UNIX

You are currently browsing articles tagged UNIX.

This Pretty Much Answers That Question

Thursday, March 12, 2009 in Networking, UNIX by slowe | 8 comments

A couple of days ago I posed this question: is Sun preparing to take on Cisco? The question generated some interesting responses in the comments to the article.

Reader Bill had this to say:

How on earth would Cisco respond if Sun started introducing products with better performance, at a fraction of the price, built on high volume open source adoption?

As I responded, that’s the real $64,000 question, isn’t it? That’s the premise upon which this entire thing is built—that by using commodity hardware and open source components, Sun can produce high-quality, high-performing network equipment that they can sell for far less than Cisco.

Reader Ed, on the other hand, questioned the validity of this kind of move:

I would think that partnering with a Juniper or Foundry-type company and OEMing equipment from those companies would be a more prudent move than venturing on their own to create new network devices.

Normally, I would agree with Ed if we were talking about a company that was merely interested in entering a market in order to become a more complete supplier to their customers. That’s not Sun’s purpose. Sun’s purpose is, I think, to fundamentally change the nature of the networking hardware market. How successful they’ll be…well, that’s another question.

My original article also prompted a response elsewhere on the Internet. Christofer Hoff thought my use of the work “distracted” in describing Cisco and Project “California” wasn’t appropriate, and in one sense he’s correct—”California” is absolutely a natural evolution of Cisco’s products and technologies and it does make sense for them. As I pointed out to Hoff, though, being successful with this new solution (I can’t call it a server!) will take focus, and while Cisco is focused on “California” Sun has their opportunity.

And it looks like they are definitely going to take that opportunity:

As I’ve said before, general purpose microprocessors and operating systems are now fast enough to eliminate the need for special purpose devices. That means you can build a router out of a server - notice you cannot build a server out of a router, try as hard as you like. The same applies to storage devices.
 
To demonstrate this point, we now build our entire line of storage systems from general purpose server parts, including Solaris and ZFS, our open source file system. This allows us to innovate in software, where others have to build custom silicon or add cost. We are planning a similar line of networking platforms, based around the silicon and software you can already find in our portfolio.

The emphasis on that last sentence is mine, just to emphasize the clarity of where Sun is headed. Clearly, it is their intention to leverage OpenSolaris, Crossbow, ZFS, Solaris Zones, etc., to compete directly against Cisco. And Cisco appears to be their primary target, judging from this sentence:

That means you can build a router out of a server - notice you cannot build a server out of a router, try as hard as you like.

To me, that looks like a direct jab at “California”.

So, I guess the question of whether Sun is going to take on Cisco is settled. Hoff, get your popcorn!

Tags: , , , ,

Is Sun Preparing to Take on Cisco?

Monday, March 9, 2009 in Networking, UNIX by slowe | 9 comments

A while back in Virtualization Short Take #25 I briefly mentioned Sun’s Crossbow network virtualization software, which brings new possibilities to the Solaris networking world. Not being a Solaris expert, it was hard for me at the time to really understand why Solaris fans were so excited about it; since then, though, I’ve come to understand that Crossbow brings to Solaris the same kind of full-blown virtual network interfaces and such that I use daily with VMware ESX. Now I’m beginning to understand why people are so thrilled!

In any case, an astute reader picked up on my mention of Crossbow and pointed me to this article by Jonathan Schwartz of Sun, and in particular this phrase:

You’re going to see an accelerating series of announcements over the coming year, from amplifying our open source storage offerings, to building out an equivalent portfolio of products in the networking space…

That seemingly innocuous mention was then coupled with this blog post and the result was this question: is Sun preparing to take on Cisco? Is Sun getting ready to try to use commodity hardware and open source software to penetrate the networking market in the same way that they are using commodity hardware and open source software to try to further penetrate the storage market with their open storage products (in particular, the 7000 series)?

It’s an interesting thought, to say the least. Going up against Cisco is a bold move, though, and I question Sun’s staying power in that sort of battle. Of course, with Cisco potentially distracted by the swirling rumors regarding the networking giant’s entry into the server market, now may be the best time to make this move.

Thoughts?

