‘Solaris’ category archive

Using The Solaris Samba Service

February 17, 09 by cjgibbs

Before you can enable the samba service in SMF the config file needs to be created. Copy /etc/sfw/smb.conf-example to /etc/sfw/smb.conf. Make sure you have lines that look like this:

security = user
passdb backend = tdbsam

That will let you use the Solaris user accounts for samba access. Next set up a share that you’d like to test with. Here’s a simple one I used:

[htdocs]
path = /opt/coolstack/apache2/htdocs
valid users = cjs00c
public = no
writable = yes

Start up the samba service with svcadm enable samba. Now we need to add a user/pass to the samba user database: smbpasswd -a cjs00c. You should be able to connect to your new samba share now.

Just for fun, the samba password database file is located at /etc/sfw/private/passdb.tdb. If you’d like to check it for users you can use:
tdbtool /etc/sfw/private/passdb.tdb
tdb> info
3 records totalling 224 bytes
tdb> dump

key 12 bytes
USER_cjs00c
data 213 bytes
[a whole bunch of encoded data here]

key 13 bytes
INFO/version
data 4 bytes
[000] 03 00 00 00 …

key 13 bytes
RID_000004b0
data 7 bytes
[000] 63 6A 73 30 30 63 00 cjs00c
tdb>

Disable console logging (sysmsg) in Solaris

November 12, 08 by cjgibbs

I often disable the GUI login on my Solaris machines for simplicity, so they just sit at the console login prompt. This presents a problem because by default Solaris sends logs to the console via /dev/sysmsg. This means that system errors, kernel and authentication notices are right out there for the world to see. So I like to redirect these logs to a more secure location (and keep my console nice and pretty).

The config file is /etc/syslog.conf. Comment out the line:

*.err;kern.notice;auth.notice                  /dev/sysmsg

by putting a # in front of it, or point it at a new file location.

You should notice that most of these messages are also captured by the line below it and sent to /var/adm/messages. That’s a good place for these logs, so leave that line alone. However, it does not capture the auth.notice messages. Look a bit further down the file and you’ll see an ‘auth.notice’ line that’s commented out. Uncomment that line (make sure loghost is set in /etc/hosts) and your auth messages should be sent to /var/log/authlog, which is a much nicer location than the console, don’t you think?

User errors are defined further down the file and it also has an entry for logging user errors to /dev/sysmsg so you can comment that out as well if desired.
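The check and the edit described above, written as a small script. This is an added example, not part of the original post; the function names and the sample rules are constructed for illustration, and the sample is a simplified stand-in for the stock file.

```shell
#!/bin/sh
# Emit "selector<TAB>action" for each uncommented rule (m4 lines are skipped).
active_rules() {
    awk '$1 ~ /^[a-z0-9*,]+[.][a-z*]+(;[a-z0-9*,]+[.][a-z*]+)*$/ {
        sel = $1; $1 = ""; sub(/^[ \t]+/, ""); print sel "\t" $0
    }' "$1"
}

# Selectors of active rules that still write to the console device.
console_rules() {
    active_rules "$1" | awk -F'\t' '$2 == "/dev/sysmsg" { print $1 }'
}

# Succeeds if an active rule sends auth.notice somewhere other than the console.
# Simplification: comma-separated facility lists and ".none" overrides are ignored.
auth_notice_off_console() {
    active_rules "$1" | awk -F'\t' '
        $2 != "/dev/sysmsg" && $1 ~ /(^|;)(auth|[*])[.](notice|info|debug)(;|$)/ { ok = 1 }
        END { exit !ok }'
}

# The edit from the post: comment out /dev/sysmsg rules, uncomment auth.notice.
fix_conf() {
    sed -e '/^[^#].*[[:space:]]\/dev\/sysmsg[[:space:]]*$/s/^/#/' \
        -e 's/^#\(auth\.notice[[:space:]]\)/\1/' "$1" > "$2"
}

# Constructed, simplified sample rules (tab-separated, as syslogd expects).
write_sample() {
    {
        printf '%s\t%s\n' '*.err;kern.notice;auth.notice' '/dev/sysmsg'
        printf '%s\t%s\n' '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages'
        printf '%s\t%s\n' '#auth.notice' '/var/log/authlog'
        printf '%s\t%s\n' 'user.err' '/dev/sysmsg'
        printf '%s\t%s\n' 'user.err' '/var/adm/messages'
    } > "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
write_sample "$tmp/before"
fix_conf "$tmp/before" "$tmp/after"
for f in before after; do
    echo "$f: console rules: $(console_rules "$tmp/$f" | tr '\n' ' ')"
    auth_notice_off_console "$tmp/$f" && echo "$f: auth.notice logged off-console" \
        || echo "$f: auth.notice NOT logged off-console"
done
```

On a real system, run the checks against a copy of /etc/syslog.conf, and after changing the live file have syslogd re-read it with svcadm refresh system-log.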

How To Install Solaris 10 (u6) On ZFS Root

November 07, 08 by cjgibbs

Boot to the Solaris DVD and at the GRUB menu select Solaris (it’s the default option).

At the next menu choose ‘Solaris Interactive Text’ either desktop or console. I chose #4, the console session because it loads faster.

The installer asks you a few network and configuration questions first. For simplicity I’ll just list my summary:

Networked: Yes
Use DHCP: No
Host name: gibbs
IP address: 150.252.xxx.xxx
System part of a subnet: Yes
Netmask: 255.255.xxx.xxx
Enable IPv6: No
Default Route: Specify one
Router IP Address: 150.252.xxx.xxx
Configure Kerberos Security: No
Name service: DNS
Domain name: acu.edu
Server address(es): 150.252.xxx.xxx
150.252.xxx.xxx
Search domain(s): acu.edu
NFSv4 Domain Name: << Value to be derived dynamically >>
Time zone: Central Time
(US/Central)
Date and time: 2008-11-03 14:14:00

After entering the root password the screen goes blank for a few seconds, some scripts start executing, then the installation screen comes back.

  1. Select the “Standard” installation
  2. Automatically eject CD/DVD
  3. Auto Reboot
  4. Accept the license agreement
  5. Select any extra regional support
  6. Select POSIX C (C)
  7. Select None for Web Start products
  8. Select ZFS for the filesystem
  9. Select Entire Distribution
  10. Select disk to install on

Configure the ZFS settings. I changed the swap size to 2G and left everything else default.

ZFS Pool Name: rpool
ZFS Root Dataset Name: s10x_u6wos07b
ZFS Pool Size (in MB): 39214
Size of Swap Area (in MB): 2048
Size of Dump Area (in MB): 1024
Keep / and /var combined

Add remote mounts if you have any and begin installation!

Creating Solaris Containers (zones) - Part II

November 06, 08 by cjgibbs

So apparently when I wrote part 1, I completely forgot about the zone configuration - which needs to be done in order to use any networking services.

So to configure the zone you need to log into the zone’s ‘console’ after booting it for the first time.

# zlogin -C myzone

If you don’t see anything hit enter. You should be presented with a terminal choice. After that it should be pretty standard system configuration questions.

Alternatively, this can be automated by creating a sysidcfg file and placing it in /etc.

My CIFS on ZFS ACL

July 20, 08 by cjgibbs

So if you didn’t quite understand that subject it means this post is about the ACL (access control list) I am using on my CIFS (common internet file system) shared ZFS (zetta file system). I’m fairly new to ACLs myself but Ben Rockwood wrote an extremely helpful post about them, so go check it out!

On to the subject of this post: if you share a ZFS filesystem with CIFS and create new entries from a Windows computer (as one might do for a home file server), the resulting entries have zero permissions. For example, this is the ls -l result of a directory and a text file created from a Windows system:

OpenSolaris Upgrade Instructions

July 19, 08 by cjgibbs

If you were like me and installed the original release of OpenSolaris, it might be time to upgrade. The original release (2008.05) was based on the Solaris Nevada code version 86. The current version of Nevada is 93. The great thing about OpenSolaris is that the changes in Nevada get ported over to the OpenSolaris package server. This means you can easily upgrade to the latest package set with one command: pkg image-update

It gets better! OpenSolaris will even help protect your system by creating an entirely new boot environment and upgrading that. So if something were to not go as expected you could always boot back into your original environment.

Unparalleled Scalability

May 30, 08 by cjgibbs

This blows my mind every time I read it.

ZFS has been designed from the ground up to be the most scalable file system, ever. The file system itself is 128-bit, allowing for 256 quadrillion zettabytes of storage. All metadata is allocated dynamically, so no need exists to pre-allocate inodes or otherwise limit the scalability of the file system when it is first created. All the algorithms have been written with scalability in mind. Directories can have up to 2^48 (256 trillion) entries, and no limit exists on the number of file systems or number of files that can be contained within a file system.

Source: ZFS Administration Guide

Creating SSH Keys

May 16, 08 by cjgibbs

My purpose for doing this was to automate file transfers between servers. So I needed a secure copy method (SCP) without prompting for a password (SSH keys). I’ll call my two systems production and backup. I need to be able to ssh from production to backup without it prompting for a password.

On production generate your private/public key pair:

chris@production ~$ ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/chris/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /export/home/chris/.ssh/id_dsa.
Your public key has been saved in /export/home/chris/.ssh/id_dsa.pub.
The key fingerprint is:
bd:cf:bb:c0:30:1c:c3:5f:74:80:3b:f0:1f:82:20:bb chris@production

Put the public key file (id_dsa.pub) on the remote system you will be ssh’ing to as the authorized_keys2 file in the .ssh directory of the user you will be using to ssh:

chris@production ~$ scp ~/.ssh/id_dsa.pub backup:.ssh/authorized_keys2

Or append it if you have a preexisting authorized_keys2 file.

That’s it. You should be able to ssh from production to backup using whatever passphrase you entered in the key generation process (or none if you didn’t enter one).
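The append step, as a script that keeps existing entries, avoids duplicates and sets the permissions sshd expects. This is an added example, not part of the original post: install_pubkey is a hypothetical helper, the key blobs are constructed placeholders, and the optional authorized_keys option string (to restrict what a passphrase-less automation key may do) goes beyond what the post covers.

```shell
#!/bin/sh
# install_pubkey PUBFILE AUTHFILE [OPTIONS]
# OPTIONS is an optional authorized_keys option string, e.g. no-pty,no-port-forwarding
# Note: current OpenSSH releases no longer accept ssh-dss keys by default;
# the function itself does not depend on the key type.
install_pubkey() {
    pub=$1 auth=$2 opts=${3:-}
    # A public key file is exactly one line: "type base64 [comment]".
    [ "$(wc -l < "$pub" | tr -d ' ')" = "1" ] || { echo "not a single-line key: $pub" >&2; return 2; }
    key=$(cut -d' ' -f1,2 "$pub")
    case $key in
        ssh-*\ ?*|ecdsa-*\ ?*) ;;
        *) echo "unrecognised key format: $pub" >&2; return 2 ;;
    esac
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"      # directory: owner only
    touch "$auth" && chmod 600 "$auth"       # key list: owner read/write only
    # Skip if the same type+blob is already present (comment/options may differ).
    if grep -qF -- "$key" "$auth"; then return 0; fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$(cat "$pub")" >> "$auth"
    else
        cat "$pub" >> "$auth"
    fi
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
# Constructed placeholder keys; the base64 blobs are not real key material.
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE1 chris@production\n' > "$demo/id_dsa.pub"
mkdir "$demo/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADEXAMPLE2 other@host\n' > "$demo/.ssh/authorized_keys2"
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh/authorized_keys2" 'no-pty,no-port-forwarding'
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh/authorized_keys2"   # second run adds nothing
cat "$demo/.ssh/authorized_keys2"
```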

Why ZFS rocks

April 11, 08 by cjgibbs

This morning while I’m still asleep my wife goes “Chris your computer is making a noise…” and after repeating herself ten times I finally comprehend what she’s saying and start listening. Sure enough there was a loud clicking noise coming from my server in the other room. I figured I had just lost a hard drive but I wasn’t worried because I have a spare that’s supposed to pop into action when this happens. So I hit the power button once and listen as it shuts itself down cleanly.

Looking back I probably should have been more cautious but hey, I was still 98% asleep. When I finally got a chance to look at it, I find out the spare wasn’t actually added to my storage pool. Oops, my bad. Well I still wasn’t worried because my storage pool (all my really important data) was still up and rockin’:

Disable/Enable Solaris GUI

April 11, 07 by cjgibbs

Disable

# /usr/dt/bin/dtconfig -d

Enable

# /usr/dt/bin/dtconfig -e