SysAdmin1138 Expounds

"[Person X] no longer works here. Please change their password and give it to [Person Y] so they can handle email. And please set an out-of-office rule notifiying people of [Person X's] absence."

Labels: security, sysadmin

Labels: sysadmin

• Run a series of small applications we need to run, which drive the password change notification process among other things.
  
• Maps drives based on group membership.
  
• Maps home directories.
  
• Allows shelling out to other scripts, which allows less privileged people to manage scripts for their own users.

Labels: microsoft, netware, novell, sysadmin

Labels: backup, sysadmin

Labels: novell, opinion, sysadmin

Labels: security, sysadmin

Labels: microsoft, opinion, sysadmin

Labels: linux, opensuse, sysadmin

Labels: storage, sysadmin, virtualization

Labels: microsoft, sysadmin

1. We still have a lot of non-domained workstations
2. Our DNS environment is mind-bogglingly fragmented

• admcs.wwu.edu
• ac.bldg.wwu.edu
  
• ae.bldg.wwu.edu
• ah.bldg.wwu.edu
• ai.bldg.wwu.edu
  
• cv.bldg.wwu.edu
• es.bldg.wwu.edu
  
• om.bldg.wwu.edu
• rh.bldg.wwu.edu
• rl.bldg.wwu.edu
  
• archives.wwu.edu
• bh319lab.wwu.edu
• bldg.wwu.edu
  
• canada.wwu.edu
  
• ci.wwu.edu
• clsrm.wwu.edu
• cm.wwu.edu
• crc.wwu.edu
  
• etd110.lab01.wwu.edu
  
• fm.wwu.edu
  
• hh101lab.wwu.edu
• hh112lab.wwu.edu
• hh154lab.wwu.edu
  
• hh245lab.wwu.edu
• history.wwu.edu
• lab03.wwu.edu
  
• math.wwu.edu
  
• mh072lab.wwu.edu
• psych.wwu.edu
• soclab.wwu.edu
  
• spmc.wwu.edu
• ts.wwu.edu
  

Labels: microsoft, sysadmin

1. Generate a SSL certificate with the correct data.
   
2. Extract the certificate into base-64 form (a.k.a. PEM format) in separate 'certificate' and 'private key' files.
3. On your command view server overwrite the %ProgramFiles%\Hewlett-Packard\sanworks\Element Manager for StorageWorks HSV\server.cert file with the 'certificate' file
4. Overwrite the %ProgramFiles%\Hewlett-Packard\sanworks\Element Manager for StorageWorks HSV\server.pkey file with the 'private key' file
5. Restart the CommandView service

Labels: hp, security, storage, sysadmin

Labels: opinion, sysadmin

• Students
• Employees

If a STUDENT is taking less than M credit-hours of classes, and is employed in a job-class of C1-F9, then they shall be reclassed EMPLOYEE.

Labels: opinion, sysadmin

For type s addresses (only), this command mobilizes a persistent symmetric-active mode association with the specified remote peer.

Symmetric active/passive mode is intended for configurations were a clique of low-stratum peers operate as mutual backups for each other. Each peer operates with one or more primary reference sources, such as a radio clock, or a set of secondary (stratum, 2) servers known to be reliable and authentic. Should one of the peers lose all reference sources or simply cease operation, the other peers will automatically reconfigure so that time and related values can flow from the surviving peers to all hosts in the subnet. In some contexts this would be described as a "push-pull" operation, in that the peer either pulls or pushes the time and related values depending on the particular configuration.

Labels: sysadmin

Labels: sysadmin

I take it from the terminology ("fall quarter") that you work at a university.

How often do you re-engineer your infrastructure, or roll out new servers? Do yo align them to the school quarters? I'm interested in knowing how other people make decisions on roll-outs.

Labels: sysadmin

We are organized into four business unit segments, which are Open Platform Solutions, Identity and Security Management, Systems and Resource Management, and Workgroup. Below is a brief update on the revenue results for the second quarter and first six months of fiscal 2009 for each of our business unit segments:

•

Within our Open Platform Solutions business unit segment, Linux and open source products remain an important growth business. We are using our Open Platform Solutions business segment as a platform for acquiring new customers to which we can sell our other complementary cross-platform identity and management products and services. Revenue from our Linux Platform Products category within our Open Platform Solutions business unit segment increased 25% in the second quarter of fiscal 2009 compared to the prior year period. This product revenue increase was partially offset by lower services revenue of 11%, such that total revenue from our Open Platform Solutions business unit segment increased 18% in the second quarter of fiscal 2009 compared to the prior year period.