Tags: , , , , ,

No Solaris-AD Integration Update

Wednesday, November 19, 2008 in Interoperability, Microsoft, UNIX by slowe | 6 comments

I’m sorry, folks, but I’m not going to have the time or the resources to publish an update to my existing instructions for integrating Solaris 10 into Active Directory. Quite some time ago I had posted that I planned on creating an update to the original instructions so as to incorporate some lessons learned, but it keeps get pushed aside for other tasks that are more important and more relevant to my day-to-day work. Rather than keep readers hanging on for something that will likely never appear, I’d rather just be upfront and frank about the situation. As much as I’d love to spend some time working on the Solaris-AD integration situation and documenting my findings, I just don’t have the time. Sorry.

Tags: , , , , , ,

In the Works

Tuesday, July 15, 2008 in General, Linux, Storage, UNIX, Virtualization by slowe | 3 comments

I just wanted to provide a quick update on some articles I have in the works to be (hopefully) published soon.

  • I’m working on an article discussing when to use various NIC teaming configurations with VMware ESX. There are some significant repercussions here for a variety of network configurations, but especially so for configurations involving IP-based storage (iSCSI or NFS).
  • I’m finally wrapping up an article on the Xsigo I/O Director. I’ve been working a Xsigo VP780 in the lab for quite some time, and this article will provide a brief overview along with some tips and tricks.
  • I received word from HP that I should be getting a ProCurve switch in my lab soon, so that means I can provide a ProCurve-oriented version of this NIC teaming and VLAN trunking article.
  • I have some notes on using NetApp Open Systems SnapVault (OSSV) in conjunction with VMware ESX that I plan to post here as well.

New versions of the Linux and Solaris AD integration articles are on the way as well, starting with an update of the Solaris instructions to accommodate Solaris 10 Update 5 and Windows Server 2008.

If there’s anything else you’re interested in seeing, let me know in the comments. Thanks for reading!

UPDATE: The NIC utilization article is available here.

Tags: , , , , , , , ,

New BSD Magazine

Wednesday, May 7, 2008 in UNIX by slowe | No comments

A new print magazine focused on the various BSD operating systems—FreeBSD, OpenBSD, and NetBSD—has started up. You can get more information about the magazine at http://www.bsdmag.org.

I’ve written about OpenBSD several times here, and while I’m lightyears from being any sort of BSD expert I have a great deal of respect for the BSDs. (After all, Mac OS X is based on FreeBSD.) If I weren’t so incredibly overloaded on technologies as it is, I’d probably be interested in learning more about all the BSDs. Unfortunately, there’s only 24 hours in a day, and other technologies—like virtualization, VMware, storage, SANs, etc.—already keep me busy enough as it is.

Best of luck to the new BSD Magazine editors! I hope the new magazine is successful.

Tags: ,

Some Things I’m Working On

Thursday, January 3, 2008 in General, Virtualization by slowe | 8 comments

I wanted to take just a brief moment and let everyone know about a few articles that I’ve got “in the pipeline” for the site. If there is one—or more—of these articles that looks particularly interesting, speak up in the comments.

Here are the articles that are currently under development:

  • An update to the Solaris-AD integration instructions: Last time I ran through these instructions I came across a number of discrepancies and little “gotchas.” I need to incorporate the workarounds into the integration instructions and publish a new version.
  • A brief blurb on NetApp OSSV: NetApp’s Open Systems SnapVault (OSSV) is a pretty cool technology, so I want to take a quick look at setting it up. I’m also exploring to see what kind of unique synergies may arise from using OSSV in a VMware environment.
  • Restricting access to ESX Server when using AD integration: As reader Scott Garrett points out in this comment to an earlier article, ESX Server’s version of sshd doesn’t support the UsePAM directive. This prevents us from using group membership in Active Directory to control access to ESX Server’s Service Console. Or does it? I have a hunch that there may be at least one workaround for this problem; once I’ve tested it, I’ll document it here.
  • New iSCSI functionality in ESX Server 3.5: VMware appears to have refreshed the software iSCSI initiator in ESX Server 3.5, so I want to take a closer look at and discuss here some of this new functionality.

That’s it for now, although I’m certainly open to other items that pique reader interest. Feel free to submit your suggestions in the comments. Thanks!

Tags: , , , , , , , ,

Some Notes on Solaris-AD Integration

Tuesday, November 27, 2007 in Interoperability, UNIX by slowe | 8 comments

This afternoon, I walked back through my own instructions for integrating Solaris 10 and Active Directory, and I found that the process wasn’t as smooth as perhaps I’d believed it to be.  As a result of walking back through the process again myself, I’ve collected some notes.  At some point in the near future, these notes will be integrated into a new version of the Solaris-AD integration instructions.

