Sundot unix and security blog archives.

If resolv.conf exists on your NIS server - ypserv will always use DNS forwarding on Solaris.

posted by hal 20030606 (archived) | permalink | path | initial version: 200300605.

This is a slightly edited reply of a recent posting on news about setting up your NIS master server. If /etc/resolv.conf exists ypserv will always start with the "-d" option - it does not matter what you do in /var/yp/Makefile (from the man page for ypserv on the "-d" option: go to the DNS (Domain Name Service) for more host information).

To make sure DNS forwarding is turned off

use "B=" in /var/yp/Makefile
edit /usr/lib/netsvc/ypstart so ypserv does not start with the "-d" option
stop/start the nis-server using /usr/lib/netsvc/{ypstop|ypstart}
use ps or pgrep to check that ypserv is not running with the "-d" option and also check that rpc.nisd_resolv isn't running

A snip from the news posting

ypserv is running with the '-d' option, which according to Answer Book means that it is running without DNS forwarding.

And my reply:

are you dead sure? have you checked ypserv actually does run without "-d" using ps? setting "B=" in /var/yp/Makefile does not prevent ypserv from starting with "-d" as long as /etc/resolv.conf exists (and nsswitch.conf does not matter either - see below). There are perfectly valid reasons for wanting the NIS master to be a "pure" DNS client (without using forwarding for your NIS clients) - ie you want to run nslookup. When setting up NIS servers I normally change the offending lines in /usr/lib/netsvc/ypstart from
if [ -f /etc/resolv.conf ]; then
$YPDIR/ypserv -d && echo ' ypserv\c'
else
$YPDIR/ypserv && echo ' ypserv\c'
fi
to simply
$YPDIR/ypserv && echo ' ypserv\c'
It's still there in Solaris 9 and Sun code maintainers should take note - if we change the "B=" in /var/yp/Makefile we want it to have effect :-|

Hands-off (non-interactive) Solaris package removal - example using old Gnome packages.

posted by hal 20030211 (archived) | permalink | path | initial version: 20030210

Having to answer lots of yes/no questions on package dependencies is a pain when doing Solaris package administration; so here is a quick how-to on how to avoid the questions. First create /tmp/noask with the following contents (edited copy of /var/sadm/install/admin/default):

mail=
instance=unique
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default

Then execute something like this to remove the old Gnome packages before installing the new Sun supported 2.0 version (remove-gnome from the 2.0 beta script failed for me):

for p in `pkginfo | grep -i gnome | sort | awk '{print $2}'`
do
  pkgrm -n -a /tmp/noask $p
done

Solaris Guide for New Sys Admins - updated: half of our suggestions included.

posted by hal 20030205 (archived) | permalink | path | initial version: 20030205

"The Solaris™ OE Guide for New System Administrators" by Rolf Kersten has been updated to version 1.13e. Around half of my suggestions for improvement are included. My main gripes are fixed, but I still think turning on UFS logging is vital.

We also got mentioned in Sun's BigAdmin Newsletter (mailing list):
Solaris OE Guide for New System Administrators has been updated. Special thanks to Hal at sundot.com for his input.

Quick how-to on setting up Sun eeprom aliases for alternative boot disks.

posted by hal 20030125 (archived) | permalink | path | initial version: 20030125.

This is just a quick reference. The information is fleshed further out in several Sun Blueprints with the string "boot disk" contained in the title (e.g. "Towards a Reference Configuration for VxVM Managed Boot Disks" - where the cat ./myaliases trick is found).

The alias names are different in the various BluePrints - some use "rootdisk/rootmirror" and others use "bootdisk/bootmirr". It does not really matter as long as it is obvious what the alias is for.

# ls -l /dev/dsk/c0t0d0s2
lrwxrwxrwx   1 root     root          41 Jan 20 18:15 /dev/dsk/c0t0d0s2 ->
../../devices/pci@1f,4000/scsi@3/sd@0,0:c
# ls -l /dev/dsk/c2t0d0s2
lrwxrwxrwx   1 root     root          40 Jan 20 18:15 /dev/dsk/c2t0d0s2 ->
../../devices/pci@4,4000/scsi@4/sd@0,0:c

# cat myaliases
devalias rootdisk /pci@1f,4000/scsi@3/disk@0,0
devalias rootmirror /pci@4,4000/scsi@4/disk@0,0
# 
# eeprom nvramrc="`cat ./myaliases`" 

# eeprom boot-device='rootdisk rootmirror'
# eeprom diag-device='rootdisk rootmirror'
# eeprom "use-nvramrc?=true"

Forcing ethernet interface settings on Solaris - get the sequence right (scripts).

posted by hal 20030116 (archived) | permalink | path | initial version: 20030115.

When forcing settings for an ethernet interface using ndd on Solaris it essential to get the sequence correct. Get it wrong and you end up with the wrong results or having to issue your ndd's twice (as shown here).

First set the interface speed and handshake, then turn off auto-negotiation. It's a common mistake to do it the other way around (in fact I did it myself until I checked my settings after a reboot).

So for the hme0 ethernet interface run the commands in this sequence to force 100 Mbit/sec full-duplex:

# /usr/sbin/ndd -set /dev/hme instance 0
# /usr/sbin/ndd -set /dev/hme adv_100fdx_cap 1
# /usr/sbin/ndd -set /dev/hme adv_100hdx_cap 0
# /usr/sbin/ndd -set /dev/hme adv_10fdx_cap 0
# /usr/sbin/ndd -set /dev/hme adv_10hdx_cap 0
# /usr/sbin/ndd -set /dev/hme adv_100T4_cap 0
# /usr/sbin/ndd -set /dev/hme adv_autoneg_cap 0

Simple scripts for forcing (ge, eri and hme) ethernet interfaces and checking them are available as downloads.