Revenue from our Linux Platform Products category within our Open Platform Solutions business unit segment increased 24% in the first six months of fiscal 2009 compared to the prior year period. This product revenue increase was partially offset by lower services revenue of 17%, such that total revenue from our Open Platform Solutions business unit segment increased 15% in the first six months of fiscal 2009 compared to the prior year period.

[sysadmin1138: Products include: SLES/SLED]

•

Our Identity and Security Management business unit segment offers products that we believe deliver a complete, integrated solution in the areas of security, compliance, and governance issues. Within this segment, revenue from our Identity, Access and Compliance Management products increased 2% in the second quarter of fiscal 2009 compared to the prior year period. In addition, services revenue was lower by 45%, such that total revenue from our Identity and Security Management business unit segment decreased 16% in the second quarter of fiscal 2009 compared to the prior year period.

Revenue from our Identity, Access and Compliance Management products decreased 3% in the first six months of fiscal 2009 compared to the prior year period. In addition, services revenue was lower by 40%, such that total revenue from our Identity and Security Management business unit segment decreased 18% in the first six months of fiscal 2009 compared to the prior year period.

[sysadmin1138: Products include: IDM, Sentinal, ZenNAC, ZenEndPointSecurity]

•

Our Systems and Resource Management business unit segment strategy is to provide a complete “desktop to data center” offering, with virtualization for both Linux and mixed-source environments. Systems and Resource Management product revenue decreased 2% in the second quarter of fiscal 2009 compared to the prior year period. In addition, services revenue was lower by 10%, such that total revenue from our Systems and Resource Management business unit segment decreased 3% in the second quarter of fiscal 2009 compared to the prior year period. In the second quarter of fiscal 2009, total business unit segment revenue was higher by 8%, compared to the prior year period, as a result of our acquisitions of Managed Object Solutions, Inc. (“Managed Objects”) which we acquired on November 13, 2008 and PlateSpin Ltd. (“PlateSpin”) which we acquired on March 26, 2008.

Systems and Resource Management product revenue increased 3% in the first six months of fiscal 2009 compared to the prior year period. The total product revenue increase was partially offset by lower services revenue of 14% in the first six months of fiscal 2009 compared to the prior year period. Total revenue from our Systems and Resource Management business unit segment increased 1% in the first six months of fiscal 2009 compared to the prior year period. In the first six months of fiscal 2009 total business unit segment revenue was higher by 12% compared to the prior year period as a result of our Managed Objects and PlateSpin acquisitions.

[sysadmin1138: Products include: The rest of the ZEN suite, PlateSpin]

•

Our Workgroup business unit segment is an important source of cash flow and provides us with the potential opportunity to sell additional products and services. Our revenue from Workgroup products decreased 14% in the second quarter of fiscal 2009 compared to the prior year period. In addition, services revenue was lower by 39%, such that total revenue from our Workgroup business unit segment decreased 17% in the second quarter of fiscal 2009 compared to the prior year period.

Our revenue from Workgroup products decreased 12% in the first six months of fiscal 2009 compared to the prior year period. In addition, services revenue was lower by 39%, such that total revenue from our Workgroup business unit segment decreased 15% in the first six months of fiscal 2009 compared to the prior year period.

[sysadmin1138: Products include: Open Enterprise Server, GroupWise, Novell Teaming+Conferencing,

Revenue from our Workgroup segment decreased in the first six months of fiscal 2009 compared to the prior year period primarily from lower combined OES and NetWare-related revenue of $13.7 million, lower services revenue of $10.5 million and lower Collaboration product revenue of $6.3 million. Invoicing for the combined OES and NetWare-related products decreased 25% in the first six months of fiscal 2009 compared to the prior year period. Product invoicing for the Workgroup segment decreased 21% in the first six months of fiscal 2009 compared to the prior year period.

Labels: linux, microsoft, netware, novell, OES, sled, sles, sysadmin, zenworks

Labels: microsoft, sysadmin

Labels: backup, opinion, sysadmin

• Outright blocking. Do not accept traffic from this IP address. The connection is terminated before any SMTP commands can be issued. Do not pass EHLO. Do not collect 220-ESMTP.
  
• Deferr. Issue a 421 error message. Smart mailers will attempt redelivery later. Bots are generally too stupid to try this and just pass on to the next address on their list.
• Throttle. Get very slow in accepting mail. Take a long time to issue 250-Ready statuses after SMTP commands.
  

Labels: spam, sysadmin

1. One Administrator account, used by all admins. Each admin has a normal user account, and log in as Administrator for their adminly work.
• Advantages Only one elevated account to keep track of.
  
