blog.scottlowe.org

I just wanted to provide a quick update on some articles I have in the works to be (hopefully) published soon.

• I’m working on an article discussing when to use various NIC teaming configurations with VMware ESX. There are some significant repercussions here for a variety of network configurations, but especially so for configurations involving IP-based storage (iSCSI or NFS).
• I’m finally wrapping up an article on the Xsigo I/O Director. I’ve been working a Xsigo VP780 in the lab for quite some time, and this article will provide a brief overview along with some tips and tricks.
• I received word from HP that I should be getting a ProCurve switch in my lab soon, so that means I can provide a ProCurve-oriented version of this NIC teaming and VLAN trunking article.
• I have some notes on using NetApp Open Systems SnapVault (OSSV) in conjunction with VMware ESX that I plan to post here as well.

New versions of the Linux and Solaris AD integration articles are on the way as well, starting with an update of the Solaris instructions to accommodate Solaris 10 Update 5 and Windows Server 2008.

If there’s anything else you’re interested in seeing, let me know in the comments. Thanks for reading!

UPDATE: The NIC utilization article is available here.

A new print magazine focused on the various BSD operating systems—FreeBSD, OpenBSD, and NetBSD—has started up. You can get more information about the magazine at http://www.bsdmag.org.

I’ve written about OpenBSD several times here, and while I’m lightyears from being any sort of BSD expert I have a great deal of respect for the BSDs. (After all, Mac OS X is based on FreeBSD.) If I weren’t so incredibly overloaded on technologies as it is, I’d probably be interested in learning more about all the BSDs. Unfortunately, there’s only 24 hours in a day, and other technologies—like virtualization, VMware, storage, SANs, etc.—already keep me busy enough as it is.

Best of luck to the new BSD Magazine editors! I hope the new magazine is successful.

This afternoon, I walked back through my own instructions for integrating Solaris 10 and Active Directory, and I found that the process wasn’t as smooth as perhaps I’d believed it to be.  As a result of walking back through the process again myself, I’ve collected some notes.  At some point in the near future, these notes will be integrated into a new version of the Solaris-AD integration instructions.

So, without further ado, here are the notes I collected in no particular order:

• The Blastwave Samba package does not create it’s own smb.conf file in /opt/csw/etc/samba.  This is correctly pointed out in the latest integration instructions, but I wanted to mention it again here.  You’ll need to manually create the /opt/csw/etc/samba/smb.conf file before attempting to join the Solaris server to Active Directory via the ‘net ads join’ command.
• The defaultServerList portion of the ‘ldapclient manual’ command only supports IP addresses.  The LDAP client service kept going into maintenance mode when using hostnames.  On a hunch, I substituted IP addresses for hostnames, and it worked.  Go figure.
• Apparently, you can’t use ‘ldapclient mod’ to change an existing attribute map.  I had a hunch about resolving a co-existence issue where both Solaris and Linux are both authenticating against Active Directory—more on that particular topic is coming soon as well—and needed to change the attribute maps for the homedirectory and loginshell attributes.  I ended up editing the ldap_client_file manually (found in /var/ldap; must be made writable using chmod) in order to make the change.  If anyone has a more elegant fix, please let me know.
• The ‘net ads join’ command correctly creates a Kerberos keytab with the appropriate entries, but places it in the wrong location.  On my test system, it placed the krb5.keytab file in the /etc directory, and Solaris expected it to be in /etc/krb5 instead.  Until I moved that file, authentication against Active Directory consistently failed.
• It turns out that it’s not really necessary to enable the DNS client using ’svcadm enable svc:/network/dns/client:default’; from what I’ve been able to gather, that’s there as a dependency only.  The ‘nslookup’ and ‘host’ commands seemed to work just fine with this service still disabled.

Again, I’ll be incorporating these changes into a future version of the Solaris-AD integration instructions.  I hope to have that complete within the next week or two, so stay tuned.  In addition, I have information coming to help with the co-existence of multiple UNIX and UNIX-like operating systems all authenticating against the same Active Directory forest, so keep your eyes peeled for that as well.

I used to read Tom Yager’s “Ahead of the Curve” column when InfoWorld was still a print publication.  Every month, without fail, as soon as the magazine arrived I turned right to his column.  It was one of my primary reasons for reading the magazine, at least in recent years.  I think it’s probably safe to say that Yager’s affection for Mac OS X led me to perform an evaluation of my own and, eventually, to switch to Mac OS X myself based on the results of that personal evaluation.

But then the magazine turned digital/online only, and I stopped following his column.  I already had enough stuff coming in to my various digital inboxes, and didn’t really need another.  Part of the allure of the column had been precisely that it wasn’t digital.