So, without further ado, here are the notes I collected in no particular order:

  • The Blastwave Samba package does not create it’s own smb.conf file in /opt/csw/etc/samba.  This is correctly pointed out in the latest integration instructions, but I wanted to mention it again here.  You’ll need to manually create the /opt/csw/etc/samba/smb.conf file before attempting to join the Solaris server to Active Directory via the ‘net ads join’ command.
  • The defaultServerList portion of the ‘ldapclient manual’ command only supports IP addresses.  The LDAP client service kept going into maintenance mode when using hostnames.  On a hunch, I substituted IP addresses for hostnames, and it worked.  Go figure.
  • Apparently, you can’t use ‘ldapclient mod’ to change an existing attribute map.  I had a hunch about resolving a co-existence issue where both Solaris and Linux are both authenticating against Active Directory—more on that particular topic is coming soon as well—and needed to change the attribute maps for the homedirectory and loginshell attributes.  I ended up editing the ldap_client_file manually (found in /var/ldap; must be made writable using chmod) in order to make the change.  If anyone has a more elegant fix, please let me know.
  • The ‘net ads join’ command correctly creates a Kerberos keytab with the appropriate entries, but places it in the wrong location.  On my test system, it placed the krb5.keytab file in the /etc directory, and Solaris expected it to be in /etc/krb5 instead.  Until I moved that file, authentication against Active Directory consistently failed.
  • It turns out that it’s not really necessary to enable the DNS client using ’svcadm enable svc:/network/dns/client:default’; from what I’ve been able to gather, that’s there as a dependency only.  The ‘nslookup’ and ‘host’ commands seemed to work just fine with this service still disabled.

Again, I’ll be incorporating these changes into a future version of the Solaris-AD integration instructions.  I hope to have that complete within the next week or two, so stay tuned.  In addition, I have information coming to help with the co-existence of multiple UNIX and UNIX-like operating systems all authenticating against the same Active Directory forest, so keep your eyes peeled for that as well.

Tags: , , , , , ,

Apparently, I’m Ahead Too

Sunday, October 21, 2007 in Macintosh, UNIX by slowe | No comments

I used to read Tom Yager’s “Ahead of the Curve” column when InfoWorld was still a print publication.  Every month, without fail, as soon as the magazine arrived I turned right to his column.  It was one of my primary reasons for reading the magazine, at least in recent years.  I think it’s probably safe to say that Yager’s affection for Mac OS X led me to perform an evaluation of my own and, eventually, to switch to Mac OS X myself based on the results of that personal evaluation.

But then the magazine turned digital/online only, and I stopped following his column.  I already had enough stuff coming in to my various digital inboxes, and didn’t really need another.  Part of the allure of the column had been precisely that it wasn’t digital.

Fast forward to just the other day, when I stumble across his column once more and find that I, too, am “ahead of the curve.”  In his recent article The next best thing to OS X, Yager claims that Sun Solaris 10 is a great fit for places where Mac OS X isn’t.

Given that I have embarked upon a plan to learn Solaris, it’s kind of nice to see an “industry analyst” say that you’re making the right move and that you, too, are ahead of the curve.

Tags: , ,

One Potential Issue in AD Integration Scenarios

Monday, September 17, 2007 in Interoperability by slowe | 8 comments

Regular readers of this blog know that I like to work on integrating various systems into Active Directory.  I’ve written a couple of articles on the issue:

Linux-AD Integration, Version 4
Solaris 10-AD Integration, Version 3
Active Directory Integration Index

These articles have been pretty successful and from what I understand have helped a fair number of people integrate their non-Windows systems into Active Directory for simplified user management and authentication.  Occasionally, though, we run into the odd issue that isn’t quite so straightforward to resolve.

For example, I recently had a reader (let’s call him Johnny) who was having a difficult time getting the Linux-AD integration to work.  The “ldapsearch” and “kinit” commands worked fine, but “getent passwd” or “getent group” failed with no output.  The users in Active Directory did indeed have UNIX attributes added to their accounts.  There were no firewalls between the non-Windows systems and the Active Directory domain controllers, and there did not appear to be any connectivity issues whatsoever (this further underscored by the fact that “ldapsearch” successfully returned LDAP search results from AD, and “kinit” successfully obtained a Kerberos ticket from AD).  We were stumped.