• Disadvantages Complete lack of auditing if there is more than one admin around. Also, unless said admin has two machines, or has a VM for adminly work, they're logged in as Administrator more often than they're logged in as themselves.
2. One Administrator account, admins user accounts are elevated to Administrator. Each admin's normal account is elevated. Administrator is relegated to a glorified utility account, useful for backups, other automation, or if you need to leave a server logged in for some reason.
   
• Advantages Audit trail. Changes are done in the name of the actual admin who performed the change.
  
• Disadvantages These users really need to be exempted from any Identity Management system. Since there are only going to be a few of them, this may not matter. Also, these users need to treat these passwords like the Administrator password.
3. Each admin gets two accounts, normal and elevated As with the above, Administrator is a glorified utility account. But each admin gets two accounts; a normal account for every day use (me.normal) and an elevated account (me.super) for functions that need that kind of access.
• Advantages Provides audit trail, and allows the admin's normal account to be subject to identity-management safely. Easy availability of 'normal' account allows faster troubleshooting of permissions issues (hard to check when you can see everything)
• Disadvantages Admin users are juggling two accounts again, with the same problems as option 1.
  

Labels: passwords, security, sysadmin

The Payment Card Industry Data Security Standard (PCI DSS) applies to a couple of servers we manage. In those standards is section 1.3.8. It reads

Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies—for example, port address translation (PAT).

With the testing procedure listed as:

For the sample of firewall and router components, verify that NAT or other technology using RFC 1918 address space is used to restrict broadcast of IP addresses from the internal network to the Internet (IP masquerading).

Which is sound practice, really. But we're running into an issue here that may become more of an issue once IPv6 gets deployed more widely. We're a University that received it's netblock back when they were still passing out Class B networks to the likes of us (140.160.0.0/16 in case you care). IPv4 address starvation is not something we experience. Because of this, NAT and IP-Masq have very little presence on our network.

We also believe in firewalls. Just because the address of my workstation is not in an RFC 1918 netblock, doesn't mean you can get uninvited packets to me. This is even more the case for the servers that handle credit-card data.

Implement separate DNS servers for public Internet and Internal usage, and prevent public Internet access to the internal DNS servers.

Labels: security, sysadmin

Labels: stats, sysadmin

Labels: sysadmin

LDAP.... Lightweight Directory Access Protocol. It came into existence as a way to standardize TCP access to X500 directories. X500 is a model of directory service that things like Active Directory and Novell eDirectory/NDS implemented. Since X500 was designed in the 1980's it is, perhaps, unwarrantedly complex (think ISDN), and LDAP was a way to simplify some of that complexity. Hence the 'lightweight".

LDAP, and X500 before it, are hierarchical in organization, but doesn't have to be. Objects in the database can be organized into a variety of containers, or just one big flat blob of objects. That's part of the flexibility of these systems. Container types vary between directory implementation, and can be an Organizational Unit (OU=), a DNS domain (DC=), or even a Cannonical Name (CN=), if not more. The name of an object is called the Distinguished Name (DN), and is composed of all the containers up to root. An example would be:

CN=Fred,OU=Users,DC=organization,DC=edu

This would be the object called Fred, in the 'Users' Organizational Unit, which is contained in the organization.edu domain.

Each directory has a list of classes and attributes allowable in the directory, and this is called a Schema. Objects have to belong to at least one class, and can belong to many. Belonging to a class grants the object the ability to define specific attributes, some of which are mandatory similar to Primary Keys in database tables.

Fred is a member of the User class, which itself inherits from the Top class. The Top class is the class that all other classes inherit from, as it defines the bare minimum attributes needed to define an object in the database. The User class can then define additional attributes that are distinct to the class, such as "first name", "password", and "groupMembership".

The LDAP protocol additionally defines a syntax for searching the directory for information. The return format is also defined. Lets look at the case of an authentication service such as a web-page or Linux login.

A user types in "fred" at the Login prompt of an SSH login to a linux server. The linux server then asks for a password, which the user provides. The Pam back-end then queries the LDAP server for objects of class User named "fred", and gets one, located at CN=Fred,OU=Users,DC=organization,DC=edu. It then queries the LDAP server for objects of class Group that are named CN=LinuxServerAccess,OU=Servers,DC=Organization,DC=EDU, and pulls the membership attributes. It finds that Fred is in this group, and therefore allowed to log in to that server. It then makes a third connection to the LDAP server and attempts to authenticate as Fred, with the password Fred supplied at the SSH login. Since Fred did not fat finger his password, the LDAP server allows the authenticated login. The Linux server detects the successfull login, and logs out of LDAP, finally permiting Fred to log in by way of SSH.