Fast forward to just the other day, when I stumble across his column once more and find that I, too, am “ahead of the curve.”  In his recent article The next best thing to OS X, Yager claims that Sun Solaris 10 is a great fit for places where Mac OS X isn’t.

Given that I have embarked upon a plan to learn Solaris, it’s kind of nice to see an “industry analyst” say that you’re making the right move and that you, too, are ahead of the curve.

I’ve been looking forward to Solaris 10 8/07 (Update 4) for a while now, eager to see what new technologies and features have been baked into the stable Solaris 10 code base.  I won’t go into all the new bells and whistles, partly because I’m just not knowledgeable enough about them to them justice, and partly because it’s been done better elsewhere.

I didn’t really expect any problems when I went to install Update 4 on ESX Server 3.0.2, and Solaris didn’t disappoint.  The new update installed quickly and flawlessly, and VMware Tools installed without a hitch.  After installation, I modified the VM configuration to use the Intel e1000 driver, mostly because I know that the e1000 driver is supported for VLAN interfaces, something I have been and will continue to be experimenting with over the next day or so.

<aside>By the way, if you’re having problems getting changes to the VMX file to stick (i.e., if VirtualCenter keeps overwriting your changes), then remove the VM from inventory, edit the file, then browse the datastore and add the VM back to inventory.  Your changes to the VMX file will now stick.</aside>

Now that I have Update 4 running on ESX Server, the next step is to try using Solaris Containers (zones) on the virtualized instance, as well as testing the new iSCSI target functionality in Solaris to provide iSCSI storage for the ESX hosts.  I’ll post more information here (it may be slightly delayed because I’ll be in San Francisco next week at VMworld) as soon as I’ve had the opportunity to conduct those tests and have some results.

I’ve been doing some interoperability testing with VMware ESX Server and VLANs (a separate article on that is in the works), and needed a guest OS that supported VLAN interfaces.  From my previous (but limited) experience with OpenBSD, I suspected that VLAN interfaces were indeed supported, and after setting up a quick VM running OpenBSD 4.1 I found that I was indeed correct.  Not only are they supported, they are incredibly easy to setup and configure.

The command to configure a VLAN interface is simply a variation of the standard ifconfig command (note that I’m using a backslash to denote a line continuation, so that I can wrap lines here for readability):

ifconfig <VLAN interface name> vlan <VLAN ID> \
vlandev <physical network device>

So, by example, the command I used to create a VLAN interface for VLAN ID 3 looked like this:

ifconfig vlan3 vlan 3 vlandev pcn0

I did find that I couldn’t name the VLAN interface (“vlan3”, in this case) anything other than vlanX, where X was a number.  I don’t know if this is an OpenBSD limitation, or just an error on my part.  The latter is certainly a distinct possibility.

Once the VLAN interface, is created, then I just followed the standard OpenBSD way of provisioning an interface—create /etc/hostname.ifname (where ifname is the name of the VLAN interface) for each VLAN interface and that should be that.

The ESX Server configuration to support these VLAN interfaces at the guest level was pretty easy, too.  I just had to create a port group with a VLAN ID of 4095 and attach the OpenBSD guest to that port group.  ESX Server automatically passed the VLAN tags up to the guest and everything worked as expected.  (Again, I’ll have a separate article on that published soon.)

Next, perhaps I’ll try this with Linux or Solaris…

I’m not a Solaris expert, nor a SPARC expert, nor even a longtime user of their products.  But I do have a lot of respect for their recent engineering efforts in the x86 space, particularly those hardware products released since Andy Bechtolsheim’s return with the acquisition of Kealia a couple of years ago.  The move to open-source Solaris, the increasing visibility of OpenSolaris, the introduction of exciting new technologies such as ZFS…all these things have been building up the “tech cred” that Sun needs to win back (or continue to hold on to) the hearts and minds of technical leaders.  And then this happens—they announce they’re changing the stock ticker symbol from SUNW to JAVA.  Huh?

Is it just me, or does this not make sense?  I suppose I kind of see the reasoning behind the move, although I don’t agree with the reasoning.  It all smacks of rebranding all the products with Java, even though most of them didn’t (and don’t) have anything to do with Java.

It all just seems silly to me.

I’ve targeted Solaris (specifically, Solaris 10 on x86) as the next major technology that I’m going to try to learn.  I’ve always been fascinated with UNIX and UNIX-like operating systems such as Linux, and Linux’s popularity on the x86 platform made it much easier to learn because I didn’t have to acquire any exotic hardware.  With Sun’s (apparent) renewed interest in x86/x64, Solaris is much more accessible now than it was in the past.

Obviously, I’m not a complete newbie to the Solaris environment, having written a couple articles on Solaris-AD integration (the latest being found here).  However, I don’t feel like I have a solid understanding of the operating system and its architecture, and I’d feel much more comfortable with that information under my belt.  At some point, the IT industry being what it is, I’ll need to seek some sort of Solaris certification, but that’s not my primary goal.  Understanding the product itself is my primary goal; certification will merely be a side effect.