Johnny and I traded e-mails back and forth a few times, until finally Johnny found his error and notified me about what had been happening.  As I read the description about the problem, I realized that this may be a problem that is affecting a lot of users, and may, in fact, have stumped some of you out there reading right now.  Here’s the details.

The method that I suggest using for AD integration uses two parts:

  • First, we use Kerberos to obtain a Kerberos ticket from an Active Directory domain controller (also a Kerberos key distribution center, or KDC).  This handles the authentication side of things and prevents the password from crossing the wire at any point in time.
  • Next, we use LDAP to centrally store account information, such as UID number, GID number, home directory, login shell, etc.  This is the part that typically requires schema extensions (although there is a workaround for that) and using this technique ensures that we don’t have to manage accounts individually on each Linux server.

This approach doesn’t work without both pieces.  The Kerberos authentication takes care of the password, but without account information logins still fail.  So if Kerberos works but LDAP doesn’t, logins will fail.  If Kerberos doesn’t work but LDAP is fine, logins will fail.  So part of troubleshooting this configuration is isolating where the problem lies.  In this particular case, “kinit” worked fine—no error was returned and “klist” showed a valid Kerberos ticket.  So the problem had to be with LDAP.  But where?  The “ldapsearch” command worked fine.

The problem lie with the /etc/ldap.conf file.  See, the nss_ldap libraries (which are responsible for using LDAP—and other sources, as defined in /etc/nsswitch.conf—as the backend information database for account information) are controlled by this file, but “ldapsearch” does not use it.  Specifically, the error was with the account that is used to bind (or connect) to Active Directory to perform the searches.

There are two ways of specifying this account in /etc/ldap.conf.  You can use the full DN, which looks something like “cn=Scott Lowe,cn=Users,dc=example,dc=com” or “cn=John Smith,ou=Marketing,ou=Departments,dc=example,dc=com”.  Alternately, you can use the universal principal name (UPN), which looks something like an e-mail address, such as “slowe@example.com” or “john.smith@example.com”.  In this particular case, Johnny (our reader with the problem) was using the full DN, but he was using the wrong attribute in the DN.  Here’s the information he had:

First Name: John
Last Name: Smith
Full Name: John Smith
Display Name: John Smith
UPN: jsmith@example.com
SAM Account Name (downlevel logon name): jsmith
Object name: jsmith

Which of these do you suppose should be used in the DN?  Full name?  No.  Display name?  No.  It must be the object name, in this case “jsmith”.  You can double-check your object name (or CN) using ADSI Edit or a similar utility.  You could use Active Directory Users and Computers, but that’s typically the confusing part.  In any case, once Johnny fixed the syntax for the bind account then “getent passwd” and “getent group” worked like a champ.

How do we avoid this kind of issue?  Simple: just use the UPN instead of the full DN.  This syntax works just as well and avoids the potential problem of using the wrong name when building the full DN.

Tags: , , , , , , ,

Solaris 10 Update 4 on ESX Server

Thursday, September 6, 2007 in UNIX, Virtualization by slowe | 2 comments

I’ve been looking forward to Solaris 10 8/07 (Update 4) for a while now, eager to see what new technologies and features have been baked into the stable Solaris 10 code base.  I won’t go into all the new bells and whistles, partly because I’m just not knowledgeable enough about them to them justice, and partly because it’s been done better elsewhere.

I didn’t really expect any problems when I went to install Update 4 on ESX Server 3.0.2, and Solaris didn’t disappoint.  The new update installed quickly and flawlessly, and VMware Tools installed without a hitch.  After installation, I modified the VM configuration to use the Intel e1000 driver, mostly because I know that the e1000 driver is supported for VLAN interfaces, something I have been and will continue to be experimenting with over the next day or so.

<aside>By the way, if you’re having problems getting changes to the VMX file to stick (i.e., if VirtualCenter keeps overwriting your changes), then remove the VM from inventory, edit the file, then browse the datastore and add the VM back to inventory.  Your changes to the VMX file will now stick.</aside>

Now that I have Update 4 running on ESX Server, the next step is to try using Solaris Containers (zones) on the virtualized instance, as well as testing the new iSCSI target functionality in Solaris to provide iSCSI storage for the ESX hosts.  I’ll post more information here (it may be slightly delayed because I’ll be in San Francisco next week at VMworld) as soon as I’ve had the opportunity to conduct those tests and have some results.

Tags: , , , ,

« Older entries