As I said before, these databases can be organized any which way. Some are organized based on the Organizational Chart of the organization, not with all the users in one big pile like the above example. In that case, Fred's distinguished-name could be as long as:

CN=Fred,ou=stuhelpdesk,ou=DesktopSupport,ou=InfoTechSvcs,ou=AcadAffairs,dc=organization,dc=edu

How to organize the directory is up to the implementers, and is not included in the standards.

The higher performing LDAP systems, such as the systems that can scale to 500,000 objects or higher, tend to index their databases in much the same way that relational databases do. This greatly speeds up common searches. Searching for an object's location is often one of the fastest searches an LDAP system can perform. Because of this LDAP very frequently is the back end for authentication systems.

LDAP is in many ways a speciallized identity database. If done right, on identical hardware it can easilly outperform even relational-databases in returning results.

Any questions?

Labels: edir, linux, sysadmin

Labels: spam, sysadmin

Labels: sysadmin

Labels: sysadmin

Labels: sysadmin

1. Remove dead server's objects from the tree
2. Designate a new server as the Master for any replica this server was the master of (all of them, as it happened)
3. Install server fresh

Labels: edir, netware, novell, sysadmin

...the selection of a variety of back-ends for data storage, be it the current in-memory database, a traditional SQL-based server, an embedded database engine or back-ends for specific applications such as a high performance, pre-compiled answer database.

run on multiple but related systems simultaneously, using a pluggable, open-source architecture to enable backbone communications between individual members of the cluster. These coordination services would enable a server farm to maintain consistency and coherence.

Labels: clustering, linux, microsoft, netware, sysadmin

1. Clean out the Zenworks database
2. Force a WorkstationOID change on all workstations

1. Stop the Collection Client service
2. Delete a specific registry key
3. Start the Collection Client service

Labels: novell, sysadmin, zenworks

Labels: security, sysadmin

Labels: clustering, microsoft, netware, novell, sysadmin

Labels: opinion, sysadmin

• 2 more enclosures for the existing EVA6100
• A new EVA4400 with all eight enclosures
• HP EVA replication software, so we can mirror the 6100 to the new 4400.
• Data Protector licensing for everything we need
• A new tape library, the one we have is creaky
• New 64-bit servers for the main file-serving cluster

Labels: opinion, sysadmin

• User runs the bad file
• postcard.exe checks http://whatismyip.com/autmation/n09230945.asp to get the local IP address
• File throws them at Hallmark.com displaying the ecard. Awww.
• Hallmark throws the user some advertising from a bunch of places.
• 5 minutes pass where nothing happens
• Postcard.exe does an HTTP POST to 85.12.43.102 (Netherlands) with encrypted data
• 85.12.43.102 replies with a bunch of encrypted data. Presumably, this is the command file.
• Postcard.exe opens three connections to 82.98.235.205 (Belgium), getting a trio of windows files of some kind. I think they're DLL files that compliment postcard.exe. That or the chopped up pieces of javawm.exe.
• Postcard.exe does an HTTP POST to 85.17.169.56 (Netherlands) with a bunch of HTTP headers populated with crypted data.
• 85.17.169.56 replies with an HTTP 200/OK, a bunch of HTTP headers that contain redirection servers, stats servers, and other information useful for adware, as well as a 143KB file of some kind.
• Infected computer connects to 83.149.75.33 (Netherlands) and does an HTTP GET with a series of parameters. This is probably a status message of some kind. Remote side returns 404-not-found.
• 5 minutes pass where nothing happens on the network, but the local machine falls deeper into the clutches of the adware czars.
• Someone launches IE, and it goes to http://runonce.msn.com/, the default XP home page. Probably just to see what happens.
• HTTP connection to Key Bank, redirected to https://www.key.com/, where I can't see squat. SSL doing its job.
• Parallel to the KeyBank connection, an SSL connection to 216.236.233.68, an iP hosted in Denmark. This resolves to "key.tcliveus.com", which is very probably legitimate traffic directed by www.key.com.
• Connection to 83.149.115.156 (Netherlands), almost definitely the adware. Phoning in that IE went to http://runonce.msn.com/. The reply directs the client to connect to 82.98.235.58. Meanwhile, keybank session continues.
• SSL Connection to 66.235.132.62, a host in the 2o7.net advertising network. Very probably legitimate from Key Bank.
• HTTP connection to 82.98.235.58 (Netherlands), as directed. Supplies URL given to it by 83.149.115.156. Server returns the URL http://privacyscanner15.com/sysgd09_2/3/10232 (don't go there). Meanwhile, Keybank session continues.
• HTTP connection to 209.249.222.48, which is privacyscanner15.com, with the supplied URL.
• Key Bank session finishes cleanly.
• HTTP connections to privacyscanner15.com, clearly rendering the page, pulling graphics and the evil javascripts.
• Key Back session resumes. SSLed, so I have no idea what's going on.
• HTTP connection to 83.149.75.33, but I can't tell what it does because…
• End of capture.
  