Here’s what I’ve done so far:

• I’ve created a Solaris 10 (32 bit) virtual machine on my VMware ESX Server farm; that’s been the system I’ve used mostly for testing the Active Directory integration instructions.  I’ve also done some work with the automounter (automounting home directories via NFS).
• I’ve also just recently gotten a Solaris 10 (64 bit) VM running under VMware Fusion on my MacBook Pro; I’ll use that system for more day-to-day operational tasks and getting used to the interface.
• I have a group of Solaris- and UNIX-related RSS feeds in NetNewsWire, including BigAdmin (What’s New and Feature Articles), Inchoate Curmudgeon, and a del.icio.us tag feed, among others.

I’d certainly appreciate any suggestions from those who may have already been down this path as to specific projects I should undertake, books I should acquire, websites to frequent, RSS feeds to which I should subscribe, etc.  In addition, any guidance as to how I should balance Solaris vs. OpenSolaris (on which one should I focus more effort?) would be very helpful.  And what builds of Solaris/Solaris Express are most beneficial to use?  I’m currently using Solaris 10 Update 3, but I’m not sure if a different build would be better to work with.  That’s the kind of information that would be great to get from those wiser and more experienced.

Wish me luck!

Having tested a couple of the previous releases of OpenBSD on various versions of ESX Server (OpenBSD 3.8 here and version 3.9 here), I decided to test OpenBSD 4.1 on ESX Server 3.0.1.  I didn’t really expect any problems at first, but then I stumbled across this article describing a problem between OpenBSD 4.1 and ESX Server 2.5.  Fortunately, it appears as if that problem does not affect ESX Server 3.0.1.

The VM configuration was pretty straightforward; just change the SCSI controller to LSI Logic instead of BusLogic and everything should work beautifully.  The OpenBSD 4.1 release notes indicate a new driver for the VMware VMXnet NIC driver, but I haven’t had the opportunity to test this yet; my installation is still using the pcn0 driver.

After installing OpenBSD, I was able to successfully install a number of packages using pkg_add (pulling the packages down via FTP).  Not confident that I had transferred enough data to be sure that I wasn’t going to see the same issue the other blogger ran into with his installation, I fired up Interarchy and transferred a 450MB ISO file via SFTP.  The file transfer completed successfully and I ran into no problems.

I’ll likely experiment with adding the VMXnet driver within the next few days to see how that works and how it affects network performance.

Thanks to some very helpful individuals in the #solaris channel on irc.freenode.net, I’ve been able to get ADS support working in Samba on Solaris 10, and thus have been able to incorporate the use of Samba in the Solaris 10-AD integration instructions.

To refer to earlier versions of the Solaris 10-AD integration instructions, see this article or this article.  I would expect that you won’t need to refer to those posts, though, and will be able to get most of what you need directly from this post.

Assumptions

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.  This will require changes to the “ldapclient manual” command shown below, which handles the schema/attribute mapping.  (I only have a single article written that includes pre-R2 attribute mapping, and that’s this Linux-AD article.  The schema mapping should be very, very similar between that article and Solaris 10.)

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux or Solaris to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again this time.

1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

• NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
• UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
• GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
• Login Shell:  Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
• Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  The only workarounds I’ve found to address these issues is the clever use of symlinks and the use of NFS automounts for home directories.

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Configuring Reverse DNS

On the DNS server handling the reverse lookup zones for the subnet on which the Solaris server is located, add a PTR record for the Solaris server and it’s IP address.  This will ensure that reverse DNS lookups work as expected.  Make sure that each Solaris server that will be authenticating against Active Directory has a reverse lookup record in DNS, and ensure that both forward and reverse lookups work from each of the Solaris server(s).

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring the hosts file

To enable reliable TGT validation (this ensures that the Kerberos ticket returned by a KDC actually came from the KDC and not a spoofed server), you’ll need to edit the hosts file.  On Solaris 10, this is found in /etc/inet/hosts and is read-only, even for root.  Edit this file (changing permissions as necessary) so that the line with the server’s IP address looks something like this:

10.1.1.1        hostname.example.com hostname loghost

What we’re doing here is making sure that the server’s fully qualified domain name (not just the short hostname) is the first name entry on the line for the server’s IP address.

There may or may not be other entries in the file; leave those entries untouched (unless you know you need to modify them).

