? A quick search on MOS turns up <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?id=1305166.1">Doc ID 1305166.1 - Errors ORA-39002 ORA-39070 ORA-29283 ORA-6512 When Using DataPump Export (EXPDP) or Import (IMPDP)</a>.<br />
<br />
<div>
<span style="font-family: inherit;"><br /></span></div>
In our case, we are not using RAC, so it's either a) our schema doesn't have read, write access to the directory object, or b) the oracle OS user does not have read, write access to the directory <b>at the Operating System level</b>. Since the grant was already done above, it is the latter, and that's an easy fix:<br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R oracle:oinstall /export/oracle</span><br />
<br />
<div>
If we are on a Windows machine, then <a href="https://support.oracle.com/epmos/faces/DocContentDisplay?id=858401.1">Doc ID 858401.1 - DataPump Export (EXPDP) To A Windows Mapped Network Drive Returns Errors ORA-39002 ORA-39070 ORA-29283 ORA-6512</a> says we need to make sure that both the listener and the database have been started with the exact same username. In this example, it turned out that the listener was started with the <span style="font-family: 'Courier New', Courier, monospace;">DOMAIN\oraclewh</span> user while the database was started with the <span style="font-family: 'Courier New', Courier, monospace;">Local System account</span>. So I changed both of these services to run with the local <span style="font-family: 'Courier New', Courier, monospace;">DBHOST1\oracle</span> user and restarted both services. Once that was done, the export worked.</div>
<br />
Now when we try again, we get the expected result (with a lot of lines removed in this blog post):</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">expdp vpxadmin directory=dpump_dir dumpfile=vpx.dmp logfile=vpx.log</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Export: Release 10.2.0.4.0 - 64bit Production on Monday, 28 January, 2013 13:31:20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 2003, 2007, Oracle. All rights reserved.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Password :</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">With the Partitioning, OLAP, Data Mining and Real Application Testing options</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Starting "VPXADMIN"."SYS_EXPORT_SCHEMA_01": vpxadmin/******** directory=dpump_dir dumpfile=vpx.dmp logfile=vpx.log </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Estimate in progress using BLOCKS method...</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Total estimation using BLOCKS method: 91.43 MB</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/USER</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/SYSTEM_GRANT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/ROLE_GRANT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/DEFAULT_ROLE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/SEQUENCE/SEQUENCE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/TABLE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/INDEX/INDEX</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/CONSTRAINT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/INDEX/STATISTICS/INDEX_STATISTICS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/COMMENT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/PROCEDURE/PROCEDURE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/PROCEDURE/ALTER_PROCEDURE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/VIEW/VIEW</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/JOB</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">. . exported "VPXADMIN"."VPX_EVENT_ARG" 25.64 MB 387348 rows</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">. . exported "VPXADMIN"."VPX_EVENT" 25.92 MB 272741 rows</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">. . exported "VPXADMIN"."VPX_HOST" 1.523 MB 2 rows</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[... 8< lines deleted 8< ...]</span></div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Master table "VPXADMIN"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">******************************************************************************</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Dump file set for VPXADMIN.SYS_EXPORT_SCHEMA_01 is:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /export/oracle/datafiles/vpx.dmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Job "VPXADMIN"."SYS_EXPORT_SCHEMA_01" successfully completed at 13:32:04</span><br />
<div>
<br /></div>
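The two failures above only show up after expdp has already started and asked for the password. The script below is an added example, not part of this post: it checks the OS side of the export directory (exists, writable by the current OS user, enough free space, no stale dump file) before launching the same expdp command as above. The schema, directory, path and size arguments are constructed assumptions.

```bash
#!/bin/bash
# Pre-flight checks before running the post's expdp command, meant to be run as
# the OS "oracle" user on the source host. Added example, not from the post; the
# paths and sizes passed in are constructed assumptions.
#
# It catches the second failure in the post (ORA-39070 / ORA-29283): the Oracle
# DIRECTORY object exists and the schema has READ, WRITE on it, but the OS
# directory itself is not writable by the oracle user, so UTL_FILE cannot open
# the log file. It also checks free space, since the whole dump lands here.

# dp_dir_check OS_DIR REQUIRED_MB
# Returns 0 when OS_DIR exists, is writable by the current OS user and has at
# least REQUIRED_MB available; prints the reason and returns 1 otherwise.
dp_dir_check() {
    local dir=$1 need_mb=$2 avail_mb
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist" >&2
        return 1
    fi
    # -w/-x test the effective uid, i.e. the user the database server runs as
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is not writable by $(id -un); fix with chown -R oracle:oinstall" >&2
        return 1
    fi
    # POSIX df: 1K blocks, "Available" is column 4 of the second line
    avail_mb=$(df -P -k "$dir" | awk 'NR == 2 { print int($4 / 1024) }')
    if [ "${avail_mb:-0}" -lt "$need_mb" ]; then
        echo "FAIL: $dir has ${avail_mb:-0} MB free, need ${need_mb} MB" >&2
        return 1
    fi
    return 0
}

# dp_dumpfile_check OS_DIR DUMPFILE
# 10g expdp will not overwrite an existing dump file, so fail early rather than
# after the password prompt.
dp_dumpfile_check() {
    if [ -e "$1/$2" ]; then
        echo "FAIL: $1/$2 already exists; remove or rename it first" >&2
        return 1
    fi
    return 0
}

# dp_export SCHEMA DIR_OBJECT OS_DIR DUMPFILE REQUIRED_MB
# DIR_OBJECT is the Oracle DIRECTORY name (dpump_dir in the post) and OS_DIR the
# path it was created with; both are passed together so they cannot drift.
# The password is deliberately NOT passed on the command line: expdp prompts
# for it, which keeps it out of `ps` output and shell history.
dp_export() {
    local schema=$1 dir_obj=$2 os_dir=$3 dumpfile=$4 need_mb=$5
    dp_dir_check "$os_dir" "$need_mb" || return 1
    dp_dumpfile_check "$os_dir" "$dumpfile" || return 1
    expdp "$schema" directory="$dir_obj" dumpfile="$dumpfile" logfile="${dumpfile%.dmp}.log"
}

# Example invocation matching the post (100 MB is a constructed figure; the
# post's expdp estimated about 91 MB for this schema):
#   dp_export vpxadmin dpump_dir /export/oracle/datafiles vpx.dmp 100
```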
<div>
Good, that was better. Now what we must do is transfer this file to the new Linux machine named otto.company.com. That's quite easy.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">scp /export/oracle/datafiles/vpx.dmp otto.company.com:/u01/app/oracle/admin/meta/dpump</span></div>
<div>
<br /></div>
<div>
Before we can import the data, we must gather some information about the VPXADMIN user. Why? Because we will need to recreate that user on the target database.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@vpx as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select username, default_tablespace, temporary_tablespace, profile from dba_users where username='VPXADMIN';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">USERNAME   DEFAULT_TABLESPACE   TEMPORARY_TABLESPACE   PROFILE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">---------- -------------------- ---------------------- ----------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VPXADMIN   VPX                  TEMP                   DEFAULT</span></div>
<div>
<br /></div>
<div>
Ah ha! It's using the VPX tablespace as the default. Let's take a look at what that tablespace is.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select file_name, bytes/1024/1024 MB, autoextensible from dba_data_files where tablespace_name='VPX';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">FILE_NAME                                   MB AUT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">--------------------------------------- ------- ---</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/u02/oradata/simone/vpx01.dbf               512 YES</span></div>
<div>
<br /></div>
<div>
Let's get the user's old password hash so that we can assign it on the new database. We never need the clear-text password: CREATE USER ... IDENTIFIED BY VALUES accepts the hash as is, so the user keeps the same password.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select password from dba_users where username='VPXADMIN';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PASSWORD</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">--------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">D3645DAA57EA91AB</span></div>
<div>
<br /></div>
<div>
With all this information in hand, we can now shut down this old VPX database instance to make sure clients don't try to connect to it.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@vpx as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> shutdown immediate;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
We must also change our tnsnames.ora file to point to our new server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/ORACLE_HOME/network/admin/tnsnames.vpx.ora">$ORACLE_HOME/network/admin/tnsnames.ora</a></span></div>
<div>
<br /></div>
<div>
We can't test this new tnsnames because the service name has not yet been configured on the new machine. So let's do this. Connect to the new server and switch to the oracle user.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh otto.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span></div>
<div>
<br /></div>
<div>
Again, we need to find out what the DATA_PUMP_DIR is on this machine.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@meta as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select directory_name, directory_path from dba_directories where directory_name='DATA_PUMP_DIR';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">DIRECTORY_NAME DIRECTORY_PATH</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">------------------------ ----------------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">DATA_PUMP_DIR /u01/app/oracle/product/10.2/db_1/rdbms/log/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
In this case, let's use this directory as is. We thus need to move the dump file into this directory.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mv /u01/app/oracle/admin/meta/dpump/vpx.dmp /u01/app/oracle/product/10.2/db_1/rdbms/log/</span></div>
<div>
<br /></div>
<div>
As always, in order to use the dump file, we first need to create the user. But to create the user, we need to create the tablespace first. Once the tablespace is created, we create the user and then grant it some rights. The exact rights you need to grant the user depend on the schema requirements, of course. This is just an example.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create tablespace vpx datafile '/u02/oradata/meta/vpx01.dbf' size 512M reuse extent management local segment space management auto;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter database datafile '/u02/oradata/meta/vpx01.dbf' autoextend on next 512K maxsize 2048M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create user vpxadmin identified by values 'D3645DAA57EA91AB' default tablespace vpx temporary tablespace temp quota 2048M on vpx;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> grant create session, create table to vpxadmin;</span></div>
<div>
<br /></div>
<div>
Ok, don't forget to grant VPXADMIN read, write access to the DATA_PUMP_DIR.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> grant read, write on directory DATA_PUMP_DIR to VPXADMIN;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
We can now import the data into the new database with impdp. We will run the import as the SYSTEM user. This way we should have all the rights required to create the schema objects and load the data into this new database.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">impdp system@meta directory=data_pump_dir dumpfile=vpx.dmp schemas=vpxadmin logfile=vpx.log</span></div>
</div>
<div>
<br /></div>
<div>
Once the import is over, we need to assign the service name VPX to the database.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@meta as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> show parameter service;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME                                 TYPE            VALUE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">------------------------------------ --------------- -----------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">service_names                        string          meta.company.com, vpx.company.com</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set service_names='meta.company.com, vpx.company.com' scope=both sid='*';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system register;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit;</span></div>
<div>
<br /></div>
<div>
Let's see whether the new service name is registered by the listener.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">lsnrctl status | grep vpx</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Service "vpx.company.com" has 1 instance(s).</span></div>
<div>
<br /></div>
<div>
Good. Let's check whether the original machine can tnsping the new service.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tnsping vpx</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">TNS Ping Utility for Linux: Version 10.2.0.5.0 - Production on 29-JAN-2013 10:48:06</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 1997, 2010, Oracle. All rights reserved.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Used parameter files:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Used TNSNAMES adapter to resolve the alias</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = otto.company.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = vpx.company.com)))</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">OK (10 msec)</span><br />
<br />
Excellent! :)<br />
<br /></div>
</div>
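As an added example (not from the post), here is a small cutover check for the steps just shown: it confirms that the new listener advertises vpx.company.com and that a client's tnsnames alias now resolves to the new host, since a stale alias still pointing at the old server is the failure mode to catch here. The lsnrctl and tnsping outputs embedded in it are constructed to match the post; otto.company.com and the old host name are assumptions.

```bash
#!/bin/bash
# Cutover checks for the service-name move in the post: after VPX is imported
# into the META database and vpx.company.com is added to SERVICE_NAMES, confirm
# that (1) the listener on the new host publishes the service and (2) a client's
# tnsnames.ora alias now resolves to the NEW host. A stale alias is the
# dangerous case: clients keep pointing at the old machine, and if the old
# instance is ever restarted they write to the wrong database.
# Added example, not from the post; host names and sample outputs are constructed.

# listener_has_service SERVICE  (reads `lsnrctl status` output on stdin)
# Returns 0 if the listener advertises SERVICE with at least one instance.
listener_has_service() {
    # lsnrctl prints e.g.:  Service "vpx.company.com" has 1 instance(s).
    grep -q "Service \"$1\" has [1-9][0-9]* instance(s)"
}

# tnsping_host  (reads `tnsping ALIAS` output on stdin)
# Prints the HOST that tnsping actually contacted, taken from the
# "Attempting to contact (DESCRIPTION = ... (HOST = x) ..." line.
tnsping_host() {
    sed -n 's/.*Attempting to contact.*(HOST *= *\([^)]*\)).*/\1/p' | head -n 1
}

# tnsping_ok  (reads `tnsping ALIAS` output on stdin)
# Returns 0 when tnsping reported "OK (N msec)".
tnsping_ok() {
    grep -q '^OK ([0-9]* msec)'
}

# cutover_check ALIAS EXPECTED_HOST SERVICE LSNR_OUT TNS_OUT
# Takes the two captured outputs as strings so it can be exercised offline;
# in use, pass "$(lsnrctl status)" captured on the new host and
# "$(tnsping ALIAS)" captured on the old client host.
cutover_check() {
    local tns_alias=$1 want_host=$2 svc=$3 lsnr_out=$4 tns_out=$5 got_host
    if ! printf '%s\n' "$lsnr_out" | listener_has_service "$svc"; then
        echo "FAIL: listener does not advertise $svc (run: alter system register)" >&2
        return 1
    fi
    got_host=$(printf '%s\n' "$tns_out" | tnsping_host)
    if [ "$got_host" != "$want_host" ]; then
        echo "FAIL: alias $tns_alias resolves to '${got_host:-?}', not $want_host (stale tnsnames.ora?)" >&2
        return 1
    fi
    if ! printf '%s\n' "$tns_out" | tnsping_ok; then
        echo "FAIL: tnsping $tns_alias did not return OK" >&2
        return 1
    fi
    echo "OK: $tns_alias -> $got_host, service $svc registered"
}

# Constructed sample outputs, shaped like the ones in the post.
SAMPLE_LSNR='Service "meta.company.com" has 1 instance(s).
Service "vpx.company.com" has 1 instance(s).'
SAMPLE_TNS_NEW='Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = otto.company.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = vpx.company.com)))
OK (10 msec)'
# A stale alias that still points at the old server (oldhost is a placeholder).
SAMPLE_TNS_OLD='Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oldhost.company.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = vpx)))
OK (0 msec)'

# Run with --demo to see the check pass on the constructed sample data.
if [ "${1:-}" = "--demo" ]; then
    cutover_check vpx otto.company.com vpx.company.com "$SAMPLE_LSNR" "$SAMPLE_TNS_NEW"
fi
```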
<div>
<h4>
Using the Network</h4>
<br />
But what if the source database server does not have enough disk space to create a local dump file? That happens more often than one might think. Let's say you have a 500 GB database stored on local disks and those disks are full. What do you do now?<br />
<br />
You leverage the network with expdp <a href="http://docs.oracle.com/cd/B19306_01/server.102/b14215/dp_export.htm#i1011008">NETWORK_LINK</a> keyword.<br />
<br />
In order to use this keyword, our DBA must first create a database link in the target database which enables us to connect to the source database. Once the database link is created, we can start expdp from the target machine, use the network_link keyword to connect to the source database and the dump file will be generated on the target machine which has enough disk space to receive the data. What's more, we can even do this between platforms!<br />
<br />
In our example, keep in mind this information :<br />
<ul>
<li>Source database machine : dbhost1.company.com.</li>
<li>Source database OS : Microsoft Windows Server 2003 Standard x64 Edition.</li>
<li>Source database ORACLE_SID : prefdb.</li>
<li>Target database machine : otto.company.com.</li>
<li>Target database OS : RedHat Enterprise Linux 5.9 (Tikanga) x86_64.</li>
<li>Target database ORACLE_SID : orcl.</li>
</ul>
Let's do this. First we connect to the target machine and set up a new tnsnames.ora entry. Here I only show the new entry, not the entire file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh otto.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">vi $ORACLE_HOME/network/admin/tnsnames.ora</span><br />
<br />
<tnsnames.ora><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREFDB =</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> (DESCRIPTION =</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost1.company.com)(PORT = 1521))</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> (CONNECT_DATA =</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> (SERVER = DEDICATED)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> (SERVICE_NAME = prefdb.company.com)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> )</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> )</span><br />
<div>
</tnsnames.ora></div>
<div>
<br /></div>
<div>
Let's test whether we can tnsping this new entry.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tnsping prefdb</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<span style="font-family: 'Courier New', Courier, monospace;">TNS Ping Utility for Linux: Version 10.2.0.5.0 - Production on 07-FEB-2013 10:23:18</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 1997, 2010, Oracle. All rights reserved.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Used parameter files:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Used TNSNAMES adapter to resolve the alias</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost1.company.com)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = prefdb.company.com)))</span><br />
<b><span style="font-family: 'Courier New', Courier, monospace;">OK (0 msec)</span></b><br />
<div>
<br /></div>
<div>
Good! Let's now check where we can store the dump file on this machine. We need about 600 GB of disk space.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">df -h</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Filesystem Size Used Avail Use% Mounted on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/os-root 9.7G 2.6G 6.6G 29% /</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/ora-u02 1.6T 9.0G 1.5T 1% /u02</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/os-var 2.0G 192M 1.7G 11% /var</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/os-tmp 3.9G 137M 3.6G 4% /tmp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/os-u01 307G 3.4G 288G 2% /u01</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/sda1 251M 26M 213M 11% /boot</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tmpfs 32G 0 32G 0% /dev/shm</span></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/fra-u03 3.3T 2.1G 3.1T 1% /u03</span></b></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">angel.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 770G 186G 545G 26% /nfs/home</span></div>
</div>
<div>
<br /></div>
<div>
Let's create our directory in /u03 since we have 3.1 TB of free space.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir -p /u03/export</span></div>
<div>
<br /></div>
<div>
Next we connect to the target database ORACLE_SID and create the required directory and database link.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@orcl as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create directory dpdir as '/u03/export';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select directory_name, directory_path from dba_directories where directory_name='DPDIR';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">DIRECTORY_NAME<span class="Apple-tab-span" style="white-space: pre;"> </span>DIRECTORY_PATH</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">--------------</span><span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: 'Courier New', Courier, monospace;">------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">DPDIR<span class="Apple-tab-span" style="white-space: pre;"> </span>/u03/export</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create public database link prefdb connect to system identified by changeme using 'prefdb';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Database link created.</span></div>
<div>
<br /></div>
<div>
One warning before going further: the link above is PUBLIC and embeds the source database's SYSTEM password (changeme is a placeholder). Every account in the target database can use a public link, so every one of them can now query the source as SYSTEM. For anything other than a throw-away lab, create a private link (leave out PUBLIC) owned by the account that runs expdp, point it at a dedicated source account that holds only what the export needs (the EXP_FULL_DATABASE role is enough to export other users' schemas) rather than SYSTEM, and drop the link once the migration is over.</div>
<div>
<br /></div>
<div>
Now, is the new link actually working? To test it we need to know which schemas we want to export from the source database. In this example we want the PREF schema, so we query the source database's ALL_OBJECTS view through the link and count the objects owned by PREF.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select count(*) from all_objects@prefdb where owner='PREF';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> COUNT(*)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">----------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 229</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
Our new database link is working. The figure can be double-checked by running the same query directly on the source database instead of through the link.</div>
<br />
We now have everything in place to run expdp from the target machine. In the example below we also export several other schemas (PREF_NEW, PREF_NEW_RO and PREF_READ) in the same job.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">expdp system schemas=pref,pref_new,pref_new_ro,pref_read directory=dpdir dumpfile=prefdb.dmp logfile=prefdb.log network_link=prefdb</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Export: Release 10.2.0.5.0 - 64bit Production on Thursday, 07 February, 2013 10:12:19</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 2003, 2007, Oracle. All rights reserved.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Password: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">With the Partitioning, OLAP, Data Mining and Real Application Testing options</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** schemas=pref,pref_new,pref_new_ro,pref_read directory=dpdir dumpfile=prefdb.dmp logfile=prefdb.log network_link=prefdb </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Estimate in progress using BLOCKS method...</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Total estimation using BLOCKS method: 538.77 GB</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/USER</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/SYSTEM_GRANT</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/ROLE_GRANT</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/DEFAULT_ROLE</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLESPACE_QUOTA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[... 8< lines deleted 8< ...]</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">. . exported "PREF_NEW"."TMP_PROT" 0 KB 0 rows</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">. . exported "PREF_NEW_RO"."TMP_PROT" 0 KB 0 rows</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Master table "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">****************************************************************</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> /u03/export/prefdb.dmp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" <b>completed with 2 error(s)</b> at 12:16:23</span></div>
</div>
<div>
<br /></div>
<div>
Hmm, two errors. The log file shows this:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">grep ^ORA /u03/export/prefdb.log </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31679: Table data object "PREF_NEW"."PARAMETER_FILE" has long columns, and longs can not be loaded/unloaded using a network link</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31679: Table data object "PREF_NEW"."PARAMETER_FILE_OLD" has long columns, and longs can not be loaded/unloaded using a network link</span></div>
</div>
<div>
<br /></div>
<div>
How do we fix this? We can't, as long as we use NETWORK_LINK: ORA-31679 is a documented restriction of network-mode Data Pump, not a transient bug. Tables with LONG or LONG RAW columns cannot be moved across a database link, in 10.2 or in 11.2. That is what sections 4.3 and 8.11 of <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?id=553337.1&type=DOCUMENT&displayIndex=1">Doc ID 553337.1 - Export/Import DataPump Parameter VERSION - Compatibility of Data Pump Between Different Oracle Versions [Video]</a> say. On top of that we appear to hit bug 6630677, described in <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?id=6630677.8&type=DOCUMENT&displayIndex=2">Doc ID 6630677.8 - IMPDP skips table exported just before table with LONG column using NETWORK_LINK</a>: an import over NETWORK_LINK silently skips the table exported just before a table with a LONG column, which is one more reason to keep such schemas off the network path on 10g.</div>
<div>
<br /></div>
<div>
So what do we do? Either a) upgrade the source to 11.2, which is not affected by bug 6630677 (the LONG restriction itself remains, so those two tables still need a file-based export), or b) write the dump file to the source machine's local file system and copy it over.</div>
<div>
<br /></div>
<div>
Since we just want to get rid of this old Windows machine, I'm not going to bother upgrading it. I just installed a USB drive and let it slowly dump to it.</div>
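<div>
<br /></div>
<div>
Before a NETWORK_LINK export, these checks over the prefdb link would have flagged the two LONG tables up front, and they also catch two things the import further down trips over: roles the schema export re-grants but never creates, and the system privileges it silently carries across. This is an added example, not part of the original post; it assumes the prefdb link and the four PREF schemas from this page, and that the link connects as a user who can read the DBA_* views on the source (SYSTEM does).</div>
<div>
<br /></div>
```sql
-- Added pre-flight check, not part of the original post. Run it from the
-- target database (the rlwrap sqlplus sys@orcl session above), through the
-- prefdb link, before launching expdp with NETWORK_LINK.
-- The schema list and the link name are taken from the post; adjust them.

-- 1. Tables with LONG / LONG RAW columns. Each of these raises ORA-31679
--    over a network link and has to travel in a file-based dump instead.
select owner, table_name, column_name, data_type
  from dba_tab_columns@prefdb
 where owner in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ')
   and data_type in ('LONG', 'LONG RAW')
 order by owner, table_name;

-- 2. Roles granted to the exported schemas on the source that do not yet
--    exist on the target. A schema-mode export re-grants them
--    (SCHEMA_EXPORT/ROLE_GRANT) but does not create them, so each missing
--    role fails with ORA-01919 during the import. Create these first.
select distinct granted_role
  from dba_role_privs@prefdb
 where grantee in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ')
   and granted_role not in (select role from dba_roles)  -- local: target side
 order by granted_role;

-- 3. System privileges that SCHEMA_EXPORT/SYSTEM_GRANT will re-create on
--    the target. Review them before the import rather than after: a grant
--    such as UNLIMITED TABLESPACE or any of the *ANY* privileges is easy to
--    carry over unnoticed.
select grantee, privilege, admin_option
  from dba_sys_privs@prefdb
 where grantee in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ')
 order by grantee, privilege;
```
<div>
<br /></div>
<div>
Anything returned by the first query has to come over in the file-based dump. Every role returned by the second is a CREATE ROLE to run on the target before impdp. The third is a list to review; a privilege that should not follow the schema can be kept out with EXCLUDE=SYSTEM_GRANT on the export and granted by hand, or revoked on the target once the import is done.</div>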
<div>
<br /></div>
<h4>
Increasing Speed</h4>
<br />
In the example above, the BLOCKS estimate put the export at over 500 GB, and it took quite some time; the USB drive was of course the bottleneck. But suppose we had a normal SATA, SCSI or FC LUN attached to the machine with enough disk space. How can we speed up the export?<br />
<br />
Simple : use the <a href="http://docs.oracle.com/cd/B19306_01/server.102/b14215/dp_export.htm#sthref148">PARALLEL</a> keyword.<br />
<br />
This keyword lets Data Pump use several worker processes to unload (or load) data. Provide at least as many dump files as workers, otherwise workers sit idle waiting for a file to write to, and do not push PARALLEL much past the machine's capacity: Oracle's own starting point is twice the number of CPUs, tuned from there.<br />
<br />
So, with our current example, our export could be sped up with this command :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">expdp system@prefdb directory=dpdir dumpfile=<b>prefdp%u.dmp</b> logfile=prefdb.exp.log schemas=pref,pref_new,pref_new_ro,pref_read <b>parallel=8</b></span><br />
<br />
Notice that DUMPFILE now uses the %u substitution variable (%U in the documentation): Data Pump generates one numbered file per worker (PREFDP01.DMP, PREFDP02.DMP, ...), so the number of dump files automatically matches PARALLEL. Quite handy!<br />
<br />
But how much difference does it make? Using NETWORK_LINK with PARALLEL=1, the previous expdp took 2 h 15 min to produce a 29 GB dump file. Using local storage with PARALLEL=8, the same 29 GB took about half an hour. Much faster! :) Bear in mind that two things changed at once (no more network link, and eight workers instead of one), so not all of the gain comes from PARALLEL.<br />
<br />
But I had this error on the Windows machine:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">UDE-00008: operation generated ORACLE error 31626</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31626: job does not exist</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39086: cannot retrieve job information</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.DBMS_DATAPUMP", line 2745</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.DBMS_DATAPUMP", line 3712</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at line 1</span><br />
<br />
Another trip to My Oracle Support turned up <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?id=549781.1">Doc ID 549781.1 - Data Pump Client Gets UDE-8 ORA-31626 ORA-39086</a>. It says that if the log file reports the export as successfully completed, the client-side error can be ignored: the job finished, only the client lost track of it. So let's take a look at the log file...<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Dump file set for SYSTEM.SYS_EXPORT_SCHEMA_01 is:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP01.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP02.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP03.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP04.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP05.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP06.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP07.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> \\DBHOST1\PREFDB\PREFDP08.DMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully completed at 15:21:37</span><br />
<br />
...and sure enough, the export was successful.<br />
<br />
We just need to send those dump files to the target machine and import them. We'll use <a href="http://winscp.net/eng/index.php">WinSCP</a> (over SFTP, not plain FTP) to copy the files from the Windows machine to the RedHat Linux server into <span style="font-family: 'Courier New', Courier, monospace;">/u03/export</span>. Treat the dump files like a database backup: they hold every row of the exported tables plus the password hashes of the exported users (the SCHEMA_EXPORT/USER step recreates each account from its hash), so keep them readable only by the oracle user, and wipe them from the USB drive and from /u03/export once the import has been verified.<br />
<br />
Once the transfer is done, reconnect to the source database and list the tablespaces used by the schemas we just exported (PREF, PREF_NEW, PREF_NEW_RO and PREF_READ). The reason is simple: a schema-mode impdp does not create tablespaces, so they must already exist on the target (or be redirected with REMAP_TABLESPACE). Default tablespaces are only a start, as the second query shows: PREF_IDX is nobody's default tablespace and would be missed by looking at DBA_USERS alone.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sqlplus sys@prefdb as sysdba</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select username, default_tablespace, temporary_tablespace from dba_users where username like 'PREF%' order by default_tablespace;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">USERNAME DEFAULT_TABLESPACE TEMPO</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">-------------------- ------------------------------ -----</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF PREF_DATA TEMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_NEW PREF_DATA TEMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_NEW_RO PREF_NEW_RO_DATA TEMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_READ USERS TEMP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select tablespace_name, file_name from dba_data_files where tablespace_name like 'PREF%' order by tablespace_name, file_name;</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">TABLESPACE_NAME FILE_NAME</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">------------------ ---------------------------------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA01.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA02.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA03.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA04.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA05.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA06.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA07.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA08</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA08.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA D:\ORADATA\PREFDB\PREF_DATA09.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX D:\ORADATA\PREFDB\PREF_IDX01.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX D:\ORADATA\PREFDB\PREF_IDX02.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX D:\ORADATA\PREFDB\PREF_IDX03.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX D:\ORADATA\PREFDB\PREF_IDX04</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX D:\ORADATA\PREFDB\PREF_IDX05.DBF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">PREF_NEW_RO_DATA D:\ORADATA\PREFDB\PREF_NEW_RO_DATA01.DBF</span><br />
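<br />
Matching datafile names against PREF% works here, but it is a guess: a schema can own segments in any tablespace it has a quota on, including USERS or a tablespace with an unrelated name. The queries below, an added example rather than part of the original post, list every tablespace that actually holds data for the four PREF schemas, with used and allocated sizes on the source as sizing input for the CREATE TABLESPACE statements that follow. They run on the source in the sqlplus sys@prefdb session above; the schema list is taken from this page.<br />
<br />
```sql
-- Added check, not part of the original post. Run on the source database.
-- Schema list taken from the post; adjust it for your own migration.

-- 1. Every tablespace that holds a segment owned by the exported schemas,
--    whatever its name. impdp in schema mode creates no tablespaces, so
--    each one listed here must exist on the target (or be remapped with
--    REMAP_TABLESPACE) before the import; otherwise each object that lives
--    in it fails with ORA-00959.
select s.tablespace_name,
       s.owner,
       count(*)                          as segments,
       round(sum(s.bytes) / 1024 / 1024) as used_mb
  from dba_segments s
 where s.owner in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ')
 group by s.tablespace_name, s.owner
 order by s.tablespace_name, s.owner;

-- 2. Datafile layout of those tablespaces, plus the users' default
--    tablespaces (needed even when empty, because the imported CREATE USER
--    statements reference them). allocated_mb is what is on disk now,
--    max_mb is how far autoextend is allowed to take it.
select f.tablespace_name,
       count(*)                                    as datafiles,
       round(sum(f.bytes) / 1024 / 1024)           as allocated_mb,
       round(sum(case when f.autoextensible = 'YES'
                      then f.maxbytes else f.bytes end) / 1024 / 1024) as max_mb
  from dba_data_files f
 where f.tablespace_name in (select tablespace_name
                               from dba_segments
                              where owner in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ')
                             union
                             select default_tablespace
                               from dba_users
                              where username in ('PREF', 'PREF_NEW', 'PREF_NEW_RO', 'PREF_READ'))
 group by f.tablespace_name
 order by f.tablespace_name;
```
<br />
The first query is the list of tablespaces to create; the used_mb column tells you how large each one really needs to be, which is usually well below the allocated size on the source. A tablespace that appears only in the second query (USERS for PREF_READ, for instance) holds no data but still has to exist on the target for the CREATE USER to succeed.<br />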
<br />
So now we know which tablespaces we need to create in the target database before we perform the import. Let's connect to the target server and switch to the Oracle user.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh otto.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<br />
We then connect to the target database as SYSDBA, as before, and create the tablespaces we are about to import into. Each datafile starts at 1 GB and may autoextend to 5 GB, so PREF_DATA can grow to 50 GB across its ten files. One practical note: a NEXT of 1024K means thousands of tiny extensions during a bulk load; a larger increment such as 100M is kinder to the import.<br />
<br />
-- PREF_DATA creation.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create tablespace pref_data datafile '/u02/oradata/simone/pref_data01.dbf' size 1024M autoextend on next 1024k maxsize 5120M extent management local;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data02.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data03.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data04.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data05.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data06.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data07.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data08.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data09.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_data add datafile '/u02/oradata/simone/pref_data10.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<br /></div>
<div>
-- PREF_IDX creation.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create tablespace pref_idx datafile '/u02/oradata/simone/pref_idx01.dbf' size 1024M autoextend on next 1024k maxsize 5120M extent management local;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_idx add datafile '/u02/oradata/simone/pref_idx02.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_idx add datafile '/u02/oradata/simone/pref_idx03.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_idx add datafile '/u02/oradata/simone/pref_idx04.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter tablespace pref_idx add datafile '/u02/oradata/simone/pref_idx05.dbf' size 1024M autoextend on next 1024k maxsize 5120M;</span></div>
<div>
<br /></div>
<div>
-- PREF_NEW_RO_DATA creation.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create tablespace pref_new_ro_data datafile '/u02/oradata/simone/pref_new_ro01.dbf' size 128M autoextend on next 1024k maxsize 5120M extent management local;</span></div>
<div>
<br /></div>
<div>
And let's check what we just built.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select tablespace_name, file_name, bytes/1024/1024 MB from dba_data_files where tablespace_name like 'PREF%' order by tablespace_name, file_name;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">TABLESPACE_NAME <span class="Apple-tab-span" style="white-space: pre;"> </span> FILE_NAME<span class="Apple-tab-span" style="white-space: pre;"> </span> MB</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">------------------------------ ------------------------------------------------------- ----------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data01.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data02.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data03.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data04.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data05.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data06.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data07.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data08.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data09.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_data10.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_idx01.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_idx02.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_idx03.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_idx04.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_IDX<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_idx05.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PREF_NEW_RO_DATA<span class="Apple-tab-span" style="white-space: pre;"> </span> /u02/oradata/simone/pref_new_ro01.dbf<span class="Apple-tab-span" style="white-space: pre;"> </span> 128</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<br /></div>
<div>
Ok, we're good to go for the import now.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">impdp system schemas=pref,pref_new,pref_new_ro,pref_read parallel=8 dumpfile=PREFDP%u.DMP directory=dpdir logfile=prefimp.log</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Import: Release 10.2.0.5.0 - 64bit Production on Friday, 08 February, 2013 11:45:19</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Copyright (c) 2003, 2007, Oracle. All rights reserved.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Password: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">With the Partitioning, OLAP, Data Mining and Real Application Testing options</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Master table "SYSTEM"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Starting "SYSTEM"."SYS_IMPORT_SCHEMA_01": system/******** schemas=pref,pref_new,pref_new_ro,pref_read parallel=8 dumpfile=PREFDP%u.DMP directory=dpdir logfile=prefimp.log </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/USER</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/SYSTEM_GRANT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/ROLE_GRANT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39083: Object type ROLE_GRANT failed to create with error:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-01919: role 'PREF_NEW_READ' does not exist</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Failing sql is:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> GRANT "PREF_NEW_READ" TO "PREF_NEW_RO"</span></div>
<div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/DEFAULT_ROLE</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLESPACE_QUOTA</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">[... 8< lines deleted 8< ...]</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Processing object type SCHEMA_EXPORT/TABLE/INDEX/INDEX</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39014: One or more workers have prematurely exited.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-39029: worker 1 with process name "DW01" prematurely terminated</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-31671: Worker process DW01 had an unhandled exception.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-12801: error signaled in parallel query server P001</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-01452: cannot CREATE UNIQUE INDEX; duplicate keys found</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at "SYS.KUPW$WORKER", line 1423</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-06512: at line 2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Job "SYSTEM"."SYS_IMPORT_SCHEMA_01" stopped due to fatal error at 12:05:22</span></div>
</div>
<div>
<br /></div>
<div>
Ah nice, another error! Another trip to MOS turns up <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?id=1325408.1">Doc ID 1325408.1 - Error ORA-28604 Obtained During DataPump Import</a>. According to it we should have seen some further diagnostic message, but we didn't, and the alert log shows nothing useful either. So we drop what was created and start again, this time without the PARALLEL keyword. The earlier ORA-39083 / ORA-01919 on the ROLE_GRANT step is a separate problem: a schema-mode export carries the grants but not the role definitions, so the PREF_NEW_READ role has to be created on the target before the import (and the grant to PREF_NEW_RO checked afterwards).</div>
<div>
<br /></div>
<div>
But before redoing the import we first clean up a little. This avoids a whole bunch of "already exists" errors on the second run.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@orcl as sysdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop tablespace pref_data including contents and datafiles;</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop tablespace pref_idx including contents and datafiles;</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop tablespace pref_new_ro_data including contents and datafiles;</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop user pref cascade;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop user pref_new cascade;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop user pref_new_ro cascade;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> drop user pref_read cascade;</span></div>
<div>
<br /></div>
<div>
Then recreate the three tablespaces exactly as above (they were just dropped together with their datafiles), create the missing PREF_NEW_READ role, and rerun the job without the PARALLEL keyword.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /u03/export</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">impdp system schemas=pref,pref_new,pref_new_ro,pref_read dumpfile=PREFDP%u.DMP directory=dpdir logfile=prefimp.log</span></div>
</div>
<div>
<br /></div>
<div>
That will take care of it. But we will have some database link errors such as these :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ORA-04052: error occurred when looking up remote object STAGE.TABLE@PODS.COMPANY.COM</span></div>
</div>
<div>
<br /></div>
<div>
How do we fix this? Simple: a) create the tnsnames.ora entry and then b) log in to the database as the user pref_new and create the database link.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi $ORACLE_HOME/network/admin/tnsnames.ora</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><tnsnames.ora></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PODS =</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> (DESCRIPTION =</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost1.company.com)(PORT = 1521))</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> (CONNECT_DATA =</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> (SERVER = DEDICATED)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> (SERVICE_NAME = pods.company.com)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> )</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> )</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"></tnsnames.ora></span></div>
<div>
<br /></div>
<div>
Then create the database link.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus pref_new@orcl</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create database link pods.company.com connect to system identified by ***** using pods;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit;</span></div>
<div>
<br /></div>
<div>
And finally, recompile the schema.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus sys@orcl as sysdba</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exec dbms_utility.compile_schema(schema => 'PREF_NEW');</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
And make sure this database now also answers to the PREFDB service name.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> show parameter service;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set service_names='orcl.company.com, prefdb.company.com' scope=both sid='*';</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system register;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span><br />
<br /></div>
<div>
Excellent! Job's done :)</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<br />
<b>VoIP QoS on Cisco 3560 Switches with Polycom and Cisco IP Phones</b> (2012-09-28)<br />
<br />
Today we are going to set up network Quality of Service (QoS) for Voice over IP (VoIP) traffic generated by Polycom and Cisco IP phones. Our goal is to tag the VoIP packets so that they are placed in a priority outgoing queue: if the available bandwidth is saturated, the VoIP packets will then be the last ones the switch drops. VoIP is a delay-sensitive application while bulk data transfers are not. When a switch port receives more data than it can handle, the switch starts dropping packets. If a VoIP packet is dropped, people having a conversation will hear a glitch. We don't want that, and this is why we must treat VoIP packets differently from other data packets.<br />
<a name='more'></a><br />
<h3>
Topology</h3>
<br />
It's always easier to understand network modifications when we have a topology plan. So here it is :<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-f_jMYQWg4BQ/UGSYX5nlI3I/AAAAAAAACrw/fS-GC2GSByI/s1600/VoIP.QoS.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="488" src="http://1.bp.blogspot.com/-f_jMYQWg4BQ/UGSYX5nlI3I/AAAAAAAACrw/fS-GC2GSByI/s640/VoIP.QoS.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Example Network Topology</td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="https://dl.dropbox.com/u/72609528/blog/cisco/QoS/VoIP.QoS.pdf">A larger PDF version is also available</a>.<br />
<br />
From the topology, we can see that voice traffic follows this path :<br />
<br />
IP phone > WS-C3560-48PS-S > WS-C3560G-24TS-S > SonicWall 2400 X4 VoIP interface > SonicWall 2400 X1 WAN interface > WS-C3560G-24TS-S > ISP<br />
<br />
As you might imagine, the ISP-connected WS-C3560G-24TS switch has three VLANs:<br />
<ul>
<li>VLAN 300 is the VoIP VLAN.</li>
<li>VLAN 144 is the WAN (or ISP) VLAN.</li>
<li>VLAN 200 is the Management VLAN.</li>
</ul>
In this example, the WS-C3560-48PS switches are connected to two types of IP phones :<br />
<ul>
<li><a href="http://www.polycom.com/products/voice/desktop_solutions/soundpoint/desk_phones/soundpoint_ip335.html">Polycom SoundPoint IP 335</a></li>
<li><a href="http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps10499/data_sheet_c78-548564.html">Cisco SPA504G IP phone</a></li>
</ul>
<br />
<h3>
A Little Theory</h3>
<br />
By default, both Polycom and Cisco IP phones will add a « voice » tag to all the packets they generate. This tag can take two different forms :<br />
<ul>
<li><a href="http://en.wikipedia.org/wiki/Differentiated_services">Differentiated Services Code Point (DSCP)</a></li>
<li><a href="http://en.wikipedia.org/wiki/Class_of_Service">Class of Service (COS)</a></li>
</ul>
The Polycom IP phones use DSCP while the Cisco IP phones use COS (I'm not 100 % sure on this, anyone?). The idea here is to configure each device in the packet path to « trust » the packet tag set by the device upstream of it. Otherwise the packet's tag is not honored.<br />
<br />
<h3>
Configuration</h3>
<br />
We will start our configuration with both devices to which the IP phones are connected : these are the two WS-C3560-48PS. They can be reached at 172.16.1.2/24 and 172.16.1.3/24. Once both of those devices are configured, we will configure the switch found at 172.16.1.1/24. I assume that all switches already have IP addresses and that SSH is working on all of them. I also assume you have a user that can perform administrative functions.<br />
<br />
<h3>
First WS-C3560-48PS Switch</h3>
<br />
Connect to the switch and check the interfaces. In this example, also assume that interfaces Fa0/1 to Fa0/47 all start with the same configuration. In a real-life scenario, make sure this is true!<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh 172.16.1.2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch> enable</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int fa0/1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">!</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface FastEthernet0/1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> speed 100</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> duplex full</span></div>
<span style="font-family: 'Courier New', Courier, monospace;"> no cdp enable</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">end</span><br />
<div>
<br /></div>
<div>
The interface is set to 100 Mb/s full duplex. It does not send CDP packets. It is in access mode in VLAN 300, but we don't know what that VLAN is at the moment. Let's check our VLAN Trunking Protocol (VTP) status.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh vtp status</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP Version capable : 1 to 3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP version running : 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP Domain Name : dmz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP Pruning Mode : Disabled</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP Traps Generation : Enabled</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Device ID : 0018.19a9.2800</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Configuration last modified by 172.16.1.2 at 3-8-93 23:56:45</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Feature VLAN:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">--------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VTP Operating Mode : Client</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Maximum VLANs supported locally : 1005</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Number of existing VLANs : 9</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Configuration Revision : 20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">MD5 digest : 0x3B 0x54 0xC1 0x4F 0x88 0x4B 0x84 0xBB </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0xC1 0x82 0x8C 0x07 0x5B 0x27 0x96 0x28</span> </div>
</div>
<div>
<br /></div>
<div>
Ok, so we are a VTP client. Let's check our current VLAN status then.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh vlan brief</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VLAN Name Status Ports</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">---- -------------------------------- --------- -------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1 default active Gi0/1, Gi0/2, Gi0/4</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">19 DMZ active </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">144 WAN ISP active</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">200 Management active Fa0/48</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">300 VoIP active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1002 fddi-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1003 token-ring-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1004 fddinet-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1005 trnet-default act/unsup</span> </div>
</div>
<div>
<br /></div>
<div>
We can see that VLAN 300 is indeed our VoIP VLAN. We also see that interface Fa0/48 is in the Management VLAN. According to our topology map, interface Gi0/3 is our connection to the WS-C3560G-24TS switch. Since it's not listed here, it must be a trunk. Let's check.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh int status | inc Gi0/3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/3 c3560g VoIP trunk connected trunk a-full a-1000 1000BaseSX SFP</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">!</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> description c3560g VoIP trunk</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport trunk encapsulation dot1q</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode trunk</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">end</span></div>
<div>
<br /></div>
<div>
So indeed it is. Our first task is to discover which port has which type of IP phone. The reason is simple : Polycom IP phones and Cisco IP phones do not have the same configuration. Cisco IP phones support a tightly integrated configuration with Cisco switches, but the Polycom phones do not. We thus need to configure each port differently depending on which type of phone is connected to it.</div>
<div>
<br /></div>
<div>
Luckily for us, both types of devices support Cisco's <a href="http://en.wikipedia.org/wiki/Cisco_Discovery_Protocol">Cisco Discovery Protocol (CDP)</a>. So let's start CDP and check its status.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# cdp run</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# end</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp neighbors</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> D - Remote, C - CVTA, M - Two-port Mac Relay </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Device ID Local Intrfce Holdtme Capability Platform Port ID</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">core.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fas 0/48 129 R S I WS-C4507R Fas 5/44</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wan.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Gig 0/3 130 S I WS-C3560G Gig 0/27</span></div>
</div>
<div>
<br /></div>
<div>
Hummm, we don't see any IP phones here. That's because CDP is disabled on all interfaces except those two. Let's enable it on all the other FastEthernet interfaces.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/1 - 47</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# cdp enable</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
</div>
<div>
<br /></div>
<div>
Now let's see if we have those phones.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp neighbors</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> D - Remote, C - CVTA, M - Two-port Mac Relay </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Device ID Local Intrfce Holdtme Capability Platform Port ID</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">core.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fas 0/48 129 R S I WS-C4507R Fas 5/44</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wan.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Gig 0/3 130 S I WS-C3560G Gig 0/27</span></div>
</div>
</div>
<div>
<br /></div>
<div>
Weird, still no phones. I'm not quite sure why (does anyone know?), but one trick to get them to talk CDP again is to shut down the interfaces and bring them back online again.</div>
<div>
<br /></div>
<div>
<b>WARNING :<span style="color: red;"> </span></b><i><span style="color: red;">this command will shut down all voice operations on that switch. Make sure you have authorization to do this!</span></i></div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/1 - 47</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# shutdown</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# no shutdown</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
</div>
<div>
<br /></div>
<div>
Most IP phones are <a href="http://en.wikipedia.org/wiki/Power_over_Ethernet">Power over Ethernet (PoE)</a> devices, so by shutting down the interfaces we also cut the power to all the connected IP phones. If we looked at CDP right after that, we would not see anything new, because we need to wait for the IP phones to boot and start sending CDP packets. This takes about two or three minutes. After that delay, we check CDP again.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp nei</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> D - Remote, C - CVTA, M - Two-port Mac Relay </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Device ID Local Intrfce Holdtme Capability Platform Port ID</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebe3e Fas 0/30 144 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f235b3f6 Fas 0/12 145 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec344 Fas 0/6 143 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebe3f Fas 0/36 146 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec122 Fas 0/28 136 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22c72b3 Fas 0/33 141 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec100 Fas 0/9 136 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22cce0b Fas 0/37 124 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f235ad32 Fas 0/8 140 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2318999 Fas 0/34 142 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed7fa Fas 0/14 141 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f216a70a Fas 0/47 142 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed0ba Fas 0/15 141 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3fa Fas 0/19 138 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb0fc Fas 0/10 140 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb037 Fas 0/13 140 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2318675 Fas 0/16 143 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec282 Fas 0/29 142 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed619 Fas 0/23 139 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed718 Fas 0/21 143 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb109 Fas 0/3 141 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebdb9 Fas 0/26 144 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">core.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fas 0/48 133 R S I WS-C4507R Fas 5/44</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed758 Fas 0/46 139 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2358788 Fas 0/5 138 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wan.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Gig 0/3 134 S I WS-C3560G Gig 0/27</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A5B Fas 0/38 168 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb17d Fas 0/32 139 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed72b Fas 0/35 140 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3d7 Fas 0/24 146 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb3e7 Fas 0/31 145 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed03d Fas 0/4 136 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec13c Fas 0/20 140 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec05d Fas 0/7 145 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2e4c11a Fas 0/44 138 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed6a5 Fas 0/17 136 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec2e9 Fas 0/25 145 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A676B Fas 0/18 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22902f7 Fas 0/42 139 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A66 Fas 0/27 132 H P IP Phone Port 1</span></div>
</div>
<div>
<br /></div>
<div>
Ah ha! That's better. We now have a complete list of which type of phone is connected to which port. The ports with Cisco IP phones connected are :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp nei | inc IP Phone</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A5B Fas 0/38 152 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A676B Fas 0/18 145 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A66 Fas 0/27 172 H P IP Phone Port 1</span></div>
</div>
<div>
<br /></div>
<div>
While the ports with Polycom phones connected are :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp nei | inc Polycom </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebe3e Fas 0/30 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f235b3f6 Fas 0/12 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec344 Fas 0/6 122 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebe3f Fas 0/36 125 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec122 Fas 0/28 174 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22c72b3 Fas 0/33 179 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec100 Fas 0/9 175 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22cce0b Fas 0/37 163 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f235ad32 Fas 0/8 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2318999 Fas 0/34 120 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed7fa Fas 0/14 120 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f216a70a Fas 0/47 120 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed0ba Fas 0/15 179 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3fa Fas 0/19 177 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb0fc Fas 0/10 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb037 Fas 0/13 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2318675 Fas 0/16 121 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec282 Fas 0/29 120 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed619 Fas 0/23 177 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed718 Fas 0/21 122 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb109 Fas 0/3 120 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ebdb9 Fas 0/26 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed758 Fas 0/46 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2358788 Fas 0/5 176 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb17d Fas 0/32 177 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed72b Fas 0/35 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3d7 Fas 0/24 124 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb3e7 Fas 0/31 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed03d Fas 0/4 175 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec13c Fas 0/20 178 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec05d Fas 0/7 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f2e4c11a Fas 0/44 177 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed6a5 Fas 0/17 175 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec2e9 Fas 0/25 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22902f7 Fas 0/42 178 H P Polycom S Port 1</span></div>
</div>
<div>
<br />
<h4>
Polycom SoundPoint IP 335 Ports Configuration</h4>
<br /></div>
<div>
Ok, now that we know all this, we can configure the telephone ports. Let's start with the Polycom ports.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/3-10, fa0/12-17, fa0/19-21, fa0/23-26, fa0/28-37, fa0/42, fa0/44, fa0/46-47</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# description Polycom phone port</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust dscp</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# auto qos trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
<div>
<br /></div>
<div>
If QoS was not enabled on this switch, the « <span style="font-family: 'Courier New', Courier, monospace;">mls qos trust dscp</span> » command enables it. Now let's check an interface to see what has happened.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int fa0/42</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">!</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">interface FastEthernet0/42</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> description VoIP telephone port</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 300</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> speed 100</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> duplex full</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 1 30 35 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">end</span></div>
</div>
<div>
<br /></div>
<div>
Notice how the « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue bandwidth share 1 30 35 5</span> » configuration is now listed. This is placed automatically by the « <span style="font-family: 'Courier New', Courier, monospace;">auto qos trust</span> » command.</div>
<div>
<br />
<h4>
Cisco SPA504G IP Phone Ports Configuration</h4>
<br /></div>
<div>
Good, now let's configure the Cisco IP phone connected ports.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/18, fa0/27, fa0/38</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# description Cisco IP phone port</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust cos</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust device cisco-phone</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# auto qos voip cisco-phone </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
</div>
<div>
<br /></div>
<div>
Notice how it's a little different from the Polycom configuration. Let's see what happens to the interface.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch#sh run int fa0/18</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">!</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">interface FastEthernet0/18</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> description VoIP telephone port</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 300</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> speed 100</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> duplex full</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 1 30 35 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust device cisco-phone</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust cos</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip cisco-phone </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">end</span></div>
</div>
<div>
<br /></div>
<div>
Again the « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue bandwidth share 1 30 35 5</span> » configuration was installed along with the « <span style="font-family: 'Courier New', Courier, monospace;">service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY</span> ». </div>
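<div>
To check that every phone port really ended up with the lines shown in these two « <span style="font-family: 'Courier New', Courier, monospace;">sh run int</span> » outputs, here is a small Python audit script. This is an added example, not something from the original post or from Cisco: it splits « <span style="font-family: 'Courier New', Courier, monospace;">show run</span> » output into interface stanzas, compares each port against the command list its phone type received above, and also reports whether the port trusts markings conditionally (« <span style="font-family: 'Courier New', Courier, monospace;">mls qos trust device cisco-phone</span> », honoured only while CDP sees a Cisco phone) or unconditionally (« <span style="font-family: 'Courier New', Courier, monospace;">mls qos trust dscp</span> », where whatever is plugged into the port sets its own priority). The fa0/9 stanza, the <span style="font-family: 'Courier New', Courier, monospace;">roles</span> mapping and all function names are constructed for this example.</div>

```python
# Constructed sample: the two interface stanzas shown above (fa0/42 Polycom,
# fa0/18 Cisco SPA504G) plus one made-up port, fa0/9, that never received the
# QoS commands, so the audit has something to flag.
SHOW_RUN_INTERFACES = """\
!
interface FastEthernet0/42
 description VoIP telephone port
 switchport access vlan 300
 switchport mode access
 speed 100
 duplex full
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 auto qos trust
 spanning-tree portfast
!
interface FastEthernet0/18
 description VoIP telephone port
 switchport access vlan 300
 switchport mode access
 speed 100
 duplex full
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface FastEthernet0/9
 description VoIP telephone port
 switchport access vlan 300
 switchport mode access
 spanning-tree portfast
!
end
"""

# What each phone type's port should carry, taken from the two sessions above.
REQUIRED = {
    "polycom": ["mls qos trust dscp", "auto qos trust",
                "priority-queue out", "spanning-tree portfast"],
    "cisco": ["mls qos trust cos", "mls qos trust device cisco-phone",
              "auto qos voip cisco-phone", "priority-queue out",
              "spanning-tree portfast",
              "service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY"],
}


def parse_interfaces(text):
    """Split 'show run' output into {interface_name: [command, ...]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or 'end' closes the stanza
    return stanzas


def trust_mode(commands):
    """How the port decides whether to honour the attached device's markings."""
    if "mls qos trust device cisco-phone" in commands:
        return "conditional"      # trusted only while CDP reports a Cisco phone
    if any(c.startswith("mls qos trust") for c in commands):
        return "unconditional"    # any device on the port sets its own marking
    return "none"


def audit(text, roles):
    """roles: {interface_name: 'polycom' | 'cisco'}. Returns findings per port."""
    stanzas = parse_interfaces(text)
    report = {}
    for name, role in roles.items():
        cmds = stanzas.get(name, [])
        missing = [c for c in REQUIRED[role] if c not in cmds]
        report[name] = {"missing": missing, "trust": trust_mode(cmds),
                        "compliant": not missing}
    return report


if __name__ == "__main__":
    roles = {"FastEthernet0/42": "polycom", "FastEthernet0/18": "cisco",
             "FastEthernet0/9": "polycom"}
    for port, finding in audit(SHOW_RUN_INTERFACES, roles).items():
        print(port, finding)
```

<div>
The role of each port has to be supplied because, as the outputs above show, the description line does not always say which phone is behind the port (fa0/42 still reads « VoIP telephone port »). Feed the script the full « <span style="font-family: 'Courier New', Courier, monospace;">sh run</span> » of the switch and the CDP-derived port lists and it will tell you which ports were skipped.</div>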
<div>
<br />
<h4>
Running Configuration</h4>
<br /></div>
<div>
Those new interface configurations now reference « <span style="font-family: 'Courier New', Courier, monospace;">mls</span> » settings and a « <span style="font-family: 'Courier New', Courier, monospace;">policy-map</span> ». If the interfaces use them, they must be defined globally in the configuration. Let's find out by checking the running-config. I've listed here only the parts relevant to this blog post :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos map policed-dscp 0 10 18 24 46 to 8</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos map cos-dscp 0 8 16 24 32 46 48 56</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input bandwidth 70 30</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input threshold 1 80 90</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input priority-queue 2 bandwidth 30</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input cos-map queue 1 threshold 2 3</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input cos-map queue 1 threshold 3 6 7</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input cos-map queue 2 threshold 1 4</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input dscp-map queue 1 threshold 2 24</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue input dscp-map queue 2 threshold 3 46 47</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 1 threshold 3 4 5</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 2 threshold 1 2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 2 threshold 2 3</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 2 threshold 3 6 7</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 3 threshold 3 0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output cos-map queue 4 threshold 3 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 1 threshold 3 46 47</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 2 24</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos queue-set output 1 threshold 1 100 100 50 200</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos queue-set output 1 threshold 2 125 125 100 400</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos queue-set output 1 threshold 3 100 100 100 400</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos queue-set output 1 threshold 4 60 150 50 200</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos queue-set output 1 buffers 15 25 40 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mls qos </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">! </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">auto qos srnd4</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">class-map match-all AUTOQOS_VOIP_DATA_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> match ip dscp ef </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">class-map match-all AUTOQOS_DEFAULT_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> match access-group name AUTOQOS-ACL-DEFAULT</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> match ip dscp cs3 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">! </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> class AUTOQOS_VOIP_DATA_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> set dscp ef</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> police 128000 8000 exceed-action policed-dscp-transmit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> class AUTOQOS_VOIP_SIGNAL_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> set dscp cs3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> police 32000 8000 exceed-action policed-dscp-transmit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> class AUTOQOS_DEFAULT_CLASS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> set dscp default</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> police 10000000 8000 exceed-action policed-dscp-transmit</span></div>
</div>
<div>
<br /></div>
<br />
As you can see, there is a lot going on when we use the auto keywords to configure VoIP QoS.<br />
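<div>
To see what those global lines actually do to a packet, here is an added Python walk-through (not from the original post, and not Cisco code) that parses the « <span style="font-family: 'Courier New', Courier, monospace;">policed-dscp</span> », « <span style="font-family: 'Courier New', Courier, monospace;">cos-dscp</span> » and egress « <span style="font-family: 'Courier New', Courier, monospace;">dscp-map</span> » lines copied from the listing above and follows a marking through them: in-profile EF (DSCP 46) lands in egress queue 1, the queue that « <span style="font-family: 'Courier New', Courier, monospace;">priority-queue out</span> » turns into the strict-priority queue, while voice that exceeds the 128000 bps policer is re-marked to DSCP 8 by the policed-dscp map and therefore drops to queue 4 threshold 1 with the other low-priority DSCPs. The excerpt, the regular expressions and the function names are constructed for this example.</div>

```python
import re

# Constructed excerpt of the running-config listed above: the policed-dscp,
# cos-dscp and egress dscp-map lines are copied from the page; nothing else
# from the switch is needed for this walk-through.
RUNNING_CONFIG = """\
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
"""

EGRESS_RE = re.compile(
    r"^mls qos srr-queue output dscp-map queue (\d+) threshold (\d+) ([\d ]+)$")
POLICED_RE = re.compile(r"^mls qos map policed-dscp ([\d ]+?) to (\d+)$")
COS_DSCP_RE = re.compile(r"^mls qos map cos-dscp ([\d ]+)$")


def parse_qos_maps(config):
    """Return three tables: egress[dscp] = (queue, threshold),
    policed[dscp] = re-marked dscp, cos_dscp[cos] = dscp."""
    egress, policed, cos_dscp = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = EGRESS_RE.match(line)
        if m:
            queue, thr = int(m[1]), int(m[2])
            for v in m[3].split():
                egress[int(v)] = (queue, thr)
            continue
        m = POLICED_RE.match(line)
        if m:
            for v in m[1].split():
                policed[int(v)] = int(m[2])
            continue
        m = COS_DSCP_RE.match(line)
        if m:
            # Position in the list is the CoS value (0..7) being mapped.
            cos_dscp = {cos: int(d) for cos, d in enumerate(m[1].split())}
    return {"egress": egress, "policed": policed, "cos_dscp": cos_dscp}


def egress_queue(maps, dscp):
    """(queue, threshold) for a DSCP, or None when the excerpt leaves that
    value at the platform default (DSCP 25 is the only one not listed)."""
    return maps["egress"].get(dscp)


def trace_packet(maps, dscp, exceeded_policer=False):
    """Follow one marking through the config: an out-of-profile packet is
    re-marked via the policed-dscp map (exceed-action policed-dscp-transmit),
    and the resulting DSCP selects the egress queue."""
    if exceeded_policer:
        dscp = maps["policed"].get(dscp, dscp)
    return dscp, egress_queue(maps, dscp)


if __name__ == "__main__":
    maps = parse_qos_maps(RUNNING_CONFIG)
    print("EF in profile      :", trace_packet(maps, 46))
    print("EF over the policer:", trace_packet(maps, 46, exceeded_policer=True))
    print("CS3 signalling     :", trace_packet(maps, 24))
    print("CoS 5 from a phone -> DSCP", maps["cos_dscp"][5])
```

<div>
The « <span style="font-family: 'Courier New', Courier, monospace;">cos-dscp</span> » table matters for the Cisco phone ports, which trust CoS rather than DSCP: CoS 5 becomes DSCP 46 and CoS 3 becomes DSCP 24, so the same egress queues apply to both phone types.</div>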
<br />
<h4>
Trunk Port Configuration</h4>
<br />
We now have all IP phone connected ports configured. But we haven't configured the trunk port yet. So let's do this now.<br />
<br />
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int gi0/3</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# description </span><span style="font-family: 'Courier New', Courier, monospace;">c3560g VoIP trunk</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# auto qos trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# end</span></div>
</div>
<br />
And once we're finished, this is what the interface looks like :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/3</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">!</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/3</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> description c3560g VoIP trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport trunk encapsulation dot1q</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 1 30 35 5</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos trust </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">end</span><br />
<div>
<br /></div>
<div>
Again, we can see the « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue</span> » config has been installed even though we did not explicitly configure it.</div>
<div>
<br /></div>
<h4>
Save Configuration</h4>
<div>
<br /></div>
<div>
The last task to do on this switch is to save the configuration. Very easy to do, but oh so important!</div>
<div>
<br /></div>
<div>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# write memory </span></div>
</div>
</div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy start tftp</span></div>
<div>
<br /></div>
<div>
That's it for our first WS-C3560-48PS Switch. Let's configure the second one now.</div>
<div>
<br /></div>
<h3>
Second WS-C3560-48PS Switch</h3>
<div>
<br /></div>
<div>
On this switch, we simply need to do everything we did on the first one : check VLAN, VTP status, CDP and then configure phone ports and trunk port. I'll skip most of the discussion as I hope I've been clear enough on the first switch.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh 172.22.1.3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch> enable</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh vtp status</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh vlan brief</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh int status | inc Gi0/3</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/3</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# cdp run</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# end</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp neighbors</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/1 - 47</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# cdp enable</span></div>
<div>
<div>
<b>WARNING : </b><i><span style="color: red;">this command will shutdown all voice operations from that switch. Make sure you have authorization to do this!</span></i></div>
<div>
<br /></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# shutdown</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# no shutdown</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch#</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp neighbors</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> D - Remote, C - CVTA, M - Two-port Mac Relay </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Device ID Local Intrfce Holdtme Capability Platform Port ID</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3ed Fas 0/5 123 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed793 Fas 0/6 135 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec090 Fas 0/1 130 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">core.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Fas 0/48 143 R S I WS-C4507R Fas 5/43</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wan.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Gig 0/3 136 S I WS-C3560G Gig 0/28</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A9C Fas 0/42 166 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA8 Fas 0/4 169 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA7 Fas 0/36 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A66EE Fas 0/31 165 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6713 Fas 0/30 165 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6714 Fas 0/44 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA1 Fas 0/39 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AC2 Fas 0/35 165 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec05f Fas 0/7 135 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed7f0 Fas 0/3 132 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb3e3 Fas 0/46 132 H P Polycom S Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A53 Fas 0/34 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A52 Fas 0/43 165 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A50 Fas 0/2 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAC Fas 0/37 164 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A57 Fas 0/38 163 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAB Fas 0/40 166 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAA Fas 0/33 165 H P IP Phone Port 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A54 Fas 0/41 166 H P IP Phone Port 1</span></div>
</div>
<div>
<br /></div>
<div>
We thus need to configure ports differently because this switch also has a mix of Polycom and Cisco phones.</div>
<div>
<br /></div>
<div>
<div>
<h4>
<b>Polycom SoundPoint IP 335 Ports Configuration</b></h4>
<br /></div>
<div>
Again, as we did on the first VoIP access switch, let's configure the Polycom ports first. In order to do that, we need to narrow our search in CDP to only the Polycom devices.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp nei | inc Polycom</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec3ed Fas 0/5 125 H P Polycom S Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed793 Fas 0/6 137 H P Polycom S Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec090 Fas 0/1 131 H P Polycom S Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ec05f Fas 0/7 136 H P Polycom S Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22ed7f0 Fas 0/3 133 H P Polycom S Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SEP0004f22eb3e3 Fas 0/46 133 H P Polycom S Port 1</span><br />
<div>
<br /></div>
Then configure only those ports.<br />
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/1, fa0/3, fa0/5-7, fa0/46</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# description Polycom phone port</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# auto qos trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<h4>
<b>Cisco SPA504G IP Phone Ports Configuration</b></h4>
<br /></div>
<div>
Now let's configure the Cisco IP phone connected ports. We first list our Cisco IP Phone ports.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh cdp nei | inc IP Phone</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A9C Fas 0/42 145 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA8 Fas 0/4 124 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA7 Fas 0/36 151 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A66EE Fas 0/31 147 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6713 Fas 0/30 143 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6714 Fas 0/44 151 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AA1 Fas 0/39 147 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AC2 Fas 0/35 150 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A53 Fas 0/34 150 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A52 Fas 0/43 127 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A50 Fas 0/2 139 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAC Fas 0/37 152 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A57 Fas 0/38 146 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAB Fas 0/40 170 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6AAA Fas 0/33 151 H P IP Phone Port 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SIP1CDF0F4A6A54 Fas 0/41 159 H P IP Phone Port 1</span><br />
<div>
<br /></div>
<div>
Once we know our Cisco IP Phone connected ports, we can configure them.</div>
<div>
<br /></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range fa0/2, fa0/4, fa0/30-31, fa0/33-44</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# description Cisco IP phone port</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust cos</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust device cisco-phone</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# auto qos voip cisco-phone </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
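<div>
The two « <span style="font-family: 'Courier New', Courier, monospace;">sh cdp nei | inc ...</span> » listings above are exactly what is needed to build the « <span style="font-family: 'Courier New', Courier, monospace;">int range</span> » lines by hand, and here is an added Python example (not from the original post, not a Cisco tool) that automates that step for both phone types: it parses « <span style="font-family: 'Courier New', Courier, monospace;">show cdp neighbors</span> » output, keys each row on the local interface column (so the wrapped <span style="font-family: 'Courier New', Courier, monospace;">core.company.com</span> row is handled without special casing), groups ports by phone platform and collapses them into IOS range syntax. The sample text is constructed from rows of the listings above, and the <span style="font-family: 'Courier New', Courier, monospace;">PHONE_PLATFORMS</span> table and function names are this example's own; the platform strings match the truncated Platform column IOS prints.</div>

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "show cdp neighbors" listings above
# (rows copied from the page; the wrapped core.company.com row is included on
# purpose, since long device IDs spill onto a second line).
SAMPLE_CDP = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0004f22ec3ed  Fas 0/5           125              H P   Polycom S Port 1
SEP0004f22ed793  Fas 0/6           137              H P   Polycom S Port 1
SEP0004f22ec090  Fas 0/1           131              H P   Polycom S Port 1
core.company.com
                 Fas 0/48          143             R S I  WS-C4507R Fas 5/43
SIP1CDF0F4A6A9C  Fas 0/42          145              H P   IP Phone  Port 1
SIP1CDF0F4A6AA8  Fas 0/4           124              H P   IP Phone  Port 1
SEP0004f22ec05f  Fas 0/7           136              H P   Polycom S Port 1
SEP0004f22ed7f0  Fas 0/3           133              H P   Polycom S Port 1
SEP0004f22eb3e3  Fas 0/46          133              H P   Polycom S Port 1
"""

# IOS truncates the Platform column, so a SoundPoint shows up as "Polycom S";
# any other platform (uplinks, routers) is ignored.
PHONE_PLATFORMS = {"Polycom S": "polycom", "IP Phone": "cisco"}

# One neighbor row: local interface, holdtime, then capability/platform/port.
ROW_RE = re.compile(r"(?P<iftype>Fas|Gig)\s+(?P<port>\d+/\d+)\s+\d+\s+(?P<rest>.+)$")
IF_ABBREV = {"Fas": "fa", "Gig": "gi"}


def parse_cdp_neighbors(text):
    """Return [(if_abbrev, port, phone_kind_or_None), ...] for every neighbor row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue  # header, blank, or the first half of a wrapped device ID
        kind = next((k for name, k in PHONE_PLATFORMS.items() if name in m["rest"]), None)
        rows.append((IF_ABBREV[m["iftype"]], m["port"], kind))
    return rows


def interface_range(ports, prefix="fa"):
    """Collapse port numbers into IOS 'interface range' syntax, e.g.
    ['0/5', '0/6', '0/1', '0/7', '0/3', '0/46'] -> 'fa0/1, fa0/3, fa0/5-7, fa0/46'."""
    by_module = defaultdict(set)
    for p in ports:
        module, num = p.rsplit("/", 1)
        by_module[module].add(int(num))
    pieces = []
    for module in sorted(by_module):
        nums = sorted(by_module[module])
        start = prev = nums[0]
        for n in nums[1:] + [None]:           # None flushes the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            pieces.append(f"{prefix}{module}/{start}" if start == prev
                          else f"{prefix}{module}/{start}-{prev}")
            if n is not None:
                start = prev = n
    return ", ".join(pieces)


def phone_port_ranges(cdp_text):
    """Map phone kind -> range string, ready to paste after 'int range'."""
    grouped = defaultdict(lambda: defaultdict(list))
    for iftype, port, kind in parse_cdp_neighbors(cdp_text):
        if kind is not None:
            grouped[kind][iftype].append(port)
    return {kind: ", ".join(interface_range(ports, prefix)
                            for prefix, ports in sorted(per_if.items()))
            for kind, per_if in grouped.items()}


if __name__ == "__main__":
    for kind, rng in phone_port_ranges(SAMPLE_CDP).items():
        print(f"{kind}: int range {rng}")
```

<div>
Paste the real « <span style="font-family: 'Courier New', Courier, monospace;">sh cdp neighbors</span> » output in place of the sample and the script prints one « <span style="font-family: 'Courier New', Courier, monospace;">int range</span> » argument per phone type; because it only ever groups ports whose CDP platform is a known phone, a port with a switch, router or nothing behind it never ends up in the trusted range by accident.</div>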
<h4>
<b>Trunk Port Configuration</b></h4>
<br />
As we did with our first access switch, we need to configure our trunk port.<br />
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int gi0/3</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# description </span><span style="font-family: 'Courier New', Courier, monospace;">c3560g VoIP trunk</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# auto qos trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# end</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<h4>
<b>Save Configuration</b></h4>
<div>
<br /></div>
<div>
And finally, save the configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# write memory </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy start tftp</span></div>
<div>
<br /></div>
<div>
That's it for our second WS-C3560-48PS access switch. We must now move on to the WS-C3560G-24TS-S switch which is the central connection for both the VoIP and WAN VLANs, both VoIP access switches and our firewall.</div>
<div>
<br /></div>
<h3>
Cisco WS-C3560G-24TS-S Switch Configuration</h3>
<br />
This switch connects all of our pieces together : both access switches, the firewall and our ISP uplink. So we need to configure these ports :<br />
<ul>
<li>Gi0/1 which is connected to our ISP uplink.</li>
<li>Gi0/4 which is connected to the WAN interface in our firewall.</li>
<li>Gi0/17 which is connected to the VoIP interface in our firewall.</li>
<li>Gi0/27-28 which are the trunks to the two WS-C3560-48PS access switches.</li>
</ul>
But before we configure any ports, let's check the VTP, VLAN and interface status.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh 172.16.1.1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch> enable</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch#sh vtp status</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP Version capable : 1 to 3</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP version running : 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP Domain Name : dmz</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP Pruning Mode : Disabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP Traps Generation : Enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Device ID : 001a.2f98.2f00</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Configuration last modified by 172.22.200.6 at 3-8-93 23:56:45</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Local updater ID is 172.16.1.1 on interface Vl200 (preferred interface)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Preferred interface name is vlan200 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Feature VLAN:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">--------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">VTP Operating Mode : Server</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Maximum VLANs supported locally : 1005</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Number of existing VLANs : 9</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Configuration Revision : 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">MD5 digest : 0x3B 0x54 0xC1 0x4F 0x88 0x4B 0x84 0xBB </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 0xC1 0x82 0x8C 0x07 0x5B 0x27 0x96 0x28 </span><br />
<div>
<br /></div>
<div>
OK, so this switch is the VTP server for VTP domain dmz: if we ever need to add or change a VLAN for our three switches, this is where we do it. That also carries a risk worth knowing about: any switch joining the domain in server mode with a higher configuration revision than the current 20 will overwrite the VLAN database on all three switches, so set a VTP password, and check « <span style="font-family: 'Courier New', Courier, monospace;">sh vtp status</span> » on any switch before cabling it into this domain.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch#sh vlan brief</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">VLAN Name Status Ports</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">---- -------------------------------- --------- -------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1 default active Gi0/2, Gi0/5, Gi0/7, Gi0/8, Gi0/14, Gi0/15, Gi0/16, Gi0/19, Gi0/20, Gi0/21, Gi0/22, Gi0/23, Gi0/25, Gi0/26</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">19 DMZ active Gi0/9, Gi0/10, Gi0/11, Gi0/12, Gi0/13</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">144 WAN active Gi0/1, Gi0/3, Gi0/4, Gi0/6</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">200 Management active Gi0/24</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">300 VoIP active Gi0/17, Gi0/18</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1002 fddi-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1003 token-ring-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1004 fddinet-default act/unsup </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1005 trnet-default act/unsup</span></div>
<br />
We have all the same VLANs as our two other switches plus a new one : VLAN 19 (DMZ). That means this switch also has some DMZ ports. This is not shown in the VoIP topology and is not required for our purposes.<br />
<br />
Let's see which interfaces are connected on this device.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh int status | inc connected</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/1 WAN ISP connected 144 a-full a-1000 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/4 firewall X2 WAN connected 144 full a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/9 firewall X3 DMZ connected 19 full a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/10 www.company.com connected 19 full a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/12 ftp.company.com connected 19 a-full a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/17 firewall X4 VoIP connected 300 a-half a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/24 Switch mgmt port connected 200 full a-100 10/100/1000BaseTX</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/27 VoIP 1 trunk connected trunk a-full a-1000 1000BaseSX SFP</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/28 VoIP 2 trunk connected trunk a-full a-1000 1000BaseSX SFP</span><br />
<div>
<br /></div>
<div>
As per our topology, we can see that port Gi0/1 is our WAN port. We also see some DMZ hosts (the firewall, a web server and an FTP server). We clearly see that the firewall is connected on three interfaces of this device : Gi0/4 in VLAN 144, which connects the firewall to the WAN, Gi0/9 in VLAN 19 for the DMZ and Gi0/17 in VLAN 300, which is the VoIP VLAN. Ports Gi0/27 and Gi0/28 are the trunk ports going to the WS-C3560-48PS access switches. While we're here, let's configure them.</div>
<div>
<br /></div>
<h4>
Gi0/27-28 Trunk Ports Configuration</h4>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int range gi0/27-28</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# description VoIP trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# switchport trunk allowed vlan 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# priority-queue out </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# mls qos trust dscp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# auto qos voip trust </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if-range)# end</span><br />
<br />
This configures both trunk ports. Let's see what that gives us :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/27</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">!</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/27</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> description VoIP trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport trunk allowed vlan 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 10 10 60 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> queue-set 2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip trust </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">end</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/28</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">!</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/28</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> description VoIP trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport trunk allowed vlan 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 10 10 60 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> queue-set 2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip trust </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">end</span><br />
<br />
As with the other ports, the « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue bandwidth share 10 10 60 20</span> » and « <span style="font-family: 'Courier New', Courier, monospace;">queue-set 2</span> » lines were added by « <span style="font-family: 'Courier New', Courier, monospace;">auto qos voip trust</span> » without us having to type them.<br />
<br />
Notice the « <span style="font-family: 'Courier New', Courier, monospace;">switchport trunk allowed vlan 200,300</span> » config. It prevents the DMZ and WAN VLANs from reaching the VoIP access switches, for security reasons. Let's make sure that is the case.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh int trunk</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Port Mode Encapsulation Status Native vlan</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/27 auto n-802.1q trunking 200</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/28 auto n-802.1q trunking 200</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Port Vlans allowed on trunk</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/27 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/28 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Port Vlans allowed and active in management domain</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/27 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/28 200,300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Port Vlans in spanning tree forwarding state and not pruned</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/27 300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Gi0/28 300</span><br />
<div>
<br /></div>
<div>
Indeed, that is the case: these trunk ports only carry the Management and VoIP VLANs to the VoIP access switches, which is what we want. Two details in that output are worth a second look, though. The Mode column reads « <span style="font-family: 'Courier New', Courier, monospace;">auto</span> » and the encapsulation « <span style="font-family: 'Courier New', Courier, monospace;">n-802.1q</span> », so the trunk was negotiated by DTP rather than configured; « <span style="font-family: 'Courier New', Courier, monospace;">switchport mode trunk</span> » plus « <span style="font-family: 'Courier New', Courier, monospace;">switchport nonegotiate</span> » pins it and stops the switch from answering DTP at all. And the native VLAN is 200, our Management VLAN, so any untagged frame arriving on these links lands in the management network; a dedicated, otherwise unused native VLAN (or the global « <span style="font-family: 'Courier New', Courier, monospace;">vlan dot1q tag native</span> ») closes that door. Also note that the last table lists only VLAN 300 in spanning-tree forwarding state on both ports: VLAN 200 is allowed but not forwarding there, which « <span style="font-family: 'Courier New', Courier, monospace;">sh spanning-tree vlan 200</span> » will explain, and which matters if we expect to manage the access switches over these trunks.</div>
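<div>
The containment check above is worth automating, because the allowed list, the DTP mode and the native VLAN all sit on the same « <span style="font-family: 'Courier New', Courier, monospace;">sh int trunk</span> » screen. Here is an added example (not code from the original post) in Python that parses that output, pasted as a constructed string, and reports the findings a reviewer would raise; the expected and forbidden VLAN sets are assumptions matching this topology.</div>

```python
"""Audit `show interfaces trunk` output for VLAN containment on the VoIP trunks.

Added example, not code from the original post: the transcript below is the
`sh int trunk` output shown above pasted as a constructed string, and the
expected/forbidden VLAN sets are assumptions matching this topology.
"""
from __future__ import annotations

# Constructed sample: the `sh int trunk` output from the switch above.
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/27      auto         n-802.1q       trunking      200
Gi0/28      auto         n-802.1q       trunking      200

Port        Vlans allowed on trunk
Gi0/27      200,300
Gi0/28      200,300

Port        Vlans allowed and active in management domain
Gi0/27      200,300
Gi0/28      200,300

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/27      300
Gi0/28      300
"""

# Assumed policy for the VoIP trunks (VLAN numbers as used on this page).
EXPECTED_VLANS = {200, 300}   # Management, VoIP
FORBIDDEN_VLANS = {19, 144}   # DMZ, WAN: must never reach the VoIP switches
MANAGEMENT_VLAN = 200


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-5,10,200,300' into a set of VLAN ids."""
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return set()
    if spec == "all":
        return set(range(1, 4095))
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_int_trunk(text: str) -> dict[str, dict]:
    """Parse the four tables of `show interfaces trunk` into one dict per port."""
    ports: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":            # table header: decide which table follows
            header = line.lower()
            if "native" in header:
                section = "mode"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "active in management" in header:
                section = "active"
            elif "forwarding" in header:
                section = "forwarding"
            continue
        entry = ports.setdefault(fields[0], {})
        if section == "mode":
            entry["mode"], entry["encap"], entry["status"] = fields[1:4]
            entry["native"] = int(fields[4])
        elif section is not None:
            entry[section] = expand_vlan_list(fields[1] if len(fields) > 1 else "")
    return ports


def audit_trunk(entry: dict) -> list[str]:
    """Findings a reviewer would raise for one VoIP trunk port."""
    findings: list[str] = []
    allowed = entry.get("allowed", set())
    if allowed & FORBIDDEN_VLANS:
        findings.append(f"forbidden VLANs allowed: {sorted(allowed & FORBIDDEN_VLANS)}")
    if allowed - EXPECTED_VLANS:
        findings.append(f"unexpected VLANs allowed: {sorted(allowed - EXPECTED_VLANS)}")
    # 'auto'/'desirable' mode or an 'n-' encapsulation means DTP negotiated this trunk
    if entry.get("mode") != "on" or entry.get("encap", "").startswith("n-"):
        findings.append(f"DTP-negotiated trunk (mode {entry.get('mode')}, "
                        f"{entry.get('encap')}): set 'switchport mode trunk' "
                        "and 'switchport nonegotiate'")
    native = entry.get("native")
    if native in allowed:        # the native VLAN is carried untagged on the trunk
        what = " (the management VLAN)" if native == MANAGEMENT_VLAN else ""
        findings.append(f"native VLAN {native}{what} travels untagged on this trunk")
    not_forwarding = allowed - entry.get("forwarding", set())
    if not_forwarding:
        findings.append(f"allowed but not forwarding: {sorted(not_forwarding)} "
                        "(check 'show spanning-tree vlan <id>')")
    return findings


if __name__ == "__main__":
    for port, entry in parse_show_int_trunk(SHOW_INT_TRUNK).items():
        findings = audit_trunk(entry)
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

<div>
Run it and it prints one line per trunk followed by its findings; for the output above both ports come back clean on VLAN containment but are flagged for the negotiated trunk, the untagged management VLAN and VLAN 200 not forwarding. The expand_vlan_list helper also understands the « 1-5,10 » ranges and the « all » / « none » keywords IOS prints, so the same audit can be pointed at trunks that carry more than two VLANs.</div>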
<div>
<br /></div>
<h4>
Gi0/17 Firewall VoIP Interface Port Configuration</h4>
<div>
<br /></div>
<div>
We continue our setup by configuring port Gi0/17, which connects to the firewall's VoIP interface. Our goal is always the same : make sure the DSCP and CoS tags are honoured and not stripped when they cross the interface. That's why we add the <span style="font-family: 'Courier New', Courier, monospace;">trust</span> commands.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int gi0/17</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# description firewall X4 VoIP interface</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport access vlan 300</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# auto qos voip trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# no cdp enable</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# end</span></div>
<div>
<br /></div>
<div>
These commands create the configuration :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/17</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">!</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/17</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> description firewall X4 VoIP interface</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 300</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 10 10 60 20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue-set 2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> no cdp enable</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">end</span></div>
</div>
<div>
<br /></div>
<div>
Our next step is to configure interface Gi0/4, which connects our firewall's WAN interface to the current switch.</div>
<div>
<br /></div>
<h4>
Gi0/4 Firewall WAN Interface Port Configuration</h4>
<div>
<br /></div>
<div>
So again, we set up the <span style="font-family: 'Courier New', Courier, monospace;">trust</span> commands on this interface.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int gi0/4</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# description firewall X2 WAN interface</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport access vlan 144</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# auto qos voip trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# no cdp enable</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# end</span></div>
</div>
<div>
<br /></div>
<div>
And the configuration created by these commands is that one :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/4 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">!</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/4</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> description firewall X2 WAN interface</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 144</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 10 10 60 20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue-set 2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> no cdp enable</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">end</span></div>
<div>
<br /></div>
</div>
<div>
We're almost there. One more interface to configure : the WAN ISP interface.</div>
<br />
<h4>
Gi0/1 ISP Uplink Port Configuration</h4>
<br />
Our last interface to configure is Gi0/1, which connects to our ISP's switch installed in our data center. Two caveats apply to this port and not to the others. First, « <span style="font-family: 'Courier New', Courier, monospace;">mls qos trust dscp</span> » here means we honour whatever DSCP value the provider hands us: anyone upstream who marks packets EF gets them served from our strict priority queue ahead of our own calls, so this only makes sense if the ISP re-marks at its edge, and the inbound DSCP 46 counter in « <span style="font-family: 'Courier New', Courier, monospace;">sh mls qos interface gi0/1 statistics</span> » is the number to watch for unexpected volume. Second, « <span style="font-family: 'Courier New', Courier, monospace;">spanning-tree portfast</span> » is meant for host ports; on a port facing another switch it is dropped as soon as a BPDU arrives, and if BPDU guard is enabled globally with « <span style="font-family: 'Courier New', Courier, monospace;">spanning-tree portfast bpduguard default</span> » the port will be err-disabled instead of coming up.<br />
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf t</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# int gi0/1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# description ISP uplink</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport access vlan 144</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# switchport mode access</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# priority-queue out </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# mls qos trust dscp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# auto qos voip trust </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# no cdp enable</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# spanning-tree portfast</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-if)# end</span></div>
<br />
And the resulting configuration is :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run int gi0/1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">!</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">interface GigabitEthernet0/1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> description ISP uplink</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport access vlan 144</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> switchport mode access</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> srr-queue bandwidth share 10 10 60 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> queue-set 2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> priority-queue out </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> mls qos trust dscp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> auto qos voip trust </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> no cdp enable</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> spanning-tree portfast</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">end</span><br />
<div>
<br />
<br />
<h4>
Save Configuration</h4>
<div>
<br /></div>
<div>
The last task, as always, is to save the configuration. « <span style="font-family: 'Courier New', Courier, monospace;">write memory</span> » and « <span style="font-family: 'Courier New', Courier, monospace;">copy run start</span> » do the same thing, so either one is enough. The TFTP copy is our off-box backup, and it deserves a word of caution: TFTP is unauthenticated and unencrypted, and the startup-config carries the enable secret hash, SNMP community strings and any line or VTP passwords, so only send it to a TFTP server on the Management VLAN, or use SCP (« <span style="font-family: 'Courier New', Courier, monospace;">copy start scp:</span> ») where the IOS image supports it.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# write memory </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy start tftp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
</div>
</div>
<div>
Great! We now have configured our entire topology for VoIP QoS!</div>
<div>
<br /></div>
<div>
But how do we know it works?</div>
<div>
<br /></div>
<h3>
Testing and Monitoring</h3>
<div>
<br /></div>
<div>
To check if the configuration is working, one must first clear the statistics of the WAN port Gi0/1 that we just configured. To do this, connect to the switch and issue the following.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# clear mls qos interface gi0/1 statistics</span></div>
<div>
<br /></div>
<div>
Then we need to generate VoIP traffic. That's easy : pick up the phone and call a friend ;) Put him on speaker and, while you're talking, check the statistics on the interface. Right after the clear command every counter reads zero; after a while they start to increase. To see the statistics, do this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh mls qos interface gi0/1 statistics</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">GigabitEthernet0/1 (All statistics are in packets)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> dscp: incoming </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 8648676 16 1984532 0 751 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 9 : 0 15 156 5502 64 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 10 - 14 : 4611 0 57 0 4 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 15 - 19 : 0 449 0 15 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 20 - 24 : 10 0 0 0 304172 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 25 - 29 : 0 25 0 1 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 30 - 34 : 4 0 33 0 68 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 35 - 39 : 0 0 0 1167 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 40 - 44 : 216 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 45 - 49 : 0 4408223 0 271 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 50 - 54 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 55 - 59 : 1182 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 60 - 64 : 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> dscp: outgoing </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 9432900 0 0 0 11952 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 9 : 0 0 0 58829 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 10 - 14 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 15 - 19 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 20 - 24 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 25 - 29 : 0 28328 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 30 - 34 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 35 - 39 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 40 - 44 : 0 0 0 0 459249 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 45 - 49 : 0 4165178 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 50 - 54 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 55 - 59 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 60 - 64 : 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> cos: incoming </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 15365764 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 7 : 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> cos: outgoing </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 9444939 58829 0 28328 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 7 : 4624427 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> output queues enqueued: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue: threshold1 threshold2 threshold3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-----------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 0: 0 0 4624427 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 1: 0 379 124143 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 2: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 3: 58829 0 9445149 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> output queues dropped: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue: threshold1 threshold2 threshold3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-----------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 0: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 1: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 2: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 3: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Policer: Inprofile: 0 OutofProfile: 0</span> </div>
</div>
<div>
<br /></div>
<div>
Hummm, ok, what do all these numbers mean?</div>
<div>
<br /></div>
<div>
Relax. Step back and look at the shape of the output rather than the numbers. There are DSCP incoming and outgoing tables, COS incoming and outgoing tables, and then enqueued and dropped counters for the four output queues. So let's break this down into three subjects :</div>
<div>
<div>
<ul>
<li>DSCP Statistics</li>
<li>COS Statistics</li>
<li>Queue Statistics</li>
</ul>
</div>
</div>
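<div>
Before going through the three subjects by hand, here is an added example (not code from the original post) in Python that reads the same « <span style="font-family: 'Courier New', Courier, monospace;">sh mls qos interface gi0/1 statistics</span> » screen, embedded as a constructed excerpt of the output above, and pulls out the numbers a VoIP trust check needs : EF (DSCP 46) in and out, signalling (CS3/AF31) in and out, CoS 5 out, what went into the priority queue and what was dropped. The DSCP names are the standard code points; the queue numbering assumes « <span style="font-family: 'Courier New', Courier, monospace;">priority-queue out</span> » is set, as it is on this port.</div>

```python
"""Summarise `show mls qos interface <port> statistics` for a VoIP trust check.

Added example, not code from the original post. The transcript below is a
constructed excerpt of the Gi0/1 output shown on this page (all-zero rows left
out); EF, CS3 and AF31 are the standard DSCP code points 46, 24 and 26.
"""
from __future__ import annotations
import re

SHOW_MLS_QOS_STATS = """\
  dscp: incoming
-------------------------------
  0 -  4 :     8648676           16      1984532            0          751
 20 - 24 :          10            0            0            0       304172
 25 - 29 :           0           25            0            1            0
 45 - 49 :           0      4408223            0          271            0
  dscp: outgoing
-------------------------------
  0 -  4 :     9432900            0            0            0        11952
 25 - 29 :           0        28328            0            0            0
 40 - 44 :           0            0            0            0       459249
 45 - 49 :           0      4165178            0            0            0
  cos: outgoing
-------------------------------
  0 -  4 :     9444939        58829            0        28328            0
  5 -  7 :     4624427            0            0
  output queues enqueued:
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0     4624427
 queue 1:           0         379      124143
 queue 2:           0           0           0
 queue 3:       58829           0     9445149

  output queues dropped:
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0           0
 queue 1:           0           0           0
 queue 2:           0           0           0
 queue 3:           0           0           0

Policer: Inprofile:            0 OutofProfile:            0
"""

EF, CS3, AF31 = 46, 24, 26   # voice bearer and the two usual call-signalling markings
PRIORITY_QUEUE = 0           # 'queue 0' here is egress queue 1, the expedite queue
                             # once 'priority-queue out' is configured on the port
SECTION_RE = re.compile(r"^\s*(dscp|cos): (incoming|outgoing)\s*$")
ROW_RE = re.compile(r"^\s*(\d+)\s*-\s*\d+\s*:\s*(.*)$")
QUEUE_HDR_RE = re.compile(r"^\s*output queues (enqueued|dropped):")
QUEUE_ROW_RE = re.compile(r"^\s*queue (\d+):\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_mls_qos_stats(text: str) -> dict[str, dict]:
    """Turn the tables into dicts keyed by DSCP/CoS value or by queue number."""
    keys = ("dscp_in", "dscp_out", "cos_in", "cos_out", "enqueued", "dropped")
    stats: dict[str, dict] = {k: {} for k in keys}
    current = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = f"{m.group(1)}_{'in' if m.group(2) == 'incoming' else 'out'}"
        elif m := QUEUE_HDR_RE.match(line):
            current = m.group(1)
        elif current in ("enqueued", "dropped"):
            if m := QUEUE_ROW_RE.match(line):
                stats[current][int(m.group(1))] = [int(x) for x in m.group(2, 3, 4)]
        elif current and (m := ROW_RE.match(line)):
            start = int(m.group(1))       # an 'X - Y :' row carries up to five counters
            for offset, value in enumerate(m.group(2).split()):
                stats[current][start + offset] = int(value)
    return stats


def voip_summary(stats: dict) -> dict:
    """The few numbers that say whether marking survived and landed in the right queue."""
    pq = sum(stats["enqueued"].get(PRIORITY_QUEUE, [0, 0, 0]))
    total = sum(sum(v) for v in stats["enqueued"].values())
    cos5_out = stats["cos_out"].get(5, 0)
    return {
        "ef_in": stats["dscp_in"].get(EF, 0),
        "ef_out": stats["dscp_out"].get(EF, 0),
        "signalling_in": stats["dscp_in"].get(CS3, 0) + stats["dscp_in"].get(AF31, 0),
        "signalling_out": stats["dscp_out"].get(CS3, 0) + stats["dscp_out"].get(AF31, 0),
        "cos5_out": cos5_out,
        "priority_queue_enqueued": pq,
        "priority_queue_matches_cos5": pq == cos5_out,   # all CoS 5, and only CoS 5
        "priority_queue_share": pq / total if total else 0.0,
        "dropped": sum(sum(v) for v in stats["dropped"].values()),
    }


def inbound_ef_share(stats: dict) -> float:
    """Fraction of inbound packets that already carried EF. On a port that trusts DSCP
    from an outside party, this is what that party can push into the priority queue."""
    total_in = sum(stats["dscp_in"].values())
    return stats["dscp_in"].get(EF, 0) / total_in if total_in else 0.0


if __name__ == "__main__":
    parsed = parse_mls_qos_stats(SHOW_MLS_QOS_STATS)
    print(voip_summary(parsed), f"inbound EF share {inbound_ef_share(parsed):.1%}")
```

<div>
On this output the check passes : 4165178 EF packets plus 459249 DSCP 44 packets (the default DSCP-to-CoS map puts 40 through 47 in CoS 5) match the 4624427 frames in the expedite queue, and nothing was dropped in any queue. The inbound EF share is the figure to keep an eye on for Gi0/1 : with « <span style="font-family: 'Courier New', Courier, monospace;">mls qos trust dscp</span> » on an ISP-facing port, everything the provider delivers as EF goes straight into our priority queue.</div>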
<div>
<br /></div>
<h4>
DSCP Statistics</h4>
<div>
<br /></div>
<div>
DSCP stats are displayed as two tables : one for incoming packets (i.e. <span style="font-family: 'Courier New', Courier, monospace;">dscp: incoming</span>) and another for outgoing packets (i.e. <span style="font-family: 'Courier New', Courier, monospace;">dscp: outgoing</span>). I've highlighted the two table headings in bold right here :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh mls qos interface gi0/1 statistics </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">GigabitEthernet0/1 (All statistics are in packets)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> <b>dscp: incoming</b> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 8648676 16 1984532 0 751 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 9 : 0 15 156 5502 64 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 10 - 14 : 4611 0 57 0 4 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 15 - 19 : 0 449 0 15 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 20 - 24 : 10 0 0 0 304172 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 25 - 29 : 0 25 0 1 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 30 - 34 : 4 0 33 0 68 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 35 - 39 : 0 0 0 1167 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 40 - 44 : 216 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 45 - 49 : 0 4408223 0 271 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 50 - 54 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 55 - 59 : 1182 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 60 - 64 : 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> <b>dscp: outgoing</b> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 9432900 0 0 0 11952 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 9 : 0 0 0 58829 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 10 - 14 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 15 - 19 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 20 - 24 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 25 - 29 : 0 28328 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 30 - 34 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 35 - 39 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 40 - 44 : 0 0 0 0 459249 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 45 - 49 : 0 4165178 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 50 - 54 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 55 - 59 : 0 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 60 - 64 : 0 0 0 0</span> </div>
</div>
<div>
<br /></div>
<div>
Both tables have the same layout. The first column (the left-hand axis, if you prefer) lists ranges : <span style="font-family: 'Courier New', Courier, monospace;">0 - 4</span> is followed by <span style="font-family: 'Courier New', Courier, monospace;">5 - 9</span> all the way down to <span style="font-family: 'Courier New', Courier, monospace;">60 - 64</span>. Together they cover every possible DSCP value. The DSCP field is six bits wide, so valid values run from 0 to 63 : that is why the last row, <span style="font-family: 'Courier New', Courier, monospace;">60 - 64</span>, only has four counters (60, 61, 62 and 63).</div>
<div>
<br /></div>
<div>
Each column of a row represents one DSCP value from the range shown on the left-hand side. For example, take row 45 - 49 from the « <span style="font-family: 'Courier New', Courier, monospace;">dscp: outgoing</span> » table. Right after 45 - 49 : there are five columns with these values : 0, 4165178, 0, 0 and 0. Since we're looking at the 45 - 49 row, this tells us that DSCP value 45 has 0 packets, DSCP value 46 has 4165178 packets, and DSCP values 47, 48 and 49 have no packets at all, so they all show a 0. In other words, this interface (gi0/1) has sent 4165178 packets tagged with DSCP value 46.</div>
<div>
<br /></div>
<div>
Now I didn't pick DSCP value 46 by chance : it is the standard tag for VoIP media (RTP) packets, because DSCP 46 is the « Expedited Forwarding » (EF) per-hop behaviour defined in RFC 3246. EF gets the strictest treatment a switch can give : a low-latency, low-jitter, low-loss queue served ahead of everything else.</div>
<div>
</div>
<div>
Since we know that the Polycom IP phones tag all their media packets with DSCP 46 and we configured all of our equipment to trust each other's QoS markings, a packet tagged DSCP 46 by a Polycom telephone on either of the VoIP access switches finds its way to this switch still tagged DSCP 46 : a VoIP packet. Keep in mind that trust cuts both ways : any host plugged into a trusted port can mark its own traffic EF and ride in the voice queue, so only trust ports that face equipment you control.</div>
<div>
<br /></div>
<div>
Now compare the « <span style="font-family: 'Courier New', Courier, monospace;">dscp: incoming</span> » table with the « <span style="font-family: 'Courier New', Courier, monospace;">dscp: outgoing</span> » table. Both have a very large value in the DSCP 46 spot, which means VoIP traffic flows in both directions : incoming and outgoing. If you have a high DSCP 46 count in the « <span style="font-family: 'Courier New', Courier, monospace;">dscp: outgoing</span> » table but 0 in the « <span style="font-family: 'Courier New', Courier, monospace;">dscp: incoming</span> » table (or vice-versa), you know something is wrong, typically an untrusted port on the return path resetting the marking. Simply because the RTP stream of a telephone conversation never flows in one direction only. </div>
<div>
<br /></div>
<h4>
COS Statistics</h4>
<div>
<br /></div>
<div>
The CoS tables are smaller than the DSCP ones, because CoS is a three-bit field (values 0 to 7). Again, we have two of them : one for incoming packets and the other for outgoing packets.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> <b>cos: incoming</b> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 15365764 0 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 7 : 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> <b>cos: outgoing</b> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 0 - 4 : 9444939 58829 0 28328 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 5 - 7 : 4624427 0 0</span> </div>
</div>
<div>
<br /></div>
<div>
These two tables are read the same way as the DSCP ones : each row (<span style="font-family: 'Courier New', Courier, monospace;">0 - 4</span> and <span style="font-family: 'Courier New', Courier, monospace;">5 - 7</span>) covers a range of CoS values, and each column within the row is one value. CoS values range from 0 to 7. To find the number of outgoing packets with a CoS value of three, take the « <span style="font-family: 'Courier New', Courier, monospace;">cos: outgoing</span> » table, select row 0 - 4 and read the fourth value (28328). Simple!</div>
<div>
<br /></div>
<div>
Voice traffic has a CoS value of 5 by default, and the default DSCP-to-CoS map of the switch turns DSCP 46 into CoS 5 : the map keeps the upper three bits of the DSCP, so DSCP 40 to 47 all become CoS 5, DSCP 8 to 15 become CoS 1, and so on.</div>
<div>
<br /></div>
<div>
From the « <span style="font-family: 'Courier New', Courier, monospace;">cos: outgoing</span> » table, we can see that this switch has sent 4624427 packets with a CoS value of 5. That is exactly the sum of the outgoing DSCP 46 (4165178) and DSCP 44 (459249) counters, as the default map predicts. But unfortunately, our ISP sends everything to us with CoS 0. That's why we see 15365764 packets with CoS 0 and nothing else in the « <span style="font-family: 'Courier New', Courier, monospace;">cos: incoming</span> » table. Remember that CoS only exists in the 802.1Q header : frames that arrive untagged are counted with the port's default CoS, which is 0 unless you change it.</div>
<div>
<br /></div>
<h4>
Queue Statistics</h4>
<div>
<br /></div>
<div>
The last set of tables displayed by the « <span style="font-family: 'Courier New', Courier, monospace;">sh mls qos interface gi0/1 statistics</span> » command are the queue tables :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> output queues enqueued: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue: threshold1 threshold2 threshold3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-----------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 0: 0 0 4624427 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 1: 0 379 124143 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 2: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 3: 58829 0 9445149 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> output queues dropped: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue: threshold1 threshold2 threshold3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-----------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 0: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 1: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 2: 0 0 0 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> queue 3: 0 0 0 </span></div>
</div>
<div>
<br /></div>
<div>
There are two tables : « <span style="font-family: 'Courier New', Courier, monospace;">output queues enqueued</span> » and « <span style="font-family: 'Courier New', Courier, monospace;">output queues dropped</span> ». Obviously, we don't want any packets listed in the « <span style="font-family: 'Courier New', Courier, monospace;">output queues dropped</span> » table : that would mean the interface is dropping packets because an egress queue filled past one of its thresholds. There are many reasons to drop packets, but a high value means you need to look into it and fix it (congested uplink? queue sizes and thresholds? more bandwidth? YMMV). Drops in the queue that carries the CoS 5 voice traffic are the ones that turn into choppy calls.</div>
<div>
<br /></div>
<div>
There are four egress queues on each interface, shown here as queue 0 to queue 3, and each queue has three thresholds : threshold1, threshold2 and threshold3. These are the queues configured by the « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue bandwidth</span> » commands found on all the interfaces we worked with. Beware of the numbering : the configuration commands number the egress queues 1 to 4, while this output numbers them 0 to 3, so queue 0 here is queue 1 in the configuration. For example, « <span style="font-family: 'Courier New', Courier, monospace;">srr-queue bandwidth share 1 30 35 5</span> » assigns a different weight to each queue : queue 1 (queue 0 above) gets a weight of 1, queue 2 gets 30, queue 3 gets 35 and queue 4 gets 5. If « <span style="font-family: 'Courier New', Courier, monospace;">priority-queue out</span> » is also configured on the interface, queue 1 becomes a strict priority queue that is emptied before the others are served and its share weight is ignored. Note that the 4624427 packets enqueued in queue 0 above are exactly the outgoing CoS 5 count, so this is the queue that carries voice on this switch. Check out <a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swqos.html">Catalyst 3560 Switch Software Configuration Guide - Configuring QoS</a> for a complete description of the queues.</div>
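<div>
Reading those tables by eye is fine for one port; for every uplink it is easier to let a script do it. Here is an added example (my code, not part of the original post) that parses the « <span style="font-family: 'Courier New', Courier, monospace;">sh mls qos interface gi0/1 statistics</span> » output quoted above and applies the three checks made in the DSCP, CoS and queue sections : that DSCP 46 flows in both directions, that each outgoing CoS counter equals the sum of the outgoing DSCP counters that map to it under the default DSCP-to-CoS map (CoS = DSCP &gt;&gt; 3, assumed here because no custom map is shown), and that no egress queue drops anything. The sample output is the post's own; the function names, the 50 % symmetry threshold and the idea of reconciling CoS against DSCP are mine.</div>

```python
"""Parse 'show mls qos interface <if> statistics' and run the checks the post
makes by eye: two-way DSCP 46 voice, outgoing CoS counters that agree with the
outgoing DSCP counters, and no egress queue drops. Added example, not the
post's own code; SAMPLE_OUTPUT is the gi0/1 output quoted in the post."""
import re

SAMPLE_OUTPUT = """\
GigabitEthernet0/1 (All statistics are in packets)
  dscp: incoming
  0 -  4 :  8648676       16  1984532        0      751
  5 -  9 :        0       15      156     5502       64
 10 - 14 :     4611        0       57        0        4
 15 - 19 :        0      449        0       15        0
 20 - 24 :       10        0        0        0   304172
 25 - 29 :        0       25        0        1        0
 30 - 34 :        4        0       33        0       68
 35 - 39 :        0        0        0     1167        0
 40 - 44 :      216        0        0        0        0
 45 - 49 :        0  4408223        0      271        0
 50 - 54 :        0        0        0        0        0
 55 - 59 :     1182        0        0        0        0
 60 - 64 :        0        0        0        0
  dscp: outgoing
  0 -  4 :  9432900        0        0        0    11952
  5 -  9 :        0        0        0    58829        0
 10 - 14 :        0        0        0        0        0
 15 - 19 :        0        0        0        0        0
 20 - 24 :        0        0        0        0        0
 25 - 29 :        0    28328        0        0        0
 30 - 34 :        0        0        0        0        0
 35 - 39 :        0        0        0        0        0
 40 - 44 :        0        0        0        0   459249
 45 - 49 :        0  4165178        0        0        0
 50 - 54 :        0        0        0        0        0
 55 - 59 :        0        0        0        0        0
 60 - 64 :        0        0        0        0
  cos: incoming
  0 -  4 : 15365764        0        0        0        0
  5 -  7 :        0        0        0
  cos: outgoing
  0 -  4 :  9444939    58829        0    28328        0
  5 -  7 :  4624427        0        0
  output queues enqueued:
 queue 0:           0           0     4624427
 queue 1:           0         379      124143
 queue 2:           0           0           0
 queue 3:       58829           0     9445149
  output queues dropped:
 queue 0:           0           0           0
 queue 1:           0           0           0
 queue 2:           0           0           0
 queue 3:           0           0           0
"""

SECTION_RE = re.compile(r"^\s*(dscp|cos): (incoming|outgoing)\s*$")
QUEUES_RE = re.compile(r"^\s*output queues (enqueued|dropped):")
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*\d+\s*:\s*([\d\s]+)$")
QROW_RE = re.compile(r"^\s*queue (\d+):\s*(\d+)\s+(\d+)\s+(\d+)")


def parse_mls_qos_stats(text):
    """{'dscp'/'cos': {direction: {value: packets}}, 'queues': {'enqueued'/'dropped':
    {queue: (thr1, thr2, thr3)}}}. In a row '45 - 49 : a b c d e', column i is value 45+i."""
    stats = {"dscp": {}, "cos": {}, "queues": {}}
    table = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            table = stats[m.group(1)].setdefault(m.group(2), {})
        elif m := QUEUES_RE.match(line):
            table = stats["queues"].setdefault(m.group(1), {})
        elif (m := RANGE_RE.match(line)) and table is not None:
            for i, n in enumerate(m.group(2).split()):
                table[int(m.group(1)) + i] = int(n)
        elif (m := QROW_RE.match(line)) and table is not None:
            table[int(m.group(1))] = tuple(int(n) for n in m.group(2, 3, 4))
    return stats


def dscp_to_cos(dscp):
    """Default Catalyst DSCP-to-CoS map: CoS is the upper three bits of the DSCP."""
    return dscp >> 3


def voice_symmetry(stats, dscp=46, min_ratio=0.5):
    """(incoming, outgoing, ok): a two-way RTP call never flows one way only,
    so ok is False when one direction carries under min_ratio of the other."""
    inc = stats["dscp"]["incoming"].get(dscp, 0)
    out = stats["dscp"]["outgoing"].get(dscp, 0)
    return inc, out, max(inc, out) > 0 and min(inc, out) >= min_ratio * max(inc, out)


def cos_vs_dscp(stats, direction="outgoing"):
    """{cos: (sum of the DSCP counters mapping to it, reported CoS counter)}; on the
    egress side a gap means a custom map or a remark between classification and counter."""
    from_dscp = {}
    for dscp, n in stats["dscp"][direction].items():
        from_dscp[dscp_to_cos(dscp)] = from_dscp.get(dscp_to_cos(dscp), 0) + n
    return {c: (from_dscp.get(c, 0), stats["cos"][direction].get(c, 0)) for c in range(8)}


def queue_drops(stats):
    """(queue, threshold, packets) for every non-zero drop counter; the goal is []."""
    return [(q, t + 1, n) for q, row in sorted(stats["queues"]["dropped"].items())
            for t, n in enumerate(row) if n]
```

<div>
On this output the CoS 5, CoS 1 and CoS 3 rows reconcile exactly (4624427 = 4165178 + 459249, and so on), while the CoS 0 row is 87 packets short of the reported counter on a busy port, so compare those sums with a tolerance rather than for equality. A DSCP 46 ratio far from 1 between the two directions, or anything at all in the dropped table for the queue that carries CoS 5 (queue 0 here), is what to alert on.</div>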
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
David</div>
<div>
<br /></div>
<h3>
References</h3>
<div>
<br /></div>
<div>
<a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swqos.html">Catalyst 3560 Switch Software Configuration Guide - Configuring QoS</a></div>
<div>
<a href="http://packetlife.net/media/library/19/QoS.pdf">Packet Life QoS cheat sheet</a></div>
<div>
<a href="http://www.rhyshaden.com/qos.htm">Quality of Service</a></div>
<div>
<a href="http://www.ccnpguide.com/voip-qos/">VoIP and QoS</a></div>
<div>
<a href="http://www.ietf.org/rfc/rfc2474.txt">RFC 2474 : Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers</a><br />
<a href="http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ft_dscp.html">Classifying VoIP Signaling and Media with DSCP for QoS</a>
</div>
</div>
</div>
</div>
<div>
</div>
</div>
</div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com5tag:blogger.com,1999:blog-4619978964286106329.post-63955607912666075552012-09-27T11:38:00.001-04:002012-09-27T11:38:27.574-04:00IOS Upgrade on Cisco WS-C4507R Chassis with Dual Supervisor V EnginesToday we will upgrade the IOS version on both WS-X4516 Supervisor Engine V modules in a WS-C4507R chassis. This blog post assumes that the chassis already has an IP address you can SSH to, and that you have console access to both supervisor engines, because you will want to watch them reload.<br />
<br />
First, go to the Cisco support site and download the latest IOS version for the supervisor (you need a Cisco support contract to have access to new IOS images). Note the MD5 hash Cisco publishes next to the download : TFTP has no authentication and no integrity protection, so that hash is the only way to know that the image that ends up on the switch is the one Cisco shipped. Place the image on your TFTP server. In this example, the TFTP server is a CentOS Linux machine called alice.company.com.<br />
<br />
<a name='more'></a><br />
<span style="font-family: 'Courier New', Courier, monospace;">scp ~/Downloads/cat4500-entservicesk9-mz.150-2.SG5.bin alice.company.com:/tmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span><br />
<br />
If you don't have a TFTP server installed, set one up. Bear in mind that TFTP has no authentication at all : anyone who can reach UDP port 69 on alice.company.com can fetch every file under /tftpboot, so keep the server on a management network you control.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install tftp-server</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/etc/xinetd.d/tftpd.txt">/etc/xinetd.d/tftpd</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig xinetd on</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">chkconfig --list xinetd</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /tftpboot/ios</span><br />
<br />
Now move the IOS image into the <span style="font-family: 'Courier New', Courier, monospace;">/tftpboot/ios</span> directory.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/cat4500-entservicesk9-mz.150-2.SG5.bin /tftpboot/ios</span><br />
<br />
(Optional) Create a symbolic link to the image so that you can remember which hardware it's for. When your site has several different Cisco models, those symbolic links can be handy!<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ln -s /tftpboot/ios/cat4500-entservicesk9-mz.150-2.SG5.bin /tftpboot/ios/ws-c4507r</span><br />
<br />
<div>
Check the file size of the new IOS image :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">du -sb /tftpboot/ios/cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>19458176</b><span class="Apple-tab-span" style="white-space: pre;"> </span>/tftpboot/ios/cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
</div>
<div>
<br /></div>
That means we need 19458176 bytes of free space on the flash storage of both supervisor engines. The « bytes of memory » line of « <span style="font-family: 'Courier New', Courier, monospace;">show version</span> » is not that figure : it reports the supervisor's main memory (DRAM), not its flash. Here it is anyway, for the record :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh 172.16.1.1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch> enable</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# show version | inc bytes of memory</span></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cisco WS-C4507R (MPC8245) processor (revision 4) with <b>524288K</b> bytes of memory.</span><br />
<div>
<br /></div>
<div>
The free space on the flash itself is the « bytes free » figure at the end of a « <span style="font-family: 'Courier New', Courier, monospace;">dir bootflash:</span> » listing on the active supervisor and of « <span style="font-family: 'Courier New', Courier, monospace;">dir slavebootflash:</span> » on the standby; both listings are shown further down. In our case there was enough room. If there isn't, list the flash content and erase some old IOS images. For example, let's pretend the old <span style="font-family: 'Courier New', Courier, monospace;">cat4000-i9s-mz.122-20.EW3.bin</span> IOS file is on the bootflash. We could remove it like this (but never delete the image the switch is currently running until the new one has booted on both supervisors) :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# delete bootflash:cat4000-i9s-mz.122-20.EW3.bin</span></div>
<div>
<br /></div>
<div>
Check the redundancy status of both supervisor engines.</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# show redundancy states</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> my state = 13 -ACTIVE </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> peer state = 4 -<b>STANDBY COLD</b> </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Mode = Duplex</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Unit = Primary</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Unit ID = 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Operational) = <b>RPR</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Configured) = <b>RPR</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy State = <b>RPR</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Maintenance Mode = Disabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Manual Swact = enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Communications = Up</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"> client count = 35</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> client_notification_TMR = 240000 milliseconds</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive TMR = 9000 milliseconds</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive count = 1 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive threshold = 18 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> RF debug mask = 0x0 </span><br />
<br />
As we can see, we are running in RPR redundancy mode (Route Processor Redundancy). In this mode the standby supervisor is only partially booted : if the active supervisor engine fails or reloads, all ports lose connectivity for several minutes while the standby finishes booting and the line cards are reset. That is not super duper.<br />
<br />
Fortunately, there is another redundancy mode which offers a much faster switchover. This mode is called <i>Stateful SwitchOver</i>, or SSO for short. In SSO mode the standby supervisor is fully booted and kept synchronized with the active one while they run, so on a switchover layer 2 forwarding keeps going with only a brief interruption. Layer 3 is another story : routing protocol adjacencies are lost on the switchover and have to be rebuilt, unless NSF (Non-Stop Forwarding) is configured along with SSO.<br />
<div>
<br /></div>
<div>
So let's change our redundancy mode from RPR to SSO.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf terminal</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# redundancy </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-red)# mode sso</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Changing to sso mode will reset the standby. Do you want to continue?[confirm]</span></div>
</div>
<div>
<br /></div>
<div>
As you can see, when we do this, the standby supervisor engine will reload. So be sure to check this supervisor's console output. Once the standby engine is back online, double-check the redundancy mode again.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh redundancy states</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> my state = 13 -ACTIVE </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> peer state = 4 -STANDBY COLD </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Mode = Duplex</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Unit = Primary</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Unit ID = 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Operational) = RPR</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Configured) = <b>Stateful Switchover</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy State = RPR</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Maintenance Mode = Disabled</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Manual Swact = enabled</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> Communications = Up</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> client count = 35</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> client_notification_TMR = 240000 milliseconds</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive TMR = 9000 milliseconds</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive count = 1 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive threshold = 18 </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> RF debug mask = 0x0 </span></div>
</div>
<div>
<br /></div>
<div>
So the configured mode is now SSO, but the operational mode is still RPR : the active supervisor keeps running in the mode it booted with, and both engines only run SSO once the active one has reloaded and the standby has taken over. That first switchover therefore still happens in RPR mode, with a layer 2 and layer 3 outage of about 1 to 3 minutes depending on the number of configured ports.<br />
<br />
<i>So, in order to continue with the IOS upgrade, <b>you need to schedule a network maintenance!</b></i></div>
<div>
<br /></div>
Download the new IOS to both supervisor engines.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy tftp:/ios/cat4500-entservicesk9-mz.150-2.SG5.bin bootflash:</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Address or name of remote host [172.16.1.33]? </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Source filename [/ios/cat4500-entservicesk9-mz.150-2.SG5.bin]? </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Destination filename [cat4500-entservicesk9-mz.150-2.SG5.bin]? </span><br />
<br />
The file is transferred from the TFTP server into the active supervisor engine's internal flash storage. You will see a series of exclamation points as the transfer progresses and then a few capital C letters, which are printed while IOS verifies the checksum of the new image. That checksum only proves the file arrived intact, not that it is the file Cisco published : TFTP is unauthenticated, so also run « <span style="font-family: 'Courier New', Courier, monospace;">verify /md5 bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin</span> » and compare the digest with the one on the Cisco download page before you point the boot variable at this image.<br />
<br />
While we're working with our TFTP server, we should make a backup of the configuration. It leaves the switch in clear text, type 7 passwords and SNMP community strings included, so move the copy out of the TFTP directory once it is safely archived.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy start tftp</span><br />
<br />
Next, copy the IOS to the standby supervisor engine.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin slavebootflash:</span><br />
<br />
Now check to see if both supervisor engines have the new IOS image?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# dir bootflash:</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Directory of bootflash:/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 -rwx 19458176 Sep 24 2012 13:08:32 -04:00 cat4500-entservicesk9-mz.150-2.SG5.bin</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">59244544 bytes total (26308040 bytes free)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">switch# dir slavebootflash:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Directory of slavebootflash:/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"> 1 -rwx 13478072 Jun 29 2006 11:02:01 -04:00 cat4500-entservicesk9-mz.122-31.SG.bin</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 3 -rwx 19458176 Sep 24 2012 13:52:19 -04:00 cat4500-entservicesk9-mz.150-2.SG5.bin</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">59244544 bytes total (6849736 bytes free)</span><br />
<br />
We must make sure that configuration changes on the active supervisor engine are properly transferred to the standby one.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf terminal</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# redundancy</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-red)# main-cpu</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-r-mc)# auto-sync standard</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config-r-mc)# end</span><br />
<br />
Now manually force a resynchronization of the supervisor engines.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span><br />
<br />
Check your syslog output. When the synchronization occurs, you should see lines like these :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:04 c4507r 230: 000258: Sep 24 14:13:03: %C4K_REDUNDANCY-5-CONFIGSYNC: The bootvar has been successfully synchronized to the standby supervisor</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:04 c4507r 231: 000259: Sep 24 14:13:03: %C4K_REDUNDANCY-5-CONFIGSYNC: The config-reg has been successfully synchronized to the standby supervisor</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:04 c4507r 232: 000260: Sep 24 14:13:03: %C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been successfully synchronized to the standby supervisor</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:04 c4507r 233: 000261: Sep 24 14:13:03: %C4K_REDUNDANCY-5-CONFIGSYNC: The private-config has been successfully synchronized to the standby supervisor</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:04 c4507r 234: 000262: Sep 24 14:13:03: %C4K_REDUNDANCY-5-CONFIGSYNC_RATELIMIT: The vlan database has been successfully synchronized to the standby supervisor</span><br />
<div>
<br /></div>
<div>
Prepare the switch to boot the new IOS image. The low nibble of the config register (0x2) tells the supervisor to boot from its « <span style="font-family: 'Courier New', Courier, monospace;">boot system</span> » statements, which it tries in order, so remove any « <span style="font-family: 'Courier New', Courier, monospace;">boot system</span> » line that still points at the old image and check the result with « <span style="font-family: 'Courier New', Courier, monospace;">show bootvar</span> » on both supervisors.</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# config terminal</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# config-register 0x2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# boot system flash bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# end</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy running-config startup-config</span></div>
<div>
<br /></div>
<div>
We can now upgrade the IOS image on the standby supervisor engine. This can be done at any time, because reloading the standby does not disrupt traffic. To see the standby supervisor's boot messages, connect to its console port.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# redundancy reload peer</span></div>
<div>
<br /></div>
<div>
This will reload the standby supervisor engine. You will see these syslog messages from the active one :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:11:07 c4507r 224: 000249: Sep 24 14:11:06: %C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been successfully synchronized to the standby supervisor</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:11:07 c4507r 225: 000250: Sep 24 14:11:07: %C4K_REDUNDANCY-5-CONFIGSYNC: The private-config has been successfully synchronized to the standby supervisor</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:11:17 c4507r 226: 000251: Sep 24 14:11:16: %C4K_REDUNDANCY-3-COMMUNICATION: Communication with the peer Supervisor has been lost</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:11:17 c4507r 227: 000252: Sep 24 14:11:16: %C4K_REDUNDANCY-3-SIMPLEX_MODE: The peer Supervisor has been lost</span></div>
</div>
<div>
<br /></div>
<div>
At the standby supervisor's console, you will see the upgrade messages. Once the new IOS is up and running on the standby supervisor, you should see this in your syslog server :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:03 c4507r 228: 000256: Sep 24 14:13:02: %C4K_REDUNDANCY-2-IOS_VERSION_CHECK_FAIL: IOS version mismatch. Active supervisor version is 12.2(31)SG,. Standby supervisor version is 15.0(2)SG5,. Redundancy feature may not work as expected.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Sep 24 14:13:03 c4507r 229: 000257: Sep 24 14:13:03: %C4K_REDUNDANCY-3-COMMUNICATION: Communication with the peer Supervisor has been established</span></div>
</div>
<div>
<br /></div>
<div>
As the messages tell you, the IOS version is not the same on both supervisor engines. That's normal because we haven't updated the active one yet. We can check the version of both engines with this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# show module</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">M MAC addresses Hw Fw Sw Status</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">--+--------------------------------+---+------------+----------------+---------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 1 0017.e0fa.58c0 to 0017.e0fa.58c1 4.0 12.2(20r)EW1 <b>12.2(31)SG</b> Ok </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 0017.e0fa.58c2 to 0017.e0fa.58c3 4.0 12.2(20r)EW1 <b>15.0(2)SG5</b> Ok </span></div>
</div>
<div>
<br /></div>
<div>
We can see that module in slot 2 (the standby supervisor) is running version 15.0(2)SG5 while the active module in slot 1 is running version 12.2(31)SG.</div>
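<div>
Before forcing the switchover, it pays to check the same things this post reads off by hand, from captured CLI output rather than by eye. Here is an added example of such a pre-flight script (my code, not part of the post's procedure) : it reads the free space and the presence of the image from « <span style="font-family: 'Courier New', Courier, monospace;">dir</span> », the per-slot software version from « <span style="font-family: 'Courier New', Courier, monospace;">show module</span> », the operational versus configured mode from « <span style="font-family: 'Courier New', Courier, monospace;">show redundancy states</span> », and compares the staged image's MD5 with the hash Cisco publishes. The sample outputs are the ones shown above; the image name and size are the post's; EXPECTED_MD5 is a made-up placeholder and the bytes hashed in the test are constructed.</div>

```python
"""Pre-flight checks for the dual-supervisor IOS upgrade, run over captured CLI
output. Added example, not the post's own procedure. The sample outputs below
are reproduced from the post; EXPECTED_MD5 is a made-up placeholder."""
import hashlib
import re

IMAGE = "cat4500-entservicesk9-mz.150-2.SG5.bin"
IMAGE_SIZE = 19458176  # 'du -sb' of the image on the TFTP server, from the post
EXPECTED_MD5 = "0123456789abcdef0123456789abcdef"  # placeholder, not a real hash

DIR_BOOTFLASH = """\
Directory of bootflash:/
    2  -rwx    19458176  Sep 24 2012 13:08:32 -04:00  cat4500-entservicesk9-mz.150-2.SG5.bin
59244544 bytes total (26308040 bytes free)
"""
DIR_SLAVEBOOTFLASH = """\
Directory of slavebootflash:/
    1  -rwx    13478072  Jun 29 2006 11:02:01 -04:00  cat4500-entservicesk9-mz.122-31.SG.bin
    3  -rwx    19458176  Sep 24 2012 13:52:19 -04:00  cat4500-entservicesk9-mz.150-2.SG5.bin
59244544 bytes total (6849736 bytes free)
"""
SHOW_MODULE = """\
M     MAC addresses                    Hw  Fw           Sw               Status
--+--------------------------------+---+------------+----------------+---------
 1   0017.e0fa.58c0 to 0017.e0fa.58c1 4.0 12.2(20r)EW1 12.2(31)SG       Ok
 2   0017.e0fa.58c2 to 0017.e0fa.58c3 4.0 12.2(20r)EW1 15.0(2)SG5       Ok
"""
SHOW_REDUNDANCY = """\
       my state = 13 -ACTIVE
     peer state = 4  -STANDBY COLD
           Mode = Duplex
Redundancy Mode (Operational) = RPR
Redundancy Mode (Configured)  = Stateful Switchover
Redundancy State = RPR
"""


def flash_free_bytes(dir_output):
    """Free bytes from the 'N bytes total (M bytes free)' trailer of 'dir'."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    return int(m.group(1)) if m else None


def image_size_on_flash(dir_output, filename):
    """Size of filename in a 'dir' listing, or None when it is not there."""
    for line in dir_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-1] == filename and fields[2].isdigit():
            return int(fields[2])
    return None


def flash_has_room(dir_output, filename=IMAGE, size=IMAGE_SIZE):
    """True if the image already sits there with the right size, or fits in the free space."""
    if image_size_on_flash(dir_output, filename) == size:
        return True
    free = flash_free_bytes(dir_output)
    return free is not None and free >= size


def supervisor_versions(show_module_output):
    """{slot: software version} for the supervisor rows of 'show module'."""
    versions = {}
    for line in show_module_output.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+ to \S+\s+\S+\s+\S+\s+(\S+)", line)
        if m:
            versions[int(m.group(1))] = m.group(2)
    return versions


def redundancy_modes(show_redundancy_output):
    """(operational mode, configured mode, peer state) from 'show redundancy states'."""
    def grab(pattern):
        m = re.search(pattern, show_redundancy_output)
        return m.group(1).strip() if m else None
    return (grab(r"Redundancy Mode \(Operational\)\s*=\s*(.+)"),
            grab(r"Redundancy Mode \(Configured\)\s*=\s*(.+)"),
            grab(r"peer state\s*=\s*\d+\s*-(.+)"))


def switchover_impact(operational, peer_state):
    """The mode the active supervisor actually runs in decides what a switchover
    costs: SSO that is configured but not yet operational still means an RPR outage."""
    if operational == "Stateful Switchover" and peer_state == "STANDBY HOT":
        return "sso: layer 2 keeps forwarding, routing adjacencies are rebuilt"
    return "rpr: full outage while the standby finishes booting, needs a window"


def image_md5_ok(image_bytes, expected_md5):
    """Compare the staged image with the digest Cisco publishes: TFTP carries no
    integrity protection, so check the copy on the switch with 'verify /md5' too."""
    return hashlib.md5(image_bytes).hexdigest() == expected_md5.lower()


if __name__ == "__main__":
    for name, listing in (("bootflash", DIR_BOOTFLASH), ("slavebootflash", DIR_SLAVEBOOTFLASH)):
        print(name, "room for image:", flash_has_room(listing))
    print("versions by slot:", supervisor_versions(SHOW_MODULE))
    operational, configured, peer = redundancy_modes(SHOW_REDUNDANCY)
    print("configured", configured, "/ operational", operational, "->", switchover_impact(operational, peer))
    try:
        with open("/tftpboot/ios/" + IMAGE, "rb") as fh:  # path used in the post
            print("md5 ok:", image_md5_ok(fh.read(), EXPECTED_MD5))
    except FileNotFoundError:
        print("image not staged on this host")
```

<div>
Run against the outputs above it reports that both flashes hold the image, that slot 1 and slot 2 run different versions (expected at this stage), and that a switchover now would be an RPR one, which is exactly why the post schedules a maintenance window for the next command.</div>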
<div>
<br /></div>
<div>
To upgrade the active supervisor engine, we must issue the following command. Make sure you're connected to the active supervisor's console port when you do. THIS COMMAND WILL CAUSE A LAYER 2 AND LAYER 3 NETWORK OUTAGE, because the operational redundancy mode is still RPR at this point. So make sure you do this during the scheduled maintenance window.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# redundancy force-switchover</span></div>
<div>
<br />
The active supervisor will reload, forcing a supervisor engine switchover. This will make the standby supervisor engine take control of the chassis. During the switchover, the supervisor that used to be the active one reloads into the new IOS version. After a few minutes, we can see that they are both running the same IOS version :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh 172.16.1.1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">switch> enable</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh mod | inc 15.0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 1 0017.e0fa.58c0 to 0017.e0fa.58c1 4.0 12.2(20r)EW1 15.0(2)SG5 Ok </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> 2 0017.e0fa.58c2 to 0017.e0fa.58c3 4.0 12.2(20r)EW1 15.0(2)SG5 Ok </span> <br />
<br />
We can also see that our redundancy has changed for both engines from RPR to SSO.<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh redundancy states</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> my state = 13 -ACTIVE </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> peer state = 8 -<b>STANDBY HOT </b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Mode = Duplex</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Unit = Secondary</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Unit ID = 2</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Operational) = <b>Stateful Switchover</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy Mode (Configured) = <b>Stateful Switchover</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Redundancy State = <b>Stateful Switchover</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Maintenance Mode = Disabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Manual Swact = enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Communications = Up</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"> client count = 60</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> client_notification_TMR = 240000 milliseconds</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive TMR = 9000 milliseconds</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive count = 1 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> keep_alive threshold = 18 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> RF debug mask = 0x0</span><br />
<br />
<div>
<br /></div>
<div>
That's it! We now have both supervisor engines running the new IOS version and the stateful switchover redundancy mode.</div>
<div>
<br /></div>
</div>
<h2>
Troubleshooting</h2>
<div>
<br /></div>
<h4>
Standby Supervisor Engine Reload Loop</h4>
<div>
<br /></div>
<div>
Sometimes the standby supervisor might go into a reload loop because of this message :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Current BOOT file is --- flash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Invalid filename flash:cat4500-entservicesk9-mz.150-2.SG5.bin. It must begin with device name.</span></div>
</div>
<div>
<br /></div>
<div>
You are then presented with a ROMMON prompt. Hit Ctrl-C to prevent a reload. Then, at the prompt, issue a boot command to load the IOS.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rommon 1 > boot bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
<div>
<br /></div>
<div>
The standby supervisor engine will boot the IOS. You can then check your configuration and fix the problem.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# show running-config | inc boot system</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">boot system flash flash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">boot system flash bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
</div>
<div>
<br /></div>
<div>
The first line is our problem. It says to boot from flash: instead of bootflash: like the second line. So to fix our problem, we only need to remove that first line.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# conf terminal</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# no boot system flash flash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch(config)# end</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy run start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# sh run | inc boot system</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">boot system flash bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin</span></div>
</div>
<div>
<br /></div>
<div>
There, that should do it. Now reload the standby supervisor again and see how it goes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# redundancy reload peer</span></div>
<div>
<br /></div>
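<div>
As an added example (not from the original post), here is a small POSIX shell check that automates the two inspections described above: comparing the Sw column of <span style="font-family: 'Courier New', Courier, monospace;">show module</span> for every module before a forced switchover, and linting the <span style="font-family: 'Courier New', Courier, monospace;">boot system</span> statements for the <span style="font-family: 'Courier New', Courier, monospace;">flash:</span> prefix that caused the reload loop. The <span style="font-family: 'Courier New', Courier, monospace;">show module</span> table and the running-config excerpt are constructed from the output shown in this post; the function names are my own.</div>

```shell
#!/bin/sh
# Added example: pre-switchover checks over captured IOS output.
# Function names (sw_versions, supervisors_in_sync, boot_lint) are my own.

# Constructed "show module" table in the column layout shown in the post:
# slot, MAC range, Hw, Fw, Sw, Status.
SHOW_MODULE='M MAC addresses Hw Fw Sw Status
--+--------------------------------+---+------------+----------------+---------
 1 0017.e0fa.58c0 to 0017.e0fa.58c1 4.0 12.2(20r)EW1 12.2(31)SG Ok
 2 0017.e0fa.58c2 to 0017.e0fa.58c3 4.0 12.2(20r)EW1 15.0(2)SG5 Ok'

# Constructed running-config excerpt: the bad flash: line from the
# troubleshooting section next to the correct bootflash: one.
RUNNING_CONFIG='hostname switch
boot system flash flash:cat4500-entservicesk9-mz.150-2.SG5.bin
boot system flash bootflash:cat4500-entservicesk9-mz.150-2.SG5.bin
redundancy
 mode sso'

# sw_versions : print each distinct Sw version found in "show module"
# output read on stdin.  Module rows start with a slot number and carry a
# MAC range ("x to y"), so the Sw column is field 7.
sw_versions() {
    awk '$1 ~ /^[0-9]+$/ && $3 == "to" { print $7 }' | sort -u
}

# supervisors_in_sync : 0 when all module rows on stdin report one Sw
# version (safe to force a switchover), 1 when they differ.
supervisors_in_sync() {
    n=$(sw_versions | awk 'END { print NR }')
    [ "$n" -eq 1 ]
}

# boot_lint : print every "boot system" statement on stdin whose image path
# does not start with "bootflash:", the cause of the ROMMON reload loop.
# Returns 0 for a clean config, 1 when offending lines were found.
boot_lint() {
    bad=$(awk '$1 == "boot" && $2 == "system" && $NF !~ /^bootflash:/ { print }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SHOW_MODULE" | supervisors_in_sync; then
    echo "supervisors run the same IOS: safe to switch over"
else
    echo "supervisors differ, versions seen:"
    printf '%s\n' "$SHOW_MODULE" | sw_versions
fi
printf '%s\n' "$RUNNING_CONFIG" | boot_lint || echo "fix the boot system line(s) above before reloading the peer"
```

<div>
Paste the real output of <span style="font-family: 'Courier New', Courier, monospace;">show module</span> and <span style="font-family: 'Courier New', Courier, monospace;">show running-config | inc boot system</span> into the two variables (or pipe them in from a saved console capture) and run the script before <span style="font-family: 'Courier New', Courier, monospace;">redundancy force-switchover</span>; a non-zero exit from either function means the switchover is not yet safe.</div>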
<h4>
TFTP Configuration Backup Error</h4>
<div>
<br /></div>
<div>
When we back up the switch's configuration to our TFTP server, we might get an access denied error. That's because the TFTP daemon doesn't have the right to write into the /tftpboot directory. A simple, yet not very secure, way to fix this is to open up the permissions right before we do the config backup and then put them back the way they were.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod o+rwx /tftpboot</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch# copy start tftp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod o-w /tftpboot</span></div>
<div>
<br /></div>
<h2>
References</h2>
<div>
<br /></div>
<div>
<a href="http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/RPR.html">Configuring Supervisor Engine Redundancy on the Catalyst 4507R and Catalyst 4510R Switches</a></div>
<div>
<a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/RPR.html">Configuring Supervisor Engine Redundancy using RPR and SSO</a><br />
<a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/config.html">Catalyst 4500 Series Switch Software Configuration Guide, 15.0(2)SG</a></div>
Posted by Arse (http://www.blogger.com/profile/04480469285928509022)<br />
<br />
<b>Oracle Database 11.2.0.3 Install and Setup on RedHat Linux 6 x86_64</b> (published 2012-08-22, updated 2013-03-10)<br />
<br />
In this post we will install a new server with the latest Oracle Database 11gR2 software (as of this writing, it is version 11.2.0.3). In this example, the new machine is called <span style="font-family: 'Courier New', Courier, monospace;">opus.company.com</span> and the new database instance is called <span style="font-family: 'Courier New', Courier, monospace;">meta</span>.<br />
<a name='more'></a><br />
<h3>
Pre-Installation Tasks</h3>
<br />
<h3>
Software Download</h3>
<br />
Start by connecting to <a href="https://supporthtml.oracle.com/">My Oracle Support</a> and searching for patchset <a href="https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=10404530&aru=14125322&release=80112030&plat_lang=226P&patch_num_id=1432597&">10404530</a>. There are seven files in this patch. According to the patch <a href="https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=10404530&aru=14125322&release=80112030&plat_lang=226P&patch_num_id=1432597&">README</a>, the files are :<br />
<br />
<div class="titleintable" style="font-family: Tahoma, sans-serif; font-size: small; font-style: italic; font-weight: bold;">
Table 1 Installation Types and Associated Zip Files</div>
<table border="1" cellpadding="3" cellspacing="0" class="Formal" dir="ltr" frame="hsides" rules="groups" style="color: black; font-family: Tahoma, sans-serif; font-size: small;" summary="designations to determine which zip file is mapped to each installation type" title="Installation Types and Associated Zip Files">
<thead><tr><th>Installation Type</th><th>Zip File</th></tr></thead>
<tbody>
<tr><td>Oracle Database (includes Oracle Database and Oracle RAC)<br />Note: you must download both zip files to install Oracle Database.</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_1of7.zip</code><br /><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_2of7.zip</code></td></tr>
<tr><td>Oracle Grid Infrastructure (includes Oracle ASM, Oracle Clusterware, and Oracle Restart)</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_3of7.zip</code></td></tr>
<tr><td>Oracle Database Client</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_4of7.zip</code></td></tr>
<tr><td>Oracle Gateways</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_5of7.zip</code></td></tr>
<tr><td>Oracle Examples</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_6of7.zip</code></td></tr>
<tr><td>Deinstall</td><td><code style="font-size: 12px;">p10404530_112030_<span class="codeinlineitalic" style="font-style: italic;">platform</span>_7of7.zip</code></td></tr>
</tbody>
</table>
<br />
We only need the first two files to install the database, which is our goal, so download those two and place them in a staging NFS directory. If you don't have one, go ahead and create one on your NFS server; it is quite handy! (Check Doc ID <a href="https://supporthtml.oracle.com/epmos/faces/ui/km/DocContentDisplay.jspx?_afrLoop=5407687867272000&id=1117597.1">1117597.1</a> for the NFS mount options.)<br />
<br />
Note that even if the files come from a patchset, they're actually a full software install. So we don't need to have version 11.2.0.1 or 11.2.0.2 installed before we install version 11.2.0.3.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mkdir /nfs/install/oracle/11.2/x86_64</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">mv ~/Downloads/p10404530_112030_Linux-x86-64_*.zip /nfs/install/oracle/11.2/x86_64</span><br />
<br />
Create the checksum files. The exact values are listed in the <a href="https://updates.oracle.com/Orion/ViewDigest/get_form?aru=14125322">patch digest page</a>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">echo "80A78DF21976A6586FA746B1B05747230B588E34" > /nfs/install/oracle/11.2/x86_64/p10404530_112030_Linux-x86-64_1of7.zip.sha1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">echo "A39BED06195681E31FBB0F6D7D393673BA938660" > /nfs/install/oracle/11.2/x86_64/p10404530_112030_Linux-x86-64_2of7.zip.sha1</span><br />
<br />
Verify the SHA1 checksum of both files and compare the results with the values listed above. The hex digits are not case sensitive.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">openssl dgst -sha1 /nfs/install/oracle/11.2/x86_64/p10404530_112030_Linux-x86-64_1of7.zip</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">openssl dgst -sha1 /nfs/install/oracle/11.2/x86_64/p10404530_112030_Linux-x86-64_2of7.zip</span><br />
<br />
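<div>
Comparing two hex strings by eye is error-prone, so as an added example (not from the original post) here is a shell function that does the comparison the <span style="font-family: 'Courier New', Courier, monospace;">.sha1</span> files above are meant for: it hashes the file, normalises case and whitespace, and fails loudly on a mismatch. The demo files and their digests are constructed, not the Oracle zips; the function name is my own.</div>

```shell
#!/bin/sh
# Added example: verify a download against its stored SHA-1, the way the
# .sha1 files above are meant to be used.  Function name is my own.

# verify_sha1 FILE : compare FILE's SHA-1 with the digest stored in FILE.sha1
# (one hex string, either case, surrounding whitespace ignored).
# Returns 0 on match, 1 on mismatch, 2 when FILE or FILE.sha1 is unreadable.
verify_sha1() {
    f="$1"
    [ -r "$f" ] && [ -r "$f.sha1" ] || { echo "cannot read $f or $f.sha1" >&2; return 2; }
    expected=$(tr -d ' \t\r\n' < "$f.sha1" | tr 'A-F' 'a-f')
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(path)= <hex>"; keep the last field
        actual=$(openssl dgst -sha1 "$f" | awk '{ print $NF }')
    else
        actual=$(sha1sum "$f" | awk '{ print $1 }')
    fi
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
        echo "OK    $f"
        return 0
    fi
    echo "FAIL  $f: expected $expected, got $actual" >&2
    return 1
}

# Stand-alone demo on constructed files (not the Oracle zips): a good copy
# with an upper-case digest as My Oracle Support lists them, and a modified
# copy that still carries the original digest.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/good.zip"
echo "F572D396FAE9206628714FB2CE00F72E94F2258F" > "$demo_dir/good.zip.sha1"
printf 'hello!\n' > "$demo_dir/tampered.zip"
cp "$demo_dir/good.zip.sha1" "$demo_dir/tampered.zip.sha1"
verify_sha1 "$demo_dir/good.zip"
verify_sha1 "$demo_dir/tampered.zip"
rm -rf "$demo_dir"
```

<div>
With the real files in place, <span style="font-family: 'Courier New', Courier, monospace;">verify_sha1 /nfs/install/oracle/11.2/x86_64/p10404530_112030_Linux-x86-64_1of7.zip</span> checks the first zip against the digest written into its <span style="font-family: 'Courier New', Courier, monospace;">.sha1</span> file, and a non-zero exit status is a signal to stop before extracting anything.</div>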
Extract both zip files. This will create a « database » directory.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/install/oracle/11.2/x86_64</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">unzip p10404530_112030_Linux-x86-64_1of7.zip</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">unzip p10404530_112030_Linux-x86-64_2of7.zip</span></div>
</div>
<div>
<br /></div>
<h3>
Server Setup</h3>
<div>
<br /></div>
<div>
Install a Minimal RedHat Enterprise Linux 6 x86_64 machine. I like to create separate mount points for <span style="font-family: 'Courier New', Courier, monospace;">/u01, /u02</span> and <span style="font-family: 'Courier New', Courier, monospace;">/u03</span> as specified by the <a href="http://docs.oracle.com/cd/E11882_01/install.112/e16763/appendix_ofa.htm">Optimal Flexible Architecture</a> guide. In this blog, we build an RMAN server. It doesn't need a lot of disk space, so I'm only using local disk drives. For production databases, the <span style="font-family: 'Courier New', Courier, monospace;">/u02</span> and <span style="font-family: 'Courier New', Courier, monospace;">/u03</span> mount points are LUNs on a SAN, so I use ASM. But this will be the topic of another blog post :)</div>
<div>
<br />
<h4>
/etc/fstab</h4>
<br /></div>
<div>
Once your server is up and running, connect to it and edit <span style="font-family: 'Courier New', Courier, monospace;">/etc/fstab</span> to enlarge the shared memory filesystem. Bigger is better here, but it depends on the amount of memory the machine has. See the « <a href="http://download.oracle.com/docs/cd/E11882_01/server.112/e10839/appc_linux.htm#CHDFHJHA">Oracle Database Administrator's Reference 11g Release 2 (11.2) for Linux and UNIX-Based Operating Systems Chapter C - Administering Oracle Database on Linux</a> » guide for more info.</div>
<div>
<br /></div>
<div>
<b>WARNING</b> : <i>don't copy this fstab line blindly! Copy only the line which starts with « <span style="font-family: 'Courier New', Courier, monospace;">tmpfs</span> » into your own <span style="font-family: 'Courier New', Courier, monospace;">/etc/fstab</span> file, and adjust the size according to the amount of memory in your system. This is just an example</i>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/fstab</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tmpfs /dev/shm tmpfs size=4g 0 0</span><br />
<div>
<br /></div>
<h4>
Kernel Configuration</h4>
<div>
<br /></div>
<div>
<div>
We must change quite a few parameters in the RedHat Linux kernel to keep Oracle happy.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/sysctl.conf">/etc/sysctl.conf</a></span></div>
<div>
<br /></div>
<div>
Don't forget that we must reboot to enable those changes. Well, that's not exactly true, as we can apply the settings with the <span style="font-family: 'Courier New', Courier, monospace;">sysctl(8)</span> command. But rebooting now will ensure that our <span style="font-family: 'Courier New', Courier, monospace;">/etc/sysctl.conf</span> file does not contain any errors. Imagine you reboot after the software is installed and it doesn't work. Tracing the problem back to this file is a time-consuming (and frustrating) task.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo shutdown -r now</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
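<div>
A reboot is the definitive test, but the two mistakes that actually make <span style="font-family: 'Courier New', Courier, monospace;">sysctl -p</span> fail (a line without an « = » and a key that doesn't exist under <span style="font-family: 'Courier New', Courier, monospace;">/proc/sys</span>) can be caught before rebooting. As an added example (not from the original post), here is a small linter for <span style="font-family: 'Courier New', Courier, monospace;">sysctl.conf</span> text. The sample entries are constructed and are not the author's linked file; the function name and its optional SYSROOT argument are my own.</div>

```shell
#!/bin/sh
# Added example: lint sysctl.conf text before relying on it at boot.
# Function name and the optional SYSROOT argument are my own.

# Constructed sysctl.conf excerpt: two valid Oracle-style entries, one
# misspelled key and one line missing "=".  Values are illustrative only.
SYSCTL_SAMPLE='# Oracle kernel parameters (constructed example)
fs.file-max = 6815744
kernel.shmmax = 4398046511104
kernel.shmmaxx = 1
net.ipv4.ip_local_port_range 9000 65500'

# sysctl_lint [SYSROOT] : read sysctl.conf text on stdin and report lines
# that would make "sysctl -p" fail: no "=" separator, or a key with no
# matching file under SYSROOT (default /proc/sys).  Keys are mapped by
# turning "." into "/"; keys that use "/" as separator are not handled.
# Returns 0 when clean, 1 when any finding was printed.
sysctl_lint() {
    root="${1:-/proc/sys}"
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "syntax: missing '=' in: $line"; rc=1; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -e "$path" ]; then
            echo "unknown key: $key (no $path)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the live kernel of this host.
printf '%s\n' "$SYSCTL_SAMPLE" | sysctl_lint && echo "sysctl.conf looks clean"
```

<div>
Run it as <span style="font-family: 'Courier New', Courier, monospace;">sysctl_lint &lt; /etc/sysctl.conf</span> on the new machine; it only reads <span style="font-family: 'Courier New', Courier, monospace;">/proc/sys</span>, so it is safe to run as an unprivileged user before the reboot.</div>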
<div>
<h4>
Security Limits</h4>
</div>
<div>
<br /></div>
<div>
Configure shell limits for the <span style="font-family: 'Courier New', Courier, monospace;">oracle</span> user. Here I set both the <span style="font-family: 'Courier New', Courier, monospace;">grid</span> and the <span style="font-family: 'Courier New', Courier, monospace;">oracle</span> user's limits. In this blog we're not using the grid user. But I like to have all my systems as identical as possible.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/security/limits.conf">/etc/security/limits.conf</a></span></div>
<div>
<br /></div>
<h4>
Package Installation</h4>
<div>
<br /></div>
<div>
We must make sure this new Oracle machine has several RPMs installed. For instance, the <span style="font-family: 'Courier New', Courier, monospace;">xorg-x11-xauth</span> rpm is installed because we need the <span style="font-family: 'Courier New', Courier, monospace;">xauth(1)</span> command for X11 forwarding to work. We also install the <span style="font-family: 'Courier New', Courier, monospace;">xorg-x11-utils</span> package in order to have access to the <span style="font-family: 'Courier New', Courier, monospace;">xdpyinfo(1)</span> command, which is used by the Oracle Universal Installer (OUI) when it starts. We don't absolutely need this, as you can always ignore the system prerequisites when you start the OUI with the <span style="font-family: 'Courier New', Courier, monospace;">-ignorePrereq</span> flag.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install xorg-x11-xauth gcc gcc-c++ libaio libaio-devel compat-libstdc++-33 glibc-devel glibc-headers libstdc++ sysstat binutils make expat compat-libcap1 ksh compat-glibc compat-glibc-headers glibc-devel.i686</span></div>
</div>
<div>
<br />
Don't be surprised by the number of other packages that will be installed to satisfy dependencies.<br />
<br />
<h4>
Users and Groups</h4>
</div>
<div>
<br /></div>
<div>
Your organisation's RedHat Kickstart should have created the users and groups required to run Oracle. But if not, then these are the ones you need. Adapt the UID and GID as you see fit. Just make sure they're unique in the entire corporate network.</div>
<div>
<br /></div>
<div>
We first create several groups.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5000 oinstall</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5001 dba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5002 sysoper</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5003 asmadmin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5004 asmdba</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 5005 asmoper</span></div>
<div>
<br /></div>
<div>
Then we create the <span style="font-family: 'Courier New', Courier, monospace;">oracle</span> and <span style="font-family: 'Courier New', Courier, monospace;">grid</span> users. Again, we don't really need the grid user in this post, but let's create it anyway. Who knows, maybe one day we will migrate to ASM?</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo useradd -u 5001 -g oinstall -G dba,asmadmin,asmdba,asmoper -d /usr/home/grid -s /bin/bash -c "Oracle Grid Infrastructure Owner" -m grid</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo useradd -u 5000 -g oinstall -G dba,sysoper,asmdba -d /usr/home/oracle -s /bin/bash -c "Oracle Database Owner" -m oracle</span></div>
<div>
<br /></div>
<div>
Edit <span style="font-family: 'Courier New', Courier, monospace;">/etc/profile</span> to handle these new users.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/profile">/etc/profile</a></span></div>
<div>
<br /></div>
<div>
<h4>
SSH Keys and X11 Forwarding</h4>
</div>
<div>
<br /></div>
<div>
We will need our new Oracle machine to accept SSH connections from our oracle and grid users. We also need it to forward X11. To do this, edit sshd's configuration. </div>
<div>
<br /></div>
<div>
<b>WARNING :</b> <i>make sure you understand this file, because you can lock yourself out from the server if you don't!</i></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/ssh/sshd_config">/etc/ssh/sshd_config</a></span></div>
<div>
<br /></div>
<div>
Restart the daemon so that it picks up the changes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/sshd restart</span></div>
<div>
<br /></div>
<div>
Now from your workstation, if you haven't done so already, create a pair of SSH keys and then send the public one to your new Oracle server. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh-keygen -t rsa</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">scp ~/.ssh/id_rsa.pub opus.company.com:/tmp</span></div>
<div>
<br /></div>
<div>
Connect to the machine and place your public SSH key into the oracle user's authorized_keys. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh opus.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir ~/.ssh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">chmod 600 ~/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rm /tmp/id_rsa.pub</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<br /></div>
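<div>
The key installation above works, but run twice it appends the key twice, and it leaves <span style="font-family: 'Courier New', Courier, monospace;">~/.ssh</span> with whatever mode the umask gave it, which sshd's StrictModes check can reject. As an added example (not from the original post), here is an idempotent version of those steps that validates the key line, sets 700 on <span style="font-family: 'Courier New', Courier, monospace;">.ssh</span> and 600 on <span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span>, and never adds the same key twice. The demo key is constructed, not a real key; the function names are my own.</div>

```shell
#!/bin/sh
# Added example: an idempotent version of the authorized_keys steps above.
# Function names are my own.

# install_authorized_key HOME KEYFILE : append the single OpenSSH public key
# in KEYFILE to HOME/.ssh/authorized_keys exactly once, with the modes that
# sshd's StrictModes check expects (700 on .ssh, 600 on the file).
# Returns 1 if KEYFILE does not look like a public key.
install_authorized_key() {
    home="$1"
    keyfile="$2"
    key=$(head -n 1 "$keyfile" | tr -d '\r')
    # split "type base64 comment" into positional parameters of this function
    set -- $key
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type in $keyfile" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!A-Za-z0-9+/=]*) echo "key material is not base64 in $keyfile" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    # grep -Fx: literal, whole-line match, so re-running never duplicates the key
    if ! grep -qFx "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# count_authorized_keys HOME : number of non-comment, non-blank key lines.
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Stand-alone demo in a throwaway home directory with a constructed key
# (not a real key).
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterialOnly== admin@workstation\n' > "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"   # second run is a no-op
echo "keys installed: $(count_authorized_keys "$demo_home")"  # 1, not 2
rm -rf "$demo_home"
```

<div>
On the new server, <span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span> followed by <span style="font-family: 'Courier New', Courier, monospace;">install_authorized_key "$HOME" /tmp/id_rsa.pub</span> replaces the mkdir/cat/chmod sequence above and can be re-run safely for the grid user or after a key rotation.</div>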
<div>
Back on your own workstation, allow the new server X11 access to the local machine and then connect to the new machine with the X11 forwarding enabled.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">xhost +opus.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh -Y -X oracle@opus.company.com</span></div>
<div>
<br /></div>
<div>
<h4>
Create Directories</h4>
</div>
<div>
<br /></div>
<div>
Let's connect to the new machine and create some directories. First the Oracle Inventory.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh opus.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /u01/app/oraInventory</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:oinstall /u01/app/oraInventory</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod -R 2775 /u01/app/oraInventory</span></div>
<div>
<br /></div>
<div>
Then create the Oracle base.</div>
<div>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /u01/app/oracle</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R oracle:oinstall /u01/app/oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod -R 775 /u01/app/oracle</span><br />
<br />
<h3>
Software Installation</h3>
<br />
<div>
Connect to the new machine with X11 enabled.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh -YX oracle@opus.company.com</span></div>
<div>
<br /></div>
<h4>
Fix OUI Bug</h4>
<div>
<br /></div>
<div>
<a href="https://supporthtml.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1454982.1">Doc ID 1454982.1 - Installing 11.2.0.3 64-bit (x86-64) on RHEL6 Reports That Packages "elfutils-libelf-devel-0.97" and "pdksh-5.2.14" are missing (PRVF-7532)</a></div>
<div>
<br /></div>
<div>
Because of a bug with the 11.2.0.3 OUI (see Doc ID 1454982.1), we must edit a file before we can start the OUI.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/install/oracle/11.2/x86_64/database/stage/cvu/cv/admin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp cvu_config cvu_config.backup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/cvu_config">cvu_config</a></span></div>
<div>
<br /></div>
<h4>
Create a Response File</h4>
<div>
<br /></div>
<div>
Create a response file. The easiest way to do this is to run the installer in GUI mode and hit the save response file button just before you would normally start the installation. Exit from the GUI OUI and start it at the console prompt using your new response file.</div>
<div>
<br /></div>
<div>
Why bother with a response file? Because IMHO it's easier to follow the installation progress and you skip some problems when you can't have the X11 output (security policies) or you don't have access to an X server (a workstation running Windows on which you can't install <a href="http://www.straightrunning.com/XmingNotes/">Xming</a> for example).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir ~oracle/oui</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/oui/db.11.2.0.3.rsp">~oracle/oui/db.11.2.0.3.rsp</a></span></div>
<div>
<br /></div>
<h4>
Run the installer</h4>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">./runInstaller -showProgress -ignorePrereq -ignoreSysPrereqs -silent -responseFile ~/oui/db.11.2.0.3.rsp</span></div>
</div>
<div>
<br /></div>
<div>
This will start the OUI. Give it a few minutes to get started and the log file name will be printed on the standard output. So open a second shell window and follow both outputs simultaneously.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh opus.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">tail -F /u01/app/oraInventory/logs/installActions*.log</span></div>
<br />
<div>
A bit later, you will see this appear in the standard output window :</div>
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">As a root user, execute the following script(s):</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>1. /u01/app/oraInventory/orainstRoot.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>2. /u01/app/oracle/product/11.2.0.3/dbhome_1/root.sh</span></div>
</div>
<div>
<br /></div>
<div>
It's pretty obvious what we now need to do... So from another shell do this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /u01/app/oraInventory/orainstRoot.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /u01/app/oracle/product/11.2.0.3/dbhome_1/root.sh</span></div>
<div>
<br /></div>
<div>
The last script will display a log file name, saying that's where you should look to see what the script just did. A simple cat(1) will do the trick (because of the time stamp, the file name is different every time you run the OUI, so use the file name the script told you). </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cat /u01/app/oracle/product/11.2.0.3/dbhome_1/install/root_opus.company.com_2012-07-03_14-21-29.log</span></div>
<div>
<br /></div>
<div>
Good job, you now have Oracle RDBMS 11.2.0.3 Enterprise Edition installed! :)</div>
<div>
<br /></div>
<h3>
Post-Installation Tasks</h3>
<div>
<br /></div>
<h4>
Backup Root Scripts</h4>
<div>
<br /></div>
<div>
Oracle recommends backing up both root scripts. So let's do this.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir ~/backup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp /u01/app/oraInventory/orainstRoot.sh ~/backup/orainstRoot.sh.`date +%Y%m%d`</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp /u01/app/oracle/product/11.2.0.3/dbhome_1/root.sh ~/backup/root.sh.`date +%Y%m%d`</span></div>
<div>
<br /></div>
<h3>
Configure User Environment</h3>
<div>
<br /></div>
<h4>
.bash_profile</h4>
<div>
<br /></div>
<div>
Let's configure the oracle user's environment. I always like to keep a copy of the environment that has nothing Oracle related configured. It's useful when we need to run OUI again.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp ~/.bash_profile ~/.bash_profile.oui</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/home/oracle/.bash_profile.txt">~/.bash_profile</a></span></div>
<div>
<br /></div>
<h4>
.aliases</h4>
<div>
<br /></div>
<div>
Let's create some finger-friendly aliases.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/home/oracle/.aliases.txt">~/.aliases</a></span></div>
<div>
<br /></div>
Check that the environment is OK :<br />
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">source ~/.bash_profile</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">env | sort</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">alias</span></div>
<div>
<br /></div>
<div>
<h4>
login.sql</h4>
</div>
<div>
<br /></div>
<div>
This file is read when we start an sqlplus session. I like to change things a bit.</div>
<div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir -p /nfs/home/oracle/scripts/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/home/oracle/login.sql">/nfs/home/oracle/scripts/login.sql</a></span></div>
</div>
<div>
<br /></div>
<h3>
Database Creation</h3>
<div>
<br /></div>
<div>
We're now ready to create a new empty database. In this example, the database will be called « <span style="font-family: 'Courier New', Courier, monospace;">meta</span> ».</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">for DIR in adump dpdump hdump pfile scripts; do</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> sudo mkdir -p /u01/app/oracle/admin/meta/$DIR</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">done</span></div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /u01/oradata /u02/oradata /u03/oradata</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R oracle:oinstall /u0*/oradata</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R oracle:oinstall /u01/app/oracle/admin</span></div>
<div>
<br /></div>
<div>
I like to use the Oracle Database Configuration Assistant (DBCA) to set up the SQL scripts, because each version of Oracle ships a modified DBCA that uses the latest configuration. Instead of reusing a database creation script I wrote for Oracle 10gR1 on a new 11gR2, I prefer to generate new scripts with the latest DBCA. I then save those scripts and run them manually, which gives me the opportunity to learn how it's done. I can also run those scripts manually on another machine without using DBCA again, in case that machine doesn't have X11 forwarding enabled. So start DBCA and save the scripts.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/bin/dbca</span><br />
<br /></div>
<div>
This will generate a bunch of files. <a href="https://dl.dropbox.com/u/72609528/blog/oracle/meta.creation.scripts.tar.gz">You can download them from my dropbox account</a>.<br />
<br />
Execute the scripts to create the new database.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sh /u01/app/oracle/admin/meta/scripts/meta.sh</span></div>
<div>
<br /></div>
<div>
<h3>
Post-Database Installation Tasks</h3>
<br />
Edit the host's <span style="font-family: 'Courier New', Courier, monospace;">/etc/oratab</span>. Do this as yourself, not as the oracle user.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/oratab">/etc/oratab</a></span><br />
<br />
<h4>
Configure SQL*Net</h4>
<br />
Switch to the oracle user and configure SQL*Net.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">vi $ORACLE_HOME/network/admin/tnsnames.ora</span><br />
<br />
Configure a basic listener setup. The point here is just to start the listener. Don't forget that we already have a <span style="font-family: 'Courier New', Courier, monospace;">listener.ora</span> template located in the <span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/network/admin/samples</span> directory.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/ORACLE_HOME/network/admin/listener.ora">$ORACLE_HOME/network/admin/listener.ora</a></span><br />
<br />
Start the listener.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">lsnrctl start</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
The next SQL*Net file to configure is the <span style="font-family: 'Courier New', Courier, monospace;">sqlnet.ora</span> file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/ORACLE_HOME/network/admin/sqlnet.ora">$ORACLE_HOME/network/admin/sqlnet.ora</a></span><br />
<br />
And the <span style="font-family: 'Courier New', Courier, monospace;">tnsnames.ora</span> file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/ORACLE_HOME/network/admin/tnsnames.ora">$ORACLE_HOME/network/admin/tnsnames.ora</a></span><br />
<br />
<h4>
Configure Database Instance</h4>
<div>
<br /></div>
</div>
<div>
Set up a few configuration parameters. Most of these will prevent errors from showing up in the <a href="http://docs.oracle.com/cd/B19306_01/install.102/e10041/intro.htm">Oracle Configuration Manager</a> (OCM) inside My Oracle Support.</div>
<div>
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set global_names=true scope=both sid='*';</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set smtp_out_server='127.0.0.1' scope=both sid='*';</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set log_checkpoints_to_alert=true scope=both sid='*';</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set os_authent_prefix='' scope=spfile sid='*';</span></div>
<div>
<br /></div>
<div>
You may have noticed that I use <span style="font-family: 'Courier New', Courier, monospace;">sid='*'</span> for all the above statements. Since we're configuring a single instance database, we don't really need this. But I keep using it so that it becomes a reflex, and I never forget it when working on a RAC database.</div>
<div>
<br /></div>
<div>
The following pushes the undo retention period well beyond the default of 900 seconds. As the <a href="http://docs.oracle.com/cd/E11882_01/backup.112/e10642/toc.htm">Oracle Database Backup and Recovery User's Guide</a> says:</div>
<div>
<blockquote class="tr_bq">
To ensure that the undo information is retained for Flashback Table operations, Oracle suggests setting the UNDO_RETENTION parameter to 86400 seconds (24 hours) or greater for the undo tablespace.</blockquote>
<div>
<div>
So let's crank this up to 48 hours (i.e. 172800 seconds).</div>
</div>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set undo_retention=172800 scope=both sid='*';</span></div>
<div>
<br /></div>
<div>
<div>
Next we need to boost the flashback retention period above the default of 1440 minutes (i.e. 24 hours). If you have lots of disk space, set it quite high, enough to last a long weekend (i.e. four days) or more. In this example, we will set it to 7200 minutes (i.e. 6 days).</div>
<br /></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set db_flashback_retention_target=7200 scope=both sid='*';</span></div>
<br /></div>
<div>
We are now going to enable block change tracking. That eats up a bit of disk space, but it helps improve our RMAN backup times. For this to work, the block change tracking file has to be specified, or the <span style="font-family: 'Courier New', Courier, monospace;">DB_CREATE_FILE_DEST</span> parameter has to be set. In this example, we will use a file placed in the same directory as the other database files, so we first check what that directory is.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select file_name from dba_data_files;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">FILE_NAME</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-------------------------------------------------------</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/u02/oradata/meta/system01.dbf</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/u02/oradata/meta/sysaux01.dbf</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/u02/oradata/meta/undotbs01.dbf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/u02/oradata/meta/users01.dbf</span></div>
<div>
<br /></div>
</div>
<div>
Then create the file in the same directory.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter database enable block change tracking using file '/u02/oradata/meta/block.change.tracking.dbf';</span></div>
</div>
<div>
<br />
Check that it's properly configured.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select filename, status from v$block_change_tracking;</span><br />
<br /></div>
</div>
<div>
<h4>
Prevent Account Expiration for Service Accounts</h4>
<br />
<div>
It’s old news, but Oracle 11g expires passwords after 180 days and most DBAs don’t like that. It’s insecure, but for client-server applications a locked account is not a single-user annoyance, it’s a downtime killing SLAs, nerves and – hopefully not – DBA jobs. So just make your DEFAULT user profile less secure by allowing passwords to never expire.</div>
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select * from dba_profiles where resource_type='PASSWORD' order by resource_name;</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter profile DEFAULT limit PASSWORD_LIFE_TIME UNLIMITED;</span></div>
<br /></div>
<h4>
Fix Bug 11891463</h4>
According to Metalink <a href="https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=756784917285605&type=DOCUMENT&id=1361567.1">Doc ID 1361567.1 - Minact-Scn Master-Status: Grec-Scn Messages In Trace File</a>, we need to fix a bug. Otherwise our <span style="font-family: 'Courier New', Courier, monospace;">diag_dest_dir</span> directory will be filled by <span style="font-family: 'Courier New', Courier, monospace;">.trc</span> and <span style="font-family: 'Courier New', Courier, monospace;">.trm</span> files from the MMON process. To prevent that, issue the following command :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set "_enable_minscn_cr"=false scope=spfile sid='*';</span><br />
<div>
<br /></div>
To enable this, we should bounce the instance right now. But since we still have some configuration work to do, let's wait until everything is configured before the instance restart.<br />
<br />
<h4>
Change Audit Parameters</h4>
</div>
<div>
<div>
<br /></div>
<div>
I've already written on this topic in <a href="http://itdavid.blogspot.ca/2011/02/manage-oracle-11gr2-asm-and-rdbms-audit.html">a previous blog post</a>, but that was for RedHat 5 and we're on RedHat 6 here, so let's go over it again. We will switch all of our databases' audit trails to syslog, as Oracle recommends. The idea is that logs sent to syslog are written to a file to which neither the oracle user nor any of its groups have write access. This assumes the DBA and the Linux systems administrator are not the same person, which means that if the DBA does something fishy, he or she won't be able to edit the audit trail to cover his or her actions.</div>
</div>
<div>
<ul>
<li><a href="http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/auditing.htm#CEGCFCJI">Configuring Syslog Auditing</a></li>
<li><a href="http://download.oracle.com/docs/cd/E11882_01/server.112/e17110/initparams016.htm#REFRN10263">Oracle Database Reference 11g Release 2 (11.2) - AUDIT_SYSLOG_LEVEL.</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=553225.1">Doc ID 553225.1 - How To Set the AUDIT_SYSLOG _LEVEL Parameter?</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=756708.1">Doc ID 756708.1 - How To Distinguish The Output Of 2 Or More Databases In The SYSLOG Audit Output.</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=174340.1">Doc ID 174340.1 - Audit SYS User Operations</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=308066.1">Doc ID 308066.1 - AUDIT_SYS_OPERATIONS Set To FALSE Yet Audit Files Are Generated.</a></li>
</ul>
</div>
<div>
We start by changing our <span style="font-family: 'Courier New', Courier, monospace;">/etc/rsyslog.conf</span> file to send <span style="font-family: 'Courier New', Courier, monospace;">local0</span> messages to the Oracle audit trail. Recall that we are sending all our syslog data to a central syslog server. So we must change both our local rsyslog.conf file and the central syslog server's rsyslog.conf file. Then restart <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> on both machines.</div>
<div>
<br /></div>
<b>Oracle RDBMS Server Syslog Configuration</b><br />
<div>
<br /></div>
<div>
We start by the configuration of <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> on the client machine. I say client machine because the Oracle RDBMS server is the syslog client to our central syslog server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/rsyslog.conf.rdbms.txt">/etc/rsyslog.conf</a></span></div>
<div>
<br /></div>
<div>
Create the new log file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /var/log/oracle</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo touch /var/log/oracle/audit.log</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod go-r /var/log/oracle/audit.log</span></div>
<div>
<br /></div>
<div>
Make sure this new log file is rotated.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/logrotate.d/oracle.audit</span></div>
<div>
<br /></div>
<div>
Verify that the new <span style="font-family: 'Courier New', Courier, monospace;">logrotate(8)</span> configuration file is OK.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo logrotate -d /etc/logrotate.conf</span></div>
<div>
<br /></div>
<div>
Restart the <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> daemon to enable the changes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rsyslog restart</span></div>
<div>
<br /></div>
<b>Central Syslog Server Configuration</b><br />
<div>
<br /></div>
<div>
The central syslog server's configuration is quite similar to the one for the Oracle RDBMS server. In 11gR2 you can send more than one database's audit logs to the same audit log file, because they all log their DBID so you can tell them apart. Here I send all the RDBMS audit logs to the same file.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/rsyslog.conf.central.txt">/etc/rsyslog.conf</a></span></div>
<br />
<div>
Create the new log file.</div>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /var/log/oracle</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo touch /var/log/oracle/audit.log</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod go-r /var/log/oracle/audit.log</span></div>
</div>
<div>
<br /></div>
<div>
Make sure this new log file is rotated.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/logrotate.d/oracle.audit</span></div>
<div>
<br /></div>
<div>
Verify that the new <span style="font-family: 'Courier New', Courier, monospace;">logrotate(8)</span> configuration file is OK.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo logrotate -d /etc/logrotate.conf</span></div>
<div>
<br /></div>
<div>
Restart the <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> daemon to enable the changes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rsyslog restart</span></div>
</div>
<div>
<br /></div>
<div>
Exit from the central syslog server and go back to the Oracle RDBMS server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh opus.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span></div>
<div>
<br /></div>
<div>
<div>
Configure the database to send audit logs to syslog.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sqlplus '/ as sysdba'</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> show parameter audit;</span></div>
</div>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set audit_trail='OS' scope=spfile sid='*';</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set audit_syslog_level='local0.info' scope=spfile sid='*';</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> alter system set audit_sys_operations=true scope=spfile sid='*';</span></div>
</div>
<div>
<br /></div>
<div>
We just changed a lot of configuration parameters, so let's make a copy of the spfile just to be safe. The first query returns the path of the spfile; the next one creates a text file copy of it.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> select name, value from v$parameter where name = 'spfile';</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> create pfile = '/u01/app/oracle/admin/meta/pfile/pfile.ora' from spfile;</span></div>
</div>
</div>
<div>
</div>
</div>
</div>
<div>
<br />
You may have noticed that the alter system audit parameters were all set with « <span style="font-family: 'Courier New', Courier, monospace;">scope=spfile</span> ». That means we have to bounce the instance for the audit parameters to kick in. We run the show parameter audit query again after the restart to make sure our audit parameters are now online.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> shutdown immediate;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> startup;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">SQL> show parameter audit;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">NAME<span class="Apple-tab-span" style="white-space: pre;"> </span> TYPE VALUE</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">---------------------- -------- --------------------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">audit_file_dest string /u01/app/oracle/admin/meta/adump</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">audit_sys_operations boolean<span class="Apple-tab-span" style="white-space: pre;"> </span>TRUE</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">audit_syslog_level string<span class="Apple-tab-span" style="white-space: pre;"> </span>LOCAL0.INFO</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">audit_trail<span class="Apple-tab-span" style="white-space: pre;"> </span> string<span class="Apple-tab-span" style="white-space: pre;"> </span>OS</span><br />
<div>
<br /></div>
<div>
Now double check the audit trail.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tail /var/log/oracle/audit.log</span></div>
<div>
<br /></div>
<div>
You should get a « <span style="font-family: 'Courier New', Courier, monospace;">permission denied</span> » here because you tried to access the audit trail as the <span style="font-family: 'Courier New', Courier, monospace;">oracle</span> user. Try again as <span style="font-family: 'Courier New', Courier, monospace;">root</span> via sudo.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tail /var/log/oracle/audit.log</span></div>
<div>
<br /></div>
<div>
Good!</div>
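Once the audit trail lands in syslog, somebody has to read it. As an added example (not part of the original post), the following POSIX shell functions triage that file for what a DBA or security admin wants to see first: SYSDBA/SYSOPER connections per DBID (the DBID is what lets several databases share one file, per Doc ID 756708.1) and failed actions. The record layout is my reading of the 11g OS audit format and the sample lines are constructed, so treat both as assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: triage the syslog audit trail
# that audit_trail=OS plus audit_syslog_level=local0.info produce.
# The record layout is modelled on the 11g OS audit format as I understand it
# (ACTION, DATABASE USER, PRIVILEGE, CLIENT USER, STATUS, DBID ...); treat it
# as an assumption, and the sample records below as constructed, not captured.

# Write constructed sample records to the file named in $1.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
Mar 12 10:01:02 opus Oracle Audit[4242]: LENGTH : '231' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '1234567890'
Mar 12 10:03:15 opus Oracle Audit[4250]: LENGTH : '233' ACTION :[7] 'CONNECT' DATABASE USER:[5] 'SCOTT' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'jsmith' CLIENT TERMINAL:[5] 'pts/1' STATUS:[4] '1017' DBID:[10] '1234567890'
Mar 12 10:04:40 opus Oracle Audit[4261]: LENGTH : '229' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'bob' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '9876543210'
Mar 12 10:05:01 opus Oracle Audit[4270]: LENGTH : '236' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[4] '1017' DBID:[10] '1234567890'
Mar 12 10:05:30 opus rsyslogd: [origin software="rsyslogd"] rsyslogd was HUPed
EOF
}

# Pull one quoted value out of a record: audit_field "$line" "CLIENT USER".
# Every field looks like  NAME :[len] 'value'  (the space before ':' varies).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2 *:\[[0-9]*\] '\([^']*\)'.*/\1/p"
}

# Print "DBID CLIENT_USER TERMINAL STATUS" for every SYSDBA/SYSOPER connection.
audit_privileged_connects() {
    while IFS= read -r line; do
        case "$line" in *"Oracle Audit"*) ;; *) continue ;; esac
        [ "$(audit_field "$line" ACTION)" = "CONNECT" ] || continue
        priv=$(audit_field "$line" PRIVILEGE)
        case "$priv" in SYSDBA|SYSOPER) ;; *) continue ;; esac
        printf '%s %s %s %s\n' "$(audit_field "$line" DBID)" \
            "$(audit_field "$line" 'CLIENT USER')" \
            "$(audit_field "$line" 'CLIENT TERMINAL')" \
            "$(audit_field "$line" STATUS)"
    done < "$1"
}

# Print "DBID DATABASE_USER CLIENT_USER STATUS" for failed actions (STATUS != 0),
# e.g. ORA-01017 logon failures, which are the first sign of password guessing.
audit_failures() {
    while IFS= read -r line; do
        case "$line" in *"Oracle Audit"*) ;; *) continue ;; esac
        status=$(audit_field "$line" STATUS)
        [ -n "$status" ] && [ "$status" != "0" ] || continue
        printf '%s %s %s %s\n' "$(audit_field "$line" DBID)" \
            "$(audit_field "$line" 'DATABASE USER')" \
            "$(audit_field "$line" 'CLIENT USER')" "$status"
    done < "$1"
}

# Privileged connections per DBID, sorted, for a file shared by several databases.
audit_privileged_counts() {
    audit_privileged_connects "$1" |
        awk '{ n[$1]++ } END { for (d in n) print d, n[d] }' | sort
}

# Usage: sh audit_triage.sh /var/log/oracle/audit.log (as root; oracle cannot read it)
if [ $# -eq 1 ]; then
    echo "== privileged connections per DBID"; audit_privileged_counts "$1"
    echo "== failed actions (DBID DBUSER OSUSER STATUS)"; audit_failures "$1"
fi
```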
<div>
<br /></div>
<div>
One last thing before we're finished with the audit parameters. As Doc ID 308066.1 clearly explains, we will always get audit logs in our <span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_BASE/admin/$ORACLE_SID/adump</span> directory. So let's make sure it doesn't grow out of proportion by clearing the old audit logs. We do this in the <span style="font-family: 'Courier New', Courier, monospace;">oracle</span> user's crontab.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><a href="https://dl.dropbox.com/u/72609528/blog/oracle/crontab.txt">crontab -e</a></span></div>
<div>
<br /></div>
<div>
Finally, I like to use <a href="http://www.idevelopment.info/">Jeffrey M. Hunter's</a> scripts. He's an Oracle ACE who has created management scripts for Oracle. They're interesting, so we install them. Grab a copy of the scripts and extract them to a central Oracle NFS directory.</div>
<div>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir -p /nfs/home/oracle/scripts/jeffrey.hunter</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/home/oracle/scripts/jeffrey.hunter</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wget http://www.idevelopment.info/data/Oracle/DBA_scripts/dba_scripts_archive_Oracle.zip</span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span>
<br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">unzip /nfs/home/oracle/scripts/jeffrey.hunter/dba_scripts_archive_Oracle.zip</span></div>
</div>
<br />
<div>
<div>
Then, create the <span style="font-family: 'Courier New', Courier, monospace;">ORACLE_PATH</span> directory and copy the scripts into it.</div>
</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mkdir -p $ORACLE_BASE/common/sql</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp /nfs/home/oracle/scripts/jeffrey.hunter/dba_scripts/sql/* $ORACLE_BASE/common/sql</span></div>
</div>
<div>
<br />
<h3>
Oracle Configuration Manager</h3>
<ul>
<li><a href="http://docs.oracle.com/cd/B19306_01/install.102/e10041/intro.htm">Oracle Configuration Manager</a> (OCM)</li>
<li><a href="http://docs.oracle.com/cd/E28601_01/index.htm">Oracle Configuration Manager Documentation Index</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=1107494.1&h=Y">Doc ID 1107494.1 - How To Check If The OCM Is Configured or Not?</a></li>
<li><a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=369619.1">Doc ID 369619.1 - OCM (Oracle Configuration Manager) and My Oracle Support : FAQ and Troubleshooting</a></li>
</ul>
OCM comes built-in with 11gR2, so we will configure it right now. OCM requires a Java JRE to be installed. So go to the <a href="http://www.oracle.com/technetwork/java/index.html">Oracle Java website</a>, download the latest Java SE package and install it (follow the instructions on the Oracle website).<br />
<br />
Once you have the Java JRE installed, configure OCM. You will need your Oracle Support Contract number and the email you use to connect to My Oracle Support. In this example, the contract number and the email are bogus, as this is just an example...<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/ccr/bin/setupCCR 973649 david.robillard@company.com</span><br />
<br />
This will deploy OCM and print some info about what it's doing and what the next steps are. One of those steps is to configure the daily collection interval. The idea is to use different collection times for the various machines on your network so that they don't all connect to My Oracle Support at the exact same time.<br />
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/ccr/bin/emCCR set collection_interval="FREQ=DAILY; BYHOUR=6; BYMINUTE=20"</span><br />
<div>
<br /></div>
<div>
We can now check the crontab to see what the emCCR command installed.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">crontab -l</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">0,15,30,45 * * * * /u01/app/oracle/product/11.2.0.3/dbhome_1/ccr/bin/emCCR -cron -silent start</span></div>
</div>
<div>
<br /></div>
<div>
For each of the database instances running on the machine, execute the post-installation script.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/ccr/admin/scripts/installCCRSQL.sh collectconfig -s meta</span></div>
</div>
<div>
<br /></div>
<div>
<div>
Test, then start a collection.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/ccr/bin/emCCR test</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/ccr/bin/emCCR collect</span></div>
<div>
<br />
Now log in to <a href="https://support.oracle.com/">My Oracle Support</a> and check the Systems tab; you should see your instance listed there.<br />
<br /></div>
</div>
</div>
<div>
<h4>
Startup Scripts</h4>
</div>
<div>
<br /></div>
<div>
Let's create startup scripts for the listener and the database. We will include those new scripts in the RedHat startup procedure. So, as your own user, create the Oracle listener startup script.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/init.d/oracle.listener.txt">/etc/init.d/oracle.listener</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig oracle.listener on</span></div>
<div>
<br /></div>
<div>
And then the Oracle RDBMS startup script.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/oracle/etc/init.d/oracle.db.txt">/etc/init.d/oracle.db</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig oracle.db on</span></div>
<div>
<br /></div>
<div>
Double check that the new scripts are part of the RedHat system's startup configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">chkconfig --list | grep oracle</span></div>
<div>
<br /></div>
<div>
<i><b>Be sure to test both scripts!</b></i></div>
<div>
<br /></div>
<div>
Reboot your server to see if the database and the listener are up without any intervention on your part.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo shutdown -r now</span></div>
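As an added example (hypothetical, not the post's own oracle.db from Dropbox), here is a minimal SysV init script for the RDBMS: it reads /etc/oratab, starts and stops the instances flagged Y as the oracle user rather than root, reports status from the PMON process, and carries the chkconfig header that chkconfig oracle.db on needs. The ORATAB and ORACLE_USER variables are my own knobs, added so the parsing can be tested against a constructed oratab.

```shell
#!/bin/sh
# /etc/init.d/oracle.db - added example of the RDBMS init script (hypothetical,
# not the post's own file). Starts or stops every instance flagged Y in
# /etc/oratab, always running SQL*Plus as the oracle user, never as root.
# chkconfig: 345 99 10
# description: Oracle RDBMS instances listed in /etc/oratab

ORATAB=${ORATAB:-/etc/oratab}
ORACLE_USER=${ORACLE_USER:-oracle}

# Print "SID:ORACLE_HOME" for each oratab entry whose autostart flag is Y
# (or y), skipping comments, blank lines, malformed entries and those flagged N.
oratab_autostart() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk -F: '{ gsub(/[[:space:]]/, "", $3) }
                 NF >= 3 && $1 != "" && $2 != "" && toupper($3) == "Y" { print $1 ":" $2 }'
}

# Run one SQL*Plus command for an instance as the oracle user.
# $1 SID, $2 ORACLE_HOME, $3 SQL text (a trailing "exit" is appended).
run_as_oracle_sql() {
    su - "$ORACLE_USER" -c "export ORACLE_SID='$1' ORACLE_HOME='$2'; printf '%s\nexit\n' '$3' | '$2/bin/sqlplus' -s / as sysdba"
}

start() {
    oratab_autostart "$ORATAB" | while IFS=: read -r sid home; do
        echo "Starting Oracle instance $sid"
        run_as_oracle_sql "$sid" "$home" "startup"
    done
}

stop() {
    oratab_autostart "$ORATAB" | while IFS=: read -r sid home; do
        echo "Stopping Oracle instance $sid"
        run_as_oracle_sql "$sid" "$home" "shutdown immediate"
    done
}

# An instance is up when its PMON background process (ora_pmon_SID) exists.
status() {
    oratab_autostart "$ORATAB" | while IFS=: read -r sid home; do
        if pgrep -f "^ora_pmon_$sid\$" >/dev/null 2>&1; then
            echo "$sid: running"
        else
            echo "$sid: down"
        fi
    done
}

case "$1" in
    start|stop|status) "$1" ;;
    restart) stop; start ;;
    "") ;;   # sourced with no action: just define the functions
    *) echo "Usage: $0 {start|stop|status|restart}" >&2; exit 2 ;;
esac
```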
<div>
<br />
<h3>
Install Latest Patch Set</h3>
<br />
<a href="https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=756671.1">Doc ID 756671.1 - Oracle Recommended Patches -- Oracle Database</a><br />
<a href="https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=293369.1">Doc ID 293369.1 - Master Note For OPatch</a><br />
<a href="https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?_afrLoop=840760191758407&id=1348336.1">Doc ID 1348336.1 - 11.2.0.3 Patch Set - Availability and Known Issues</a><br />
<a href="https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=13923374.8">Doc ID 13923374.8 - Bug 13923374 - 11.2.0.3.3 Patch Set Update (PSU)</a><br />
<br />
As of this writing, the latest patch set is 11.2.0.3.3. So <a href="https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=13923374">download the patch set update</a>. Get the SHA1 checksum also.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">echo "34E9FA2627E06791C8D5DC84C2DCA2090F8B5256" > ~/Downloads/p13923374_112030_Linux-x86-64.zip.sha1</span><br />
<br />
Compare both SHA1 values from the downloaded file and the one found on My Oracle Support.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">openssl dgst -sha1 ~/Downloads/p13923374_112030_Linux-x86-64.zip</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cat ~/Downloads/p13923374_112030_Linux-x86-64.zip.sha1</span><br />
<br />
If the SHA1 values are the same, then move everything to the staging directory.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mv ~/Downloads/p13923374_112030_Linux-x86-64.zip* /nfs/install/oracle/linux/x86_64</span><br />
<br />
Now <a href="https://updates.oracle.com/ARULink/PatchDetails/process_form?patch_num=6880880">download the latest OPatch version</a> and check the SHA1 value.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">echo "C0B9E5566DDBDFFD3076735F429587EC8CE9EF18" > ~/Downloads/p6880880_112000_Linux-x86-64.zip.sha1</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">openssl dgst -sha1 ~/Downloads/p6880880_112000_Linux-x86-64.zip</span></div>
</div>
<div>
<br /></div>
<div>
Move the latest OPatch to the staging directory.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">mv ~/Downloads/p6880880_112000_Linux-x86-64.zip* /nfs/install/oracle/linux/x86_64/</span></div>
</div>
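Doing the two checksum comparisons above by eye works, but a small script that refuses to stage a zip whose digest does not match its .sha1 sidecar is less error-prone. This is an added example, not from the original post; the script name is hypothetical and it assumes openssl (or sha1sum) is installed.<br />

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded Oracle patch
# zip against the one-line .sha1 sidecar written with
#   echo "<digest from My Oracle Support>" > file.zip.sha1
# and only then move zip and sidecar to the staging directory.
# Assumed: openssl (or sha1sum) is installed; the script name is hypothetical.

# Print the lower-case SHA1 hex digest of a file.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | sed 's/^.*= //' | tr 'A-F' 'a-f'
    else
        sha1sum "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 FILE: compare FILE with FILE.sha1; 0 on match, 1 otherwise.
# My Oracle Support prints the digest in upper case and openssl in lower
# case, so both sides are normalised before comparing.
verify_sha1() {
    file=$1
    sidecar="$file.sha1"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    [ -f "$sidecar" ] || { echo "missing $sidecar" >&2; return 1; }
    expected=$(tr -d ' \r\n' < "$sidecar" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]* | "")
            echo "$sidecar does not hold a hex digest" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 40 ] || { echo "$sidecar is not a SHA1 digest" >&2; return 1; }
    actual=$(sha1_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# stage_patch FILE STAGEDIR: move zip and sidecar only after they verify.
stage_patch() {
    verify_sha1 "$1" || return 1
    mkdir -p "$2" && mv "$1" "$1.sha1" "$2/"
}

# Example invocation (hypothetical script name):
#   sh verify_patch.sh ~/Downloads/p13923374_112030_Linux-x86-64.zip /nfs/install/oracle/linux/x86_64
if [ $# -eq 2 ]; then
    stage_patch "$1" "$2"
fi
```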
<div>
<br /></div>
Connect to the database server and check the status of the current OPatch.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh opus.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/OPatch/opatch version</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">OPatch Version: 11.2.0.1.7</span><br />
<div>
<br /></div>
Extract the latest OPatch directly into the <span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">unzip /nfs/install/oracle/linux/x86_64/p6880880_112000_Linux-x86-64.zip -d $ORACLE_HOME</span><br />
<br />
Then check the new version of OPatch.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">$ORACLE_HOME/OPatch/opatch version</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">OPatch Version: 11.2.0.3.0</span></div>
</div>
<div>
<br /></div>
<div>
Good, we moved from version 11.2.0.1.7 to version 11.2.0.3.0. We can now use this new OPatch to install the latest Patch Set Update (PSU). Let's extract this patch.</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">unzip /nfs/install/oracle/linux/x86_64/p13923374_112030_Linux-x86-64.zip -d /tmp</span><br />
<br />
Change to the patch directory and check if it conflicts with the currently installed patches. There shouldn't be any because we just installed 11.2.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /tmp/13923374</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">opatch prereq CheckConflictAgainstOHWithDetail -ph ./</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Prereq "checkConflictAgainstOHWithDetail" passed</span>.</div>
</div>
<div>
<br /></div>
<div>
We are now ready to install the patch. Shut down all instances and listeners running from that Oracle home. Of course, if this database is in production, make sure you let people know that the database will not be available for a short period of time.</div>
<div>
<span style="background-color: white; line-height: 16px;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">echo "shutdown immediate;" | sqlplus '/ as sysdba'</span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">lsnrctl stop</span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;"><br /></span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;">We can now apply the new patch.</span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;"><br /></span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">cd /tmp/13923374</span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">opatch apply</span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;"><br /></span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;">Once patch installation is finished, run the following scripts in each of the database instances running from this Oracle home.</span></span></div>
<div>
<span style="font-family: inherit;"><span style="line-height: 16px;"><br /></span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">rlwrap sqlplus '/ as sysdba'</span></span></div>
<div>
<span style="line-height: 16px;"><span style="font-family: 'Courier New', Courier, monospace;">SQL> startup;</span></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span style="line-height: 16px;">SQL> </span>@?/rdbms/admin/catbundle.sql psu apply</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SQL> exit</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Start the listener again.</span></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">lsnrctl start</span></div>
<div>
<br />
<h3>
Configure Recovery Manager (RMAN)</h3>
<br />
If your site has Oracle RDBMS systems, chances are that you already have a Recovery Manager Catalog. Let's assume you have one and configure the new database with it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - oracle</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">rman target sys@meta catalog rman@rman</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> register database;</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure retention policy to recovery window of 10 days;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure backup optimization on;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure controlfile autobackup on;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure device type disk parallelism 2 backup type to copy;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure compression algorithm 'basic' as of release 'default' optimize for load false;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure archivelog deletion policy to backed up 2 times to disk;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> configure snapshot controlfile name to '/u01/app/oracle/admin/meta/controlfile/snapshot_cf.rman';</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> show all;</span></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN configuration parameters for database with db_unique_name META are:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 10 DAYS;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE BACKUP OPTIMIZATION ON;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE DEFAULT DEVICE TYPE TO DISK; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE CONTROLFILE AUTOBACKUP ON;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO '%F'; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE DEVICE TYPE DISK PARALLELISM 2 BACKUP TYPE TO COPY;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE MAXSETSIZE TO UNLIMITED; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE ENCRYPTION FOR DATABASE OFF; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE COMPRESSION ALGORITHM 'basic' AS OF RELEASE 'default' OPTIMIZE FOR LOAD FALSE;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE ARCHIVELOG DELETION POLICY TO BACKED UP 2 TIMES TO DISK;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">CONFIGURE SNAPSHOT CONTROLFILE NAME TO '/u01/app/oracle/admin/meta/controlfile/snapshot_cf.rman'; # default</span><br />
<br />
Once the database is configured, we can already create a first backup. This example uses Incrementally Updated Backups. See these Document IDs for more info:<br />
<br />
<a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=360416.1">Doc ID 360416.1 - Oracle10g / 11g - Getting Started with Recovery Manager (RMAN)</a><br />
<a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=351455.1">Doc ID 351455.1 - Oracle Suggested Strategy & Backup Retention</a><br />
<a href="https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=303861.1">Doc ID 303861.1 - Incrementally Updated Backup In 10G</a><br />
<a href="http://download.oracle.com/docs/cd/E11882_01/backup.112/e10642/rcmbckba.htm#i1034163">Oracle Database Backup and Recovery User's Guide 11g Release 2 (11.2) Chapter 9 - Backing Up the Database - Making and Updating Incremental Backups</a><br />
<a href="http://download.oracle.com/docs/cd/E11882_01/backup.112/e10643/rcmsynta007.htm#i78895">Oracle Database Backup and Recovery Reference 11g Release 2 (11.2) - BACKUP</a><br />
<a href="http://download.oracle.com/docs/cd/E11882_01/backup.112/e10642/rcmbckba.htm#CHDCDFDF">Oracle Database Backup and Recovery Reference 11g Release 2 (11.2) - Example 9-10 Advanced Incremental Update Script</a><br />
<div>
<br /></div>
<div>
Let's create a few directories before we can perform a backup. A good practice is to put the backup directory on an NFS share rather than on a disk local to the machine. That way, if the database server ever has a problem, the data is still safe on the NFS share, and if the NFS server or NAS system has a problem, you still have the database intact. The idea is not to put all your eggs in the same basket ;)</div>
<div>
<br /></div>
<div>
So let's assume that we already have a NAS share which is automounted on the database server on <span style="font-family: 'Courier New', Courier, monospace;">/backup/oracle</span>, we could run this to create an incrementally updated backup of the database :</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> run {</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">2> sql "create pfile=''/backup/oracle/meta/pfile.txt'' from spfile";</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">3> sql "alter database backup controlfile to trace as ''/backup/oracle/meta/controlfile.before.backup.txt'' reuse";</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">4> recover copy of database with tag DAILY until time 'sysdate - 1';</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">5> backup as compressed backupset incremental level 1 for recover of copy with tag DAILY database;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">6> backup as compressed backupset archivelog all delete all input;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">7> sql "alter database backup controlfile to trace as ''/backup/oracle/meta/controlfile.after.backup.txt'' reuse";</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">8> backup recovery area to destination '/backup/oracle/rman/meta';</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">9> crosscheck backup;</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">10> delete noprompt obsolete;</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">11> }</span></div>
</div>
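To run the same backup from cron and get told when it fails, the run block above can be handed to rman as a command file and its log scanned for errors. This is an added example, not part of the original post; it assumes the oracle user's environment (ORACLE_HOME, ORACLE_SID, PATH) is set, that the catalog login uses an external password store (/@rman) rather than the interactive rman@rman from the post, and the rman_daily log name and the sample log lines are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the original post: run the post's incrementally
# updated backup of the META database unattended (e.g. from cron) and fail
# loudly when the RMAN log shows errors. Assumed: ORACLE_HOME/ORACLE_SID/PATH
# are set for the oracle user, the catalog login uses an external password
# store ("/@rman") instead of the interactive rman@rman from the post, and
# /backup/oracle/meta is the NAS mount from the post.

# check_rman_log LOGFILE: 0 when clean, 1 when RMAN-/ORA- errors appear or
# the closing "Recovery Manager complete." line is missing (rman was killed).
check_rman_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    errors=$(grep -E '^(RMAN|ORA)-[0-9]{5}:' "$log" || true)
    if [ -n "$errors" ]; then
        echo "RMAN reported errors in $log:" >&2
        printf '%s\n' "$errors" | head -n 5 >&2
        return 1
    fi
    if ! grep -q '^Recovery Manager complete\.' "$log"; then
        echo "RMAN did not run to completion: $log" >&2
        return 1
    fi
    return 0
}

# run_backup: write the post's run block to a command file and hand it to rman.
run_backup() {
    cmdfile=$(mktemp /tmp/rman_meta.XXXXXX) || return 1
    logfile="/backup/oracle/meta/rman_daily_$(date +%Y%m%d_%H%M%S).log"
    cat > "$cmdfile" <<'EOF'
run {
  sql "create pfile=''/backup/oracle/meta/pfile.txt'' from spfile";
  sql "alter database backup controlfile to trace as ''/backup/oracle/meta/controlfile.before.backup.txt'' reuse";
  recover copy of database with tag DAILY until time 'sysdate - 1';
  backup as compressed backupset incremental level 1 for recover of copy with tag DAILY database;
  backup as compressed backupset archivelog all delete all input;
  sql "alter database backup controlfile to trace as ''/backup/oracle/meta/controlfile.after.backup.txt'' reuse";
  backup recovery area to destination '/backup/oracle/rman/meta';
  crosscheck backup;
  delete noprompt obsolete;
}
EOF
    rman target / catalog /@rman cmdfile="$cmdfile" log="$logfile"
    rc=$?
    rm -f "$cmdfile"
    # rman exits non-zero on error; the log check also catches a killed run.
    [ "$rc" -eq 0 ] && check_rman_log "$logfile"
}

# Constructed sample of a failing log, in the format rman writes, used to
# exercise check_rman_log offline (the error codes are real RMAN/ORA codes).
sample_failed_log() {
    cat <<'EOF'
Starting backup at 25-JAN-14
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 01/25/2014 02:10:11
ORA-19502: write error on file "/backup/oracle/rman/meta/o1_mf_1.bkp", block number 1
Recovery Manager complete.
EOF
}

# Run the real backup only when asked to; running without arguments just
# defines the functions so they can be tested or sourced.
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

A cron entry for the oracle user then becomes a single call with --run, and a non-zero exit (plus the first error lines on stderr) is what your job scheduler or mail alert keys on.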
<div>
<br /></div>
Once in RMAN, we can also check the database schema :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">RMAN> report schema;</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Report of database schema for database with db_unique_name META</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">List of Permanent Datafiles</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">===========================</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">File Size(MB) Tablespace RB segs Datafile Name</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">---- -------- -------------------- ------- ------------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">1 612 SYSTEM *** /u02/oradata/meta/system01.dbf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">2 666 SYSAUX *** /u02/oradata/meta/sysaux01.dbf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">3 393 UNDOTBS1 *** /u02/oradata/meta/undotbs01.dbf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">4 5 USERS *** /u02/oradata/meta/users01.dbf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">5 14 RMAN *** /u02/oradata/meta/rman01.dbf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">List of Temporary Files</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">=======================</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">File Size(MB) Tablespace Maxsize(MB) Tempfile Name</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">---- -------- -------------------- ----------- --------------------</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">1 60 TEMP 32767 /u02/oradata/meta/temp01.dbf</span><br />
<div>
<br /></div>
</div>
<div>
<span style="font-family: inherit;">So that's it for now.</span></div>
<br />
HTH,<br />
<br />
DA+</div>
</div>
</div>
</div>
<b>Howto Recover Lost Cisco Enable Password</b> (2012-08-21)<br />
<br />
In this blog post, we will recover from a lost Cisco switch enable password.<br />
<br />
<a name='more'></a><br /><br />
Connect the console cable to a running Linux or FreeBSD machine's serial port. Make sure the <span style="font-family: 'Courier New', Courier, monospace;"><a href="http://www.gnu.org/software/screen/">screen(1)</a></span> software is installed.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"># FreeBSD or PC-BSD version :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /usr/ports/sysutils/screen</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo make install clean</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Linux version :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install screen</span><br />
<br />
Then use <span style="font-family: 'Courier New', Courier, monospace;">screen(1)</span> to connect to the serial port and thus get the Cisco switch's console output :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"># FreeBSD or PC-BSD version :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo screen -S cisco /dev/cuau0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Linux version :</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo screen -S cisco /dev/ttyS0</span><br />
<br />
Now hold the <b>Mode</b> button, and at the same time reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">The system has been interrupted prior to initializing the flash </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">file system. The following commands will initialize the flash </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">file system, and finish loading the operating system software:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">flash_init</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">load_helper</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">boot</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch:</span></div>
</div>
<div>
<br /></div>
<div>
At the switch: prompt, issue the following command to initialize the Flash file system :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch: flash_init</span></div>
<div>
<br /></div>
<div>
<div>
Load any helper files:</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch: load_helper</span></div>
<div>
<br /></div>
<div>
Display the contents of Flash memory:</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch: dir flash:</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Directory of flash:/</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">2 -rwx 1645810 &lt;date&gt; c2900XL-c3h2s-mz-120.5.2-XU.bin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">3 -rwx 105970 &lt;date&gt; c2900XL-diag-mz-120.5.2-XU</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">4 drwx 6784 &lt;date&gt; html</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">111 -rwx 3087 &lt;date&gt; config.text</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">112 -rwx 286 &lt;date&gt; env_vars</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">113 -rwx 1456 &lt;date&gt; vlan.dat</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">114 -rwx 25 &lt;date&gt; snmpengineid</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">829952 bytes available (2782720 bytes used)</span></div>
<div>
<br /></div>
<div>
We can see several files with their sizes. The file that we're interested in is <span style="font-family: 'Courier New', Courier, monospace;">config.text</span>, which holds the switch's configuration and the lost password. So let's move all this aside for now. Be careful to use the rename command and not the copy command here.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch: rename flash:config.text flash:config.old</span></div>
<div>
<br /></div>
</div>
<div>
<div>
Boot the system.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">switch: boot</span></div>
<div>
<br /></div>
<div>
You are prompted to start the setup program. Enter <b>N</b> at the prompt.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Continue with the configuration dialog? [yes/no]: N</span></div>
</div>
<br />
That will drop you to the <span style="font-family: 'Courier New', Courier, monospace;">Switch></span> prompt. Move to privileged EXEC mode.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch> enable</span><br />
<br />
This will change the prompt to <span style="font-family: 'Courier New', Courier, monospace;">Switch#</span> instead of <span style="font-family: 'Courier New', Courier, monospace;">Switch></span>. We can now load the old configuration into memory. But before we can do this, we need to rename the configuration file to its original name:<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch# rename flash:config.old flash:config.text</span><br />
<br />
Copy the configuration file into memory and press Return in response to the confirmation prompts.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch# copy flash:config.text system:running-config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Source filename [config.text]?</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Destination filename [running-config]?</span><br />
<br />
The configuration file is now reloaded, and you can use the following normal commands to change the password.<br />
<br />
Enter global configuration mode:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch# config terminal</span><br />
<br />
Change the password:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config)# enable secret &lt;password&gt;</span><br />
<br />
While we're at it, let's change the console and vty line passwords as well.<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config)# line con 0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# login</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# password &lt;password&gt;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# line vty 0 15 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# login</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# password &lt;password&gt;</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch(config-line)# end</span><br />
<div>
<br /></div>
<br />
We're now ready to reload the switch and test our new passwords.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Switch# reload</span><br />
<br />
Once the switch is back, we will be able to login with our new passwords.<br />
<br />
Finally, to exit from the <span style="font-family: 'Courier New', Courier, monospace;">screen(1)</span>, simply hit « <span style="font-family: 'Courier New', Courier, monospace;">Ctrl-A</span> » then hit the « <span style="font-family: 'Courier New', Courier, monospace;">K</span> » key. You will be asked if you really want to kill the screen, simply say « yes ».<br />
<br />
That's it!<br />
<br />
HTH,<br />
<br />
DA+<br />
<b>How to remove an FC LUN from a running RedHat 6 server</b> (2012-08-16, updated 2013-03-20)<br />
<br />
This quick howto document shows how to remove a fibre channel LUN under multipathd(8) control from a running RedHat Enterprise Linux 6 machine. Be careful when performing online storage modifications. Make sure you have a valid backup. And of course I can't be held responsible for any problems if you follow these steps ;)<br />
<br />
<a name='more'></a>In our example, we have an LVM volume mounted on <span style="font-family: 'Courier New', Courier, monospace;">/export/oracle</span> which is under <span style="font-family: 'Courier New', Courier, monospace;">multipathd(8)</span> control. We will remove this volume from the server without taking the machine down.<br />
<br />
So first, make sure the mount point is not used anymore. Check your applications and users and remove all references to this device.<br />
<br />
If the volume is mounted, check if it's used and if not, then unmount it. The <span style="font-family: 'Courier New', Courier, monospace;">fuser(1)</span> and <span style="font-family: 'Courier New', Courier, monospace;">lsof(1)</span> commands can tell you if the device is in use. Don't forget that if this file system is shared via NFS, you will need to stop the NFS daemons before you can <span style="font-family: 'Courier New', Courier, monospace;">umount(1)</span> it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">df -h /export/oracle</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/ora-bckp 2.0T 1.4T 509G 74% /export/oracle</span><br />
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo fuser /export/oracle</span></div>
<br />
Now unmount the file system.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo umount /export/oracle</span><br />
<br />
From the <span style="font-family: 'Courier New', Courier, monospace;">df(1)</span> command above, we saw that the <span style="font-family: 'Courier New', Courier, monospace;">/export/oracle</span> file system is in fact an LVM logical volume called « <span style="font-family: 'Courier New', Courier, monospace;">bckp</span> » from the volume group « <span style="font-family: 'Courier New', Courier, monospace;">ora</span> ». Let's take a look at the LVM configuration for both of these objects starting with the logical volume.<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo lvs ora/bckp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> LV VG Attr LSize Pool Origin Data% Move Log Cpy%Sync Convert</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> bckp ora -wi-a---- 2.00t</span> <br />
<div>
<br /></div>
<div>
Then the volume group.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vgs ora</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> VG #PV #LV #SN Attr VSize VFree</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> ora 4 1 0 wz--n- 2.00t 0 </span></div>
</div>
<div>
<br /></div>
<div>
And finally, the physical devices.</div>
<div>
<br /></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo pvs | egrep 'PV|ora'</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"> PV VG Fmt Attr PSize PFree</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /dev/mapper/backup01 ora lvm2 a-- 512.00g 0 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /dev/mapper/backup02 ora lvm2 a-- 512.00g 0 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /dev/mapper/backup03 ora lvm2 a-- 512.00g 0 </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /dev/mapper/backup04 ora lvm2 a-- 512.00g 0 </span><br />
<div>
<br /></div>
<br />
Take a note of these four LVM physical devices. We will use this info later. But for now, we must first remove the logical volume and then the volume group from LVM. We start by removing the logical volume.<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo lvremove ora/bckp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Do you really want to remove active logical volume bckp? [y/n]: <b>y</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Logical volume "bckp" successfully removed</span><br />
<div>
<br /></div>
<div>
Then we remove the volume group.</div>
<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vgremove ora</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Volume group "ora" successfully removed</span><br />
<br />
We can now work on the LVM physical devices.<br />
<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo pvremove /dev/mapper/backup01</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Labels on physical volume "/dev/mapper/backup01" successfully wiped</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo pvremove /dev/mapper/backup02 /dev/mapper/backup03 /dev/mapper/backup04</span></div>
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"> Labels on physical volume "/dev/mapper/backup02" successfully wiped</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Labels on physical volume "/dev/mapper/backup03" successfully wiped</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Labels on physical volume "/dev/mapper/backup04" successfully wiped</span><br />
<div>
<br /></div>
<br />
Good, now let's check the multipath status for these four LVM physical devices.<br />
<br />
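Reading the host:channel:target:lun values out of multipath -ll by hand is fine for four LUNs, but a helper that prints the paths behind one alias makes it easy to double check them against the pvs output before anything is removed. This is an added example, not from the original post; it assumes the RHEL 6 multipath -ll layout, the script name is hypothetical, and sample_multipath_ll is a constructed stand-in for the real command.<br />

```shell
#!/bin/sh
# Added example, not from the original post: list the per-path SCSI IDs
# (host:channel:target:lun) and sd devices behind one multipath alias, parsed
# from "multipath -ll" output, so the paths of backup01..backup04 can be
# checked against the pvs output before any of them is removed. Assumed: the
# RHEL 6 multipath -ll layout shown in the post; sample_multipath_ll is a
# constructed stand-in for the real command; the script name is hypothetical.

# mpath_paths ALIAS: read multipath -ll output on stdin, print "H:C:T:L sdX"
# for every path that belongs to ALIAS.
mpath_paths() {
    awk -v alias="$1" '
        # Map headers start in column 1 ("backup04 (WWID) dm-2 HP,HSV300");
        # the size=/policy/path lines below them are indented or start with | or `.
        /^[^ |`]/ && /dm-[0-9]+/ { inmap = ($1 == alias); next }
        # Path lines carry H:C:T:L followed by the sd device name.
        inmap && match($0, /[0-9]+:[0-9]+:[0-9]+:[0-9]+ sd[a-z]+/) {
            print substr($0, RSTART, RLENGTH)
        }'
}

# mpath_path_count ALIAS: number of paths behind ALIAS (stdin as above).
mpath_path_count() {
    mpath_paths "$1" | wc -l | tr -d ' '
}

# Constructed sample in the format of the post's multipath -ll output
# (two of the four maps, with the WWIDs as shown in the post).
sample_multipath_ll() {
    cat <<'EOF'
backup04 (3600508b4000c1ec00001400000b30000) dm-2 HP,HSV300
size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=50 status=active
| |- 2:0:0:4 sdd 8:48 active ready running
| `- 3:0:3:4 sdt 65:48 active ready running
`-+- policy='service-time 0' prio=10 status=enabled
  |- 2:0:3:4 sdj 8:144 active ready running
  `- 3:0:0:4 sdn 8:208 active ready running
backup03 (3600508b4000c1ec00001400000a60000) dm-3 HP,HSV300
size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=50 status=active
| |- 2:0:3:3 sdi 8:128 active ready running
| `- 3:0:0:3 sdm 8:192 active ready running
`-+- policy='service-time 0' prio=10 status=enabled
  |- 2:0:0:3 sdc 8:32 active ready running
  `- 3:0:3:3 sds 65:32 active ready running
EOF
}

# Usage against the live system (multipath -ll needs root):
#   sudo multipath -ll | sh mpath_paths.sh backup04
if [ $# -eq 1 ]; then
    mpath_paths "$1"
fi
```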
<span style="font-family: 'Courier New', Courier, monospace;">sudo multipath -ll</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">[...output truncated...]</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">backup04 (3600508b4000c1ec00001400000b30000) dm-2 HP,HSV300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">|-+- policy='service-time 0' prio=50 status=active</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| |- <b>2:0:0:4</b> sdd 8:48 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| `- <b>3:0:3:4</b> sdt 65:48 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">`-+- policy='service-time 0' prio=10 status=enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> |- <b>2:0:3:4</b> sdj 8:144 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> `- <b>3:0:0:4</b> sdn 8:208 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">backup03 (3600508b4000c1ec00001400000a60000) dm-3 HP,HSV300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">|-+- policy='service-time 0' prio=50 status=active</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| |- <b>2:0:3:3</b> sdi 8:128 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| `- <b>3:0:0:3</b> sdm 8:192 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">`-+- policy='service-time 0' prio=10 status=enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> |- <b>2:0:0:3</b> sdc 8:32 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> `- <b>3:0:3:3</b> sds 65:32 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">backup02 (3600508b4000c1ec00001400000980000) dm-1 HP,HSV300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">|-+- policy='service-time 0' prio=50 status=active</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| |- <b>2:0:0:2</b> sdb 8:16 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| `- <b>3:0:3:2</b> sdr 65:16 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">`-+- policy='service-time 0' prio=10 status=enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> |- <b>2:0:3:2</b> sdh 8:112 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> `- <b>3:0:0:2</b> sdl 8:176 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">backup01 (3600508b4000c1ec00001400000840000) dm-0 HP,HSV300</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">|-+- policy='service-time 0' prio=50 status=active</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| |- <b>2:0:0:1</b> sda 8:0 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">| `- <b>3:0:3:1</b> sdq 65:0 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">`-+- policy='service-time 0' prio=10 status=enabled</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> |- <b>2:0:3:1</b> sdg 8:96 active ready running</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> `- <b>3:0:0:1</b> sdk 8:160 active ready running</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<br />
<div>
Record the <b>bold output</b> (the <i>host:channel:target:lun</i> tuple of every path) as we need it later. A quick way to do so is to extract exactly those tuples; the WWID and the <span style="font-family: 'Courier New', Courier, monospace;">8:48</span> major:minor pairs have fewer than three colons and are left out :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">for i in backup01 backup02 backup03 backup04; do</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> sudo multipath -ll "$i" | grep -oE '[0-9]+:[0-9]+:[0-9]+:[0-9]+' | tee -a /tmp/ids</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">done</span><br />
<br /></div>
<div>
Now remove the LUNs from <span style="font-family: 'Courier New', Courier, monospace;">multipathd(8)</span> control. <span style="font-family: 'Courier New', Courier, monospace;">multipath -f</span> flushes one map per invocation (only the first device argument is used), and it refuses to flush a map that still has an open user, which is exactly the check we want after wiping the LVM labels above.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">for i in backup01 backup02 backup03 backup04; do sudo multipath -f "$i"; done</span></div>
<div>
<br /></div>
<div>
Once that's done, make sure they're not listed in the following output.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo multipath -ll | grep backup</span><br />
<br />
Update <span style="font-family: 'Courier New', Courier, monospace;">/etc/multipath.conf</span> to remove the LUN. In this example, I removed this block of code from the file's <span style="font-family: 'Courier New', Courier, monospace;">multipaths</span> section. YMMV of course, because the LUN's WWN will obviously not be the same.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vim /etc/multipath.conf</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"><remove></span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"> multipath {</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> wwid "3600508b4000c1ec00001400000840000"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> alias backup01</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> multipath {</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> wwid "3600508b4000c1ec00001400000980000"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> alias backup02</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> multipath {</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> wwid "3600508b4000c1ec00001400000a60000"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> alias backup03</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> multipath {</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> wwid "3600508b4000c1ec00001400000b30000"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> alias backup04</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"></remove></span></div>
<div>
<br /></div>
</div>
<div>
Tell <span style="font-family: 'Courier New', Courier, monospace;">multipathd(8)</span> that the configuration has changed.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/multipathd reload</span></div>
<div>
<br /></div>
<div>
Clear the device from the SCSI subsystem. This is where we need the recorded output from above. What we need is the <span style="font-family: 'Courier New', Courier, monospace;"><i>HBA number:Channel:Target ID:LUN number</i></span> numbers. These numbers look like <span style="font-family: 'Courier New', Courier, monospace;">2:0:1:3</span><span style="font-family: inherit;"> in the </span><span style="font-family: 'Courier New', Courier, monospace;">`multipath -ll`</span><span style="font-family: inherit;"> output. Since we previously saved our SCSI IDs in the </span><span style="font-family: 'Courier New', Courier, monospace;">/tmp/ids</span><span style="font-family: inherit;"> file, we can </span>simply <span style="font-family: inherit;">do this :</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - root</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">cat /tmp/ids | while read id; do</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> echo "1" > /sys/class/scsi_device/${id}</span><span style="font-family: 'Courier New', Courier, monospace;">/device/delete</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">done</span></div>
<div>
<br /></div>
<div>
This will generate log lines like this one in <span style="font-family: 'Courier New', Courier, monospace;">/var/log/messages</span>, one per deleted path :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Aug 16 13:19:52 oxygen multipathd: sdw: remove path (uevent)</span></div>
</div>
<div>
<br /></div>
<div>
Now that we have safely removed the LUNs from the server, we can remove those LUNs from the storage array. Once you do this, the server from which we just removed the LUNs will complain in its <span style="font-family: 'Courier New', Courier, monospace;">/var/log/messages</span> :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Aug 16 13:48:59 oxygen kernel: sd 5:0:0:1: [sdc] Warning! Received an indication that the LUN assignments on this target have changed. The Linux SCSI layer does not automatically remap LUN assignments.</span><br />
<div>
<br /></div>
<div>
These are warning messages only and can be safely ignored. To be complete, we should really issue a LIP (Loop Initialization Primitive, which on a fabric amounts to a port reset followed by a rescan) from each of the HBA ports on the server, so that the kernel's view matches what the array now presents. Keep in mind that the rescan covers everything behind that port and can briefly delay I/O on the LUNs that stay in use, so do it in a quiet period. If you don't know how many HBA ports you have, just look into the <span style="font-family: 'Courier New', Courier, monospace;">/sys/class/fc_host</span> directory. There is going to be one sub-directory per HBA port. In this example, the machine has two single-port HBAs, so we have two sub-directories.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ls /sys/class/fc_host/</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">host2 host3</span></div>
<div>
<br /></div>
<div>
To issue a LIP reset, simply do this.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - root</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ls /sys/class/fc_host/ | while read dir</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> do echo $dir; echo 1 > /sys/class/fc_host/${dir}/issue_lip</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">done</span><br />
<br />
And that's it!<br />
<br /></div>
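<div>
The steps above (record the paths, flush the map, delete the SCSI devices) collected into a small script, as an added example that is not part of the original post. It assumes the sysfs layout the dm driver exposes on RHEL/CentOS 6 (<span style="font-family: 'Courier New', Courier, monospace;">/sys/block/dm-N/dm/name</span> and <span style="font-family: 'Courier New', Courier, monospace;">/sys/block/dm-N/holders</span>) and reads <span style="font-family: 'Courier New', Courier, monospace;">/proc/mounts</span>; the <span style="font-family: 'Courier New', Courier, monospace;">multipath -ll</span> sample inside it is a constructed copy of the backup04 entry shown above, so the parser can be tried without a storage array. The check it adds is the one you want before <span style="font-family: 'Courier New', Courier, monospace;">multipath -f</span>: refuse to flush a map that still has a holder (an LVM PV you forgot to wipe, a device stacked on it) or a mount. Editing <span style="font-family: 'Courier New', Courier, monospace;">multipath.conf</span> and issuing the LIP are still done as described above.</div>
<div>
<br /></div>

```sh
#!/bin/sh
# Added example (not code from the original post): the LUN removal steps
# collected into functions, with a check that a map really is unused before
# it is flushed. Assumes the sysfs layout of the dm driver on RHEL/CentOS 6
# (/sys/block/dm-N/dm/name, /sys/block/dm-N/holders) and /proc/mounts.

# scsi_ids_from_multipath: read `multipath -ll` output on stdin and print
# the H:C:T:L tuple of every path line, one per line. The WWID in
# parentheses and the 8:48 major:minor pairs have fewer than three colons,
# so they never match.
scsi_ids_from_multipath() {
    grep -oE '[0-9]+:[0-9]+:[0-9]+:[0-9]+'
}

# map_in_use NAME [SYSFS] [MOUNTS]: succeed (status 0) when the dm map with
# alias NAME still has a holder (an LVM PV, a dm device stacked on it) or
# is mounted, which is when `multipath -f` must not be run. SYSFS and
# MOUNTS default to the live kernel views and are parameters only so the
# check can be exercised against a constructed tree.
map_in_use() {
    name="$1"; sysfs="${2:-/sys}"; mounts="${3:-/proc/mounts}"
    for d in "$sysfs"/block/dm-*; do
        [ -f "$d/dm/name" ] || continue
        [ "$(cat "$d/dm/name")" = "$name" ] || continue
        # any entry in holders/ means another device sits on top of this map
        if [ -n "$(ls -A "$d/holders" 2>/dev/null)" ]; then
            return 0
        fi
    done
    grep -q "^/dev/mapper/$name " "$mounts" && return 0
    return 1
}

# remove_lun NAME: the destructive part, to be run as root on the server:
# record the paths, flush the map, then delete every SCSI device that
# backed it. Refuses to touch a map that is still in use.
remove_lun() {
    name="$1"
    if map_in_use "$name"; then
        echo "$name: still in use, not flushing" >&2
        return 1
    fi
    ids=$(multipath -ll "$name" | scsi_ids_from_multipath)
    multipath -f "$name" || return 1
    for id in $ids; do
        echo 1 > "/sys/class/scsi_device/$id/device/delete"
    done
}

# sample_multipath: constructed copy of the backup04 block from the post,
# so the parser can be tried without a storage array.
sample_multipath() {
cat <<'EOF'
backup04 (3600508b4000c1ec00001400000b30000) dm-2 HP,HSV300
size=512G features='1 queue_if_no_path' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=50 status=active
| |- 2:0:0:4 sdd 8:48 active ready running
| `- 3:0:3:4 sdt 65:48 active ready running
`-+- policy='service-time 0' prio=10 status=enabled
  |- 2:0:3:4 sdj 8:144 active ready running
  `- 3:0:0:4 sdn 8:208 active ready running
EOF
}

# Usage, as root, once the LVM labels have been wiped:
#   for m in backup01 backup02 backup03 backup04; do remove_lun "$m"; done
```

<div>
The mount check only recognises the <span style="font-family: 'Courier New', Courier, monospace;">/dev/mapper/NAME</span> spelling in <span style="font-family: 'Courier New', Courier, monospace;">/proc/mounts</span>; a filesystem mounted through <span style="font-family: 'Courier New', Courier, monospace;">/dev/dm-N</span> is still caught by <span style="font-family: 'Courier New', Courier, monospace;">multipath -f</span> itself, which refuses a map with an open count, so the function is a first gate rather than the only one.</div>
<div>
<br /></div>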
<div>
Should you want to read more about online storage management under RedHat 6, then read the Red Hat Enterprise Linux 6 Storage Administration Guide « <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/index.html">Deploying and configuring single-node storage in Red Hat Enterprise Linux 6</a> »</div>
<div>
<br /></div>
</div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com0tag:blogger.com,1999:blog-4619978964286106329.post-32209603905233323032012-06-28T10:31:00.000-04:002012-06-28T10:31:35.768-04:00PC-BSD / FreeBSD Kerberos GNOME Graphical LoginA quick post just to show how to configure a <a href="http://www.pcbsd.org/">PC-BSD</a> or a <a href="http://www.freebsd.org/">FreeBSD</a> workstation to run <span style="font-family: 'Courier New', Courier, monospace;">kinit(1)</span> right when you login. In this example, the desktop machine is running PC-BSD 9.0 with the GNOME desktop.<br />
<br />
<a name='more'></a><br /><br />
To enable Kerberos, you must first have a Kerberos realm configured. See my <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">previous blog post</a> on exactly how to set one up.<br />
<br />
Then configure the PC-BSD desktop machine to run NTP and then to be a Kerberos client (also explained in the <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">previous blog post</a>).<br />
<br />
<i><b>WARNING</b> : be sure to test your Kerberos client setup with <span style="font-family: 'Courier New', Courier, monospace;">kinit(1)</span> <b>before</b> you go any further!</i><br />
<br />
Now, to be extra safe, hit « <span style="font-family: 'Courier New', Courier, monospace;">Ctrl-Alt-F1</span> » to get to a text console and log in there as <span style="font-family: 'Courier New', Courier, monospace;">root</span>. That root shell does not go through gdm's PAM stack, so if the edit below breaks the graphical login you still have a way in to put the backup file back.<br />
<br />
Once this is done, simply edit the <span style="font-family: 'Courier New', Courier, monospace;">/usr/local/etc/pam.d/gdm</span> file to enable the <span style="font-family: 'Courier New', Courier, monospace;">pam_krb5.so</span> module. It's easy, the lines are already there! That's because FreeBSD (the underlying OS of PC-BSD) already ships Kerberos (Heimdal) and its PAM module in the base system. That means you simply need to remove the hash mark to un-comment all the lines that have the <span style="font-family: 'Courier New', Courier, monospace;">pam_krb5.so</span> module in them. Leave the <span style="font-family: 'Courier New', Courier, monospace;">pam_unix.so</span> lines as they are, so that local accounts (root on the console in particular) still work when the KDC is unreachable.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /usr/local/etc/pam.d/gdm ~/pam.d.gdm.backup</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /usr/local/etc/pam.d/gdm</span><br />
<br />
Restart the <span style="font-family: 'Courier New', Courier, monospace;">gdm</span> daemon so that it knows about the new <span style="font-family: 'Courier New', Courier, monospace;">pam.d/gdm</span> file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /usr/local/etc/rc.d/gdm restart</span><br />
<br />
This will place you back at the graphical login screen automagically. Simply log in with your user, then start a shell. Check your Kerberos tickets and, ta-dam, you should have two tickets : the ticket-granting ticket from your KDC and a service ticket for this host's own <span style="font-family: 'Courier New', Courier, monospace;">host/</span> principal. The second one is there because <span style="font-family: 'Courier New', Courier, monospace;">pam_krb5</span> uses the host's keytab to verify that the TGT really came from your KDC, which is what protects the login against a spoofed KDC. If you only see the <span style="font-family: 'Courier New', Courier, monospace;">krbtgt</span> ticket, that verification was skipped (usually because the host has no keytab entry for its <span style="font-family: 'Courier New', Courier, monospace;">host/</span> principal) and the login is trusting whatever answers as the KDC, so fix that before relying on it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">klist</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Credentials cache: FILE:/tmp/krb5cc_5100</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Principal: drobilla@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Issued Expires Principal</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Jun 28 10:12:04 Jun 28 20:12:04 host/tbr.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Jun 28 10:12:04 Jun 28 20:12:04 krbtgt/COMPANY.COM@COMPANY.COM</span><br />
<div>
<br /></div>
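<div>
The same edit done with sed, plus the two checks worth running before restarting gdm, as an added example that is not part of the original post. The PAM file inside it is a constructed sample in the style of the FreeBSD <span style="font-family: 'Courier New', Courier, monospace;">pam.d</span> templates, not the real <span style="font-family: 'Courier New', Courier, monospace;">/usr/local/etc/pam.d/gdm</span>, so run the functions against the real file and read the result before copying it into place.</div>
<div>
<br /></div>

```sh
#!/bin/sh
# Added example (not code from the original post): un-comment the
# pam_krb5.so lines of a PAM service file with sed and check the result
# before it replaces the live file. The sample PAM file below is
# constructed in the style of the FreeBSD pam.d templates.

# enable_pam_krb5 SRC DST: write DST as a copy of SRC in which every line
# that references pam_krb5.so is un-commented. Other comments, including
# section headers such as "# auth", are left alone. No in-place edit, so
# a bad result never replaces the live file by accident.
enable_pam_krb5() {
    sed -e '/pam_krb5\.so/s/^#[[:space:]]*//' "$1" > "$2"
}

# pam_stack_ok FILE: succeed only if FILE has an active
# "auth sufficient pam_krb5.so" line (the edit took effect) AND still has
# "auth required pam_unix.so" (local accounts, in particular root on the
# text console, keep working when the KDC is unreachable).
pam_stack_ok() {
    f="$1"
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so' "$f" || return 1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_unix\.so' "$f" || return 1
    return 0
}

# sample_pam_gdm: constructed input with the pam_krb5.so lines commented
# out, the way the file ships.
sample_pam_gdm() {
cat <<'EOF'
# auth
#auth       sufficient  pam_krb5.so     no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so     no_warn try_first_pass
password    required    pam_unix.so     no_warn try_first_pass
EOF
}

# Usage on the workstation, as root on the text console:
#   enable_pam_krb5 /usr/local/etc/pam.d/gdm /tmp/gdm.new \
#     && pam_stack_ok /tmp/gdm.new \
#     && cp /tmp/gdm.new /usr/local/etc/pam.d/gdm
```

<div>
The check encodes the shape the stack should have after the edit: <span style="font-family: 'Courier New', Courier, monospace;">pam_krb5.so</span> as <span style="font-family: 'Courier New', Courier, monospace;">sufficient</span>, so a correct Kerberos password logs you in on its own, and <span style="font-family: 'Courier New', Courier, monospace;">pam_unix.so</span> still <span style="font-family: 'Courier New', Courier, monospace;">required</span>, so a local password is tried when Kerberos fails.</div>
<div>
<br /></div>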
<div>
You can now login to other servers in your Kerberos realm without having to type your password.</div>
<div>
<br /></div>
<div>
BTW : don't forget to log out from the text console root shell and delete the <span style="background-color: white; font-family: 'Courier New', Courier, monospace;">~/pam.d.gdm.backup</span><span style="background-color: white;"> file.</span></div>
<div>
<br /></div>
<div>
Enjoy!</div>
<div>
<br /></div>
<div>
David</div>Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com0tag:blogger.com,1999:blog-4619978964286106329.post-78949354880541686472012-06-12T12:10:00.003-04:002014-01-15T11:49:52.325-05:00Secure Backup & Recovery with rsnapshot, rssh and OpenSSH<h2>
Overview</h2>
<div>
<br /></div>
<div>
We all need to back up our machines. But we also need to keep the data private and the backup procedure secured. On UNIX and Linux machines, we need to run the backup operation as root in order to read everything on the machines. But allowing remote connections as the <span style="font-family: 'Courier New', Courier, monospace;">root</span> user is not exactly a good idea. So how do we proceed? We use <a href="http://rsnapshot.org/"><span style="font-family: 'Courier New', Courier, monospace;">rsnapshot(1)</span></a> and <a href="http://www.pizzashack.org/rssh/"><span style="font-family: 'Courier New', Courier, monospace;">rssh(1)</span></a> together with <a href="http://www.openssh.org/">OpenSSH</a> to secure the whole process. Here's how to do it on CentOS 6.</div>
<div>
<br /></div>
<div>
In case you're running a heterogeneous network, please note that I've successfully configured this process on <a href="http://www.freebsd.org/">FreeBSD</a>, <a href="http://www.pcbsd.org/">PC-BSD</a>, <a href="http://www.redhat.com/">RedHat</a>, <a href="http://www.ubuntu.com/">Ubuntu</a>, <a href="http://en.wikipedia.org/wiki/IBM_AIX">AIX</a> and <a href="http://en.wikipedia.org/wiki/Solaris_(operating_system)">Solaris</a> servers.</div>
<div>
<br /></div>
<div>
In this example, our backup server is called <span style="font-family: 'Courier New', Courier, monospace;">backup.company.com</span> and is running CentOS 6 while the clients are :<br />
<ol>
<li>The OpenLDAP server <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span><span style="font-family: inherit;"> <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">that</a> </span><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">we</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">configured</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">in</a> <a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">several</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">other</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">blog</a> <a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">posts</a> and running CentOS 6.</li>
<li>A workstation machine called <span style="font-family: 'Courier New', Courier, monospace;">charlie.company.com</span> running PC-BSD 9.0 (i.e. FreeBSD 9.0 :)</li>
</ol>
</div>
<div>
<a name='more'></a></div>
<div>
<br /></div>
<h2>
Server Configuration (part 1 of 2)</h2>
<div>
<br /></div>
<div>
Select a server which has a lot of hard disk space or that can grow its storage without too much trouble. Don't forget that this solution is a disk-based backup solution, so we need disk space. Not an enormous quantity, thanks to rsnapshot, but enough to hold all of your current and future clients. If you can, I'd suggest that you use either a FreeBSD or a Solaris machine and configure the <span style="font-family: 'Courier New', Courier, monospace;">/backup</span> filesystem on <a href="http://en.wikipedia.org/wiki/ZFS">ZFS</a> to benefit from its <a href="http://en.wikipedia.org/wiki/ZFS#Data_Integrity">data integrity</a> feature and eliminate the risk of silent data corruption. There is <a href="http://zfsonlinux.org/">ZFS on Linux</a>, but I haven't tried it yet since it's still a release candidate. And <a href="http://en.wikipedia.org/wiki/Btrfs">Btrfs</a> is also not production ready at the time of this writing. Since this is our production data, I don't want to use a non-production ready file system to store it.</div>
<div>
<br /></div>
<div>
So, once you have selected a machine, install a minimal CentOS 6 on it and <b>make sure to create a separate file system with a mount point of <span style="font-family: 'Courier New', Courier, monospace;">/backup</span></b>. </div>
<div>
<br /></div>
<div>
Connect to the backup server and setup the <span style="font-family: 'Courier New', Courier, monospace;">/backup</span> directories.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh backup.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /backup/{conf,data,key,log,run,scripts}</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R root:root /backup</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Then install some more packages.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install openssh-clients rsnapshot</span></div>
<div>
<br /></div>
<div>
The rsnapshot installation will also install <a href="http://en.wikipedia.org/wiki/Rsync"><span style="font-family: 'Courier New', Courier, monospace;">rsync</span></a> as a dependency.</div>
<div>
<br /></div>
<div>
Next create a backup group and a backup user. Notice that our backup user has UID zero (the same as the root user). This is crucial for our purposes: it is what lets the backup read every file on the clients. Keep in mind what it implies, though: the private key we create below is root on every client, so the backup server that holds it must be protected like a root-equivalent host. Also keep in mind that you may select any GID for the backup group. The important thing is to <i>make sure that the backup GID and UID are exactly the same across your entire infrastructure</i>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 911 backup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo useradd -c "Remote Backup User" -d /home/backup -o -u 0 -g 911 -m -s /bin/bash backup</span></div>
<div>
<br /></div>
<div>
Make sure to assign a password to our new backup user. This way its account won't be locked.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo passwd backup</span></div>
<div>
<br /></div>
<div>
Switch to the backup user and create an SSH key pair. I use DSA here because all my other keys are RSA. <b>Do not assign a passphrase to the new key</b> : the backup runs unattended from cron, so nobody would be there to type it; the permissions on <span style="font-family: 'Courier New', Courier, monospace;">/backup/key</span> and the <span style="font-family: 'Courier New', Courier, monospace;">from=</span> restriction we add on the clients are what compensate for that. Note that <span style="font-family: 'Courier New', Courier, monospace;">ssh-keygen</span> only allows 1024-bit DSA keys and that OpenSSH 7.0 and later refuse <span style="font-family: 'Courier New', Courier, monospace;">ssh-dss</span> keys by default, so on a current system generate an RSA (3072 bits or more) or Ed25519 key instead and adjust the <span style="font-family: 'Courier New', Courier, monospace;">id_dsa</span> file names below accordingly.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su - backup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh-keygen -t dsa -b 1024</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<br /></div>
<div>
Copy the key pair into the <span style="font-family: 'Courier New', Courier, monospace;">/backup/key</span> directory, which only root can enter.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp ~backup/.ssh/id_dsa ~backup/.ssh/id_dsa.pub /backup/key</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 700 /backup/key</span></div>
<div>
<br /></div>
<div>
Create two wrapper scripts to help the process.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/backup_runner.sh">/backup/scripts/backup_runner.sh</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/ssh_wrapper.sh">/backup/scripts/ssh_wrapper.sh</a></span></div>
<div>
<br /></div>
<div>
Make sure both scripts are executable and that they don't have any syntax errors in them.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod a+x /backup/scripts/*.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo sh -n /backup/scripts/backup_runner.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo sh -n /backup/scripts/ssh_wrapper.sh</span></div>
<div>
<br /></div>
<div>
Exclude some files from the CentOS/RedHat machines.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/exclude.centos.os.conf">/backup/conf/exclude.centos.os.conf</a></span></div>
<div>
<br /></div>
<div>
Configure the clients. <b>WARNING</b> : rsnapshot is <i>very</i> sensitive with spaces and tabs. <b>DO NOT USE ANY SPACES IN THE CONFIGURATION FILE!</b> You have been warned :)</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/alice.company.com.txt">/backup/conf/alice.company.com</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi </span><a href="https://dl.dropbox.com/u/72609528/blog/backup/charlie.company.com.txt" style="font-family: 'Courier New', Courier, monospace;">/backup/conf/charlie.company.com</a><br />
<div>
</div>
</div>
<div>
<br />
Make sure our backup log files don't consume too much disk space.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/etc.logrotate.d.backup">/etc/logrotate.d/backup</a></span></div>
<div>
<br /></div>
<div>
And make sure our new logrotate configuration is still valid.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo logrotate -d /etc/logrotate.conf</span></div>
<div>
<br /></div>
<div>
Before we can back up a machine, we must make sure the client allows the connection and has a copy of the backup user's public ssh key. Of course, <i>replace my username by yours in the commands below...</i></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo scp /backup/key/id_dsa.pub drobilla@alice.company.com:/tmp</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo scp /backup/key/id_dsa.pub drobilla@charlie.company.com:/tmp</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<h2>
Client Configurations</h2>
<div>
<br /></div>
<div>
In this section we will configure the CentOS and FreeBSD / PC-BSD clients.</div>
<div>
<br /></div>
<h3>
CentOS 6 Client Configuration</h3>
<div>
<br /></div>
<div>
<div>
We need to install rssh on each client, but it's not in the default CentOS repositories. Thankfully, rssh is available in <a href="http://wiki.centos.org/AdditionalResources/Repositories/RPMForge">RPMforge</a>, one of the <a href="http://wiki.centos.org/AdditionalResources/Repositories">Additional CentOS Repositories</a>. Simply follow the <a href="http://wiki.centos.org/AdditionalResources/Repositories/RPMForge#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01">instructions</a> to install the RPMforge repository. Once this is done, install rssh and rsync.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install rssh rsync</span></div>
</div>
<div>
<br /></div>
<div>
We also need the same backup group and user on each client. But here there is a subtle but very important difference : the backup user's shell is set to <span style="font-family: 'Courier New', Courier, monospace;">/usr/bin/rssh</span>, so even with UID 0 the account can only run the commands rssh permits.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo groupadd -g 911 backup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo useradd -c "Remote Backup User" -d /home/backup -o -u 0 -g 911 -m -s /usr/bin/rssh backup</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
Make sure to assign a password to our new backup user. This way its account won't be locked.</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo passwd backup</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Then place a copy of the backup user's public ssh key into the client's backup </span><span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span><span style="font-family: inherit;"> file.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir ~backup/.ssh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/id_dsa.pub ~backup/.ssh/authorized_keys</span></div>
<div>
<br /></div>
<div>
Now edit the <span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span> file to add the <span style="font-family: 'Courier New', Courier, monospace;">from="backup.company.com"</span> option at the start of the key line (options are a comma-separated list that precedes the key type on the same line). This will restrict the use of this key to our backup server only. Any other machine trying to use this key will not be permitted. This is an extra layer of security to the whole setup. Note that sshd matches a <span style="font-family: 'Courier New', Courier, monospace;">from=</span> pattern against the connecting IP address and, only when <span style="font-family: 'Courier New', Courier, monospace;">UseDNS</span> is enabled, against its reverse-resolved host name, so list the backup server's IP address as well (comma-separated) to keep the restriction effective if reverse DNS is off or changes. <a href="http://man.he.net/man5/authorized_keys">See this URL for more information on the <span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span> file syntax</a>. Keep in mind that the file below is <i>just an example</i>!</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/authorized_keys.txt">~backup/.ssh/authorized_keys</a></span></div>
<div>
<br /></div>
<div>
Make sure it has the right permissions.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 600 ~backup/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root ~backup/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 750 ~backup/.ssh</span></div>
<div>
<br /></div>
<div>
Before we can use rssh, we must configure it. Our goal is to use it only for the root/backup user, so let's do this now.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/etc.rssh.conf">/etc/rssh.conf</a></span></div>
<div>
<br /></div>
<div>
We must also add rssh to the available shells on the machine.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/etc.shells.txt">/etc/shells</a></span></div>
<div>
<br /></div>
<div>
And of course, we must configure OpenSSH to allow our backup group to log in and to permit the backup user to log in with a key but never with a password. The second point matters because sshd decides whether <span style="font-family: 'Courier New', Courier, monospace;">PermitRootLogin</span> applies by UID, not by user name: our backup user has UID 0, so it counts as root. Note that the same setting also applies to the real root account, so keep <span style="font-family: 'Courier New', Courier, monospace;">/root/.ssh/authorized_keys</span> empty on the clients. Your sshd_config file may be different, so keep in mind that the important configuration keywords are <span style="font-family: 'Courier New', Courier, monospace;">AllowGroups</span> and <span style="font-family: 'Courier New', Courier, monospace;">PermitRootLogin</span> which are set like this :</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/ssh/sshd_config</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">AllowGroups backup sysadmin</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PermitRootLogin without-password</span></div>
</div>
<div>
<br /></div>
<div>
Restart the sshd(8) daemon so that it knows about the new configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/sshd restart</span></div>
<div>
<br /></div>
<div>
And make sure it starts when the client comes up.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig sshd on</span></div>
<div>
<br /></div>
<div>
The client machine is now ready. To test the backup, we must return to our backup server, try the ssh key and accept the client's host key on the very first connection, but only after comparing the fingerprint you are shown with the one <span style="font-family: 'Courier New', Courier, monospace;">ssh-keygen -l</span> prints for the client's host public key: a wrong key accepted here means every later backup run trusts an impostor. Then set up the crontab so that the backup happens every night without having to manually manage it.</div>
<div>
<br />
<h3>
PC-BSD 9.0 / FreeBSD 9.0 Client Configuration</h3>
<br />
Connect to the client machine.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh charlie.company.com</span><br />
<br />
Update the ports tree.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo portsnap fetch</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo portsnap update</span><br />
<br />
Install rssh. We don't need rdist support, but you may compile it in if you want, that's not a problem.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /usr/ports/shells/rssh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo make install clean</span><br />
<br />
Install rsync using all the default options.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cd /usr/ports/net/rsync</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo make install clean</span><br />
<br />
Create the backup group and backup user.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo pw group add -n backup -g 911</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo pw user add -o -u 0 -n backup -d /usr/home/backup -g backup -c "Remote Backup User" -m -s /usr/local/bin/rssh -w random</span></div>
</div>
<div>
<br /></div>
<div>
<div>
<div>
We don't need to assign a password to our new backup user because we chose to use a random one when we created it (see the « <span style="font-family: 'Courier New', Courier, monospace;">-w random</span> » option in the command above). You can forget about this password since you'll never need it.</div>
<span style="font-family: inherit;"><br /></span>
Run a quick chown(1) to fix the ownership of the backup user's <span style="font-family: 'Courier New', Courier, monospace;">.login_conf</span>; you will get an error if you forget it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:wheel /usr/home/backup/.login_conf</span><br />
<br />
<span style="font-family: inherit;">Then place a copy of the backup user's public ssh key into the backup account's </span><span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span><span style="font-family: inherit;"> file on the client.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir ~backup/.ssh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/id_dsa.pub ~backup/.ssh/authorized_keys</span></div>
<div>
<br /></div>
<div>
Now edit the <span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span> file to add the <span style="font-family: 'Courier New', Courier, monospace;">from="backup.company.com"</span> option at the start of the key line. This restricts the use of this key to our backup server only: any other machine presenting this key will be refused. It is an extra layer of security for the whole setup. <a href="http://man.he.net/man5/authorized_keys">See this URL for more information on the <span style="font-family: 'Courier New', Courier, monospace;">authorized_keys</span> file syntax</a>. Keep in mind that the file below is <i>just an example!</i></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/authorized_keys.txt">~backup/.ssh/authorized_keys</a></span></div>
<div>
<br /></div>
<div>
Make sure it has the right permissions.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 600 ~backup/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:wheel ~backup/.ssh/authorized_keys</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 750 ~backup/.ssh</span></div>
<div>
<br /></div>
<div>
Before we can use rssh, we must configure it. Our goal is to use it only for the root/backup user, so let's do this now.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/backup/etc.rssh.conf">/usr/local/etc/rssh.conf</a></span></div>
<div>
</div>
</div>
<br />
And of course, we must configure OpenSSH to allow our backup group to log in and to permit the root user to log in, but only with a key, never with a password. Your sshd_config file may be different, so keep in mind that the important configuration keywords are <span style="font-family: 'Courier New', Courier, monospace;">AllowGroups</span> and <span style="font-family: 'Courier New', Courier, monospace;">PermitRootLogin</span>, which are set like this :<br />
<div>
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/ssh/sshd_config</span></div>
<div>
<div>
</div>
</div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">AllowGroups backup sysadmin</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">PermitRootLogin without-password</span></div>
<div>
<br /></div>
<div>
<div>
And make sure it starts when the client comes up. Just add a single line to <span style="font-family: 'Courier New', Courier, monospace;">/etc/rc.conf</span>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/rc.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sshd_enable="YES"</span></div>
<br />
Restart the <span style="font-family: 'Courier New', Courier, monospace;">sshd(8)</span> daemon so that it knows about the new configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/rc.d/sshd restart</span></div>
<div>
<br /></div>
<div>
The client machine is now ready. To test the backup, we must return to our backup server, try the ssh key, answer YES to the very first connection and then set up the crontab so that the backup happens every night without having to manage it by hand.</div>
<br /></div>
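<div>
The backup account created above runs as uid 0 and is reached with a key, so the <span style="font-family: 'Courier New', Courier, monospace;">from=</span> option, the rssh allow list, the file modes and the two sshd_config keywords are the only guardrails between that key and a root shell. The following audit script is an added example, not part of the original post: the function names and sample files are mine, while <span style="font-family: 'Courier New', Courier, monospace;">backup.company.com</span> and the modes 600/750 come from the steps above; the key material in the samples is a placeholder.</div>

```shell
#!/bin/sh
# Added example, not part of the original post: audit the guardrails the
# client setup relies on (from= in authorized_keys, rssh allow list, file
# modes, sshd_config). Sample files are constructed for offline testing and
# contain placeholder key material, not a real key.

# 0 if every key line in FILE carries from="HOST..." (other options may precede
# it, e.g. no-pty,from="..."); 1 if any key lacks it or the file has no keys.
check_from_restriction() {
    awk -v host="$2" '
        NF == 0 || $1 ~ /^#/ { next }                   # blanks and comments
        { n++ }
        $0 ~ ("^from=\"[^\"]*" host) || $0 ~ (",from=\"[^\"]*" host) { ok++ }
        END { exit !(n > 0 && ok == n) }
    ' "$1"
}

# 0 if PATH has exactly octal mode MODE (POSIX find, so it works on Linux and BSD).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# 0 if rssh.conf enables rsync and nothing else (no scp, sftp, cvs or rdist).
check_rssh_conf() {
    awk '
        $1 ~ /^#/ { next }
        $1 ~ /^allow/ { seen[$1] = 1; n++ }
        END { exit !(n == 1 && ("allowrsync" in seen)) }
    ' "$1"
}

# Print the effective value of sshd_config keyword KEY from FILE: sshd takes the
# first occurrence, so that is what we report. Match blocks are not handled.
sshd_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) {
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit
    }' "$2"
}

# 0 if root may log in with a key only and the backup group is allowed in.
check_sshd_config() {
    case "$(sshd_value PermitRootLogin "$1")" in
        without-password|prohibit-password) ;;       # same setting, newer spelling
        *) return 1 ;;
    esac
    case " $(sshd_value AllowGroups "$1") " in
        *" backup "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_client HOME RSSH_CONF SSHD_CONFIG BACKUP_HOST: run every check, report failures.
audit_client() {
    rc=0
    check_from_restriction "$1/.ssh/authorized_keys" "$4" || { echo "key not restricted to $4"; rc=1; }
    has_mode "$1/.ssh/authorized_keys" 600 || { echo "authorized_keys is not mode 600"; rc=1; }
    has_mode "$1/.ssh" 750                 || { echo ".ssh is not mode 750"; rc=1; }
    check_rssh_conf "$2"                   || { echo "rssh.conf allows more than rsync"; rc=1; }
    check_sshd_config "$3"                 || { echo "sshd_config: PermitRootLogin/AllowGroups wrong"; rc=1; }
    return $rc
}

# Constructed good and bad sample trees so the audit can run offline; prints the
# scratch directory, which the caller removes afterwards.
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/good/.ssh" "$d/bad/.ssh"
    chmod 750 "$d/good/.ssh"; chmod 755 "$d/bad/.ssh"
    printf 'from="backup.company.com",no-pty ssh-dss AAAAPLACEHOLDER backup@backup\n' > "$d/good/.ssh/authorized_keys"
    printf 'ssh-dss AAAAPLACEHOLDER backup@backup\n' > "$d/bad/.ssh/authorized_keys"
    chmod 600 "$d/good/.ssh/authorized_keys"; chmod 644 "$d/bad/.ssh/authorized_keys"
    printf 'logfacility = LOG_USER\nallowrsync\numask = 022\n' > "$d/good/rssh.conf"
    printf 'allowscp\nallowrsync\n' > "$d/bad/rssh.conf"
    printf '# constructed sample\nAllowGroups backup sysadmin\nPermitRootLogin without-password\n' > "$d/good/sshd_config"
    printf 'AllowGroups sysadmin\nPermitRootLogin yes\n' > "$d/bad/sshd_config"
    echo "$d"
}
```

On a real client, call <span style="font-family: 'Courier New', Courier, monospace;">audit_client ~backup /usr/local/etc/rssh.conf /etc/ssh/sshd_config backup.company.com</span> (or <span style="font-family: 'Courier New', Courier, monospace;">/etc/rssh.conf</span> on Linux) as root.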
<div>
<h2>
Server Configuration (part 2 of 2)</h2>
</div>
<div>
<br /></div>
<div>
Connect to the backup server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh backup.company.com</span></div>
<div>
<br /></div>
<div>
Connect to the client using the backup user's key and answer <b><i>YES</i></b>. <b><i>This is very important and you only need to do this once.</i></b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>sudo ssh -i /backup/key/id_dsa backup@alice.company.com</b></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">The authenticity of host 'alice.company.com (192.168.1.20)' can't be established.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">RSA key fingerprint is 60:0c:db:21:a2:c3:6b:0d:ae:03:f4:45:be:b5:e5:01.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Are you sure you want to continue connecting (yes/no)? <b>yes</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Warning: Permanently added 'alice.company.com (192.168.1.20)' (DSA) to the list of known hosts.</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Last login: Tue Jun 12 09:24:37 2012 from backup.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">This account is restricted by rssh.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Allowed commands: rsync</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">If you believe this is in error, please contact your system administrator.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
</div>
<div>
As you can see, the rssh shell prevented us from getting a shell on the client, but we still managed to connect to it, all of this inside an encrypted ssh tunnel. Great!</div>
<div>
<br />
<span style="font-size: large;">IMPORTANT : make sure you answer YES once for all your backup clients!</span><br />
<br /></div>
<div>
Now let's try a backup. Note that the first <span style="font-family: 'Courier New', Courier, monospace;">sudo -l</span> is only there to avoid a password prompt, which is useful when you put an « <span style="font-family: 'Courier New', Courier, monospace;">&</span> » at the end of the next sudo command.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo -l</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /backup/scripts/backup_runner.sh /backup/conf/alice.company.com daily &</span></div>
<div>
<br /></div>
<div>
And check the log as it happens.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tail -F /backup/log/alice.company.com</span></div>
<div>
<br /></div>
<div>
Once the backup is over, confirm that you have the data on the backup server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ls -alFR /backup/data/alice.company.com/daily.0</span></div>
<div>
<br /></div>
<div>
And finally, configure <span style="font-family: 'Courier New', Courier, monospace;">cron(8)</span> to manage all this automatically.</div>
<div>
<br /></div>
<div>
<a href="https://dl.dropbox.com/u/72609528/blog/backup/crontab.txt"><span style="font-family: 'Courier New', Courier, monospace;">sudo crontab -e</span></a></div>
<div>
<br /></div>
<div>
<b>A good idea now would be to backup your backup server's data! Encrypt the data and send it offsite.</b></div>
<div>
<b><br /></b></div>
<h2>
Recovery</h2>
<div>
<br /></div>
<h3>
Human Error</h3>
<div>
<br /></div>
<div>
Recovery with this setup is quite easy because you can simply navigate the backup directory and retrieve any file as you normally would on a filesystem. For example, let's say you accidentally deleted <span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig/network-scripts/ifcfg-eth0</span> on host alice (and that you don't use <a href="http://en.wikipedia.org/wiki/Revision_Control_System">RCS</a>). Then simply connect to the backup server and send the file back to the client <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> via <span style="font-family: 'Courier New', Courier, monospace;">scp(1)</span>. Again, replace my own username with yours in the <span style="font-family: 'Courier New', Courier, monospace;">scp(1)</span> command below...</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh backup.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo scp /backup/data/alice.company.com/daily.0/etc/sysconfig/network-scripts/</span><span style="font-family: 'Courier New', Courier, monospace;">ifcfg-eth0 drobilla@alice.company.com:/tmp</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Then connect to the client and move the file where it belongs.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/ifcfg-eth0 /etc/sysconfig/network-scripts</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /etc/sysconfig/network-scripts/</span><span style="font-family: 'Courier New', Courier, monospace;">ifcfg-eth0</span></div>
<div>
<br /></div>
<div>
There you go! Simple, secured and easy!</div>
<div>
<br /></div>
<h3>
Total Client Failure</h3>
<div>
<br /></div>
<div>
In the case where you suffer a total client failure, simply reinstall the OS, reconfigure the backup user but give him shell access (i.e. <span style="font-family: 'Courier New', Courier, monospace;">/bin/bash</span> instead of <span style="font-family: 'Courier New', Courier, monospace;">/usr/bin/rssh</span>) and use tar(1) to dump the content of the backups over to the newly installed client. Then reset the client's backup user's shell back to <span style="font-family: 'Courier New', Courier, monospace;">/usr/bin/rssh</span>. For example :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh backup.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo su -</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /backup/data/alice.company.com/daily.0/etc</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf - . | ssh -i /backup/key/id_dsa backup@alice.company.com "cd /etc; tar zxvf -"</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /backup/data/alice.company.com/daily.0/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf - . | ssh -i /backup/key/id_dsa backup@alice.company.com "cd /home; tar zxvf -"</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /backup/data/alice.company.com/daily.0/root</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf - . | ssh -i /backup/key/id_dsa backup@alice.company.com "cd /root; tar zxvf -"</span>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /backup/data/alice.company.com/daily.0/var/log</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf - . | ssh -i /backup/key/id_dsa backup@alice.company.com "cd /var/log; tar zxvf -"</span></div>
</div>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /backup/data/alice.company.com/daily.0/var/lib/ldap</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf - . | ssh -i /backup/key/id_dsa backup@alice.company.com "cd /var/lib/ldap; tar zxvf -"</span></div>
</div>
<div>
<br /></div>
<div>
You can of course simply enable root access via SSH and do this only via the root user, but that would render the whole process a bit less secure.</div>
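<div>
The same restore expressed as one function over a list of trees, as an added example that is not part of the original post. Two details differ from the one-liners above: the archive is always built from the snapshot directory just entered, so the source path cannot drift, and the far side runs <span style="font-family: 'Courier New', Courier, monospace;">cd DIR && tar</span> rather than <span style="font-family: 'Courier New', Courier, monospace;">cd DIR; tar</span>, so nothing lands in the backup user's home directory when DIR is missing. The function names are mine; the paths and the ssh invocation are the post's.</div>

```shell
#!/bin/sh
# Added example, not from the original post: restore several trees from a
# snapshot with one function instead of repeating the cd/tar pair by hand.
# The transport is passed as trailing arguments (the post's ssh command on a
# real restore, "sh -c" when exercising the code offline).

# restore_tree SNAPSHOT RELPATH DESTDIR TRANSPORT...
#   Streams SNAPSHOT/RELPATH as a tar archive into TRANSPORT, which receives the
#   extraction command as its last argument, e.g.
#   restore_tree /backup/data/alice.company.com/daily.0 etc /etc \
#       ssh -i /backup/key/id_dsa backup@alice.company.com
restore_tree() {
    snap="$1"; rel="$2"; dest="$3"; shift 3
    [ -d "$snap/$rel" ] || { echo "no such tree in snapshot: $rel" >&2; return 1; }
    # p keeps modes and ownership when extracting as root; the pipeline's status
    # is that of the transport, so a failed cd on the far side is reported here
    ( cd "$snap/$rel" && tar cf - . ) | "$@" "cd '$dest' && tar xpf -"
}

# restore_set SNAPSHOT LIST TRANSPORT...
#   LIST has one "RELPATH DESTDIR" pair per line; returns the number of trees
#   that failed, so 0 means everything was restored.
restore_set() {
    snap="$1"; list="$2"; shift 2; failed=0
    while read -r rel dest; do
        [ -n "$rel" ] || continue
        restore_tree "$snap" "$rel" "$dest" "$@" || failed=$((failed + 1))
    done <<EOF
$list
EOF
    return $failed
}

# The post's restore of alice, as one list (same snapshot, key and trees as above).
restore_alice() {
    restore_set /backup/data/alice.company.com/daily.0 'etc /etc
home /home
root /root
var/log /var/log
var/lib/ldap /var/lib/ldap' ssh -i /backup/key/id_dsa backup@alice.company.com
}
```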
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<div>
HOWTO : OpenLDAP 2.4 Replication on CentOS 6.2 (posted 2012-06-08, updated 2014-02-19)</div>
<div>
We continue our OpenLDAP 2.4 on CentOS 6.2 series with a description of how to set up replication between two OpenLDAP 2.4 servers. This happens to be the final bullet point in our list of goals :</div>
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
Of course the first thing to do in order to be able to replicate our DIT is to have another CentOS machine. So go ahead and install it on a separate computer. We will continue with our two example machines : <a href="http://en.wikipedia.org/wiki/Alice_and_Bob">alice and bob</a>. Alice is the current OpenLDAP server while bob was the client. At the end of this document, bob will be the second OpenLDAP server. In OpenLDAP syncrepl parlance, we then have these entities :<br />
<ul>
<li><i>provider</i> : <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> (a.k.a. <i>master</i> server)</li>
<li><i>consumer</i> : <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span> (a.k.a. <i>replica</i> server)</li>
</ul>
<a name='more'></a>Another important thing to do is to read the <a href="http://www.openldap.org/doc/admin24/replication.html">OpenLDAP replication</a> chapter in the administrator's guide. The following excerpt is of particular interest :<br />
<blockquote class="tr_bq">
Syncrepl supports both pull-based and push-based synchronization. In its basic refreshOnly synchronization mode, the provider uses pull-based synchronization where the consumer servers need not be tracked and no history information is maintained. The information required for the provider to process periodic polling requests is contained in the synchronization cookie of the request itself. To optimize the pull-based synchronization, syncrepl utilizes the present phase of the LDAP Sync protocol as well as its delete phase, instead of falling back on frequent full reloads. To further optimize the pull-based synchronization, the provider can maintain a per-scope session log as a history store. In its refreshAndPersist mode of synchronization, the provider uses a push-based synchronization. The provider keeps track of the consumer servers that have requested a persistent search and sends them necessary updates as the provider replication content gets modified.</blockquote>
Replication is handled by <a href="http://www.openldap.org/doc/admin24/overlays.html">an OpenLDAP overlay</a>. Check the <span style="font-family: 'Courier New', Courier, monospace;">slapo-syncprov(5)</span> man page for the provider overlay information. With that in mind, we will set up a <span style="font-family: 'Courier New', Courier, monospace;">refreshAndPersist</span> replication using the <span style="font-family: 'Courier New', Courier, monospace;">delta-syncrepl</span><span style="font-family: inherit;"> replication scheme. Note that, as the official documentation says :</span><br />
<blockquote class="tr_bq">
As you can see, you can let your imagination go wild using Syncrepl and slapd-ldap(8) tailoring your replication to fit your specific network topology.</blockquote>
<br />
<h2>
Provider Configuration</h2>
<br />
Setting up delta-syncrepl requires configuration changes on both the master (i.e. <i>provider</i>) and replica (i.e. <i>consumer</i>) servers. We will start by configuring the provider machine (i.e. <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span>) and then continue to the consumer machine (i.e. <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span>).<br />
<br />
So, connect to the <i>provider</i> server.<br />
<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span></div>
<div>
</div>
<br />
On this machine, we need to setup several things :<br />
<ol>
<li>A <a href="http://www.openldap.org/doc/admin24/slapdconf2.html#cn=module">cn=module</a> configuration.</li>
<li>An accesslog database to store the accesslog data (i.e. <span style="font-family: 'Courier New', Courier, monospace;">cn=accesslog</span>)</li>
<li>A syncprov overlay over the accesslog database.</li>
<li>Two overlays over our primary database (i.e. <span style="font-family: 'Courier New', Courier, monospace;">dc=company,dc=com</span>)</li>
<li>A new user object to authenticate and fetch the data.</li>
<li>Limits and ACLs to the new object.</li>
</ol>
Let's configure those items one at a time.<br />
<br />
<h3>
Provider Module Configuration</h3>
<br />
To configure a module on the provider, we first need to check whether we already have one. Since we have a Kerberos realm and SASL GSSAPI authentication set up, let's use them to simplify our queries. Note that you can always use the <span style="font-family: 'Courier New', Courier, monospace;">cn=admin,dc=company,dc=com RootDN</span> to perform all the tasks in this blog post, but the queries are longer to write.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=config olcModulePath</span><br />
<div>
<br /></div>
<div>
The above query did not return the olcModulePath object. So we need to create it. But what is our module path? The <span style="font-family: 'Courier New', Courier, monospace;">cn=module</span> documentation shows us that module names end in « <span style="font-family: 'Courier New', Courier, monospace;">.la</span> ». With that info, a simple rpm query will show us where they're stored on the filesystem.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql openldap-servers | grep '\.la$'</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/accesslog.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/auditlog.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/collect.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/constraint.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/dds.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/deref.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/dyngroup.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/dynlist.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/memberof.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/pcache.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/ppolicy.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/refint.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/retcode.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/rwm.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/seqmod.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/smbk5pwd.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/sssvlv.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/syncprov.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/translucent.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/unique.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap/valsort.la</span></div>
</div>
<div>
<br /></div>
<div>
Ok, so we know our <span style="font-family: 'Courier New', Courier, monospace;">olcModulePath</span> is <span style="font-family: 'Courier New', Courier, monospace;">/usr/lib/openldap</span>. We also know that we have quite a bunch of different modules available. Let's write another LDIF file to set the <span style="font-family: 'Courier New', Courier, monospace;">olcModulePath</span>, but also which modules we want to load. Since we need both the <span style="font-family: 'Courier New', Courier, monospace;">accesslog</span> and the <span style="font-family: 'Courier New', Courier, monospace;">syncprov</span> overlays, we might as well load them right?!</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/module.ldif">~/ldap/module.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
Load this new configuration.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -aZf ~/ldap/module.ldif</span></div>
<br />
Check that it's installed, then look at what's in it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=config dn | grep module</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=module{0},cn=config</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn=module{0},cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcModuleList</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cn: module{0}</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcModulePath: /usr/lib/openldap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcModuleLoad: {0}accesslog.la</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcModuleLoad: {1}syncprov.la</span></div>
</div>
<div>
<br /></div>
<div>
Good. We can proceed to the next provider objective.</div>
<br />
<h3>
Provider Accesslog Database</h3>
<br />
Now that we have the accesslog overlay module loaded, we must create a database in which to store the accesslog data. We of course do this with another LDIF file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/accesslog.ldif">~/ldap/accesslog.ldif</a> </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
As we can see, this database uses a new directory that must be created first. We also need to drop a <span style="font-family: 'Courier New', Courier, monospace;">DB_CONFIG</span> file in there and fix permissions.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /var/lib/ldap/accesslog</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/accesslog/</span><span style="font-family: 'Courier New', Courier, monospace;">DB_CONFIG</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R ldap:ldap /var/lib/ldap</span><br />
<br />
Alright, we can now create the new accesslog database. Note that we're using the <span style="font-family: 'Courier New', Courier, monospace;">hdb</span> backend instead of <span style="font-family: 'Courier New', Courier, monospace;">bdb</span> for this database. There's no real reason; choose whichever you prefer.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -aZf </span><span style="font-family: 'Courier New', Courier, monospace;">~/ldap/accesslog.ldif</span><br />
<br />
We should now have a new database. Let's see if that's true?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=config dn | grep hdb</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={3}hdb,cn=config</span><br />
<br />
What does it contain?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb olcDatabase={3}hdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={3}hdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcDatabaseConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcHdbConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDatabase: {3}hdb</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbDirectory: /var/lib/ldap/accesslog</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcSuffix: cn=accesslog</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcRootDN: cn=admin,dc=company,dc=com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: default eq</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart</span><br />
<br />
Great! Let's continue with our next objective.<br />
<div>
<br /></div>
<h3>
Provider Syncprov Overlay Over the Accesslog Database</h3>
<div>
<br /></div>
<div>
Our next objective is to setup a syncprov overlay on the new accesslog database. Create this LDIF file :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/overlay.accesslog.ldif">~/ldap/overlay.accesslog.ldif</a> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<div>
And add the new setup to our OpenLDAP server.</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -aZf ~/ldap/overlay.accesslog.ldif </span><br />
<br />
We should now have a new <span style="font-family: 'Courier New', Courier, monospace;">dn:</span> in our <span style="font-family: 'Courier New', Courier, monospace;">olcDatabase={3}hdb,cn=config</span> database.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb olcDatabase={3}hdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={3}hdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcDatabaseConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcHdbConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDatabase: {3}hdb</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbDirectory: /var/lib/ldap/accesslog</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcSuffix: cn=accesslog</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcRootDN: cn=admin,dc=company,dc=com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: default eq</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcOverlay={0}syncprov,olcDatabase={3}hdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcOverlayConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">objectClass: olcSyncProvConfig</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcOverlay: {0}syncprov</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcSpNoPresent: TRUE</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcSpReloadHint: TRUE</span><br />
<br />
Sure enough, it's there. We can now continue with our setup.<br />
<br />
<h3>
Provider Overlays On Primary Database</h3>
<br />
To complete this objective, we must of course write another LDIF file in which we a) set up new indexes on our primary database, b) add the syncprov overlay and c) add the accesslog overlay.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/overlay.primary.ldif">~/ldap/overlay.primary.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
We then add this new LDIF into our system.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -aZf ~/ldap/overlay.primary.ldif </span><br />
<br />
Which then gives us two new overlays on the primary database.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb olcDatabase={1}bdb,cn=config dn</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcOverlay={1}accesslog,olcDatabase={1}bdb,cn=config</span><br />
<br />
And sure enough, we do have the two new overlays.<br />
<br />
<h3>
Provider Replication User</h3>
<br />
We need a user for the replication. That user will be used to authenticate the replication server and read the data. Period. Once again, we need an LDIF file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/replication.ldif">~/ldap/replication.ldif</a> </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
<div>
Apply this LDIF file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -aZf ~/ldap/replication.ldif </span></div>
<div>
<br /></div>
This user needs a real password. Make sure to record this password and keep it safe.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldappasswd -xZ -S cn=replication,dc=company,dc=com</span><br />
<br />
Note that in this example our replication user is named just « replication ». If you plan on having more than one replicated server, then ideally choose a unique name for each of the replicated server. This way you can audit which machine replicates and when. You can also decide which part of the DIT gets replicated to which machine. But that's another story.<br />
<br />
<h3>
Provider Limits and ACLs to the Replication User</h3>
<br />
We now need to give the new user access via ACLs and set some limits for it. Let's do it in two steps, starting with the limits (or the lack thereof, actually :)<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/limits.ldif">~/ldap/limits.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
Then apply this LDIF.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -Zf ~/ldap/limits.ldif</span><br />
<br />
Next step is to give read access to the replication user. Before we do this, it's usually a good idea to double-check our current ACL list.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLb cn=config olcAccess</span><br />
<br />
We can now create another LDIF file to update our ACLs. The idea here is to have the same sets of ACLs on both the provider and the consumer. Except that on the consumer, we don't need any ACLs with regards to the replication user (i.e. the one defined in <span style="font-family: 'Courier New', Courier, monospace;">olcSyncRepl:</span>).<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/consumer.acl.ldif">~/ldap/consumer.acl.ldif</a></span><br />
<br />
Enable the ACL changes.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -f ~/ldap/consumer.acl.ldif</span><br />
<br />
Check the ACL listing.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -Zb olcDatabase={1}bdb,cn=config olcAccess</span><br />
<div>
<br /></div>
Test to see if we can access our entire DIT with the replication DN?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZWD cn=replication,dc=company,dc=com -H ldap://alice.company.com</span><br />
<br />
This is of course crucial. Do not continue with this blog post until you can access the entire DIT with the replication DN. Once it works, we need to setup our consumer OpenLDAP machine.<br />
<br />
<h2>
Consumer Configuration</h2>
<br />
<h3>
Consumer OpenLDAP Installation</h3>
<br />
Install another CentOS 6 machine and connect to it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span><br />
<br />
<b>Make sure that <span style="font-family: 'Courier New', Courier, monospace;">ntpd(8)</span> is running</b> and that both alice's and bob's clocks are synchronized. All of your servers' clocks must be tightly synchronized using either NTP (see <a href="http://www.ntp.org/">http://www.ntp.org/</a> for info on NTP), an atomic clock or some other reliable time reference.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ntpq -p</span><br />
<br />
Then connect to <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span> and install a few packages.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install openldap-servers cyrus-sasl-gssapi pam_krb5 krb5-server-ldap</span><br />
<br />
Configure an empty OpenLDAP server. I've already covered how to do this in a <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">previous blog post</a>, but we now need to change this a little. So we can't really follow the other post. Let's do it all over again then. So the first thing we must do is upgrade the sudo package to have the latest sudo schema. I've explained how to achieve this goal <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">in another blog post</a>. But I'll show here just what we need which starts by installing the latest (as of this writing) sudo package from the sudo website. Note that if your machine is 32 bit, then the package would be <span style="font-family: 'Courier New', Courier, monospace;">sudo-1.8.4-5.el6.i386.rpm</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">wget http://www.sudo.ws/sudo/dist/packages/Centos/6/sudo-1.8.4-5.el6.x86_64.rpm</span><br />
<br />
Upgrade sudo.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpm -U ./sudo-1.8.4-5.el6.x86_64.rpm</span><br />
<br />
This sudo package comes with an OpenLDAP schema. Get the path to the file. Keep note of this path as we will include it in our slapd configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql sudo | grep -i openldap</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/sudo-1.8.5-1.el6/schema.OpenLDAP</span></div>
</div>
<div>
<br /></div>
We now need to create the config file. It needs the <span style="font-family: 'Courier New', Courier, monospace;">RootDN</span> password, so record the output of the <span style="font-family: 'Courier New', Courier, monospace;">slappasswd(8C)</span> command.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">slappasswd</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">New password: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Re-enter new password: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">{SSHA}JGjPUbxyCn7wa/pt8YM5rzK7s/hUGncW</span><br />
<br />
Plug the above output into the file below. To understand the syncrepl syntax, refer to the <a href="http://www.openldap.org/doc/admin24/slapdconfig.html#syncrepl">official syncrepl documentation</a>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">mkdir ~/ldap</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/slapd.conf.consumer">~/ldap/slapd.conf.consumer</a></span><br />
<br />
Create the configuration.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo slapcat -f ~/ldap/slapd.conf.consumer -F /tmp -n 0</span><br />
<br />
Remove the old configuration.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rm -rf /etc/openldap/slapd.d/*</span><br />
<br />
Install the new one.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp -rp /tmp/cn\=config* /etc/openldap/slapd.d</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R ldap:ldap /etc/openldap/slapd.d</span></div>
<div>
<br /></div>
<div>
Check to see if the new configuration is ok?</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo slaptest -uF /etc/openldap/slapd.d</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">config file testing succeeded</span></div>
</div>
<div>
<br /></div>
<div>
Install the <span style="font-family: 'Courier New', Courier, monospace;">DB_CONFIG</span> file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">egrep -vi '^$|^#' `rpm -ql openldap-servers | grep DB_CONFIG` > /tmp/DB_CONFIG</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/DB_CONFIG /var/lib/ldap/DB_CONFIG</span></div>
<br />
<div>
</div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R ldap:ldap /var/lib/ldap</span><br />
<br />
Prepare the log system.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.rsyslog.conf">/etc/rsyslog.conf</a></span><br />
<br />
Touch the new log file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo touch /var/log/slapd.log</span><br />
<br />
Make sure the log file doesn't grow to humongous proportions.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.logrotate.d.slapd">/etc/logrotate.d/slapd</a></span><br />
<br />
Restart the rsyslog daemon so that it knows about the changes.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rsyslog restart</span><br />
<br />
Edit the <span style="font-family: 'Courier New', Courier, monospace;">slapd(8)</span> system configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.ldap">/etc/sysconfig/ldap</a></span><br />
<br />
<div>
Start the slapd(8) daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span></div>
<div>
<br /></div>
<div>
Make sure the daemon starts when the server boots.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig slapd on</span></div>
<div>
<br /></div>
<div>
<div>
Configure a system-wide LDAP client configuration. This is to simplify our life and reduce typing later on. Don't worry about the TLS configurations for now. We will configure them later, but it doesn't hurt to have them in the file at the moment. Don't forget that in this blog post, the OpenLDAP server's FQDN is <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span> and <b>not</b> <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> as we used to. This is important because here we don't want to query nor modify the <i>provider</i> (i.e. <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span>), but only the <i>consumer</i> (i.e. <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span>).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.openldap.ldap.conf.consumer">/etc/openldap/ldap.conf</a></span></div>
<div>
<br /></div>
<div>
Check if our admin user can connect? <b>Double check the logs to make sure you're not binding to the provider!</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapwhoami -WD cn=admin,dc=company,dc=com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Enter LDAP Password:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn:cn=admin,dc=company,dc=com</span></div>
</div>
<div>
<br />
<h3>
Consumer TLS Configuration</h3>
<br /></div>
<div>
Ok, let's configure TLS for the consumer. I'll still use a Windows CA for this post.</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">openssl req -newkey rsa:2048 -keyout `hostname`.key -nodes -out `hostname`.req -subj /CN=bob.company.com/O=Company/C=CA/ST=QC/L=Montreal</span><br />
<br />
Upload the <span style="font-family: 'Courier New', Courier, monospace;">.req</span> file to the CA machine and sign it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">C:\> certreq -submit -attrib "CertificateTemplate:WebServer" -config "caserver.company.com\Company CA" bob.company.com.req bob.company.com.pem</span><br />
<br />
Upload the <span style="font-family: 'Courier New', Courier, monospace;">.pem</span> file to our consumer OpenLDAP server then place both the <span style="font-family: 'Courier New', Courier, monospace;">.pem</span> and <span style="font-family: 'Courier New', Courier, monospace;">.key</span> files into the proper location with the appropriate permissions.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv bob.company.com.pem bob.company.com.key /etc/pki/tls/certs</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown ldap:ldap /etc/pki/tls/certs/bob.company.com.*</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 600 /etc/pki/tls/certs/bob.company.com.key</span><br />
<br />
Grab a copy of the CA's certificate from our provider server.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">scp alice.company.com:/etc/pki/tls/certs/companyCA.crt /tmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/companyCA.crt /etc/pki/tls/certs</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /etc/pki/tls/certs/companyCA.crt</span><br />
<br />
Configure TLS in our consumer OpenLDAP server.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/tls.consumer.ldif">~/ldap/tls.consumer.ldif</a></span><br />
<br />
Add the TLS configuration to the cn=config base.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -WD cn=admin,dc=company,dc=com -H ldapi:/// -f <a href="https://dl.dropbox.com/u/72609528/blog/openldap/tls.consumer.ldif">~/ldap/tls.consumer.ldif</a></span><br />
<br />
Check if our configuration has been installed?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep olcTLS</span><br />
<br />
Check to see if we can connect with TLS (i.e. the « <span style="font-family: 'Courier New', Courier, monospace;">-Z</span> » switch).<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapwhoami -xZWD cn=admin,dc=company,dc=com -H ldap://bob.company.com</span><br />
<br />
Revisit the LDAP client configuration file to enable the TLS configs.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.openldap.ldap.conf.consumer.tls">/etc/openldap/ldap.conf</a></span><br />
<br />
Modify the consumer <span style="font-family: 'Courier New', Courier, monospace;">cn=config</span> and database configurations.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/consumer.ldif">~/ldap/consumer.ldif</a></span><br />
<br />
Apply the changes.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -WD cn=admin,dc=company,dc=com -H ldapi:/// -f ~/ldap/consumer.ldif </span><br />
<br />
Check the configuration changes to both the cn=config and the primary database.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}bdb))"</span><br />
<br />
<h3>
Consumer SASL GSSAPI Configuration</h3>
<br />
Enable SASL GSSAPI authentication.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/consumer.gssapi.ldif">~/ldap/consumer.gssapi.ldif</a></span><br />
<br />
Add the modification to the server.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -xZWD cn=admin,dc=company,dc=com -H ldap://bob.company.com -f ~/ldap/consumer.gssapi.ldif</span><br />
<br />
Change the system-wide OpenLDAP daemon configuration to add a Kerberos keytab.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.ldap.gssapi">/etc/sysconfig/ldap</a></span><br />
<br />
Create the OpenLDAP Kerberos keytab, the host's principal key and the autofsclient key while we're in the kadmin dialogue. <b>IMPORTANT</b> : notice how we place the <i>host/</i> and <i>autofsclient/</i> principals in <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.keytab</span> while the <i>ldap/</i> principal gets stored in <span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/krb5.keytab</span>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin -p drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey ldap/bob.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>ktadd -k /etc/openldap/krb5.keytab ldap/bob.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey host/bob.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>ktadd -k /etc/krb5.keytab host/bob.company.com@COMPANY.COM</b></span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey autofsclient/bob.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>ktadd -k /etc/krb5.keytab autofsclient/bob.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>exit</b></span><br />
<br />
Fix permissions on the new Kerberos keytab. The goal here is to let the <span style="font-family: 'Courier New', Courier, monospace;">ldap</span> group be able to read the <i>ldap/</i> principal stored in the keytab.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:ldap /etc/openldap/krb5.keytab </span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 640 /etc/openldap/krb5.keytab</span></div>
<div>
<br /></div>
Restart the slapd(8) daemon.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd restart</span><br />
<br />
Test the SASL GSSAPI authentication.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kdestroy</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapwhoami</span><br />
<br />
<h3>
Consumer DIT Initial Load</h3>
<br />
One last step before we start the replication is to load the DIT from our provider into our consumer. It's not required, but if your DIT is large, this will save quite a lot of time. To do this, follow these steps :<br />
<br />
Connect to the <i>provider</i>.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span><br />
<br />
Create a new LDIF file with the entire DIT of the provider.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo slapcat | tee -a /tmp/provider.slapcat.ldif</span><br />
<br />
Transfer the LDIF file over to the consumer.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">scp /tmp/provider.slapcat.ldif bob.company.com:/tmp</span><br />
<br />
Remove the temporary file. After all, it's the entire DIT that's in there in clear text...<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rm /tmp/provider.slapcat.ldif</span><br />
<br />
Connect to the consumer.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span><br />
<br />
Stop slapd.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd stop</span><br />
<br />
Destroy the database, but save the <span style="font-family: 'Courier New', Courier, monospace;">DB_CONFIG</span> file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /var/lib/ldap/DB_CONFIG /tmp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rm -rf /var/lib/ldap</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /var/lib/ldap</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/DB_CONFIG /var/lib/ldap</span><br />
<br />
Load the provider LDIF file into the consumer's database. Notice the « <span style="font-family: 'Courier New', Courier, monospace;">-w</span> » switch to <span style="font-family: 'Courier New', Courier, monospace;">slapadd(8C)</span> which will write syncrepl context information. Once all entries are added, the <span style="font-family: 'Courier New', Courier, monospace;">contextCSN</span> will be updated with the greatest CSN in the database. That's pretty handy in our case :)<br />
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo slapadd -l /tmp/provider.slapcat.ldif -w</span><br />
<br />
Again, remove the temporary file. After all, it's the entire DIT that's in there in clear text...<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rm /tmp/provider.slapcat.ldif</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
Start the consumer daemon.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Check to see if the entire DIT is now on the consumer machine?</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZWD cn=admin,dc=company,dc=com -b dc=company,dc=com -H ldap://bob.company.com</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Check to see if the SASL GSSAPI user has the proper ACLs to this DIT on the consumer?</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb dc=company,dc=com -H ldap://bob.company.com</span><br />
<div>
<br /></div>
<h3>
Replication Test</h3>
<br />
We now have a TLS and SASL GSSAPI enabled OpenLDAP server <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span> configured as the consumer of our provider alice.company.com. Let's see if it works. To test this, connect to the provider and change something. In this example, we will change our <span style="font-family: 'Courier New', Courier, monospace;">test.user</span>'s shell.<br />
<br />
Connect to the provider server.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Check the current value for </span><span style="font-family: 'Courier New', Courier, monospace;">loginShell</span><span style="font-family: inherit;">.</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLZb cn=test.user,ou=users,dc=company,dc=com loginShell</span><br />
<div style="font-family: 'Courier New', Courier, monospace;">
loginShell: /bin/bash</div>
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div>
<span style="font-family: inherit;">Change the </span><span style="font-family: 'Courier New', Courier, monospace;">loginShell</span><span style="font-family: inherit;"> value to </span><span style="font-family: 'Courier New', Courier, monospace;">/bin/sh</span><span style="font-family: inherit;">.</span></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify <<-EOF</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn=test.user,ou=users,dc=company,dc=com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">changetype: modify</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">replace: loginShell</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">loginShell: /bin/sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">EOF</span></div>
<br />
Keep an eye on the slapd.log file. You should now see these lines on the consumer :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: do_syncrep2: rid=000 cookie=rid=000,csn=20120608192235.282075Z#000000#000#000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: syncrepl_entry: rid=000 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: syncrepl_entry: rid=000 be_search (0)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: syncrepl_entry: rid=000 cn=test.user,ou=users,dc=company,dc=com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: slap_queue_csn: queing 0xa1601040 20120608192235.282075Z#000000#000#000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: slap_graduate_commit_csn: removing 0xa16050c8 20120608192235.282075Z#000000#000#000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: syncrepl_entry: rid=000 be_modify cn=test.user,ou=users,dc=company,dc=com (0)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: slap_queue_csn: queing 0xa1601040 20120608192235.282075Z#000000#000#000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6620]: slap_graduate_commit_csn: removing 0xa1604a48 20120608192235.282075Z#000000#000#000000</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
And if you query the consumer, you should see that the loginShell has indeed replicated to the consumer.</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLZb cn=test.user,ou=users,dc=company,dc=com loginShell</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">loginShell: /bin/sh</span><br />
<br />
Success! :)<br />
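As an added example (not code from the original post), here is a small Python script that pulls the CSN out of consumer log lines like the <span style="font-family: 'Courier New', Courier, monospace;">do_syncrep2</span> cookie above and compares the <span style="font-family: 'Courier New', Courier, monospace;">contextCSN</span> of provider and consumer per server ID, which is the definitive way to tell whether the consumer has caught up. The hostnames, base DN and the sample LDIF and log data in it are constructed for this example.<br />
<br />

```python
"""Compare syncrepl contextCSN values between a provider and a consumer.

Added example, not code from the original post. The LDIF and log snippets
below are constructed sample data; on real servers, the output of
`ldapsearch -ZLLL -H ldap://HOST -b dc=company,dc=com -s base contextCSN`
is what you feed to context_csns().
"""
import re
import subprocess
from datetime import datetime, timezone

# One CSN: UTC timestamp, change count, server ID (SID), modification count,
# e.g. 20120608192235.282075Z#000000#000#000000
CSN_RE = re.compile(
    r"(?P<ts>\d{14})\.(?P<us>\d{6})Z#[0-9a-fA-F]{6}#(?P<sid>[0-9a-fA-F]{3})#[0-9a-fA-F]{6}"
)
CONTEXT_CSN_RE = re.compile(r"^contextCSN:\s*(\S+)", re.MULTILINE)


def parse_csn(csn):
    """Return (sid, timestamp) for one CSN string; raise ValueError if malformed."""
    m = CSN_RE.fullmatch(csn.strip())
    if m is None:
        raise ValueError("not a CSN: %r" % csn)
    ts, us = m.group("ts"), int(m.group("us"))
    when = datetime(int(ts[0:4]), int(ts[4:6]), int(ts[6:8]),
                    int(ts[8:10]), int(ts[10:12]), int(ts[12:14]),
                    us, tzinfo=timezone.utc)
    return m.group("sid"), when


def csns_in_line(line):
    """All CSN strings found in one slapd log line (cookie=..., slap_queue_csn, ...)."""
    return [m.group(0) for m in CSN_RE.finditer(line)]


def context_csns(ldif_text):
    """Map SID -> contextCSN from `ldapsearch -LLL -s base contextCSN` output.

    A single-provider setup has one value; multi-master setups carry one
    contextCSN per server ID, so the comparison is done per SID.
    """
    result = {}
    for value in CONTEXT_CSN_RE.findall(ldif_text):
        sid, _ = parse_csn(value)
        result[sid] = value
    return result


def replication_lag(provider_ldif, consumer_ldif):
    """Seconds the consumer is behind the provider, per SID.

    None means the consumer has no contextCSN for that SID at all, i.e. it
    has never completed a refresh from that provider.
    """
    provider = context_csns(provider_ldif)
    consumer = context_csns(consumer_ldif)
    lag = {}
    for sid, pcsn in provider.items():
        if sid not in consumer:
            lag[sid] = None
            continue
        _, pt = parse_csn(pcsn)
        _, ct = parse_csn(consumer[sid])
        lag[sid] = (pt - ct).total_seconds()
    return lag


def in_sync(provider_ldif, consumer_ldif):
    """True only when every provider contextCSN is present and identical on the consumer."""
    consumer = context_csns(consumer_ldif)
    return all(consumer.get(sid) == csn
               for sid, csn in context_csns(provider_ldif).items())


# Constructed sample output from the two servers (same shape as ldapsearch -LLL)
PROVIDER_LDIF = """dn: dc=company,dc=com
contextCSN: 20120608192235.282075Z#000000#000#000000
"""
CONSUMER_LDIF_BEHIND = """dn: dc=company,dc=com
contextCSN: 20120608192100.000000Z#000000#000#000000
"""
# Constructed consumer log line of the kind shown in the replication test
LOG_LINE = ("slapd[6620]: do_syncrep2: rid=000 "
            "cookie=rid=000,csn=20120608192235.282075Z#000000#000#000000")


def fetch_context_csn(host, base="dc=company,dc=com"):
    """Query a live server (GSSAPI bind after kinit, StartTLS via -Z)."""
    cmd = ["ldapsearch", "-ZLLL", "-H", "ldap://%s" % host,
           "-b", base, "-s", "base", "contextCSN"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed data; on a live pair, replace the
    # constants with fetch_context_csn("alice.company.com") / ("bob.company.com").
    print("cookie CSN in log:", csns_in_line(LOG_LINE))
    print("lag per SID:", replication_lag(PROVIDER_LDIF, CONSUMER_LDIF_BEHIND))
    print("in sync:", in_sync(PROVIDER_LDIF, CONSUMER_LDIF_BEHIND))
```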
<br />
<h3>
Consumer Kerberos Slave Setup</h3>
<br />
The whole point of replicating our DIT is to have two copies of it should the provider fail. But our DIT also supports our Kerberos infrastructure. We must thus make sure that our consumer can also act as a Kerberos slave should our provider (and Kerberos master) fail.<br />
<br />
To enable the consumer machine to become a Kerberos slave, we must of course install the required packages, and we already did that (see above). We must then send several of the provider's Kerberos files over to our consumer. Those files are the Kerberos private key and the Kerberos stash keyfile.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo scp /var/kerberos/krb5kdc/.k5.COMPANY.COM drobilla@bob.company.com:/tmp</span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo scp /etc/krb5.d/stash.keyfile drobilla@bob.company.com:/tmp</span></div>
<div>
<br /></div>
<div>
Now connect to the consumer and move the files to their proper locations and fix permissions.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/.k5.COMPANY.COM /var/kerberos/krb5kdc</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /etc/krb5.d</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/stash.keyfile /etc/krb5.d</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R root:root /var/kerberos/krb5kdc /etc/krb5.d</span></div>
<div>
<br /></div>
<div>
Make sure to edit the Kerberos ACL file on the consumer. This file contains a single line.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /var/kerberos/krb5kdc/kadm5.acl</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">*/admin@COMPANY.COM    *</span></div>
</div>
<div>
<br /></div>
<div>
Edit the consumer's Kerberos <span style="font-family: 'Courier New', Courier, monospace;">kdc.conf</span> file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/var.kerberos.krb5kdc.kdc.conf">/var/kerberos/krb5kdc/kdc.conf</a></span></div>
<div>
<br /></div>
<div>
Grab a copy of the <span style="font-family: 'Courier New', Courier, monospace;">krb5.conf</span> file on the provider machine.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">scp alice.company.com:/etc/krb5.conf /tmp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /tmp/krb5.conf /etc</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /etc/krb5.conf</span></div>
<div>
<br /></div>
<div>
Modify the database to include several new indexes which will help the Kerberos LDAP lookups. While we're at it, let's also add several other required indexes :)</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/kerberos.indexes.txt">~/ldap/kerberos.indexes.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -xZWD cn=admin,dc=company,dc=com -H ldap://bob.company.com -f </span><span style="font-family: 'Courier New', Courier, monospace;">~/ldap/kerberos.indexes.ldif</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span></div>
</div>
<div>
<br /></div>
<div>
Check that the new indexes are in place. The database name used below, <span style="font-family: 'Courier New', Courier, monospace;">olcDatabase={1}bdb</span>, must match your own <span style="font-family: 'Courier New', Courier, monospace;">cn=config</span>: a server running the hdb backend has <span style="font-family: 'Courier New', Courier, monospace;">olcDatabase={1}hdb</span> instead, and the accesslog database used by delta-syncrepl has its own number.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb olcDatabase={1}bdb,cn=config olcDbIndex</span></div>
<div>
<br /></div>
<div>
<div>
Make sure the <span style="font-family: 'Courier New', Courier, monospace;">krb5kdc</span> daemon is running when the machine boots. Note that we do <b>not</b> run the <span style="font-family: 'Courier New', Courier, monospace;">kadmin</span> daemon on the slave KDC.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig krb5kdc on</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Start the krb5kdc daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/krb5kdc start</span></div>
<br />
<h3>
Consumer Backup</h3>
<br />
Don't forget to back up the consumer now that it's working. <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">See this blog post</a> on how to do just that.<br />
<br />
<h2>
Check Replication Status</h2>
<br />
The log files do not always make it obvious whether replication has caught up. A reliable check is to read the <span style="font-family: Courier New, Courier, monospace;">contextCSN</span> of the suffix entry on both the provider and the consumer: it is the change sequence number of the last write the server applied, and when both values match the consumer is up to date. It is an operational attribute, so <span style="font-family: Courier New, Courier, monospace;">ldapsearch</span> only returns it when it is requested by name (or with <span style="font-family: Courier New, Courier, monospace;">+</span>). Get a ticket first, because without <span style="font-family: Courier New, Courier, monospace;">-x</span> these searches use a SASL bind, which with a valid ticket means GSSAPI (MIT <span style="font-family: Courier New, Courier, monospace;">kinit</span> takes the principal as its positional argument; its <span style="font-family: Courier New, Courier, monospace;">-p</span> flag requests proxiable tickets and is not needed here).<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">kinit drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ldapsearch -LLLH ldap://alice.company.com -s base -b "dc=company,dc=com" contextCSN</span><br />
<span style="font-family: Courier New, Courier, monospace;">dn: dc=company,dc=com</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>contextCSN: 20140207211614.110524Z#000000#000#000000</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ldapsearch -LLLH ldap://bob.company.com -s base -b "dc=company,dc=com" contextCSN</span><br />
<span style="font-family: Courier New, Courier, monospace;">dn: dc=company,dc=com</span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>contextCSN: 20140207211614.110524Z#000000#000#000000</b></span><br />
<br />
Both contextCSN values are identical, so the consumer has caught up. If the consumer's value carries an older timestamp (the first field of the CSN), it is still behind; keep polling until the two agree.<br />
<br />
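<div>
The comparison above can be scripted. The shell script below is an added example and is not part of the original post: it parses the two ldapsearch outputs, keeps every contextCSN value (a multi-provider setup has one per serverID), and reports whether the consumer is in sync, behind, or, suspiciously, ahead of the provider. The host names and suffix are the post's own; the LDIF it runs on by default is constructed so the script works offline.</div>

```shell
#!/bin/sh
# Added example, not code from the original post: decide from contextCSN
# whether an OpenLDAP consumer has caught up with its provider. The host
# names and suffix are the post's own; the LDIF samples at the bottom are
# constructed so the script can be run offline without ldapsearch.

SUFFIX="dc=company,dc=com"

# Read LDIF on stdin and print every contextCSN value, one per line, sorted.
# LDIF folds long attribute lines onto a continuation line that starts with
# a space, so the awk pass unfolds them first. A multi-provider setup has
# one contextCSN per serverID, which is why all values are kept.
extract_csn() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | grep -i '^contextCSN: ' | cut -d' ' -f2- | sort
}

# Print one word describing the consumer relative to the provider:
#   in-sync   both CSN sets identical: replication has caught up
#   behind    consumer's newest CSN is older than the provider's
#   ahead     consumer's newest CSN is newer: it was written to directly or
#             follows another provider, so investigate before trusting it
#   diverged  newest CSN matches but the sets differ (multi-provider only)
#   unknown   one side returned no contextCSN (ACL denies it, wrong base DN)
csn_state() {
    provider=$1
    consumer=$2
    if [ -z "$provider" ] || [ -z "$consumer" ]; then
        echo unknown
    elif [ "$provider" = "$consumer" ]; then
        echo in-sync
    else
        # A CSN starts with its UTC timestamp, so plain string sorting is
        # chronological: the last line of each sorted set is the newest.
        p=$(printf '%s\n' "$provider" | tail -n 1)
        c=$(printf '%s\n' "$consumer" | tail -n 1)
        newest=$(printf '%s\n%s\n' "$p" "$c" | sort | tail -n 1)
        if [ "$p" = "$c" ]; then
            echo diverged
        elif [ "$newest" = "$p" ]; then
            echo behind
        else
            echo ahead
        fi
    fi
}

# Ask one server for the suffix entry's contextCSN. It is an operational
# attribute, so it must be requested by name (or with "+"). Authentication
# comes from the ticket obtained with kinit and the client's ldap.conf.
fetch_csn() {
    ldapsearch -LLL -H "ldap://$1" -s base -b "$SUFFIX" contextCSN | extract_csn
}

if [ $# -eq 2 ] && command -v ldapsearch >/dev/null 2>&1; then
    # Usage: kinit; sh csn-check.sh alice.company.com bob.company.com
    echo "$2 is $(csn_state "$(fetch_csn "$1")" "$(fetch_csn "$2")") relative to $1"
else
    # Constructed ldapsearch output: the provider value from the post and a
    # consumer that is about seventeen minutes behind it.
    provider_ldif='dn: dc=company,dc=com
contextCSN: 20140207211614.110524Z#000000#000#000000'
    consumer_ldif='dn: dc=company,dc=com
contextCSN: 20140207205900.000001Z#000000#000#000000'
    prov=$(printf '%s\n' "$provider_ldif" | extract_csn)
    cons=$(printf '%s\n' "$consumer_ldif" | extract_csn)
    echo "same CSN on both sides: $(csn_state "$prov" "$prov")"   # in-sync
    echo "consumer older:         $(csn_state "$prov" "$cons")"   # behind
fi
```

<div>
Run it as <span style="font-family: 'Courier New', Courier, monospace;">sh csn-check.sh alice.company.com bob.company.com</span> after <span style="font-family: 'Courier New', Courier, monospace;">kinit</span> to query the live servers; with no arguments it exercises the constructed samples. An "ahead" result on a consumer deserves attention: in this single-provider setup nothing should ever be written to bob directly.</div>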
<h2>
Client Configuration</h2>
<br />
Now that we have two OpenLDAP servers, we need to configure the client machines to use them both. Perform these configuration changes on all your LDAP client machines :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh client.company.com</span><br />
<br />
Change the sudoers LDAP configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/ha.etc.ldap.conf">/etc/ldap.conf</a></span><br />
<br />
Change the system LDAP configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/ha.etc.openldap.ldap.conf">/etc/openldap/ldap.conf</a></span><br />
<br />
Change the client's nslcd configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/ha.etc.nslcd.conf">/etc/nslcd.conf</a></span><br />
<br />
Change the pam_ldap configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/ha.etc.pam_ldap.conf">/etc/pam_ldap.conf</a></span><br />
<br />
Change the Kerberos configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/ha.etc.krb5.conf">/etc/krb5.conf</a></span><br />
<br />
As you can see, this requires quite a few changes. So you should probably script these changes. I usually set up an admin server that runs Apache with configuration files on it. Clients can thus simply <span style="font-family: 'Courier New', Courier, monospace;">wget</span> them. Easy. Or you can use <a href="http://puppetlabs.com/">Puppet</a>. Even better!<br />
<br />
Whatever you use to push the files, fetch them over an authenticated channel (HTTPS with certificate verification, or Puppet's own TLS): a client that pulls its <span style="font-family: 'Courier New', Courier, monospace;">ldap.conf</span> and <span style="font-family: 'Courier New', Courier, monospace;">krb5.conf</span> over plain HTTP can be pointed at an attacker's directory and KDC. With the new client configuration in place, stop the LDAP and Kerberos services on <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> and check that the clients still authenticate, resolve users and groups, and pick up their sudo rules through <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span>.<br />
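<div>
Before pulling the plug on alice, it is worth checking that none of the files above still names only one server. The script below is an added example, not the post's own configuration (those files are only linked): it extracts the hosts each client file refers to and flags any file that does not mention both <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> and <span style="font-family: 'Courier New', Courier, monospace;">bob.company.com</span>. The expected host list and the syntaxes it understands (<span style="font-family: 'Courier New', Courier, monospace;">uri</span>/<span style="font-family: 'Courier New', Courier, monospace;">host</span> lines and the <span style="font-family: 'Courier New', Courier, monospace;">kdc</span>/<span style="font-family: 'Courier New', Courier, monospace;">admin_server</span> lines of <span style="font-family: 'Courier New', Courier, monospace;">krb5.conf</span>) are assumptions to adjust to your files.</div>

```shell
#!/bin/sh
# Added example, not from the original post: before the failover test,
# check that every LDAP and Kerberos client file names both servers, so
# that losing one host cannot strand the client. File names and host names
# are the post's; the configuration snippets written by the demo are
# constructed. Run it with no arguments for the demo, or with the real
# files: sh ha-check.sh /etc/ldap.conf /etc/nslcd.conf /etc/krb5.conf

EXPECTED="alice.company.com bob.company.com"

# Print the host names one client file refers to, one per line. Three
# syntaxes are covered: "uri ldap://host/ ldap://host2/" and the older
# "host a b" form used by ldap.conf, pam_ldap.conf and nslcd.conf, and the
# "kdc = host:88" / "admin_server = host" lines of krb5.conf.
hosts_in() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "uri" || tolower($1) == "host" {
            for (i = 2; i <= NF; i++) {
                h = $i
                sub(/^ldaps?:\/\//, "", h)
                sub(/[\/:].*$/, "", h)
                if (h != "") print h
            }
        }
        tolower($1) ~ /^(kdc|admin_server|master_kdc)$/ {
            h = $NF
            sub(/:[0-9]+$/, "", h)
            print h
        }
    ' "$1" | sort -u
}

# Report whether one file mentions every expected host. Prints the missing
# ones and returns 1 if any are absent.
check_file() {
    found=$(hosts_in "$1")
    missing=""
    for h in $EXPECTED; do
        printf '%s\n' "$found" | grep -qxF "$h" || missing="$missing $h"
    done
    if [ -n "$missing" ]; then
        echo "$1: MISSING$missing"
        return 1
    fi
    echo "$1: ok ($(printf '%s\n' "$found" | tr '\n' ' '))"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do check_file "$f"; done
else
    tmp=$(mktemp -d)
    # Constructed nslcd.conf that lists both servers ...
    printf '%s\n' '# constructed sample' \
        'uri ldap://alice.company.com/ ldap://bob.company.com/' \
        'base dc=company,dc=com' > "$tmp/nslcd.conf"
    # ... and a constructed krb5.conf that still points at a single KDC,
    # the kind of leftover this check exists to catch.
    printf '%s\n' '[realms]' ' COMPANY.COM = {' '  kdc = alice.company.com:88' \
        '  admin_server = alice.company.com' ' }' > "$tmp/krb5.conf"
    check_file "$tmp/nslcd.conf"
    check_file "$tmp/krb5.conf" || :
    rm -rf "$tmp"
fi
```

<div>
A file that only lists <span style="font-family: 'Courier New', Courier, monospace;">alice.company.com</span> is reported as MISSING the other host, which is what you want to know before shutting alice down rather than after.</div>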
<br />
<h2>
Troubleshooting</h2>
<br />
<h3>
olcLogLevel</h3>
<br />
If you're not sure what the syncrepl engine is doing, turn on sync logging. This replaces the current log level, so add back anything else you were logging, and turn it down again afterwards: sync logging is verbose.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -Z <<-EOF</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">changetype: modify</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">replace: olcLogLevel</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcLogLevel: stats sync</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">EOF</span><br />
<div>
<br /></div>
You can do this on both the consumer and the provider.<br />
<br />
<h3>
syncrepl_message_to_entry</h3>
<br />
If you get this type of error :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">syncrepl_message_to_entry: rid=000 mods check (objectClass: value #1 invalid per syntax)</span><br />
<br />
It means the consumer is missing a schema that the provider has, so an objectClass value in the replicated entry is unknown to it. The <span style="font-family: 'Courier New', Courier, monospace;">rid=000</span> part can differ on your server: it is the replication ID set in the consumer's <span style="font-family: 'Courier New', Courier, monospace;">olcSyncrepl:</span> attribute. Compare the schemas on both machines and fix the consumer so that it loads exactly the same ones as the provider. So, the first thing you must do is check the schemas on the provider :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=schema,cn=config dn</span><br />
<div>
<br /></div>
<div>
Then connect to the consumer and check the schemas there :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -ZLLLb cn=schema,cn=config dn</span></div>
<div>
<br /></div>
<div>
If the consumer is missing some schemas present on the provider, then add those missing schemas to the consumer and try the replication again.</div>
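<div>
Doing that comparison by eye is error-prone, because the <span style="font-family: 'Courier New', Courier, monospace;">{N}</span> ordering prefix in each DN differs when the schemas were loaded in a different order. The script below is an added example, not the post's: it runs the same <span style="font-family: 'Courier New', Courier, monospace;">ldapsearch</span> over ssh on both servers, strips the ordering prefix and prints the schema names the consumer lacks. Offline it runs on constructed listings.</div>

```shell
#!/bin/sh
# Added example, not from the original post: list the schemas loaded on the
# provider and on the consumer and print what the consumer lacks, which is
# the usual cause of "mods check (objectClass: value #1 invalid per syntax)".
# Host names match the post; the LDIF used by the demo is constructed.

# Turn "dn: cn={3}inetorgperson,cn=schema,cn=config" into "inetorgperson".
# The {N} prefix only records load order, which may legitimately differ
# between servers, so it is dropped before comparing. The bare
# "dn: cn=schema,cn=config" container line has no {N} and is skipped.
schema_names() {
    grep -i '^dn: cn={' |
        sed -e 's/^dn: cn={[0-9]*}//' -e 's/,cn=schema,cn=config$//' |
        sort -u
}

# Print the names in the first newline-separated list that the second lacks.
missing_from() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -qxF "$name" || echo "$name"
    done
}

if [ $# -eq 2 ]; then
    # Usage: sh schema-diff.sh alice.company.com bob.company.com
    # Same query the post runs by hand, executed over ssh on each server.
    prov=$(ssh "$1" ldapsearch -ZLLLb cn=schema,cn=config dn | schema_names)
    cons=$(ssh "$2" ldapsearch -ZLLLb cn=schema,cn=config dn | schema_names)
else
    # Constructed listings: the consumer lacks the kerberos schema and loaded
    # cosine and nis in the opposite order, which must not be reported.
    prov=$(printf '%s\n' 'dn: cn=schema,cn=config' \
        'dn: cn={0}core,cn=schema,cn=config' 'dn: cn={1}cosine,cn=schema,cn=config' \
        'dn: cn={2}nis,cn=schema,cn=config' 'dn: cn={3}kerberos,cn=schema,cn=config' | schema_names)
    cons=$(printf '%s\n' 'dn: cn=schema,cn=config' \
        'dn: cn={0}core,cn=schema,cn=config' 'dn: cn={1}nis,cn=schema,cn=config' \
        'dn: cn={2}cosine,cn=schema,cn=config' | schema_names)
fi

echo "schemas missing on the consumer:"
missing_from "$prov" "$cons"          # kerberos
echo "schemas only on the consumer:"
missing_from "$cons" "$prov"          # (none)
```

<div>
Load whatever it lists on the consumer with <span style="font-family: 'Courier New', Courier, monospace;">ldapadd</span> against <span style="font-family: 'Courier New', Courier, monospace;">cn=config</span>, then retry the replication.</div>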
<br />
<h3>
Missing DB_CONFIG, but it's there?</h3>
<br />
Your logs show these error messages when you start slapd :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[7722]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap/accesslog: (14).#012Expect poor performance for suffix "cn=accesslog".</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[7722]: slapd starting</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[7722]: <= bdb_equality_candidates: (objectClass) not indexed</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[7722]: <= bdb_inequality_candidates: (reqStart) not indexed</span><br />
<div>
<br /></div>
<div>
But when you look into the <span style="font-family: 'Courier New', Courier, monospace;">/var/lib/ldap/accesslog</span> directory, there is a <span style="font-family: 'Courier New', Courier, monospace;">DB_CONFIG</span> file and the permissions are good.</div>
<div>
<br /></div>
<div>
What's the problem?</div>
<div>
<br /></div>
<div>
Well, it's simply that the accesslog database's entry in <span style="font-family: 'Courier New', Courier, monospace;">cn=config</span> carries the wrong class, « <span style="font-family: 'Courier New', Courier, monospace;">objectClass: olc<b>B</b>dbConfig</span><span style="font-family: inherit;"> »</span>. For an hdb database it must be « <span style="font-family: 'Courier New', Courier, monospace;">objectClass: olc<b>H</b>dbConfig</span><span style="font-family: inherit;"> ». Notice the small, but very critical, difference?</span></div>
<div>
<br /></div>
<div>
That's it! </div>
<div>
<br /></div>
<div>
That means we finished our initial goals :</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li><strike>Use OpenLDAP as automount map repository for autofs.</strike></li>
<li><strike>Use OpenLDAP as NFS netgroup repository again for autofs.</strike></li>
<li><strike>Use OpenLDAP as the Kerberos principal repository.</strike></li>
<li><strike>Setup OpenLDAP backup and recovery.</strike></li>
<li><strike>Setup OpenLDAP replication.</strike></li>
</ol>
</div>
<div>
The next set of goals are coming. I want to enable Referential Integrity in the LDAP DIT (i.e. when you delete a user it is also deleted from the various groups he's part of). I'm also interested in pulling information, such as users, passwords and groups from Active Directory servers and thus remove Samba.</div>
<div>
<br /></div>
HTH, Let me know if I made a mistake as this post was not easy to put together.<br />
<div>
DA+</div>
<div>
<br /></div>
<div>
<h2>
References</h2>
<ul>
<li><a href="http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl">Delta-syncrepl Provider configuration</a></li>
<li><a href="http://www.rjsystems.nl/en/2100-d6-openldap-consumer.php">OpenLDAP consumer on Debian squeeze</a></li>
</ul>
</div>
<b>CentOS Serial Console Server with Digi AccelePort Xem Module</b> (published 2012-05-31, updated 2012-06-27)<br />
<br />
In order to manage UNIX, Linux and Cisco machines effectively from a remote location, you redirect each machine's console to its serial port and hook that port to a serial console server. It is also good from a security standpoint: everything sent to the console is logged on the console server, which is valuable in a forensic investigation because the log survives even when the managed host itself is wiped. Ideally, to have even the firmware available on the serial port, you run Oracle/Sun Microsystems or IBM pSeries machines, but most newer x86 servers can redirect their BIOS to the serial port as well. Do it, it's great! With the console server, you have access to everything the server has to offer from the comfort of your office.
<br />
<br />
<a name='more'></a><br />
<h2>
Server Setup</h2>
<h3>
</h3>
<h3>
Server Hardware</h3>
<br />
To create a console server, you can either buy one from Avocent, Cyclades or the like, or use a standard Linux machine into which you install serial port cards. The Digi serial port cards called Digiboard PCI PC/Xem are great for this purpose. To use the Digi products, get these items from Digi :<br />
<ul>
<li>Digi part number <b>70001757</b>. This is the AccelePort Xem Universal PCI (3.3V & 5V) 16-port RS-232 RJ-45 1U 19" rack with a MSRP of 1249 US$. This product number is for a bundle which contains the PCI card, the cable and a 1U rackmount RJ45 RS-232 port concentrator.</li>
<li>Digi part number <b>76000617</b>. This is the Digi PORTS/16em Module Rack Mount RJ-45 with a MSRP of 722$US. This product is just an extra 1U rackmount RJ45 RS-232 port concentrator with the cable.</li>
</ul>
The nice thing about these Digi cards and concentrators is that with a single card, you can daisy-chain up to 4 concentrators. Note that the third and fourth concentrators will need an extra power-supply unit (sold by Digi of course).<br />
<br />
<h3>
Server Software Installation</h3>
<br />
Start by installing a minimal CentOS 6 machine. Once it's up, add a « <span style="font-family: 'Courier New', Courier, monospace;">blacklist epca</span> » line to <span style="font-family: 'Courier New', Courier, monospace;">blacklist.conf</span>, so that the kernel's own <span style="font-family: 'Courier New', Courier, monospace;">epca</span> driver for Digi boards does not claim the card before the Digi <span style="font-family: 'Courier New', Courier, monospace;">dgap</span> module built below; that is what causes errors later otherwise.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/modprobe.d/blacklist.conf</span><br />
<br />
Reboot the machine to make sure this new blacklisted module will not be loaded.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo shutdown -r now</span><br />
<br />
Install some packages required to build software. Here we also install the <a href="http://www.gnu.org/software/screen/">screen</a> package which is pivotal in the use of the console server.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install rpm-build make gcc gcc-c++ kernel-devel ncurses-devel screen</span><br />
<div>
<br /></div>
<div>
Download the latest module code.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">wget ftp://ftp1.digi.com/support/beta/linux/dgap/dgap-1.3-22.src.rpm</span></div>
<div>
<br /></div>
<div>
Install the source rpm. We can then delete the source rpm after since we won't be needing it anymore.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpm -Uvh dgap*.src.rpm</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rm dgap-1.3-22.src.rpm</span></div>
<div>
<br /></div>
<div>
Build the module.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpmbuild -ba /root/rpmbuild/SPECS/dgap-1.3.spec</span></div>
</div>
<div>
<br /></div>
<div>
Install the new package. Once it's installed, it will prompt you to run the mpi command to configure the driver. <b>Don't do this right now!</b> We need to get the module loaded first.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpm -Uvh /root/rpmbuild/RPMS/i386/dgap-1.3-22.i386.rpm</span></div>
</div>
<div>
<br /></div>
<div>
Make sure the new module is loaded.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo modprobe dgap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">lsmod | grep dgap</span></div>
<div>
<br /></div>
<div>
Now run Digi's <span style="font-family: 'Courier New', Courier, monospace;">mpi</span> configuration tool, which has an ncurses interface.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mpi</span></div>
<div>
<br /></div>
<div>
Follow these steps :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>Config</b></span></div>
<div>
Are you sure you want to continue? <span style="font-family: 'Courier New', Courier, monospace;"><b>Yes</b></span></div>
<div>
Do you want ID letters picked for you? <span style="font-family: 'Courier New', Courier, monospace;"><b>Yes</b></span></div>
<div>
How many adapters do you want to install? <span style="font-family: 'Courier New', Courier, monospace;"><b><select the number of PCI cards you have, normally just one></b></span></div>
<div>
What type of adapter do you have? <b><span style="font-family: 'Courier New', Courier, monospace;">2 AccelePort Xem PCI</span></b></div>
<div>
How many modules are connected to the adapter? <b><span style="font-family: 'Courier New', Courier, monospace;"><choose how many you have></span></b></div>
<div>
How many ports are on the EBI module 1? <b><span style="font-family: 'Courier New', Courier, monospace;">16 ports</span></b></div>
<div>
Is this configuration acceptable? <span style="font-family: 'Courier New', Courier, monospace;"><b>Yes</b></span></div>
<div>
Altpin : Is this acceptable? <b><span style="font-family: 'Courier New', Courier, monospace;">Yes</span></b></div>
<div>
Would you like to load the driver with this configuration now? <b><span style="font-family: 'Courier New', Courier, monospace;">Yes</span></b></div>
<div>
<br /></div>
<div>
At this point the dgap module will unload and reload. Each time you will be prompted to say « <b><span style="font-family: 'Courier New', Courier, monospace;">Ok</span></b> ». Then simply « <span style="font-family: 'Courier New', Courier, monospace;"><b>Exit</b></span> » from the utility.</div>
<div>
<br /></div>
<div>
We should now see those lines in our <span style="font-family: 'Courier New', Courier, monospace;">/var/log/messages</span> file :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 31 13:43:00 hostname kernel: dgap: board 0: AccelePort XEM (rev 1), irq 20</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 31 13:51:51 hostname kernel: dgap: dgap-1.3-22, Digi International Part Number 40002347_C</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 31 13:51:51 hostname kernel: dgap: For the tools package or updated drivers please visit http://www.digi.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 31 13:51:51 hostname kernel: dgap: board 0: AccelePort XEM (rev 1), irq 20</span></div>
</div>
<div>
<br /></div>
<div>
And some new devices in our <span style="font-family: 'Courier New', Courier, monospace;">/dev</span> directory :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ls /dev/ttya*</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/ttya01 /dev/ttya03 /dev/ttya05 /dev/ttya07 /dev/ttya09 /dev/ttya11 /dev/ttya13 /dev/ttya15</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/dev/ttya02 /dev/ttya04 /dev/ttya06 /dev/ttya08 /dev/ttya10 /dev/ttya12 /dev/ttya14 /dev/ttya16</span></div>
</div>
<div>
<br /></div>
<h3>
Server Software Configuration</h3>
<div>
<br /></div>
<div>
Now that we have both the hardware and software installed in our new console server, we need to configure it. We will use the <a href="http://www.gnu.org/software/screen/">screen</a> software to jump from one console to the next. It will also enable us to log everything that happens at the console even when we're not using it.</div>
<div>
<br /></div>
<div>
So let's first create some directories.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /etc/console/RCS</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /etc/console/screenrc</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /var/log/console</span></div>
</div>
<div>
<br /></div>
<div>
Make sure our future console logs don't grow too big.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/logrotate.d/console</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># /etc/logrotate.d/console</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">#</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># Clean up serial console log files.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">#</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># David Robillard, May 31st, 2012.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/var/log/console/*.log {</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>weekly</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>missingok</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rotate 7</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>compress</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>delaycompress</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>notifempty</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>create 640 root root</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">}</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># EOF</span></div>
</div>
<div>
<br /></div>
<div>
Check that the new configuration file parses (<span style="font-family: 'Courier New', Courier, monospace;">-d</span> is logrotate's debug mode: it prints what it would do without rotating anything).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo logrotate -d /etc/logrotate.conf</span></div>
<div>
<br /></div>
<div>
Now create a global configuration file for the serial console server. An example <span style="font-family: 'Courier New', Courier, monospace;">ports.conf</span> file can be found in my DropBox account as you click on the URL.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="http://dl.dropbox.com/u/72609528/blog/console/ports.conf">/etc/console/ports.conf</a></span></div>
<div>
<br /></div>
<div>
Create a startup script. Again, the content of the script can be found on my DropBox account as you click on the URL.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="http://dl.dropbox.com/u/72609528/blog/console/console">/etc/init.d/console</a></span></div>
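<div>
To show what such a startup script has to do, here is an added example; it is not the author's <span style="font-family: 'Courier New', Courier, monospace;">/etc/init.d/console</span>, which is only linked above. It reads a port map, writes one screenrc per console into <span style="font-family: 'Courier New', Courier, monospace;">/etc/console/screenrc</span> with logging to <span style="font-family: 'Courier New', Courier, monospace;">/var/log/console</span> enabled, and starts a detached screen session per serial device. The <span style="font-family: 'Courier New', Courier, monospace;">ports.conf</span> layout it parses (one "name device [speed]" line per console, <span style="font-family: 'Courier New', Courier, monospace;">#</span> comments) is an assumption; adapt it to the real file.</div>

```shell
#!/bin/sh
# Added example, not the post's own /etc/init.d/console script (that one is
# only linked, not reproduced): the core of such a script, which reads the
# port map, writes one screenrc per console with logging enabled, and starts
# a detached screen on each serial device. The ports.conf layout assumed
# here, "name device [speed]" with '#' comments, is a guess; adapt
# parse_ports to the real file. Run with no arguments for an offline demo,
# or "sudo sh console-start.sh start" to start the consoles for real.

PORTS_CONF=${PORTS_CONF:-/etc/console/ports.conf}
SCREENRC_DIR=${SCREENRC_DIR:-/etc/console/screenrc}
LOG_DIR=${LOG_DIR:-/var/log/console}

# Print "name device speed" for each usable line of the port map. Names are
# restricted to a safe character set because they become file names under
# SCREENRC_DIR and LOG_DIR, and devices must live under /dev.
parse_ports() {
    awk '
        /^[ \t]*#/ || NF == 0         { next }
        $1 !~ /^[A-Za-z0-9._-]+$/     { next }
        $2 !~ /^\/dev\//              { next }
        { print $1, $2, (NF >= 3 ? $3 : 9600) }
    ' "$1"
}

# Emit the screenrc for one console. deflog turns logging on before the
# window exists, so the first bytes after attach are captured too; the
# one-second flush keeps the log current if the console server itself dies.
screenrc_for() {
    printf '%s\n' \
        "# generated for console $1" \
        "deflog on" \
        "logfile $LOG_DIR/$1.log" \
        "logfile flush 1" \
        "logtstamp on"
}

# Start one detached screen per port (screen -dmS), each reading its own
# screenrc. With DRY_RUN=1 the commands are printed instead of executed.
start_consoles() {
    parse_ports "$1" | while read -r name dev speed; do
        screenrc_for "$name" > "$SCREENRC_DIR/$name"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "screen -dmS $name -c $SCREENRC_DIR/$name $dev $speed"
        else
            screen -dmS "$name" -c "$SCREENRC_DIR/$name" "$dev" "$speed"
        fi
    done
}

case ${1:-demo} in
    start)
        mkdir -p "$SCREENRC_DIR" "$LOG_DIR"
        start_consoles "$PORTS_CONF"
        ;;
    demo)
        tmp=$(mktemp -d)
        SCREENRC_DIR=$tmp
        printf '%s\n' '# constructed port map: name device speed' \
            'web01   /dev/ttya01 9600' \
            'sw-core /dev/ttya02' > "$tmp/ports.conf"
        DRY_RUN=1 start_consoles "$tmp/ports.conf"
        cat "$tmp/web01"
        rm -rf "$tmp"
        ;;
esac
```

<div>
Because the console names end up as paths under <span style="font-family: 'Courier New', Courier, monospace;">/etc/console/screenrc</span> and <span style="font-family: 'Courier New', Courier, monospace;">/var/log/console</span>, the parser rejects anything that is not a plain word; a stray <span style="font-family: 'Courier New', Courier, monospace;">../</span> in the port map must not become a file write somewhere else as root.</div>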
<div>
<br /></div>
<h3>
Server Kernel Upgrade</h3>
<div>
<br /></div>
<div>
A minor annoyance with this setup is that when we upgrade the console server's kernel, we have to rebuild the module. Here's how to do so :</div>
<div>
<br /></div>
<div>
Recreate the module.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpmbuild -ba /root/rpmbuild/SPECS/dgap-1.3.spec</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Install the new package using <span style="font-family: 'Courier New', Courier, monospace;">--force</span> because it's actually already installed.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpm -Uvh --force /root/rpmbuild/RPMS/i386/dgap-1.3-22.i386.rpm</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Fix udev configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp /etc/dgap/10-dgap.rules /etc/udev/rules.d</span></div>
<div>
<br /></div>
<div>
Re-run the configuration utility (see above on how to do this).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mpi</span></div>
<div>
<br /></div>
<div>
Restart the serial consoles.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/console restart</span></div>
<div>
<br /></div>
<h2>
Client Configuration</h2>
<div>
<br /></div>
<h3>
Client Hardware</h3>
<br />
The serial port (i.e. <span style="font-family: 'Courier New', Courier, monospace;">COM1</span> in PC language) of each client must be fitted with a <a href="http://www.pccables.com/01910.htm">DB9 to RJ45 adapter</a>, sometimes referred to as a null-modem adapter. It is easy to buy adapters whose DB9 connector is not yet attached to the wires of the RJ45 cable. In that case, connect the DB9 connector like this :<br />
<br />
<ol>
<li><span style="color: blue;">blue</span> RJ45 cable to DB9 pin number 1.</li>
<li><span style="color: red;">red</span> RJ45 cable to DB9 pin number 2.</li>
<li><span style="color: #38761d;">green</span> RJ45 cable to DB9 pin number 3.</li>
<li><span style="color: white;">white</span> RJ45 cable to DB9 pin number 4.</li>
<li><span style="color: yellow;">yellow</span> RJ45 cable to DB9 pin number 5.</li>
<li><span style="color: orange;">orange</span> RJ45 cable to DB9 pin number 6.</li>
<li><span style="color: #783f04;">dark brown</span> RJ45 cable to DB9 pin number 7.</li>
<li><span style="background-color: black;">black </span>RJ45 cable to DB9 pin number 8.</li>
</ol>
<br />
The DB9 pin number 9 is not connected to anything.<br />
<br />
Close the DB9 connector and then place it on the client's serial 0 port (or <span style="font-family: 'Courier New', Courier, monospace;">COM1</span> in PC language). Connect the RJ45 cable into a port in the Digi PORTS/16em serial console module.<br />
<br />
Important : take a note of which port you connect which server. You need this to configure the <span style="font-family: 'Courier New', Courier, monospace;">/etc/console/ports.conf</span> file on the server.<br />
<br />
<h3>
Client OS Configuration</h3>
<div>
<br /></div>
<div>
Modify the <span style="font-family: 'Courier New', Courier, monospace;">/boot/grub/grub.conf</span> file to enable serial console output; the modified lines are listed in <b>bold</b>. GRUB counts serial units from 0, so the COM1/<span style="font-family: 'Courier New', Courier, monospace;">ttyS0</span> port used here is <span style="font-family: 'Courier New', Courier, monospace;">--unit=0</span>, and the <span style="font-family: 'Courier New', Courier, monospace;">--speed</span> must match the baud rate in the kernel's <span style="font-family: 'Courier New', Courier, monospace;">console=</span> argument (9600 on both).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /boot/grub/grub.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># /boot/grub/grub.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">#</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># Grub configuration file. See grub(8).</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">#</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># David Robillard, April 20th, 2012.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>serial --unit=0 --speed=9600</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>terminal --timeout=8 console serial</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">default=0</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">timeout=5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>#splashimage=(hd0,0)/grub/splash.xpm.gz</b></span></div>
<span style="font-family: 'Courier New', Courier, monospace;">
</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">hiddenmenu</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">title CentOS (2.6.32-220.17.1.el6.i686)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>root (hd0,0)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>kernel /boot/vmlinuz-2.6.32-220.17.1.el6.i686 ro root=UUID=473422f2-caf3-4eed-bcb7-edbbab98a7b2 nomodeset rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_NO_LVM rd_NO_DM <b>console=tty console=ttyS0,9600n8</b></span></div>
</gr_repl<gr_replace lines="8684-8684" cat="clarify" orig="<span style=&quot;font-family: 'Courier New', Courier, monospace;&quot;><span class=&quot;Apple-tab-span&quot;">
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>kernel /boot/vmlinuz-2.6.32-220.el6.i686 ro root=UUID=473422f2-caf3-4eed-bcb7-edbbab98a7b2 nomodeset rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_NO_LVM rd_NO_DM <b>console=tty console=ttyS0,9600n8</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>initrd /boot/initramfs-2.6.32-220.17.1.el6.i686.img</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">title CentOS (2.6.32-220.el6.i686)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>root (hd0,0)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>kernel /boot/vmlinuz-2.6.32-220.el6.i686 ro root=UUID=473422f2-caf3-4eed-bcb7-edbbab98a7b2 nomodeset rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_NO_LVM rd_NO_DM <b>console=tty console=ttyS0,9660n8</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>initrd /boot/initramfs-2.6.32-220.el6.i686.img</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># EOF</span></div>
</div>
<div>
<br /></div>
<div>
Don't worry, the <span style="font-family: 'Courier New', Courier, monospace;">console=tty console=ttyS0,9600n8</span> portion of the <span style="font-family: 'Courier New', Courier, monospace;">kernel</span> line is carried over to the new entry when the kernel is upgraded. If you also want the kernel's own boot messages on the serial console, drop <span style="font-family: 'Courier New', Courier, monospace;">rhgb</span> and <span style="font-family: 'Courier New', Courier, monospace;">quiet</span> from the kernel line.</div>
<div>
<br /></div>
<div>
Next make sure the <span style="font-family: 'Courier New', Courier, monospace;">ttyS0</span> console exists in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/securetty</span> file. Again, the change to this file is listed in <b>bold</b>.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/securetty</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">console</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/4</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/6</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/7</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/8</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/9</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/10</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vc/11</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty3</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty4</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty6</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty7</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty8</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty9</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty10</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">tty11</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>ttyS0</b></span></div>
<div>
<br /></div>
</div>
<div>
Once this is done, simply reboot the client.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo shutdown -r now</span></div>
<div>
<br /></div>
<h2>
Console Usage</h2>
<div>
<br /></div>
<div>
Connect the RJ45 cables from the module and record which port each client is connected to in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/console/ports.conf</span> file on the server. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/console/ports.conf</span></div>
<div>
<br /></div>
<div>
Start the serial consoles.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/console start</span></div>
<div>
<br /></div>
<div>
Check which consoles have been started. Here we only have a single active one.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo screen -ls</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">There is a screen on:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>5619.client<span class="Apple-tab-span" style="white-space: pre;"> </span>(Detached)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">1 Socket in /var/run/screen/S-root.</span></div>
</div>
<div>
<br /></div>
<div>
If we need to grab the client's console, we simply go like this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo screen -r client</span></div>
<div>
<br /></div>
<div>
That will dump us into the client's console. We can exit from the console by striking the escape sequence which is « <span style="font-family: 'Courier New', Courier, monospace;">Ctrl-X D</span> » which means « <span style="font-family: 'Courier New', Courier, monospace;">Control-X Detach</span> ». So we first hit « <span style="font-family: 'Courier New', Courier, monospace;">Ctrl-X</span> » and then hit « <span style="font-family: 'Courier New', Courier, monospace;">D</span> ».</div>
<div>
<br /></div>
<div>
Those familiar with screen will notice that the escape sequence was changed from the default « <span style="font-family: 'Courier New', Courier, monospace;">Ctrl-A</span> ». The reason is to be able to work inside a screen session and still grab a console, in effect running a screen inside another screen. We thus need a way to differentiate between the two screen escape sequences.</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<br />
<b>HOWTO : OpenLDAP 2.4 Backup & Recovery on CentOS 6.2</b> (2012-05-15)<br />
This blog post will explain how to back up and restore our OpenLDAP 2.4 server. This is goal number nine.<br />
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
The <a href="http://www.openldap.org/doc/admin24/maintenance.html#Directory Backups">Maintenance chapter in the OpenLDAP Administrator's Guide</a> on this topic is not very explicit. We hope this blog post will be more helpful.<br />
<br />
<a name='more'></a><br />
<h3>
Backup</h3>
<br />
<div>
We need to back up the OpenLDAP data, the OpenLDAP configuration and the OpenLDAP directory along with the system-wide LDAP configuration. Why take both the configuration and the directory? Because the configuration in LDIF format contains neither the Kerberos keytab nor the <span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig/ldap</span> file.<br />
<br />
Both the data and the configuration are dumped in LDIF files with the help of <span style="font-family: 'Courier New', Courier, monospace;">slapcat(8C)</span>. The directory and daemon configuration file are placed together in a compressed <span style="font-family: 'Courier New', Courier, monospace;">tar(1)</span> file.<br />
<br />
A quick shell script takes care of the backup procedure.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /root/scripts</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /root/scripts/backup.slapd.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">#!/bin/sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># /root/scripts/backup.slapd.sh</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">#</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"># Backup the OpenLDAP data and configuration as compressed LDIF files.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"># Also backup the entire OpenLDAP directory and daemon configuration.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">#</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"># David Robillard, April 23rd, 2012.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">umask 022</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">export PATH</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">DATE=`date +%Y%m%d`</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">BACKUP_DIR="/root/backup/slapd"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">BACKUP_DATA_FILENAME="slapd.data.${DATE}.ldif"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">BACKUP_CONFIG_FILENAME="slapd.config.${DATE}.ldif"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">BACKUP_TAR_FILENAME="slapd.directory.${DATE}.tar.gz"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">CA_TLS_CERT="/etc/pki/tls/certs/companyCA.crt"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">DIT_CONFIG="cn=config"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">DIT_SUFFIX="dc=company,dc=com"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPD_CONFIG_FILENAME="/etc/sysconfig/ldap"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPD_DIR="/etc/openldap"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPD_LOG_ROTATION="/etc/logrotate.d/slapd"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPD_TLS_CERT="/etc/pki/tls/certs/alice.company.com.pem"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPD_TLS_KEY="/etc/pki/tls/certs/alice.company.com.key"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">SLAPCAT_OPTIONS="-F /etc/openldap/slapd.d"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">LOGFILE="/var/log/backup/slapd.log"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">KEEP="30"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Make sure we have a log file.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">if [ ! -f ${LOGFILE} ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>touch ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if [ "$?" -ne "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: could not create the log file."</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Check if root is running this script.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">if [ `id -u` -ne "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: only root can run this script." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Make sure we have a backup directory.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">if [ ! -d ${BACKUP_DIR} ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>mkdir -p ${BACKUP_DIR}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if [ "$?" -ne "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: could not create the backup directory." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Make sure we don't have too many backup files piling up in our backup directory.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">FILES=`find ${BACKUP_DIR} -type f -name "slapd.*" -print | wc -l`</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">if [ "${FILES}" -gt "${KEEP}" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>OVER=`echo ${FILES}-${KEEP} | bc`</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>RMFILES=`find ${BACKUP_DIR} -type f -name "slapd.*" -print | sort -r | tail -${OVER}`</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "NOTE: removing ${RMFILES} from the backup directory." >> ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rm ${RMFILES}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Backup the DIT data.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapcat ${SLAPCAT_OPTIONS} -b ${DIT_SUFFIX} -l ${BACKUP_DIR}/${BACKUP_DATA_FILENAME} >/dev/null 2>&1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">if [ "$?" -eq "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>gzip -f ${BACKUP_DIR}/${BACKUP_DATA_FILENAME} >> ${LOGFILE} 2>&1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if [ "$?" -ne "0" ] ; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: dump file compression problem." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">else</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: problem running slapcat(8C) for the DIT data backup." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rm ${BACKUP_DIR}/${BACKUP_DATA_FILENAME}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Backup the DIT config as an LDIF file.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">slapcat ${SLAPCAT_OPTIONS} -b ${DIT_CONFIG} -l ${BACKUP_DIR}/${BACKUP_CONFIG_FILENAME} >/dev/null 2>&1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">if [ "$?" -eq "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>gzip -f ${BACKUP_DIR}/${BACKUP_CONFIG_FILENAME} >> ${LOGFILE} 2>&1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if [ "$?" -ne "0" ] ; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: dump file compression problem." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">else</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: problem running slapcat(8C) for the DIT config backup." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rm ${BACKUP_DIR}/${BACKUP_CONFIG_FILENAME}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># Backup the entire configuration directory.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">BACKUP_FILES_LIST="${CA_TLS_CERT} ${SLAPD_CONFIG_FILENAME} ${SLAPD_DIR} ${SLAPD_LOG_ROTATION} ${SLAPD_TLS_CERT} ${SLAPD_TLS_KEY}"</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">tar zcf ${BACKUP_DIR}/${BACKUP_TAR_FILENAME} ${BACKUP_FILES_LIST} >/dev/null 2>&1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">if [ "$?" -ne "0" ]; then</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>echo "ERROR: problem running config directory tar." | tee -a ${LOGFILE}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rm ${BACKUP_DIR}/${BACKUP_TAR_FILENAME}</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit 1</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">fi</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;"># EOF</span><br />
<br />
<div>
<br /></div>
<div>
Make sure this new script is executable.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod a+x /root/scripts/backup.slapd.sh</span></div>
<div>
<br /></div>
<div>
Place the script in root's crontab.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo crontab -e</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># root's crontab</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># The time and date fields are:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># field allowed values</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># ----- --------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># minute 0-59</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># hour 0-23</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># day of month 1-31</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># month 1-12 (or names, see below)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># day of week 0-7 (0 or 7 is Sun, or use names)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># Backup the OpenLDAP data, config, directory and daemon config.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">00 22 * * * /root/scripts/backup.slapd.sh</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># EOF</span></div>
</div>
<div>
<br /></div>
<div>
Come back tonight after 10 PM (or tomorrow :) to see if you have backup files.<br />
<br />
<b><span style="font-size: large;">IMPORTANT : make sure you copy the backup files off site!</span></b> Remember that the tar file holds the TLS private key (and the Kerberos keytab), so the off-site copy needs the same protection as the server itself.</div>
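<div>
As an added example (not part of the original post), here is a small shell check to run the next morning on the files produced by <span style="font-family: 'Courier New', Courier, monospace;">backup.slapd.sh</span>: it confirms that both LDIF dumps decompress and contain entries, that the tar file lists cleanly, and it warns when the files are readable by others. The function names and the constructed sample backup set are assumptions made for this example; only the file naming comes from the script above.</div>

```sh
#!/bin/sh
# Added example, not part of the original post: check that one night's backup set
# written by backup.slapd.sh is complete and readable before it is copied off site.
# Assumes the file names the script uses:
#   slapd.data.DATE.ldif.gz   slapd.config.DATE.ldif.gz   slapd.directory.DATE.tar.gz

# ldif_entry_count FILE.ldif.gz
# Prints the number of entries ("dn:" lines) in a gzipped slapcat dump.
ldif_entry_count() {
    gzip -dc "$1" 2>/dev/null | grep -c '^dn: ' || true
}

# verify_slapd_backup BACKUP_DIR DATE
# Prints one line per check; returns 0 only when every check passes.
verify_slapd_backup() {
    dir="$1"; bdate="$2"; status=0

    for kind in data config; do
        f="${dir}/slapd.${kind}.${bdate}.ldif.gz"
        if [ ! -s "$f" ]; then
            echo "MISSING: $f"; status=1; continue
        fi
        # gzip -t catches a dump truncated by a full /var or a killed gzip.
        if ! gzip -t "$f" 2>/dev/null; then
            echo "CORRUPT: $f"; status=1; continue
        fi
        # A dump without a single "dn:" line is useless to slapadd.
        entries=$(ldif_entry_count "$f")
        if [ "$entries" -eq 0 ]; then
            echo "EMPTY: $f"; status=1
        else
            echo "OK: $f (${entries} entries)"
        fi
    done

    t="${dir}/slapd.directory.${bdate}.tar.gz"
    if [ -s "$t" ] && tar tzf "$t" >/dev/null 2>&1; then
        echo "OK: $t"
    else
        echo "MISSING or CORRUPT: $t"; status=1
    fi

    # The tar holds the TLS private key and slapd.d, and umask 022 in the backup
    # script leaves the files mode 644: warn unless the directory itself is closed.
    if [ -n "$(find "$dir" -maxdepth 1 -name "slapd.*.${bdate}.*" -perm -004)" ]; then
        echo "WARNING: world-readable backup files in $dir"
    fi
    return "$status"
}

# make_sample_backup DIR DATE
# Builds a constructed, minimal backup set (sample data, not a real DIT) so the
# check can be exercised without an OpenLDAP server.
make_sample_backup() {
    dir="$1"; bdate="$2"
    mkdir -p "${dir}/etc.sample/openldap"
    printf '%s\n' \
        'dn: dc=company,dc=com' 'objectClass: dcObject' 'objectClass: organization' \
        'dc: company' 'o: Company' '' \
        'dn: ou=People,dc=company,dc=com' 'objectClass: organizationalUnit' 'ou: People' '' \
        'dn: uid=alice,ou=People,dc=company,dc=com' 'objectClass: inetOrgPerson' \
        'uid: alice' 'cn: Alice' 'sn: Example' \
        > "${dir}/slapd.data.${bdate}.ldif"
    gzip -f "${dir}/slapd.data.${bdate}.ldif"
    printf '%s\n' \
        'dn: cn=config' 'objectClass: olcGlobal' 'cn: config' '' \
        'dn: olcDatabase={2}bdb,cn=config' 'objectClass: olcBdbConfig' \
        'olcSuffix: dc=company,dc=com' \
        > "${dir}/slapd.config.${bdate}.ldif"
    gzip -f "${dir}/slapd.config.${bdate}.ldif"
    echo 'BASE dc=company,dc=com' > "${dir}/etc.sample/openldap/ldap.conf"
    tar zcf "${dir}/slapd.directory.${bdate}.tar.gz" -C "${dir}/etc.sample" openldap
}

# Demonstration on a constructed set in a temporary directory.
DEMO_DIR="${TMPDIR:-/tmp}/slapd-backup-demo.$$"
make_sample_backup "$DEMO_DIR" 20120515
verify_slapd_backup "$DEMO_DIR" 20120515
echo "verification status: $?"
rm -rf "$DEMO_DIR"
```

On a real server, run it as <span style="font-family: 'Courier New', Courier, monospace;">verify_slapd_backup /root/backup/slapd $(date +%Y%m%d)</span> after the 22:00 cron job has finished.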
<div>
<br /></div>
<h3>
Recovery</h3>
<div>
<br /></div>
<div>
In the event of a catastrophic failure of the OpenLDAP server, we have everything to revive it. How we do it depends on the scenario.</div>
<div>
<ol>
<li>Complete Server Lost</li>
<li>ACL Problems</li>
<li>Data Corruption (or Human Error...)</li>
<li>File System Full</li>
</ol>
</div>
<h4>
Complete Server Lost</h4>
<div>
<br /></div>
<div>
If the OpenLDAP server crashes beyond repair, the first thing one needs to do is find another computer (or have this one fixed) and install CentOS and OpenLDAP. Then copy the backup files back to the new machine and run these commands :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install openldap-servers krb5-server-ldap nss-pam-ldapd</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /etc/openldap /etc/openldap.install</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd / && sudo tar zxvf /tmp/slapd.directory.20120515.tar.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/DB_CONFIG</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown ldap:ldap /var/lib/ldap/DB_CONFIG</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig slapd on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span></div>
<div>
<br /></div>
<div>
That should get you started. Of course, the rsyslog configuration will need to be reconfigured. See <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">this blog post</a> on how to proceed.</div>
<div>
<br /></div>
<h4>
ACL Problems</h4>
<div>
<br /></div>
<div>
This happens mostly while we build the server, but one can lock oneself out of one's own OpenLDAP server whenever the ACLs are modified. This one is quite easy to recover from :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /etc/openldap /etc/openldap.broken</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd / && sudo tar zxvf /root/backup/slapd/slapd.directory.20120515.tar.gz</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span></div>
<div>
<br /></div>
<h4>
Data Corruption (or Human Error...)</h4>
<div>
<br /></div>
<div>
Well, sometimes even the administrators make mistakes. Normally one simply has to change it back to what it was via his preferred LDAP browser. But say one admin made changes on Friday and left to go climbing. The other admin has no idea what happened and things are broken Saturday morning at 2 AM. Well, in those circumstances, we admins tend to have less debug patience. So the easiest (and fastest!) way of fixing things is to bring back Thursday's backup with <span style="font-family: 'Courier New', Courier, monospace;">slapadd(8C)</span> while <span style="font-family: 'Courier New', Courier, monospace;">slapd(8C)</span> is <b><i>NOT</i></b> running.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mv /var/lib/ldap /var/lib/ldap.broken</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /var/lib/ldap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp `rpm -ql openldap-servers | grep DB_CONFIG` /var/lib/ldap/DB_CONFIG</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo zcat /root/backup/slapd/slapd.data.20120512.ldif.gz > /tmp/slapd.data.ldif</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo slapadd -v < /tmp/slapd.data.ldif</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R ldap:ldap /var/lib/ldap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">This will bring the data back to whichever backup data file we selected.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<h4>
File System Full</h4>
<div>
<br /></div>
<div>
Sometimes the <span style="font-family: 'Courier New', Courier, monospace;">/var</span> filesystem gets filled up. If the LDAP data doesn't live in its own <span style="font-family: 'Courier New', Courier, monospace;">/var/lib</span> filesystem and the server generates a lot of logs, this can happen quite often. (HINT : place your LDAP data on a separate filesystem! :) When <span style="font-family: 'Courier New', Courier, monospace;">/var</span> fills up, one will see these errors in the log :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo: ldap_simple_bind_s: Can't contact LDAP server</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Checking configuration files for slapd: bdb_db_open: DB_CONFIG for suffix dc=company,dc=com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">has changed.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Performing database recovery to activate new settings.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb(dc=company,dc=com): file id2entry.bdb (meta pgno = 0) has LSN [1][1984522].</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb(dc=company,dc=com): end of log is [1][28]</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb(dc=company,dc=com): /var/lib/ldap/id2entry.bdb: unexpected file type or format</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb_db_open: db_open(/var/lib/ldap/id2entry.bdb) failed: Invalid argument (22)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">bdb(dc=company,dc=com): Unknown locker ID: 0</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">backend_startup_one: bi_db_open failed! (22)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slap_startup failed (test would succeed using the -u switch)</span></div>
</div>
<div>
<br /></div>
<div>
Fixing this error is quite easy. <b>First, clean up /var!</b></div>
<div>
<br /></div>
<div>
Once <span style="font-family: 'Courier New', Courier, monospace;">/var</span> has some space left, run the <a href="http://docs.oracle.com/cd/E17076_02/html/api_reference/C/db_recover.html">db_recover</a> tool. After <span style="font-family: 'Courier New', Courier, monospace;">db_recover</span> has run, all committed transactions are guaranteed to appear and all uncommitted transactions are completely undone.</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd stop</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo db_recover -vh /var/lib/ldap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
And that's it. If some data is missing, then use yesterday's backup.</div>
<div>
<br />
We're now done with the backup and recovery of our OpenLDAP 2.4 server. This was goal number nine.<br />
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li><strike>Use OpenLDAP as automount map repository for autofs.</strike></li>
<li><strike>Use OpenLDAP as NFS netgroup repository again for autofs.</strike></li>
<li><strike>Use OpenLDAP as the Kerberos principal repository.</strike></li>
<li><strike>Setup OpenLDAP backup and recovery.</strike></li>
<li>Setup OpenLDAP replication.</li>
</ol>
</div>
<div>
The next post will explain how to configure OpenLDAP replication.</div>
<div>
</div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<br /></div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com15tag:blogger.com,1999:blog-4619978964286106329.post-90657419179946808642012-05-15T15:21:00.003-04:002014-02-20T11:32:37.659-05:00HOWTO : Kerberos KDC with OpenLDAP 2.4 Back-End and SASL GSSAPI Authentication on CentOS 6.2We continue our OpenLDAP 2.4 series with goal number 8. Recall that our goals are :<br />
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
In this document, we will learn how to setup our OpenLDAP 2.4 server as a repository for our <a href="http://web.mit.edu/kerberos/">Kerberos</a> principals. We will also explore how to configure the client machines. <a href="http://en.wikipedia.org/wiki/Kerberos_(protocol)">Kerberos</a> is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication.<br />
<a name='more'></a><br />
<h3>
Server Configuration</h3>
<br />
<b>Enable <a href="http://en.wikipedia.org/wiki/Network_Time_Protocol">NTP</a> and make sure your server and clients are synchronized!</b> I will not explain how to setup <a href="http://www.ntp.org/">NTP</a> in this document. There are quite a lot of examples if you need help. Maybe in some other blog post.<br />
<br />
Now that we have our OpenLDAP server configured, we can proceed with the Kerberos 5 server setup. In this blog post, we will create a Kerberos Key Distribution Center server for the realm COMPANY.COM. To start with, as usual, install the appropriate rpm packages. This will also install several dependencies. The <span style="font-family: 'Courier New', Courier, monospace;">words</span> package provides the <span style="font-family: 'Courier New', Courier, monospace;">/usr/share/dict/words</span> file, which <span style="font-family: 'Courier New', Courier, monospace;">kadmind(8)</span> uses as its password dictionary (the <span style="font-family: 'Courier New', Courier, monospace;">dict_file</span> setting in <span style="font-family: 'Courier New', Courier, monospace;">kdc.conf</span>).<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install krb5-pkinit-openssl krb5-server-ldap words</span><br />
<br />
If we followed my <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">blog post series on OpenLDAP</a>, then the Kerberos schema is already installed. But let's take a look, just to be sure.<br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep -i kerberos</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={12}kerberos,cn=schema,cn=config</span></div>
<div>
<br /></div>
<div>
Sure enough, the schema is right there. This schema has quite a lot of objects. To see them all, run the following query.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn={12}kerberos,cn=schema,cn=config | grep NAME | cut -d' ' -f5 | sort</span></div>
<div>
<br /></div>
<div>
This command must return a list of attribute and object class names. This matters because, if the Kerberos schema is not loaded, <span style="font-family: 'Courier New', Courier, monospace;">kdb5_ldap_util(8)</span> fails with the following error :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kdb5_ldap_util: Kerberos Container create FAILED: No such object while creating realm 'COMPANY.COM'</span></div>
<div>
<br /></div>
<div>
Ok, so we have the schema and its objects. But do we have the container for our Kerberos principals?</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b ou=services,dc=company,dc=com dn | grep -i kerberos</span></div>
</div>
<div>
<br /></div>
<div>
No we don't. So we must add the LDAP container for our Kerberos principals. We must also add an LDAP user and group which will be used by Kerberos to talk to the LDAP server. So create a temporary LDIF file.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/kerberos.ldif">~/ldap/kerberos.ldif</a></span></div>
<div>
<br />
Use this new file to add the <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span> container, the <span style="font-family: 'Courier New', Courier, monospace;">krbadmin</span> user and its group to our OpenLDAP server. Enter the OpenLDAP manager's password when prompted.</div>
</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -aH ldapi:/// -f ~/ldap/kerberos.ldif</span><br />
<br /></div>
<div>
<div>
Assign a password to the new krbadmin user. Make sure to write this password into a secure store (such as <a href="http://keepass.info/">KeePass Password Safe</a> or in <a href="http://www.gnupg.org/">gpg</a>).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldappasswd -xWSD "cn=admin,dc=company,dc=com" "cn=krbadmin,ou=users,dc=company,dc=com"</span></div>
<div>
<br /></div>
<div>
Create the Kerberos configuration file. </div>
</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.krb5.server.conf">/etc/krb5.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<div>
Now create the Kerberos administrator's access control list (ACL) file. Don't confuse this ACL with the OpenLDAP ACLs. They are not the same. We will work on OpenLDAP ACLs in a few minutes.</div>
<div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/var.kerberos.krb5kdc.kadm5.acl">/var/kerberos/krb5kdc/kadm5.acl</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<div>
Edit the Kerberos 5 Authentication Service and Key Distribution Center (AS/KDC) configuration file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/var.kerberos.krb5kdc.kdc.conf">/var/kerberos/krb5kdc/kdc.conf</a></span></div>
<div>
<br /></div>
<div>
Using another terminal, keep an eye on the OpenLDAP server log file. This way we can see what the <span style="font-family: 'Courier New', Courier, monospace;">kdb5_ldap_util(8)</span> command generates.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tail -F /var/log/slapd.log</span></div>
<div>
<br /></div>
<div>
In a different terminal than the one in which we are running the <span style="font-family: 'Courier New', Courier, monospace;">tail(1)</span> command, issue the following to create our Kerberos entries in our OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo kdb5_ldap_util -D "cn=admin,dc=company,dc=com" create -subtrees "ou=kerberos,ou=services,dc=company,dc=com" -r COMPANY.COM -s</span></div>
<div>
<br /></div>
<div>
The create command asked for the database master password (and asked you to confirm it) and, because of <span style="font-family: 'Courier New', Courier, monospace;">-s</span>, stashed the master key on disk so that <span style="font-family: 'Courier New', Courier, monospace;">krb5kdc(8)</span> can start unattended. Now create the directory that will hold the LDAP service password stash, the file named by the <span style="font-family: 'Courier New', Courier, monospace;">ldap_service_password_file</span> parameter in <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.conf</span>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /etc/krb5.d</span></div>
<div>
<br /></div>
<div>
Then stash the LDAP password of the <span style="font-family: 'Courier New', Courier, monospace;">cn=krbadmin,ou=users,dc=company,dc=com</span> user in that file with <span style="font-family: 'Courier New', Courier, monospace;">kdb5_ldap_util(8)</span>. The KDC and <span style="font-family: 'Courier New', Courier, monospace;">kadmind(8)</span> bind to the directory with this password, and the file stores it only obfuscated, not encrypted, so it must stay readable by root only.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo kdb5_ldap_util -D "cn=admin,dc=company,dc=com" stashsrvpw -f /etc/krb5.d/stash.keyfile cn=krbadmin,ou=users,dc=company,dc=com</span><br />
<br />
You will be prompted for the LDAP password of <span style="font-family: 'Courier New', Courier, monospace;">krbadmin</span>, the one we assigned with <span style="font-family: 'Courier New', Courier, monospace;">ldappasswd</span> above. This is not the database master password: that one was requested by the create command, and it is important that you NOT FORGET it, because without it the realm's principal keys can no longer be decrypted.<br /><br />
The create command has created a few entries under our <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos,ou=services,dc=company,dc=com</span> namespace. To see them, simply run a query.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b ou=kerberos,ou=services,dc=company,dc=com dn</span></div>
<div>
<br /></div>
<div>
But besides the cn=admin user, can anybody else see the Kerberos info? That would be unwise. So let's take a look at our current OpenLDAP ACLs.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b olcDatabase={1}bdb,cn=config olcAccess</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> ,cn=auth" manage by dn.base="cn=nssproxy,ou=users,dc=company,dc=com" read by</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> * auth by * none</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=a</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> dmin,dc=company,dc=com" write by dn="cn=nssproxy,dc=company,dc=com" read by *</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> auth by * none</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {2}to dn.base="dc=company,dc=com" by dn="cn=admin,dc=company,dc=com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> " manage by dn="cn=nssproxy,dc=company,dc=com" read by * search</span></div>
</div>
<div>
<br /></div>
<div>
What we need to do is grant read/write permission to the Kerberos admin user (i.e. <span style="font-family: 'Courier New', Courier, monospace;">cn=krbadmin,ou=users,dc=company,dc=com</span>) on the <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span> subtree and deny everybody else. Keep in mind that slapd evaluates <span style="font-family: 'Courier New', Courier, monospace;">olcAccess</span> rules in order and applies the first one whose target matches, so the new rule has to be inserted in front of the existing <span style="font-family: 'Courier New', Courier, monospace;">{0}to *</span> rule; appended after it, it would never be consulted. We again proceed to write an LDIF file.</div>
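Here is what such a change looks like, as an added example written for this page rather than the post's own kerberos.acl.ldif (linked below). The DNs (cn=admin, cn=krbadmin, cn=nssproxy and the root peer-credential identity copied from rule {0} of the dump above) are the ones used throughout this series and are assumptions if your tree differs; the variable and function names are mine. The script emits the LDIF with the rule at index {0}, applies it over ldapi:/// with the same SASL EXTERNAL bind used for the other cn=config edits, and runs the two checks described in the next paragraph, which assume TLS is already configured on the server.

```shell
#!/bin/sh
# Added example (not the post's kerberos.acl.ldif): hide ou=kerberos from everyone
# except root-over-ldapi, cn=admin and cn=krbadmin. DNs below are assumptions
# taken from this blog series; adjust them to your directory.

KRB_BASE='ou=kerberos,ou=services,dc=company,dc=com'
ADMIN_DN='cn=admin,dc=company,dc=com'
KRBADMIN_DN='cn=krbadmin,ou=users,dc=company,dc=com'
NSSPROXY_DN='cn=nssproxy,ou=users,dc=company,dc=com'
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Print the LDIF. The rule is inserted at index {0}: slapd stops at the first "to"
# clause whose target matches, so a rule placed after the existing "{0}to * ... by *
# auth" rule would never be consulted for ou=kerberos and cn=nssproxy would keep read.
# Continuation lines start with a single space, per LDIF folding rules.
kerberos_acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="$KRB_BASE"
  by dn.base="$ROOT_PEERCRED" manage
  by dn.exact="$ADMIN_DN" manage
  by dn.exact="$KRBADMIN_DN" write
  by * none
EOF
}

# Apply over the local socket as root: SASL EXTERNAL maps the peer credentials to
# the identity that has "manage" in rule {0}. Run under sudo.
apply_kerberos_acl() {
    kerberos_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# krbadmin must be able to list the subtree, while nssproxy must get
# "No such object (32)": a success on the second search means the new rule is not
# the first match and nssproxy still reads through the old {0}to * rule.
# Both searches prompt for the bind password (-W) and use STARTTLS (-Z).
verify_kerberos_acl() {
    ldapsearch -xZLLLWD "$KRBADMIN_DN" -b "$KRB_BASE" dn >/dev/null || return 1
    if ldapsearch -xZLLLWD "$NSSPROXY_DN" -b "$KRB_BASE" dn >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

Source the file, run apply_kerberos_acl under sudo, then verify_kerberos_acl. If cn=admin is your olcRootDN its clause is redundant, since the rootdn bypasses ACLs, but it is harmless.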
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/kerberos.acl.ldif">~/ldap/kerberos.acl.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Activate those changes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -H ldapi:/// -f ~/ldap/kerberos.acl.ldif</span></div>
<div>
<br /></div>
<div>
Check that the new ACL works. The <span style="font-family: 'Courier New', Courier, monospace;">cn=admin</span> user and the root peer credential (UID 0 and GID 0 over <span style="font-family: 'Courier New', Courier, monospace;">ldapi:///</span>) can still see the <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span> subtree, the <span style="font-family: 'Courier New', Courier, monospace;">cn=nssproxy</span> user does not even see the <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span> container, and the <span style="font-family: 'Courier New', Courier, monospace;">cn=krbadmin</span> user can read and write the entire <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span> subtree. We must also make sure that normal users can still authenticate through pam_ldap and change their LDAP password.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># This returns the entire ou=kerberos,ou=services,dc=company,dc=com subtree.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=krbadmin,ou=users,dc=company,dc=com -b ou=kerberos,ou=services,dc=company,dc=com dn</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># This query should return the « No such object (32) » error.</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=nssproxy,ou=users,dc=company,dc=com -b ou=kerberos,ou=services,dc=company,dc=com dn</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"># Check that a user can still change his own LDAP password.</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">su - test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">passwd</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Changing password for user test.user.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Enter login(LDAP) password: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">New password: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Retype new password: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">LDAP password information changed for test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">passwd: all authentication tokens updated successfully.</span></div>
</div>
<div>
<br /></div>
<div>
Very good! :)</div>
<div>
<br /></div>
<div>
When we installed the <span style="font-family: 'Courier New', Courier, monospace;">krb5-server</span> rpm, it configured <span style="font-family: 'Courier New', Courier, monospace;">logrotate(8)</span> to handle two new log files : one for <span style="font-family: 'Courier New', Courier, monospace;">krb5kdc(8)</span> and the other for <span style="font-family: 'Courier New', Courier, monospace;">kadmind(8)</span> as we can see from <span style="font-family: 'Courier New', Courier, monospace;">/etc/logrotate.d/krb5kdc</span> and <span style="font-family: 'Courier New', Courier, monospace;">/etc/logrotate.d/kadmind</span> files. Strangely, the rpm installation does not create those files. So let's create them.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo touch /var/log/krb5kdc.log /var/log/kadmind.log</span></div>
<div>
<br /></div>
<div>
We now need to instruct <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> what to send into those two new files.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.rsyslog.conf">/etc/rsyslog.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Restart <span style="font-family: 'Courier New', Courier, monospace;">rsyslogd(8)</span> for the changes to take effect.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rsyslog restart</span></div>
<div>
<br /></div>
<div>
Make sure the Kerberos daemons start when the machine boots.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig krb5kdc on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig kadmin on</span></div>
</div>
<div>
<br /></div>
<div>
And finally, start the Kerberos daemons.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/krb5kdc start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/kadmin start</span></div>
<div>
<br /></div>
<div>
A quick look at the <span style="font-family: 'Courier New', Courier, monospace;">/var/log/krb5kdc.log</span> file should display this line :</div>
<div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">May 14 12:53:34 alice krb5kdc[23528]: commencing operation</span><br />
<br />
<div>
Using <span style="font-family: 'Courier New', Courier, monospace;">netstat(8)</span>, we can see that we now have TCP ports 88 (kerberos), 464 (kpasswd) and 749 (kerberos-adm) in LISTEN mode.</div>
<div>
<br /></div>
<span style="font-family: 'Courier New', Courier, monospace;">netstat -alnt | egrep ':88|:464|:749'</span><br />
<br />
Congratulations! We now have an operational MIT Kerberos 5 Authentication Service and Key Distribution Center :)<br />
<br />
Now what? Well, first, we need to create a principal for the local server. We should also create a principal for a regular user. Here's how. The lines below in bold are what is actually typed. This is a single session, but we break it down to add some details.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin.local</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Authenticating as principal root/admin@COMPANY.COM with password.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Here we create the host principal for the server we are currently logged in to.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>addprinc -randkey host/alice.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">WARNING: no policy specified for host/alice.company.com@COMPANY.COM; defaulting to no policy</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Principal "host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM" created.</span><br />
<br />Once we have created the host principal, we can add it to the machine's kerberos keytab (i.e. <span style="font-family: Courier New, Courier, monospace;">/etc/krb5.keytab</span>)<br /><br /><span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>ktadd host/</b></span><b><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM</span></b><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Entry for principal host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.</span><br />
<br />
<span style="font-family: inherit;">Next we create a user principal for myself and assign a password to this new user.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>addprinc drobilla@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">WARNING: no policy specified for drobilla@COMPANY.COM; defaulting to no policy</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Enter password for principal "drobilla@COMPANY.COM": </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Re-enter password for principal "drobilla@COMPANY.COM": </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Principal "drobilla@COMPANY.COM" created.</span><br />
<br />
<span style="font-family: inherit;">The next user is again for me, but with administrative rights. Remember the </span><span style="font-family: 'Courier New', Courier, monospace;">/var/kerberos/krb5kdc/kadm5.acl</span><span style="font-family: inherit;"> file? That's where it comes into play. The </span><span style="font-family: 'Courier New', Courier, monospace;">/admin</span><span style="font-family: inherit;"> users have administrative rights to the Kerberos realm via that file. That means they can create and destroy users or policies. So make sure we know and trust them!</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>addprinc drobilla/admin@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">WARNING: no policy specified for drobilla/admin@COMPANY.COM; defaulting to no policy</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Enter password for principal "drobilla/admin@COMPANY.COM": </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Re-enter password for principal "drobilla/admin@COMPANY.COM": </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Principal "drobilla/admin@COMPANY.COM" created.</span><br />
<br />
This will list all the current principals in the realm.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>getprincs</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">K/M@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">krbtgt/COMPANY.COM@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin/changepw@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin/history@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">drobilla@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: inherit;"> </span><br />
<span style="font-family: inherit;">And this will give more details on the </span><span style="font-family: 'Courier New', Courier, monospace;">host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM</span><span style="font-family: inherit;"> principal.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>getprinc host/</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>alice</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>.company.com@COMPANY.COM</b></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Principal: host/</span><span style="font-family: 'Courier New', Courier, monospace;">alice</span><span style="font-family: 'Courier New', Courier, monospace;">.company.com@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Expiration date: [never]</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Last password change: Mon May 14 12:58:24 EDT 2012</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Password expiration date: [none]</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Maximum ticket life: 1 day 00:00:00</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Maximum renewable life: 0 days 00:00:00</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Last modified: Mon May 14 12:58:24 EDT 2012 (root/admin@COMPANY.COM)</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Last successful authentication: [never]</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Last failed authentication: [never]</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Failed password attempts: 0</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Number of keys: 6</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, aes256-cts-hmac-sha1-96, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, aes128-cts-hmac-sha1-96, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, des3-cbc-sha1, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, arcfour-hmac, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, des-hmac-sha1, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Key: vno 2, des-cbc-md5, Version 5</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">MKey: vno 1</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Attributes:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Policy: [none]</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: <b>exit</b></span></div>
</div>
<div>
<br /></div>
<div>
Notice that a new file was created : <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.keytab</span>. That is one reason we ran <span style="font-family: 'Courier New', Courier, monospace;">kadmin.local</span> as root; the other is that it has to read the LDAP service password stash. Run as an unprivileged user, it fails like this :</div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Authenticating as principal drobilla/admin@COMPANY.COM with password.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin.local: Error reading password from stash: Permission denied while initializing kadmin.local interface</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">This is because only root has read access to the stash file (i.e. </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.d/stash.keyfile</span>). But let's examine the content of <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.keytab</span>.</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div style="font-family: 'Courier New', Courier, monospace;">
sudo klist -ek /etc/krb5.keytab </div>
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace;">
Keytab name: WRFILE:/etc/krb5.keytab</div>
<div style="font-family: 'Courier New', Courier, monospace;">
KVNO Principal</div>
<div style="font-family: 'Courier New', Courier, monospace;">
---- --------------------------------------------------------------------------</div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (aes256-cts-hmac-sha1-96) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (des3-cbc-sha1) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (arcfour-hmac) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (des-hmac-sha1) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
2 host/alice.company.com@COMPANY.COM (des-cbc-md5) </div>
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div>
<span style="font-family: inherit;">As we can see, these are all the encryption keys for this particular machine. No wonder the permissions on the file are restricted to root!</span></div>
</div>
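<div>
As an added example that is not part of the original post, the following POSIX shell script parses <span style="font-family: 'Courier New', Courier, monospace;">klist -ek</span> output like the listing above and reports the single-DES, 3DES and RC4 (arcfour) keys a keytab still carries, plus any principal with no AES key at all. The embedded sample listing is constructed from the entries shown here, the autofsclient entries from later in the post, and an invented <span style="font-family: 'Courier New', Courier, monospace;">nfs/legacy</span> principal.</div>

```shell
#!/bin/sh
# Added example, not from the original post: audit the encryption types stored
# in a keytab from "klist -ek" output. Single DES is long broken, and RFC 8429
# deprecates des3-cbc-sha1 and arcfour-hmac, so a host keytab carrying them is
# worth knowing about. klist only prints principal names and enctype labels,
# never key material, so this listing is safe to run and archive.

# Constructed sample: the host/alice listing shown above, the autofsclient
# entries from later in the post, and an invented nfs/legacy principal that has
# no AES key at all.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/alice.company.com@COMPANY.COM (aes256-cts-hmac-sha1-96)
   2 host/alice.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96)
   2 host/alice.company.com@COMPANY.COM (des3-cbc-sha1)
   2 host/alice.company.com@COMPANY.COM (arcfour-hmac)
   2 host/alice.company.com@COMPANY.COM (des-hmac-sha1)
   2 host/alice.company.com@COMPANY.COM (des-cbc-md5)
   2 autofsclient/bob.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96)
   2 autofsclient/bob.company.com@COMPANY.COM (des-hmac-sha1)
   1 nfs/legacy.company.com@COMPANY.COM (des-cbc-crc)'

# Normalise "klist -ek" output (stdin) to "KVNO principal enctype" lines,
# skipping the header and separator lines.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^\(.*\)$/ { gsub(/[()]/, "", $3); print $1, $2, $3 }'
}

# Entries whose enctype is single DES, 3DES or RC4.
weak_entries() {
    keytab_entries | awk '$3 ~ /^(des-|des3-|arcfour-)/'
}

# Principals that have no AES key at all: clients negotiating only AES
# (or a KDC with the legacy enctypes disabled) could no longer talk to them.
principals_without_aes() {
    keytab_entries | awk '{ seen[$2] = 1; if ($3 ~ /^aes/) ok[$2] = 1 }
                          END { for (p in seen) if (!(p in ok)) print p }'
}

# Count lines on stdin without the leading blanks some wc(1) versions print.
count_lines() {
    awk 'END { print NR }'
}

# Return 0 if the listing has neither weak enctypes nor AES-less principals.
audit_keytab() {
    listing=$(cat)
    w=$(printf '%s\n' "$listing" | weak_entries | count_lines)
    m=$(printf '%s\n' "$listing" | principals_without_aes | count_lines)
    [ "$w" -eq 0 ] && [ "$m" -eq 0 ]
}

# Stand-alone use: "sudo klist -ek /etc/krb5.keytab | sh keytab-audit.sh -"
# audits a real listing read from stdin; with no argument the constructed
# sample is audited.
report() {
    listing=$(cat)
    echo "== weak enctypes (KVNO principal enctype) =="
    printf '%s\n' "$listing" | weak_entries
    echo "== principals without an AES key =="
    printf '%s\n' "$listing" | principals_without_aes
}
if [ "${1:-}" = "-" ]; then report; else printf '%s\n' "$SAMPLE_KLIST" | report; fi
```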
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
We still have one last item on the server side to fix. That's the « <span style="font-family: 'Courier New', Courier, monospace;">bdb_equality_candidates: (krbPrincipalName) not indexed</span> » error that keeps showing up in the <span style="font-family: 'Courier New', Courier, monospace;">/var/log/slapd.log</span> log file. To fix this, we need another LDIF file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/kerberos.indexes.ldif">~/ldap/kerberos.indexes.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Add those new indexes to the OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -aH ldapi:/// -f kerberos.indexes.ldif</span></div>
<div>
<br /></div>
<div>
Alright, we now have a KDC !</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
<h2>
Client Configuration</h2>
<div>
<br />
With a working KDC server, we can now configure client machines and services to use it. Our goals with the clients are to leverage the Kerberos infrastructure to :</div>
<ol>
<li>Enable sshd(8) Kerberos authentication.</li>
<li>Enable PAM Kerberos authentication.</li>
<li>SASL GSSAPI OpenLDAP authentication.</li>
<li>Use SASL GSSAPI Authentication with AutoFS.</li>
</ol>
So let's start with our first goal.<br />
<br />
<h3>
Enable sshd(8) Kerberos authentication.</h3>
<br />
Connect to a client machine. <b>IMPORTANT : Kerberos clients require connectivity to the KDC's TCP ports 88 and 749.</b><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span><br />
<br />
Install required packages.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install krb5-workstation pam_krb5</span><br />
<br />
Configure the client's <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.conf</span> file. The file looks quite a lot like the one found on the server. That means we can send the server's <span style="font-family: 'Courier New', Courier, monospace;">krb5.conf</span> file to the client and use it as a template.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.krb5.client.conf">/etc/krb5.conf</a></span><br />
<div>
<br /></div>
<div>
Create a new machine principal for this host. We run the <span style="font-family: 'Courier New', Courier, monospace;">kadmin(1)</span> command as root so that we can write the resulting keyfile <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.keytab</span>. Otherwise, we would get the « <span style="font-family: 'Courier New', Courier, monospace;">No such file or directory while adding key to keytab</span> » error, which is not quite explicit enough. We also must use the <span style="font-family: 'Courier New', Courier, monospace;">-p</span> switch to tell kadmin which principal we want to connect with. If we only try <span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin</span>, we will get the « <span style="font-family: 'Courier New', Courier, monospace;">Client not found in Kerberos database while initializing kadmin interface</span> » error because we didn't create the <span style="font-family: 'Courier New', Courier, monospace;">root/admin@</span><span style="font-family: 'Courier New', Courier, monospace;">COMPANY</span><span style="font-family: 'Courier New', Courier, monospace;">.COM</span> principal. Don't create it either: we want to be able to tell who connected with his <span style="font-family: 'Courier New', Courier, monospace;">/admin</span> user. If it's <span style="font-family: 'Courier New', Courier, monospace;">root/admin</span>, there's no way to tell.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin -p drobilla/admin@COMPANY.COM</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Authenticating as principal drobilla/admin@</span><span style="font-family: 'Courier New', Courier, monospace;">COMPANY</span><span style="font-family: 'Courier New', Courier, monospace;">.COM with password.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Password for drobilla/admin@</span><span style="font-family: 'Courier New', Courier, monospace;">COMPANY</span><span style="font-family: 'Courier New', Courier, monospace;">.COM: </span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey host/bob.company.com@</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>COMPANY</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>.COM</b></span><br />
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>ktadd host/bob.company.com@</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>COMPANY</b></span><span style="font-family: 'Courier New', Courier, monospace;"><b>.COM</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>exit</b></span></div>
<br />
That created the <span style="font-family: 'Courier New', Courier, monospace;">/etc/krb5.keytab</span><span style="font-family: inherit;">. We can now edit </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/ssh/sshd_config</span><span style="font-family: inherit;"> to enable Kerberos authentication. Don't forget to add test.group to the AllowGroups directive. Otherwise we won't be able to test and will see the « </span><span style="font-family: 'Courier New', Courier, monospace;">User test.user from alice.company.com not allowed because none of user's groups are listed in AllowGroups</span><span style="font-family: inherit;"> » error in the machine's </span><span style="font-family: 'Courier New', Courier, monospace;">/var/log/secure</span><span style="font-family: inherit;"> log file.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.ssh.sshd_config.kerberos.txt">/etc/ssh/sshd_config</a></span></div>
<br />
Restart the daemon.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/sshd restart</span><br />
<div>
<br /></div>
<div>
Leave this terminal window open after we've issued this command :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tail -F /var/log/secure</span></div>
<div>
<br /></div>
<div>
<b>From another terminal window on the server</b>, create a test.user principal.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin -p drobilla/admin@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc test.user@COMPANY.COM</b></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">WARNING: no policy specified for test.user@COMPANY.COM; defaulting to no policy</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Enter password for principal "test.user@COMPANY.COM": </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Re-enter password for principal "test.user@COMPANY.COM": </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Principal "test.user@COMPANY.COM" created.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>exit</b></span></div>
</div>
<div>
<br /></div>
<div>
Assume this user's identity by taking his Kerberos ticket. We first destroy our own tickets with <span style="font-family: 'Courier New', Courier, monospace;">kdestroy(1)</span>, then get the test.user's ticket with <span style="font-family: 'Courier New', Courier, monospace;">kinit(1)</span> and finally confirm that we do indeed have the new ticket with <span style="font-family: 'Courier New', Courier, monospace;">klist(1)</span>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kdestroy</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p test.user@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Password for test.user@COMPANY.COM: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">klist</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Ticket cache: FILE:/tmp/krb5cc_1100</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Default principal: test.user@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Valid starting Expires Service principal</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">05/14/12 14:12:10 05/15/12 14:12:10 krbtgt/COMPANY.COM@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>renew until 05/14/12 14:12:10</span></div>
</div>
<div>
<br /></div>
<div>
We can now login with this Kerberos ticket.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh test.user@bob.company.com</span></div>
<div>
<br /></div>
<div>
If we go back to the terminal window on the client in which the <span style="font-family: 'Courier New', Courier, monospace;">tail(1)</span> command was running on the <span style="font-family: 'Courier New', Courier, monospace;">/var/log/secure</span><span style="font-family: inherit;"> </span>file, we should see these lines :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 14 14:09:17 bob sshd[2619]: Authorized to test.user, krb5 principal test.user@COMPANY.COM (krb5_kuserok)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 14 14:09:17 bob sshd[2619]: Accepted gssapi-with-mic for test.user from 192.168.1.20 port 54891 ssh2</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 14 14:09:17 bob sshd[2619]: pam_unix(sshd:session): session opened for user test.user by (uid=0)</span></div>
</div>
<div>
<br /></div>
Success! We can now cross our first goal and try the second one.<br />
<ol>
<li><strike>Enable sshd(8) Kerberos authentication.</strike></li>
<li>Enable PAM Kerberos authentication.</li>
<li>SASL GSSAPI OpenLDAP authentication.</li>
<li>Use SASL GSSAPI Authentication with AutoFS.</li>
</ol>
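<div>
As an added example that is not part of the original post, here is a POSIX shell summary of the Kerberos logins recorded in <span style="font-family: 'Courier New', Courier, monospace;">/var/log/secure</span>, built on the three lines above: it joins the krb5_kuserok line with the accepted-login line by sshd PID, flags logins where the principal differs from the local account, and lists logins that still used a password. The embedded log lines are constructed; the extra sshd PIDs, the <span style="font-family: 'Courier New', Courier, monospace;">panic</span> account and the source addresses beyond the one shown are invented.</div>

```shell
#!/bin/sh
# Added example, not from the original post: summarise Kerberos (GSSAPI) SSH
# logins from /var/log/secure lines like the ones shown above. sshd logs the
# accepted principal (krb5_kuserok) and the accepted login as two lines that
# share the sshd PID, so the two are joined on that PID. It also lists logins
# that still used a password, i.e. hosts or users not yet on Kerberos.

# Constructed sample: the three lines from the post, plus an invented login
# where the principal drobilla@COMPANY.COM was authorised (via .k5login) for the
# local account "panic", and one password login from another address.
SAMPLE_SECURE='May 14 14:09:17 bob sshd[2619]: Authorized to test.user, krb5 principal test.user@COMPANY.COM (krb5_kuserok)
May 14 14:09:17 bob sshd[2619]: Accepted gssapi-with-mic for test.user from 192.168.1.20 port 54891 ssh2
May 14 14:09:17 bob sshd[2619]: pam_unix(sshd:session): session opened for user test.user by (uid=0)
May 14 14:11:02 bob sshd[2650]: Authorized to panic, krb5 principal drobilla@COMPANY.COM (krb5_kuserok)
May 14 14:11:02 bob sshd[2650]: Accepted gssapi-with-mic for panic from 192.168.1.21 port 54902 ssh2
May 14 14:15:40 bob sshd[2701]: Accepted password for test.user from 192.168.1.30 port 55010 ssh2'

# Print "local_user principal source_ip" for every GSSAPI login on stdin.
gssapi_logins() {
    awk '
        # Strip "sshd[" and "]:" from the syslog process field to get the PID.
        function pid_of(field) { sub(/^sshd\[/, "", field); sub(/\]:$/, "", field); return field }
        # krb5_kuserok line: remember which principal was accepted for this sshd PID.
        /Authorized to .* krb5 principal .* \(krb5_kuserok\)/ {
            princ = $0
            sub(/.* krb5 principal /, "", princ)
            sub(/ \(krb5_kuserok\).*/, "", princ)
            principal[pid_of($5)] = princ
        }
        # Accepted login line: carries the local user and the source address.
        /Accepted gssapi-with-mic for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            pid = pid_of($5)
            p = (pid in principal) ? principal[pid] : "?"
            print user, p, ip
            delete principal[pid]
        }'
}

# GSSAPI logins where the principal name differs from the local account,
# e.g. a .k5login entry: legitimate, but worth reviewing.
principal_mismatches() {
    gssapi_logins | awk '{ name = $2; sub(/@.*/, "", name); if (name != $1) print }'
}

# Print "local_user source_ip" for logins that still used a password.
password_logins() {
    awk '/Accepted password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print user, ip }'
}

# Stand-alone use: "sudo tail -n 10000 /var/log/secure | sh secure-summary.sh -"
# reads real log lines; with no argument the constructed sample is used.
report() {
    log=$(cat)
    echo "== GSSAPI logins (user principal ip) =="
    printf '%s\n' "$log" | gssapi_logins
    echo "== principal / account mismatches =="
    printf '%s\n' "$log" | principal_mismatches
    echo "== password logins (user ip) =="
    printf '%s\n' "$log" | password_logins
}
if [ "${1:-}" = "-" ]; then report; else printf '%s\n' "$SAMPLE_SECURE" | report; fi
```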
<br />
<h3>
Enable PAM Kerberos authentication</h3>
<br />
That shouldn't be too hard since we've <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">already configured pam_ldap in another blog post</a>. Again, we won't be using <span style="font-family: 'Courier New', Courier, monospace;">authconfig(8)</span>. To enable PAM kerberos, we need to change the <span style="font-family: 'Courier New', Courier, monospace;">/etc/pam.d/system-auth-ac</span> file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.pam.d.system-auth-ac.kerberos.txt">/etc/pam.d/system-auth-ac</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">And that's it! That was easy :)</span><br />
<ol>
<li><strike>Enable sshd(8) Kerberos authentication.</strike></li>
<li><strike>Enable PAM Kerberos authentication.</strike></li>
<li>SASL GSSAPI OpenLDAP authentication.</li>
<li>Use SASL GSSAPI Authentication with AutoFS.</li>
</ol>
<br />
<h3>
SASL GSSAPI OpenLDAP authentication</h3>
<br />
<h4>
<b>Server Configuration (part 1 of 2)</b></h4>
<br />
To enable <a href="http://www.openldap.org/doc/admin24/sasl.html#GSSAPI">SASL GSSAPI authentication</a>, we must configure the OpenLDAP server so that it knows about our Kerberos realm. Then we can configure the clients.<br />
<br />
So, <b>from the OpenLDAP server</b>, connect to the KDC and create a new principal. We still use kadmin as root because we want to place the new keytab into <span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap</span> so that our OpenLDAP daemon has a different keytab than the host.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin -p drobilla/admin@COMPANY.COM</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey ldap/alice.company.com@COMPANY.COM</b></span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: </span><b><span style="font-family: 'Courier New', Courier, monospace;">ktadd -k /etc/openldap/krb5.keytab ldap/</span><span style="font-family: 'Courier New', Courier, monospace;">alice.company.com@COMPANY.COM</span></b></div>
</div>
<div>
<br /></div>
Change the permissions on this new file to allow the OpenLDAP server to read it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:ldap /</span><span style="font-family: 'Courier New', Courier, monospace;">etc/openldap/krb5.keytab</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 640 </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/krb5.keytab</span><br />
<br />
Install the required software.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install cyrus-sasl-gssapi</span><br />
<br />
Check our current configuration to see if we have any SASL directives in there.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i sasl</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcSaslSecProps: noplain,noanonymous</span><br />
<br />
Ah ha! So we already have <span style="font-family: 'Courier New', Courier, monospace;">olcSaslSecProps:</span> configured. Let's build on that.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sasl.ldif">~/ldap/sasl.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
Well, actually, we wouldn't need to touch <span style="font-family: 'Courier New', Courier, monospace;">olcSaslSecProps:</span><span style="font-family: inherit;"> but I left it there because I tried adding the « noactive » keyword. When we do and then try « </span><span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL...</span><span style="font-family: inherit;"> » we get the following error :</span><br />
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i sasl</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SASL/EXTERNAL authentication started</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldap_sasl_interactive_bind_s: Authentication method not supported (7)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>additional info: SASL(-4): no mechanism available: security flags do not match required</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
That's not exactly what we need at the moment; maybe later. For now, let's see if our new SASL configuration has been loaded by slapd.</div>
<div style="font-family: inherit;">
<br /></div>
<div>
<div style="font-family: 'Courier New', Courier, monospace;">
sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i sasl</div>
<div style="font-family: 'Courier New', Courier, monospace;">
[sudo] password for drobilla: </div>
<div style="font-family: 'Courier New', Courier, monospace;">
SASL/EXTERNAL authentication started</div>
<div style="font-family: 'Courier New', Courier, monospace;">
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth</div>
<div style="font-family: 'Courier New', Courier, monospace;">
SASL SSF: 0</div>
<div style="font-family: 'Courier New', Courier, monospace;">
olcSaslHost: alice.company.com</div>
<div style="font-family: 'Courier New', Courier, monospace;">
olcSaslRealm: COMPANY.COM</div>
<div style="font-family: 'Courier New', Courier, monospace;">
olcSaslSecProps: noanonymous,noplain </div>
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div>
Good! Now here's a tricky part: we need to add the <span style="font-family: 'Courier New', Courier, monospace;">KRB5_KTNAME</span> parameter to the <span style="font-family: 'Courier New', Courier, monospace;">/etc/sysconfig/ldap</span><span style="font-family: inherit;"> file.</span> <i>But this parameter is not part of any OpenLDAP documentation I've ever found?!?</i> A hint about this parameter is found in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/init.d/slapd</span> startup script and that's it! <b>If anyone knows why, please let me know!</b> </div>
</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.ldap.gssapi">/etc/sysconfig/ldap</a></span></div>
<div>
<br /></div>
<div>
Since we've changed this file, we need to restart <span style="font-family: 'Courier New', Courier, monospace;">slapd(8C)</span> for the changes to take effect. We also stop <span style="font-family: 'Courier New', Courier, monospace;">nslcd(8)</span> which prevents a timeout when <span style="font-family: 'Courier New', Courier, monospace;">slapd(8C)</span> starts.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd stop</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd restart</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span></div>
<div>
<br /></div>
<div>
Once slapd is back, we can proceed with the client configuration.</div>
<div>
<br /></div>
<div>
<h4>
<b>Client Configuration (part 1 of 2)</b></h4>
</div>
<div>
<br /></div>
<div>
We start by changing the <span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/ldap.conf</span> file in order to specify that we want to use the SASL GSSAPI authentication mechanism. That's just a single line to change, and it's listed in <b>bold</b>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.openldap.ldap.conf.gssapi.txt">/etc/openldap/ldap.conf</a></span></div>
<div>
<br /></div>
<div>
We then get a ticket from the KDC.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">klist</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_911)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p drobilla@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Password for drobilla@COMPANY.COM: </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">klist</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Ticket cache: FILE:/tmp/krb5cc_911</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Default principal: drobilla@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Valid starting Expires Service principal</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">05/15/12 11:27:17 05/16/12 11:27:17 krbtgt/COMPANY.COM@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>renew until 05/15/12 11:27:17</span></div>
<div>
<br /></div>
<div>
We can now see if the SASL GSSAPI authentication works.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapwhoami</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SASL/GSSAPI authentication started</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SASL username: drobilla@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SASL SSF: 56</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">SASL data security layer installed.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn:uid=drobilla,cn=company.com,cn=gssapi,cn=auth</span></div>
</div>
<div>
<br /></div>
<div>
Success! :) Had we forgotten to run kinit before we ran ldapwhoami, we would have had this error :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">SASL/GSSAPI authentication started</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldap_sasl_interactive_bind_s: Local error (-2)</span><br />
<span class="Apple-tab-span" style="font-family: 'Courier New', Courier, monospace; white-space: pre;"> </span><span style="font-family: 'Courier New', Courier, monospace;">additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_1100' not found)</span><br />
<br />
We can now cross off our third goal and try the fourth one.</div>
<ol>
<li><strike>Enable sshd(8) Kerberos authentication.</strike></li>
<li><strike>Enable PAM Kerberos authentication.</strike></li>
<li><strike>SASL GSSAPI OpenLDAP authentication.</strike></li>
<li>Use SASL GSSAPI Authentication with AutoFS.</li>
</ol>
<div>
But wait, did you notice that OpenLDAP has changed our Kerberos principal into an OpenLDAP name? We had this principal : </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">drobilla@</span><span style="font-family: 'Courier New', Courier, monospace;">COMPANY</span><span style="font-family: 'Courier New', Courier, monospace;">.COM</span></div>
<div>
<br /></div>
<div>
...which was translated by slapd(8C) into this :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn:uid=drobilla,cn=company.com,cn=gssapi,cn=auth</span></div>
</div>
<div>
<br /></div>
<div>
That means we must now return to the server to install some new ACLs if we want our AutoFS Kerberos principal to be able to read the automount data.</div>
<div>
<br /></div>
<div>
<h4>
<b>Server Configuration (part 2 of 2)</b></h4>
</div>
<div>
<br /></div>
<div>
Back on our OpenLDAP server, we edit another LDIF file to change our ACLs. But before we change anything, it's always good to know what we currently have configured.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xLLLZWD cn=admin,dc=company,dc=com -b cn=config olcAccess</span></div>
<div>
<br /></div>
<div>
That query returned three different distinguished names with <span style="font-family: 'Courier New', Courier, monospace;">olcAccess:</span> attributes :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={0}config,cn=config</span></div>
</div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span></div>
</div>
<div>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={2}monitor,cn=config</span></div>
</div>
</div>
</div>
<div>
<br /></div>
<div>
That means we must now edit the ACL on all three of these distinguished names. Be ready, because the ACL list is getting a little bigger...</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sasl.acl.ldif">~/ldap/gssapi.acl.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Phew! Did you get all this? Don't be alarmed and read the entries one by one. You should be fine ;) Still, this looks like a lot of changes, so make a full backup in case things go wrong...</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tar zcvf ~/ldap/slapd.d.backup.tar.gz /etc/openldap/slapd.d</span></div>
<div>
<br /></div>
<div>
Add those new ACLs to our OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -xZWD cn=admin,dc=company,dc=com -f ~/ldap/gssapi.acl.ldif</span></div>
<div>
<br /></div>
<div>
Now we test whether we can access what we need. Are users who are not supposed to see things really unable to see them? Is our Kerberos <span style="font-family: 'Courier New', Courier, monospace;">kadmin(1)</span> program still working? Can the <span style="font-family: 'Courier New', Courier, monospace;">cn=nssproxy</span> user do its job? Let's find out.</div>
<div>
<br /></div>
<div>
Check if the RootDN can still see the configuration. It should return only « dn: cn=config ».</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xLLLZWD cn=admin,dc=company,dc=com -b cn=config -s base dn</span></div>
<div>
<br /></div>
<div>
Check if a user with both UID and GID set to zero can see the configuration. It should return only « dn: cn=config ».</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base dn</span></div>
<div>
<br /></div>
<div>
Check if a /admin principal has access to the configuration. It should return only « dn: cn=config ». But notice how the <span style="font-family: 'Courier New', Courier, monospace;">ldapsearch</span> command line is easier to write :)</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kdestroy</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kinit -p drobilla/admin@COMPANY.COM</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLZb cn=config -s base dn</span></div>
</div>
<div>
<br /></div>
<div>
Check if the cn=nssproxy user can still work. This returns every dn: in the Directory Information Tree <i>except</i> the ones under <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos</span>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=nssproxy,ou=users,dc=company,dc=com -b dc=company,dc=com dn</span></div>
<div>
<br /></div>
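<div>
As an added example that is not part of the original post, the following POSIX shell harness wraps the four ACL checks above so they can be re-run after every ACL change. The checkers read <span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLL</span> output and are exercised offline with constructed entries; <span style="font-family: 'Courier New', Courier, monospace;">--live</span> feeds them the post's own ldapsearch commands. It assumes the Kerberos container is <span style="font-family: 'Courier New', Courier, monospace;">ou=kerberos,dc=company,dc=com</span>.</div>

```shell
#!/bin/sh
# Added example, not from the original post: turn the ACL checks above into a
# repeatable harness. The checkers read "ldapsearch -LLL" output from stdin and
# can be tested offline; "--live" runs them against the post's own ldapsearch
# commands. Assumes the base DN dc=company,dc=com and that the Kerberos data
# lives under ou=kerberos,dc=company,dc=com (an assumption, not from the post).

# Return 0 if stdin holds exactly one entry, "dn: cn=config", and nothing
# else but blank lines (an extra olcDatabase dn would mean the ACL leaks).
only_config_dn() {
    awk 'NF == 0 { next }
         $0 == "dn: cn=config" { hits++; next }
         { bad++ }
         END { exit !(hits == 1 && bad == 0) }'
}

# Return 0 if no dn on stdin lies at or under ou=kerberos,dc=company,dc=com,
# i.e. the nssproxy bind can still read users but not the Kerberos principals.
no_kerberos_dns() {
    awk 'tolower($0) ~ /^dn: (.*,)?ou=kerberos,dc=company,dc=com$/ { leaked++ }
         END { exit leaked > 0 }'
}

# check NAME CHECKER COMMAND... : run COMMAND, pipe it into CHECKER, report.
check() {
    name=$1; checker=$2; shift 2
    if "$@" | "$checker"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

if [ "${1:-}" = "--live" ]; then
    # The four tests from the post; -W prompts for the bind password, and the
    # third one needs a ticket for an /admin principal (kinit first).
    check rootdn   only_config_dn ldapsearch -xLLLZWD cn=admin,dc=company,dc=com -b cn=config -s base dn
    check peercred only_config_dn sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s base dn
    check admin    only_config_dn ldapsearch -LLLZb cn=config -s base dn
    check nssproxy no_kerberos_dns ldapsearch -xZLLLWD cn=nssproxy,ou=users,dc=company,dc=com -b dc=company,dc=com dn
fi
```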
<div>
Can normal users still change their passwords? Well, that changed! If a user who is not part of the local <span style="font-family: 'Courier New', Courier, monospace;">/etc/passwd</span> file runs the passwd command, the <span style="font-family: 'Courier New', Courier, monospace;">passwd(1)</span> command will change the Kerberos 5 password instead of the OpenLDAP one. That's because we enabled PAM Kerberos. Don't worry, the command will prompt for the Kerberos password.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">su - test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">passwd</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Changing password for user test.user.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Kerberos 5 Password:</span> </div>
<div>
</div>
</div>
<div>
<br /></div>
<div>
<h4>
<b>Client Configuration (part 2 of 2)</b></h4>
</div>
<div>
<br /></div>
<div>
We can now head to the client machine and modify it to use SASL GSSAPI authentication for its default LDAP queries and the autofs maps. <b>Connect to the client machine with a user that is NOT using an NFS home!</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh panic@bob.company.com</span></div>
<div>
<br /></div>
<div>
<b>Check to make sure there are no NFS mounted directories. If there are any, make sure to unmount them before you continue!</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">df -h </span></div>
<div>
<br /></div>
<div>
Change the automount system-wide configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.autofs.txt">/etc/sysconfig/autofs</a></span></div>
<div>
<br /></div>
<div>
Note that the OPTIONS and LOGGING clauses are set to debug values. This is just to help us find problems if there are any. During normal operations, these should be changed. We'll get to these in a minute. </div>
<div>
<br /></div>
<div>
Next we need to create a Kerberos principal that will be used by our autofs daemon. We must also add this new principal's keys into the client's keytab.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo kadmin -p drobilla/admin@COMPANY.COM</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>addprinc -randkey autofsclient/bob.company.com@COMPANY.COM</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>ktadd autofsclient/bob.company.com@COMPANY.COM</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">kadmin: <b>exit</b></span></div>
<div>
<br /></div>
<div>
We can see that the autofsclient keys are now part of the client's keytab :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo klist -ek /etc/krb5.keytab</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Keytab name: WRFILE:/etc/krb5.keytab</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">KVNO Principal</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">---- --------------------------------------------------------------------------</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (des-hmac-sha1) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (arcfour-hmac) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (des-cbc-md5) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (aes256-cts-hmac-sha1-96) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (des3-cbc-sha1) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (arcfour-hmac) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (des-hmac-sha1) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 4 host/bob.company.com@COMPANY.COM (des-cbc-md5) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (aes256-cts-hmac-sha1-96) </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 2 autofsclient/bob.company.com@COMPANY.COM (des3-cbc-sha1)</span></div>
</div>
<div>
<br /></div>
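<div>
As an added check (my own script, not part of the original post), here is a small audit of the klist -ek listing above: it confirms that the autofsclient principal is present with an AES key, and reports every key whose enctype is single-DES, 3DES or RC4, which are deprecated for Kerberos (RFC 6649 and RFC 8429) and are best kept out of a keytab by restricting the principal's enctypes on the KDC. The sample listing inside the script is constructed after the output above.</div>
<div>
<br /></div>

```sh
#!/bin/sh
# Added example, not from the original post: audit a "klist -ek" listing.
# It checks that the principal we just added (autofsclient/...) is present with
# at least one AES key, and reports every key whose enctype is single-DES,
# 3DES or RC4 (deprecated by RFC 6649 and RFC 8429).  Exit status 0 means the
# principal is present with an AES key and no deprecated key type was found.

# keytab_audit PRINCIPAL < klist-ek-output
keytab_audit() {
    awk -v want="$1" '
        # data lines: "   2 autofsclient/bob.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96)"
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2; enc = $3; gsub(/[()]/, "", enc)
            if (princ == want) seen = 1
            if (enc ~ /^(des|arcfour)/) { print "weak", princ, enc; weak++ }
            else if (princ == want && enc ~ /^aes/) strong = 1
        }
        END {
            if (!seen)   { print "missing", want; exit 1 }
            if (!strong) { print "no-aes-key", want; exit 1 }
            if (weak) exit 1
            exit 0
        }'
}

# Constructed sample listing, modelled on the klist output shown above.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 autofsclient/bob.company.com@COMPANY.COM (aes128-cts-hmac-sha1-96)
   2 autofsclient/bob.company.com@COMPANY.COM (des-hmac-sha1)
   4 host/bob.company.com@COMPANY.COM (aes256-cts-hmac-sha1-96)
   4 host/bob.company.com@COMPANY.COM (arcfour-hmac)
   2 autofsclient/bob.company.com@COMPANY.COM (des3-cbc-sha1)'

# On a real client:
#   sudo klist -ek /etc/krb5.keytab | keytab_audit autofsclient/bob.company.com@COMPANY.COM
printf '%s\n' "$SAMPLE_KLIST" | keytab_audit autofsclient/bob.company.com@COMPANY.COM \
    || echo "keytab needs attention"
```

<div>
<br /></div>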
<div>
We can now change the authentication for autofs to use both SASL GSSAPI and the new principal.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.autofs_ldap_auth.conf">/etc/autofs_ldap_auth.conf</a></span></div>
<div>
<br /></div>
<div>
Restart the daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/autofs stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/autofs start</span></div>
<div>
<br /></div>
<div>
Check the logs to see if that worked.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo less /var/log/messages</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: do_bind: lookup(ldap): autofs_sasl_bind returned 0</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(cn=home)(cn=/)(cn=\2A)))" under "ou=auto.nfs,ou=autofs,ou=services,dc=company,dc=com"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: lookup_one: lookup(ldap): getting first entry for cn="home"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: lookup_one: lookup(ldap): examining first entry</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: lookup_mount: lookup(ldap): home -> alice.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: parse_mount: parse(sun): expanded entry: alice.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: parse_mount: parse(sun): gathered options: nodev,nfs4,rsize=8192,wsize=8192</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: parse_mount: parse(sun): dequote("alice.company.com:/export/home") -> alice.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: parse_mount: parse(sun): core of entry: options=nodev,nfs4,rsize=8192,wsize=8192, loc=alice.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: sun_mount: parse(sun): mounting root /nfs, mountpoint home, what alice.company.com:/export/home, fstype nfs, options nodev,nfs4,rsize=8192,wsize=8192</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: mount_mount: mount(nfs): root=/nfs name=home what=alice.company.com:/export/home, fstype=nfs, options=nodev,nfs4,rsize=8192,wsize=8192</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: mount_mount: mount(nfs): nfs options="nodev,nfs4,rsize=8192,wsize=8192", nosymlink=0, ro=0</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: mount_mount: mount(nfs): calling mkdir_path /nfs/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">May 15 14:46:42 bob automount[5539]: mount_mount: mount(nfs): calling mount -t nfs -s -o nodev,nfs4,rsize=8192,wsize=8192 alice.company.com:/export/home /nfs/home</span></div>
</div>
<div>
<br /></div>
<div>
Success! :)</div>
<div>
<br /></div>
<div>
We should now edit the automount system-wide configuration to change it for production mode (i.e. less verbose output). Only those two lines are changed.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi /etc/sysconfig/autofs</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>LOGGING="none"</b></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b># OPTIONS="-d -v"</b></span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
And restart the autofs daemon for those changes to take effect.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/autofs stop</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/autofs start</span></div>
<div>
<br /></div>
<div>
That's it! We have achieved all of our Kerberos goals!</div>
<div>
<ol>
<li><strike>Enable sshd(8) Kerberos authentication.</strike></li>
<li><strike>Enable PAM Kerberos authentication.</strike></li>
<li><strike>SASL GSSAPI OpenLDAP authentication.</strike></li>
<li><strike>Use SASL GSSAPI Authentication with AutoFS.</strike></li>
</ol>
We also achieved goal number 8 which was :</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li><strike>Use OpenLDAP as automount map repository for autofs.</strike></li>
<li><strike>Use OpenLDAP as NFS netgroup repository again for autofs.</strike></li>
<li><strike>Use OpenLDAP as the Kerberos principal repository.</strike></li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
Our next blog post will explain how to <a href="http://www.openldap.org/doc/admin24/maintenance.html#Directory Backups">backup</a> and restore our OpenLDAP server. We will then <a href="http://www.openldap.org/doc/admin24/replication.html">configure replication</a>. With all the OpenLDAP services which our clients now depend on, we need to add some robustness to our OpenLDAP setup.</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
<div>
<br /></div>
<h3>
References</h3>
<div>
<br /></div>
<div>
<a href="http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml">Kerberos, GSSAPI and SASL Authentication using LDAP</a></div>
<div>
<a href="http://itlab.stanford.edu/blog/archives/2009/test-services/ldap-kerberos-5-sasl-and-passwords">LDAP, Kerberos 5, SASL and Passwords</a></div>
<br />HOWTO : OpenLDAP NFS NetGroup Repository for AutoFS (published 2012-05-10, updated 2012-09-21)<br />
We continue our OpenLDAP 2.4 series with goal number 7. Recall that our goals are :<br />
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication</a>.</li>
</ol>
In this document, we will learn how to set up our OpenLDAP 2.4 server as a repository of NFS netgroup configuration. Then we will configure an NFS client to check that our netgroup configuration actually works. A netgroup is a set of (host, user, domain) tuples that are to be given similar network access.<br />
<a name='more'></a><br />
<h2>
Server Configuration</h2>
<br />
If we followed this OpenLDAP series, we know that the <a href="http://en.wikipedia.org/wiki/Network_Information_Service">Network Information Service (NIS)</a> schema was <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">installed in the very first blog post</a>. But let's double check just for fun.<br />
<br />
sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep nis<br />
dn: cn={10}nis,cn=schema,cn=config<br />
<div>
<br /></div>
<div>
Indeed we do have the NIS schema. But does it contain the required attributes for our netgroup purposes? It should, but again, let's take a look.</div>
<div>
<br /></div>
<div>
<div>
sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn={10}nis,cn=schema,cn=config | grep NAME | cut -d' ' -f5 | grep -i netgroup</div>
<div>
<br /></div>
<div>
'memberNisNetgroup'</div>
<div>
'nisNetgroup'</div>
<div>
'nisNetgroupTriple'</div>
<div>
<br /></div>
</div>
<div>
Ok good, we have what it takes. But we don't have anything configured yet to leverage those attributes. So let's create another LDIF file which will create a container for our netgroup configs along with a few example netgroups.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/netgroup.ldif">~/ldap/netgroup.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<b>NOTE : be careful with the use of <a href="http://en.wikipedia.org/wiki/Fully_qualified_domain_name">Fully Qualified Domain Names</a> in the netgroup tuples!</b><br />
<br />
If you get it wrong, it won't work. For example, don't use « <span style="font-family: 'Courier New', Courier, monospace;">nisNetgroupTriple: (bob.company.com,,company.com)</span> » but rather « <span style="font-family: 'Courier New', Courier, monospace;">nisNetgroupTriple: (bob.company.com,,)</span> ». Another way to write the netgroup tuple, which also works, is « <span style="font-family: 'Courier New', Courier, monospace;">nisNetgroupTriple: (bob,,company.com)</span> ». Choose one syntax and stick to it.<br />
<br />
Add those new entries into the OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -aH ldapi:/// -f ~/ldap/netgroup.ldif</span></div>
<div>
<br /></div>
<div>
Change the netgroup: values in <span style="font-family: 'Courier New', Courier, monospace;">/etc/nsswitch.conf</span> to enable only LDAP queries.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/nsswitch.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">netgroup: ldap</span></div>
<div>
<br /></div>
<div>
<div>
Test to see what our new LDAP netgroup configuration returns.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent netgroup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Enumeration not supported on netgroup</span></div>
</div>
<div>
<br /></div>
<div>
Ah, that's interesting. Since netgroups are basically a security measure, the netgroup database cannot be enumerated, so you have to query each netgroup explicitly by name.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent netgroup oracle</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">oracle (oracle, , company.com)</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent netgroup dev</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dev (bob, , company.com)</span></div>
</div>
<div>
<br /></div>
<div>
Great, it seems to work. We can confirm this in the slapd log, which shows the search generated by our <span style="font-family: 'Courier New', Courier, monospace;">getent netgroup dev</span> query, for example :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1109 op=2 SRCH base="dc=company,dc=com" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=dev))"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1109 op=2 SRCH attr=cn nisNetgroupTriple memberNisNetgroup</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1109 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=</span></div>
</div>
<div>
<br /></div>
<div>
Next, configure the NFS <span style="font-family: 'Courier New', Courier, monospace;">/etc/exports</span> file on the server. This is where we specify which file systems are exported and to whom.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.exports.netgroup.txt">/etc/exports</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Notice that we specified our new <span style="font-family: 'Courier New', Courier, monospace;">bob</span> netgroup with a « <span style="font-family: 'Courier New', Courier, monospace;">@</span> » sign. The client machine <span style="font-family: 'Courier New', Courier, monospace;">bob</span> is part of this netgroup. So it should be able to mount the directory. But before we try the client, we need to tell our nfs daemons that we changed the exports file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nfs reload</span></div>
<div>
<br /></div>
<div>
We can see that the changes have been applied.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">showmount -e</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Export list for alice.company.com:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/home @bob</span></div>
</div>
<div>
<br /></div>
<div>
We can now test our new netgroups on the client machine <span style="font-family: 'Courier New', Courier, monospace;">bob</span>.</div>
<div>
<br /></div>
<h2>
Client Configuration</h2>
<div>
<br /></div>
<div>
Connect to the client machine. <b>Make sure to use a user that does NOT have its home on /nfs/home!</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span></div>
<div>
<br /></div>
<div>
<a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">In the previous post</a>, we already set up this client as an NFS client of server alice.company.com via autofs. This time we are going to check whether we can automount the <span style="font-family: 'Courier New', Courier, monospace;">/nfs/home</span> directory. The first thing we need to do is change /etc/nsswitch.conf to enable LDAP queries for netgroups.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/nsswitch.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">netgroup: ldap</span></div>
<div>
<br /></div>
<div>
Check that we can query the netgroup database in LDAP.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent netgroup dev</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dev (bob, , company.com)</span></div>
<div>
<br /></div>
<div>
Good! Now make sure that <span style="font-family: 'Courier New', Courier, monospace;">/nfs/home</span> is not currently mounted. <b>IMPORTANT : don't do this if your current user has its home on <span style="font-family: 'Courier New', Courier, monospace;">/nfs/home</span>, otherwise this command will hang. We need to use a user which does not use <span style="font-family: 'Courier New', Courier, monospace;">/nfs/home</span> as its home.</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo umount /nfs/home</span></div>
<div>
<br /></div>
<div>
Ok, let's check whether the server advertises the new netgroup.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">showmount -e alice.company.com</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Export list for alice.company.com:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/home @bob</span></div>
</div>
<div>
<br /></div>
<div>
It does. So we should be ok to mount it.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">df -h .</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">alice.company.com:/export/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 770G 17G 714G 3% /nfs/home</span></div>
</div>
<div>
<br /></div>
<div>
Excellent! It worked!</div>
<div>
<br /></div>
<div>
But will it work if we don't have access? To make sure, we must first unmount the directory, go back to the server and change the /etc/exports file to use another netgroup.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /tmp</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo umount /nfs/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">exit</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh alice.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.exports.netgroup.oracle.txt">/etc/exports</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Notice that we changed <span style="font-family: 'Courier New', Courier, monospace;">@bob</span> to the <span style="font-family: 'Courier New', Courier, monospace;">@oracle</span> netgroup, of which the client machine <span style="font-family: 'Courier New', Courier, monospace;">bob</span> is not a member. That will let us test whether the netgroups work: if they do, then <span style="font-family: 'Courier New', Courier, monospace;">bob</span> should no longer be able to mount the <span style="font-family: 'Courier New', Courier, monospace;">/nfs/home</span> directory. But we first need to tell our NFS daemons about the change.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nfs reload</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">showmount -e</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Export list for alice.company.com:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/home @oracle</span></div>
</div>
<div>
<br /></div>
<div>
Let's see if this prevents <span style="font-family: 'Courier New', Courier, monospace;">bob</span> from mounting the directory. <b>Again, make sure to use a user that does NOT have its home on /nfs/home!</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh bob.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/home</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">-bash: cd: /nfs/home: No such file or directory</span></div>
<div>
<br /></div>
<div>
Good! That means our netgroups are working! We have achieved goal number 7 :)</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li><strike>Use OpenLDAP as automount map repository for autofs.</strike></li>
<li><strike>Use OpenLDAP as NFS netgroup repository again for autofs.</strike></li>
<li>Use OpenLDAP as the Kerberos principal repository.</li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
The next blog post will describe how to set up a Kerberos realm using OpenLDAP as the Kerberos principal repository. That's going to be quite a lot of fun, because once we have a Kerberos realm, we can start using it to secure user authentication via ssh, secure LDAP connections via SASL GSSAPI, and secure our NFS automount and mount requests. Plus a whole lot more!</div>
<div>
<br /></div>
<div>
Stay tuned!</div>
<div>
<br /></div>
<div>
DA+<br />
<br />
Update!<br />
<br />
I've just tried to add a new nisNetgroupTriple: attribute in the <span style="font-family: 'Courier New', Courier, monospace;">cn=dev,ou=netgroup</span>... netgroup and to my surprise, it generated an error. If I tried via Apache Directory Studio, an error pop-up appeared saying « <span style="font-family: 'Courier New', Courier, monospace;">additional info: modify/add: nisNetgroupTriple: no equality matching rule</span> ». Humm, strange? So I then tried via a simple LDIF file and that got me the following error : « <span style="font-family: 'Courier New', Courier, monospace;">Error: Bad parameter to an ldap routine (-9)</span> ».<br />
<br />
<a href="http://www.openldap.org/lists/openldap-software/200401/msg00392.html">Several</a> <a href="http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2007-August/001438.html">Google</a> searches later, I realized this was not a bug, but that's how the nis schema is defined. The standard way to change the netgroup is then to delete the <i>entire</i> <span style="font-family: 'Courier New', Courier, monospace;">cn=dev,ou=netgroup</span><span style="font-family: inherit;"> object and recreate it with all the desired </span><span style="font-family: 'Courier New', Courier, monospace;">nisNetgroupTriple:</span><span style="font-family: inherit;"> tuples. While this works, it's clearly not easy to maintain, let alone to work with.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Another way to allow us to add/remove tuples is to modify the schema. Here's a </span><span style="font-family: 'Courier New', Courier, monospace;">diff(1)</span><span style="font-family: inherit;"> of the original schema and the modified one with two lines of context (-C 1) to understand where the change takes place.</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo diff -C 1 cn\=\{10\}nis.ldif.original cn\=\{10\}nis.ldif.modified </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">*** cn={10}nis.ldif.original<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-05-17 17:26:18.479629651 -0400</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">--- cn={10}nis.ldif.modified<span class="Apple-tab-span" style="white-space: pre;"> </span>2012-05-17 17:28:46.289627851 -0400</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">***************</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">*** 33,35 ****</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgr</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">! oup triple' SYNTAX 1.3.6.1.1.1.0.0 )</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY intege</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">--- 33,35 ----</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgr</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">! oup triple' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY intege</span><br />
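Review bot: the <span style="font-family: 'Courier New', Courier, monospace;">!</span> line in the modified file changes the SYNTAX OID as well as adding the EQUALITY rule: 1.3.6.1.1.1.0.0 is the NIS netgroup triple syntax, under which slapd checks that each value has the (host,user,domain) shape, while 1.3.6.1.4.1.1466.115.121.1.26 is the plain IA5 String syntax that caseExactIA5Match requires, so after this change any ASCII string, including the malformed FQDN-plus-domain tuple warned about earlier in the post, is stored in nisNetgroupTriple without complaint. Worth stating that the trade-off is lost server-side validation of the tuples, and worth dropping the trailing space after the closing parenthesis on that line.<br />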
<br />
As we can see, this is a trivial modification to the <span style="font-family: 'Courier New', Courier, monospace;">nisNetgroupTriple</span> attribute type in the nis schema.<br />
<br />
But in the end, the fastest way to update the netgroup is still via an LDIF file such as <a href="https://dl.dropbox.com/u/72609528/blog/openldap/netgroup.change.ldif">this one</a>.<br />
<br />
Note to self : write a script to update the netgroups...<br />
<br />
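As an added example (my own script, not the author's netgroup.change.ldif), here is the update script the note above asks for. It validates each tuple against the FQDN rule given earlier in this post and emits a single modify/replace LDIF: replacing the whole attribute works because, unlike adding or deleting individual values, it does not need the equality matching rule that the stock nis schema lacks. The netgroup DN and tuples are constructed placeholders.<br />
<br />

```sh
#!/bin/sh
# Added example, not from the original post.  nisNetgroupTriple in the stock nis
# schema has no EQUALITY matching rule, so ldapmodify rejects "add:" and
# "delete:" of individual tuples ("no equality matching rule").  Replacing the
# whole attribute in one modify operation is accepted, so this script rebuilds
# the complete tuple list and emits that LDIF.  Tuples are validated first,
# rejecting the "(bob.company.com,,company.com)" form flagged earlier in the post.
# The DN and tuples used below are constructed placeholders.

# valid_triple TRIPLE
#   returns 0 when TRIPLE is "(host,user,domain)" with exactly three fields and
#   does not combine a fully qualified host name with a non-empty domain field
valid_triple() {
    local t host domain middle
    t=$1
    case $t in
        \(*,*,*\)) ;;                 # must be parenthesised and contain commas
        *) return 1 ;;
    esac
    t=${t#"("}; t=${t%")"}            # strip the surrounding parentheses
    host=${t%%,*}
    domain=${t##*,}
    middle=${t#*,}; middle=${middle%,*}     # the user field
    case $middle in *,*) return 1 ;; esac   # more than three fields
    case $host in
        *.*) [ -z "$domain" ] || return 1 ;;  # FQDN host: domain must be empty
    esac
    return 0
}

# netgroup_replace_ldif DN TRIPLE...
#   prints an LDIF "changetype: modify / replace: nisNetgroupTriple" record that
#   sets DN's tuple list to exactly the TRIPLEs given; fails on the first bad tuple
netgroup_replace_ldif() {
    local dn t
    dn=$1; shift
    for t in "$@"; do
        valid_triple "$t" || { echo "bad netgroup triple: $t" >&2; return 1; }
    done
    printf 'dn: %s\nchangetype: modify\nreplace: nisNetgroupTriple\n' "$dn"
    for t in "$@"; do
        printf 'nisNetgroupTriple: %s\n' "$t"
    done
    printf -- '-\n'
}

# Constructed usage; on the server, apply the output with:
#   netgroup_replace_ldif ... | sudo ldapmodify -H ldapi:///
netgroup_replace_ldif "cn=dev,ou=netgroup,dc=company,dc=com" \
    "(bob,,company.com)" "(carol,,company.com)"
```

<br />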
HTH,<br />
<br />
DA+</div>
HOWTO : OpenLDAP 2.4 NFSv4 Automount Map Repository on CentOS 6.2 (published 2012-05-09, updated 2013-11-01)<br />
We continue our OpenLDAP 2.4 series with goal number 6.<br />
<div>
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
In this document, we will learn how to set up an NFS server along with an NFS client which runs autofs(5) version 5. This daemon will fetch its automount maps from our OpenLDAP 2.4 server. The client will then be configured to mount users' home directories from the NFS server. All OpenLDAP user DNs will be modified to reflect this change. We will also create a central NFS software repository.</div>
<div>
<br /></div>
<div>
<a name='more'></a><h2>
Server NFS Configuration</h2>
</div>
<div>
<br /></div>
<div>
Install the required packages.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install nfs-utils nfs4-acl-tools openldap-clients nss-pam-ldapd</span></div>
<div>
<br /></div>
<div>
Create the directory in which users' home directories will reside (/export/home) and the central software repository (/export/install).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir -p /export/home /export/install</span></div>
<div>
<br /></div>
<div>
Keep in mind that we need to create a home directory for each user. Since our users are stored in OpenLDAP, we must make sure that the NFS server is also an LDAP client, otherwise chown(1) cannot resolve their names. That means editing the LDAP client file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.openldap.ldap.conf.tls">/etc/openldap/ldap.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Then make sure nslcd(8) is properly configured and starts at boot time.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig nslcd on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.nslcd.conf">/etc/nslcd.conf</a></span></div>
<div>
<div>
<br /></div>
</div>
<div>
Start the daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span></div>
<div>
<br /></div>
<div>
Edit the name service switch configuration file to enable LDAP lookups.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.nsswitch.conf">/etc/nsswitch.conf</a></span></div>
<div>
<br /></div>
<div>
Check whether the test user is in the local /etc/passwd file. It should not be.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">grep ^test.user /etc/passwd</span></div>
<div>
<br /></div>
<div>
Now check that its data can be fetched from the LDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent passwd test.user</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">test.user:x:1101:1101:Test User:/nfs/home/test.user:/bin/bash</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent group test.group</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">test.group:*:1101:</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo getent shadow test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">test.user:{SSHA}RsAMqOI3647qgZF3x2BKBnp0sEVfa:15140:0:99999:7:::0</span></div>
</div>
<div>
<br /></div>
<div>
As we can see, one must be UID zero to get any <span style="font-family: 'Courier New', Courier, monospace;">shadow</span> data; that is the expected behavior. Note that nslcd can only hand back the hash because whatever identity it binds as is allowed to read <span style="font-family: 'Courier New', Courier, monospace;">userPassword</span>: make that a dedicated bind DN rather than an anonymous bind, and keep <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span>, which holds its secret, readable by root only. We can now create a test case. Fortunately, we have our <span style="font-family: 'Courier New', Courier, monospace;">test.user</span>!</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /export/home/test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp -a /etc/skel/. /export/home/test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown -R test.user:test.group /export/home/test.user</span></div>
<div>
<br /></div>
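<div>
The three commands above provision one home by hand. Here is the same procedure as a script, an added example that is not part of the original post: it reads passwd(5) lines (what getent passwd returns once nslcd works), maps the /nfs/home path stored in LDAP to /export/home on the server, copies the skeleton files, chowns by numeric UID/GID and closes the directory to mode 0700. The paths are the post's; the 0700 mode, the --all and --sample switches and the skip rule for accounts whose home is not under /nfs/home are this example's own choices.</div>
<div>
<br /></div>
```shell
#!/bin/bash
# Added example, not part of the original post: provision NFS-exported home
# directories for LDAP users. It assumes the post's layout, where LDAP
# stores homeDirectory as /nfs/home/<user> and the NFS server keeps the
# directories under /export/home. The 0700 mode and the --all switch are
# this example's own choices.
set -eu

EXPORT_ROOT="${EXPORT_ROOT:-/export/home}"   # where homes live on the server
MOUNT_PREFIX="${MOUNT_PREFIX:-/nfs/home}"    # what LDAP stores in homeDirectory
SKEL="${SKEL:-/etc/skel}"

# The passwd line the post's getent returned, kept here as sample input.
SAMPLE_PASSWD_LINE="test.user:x:1101:1101:Test User:/nfs/home/test.user:/bin/bash"

# Translate the client-side home (/nfs/home/x) into the server path
# (/export/home/x). Fails for a home outside MOUNT_PREFIX, e.g. root's,
# so callers skip local accounts instead of creating junk under the export.
server_home() {
    local home="$1"
    case "$home" in
        "$MOUNT_PREFIX"/*) printf '%s/%s\n' "$EXPORT_ROOT" "${home#"$MOUNT_PREFIX"/}" ;;
        *) return 1 ;;
    esac
}

# Create one home from a passwd(5) line: skeleton files, owned by the
# user's numeric UID/GID, closed to everyone else. Idempotent.
provision_home() {
    local line="$1" name pw uid gid gecos home shell dir
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
    dir=$(server_home "$home") || { echo "skip $name: $home is not under $MOUNT_PREFIX" >&2; return 0; }
    if [ -d "$dir" ]; then
        echo "ok $name: $dir already exists" >&2
        return 0
    fi
    mkdir -p "$dir"
    # "$SKEL/." copies dotfiles and subdirectories; a "/etc/skel/.*" glob
    # would also match "." and "..", which cp then refuses.
    cp -a "$SKEL/." "$dir"
    chown -R "$uid:$gid" "$dir"   # numeric IDs: works even before NSS sees the user
    chmod 0700 "$dir"             # a home on a shared export should not be world-readable
    echo "created $name: $dir" >&2
}

# Every LDAP user without a home. Needs nslcd configured on the NFS server
# so that getent passwd returns directory users.
provision_all() {
    getent passwd | while IFS= read -r line; do
        provision_home "$line"
    done
}

case "${1:-}" in
    --all)    provision_all ;;
    --sample) provision_home "$SAMPLE_PASSWD_LINE" ;;
esac
```
<div>
<br /></div>
<div>
Run it as root on the NFS server with --all after nslcd is up; it reports each directory it skips, creates or leaves alone on stderr, so it is safe to re-run from cron.</div>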
<div>
If you don't remember test.user's password, now is the time to reset it. Use <span style="font-family: 'Courier New', Courier, monospace;">-ZZ</span> rather than <span style="font-family: 'Courier New', Courier, monospace;">-Z</span> so that the command aborts if StartTLS fails instead of sending the new password in clear.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldappasswd -xZZWD cn=admin,dc=company,dc=com -S cn=test.user,ou=users,dc=company,dc=com</span></div>
<div>
<br /></div>
<div>
Configure the <span style="font-family: 'Courier New', Courier, monospace;">/etc/exports</span> file to enable NFS exports.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.exports.txt">/etc/exports</a></span></div>
<div>
<br /></div>
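<div>
The exports file itself is only linked above, but a few option choices matter for security and are easy to get wrong. The script below is an added example, not from the post: it parses an exports(5) file and reports a DNS wildcard client (the post's *.company.com, where trust then rests on reverse DNS), no_root_squash, insecure, and any export without sec=krb5*, which leaves the server trusting whatever UID the client claims. The sample file it builds is constructed for the demonstration; the post's real /etc/exports is not shown.</div>
<div>
<br /></div>
```shell
#!/bin/bash
# Added example, not from the original post: lint an exports(5) file for
# the settings a security review flags. The post's /etc/exports is only
# linked; showmount shows that it exports /export/home and /export/install
# to *.company.com. The sample below is constructed.
set -f   # export lines contain '*'; it must stay literal, never a glob

# Print one "path client options" record per client of each export line.
# exports(5) syntax: <path> <client>(<opts>) [<client>(<opts>) ...]
# A client with no "(...)" gets the kernel defaults (ro,sync,root_squash,sec=sys).
parse_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
        for c in $clients; do
            case "$c" in
                *\(*\)) opts=${c#*\(}; opts=${opts%\)}
                        printf '%s %s %s\n' "$path" "${c%%\(*}" "$opts" ;;
                *)      printf '%s %s %s\n' "$path" "$c" "defaults" ;;
            esac
        done
    done
}

# One finding per weak setting on stdout; returns 1 if any were found.
lint_exports() {
    local path client opts found=0
    while read -r path client opts; do
        [ -n "$path" ] || continue
        case "$client" in
            '*')   echo "$path: exported to every host"; found=1 ;;
            '*.'*) echo "$path: '$client' is a DNS wildcard, so trust rests on reverse DNS"; found=1 ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "$path ($client): no_root_squash lets a client's root be root on the server"; found=1 ;;
        esac
        case ",$opts," in
            *,insecure,*) echo "$path ($client): insecure accepts requests from unprivileged source ports"; found=1 ;;
        esac
        case ",$opts," in
            *,sec=krb5*) ;;
            *) echo "$path ($client): no sec=krb5*, so the server trusts whatever UID the client claims"; found=1 ;;
        esac
    done <<EOF
$(parse_exports "$1")
EOF
    return "$found"
}

# Constructed sample (not the post's file): two exports like the post's,
# one deliberately bad and one done properly.
sample_exports() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
/export/home    *.company.com(rw,sync,root_squash)
/export/install *.company.com(ro,sync)
/export/scratch 10.0.0.0/24(rw,no_root_squash,insecure)
/export/secure  client1.company.com(rw,sec=krb5p)
EOF
    echo "$f"
}

case "${1:-}" in
    --demo) lint_exports "$(sample_exports)" ;;
    ?*)     lint_exports "$1" ;;
esac
```
<div>
<br /></div>
<div>
Point it at /etc/exports on the server, or run it with --demo to see the constructed sample flagged: the wildcard entries and the sec=sys trust in particular are what the Kerberos goal later in this series is meant to remove.</div>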
<div>
Configure the NFS daemons.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.txt">/etc/sysconfig/nfs</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Enable the NFS daemons.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig rpcbind on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rpcbind start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig nfs on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nfs start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig nfslock on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nfslock start</span></div>
<div>
<br /></div>
<div>
Check that the filesystems are exported.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">showmount -e</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Export list for alice.company.com:</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/install *.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/export/home *.company.com</span></div>
</div>
<div>
<br /></div>
<h2>
LDAP Server Configuration</h2>
<div>
<br /></div>
<div>
Now that our NFS server is configured, we need to add the automount schema to our LDAP server. The easiest way to get the schema is to install the <span style="font-family: 'Courier New', Courier, monospace;">autofs</span> package.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install autofs</span></div>
<div>
<br /></div>
<div>
This package comes with the required schema.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql autofs | grep schema</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/autofs-5.0.5/autofs.schema</span></div>
<div>
<br /></div>
<div>
Which means that to add the autofs schema, we just need to do the same thing we did with sudo in <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">one of my previous blog posts</a>. Start by creating a temporary configuration file. Notice that we need core.schema in this temporary configuration file. Otherwise we get an error saying « <span style="font-family: 'Courier New', Courier, monospace;">objectclass: AttributeType not found: "ou"</span><span style="font-family: inherit;"> »</span> because the <span style="font-family: 'Courier New', Courier, monospace;">autofs.schema</span> file uses the <span style="font-family: 'Courier New', Courier, monospace;">ou</span> attribute type, which core.schema defines.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">echo "include /etc/openldap/schema/core.schema" > ~/ldap/autofs.conf</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql autofs | grep -i schema | sed 's/^/include /g' >> ~/ldap/autofs.conf</span></div>
<div>
<br /></div>
<div>
Next, use <span style="font-family: 'Courier New', Courier, monospace;">slapcat(8C)</span> to generate the new <span style="font-family: 'Courier New', Courier, monospace;">autofs</span> schema in LDIF format.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapcat -f ~/ldap/autofs.conf -F ~/ldap -n 0</span></div>
<div>
<br /></div>
<div>
The new LDIF schema file is dumped in <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/cn\=config/cn\=schema/cn\=\{1\}autofs.ldif</span><span style="font-family: inherit;">. As was the case with the sudo schema, we first need to sanitize this new file before we can add it to our OpenLDAP server. </span>A few quick <span style="font-family: 'Courier New', Courier, monospace;">sed(1)</span> commands should do the trick.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -re "/^(structuralObjectClass|entry[CU]|creat[eo]|modif[iy])/d" ~/ldap/cn\=config/cn\=schema/cn\=\{1\}autofs.ldif > ~/ldap/autofs.schema.ldif</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -e "s/{1}autofs/autofs/g" ~/ldap/autofs.</span><span style="font-family: 'Courier New', Courier, monospace;">schema.</span><span style="font-family: 'Courier New', Courier, monospace;">ldif</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -e "s/cn=autofs/cn=autofs,cn=schema,cn=config/g" ~/ldap/autofs.</span><span style="font-family: 'Courier New', Courier, monospace;">schema.</span><span style="font-family: 'Courier New', Courier, monospace;">ldif</span></div>
<div>
<br /></div>
<div>
The resulting LDIF file is quite small.</div>
</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cat <a href="https://dl.dropbox.com/u/72609528/blog/openldap/autofs.schema.ldif">~/ldap/autofs.schema.ldif</a></span></div>
</div>
<div>
<br />
We can now add this to our OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -aY EXTERNAL -H ldapi:/// -f ~/ldap/autofs.</span><span style="font-family: 'Courier New', Courier, monospace;">schema.</span><span style="font-family: 'Courier New', Courier, monospace;">ldif</span></div>
<div>
<br /></div>
<div>
If we take a look at our server log file, we will see that our new schema has been included.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1067 op=2 ADD dn="cn=autofs,cn=schema,cn=config"</span></div>
</div>
<div>
<br /></div>
<div>
We can double check that of course.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep auto</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={14}autofs,cn=schema,cn=config</span></div>
</div>
<div>
<br /></div>
<div>
Good! Now let's add the autofs container and the maps themselves. Edit yet another LDIF file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/autofs.ldif">~/ldap/autofs.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
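<div>
The contents of autofs.ldif are only linked above. The script below, an added example and not the post's file, generates an equivalent map tree under the post's base DN using the automountMap and automount classes from the schema we just loaded: a master map, an indirect map for /nfs/home (the &amp; in the wildcard entry is replaced by the key, so test.user gets alice.company.com:/export/home/test.user) and a direct map for /nfs/install, which is why df later shows /nfs/install itself as the mount point. The mount options, the map names auto.home and auto.direct and the --load switch are assumptions of this example.</div>
<div>
<br /></div>
```shell
#!/bin/bash
# Added example, not the post's autofs.ldif (that file is only linked):
# a master map plus one indirect map (home directories) and one direct
# map (the software repository), using the automountMap/automount classes
# from the autofs.schema loaded above. Base DN and server name follow the
# post; the mount options and map names are this example's assumptions.
BASE="${BASE:-ou=autofs,ou=services,dc=company,dc=com}"
NFS_SERVER="${NFS_SERVER:-alice.company.com}"

# One automountMap entry; the map's name is its ou.
map_entry() {   # map_entry auto.home
    printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: automountMap\nou: %s\n\n' \
        "$1" "$BASE" "$1"
}

# One key in a map: the key (a mount point, or "/" for the wildcard) is the
# cn, the location or nested map is automountInformation.
key_entry() {   # key_entry <map> <key> <information>
    printf 'dn: cn=%s,ou=%s,%s\nobjectClass: top\nobjectClass: automount\ncn: %s\nautomountInformation: %s\n\n' \
        "$2" "$1" "$BASE" "$2" "$3"
}

autofs_ldif() {
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: autofs\n\n' "$BASE"
    map_entry auto.master
    # /nfs/home is an indirect map: /nfs/home/<user> -> server:/export/home/<user>
    key_entry auto.master /nfs/home "ldap:ou=auto.home,$BASE"
    # "/-" names the direct map, whose keys are absolute mount points
    key_entry auto.master /- "ldap:ou=auto.direct,$BASE"
    map_entry auto.home
    # "&" is replaced by the key (the user name) at lookup time
    key_entry auto.home / "-fstype=nfs4,sec=sys $NFS_SERVER:/export/home/&"
    map_entry auto.direct
    key_entry auto.direct /nfs/install "-fstype=nfs4,sec=sys,ro $NFS_SERVER:/export/install"
}

# Number of entries the generated LDIF contains.
entry_count() { autofs_ldif | grep -c '^dn: '; }

# Load into the directory as the admin DN over StartTLS (-ZZ refuses to
# fall back to cleartext). Only runs when invoked with --load.
if [ "${1:-}" = "--load" ]; then
    autofs_ldif | ldapadd -xZZWD cn=admin,dc=company,dc=com
fi
```
<div>
<br /></div>
<div>
Without arguments the script just prints the LDIF, so you can review it or diff it against the post's file before running it with --load. The autofs search base in /etc/sysconfig/autofs on the client has to be the same ou=autofs,ou=services,dc=company,dc=com for the ldap: references to resolve.</div>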
<div>
Load it into the directory (ldapadd, or ldapmodify -a as above) and check that our changes are now part of the OpenLDAP server.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b ou=autofs,ou=services,dc=company,dc=com dn</span></div>
</div>
<div>
<br /></div>
<div>
Excellent! We're now ready to configure a client machine.</div>
<div>
<br /></div>
<h2>
Client Configuration</h2>
<div>
<br /></div>
<div>
Here we assume that the client is already an LDAP client of our OpenLDAP server. If not, then read my <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">previous</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">blog</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">posts</a> on the subject.</div>
<div>
<br /></div>
<div>
As always, make sure the required packages are installed.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install rpcbind nfs-utils nfs4-acl-tools nss-pam-ldapd openldap-clients autofs</span></div>
<div>
<br /></div>
<div>
Configure idmapd(8). NFSv4 sends owners as user@domain, so the Domain value in this file must be the same on the client and on the server; if it differs, every file shows up as owned by nobody.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.idmap.conf">/etc/idmapd.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Make sure various daemons are started at boot and start them manually. <b>NOTE : I had a problem where idmapd required a complete client AND server reboot for it to work. If it doesn't work for you, try it.</b></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig rpcbind on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rpcbind start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig nfslock on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nfslock start</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig rpcidmapd on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/rpcidmapd start</span></div>
<div>
<br /></div>
<div>
Configure the name service switch file so that the <span style="font-family: 'Courier New', Courier, monospace;">automount:</span> keyword uses the ldap directory.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/nsswitch.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">automount:<span class="Apple-tab-span" style="white-space: pre;"> </span>ldap</span></div>
</div>
<div>
<br /></div>
<div>
Configure the automount(8) daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sysconfig.autofs.txt">/etc/sysconfig/autofs</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Configure LDAP authentication for the automount(8) daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.autofs_auth_config.txt">/etc/autofs_ldap_auth.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Fix the permissions on the file (it holds the bind DN and its secret): owner root, group root, mode 0600. Otherwise automount refuses to use it, with an error that is pretty clear :)</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">automount[4570]: parse_ldap_config: lookup(ldap): Configuration file /etc/autofs_ldap_auth.conf exists, but is not usable. Please make sure that it is owned by root, group is root, and the mode is 0600.</span></div>
<div>
<br /></div>
<div>
Make sure the automount daemon starts when the client machine boots and start the daemon.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig autofs on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/autofs start</span></div>
<div>
<br /></div>
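<div>
Before starting autofs, the four things that most often go wrong on the client can be checked in a few lines. The script below is an added example, not from the post: the permissions and TLS settings of /etc/autofs_ldap_auth.conf, the automount line in /etc/nsswitch.conf, and the idmapd Domain compared with the server's. The three configuration files it builds in a temporary directory are constructed samples (the post's own files are only linked), and the bind DN and secret in them are made up.</div>
<div>
<br /></div>
```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks for the
# autofs/NFSv4 client configured above. Each check prints the problem and
# returns 1, so they can be scripted before starting autofs. Default paths
# are the files the post edits.

# /etc/autofs_ldap_auth.conf holds the bind DN and secret, so automount
# refuses it unless it is root:root and mode 0600 (the error quoted above).
# The wanted owner is numeric uid:gid (0:0 is root:root) and is a parameter
# only so that the check can be exercised on a copy made by a non-root user.
check_auth_conf() {
    local f="${1:-/etc/autofs_ldap_auth.conf}" want="${2:-0:0}" mode owner
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c %a "$f"); owner=$(stat -c %u:%g "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600"; return 1; }
    [ "$owner" = "$want" ] || { echo "$f: owner $owner, want $want"; return 1; }
}

# The bind should go over TLS and insist on it; with usetls="no" a PLAIN
# authtype sends the secret in clear to whatever answers on port 389.
check_auth_tls() {
    local f="${1:-/etc/autofs_ldap_auth.conf}"
    grep -q 'usetls="yes"' "$f" && grep -q 'tlsrequired="yes"' "$f" ||
        { echo "$f: set usetls=\"yes\" and tlsrequired=\"yes\""; return 1; }
}

# automount only consults LDAP maps if nsswitch.conf lists ldap for automount.
check_nsswitch() {
    local f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*automount:.*[[:space:]]ldap([[:space:]]|$)' "$f" ||
        { echo "$f: no 'automount: ldap' entry"; return 1; }
}

# NFSv4 sends owners as user@domain; client and server must agree on the
# Domain in idmapd.conf or every file shows up as owned by nobody.
idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "${1:-/etc/idmapd.conf}" | head -n 1
}
check_idmap_domain() {
    local f="${1:-/etc/idmapd.conf}" want="$2" got
    got=$(idmap_domain "$f")
    [ -n "$got" ] || { echo "$f: Domain is not set"; return 1; }
    [ "$got" = "$want" ] || { echo "$f: Domain is '$got', server uses '$want'"; return 1; }
}

# Constructed sample files (not the post's; its configs are only linked) in
# a temp dir, for trying the checks without touching /etc. Bind DN and
# secret are made up.
sample_client_files() {
    local d; d=$(mktemp -d)
    printf 'passwd:\tfiles ldap\nautomount:\tfiles ldap\n' > "$d/nsswitch.conf"
    printf '[General]\nDomain = company.com\n' > "$d/idmapd.conf"
    printf '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" authrequired="yes" authtype="PLAIN" user="cn=autofs,ou=services,dc=company,dc=com" secret="changeme" />\n' \
        > "$d/autofs_ldap_auth.conf"
    chmod 0600 "$d/autofs_ldap_auth.conf"
    echo "$d"
}

# On a real client: run_checks <domain the NFS server uses>
run_checks() {
    check_auth_conf && check_auth_tls && check_nsswitch &&
        check_idmap_domain /etc/idmapd.conf "$1"
}
```
<div>
<br /></div>
<div>
Run run_checks company.com (or whatever Domain the server's idmapd.conf uses) as root before /etc/init.d/autofs start; a non-zero exit pinpoints the file to fix.</div>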
<div>
Check the server and the client log files. If all is good, then test your configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cd /nfs/install</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">df -h .</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Filesystem Size Used Avail Use% Mounted on</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">alice.company.com:/export/install</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> 770G 17G 714G 3% /nfs/install</span></div>
</div>
<div>
<br /></div>
<div>
Voilà! Goal number 6 is done!</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li><strike>Use OpenLDAP as automount map repository for autofs.</strike></li>
<li>Use OpenLDAP as NFS netgroup repository again for autofs.</li>
<li>Use OpenLDAP as the Kerberos principal repository.</li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
</div>
<div>
In future blog posts, I will show how to use a Kerberos principal and SASL GSSAPI to authenticate the autofs daemon.</div>
<div>
<br /></div>
<div>
Stay tuned!</div>
<div>
<br /></div>
<div>
DA+</div>
Arsehttp://www.blogger.com/profile/04480469285928509022noreply@blogger.com19tag:blogger.com,1999:blog-4619978964286106329.post-84261824550081123392012-05-09T15:14:00.000-04:002013-09-09T14:05:32.467-04:00HOWTO : OpenLDAP 2.4 sudo Repository on CentOS 6.2Today we continue with our OpenLDAP series of blog posts. Recall that our goals were :<br />
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
Since goals 1 to 4 are already achieved in <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">previous</a> <a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">blog posts</a>, we are now ready to tackle goal number 5 which is to configure OpenLDAP to be a repository of sudo rules. The <a href="http://www.sudo.ws/">official sudo website</a>, the <a href="http://www.gratisoft.us/sudo/sudoers.ldap.man.html">sudoers LDAP manual</a> and the <a href="http://www.sudo.ws/sudo/readme_ldap.html">sudo LDAP README</a> file are a good place to start.<br />
<br />
<a name='more'></a><h2>
Server Configuration</h2>
<br />
The first thing to check is the sudo package. We know it is installed because we've been working with it a lot lately, so let's just check which version it is.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">rpm -qi sudo | grep -i version</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Version : 1.7.4p5 Vendor: CentOS</span><br />
<br />
Ok, was it configured <span style="font-family: 'Courier New', Courier, monospace;">--with-ldap</span>? It looks strange to type sudo sudo, but we need to assume UID zero if we want to see the binary's configuration.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo sudo -V | egrep -i '^config|ldap'</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Configure args: --build=x86_64-unknown-linux-gnu --host=x86_64-unknown-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.7.4p5 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/nslcd.conf --with-selinux --with-passprompt=[sudo] password for %p: --with-linux-audit</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldap.conf path: /etc/nslcd.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ldap.secret path: /etc/ldap.secret</span><br />
<br />
From the above output, we can see that this sudo binary has indeed the LDAP configurations and it's using <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span> as the LDAP configuration path. According to the <a href="http://www.gratisoft.us/sudo/sudoers.ldap.man.html">sudoers LDAP manual</a>, all we need to do now is to add <span style="font-family: 'Courier New', Courier, monospace;">SUDOERS_BASE</span> to <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span> file. Right?<br />
<br />
Wrong :(<br />
<br />
The sudo version shipped with CentOS 6.2 (and RedHat 6.2 for that matter) has a bug: it is built to read its LDAP settings from <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span>, but nslcd does not understand the sudo keywords. You can find both the <a href="http://bugs.centos.org/view.php?id=5200">CentOS bug</a> and the <a href="https://bugzilla.redhat.com/show_bug.cgi?id=760843">RedHat bug</a> pages. You can try to put the sudo parameters into <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf </span>if you want, but that only results in an error like this one :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Starting nslcd: nslcd: /etc/nslcd.conf:20: unknown keyword: 'sudoers_base'</span><br />
<br />
So what should we do? Give up? No! We only have to download the latest sudo rpm from the <a href="http://www.sudo.ws/sudo/download.html">official sudo download site</a>. Simply get the latest binary package for CentOS 6, which is currently <span style="font-family: 'Courier New', Courier, monospace;">sudo-1.8.4-5.el6</span>. So let's download it. <b>NOTE : please don't just copy/paste this wget command, but make sure to grab the latest version of sudo from the official web site. </b>Also, please note that we're using the 64 bit version. Maybe your machine requires the 32 bit version. In that case, the package would be called <span style="font-family: 'Courier New', Courier, monospace;">sudo-1.8.4-5.el6.i386.rpm
</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">wget http://www.sudo.ws/sudo/dist/packages/Centos/6/sudo-1.8.4-5.el6.x86_64.rpm</span><br />
<br />
Before installing, verify the package signature with <span style="font-family: 'Courier New', Courier, monospace;">rpm --checksig</span> against the sudo project's signing key: this is a setuid-root binary fetched over plain HTTP, and <span style="font-family: 'Courier New', Courier, monospace;">rpm -U</span> does not refuse an unsigned package on its own. Make sure to upgrade sudo on every system that needs sudo's LDAP support...<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rpm -U ./sudo-1.8.4-5.el6.x86_64.rpm</span><br />
<br />
Check the new sudo package.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">rpm -qi sudo | grep -i version</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Version : 1.8.4 Vendor: Todd C. Miller</span><br />
<div>
<br /></div>
<div>
Check whether its LDAP configuration differs from the one that comes with CentOS 6.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo sudo -V | grep ldap</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Configure options: --prefix=/usr --with-logging=syslog --with-logfac=authpriv --with-pam --enable-zlib=system --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-passprompt=[sudo] password for %p: --with-selinux --with-linux-audit --with-pam-login</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldap.conf path: /etc/ldap.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldap.secret path: /etc/ldap.secret</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">And indeed it does. We can see that the </span><span style="font-family: 'Courier New', Courier, monospace;">ldap.conf</span><span style="font-family: inherit;"> file is not </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span><span style="font-family: inherit;"> anymore, but </span><span style="font-family: 'Courier New', Courier, monospace;">/etc/ldap.conf</span><span style="font-family: inherit;">. </span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<span style="font-family: inherit;">Now that we have a new version of sudo, we must check the LDAP schema that comes with it. </span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql sudo | grep schema</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/sudo-1.8.4p4-5.el6/schema.ActiveDirectory</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/sudo-1.8.4p4-5.el6/schema.OpenLDAP</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/sudo-1.8.4p4-5.el6/schema.iPlanet</span></div>
</div>
<div>
<br /></div>
<div>
Ok, we need to check the <span style="font-family: 'Courier New', Courier, monospace;">/usr/share/doc/sudo-1.8.4p4-5.el6/schema.OpenLDAP</span> file to find out what the sudo schema objects are.</div>
<div>
<br /></div>
<div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">grep NAME `rpm -ql sudo | grep -i openldap`</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoUser</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoHost</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoCommand</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoRunAs</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoOption</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoRunAsUser</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoRunAsGroup</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoNotBefore</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoNotAfter</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> NAME '<b>sudoOrder</b>'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME '<b>sudoRole</b>' SUP top STRUCTURAL</span></div>
</div>
<div>
<br /></div>
<div>
Let's compare this list to our current sudo schema and see if we have access to all those objects? First we need to know in which schemas the sudo objects are defined.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={0}core,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={1}cosine,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={2}inetorgperson,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={3}collective,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={4}corba,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={5}duaconf,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={6}openldap,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={7}dyngroup,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={8}java,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={9}misc,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={10}nis,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={11}ppolicy,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={12}kerberos,cn=schema,cn=config</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: cn={13}schema,cn=schema,cn=config</span></div>
</div>
<div>
<br /></div>
<div>
Hummm, that's strange, we don't have a sudo schema. But we did <a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">install one in a previous post</a> when we first installed our OpenLDAP server. But wait, what's this strange <span style="font-family: 'Courier New', Courier, monospace;">cn={13}schema,cn=schema,cn=config</span> schema? Let's see if it contains our sudo objects?</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn={13}schema,cn=schema,cn=config | grep -i sudo</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Sure enough, it contains our sudo objects. But is it complete? We're not sure because this sudo schema came with sudo version 1.7.x while we have sudo version 1.8.x installed now. Let's check which objects are currently in our OpenLDAP schema.</div>
</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn={13}schema,cn=schema,cn=config | grep NAME | awk '{print $4,$5 }' | sort</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoCommand'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoHost'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoOption'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoRole'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoRunAs'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoRunAsGroup'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoRunAsUser'</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">NAME 'sudoUser'</span></div>
</div>
<div>
<br /></div>
<div>
When we compare this list of objects to the objects found in the schema.OpenLDAP file from sudo 1.8.x, we are missing a few objects (i.e. <span style="font-family: 'Courier New', Courier, monospace;">sudoNotAfter, sudoNotBefore</span> and <span style="font-family: 'Courier New', Courier, monospace;">sudoOrder</span>). Plus our sudo schema is not named correctly. So let's change all this. To do so, let's first remove the current sudo schema. According to <a href="http://www.openldap.org/lists/openldap-technical/200812/msg00066.html">this mailing-list archive thread</a>, we cannot remove schemas from our OpenLDAP server via <span style="font-family: 'Courier New', Courier, monospace;">ldapdelete(1)</span>. So in order to remove the old <span style="font-family: 'Courier New', Courier, monospace;">cn={13}schema,cn=schema,cn=config</span> schema from our OpenLDAP server, we must delete it from the <span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/slapd.d</span> directory. <b>If anyone knows a better way to remove schemas, please let me know!</b><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd stop</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo rm /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{13\}schema.ldif</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/slapd start</span><br />
<div>
<br /></div>
<div>
Confirm that the old <span style="font-family: 'Courier New', Courier, monospace;">{13}schema</span> is now gone from the configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn</span></div>
<br />
As expected, the above command no longer lists the old <span style="font-family: 'Courier New', Courier, monospace;">{13}schema</span> entry. We can now generate a new sudo schema in <a href="http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format">LDIF</a> format. To do so, create a temporary configuration file like this :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rpm -ql sudo | grep -i schema.openldap | sed 's/^/include /g' > ~/ldap/sudo.conf</span></div>
<div>
<br /></div>
<div>
Next, use <span style="font-family: 'Courier New', Courier, monospace;">slapcat(8C)</span> to generate the new sudo schema in LDIF format.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapcat -f ~/ldap/sudo.conf -F ~/ldap -n 0</span></div>
<div>
<br /></div>
<div>
This will create the <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/cn\=config.ldif</span> file and the <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/cn\=config</span> directory in which our new sudo schema file was generated. It was unfortunately created with the wrong name again. <b>If someone knows how to assign a name to a new LDIF schema, please let me know!</b> So let's change its name.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cp ~/ldap/cn\=config/cn\=schema/cn\=\{0\}schema.ldif ~/ldap/sudo.ldif</span></div>
<div>
<br /></div>
<div>
But changing the file name is not enough, we also need to change the <span style="font-family: 'Courier New', Courier, monospace;">dn:</span> and <span style="font-family: 'Courier New', Courier, monospace;">cn:</span> attribute values in the file. A quick <span style="font-family: 'Courier New', Courier, monospace;">sed(1)</span> command does just that.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -e "s/^dn: cn={0}schema/dn: cn=sudo,cn=schema,cn=config/g" -e "s/^cn: {0}schema/cn: sudo/g" ~/ldap/sudo.ldif</span></div>
<div>
<br /></div>
<div>
We should now be ready to install our new sudo schema. The <a href="http://www.openldap.org/faq/data/cache/1442.html">OpenLDAP FAQ-O-Matic explains how to do so</a>. But it never worked for me. YMMV of course, but let's use <a href="http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/">this recipe</a> from the mailing-list archive. It says that we must first remove these attributes from the file :<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">structuralObjectClass:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">entryUUID:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">creatorsName:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">createTimestamp:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">entryCSN:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">modifiersName:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">modifyTimestamp:</span><br />
<br />
Again, a quick <span style="font-family: 'Courier New', Courier, monospace;">sed(1)</span> will take care of that.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -re "/^(structuralObjectClass|entry[CU]|creat[eo]|modif[iy])/d" ~/ldap/sudo.ldif</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
If we don't remove those attributes, we will see these errors in the slapd log file :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1010 op=2 RESULT tag=105 err=53 text=no global superior knowledge</span><br />
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1012 op=2 RESULT tag=105 err=19 text=structuralObjectClass: no user modification allowed</span></div>
</div>
<div>
<br /></div>
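The rename and the clean-up above, combined into one reusable function as an added example (not the post's own commands). It assumes the input is the cn={0}schema.ldif that slapcat -F writes under ~/ldap, whose dn: line carries only the RDN, and it also drops the LDIF continuation lines of a stripped attribute, which a one-line /^attr/d leaves behind whenever a value is folded:

```shell
#!/bin/sh
# Added example, not code from the original post: turn a slapd.d schema file
# produced by "slapcat -n 0 -F ~/ldap" into an LDIF that "ldapmodify -a" accepts.
# Assumed (mine): the dn: line holds only the RDN, e.g. "dn: cn={0}schema".

# Operational attributes slapd maintains itself; an ADD carrying them fails
# with err=19 (no user modification allowed) or err=53.
OPERATIONAL='structuralObjectClass|entryUUID|entryCSN|creatorsName|createTimestamp|modifiersName|modifyTimestamp'

# prepare_schema_ldif NAME < slapd.d-schema.ldif > import.ldif
#   1. rewrites "dn: cn={N}schema" / "cn: {N}schema" to the chosen name
#   2. drops the operational attributes, including any folded continuation
#      lines (lines starting with one space) that belong to them
prepare_schema_ldif() {
    name=$1
    sed -E \
        -e "s/^dn: cn=\{[0-9]+\}schema\$/dn: cn=${name},cn=schema,cn=config/" \
        -e "s/^cn: \{[0-9]+\}schema\$/cn: ${name}/" \
    | awk -v ops="^(${OPERATIONAL}):" '
        # a line naming an operational attribute starts a skip run
        $0 ~ ops        { skip = 1; next }
        # LDIF folds long values onto following lines that begin with one
        # space; while skipping, those belong to the dropped attribute
        /^ / && skip    { next }
                        { skip = 0; print }
    '
}

# count_operational < import.ldif
#   sanity check before ldapmodify: number of operational attribute lines
#   still present (must be 0)
count_operational() {
    grep -Ec "^(${OPERATIONAL}):" || true
}

# Constructed sample in the shape of ~/ldap/cn=config/cn=schema/cn={0}schema.ldif:
# one folded olcAttributeTypes value, then the operational attributes.
sample_schema_entry() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={0}schema
objectClass: olcSchemaConfig
cn: {0}schema
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s)
  who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120501120000Z
entryCSN: 20120501120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120501120000Z
EOF
}

# ./prepare-schema.sh demo  prints the import-ready LDIF for the sample
if [ "${1:-}" = "demo" ]; then
    sample_schema_entry | prepare_schema_ldif sudo
fi
```

On the real file: prepare_schema_ldif sudo < ~/ldap/cn\=config/cn\=schema/cn\=\{0\}schema.ldif > ~/ldap/sudo.ldif, then check count_operational prints 0 before running ldapmodify.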
The final LDIF file should now look like <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sudo.schema.ldif">this</a>. We can now add it to the directory.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -a -H ldapi:/// -f ~/ldap/sudo.ldif</span><br />
<br />
If you're looking into the server log file, you should see this :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1013 op=2 ADD dn="cn=sudo,cn=schema,cn=config"</span><br />
<br />
Confirm that we now have the new schema in place?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep sudo</span><br />
<br />
Excellent! :)<br />
<br />
Let's clean-up a bit, since we don't need the <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/cn\=config.ldif, ~/ldap/sudo.ldif</span> and <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/sudo.conf</span> files nor the <span style="font-family: 'Courier New', Courier, monospace;">~/ldap/cn\=config</span> directory anymore, so we can remove them.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">rm -rf ~/ldap/cn\=config* ~/ldap/sudo.*</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
<h3>
<span style="font-family: inherit;">Convert sudoers to LDAP</span></h3>
<span style="font-family: inherit;"><br /></span>
Before we convert the sudoers file, let's take a look at an example file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo cat <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.sudoers.txt">/etc/sudoers</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
To convert this sudoers file, we need to create yet another LDIF file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo SUDOERS_BASE=ou=sudo,ou=services,dc=company,dc=com perl /usr/share/doc/sudo*/sudoers2ldif /etc/sudoers > ~/ldap/sudoers.ldif</span><br />
<div>
<br /></div>
<div>
That generates an LDIF file with our current sudoers configuration translated into LDAP entries. This is all good, but we don't have the LDAP container for sudo yet. Actually, we don't even have our services OU yet. So we need to add a few lines at the start of the file to create the services OU.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sudoers.ldif">~/ldap/sudoers.ldif</a> # This is NOT the final sudoers.ldif file. See below for a complete one.</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
The rest of the file contains your sudoers configuration. Before we can add this new LDIF file, we must clean it up a bit. The problem is the spaces around the equal signs. If we leave them like this « <span style="font-family: 'Courier New', Courier, monospace;">env_keep = COLORS</span> » instead of like that « <span style="font-family: 'Courier New', Courier, monospace;">env_keep=COLORS</span> », we will get LDAP errors. This quick <span style="font-family: 'Courier New', Courier, monospace;">sed(1)</span> command cleans things up.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -e "s/ = /=/g" -re 's/= {0,2}"/=/g' -e 's/"$//g' -e "s/p \+/p+/g" ~/ldap/sudoers.ldif</span></div>
<div>
<br /></div>
<div>
Almost there, we only need one more <span style="font-family: 'Courier New', Courier, monospace;">sed(1)</span> run to add structure to the LDIF file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sed -i.bak -e "/^dn: ou=sudo,/a objectClass: organizationalUnit" -e "/^dn: ou=sudo,/a description: sudo" ~/ldap/sudoers.ldif</span></div>
<div>
<br />
The end result looks like this :<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">cat <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sudoers.final.ldif">~/ldap/sudoers.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Now we can add it to our LDAP server.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -aH ldapi:/// -f ~/ldap/sudoers.ldif</span></div>
</div>
<div>
<br /></div>
<div>
We should see this in the server logs :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=2 ADD dn="ou=sudo,ou=services,dc=company,dc=com"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=2 RESULT tag=105 err=0 text=</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=3 ADD dn="cn=defaults,ou=sudo,ou=services,dc=company,dc=com"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=3 RESULT tag=105 err=0 text=</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=4 ADD dn="cn=root,ou=sudo,ou=services,dc=company,dc=com"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=4 RESULT tag=105 err=0 text=</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=5 ADD dn="cn=panic,ou=sudo,ou=services,dc=company,dc=com"</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=5 RESULT tag=105 err=0 text=</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: conn=1028 op=6 ADD dn="cn=%sysadmin,ou=sudo,ou=services,dc=company,dc=com"</span></div>
</div>
<div>
<br /></div>
<div>
Confirm that we now have a sudoers file in our LDAP server?</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b ou=sudo,ou=services,dc=company,dc=com</span></div>
<div>
<br /></div>
<div>
Excellent!</div>
<div>
<br /></div>
<div>
But can anybody see our sudoers configuration? That wouldn't be good. Let's find out...</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=drobilla,ou=users,dc=company,dc=com -b ou=sudo,ou=services,dc=company,dc=com -H ldap://alice.company.com</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><b>Insufficient access (50)</b></span></div>
</div>
<div>
<br /></div>
<div>
Good! Exactly how it should be. But can the cn=nssproxy user read the data?</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=nssproxy,ou=users,dc=company,dc=com -b ou=sudo,ou=services,dc=company,dc=com</span></div>
<div>
<br /></div>
<div>
Normally, we should see all of our sudoers configuration.</div>
<div>
<br /></div>
<h3>
Client Configuration</h3>
<div>
<br /></div>
<div>
Since we have a working sudo schema along with an LDAP version of our sudoers file, we can now configure client machines to fetch their sudoers data from the OpenLDAP server.</div>
<div>
<br /></div>
<div>
<b>Make sure you install the latest sudo version on the client from the sudo website!</b> See above on how to do this.</div>
<div>
<br /></div>
<div>
Then configure the sudo-only <span style="font-family: 'Courier New', Courier, monospace;">/etc/ldap.conf</span> file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.ldap.conf">/etc/ldap.conf</a></span></div>
<div>
<br /></div>
<div>
Fix permissions on the file (it has a password in it...)</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 600 /etc/ldap.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /etc/ldap.conf</span></div>
<div>
<br /></div>
<div>
Don't forget to place your corporation's CA certificate on the client (if you use one, or if you self-signed it).</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo cp ~/companyCA.crt /etc/pki/tls/certs/</span></div>
<div>
<br /></div>
<div>
Then change the sudoers line (or add it) to <span style="font-family: 'Courier New', Courier, monospace;">/etc/nsswitch.conf</span>. Notice how <span style="font-family: 'Courier New', Courier, monospace;">files</span> is listed before <span style="font-family: 'Courier New', Courier, monospace;">ldap</span>? That's in case we have a general LDAP failure or a network failure. If that happens, then we'll be able to read the local sudoers file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi /etc/nsswitch.conf</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudoers:<span class="Apple-tab-span" style="white-space: pre;"> </span>files ldap</span></div>
<div>
<br /></div>
<div>
And now test our new LDAP-enabled sudo binary. We should see our LDAP sudoers configuration printed on screen.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo -l</span></div>
<div>
<br /></div>
<div>
If we take a look at the <span style="font-family: 'Courier New', Courier, monospace;">/var/log/slapd.log</span> file on the OpenLDAP server, we will see error messages like this one :</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[10783]: <= bdb_equality_candidates: (sudoUser) not indexed</span></div>
<div>
<br /></div>
<div>
To fix this, go back to the OpenLDAP machine and create another LDIF file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/sudoers.indexes.ldif">~/ldap/sudoers.indexes.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
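An added example of what this index file can contain; it is not the post's own file. It assumes the data database is olcDatabase={1}bdb,cn=config, as found in the users and groups post, and indexes the attribute the log message names:

```ldif
# Added example of ~/ldap/sudoers.indexes.ldif (not the post's own file).
# Assumed: the data database is olcDatabase={1}bdb,cn=config.
# "eq" covers the sudoUser lookup behind the bdb_equality_candidates message;
# "sub" also covers sudo's second, wildcard query for netgroup-style entries.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq,sub
```

Confirm the new index with sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b olcDatabase={1}bdb,cn=config olcDbIndex before testing from the client again.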
<div>
Add those new indexes to the database.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -H ldapi:/// -f ~/ldap/sudoers.indexes.ldif</span></div>
</div>
<div>
<br /></div>
<div>
While keeping an eye on the <span style="font-family: 'Courier New', Courier, monospace;">slapd.log</span> file, run another sudo command from the client we just configured. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ls</span></div>
<div>
<br /></div>
<div>
The <span style="font-family: 'Courier New', Courier, monospace;">bdb_equality_candidates</span> errors should now have disappeared.</div>
<div>
<br /></div>
<div>
We thus have achieved our fifth goal!</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li><strike>Use OpenLDAP as sudo's configuration repository.</strike></li>
<li>Use OpenLDAP as automount map repository for autofs.</li>
<li>Use OpenLDAP as NFS netgroup repository again for autofs.</li>
<li>Use OpenLDAP as the Kerberos principal repository.</li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
</div>
<div>
Next time we will configure an NFS server and use OpenLDAP to store our autofs configuration.</div>
<div>
<br /></div>
<div>
HTH,</div>
<div>
<br /></div>
<div>
DA+</div>
</div>
<br />
<div>
</div>
<b>HOWTO : OpenLDAP 2.4 Users & Groups Management and PAM Authentication on CentOS 6.2</b> (2012-05-07)<br />
<br />
Today we will create and manage users and groups in our OpenLDAP 2.4 daemon running on a CentOS 6.2 machine. Recall our goals :<br />
<ol>
<li><strike><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-6.html">Install OpenLDAP 2.4.</a></strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Manage users and groups in OpenLDAP.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-2.html">Configure pam_ldap to authenticate users via OpenLDAP.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-sudo-repository-on.html">Use OpenLDAP as sudo's configuration repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-nfsv4-automount-map.html">Use OpenLDAP as automount map repository for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/we-continue-our-openldap-2.html">Use OpenLDAP as NFS netgroup repository again for autofs.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html">Use OpenLDAP as the Kerberos principal repository.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/05/howto-openldap-24-backup-recovery-on.html">Setup OpenLDAP backup and recovery.</a></li>
<li><a href="http://itdavid.blogspot.ca/2012/06/howto-openldap-24-replication-on-centos.html">Setup OpenLDAP replication.</a></li>
</ol>
<h3>
<a name='more'></a>Manage users and groups in OpenLDAP</h3>
<br />
We now have an empty OpenLDAP directory. We can prove this simply by trying to extract information from it.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLxWD cn=admin,dc=company,dc=com -b dc=company,dc=com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Enter LDAP Password:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">No such object (32)</span><br />
<div>
<br /></div>
If you're interested, the LDAP error codes can be found in section <span style="white-space: pre-wrap;">4.1.10. « Result Message » of </span><a href="http://tools.ietf.org/html/rfc2251">RFC 2251</a>. In this case, error 32 means <span style="white-space: pre-wrap;"><span style="font-family: 'Courier New', Courier, monospace;">noSuchObject</span>. But you can also have this error if an ACL prevents you from seeing the data.</span><br />
<span style="white-space: pre-wrap;"><br /></span>
In order to use our OpenLDAP directory, we need to create the base suffix and two <a href="http://en.wikipedia.org/wiki/Organizational_Unit">Organizational Units (OU)</a> to store our users and groups. So create an LDIF file with the following data.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/users%2Bgroups.ldif">~/ldap/users+groups.ldif</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
Add this new data into our directory.<br />
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -a -xWD cn=admin,dc=company,dc=com -f ~/ldap/users+groups.ldif</span> </div>
<br />
Verify that we now have the new data.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -LLLxWD cn=admin,dc=company,dc=com</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<div>
Did you notice I didn't specify any <span style="font-family: 'Courier New', Courier, monospace;">-b dc=company,dc=com</span> suffix with the previous <span style="font-family: 'Courier New', Courier, monospace;">ldapsearch</span> command? That's because the suffix is already configured in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/openldap/ldap.conf </span>file.</div>
<div>
<br /></div>
<div>
Let's now add a few groups. We will create the following groups :</div>
<div>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">sysadmin</span> to group the Linux systems administrators together.</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">oinstall</span>, <span style="font-family: 'Courier New', Courier, monospace;">sysoper</span>, <span style="font-family: 'Courier New', Courier, monospace;">asmdba</span>, <span style="font-family: 'Courier New', Courier, monospace;">asmadmin</span> and <span style="font-family: 'Courier New', Courier, monospace;">asmoper</span>, which are all Oracle related groups.</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">test.group</span> to test various parts of our PAM and LDAP architecture. It's always good to test!</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">panic</span> which will be used in case LDAP and/or NFS has a problem.</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">nssproxy</span> which will be used to query this LDAP server instead of an anonymous user.</li>
</ul>
</div>
<div>
Of course, I encourage you to change this group list to fit your organization's needs. Create another LDIF file with the following data.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/groups.ldif">~/ldap/groups.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Add those new groups to our LDAP directory.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -a -xWD cn=admin,dc=company,dc=com -f ~/ldap/groups.ldif</span></div>
<div>
<br /></div>
<div>
Now it's time to create a few users. In this document, we will create the following users. Again, you should change this user list and the user's details (such as UID) to fit your corporation's needs.</div>
<div>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">drobilla</span>. That's me :)</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">nssproxy</span>. This user will be used to query our LDAP server instead of using an anonymous user.</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">panic</span>. This user will be used when LDAP and/or NFS is broken. It is a local user, but we list it here in order to have a central place where we can get all of our UIDs. This prevents UID clashes!</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">test.user</span>. Again, this user will be used to test our setup as we build on this OpenLDAP server.</li>
</ul>
</div>
<div>
Let's write yet another LDIF file. Don't bother with the passwords for now, we will address those in a few minutes.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/users.ldif">~/ldap/users.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Add these users to the LDAP directory.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -a -xWD cn=admin,dc=company,dc=com -f ~/ldap/users.ldif</span></div>
<div>
<br /></div>
<div>
Let's now assign a proper password to the users. Repeat this procedure for each of the users. Note that this command will prompt twice for the new user's password and a third time for the <span style="font-family: 'Courier New', Courier, monospace;">cn=admin,dc=company,dc=com</span> user's password.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldappasswd -xZWD cn=admin,dc=company,dc=com -S cn=nssproxy,ou=users,dc=company,dc=com</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">New password: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Re-enter new password: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Enter LDAP Password: </span><br />
<div>
<br /></div>
<div>
If you take a look in the <span style="font-family: 'Courier New', Courier, monospace;">/var/log/slapd.log</span> file, you should see these lines, which indicate the password has been modified :</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[5319]: conn=1022 op=1 PASSMOD id="cn=nssproxy,ou=users,dc=company,dc=com" new</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[5319]: conn=1022 op=1 RESULT oid= err=0 text=</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
We need to modify an OpenLDAP ACL to give the <span style="font-family: 'Courier New', Courier, monospace;">nssproxy</span> user access to our data. Let's first check which ACLs are in place. But before that, we need to know our database's DN.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config dn | grep -i database</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={-1}frontend,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={0}config,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={2}monitor,cn=config</span><br />
<br />
Ok, so now we know that we need to edit the « <span style="font-family: 'Courier New', Courier, monospace;">olcDatabase={1}bdb,cn=config</span><span style="font-family: inherit;"> »</span> DN. Let's see what ACLs are configured on this DN?<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=admin,dc=company,dc=com -b olcDatabase={1}bdb,cn=config olcAccess</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> l,cn=auth" manage</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {1}to attrs=userPassword by self write by * auth</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">olcAccess: {2}to dn.base="dc=company,dc=com" by * search by * none</span><br />
<div>
<br /></div>
<div>
We can see three ACL rules on this database DN. We must change these to allow the nssproxy user to read our data. Edit another LDIF file.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/nssproxy.acl.ldif">~/ldap/nssproxy.acl.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
</div>
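What such a file can look like, as an added example rather than the post's own nssproxy.acl.ldif. It assumes the database DN, suffix and proxy account shown above, and it adds <span style="font-family: 'Courier New', Courier, monospace;">by * break</span> to the first rule: a <span style="font-family: 'Courier New', Courier, monospace;">to *</span> rule whose by clauses match nobody else denies them and stops evaluation there, so the rules after it are never consulted for those binds.

```ldif
# Added example of ~/ldap/nssproxy.acl.ldif (not the post's own file).
# Assumed: database olcDatabase={1}bdb, suffix dc=company,dc=com and proxy
# account cn=nssproxy,ou=users,dc=company,dc=com. Rule order matters: the
# first "to" clause matching an entry decides, then the first matching "by"
# clause within it; "break" lets evaluation continue to the next rule.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
# local root over ldapi:/// keeps full control of the database
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
# password hashes: the owner may change them, a bind may verify them, nobody reads them
olcAccess: {1}to attrs=userPassword by self write by * auth
# everything else, the sudoers subtree included: only the proxy account reads
olcAccess: {2}to * by dn.exact="cn=nssproxy,ou=users,dc=company,dc=com" read by * none
```

After applying it, the olcAccess query shown above should list exactly these three rules.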
<div>
Apply the modifications to the OpenLDAP server.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapmodify -xZWD cn=admin,dc=company,dc=com -f ~/ldap/</span><span style="font-family: 'Courier New', Courier, monospace;">nssproxy.acl.ldif</span></div>
<div>
<br /></div>
<div>
Test to see if we can see our data with the nssproxy user? This command should return the entire <a href="http://en.wikipedia.org/wiki/Directory_information_tree">Directory Information Tree (DIT)</a>.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZWD cn=nssproxy,ou=users,dc=company,dc=com "(objectClass=*)"</span></div>
<div>
<br /></div>
<div>
Test that you cannot get anything using another user.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xLLLZWD cn=drobilla,ou=users,dc=</span><span style="font-family: 'Courier New', Courier, monospace;">company</span><span style="font-family: 'Courier New', Courier, monospace;">,dc=com "(objectClass=*)"</span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">result: </span><b style="font-family: 'Courier New', Courier, monospace;">50 Insufficient access</b></div>
</div>
<div>
<br /></div>
<div>
Excellent! We can now continue.</div>
<div>
<br /></div>
</div>
</div>
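<div>
The following is an added example and not the post's own <span style="font-family: 'Courier New', Courier, monospace;">nssproxy.acl.ldif</span> (which is linked above). It writes one possible olcAccess replacement for the <span style="font-family: 'Courier New', Courier, monospace;">{1}bdb</span> database that lets only the nssproxy bind DN read the tree, writes the weak "anyone may read" variant next to it for comparison, and checks a few ordering rules that are easy to get wrong. The database suffix and the nssproxy DN are assumed to match the ones used in this post.</div>
<div>
<br /></div>
```shell
# Added example; not the post's own nssproxy.acl.ldif. Writes an olcAccess
# replacement for olcDatabase={1}bdb that lets only the nssproxy bind DN read
# the DIT and denies everyone else, then sanity-checks the file.
# Assumed to match the post: suffix dc=company,dc=com and the nssproxy DN.

write_nssproxy_acl_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to * by dn.exact="cn=nssproxy,ou=users,dc=company,dc=com" read by * none
EOF
}

# The weak variant for comparison: anonymous read on the whole tree. nslcd
# "works" with it too, but every attribute is exposed to anyone reaching port 389.
write_weak_acl_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to * by * read
EOF
}

# Returns 0 when the LDIF (1) has a userPassword rule that precedes the "to *"
# catch-all (slapd uses the first "to" clause that matches, so order matters),
# (2) never grants read on userPassword, and (3) ends the catch-all with
# "by * none" so unlisted and anonymous binds see nothing.
acl_ldif_is_sane() {
    f="$1"
    pw_line=$(grep -n '^olcAccess: {[0-9]*}to attrs=userPassword' "$f" | head -1 | cut -d: -f1)
    all_line=$(grep -n '^olcAccess: {[0-9]*}to \* ' "$f" | head -1 | cut -d: -f1)
    [ -n "$pw_line" ] && [ -n "$all_line" ] || return 1
    [ "$pw_line" -lt "$all_line" ] || return 1
    if grep -q '^olcAccess: {[0-9]*}to attrs=userPassword.* by \* read' "$f"; then
        return 1
    fi
    sed -n "${all_line}p" "$f" | grep -q ' by \* none$'
}
```
<div>
<br /></div>
<div>
Usage: <span style="font-family: 'Courier New', Courier, monospace;">write_nssproxy_acl_ldif ~/ldap/nssproxy.acl.ldif &amp;&amp; acl_ldif_is_sane ~/ldap/nssproxy.acl.ldif</span>, then apply the file with the ldapmodify command shown above. The same check run on the weak variant fails, because its catch-all does not end in <span style="font-family: 'Courier New', Courier, monospace;">by * none</span>.</div>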
<h3>
LDAP Browser</h3>
<div>
<br /></div>
<div>
Now that we're starting to have a few objects in the LDAP directory, you should think about installing an LDAP Browser. It's a GUI which helps you visualize your LDAP data. My own personal favorite is <a href="http://directory.apache.org/studio/">Apache Directory Studio</a>. It's a free, cross-platform and full-featured LDAP Browser. It can be installed stand-alone or inside Eclipse. That's how I use it on my PC-BSD 9.0 desktop.<br />
<br /></div>
</div>
<div>
Ok, we achieved another of our goals...<br />
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li>Configure pam_ldap to authenticate users via OpenLDAP.</li>
<li>Use OpenLDAP as sudo's configuration repository.</li>
<li>Use OpenLDAP as automount map repository for autofs.</li>
<li>Use OpenLDAP as NFS netgroup repository again for autofs.</li>
<li>Use OpenLDAP as the Kerberos principal repository.</li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
The next section will discuss how to configure PAM with LDAP.<br />
<br />
<h3>
Configure pam_ldap to authenticate users via OpenLDAP</h3>
<br />
Log in to another machine running CentOS 6.2 (or install a new one :). Install the required packages on this client.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap</span><br />
<br />
Before we start changing this client's configuration file, we should test again just to make sure our nssproxy user is ok and that we can connect to the OpenLDAP machine.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">ldapsearch -xZLLLWD cn=nssproxy,ou=users,dc=company,dc=com -b dc=company,dc=com -H ldap://alice.company.com:389</span><br />
<br />
Edit the system-wide LDAP client configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.openldap.ldap.conf.tls">/etc/openldap/ldap.conf</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
Edit another system-wide LDAP client configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.nslcd.conf">/etc/nslcd.conf</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
Fix permissions on the <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span> file because there is the password for our <span style="font-family: 'Courier New', Courier, monospace;">nssproxy</span> user.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chmod 600 /etc/nslcd.conf</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown root:root /etc/nslcd.conf</span><br />
<br />
Edit the network service switch configuration file.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.nsswitch.conf">/etc/nsswitch.conf</a></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Make sure the nslcd daemon starts at boot.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chkconfig nslcd on</span></div>
<div>
<br /></div>
<div>
Start it.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/nslcd start</span></div>
<div>
<br /></div>
<div>
Make sure you do NOT have the nssproxy user in the system's local passwd file. This should return nothing.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">grep nssproxy /etc/passwd</span></div>
<div>
<br /></div>
<div>
Then test the new LDAP query.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent passwd test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">test.user:x:1101:1101:Test User:/home/test.user:/bin/bash</span></div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">getent group test.group</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">test.group:*:1101:</span></div>
<div>
<br /></div>
<div>
Good! That means the system can now find users and groups from the LDAP directory.</div>
<div>
<br /></div>
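<div>
As an added example (not part of the original post), here is a small audit script for the client-side files edited in the steps above: it checks that <span style="font-family: 'Courier New', Courier, monospace;">/etc/nslcd.conf</span> is 0600 and root-owned (it carries the nssproxy bind password), that it asks nslcd to verify the server certificate, that <span style="font-family: 'Courier New', Courier, monospace;">/etc/nsswitch.conf</span> consults ldap after files for passwd, group and shadow, and that the proxy user has no local passwd entry. Paths and the expected owner are parameters so the checks can be run against copies; the defaults are the CentOS 6 locations used in this post.</div>
<div>
<br /></div>
```shell
# Added example, not part of the post: audit the client-side files the post
# edits. Paths and the expected owner are parameters so the checks can run
# against copies; the defaults are the CentOS 6 locations used above.

file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# /etc/nslcd.conf holds the nssproxy bind password (bindpw): 0600, owned by root.
check_nslcd_conf() {
    f="$1"; owner="${2:-root}"
    [ "$(file_mode "$f")" = 600 ] || { echo "$f: mode $(file_mode "$f"), want 600"; return 1; }
    [ "$(file_owner "$f")" = "$owner" ] || { echo "$f: owner is not $owner"; return 1; }
}

# A client that does not verify the server certificate can be fed a forged
# directory; nslcd.conf should say "tls_reqcert demand" (or hard).
check_tls_verification() {
    grep -Eq '^tls_reqcert[[:space:]]+(demand|hard)' "$1" \
        || { echo "$1: tls_reqcert is not demand/hard"; return 1; }
}

# nsswitch.conf: passwd, group and shadow must consult ldap after files.
check_nsswitch() {
    f="$1"
    for db in passwd group shadow; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+ldap" "$f" \
            || { echo "$f: $db is not 'files ldap'"; return 1; }
    done
}

# The proxy user must not also exist locally: a local entry shadows the LDAP
# one and carries its own (possibly stale) password.
check_no_local_user() {
    ! grep -q "^${2:-nssproxy}:" "$1"
}

# Run all checks; prints one line per failure and returns the failure count
# (0 means the client looks the way the post leaves it).
audit_ldap_client() {
    nslcd="${1:-/etc/nslcd.conf}"; nss="${2:-/etc/nsswitch.conf}"
    passwd="${3:-/etc/passwd}";    owner="${4:-root}"
    failures=0
    check_nslcd_conf "$nslcd" "$owner" || failures=$((failures + 1))
    check_tls_verification "$nslcd"    || failures=$((failures + 1))
    check_nsswitch "$nss"              || failures=$((failures + 1))
    check_no_local_user "$passwd" \
        || { echo "$passwd: local nssproxy entry present"; failures=$((failures + 1)); }
    return "$failures"
}
```
<div>
<br /></div>
<div>
On the client itself, <span style="font-family: 'Courier New', Courier, monospace;">sudo sh -c '. ./audit.sh; audit_ldap_client'</span> (with the functions saved in <span style="font-family: 'Courier New', Courier, monospace;">audit.sh</span>) uses the real paths and expects root ownership; an exit status of 0 means every check passed.</div>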
<div>
We can thus configure the PAM LDAP module. Note that we could use the <span style="font-family: 'Courier New', Courier, monospace;">authconfig(8)</span> and <span style="font-family: 'Courier New', Courier, monospace;">authconfig-tui(8)</span> tools to configure PAM LDAP, but I prefer to edit the files manually. <b>Keep in mind that if you edit the files manually and then use either of those tools, the configurations in /etc/nslcd.conf and pam.d will be overwritten! </b>So edit the <span style="font-family: 'Courier New', Courier, monospace;">/etc/pam_ldap.conf</span> file.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.pam_ldap.conf">/etc/pam_ldap.conf</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Then edit several files in the <span style="font-family: 'Courier New', Courier, monospace;">/etc/pam.d</span> directory. First the system authentication PAM in which we list the new <span style="font-family: 'Courier New', Courier, monospace;">pam_ldap</span> module.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.pam.d.system-auth-ac">/etc/pam.d/system-auth-ac</a> </span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Next we also want to use pam_ldap to authenticate users coming in via sshd(8), so let's tell PAM about it.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.pam.d.sshd">/etc/pam.d/sshd</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Of course, we also need to configure <span style="font-family: 'Courier New', Courier, monospace;">sshd(8)</span> so it knows we want to use <span style="font-family: 'Courier New', Courier, monospace;">pam_ldap</span>. </div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/etc.ssh.sshd_config">/etc/ssh/sshd_config</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
In this file we also restricted who can log in, via the AllowGroups directive. Now restart sshd so that it picks up the new configuration.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo /etc/init.d/sshd restart</span></div>
<div>
<br /></div>
<div>
We also like to let our users know that this machine is restricted via a simple /etc/issue file:</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">cat /etc/issue</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">Restricted Access.</span></div>
<div>
<br /></div>
<div>
Create a home directory for the user.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo mkdir /home/test.user</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo chown test.user:test.group /home/test.user</span></div>
<div>
<br /></div>
<div>
Ok, on the client machine, tail the secure log file so you can watch whether things work.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo tail -F /var/log/secure</span></div>
<div>
<br /></div>
<div>
Then, from another machine, try to ssh into this new LDAP-configured client.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ssh -v test.user@client.company.com</span></div>
<div>
<br /></div>
<div>
You should now have access to the client :)</div>
<div>
<br /></div>
<div>
But wait! If you take a look at the /var/log/slapd.log file on the OpenLDAP server, you will find quite a lot of lines like these:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6152]: <= bdb_equality_candidates: (objectClass) not indexed</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">slapd[6152]: <= bdb_equality_candidates: (uid) not indexed</span></div>
</div>
<div>
<br /></div>
<div>
If we take a look at our server, we notice that we don't have any indexes at the moment.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b olcDatabase={1}bdb,cn=config olcDbIndex</span></div>
<div>
<br /></div>
<div>
That means we must modify the backend database to create indexes for these attributes. So edit another LDIF file.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">vi <a href="https://dl.dropbox.com/u/72609528/blog/openldap/posixaccount.indexes.ldif">~/ldap/posixaccount.indexes.ldif</a></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
Add those changes to the LDAP server.</div>
</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapmodify -a -H ldapi:/// -f ~/ldap/posixaccount.indexes.ldif</span></div>
<div>
<br /></div>
<div>
Then check that the changes have been properly applied.</div>
<div>
<br /></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b olcDatabase={1}bdb,cn=config olcDbIndex</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">dn: olcDatabase={1}bdb,cn=config</span></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: default pres,eq</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: uid</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: cn,sn pres,eq,sub</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: objectClass eq</span></b></div>
</div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: memberUid eq</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: uniqueMember eq</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: uidNumber</span></b></div>
<div>
<b><span style="font-family: 'Courier New', Courier, monospace;">olcDbIndex: gidNumber eq</span></b></div>
<div>
<br /></div>
<div>
Excellent! We should not have any more errors in our slapd.log file.</div>
<div>
<br /></div>
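<div>
Here is an added example (not the post's own <span style="font-family: 'Courier New', Courier, monospace;">posixaccount.indexes.ldif</span>) that automates the index step above: it pulls the attribute names slapd reports as "not indexed" out of slapd.log, removes the ones the current olcDbIndex listing already covers, and emits an LDIF that adds an equality index for the rest. The log lines in the test are constructed to look like the ones quoted above; the database DN <span style="font-family: 'Courier New', Courier, monospace;">olcDatabase={1}bdb,cn=config</span> is assumed to be the same as in this post.</div>
<div>
<br /></div>
```shell
# Added example, not from the post: find which attributes slapd reports as
# unindexed, drop the ones already covered by the current olcDbIndex values,
# and emit an LDIF that adds an "eq" index for each of the rest.

# "slapd[6152]: <= bdb_equality_candidates: (uid) not indexed"  ->  uid
unindexed_attrs() {
    sed -n 's/.*_candidates: (\([^)]*\)) not indexed.*/\1/p' "$1" | sort -u
}

# Attribute names from the ldapsearch output for olcDbIndex shown above.
# "olcDbIndex: cn,sn pres,eq,sub" names two attributes; "default" is a keyword.
indexed_attrs() {
    sed -n 's/^olcDbIndex: \([^ ]*\).*/\1/p' "$1" | tr ',' '\n' | grep -v '^default$' | sort -u
}

# Attributes seen in the log that have no index yet (sorted, one per line).
# $1 = slapd.log, $2 = file holding the current olcDbIndex listing.
missing_indexes() {
    a=$(mktemp); b=$(mktemp)
    unindexed_attrs "$1" > "$a"
    indexed_attrs "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# LDIF adding an "eq" index for each attribute given as an argument. The
# database DN is assumed to be the post's olcDatabase={1}bdb,cn=config.
index_ldif() {
    printf 'dn: olcDatabase={1}bdb,cn=config\nchangetype: modify\nadd: olcDbIndex\n'
    for attr in "$@"; do
        printf 'olcDbIndex: %s eq\n' "$attr"
    done
}
```
<div>
<br /></div>
<div>
Typical use on the server: save the olcDbIndex ldapsearch output above to a file, then <span style="font-family: 'Courier New', Courier, monospace;">index_ldif $(missing_indexes /var/log/slapd.log current.ldif) &gt; ~/ldap/more.indexes.ldif</span> and apply it with the ldapmodify command above. Adding an index with <span style="font-family: 'Courier New', Courier, monospace;">add: olcDbIndex</span> for an attribute that is already listed is rejected by slapd, which is why the existing listing is subtracted first.</div>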
<div>
We have now finished another of our goals!</div>
<div>
<ol>
<li><strike>Install OpenLDAP 2.4.</strike></li>
<li><strike>Configure Transport Layer Security (TLS).</strike></li>
<li><strike>Manage users and groups in OpenLDAP.</strike></li>
<li><strike>Configure pam_ldap to authenticate users via OpenLDAP.</strike></li>
<li>Use OpenLDAP as sudo's configuration repository.</li>
<li>Use OpenLDAP as automount map repository for autofs.</li>
<li>Use OpenLDAP as NFS netgroup repository again for autofs.</li>
<li>Use OpenLDAP as the Kerberos principal repository.</li>
<li>Setup OpenLDAP backup and recovery.</li>
<li>Setup OpenLDAP replication.</li>
</ol>
</div>
<div>
See you later,</div>
<div>
<br /></div>
<div>
DA+</div>