Labels: sysadmin

SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.

Section 2703 of title 18, United States Code, is amended by adding at the end the following:

`(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.'.

The end points always require authentication prior to usage.

Labels: opinion, sysadmin

• 12 P4 cores, with an average of 3GHz per core (36GHz).
• A total of 24GB of RAM
• About 7TB of active data

• HP ProLiant DL580 (4 CPU sockets)
  
• 4x Quad Core Xeon E7330 Processors (2.40GHz per core, 38.4GHz total)
  
• 24 GB of RAM
• The usual trimmings
• Total cost: No more than $16,547 for us
  

Labels: hp, linux, netware, novell, NSS, OES, sysadmin, virtualization

Labels: opinion, sysadmin

server ntpserver1
server ntpserver2 minpoll 6 maxpoll 13
peer ntppeer1 key 1

enable auth monitor
keys sys:\etc\ntp.keys
trustedkey 1
requestkey 1

restrict default ignore
restrict 140.160.0.0 mask 255.255.0.0 nomodify nopeer
restrict 127.0.0.1
restrict [ip of ntpserver1]
restrict [ip of ntpserver2]
restrict [ip of ntppeer1]

Labels: linux, netware, sysadmin

Labels: backup, benchmarking, hp, storage, sysadmin

Labels: linux, sysadmin

Labels: edir, linux, netware, novell, NSS, OES, sysadmin

1. The move to TCP/IP. This by far is the biggest disruption since 1996. NetWare 5.0(?) introduced the ability to do NCP over TCP/IP natively, and not tunneled IPX-over-IP. This required replacing IPX SAP, something the routers just did, with SLP, a service that needed configuration and setup.
2. The NSS file-system. This was a much lesser move than the TCP/IP one, as it worked on a general level (trustees, quotas, etc) the same as TFS did. Tweaking it for performance, however, was a dark art for many years and much learning was derived out of this.
3. Protected memory. A concept familiar to anyone who has used Windows or Linux, and all NetWare admins are by now administering one or both of these OS's. While some modules can't use it for whatever reason (iPrint, NetStorage) others (GroupWise) could.
4. Native File Access Pack. NetWare could do AFP since the NW3 days, the same for NFS. SMB was another story. It was with NetWare 5.1 that NFAP came on to the scene, and NetWare 6.0 where it came built in and performed much better. The ability to use protocols other than NCP for your Windows clients was embraced by many shops.

Labels: netware, novell, opinion, sysadmin

Labels: microsoft, sysadmin

Labels: sata, storage, sysadmin

Labels: benchmarking, msa, storage, sysadmin

Labels: stats, storage, sysadmin, virtualization

1. Rebuilding all of the Disk Arrays.
2. Creating LUNs expressly for Backup-to-Disk functionality.
3. Flashing the Active/Active firmware on to it, the 7.00 firmware rev.
4. Get the two Backup servers installed with the right MPIO widgetry to take advantage of active/active on the MSA>
   

Labels: backup, clustering, msa, storage, sysadmin

Labels: clustering, exchange, hp, storage, sysadmin

Labels: linux, sysadmin

Labels: budget, clustering, exchange, hp, linux, msa, netware, novell, OES, opinion, storage, sysadmin, virtualization

Labels: hp, msa, storage, sysadmin

Key points I've learned:

• The I/O controllers in the 4400 are able to efficiently handle more data than a single host can throw at it.
• The FATA drives introduce enough I/O bottlenecks that multiple disk-groups yield greater gains than a single big disk-group.
• Restripe operations do not cause anywhere near the problems they did on the MSA1500.
• The 4400 should not block-on-write the way the MSA did, so the NetWare cluster can have clustered volumes on it.
  

The "Same LUN" test showed that Write speeds are about half that of the single threaded test, which gives about equal total throughput to disk. The Read speeds are roughly comperable, giving a small net increase in total throughput from disk. Again, not sure why. The Random Read tests continue to perform very poorly, though total throughput in parallel is better than the single threaded test.

