Blog

Aug
26

Mounting a Windows filesystem on AIX

A lot of people don’t realise that there are two optional AIX filesets on the Expansion DVD that enable you to mount a CIFS filesystem on AIX:

bos.cifs_fs.rte           Runtime for SMBFS
bos.cifs_fs.smit        SMIT Interface for SMBFS

Once installed you have to reboot your server to activate the kernel extension.

You should now see that the mount command accepts the “-v cifs” argument, and that smitty mount also has CIFS as a valid choice from the F4 popup.

Example:
mount -v cifs -n laptop/Andrew/Password /Users /mnt
df /mnt
Filesystem    512-blocks      Free %Used    Iused %Iused Mounted on
laptop:/Users 1916172280 967849240   50%        0     0% /mnt

ls -l /mnt
total 5
drwxr-xr-x    1 root     system        16384 Aug 25 08:38 Andrew
drwxr-xr-x    1 root     system        16384 May 27 09:20 Backup
drwxr-xr-x    1 root     system        16384 Aug 30 2013  Default
drwxr-xr-x    1 root     system        16384 Jun 04 09:57 Public
drwxr-xr-x    1 root     system        16384 Jan 29 2014  andre_000
-rwxr-xr-x    1 root     system          174 Aug 22 2013  desktop.ini

See the mount manual page for more options.

If you have the “samba-client” fileset installed you can also see what your Windows machines are sharing e.g.

smbclient -L //laptop -U Andrew
Enter Andrew’s password: 
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
print$          Disk      Printer Drivers
Users           Disk
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

Aug
21

Patching AIX from the command-line

Many people use SMIT when updating AIX and/or NIM but do not realise that they can also do this from the command-line using two IBM-supplied scripts. Patches downloaded from Fix Central should all be in one directory e.g. “6100-08-02-1316”.

Change to the directory containing the patches and ensure that it is writeable, so inutoc can create/update the index, and that all the files are readable by root.

cd 6100-08-02-1316
inutoc .

Run the patch-install script:

install_all_updates -d . -Y

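+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Pre-installation Failure/Warning Summary
----------------------------------------
Name                      Level           Pre-installation Failure/Warning
-------------------------------------------------------------------------------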
sysmgt.websm.rte          6.1.7.1         Requisite failure
sysmgt.pconsole.rte       6.1.7.2         Requisite failure
perfagent.tools           6.1.7.2         Requisite failure
devices.vdevice.IBM.v-scs…

The results will not only be displayed on the screen but stored in “/var/adm/ras/install_all_updates.log”.

Now reboot your system to ensure everything is working OK. Once satisfied, you can commit all the newly applied fixes in order to remove the old copies and save a lot of space in “/usr”.

installp -c ALL
oslevel -s
6100-08-02-1316

If you are using NIM you will also want to update your LPP_SOURCE so that any new clients will be built to the same OS level. Fortunately this can also be done from the command-line:

Note: NIM can only be patched this way to TL (tech-levels) and not SP (Service Packs).

cd <patch-directory>
nim_update_all -d . -s 610spot_res -l 610lpp_res -v -u
+ typeset +f
+ typeset -ft DEBUG
+ typeset -ft _check_level
+ typeset -ft bname
+ typeset -ft check_access
+ typeset -ft check_cpush_ok
+ typeset -ft check_level
+ typeset -ft check_push_ok
+ typeset -ft ck_attrs
+ typeset -ft ck_gencopy_flags
+ typeset -ft ck_inst_root_dirs
+ typeset -ft ck_installp_flags
+ typeset -ft ck_rel_level
+ typeset -ft ck_spot_options
+ typeset -ft cleanup
+ typeset -ft cmd_what
+ typeset -ft convert_arch_value
+ typeset -ft create_sysb
+ typeset -ft err_from_cmd
+ typeset -ft err_signal
+ typeset -ft error

..
395266 of 422959 files (93%)………………..

0512-003 mksysb may not have been able to archive some files.
The messages displayed on the Standard Error contained additional
information.
+ [[ 0 -ne 0 ]]
+ return 0
+ [ 0 -ne 0 ]
+ /usr/bin/tee -a /var/adm/ras/nim.update
+ /usr/bin/dspmsg -s 2 cmdnim.cat 338 nNIM update_all is complete – enjoy!

NIM update_all is complete – enjoy!
Your SPOT and LPP_SOURCE should now be at the same level.

lsnim -l 610spot_res

610spot_res:
class         = resources
type          = spot
plat_defined  = chrp
arch          = power
Rstate        = ready for use
prev_state    = verification is being performed
location      = /export/eznim/spot/610spot_res/usr
version       = 6
release       = 1
mod           = 8
oslevel_r     = 6100-08
alloc_count   = 0
server        = master
Rstate_result = success
mk_netboot    = yes
mk_netboot    = yes
mk_netboot    = yes

Aug
19

Using Splitvg to make backups

If you need to back up a logical volume or volume group with the minimum amount of downtime, the easiest way is to mirror it and then create a snapshot as follows:

mirrorvg [ -S | -s ] [ -Q ] [ -c copies] [ -m ] [ -p copyn=mirrorpool ] volumegroup [ physicalvolume … ]

Now split off a copy of the mirror using the splitvg command:

splitvg  [ -y SnapVGname ]  [ -c  Copy ] [ -f  ] [ -i ]  VGname
This splits a single mirror copy of a fully mirrored volume group into a snapshot volume group. The original volume group VGname will stop using the disks that are now part of the snapshot volume group SnapVGname.

This method can also be used to split-off copies of one or more logical-volumes.

Splitting copies of a logical volume

The splitlvcopy command splits copies from one logical volume and creates a new and separate logical volume from them. The general syntax of the splitlvcopy command is as follows:

splitlvcopy [ -f ] [ -y NewLogicalVolumeName ] [ -Y Prefix ] LogicalVolume Copies [ PhysicalVolume … ]

To split one copy of each logical partition belonging to the logical volume named “oldlv” which currently has 3 copies of each logical partition, and create the logical volume “newlv”, use the splitlvcopy command as follows:

# splitlvcopy -y newlv oldlv 2

Each logical partition in the logical volume “oldlv” now has two physical partitions.
Each logical partition in the logical volume “newlv” now has one physical partition.

Mirroring is an LVM task that you perform only on logical volumes to migrate data. The following example shows how to create a mirror copy of a logical volume using the mklvcopy command:

# mklvcopy -e m -s y -k datalv 2 hdisk3 hdisk7

.

.

# splitlvcopy -y splitlv datalv 1

Once you have a split copy you can mount the filesystem elsewhere and back it up whilst the original is still being updated. Once finished you simply join the LV or VG and the mirrors are re-synced automatically.

19-08-2014

Aug
18

Importing a new Volume Group

Accidentally importing a disk that has a root volume group can have disastrous results on your AIX system because it renames the logical-volumes required to boot your system. You should therefore know something about a disk or disks before you attempt to import them.

Here are some handy LVM commands that help you to see what is on a disk(s) without importing:

List the maximum number of logical volumes allowed in the VG
lqueryvg -p PVname -N

Show the PP size
lqueryvg -p PVname -s

Show the number of free PPs in the VG
lqueryvg -p PVname -F

Show the current number of LVs in the VG
lqueryvg -p PVname -n

List the current number of PVs in the VG
lqueryvg -p PVname -c

Display the total number of VGDAs for the VG
lqueryvg -p PVname -D

List each LVID, LV name, state for each logical volume
lqueryvg -p PVname -l

List each PVID, number of VGDAs and state for each PV in the VG
lqueryvg -p PVname -P

List all the attributes with tags for the VG
lqueryvg -p PVname -At

Show a physical volume’s VGID
lqueryvg -p PVname -v

Move a physical partition
lmigratepp -g VGID -p old_PVID -n old_PPNum -P new_PVID -N new_PPNum

Retrieve the VG name for a particular LV from ODM
getlvodm -b LVID

Retrieve all configured PVs from ODM
getlvodm -C

Retrieve the major number for a VGID from ODM
getlvodm -d VGID

Retrieve the logical volume allocation characteristics for a LVID from ODM
getlvodm -c LVID

Retrieve the free configured PVs from ODM
getlvodm -F

Retrieve the strip size for a LVID from ODM
getlvodm -F LVID

Retrieve the PV name for a PVID from ODM
getlvodm -g PVID

Retrieve all VG names from the ODM
getlvodm -h

Retrieve the VGID for a PVID from ODM
getlvodm -j PVID

Retrieve the LVs and LVIDs for a VG name or VGID from ODM
getlvodm -L VGDescriptor

Retrieve the LVID/LV Name for a LV Name or LVID from ODM
getlvodm -l LVDescriptor

Retrieve the mount point for a LVID from ODM
getlvodm -m LVID

Retrieve the stripe width for a LVID from ODM
getlvodm -N LVID

Retrieve the PVID/PV name for a PV name or PVID from ODM
getlvodm -p PVDescriptor

Retrieve the PV names, PVIDs and VGs of all configured PVs from ODM
getlvodm -P

Retrieve the relocatable flag for a LVID from ODM
getlvodm -r LVID

Retrieve the VG state for a VG from ODM
getlvodm -s VGDescriptor

Retrieve the timestamp for a VG from ODM
getlvodm -T VGDescriptor

Retrieve the VG name for a VGID from ODM
getlvodm -t VGID

Retrieve the auto-on value for a VG name or VGID from ODM
getlvodm -v VGDescriptor

Retrieve the VGID for a VG name
getlvodm -v VGDescriptor

Retrieve the PV names and PVIDs for a VG from ODM
getlvodm -w VGDescriptor

Retrieve the LV type for a LVID from ODM
getlvodm -y LVID

Retrieve the concurrent capable flag for a VG from ODM
getlvodm -X VGDescriptor

Retrieve the auto-on concurrent flag for a VG from ODM
getlvodm -x VGDescriptor

Display the contents of LVCB
getlvcb -A LVName

List the number of copies of a LV from LVCB
getlvcb -c LVName

List the file system name of a LV from LVCB
getlvcb -f LVName

List the label of a LV from LVCB
getlvcb -L LVName

Display the type of the file system from LVCB
getlvcb -t LVName

Display the upper limit from LVCB
getlvcb -u LVName
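
A pre-import check built on the “lqueryvg -p PVname -l” listing above, as an added example that is not part of the original post: it flags a disk whose volume group contains the default rootvg logical volume names. The sample listings are constructed, and the “LVID LVname state” column order is assumed from the description of that command.

```shell
#!/bin/sh
# Added example (not from the original post): pre-import check for rootvg LVs.
# Assumption: input lines are "LVID LVname state", as lqueryvg -p PVname -l is
# described above. On a real host: lqueryvg -p hdisk1 -l | looks_like_rootvg

# Default logical volume names that AIX creates in rootvg.
ROOTVG_LVS="hd1 hd2 hd3 hd4 hd5 hd6 hd8 hd9var hd10opt hd11admin"

# Reads a listing on stdin, prints every LV name that is a rootvg default,
# and returns 0 if at least one was found (1 otherwise).
looks_like_rootvg() {
    awk -v names="$ROOTVG_LVS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) root[a[i]] = 1 }
        NF >= 2 && ($2 in root) { print $2; hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Constructed sample: a disk that belongs to another system's rootvg.
sample_rootvg_disk() {
    cat <<'EOF'
00f6000100004c00000001470a1b2c3d.1   hd5 1
00f6000100004c00000001470a1b2c3d.2   hd6 1
00f6000100004c00000001470a1b2c3d.3   hd8 1
00f6000100004c00000001470a1b2c3d.4   hd4 1
00f6000100004c00000001470a1b2c3d.5   hd2 1
EOF
}

# Constructed sample: a data volume group with site-specific LV names.
sample_data_disk() {
    cat <<'EOF'
00f6000100004c00000001470e4f5a6b.1   loglv00 1
00f6000100004c00000001470e4f5a6b.2   datalv 1
EOF
}

# Prints a verdict for a labelled listing read from stdin.
report() {
    if found=$(looks_like_rootvg); then
        echo "$1: contains rootvg LVs ($(echo $found)); do not run importvg"
    else
        echo "$1: no rootvg LV names found"
    fi
}

sample_rootvg_disk | report "disk A"
sample_data_disk | report "disk B"
```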

Aug
18

Installing RPMs

Installing RPMs in AIX can be a real pain and a lot of time can be spent looking for the dependent packages etc. This is a quick tip which enables you to see a package’s contents and dependencies without having to try to install it:

To see some background information:

rpm -qpi ./sudo-1.8.9p5-1.aix5.1.ppc.rpm
Name        : sudo                         Relocations: (not relocateable)
Version     : 1.8.9p5                  Vendor: (none)
Release     : 1                                Build Date: Thu Feb  6 14:46:56 CET 2014
Install date: (not installed)  Build Host: aix51.perzl.org
Group       : Applications/System     Source RPM: sudo-1.8.9p5-1.src.rpm
Size        : 1571387                      License: BSD
URL         : http://www.courtesan.com/sudo/
Summary     : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis.  It is not a replacement for the shell.  Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.

Adding the “--changelog” argument also lets you see all the author’s publishing information:

rpm -qpi --changelog ./sudo-1.8.9p5-1.aix5.1.ppc.rpm

.
* Thu Feb 06 2014 Michael Perzl <michael@perzl.org> - 1.8.9p5-1

- updated to version 1.8.9p5

* Tue Jan 21 2014 Michael Perzl <michael@perzl.org> - 1.8.9p4-1

- updated to version 1.8.9p4
..

To see the dependencies:

rpm -qpR ./sudo-1.8.9p5-1.aix5.1.ppc.rpm
gettext >= 0.10.40
openldap >= 2.4.23
openssl >= 1.0.1f-1
zlib
/bin/sh
libc.a(shr.o)
libcrypto.a(libcrypto.so.1.0.1)
libintl.a(libintl.so.1)
liblber.a(liblber-2.4.so.2)
libldap.a(libldap-2.4.so.2)
libs.a(shr.o)
libz.a(libz.so.1)

You can also see the files in the package and importantly where it is going to be installed:

rpm -qpl ./sudo-1.8.9p5-1.aix5.1.ppc.rpm
/etc/sudoers
/opt/freeware/bin/sudo
/opt/freeware/bin/sudoedit
/opt/freeware/bin/sudoreplay
/opt/freeware/doc/sudo-1.8.9p5
/opt/freeware/doc/sudo-1.8.9p5/HISTORY
/opt/freeware/doc/sudo-1.8.9p5/LICENSE
/opt/freeware/doc/sudo-1.8.9p5/README
/opt/freeware/doc/sudo-1.8.9p5/TROUBLESHOOTING
/opt/freeware/doc/sudo-1.8.9p5/UPGRADE
/opt/freeware/libexec/sudo/group_file.so
/opt/freeware/libexec/sudo/sudo_noexec.so

Aug
13

An interesting LDAP feature

Many people use LDAP to store vital information such as usernames and passwords, and sudo rules, and this information should always be protected as much as possible. The ideal solution is to configure Secure LDAP and have all your traffic encrypted using a certificate. The problem is that you have to start somewhere and it is always easier to start with the most basic configuration, and add functionality as you go.

The easiest and supported method for configuring an AIX server as an LDAP client is to use the mksecldap command. This method not only configures the “/etc/ldap/ldap.cfg” configuration file, it also tests the actual connection and adds an entry to “/etc/inittab” which ensures that LDAP starts during boot.

ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console 2>&1

Assuming everything is working you should be able to test your connection:

# ls-secldapclntd
ldapservers=ldap-server.mydomain.local
current ldapserver=ldap-server.mydomain.local
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=3
groupcachesize=100
groupcacheused=3
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=AIX,DC=mydomain,DC=local
groupbasedn=OU=AIX,DC=mydomain,DC=local
userobjectclass=user,person,organizationalperson
groupobjectclass=group

and retrieve some data e.g.

# lsldap
dn: OU=AIX,DC=mydomain,DC=local

dn: CN=Builtin,DC=mydomain,DC=local

dn: CN=Computers,DC=mydomain,DC=local

d…
..

As you used a username (binddn) and password (bindpwd) to make the connection these credentials are stored in the “ldap.cfg” e.g.

binddn:CN=myhost,OU=AIX,DC=domain,DC=local
bindpwd:{DESv2}65 C1ADCD69A$F 973F44541DAC97E66A78DEF1B5FA97EFF

According to IBM this password has been salted and the file cannot be copied to another system. However, this is not the case: you can actually create a single file, copy it to all your hosts and just add the entry to “/etc/inittab”, which gives you a really quick way to build a test environment. But what happens if you want to change the password, or make every host bind using a different name?

The conventional wisdom is to create an account that matches the hostname of each server. This works nicely, but if you want to do this you also need to run mksecldap on each host, or do you?

If you are sticking to one user for all and just want to change the password, you can simply run mksecldap on one host, distribute the “ldap.cfg” and restart the daemons. However, you can create a new password by running:

# /usr/sbin/secldapclntd -e <new-password>

and then append this to the “bindpwd:” entry and recycle the daemon. The interesting part is that this new password is SALTED and so cannot be copied to another system, which means if you want to script this, it has to run on each target machine.

Note: If you are testing/are unsure about a password you can simply enter the plain-text, restart the daemon, and this will also work, but it should obviously be replaced ASAP.

The other thing to consider is that if your LDAP server(s) is not available during boot, your AIX server will hang. It is therefore worth considering replacing “wait” with “once”.
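
The two settings discussed above can be checked across hosts with a small script. This is an added example, not part of the original post: it reports a plain-text “bindpwd:” entry and an ldapclntd inittab entry that still uses “wait”. The sample files are constructed, and it assumes that encrypted values start with a “{scheme}” tag such as {DESv2}, as in the bindpwd line shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings discussed above.
# Assumption: ldap.cfg holds "key:value" lines and encrypted values start with a
# "{scheme}" tag such as {DESv2}, as in the bindpwd line shown in the post.

# Prints "encrypted", "plaintext" or "missing" for the bindpwd entry in file $1.
bindpwd_state() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        index($0, "bindpwd:") == 1 {
            val = substr($0, 9)                  # text after "bindpwd:"
            tagged = (substr(val, 1, 1) == "{" && index(val, "}") > 2)
            state = tagged ? "encrypted" : "plaintext"
        }
        END { print (state == "" ? "missing" : state) }' "$1"
}

# Prints the action field (wait, once, ...) of the ldapclntd entry in inittab file $1.
inittab_action() {
    awk -F: '$1 == "ldapclntd" { print $3 }' "$1"
}

# Prints one line per finding for ldap.cfg $1 and inittab $2.
audit_ldap_client() {
    [ "$(bindpwd_state "$1")" = "plaintext" ] &&
        echo "FINDING: plain-text bindpwd in $1; replace it with secldapclntd -e output"
    [ "$(inittab_action "$2")" = "wait" ] &&
        echo "FINDING: ldapclntd action is wait; boot blocks if LDAP is unreachable"
    return 0
}

# Writes constructed sample files into directory $1.
make_samples() {
    printf '%s\n' 'binddn:CN=myhost,OU=AIX,DC=domain,DC=local' \
        'bindpwd:Constructed-Plain-Text' > "$1/ldap.cfg.plain"
    printf '%s\n' 'binddn:CN=myhost,OU=AIX,DC=domain,DC=local' \
        'bindpwd:{DESv2}CONSTRUCTED-PLACEHOLDER' > "$1/ldap.cfg.enc"
    printf '%s\n' \
        'ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console 2>&1' \
        > "$1/inittab.wait"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_ldap_client "$demo/ldap.cfg.plain" "$demo/inittab.wait"
audit_ldap_client "$demo/ldap.cfg.enc" "$demo/inittab.wait"
rm -rf "$demo"
```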