Installing Blastwave Packages

This is the key to getting ADS support into Samba on Solaris 10.  I won’t go into excruciating detail on this since this process is amply covered elsewhere, but here’s the basic idea of the process:

• Use the standard wget (found in /usr/sfw/bin) to download the pkg-get file used by Blastwave.
• Use pkgadd to install pkg-get.
• Configure pkg-get to use the unstable packages (makes sure you get the latest builds).
• Use pkg-get to install the CSWsamba package and all requisite packages (there were quite a few dependency packages during my testing).

Once the CSWsamba package and related packages are installed, we’ll need to configure Samba by creating /opt/csw/etc/samba/smb.conf with the following contents:

workgroup = <NetBIOS name of AD domain>
security = ads
realm = <DNS name of AD domain in UPPERCASE>
use kerberos keytab = true
password server = <Space-delimited list of AD DCs>

At this point, we are ready to configure Kerberos and then proceed with testing the configuration and join the Active Directory domain.

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

There will also be a file named cswkrb5.conf in the /etc directory; you can configure this file with the contents of the [libdefaults], [reamls], and [domain_realms] sections as listed above.  You don’t need to include the [logging] or [appdefaults] sections in this file.

Note that you can’t simply copy and paste from here to the Solaris configuration files, as you’ll need to customize your version for your particular network, hostnames, domain names, etc.  If you must copy and paste from here, put it into a text editor first to customize it for your implementation.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual 
-a credentialLevel=proxy 
-a authenticationMethod=simple 
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com 
-a proxyPassword=Password1 
-a defaultSearchBase=dc=example,dc=com 
-a domainName=example.com 
-a “defaultServerList=172.16.1.10” 
-a attributeMap=group:userpassword=userPassword 
-a attributeMap=group:memberuid=memberUid 
-a attributeMap=group:gidnumber=gidNumber 
-a attributeMap=passwd:gecos=cn 
-a attributeMap=passwd:gidnumber=gidNumber 
-a attributeMap=passwd:uidnumber=uidNumber 
-a attributeMap=passwd:homedirectory=unixHomeDirectory 
-a attributeMap=passwd:loginshell=loginShell 
-a attributeMap=shadow:shadowflag=shadowFlag 
-a attributeMap=shadow:userpassword=userPassword 
-a objectClassMap=group:posixGroup=group 
-a objectClassMap=passwd:posixAccount=user 
-a objectClassMap=shadow:shadowAccount=user 
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub 
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

While you’re editing /etc/nsswitch.conf, be sure to add a “dns” entry at the end of the line for hosts:

hosts          files dns

This will help ensure that Solaris is properly configured to use DNS for host name resolution.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring the DNS Client

You’ll also need to make sure that the DNS client is enabled and running.  Using “svcs -a | grep dns” will help you identify the correct service, which you can then enable with svcadm:

svcadm enable svc:/network/dns/client:default

Test DNS resolution using the “nslookup” command.  As mentioned previously, be sure to test both forward and reverse lookups.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Reboot the Solaris Server

I know this sounds stupid, but even after restarting LDAP and enabling/starting/restarting the DNS client, things still didn’t work for me in the lab.  However, after rebooting the Solaris server, it worked like a champ.  So, just in case, reboot the Solaris server after completing the configuration.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

• You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
• You can use “kinit <Name of AD user>” to test Kerberos authentication.  A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to join the Solaris server to Active Directory using Samba.

Joining the Solaris Server to Active Directory

This is the final step.  Don’t try this step until you’ve successfully tested the configuration.  After this step is completed, you are finished and AD users will be able to login to the Solaris server (assuming the AD users have been properly configured).

To join the Solaris server to Active Directory, follow these steps:

1. Verify the Samba configuration as outlined earlier.  Key to the configuration are the “security = ads” and “use kerberos keytab = true” directives.
2. Use “kdestroy” to destroy any existing Kerberos credentials you may have; then run “kinit <Domain administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an account that is a domain administrator account.
3. Run “net ads join” to join the Solaris server to Active Directory.  This command will automatically create a computer object in Active Directory and add the appropriate SPNs (service principal names) to the computer object.  In addition, it will populate the local Kerberos key table (/etc/krb5.keytab, by default) with the correct entries for authentication against Active Directory.  You may see an error about a missing userPrincipalName, but this does not appear to affect any functionality.

At this point, all properly configured AD users (those users who have UNIX attributes) should be able to login to the Solaris server using their Active Directory username and password.  Of course, this assumes that you’ve already dealt with home directories (or are automounting home directories).

As with previous instructions, these instructions don’t address password management (the ability to change an AD password from Solaris) and don’t address how to handle home directories.  Hey, I’ve got to leave a few challenges for others to tackle, right?

How I Tested

This testing was done using Solaris 10 11/06 (Update 3) running on VMware ESX Server 3.0.1.  Active Directory was running on a pair of servers with Windows Server 2003 R2, also virtual machines on ESX Server.  Authentication testing was performed using SSH from a client system running Mac OS X.