The "Different LUN, same disk-group," test showed similar results to the "Same LUN" test in that Write speeds were about half of single threaded yielding a total Write throughput that closely matches single-threaded. Read speeds saw a difference, with significant increases in Read throughput (about 25%). The Random Read test also saw significant increases in throughput, about 37%, but still is uncomfortably small at a net throughput of 11 MB/s.

The "Different LUN, different disk-group," test did show some I/O contention. For Write speeds, the two writers showed speeds that were 67% and 75% of the single-threaded speeds, yet showed a total throughput to disk of 174 MB/s. Compare that with the fasted single-threaded Write speed of 130 MB/s. Read performance was similar, with the two readers showing speeds that were 90% and 115% of the single-threaded performance. This gave an aggregate throughput of 133 MB/s, which is significantly faster than the 113 MB/s turned in by the fastest Reader test.

Adding disks to a disk-group appears to not significantly impact Write speeds, but significantly impact Read speeds. The Read speed dropped from 28 MB/s to 15 MB/s. Again, a backup-to-disk operation wouldn't notice this sort of activity. The Random Read test showed a similar reduction in performance. As Write speeds were not affected by restripe, the sort of cluster hard-locks we saw with the MSA1500 on the NetWare cluster will not occur with the EVA4400.

And finally, a word about controller CPU usage. In all of my testing I've yet to saturate a controller, even during restripe operations. It was the restripe ops that killed the MSA, and the EVA doesn't seem to block nearly as hard. Yes, read performance is dinged, but not nearly to the levels that the MSA does. This is because the EVA keeps its cache enabled during restripe-ops, unlike the MSA.

Labels: benchmarking, hp, msa, storage, sysadmin

Labels: clustering, storage, sysadmin, virtualization

Labels: clustering, microsoft, opinion, storage, sysadmin

Labels: exchange, storage, sysadmin

• A bill by the State Legislature mandating IPv6 uptake by all State agencies. We're not subject to the already existing Federal rule.
• Enough of the general internet is routing IPv6 that the IPv4-over-IPv6 tunneling causes enough headaches we need to move due to user revolts.
• Some new widget, be it server tech or some kind of net-attached device, only supports IPv6 and we need to get it running.
  

Labels: opinion, sysadmin

The NTP protocol permits the use of crypto to authenticate clients and servers to each other, as well as between time servers. By default, SLES10 is set up to allow the v3 method of using symmetric keys, but not the v4 method that uses public/private keys. If you want to use the v4 method, this is the tip for you.

Background

By default SLES runs NTP inside a chroot jail. This can be changed from the YaST NTP config screen if you wish. This is a more secure method of running NTP. The chroot jail's root is at /var/lib/ntp/.

Additionally, ntp runs with an AppArmor profile loaded against it for added security.

Getting NTPv4 auth to work

There are 4 steps to get this to work.

1. Copy the .rnd file to the chroot jail
2. Run ntp-keygen
3. Modify the AppArmor profile for /usr/sbin/ntpd to allow read access to the new files
4. Modify the /etc/ntp.conf file to enable v4 auth.

Copy the .rnd file to the chroot jail

By default, there should be a .rnt file at /root/.rnd. If so, copy this to /var/lib/ntp/etc/.rnd. If there is no file there, one can be generated through use of openssl.

timehost:~ # openssl rand -out /var/lib/ntp/etc/.rnd 1

Run ntp-keygen

Change-directory to /var/lib/ntp/etc, and execute the following command:

timehost:~ # ntp-keygen -T

This will drop a pair of files in the directory you run it, so running it while in /var/lib/ntp/etc saves you the step of copying them to this directory.

Modify the AppArmor profile

This is done through YaST

1. Launch YaST
2. Go to the "Novell AppArmor" section, and enter the "Edit Profile" tool.
3. Select "/usr/sbin/ntpd" and click Next.
4. Click the "Add Entry" button and select File.
5. Browse to /var/lib/ntp/etc/.rnd and click the "Read" permissions check-box, and click OK
6. Repeat the previous two steps to add the two files created by ntp-keygen, named "ntpkey_cert_[hostname]" and "ntpkey_host_[hostname]".
1. Note: AppArmor behavior changes between SP1 and SP2. In SP1 you can use the link files, in SP2 you need to specify the link targets.
   
