Sun

My irregular “Virtualization Short Takes” series was put on hold some time ago after I started work on Mastering VMware vSphere 4. Now that work on the book is starting to wind down just a bit, I thought it would be a good time to try to resurrect the series. So, without further delay, welcome to the return of Virtualization Short Takes!

  • Triggered by a series of blog posts by Arnim van Lieshout on VMware ESX memory management (Part 1, Part 2, and Part 3), Scott Herold decided to join the fray with this blog post. Both Scott’s post and Arnim’s posts are good reading for anyone interested in getting a better idea of what’s happening “under the covers,” so to speak, when it comes to memory management.
  • Perhaps prompted by my post on upgrading virtual machines in vSphere, a lot of information has come to light regarding the PVSCSI driver. Some are advocating changes to best practices to incorporate the PVSCSI driver, but others seem to be questioning the need to move away from a single drive model (a necessary move since PVSCSI isn’t supported for boot drives). Personally, I just want VMware to support the PVSCSI driver on boot drives.
  • Eric Sloof confirms for us that name resolution is still the Achilles’ Heel of VMware High Availability in VMware vSphere.
  • I don’t remember where I picked up this VMware KB article, but it sure would be handy if VMware could provide more information about the issue, such as what CPUs might be affected. Otherwise, you’re kind of shooting in the dark, aren’t you?
  • Upgraded to VMware vSphere, and now having issues with VMotion? Thanks to VMwarewolf, this pair of VMware KB articles (here and here) might help resolve the issue.
  • Chad Sakac of EMC, co-conspirator for the storage portion of Mastering VMware vSphere 4 (pre-order here), has been putting out some very good posts:
  • Leo Raikhman pointed me to this article about IRQ sharing between the Service Console and the VMkernel. I think I’ve mentioned this issue here before…but after over 1,000 posts, it’s hard to keep track of everything. In any case, there’s also a VMware KB article on the matter.
  • And speaking of Leo, he’s been putting up some great information too: notes on migrating Ubuntu servers (in turn derived from these notes by Cody at ProfessionalVMware), a rant on CDP support in ESX, and a note about the EMC Storage Viewer plugin. Good work, Leo!
  • If you are interested in a run-down of the storage-related changes in VMware vSphere, check out this post from Stephen Foskett.
  • Rick Vanover notes a few changes to the VMFS version numbers here. The key takeaway here is that no action is required, but you may want to plan some additional tasks after your vSphere upgrade to optimize the environment.
  • In this article, Chris Mellor muses on how far VMware may go in assimilating features provided by their technology partners. This is a common question; many people see the addition of thin provisioning within vSphere as a direct affront to array vendors like NetApp, 3PAR, and others who also provide thin provisioning features in the array themselves. I’m not so convinced that this feature is as competitive as it is complementary. Perhaps I’ll write a post about that in the near future…oh wait, never mind, Chad already did!
  • File this one away in the “VMware-becoming-more-like-Microsoft” folder.
  • My occasional mentions of Crossbow prompted a full-on explanation of the Open Networking functionality of OpenSolaris by a Sun engineer. It kind of looks like SR-IOV and VMDirectPath to me…sort of. Don’t you think?
  • If you are thinking about how to incorporate HP Virtual Connect Flex-10 into your VMware environment, Frank Denneman has some thoughts to share. I’ve been told by HP that I have some equipment en route with which I can do some additional testing (the results of which will be published here, of course!), but I haven’t seen it yet.

OK, I guess that should just about do it. Thanks for reading, and please share your thoughts, interesting links, or (pertinent) rants in the comments.

    A couple of weeks have passed since the announcement of Cisco’s Unified Computing System (UCS), and in that timeframe I’ve collected a number of links to articles and blog posts about UCS. I thought I’d collect them here and try to get a feel from all of the various viewpoints where the industry stands on UCS.

    I’ll start with Robin Harris aka StorageMojo and his initial take on UCS. The one thing that jumped out at me about his article was this statement:

    If IBM, HP and Sun aren’t meeting today to plot a radical, Cisco margin destroying open-source router & low-cost switch counterattack – like Seagate, HP and IBM performed on Quantum’s DLT – they’re idiots.

    This seems to validate the strategy outlined by Sun and sheds new light—for me, at least—on the potential motivations for IBM to acquire Sun and, thus, Sun’s intellectual property. Is Big Blue’s move to acquire Sun a precursor to a strike against the heart of Cisco’s routing and switching business? And how would Cisco respond to just such a move?

    Massimo Re Ferre’ of IT 2.0 approaches UCS from a different angle. According to Massimo, if you stop and really look at what you get from UCS, it’s not terribly different from what you can get from other vendors. In fact, if you separate out the unified fabric, there really isn’t a whole lot to distinguish UCS from other, similar solutions from HP, IBM, Dell, and Sun. And if you think about it, he’s right—it’s really only the unified fabric, along with the fabric extenders in the chassis and the single point of management, that differentiate the platform.

    Therein lies the problem. Massimo points out a couple of potential problems with unified fabric (security and political/organizational challenges). If unified fabric doesn’t fly, then UCS is grounded too. And industry excitement over FCoE isn’t exactly the greatest in the world. Chris Evans aka The Storage Architect makes clear his feelings about FCoE in this post:

    FCoE is a Cisco strategy to own the data centre, nothing else. As the recession bites, it would be a brave soul who could justify the disruption and additional spend, for very little gain.

    FCoE is hardly a foregone conclusion, and given that so much of UCS’ value is tied up in the unified fabric and the results that come from it, that makes UCS awfully vulnerable.

    Not everyone thinks that FCoE makes the UCS vulnerable, by the way; technology evangelist Christopher Kusek thinks the future will be a unified one:

    The Data center has spoken and its answer is True unification.

    Burton Group analyst Drue Reeves says that this was a move Cisco had to make:

    In the end, UCS was a move Cisco had to make to ward off competition AND increase shareholder value. Cisco has a strong brand, enterprise credibility, the technical chops and finances to pull it off. Is UCS a business risk? Sure. But the greater risk for Cisco is to do nothing.

    Perhaps, perhaps not. Given that UCS relies so heavily on FCoE, wouldn’t it have made sense for Cisco to push the FCoE train along by providing FCoE interconnects for blade servers from HP and IBM? Of course, this is supposing that CNAs would be available for HP and IBM blades, but I’m sure that this is something Cisco could have helped guarantee. This route would have broadened the market for FCoE and the unified fabric and simultaneously established Cisco as the FCoE leader (as if they weren’t already). Then, when really game-changing stuff like the SR-IOV-enabled “Palo” adapters became available, Cisco could have taken the leap into the compute space and played the unified management card. That seems like a less risky approach to me. But hey, what do I know?

    A while back in Virtualization Short Take #25 I briefly mentioned Sun’s Crossbow network virtualization software, which brings new possibilities to the Solaris networking world. Not being a Solaris expert, it was hard for me at the time to really understand why Solaris fans were so excited about it; since then, though, I’ve come to understand that Crossbow brings to Solaris the same kind of full-blown virtual network interfaces and such that I use daily with VMware ESX. Now I’m beginning to understand why people are so thrilled!

    In any case, an astute reader picked up on my mention of Crossbow and pointed me to this article by Jonathan Schwartz of Sun, and in particular this phrase:

    You’re going to see an accelerating series of announcements over the coming year, from amplifying our open source storage offerings, to building out an equivalent portfolio of products in the networking space…

    That seemingly innocuous mention was then coupled with this blog post and the result was this question: is Sun preparing to take on Cisco? Is Sun getting ready to try to use commodity hardware and open source software to penetrate the networking market in the same way that they are using commodity hardware and open source software to try to further penetrate the storage market with their open storage products (in particular, the 7000 series)?

    It’s an interesting thought, to say the least. Going up against Cisco is a bold move, though, and I question Sun’s staying power in that sort of battle. Of course, with Cisco potentially distracted by the swirling rumors regarding the networking giant’s entry into the server market, now may be the best time to make this move.

    Thoughts?

    Storage Short Take #4

    Last week I provided a list of virtualization-related items that had made their way into my Inbox in some form or another; today I’ll share storage-related items with you in Storage Short Take #4! This post will also be cross-published to the Storage Monkeys Blogs.

    • Stephen Foskett has a nice round-up of some of the storage-related changes available to users in VMware ESX 3.5 Update 3. Of particular note to many users is the VMDK Recovery Tool. Oh, and be sure to have a look at Stephen’s list of top 10 innovative enterprise storage hardware products. He invited me to participate in creating the list, but I just didn’t feel like I would have been able to contribute anything genuinely useful. Storage is an area I enjoy, but I don’t think I’ve risen to the ranks of “storage guru” just yet.
    • And in the area of top 10 storage lists, Marc Farley shares his list of top 10 network storage innovations as well. I’ll have to be honest—I recognize more of these products than I did ones on Stephen’s list.
    • Robin Harris of StorageMojo provides some great insight into the details behind EMC’s Atmos cloud storage product. I won’t even begin to try to summarize some of that information here as it’s way past my level, but it’s fascinating reading. What’s also interesting to me is that EMC chose to require users to use an API to really interact with the Atmos (more detailed reasons why provided here by Chad Sakac), while child company VMware is seeking to prevent users from having to modify their applications to take advantage of “the cloud.” I don’t necessarily see a conflict between these two approaches as they are seeking to address two different issues. Actually, I see similarities between EMC’s Atmos approach and Microsoft’s Azure approach, both of which require retooling applications to take advantage of the new technology.
    • Speaking of Chad, here’s a recent post on how to add storage to the Celerra Virtual Appliance.
    • Andy Leonard took up a concern about NetApp deduplication and volume size limits a while back. The basic gist of the concern is that in its current incarnation, NetApp deduplication limits the size of the volume that can be deduplicated. If the size of the volume ever exceeds that limit, it can’t be deduplicated—even if the volume is subsequently resized back within the limit. With that in mind, users must actively track deduplication space savings so that, in the event they need to undo the deduplication, they don’t inadvertently lose the ability to deduplicate because they exceeded the size limit. Although Larry Freeman aka “Dr Dedupe” responded in the comments to Andy’s post, I don’t think that he actually addressed the problem Andy was trying to state. Although the logical data size can grow to 16TB within a deduplicated volume, you’ll still need to watch deduplication space savings if you think you might need to undo the deduplication for whatever reason. Otherwise, you could exceed the volume size limitations and lose the ability to deduplicate that volume.
    • And while we are on the subject of NetApp, a blog post by Beth Pariseau from earlier in the year recently caught my attention; it was in regards to NetApp Snapshots in LUN environments. I’ve discussed a little bit of this before in my post about managing space requirements with LUNs. The basic question: how much additional space is recommended—or required—when using Snapshots and LUNs? Before the advent of Snapshot auto-delete and volume autogrow, the mantra from NetApp was “2x + delta”—two times the size of the LUN plus changes. With the addition of these features, deduplication, and additional thin provisioning functionality, NetApp has now moved its focus to “1x + delta”—the size of the LUN plus space needed for changes. It’s not surprising to me that there is confusion in this area, as NetApp itself has worked so hard to preach “2x + delta” and now has to go back and change its message. Bottom line: You’re going to need additional space for storing Snapshots of your LUNs, and the real amount is determined by your change rate, how many Snapshots you will keep, and for how long you will keep them. 20% might be enough, or you might need 120%. It all depends upon your applications and your business needs.
    • If you’re into Solaris ZFS, be sure to have a look at this NFS performance white paper by Sun. It provides some good details on recent changes to how NFS exports are implemented in conjunction with ZFS.

    That’s it for this time around, but feel free to share any interesting links and your thoughts on them in the comments!

    NetApp Suing Sun over ZFS

    I was on the road most of the day today, so I must have missed this news earlier. Apparently, Sun Microsystems and Network Appliance have had a little spat over ZFS and WAFL, and now NetApp is suing Sun for patent infringement.

    Dave Hitz explained the situation in a blog entry:

    This morning, NetApp filed an IP (intellectual property) lawsuit against Sun. It has two parts. The first is a “declaratory judgment”, asking the court to decide whether we infringe a set of patents that Sun claims we do. The second says that Sun infringes several of our patents with its ZFS technology.

    Dave Hitz goes on to attempt to differentiate NetApp’s actions from the IP lawsuit(s) of SCO infamy. Personally, I wouldn’t place NetApp and SCO in the same situation, although I am strongly opposed to the current system of software patents. Patent reform is desperately needed, before things get worse than they already are.

    In any case, this turn of events is unfortunate. I’m not technical enough to be able to provide any sort of opinion with regards to whether or not ZFS actually does infringe upon NetApp’s WAFL patents (or the other way around), but I do hope that Sun and NetApp can settle things amicably and move forward with more innovation, rather than getting stuck in an argument over who owns what. That’s the last thing either company needs right now. In addition, ZFS’ status needs to be settled quickly, before more companies decide to try to adopt a supposedly open sourced file system and incorporate it into their own products (as Apple reportedly did with ZFS and Leopard).

    For more information on the lawsuit, see this eWeek article or this report from The Register. I’d also be interested in hearing anyone else’s feedback on the situation. What’s your take?

    Learning Solaris

    I’ve targeted Solaris (specifically, Solaris 10 on x86) as the next major technology that I’m going to try to learn.  I’ve always been fascinated with UNIX and UNIX-like operating systems such as Linux, and Linux’s popularity on the x86 platform made it much easier to learn because I didn’t have to acquire any exotic hardware.  With Sun’s (apparent) renewed interest in x86/x64, Solaris is much more accessible now than it was in the past.

    Obviously, I’m not a complete newbie to the Solaris environment, having written a couple articles on Solaris-AD integration (the latest being found here).  However, I don’t feel like I have a solid understanding of the operating system and its architecture, and I’d feel much more comfortable with that information under my belt.  At some point, the IT industry being what it is, I’ll need to seek some sort of Solaris certification, but that’s not my primary goal.  Understanding the product itself is my primary goal; certification will merely be a side effect.

    Here’s what I’ve done so far:

    • I’ve created a Solaris 10 (32 bit) virtual machine on my VMware ESX Server farm; that’s been the system I’ve used mostly for testing the Active Directory integration instructions.  I’ve also done some work with the automounter (automounting home directories via NFS).
    • I’ve also just recently gotten a Solaris 10 (64 bit) VM running under VMware Fusion on my MacBook Pro; I’ll use that system for more day-to-day operational tasks and getting used to the interface.
    • I have a group of Solaris- and UNIX-related RSS feeds in NetNewsWire, including BigAdmin (What’s New and Feature Articles), Inchoate Curmudgeon, and a del.icio.us tag feed, among others.

    I’d certainly appreciate any suggestions from those who may have already been down this path as to specific projects I should undertake, books I should acquire, websites to frequent, RSS feeds to which I should subscribe, etc.  In addition, any guidance as to how I should balance Solaris vs. OpenSolaris (on which one should I focus more effort?) would be very helpful.  And what builds of Solaris/Solaris Express are most beneficial to use?  I’m currently using Solaris 10 Update 3, but I’m not sure if a different build would be better to work with.  That’s the kind of information that would be great to get from those wiser and more experienced.

    Wish me luck!

    Statistically Secure

    I’ll start out by saying that I am neither a security expert nor a statistician.  With that disclaimer in hand, I wanted to briefly share my thoughts on the “days of risk” assessment that has recently been used to compare the security of Windows, Linux (Red Hat and SuSE), Mac OS X, and Sun Solaris.  Before continuing, I encourage you to have a look at the actual report itself, along with a few related articles:

    In summary, the Days-of-Risk (DoR) assessment showed that Microsoft patched vulnerabilities in Windows more quickly than Red Hat, Novell, Apple, or Sun patched vulnerabilities in their products.  This is true even when only High Severity issues are taken into consideration, although the gap between Microsoft and the other vendors narrowed in that analysis (with the exception of Sun).

    OK, that’s all well and good, but we all know statistics can be made to show just about anything.  I’m not saying that Mr. Jones deliberately limited his data to present a favorable outcome for Microsoft; Microsoft has done a very admirable job of improving their security responsiveness, and in that regard the other vendors would do well to improve their own responsiveness to the disclosure of security vulnerabilities.  No, my thoughts are more centered on the question: Is this data the right data to accurately and objectively represent the security profile of an operating system?

    I would contend that, in addition to DoR, information on the following areas would also need to be included in order to more accurately depict an operating system’s security profile:

    • Number and severity of exploits published or otherwise made available for vulnerabilities
    • Number of viruses, trojans, rootkits, or other malware readily available or in active circulation

    Now, before you say something like “Well, of course Windows is going to have more viruses and more exploits because it has a larger installed base!”, let me also say that these values should be correlated and weighted according to the installed base of the operating system as well.  This allows the values to account for the fact that Windows is in use by a much larger base of users than Linux, Solaris, or Mac OS X.

    Again, I’m not a statistician, but surely there’s a way to correlate this data (including DoR) and start presenting some sort of objective guide, based on measurable facts, regarding the security of an operating system.  Then the vendors (Microsoft, Apple, Novell, Sun, Red Hat, and others) can stand on equal ground and be able to make some sort of reasonable comparison regarding the security of each product.  Isn’t that what we really need anyway?

    As with the procedure for authenticating Linux against Active Directory and providing Kerberos-based SSO with Apache, there are a few steps to be performed.  Some of these steps are performed on the Active Directory side, some of them are performed on the Solaris 10 system.

    This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.

    Preparing Active Directory (One-Time)

    These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again with Solaris.

    1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
    2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to my updated Linux-Windows Server 2003 R2 integration instructions, linked above.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
    3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
    4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

    Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

    Preparing Active Directory (Each User)

    Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

    • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
    • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults to a starting UID of 10000, which is pretty safe for most systems.
    • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
    • Login Shell:  Specify a login shell (such as “/usr/bin/csh” or “/sbin/sh”) for each user.
    • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

    Based on my experience so far, the values for Solaris will often be very different from what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

    After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

    Preparing Active Directory (Each Solaris Server)

    These steps need to be repeated for each Solaris server that will be authenticating via Kerberos to Active Directory.

    1. Create a user account (not a computer account) for each Solaris server.  (Note that this is different than the instructions provided for integrating Linux.  I have an article planned to discuss this in more detail, but for now just trust me.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the HOST service principal, a name like “HOST-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
    2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary):
      ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\account
      -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
      -out filename

      Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

    Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re ready to move on to configuring the Solaris servers themselves.

    Configuring Solaris (Each Server)

    The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

    Configuring Kerberos

    Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_kdc = true
            verify_ap_req_nofail = false
    
    [realms]
            EXAMPLE.COM = {
            kdc = dc01.example.com
            kdc = dc02.example.com
            admin_server = dc01.example.com
            }
    
    [domain_realm]
            .example.com = EXAMPLE.COM
            .subdomain.example.com = EXAMPLE.COM
    
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
            kdc_rotate = {
            period = 1d
            version = 10
            }
    
    [appdefaults]
            kinit = {
            renewable = true
            forwardable = true
            }

    Your particular information will need to be supplied here, of course, so you can’t simply copy and paste from here to the Solaris configuration file.

    Of particular interest here is the “verify_ap_req_nofail = false” parameter.  I’m still shaking out some TGT validation/verification errors, and this is currently the only way to make authentication work from Solaris.  As soon as I get the validation/verification problems sorted out, I’ll post a new version of these instructions.

    Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.

    Configuring LDAP

    We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

    ldapclient manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=simple \
    -a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
    -a proxyPassword=Password1 \
    -a defaultSearchBase=dc=example,dc=com \
    -a domainName=example.com \
    -a "defaultServerList=172.16.1.10" \
    -a attributeMap=group:userpassword=userPassword \
    -a attributeMap=group:memberuid=memberUid \
    -a attributeMap=group:gidnumber=gidNumber \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:gidnumber=gidNumber \
    -a attributeMap=passwd:uidnumber=uidNumber \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a attributeMap=passwd:loginshell=loginShell \
    -a attributeMap=shadow:shadowflag=shadowFlag \
    -a attributeMap=shadow:userpassword=userPassword \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
    -a serviceSearchDescriptor=group:dc=example,dc=com?sub

    The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

    After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.
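
As an added example (not part of the original article), here is a small POSIX sh script that makes that nsswitch.conf edit mechanically and checks the result. It runs on a constructed copy of the file ldapclient leaves behind, keeps ldap only on the passwd and group lines, and also drops the [NOTFOUND=return] criterion that ldapclient attaches to ldap on the other lines; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): limit "ldap" in
# nsswitch.conf to the passwd and group databases.  Function and file
# names are my own; the sample file below is constructed.

# write_sample_nsswitch FILE
#   Writes a constructed nsswitch.conf shaped like the one ldapclient
#   leaves behind, with ldap listed for almost every database.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
services:   files
EOF
}

# restrict_ldap_sources IN OUT
#   Copies IN to OUT, removing the ldap source (and the [criterion] that
#   follows it, if any) from every database except passwd and group.
#   A database left with no sources at all falls back to "files".
#   Comments and blank lines pass through unchanged.
restrict_ldap_sources() {
    src="$1"; dst="$2"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            db = $1; sub(/:$/, "", db)
            if (db == "passwd" || db == "group") { print; next }
            line = db ":"; n = 0; after_ldap = 0; in_crit = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap") { after_ldap = 1; continue }
                # A [criterion] right after ldap belongs to it: drop it too,
                # even when it spans several space-separated words.
                if (after_ldap && $i ~ /^\[/) {
                    in_crit = ($i !~ /\]$/); after_ldap = 0; continue
                }
                if (in_crit) { in_crit = ($i !~ /\]$/); continue }
                after_ldap = 0
                line = line " " $i; n++
            }
            if (n == 0) line = line " files"
            print line
        }' "$src" > "$dst"
}

# ldap_only_in_passwd_group FILE
#   Exit 0 when no database other than passwd or group still lists ldap.
ldap_only_in_passwd_group() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            db = $1; sub(/:$/, "", db)
            if (db == "passwd" || db == "group") next
            for (i = 2; i <= NF; i++) if ($i == "ldap") bad++
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Demo on the constructed sample.  On a real server, run
# restrict_ldap_sources against a copy of /etc/nsswitch.conf, review the
# output, and only then move it into place (keeping a backup).
work=$(mktemp -d)
write_sample_nsswitch "$work/nsswitch.conf"
restrict_ldap_sources "$work/nsswitch.conf" "$work/nsswitch.new"
cat "$work/nsswitch.new"
ldap_only_in_passwd_group "$work/nsswitch.new" \
    && echo "OK: ldap is used only for passwd and group"
```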

    I think it’s necessary at this point to restart the LDAP client service:

    svcadm restart svc:/network/ldap/client:default

    Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

    Configuring PAM

    The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

    # Default definition for Authentication management
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth required           pam_unix_auth.so.1
    #
    # Default definition for Account management
    #
    other   account requisite       pam_roles.so.1
    other   account sufficient      pam_unix_account.so.1
    other   account required        pam_ldap.so.1
    #

    With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

    Testing the Configuration

    Once all of the configuration steps have been completed, you can test the configuration with the following commands:

    • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
• You can use “kinit <Name of AD user>” to test Kerberos authentication.  A successful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

    If either of these tests is unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

    If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.
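As an added example that is not part of the original post, the following shell script checks offline the two things the steps above depend on: that /etc/nsswitch.conf still lists “ldap” only on the passwd and group lines, and that a “getent passwd” line carries the UID, GID, home directory and login shell the post says an AD user must resolve to.  The nsswitch.conf contents, the user jdoe and its IDs are constructed for the example, and mktemp is assumed to be available.

```sh
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for two
# of the steps above. All names and sample values below are constructed.

# check_nsswitch FILE: succeed only if "ldap" appears on no nsswitch.conf
# line other than passwd and group; name the offending databases otherwise.
check_nsswitch() {
    bad=$(sed 's/#.*//' "$1" | awk '$1 != "passwd:" && $1 != "group:" {
        for (i = 2; i <= NF; i++) if ($i == "ldap") print $1 }')
    if [ -n "$bad" ]; then
        printf 'ldap still enabled for: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# check_passwd_entry LINE: verify one line of "getent passwd <user>" output
# carries what the post says an AD user must resolve to: a numeric UID and
# GID, an absolute home directory and an absolute login shell.
check_passwd_entry() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ -n "$name" ] && [ -n "$uid" ] && [ -n "$gid" ] || return 1
    case "$uid$gid" in *[!0-9]*) return 1 ;; esac
    case "$home" in /*) ;; *) return 1 ;; esac
    case "$shell" in /*) ;; *) return 1 ;; esac
    return 0
}

# Constructed nsswitch.conf in which ldapclient init also left "ldap" on the
# hosts line, which the post says should be removed.
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat > "$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
EOF
# Constructed getent output for a hypothetical AD user.
SAMPLE_ENTRY='jdoe:x:10001:10000:Jane Doe:/export/home/jdoe:/bin/bash'

if check_nsswitch "$SAMPLE_NSSWITCH"; then
    echo "nsswitch.conf: ldap limited to passwd and group"
else
    echo "nsswitch.conf: edit needed before continuing"
fi
check_passwd_entry "$SAMPLE_ENTRY" && echo "getent entry for jdoe looks complete"
```

On a real server, replace the sample file with /etc/nsswitch.conf and feed check_passwd_entry the actual output of “getent passwd <Name of AD user>”.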

    How I Tested

    I tested this configuration using Solaris 10 x86 6/06 (the June 2006 release) running as a VM under VMware ESX Server 3.0.0.  Authentication was performed against a pair of virtual servers (one hosted on ESX 3.0.0, the other on ESX 2.5.3) running Windows Server 2003 R2, Standard Edition.

    In a recent article discussing Novell’s leadership change, one analyst was quoted as saying the change was positive for Novell because Novell could stop building very high quality products and instead build products that are just good enough.  I don’t know about you, but this spirit of mediocrity is exactly the wrong kind of thinking for IT vendors.

    Specifically, the quote stated this:

    “Ron Hovsepian appears to be an astute business person, one who will be able to quickly take stock of the environment and Novell’s position within that environment. This, I hope, will help Novell move from its current position of very slowly building extremely high quality products to quickly building and marketing products that are good enough to satisfy the market,” concluded Kusnetzky.

    So what is he (Dan Kusnetzky) proposing then?  It sounds to me as if Dan thinks IT software vendors should make their products just good enough to pass muster, instead of making them the best that they can be.

    In my opinion, this spirit of mediocrity—this willingness to accept products that are knowingly released with imperfections and flaws because they are “good enough”—is exactly what brought the industry to where it is today.  This mediocrity is what brought SQL Slammer, Blaster, and Melissa.  This is the view that accepts that rebooting your computer a few times a day is just a part of life, and that our operating systems and applications shouldn’t be expected to be stable and reliable.  Just good enough?  When was the last time you recommended a product, service, or vendor because they were “just good enough”?  No, just good enough isn’t good enough.

    Every major IT vendor out there—from HP, IBM, and Sun, to Apple, Microsoft, and Red Hat—should be held accountable for the quality of the products they release.  Hey, I understand that companies may make mistakes, and miss errors.  That’s understandable.  But any company that knowingly releases a product that’s “just good enough” when it could have been better is not a company we should be praising.  We should be supporting those companies that emphasize quality over “just good enough”.

    Perhaps I’m overreacting.  Perhaps the analyst’s comments were merely directed at the speed with which Novell releases their products, and he was instead trying to say that Novell needed to release competing products more quickly.  Even so, any vendor that values speed over quality is bound to get bitten sooner or later.  Microsoft got bitten, and changed their priorities (somewhat).  Apple will get bitten, too, if they start letting the quality of Mac OS X releases slide in favor of shorter development cycles.  The same goes for all the other vendors.

    What about you?  I’d love to hear your comments on the matter.

    Open Source Hardware

    Sun joins IBM in trying to use the open source software model to help with hardware as well.  (Thanks to Linux-Watch for the news.)  Creating a new project called OpenSPARC, Sun is open sourcing the specifications for its latest SPARC processor, the UltraSPARC T1, code-named “Niagara.”

    According to the Linux-Watch article, the effort is intended to help drive the development of ports of Linux and BSD that can take full advantage of the CoolThreads technology in the UltraSPARC T1, which provides 32 threads of execution.  This allows the T1 to provide much greater throughput at lower clock speeds with dramatically lower power consumption.

    In addition to the processor architecture and code, Sun is also open sourcing its HyperVisor API information.  Like other vendors’ hypervisor efforts, the idea is to allow multiple operating systems or multiple instances of an operating system to run simultaneously on the same hardware.  Again, ports of Linux and BSD that are designed to take full advantage of the UltraSPARC T1 architecture and HyperVisor API are beneficial to Sun because they can help drive sales of their hardware.

    It’s a good idea, really, if you think about it.  Sun’s big into open source these days, after creating the OpenSolaris project in an effort to open source the entire Solaris operating system.  However, Solaris is really the only operating system that can run well on Sun’s SPARC hardware, and helping other alternatives to run equally well on SPARC hardware would encourage more people to buy SPARC hardware.  With any luck, Sun could create the kind of momentum and mystique around their SPARC hardware as they’ve done with their AMD-based “Galaxy” servers.

    It’ll be interesting to see how it plays out.