7. Click Done on the main Profile Dialog
8. Agree to reload the AppArmor profile

Modify /etc/ntp.conf

The YaST tool for NTP doesn't allow for v4 configurations, so this has to be done on the command line. Open the /etc/ntp.conf file with your editor of choice, and insert the following lines before your "server" lines:

keysdir /var/lib/ntp/etc/
crypto randfile /var/lib/ntp/etc/.rnd

Then append the word "autokey" to the server and peer lines of your choice. At this point, you should be able to restart ntpd, and it will use authentication. This is a very basic NTPv4 configuration setup, but this should set the ground up for more complex configs.

Labels: coolsolutions, crypto, linux, sles, sysadmin

Labels: linux, netware, OES, sysadmin, virtualization

Labels: sysadmin

Packaging the Core

Including More Data

Labels: coolsolutions, edir, linux, novell, OES, sysadmin

Labels: exchange, microsoft, sysadmin

Labels: opinion, sysadmin

Labels: coolsolutions, edir, netware, novell, NSS, storage, sysadmin

1. Replacing the 7U monsters with 1U servers
2. Virtualization
3. No budget for massive server expansions
   

Labels: sysadmin, virtualization

Labels: linux, novell, sled, sles, sysadmin

Labels: sysadmin

• When deciding where to host the enhincrdb hive on a Windows server, format that particular volume with a 1k block size.
• If HP supported NetWare as an Enhanced Incremental Backup client, the 4kb block size of NSS would cause this hive to grow beyond all reasonable proportions.
  

Labels: backup, hp, netware, NSS, storage, sysadmin

• The first level is the mount point. Example: enhincrdb\F\
• The 2nd level are directories named 00-FF which contain the file state data itself

Labels: backup, hp, netware, NSS, storage, sysadmin

#!/bin/sh
#
# For killing ZMD when it is clearly hung. An all too often occurance.
#

declare PIDZMD

# First get the PID of ZMD

printf "Getting PID... "
let PIDZMD=`rczmd showpid`
printf "$PIDZMD\n"
# Then unconditionally kill it

printf "Killing zmd hard... \n"
kill -9 $PIDZMD

# Remove the old, inconsistent database

printf "Nuking old database... \n"
rm /var/lib/zmd/zmd.db

# Restart ZMD, which will build a new, consistent database

printf "Restarting ZMD\n"
rczmd start

Labels: linux, novell, sles, sysadmin

Labels: exchange, spam, sysadmin

Labels: storage, sysadmin

Labels: linux, OES, sysadmin

Labels: opinion, sysadmin

80-90% of ALL email is directory harvesting attacks. 60-70% of the rest is spam or phishing. 1-5% of email is legit. Really makes you think about the invisible hand of email security, doesn't it?

Labels: exchange, spam, stats, sysadmin

Labels: opinion, sysadmin

How may of you in the room have been at this long enough to do IPX? Ok, great. Now how many of you have done anything with IPv6? Doesn't that look JUST like IPX?

Labels: brainshare, clustering, netware, novell, sysadmin

NPIV looks really nifty. Look into it.

• It will include eDir 8.8.4 (8.8.3 will ship this summer sometime)
• NCP and eDir will be fully 64-bit
• OES2 SP1 will be based on SLES SP2, which will be releasing about the same time
• AFP Support
• AFP 3.1
• Uses Diffie-Helman 1 for password exchange, meaning the 8-character password problem is solved.
• Fully SMP-safe
• Has cross-protocol locking with NCP. CIFS doesn't have cross-protocol locking yet, but IIRC, Samba does
• Does not need LUM enabled users
• CIFS Support
• NTLMv1, but v2 is a possibility if enough people ask, so file those enhancement requests!!
• CIFS is separate from Samba, therefore can not be used in conjunction with Domain Services for Windows
• As with AFP, fully SMP safe
• EDir 8.8.4
• LDAP auditing enhanced
• "newer auth protocols", but they didn't say what.

• The 8 character password limit has been fixed! They now support DH1 for passing passwords.
• The 'afptcp' daemon can use one password protocol at a time, so you can only use DH1, or one of the other three I can't remember.
• Support for OSX 10.1 and 10.2 is scanty, and 10.5 is limited but users may not notice anyway.
• Passwords will be case sensitive.
• Kerberos will be in a future release
• Performance is faster than NetWare, partly due to the ability to multi-thread
• Can register services by way of SLP
• Only supports NSS for the time being, the other Linux file-systems will be a future feature.
• Can support 500 concurrent users, and 1000+ in the future. This fits our current AFP loads.
• We can configure more about how it works than we could on NetWare, such as how many worker threads to spawn.
• Has meaninful debug logs!
• Has a new command, 'afpstat' that works like 'netstat' for giving a snapshot of afp connections.

Labels: brainshare, edir, linux, netware, novell, OES, sysadmin

• Novell's group of partners is growing, adding a couple hundred new ones since last year. This shows the Novell 'ecosystem' is strong.
• 8700 new customers last year
• Novell press mentions are now only 5% negative.

• High Capacity Computing
• Policy Engines
• Orchestration
• Convergence
• Mobility

Labels: brainshare, clustering, netware, novell, OES, sysadmin, virtualization

Labels: opinion, sysadmin

• Were born in 1990
• ...have never known life without cable or satellite TV.
• ...probably have never seen a rotary dial phone.
• ...have had internet access for most of their school life.

1. Hit the online Novell Knowledge Base over at novell.com/support
2. Hit the peer-support forums over at forums.novell.com (or nntp://forums.novell.com/ if you prefer old-school)
3. Pay for a support incident
   
4. Ask around the office

1. Hit the peer-support forums over on CompuServe, which required a modem and a CompuServe account.
2. See if the problem is mentioned in the book-shelf of manuals, which was a big investment to own.
   
3. Pay for a support incident.
4. Ask around the office.

Labels: netware, novell, opinion, sysadmin

Labels: edir, netware, novell, OES, sysadmin

1. I've been using Slack since college
2. Diversity is good when figuring out how to run Linux
1. Slackware doesn't have anything approaching YaST.
2. Getting a new service online with Slackware takes about five times longer than it does with SuSE, but at the end of it you know how it bloody well works.
3. It's easier to crib from existing config files that way.

Labels: linux, sysadmin

Labels: clustering, netware, novell, sysadmin

Labels: edir, netware, novell, OES, sysadmin

Domain Services for Windows, which is scheduled to ship with OES 2 SP1 (currently scheduled for late 2008), will also offer some clear advantages.

Labels: clustering, linux, netware, novell, OES, sysadmin

The MSA team has determined that your device is working perfectly, and can find no defects. They've referred the case to the NetWare software team.

Working as designed. Fix your software. Talk to Novell.

Labels: clustering, hp, msa, netware, novell, OES, storage, sysadmin

To: support_am@hp.com
Subject:

CASE_ID_NUM: [case number, such as 36005555555]
MESSAGE: [text]

Labels: hp, sysadmin

Labels: clustering, hp, msa, netware, novell, OES, storage, sysadmin

Labels: linux, sysadmin

Labels: crypto, security, sysadmin

Labels: sysadmin

• Created and named dynamically
  
• [AuxClass] Attribute with user-defined name
• [AuxClass] Attribute with the creator
• [AuxClass] Attribute with the expiry date
• Since this is eDirectory, group memberships apply immediately rather than taking a logout/login cycle to refresh the access token like in MS networks.
  

• Created & named dynamically
• Associated to the created group
• Assigned to the specified users
• This allows the share to show up in NetStorage

Labels: netware, OES, sysadmin

• Changing it via LDAP made a sync.
• Changing it via the IDM did not make a sync.
• Changing it via iManager made a sync.
• Changing it via ConsoleOne on the IDM server made a sync

• Change the concurrent connections attribute through IDM
• Change the concurrent connections attribute through ConsoleOne on the IDM server

Labels: edir, linux, novell, sysadmin

The event system extension allows the client to specify the events for which it wants to receive notification. This information is sent in the extension request. If the extension request specifies valid events, the LDAP server keeps the connection open and uses the intermediate extended response to notify the client when events occur. Any data associated with an event is also sent in the response. If an error occurs when processing the extended request or during the subsequent processing of events, the server sends an extended response to the client containing error information and then terminates the processing of the request.

Labels: edir, novell, sysadmin

Labels: storage, sysadmin

RailGunSally writes "I am a (strictly technical) member of a large *nix systems admin team at a Fortune 150. Our new IT Management Overlord is a hardcore bean-counter from hell. We in the trenches have been tasked with providing 'metrics' on absolutely everything from system utilization to paper clip recycling. Of course, measuring productivity is right up there at the top of the list. We're stumped as to a definition of the basic unit of productivity for a *nix admin. There is a school of thought in our group that holds that if the PHBs are simple enough to want to operate purely from pie charts and spreadsheets, then we should just graph some output from /dev/random and have done with it. I personally love the idea, but I feel the need for due diligence, so I put the question to the Slashdot community: How does one reasonably quantify admin productivity?"

• The impact of server and service downtime.
• The value gained from meetings.
• The seasonal variations in business (in our case, when are classes in session? When are finals? When do grades need to be reported? When are parents on campus? Things like that.)
• Bureaucratic friction (how much 'process' is required to get things done?)

Labels: opinion, sysadmin